// Package gsap defines the SPIRE selector vocabulary for GSAP-attested workloads.
//
// The constants mirror the Rust definitions in gsap-types/src/selectors.rs.
// Selectors are formatted as "gsap:key:value" and reported by the gsap-attestor
// WorkloadAttestor plugin.
package gsap

const SelectorType = "gsap"

const (
	SelectorContextID      = "context_id"
	SelectorCapabilityMask = "capability_mask"
	SelectorCorpusCID      = "corpus_cid"
	SelectorParametersCID  = "parameters_cid"
	SelectorAccordTemplate = "accord_template"
	SelectorPlaybook       = "playbook"
	SelectorPrincipalDID   = "principal_did"
	SelectorDriverID       = "driver_id"
	SelectorSessionMode    = "session_mode"
	SelectorShellClass     = "shell_class"
	SelectorPostureLevel   = "posture_level"
)

var AllSelectorKeys = []string{
	SelectorContextID,
	SelectorCapabilityMask,
	SelectorCorpusCID,
	SelectorParametersCID,
	SelectorAccordTemplate,
	SelectorPlaybook,
	SelectorPrincipalDID,
	SelectorDriverID,
	SelectorSessionMode,
	SelectorShellClass,
	SelectorPostureLevel,
}

// FormatSelector builds a SPIRE selector string "gsap:key:value".
func FormatSelector(key, value string) string {
	return SelectorType + ":" + key + ":" + value
}

// CapabilityCeilingToHex translates BASCULE_CAPABILITY_CEILING name strings
// to the hex mask used by GSAP selectors. Ceiling semantics are cumulative:
// CAP_MUTATE means "up to and including MUTATE" = READ|PROPOSE|MUTATE = 0x07.
var CapabilityCeilingToHex = map[string]string{
	"CAP_NONE":    "0x00",
	"CAP_READ":    "0x01",
	"CAP_PROPOSE": "0x03",
	"CAP_MUTATE":  "0x07",
	"CAP_GOVERN":  "0x0f",
}