provisioning/taskservs/nushell/default/env.nu.j2

# Nushell Environment Variables for Infrastructure Servers
# Security-focused environment setup

# Core environment paths
$env.NUSHELL_HOME = "{{taskserv.admin_user_home}}/nushell"
$env.NUSHELL_CONFIG_DIR = "{{taskserv.admin_user_home}}/.config/nushell"
$env.NUSHELL_DATA_DIR = "{{taskserv.admin_user_home}}/.local/share/nushell"

# Security environment variables
$env.NUSHELL_EXECUTION_MODE = "{{taskserv.nushell_execution_mode | default('restricted')}}"
$env.NUSHELL_READONLY_MODE = {% if taskserv.nushell_readonly | default(true) %}true{% else %}false{% endif %}
$env.NUSHELL_AUDIT_ENABLED = {% if taskserv.nushell_audit | default(true) %}true{% else %}false{% endif %}
$env.NUSHELL_AUDIT_FILE = "{{taskserv.admin_user_home}}/nushell/audit.log"

# Resource limits
$env.NUSHELL_MAX_MEMORY = "{{taskserv.nushell_max_memory | default('256MB')}}"
$env.NUSHELL_SESSION_TIMEOUT = {{taskserv.nushell_session_timeout | default(900)}}

# Command restrictions
$env.NUSHELL_ALLOWED_COMMANDS = "{{taskserv.nushell_allowed_commands | default('ls,cat,grep,ps,df,free,uptime,systemctl,kubectl')}}"
$env.NUSHELL_BLOCKED_COMMANDS = "{{taskserv.nushell_blocked_commands | default('rm,mv,cp,chmod,chown,sudo,su')}}"
$env.NUSHELL_ALLOWED_PATHS = "{{taskserv.nushell_allowed_paths | default('/tmp,/var/log,/proc,/sys')}}"

# Plugin configuration
$env.NUSHELL_PLUGINS_ENABLED = {% if taskserv.nushell_plugins | default(false) %}true{% else %}false{% endif %}
{% if taskserv.nushell_plugins | default(false) %}
$env.NUSHELL_PLUGIN_ALLOWLIST = "{{taskserv.nushell_plugin_allowlist | default('nu_plugin_kcl,nu_plugin_tera,nu_plugin_polars')}}"
{% endif %}

# KCL integration
$env.KCL_ENABLED = {% if taskserv.kcl_enabled | default(false) %}true{% else %}false{% endif %}
{% if taskserv.kcl_enabled | default(false) %}
$env.KCL_BINARY_PATH = "{{taskserv.kcl_binary_path | default('/usr/local/bin/kcl')}}"
{% endif %}

# Observability settings
$env.NUSHELL_METRICS_ENABLED = {% if taskserv.nushell_metrics | default(true) %}true{% else %}false{% endif %}
$env.NUSHELL_LOG_COLLECTION = {% if taskserv.nushell_log_collection | default(false) %}true{% else %}false{% endif %}
{% if taskserv.nushell_telemetry_endpoint | default("") != "" %}
$env.NUSHELL_TELEMETRY_ENDPOINT = "{{taskserv.nushell_telemetry_endpoint}}"
{% endif %}

# Provisioning integration
$env.PROVISIONING_NUSHELL_VERSION = "1.0.0"
$env.PROVISIONING_NUSHELL_MODE = "infrastructure"

# Security: Sanitize PATH to prevent privilege escalation
$env.PATH = ($env.PATH | split row (char esep) | where $it =~ "^/(usr/)?(local/)?bin$|^/(usr/)?sbin$" | str join (char esep))

# Add Nushell tools to PATH if they exist
if ("{{taskserv.admin_user_home}}/.local/bin" | path exists) {
    $env.PATH = ($env.PATH | split row (char esep) | prepend "{{taskserv.admin_user_home}}/.local/bin" | str join (char esep))
}

# Default editor for security (read-only contexts)
{% if taskserv.nushell_readonly | default(true) %}
$env.EDITOR = "cat"
$env.VISUAL = "cat"
{% else %}
$env.EDITOR = "{{taskserv.editor | default('nano')}}"
$env.VISUAL = "{{taskserv.visual_editor | default('nano')}}"
{% endif %}

