// SSH Credential Composer — SPIRE CredentialComposer plugin.
//
// Runs in SPIRE Server. Intercepts SVID minting to generate SSH certificates
// with Shellstream governance extensions. Handles both SSH certificate creation
// and governance metadata injection in a single plugin.
package main

import (
	"github.com/hashicorp/go-plugin"
)

// handshakeConfig is the HandshakeConfig for this plugin.
// TODO: replace with SPIRE Plugin SDK handshake once
// github.com/spiffe/spire-plugin-sdk is added as a dependency.
var handshakeConfig = plugin.HandshakeConfig{
	ProtocolVersion:  1,
	MagicCookieKey:   "ServerAgent",
	MagicCookieValue: "GuildhouseSpire",
}

func main() {
	// TODO: register SSHCredentialComposer as a GRPCPlugin implementing
	// the SPIRE CredentialComposer interface. The plugin will:
	// 1. Receive SVID minting request from SPIRE Server
	// 2. Generate an SSH certificate with the SPIFFE ID as principal
	// 3. Encode Shellstream extensions (sat-scope, tenant-id, roles, etc.)
	// 4. Sign the certificate with the SSH CA key
	// 5. Return the composed credential
	plugin.Serve(&plugin.ServeConfig{
		HandshakeConfig: handshakeConfig,
		Plugins:         map[string]plugin.Plugin{},
		GRPCServer:      plugin.DefaultGRPCServer,
	})
}