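---
# Secret Validation Rules
# Defines which environment variables must use secret references.
#
# Every `validation` value in this file is treated as a regular expression
# (the other entries use `^...$` anchors and `.*`), so each one is written as a
# regex: anchored with `^` where a prefix is meant, dots escaped where a literal
# dot is meant. An unanchored pattern would match anywhere in the value.
#
# Entry fields (per required secret):
#   pattern    - environment variable name that must not hold a literal value
#   secret_ref - reference into the secret store; presumably "<store>:<key>",
#                with "db-credentials" naming a whole store — confirm against
#                the consumer
#   validation - regex the resolved secret value must match

production_secrets:
  coordinator:
    required_secrets:
      # Scheme check only. Whether TLS is enforced on the connection string
      # presumably comes from `require_ssl_database` below, not from this regex.
      # Anchored with `^` so "postgresql://" must be the URL scheme, consistent
      # with the other prefix checks in this list.
      - pattern: "DATABASE_URL"
        secret_ref: "db-credentials"
        validation: "^postgresql://"
      # API keys: alphanumeric, at least `min_key_length` (32) characters.
      - pattern: "ADMIN_API_KEY"
        secret_ref: "api-keys:admin"
        validation: "^[a-zA-Z0-9]{32,}$"
      - pattern: "CLIENT_API_KEY"
        secret_ref: "api-keys:client"
        validation: "^[a-zA-Z0-9]{32,}$"
      # Symmetric keys: exactly 64 hex characters (32 bytes).
      - pattern: "ENCRYPTION_KEY"
        secret_ref: "security-keys:encryption"
        validation: "^[a-fA-F0-9]{64}$"
      - pattern: "HMAC_SECRET"
        secret_ref: "security-keys:hmac"
        validation: "^[a-fA-F0-9]{64}$"
      - pattern: "JWT_SECRET"
        secret_ref: "security-keys:jwt"
        validation: "^[a-fA-F0-9]{64}$"
      # Third-party credentials: prefix/scheme checks only.
      - pattern: "OPENAI_API_KEY"
        secret_ref: "external-services:openai"
        validation: "^sk-"
      - pattern: "SENTRY_DSN"
        secret_ref: "monitoring:sentry"
        validation: "^https://"
  wallet_daemon:
    required_secrets:
      - pattern: "COORDINATOR_API_KEY"
        secret_ref: "api-keys:coordinator"
        validation: "^[a-zA-Z0-9]{32,}$"

forbidden_patterns:
  # These patterns should never appear in ANY configs
  # (placeholder values and inline credentials).
  - "your-.*-key-here"
  - "change-this-.*"
  - "password="
  - "secret_key="
  - "api_secret="

production_forbidden_patterns:
  # These patterns should never appear in PRODUCTION configs
  - "localhost"
  # Dots escaped so the regex matches the literal loopback address rather
  # than any character in those positions.
  - "127\\.0\\.0\\.1"
  - "sqlite://"
  - "debug.*true"

validation_rules:
  # Minimum security requirements
  # `min_key_length` matches the `{32,}` quantifier used by the API-key regexes above.
  min_key_length: 32
  require_complexity: true
  no_default_values: true
  no_localhost_in_prod: true

  # Database security
  require_ssl_database: true
  forbid_sqlite_in_prod: true

  # API security
  require_https_urls: true
  validate_api_key_format: true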