os.lr

// Copyright (c) Mondoo, Inc.
// SPDX-License-Identifier: BUSL-1.1

import "../../core/resources/core.lr"
import "../../network/resources/network.lr"

option provider = "go.mondoo.com/cnquery/v9/providers/os"
option go_package = "go.mondoo.com/mql/v13/providers/os/resources"

alias os.base.command = command
alias os.base.user = user
alias os.base.group = group
alias os.base.file = file
alias os.base.packages = packages
alias os.base.service = service
alias os.base.services = services
alias os.unix.sshd = sshd

extend asset {
  // Common Platform Enumeration (CPE) for the asset
  cpes() []core.cpe
  // Advisory & vulnerability report
  // Deprecated; will be removed in version 13.0 (use vulnmgmt instead)
  vulnerabilityReport() dict
  // Platform URL in the package URL format (as opposed to the CPE format)
  purl() string
}

asset.eol @defaults("date") {
  // Documentation URL
  docsUrl string
  // Product URL
  productUrl string
  // End-of-Life date
  date time
}

// Platform end-of-life information
private mondoo.eol {
  // Product name
  product string
  // Product version
  version string
  // End-of-life date for the product
  date() time
}

// Asset vulnerability information
vulnmgmt {
  // List of all CVEs affecting the asset
  cves() []vuln.cve
  // List of all Advisories affecting the asset
  advisories() []vuln.advisory
  // List of all packages affected by vulnerabilities
  packages() []vuln.package
  // Last time the vulnerability information was updated
  lastAssessment() time
  // Statistics about the vulnerabilities
  stats() audit.cvss
}

// CVE information
private vuln.cve @defaults("id") {
  // CVE ID
  id string
  // CVE state
  state     string
  // Summary description
  summary   string
  // Whether the CVE has a CVSS score
  unscored  bool
  // Publication date
  published   time
  // Last modification date
  modified    time
  // Worst CVSS score of all assigned CVEs
  worstScore    audit.cvss
}

// Advisory information
private vuln.advisory @defaults("id") {
  // Advisory ID
  id string
  // Title of the advisory
  title string
  // Description of the advisory
  description string
  // Advisory publication date
  published   time
  // Last modification date
  modified    time
  // Worst CVSS score of all assigned CVEs
  worstScore    audit.cvss
}

// Package information relevant for vulnerability management
private vuln.package @defaults("name version") {
  // Package name
  name string
  // Package version
  version string
  // Available package version
  available string
  // Architecture of this package
  arch string
}

// All platform/package advisories
platform.advisories {
  []audit.advisory
  // Worst CVSS score for all advisories
  cvss() audit.cvss
  // Statistical information: total, critical, high, medium, low, none, unknown
  stats() dict
}

// All platform/package CVEs
platform.cves {
  []audit.cve
  // Worst CVSS score for all CVEs
  cvss() audit.cvss
  // Statistical information: total, critical, high, medium, low, none, unknown
  stats() dict
}

// Common Vulnerability Scoring System (CVSS) score
private audit.cvss @defaults("score") {
  // CVSS score ranging from 0.0 to 10.0
  score   float
  // CVSS score represented as a vector string
  vector  string
}

// Platform/package advisory
private audit.advisory {
  // Advisory ID
  id          string
  // Mondoo advisory identifier
  mrn         string
  // Advisory title
  title       string
  // Advisory description
  description string
  // Advisory publication date
  published   time
  // Last modification date
  modified    time
  // Worst CVSS score of all assigned CVEs
  worstScore    audit.cvss
}

// Common Vulnerabilities and Exposures (CVEs)
private audit.cve {
  // CVE ID
  id        string
  // Mondoo CVE identifier
  mrn       string
  // CVE state
  state     string
  // Summary description
  summary   string
  // Whether the CVE has a CVSS score
  unscored  bool
  // Publication date
  published   time
  // Last modification date
  modified    time
  // Worst CVSS score of all assigned CVEs
  worstScore    audit.cvss
}

machine {}

// SMBIOS BIOS information
machine.bios {
  // BIOS vendor
  vendor string
  // BIOS version
  version string
  // BIOS release date
  releaseDate string
}

// SMBIOS system information
machine.system {
  // Manufacturer
  manufacturer string
  // Product name
  product string
  // Version
  version string
  // Serial number
  serial string
  // UUID
  uuid string
  // SKU number
  sku string
  // Family
  family string
}

