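package shellstream

import (
	"context"
	"crypto/x509"
	"fmt"
	"time"

	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
	"github.com/spiffe/go-spiffe/v2/workloadapi"
)

// workloadAPITimeout bounds how long ValidateSAT waits for the local SPIFFE
// Workload API to deliver its first bundle. Without a bound, an unavailable
// SPIRE agent would block the authentication path indefinitely. The value is
// a reviewer-chosen default, not taken from any specification.
const workloadAPITimeout = 10 * time.Second

// ValidateSAT validates a Substrate Attestation Token against the SPIRE/Vigil trust bundle.
//
// Phase 1: the token is treated as a DER-encoded X.509 certificate chain
// (leaf first) and verified as an X509-SVID: the leaf must carry a SPIFFE ID
// and the chain must verify up to a root in the trust bundle that the local
// SPIFFE Workload API serves for the leaf's trust domain. A parseable chain
// whose trust domain merely exists in the bundle is NOT sufficient; the
// chain itself is checked.
//
// trustBundlePath is accepted for interface compatibility but is not read:
// the bundle comes from the Workload API, not from disk.
//
// Future: full SAT validation with TPM attestation and capability semantics via Vigil.
//
// Returns a non-nil error when the token is empty, is not a DER certificate
// chain, the Workload API is unreachable within workloadAPITimeout, or SVID
// chain verification fails.
func ValidateSAT(token []byte, trustBundlePath string) error {
	if len(token) == 0 {
		return fmt.Errorf("empty SAT token")
	}

	// The token is a concatenation of DER certificates; ParseCertificates
	// handles the whole blob and returns them in order (leaf expected first).
	certs, err := x509.ParseCertificates(token)
	if err != nil {
		return fmt.Errorf("failed to parse SVID from SAT: %w", err)
	}
	if len(certs) == 0 {
		return fmt.Errorf("no certificates found in SAT token")
	}

	// NewX509Source blocks until the first bundle arrives, so bound the wait.
	ctx, cancel := context.WithTimeout(context.Background(), workloadAPITimeout)
	defer cancel()
	source, err := workloadapi.NewX509Source(ctx)
	if err != nil {
		return fmt.Errorf("failed to create X509Source: %w", err)
	}
	defer source.Close()

	// x509svid.Verify looks up the bundle for the leaf's trust domain via the
	// source and verifies the chain against its roots; this is the actual
	// trust decision, not just a bundle-presence check.
	if _, _, err := x509svid.Verify(certs, source); err != nil {
		return fmt.Errorf("failed to verify SVID chain from SAT: %w", err)
	}
	return nil
}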