#!/bin/bash --
# chaperon/stubs/srun — Chaperon-proxied srun stub
#
# All srun invocations go through the chaperon, which runs OUTSIDE the
# sandbox and has access to munge for Slurm authentication.  Two modes:
#
#   Allocation mode (login node, no SLURM_JOB_ID):
#     Validates flags, wraps the command in sandbox-exec.sh so compute-node
#     processes inherit sandbox restrictions, then calls real srun.
#
#   Step mode (compute node, SLURM_JOB_ID set):
#     Validates flags against step-only whitelist, execs real srun directly
#     for MPI/multi-process step launching.
#
# --pty is denied in both modes (no PTY passthrough via protocol).
# Munge is never exposed inside the sandbox.

set -euo pipefail

_STUB_DIR="$(cd "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")" && pwd)"
source "$_STUB_DIR/_stub_lib.sh"

chaperon_call srun "$@"
exit $?