# Logging configuration
$env.NU_LOG_LEVEL = "{{taskserv.nushell_log_level | default('info')}}"
$env.NU_LOG_FORMAT = "json"
$env.NU_LOG_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Network restrictions
{% if taskserv.nushell_network | default(false) %}
$env.NUSHELL_NETWORK_ENABLED = true
{% else %}
$env.NUSHELL_NETWORK_ENABLED = false
# Disable network access for security
$env.http_proxy = "127.0.0.1:9999"
$env.https_proxy = "127.0.0.1:9999"
{% endif %}

# Session information
$env.NUSHELL_SESSION_ID = (random uuid)
$env.NUSHELL_SESSION_START = (date now | format date "%Y-%m-%d %H:%M:%S")
$env.NUSHELL_SERVER_ROLE = "{{server.role | default('worker')}}"
$env.NUSHELL_SERVER_HOSTNAME = "{{server.hostname | default('unknown')}}"

# Startup message
if not ($env.NUSHELL_QUIET? | default false) {
    print $"🔧 Nushell Infrastructure Runtime v($env.PROVISIONING_NUSHELL_VERSION)"
    print $"🏷️  Server: ($env.NUSHELL_SERVER_HOSTNAME) | Role: ($env.NUSHELL_SERVER_ROLE)"
    print $"🛡️  Security: ($env.NUSHELL_EXECUTION_MODE) mode | Readonly: ($env.NUSHELL_READONLY_MODE)"
    if $env.NUSHELL_AUDIT_ENABLED {
        print $"📝 Audit logging enabled: ($env.NUSHELL_AUDIT_FILE)"
    }
}
feat(taskserv): implement real-time version checking with configurable HTTP client - Add: GitHub API integration for live version checking in taskserv management - Add: HTTP client configuration option (http.use_curl) in config.defaults.toml - Add: Helper function fetch_latest_version with curl/http get support - Fix: Settings path structure for prov_data_dirpath access pattern - Remove: Legacy simulation code for version checking - Update: Core configuration name from "provisioning-system" to "provisioning" - Clean: Remove obsolete example configs and infrastructure files 2025-09-24 00:55:06 +00:00			`# Nushell Environment Variables for Infrastructure Servers`
			`# Security-focused environment setup`

			`# Core environment paths`
			`$env.NUSHELL_HOME = "{{taskserv.admin_user_home}}/nushell"`
			`$env.NUSHELL_CONFIG_DIR = "{{taskserv.admin_user_home}}/.config/nushell"`
			`$env.NUSHELL_DATA_DIR = "{{taskserv.admin_user_home}}/.local/share/nushell"`

			`# Security environment variables`
			`$env.NUSHELL_EXECUTION_MODE = "{{taskserv.nushell_execution_mode \| default('restricted')}}"`
			`$env.NUSHELL_READONLY_MODE = {% if taskserv.nushell_readonly \| default(true) %}true{% else %}false{% endif %}`
			`$env.NUSHELL_AUDIT_ENABLED = {% if taskserv.nushell_audit \| default(true) %}true{% else %}false{% endif %}`
			`$env.NUSHELL_AUDIT_FILE = "{{taskserv.admin_user_home}}/nushell/audit.log"`

			`# Resource limits`
			`$env.NUSHELL_MAX_MEMORY = "{{taskserv.nushell_max_memory \| default('256MB')}}"`
			`$env.NUSHELL_SESSION_TIMEOUT = {{taskserv.nushell_session_timeout \| default(900)}}`

			`# Command restrictions`
			`$env.NUSHELL_ALLOWED_COMMANDS = "{{taskserv.nushell_allowed_commands \| default('ls,cat,grep,ps,df,free,uptime,systemctl,kubectl')}}"`
			`$env.NUSHELL_BLOCKED_COMMANDS = "{{taskserv.nushell_blocked_commands \| default('rm,mv,cp,chmod,chown,sudo,su')}}"`
			`$env.NUSHELL_ALLOWED_PATHS = "{{taskserv.nushell_allowed_paths \| default('/tmp,/var/log,/proc,/sys')}}"`

