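# Security Configuration Schema
# Common schema for authentication, RBAC, and encryption.
#
# Every section is optional. A `default` applies only when the enclosing
# section is present and the field is omitted; a missing section yields no
# value at all, so consumers must treat an absent section as "disabled".
{
  SecurityConfig = {
    # JWT Configuration
    jwt | {
      # JWT issuer
      issuer | String | optional,
      # JWT audience
      audience | String | optional,
      # Token expiration in seconds
      expiration | Number | optional,
      # Refresh token expiration in seconds
      refresh_expiration | Number | optional,
      # Secret key for JWT signing (HMAC algorithms). Prefer injecting this
      # from a secrets manager or the environment rather than committing it
      # alongside the rest of the configuration.
      secret | String | optional,
      # Algorithm (HS256, RS256, etc.). The verifier should accept only an
      # explicit allow-list of algorithms; "none" must never be honoured.
      algorithm | String | optional,
    } | optional,

    # Encryption Configuration
    encryption | {
      # KMS backend: none, age, sops, kms_external.
      # The default is the string "none" (not the enum tag 'none), so it
      # satisfies the String contract declared on this field.
      kms_backend | String | default = "none",
      # Path to encryption key file
      key_path | String | optional,
      # Master encryption key (for age/SOPS). Same handling as `jwt.secret`:
      # supply it from a secrets store rather than from a committed file.
      master_key | String | optional,
      # Enable encrypted field storage
      enable_field_encryption | Bool | default = false,
    } | optional,

    # RBAC Configuration
    rbac | {
      # Enable RBAC
      enabled | Bool | default = false,
      # Default role for new users
      default_role | String | optional,
      # Allow role inheritance
      inheritance | Bool | default = true,
    } | optional,

    # MFA Configuration
    mfa | {
      # Require MFA for all users
      required | Bool | default = false,
      # Supported MFA methods (totp, webauthn, etc.)
      methods | Array String | optional,
      # Max failed MFA attempts before lockout. A count, so it is a Number
      # like every other numeric limit in this schema.
      max_attempts | Number | optional,
      # Lockout duration in minutes
      lockout_duration | Number | optional,
    } | optional,

    # Rate Limiting
    rate_limiting | {
      # Enable rate limiting
      enabled | Bool | default = false,
      # Max requests per window. A count, so it is a Number like
      # `window_seconds` and `lockout_duration`.
      max_requests | Number | optional,
      # Time window in seconds
      window_seconds | Number | optional,
      # Lockout duration in minutes
      lockout_duration | Number | optional,
    } | optional,

    # Session Configuration
    session | {
      # Session max duration in seconds
      max_duration | Number | optional,
      # Idle timeout in seconds
      idle_timeout | Number | optional,
      # Enable session tracking
      tracking | Bool | default = false,
    } | optional,

    # TLS Configuration
    tls | {
      # Enable TLS
      enabled | Bool | default = false,
      # Path to certificate file
      cert_path | String | optional,
      # Path to key file
      key_path | String | optional,
      # CA certificate path for client verification
      ca_path | String | optional,
      # Require client certificates. Only meaningful together with `ca_path`;
      # this schema does not enforce that pairing, so the consumer must.
      client_auth | Bool | default = false,
    } | optional,

    # CORS Configuration
    cors | {
      # Enable CORS
      enabled | Bool | default = false,
      # Allowed origins, one entry per origin (the field is an array, not a
      # comma-separated string)
      allowed_origins | Array String | optional,
      # Allow credentials. Browsers reject a wildcard origin when credentials
      # are allowed, so list explicit origins when enabling this.
      allow_credentials | Bool | default = false,
      # Allowed methods
      allowed_methods | Array String | optional,
      # Allowed headers
      allowed_headers | Array String | optional,
    } | optional,
  },
}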