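# Vault Service Validator
#
# Exposes `validate_vault_config`, which inspects a vault service configuration
# and returns an array of human-readable error messages. An empty array means
# none of the checks below found a problem; it does not mean the configuration
# is safe in any wider sense.
let vault_schema = import "../schemas/vault-service.ncl" in
let constraints = import "../constraints/constraints.toml" in

# True when `value` is null, an empty string or an empty array.
# The schema is not visible from this file, so the helper accepts both strings
# and arrays instead of assuming one of them.
# NOTE(review): the messages suggest mount_point and key_name are strings;
# confirm against vault_schema.VaultServiceConfig.
let is_blank = fun value =>
  if value == null then
    true
  else if std.is_string value then
    std.string.length value == 0
  else if std.is_array value then
    std.array.length value == 0
  else
    false
in

# Returns [message] when `failed` is true and [] otherwise, so the individual
# checks can be concatenated in order with `@`.
let error_if = fun failed message => if failed then [message] else [] in

{
  # Validates `config` and returns the list of violations, in check order:
  # port range, mount point, key name, SurrealDB server URL, TLS CA cert.
  validate_vault_config | vault_schema.VaultServiceConfig -> Array String = fun config =>
    let port = config.server.port in
    let port_limits = constraints.vault_service.port in

    # Only one of the two port messages is ever reported. Nickel interpolates
    # with %{...} and expects a string, hence std.to_string on the limits.
    let port_errors =
      if port < port_limits.min then
        ["Server port below minimum (%{std.to_string port_limits.min})"]
      else if port > port_limits.max then
        ["Server port above maximum (%{std.to_string port_limits.max})"]
      else
        []
    in

    let mount_errors =
      error_if (is_blank config.vault.mount_point) "Mount point cannot be empty"
    in

    let key_errors =
      error_if (is_blank config.vault.key_name) "Key name is required"
    in

    # std.string.contains returns a Bool, never null, so the result has to be
    # negated; testing it for null can never report an error. A null or
    # non-string URL is reported as well instead of failing inside
    # std.string.contains.
    # NOTE(review): the presence of ":" is a very weak notion of "valid URL";
    # scheme and host are not checked here.
    let url_errors =
      if config.vault.storage_backend == "surrealdb" then
        let url = config.vault.server_url in
        error_if
          (!(std.is_string url && std.string.contains ":" url))
          "SurrealDB mode requires valid server URL"
      else
        []
    in

    # NOTE(review): a configuration with tls_verify set to false produces no
    # message at all. If disabling certificate verification must be restricted,
    # that has to be enforced by the schema or by an additional check.
    let tls_errors =
      if config.vault.tls_verify == true then
        error_if
          (config.vault.tls_ca_cert == null)
          "TLS verification enabled but CA cert not provided"
      else
        []
    in

    port_errors @ mount_errors @ key_errors @ url_errors @ tls_errors,
}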