// SMBIOS baseboard (or module) information
machine.baseboard {
  // Manufacturer
  manufacturer string
  // Product
  product string
  // Version
  version string
  // Serial number
  serial string
  // Asset tag
  assetTag string
}

// SMBIOS system enclosure or chassis
machine.chassis {
  // Manufacturer
  manufacturer string
  // Version
  version string
  // Serial number
  serial string
  // Asset tag number
  assetTag string
}

// CPU information
machine.cpu @defaults("manufacturer model processorCount coreCount") {
  // CPU manufacturer
  manufacturer string
  // CPU model name
  model string
  // Number of physical CPU packages (sockets)
  processorCount int
  // Total number of physical CPU cores
  coreCount int
}

// Operating system information
os {
  // Pretty hostname on macOS/Linux or device name on Windows
  name() string
  // ENV variable contents
  env() map[string]string
  // PATH variable contents
  path(env) []string
  // Current uptime
  uptime() time
  // List of available OS updates
  updates() []os.update
  // Whether a reboot is pending
  rebootpending() bool
  // Hostname for this OS
  hostname() string
  // Hypervisor for this OS
  hypervisor() string
  // Machine ID for this OS
  machineid() string
  // Current date and timezone of the system
  date() os.date
}

// Operating system date and timezone information
os.date @defaults("time timezone") {
  // Current system time
  time() time
  // System timezone (e.g., "America/New_York", "UTC")
  timezone() string
}

// Operating system update information
os.update @defaults("name")  {
  // Name of the update
  name string
  // Category of the update
  category string
  // Severity of the update
  severity string
  // Whether a restart is required
  restart bool
  // Package format for this update
  format string
}

os.base {
  embed machine

  // Pretty Hostname on macOS/Linux or device name on Windows
  name() string
  // ENV variable contents
  env() map[string]string
  // PATH variable contents
  path(env) []string
  // Current uptime
  uptime() time
  // List of available OS updates
  updates() []os.update
  // Whether a reboot is pending
  rebootpending() bool
  // Hostname for this OS
  hostname() string
  // User groups
  groups() groups
  // Users
  users() users
}

os.unix {
  embed os.base as base
}

os.linux {
  embed os.unix as unix

  // iptables firewall for IPv4
  iptables() iptables
  // iptables firewall for IPv6
  ip6tables() ip6tables
  // nftables firewall
  nftables() nftables
  // UFW (Uncomplicated Firewall)
  ufw() ufw
  // firewalld dynamic firewall manager (RHEL/CentOS/Fedora)
  firewalld() firewalld
  // /etc/fstab entries
  fstab() fstab
  // AppArmor mandatory access control
  apparmor() apparmor
}

// Operating system root certificates
os.rootCertificates {
  []certificate(content)
  // List of files that define these certificates
  files []file
  content(files) []string
}

// Results of running a command on the system
command {
  init(command string)
  // Raw contents of the command
  command string
  // Standard output from running the command
  stdout(command) string
  // Standard error output from running the command
  stderr(command) string
  // Exit code the command returned
  exitcode(command) int
}

// Results of running a PowerShell script on the system
powershell {
  init(script string)
  // Raw contents of the script
  script string
  // Standard output from running the script
  stdout() string
  // Standard error output from running the script
  stderr() string
  // Exit code the script returned
  exitcode() int
}

// File on the system
file @defaults("path size permissions.string") {
  init(path string)
  // Location of the file on the system
  path string
  // Filename without path prefix of this file
  basename(path) string
  // Path to the folder containing this file
  dirname(path) string
  // Contents of this file
  content(path, exists) string
  // Whether this file exists on the system
  exists(path) bool
  // Permissions for this file
  permissions(path) file.permissions
  // Size of this file on disk
  size(path) int
  // Ownership information about the user
  user() user
  // Ownership information about the group
  group() group
  // Whether the path is empty
  empty(path) bool
}

// File context is a range of lines/columns in a file
private file.context @defaults("file.path range content") {
  // File referenced by this file context
  file file
  // Range of content in the file
  range range
  // Content for this range in the file, shown as an excerpt
  content(file, range) string
}

