{
  // Agent Tools Configuration (JSON5 supported)
  $schema: "https://raw.githubusercontent.com/blogic-cz/agent-tools/main/schemas/agent-tools.schema.json",

  // Default environment used when --env flag is omitted.
  // Implicit production access is always blocked for safety.
  defaultEnvironment: "test",

  // VPN definitions referenced by tool prerequisites.
  vpns: {
    officeVpn: { name: "OfficeVPN" },
    testVpn: { name: "TestVPN" },
  },

  // Azure DevOps profiles
  azure: {
    default: {
      organization: "https://dev.azure.com/example-org",
      defaultProject: "platform",
      timeoutMs: 60000,
    },
    legacy: {
      organization: "https://dev.azure.com/legacy-org",
      defaultProject: "main-project",
    },
  },

  // Kubernetes cluster profiles
  kubernetes: {
    default: {
      clusterId: "398bf1ad-788c-40f5-a7e0-88366648d9d9",
      namespaces: {
        test: "my-app-test",
        prod: "my-app-prod",
        system: "system",
      },
      timeoutMs: 60000,
    },
  },

  // Database profiles (with kubectl tunneling support)
  database: {
    default: {
      // Optional profile-level prerequisites apply to every DB environment unless an environment
      // declares its own vpn/prerequisites. DB commands try direct access first, then connect VPN.
      vpn: "officeVpn",
      environments: {
        local: {
          host: "127.0.0.1",
          port: 25538,
          user: "my-app-user",
          database: "my-app",
          passwordEnvVar: "AGENT_TOOLS_DB_LOCAL_CRED", // Read from env for security
          prerequisites: [], // Explicitly disables inherited database.default.vpn for local access
        },
        test: {
          host: "127.0.0.1",
          port: 25437,
          user: "readonly-user",
          database: "my-app-test",
          passwordEnvVar: "AGENT_TOOLS_DB_TEST_CRED",
          vpn: "testVpn", // Environment-level VPN overrides database.default.vpn
        },
      },
      kubectl: {
        context: "example-cluster",
        namespace: "system",
      },
      tunnelTimeoutMs: 5000,
      remotePort: 5432,
    },
  },

  // Logs profiles
  logs: {
    default: {
      localDir: "apps/web-app/logs",
      remotePath: "/app/logs",
    },
  },

  // Observability profiles (Grafana-backed Tempo/Loki/Prometheus)
  observability: {
    // Profile name selected via --profile (or auto-selected when only one profile exists)
    default: {
      // Environment name selected via --env
      environments: {
        local: {
          url: "http://localhost:40300",
          prometheusUid: "prometheus",
          lokiUid: "loki",
        },
        prod: {
          url: "https://grafana.example.com",
          tokenEnvVar: "AGENT_TOOLS_OBSERVABILITY_PROD_TOKEN",
          prometheusUid: "prometheus",
          lokiUid: "loki",
        },
      },
    },
  },

  // Global session storage path
  session: {
    storagePath: "~/.local/share/opencode/storage",
  },

  // Global audit log settings
  audit: {
    retentionDays: 90,
    dbPath: "~/.agent-tools/audit.sqlite",
  },

  // Global security rules for AI agents
  credentialGuard: {
    additionalBlockedPaths: ["private/"],
    additionalAllowedPaths: ["apps/web-app/.env.test"],
    additionalBlockedCliTools: [
      {
        tool: "kubectl",
        suggestion: "Use agent-tools-k8s instead",
      },
    ],
    additionalDangerousBashPatterns: ["rm -rf /"],
  },
}