#!/bin/sh
# SSH forced-command wrapper for mother MCP entrypoint.
#
# SSH's authorized_keys command="..." restriction replaces the client's
# command with this script and stores the original in $SSH_ORIGINAL_COMMAND.
#
# Allowlist:
#   ""          → colibri-mcp in stdio MCP mode (persistent JSON-RPC channel)
#   "tools"     → colibri-mcp tools (one-shot discovery, debugging)
#   everything else → rejected with exit 1
#
# Why: the wrapper's job is to constrain what callers can do through the
# SSH forced-command boundary.  Without an allowlist, the caller can pass
# any colibri-mcp subcommand or flag — including ones not yet written.
#
# Installed by setup-mother.sh into /usr/local/bin/.
# Referenced from: ~/.ssh/authorized_keys command="/usr/local/bin/colibri-mcp-ssh"
set -eu

case "${SSH_ORIGINAL_COMMAND:-}" in
    "")
        exec /usr/local/bin/colibri-mcp
        ;;
    "tools")
        exec /usr/local/bin/colibri-mcp tools
        ;;
    *)
        printf '{"jsonrpc":"2.0","id":null,"error":{"code":-1,"message":"rejected: %s"}}\n' \
            "$(printf '%s' "${SSH_ORIGINAL_COMMAND}" | sed 's/"/\\"/g')" >&2
        exit 1
        ;;
esac
