// adminServiceServer is the gRPC implementation of mciasv1.AdminServiceServer.
// Its two RPCs, Health and GetPublicKey, are public and bypass auth; the bypass
// itself is configured outside this file, so keep both handlers free of
// anything that should only be visible to authenticated callers.
package grpcserver

import (
	"context"
	"encoding/base64"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	mciasv1 "git.wntrmute.dev/kyle/mcias/gen/mcias/v1"
)

// adminServiceServer embeds the generated Unimplemented server and reaches
// shared state (notably the vault) through the owning *Server.
type adminServiceServer struct {
	mciasv1.UnimplementedAdminServiceServer
	s *Server
}

// Health reports whether the server is operational: Status is "sealed" while
// the vault is sealed and "ok" otherwise. The error result is always nil.
//
// Because this RPC is unauthenticated, the seal state is visible to any
// caller that can reach the endpoint.
func (a *adminServiceServer) Health(_ context.Context, _ *mciasv1.HealthRequest) (*mciasv1.HealthResponse, error) {
	state := "ok"
	if a.s.vault.IsSealed() {
		state = "sealed"
	}
	return &mciasv1.HealthResponse{Status: state}, nil
}

// GetPublicKey returns the Ed25519 public key as JWK field values
// (kty=OKP, crv=Ed25519, use=sig, alg=EdDSA). The "x" member carries the raw
// public key bytes in unpadded base64url, the same format the REST
// /v1/keys/public endpoint returns.
//
// Any error from the vault is reported to the client as codes.Unavailable with
// the fixed message "vault sealed"; the underlying error is not returned to
// the caller and is not logged here.
func (a *adminServiceServer) GetPublicKey(_ context.Context, _ *mciasv1.GetPublicKeyRequest) (*mciasv1.GetPublicKeyResponse, error) {
	raw, err := a.s.vault.PubKey()
	if err != nil {
		return nil, status.Error(codes.Unavailable, "vault sealed")
	}

	// RawURLEncoding is base64url without '=' padding, as JWK requires.
	// NOTE(review): the key length (expected 32 bytes) is not checked here;
	// this handler relies on the vault to return a well-formed key.
	resp := &mciasv1.GetPublicKeyResponse{
		Kty: "OKP",
		Crv: "Ed25519",
		Use: "sig",
		Alg: "EdDSA",
		X:   base64.RawURLEncoding.EncodeToString(raw),
	}
	return resp, nil
}