#!/usr/bin/env bash
# Mint a one-time t3 pairing token for a mapped OS user.
# Runs as root via the scoped sudoers entry for the t3-dispatch service user.
# Validates the requested user is an actual t3 OS user (a value on the RHS of
# /etc/ttyd-user-map) before minting as that user. Prints the t3 CLI JSON.
set -euo pipefail
os_user="${1:-}"
[[ "$os_user" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || { echo "invalid user" >&2; exit 2; }
# Must be a mapped t3 OS user (RHS of a non-comment "authentik=os" line).
awk -F= '!/^[[:space:]]*#/ && NF==2 { gsub(/[[:space:]]/, "", $2); print $2 }' /etc/ttyd-user-map \
  | grep -qxF "$os_user" || { echo "user not mapped" >&2; exit 3; }
exec runuser -u "$os_user" -- /usr/bin/t3 auth pairing create \
  --base-dir "/home/${os_user}/.t3" --ttl 5m --json