#!/usr/bin/env bash
# Phase 2a Policy Engine · local dev starter
# A-owned · session_a
#
# One-shot bootstrap: venv + deps + example regression + uvicorn on 127.0.0.1:8090.
# Requires: python3 (>=3.11)
# Not for production. No JWT · no audit sink · localhost only.

# Strict mode: stop on the first failing command, on any unset variable,
# and on a failure in any stage of a pipeline.
set -euo pipefail

# Settings, each overridable from the environment.
# HOST defaults to loopback. The file header states this service runs with
# no JWT and no audit sink, so setting POLICY_HOST to a routable address
# would publish unauthenticated policy endpoints on the network.
PORT="${POLICY_PORT:-8090}"
HOST="${POLICY_HOST:-127.0.0.1}"
VENV="${POLICY_VENV:-.venv}"

# Run from the directory that holds this script so the relative paths used
# below (requirements.txt, verify_examples.py, a relative $VENV) resolve the
# same way regardless of the caller's working directory.
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "$HERE"

# Create the virtual environment only on the first run; later runs reuse it.
if [[ ! -d "$VENV" ]]; then
  printf '%s\n' "[policy-service] creating venv at $VENV"
  python3 -m venv "$VENV"
fi

# Activation puts the venv's python3 and pip first on PATH for the rest of
# the script.
# shellcheck disable=SC1091
. "$VENV/bin/activate"

# NOTE(review): requirements.txt is not visible from this script. Confirm it
# pins exact versions (ideally with hashes, enforceable through pip's
# --require-hashes) so every bootstrap installs the same reviewed packages.
printf '%s\n' "[policy-service] installing requirements"
pip install \
  --quiet \
  --disable-pip-version-check \
  -r requirements.txt

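echo "[policy-service] running example regression"

# Capture the regression output in a private file from mktemp instead of the
# fixed name /tmp/policy-verify.log. /tmp is shared and world-writable: a
# fixed name can be pre-created or symlinked by another local account, so the
# redirect below would write through it, and the log would be readable by
# other users. mktemp creates a fresh, unpredictable file for this run.
verify_log="$(mktemp "${TMPDIR:-/tmp}/policy-verify.XXXXXX")" || {
  echo "[policy-service] could not create a temporary log file" >&2
  exit 1
}

# Only stdout of verify_examples.py is captured; its stderr still goes to the
# terminal.
if ! python3 verify_examples.py > "$verify_log"; then
  # Diagnostics go to stderr. The log is kept on failure so the complete
  # output can still be inspected after the 20-line excerpt.
  echo "[policy-service] EXAMPLE REGRESSION FAILED · aborting" >&2
  tail -n 20 -- "$verify_log" >&2
  echo "[policy-service] full log kept at $verify_log" >&2
  exit 1
fi

# On success, show the last line of the log and remove the temporary file so
# repeated runs do not accumulate logs.
tail -n 1 -- "$verify_log"
rm -f -- "$verify_log"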

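# The file header describes this service as "No JWT · no audit sink ·
# localhost only", but HOST can be overridden through POLICY_HOST. Warn on
# stderr when the bind address is not a known loopback name, because the
# endpoints listed below would then be reachable without authentication.
# This is a warning only: startup continues so existing callers keep working.
case "$HOST" in
  127.0.0.1 | localhost | ::1) ;;
  *)
    echo "[policy-service] WARNING: binding to '$HOST', which is not one of 127.0.0.1, localhost or ::1" >&2
    echo "[policy-service] WARNING: this dev server has no authentication; do not expose it beyond this machine" >&2
    ;;
esac

# Startup banner: base URL followed by the available endpoints. The
# access/check line is a ready-to-use sample query with example identifiers.
printf '%s\n' \
  "[policy-service] starting on http://$HOST:$PORT" \
  "[policy-service] endpoints:" \
  "  GET  http://$HOST:$PORT/api/policy/health" \
  "  GET  http://$HOST:$PORT/api/policy/access/check?actor_role=tenant_admin&actor_user_id=U-TA-1&actor_tenant_id=pty-zeroth&target_tenant_id=pty-zeroth&field_category=email" \
  "  POST http://$HOST:$PORT/api/policy/mask/resolve" \
  "  POST http://$HOST:$PORT/api/policy/assist/validate" \
  "  POST http://$HOST:$PORT/api/policy/view-as/validate" \
  "  POST http://$HOST:$PORT/api/policy/sensitive/check" \
  ""

# exec replaces this shell with the server process, so signals such as
# Ctrl-C reach uvicorn directly and nothing after this line runs.
exec python3 -m uvicorn app:app --host "$HOST" --port "$PORT" --log-level info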
