package dockerfile

import (
	"log/slog"

	"github.com/alexei/tinyforge/internal/crypto"
	"github.com/alexei/tinyforge/internal/workload/plugin"
)

// buildEnv turns the workload_env rows stored for workloadID into the
// KEY=VALUE list Docker expects, decrypting rows flagged Encrypted with
// deps.EncKey.
//
// Failure handling is deliberately best-effort and is meant to match the
// static plugin's env helper, so both plugins treat decrypt failures alike:
//   - if the rows cannot be listed, a warning is logged and nil is returned;
//   - if one row cannot be decrypted, a warning is logged and only that row
//     is skipped.
//
// Rationale: failing a build because a rotated key missed one env entry is
// judged worse than running with that variable unset and a single warning in
// the operator's log.
//
// Security notes:
//   - The returned slice holds decrypted secret values in plaintext. Callers
//     should hand it to the container runtime only and never log it.
//   - Only the workload ID, the env key name and the error are logged here;
//     the env value is never passed to the logger.
//   - A skipped row means the workload starts without that variable. A
//     variable that gates a security control must therefore fail closed
//     inside the workload when it is absent.
//   - NOTE(review): assumes crypto.Decrypt errors do not embed ciphertext or
//     key material, since the error is logged verbatim. Confirm.
//   - NOTE(review): Key and Value are joined without validation (no check for
//     an empty key, "=" in the key, or newlines). Presumably validated when
//     the row is written; verify against the store.
func buildEnv(deps plugin.Deps, workloadID string) []string {
	entries, err := deps.Store.ListWorkloadEnv(workloadID)
	if err != nil {
		slog.Warn("dockerfile source: list workload env", "workload", workloadID, "error", err)
		return nil
	}

	env := make([]string, 0, len(entries))
	for _, entry := range entries {
		// Plaintext rows pass straight through.
		if !entry.Encrypted {
			env = append(env, entry.Key+"="+entry.Value)
			continue
		}

		plain, decErr := crypto.Decrypt(deps.EncKey, entry.Value)
		if decErr != nil {
			// Drop just this entry; the remaining variables are still delivered.
			slog.Warn("dockerfile source: decrypt env value", "workload", workloadID, "key", entry.Key, "error", decErr)
			continue
		}
		env = append(env, entry.Key+"="+plain)
	}
	return env
}