namespace StellaOps.Scanner.Sources.Services;

/// <summary>
/// Credential types supported by the resolver.
/// </summary>
public enum CredentialType
{
    None,
    BearerToken,
    BasicAuth,
    SshKey,
    AwsCredentials,
    GcpServiceAccount,
    AzureServicePrincipal,
    GitHubApp
}

/// <summary>
/// Resolved credential from the credential store.
/// </summary>
public sealed record ResolvedCredential
{
    public required CredentialType Type { get; init; }
    public string? Token { get; init; }
    public string? Username { get; init; }
    public string? Password { get; init; }
    public string? PrivateKey { get; init; }
    public string? Passphrase { get; init; }
    public IReadOnlyDictionary<string, string>? Properties { get; init; }
    public DateTimeOffset? ExpiresAt { get; init; }
}

/// <summary>
/// Interface for resolving credentials from the credential store.
/// Credentials are stored externally and referenced by AuthRef.
/// </summary>
public interface ICredentialResolver
{
    /// <summary>
    /// Resolves credentials by AuthRef.
    /// </summary>
    /// <param name="authRef">Reference to the credential in the store (e.g., "vault://secrets/registry-auth")</param>
    /// <param name="ct">Cancellation token</param>
    /// <returns>Resolved credential or null if not found</returns>
    Task<ResolvedCredential?> ResolveAsync(string authRef, CancellationToken ct = default);

    /// <summary>
    /// Checks if a credential reference is valid (exists and is accessible).
    /// </summary>
    Task<bool> ValidateRefAsync(string authRef, CancellationToken ct = default);
}