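#!/bin/sh
# Container entrypoint: reset the arrival log, publish a per-boot nonce, then
# replace this shell with the Tomcat launcher.
#
# Environment:
#   NONCE_DIR  directory that receives boot_nonce and arrivals.log
#              (default: /nonce)
#
# -e stops at the first failing step, so Tomcat is never started without a
# nonce on disk; -u turns a mistyped variable name into an error instead of
# an empty path.
set -eu

# Fresh-secret-on-boot: generate a NEW random nonce on every container start.
# Never baked into the image; written here at runtime.
NONCE_DIR="${NONCE_DIR:-/nonce}"
mkdir -p "$NONCE_DIR"

# The kernel returns a newly generated random UUID on every read of this file.
NONCE="$(cat /proc/sys/kernel/random/uuid)"

# Fail closed: an empty value must never be published as the boot nonce.
if [ -z "$NONCE" ]; then
  echo "[backend-entrypoint] empty nonce read from /proc/sys/kernel/random/uuid; aborting" >&2
  exit 1
fi

# Start fresh arrival log each boot so prior runs do not bleed into this one.
# Truncated before the nonce is written, so the new nonce is never on disk
# next to entries left over from the previous boot.
: > "$NONCE_DIR/arrivals.log"

# No trailing newline: the file holds exactly the UUID text.
printf '%s' "$NONCE" > "$NONCE_DIR/boot_nonce"

# NOTE(review): 0644 lets every local user (and anything else that mounts
# NONCE_DIR) read the nonce. Presumably a separate reader needs that; confirm,
# and tighten the mode and ownership if only this container consumes it.
chmod 0644 "$NONCE_DIR/boot_nonce" "$NONCE_DIR/arrivals.log"

echo "[backend-entrypoint] fresh boot nonce written to $NONCE_DIR/boot_nonce"

# Hand off to the stock Tomcat launcher.
# exec keeps Tomcat in this process, so signals sent to the container reach it
# directly rather than stopping at a wrapper shell.
exec catalina.sh run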
