package auth

import "sort"

// MissingDeployedSecrets returns the names of secrets that must be non-empty in
// deployed environments (staging/production) but are currently unset. It returns
// nil for non-deployed environments (development, acctest) and when every
// required secret is present, so callers can treat a non-empty result as fatal.
//
// This closes the fail-open gap where an empty USER_SIGNING_KEY turns the
// user-header signature check into a no-op (forgeable identity) and an empty
// INTERNAL_API_KEY leaves the authz cache-hydration endpoint unauthenticated.
// See ADR-0005 and ADR-0006.
func MissingDeployedSecrets(environment string, secrets map[string]string) []string {
	if environment != "staging" && environment != "production" {
		return nil
	}
	var missing []string
	for name, value := range secrets {
		if value == "" {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}