// Access permissions for a given file
private file.permissions @defaults("string") {
  // Raw POSIX mode for the permissions
  mode int
  // Whether the file is readable by its owner
  user_readable bool
  // Whether the file is writeable by its owner
  user_writeable bool
  // Whether the file is executable by its owner
  user_executable bool
  // Whether the file is readable by members of the group
  group_readable bool
  // Whether the file is writeable by members of the group
  group_writeable bool
  // Whether the file is executable by members of the group
  group_executable bool
  // Whether the file is readable by others
  other_readable bool
  // Whether the file is writeable by others
  other_writeable bool
  // Whether the file is executable by others
  other_executable bool
  // SUID bit indicator
  suid bool
  // SGID bit indicator
  sgid bool
  // Sticky bit indicator
  sticky bool
  // Whether the file describes a directory
  isDirectory bool
  // Whether the file describes a regular file
  isFile bool
  // Whether the file is a symlink
  isSymlink bool
  // A simple printed string version of the permissions
  string() string
}

files {}

// Find files on the system
files.find {
  []file
  // Sets the starting point for the search operation
  from string
  // Whether to search across other devices
  xdev bool
  // What types of files to list (directories, files, devices, etc)
  type string
  // A regular expression for the file search
  regex string
  // What permissions the file matches
  permissions int
  // Search name
  name string
  // The depth of the file search.
  depth int
}

// Parse INI files
parse.ini {
  init(path string, delimiter string)
  // Symbol that separates keys and values
  delimiter string
  // File that is parsed
  file file
  // Raw content of the file that is parsed
  content(file) string
  // Map of sections and key-value pairs
  sections(content, delimiter) map[string]map[string]string
  // Map of parameters that don't belong to sections
  params(sections) map[string]string
}

// Parse JSON files
parse.json {
  init(path string)
  // File that is parsed
  file file
  // Raw content of the file that is parsed
  content(file) string
  // The parsed parameters defined in this file
  params(content) dict
}

// Parse XML files
parse.xml {
  init(path string)
  // File that is parsed
  file file
  // Raw content of the file that is parsed
  content(file) string
  // The parsed parameters defined in this file
  params(content) dict
}

// Parse plist files
parse.plist {
  init(path string)
  // File that is parsed
  file file
  // Raw content of the file that is parsed
  content(file) string
  // The parsed parameters that are defined in this file
  params(content) dict
}

// Parse YAML files
parse.yaml {
  init(path string)
  // File that is parsed
  file file
  // Raw content of the file that is parsed
  content(file) string
  // The parsed parameters that are defined in this file
  params(content) dict
  // Parsed yaml documents
  documents(content) []dict
}

// Parse certificates from files
parse.certificates {
  []network.certificate(content, path)
  init(path string)
  // Certificate file path
  path string
  // Certificate file
  file() file
  // Certificate file content
  content(file) string
}

// Parse OpenPGP from files
parse.openpgp {
  []network.openpgp.entity(content)
  init(path string)
  // OpenPGP file
  file file
  // OpenPGP file content
  content(file) string
}

// User on this system
user @defaults("name uid gid") {
  // User ID
  uid int
  // User's group ID
  gid int
  // User's security identifier (Windows)
  sid string
  // Name of the user
  name string
  // Home folder
  home string
  // Default shell configured
  shell string
  // Whether the user is enabled
  enabled bool
  // List of authorized keys
  authorizedkeys(home) authorizedkeys
  // List of SSH keys
  sshkeys() []privatekey
  // Group of which user is a member
  group(gid) group
}

// Private key resource
privatekey {
  // PEM data
  pem string
  // Deprecated; use file instead
  path string
  // File on disk for this private key
  file file
  // Whether the file is encrypted
  encrypted bool
}

// Users configured on this system
users {
  []user
}

// List of SSH authorized keys
authorizedkeys {
  []authorizedkeys.entry(file, content)
  init(path string)
  // Path to the key file
  path string
  // Key file
  file file
  // Key file content
  content(file) string
}

// SSH authorized key
authorizedkeys.entry @defaults("key") {
  // Line of the key
  line int
  // Type of key
  type string
  // Key
  key string
  // Key label
  label string
  // SSH key options (e.g., command restrictions, source IP limits)
  options []string
  // Key file
  file file
}

// Group on this system
group @defaults("name gid") {
  init(id string)
  // Group ID
  gid int
  // Group's security identifier (Windows)
  sid string
  // Name of this group
  name string
  // Users who are members of this group
  members() []user
}

// Groups configured on this system
groups {
  []group
}

// Package on the platform or OS
package @defaults("name version") {
  // May be initialized with the name only, in which case it will look up
  // The package with the given name on the system.
  init(name string)

