# SPDX-License-Identifier: AGPL-3.0-or-later
# Sprint: SPRINT_4100_0006_0005 - Admin Utility Integration
# Configuration example for administrative operations

StellaOps:
  # Backend API configuration
  Backend:
    BaseUrl: "https://api.stellaops.example.com"

    # Admin authentication (choose one method)
    Auth:
      # Option 1: OpTok with admin scopes (recommended for production)
      OpTok:
        Enabled: true
        # Obtain via: stella auth login
        # Token will be stored in ~/.stellaops/tokens.json

      # Option 2: Bootstrap API key (for initial setup only)
      BootstrapKey:
        Enabled: false
        # Set this to the bootstrap key from backend config
        # Use environment variable: STELLAOPS_BOOTSTRAP_KEY
        Value: "${STELLAOPS_BOOTSTRAP_KEY}"

    # HTTP client settings
    Http:
      TimeoutSeconds: 30
      RetryCount: 3
      RetryDelayMs: 1000

  # Admin operation defaults
  Admin:
    # Default tenant for user operations
    DefaultTenant: "default"

    # Require confirmation for destructive operations
    RequireConfirmation: true

    # Audit logging
    AuditLog:
      Enabled: true
      OutputPath: "~/.stellaops/admin-audit.jsonl"

    # Policy management
    Policy:
      # Default export format
      ExportFormat: "yaml"  # yaml or json

      # Backup policies before import
      BackupBeforeImport: true
      BackupPath: "~/.stellaops/policy-backups"

    # User management
    Users:
      # Available roles
      ValidRoles:
        - "admin"
        - "security-engineer"
        - "developer"
        - "viewer"

      # Email validation pattern
      EmailPattern: "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$"

    # Feed management
    Feeds:
      # Default refresh behavior
      RefreshTimeout: 300  # seconds

      # Available feed sources
      Sources:
        - id: "nvd"
          name: "NVD (National Vulnerability Database)"
          type: "nvd-api"

        - id: "osv"
          name: "OSV (Open Source Vulnerabilities)"
          type: "osv-api"

        - id: "github"
          name: "GitHub Advisory Database"
          type: "github-api"

# Environment-specific overrides
#
# Development:
#   export STELLAOPS_BACKEND__BASEURL="http://localhost:5000"
#   export STELLAOPS_ADMIN__REQUIRECONFIRMATION="false"
#
# Production:
#   export STELLAOPS_BACKEND__BASEURL="https://api.stellaops.prod.example.com"
#   export STELLAOPS_ADMIN__AUDITLOG__ENABLED="true"

# Required Scopes for Admin Operations:
#
# stella admin policy   → admin.policy
# stella admin users    → admin.users
# stella admin feeds    → admin.feeds
# stella admin system   → admin.platform
#
# Bootstrap Mode (before Authority configured):
#   export STELLAOPS_BOOTSTRAP_KEY="<key-from-backend-config>"
#   stella admin users add admin@example.com --role admin

# Usage Examples:
#
# Policy Management:
#   stella admin policy export --output backup-$(date +%F).yaml
#   stella admin policy validate --file new-policy.yaml
#   stella admin policy import --file new-policy.yaml
#   stella admin policy list
#
# User Management:
#   stella admin users list --role admin
#   stella admin users add alice@example.com --role security-engineer
#   stella admin users update alice@example.com --role admin
#   stella admin users revoke bob@example.com --confirm
#
# Feed Management:
#   stella admin feeds list
#   stella admin feeds status --source nvd
#   stella admin feeds refresh --source nvd --force
#   stella admin feeds history --source nvd --limit 20
#
# System Management:
#   stella admin system status
#   stella admin system info