# Nushell Environment Variables for Infrastructure Servers
# Security-focused environment setup

# Core environment paths
$env.NUSHELL_HOME = "{{taskserv.admin_user_home}}/nushell"
$env.NUSHELL_CONFIG_DIR = "{{taskserv.admin_user_home}}/.config/nushell"
$env.NUSHELL_DATA_DIR = "{{taskserv.admin_user_home}}/.local/share/nushell"

# Security environment variables
$env.NUSHELL_EXECUTION_MODE = "{{taskserv.nushell_execution_mode | default('restricted')}}"
$env.NUSHELL_READONLY_MODE = {% if taskserv.nushell_readonly | default(true) %}true{% else %}false{% endif %}
$env.NUSHELL_AUDIT_ENABLED = {% if taskserv.nushell_audit | default(true) %}true{% else %}false{% endif %}
$env.NUSHELL_AUDIT_FILE = "{{taskserv.admin_user_home}}/nushell/audit.log"

# Resource limits
$env.NUSHELL_MAX_MEMORY = "{{taskserv.nushell_max_memory | default('256MB')}}"
$env.NUSHELL_SESSION_TIMEOUT = {{taskserv.nushell_session_timeout | default(900)}}

# Command restrictions
$env.NUSHELL_ALLOWED_COMMANDS = "{{taskserv.nushell_allowed_commands | default('ls,cat,grep,ps,df,free,uptime,systemctl,kubectl')}}"
$env.NUSHELL_BLOCKED_COMMANDS = "{{taskserv.nushell_blocked_commands | default('rm,mv,cp,chmod,chown,sudo,su')}}"
$env.NUSHELL_ALLOWED_PATHS = "{{taskserv.nushell_allowed_paths | default('/tmp,/var/log,/proc,/sys')}}"

# Plugin configuration
$env.NUSHELL_PLUGINS_ENABLED = {% if taskserv.nushell_plugins | default(false) %}true{% else %}false{% endif %}
{% if taskserv.nushell_plugins | default(false) %}
$env.NUSHELL_PLUGIN_ALLOWLIST = "{{taskserv.nushell_plugin_allowlist | default('nu_plugin_kcl,nu_plugin_tera,nu_plugin_polars')}}"
{% endif %}

# KCL integration
$env.KCL_ENABLED = {% if taskserv.kcl_enabled | default(false) %}true{% else %}false{% endif %}
{% if taskserv.kcl_enabled | default(false) %}
$env.KCL_BINARY_PATH = "{{taskserv.kcl_binary_path | default('/usr/local/bin/kcl')}}"
{% endif %}

# Observability settings
$env.NUSHELL_METRICS_ENABLED = {% if taskserv.nushell_metrics | default(true) %}true{% else %}false{% endif %}
$env.NUSHELL_LOG_COLLECTION = {% if taskserv.nushell_log_collection | default(false) %}true{% else %}false{% endif %}
{% if taskserv.nushell_telemetry_endpoint | default("") != "" %}
$env.NUSHELL_TELEMETRY_ENDPOINT = "{{taskserv.nushell_telemetry_endpoint}}"
{% endif %}

# Provisioning integration
$env.PROVISIONING_NUSHELL_VERSION = "1.0.0"
$env.PROVISIONING_NUSHELL_MODE = "infrastructure"

# Security: Sanitize PATH to prevent privilege escalation
$env.PATH = ($env.PATH | split row (char esep) | where $it =~ "^/(usr/)?(local/)?bin$|^/(usr/)?sbin$" | str join (char esep))

# Add Nushell tools to PATH if they exist
if ("{{taskserv.admin_user_home}}/.local/bin" | path exists) {
    $env.PATH = ($env.PATH | split row (char esep) | prepend "{{taskserv.admin_user_home}}/.local/bin" | str join (char esep))
}

# Default editor for security (read-only contexts)
{% if taskserv.nushell_readonly | default(true) %}
$env.EDITOR = "cat"
$env.VISUAL = "cat"
{% else %}
$env.EDITOR = "{{taskserv.editor | default('nano')}}"
$env.VISUAL = "{{taskserv.visual_editor | default('nano')}}"
{% endif %}

# Logging configuration
$env.NU_LOG_LEVEL = "{{taskserv.nushell_log_level | default('info')}}"
$env.NU_LOG_FORMAT = "json"
$env.NU_LOG_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Network restrictions
{% if taskserv.nushell_network | default(false) %}
$env.NUSHELL_NETWORK_ENABLED = true
{% else %}
$env.NUSHELL_NETWORK_ENABLED = false
# Disable network access for security
$env.http_proxy = "127.0.0.1:9999"
$env.https_proxy = "127.0.0.1:9999"
{% endif %}

# Session information
$env.NUSHELL_SESSION_ID = (random uuid)
$env.NUSHELL_SESSION_START = (date now | format date "%Y-%m-%d %H:%M:%S")
$env.NUSHELL_SERVER_ROLE = "{{server.role | default('worker')}}"
$env.NUSHELL_SERVER_HOSTNAME = "{{server.hostname | default('unknown')}}"

# Startup message
if not ($env.NUSHELL_QUIET? | default false) {
    print $"🔧 Nushell Infrastructure Runtime v($env.PROVISIONING_NUSHELL_VERSION)"
    print $"🏷️  Server: ($env.NUSHELL_SERVER_HOSTNAME) | Role: ($env.NUSHELL_SERVER_ROLE)"
    print $"🛡️  Security: ($env.NUSHELL_EXECUTION_MODE) mode | Readonly: ($env.NUSHELL_READONLY_MODE)"
    if $env.NUSHELL_AUDIT_ENABLED {
        print $"📝 Audit logging enabled: ($env.NUSHELL_AUDIT_FILE)"
    }
}