# Security Default Values
# Common defaults for authentication, RBAC, encryption
#
# Every value below is a baseline default. Several protective controls
# (RBAC, MFA, rate limiting, TLS, field encryption, session tracking) are
# switched off here, so a deployment is only hardened if something else
# overrides these fields.
# NOTE(review): confirm that production profiles override the disabled
# controls; nothing in this file enforces that.
let security_schema = import "../../schemas/common/security.ncl" in
{
  # The record is checked against the SecurityConfig contract from the
  # imported schema file.
  security | security_schema.SecurityConfig = {
    # JWT Configuration
    # HS256 is HMAC-SHA256, a symmetric scheme: any component that can
    # verify a token holds the same secret that can mint one. No key
    # material is set in this file.
    # NOTE(review): expiration values are presumably seconds (1 h access,
    # 24 h refresh); confirm against the schema.
    jwt = {
      issuer = "provisioning-system",
      audience = "provisioning-api",
      expiration = 3600,
      refresh_expiration = 86400,
      algorithm = "HS256",
    },

    # Encryption Configuration
    # NOTE(review): "&" does not read like a backend identifier; it may be
    # a placeholder or a mangled value. Verify it against the values the
    # schema accepts.
    # Field-level encryption is off by default.
    encryption = {
      kms_backend = "&",
      enable_field_encryption = false,
    },

    # RBAC Configuration
    # Role-based access control is off by default; default_role and
    # inheritance are still given values here.
    rbac = {
      enabled = false,
      inheritance = true,
      default_role = "user",
    },

    # MFA Configuration
    # MFA is optional by default.
    # NOTE(review): the unit of lockout_duration is not stated here
    # (presumably minutes); confirm against the schema.
    mfa = {
      required = false,
      max_attempts = 3,
      lockout_duration = 15,
    },

    # Rate Limiting
    # Disabled by default; the limits below are only the values that would
    # be used once `enabled` is turned on (1000 requests per 60 s window).
    rate_limiting = {
      enabled = false,
      max_requests = 1000,
      window_seconds = 60,
      lockout_duration = 15,
    },

    # Session Configuration
    # NOTE(review): durations are presumably seconds (24 h maximum, 1 h
    # idle); session tracking is off by default.
    session = {
      max_duration = 86400,
      idle_timeout = 3600,
      tracking = false,
    },

    # TLS Configuration
    # Both transport encryption and client-certificate authentication are
    # off by default. With TLS off, tokens sent in the Authorization header
    # travel unencrypted.
    tls = {
      enabled = false,
      client_auth = false,
    },

    # CORS Configuration
    # Disabled by default. The single allowed origin is a plain-HTTP
    # localhost address, i.e. a development value; replace it before
    # enabling CORS for a deployed API. Credentials are not allowed
    # cross-origin.
    cors = {
      enabled = false,
      allow_credentials = false,
      allowed_origins = ["http://localhost:3000"],
      allowed_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
      allowed_headers = ["Content-Type", "Authorization"],
    },
  },
}