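#!/usr/bin/env bash
# validate_access.sh — report PASS / BLOCKED / FAIL per credential, per
# PROFILE-DISTRIBUTION-PROTOCOL §7 (readiness checklist, "credbridge resolves
# every credential the manifest lists; validate_access reports PASS/BLOCKED/
# FAIL"). Sourceable from install.sh and standalone.
#
# Usage: validate_access.sh
# Exit code: always 0. Emits one JSON line per credential, suitable for jq /
# log aggregation.
#
# Statuses:
#   PASS     credctl key set + non-empty
#   BLOCKED  key absent or empty — actionable: run `credctl set <name>`
#   FAIL     credctl itself missing or broken — environmental issue
#
# NOTE(review): when this file is sourced, the `set` line below changes the
# options of the sourcing shell and the loop at the bottom runs immediately.
# The whole script must keep one statement per line: collapsed onto the
# shebang line, everything after the first `#` is a comment and nothing runs.

set -uo pipefail

# CREDCTL comes from the environment and is executed as-is; it is also the
# program asked to print unmasked secrets, so only run this with a trusted
# environment.
CREDCTL="${CREDCTL:-/home/svrnty/workspaces/cortex/L6-svrnty.core-credentials/credctl}"

CREDENTIALS=(
  google-workspace
  proton-bridge-imap
  perplexity-api
)

# Escape a string for use inside a JSON string literal (backslash, double
# quote, newline, carriage return, tab). Writes the result to stdout.
_validate_access_json_escape() {
  local s="$1"
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '%s' "$s"
}

#######################################
# Classify one credential and print a single JSON line describing it.
# Globals:   CREDCTL (read) — path of the credctl executable
# Arguments: $1 - credential name as it appears in `credctl list`
# Outputs:   {"credential":…,"status":…,"reason":…} on stdout
# Returns:   status of the final printf (0 unless stdout is unwritable)
#######################################
check() {
  local name="$1" status reason listing

  if [ ! -x "$CREDCTL" ]; then
    status="FAIL"
    reason="credctl not found at $CREDCTL"
  elif ! listing="$("$CREDCTL" list 2>/dev/null)"; then
    # A credctl that cannot list is an environment problem, not a missing
    # key; piping straight into `grep -q` under pipefail reported it as
    # BLOCKED, and could do the same on SIGPIPE when grep matched early.
    # NOTE(review): assumes `credctl list` exits 0 on success even when no
    # keys are stored — confirm against credctl.
    status="FAIL"
    reason="credctl list failed"
  elif ! grep -q "^${name}[[:space:]]" <<<"$listing"; then
    # $name is used as a regex fragment; the built-in names are literal-safe.
    status="BLOCKED"
    reason="credctl key not set — run: credctl set ${name}"
  elif [ -z "$("$CREDCTL" get "$name" --unmask 2>/dev/null |
    sed -n '/^Value:/,$p' |
    sed '1s/^Value:[[:space:]]*//')" ]; then
    # The unmasked value is only tested for emptiness and never printed or
    # stored. It would appear in a `set -x` trace, so keep tracing off here.
    status="BLOCKED"
    reason="key exists but value empty"
  else
    status="PASS"
    reason="present"
  fi

  # Escape the interpolated fields so a quote or backslash in the credctl
  # path (or a future credential name) cannot break the JSON line.
  printf '{"credential":"%s","status":"%s","reason":"%s"}\n' \
    "$(_validate_access_json_escape "$name")" \
    "$status" \
    "$(_validate_access_json_escape "$reason")"
}

for cred in "${CREDENTIALS[@]}"; do
  check "$cred"
done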