"""
Edit this file to configure your bootstrap server. app.py should not need changes.
"""
import base64
import os

# ─── Config ──────────────────────────────────────────────────────────
TENANT_ID = os.environ["TENANT_ID"]                         # your Entra tenant
AUDIENCE  = "c2995f31-11e7-4882-b7a7-ef9def0a0266"          # Claude in Office add-in app ID
ISSUER    = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
JWKS_URL  = f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys"
HOST      = os.getenv("HOST", "127.0.0.1")
PORT      = int(os.getenv("PORT", "8080"))

# Local-dev override: point at a self-issued JWKS instead of Entra.
# Signature verification still runs. Refuses to start on non-loopback.
DEV_JWKS_PATH = os.getenv("DEV_JWKS_PATH")
if DEV_JWKS_PATH and HOST != "127.0.0.1":
    raise SystemExit("DEV_JWKS_PATH may only be used when HOST=127.0.0.1")

# ─── Catalog: every skill / MCP server you might hand out ────────────
def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

SKILLS = {
    "deal-memo": {
        "description": "Draft a deal memo from a term sheet",
        "url": "https://your-bucket.s3.amazonaws.com/skills/deal-memo.zip?X-Amz-Signature=...",
    },
    "compliance-check": {
        "description": "Review a document for compliance issues",
        "content": b64("# Compliance check\n\nReview the document for regulatory red flags..."),
    },
    "risk-dashboard": {
        "description": "Summarize positions from the risk dashboard",
        "url": "https://your-bucket.s3.amazonaws.com/skills/risk.zip?X-Amz-Signature=...",
    },
}

MCP_SERVERS = {
    "linear": {"url": "https://mcp.linear.app/sse", "label": "Linear"},
    "risk-api": {
        "url": "https://internal.example.com/mcp/risk",
        "label": "Risk Dashboard",
        "headers": {"Authorization": "Bearer {{gateway_token}}"},
    },
}

# ─── RBAC: first matching rule wins ──────────────────────────────────
# `when` conditions (all must match):
#   group — value from the Entra token's `groups` claim
#   user  — Entra user `oid`
#   app   — Office host: "word" | "excel" | "powerpoint"
# In production, group/user values are GUIDs — replace the names below
# with real Object IDs from Entra admin center.
RULES = [
    {"when": {"app": "word", "group": "investment-banking"},
     "skills": ["deal-memo", "compliance-check"], "mcp_servers": ["linear"]},

    {"when": {"group": "risk"},
     "skills": ["risk-dashboard", "compliance-check"], "mcp_servers": ["risk-api"]},

    {"when": {"user": "alice"},
     "skills": ["deal-memo"], "mcp_servers": []},

    {"when": {}, "skills": ["compliance-check"], "mcp_servers": []},  # default
]