param()

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

$repoRoot = (Resolve-Path (Join-Path $PSScriptRoot "..")).ProviderPath
$forbidden = @(
    ('RAP_' + 'BACKEND_URL'),
    ('RAP_' + 'CONTROL_PLANE_ENDPOINTS_JSON'),
    ('RAP_' + 'MESH_LISTEN_ADDR'),
    ('RAP_' + 'MESH_LISTEN_PORT_MODE'),
    ('RAP_' + 'MESH_LISTEN_AUTO_PORT_START'),
    ('RAP_' + 'MESH_LISTEN_AUTO_PORT_END'),
    ('RAP_' + 'MESH_SYNTHETIC_RUNTIME_ENABLED'),
    ('--' + 'backend-url'),
    ('--' + 'control-plane-endpoints-json'),
    ('mesh' + '-listener'),
    ('mesh_' + 'synthetic_runtime_enabled'),
    ('mesh' + '-synthetic-runtime-enabled')
)

$rgArgs = @(
    '-n',
    '--glob', '!**/deploy/html/assets/**',
    '--glob', '!**/dist/**',
    '--glob', '!**/node_modules/**',
    ($forbidden -join '|'),
    $repoRoot
)

$matches = & rg @rgArgs
if ($LASTEXITCODE -eq 1) {
    $matches = @()
} elseif ($LASTEXITCODE -ne 0) {
    throw "rg failed with exit code $LASTEXITCODE"
}

$farmActiveForbidden = @(
    ('net' + '/http'),
    ('http' + '://'),
    ('https' + '://'),
    ('ws' + '://'),
    ('wss' + '://'),
    ('http' + '.Client')
)
$farmStandardForbidden = @(
    ('compat_' + 'fallback'),
    ('compat' + ' fallback'),
    ('compat_' + 'relay'),
    ('last_' + 'compat_relay_policy'),
    ('force_' + 'compat_fallback'),
    ('entry_node_' + 'compat_fallback'),
    ('fabric_route_send_failed_' + 'compat_fallback_blocked'),
    ('compat_' + 'cleanup'),
    ('compat_' + 'control'),
    ('compat_' + 'updater'),
    ('compat_' + 'recovery'),
    ('compat_' + 'contract'),
    ('remove_' + 'compat'),
    ('fallback_' + 'poll_seconds'),
    ('direct_' + 'fallback'),
    ('trigger_direct_' + 'fallback'),
    ('launchDirectUpdater' + 'Fallback'),
    ('runLocalDirectUpdate' + 'Fallback')
)
$farmRouteForbidden = @(
    ('/node-agents/\{nodeID\}/' + 'health'),
    ('/node-agents/\{nodeID\}/' + 'services/status'),
    ('/node-agents/\{nodeID\}/' + 'update-manifest/request'),
    ('/node-agents/\{nodeID\}/' + 'update-result'),
    ('/node-agents/\{nodeID\}/' + 'rollback-result'),
    ('/node-agents/enrollments/\{requestID\}/' + 'bootstrap'),
    ('docker-' + 'bootstrap-bundle'),
    ('windows-' + 'bootstrap-bundle'),
    ('linux-' + 'bootstrap-bundle')
)
$farmIngressClassForbidden = @(
    'platform_admin',
    'cluster_admin',
    'organization_portal',
    'user_portal',
    'global-admin-runtime',
    'cluster-admin-runtime',
    'organization-portal-runtime',
    'user-portal-runtime',
    'identity-runtime',
    'policy-authority',
    'audit-sink'
)
$farmActivePaths = @(
    (Join-Path $repoRoot "agents/rap-node-agent/internal/client"),
    (Join-Path $repoRoot "agents/rap-node-agent/internal/hostagent"),
    (Join-Path $repoRoot "agents/rap-node-agent/internal/mesh"),
    (Join-Path $repoRoot "agents/rap-node-agent/internal/vpnruntime"),
    (Join-Path $repoRoot "agents/rap-node-agent/cmd/rap-node-agent"),
    (Join-Path $repoRoot "agents/rap-node-agent/cmd/rap-host-agent")
)
$farmRgArgs = @(
    '-n',
    '--glob', '*.go',
    '--glob', '!*_test.go',
    ($farmActiveForbidden -join '|')
) + $farmActivePaths

$farmMatches = & rg @farmRgArgs
if ($LASTEXITCODE -eq 1) {
    $farmMatches = @()
} elseif ($LASTEXITCODE -ne 0) {
    throw "active farm rg failed with exit code $LASTEXITCODE"
}

$farmStandardPaths = @(
    (Join-Path $repoRoot "agents/rap-node-agent/internal/client"),
    (Join-Path $repoRoot "agents/rap-node-agent/internal/hostagent"),
    (Join-Path $repoRoot "agents/rap-node-agent/internal/mesh"),
    (Join-Path $repoRoot "agents/rap-node-agent/internal/vpnruntime"),
    (Join-Path $repoRoot "agents/rap-node-agent/cmd/rap-node-agent"),
    (Join-Path $repoRoot "agents/rap-node-agent/cmd/rap-host-agent"),
    (Join-Path $repoRoot "backend/internal/modules/cluster"),
    (Join-Path $repoRoot "web-admin/src")
)
$farmStandardRgArgs = @(
    '-n',
    '--glob', '!**/*_test.go',
    ($farmStandardForbidden -join '|')
) + $farmStandardPaths

$farmStandardMatches = & rg @farmStandardRgArgs
if ($LASTEXITCODE -eq 1) {
    $farmStandardMatches = @()
} elseif ($LASTEXITCODE -ne 0) {
    throw "farm standard rg failed with exit code $LASTEXITCODE"
}

$farmRouteRgArgs = @(
    '-n',
    '--glob', '!**/deploy/html/assets/**',
    '--glob', '!**/dist/**',
    '--glob', '!**/node_modules/**',
    ($farmRouteForbidden -join '|'),
    $repoRoot
)
$farmRouteMatches = & rg @farmRouteRgArgs
if ($LASTEXITCODE -eq 1) {
    $farmRouteMatches = @()
} elseif ($LASTEXITCODE -ne 0) {
    throw "farm route rg failed with exit code $LASTEXITCODE"
}

$farmIngressClassPaths = @(
    (Join-Path $repoRoot "agents/rap-node-agent/internal/webingress"),
    (Join-Path $repoRoot "agents/rap-node-agent/internal/supervisor"),
    (Join-Path $repoRoot "agents/rap-node-agent/cmd/rap-node-agent")
)
$farmIngressClassRgArgs = @(
    '-n',
    '--glob', '!**/*_test.go',
    ($farmIngressClassForbidden -join '|')
) + $farmIngressClassPaths
$farmIngressClassMatches = & rg @farmIngressClassRgArgs
if ($LASTEXITCODE -eq 1) {
    $farmIngressClassMatches = @()
} elseif ($LASTEXITCODE -ne 0) {
    throw "farm ingress class rg failed with exit code $LASTEXITCODE"
}

if (@($matches).Count -eq 0 -and @($farmMatches).Count -eq 0 -and @($farmStandardMatches).Count -eq 0 -and @($farmRouteMatches).Count -eq 0 -and @($farmIngressClassMatches).Count -eq 0) {
    Write-Host "Fabric standard boundary check passed."
    exit 0
}

$allMatches = @($matches) + @($farmMatches) + @($farmStandardMatches) + @($farmRouteMatches) + @($farmIngressClassMatches)
Write-Error "Fabric standard boundary violated:`n$allMatches"
exit 1