#!/usr/bin/env bash
# nerf-az-keyvault-secret-stats -- Show metadata for a secret value (length, content type, last modified) without revealing any characters. Use last_modified to detect rotation. No content-derived fingerprint is emitted: a deterministic fingerprint would let an agent verify guessed values offline.
# Generated from az-keyvault manifest. Do not edit directly.
# nerf:threat:read=remote
# nerf:threat:write=none

# Refuse to run on bash older than 4 with a readable message instead of a
# cryptic failure later on. BASH_VERSINFO[0] is the major version.
if (( ${BASH_VERSINFO[0]:-0} < 4 )); then
  printf '%s\n' \
    "error: nerf-az-keyvault-secret-stats requires bash 4+. Found bash ${BASH_VERSION:-unknown}" \
    "  hint: on macOS, install a newer bash via 'brew install bash'" >&2
  exit 1
fi

# Strict mode: abort on a failing command, on an unset variable, and on a
# failure anywhere inside a pipeline.
set -o errexit -o nounset -o pipefail

# Set to "true" by --nerf-dry-run; when set, the remote az call is skipped.
_NERF_DRY_RUN=''

#######################################
# Print the command synopsis to stderr and exit.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stderr; nothing on stdout
# Returns:   never returns; exits 1 (also for -h/--help)
#######################################
usage() {
  printf '%s\n' \
    'Usage: nerf-az-keyvault-secret-stats [--subscription <subscription>] <vault_name> <name>' \
    '' \
    'Options:' \
    '  --subscription <subscription>' \
    '      Subscription name or ID (defaults to active)' \
    '' \
    'Arguments:' \
    '  <vault_name> (required)' \
    '      Key Vault name' \
    '  <name> (required)' \
    '      Secret name' \
    '' \
    'Show metadata for a secret value (length, content type, last modified) without revealing any characters. Use last_modified to detect rotation. No content-derived fingerprint is emitted: a deterministic fingerprint would let an agent verify guessed values offline.' >&2
  exit 1
}

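SUBSCRIPTION=""
_SUBSCRIPTION_SET=""

# Option parsing. Switches must precede positionals; `--` ends option
# parsing and the first unrecognised word is treated as a positional.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --subscription)
      if [[ -n "${_SUBSCRIPTION_SET}" ]]; then
        echo "error: --subscription can only be specified once" >&2
        exit 1
      fi
      # A trailing --subscription with no value would otherwise die under
      # `set -u` with a bare "$2: unbound variable" instead of a usable message.
      if [[ $# -lt 2 ]]; then
        echo "error: nerf-az-keyvault-secret-stats: --subscription requires a value" >&2
        exit 1
      fi
      SUBSCRIPTION="$2"
      _SUBSCRIPTION_SET=true
      shift 2
      ;;
    --nerf-dry-run)
      _NERF_DRY_RUN="true"
      shift 1
      ;;
    -h|--help)
      usage
      ;;
    --)
      shift
      break
      ;;
    *)
      break
      ;;
  esac
done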

# Positional arguments: <vault_name> then <name>. The *_SET flags record
# whether a value was actually supplied (as opposed to defaulting to "").
VAULT_NAME=""
_VAULT_NAME_SET=""
NAME=""
_NAME_SET=""
if (( $# > 0 )); then
  VAULT_NAME=$1
  _VAULT_NAME_SET=true
  shift
fi
if (( $# > 0 )); then
  NAME=$1
  _NAME_SET=true
  shift
fi
# Anything left over is an error: options after positionals are not accepted.
if (( $# > 0 )); then
  printf '%s\n' \
    "error: nerf-az-keyvault-secret-stats: unexpected extra arguments: $*" \
    "  hint: switches and options must come before positional arguments" >&2
  exit 1
fi

# Reject a supplied positional that looks like a switch. NOTE(review): the hint
# below suggests `--`, but the option loop's `--` arm only stops option parsing;
# nothing here exempts a value given after `--` from this check.
if [[ -n "${_VAULT_NAME_SET}" && "${VAULT_NAME}" == -* ]]; then
  printf '%s\n' \
    "error: nerf-az-keyvault-secret-stats: <vault_name> cannot start with '-'" \
    "  hint: use -- before positional arguments if needed" >&2
  exit 1
fi

# An empty <vault_name> (missing or explicitly "") is a usage error.
if [[ -z "${VAULT_NAME}" ]]; then
  printf '%s\n' \
    "error: nerf-az-keyvault-secret-stats: missing required argument <vault_name>" \
    "  hint: provide a value for <vault_name>" >&2
  usage
fi

# Same two checks for <name>.
if [[ -n "${_NAME_SET}" && "${NAME}" == -* ]]; then
  printf '%s\n' \
    "error: nerf-az-keyvault-secret-stats: <name> cannot start with '-'" \
    "  hint: use -- before positional arguments if needed" >&2
  exit 1
fi

if [[ -z "${NAME}" ]]; then
  printf '%s\n' \
    "error: nerf-az-keyvault-secret-stats: missing required argument <name>" \
    "  hint: provide a value for <name>" >&2
  usage
fi

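# jq does all JSON handling below; fail early with an install hint if absent.
# `command -v` is the portable builtin for this check; `which` is an external
# program that is missing or behaves differently on some systems.
command -v jq >/dev/null 2>&1 || {
  echo 'error: nerf-az-keyvault-secret-stats: jq is required but not installed (e.g. apt-get install jq, brew install jq).' >&2
  exit 1
}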

# Dry run: say what would happen and stop before any remote call is made.
if [[ "${_NERF_DRY_RUN}" == true ]]; then
  printf '%s\n' 'dry-run: nerf-az-keyvault-secret-stats would run inline script'
  exit 0
fi

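# Build the az invocation as an array so each value is its own argv element
# (no word-splitting or quoting surprises in vault or secret names).
ARGS=(az keyvault secret show --vault-name "${VAULT_NAME}" --name "${NAME}" --output json)
if [[ -n "${SUBSCRIPTION}" ]]; then
  ARGS+=(--subscription "${SUBSCRIPTION}")
fi
# RESPONSE carries the secret value. It is only ever fed to jq on stdin below:
# never echoed, never passed as an argument, and the value itself is not copied
# into a second shell variable.
RESPONSE=$("${ARGS[@]}") || {
  echo "error: az-keyvault-secret-stats: failed to fetch secret '${NAME}' from vault '${VAULT_NAME}'" >&2
  exit 1
}
# Type-check the field rather than comparing `jq -r .value` to the text "null":
# that comparison also rejected a secret whose literal value is the string
# "null". A non-JSON response makes jq fail, which lands here as well.
if [[ "$(printf '%s' "${RESPONSE}" | jq -r '.value | type')" != "string" ]]; then
  echo "error: az-keyvault-secret-stats: response contained no .value field for '${NAME}' in '${VAULT_NAME}'" >&2
  exit 1
fi
# Length is computed inside jq: reading the value into a variable via $(...)
# strips trailing newlines (common in PEM-style secrets) and under-reports it.
# jq's `length` on a string counts Unicode code points, not bytes.
# content_type and last_modified are coerced with tostring so the output shape
# is unchanged: always strings, "" when the field is absent.
printf '%s' "${RESPONSE}" | jq \
  --arg vault "${VAULT_NAME}" \
  --arg name "${NAME}" \
  '{
    vault: $vault,
    name: $name,
    length: (.value | length),
    content_type: ((.contentType // "") | tostring),
    last_modified: ((.attributes.updated // "") | tostring)
  }'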
