#!/usr/bin/env bash
set -euo pipefail

# era-wrapper.sh
#
# Minimal wrapper around ERA "agent" CLI for ThreeGate TOOL-EXEC.
#
# This is a stub intended to be called by a future request runner that:
# - parses Tool Request schema
# - validates it
# - stages inputs in a temp directory
# - runs ERA with no-network default
# - collects outputs + stdout/stderr
# - emits a Tool Result artifact (schema'd)
#
# This wrapper does NOT:
# - validate requests
# - mount host paths
# - enable network
#
# It is intentionally minimal and safe.

AGENT_BIN="${AGENT_BIN:-agent}"

need_cmd() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "ERROR: required command not found: $1" >&2
    exit 127
  }
}

usage() {
  cat >&2 <<'EOF'
Usage:
  era-wrapper.sh --language <python|node|ts|go|ruby> --cmd "<single command>" [--network none]

Examples (no network):
  era-wrapper.sh --language python --cmd "python -V" --network none

Notes:
  - Network is forced to 'none' unless explicitly set to allowlist by higher-level tooling.
  - This wrapper is not a policy engine. It is a backend adapter.
EOF
  exit 2
}

LANGUAGE=""
CMD=""
NETWORK="none"

while [[ $# -gt 0 ]]; do
  case "$1" in
    --language) LANGUAGE="${2:-}"; shift 2 ;;
    --cmd) CMD="${2:-}"; shift 2 ;;
    --network) NETWORK="${2:-}"; shift 2 ;;
    -h|--help) usage ;;
    *) echo "ERROR: unknown arg: $1" >&2; usage ;;
  esac
done

[[ -n "${LANGUAGE}" && -n "${CMD}" ]] || usage

need_cmd "${AGENT_BIN}"

if [[ "${NETWORK}" != "none" ]]; then
  echo "ERROR: era-wrapper only supports --network none in this stub." >&2
  exit 3
fi

# Use ephemeral temp VM
# Avoid guest volume mounts here; staging is done by higher-level runner if/when allowed.
exec "${AGENT_BIN}" vm temp --language "${LANGUAGE}" --network none --cmd "${CMD}"