#!/usr/bin/env bash
# Surgical Proxmox mutation guard — source from operator scripts that SSH + pct/qm.
# Mission-critical: mutations default OFF unless explicitly opted in; optional VMID allowlist.
#
# Usage:
#   source "${PROJECT_ROOT}/scripts/lib/proxmox-production-guard.sh"
#   pguard_require_apply_flag "$APPLY" || exit 0   # after parsing --apply
#   pguard_vmid_allowed "$vmid" || continue
#
# Opt-in (either):
#   --apply on the script, or
#   PROXMOX_OPS_APPLY=1 / yes
#
# Optional belt-and-suspenders (comma or space separated):
#   PROXMOX_OPS_ALLOWED_VMIDS="2400,2402,2403"
#
# Version: 2026-04-06

pguard_log() { echo "[proxmox-guard] $*" >&2; }

# When enabled (e.g. PROXMOX_SAFE_DEFAULTS=1 in operator .env), maintenance scripts that
# source this file should default to dry-run unless the caller passes --apply or sets PROXMOX_OPS_APPLY=1.
pguard_safe_defaults_enabled() {
  case "${PROXMOX_SAFE_DEFAULTS:-}" in
    1|yes|true|TRUE|Yes) return 0 ;;
    *) return 1 ;;
  esac
}

pguard_mutations_allowed() {
  case "${PROXMOX_OPS_APPLY:-}" in
    1|yes|true|TRUE|Yes) return 0 ;;
    *) return 1 ;;
  esac
}

# Call after CLI sets APPLY=true from --apply
pguard_require_apply_flag() {
  local apply_flag="${1:-false}"
  [[ "$apply_flag" == true ]] && return 0
  pguard_mutations_allowed && return 0
  return 1
}

# If PROXMOX_OPS_ALLOWED_VMIDS is set, vmid must match one token (comma/space separated).
pguard_vmid_allowed() {
  local vmid="$1"
  local allow="${PROXMOX_OPS_ALLOWED_VMIDS:-}"
  [[ -z "${allow// }" ]] && return 0
  allow="${allow//,/ }"
  local x
  for x in $allow; do
    [[ "$x" == "$vmid" ]] && return 0
  done
  pguard_log "refused: VMID ${vmid} not in PROXMOX_OPS_ALLOWED_VMIDS"
  return 1
}