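#!/bin/bash
# Sample Tier 0 Agent: Plan Generator
# Demonstrates proper agent behavior per foundation document
#
# Usage: <script> [read_docs|read_inventory|generate_plan]
# Required environment: ROLE_ID, SECRET_ID
# Optional environment: VAULT_CACERT - CA bundle used to verify the Vault
#                       server certificate (private / self-signed CA).
# VAULT_ADDR and VAULT_TOKEN are read below but never set in this file;
# presumably agent_authenticate (bootstrap library) provides them - confirm.

set -e

# Load bootstrap library
source /opt/agent-governance/lib/agent-bootstrap.sh

AGENT_ID="plan-generator-001"

# --- Agent Metadata Declaration (Section 4) ---
declare -A AGENT_META=(
  [agent_id]="plan-generator-001"
  [agent_role]="observer"
  [version]="0.1.0"
  [tier]=0
)

#######################################
# Read one secret from Vault and print its `.data.data` payload
# (the response shape of a KV v2-style read).
# Globals:   VAULT_ADDR, VAULT_TOKEN (read); VAULT_CACERT (read, optional)
# Arguments: $1 - secret path below /v1/
# Outputs:   the payload as JSON on stdout
# Returns:   0 on success; non-zero when configuration is missing, the
#            request fails (transport, TLS or HTTP error), or the payload
#            is absent/null.
#######################################
_vault_read_secret() {
  local secret_path=$1
  local body
  # --fail turns HTTP 4xx/5xx into a non-zero exit, so a Vault error document
  # is never mistaken for secret data. No -k/--insecure: the Vault token must
  # only ever be sent to a server whose certificate has been verified.
  local -a curl_args=(--silent --show-error --fail)

  [[ -n "${VAULT_ADDR:-}" && -n "${VAULT_TOKEN:-}" ]] || return 1

  # For a private CA, pin it explicitly instead of disabling verification.
  if [[ -n "${VAULT_CACERT:-}" ]]; then
    curl_args+=(--cacert "$VAULT_CACERT")
  fi

  # The token header is fed through stdin (-H @-) so it does not appear in
  # the process argument list. Requires a curl that supports `-H @file`.
  body=$(curl "${curl_args[@]}" -H @- \
    "${VAULT_ADDR}/v1/${secret_path}" <<<"X-Vault-Token: ${VAULT_TOKEN}") || return 1

  # -e makes jq exit non-zero when .data.data is null or missing; without it
  # the literal string "null" would look like a successful read.
  jq -er '.data.data' <<<"$body"
}

#######################################
# Entry point: authenticate, load metadata, validate the requested action
# against the agent's allowed scope, then run it.
# Globals:   ROLE_ID, SECRET_ID, AGENT_ID, AGENT_META (read)
# Arguments: $1 - requested action (default: read_docs)
# Returns:   exits 1 on configuration, authentication, metadata or
#            authorization failure.
#######################################
main() {
  log_info "Starting agent: ${AGENT_META[agent_id]} v${AGENT_META[version]}"

  # Check for required credentials
  if [[ -z "$ROLE_ID" || -z "$SECRET_ID" ]]; then
    agent_error "CONFIGURATION_ERROR" \
      "Missing credentials" \
      "Environment variables ROLE_ID and SECRET_ID" \
      "None" \
      "Set ROLE_ID and SECRET_ID environment variables"
    exit 1
  fi

  # Authenticate (Section 3.3 - Bounded Authority)
  # Only the role identifier is reported on failure; SECRET_ID must never be
  # added to an error or log message.
  if ! agent_authenticate "$ROLE_ID" "$SECRET_ID"; then
    agent_error "AUTH_ERROR" \
      "Failed to authenticate with Vault" \
      "role_id=$ROLE_ID" \
      "None" \
      "Verify credentials and Vault connectivity"
    exit 1
  fi

  # Load metadata from Vault
  if ! agent_load_metadata "$AGENT_ID"; then
    agent_error "METADATA_ERROR" \
      "Failed to load agent metadata" \
      "agent_id=$AGENT_ID" \
      "Authenticated successfully" \
      "Verify agent is registered in Vault"
    exit 1
  fi

  # Validate action before proceeding (Section 5 - Input Discipline)
  local requested_action="${1:-read_docs}"

  if ! agent_validate_action "$requested_action"; then
    agent_error "FORBIDDEN_ACTION" \
      "Requested action is not permitted for this agent" \
      "action=$requested_action" \
      "Authenticated and loaded metadata" \
      "Request action within allowed scope or escalate to higher tier"
    exit 1
  fi

  # Execute action
  case "$requested_action" in
    read_docs)
      log_info "Reading documentation..."
      local docs
      # Testing the assignment inside `if` keeps `set -e` from aborting the
      # script before the failure can be reported through agent_output.
      if docs=$(_vault_read_secret "secret/data/docs/agent-taxonomy") \
        && [[ -n "$docs" ]]; then
        agent_output "EXECUTE" 0.95 "read_docs" "Successfully read agent taxonomy documentation"
      else
        agent_output "ERROR" 0.0 "read_docs" "Failed to read documentation"
      fi
      ;;
    read_inventory)
      log_info "Reading inventory..."
      local inventory
      # A failed read is reported as an error rather than as a successful
      # EXECUTE carrying an empty or "null" cluster name.
      if inventory=$(_vault_read_secret "secret/data/inventory/proxmox") \
        && [[ -n "$inventory" ]]; then
        agent_output "EXECUTE" 0.90 "read_inventory" "Read Proxmox inventory: $(jq -r '.cluster' <<<"$inventory")"
      else
        agent_output "ERROR" 0.0 "read_inventory" "Failed to read inventory"
      fi
      ;;
    generate_plan)
      log_info "Generating plan..."
      # Tier 0 can generate plans but not execute
      agent_output "EXECUTE" 0.85 "generate_plan" "Plan generated. Requires Tier 1+ agent for execution."
      ;;
    *)
      agent_output "INSUFFICIENT_INFORMATION" 0.0 "$requested_action" "Unknown action requested"
      ;;
  esac
}

# Run main
main "$@"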