profile: readonly
description: Read-only access profile for monitoring and auditing
version: 1.0.0
restricted: true

# Read-only permissions
allowed:
  commands:
    - "server list"
    - "server status"
    - "taskserv list"
    - "taskserv status"
    - "cluster status"
    - "show"
    - "context"

  providers:
    - "local"
    - "aws"
    - "upcloud"
    - "digitalocean"

  taskservs: []

  profiles:
    - "production"
    - "staging"
    - "development"

# All modification operations blocked
blocked:
  commands:
    - "server create"
    - "server delete"
    - "server ssh"
    - "taskserv create"
    - "taskserv delete"
    - "taskserv install"
    - "cluster create"
    - "cluster delete"
    - "generate"
    - "sops"
    - "secrets"

  providers: []
  taskservs: []
  profiles: []

# No resource limits needed for read-only
environment:
  max_servers: 0
  allowed_regions: []
  allowed_sizes: []

# Audit settings
audit:
  log_commands: true
  require_justification: false
  notify_webhook: "${READONLY_AUDIT_WEBHOOK_URL}"

# 24/7 access for monitoring
schedule:
  allowed_hours: "00:00-23:59"
  allowed_days: ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
  timezone: "UTC"