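# Control Center Service Default Configuration
# Pattern: 3-Layer Config (flat notation + | default)
#
# Every field marked `| default` can be overridden by a later merge layer.
# The final record is checked against ControlCenterConfig, which is imported
# from ../control-center.ncl and not shown in this file.
#
# Security review summary: several protective controls are OFF in these
# defaults (TLS, rate limiting, MFA, audit logging) and the JWT signing secret
# is a published placeholder. Treat this file as a development baseline and
# override those fields in any deployment layer that is reachable by others.

let control_center_schema = import "../control-center.ncl" in
let monitoring_defaults = import "./common/monitoring-defaults.ncl" in
let logging_defaults = import "./common/logging-defaults.ncl" in

let base_control_center = {
  # Workspace Configuration
  workspace.name | default = "default",
  workspace.path | default = "/var/lib/provisioning/control-center",
  workspace.enabled | default = true,
  workspace.multi_workspace | default = false,

  # HTTP Server Settings
  # Loopback-only bind by default. security.tls.enabled is false below, so an
  # override that binds a non-loopback address should enable TLS in the same
  # layer.
  server.host | default = "127.0.0.1",
  server.port | default = 9091,
  server.workers | default = 4,
  server.keep_alive | default = 75,
  server.max_connections | default = 100,
  # NOTE(review): units are not stated here; 30000 next to shutdown_timeout = 30
  # suggests milliseconds vs seconds. Confirm against the schema.
  server.request_timeout | default = 30000,
  server.graceful_shutdown | default = true,
  server.shutdown_timeout | default = 30,

  # Database Configuration
  database.backend | default = "rocksdb",
  database.path | default = "/var/lib/provisioning/control-center/data",
  database.pool_size | default = 10,
  database.timeout | default = 30,
  database.retry | default = true,
  # NOTE(review): quoted string, while pool_size and timeout are numbers.
  # Confirm ControlCenterConfig expects a string here.
  database.max_retries | default = "3",

  # Security - JWT Configuration
  security.jwt.issuer | default = "control-center",
  security.jwt.audience | default = "provisioning",
  security.jwt.expiration | default = 3600,
  security.jwt.refresh_expiration | default = 86400,
  # SECURITY: placeholder shared secret shipped as a default. With HS256 the
  # same value signs and verifies tokens, so a deployment that forgets to
  # override it accepts tokens signed with a publicly known key. Supply the
  # real value from a secret store in the deployment layer.
  # NOTE(review): nothing in this file rejects the placeholder; consider a
  # schema contract that refuses this literal, or dropping the default so a
  # missing secret fails at evaluation time instead of at runtime.
  security.jwt.secret | default = "change_me_in_production",
  security.jwt.algorithm | default = "HS256",

  # Security - RBAC Configuration
  # NOTE(review): overlaps with the top-level rbac.* section further down;
  # which one the service reads is not visible here. Keep both in sync.
  security.rbac.enabled | default = true,
  security.rbac.inheritance | default = true,
  security.rbac.default_role | default = "user",

  # Security - MFA Configuration
  # SECURITY: MFA is optional by default; password-only login is accepted.
  security.mfa.required | default = false,
  security.mfa.methods | default = ["totp"],
  # NOTE(review): quoted string while lockout_duration is a number. Confirm
  # the schema type.
  security.mfa.max_attempts | default = "5",
  security.mfa.lockout_duration | default = 15,

  # Security - Rate Limiting Configuration
  # SECURITY: request throttling is off by default, so max_requests and
  # window_seconds have no effect until enabled is set to true.
  security.rate_limiting.enabled | default = false,
  # NOTE(review): quoted string while window_seconds is a number. Confirm
  # the schema type.
  security.rate_limiting.max_requests | default = "1000",
  security.rate_limiting.window_seconds | default = 60,

  # Security - TLS Configuration
  # SECURITY: plaintext HTTP by default. Bearer tokens and credentials travel
  # unencrypted unless a TLS-terminating proxy sits in front of the service.
  security.tls.enabled | default = false,

  # Security - CORS Configuration
  security.cors.enabled | default = false,

  # Security - Session Configuration
  security.session.max_duration | default = 86400,
  security.session.idle_timeout | default = 3600,
  security.session.tracking | default = false,

  # Policy Engine Configuration
  policy.enabled | default = true,
  policy.cache.enabled | default = true,
  # NOTE(review): presumably a policy change can take up to this TTL to become
  # effective while the cache is enabled. Confirm that revocations invalidate
  # cached decisions.
  policy.cache.ttl | default = 3600,
  policy.cache.max_policies | default = 10000,
  policy.versioning.enabled | default = true,
  policy.versioning.max_versions | default = 20,

  # RBAC Configuration
  rbac.enabled | default = true,
  rbac.hierarchy | default = true,
  rbac.dynamic_roles | default = false,
  # NOTE(review): "user" is not among the roles enabled just below (admin,
  # operator, viewer). Confirm the role is defined elsewhere and carries
  # least privilege.
  rbac.default_role | default = "user",
  rbac.roles.admin | default = true,
  rbac.roles.operator | default = true,
  rbac.roles.viewer | default = true,
  rbac.attribute_based | default = false,

  # User Management Configuration
  users.enabled | default = true,
  # SECURITY: registration is open, needs no approval, and auto-assigns the
  # "user" role. Combined with rate limiting being disabled above, account
  # creation is neither reviewed nor throttled by default. Set
  # requires_approval = true or disable registration where sign-up should be
  # controlled.
  users.registration.enabled | default = true,
  users.registration.requires_approval | default = false,
  users.registration.auto_assign_role | default = "user",
  users.sessions.max_active | default = 5,
  users.sessions.idle_timeout | default = 3600,
  users.sessions.absolute_timeout | default = 86400,
  users.audit_enabled | default = false,

  # Audit Logging Configuration
  # SECURITY: audit logging (and users.audit_enabled above) is off by default,
  # and stored audit data is not marked immutable. Without it there is no
  # record of authentication or policy changes to support investigation.
  audit.enabled | default = false,
  audit.storage.retention_days | default = 90,
  audit.storage.immutable | default = false,
  audit.redact_sensitive | default = true,

  # Compliance Configuration
  compliance.enabled | default = false,
  compliance.validation.enabled | default = false,
  compliance.validation.interval_hours | default = 24,
  compliance.data_retention.policy_years | default = 7,
  # NOTE(review): 2555 days (about 7 years) here vs audit.storage.retention_days
  # = 90 above. Confirm which value governs audit log retention.
  compliance.data_retention.audit_log_days | default = 2555,
  compliance.encryption_required | default = false,

  # Integrations Configuration
  integrations.ldap.enabled | default = false,
  integrations.oauth2.enabled | default = false,
  integrations.webhooks.enabled | default = false,

  # Monitoring Configuration (from common defaults)
  monitoring.enabled | default = monitoring_defaults.monitoring.enabled,
  monitoring.metrics.enabled
    | default
    = monitoring_defaults.monitoring.metrics.enabled,
  monitoring.metrics.interval
    | default
    = monitoring_defaults.monitoring.metrics.interval,
  monitoring.health_check.enabled
    | default
    = monitoring_defaults.monitoring.health_check.enabled,
  monitoring.health_check.interval
    | default
    = monitoring_defaults.monitoring.health_check.interval,
  monitoring.resources.cpu
    | default
    = monitoring_defaults.monitoring.resources.cpu,
  monitoring.resources.memory
    | default
    = monitoring_defaults.monitoring.resources.memory,
  monitoring.resources.alert_threshold
    | default
    = monitoring_defaults.monitoring.resources.alert_threshold,

  # Logging Configuration (from common defaults)
  logging.level | default = logging_defaults.logging.level,
  logging.format | default = logging_defaults.logging.format,

  # Docker Build Configuration (no | default to override schema)
  build.package = "control-center",
  build.binary = "provisioning-control-center",
  # Same value as server.port above; an override of server.port does not
  # change this field.
  build.port = 9091,
  build.features = ["all"],
  build.extra_runtime_pkgs = [],
  build.config_file = "config.defaults.toml",
} in

{
  # Base configuration with all defaults
  control_center = base_control_center | control_center_schema.ControlCenterConfig,
}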