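# Modes Base Contracts
# Common execution mode contracts shared by all deployment modes
#
# `let rec` lets the sub-contracts refer to each other as `contracts.X`.
# Conventions used throughout:
#   - `optional`      the field may be absent from a conforming value
#   - `default = v`   overridable by merging a higher-priority definition
#   - a bare `= v`    normal priority; a second definition of the same leaf
#                     would be a merge conflict, so it is NOT used for
#                     "default" values here
let rec contracts = {
  # Top-level shape of one execution mode. Cross-field consistency (e.g. that
  # `security` is hardened for `'enterprise`) is not checked by this contract.
  ExecutionMode = {
    mode_name | doc "Mode identifier" | [| 'solo, 'multi_user, 'cicd, 'enterprise |],
    description | String,
    authentication | contracts.AuthenticationStrategy,
    services | contracts.ServiceDeployments,
    extensions | contracts.ExtensionConfig,
    workspaces | contracts.WorkspacePolicy,
    security | contracts.SecurityConfig,
    resource_limits | optional | contracts.ResourceLimits,
  },

  # How clients authenticate to the deployed services.
  # The per-type sub-configs are validated against TokenConfig / MTLSConfig /
  # OAuthConfig; previously they were left unconstrained, so a malformed
  # token, mTLS or OAuth block passed validation silently. Nothing here
  # checks that the sub-config matching `auth_type` is actually present.
  AuthenticationStrategy = {
    auth_type | [| 'none, 'token, 'mtls, 'oauth, 'kms |],
    token_config | optional | contracts.TokenConfig,
    mtls_config | optional | contracts.MTLSConfig,
    oauth_config | optional | contracts.OAuthConfig,
    ssh_key_storage | default = 'local | [| 'local, 'kms, 'vault |],
  },

  # Bearer-token authentication. `token_path` is a path to the token, not
  # the token itself, so the config file never carries the secret.
  TokenConfig = {
    token_path | String,
    token_format | default = 'jwt | [| 'jwt, 'opaque |],
    expiry_seconds | default = 86400 | Number,
    refresh_enabled | default = true | Bool,
  },

  # Mutual TLS authentication; all three PEM locations are paths.
  MTLSConfig = {
    client_cert_path | String,
    client_key_path | String,
    ca_cert_path | String,
    verify_server | default = true | Bool,
  },

  # OAuth client settings; `client_secret_path` is a path, not the secret.
  OAuthConfig = {
    provider_url | String,
    client_id | String,
    client_secret_path | String,
    scopes | default = ["read", "write"] | Array String,
    redirect_uri | optional | String,
  },

  # Which services a mode runs and how each is deployed.
  ServiceDeployments = {
    orchestrator | contracts.ServiceConfig,
    control_center | optional | contracts.ServiceConfig,
    coredns | optional | contracts.ServiceConfig,
    gitea | optional | contracts.ServiceConfig,
    # NOTE(review): unlike its siblings this field carries no contract, so any
    # value is accepted. It presumably should be `contracts.ServiceConfig`;
    # left unconstrained here because existing mode files may use another
    # shape — confirm against callers before tightening.
    oci_registry | optional,
    custom_services | optional | { _ : contracts.ServiceConfig },
  },

  # One service: deployment target plus the target-specific block.
  # Presence of the block matching `deployment` is not cross-checked.
  ServiceConfig = {
    deployment | [| 'local, 'remote, 'k8s, 'disabled |],
    local_config | optional | contracts.LocalServiceConfig,
    remote_config | optional | contracts.RemoteServiceConfig,
    k8s_config | optional | contracts.K8sServiceConfig,
    auto_start | default = false | Bool,
    health_check | optional | contracts.HealthCheck,
  },

  # Locally run service. Binds to loopback by default; exposing it on
  # another address is an explicit per-mode choice.
  LocalServiceConfig = {
    binary_path | optional | String,
    config_path | optional | String,
    data_dir | String,
    port | Number,
    bind_address | default = "127.0.0.1" | String,
    tls_enabled | default = false | Bool,
  },

  # Service reached over the network. TLS and certificate verification are
  # on by default; disabling `verify_ssl` is an explicit opt-out.
  RemoteServiceConfig = {
    endpoint | String,
    port | optional | Number,
    tls_enabled | default = true | Bool,
    verify_ssl | default = true | Bool,
    timeout | default = 30 | Number,
    retries | default = 3 | Number,
  },

  # Service deployed into Kubernetes.
  K8sServiceConfig = {
    namespace | default = "provisioning" | String,
    deployment_name | String,
    service_name | String,
    replicas | default = 1 | Number,
    image | String,
    image_pull_policy | default = 'IfNotPresent | [| 'Always, 'IfNotPresent, 'Never |],
    resources | optional | contracts.K8sResources,
  },

  # Kubernetes resource requests/limits, in the usual k8s quantity strings.
  K8sResources = {
    cpu_request | default = "100m" | String,
    cpu_limit | default = "500m" | String,
    memory_request | default = "128Mi" | String,
    memory_limit | default = "512Mi" | String,
  },

  # HTTP health probe settings (intervals/timeouts are plain numbers; the
  # unit is decided by the consumer, presumably seconds — not encoded here).
  HealthCheck = {
    enabled | default = true | Bool,
    endpoint | default = "/health" | String,
    interval | default = 10 | Number,
    timeout | default = 5 | Number,
    healthy_threshold | default = 2 | Number,
    unhealthy_threshold | default = 3 | Number,
  },

  # Where extensions are fetched from. `source = 'mixed` and `allow_mixed`
  # are independent fields; this contract does not require them to agree.
  ExtensionConfig = {
    source | [| 'local, 'gitea, 'oci, 'mixed |],
    local_path | optional | String,
    gitea_config | optional | contracts.GiteaConfig,
    oci_registry | optional | contracts.OCIExtensionConfig,
    allow_mixed | default = false | Bool,
  },

  # Gitea as an extension source; credentials are referenced by path.
  GiteaConfig = {
    url | String,
    organization | default = "provisioning" | String,
    username | optional | String,
    token_path | optional | String,
    verify_ssl | default = true | Bool,
  },

  # OCI registry as an extension source.
  OCIExtensionConfig = {
    enabled | default = true | Bool,
    endpoint | String,
    namespace | default = "provisioning-extensions" | String,
    auth_token_path | optional | String,
    tls_enabled | default = true | Bool,
    verify_ssl | default = true | Bool,
    cache_dir | default = "~/.provisioning/oci-cache" | String,
  },

  # Workspace locking, git integration and per-user isolation.
  # `lock_provider` is not required even when `locking = 'required`.
  WorkspacePolicy = {
    locking | default = 'disabled | [| 'disabled, 'enabled, 'required |],
    lock_provider | optional | [| 'gitea, 'etcd, 'redis, 'filesystem |],
    git_integration | default = 'optional | [| 'disabled, 'optional, 'required |],
    isolation | default = 'user | [| 'none, 'user, 'strict |],
    max_workspaces_per_user | optional | Number,
  },

  # Hardening switches. All four booleans default to off; a mode that needs
  # encryption, auditing or network isolation must set them explicitly, as
  # nothing in this file derives them from `mode_name`.
  SecurityConfig = {
    encryption_at_rest | default = false | Bool,
    encryption_in_transit | default = false | Bool,
    # `default =` rather than `optional = ...` so that a mode or user config
    # can override the provider by merging; with a normal-priority definition
    # a second `provider` value would be a merge conflict.
    secret_provider | default = { provider = "sops" },
    dns_modification | default = 'none | [| 'none, 'coredns, 'system |],
    audit_logging | default = false | Bool,
    audit_log_path | optional | String,
    network_isolation | default = false | Bool,
  },

  # Per-user and global quotas. Global (`max_total_*`) limits are optional,
  # so by default only the per-user caps apply.
  ResourceLimits = {
    max_servers_per_user | default = 10 | Number,
    max_cpu_cores_per_user | default = 32 | Number,
    max_memory_gb_per_user | default = 128 | Number,
    max_storage_gb_per_user | default = 500 | Number,
    max_total_servers | optional | Number,
    max_total_cpu_cores | optional | Number,
    max_total_memory_gb | optional | Number,
  },
} in contracts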