/**
 * Runs sonar-scanner inside container('sonar') (sonarsource/sonar-scanner-cli).
 * Must be called inside container('sonar') block.
 * Agent pod must be created with homelabK8sAgent(withSonar: true).
 *
 * config keys:
 *   projectKey (required) - SonarQube project key
 *   sonarUrl   (optional) - SonarQube server URL, default: http://sonarqube-sonarqube.sonarqube.svc.cluster.local:9000
 *   credId     (optional) - Jenkins secret-text credential id, default: sonarqube-token
 *   sources    (optional) - sources to scan, default: .
 *   exclusions  (optional) - comma-separated paths to exclude
 *   lcovReport  (optional) - path to lcov.info for coverage, default: coverage/lcov.info
 */
def call(Map config) {
    def projectKey = config.projectKey
    if (!projectKey) error('scanCodeQuality: projectKey is required')

    def sonarUrl   = config.sonarUrl   ?: 'http://sonarqube-sonarqube.sonarqube.svc.cluster.local:9000'
    def credId     = config.credId     ?: 'sonarqube-token'
    def sources    = config.sources    ?: '.'
    def exclusions = config.exclusions ?: ''
    def lcovReport = config.lcovReport ?: 'coverage/lcov.info'

    def exclusionsArg = exclusions ? "-Dsonar.exclusions=${exclusions}" : ''

    withCredentials([string(credentialsId: credId, variable: 'SONAR_TOKEN')]) {
        sh """
            sonar-scanner \
              -Dsonar.projectKey=${projectKey} \
              -Dsonar.sources=${sources} \
              -Dsonar.host.url=${sonarUrl} \
              -Dsonar.token=\${SONAR_TOKEN} \
              -Dsonar.javascript.lcov.reportPaths=${lcovReport} \
              ${exclusionsArg}
        """
    }
}