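#!/usr/bin/env bash
# Phase 4: Sovereign Tenants — VLAN isolation, tenant access control.
# Usage: bash scripts/deployment/phase4-sovereign-tenants.sh [--show-steps|--dry-run]
# Runbook: docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Phase 4
#
# Checklist-only: this script prints the Phase 4 steps and pointers to the
# runbook. It does not configure VLANs, bridges, firewall rules or NAT itself,
# so a zero exit status does NOT mean tenant isolation is in place.
set -euo pipefail

DRY_RUN=false
SHOW_STEPS=false

#######################################
# Parse command-line flags.
# Globals:   DRY_RUN (written), SHOW_STEPS (written)
# Arguments: the script's arguments; only --dry-run and --show-steps are valid
# Outputs:   usage error on stderr for an unrecognised argument
# Returns:   0 on success, 2 on an unrecognised argument
#######################################
parse_args() {
  local arg
  for arg in "$@"; do
    case "$arg" in
      --dry-run) DRY_RUN=true ;;
      --show-steps) SHOW_STEPS=true ;;
      *)
        # Fail closed: a mistyped --dry-run must never fall through to the
        # non-dry-run path of a deployment script.
        printf 'Unknown argument: %s\n' "$arg" >&2
        printf 'Usage: %s [--show-steps|--dry-run]\n' "${0##*/}" >&2
        return 2
        ;;
    esac
  done
}

parse_args "$@" || exit $?

printf '%s\n' \
  "Phase 4: Sovereign Tenants" \
  "==========================" \
  "" \
  "Steps:" \
  " 1. Configure sovereign VLANs on UDM Pro (200–203)" \
  " 2. Enable VLAN-aware bridge on Proxmox" \
  " 3. Migrate tenant containers to VLANs" \
  " 4. Configure access control (firewall rules; deny east-west)" \
  " 5. Apply Block #6 egress NAT; verify tenant isolation" \
  ""

# --show-steps takes precedence over --dry-run when both are given.
if [[ "$SHOW_STEPS" == true ]]; then
  printf '%s\n' \
    "Runbook: docs/03-deployment/OPERATIONAL_RUNBOOKS.md (Phase 4)" \
    "Architecture: docs/02-architecture/NETWORK_ARCHITECTURE.md, ORCHESTRATION_DEPLOYMENT_GUIDE.md" \
    "Firewall: docs/04-configuration/UDM_PRO_FIREWALL_MANUAL_CONFIGURATION.md"
  exit 0
fi

if [[ "$DRY_RUN" == true ]]; then
  echo "[DRY-RUN] No changes. Run without --dry-run to execute (script is checklist-only; manual steps in runbook)."
  exit 0
fi

# Say explicitly that nothing was applied, so an operator or a pipeline does
# not read exit 0 as "tenants are isolated".
printf '%s\n' \
  "NOTE: checklist-only; no changes were applied by this script." \
  "Complete the manual steps in the runbook and verify tenant isolation (step 5) before treating Phase 4 as done." \
  "See: docs/02-architecture/NETWORK_ARCHITECTURE.md" \
  " docs/03-deployment/OPERATIONAL_RUNBOOKS.md § Phase 4"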