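#!/usr/bin/env bash
#
# scrt4 Docker wrapper — one-command access to the hardened container.
#
# Usage:
#   curl -fsSL https://install.llmsecrets.com/scrt4-docker.sh | sh
#
# Or install persistently:
#   sudo curl -fsSL https://install.llmsecrets.com/scrt4-docker.sh -o /usr/local/bin/scrt4
#   sudo chmod +x /usr/local/bin/scrt4
#   scrt4
#
# What it does:
#   - First run: creates a named container `scrt4` from joshgottlieb/scrt4-hardened
#   - Every run after: reattaches to the same container
#   - Vault, Claude Code auth, shell history all persist in the container's
#     own filesystem. No named volumes, no bind mounts, no Docker engine
#     context headaches.
#
# Environment:
#   SCRT4_IMAGE  image reference used on first run (default below)
#   SCRT4_NAME   container name (default: scrt4)
#
# To reset:
#   docker rm -f scrt4   # wipes everything
#
# The documented one-liner pipes this file into `sh`, so everything below
# sticks to POSIX sh constructs despite the bash shebang.

set -eu

# An untagged image name resolves to the mutable `latest` tag. When the exact
# image content must be fixed, set SCRT4_IMAGE to a digest-pinned reference
# (name@sha256:<digest>).
IMAGE="${SCRT4_IMAGE:-joshgottlieb/scrt4-hardened}"
NAME="${SCRT4_NAME:-scrt4}"

# Replace this shell with the given interactive docker command.
# `docker ... -it` needs a terminal on stdin; under `curl ... | sh` stdin is
# the download pipe, so the command is attached to the controlling terminal
# instead. The redirection is applied only to the exec'd command so the shell
# keeps reading the script itself from its original stdin until that point.
attach_interactive() {
  if [ -t 0 ]; then
    exec "$@"
  fi
  if ! (: </dev/tty) 2>/dev/null; then
    printf 'scrt4: no terminal available for an interactive session.\n' >&2
    exit 1
  fi
  exec "$@" </dev/tty
}

if ! command -v docker >/dev/null 2>&1; then
  printf 'scrt4: docker is not installed or not on PATH.\n' >&2
  printf 'Install Docker first: https://docs.docker.com/engine/install/\n' >&2
  exit 1
fi

# `docker container inspect` only matches containers. Plain `docker inspect`
# also succeeds for an image, volume or network that happens to share the
# name, which would send a first run down the reattach path.
if docker container inspect "$NAME" >/dev/null 2>&1; then
  # Container exists — start it if stopped. A failure is reported but not
  # fatal here; the attach below will surface the final error.
  docker start "$NAME" >/dev/null ||
    printf 'scrt4: warning: could not start container "%s"; attach may fail.\n' "$NAME" >&2

  # Clean the stale daemon socket from the previous session: the socket file
  # persists in the container FS across restarts but the daemon itself does
  # not; without cleanup the scrt4 CLI sees the stale socket and never
  # re-spawns the daemon. Best-effort by design.
  # NOTE(review): this also runs when another session is still attached, in
  # which case the socket may belong to a live daemon — confirm the CLI
  # recovers from that.
  docker exec "$NAME" rm -f /tmp/scrt4-runtime/scrt4.sock 2>/dev/null || true

  # Reattach in a fresh interactive login bash.
  attach_interactive docker exec -it "$NAME" bash -l
else
  printf 'scrt4: first run — creating container "%s" from %s\n' "$NAME" "$IMAGE" >&2
  attach_interactive docker run -it --name "$NAME" "$IMAGE" shell
fi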