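---
# Access profile applied to CI/CD pipeline runs: an allow-list and a deny-list
# of commands, providers, taskservs and target profiles, plus environment
# limits, audit settings and a schedule window.
# NOTE(review): the nesting below was reconstructed from a flattened one-line
# copy (the repeated commands/providers/taskservs/profiles keys only make sense
# nested under allowed/blocked) - confirm against the consumer's schema.
profile: cicd
description: CI/CD pipeline access profile with restricted permissions
version: "1.0.0"
# NOTE(review): presumably turns enforcement on - confirm that anything not
# listed under `allowed` is denied by default.
restricted: true

# Allowed operations for CI/CD
allowed:
  commands:
    - "server list"
    - "server status"
    - "taskserv list"
    - "taskserv status"
    # Write operations: taskserv create/install stay permitted while the
    # server and cluster equivalents are blocked below.
    - "taskserv create"
    - "taskserv install"
    - "cluster status"
    # NOTE(review): bare verbs with no sub-command - confirm how the consumer
    # matches them (exact vs. prefix) and what output `show` can expose.
    - "generate"
    - "show"
    - "context"
  providers:
    - "local"
    - "digitalocean"
  taskservs:
    - "kubernetes"
    - "monitoring"
    - "gitea"
    - "postgres"
  profiles:
    - "staging"
    - "development"

# Blocked operations for security
# NOTE(review): how a conflict between `allowed` and `blocked` resolves is not
# shown in this file - deny should win. A provider, taskserv or profile in
# neither list should be refused, not permitted.
blocked:
  commands:
    - "server create"
    - "server delete"
    - "taskserv delete"
    - "cluster create"
    - "cluster delete"
    # Keeps the pipeline away from secret-handling commands.
    - "sops"
    - "secrets"
  providers:
    - "aws"
  taskservs:
    - "postgres-admin"
  profiles:
    - "production"

# Environment restrictions
environment:
  # NOTE(review): "server create" is blocked above, so this cap only matters
  # if some other allowed path can provision servers - confirm.
  max_servers: 5
  allowed_regions:
    - "nyc1"
    - "ams3"
  allowed_sizes:
    - "s-1vcpu-1gb"
    - "s-1vcpu-2gb"
    - "s-2vcpu-2gb"

# Audit settings
audit:
  log_commands: true
  # NOTE(review): pipeline runs are non-interactive - confirm where the
  # justification text comes from and that an empty one is rejected.
  require_justification: true
  # Placeholder for an environment variable; the expansion is done by the
  # consumer, not by YAML. Treat the URL as a secret, and make an unset or
  # empty variable fail the run instead of silently skipping the notification.
  notify_webhook: "${CI_AUDIT_WEBHOOK_URL}"

# Time-based restrictions
schedule:
  # Quoted so the value stays a string instead of being type-guessed.
  # NOTE(review): confirm whether the end of the window is inclusive.
  allowed_hours: "06:00-22:00"
  allowed_days: ["mon", "tue", "wed", "thu", "fri"]
  timezone: "UTC"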