// OIDC Attestor — SPIRE WorkloadAttestor plugin.
//
// Runs in SPIRE Agent. Verifies OIDC tokens presented by workloads
// and maps their claims to SPIRE selectors for registration matching.
//
// This file is currently a stub: main reports that the plugin is not
// implemented and exits with a non-zero status, so nothing is attested.
package main

import (
	"fmt"
	"os"
)

// notImplementedNotice is the message written to stderr by the stub.
const notImplementedNotice = "oidc-attestor: SPIRE WorkloadAttestor plugin (not yet implemented)"

// main is a placeholder entry point. It writes notImplementedNotice to
// stderr and exits with status 1, so the stub never produces selectors.
func main() {
	// TODO: wire up go-plugin serve with SPIRE WorkloadAttestor interface.
	//
	// Planned flow:
	//   1. Receive a workload PID from SPIRE Agent.
	//   2. Read the workload's OIDC token (from filesystem or environment).
	//      The token is workload-supplied input and must be treated as
	//      untrusted until step 3 succeeds.
	//   3. Verify the token using pkg/oidc.
	//      NOTE(review): pkg/oidc is not visible from this file — confirm it
	//      checks signature, issuer, audience and expiry before any claim
	//      is used.
	//   4. Return selectors: oidc:sub:, oidc:iss:, oidc:email:
	//      Selectors should be built only from claims of a verified token.
	//      NOTE(review): consider emitting the email selector only when the
	//      issuer marks the address as verified (email_verified claim).
	//
	// NOTE(review): an OIDC token is a bearer credential, so these selectors
	// describe whoever holds the token rather than the process itself;
	// registration entries will presumably want to pair them with selectors
	// the agent derives from the PID — confirm in the design.
	fmt.Fprintln(os.Stderr, notImplementedNotice)
	os.Exit(1)
}