package main

// Assumed dependency: the "oidc.Verifier" named in the original TODO is taken to be
// go-oidc's IDTokenVerifier (import path is an assumption, not stated on the page).
import "github.com/coreos/go-oidc/v3/oidc"

// OIDCAttestor implements the SPIRE WorkloadAttestor plugin interface.
//
// When SPIRE Agent needs to attest a workload, it calls Attest() with the
// workload's process ID. This plugin reads the workload's OIDC token and
// returns selectors based on the verified claims.
//
// Selectors produced:
//   - oidc:sub:   — OIDC subject claim
//   - oidc:iss:   — OIDC issuer
//   - oidc:email: — OIDC email claim (if present)
//   - oidc:group: — one per OIDC group claim (if present)
type OIDCAttestor struct {
	// verifier validates the workload's ID token (signature, issuer, audience,
	// expiry) before any claim is turned into a selector.
	verifier *oidc.IDTokenVerifier

	// tokenPath is the configured location from which the workload's token is
	// discovered; the exact discovery scheme is plugin configuration.
	tokenPath string
}
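The comment above lists the selectors the plugin derives from verified claims but not how the mapping handles the awkward cases a real identity provider produces: a missing `sub` or `iss`, a `groups` claim emitted as a single string rather than an array, and duplicate or blank group entries. The following is an added example, not code from the plugin or from SPIRE; it assumes the verifier hands back the claims as a JSON payload (as go-oidc's `IDToken.Claims` does) and that selector strings use the `oidc:<key>:<value>` form shown in the comment. Names such as `verifiedClaims` and `selectorsFromPayload` are illustrative.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// verifiedClaims holds the subset of ID-token claims that become selectors.
// "groups" is kept raw because identity providers differ: most emit a JSON
// array, some emit a bare string when the subject is in exactly one group.
type verifiedClaims struct {
	Subject string          `json:"sub"`
	Issuer  string          `json:"iss"`
	Email   string          `json:"email"`
	Groups  json.RawMessage `json:"groups"`
}

// groupList normalises the groups claim to a de-duplicated, sorted slice so
// that the selector set is deterministic regardless of how the IdP ordered it.
func (c verifiedClaims) groupList() ([]string, error) {
	if len(c.Groups) == 0 || string(c.Groups) == "null" {
		return nil, nil
	}
	var groups []string
	if err := json.Unmarshal(c.Groups, &groups); err != nil {
		var single string
		if err2 := json.Unmarshal(c.Groups, &single); err2 != nil {
			return nil, fmt.Errorf("groups claim is neither array nor string: %w", err)
		}
		groups = []string{single}
	}
	seen := make(map[string]struct{}, len(groups))
	out := make([]string, 0, len(groups))
	for _, g := range groups {
		g = strings.TrimSpace(g)
		if g == "" {
			continue // a blank group would yield the meaningless selector "oidc:group:"
		}
		if _, dup := seen[g]; dup {
			continue
		}
		seen[g] = struct{}{}
		out = append(out, g)
	}
	sort.Strings(out)
	return out, nil
}

// selectorsFromClaims maps verified claims to selector strings. It must only be
// called with claims that came out of the verifier: sub and iss are mandatory
// because a selector set without them would let a workload match policy on
// optional claims alone.
func selectorsFromClaims(c verifiedClaims) ([]string, error) {
	if c.Subject == "" || c.Issuer == "" {
		return nil, errors.New("token is missing required sub or iss claim")
	}
	sel := []string{
		"oidc:sub:" + c.Subject,
		"oidc:iss:" + c.Issuer,
	}
	if c.Email != "" {
		sel = append(sel, "oidc:email:"+c.Email)
	}
	groups, err := c.groupList()
	if err != nil {
		return nil, err
	}
	for _, g := range groups {
		sel = append(sel, "oidc:group:"+g)
	}
	return sel, nil
}

// selectorsFromPayload decodes the JSON claims payload returned by the verifier
// and converts it to selectors.
func selectorsFromPayload(payload []byte) ([]string, error) {
	var c verifiedClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return selectorsFromClaims(c)
}

func main() {
	// Constructed sample payload, shaped like what a verifier returns after the
	// signature, issuer and expiry checks have passed; not a real token.
	payload := []byte(`{"iss":"https://issuer.example","sub":"svc-123",` +
		`"email":"svc@example.test","groups":["ops","dev","ops"]}`)
	sel, err := selectorsFromPayload(payload)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, s := range sel {
		fmt.Println(s)
	}
}
```

The ordering is fixed (sub, iss, email, then sorted groups) so that two attestations of the same workload always produce an identical selector set, which keeps registration-entry matching and log comparison predictable.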