// OIDC Attestor — SPIRE WorkloadAttestor plugin.
//
// Runs in SPIRE Agent. Verifies OIDC tokens presented by workloads
// and maps their claims to SPIRE selectors for registration matching.
package main

import (
	"github.com/hashicorp/go-plugin"
)

// handshakeConfig is the HandshakeConfig for this plugin.
// TODO: replace with SPIRE Plugin SDK handshake once
// github.com/spiffe/spire-plugin-sdk is added as a dependency.
var handshakeConfig = plugin.HandshakeConfig{
	ProtocolVersion:  1,
	MagicCookieKey:   "ServerAgent",
	MagicCookieValue: "GuildhouseSpire",
}

func main() {
	// TODO: register OIDCAttestor as a GRPCPlugin implementing
	// the SPIRE WorkloadAttestor interface. The plugin will:
	// 1. Receive a workload PID from SPIRE Agent
	// 2. Read the workload's OIDC token (from filesystem or environment)
	// 3. Verify the token using pkg/oidc
	// 4. Return selectors: oidc:sub:<subject>, oidc:iss:<issuer>, oidc:email:<email>
	plugin.Serve(&plugin.ServeConfig{
		HandshakeConfig: handshakeConfig,
		Plugins:         map[string]plugin.Plugin{},
		GRPCServer:      plugin.DefaultGRPCServer,
	})
}