# Command Policy Configuration Example
# ====================================
#
# Copy this file to command_policy.yaml and customize as needed.
# Set COMMAND_POLICY_CONFIG=/path/to/command_policy.yaml to use.
#
# This file extends (not replaces) the default policy patterns.
#
# Evaluation order (as described by the per-section comments below):
#   1. blocklist  - a match means the command is never logged, even if it
#                   also matches the allowlist
#   2. allowlist  - in 'strict' mode, only matching commands are logged
#   3. mask       - applied to commands that are logged, to redact values
#
# The regex dialect is not stated here; the '\1' replacement syntax in the
# mask examples suggests Python `re` -- confirm against the loader before
# relying on dialect-specific constructs (lookbehind, \b semantics, etc.).

# Policy mode:
# - 'strict': Only log commands matching allowlist (recommended)
# - 'permissive': Log everything except blocklist matches
#
# 'permissive' depends entirely on the blocklist to keep secrets out of the
# log; 'strict' fails closed (unknown commands are not logged), which is why
# it is the recommended setting.
mode: strict

# Additional blocklist patterns (regex, case-insensitive)
# Commands matching these will NEVER be logged
#
# NOTE(review): a key with no entries (as shipped here) parses as YAML null,
# not as an empty list. Whether the loader treats null as "no extra
# patterns" is not visible in this file -- confirm, or keep at least one
# entry / use an explicit empty list if the loader requires a sequence.
blocklist:
  # Add your organization-specific sensitive patterns here
  # - '\bcompany-secret\b'
  # - '\binternal-api-key\b'

# Additional allowlist patterns (regex, case-insensitive)
# Commands matching these WILL be logged (if not in blocklist)
#
# Anchor patterns with '^' (as in the examples) so a tool name cannot appear
# merely as an argument of some other command. Note that '\s+' requires at
# least one whitespace character, so '^our-monitoring-tool\s+(status|check)\b'
# does not match the bare command 'our-monitoring-tool'.
#
# Allowlisting a tool that accepts arbitrary arguments (the built-in defaults
# include grep, sed, awk, find) means those arguments are logged verbatim
# unless a blocklist keyword or a mask rule catches them; prefer narrow
# subcommand patterns like the examples below.
allowlist:
  # Add your organization-specific safe commands here
  # - '^our-monitoring-tool\s+(status|check)\b'
  # - '^internal-cli\s+(info|list)\b'

# Masking patterns: [pattern, replacement]
# Sensitive values in allowed commands will be redacted
#
# Each entry is a two-element list. The examples capture the option/variable
# name in group 1 and replace the value with '***', so the log still shows
# which option was used but not its value. '\S+' stops at the first
# whitespace: a quoted value containing spaces is only masked up to the first
# space, so use a pattern that matches the quoting if your tool allows it.
# Masking only applies to commands that are logged; a blocklist match is not
# logged at all, masked or otherwise.
mask:
  # Add custom masking for your tools
  # - ['(--internal-token[=\s]+)\S+', '\1***']
  # - ['(COMPANY_API_KEY=)\S+', '\1***']

# ============================================================================
# DEFAULT PATTERNS (for reference, these are built-in)
# ============================================================================
#
# This list is documentation only; the built-in definitions live in the code
# that loads this file and may change independently. Treat the code as
# authoritative when auditing what is and is not logged.
#
# BLOCKLIST (never logged):
# - password, passwd, token, apikey, secret keywords
# - docker login
# - curl/wget with Authorization headers
# - export of *TOKEN*, *SECRET*, *KEY*, *PASS* variables
# - cat ~/.ssh/*, /etc/shadow, id_rsa, authorized_keys
# - mysql -p*, psql with credentials
# - aws configure, gcloud auth, az login
# - kubectl get/describe/edit secret
# - ansible-vault encrypt/decrypt/edit
#
# ALLOWLIST (logged):
# - ls, cd, pwd, whoami, id, uname, hostname, date, uptime
# - df, du, free, lsblk, fdisk -l, mount
# - ps, top, htop, pgrep, pstree
# - ip addr/link/route, ifconfig, netstat, ss, ping, traceroute
# - systemctl status/start/stop/restart/enable/disable
# - journalctl, service status
# - docker ps/images/logs/inspect/stats/compose
# - apt/dnf/yum list/search/show (and install/update for audit)
# - tail, head, less, more, grep, awk, sed, find, locate
# - cp, mv, rm, mkdir, rmdir, chmod, chown
# - git status/log/diff/branch/show
# - ansible, ansible-playbook, ansible-galaxy
# - terraform plan/show/state/output/validate
# - zfs list/get/status, zpool list/status
# - lvs, vgs, pvs
# - clear, exit, logout