  // Name of the package
  name string
  // Package description
  description string
  // Current version of the package
  version string
  // Architecture of this package
  arch string
  // Epoch of this package
  epoch string

  // Format of this package (e.g., rpm, deb)
  format string
  // Status of this package (e.g., if it is needed)
  status() string

  // Package URL
  purl string

  // Common Platform Enumeration (CPE) for the package
  cpes []core.cpe

  // Package origin, may include version if available (optional)
  origin() string

  // Available version
  available string
  // Whether the package is installed
  installed bool
  // Whether the package is outdated
  outdated() bool

  // Package files
  files() []pkgFileInfo

  // Package vendor
  vendor string
}

private pkgFileInfo @defaults("path") {
  // Path to the file
  path string
}

// List of packages on this system
packages {
  []package
}

// PAM configuration (pluggable authentication module)
pam.conf {
  init(path string)
  // List of files that make up the PAM configuration
  files() []file
  // The raw PAM configuration (across all files)
  content(files) string
  // Deprecated; list of services that are configured via PAM
  services(files) map[string][]string
  // List of services with parsed entries that are configured via PAM
  entries(files) map[string][]pam.conf.serviceEntry
}

private pam.conf.serviceEntry @defaults("service module") {
  // Service file that the entry is from
  service string
  // Line number in service file (used for ID)
  lineNumber int
  // Type for PAM entry, (i.e., auth, password, etc)
  pamType string
  // Level of control, (i.e., required, requisite, sufficient)
  control string
  // PAM module used
  module string
  // Configuration options for pam service entry
  options []string
}

// SSH server resource
sshd {}

// SSH server configuration
sshd.config {
  init(path? string)
  // File of this SSH server configuration
  file() file
  // A list of lexically sorted files making up the SSH server configuration
  files(file) []file
  // Configuration values of this SSH server
  params(file) map[string]string
  // Blocks with match conditions in this SSH server config
  blocks(file) []sshd.config.matchBlock
  // Ciphers configured for this SSH server
  ciphers(params) []string
  // MACs configured for this SSH server
  macs(params) []string
  // Key exchange algorithms configured for this SSH server
  kexs(params) []string
  // Host keys configured for this SSH server
  hostkeys(params) []string
  // PermitRootLogin setting in SSH server
  permitRootLogin(params) []string
}

// A block of SSH server configuration
private sshd.config.matchBlock @defaults("criteria") @context("file.context") {
  // The match criteria for this block
  criteria string
  // Configuration values in this block
  params map[string]string
  // Ciphers configured for this SSH server
  ciphers(params) []string
  // MACs configured for this SSH server
  macs(params) []string
  // Key exchange algorithms configured for this SSH server
  kexs(params) []string
  // Host keys configured for this SSH server
  hostkeys(params) []string
  // PermitRootLogin setting in SSH server
  permitRootLogin(params) []string
}

// auditd (Linux Audit Daemon) configuration
auditd.config {
  init(path? string)
  // File of this auditd configuration
  file() file
  // Configuration values of this config
  params(file) map[string]string
}

// auditd (Linux Audit Daemon) rules aggregated on disk
// via /etc/audit/audit.rules by default
auditd.rules {
  // Path to folder to look up rules
  path() string
  // All controls for auditd
  controls(path) []auditd.rule.control
  // All file rules
  files(path) []auditd.rule.file
  // All syscall rules
  syscalls(path) []auditd.rule.syscall
}

// auditd (Linux Audit Daemon) rule
private auditd.rule {}

// auditd (Linux Audit Daemon) rule for a control
// We translate these into simple key-value pairs consisting of a flag and a value
// eg: --backlog_wait_time 60000  =>  {flag: "--backlog_wait_time", value: "60000"}
// eg: -b 8192                    =>  {flag: "-b", value: "8192"}
// eg: -D                         =>  {flag: "-D", value: nil}
private auditd.rule.control @defaults("flag value") {
  // The flag used for this control, i.e. the first part of the control including any leading `-`
  flag string
  // The value of the control, which may be specified
  value string
}

// auditd (Linux Audit Daemon) rule for a file
// eg: -w /etc/shadow -p rw -k shadow_access
//  => {path: "/etc/shadow", permissions: "rw", keyname: "shadow_access"}
private auditd.rule.file @defaults("path permissions") {
  // The path this rule matches as specified by -w
  path string
  // The permissions specified by this rule via -p
  permissions string
  // The key name for related rules as specified by -k
  keyname string
}

