Documentation
Overview
Package credential provides a pluggable abstraction for file-based credentials that kdn intercepts when declared as workspace mounts. A placeholder file is substituted so the real secret never lands inside the container; actual auth flows through the OneCLI proxy.
Types
type Credential
```go
type Credential interface {
	// Name returns the unique identifier for this credential type (e.g. "gcloud", "kubeconfig").
	Name() string

	// ContainerFilePath returns the absolute path inside the container at which
	// the placeholder file must be mounted.
	ContainerFilePath() string

	// Detect scans workspace mounts and returns the resolved host-side path to
	// the real credential file and the mount entry to intercept.
	// Returns ("", nil) when this credential is not declared or not applicable.
	Detect(mounts []workspace.Mount, homeDir string) (hostFilePath string, intercepted *workspace.Mount)

	// FakeFile returns the bytes to write as the placeholder credential file
	// that will be mounted into the container instead of the real one.
	// hostFilePath is the path to the real credential on the host.
	FakeFile(hostFilePath string) ([]byte, error)

	// Configure performs any OneCLI setup needed when this credential is active
	// (e.g. calling ConnectApp or creating secrets with the real credential).
	// hostFilePath is the path to the real credential on the host.
	Configure(ctx context.Context, client onecli.Client, hostFilePath string) error

	// HostPatterns returns host globs to add to the allow list in deny-mode
	// networking when this credential is active. hostFilePath lets dynamic
	// implementations extract the server URL from the real credential file.
	HostPatterns(hostFilePath string) []string
}
```
Credential describes how a particular file-based credential is intercepted when declared as a workspace mount.
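One way a FakeFile implementation could build its placeholder, as an added example that is not kdn's own code. It assumes a JSON credential; the names Placeholder, redact and secretKeys and the sample values are hypothetical, and the function fails closed when a secret value also appears under a key that was not redacted.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// secretKeys is a constructed list of JSON fields treated as secret.
var secretKeys = map[string]bool{"token": true, "refresh_token": true}

// redact replaces secret string values in place and returns the originals.
func redact(v any) (found []string) {
	switch t := v.(type) {
	case map[string]any:
		for k, val := range t {
			if s, ok := val.(string); ok && secretKeys[k] {
				found, t[k] = append(found, s), "placeholder"
			} else {
				found = append(found, redact(val)...)
			}
		}
	case []any:
		for _, val := range t {
			found = append(found, redact(val)...)
		}
	}
	return found
}

// Placeholder is the hypothetical core of a FakeFile: real bytes in, mountable bytes out.
func Placeholder(raw []byte) ([]byte, error) {
	var doc any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parse credential: %w", err)
	}
	secrets := redact(doc)
	out, _ := json.Marshal(doc) // cannot fail: doc was produced by json.Unmarshal
	for _, s := range secrets { // compare in JSON-escaped form, never log the value
		if enc, _ := json.Marshal(s); s != "" && bytes.Contains(out, enc[1:len(enc)-1]) {
			return nil, fmt.Errorf("placeholder still contains a secret value")
		}
	}
	return out, nil
}

func main() { // constructed sample input, not a real credential
	out, err := Placeholder([]byte(`{"server":"https://api.example.test","users":[{"token":"s3cr3t-constructed"}]}`))
	fmt.Printf("%s %v\n", out, err)
}
```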
type Registry
```go
type Registry interface {
	// Register adds a credential implementation to the registry.
	// Returns an error if a credential with the same name is already registered.
	Register(c Credential) error

	// List returns all registered credentials.
	List() []Credential
}
```
Registry manages Credential implementations.
Directories
| Path | Synopsis |
|---|---|
| | Package gcloud implements the credential.Credential interface for Google Cloud Application Default Credentials (ADC). |
| | Package kubeconfig implements the credential.Credential interface for Kubernetes token-based authentication. |