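#!/usr/bin/env bash
#
# Wrapper that runs semgrep with a writable home directory, an explicit CA
# bundle, and metrics / version checks defaulted to off.
#
# Arguments: passed through unchanged to semgrep.
# Environment (a value already set by the caller is kept):
#   SSL_CERT_FILE, REQUESTS_CA_BUNDLE
#   SEMGREP_SEND_METRICS, SEMGREP_ENABLE_VERSION_CHECK
# Exit status: semgrep's own, or 2 if a state directory fails the safety check.
set -euo pipefail

# Semgrep writes state/logs under ~/.semgrep by default.
# In this Codex sandbox, $HOME is not writable, so force a writable home.
export HOME="/tmp/semgrep-home"
# NOTE(review): confirm the installed semgrep release reads SEMGREP_USER_HOME.
export SEMGREP_USER_HOME="/tmp/semgrep-user"

# Also set an explicit CA bundle to avoid semgrep-core failing with
# "ca-certs: empty trust anchors".
# NOTE(review): /etc/ssl/cert.pem is not present on every system; the path is
# not checked here, so a missing bundle surfaces later as a TLS error.
export SSL_CERT_FILE="${SSL_CERT_FILE:-/etc/ssl/cert.pem}"
export REQUESTS_CA_BUNDLE="${REQUESTS_CA_BUNDLE:-/etc/ssl/cert.pem}"

# The two state directories are fixed names under /tmp, which other local
# accounts can usually write to. Whoever creates such a path first controls the
# dotfiles that semgrep (and any tool it starts) reads from $HOME, so an
# existing path is accepted only if it is a real directory owned by this user.
for state_dir in "$HOME" "$SEMGREP_USER_HOME"; do
  # Best effort, as before: a failed mkdir is reported below, not fatal.
  mkdir -m 700 -p -- "$state_dir" 2>/dev/null || true

  if [[ -L "$state_dir" ]]; then
    printf 'error: %s is a symlink; refusing to use it as semgrep state dir\n' \
      "$state_dir" >&2
    exit 2
  elif [[ ! -e "$state_dir" ]]; then
    printf 'warning: could not create %s; semgrep may fail to write state\n' \
      "$state_dir" >&2
  elif [[ ! -d "$state_dir" || ! -O "$state_dir" ]]; then
    printf 'error: %s is not a directory owned by the current user\n' \
      "$state_dir" >&2
    exit 2
  else
    # Tighten a directory left over from an earlier run with a looser mode.
    chmod 700 -- "$state_dir" ||
      printf 'warning: could not restrict permissions on %s\n' "$state_dir" >&2
  fi
done

# Reduce any background network chatter.
export SEMGREP_SEND_METRICS="${SEMGREP_SEND_METRICS:-off}"
export SEMGREP_ENABLE_VERSION_CHECK="${SEMGREP_ENABLE_VERSION_CHECK:-0}"

# exec replaces this shell so semgrep's exit status reaches the caller directly.
exec semgrep "$@"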
