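#!/usr/bin/env bash
# credbridge.sh — resolve credctl secrets into env vars for the child command.
# Secrets are NEVER on argv, NEVER in logs, NEVER persisted. credctl is queried
# per-call; the secret enters the child process env only for the duration of
# the call (the child replaces this shell via exec, so nothing lingers here).
#
# Usage:
#   credbridge.sh TOOL [args...]     # TOOL is the first positional argument
#
# Supports: gh (GitHub CLI) — needs github-pat
# v2 will add: deploy keys, cloud creds (aws/gcp/etc)
#
# Do not enable `set -x` in this file: xtrace would print the expanded
# GITHUB_TOKEN assignment to stderr and defeat the "never in logs" promise.

set -euo pipefail

# credctl binary; overridable through the environment (path or PATH name).
readonly CREDCTL="${CREDCTL:-/home/svrnty/workspaces/cortex/L6-svrnty.core-credentials/credctl}"

#######################################
# Print one or more message lines to stderr and exit.
# Arguments: $1 - exit status; remaining args - message lines
#######################################
die() {
  local status=$1; shift
  printf '%s\n' "$@" >&2
  exit "$status"
}

#######################################
# Fetch one secret's value from credctl.
# Globals:   CREDCTL (read)
# Arguments: $1 - credctl key name (e.g. github-pat)
# Outputs:   the value on stdout; empty when credctl failed or printed no
#            "Value:" line
# Returns:   0 always — callers decide what an empty result means. credctl's
#            stderr is discarded on purpose so its diagnostics can never
#            surface the secret in this script's output.
#######################################
fetch_secret() {
  local key=$1
  # `--unmask` prints a "Value: <secret>" line; take the first one only and
  # strip the label rather than splitting on whitespace, so a value that
  # contains spaces (or has no space after the colon) is returned intact.
  "$CREDCTL" get "$key" --unmask 2>/dev/null \
    | awk '/^Value:/ { sub(/^Value:[[:space:]]*/, ""); print; exit }' || true
}

#######################################
# Entry point: pick the tool, inject its credential, exec it.
# Arguments: $1 - tool name; remaining args passed through to the tool
# Returns:   does not return on success (exec); 2 on usage error, 3 when the
#            credential (or credctl itself) is unavailable
#######################################
main() {
  if (( $# == 0 )); then
    die 2 "usage: credbridge.sh [args...]" " supported tools: gh"
  fi

  local tool=$1; shift

  case "$tool" in
    gh)
      # GitHub CLI — needs GITHUB_TOKEN from credctl github-pat.
      # Fail loudly if credctl is missing instead of silently reporting the
      # secret as absent.
      command -v "$CREDCTL" >/dev/null 2>&1 \
        || die 3 "ERROR: credctl not found or not executable: $CREDCTL"
      # Assign and export in separate steps: `export X="$(cmd)"` always
      # succeeds, so it would mask a failing command substitution.
      local token
      token=$(fetch_secret github-pat)
      [[ -n "$token" ]] \
        || die 3 "ERROR: github-pat not in credctl. Set with: credctl set github-pat"
      GITHUB_TOKEN=$token
      export GITHUB_TOKEN
      # exec replaces this shell; the token lives only in the child's env.
      exec gh "$@"
      ;;
    *)
      die 2 "ERROR: unknown tool '$tool'" "supported tools: gh"
      ;;
  esac
}

main "$@"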