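"""GET /api/vault/status — list credctl-managed secrets.

Migrated from hermes-webui fork commit 3e2c74f3 per Phase 2 of the
SVRNTY-HERMES Plugin Protocol.

Reports each vault entry's presence by name only: the handler runs
``credctl list`` and never asks credctl for a value, so secret values stay
opaque to the LLM by design.

Public API surface used: api.register_route, api.logger.
No forced internal dependencies — uses subprocess to call credctl directly.
"""

import json
import logging
import os
import subprocess

_DEFAULT_CREDCTL = "/home/svrnty/workspaces/cortex/L6-svrnty.core-credentials/credctl"

# The request handler is not given the plugin ``api`` object, so it reports
# failures through the standard logging module under the same logger name.
# NOTE(review): whether api.logger() is backed by ``logging`` is not visible
# here — confirm these records reach the same sink.
_log = logging.getLogger("svrnty.routes.vault_status")


def register(api):
    """Wire the GET /api/vault/status route.

    Args:
        api: plugin API object; only ``api.logger`` and
            ``api.register_route`` are used.
    """
    log = api.logger("svrnty.routes.vault_status")
    api.register_route("/api/vault/status", "GET", _handle_vault_status)
    log.info("vault status endpoint registered")


def _list_secret_names(credctl):
    """Return the entry names printed by ``<credctl> list``.

    Best-effort: any failure to run credctl, a timeout, or a non-zero exit
    status yields an empty list and a warning in the log. Output of a failed
    run is discarded so that diagnostic text printed on stdout is never
    reported to the client as if it were a secret name.

    Args:
        credctl: path of the credctl executable.

    Returns:
        list[str]: stripped, non-empty stdout lines, minus the
        ``credentials:`` header line.
    """
    try:
        out = subprocess.run(
            [credctl, "list"],  # argument vector, no shell involved
            capture_output=True,
            text=True,
            timeout=5,
        )
    except (OSError, ValueError, subprocess.SubprocessError) as exc:
        # OSError: missing / non-executable binary. SubprocessError: timeout.
        # ValueError: unusable path or undecodable output.
        _log.warning("credctl list could not be run: %s", exc)
        return []

    if out.returncode != 0:
        # Only the status is logged; stderr is deliberately left out because
        # its content is not known to be free of sensitive detail.
        _log.warning("credctl list exited with status %d", out.returncode)
        return []

    # The header test is applied to the raw (unstripped) line, so only a
    # header that starts in column 0 is dropped.
    return [
        line.strip()
        for line in out.stdout.splitlines()
        if line.strip() and not line.startswith("credentials:")
    ]


def _handle_vault_status(handler, parsed):
    """Answer GET /api/vault/status with the names of the vault entries.

    Handler signature matches the plugin loader contract.

    The executable is taken from the ``CREDCTL`` environment variable, falling
    back to ``_DEFAULT_CREDCTL``; whoever controls the process environment
    therefore chooses the binary that is run.

    The response is always ``200`` with ``{"secrets": [{"name": ...}, ...]}``;
    a credctl failure is indistinguishable from an empty vault on the wire and
    is only visible in the log.

    NOTE(review): no authentication or authorization check happens in this
    function, and entry names are themselves metadata about the vault —
    presumably the plugin host gates the route; confirm.

    Args:
        handler: request handler; ``send_response``, ``send_header``,
            ``end_headers`` and ``wfile.write`` are called on it.
        parsed: unused; part of the loader contract.

    Returns:
        True, always.
    """
    credctl = os.environ.get("CREDCTL", _DEFAULT_CREDCTL)
    names = _list_secret_names(credctl)

    payload = json.dumps({"secrets": [{"name": n} for n in names]})
    body = payload.encode("utf-8")

    handler.send_response(200)
    handler.send_header("Content-Type", "application/json; charset=utf-8")
    handler.send_header("Content-Length", str(len(body)))
    # Keep the listing out of browser and intermediary caches.
    handler.send_header("Cache-Control", "no-store")
    handler.end_headers()
    handler.wfile.write(body)
    return True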