plex-playlist/scripts/check-dockerfile-boundaries.sh
copilotcoder bb526cde80
feat(ci): enforce runtime-validation image separation
Add Dockerfile boundary checks and deployable image purity validation for backend/frontend runtime artifacts. Wire enforcement into CI workflows and document runtime-vs-validation ownership.
2026-06-19 17:30:04 -04:00


#!/usr/bin/env bash
# Guard that the deployable backend/frontend Dockerfiles stay free of
# CI/validation-only images and tooling, and that their runtime bases
# are the expected ones.
set -euo pipefail

# Resolve the repository root (one level above this script) and work from
# there so the Dockerfile names below resolve regardless of the caller's cwd.
ROOT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/.." && pwd)
cd -- "${ROOT_DIR}"

# Deployable images under inspection.
backend_file=Dockerfile.backend
frontend_file=Dockerfile.frontend

# Names tied to the CI/validation base image that must never appear in a
# runtime Dockerfile.
declare -a disallowed_references=(
  cicd-base
  CICD_BASE_IMAGE
  Dockerfile.cicd
  Dockerfile.cicd-base
  plex-playlist-cicd
)

# Lint/test/type-check tools that belong to validation images only.
declare -a disallowed_runtime_tools=(
  ruff pyright pytest pydoclint xdoctest
  pre-commit yamllint toml-sort
  eslint prettier typescript vitest playwright
)
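#######################################
# Fail when a token appears on a non-comment line of a file.
# Lines whose first non-blank character is '#' are dropped before the
# search, so a mention inside a Dockerfile comment does not trip the check.
# The token is matched as a literal string (not a regex), case-insensitively.
# Arguments: $1 - file to scan
#            $2 - token that must not appear
# Outputs:   diagnostic on stderr when the token is found or the file
#            cannot be read
# Returns:   0 when the token is absent, 1 otherwise
#######################################
check_absent() {
  local file="$1"
  local token="$2"
  # An unreadable/missing file must not pass silently: grep would fail, the
  # pipeline below would be non-zero, and the check would report "absent".
  if [[ ! -r "${file}" ]]; then
    echo "❌ Cannot read ${file} while checking for token '${token}'" >&2
    return 1
  fi
  # -F keeps '.' in tokens such as Dockerfile.cicd literal instead of a
  # wildcard, and '--' protects tokens that begin with '-'.
  if grep -Eiv '^[[:space:]]*#' -- "${file}" | grep -Fiq -- "${token}"; then
    echo "❌ Found disallowed token '${token}' in ${file}" >&2
    return 1
  fi
  return 0
}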
# Scan both deployable Dockerfiles for every disallowed token, continuing
# past the first hit so that all violations are reported in one run.
status=0
for token in "${disallowed_references[@]}" "${disallowed_runtime_tools[@]}"; do
  for dockerfile in "${backend_file}" "${frontend_file}"; do
    check_absent "${dockerfile}" "${token}" || status=1
  done
done

# Runtime base images: the backend must build on python:3.14-slim and the
# frontend's production stage on nginx:alpine.
grep -Eq '^FROM[[:space:]]+python:3\.14-slim' "${backend_file}" || {
  printf '%s must use python:3.14-slim as runtime base\n' "${backend_file}" >&2
  status=1
}
grep -Eq '^FROM[[:space:]]+nginx:alpine[[:space:]]+AS[[:space:]]+production' "${frontend_file}" || {
  printf '%s must use nginx:alpine for production target\n' "${frontend_file}" >&2
  status=1
}

(( status == 0 )) || exit "${status}"
echo "✅ Dockerfile runtime boundaries are valid"