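package cni

import (
	"fmt"
	"net/netip"

	"github.com/containernetworking/cni/pkg/skel"
	"github.com/guildhouse-co/kedge/internal/topology"
)

// applySVIDPolicy enforces SVID-scoped network policy on the pod's net1 interface.
// Restricts which subnets are reachable and which mode (overlay/underlay) is authorized
// based on the pod's SPIFFE identity.
//
// Phase 1 behaviour: this is a no-op that always returns nil, i.e. every Bascule
// runtime pod gets full access. A nil return therefore does not mean that any
// policy was evaluated or that any rule was programmed on the veth pair; callers
// must not treat it as evidence of enforcement until the TODOs below are done.
func applySVIDPolicy(args *skel.CmdArgs, conf *NetConf, topo *topology.MeshTopology) error {
	// Phase 1: permissive — all Bascule runtime pods get full access.
	// TODO: Fetch pod's SPIFFE SVID from SPIRE agent unix socket.
	// TODO: Evaluate SVID against accord-defined subnet and mode policies
	//       (see EvaluatePolicy).
	// TODO: Program iptables/nftables rules scoped to the pod's veth pair.
	_, _, _ = args, conf, topo
	return nil
}

// PolicyRule defines a subnet access rule scoped to a SPIFFE identity.
type PolicyRule struct {
	SVID       string   // SPIFFE Verifiable Identity Document URI
	AllowedDst []string // Allowed destination CIDRs
	Mode       string   // "overlay", "underlay", or "both"
	Operations []string // "read", "mutate", "admin"; not consulted by EvaluatePolicy
}

// EvaluatePolicy checks whether the given SVID is authorized for the requested
// subnets and mode per the local accord policy.
//
// A request is authorized when some rule carries the same SVID, a Mode equal to
// the requested mode or "both", and an AllowedDst entry that covers requestedDst.
// requestedDst may be a single IP address or a CIDR; an allowed CIDR covers it
// when the entire requested range lies inside the allowed prefix (a request for
// a range wider than the allowed one is denied). Entries that do not parse as a
// CIDR are compared as exact strings, so a malformed rule entry can never widen
// access beyond what it literally names. An empty svid or requestedDst is always
// denied: an unidentified workload must not match any rule, not even one whose
// SVID is itself empty.
//
// Operations on the matching rule are not evaluated here.
// Returns nil when authorized, otherwise an error naming the SVID, destination
// and mode that were denied.
func EvaluatePolicy(svid string, rules []PolicyRule, requestedDst string, mode string) error {
	if svid != "" && requestedDst != "" {
		for _, rule := range rules {
			if rule.SVID != svid {
				continue
			}
			if rule.Mode != "both" && rule.Mode != mode {
				continue
			}
			for _, allowed := range rule.AllowedDst {
				if destinationAllowed(allowed, requestedDst) {
					return nil
				}
			}
		}
	}
	return fmt.Errorf("SVID %s not authorized for %s in mode %s", svid, requestedDst, mode)
}

// destinationAllowed reports whether requested is covered by the rule entry
// allowed: an exact string match always counts; otherwise both must parse as
// an address or CIDR and the requested range must sit inside the allowed one.
func destinationAllowed(allowed, requested string) bool {
	if allowed == requested {
		return true
	}
	allowedPfx, ok := parseDestination(allowed)
	if !ok {
		return false
	}
	reqPfx, ok := parseDestination(requested)
	if !ok {
		return false
	}
	// The requested range is inside the allowed one when it is at least as
	// specific and its network address falls within the allowed prefix.
	// netip's Contains is false across address families, so an IPv6 (or
	// IPv4-mapped IPv6) request never matches an IPv4 rule, and vice versa.
	return reqPfx.Bits() >= allowedPfx.Bits() && allowedPfx.Contains(reqPfx.Addr())
}

// parseDestination parses s as a CIDR prefix, or as a single address treated
// as a full-length prefix. The result is masked so stray host bits in a rule
// entry (e.g. "10.1.2.3/8") cannot affect the containment check.
func parseDestination(s string) (netip.Prefix, bool) {
	if pfx, err := netip.ParsePrefix(s); err == nil {
		return pfx.Masked(), true
	}
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, false
	}
	return netip.PrefixFrom(addr, addr.BitLen()), true
}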