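// Package sshcert builds SSH certificates with Shellstream extensions,
// bridging SPIFFE identity and Guildhouse governance metadata.
package sshcert

import (
	"errors"
	"fmt"
	"strings"

	"github.com/guildhouse-cooperative/guildhouse-spire-plugins/pkg/shellstream"
)

// spiffeScheme is the URI scheme prefix every SPIFFE ID must carry.
const spiffeScheme = "spiffe://"

// Sentinel errors returned by NewBuilder and Builder.Build. Callers should
// match them with errors.Is rather than comparing message text; Build may
// wrap them with additional context.
var (
	// ErrTrustDomainRequired is returned by NewBuilder when Config.TrustDomain is empty.
	ErrTrustDomainRequired = errors.New("sshcert: trust domain is required")
	// ErrNilRequest is returned by Build when the request is nil.
	ErrNilRequest = errors.New("sshcert: nil request")
	// ErrSPIFFEIDRequired is returned by Build when the request carries no SPIFFE ID.
	ErrSPIFFEIDRequired = errors.New("sshcert: spiffe ID is required")
	// ErrSPIFFEIDInvalid is returned by Build when the SPIFFE ID lacks the
	// spiffe:// scheme or names a trust domain other than the builder's.
	ErrSPIFFEIDInvalid = errors.New("sshcert: spiffe ID is not valid for this trust domain")
	// ErrNotImplemented is returned by Build until certificate signing exists.
	ErrNotImplemented = errors.New("sshcert: Build not yet implemented")
)

// Config holds SSH certificate builder configuration.
type Config struct {
	// TrustDomain is the SPIFFE trust domain. Every SPIFFE ID passed to
	// Build must belong to this trust domain.
	TrustDomain string
}

// CertRequest describes an SSH certificate to build.
type CertRequest struct {
	// SpiffeID is the workload's SPIFFE ID (used as principal).
	SpiffeID string
	// Extensions are the Shellstream governance extensions to embed.
	Extensions *shellstream.ShellstreamExtensions
	// ValidSeconds is the certificate lifetime in seconds.
	ValidSeconds uint64
	// Principals are additional SSH principals beyond the SPIFFE ID.
	Principals []string
}

// Builder creates SSH certificates with Shellstream extensions.
type Builder struct {
	config Config
}

// NewBuilder creates an SSH certificate builder.
//
// It returns ErrTrustDomainRequired when cfg.TrustDomain is empty.
func NewBuilder(cfg Config) (*Builder, error) {
	if cfg.TrustDomain == "" {
		return nil, ErrTrustDomainRequired
	}
	return &Builder{config: cfg}, nil
}

// Build creates an SSH certificate from the request.
//
// It validates the request before any signing takes place: the request must
// be non-nil, carry a SPIFFE ID, and that ID must belong to the builder's
// configured trust domain (see ErrNilRequest, ErrSPIFFEIDRequired and
// ErrSPIFFEIDInvalid). Certificate construction itself is not implemented
// yet, so a valid request currently yields ErrNotImplemented.
//
// TODO: implement — create golang.org/x/crypto/ssh.Certificate with Shellstream extensions.
func (b *Builder) Build(req *CertRequest) ([]byte, error) {
	if req == nil {
		return nil, ErrNilRequest
	}
	if req.SpiffeID == "" {
		return nil, ErrSPIFFEIDRequired
	}
	// The SPIFFE ID becomes the certificate principal, so it must name a
	// workload in the trust domain this builder was configured for; a
	// builder must never mint credentials for identities of another domain.
	if err := b.checkTrustDomain(req.SpiffeID); err != nil {
		return nil, err
	}
	// TODO: implement — generate key pair, build certificate, sign with CA key
	return nil, ErrNotImplemented
}

// checkTrustDomain verifies that id has the form spiffe://<trust-domain>/<path>
// with <trust-domain> equal to b.config.TrustDomain (compared exactly, no
// case folding). It returns an error wrapping ErrSPIFFEIDInvalid otherwise.
func (b *Builder) checkTrustDomain(id string) error {
	if !strings.HasPrefix(id, spiffeScheme) {
		return fmt.Errorf("%w: %q does not start with %s", ErrSPIFFEIDInvalid, id, spiffeScheme)
	}
	// The authority component runs up to the first '/' after the scheme.
	domain, _, _ := strings.Cut(strings.TrimPrefix(id, spiffeScheme), "/")
	if domain != b.config.TrustDomain {
		return fmt.Errorf("%w: %q is not in trust domain %q", ErrSPIFFEIDInvalid, id, b.config.TrustDomain)
	}
	return nil
}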