package plugin

import (
	"log/slog"

	"github.com/alexei/tinyforge/internal/crypto"
)

// BuildWorkloadEnv returns the workload's workload_env rows as the KEY=VALUE
// list Docker expects. The source plugins (static, dockerfile) share it so
// that decrypt failures are handled the same way everywhere.
//
// Rows marked Encrypted are decrypted here with deps.EncKey, at the point of
// use, so the store output itself never carries plaintext. The returned slice
// does contain the decrypted values, so callers should pass it on to the
// container runtime and keep it out of logs and error messages.
//
// Failure handling is deliberately best-effort:
//   - if listing the rows fails, a warning is logged and nil is returned;
//   - if a row fails to decrypt, a warning carrying the key name (not the
//     value) is logged and that row is left out of the result.
//
// Failing the whole sync/build because one rotated key missed an env entry
// is considered worse than running with the variable unset and surfacing the
// warning.
//
// NOTE(review): dropping a variable is fail-open from the workload's point of
// view. If a workload treats an unset variable as "feature off" (for example
// an auth or TLS setting), it will start in that default; such workloads need
// their own startup check, and the warning below is the signal to alert on.
//
// sourceName is prepended to both warning messages (e.g. "static source" /
// "dockerfile source") so existing log scrapers keep matching the per-source
// message text.
func BuildWorkloadEnv(deps Deps, workloadID, sourceName string) []string {
	entries, listErr := deps.Store.ListWorkloadEnv(workloadID)
	if listErr != nil {
		slog.Warn(sourceName+": list workload env", "workload", workloadID, "error", listErr)
		return nil
	}

	env := make([]string, 0, len(entries))
	for _, row := range entries {
		// Plaintext rows are passed through unchanged.
		if !row.Encrypted {
			env = append(env, row.Key+"="+row.Value)
			continue
		}

		plain, decErr := crypto.Decrypt(deps.EncKey, row.Value)
		if decErr != nil {
			// Only the key name and the error are logged, never row.Value.
			// NOTE(review): presumably crypto.Decrypt errors do not embed
			// ciphertext or key material; confirm against that package.
			slog.Warn(sourceName+": decrypt env value", "workload", workloadID, "key", row.Key, "error", decErr)
			continue
		}
		env = append(env, row.Key+"="+plain)
	}
	return env
}