// auditd (Linux Audit Daemon) rule for a syscall
// eg: -a always,exit -F arch=b32 -F auid>=1000 -F auid!=unset
//  => {
//    action: "always",
//    list: "exit",
//    syscalls: [],
//    field_entries: [
//      key="arch" op="=" value="b32"
//      key="auid" op=">=" value="1000"
//      key="auid" op="!=" value="unset"
//    ],
//    keyname: nil,
// }
private auditd.rule.syscall @defaults("action list") {
  // The action specified by -a
  action string
  // The list, the second value specified by -a
  list string
  // The list of syscalls that this rule matches, specified by -S
  syscalls []string
  // All field entries as raw values, as specified by -F
  fields []dict
  // All inter-field comparisons as specified by -C
  comparisons []dict
  // The key name for related rules as specified by -k
  keyname string
}

// Apache2 HTTP Server
apache2 {
  // Apache2 version (e.g., "2.4.62")
  version() string
}

// Apache2 HTTP Server configuration
apache2.conf {
  init(path? string)
  // Primary configuration file
  file() file
  // All configuration files (main + included fragments)
  files(file) []file
  // Flat key-value directives from the configuration
  params(file) map[string]string
  // Listen addresses/ports
  listenAddresses(params) []string
  // Loaded modules (LoadModule directives)
  modules(file) []apache2.conf.module
  // VirtualHost blocks
  virtualHosts(file) []apache2.conf.virtualHost
  // Directory blocks
  directories(file) []apache2.conf.directory
}

// Apache2 loaded module
private apache2.conf.module @defaults("name") {
  // Module name (e.g., "ssl_module")
  name string
  // Shared object path (e.g., "modules/mod_ssl.so")
  path string
}

// Apache2 VirtualHost block
private apache2.conf.virtualHost @defaults("address") {
  // VirtualHost address (e.g., "*:443")
  address string
  // ServerName directive
  serverName string
  // DocumentRoot directive
  documentRoot string
  // Whether SSL is enabled (SSLEngine on)
  ssl bool
  // All directives within this VirtualHost
  params map[string]string
}

// Apache2 Directory block
private apache2.conf.directory @defaults("path") {
  // Directory path
  path string
  // Options directive value
  options string
  // AllowOverride directive value
  allowOverride string
  // All directives within this Directory block
  params map[string]string
}

// systemd journald configuration
journald.config {
  init(path? string)
  // File of this journald configuration
  file() file
  // Deprecated; use sections() instead
  params(file) map[string]string
  // All sections in this journald configuration
  sections(file) []journald.config.section
}

// A section in journald configuration
journald.config.section @defaults("name") {
  // Name of the section (e.g., "Journal", "Upload")
  name string
  // Key-value pairs in this section
  params []journald.config.section.param
}

journald.config.section.param @defaults("name value") {
  name string
  value string
}

// Service on this system
service @defaults("name running enabled type") {
  init(name string)
  // Name of the service
  name string
  // Service description
  description string
  // Whether the service is installed
  installed bool
  // Whether the service is running
  running bool
  // Whether the service is enabled (start at boot)
  enabled bool
  // Service type (e.g., simple, forking, oneshot, notify)
  type string
  // Whether the service is masked
  masked bool
  // Whether the service is static (unit file has no [Install] section and cannot be enabled/disabled)
  static bool
}

// Services configured on this system
services {
  []service
}

// System kernel information
kernel @defaults("info") {
  // Active kernel information
  info() dict
  // Kernel parameters map
  parameters() map[string]string
  // List of kernel modules
  modules() []kernel.module
  // Installed versions
  installed() []dict
}

// System kernel module information
kernel.module @defaults("name loaded") {
  init(name string)

  // Name of the kernel module
  name string
  // Size of the kernel module
  size string
  // Whether the module is loaded
  loaded bool
}

// Docker host resource
docker {
  // List all Docker images
  images() []docker.image
  // List all Docker containers
  containers() []docker.container
}

// Dockerfile resource
docker.file @defaults("file.path instructions.length stages.length") {
  init(path string)
  // File information about this Dockerfile
  embed file
  // List of instructions in the order they appear
  instructions(file) dict
  // All stages included in this Dockerfile
  stages(file) []docker.file.stage
}

