#!/usr/bin/env python3
"""Convert a Kubernetes Secret JSON document into a SOPS-ready Secret manifest.

The output contains decoded secret values under stringData and must be redirected
to a temporary file, encrypted with sops, and removed immediately.
"""

import base64
import json
import sys


def yaml_string(value: str) -> str:
    return json.dumps(value)


source = json.load(sys.stdin)
metadata = source.get("metadata", {})
name = metadata.get("name", "inter-hub-env")
namespace = metadata.get("namespace", "inter-hub")
data = source.get("data", {})

print("apiVersion: v1")
print("kind: Secret")
print("metadata:")
print(f"  name: {yaml_string(name)}")
print(f"  namespace: {yaml_string(namespace)}")
print("type: Opaque")
print("stringData:")

for key in sorted(data):
    decoded = base64.b64decode(data[key]).decode("utf-8")
    print(f"  {key}: {yaml_string(decoded)}")