# Server Diagnostics Configuration
# Used by client.py for server inventory and security constraints

# Server inventory - SSH connection details
servers:
  paper-dynasty:
    hostname: 10.10.0.88
    ssh_user: cal
    ssh_key: ~/.ssh/claude_diagnostics_key
    description: "Paper Dynasty Discord bots and services"

# Docker containers to monitor
# restart_allowed: false prevents automatic remediation
docker_containers:
  - name: paper-dynasty_discord-app_1
    critical: true
    restart_allowed: true
    description: "Paper Dynasty Discord bot"

  - name: paper-dynasty_db_1
    critical: true
    restart_allowed: true
    description: "Paper Dynasty PostgreSQL database"

  - name: paper-dynasty_adminer_1
    critical: false
    restart_allowed: true
    description: "Database admin UI"

  - name: sba-website_sba-web_1
    critical: true
    restart_allowed: true
    description: "SBA website"

  - name: sba-ghost_sba-ghost_1
    critical: false
    restart_allowed: true
    description: "SBA Ghost CMS"

# Whitelisted diagnostic commands
diagnostic_commands:
  disk_usage: "df -h"
  memory_usage: "free -h"
  cpu_usage: "top -bn1 | head -20"
  cpu_load: "uptime"
  process_list: "ps aux --sort=-%mem | head -20"
  network_status: "ss -tuln"
  docker_ps: "docker ps -a --format 'table {{.Names}}\\t{{.Status}}\\t{{.Ports}}'"
  docker_stats: "docker stats --no-stream --format 'table {{.Name}}\\t{{.CPUPerc}}\\t{{.MemUsage}}'"
  journal_errors: "journalctl -p err -n 50 --no-pager"

# Remediation commands (low-risk only)
remediation_commands:
  docker_restart: "docker restart {container}"
  docker_logs: "docker logs --tail 500 {container}"

# DENIED patterns - commands containing these will be rejected
denied_patterns:
  - "rm -rf"
  - "rm -r /"
  - "dd if="
  - "mkfs"
  - ":(){:|:&};:"
  - "shutdown"
  - "reboot"
  - "init 0"
  - "init 6"
  - "systemctl stop"
  - "> /dev/sd"
  - "chmod 777"
  - "wget|sh"
  - "curl|sh"