// Dockerfile stages
private docker.file.stage @defaults("from.name") {
  // The source of this stage, specified via `FROM` in Dockerfiles
  from docker.file.from
  // Contains the reference to the Dockerfile this stage belongs to
  file docker.file
  // ENV instructions in this Dockerfile
  env []docker.file.env
  // ARG instructions in the Dockerfile
  arg []docker.file.arg
  // LABEL instructions in the Dockerfile
  labels map[string]string
  // RUN instructions in this Dockerfile
  run []docker.file.run
  // CMD instructions in this Dockerfile
  cmd docker.file.run
  // USER instruction in this Dockerfile
  user docker.file.user
  // ENTRYPOINT instructions in this Dockerfile
  entrypoint docker.file.run
  // ADD instructions in this Dockerfile
  add []docker.file.add
  // COPY instructions in this Dockerfile
  copy []docker.file.copy
  // EXPOSE instructions in this Dockerfile
  expose []docker.file.expose
  // HEALTHCHECK instruction in this Dockerfile
  healthcheck docker.file.healthcheck
  // VOLUME instructions in this Dockerfile
  volumes []docker.file.volume
  // SHELL instruction in this Dockerfile
  shell docker.file.shell
  // WORKDIR instructions in this Dockerfile
  workdir []docker.file.workdir
}

// Dockerfile ARG instructions
private docker.file.arg @defaults("name default") {
  // Name of the variable
  name string
  // (optional) Default value of the variable.
  // Values are preserved as-is, without stripping quotes.
  default string
}

// Dockerfile ENV instructions
private docker.file.env @defaults("name value") {
  // Name of the variable
  name string
  // Value of the variable
  // Values are preserved as-is, without stripping quotes.
  value string
}

// Dockerfile USER instructions
private docker.file.user @defaults("user") {
  // Set the user name or UID
  user string
  // Set the user group or GID (optional)
  group string
}

// Dockerfile EXPOSE instruction
private docker.file.expose @defaults("port protocol") {
  // Port that is exposed
  port int
  // Protocol that is exposed (evaluates to `tcp` if not specified)
  protocol string
}

// Dockerfile FROM instructions
private docker.file.from @defaults("name image tag") {
  platform string
  image string
  tag string
  digest string
  name string
}

// Dockerfile RUN instructions
private docker.file.run @defaults("script") {
  script string
}

// Dockerfile ADD instructions
private docker.file.add @defaults("src dst") {
  src []string
  dst string
  chown string
  chmod string
}

// Dockerfile COPY instructions
private docker.file.copy @defaults("src dst") {
  // Optional source to copy file(s) from when not using the default build context
  src []string
  // The destination in the image for the file(s)
  dst string
  // Ownership of the file(s)
  chown string
  // Octal permissions of the file(s)
  chmod string
}

// Dockerfile HEALTHCHECK instruction
private docker.file.healthcheck @defaults("test") {
  // The health check test command (e.g., ["CMD-SHELL", "curl -f http://localhost/ || exit 1"])
  test []string
  // Time between running the check in nanoseconds
  interval int
  // Time to wait before considering the check hung in nanoseconds
  timeout int
  // Start period for the container to initialize before counting retries in nanoseconds
  startPeriod int
  // Interval between checks during start period in nanoseconds
  startInterval int
  // Number of consecutive failures needed to report unhealthy
  retries int
  // Whether HEALTHCHECK is set to NONE (disables any inherited healthcheck)
  none bool
}

// Dockerfile VOLUME instruction
private docker.file.volume @defaults("path") {
  // Volume mount path
  path string
}

// Dockerfile SHELL instruction
private docker.file.shell @defaults("command") {
  // Shell executable and flags (e.g., ["/bin/bash", "-o", "pipefail", "-c"])
  command []string
}

// Dockerfile WORKDIR instruction
private docker.file.workdir @defaults("path") {
  // Working directory path
  path string
}

// Docker image
docker.image {
  // Image ID
  id string
  // Image size in kilobytes
  size int
  // Repo digests
  repoDigests []string
  // Tag key value pairs
  tags []string
  // Labels key value pairs
  labels map[string]string
}

// Docker container
docker.container @defaults("names.first status"){
  embed os.linux as os
  // Container ID
  id string
  // Container command
  command string
  // Container image
  image string
  // Image ID
  imageid string
  // Container names
  names []string
  // Container state (e.g., created, running, paused, restarting, exited, dead)
  state string
  // Status message
  status string
  // Label key value pairs
  labels map[string]string
  // Container configuration that depends on the host running the container
  hostConfig() dict
}

// containerd host resource
containerd {
  // List all containerd containers
  containers() []containerd.container
}

