---
# ops-agent command allowlist.
#
# Install as /etc/ops-agent/commands.yml on the host and restart ops-agent
# after every change.
# This file decides what the agent will execute, so it should be writable
# only by the administrator account.
#
# Fields of each entry under `commands`:
#   cmd           required. Program plus its fixed arguments, as an array
#                 (no shell, no interpolation).
#   cwd           optional. Working directory for the subprocess.
#   cwd_pattern   optional. Working directory given as a glob/pattern that
#                 is resolved at runtime.
#   args.allowed  optional. The argument values a caller may supply. When the
#                 list is absent or empty, the command takes no extra
#                 arguments.
#   description   optional. Human-readable description.
#
# NOTE(review): how a caller value is attached to `cmd` is not visible in
# this file; the entries whose array ends in `-l` / `-u` suggest it is
# appended as the last argument. Confirm against the agent.
# NOTE(review): caddy_list_certs below runs `sh -c`, which is an exception to
# the "no shell" rule stated for `cmd`.

commands:
  docker_ps:
    description: 'List running Docker containers'
    cmd: ['docker', 'ps', '--format', 'table']

  # The four git entries run inside a repository chosen by the caller. Per
  # their descriptions, the caller's first argument is the repo path and it
  # must start with /srv/.
  # NOTE(review): a plain prefix comparison also accepts paths that contain
  # `..` components or symlinks leading out of /srv/. Confirm the agent
  # canonicalizes the path before matching it against cwd_pattern.
  # NOTE(review): git honours repository-local configuration, some of which
  # names helper programs to run. Every repository under /srv/ should be
  # owned by a trusted account; verify that git's safe.directory ownership
  # check is not disabled for the agent's user.
  git_status:
    description: 'Git status with branch info (first arg = repo path, must start with /srv/)'
    cmd: ['git', 'status', '--short', '--branch']
    cwd_pattern: '/srv/'

  git_log_ahead:
    description: 'Local commits not yet pushed (first arg = repo path)'
    cmd: ['git', 'log', '@{upstream}..HEAD', '--oneline']
    cwd_pattern: '/srv/'

  # The output is the working-tree diff, so it can include uncommitted
  # secrets (for example credentials in a config file being edited).
  git_diff:
    description: 'Uncommitted diff against HEAD (first arg = repo path)'
    cmd: ['git', 'diff', 'HEAD']
    cwd_pattern: '/srv/'

  # The only entry here that contacts a remote.
  # NOTE(review): the description says "all remotes", but `git fetch` without
  # `--all` normally fetches only the default remote. Decide which is
  # intended and align the description or the command.
  git_fetch:
    description: 'Fetch all remotes silently (first arg = repo path)'
    cmd: ['git', 'fetch', '--quiet']
    cwd_pattern: '/srv/'

  # The caller picks one unit name from `allowed`. Keep this list identical
  # to the one under journalctl_recent.
  systemctl_status:
    description: 'Show systemctl status for an allowed service'
    cmd: ['systemctl', 'status', '--no-pager', '-l']
    args:
      allowed:
        - scrum4me-web
        - ops-agent
        - caddy
        - docker
        - nginx
        - postgresql

  # `-u` is the last fixed argument, so the allowed value is presumably
  # passed as the unit name. Confirm that the agent appends it.
  # Journal output can contain sensitive data logged by the service; treat
  # the result accordingly.
  journalctl_recent:
    description: 'Last 100 journal lines from the past hour for an allowed service'
    cmd: ['journalctl', '--since', '1 hour ago', '-n', '100', '--no-pager', '-u']
    args:
      allowed:
        - scrum4me-web
        - ops-agent
        - caddy
        - docker
        - nginx
        - postgresql

  # Prints the formatted Caddyfile; without `--overwrite` the file itself is
  # not modified.
  # NOTE(review): the whole config is returned to the caller. Check that the
  # Caddyfile holds no inline credentials or tokens.
  caddy_show_config:
    description: 'Print the formatted Caddy config'
    cmd: ['caddy', 'fmt', '/etc/caddy/Caddyfile']

  # This is the one entry that goes through a shell. The script is entirely
  # static and the entry has no `args.allowed`; keep it that way, because a
  # caller-supplied value must never reach `sh -c`.
  # The glob is limited to *.crt, so only certificates are read. Do not widen
  # it, since private keys are typically stored next to the certificates.
  # NOTE(review): Caddy's default storage nests certificates one level deeper
  # (issuer/domain/file). Verify that this glob matches anything on the host;
  # with the `[ -f ]` guard, an unmatched glob yields empty output silently.
  caddy_list_certs:
    description: 'List TLS cert info (subject, issuer, validity dates) from Caddy certificate store'
    cmd:
      - sh
      - -c
      # Folded scalar: the lines below are joined with single spaces into the
      # same one-line script as before.
      - >-
        for f in /data/caddy/certificates/*/*.crt; do
        [ -f "$f" ] || continue;
        echo "CERTFILE:$f";
        openssl x509 -noout -subject -issuer -dates -in "$f" 2>&1;
        echo "CERTEND";
        done