/*
Volt Platform — Feature Gating
Tier-based feature definitions and access control infrastructure

TWO-LICENSE MODEL (revised 2026-03-20):
  ALL source code is AGPSL v5 (source-available). NOTHING is open source.
  Proprietary components are closed-source separate binaries.

Licensing Tiers:
  - Community (Free): Limited CLI — basic container lifecycle, ps, logs,
    local CAS, basic networking, security profiles. 50 containers/node.
  - Pro ($29/node/month): Full CLI + API unlocked. VMs, hybrid modes,
    compose, advanced networking, tuning, tasks, services, events, config,
    top, backups, QEMU profiles, desktop/ODE, distributed CAS, clustering,
    deployments, CI/CD, mesh, vuln scan, BYOK. 500 containers/node.
  - Enterprise ($99/node/month): + Scale-to-Zero, Packing, Frogger,
    SSO, RBAC, audit, HSM/FIPS, cross-region CAS sync. Unlimited containers.

Source-available (AGPSL v5) — anti-competition clauses apply to ALL code:
  - Volt CLI (ALL commands, Community and Pro)
  - Stellarium CAS (local and distributed)
  - VoltVisor / Stardust (VMs + hybrid modes)
  - All packages (networking, security, deploy, cdn, etc.)

Proprietary (closed-source, separate binaries):
  - Scale-to-Zero (Volt Edge)
  - Small File Packing (EROFS/SquashFS)
  - Frogger (database branching)
  - License Validation Server

Free binary: Pre-compiled binary with Community limits baked in.
Distributed under usage license (no modification). No copyleft.

Nonprofit Partner Program:
  - Free Pro tier, unlimited nodes
  - Requires verification + ongoing relationship
*/
package license

const (
	TierCommunity  = "community"
	TierPro        = "pro"
	TierEnterprise = "enterprise"
)

// Container limits per node by tier
const (
	CommunityMaxContainersPerNode  = 50
	ProMaxContainersPerNode        = 500
	EnterpriseMaxContainersPerNode = 0 // 0 = unlimited
)

// MaxContainersPerNode returns the container limit for a given tier
func MaxContainersPerNode(tier string) int {
	switch tier {
	case TierPro:
		return ProMaxContainersPerNode
	case TierEnterprise:
		return EnterpriseMaxContainersPerNode
	default:
		return CommunityMaxContainersPerNode
	}
}

// TierFeatures maps each tier to its available features.
// Higher tiers include all features from lower tiers.
// NOTE: Feature gating enforcement is being implemented.
// Enterprise-only proprietary features (Scale-to-Zero, Packing, Frogger)
// are separate binaries and not gated here.
//
// CAS PIVOT (2026-03-20): "cas" (local CAS) moved to Community.
// "cas-distributed" (cross-node dedup/replication) is Pro.
// "cas-audit" and "cas-cross-region" are Enterprise.
var TierFeatures = map[string][]string{
	TierCommunity: {
		// Core container runtime — bare minimum to run containers
		"containers",
		"networking-basic",  // Basic bridge networking only
		"security-profiles",
		"ps",                // List running containers (basic operational necessity)
		"logs",              // View container logs (basic operational necessity)
		// Stellarium Core — free for all (CAS pivot 2026-03-20)
		// CAS is the universal storage path. Source-available (AGPSL v5), NOT open source.
		"cas",           // Local CAS store, TinyVol assembly, single-node dedup
		"cas-pull",      // Pull blobs from CDN
		"cas-push",      // Push blobs to CDN
		"encryption",    // LUKS + CDN blob encryption (baseline, all tiers)
	},
	TierPro: {
		// Community features
		"containers",
		"networking-basic",
		"security-profiles",
		"ps",
		"logs",
		"cas",
		"cas-pull",
		"cas-push",
		"encryption",
		// Pro features (source-available, license-gated)
		// --- Moved from Community (2026-03-20, Karl's decision) ---
		"tuning",           // Resource tuning (CPU/mem/IO/net profiles)
		"constellations",   // Compose/multi-container stacks
		"bundles",          // .vbundle air-gapped deployment
		"networking",       // Advanced networking: VLANs, policies, DNS, firewall rules
		// --- VM / Hybrid (all modes gated) ---
		"vms",              // VoltVisor / Stardust + ALL hybrid modes (native, KVM, emulated)
		"qemu-profiles",    // Custom QEMU profile builds per workload
		"desktop",          // Desktop/ODE integration
		// --- Workload management ---
		"tasks",            // One-shot jobs
		"services",         // Long-running daemon management
		"events",           // Event system
		"config",           // Advanced config management
		"top",              // Real-time resource monitoring
		// --- Storage & ops ---
		"backups",          // CAS-based backup/archive/restore
		"cas-distributed",  // Cross-node CAS deduplication + replication
		"cas-retention",    // CAS retention policies
		"cas-analytics",    // Dedup analytics and reporting
		"cluster",          // Multi-node cluster management
		"rolling-deploy",   // Rolling + canary deployments
		"cicada",           // CI/CD delivery pipelines
		"gitops",           // GitOps webhook-driven deployments
		"mesh-relay",       // Multi-region mesh networking
		"vuln-scan",        // Vulnerability scanning
		"encryption-byok",  // Bring Your Own Key encryption
		"registry",         // OCI-compliant container registry (push access)
	},
	TierEnterprise: {
		// Community features
		"containers",
		"networking-basic",
		"security-profiles",
		"ps",
		"logs",
		"cas",
		"cas-pull",
		"cas-push",
		"encryption",
		// Pro features
		"tuning",
		"constellations",
		"bundles",
		"networking",
		"vms",
		"qemu-profiles",
		"desktop",
		"tasks",
		"services",
		"events",
		"config",
		"top",
		"backups",
		"cas-distributed",
		"cas-retention",
		"cas-analytics",
		"cluster",
		"rolling-deploy",
		"cicada",
		"gitops",
		"mesh-relay",
		"vuln-scan",
		"encryption-byok",
		"registry",         // OCI-compliant container registry (push access)
		// Enterprise features (in-binary, gated)
		"cas-cross-region", // Cross-region CAS sync
		"cas-audit",        // CAS access logging and audit
		"blue-green",       // Blue-green deployments
		"auto-scale",       // Automatic horizontal scaling
		"live-migration",   // Live VM migration
		"sso",              // SSO/SAML integration
		"rbac",             // Role-based access control
		"audit",            // Audit logging
		"compliance",       // Compliance reporting + docs
		"mesh-acl",         // Mesh access control lists
		"gpu-passthrough",  // GPU passthrough for VMs
		"sbom",             // Software bill of materials
		"encryption-hsm",   // HSM/FIPS key management
		// Enterprise proprietary features (separate binaries, listed for reference)
		// "scale-to-zero"  — Volt Edge (closed-source)
		// "file-packing"   — EROFS/SquashFS packing (closed-source)
		// "frogger"        — Database branching proxy (closed-source)
	},
}

// TierIncludes checks if a tier includes a specific feature
func TierIncludes(tier, feature string) bool {
	features, ok := TierFeatures[tier]
	if !ok {
		return false
	}
	for _, f := range features {
		if f == feature {
			return true
		}
	}
	return false
}

// FeatureCount returns the number of features available for a tier
func FeatureCount(tier string) int {
	features, ok := TierFeatures[tier]
	if !ok {
		return 0
	}
	return len(features)
}