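# Vault Service Schema
# Secrets management and encryption configuration

let constraints = import "schemas/platform/common/constraints.ncl" in
let docker_build_schema = import "schemas/platform/docker-build.ncl" in

# Builds a contract that accepts exactly one of `valid_values` (an array of
# strings). `field_name` is only used to word the error message.
#
# A non-string value is rejected with its own message instead of reaching
# the `%{value}` interpolation, which only accepts strings. The accepted
# list in the message is derived from `valid_values`, so the two cannot
# drift apart.
let one_of = fun field_name valid_values =>
  std.contract.custom (fun label => fun value =>
    let choices = std.string.join " | " valid_values in
    if !(std.is_string value) then
      let kind = std.to_string (std.typeof value) in
      'Error { message = "Invalid %{field_name}: expected a string, got %{kind}.\nValid values: %{choices}" }
    else if std.array.any (fun candidate => candidate == value) valid_values then
      'Ok value
    else
      'Error { message = "Invalid %{field_name} '%{value}'.\nValid values: %{choices}" }
  )
in

# Storage backend used both by `storage.backend` and `vault.storage_backend`.
let VaultStorage =
  one_of "storage_backend" ["surrealdb", "etcd", "postgresql", "filesystem"]
in

let DeploymentMode =
  one_of "deployment_mode" ["local", "docker", "kubernetes"]
in

let LogLevel =
  one_of "log level" ["debug", "info", "warn", "error"]
in

let HAMode =
  one_of "HA mode" ["active-passive", "active-active"]
in

# AEAD ciphers only; every entry here provides integrity as well as
# confidentiality.
let EncryptionAlgorithm =
  one_of "encryption_algorithm" ["aes-256-gcm", "aes-128-gcm", "chacha20-poly1305"]
in

{
  VaultServiceConfig = {
    # Server configuration (port must be >= 9000 for vault-service; the
    # exact bound is enforced by `constraints.port_high`)
    server
      | {
        host | String,
        port | Number | constraints.port_high,
        workers | Number | optional,
        keep_alive | Number | optional,
        max_connections | Number | optional,
      }
      | optional,

    # Storage backend configuration
    storage
      | {
        backend | VaultStorage,
        path | String | optional,
        # Path to the key that encrypts data at rest in the backend.
        encryption_key_path | String | optional,
      }
      | optional,

    # Vault-specific settings
    vault
      | {
        server_url | String,
        storage_backend
          | doc "Storage Backend for Vault"
          | VaultStorage
          | default = "filesystem",
        deployment_mode | DeploymentMode | optional,
        # Bearer token for the vault API. Intended to be injected at deploy
        # time (environment / secret store) rather than committed alongside
        # this configuration.
        auth_token | String | optional,
        mount_point | String | default = "transit",
        key_name | String | default = "provisioning-master",
        # Certificate verification is on by default (previously `false`).
        # Deployments using a private CA should set `tls_ca_cert`; only a
        # deliberate `tls_verify = false` disables verification.
        tls_verify | Bool | default = true,
        tls_ca_cert | String | optional,
      }
      | optional,

    # High Availability configuration
    ha
      | {
        enabled | Bool | default = false,
        mode | HAMode | optional,
      }
      | optional,

    # Security configuration
    security
      | {
        encryption_algorithm | EncryptionAlgorithm | optional,
        # Rotation period in days; how a zero or negative value is treated
        # is decided by the service — TODO confirm and constrain here.
        key_rotation_days | Number | optional,
      }
      | optional,

    # Monitoring and logging
    monitoring
      | {
        enabled | Bool | default = false,
        metrics_interval | Number | optional,
      }
      | optional,

    logging
      | {
        level | LogLevel | default = "info",
        format | String | optional,
      }
      | optional,

    # Docker build configuration
    build | docker_build_schema.DockerBuildConfig | optional,
  },
}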