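#!/bin/sh
# Container entrypoint: installs an optional corporate CA, tightens SSH key
# permissions, registers per-host git HTTPS credential helpers, then starts the
# requested service.
#
# Usage: docker-entrypoint [web|mcp|<command> [args...]]   (default: web)
# Environment read: GIT_TOKEN_BITBUCKET, BITBUCKET_HOST, GIT_TOKEN_GITLAB,
#                   GITLAB_HOST, DATABASE_URL, PORT, MCP_PORT
set -e

# ---------------------------------------------------------------------------
# 1. Trust corporate CA — must run first
# ---------------------------------------------------------------------------
# Whatever is mounted at /certs/corp-ca.crt becomes a system-wide trust anchor,
# so the integrity of that mount decides which TLS peers this container trusts.
# NOTE(review): Node.js does not read the system trust store by default —
# confirm NODE_EXTRA_CA_CERTS (or equivalent) is set elsewhere if the node
# processes below must trust this CA as well.
if [ -f /certs/corp-ca.crt ]; then
  echo "[docker-entrypoint] Installing corporate CA certificate..."
  if openssl x509 -inform PEM -in /certs/corp-ca.crt -noout 2>/dev/null; then
    # PEM format — copy directly
    cp /certs/corp-ca.crt /usr/local/share/ca-certificates/corp-ca.crt
  else
    # DER format — convert to PEM; a file that is neither PEM nor DER makes
    # openssl fail and `set -e` stops the container here.
    openssl x509 -inform DER -in /certs/corp-ca.crt \
      -out /usr/local/share/ca-certificates/corp-ca.crt
  fi
  # stderr stays suppressed as before, so report the failure explicitly rather
  # than letting `set -e` end the container with no diagnostic at all.
  if ! update-ca-certificates 2>/dev/null; then
    echo "[docker-entrypoint] update-ca-certificates failed; aborting" >&2
    exit 1
  fi
fi

# ---------------------------------------------------------------------------
# 2. Fix SSH key permissions (Windows mounts arrive world-readable)
# ---------------------------------------------------------------------------
if [ -d /root/.ssh ]; then
  echo "[docker-entrypoint] Fixing SSH key permissions..."
  # Not best-effort: under `set -e` a failing chmod here (for example on a
  # read-only mount) stops the container.
  chmod 700 /root/.ssh
  # Best-effort: an empty directory leaves the glob unmatched and chmod fails.
  # The glob does not match dotfiles.
  chmod 600 /root/.ssh/* 2>/dev/null || true
fi

# ---------------------------------------------------------------------------
# 3. Per-host HTTPS credential helpers
# ---------------------------------------------------------------------------
# Each helper is single-quoted so that only the variable *name* is written to
# the global git config; the token itself is expanded from the environment when
# git invokes the helper. The password line uses printf with a quoted expansion
# so a token containing whitespace, glob characters or backslashes is passed
# through unchanged (an unquoted `echo password=$VAR` would split, glob, or —
# depending on the shell's echo — interpret escapes in it).
if [ -n "$GIT_TOKEN_BITBUCKET" ] && [ -n "$BITBUCKET_HOST" ]; then
  echo "[docker-entrypoint] Configuring Bitbucket credential helper for ${BITBUCKET_HOST}..."
  git config --global \
    "credential.https://${BITBUCKET_HOST}.helper" \
    '!f() { echo username=x-token-auth; printf "password=%s\n" "$GIT_TOKEN_BITBUCKET"; }; f'
fi

if [ -n "$GIT_TOKEN_GITLAB" ] && [ -n "$GITLAB_HOST" ]; then
  echo "[docker-entrypoint] Configuring GitLab credential helper for ${GITLAB_HOST}..."
  git config --global \
    "credential.https://${GITLAB_HOST}.helper" \
    '!f() { echo username=oauth2; printf "password=%s\n" "$GIT_TOKEN_GITLAB"; }; f'
fi

# ---------------------------------------------------------------------------
# 4. Start requested service
# ---------------------------------------------------------------------------
# `exec` replaces this shell, so the service receives signals directly.
case "${1:-web}" in
  web)
    echo "Running database migrations..."
    # A failed migration stops the container (set -e) before the app starts.
    DATABASE_URL="$DATABASE_URL" npx drizzle-kit migrate
    echo "Starting TrueRef web app on port ${PORT:-3000}..."
    exec node build
    ;;
  mcp)
    MCP_PORT="${MCP_PORT:-3001}"
    echo "Starting TrueRef MCP HTTP server on port ${MCP_PORT}..."
    exec npx tsx src/mcp/index.ts --transport http --port "$MCP_PORT"
    ;;
  *)
    # Any other argument list is run verbatim as the container command.
    exec "$@"
    ;;
esac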