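package config

import (
	"fmt"
	"os"
	"strings"
)

// validateNoBypassFlagsInProduction returns an error when any security bypass
// flag is enabled while env names a production environment (audit 1.7).
//
// env is trimmed and lower-cased before comparison; only "production" and
// "prod" count as production. Any other value skips the check and returns nil.
//
// The error lists every offending variable as NAME=value so the operator can
// remove them all in one pass.
func validateNoBypassFlagsInProduction(env string) error {
	switch strings.ToLower(strings.TrimSpace(env)) {
	case "production", "prod":
		// Production: fall through to the flag checks below.
	default:
		return nil // Not production, nothing to verify.
	}

	// Each of these variables disables a security control (role check, CSRF
	// protection, rate limiting) when enabled.
	bypassFlags := []string{
		"BYPASS_CONTENT_CREATOR_ROLE",
		"CSRF_DISABLED",
		"DISABLE_RATE_LIMIT_FOR_TESTS",
	}

	var violations []string
	for _, name := range bypassFlags {
		// Normalize the value the same way env is normalized. An exact
		// comparison with "true" would let " true", "TRUE" or "1" slip past
		// this guard. The accepted set is the spellings strconv.ParseBool
		// treats as true, matched case-insensitively.
		// NOTE(review): the code that reads these flags is not visible here;
		// confirm it does not accept further truthy spellings (e.g. "yes").
		raw := strings.TrimSpace(os.Getenv(name))
		switch strings.ToLower(raw) {
		case "true", "t", "1":
			violations = append(violations, name+"="+raw)
		}
	}

	if len(violations) == 0 {
		return nil
	}
	return fmt.Errorf("security: bypass flags are not allowed in production: %s. Remove these environment variables before deploying", strings.Join(violations, ", "))
}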