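defmodule Mv.OidcRoleSyncConfig do
  @moduledoc """
  Runtime configuration for OIDC group → role sync (e.g. admin group → Admin role).

  Reads from Application config `:mv, :oidc_role_sync`:

  - `:admin_group_name` – OIDC group name that maps to Admin role
    (optional; when nil, no sync).
  - `:groups_claim` – JWT/user_info claim name for groups (default: `"groups"`).

  Set via ENV in production: OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM
  (see config/runtime.exs).

  ## Blank values

  An empty or whitespace-only string is treated the same as an unset key.
  The admin group name decides which accounts are mapped to the Admin role, so a
  variable that is set but left empty must disable the sync rather than name an
  empty group. How config/runtime.exs handles an empty variable is not visible
  from this module, which is why the check is made here as well.
  """

  @doc """
  Returns the OIDC group name that maps to Admin role, or nil if not configured.

  A blank string counts as not configured. A non-blank value is returned exactly
  as configured (it is not trimmed), so the group comparison done by the caller
  sees the operator's value unchanged.
  """
  @spec oidc_admin_group_name() :: String.t() | nil
  def oidc_admin_group_name do
    :admin_group_name
    |> get()
    |> blank_to_nil()
  end

  @doc """
  Returns the JWT/user_info claim name for groups; defaults to "groups".

  The default also applies when the configured value is a blank string.
  """
  @spec oidc_groups_claim() :: String.t()
  def oidc_groups_claim do
    configured =
      :groups_claim
      |> get()
      |> blank_to_nil()

    configured || "groups"
  end

  # Looks up one key in the `:mv, :oidc_role_sync` keyword list; nil when the
  # application env entry or the key is absent.
  defp get(key) do
    :mv
    |> Application.get_env(:oidc_role_sync, [])
    |> Keyword.get(key)
  end

  # Maps "" and whitespace-only binaries to nil. Anything else, including
  # non-binary values, passes through untouched so existing behaviour for
  # well-formed configuration is unchanged.
  defp blank_to_nil(value) when is_binary(value) do
    if String.trim(value) == "", do: nil, else: value
  end

  defp blank_to_nil(value), do: value
end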