/**
 * Startup bootstrap.
 *
 * Pulls the service's settings out of Azure Key Vault and only then loads the
 * main application. Per this file's original notes, resolveSecrets()
 * authenticates with DefaultAzureCredential (Azure CLI in dev, Managed
 * Identity in production) and falls back to the existing .env values when
 * Key Vault is unreachable or AZURE_KEYVAULT_URL is not set.
 *
 * Resolution has to finish before config/index.ts is evaluated, because that
 * module reads process.env; the dynamic import at the bottom enforces the
 * ordering.
 *
 * NOTE(review): the fallback is fail-open. From this file alone, a vault
 * outage or a missing AZURE_KEYVAULT_URL in production cannot be told apart
 * from an intentional local run. Confirm that resolveSecrets() logs the
 * fallback and that config/index.ts rejects missing required values.
 *
 * NOTE(review): whether a Key Vault value overrides a variable that is
 * already present in the environment is decided inside resolveSecrets() and
 * is not visible here. Verify the precedence.
 */
import { resolveSecrets, type SecretMapping } from '@bytelyst/config';

// Key Vault secret name -> environment variable that receives its value.
// COSMOS_KEY and AZURE_OPENAI_KEY are credentials. Once resolved they sit in
// process.env for the life of the process, so environment dumps and child
// processes that inherit the environment can read them.
const KEY_VAULT_SECRET_MAPPINGS: SecretMapping[] = [
  { kvName: 'invttrdg-cosmos-endpoint', envVar: 'COSMOS_ENDPOINT' },
  { kvName: 'invttrdg-cosmos-key', envVar: 'COSMOS_KEY' },
  { kvName: 'invttrdg-cosmos-database', envVar: 'COSMOS_DATABASE' },
  { kvName: 'invttrdg-azure-openai-endpoint', envVar: 'AZURE_OPENAI_ENDPOINT' },
  { kvName: 'invttrdg-azure-openai-key', envVar: 'AZURE_OPENAI_KEY' },
  { kvName: 'invttrdg-azure-openai-deployment', envVar: 'AZURE_OPENAI_DEPLOYMENT' },
  { kvName: 'invttrdg-product-id', envVar: 'PRODUCT_ID' },
];

// Key Vault resolution is triggered only when AZURE_KEYVAULT_URL is set.
// Without it, resolveSecrets() is described as a no-op and the .env values
// are used unchanged.
const vaultUrl = process.env.AZURE_KEYVAULT_URL;

await resolveSecrets(KEY_VAULT_SECRET_MAPPINGS, { vaultUrl });

// Load the application only now: the dynamic import keeps config/index.ts and
// every module it pulls in from evaluating before process.env is populated.
// tradingTelemetry.init() runs at the start of main() in index.ts.
await import('./index.js');