			`# Plugin configuration`
			`$env.NUSHELL_PLUGINS_ENABLED = {% if taskserv.nushell_plugins \| default(false) %}true{% else %}false{% endif %}`
			`{% if taskserv.nushell_plugins \| default(false) %}`
			`$env.NUSHELL_PLUGIN_ALLOWLIST = "{{taskserv.nushell_plugin_allowlist \| default('nu_plugin_kcl,nu_plugin_tera,nu_plugin_polars')}}"`
			`{% endif %}`

			`# KCL integration`
			`$env.KCL_ENABLED = {% if taskserv.kcl_enabled \| default(false) %}true{% else %}false{% endif %}`
			`{% if taskserv.kcl_enabled \| default(false) %}`
			`$env.KCL_BINARY_PATH = "{{taskserv.kcl_binary_path \| default('/usr/local/bin/kcl')}}"`
			`{% endif %}`

			`# Observability settings`
			`$env.NUSHELL_METRICS_ENABLED = {% if taskserv.nushell_metrics \| default(true) %}true{% else %}false{% endif %}`
			`$env.NUSHELL_LOG_COLLECTION = {% if taskserv.nushell_log_collection \| default(false) %}true{% else %}false{% endif %}`
			`{% if taskserv.nushell_telemetry_endpoint \| default("") != "" %}`
			`$env.NUSHELL_TELEMETRY_ENDPOINT = "{{taskserv.nushell_telemetry_endpoint}}"`
			`{% endif %}`

			`# Provisioning integration`
			`$env.PROVISIONING_NUSHELL_VERSION = "1.0.0"`
			`$env.PROVISIONING_NUSHELL_MODE = "infrastructure"`

			`# Security: Sanitize PATH to prevent privilege escalation`
			`$env.PATH = ($env.PATH \| split row (char esep) \| where $it =~ "^/(usr/)?(local/)?bin$\|^/(usr/)?sbin$" \| str join (char esep))`

			`# Add Nushell tools to PATH if they exist`
			`if ("{{taskserv.admin_user_home}}/.local/bin" \| path exists) {`
			`$env.PATH = ($env.PATH \| split row (char esep) \| prepend "{{taskserv.admin_user_home}}/.local/bin" \| str join (char esep))`
			`}`

			`# Default editor for security (read-only contexts)`
			`{% if taskserv.nushell_readonly \| default(true) %}`
			`$env.EDITOR = "cat"`
			`$env.VISUAL = "cat"`
			`{% else %}`
			`$env.EDITOR = "{{taskserv.editor \| default('nano')}}"`
			`$env.VISUAL = "{{taskserv.visual_editor \| default('nano')}}"`
			`{% endif %}`

			`# Logging configuration`
			`$env.NU_LOG_LEVEL = "{{taskserv.nushell_log_level \| default('info')}}"`
			`$env.NU_LOG_FORMAT = "json"`
			`$env.NU_LOG_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"`

			`# Network restrictions`
			`{% if taskserv.nushell_network \| default(false) %}`
			`$env.NUSHELL_NETWORK_ENABLED = true`
			`{% else %}`
			`$env.NUSHELL_NETWORK_ENABLED = false`
			`# Disable network access for security`
			`$env.http_proxy = "127.0.0.1:9999"`
			`$env.https_proxy = "127.0.0.1:9999"`
			`{% endif %}`

			`# Session information`
			`$env.NUSHELL_SESSION_ID = (random uuid)`
			`$env.NUSHELL_SESSION_START = (date now \| format date "%Y-%m-%d %H:%M:%S")`
			`$env.NUSHELL_SERVER_ROLE = "{{server.role \| default('worker')}}"`
			`$env.NUSHELL_SERVER_HOSTNAME = "{{server.hostname \| default('unknown')}}"`

			`# Startup message`
			`if not ($env.NUSHELL_QUIET? \| default false) {`
			`print $"🔧 Nushell Infrastructure Runtime v($env.PROVISIONING_NUSHELL_VERSION)"`
			`print $"🏷️ Server: ($env.NUSHELL_SERVER_HOSTNAME) \| Role: ($env.NUSHELL_SERVER_ROLE)"`
			`print $"🛡️ Security: ($env.NUSHELL_EXECUTION_MODE) mode \| Readonly: ($env.NUSHELL_READONLY_MODE)"`
			`if $env.NUSHELL_AUDIT_ENABLED {`
			`print $"📝 Audit logging enabled: ($env.NUSHELL_AUDIT_FILE)"`
			`}`
			`}`