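#!/bin/sh
# Container startup wrapper for the missions service.
#
# Registers any CA certificates mounted into /usr/local/share/ca-certificates/
# with the system trust store, then execs the original ENTRYPOINT command.
#
# Usage (as the image ENTRYPOINT):
#   <this script> <command> [args...]
# The wrapped command is mandatory. Invoking the wrapper with no command is a
# misconfiguration and exits with status 2; previously a bare `exec` with no
# arguments was a no-op and the container exited 0 without running anything.
#
# Why this exists:
#   .NET HttpClient (used by the JwtBearer JWKS retriever) trusts only CAs in
#   /etc/ssl/certs/ca-certificates.crt on Debian-based images. A CA file
#   dropped into /usr/local/share/ca-certificates/ is NOT picked up until
#   `update-ca-certificates` regenerates the bundle. Because the test harness
#   mounts the jwks-mock CA at runtime (not build time), we have to run this
#   on every container start.
#
# Production semantics:
#   When no extra CAs are mounted, `update-ca-certificates --fresh` just
#   rewrites the bundle from the OS-provided certs, leaving its contents
#   unchanged. Operators deploying behind an enterprise PKI can mount their
#   CA and have it trusted without rebuilding the image.
#
#   Trust boundary: anything that can write to that mount path can add a root
#   the service will trust for every outbound TLS connection (JWKS included),
#   so the mount must be controlled as tightly as the image itself.
#
# Error handling:
#   Only the CA-update step is `|| true`d: if it fails (e.g. an unwritable
#   /etc/ssl, such as a read-only rootfs or a non-root runtime user) the
#   service still starts with the bundle baked into the image. Its stderr is
#   deliberately left attached to the container log so that a mounted CA the
#   tool skipped or could not parse is visible when the JWKS HTTPS handshake
#   later fails; only the routine stdout progress output is discarded.
#   Errors from the wrapped dotnet command are not swallowed -- they propagate
#   normally via `exec`.
set -eu

# Fail fast on a missing command rather than exiting 0 with nothing running.
if [ "$#" -eq 0 ]; then
  printf '%s: missing command to exec (usage: %s <command> [args...])\n' \
    "${0##*/}" "${0##*/}" >&2
  exit 2
fi

if command -v update-ca-certificates >/dev/null 2>&1; then
  # stdout is progress chatter only; stderr (warnings) stays visible.
  update-ca-certificates --fresh >/dev/null || true
fi

exec "$@"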