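package static

import (
	"log/slog"
	"strings"

	"github.com/alexei/tinyforge/internal/crypto"
	"github.com/alexei/tinyforge/internal/workload/plugin"
)

// buildEnv flattens workload_env rows into the KEY=VALUE list Docker
// expects. Mirrors image/image.go:buildEnv but without an embedded
// cfg.Env map — the static source only carries env via workload_env
// today (legacy static_site_secrets has been replaced by the unified
// workload_env table during the workload refactor).
//
// Encrypted rows are decrypted lazily so plaintext never lives in the
// store output. A decrypt failure logs and skips the entry rather than
// failing the whole deploy: bricking a sync because one rotated key
// missed an env entry would be worse than running with the variable
// unset and surfacing the warning.
//
// Rows whose key is empty or contains '=' or a NUL byte are skipped with
// a warning for the same reason: Docker splits each entry on the first
// '=', so such a key would silently define a different variable than the
// one stored instead of the intended one.
//
// deps supplies the store the rows are read from and the key used to
// decrypt encrypted values; workloadID selects the rows. The result is
// nil when the rows cannot be listed, which callers cannot distinguish
// from a workload with no env — the warning is the only signal.
func buildEnv(deps plugin.Deps, workloadID string) []string {
	rows, err := deps.Store.ListWorkloadEnv(workloadID)
	if err != nil {
		slog.Warn("static source: list workload env", "workload", workloadID, "error", err)
		return nil
	}
	out := make([]string, 0, len(rows))
	for _, e := range rows {
		// A key with '=' or NUL cannot be represented in KEY=VALUE form;
		// skip it rather than emit an entry that names a different variable.
		if e.Key == "" || strings.ContainsAny(e.Key, "=\x00") {
			slog.Warn("static source: skip malformed env key", "workload", workloadID, "key", e.Key)
			continue
		}
		value := e.Value
		if e.Encrypted {
			// Only the key is logged on failure; neither the ciphertext nor
			// any plaintext goes to the log.
			decrypted, err := crypto.Decrypt(deps.EncKey, e.Value)
			if err != nil {
				slog.Warn("static source: decrypt env value", "workload", workloadID, "key", e.Key, "error", err)
				continue
			}
			value = decrypted
		}
		out = append(out, e.Key+"="+value)
	}
	return out
}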