// containerd container
containerd.container @defaults("id status") {
  // Container ID
  id string
  // Container image reference
  image string
  // Container status (created, running, paused, stopped, unknown)
  status string
  // Container labels
  labels map[string]string
  // Container PID (0 if not running)
  pid int
  // containerd namespace
  namespace string
  // Container runtime (e.g., "io.containerd.runc.v2")
  runtime string
  // Container snapshotter
  snapshotter string
}

// IPv4 tables
iptables {
  // IPv4 input chain entries
  input() []iptables.entry
  // IPv4 output chain entries
  output() []iptables.entry
  // IPv4 forward chain entries
  forward() []iptables.entry
  // Default policy for the INPUT chain (e.g., ACCEPT, DROP)
  inputPolicy() string
  // Default policy for the FORWARD chain (e.g., ACCEPT, DROP)
  forwardPolicy() string
  // Default policy for the OUTPUT chain (e.g., ACCEPT, DROP)
  outputPolicy() string
}

// IPv6 tables
ip6tables {
  // IPv6 input chain entries
  input() []iptables.entry
  // IPv6 output chain entries
  output() []iptables.entry
  // IPv6 forward chain entries
  forward() []iptables.entry
  // Default policy for the INPUT chain (e.g., ACCEPT, DROP)
  inputPolicy() string
  // Default policy for the FORWARD chain (e.g., ACCEPT, DROP)
  forwardPolicy() string
  // Default policy for the OUTPUT chain (e.g., ACCEPT, DROP)
  outputPolicy() string
}

// Individual iptables entry
iptables.entry {
  // Line number of statistic, which is used to create the ID
  lineNumber int
  // Packets from iptable
  packets int
  // How large the packet is in octets, including headers and everything.
  bytes int
  // What to do with the packet if it matches a rule
  target string
  // Protocol of the next level layer (e.g., TCP, UDP, ICMP, etc)
  protocol string
  // IP options
  opt string
  // Input
  in string
  // Output
  out string
  // Source address field that tells the receiver where the packet came from
  source string
  //The destination IP address of the traffic, subnet of the traffic, or anywhere
  destination string
  // Optional settings within the header such as internet timestamps, SACK, or record route options
  options string
  // Input or output, which is used to create the ID
  chain string
}

// nftables firewall
nftables @defaults("tables") {
  // nft version string (e.g., "1.0.2")
  version() string
  // All nftables tables
  tables() []nftables.table
  // All chains across all tables
  chains() []nftables.chain
  // All rules across all tables and chains
  rules() []nftables.rule
  // All named sets across all tables
  sets() []nftables.set
}

// nftables table
private nftables.table @defaults("family name") {
  // Address family (ip, ip6, inet, arp, bridge, netdev)
  family string
  // Table name
  name string
  // Table handle number
  handle int
  // Table flags (e.g., dormant, owner, persist)
  flags []string
  // Chains in this table
  chains []nftables.chain
  // Rules in this table across all chains
  rules []nftables.rule
  // Named sets in this table
  sets []nftables.set
}

// nftables chain
private nftables.chain @defaults("family table name") {
  // Address family
  family string
  // Table this chain belongs to
  table string
  // Chain name
  name string
  // Chain handle number
  handle int
  // Chain type (filter, route, nat) - only for base chains
  type string
  // Hook point (input, output, forward, prerouting, postrouting, ingress, egress) - only for base chains
  hook string
  // Chain priority - only for base chains
  prio int
  // Default policy (accept, drop) - only for base chains
  policy string
  // Whether this is a base chain (has type, hook, and priority)
  isBaseChain bool
  // Rules in this chain
  rules []nftables.rule
}

// nftables rule
private nftables.rule @defaults("family table chain handle") {
  // Address family
  family string
  // Table this rule belongs to
  table string
  // Chain this rule belongs to
  chain string
  // Rule handle number
  handle int
  // Rule expressions as structured data
  expr []dict
  // Rule comment
  comment string
}

// nftables named set (or map)
private nftables.set @defaults("family table name") {
  // Address family
  family string
  // Table this set belongs to
  table string
  // Set name
  name string
  // Set handle number
  handle int
  // Element data type (e.g., "ipv4_addr", "inet_service", "ether_addr")
  keyType string
  // Value data type for maps (empty for plain sets)
  valueType string
  // Set flags (e.g., "constant", "interval", "timeout", "dynamic")
  flags []string
  // Set elements (values as strings)
  elements []string
  // Whether this is a map (has both key and value types)
  isMap bool
  // Set timeout in seconds (0 if not set)
  timeout int
}

