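# Security Module - Unified secrets and encryption management
# Integrates SOPS, Age keys, and vault-service for GitOps-native secret management
#
# The import is bound as `sops_mod`, not `sops`: Nickel records are recursive,
# so a field written `sops = sops` refers to itself and never terminates.
let sops_mod = import "sops/main.ncl" in

# Closed sets of accepted values. Kept as plain strings (not enum tags) so
# callers that already pass "sops" / "prod" keep working unchanged.
let SUPPORTED_ENCRYPTION_SYSTEMS = ["sops", "sealed-secrets"] in
let SUPPORTED_ENVIRONMENTS = ["dev", "staging", "prod"] in

# Contract constructor: the value must be one of the strings in `allowed`.
# `std.array.elem` is the membership test; Nickel has no `in` operator.
let OneOf = fun allowed =>
  std.contract.from_predicate (fun value => std.array.elem value allowed)
in
{
  # SOPS encryption configuration (re-exported for callers that need the raw module)
  sops = sops_mod,

  # Security configuration for a deployment.
  # Field contracts reject misspelled systems/environments and non-positive
  # key versions when the config is evaluated, not later at deploy time.
  SecurityConfig = {
    # Which encryption system to use; only "sops" is wired into this module today
    encryption_system
      | std.string
      | OneOf SUPPORTED_ENCRYPTION_SYSTEMS
      | doc "Encryption system: 'sops' or 'sealed-secrets'"
      = "sops",

    # Environment-specific SOPS configuration
    sops_config
      | sops_mod.SopsEnvironmentConfig
      | doc "SOPS configuration per environment"
      | optional,

    # Deployment environment
    environment
      | std.string
      | OneOf SUPPORTED_ENVIRONMENTS
      | doc "Deployment environment: 'dev', 'staging' or 'prod'"
      = "dev",

    # Age key version for tracking rotations; starts at 1 and only grows
    age_key_version
      | std.number.PosNat
      | doc "Age key version (tracks rotations), positive integer"
      = 1,

    # Vault service endpoint. The previous default of `null` could never
    # satisfy the `std.string` contract; the field is now simply absent when unused.
    vault_service_url
      | std.string
      | doc "Vault-service endpoint URL; omit when no vault-service is used"
      | optional,

    # Key rotation schedule (optional)
    key_rotation_interval_days
      | std.number
      | doc "Days between key rotations"
      | optional,

    # Audit logging; on by default so secret access stays traceable
    audit_logging
      | std.bool
      | doc "Enable audit logging for secret access"
      = true,
  },

  # Build a default SOPS-based SecurityConfig for an environment.
  # The parameter is `env`, not `environment`: inside the record literal
  # `environment = environment` would resolve to the field itself (recursive
  # record) instead of the argument.
  init
    | doc "Default SOPS-based security configuration for the given environment"
    = fun env =>
      {
        encryption_system = "sops",
        environment = env,
        age_key_version = 1,
        audit_logging = true,
      } | SecurityConfig,

  # Helper to get SOPS rules for an environment
  get_sops_rules
    | doc "SOPS creation rules for the environment (delegates to sops.generate_sops_yaml)"
    = fun env => sops_mod.generate_sops_yaml env,

  # Helper to generate .sops.yaml content for deployment
  generate_sops_file
    | doc "Rendered .sops.yaml for the environment, encrypting to the given Age public key"
    = fun env age_public_key => sops_mod.generate_file env age_public_key,

  # Validate a security configuration. Returns a Bool rather than raising, so it
  # also works on records that were not built through SecurityConfig.
  # Only "sops" passes because it is the only backend this module integrates.
  validate
    | doc "True when the config uses SOPS, a known environment and a key version >= 1"
    = fun config =>
      config.encryption_system == "sops"
      && std.array.elem config.environment SUPPORTED_ENVIRONMENTS
      && config.age_key_version >= 1,
}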