defmodule SimpleshopTheme.Secrets do
  @moduledoc """
  Loads encrypted secrets from the database into Application env at runtime.

  Secrets are stored encrypted in the settings table via `Settings.put_secret/2`
  and loaded into the appropriate Application config on startup. This keeps all
  credentials in the portable SQLite database, encrypted via the Vault module.

  The only external dependency is `SECRET_KEY_BASE` (used to derive encryption keys).
  """

  alias SimpleshopTheme.Settings

  require Logger

  # Registry of {settings_key, app, env_key} — add new secrets here
  @secret_registry [
    {"stripe_api_key", :stripity_stripe, :api_key},
    {"stripe_signing_secret", :stripity_stripe, :signing_secret}
  ]

  @doc """
  Loads all secrets from the database into Application env.

  Called at startup from the supervision tree, after the Repo is ready.
  """
  def load_all do
    for {settings_key, app, env_key} <- @secret_registry do
      case Settings.get_secret(settings_key) do
        nil ->
          :skip

        value ->
          Application.put_env(app, env_key, value)
          Logger.debug("Loaded #{settings_key} from database")
      end
    end

    :ok
  end
end