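package checker

import (
	"fmt"

	sdk "git.happydns.org/checker-sdk-go/checker"
	tlsct "git.happydns.org/checker-tls/contract"
)

// DiscoverEntries implements sdk.DiscoveryPublisher.
//
// stuns:/turns: (RFC 7064/7065) speak TLS immediately after the TCP
// handshake, so every secure TCP-based endpoint we observed is published
// under the tls.endpoint.v1 contract for checker-tls to pick up.
//
// DTLS is intentionally omitted: the current checker-tls consumer uses
// crypto/tls and would not probe a datagram-TLS endpoint correctly. Emitting
// a DTLS entry today would only produce orphan lineage. As a consequence,
// DTLS endpoints get no certificate or protocol checks through this path.
//
// SNI is left empty (= Host); no STARTTLS upgrade applies; the scheme
// mandates direct TLS on the wire.
//
// data must be a non-nil *StunTurnData; any other value yields an error.
// Each host/port pair is published at most once. If an entry cannot be
// built, the error is returned and no entries are published.
func (p *stunTurnProvider) DiscoverEntries(data any) ([]sdk.DiscoveryEntry, error) {
	d, ok := data.(*StunTurnData)
	if !ok {
		return nil, fmt.Errorf("unexpected data type %T", data)
	}
	// A typed nil pointer stored in the interface passes the assertion above;
	// reject it here instead of panicking on d.Endpoints.
	if d == nil {
		return nil, fmt.Errorf("nil %T", data)
	}

	seen := make(map[string]struct{})
	var out []sdk.DiscoveryEntry
	for _, ep := range d.Endpoints {
		// Only endpoints whose dial was recorded as OK are published, so an
		// endpoint that failed to dial is never handed to the TLS checker.
		if !ep.Dial.OK {
			continue
		}
		// Skip plaintext endpoints and DTLS (see the doc comment).
		if !ep.Endpoint.Secure || ep.Endpoint.Transport == TransportDTLS {
			continue
		}

		// Deduplicate on host and port only. The comparison is byte-exact,
		// so hosts differing only in letter case are published separately.
		key := fmt.Sprintf("%s|%d", ep.Endpoint.Host, ep.Endpoint.Port)
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}

		entry, err := tlsct.NewEntry(tlsct.TLSEndpoint{
			Host: ep.Endpoint.Host,
			Port: ep.Endpoint.Port,
		})
		if err != nil {
			// Name the endpoint so the failure can be traced; %w keeps the
			// underlying error available to errors.Is / errors.As.
			return nil, fmt.Errorf("building TLS entry for %s:%d: %w", ep.Endpoint.Host, ep.Endpoint.Port, err)
		}
		out = append(out, entry)
	}
	return out, nil
}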