// Substrate KeyManager — SPIRE KeyManager plugin.
//
// Runs in SPIRE Server. Manages signing keys with governance-aware rotation.
// Key rotation events require ceremony approval when the Accord policy demands it,
// ensuring that CA key changes are governed mutations.
package main

import (
	"github.com/hashicorp/go-plugin"
)

// handshakeConfig is the HandshakeConfig for this plugin.
// TODO: replace with SPIRE Plugin SDK handshake once
// github.com/spiffe/spire-plugin-sdk is added as a dependency.
var handshakeConfig = plugin.HandshakeConfig{
	ProtocolVersion:  1,
	MagicCookieKey:   "ServerAgent",
	MagicCookieValue: "GuildhouseSpire",
}

func main() {
	// TODO: register SubstrateKeyManager as a GRPCPlugin implementing
	// the SPIRE KeyManager interface. The plugin will:
	// 1. Generate and store signing keys (Ed25519 for SSH, ECDSA for X.509)
	// 2. Provide signing operations to SPIRE Server
	// 3. On key rotation: create a governance intent and await ceremony approval
	// 4. Submit key rotation events to NotaryService for merkle anchoring
	plugin.Serve(&plugin.ServeConfig{
		HandshakeConfig: handshakeConfig,
		Plugins:         map[string]plugin.Plugin{},
		GRPCServer:      plugin.DefaultGRPCServer,
	})
}