// UFW (Uncomplicated Firewall) status and rules
ufw @defaults("status rules") {
  // Whether UFW is active ("active", "inactive", "not installed")
  status() string
  // Default policy for incoming traffic (e.g., "deny", "allow", "reject")
  defaultIncoming() string
  // Default policy for outgoing traffic (e.g., "allow", "deny", "reject")
  defaultOutgoing() string
  // Default policy for routed traffic (e.g., "deny", "allow", "reject")
  defaultRouted() string
  // Logging level (off, low, medium, high, full)
  logging() string
  // All UFW rules
  rules() []ufw.rule
  // Application profiles from /etc/ufw/applications.d/
  applications() []ufw.application
}

// Individual UFW rule
private ufw.rule @defaults("action direction port") {
  // Rule number (sequential across IPv4 and IPv6 rules; may differ from `ufw status numbered`)
  number int
  // Action (ALLOW, DENY, REJECT, LIMIT)
  action string
  // Direction (IN, OUT, FWD)
  direction string
  // Protocol (tcp, udp, any)
  protocol string
  // Port or port range (e.g., "22", "6000:6007", "any")
  port string
  // Network interface (e.g., "eth0"), empty if not specified
  interface string
  // Source address or subnet (e.g., "192.168.1.0/24", "Anywhere")
  from string
  // Destination address or subnet
  to string
  // Whether this is an IPv6 rule
  ipv6 bool
  // Raw rule text as reported by ufw
  raw string
}

// UFW application profile from /etc/ufw/applications.d/
private ufw.application @defaults("name ports") {
  // Profile name (e.g., "Nginx Full")
  name string
  // Short title describing the application
  title string
  // Description of the application
  description string
  // Port specification (e.g., "80/tcp", "80,443/tcp", "80,443/tcp|443/udp")
  ports string
}

// firewalld - Dynamic firewall manager (RHEL/CentOS/Fedora)
firewalld @defaults("status defaultZone") {
  // Whether firewalld is running ("running", "not running", "not installed")
  status() string
  // Default zone name (e.g., "public", "home", "dmz")
  defaultZone() string
  // All configured zones
  zones() []firewalld.zone
}

// firewalld zone configuration
private firewalld.zone @defaults("name target") {
  // Zone name (e.g., "public", "internal", "dmz")
  name string
  // Default target (default, ACCEPT, REJECT, DROP)
  target string
  // Whether ICMP block inversion is enabled
  icmpBlockInversion bool
  // Whether this zone is currently active (has bound interfaces or sources)
  active bool
  // Network interfaces bound to this zone
  interfaces []string
  // Source addresses/subnets bound to this zone
  sources []string
  // Allowed service names (e.g., "ssh", "http", "https")
  services []string
  // Allowed ports (e.g., "80/tcp", "443/tcp", "8080-8090/udp")
  ports []string
  // Whether masquerading is enabled
  masquerade bool
  // Port forwarding rules (e.g., "port=80:proto=tcp:toport=8080")
  forwardPorts []string
  // Source ports
  sourcePorts []string
  // ICMP types that are blocked
  icmpBlocks []string
  // Rich rules (expressive firewall rules)
  richRules []firewalld.richrule
  // Allowed protocols (e.g., "icmp", "ipv6-icmp")
  protocols []string
}

// firewalld rich rule
private firewalld.richrule @defaults("family rule") {
  // Address family ("ipv4" or "ipv6"), empty if not specified
  family string
  // Full rich rule string
  rule string
  // Source address/subnet, empty if not specified
  source string
  // Destination address/subnet, empty if not specified
  destination string
  // Action (accept, reject, drop, mark), empty if not specified
  action string
}

// fstab file and entries
fstab @defaults("path") {
  init(path? string)
  path string

  // fstab entries defined in this fstab file
  entries() []fstab.entry
}

// fstab entry for a device and its mount point
private fstab.entry @defaults("device mountpoint") {
  // Device referenced in the fstab, e.g., LABEL=rootfs
  device string
  // Mount point, e.g., '/'
  mountpoint string
  // File system type, e.g., ext4
  fstype string
  // Mount options, e.g., defaults (`man fstab` for details)
  options string
  // Dump frequency (0 for full backup or an integer above 0, incremental backup, copies all files new or modified since the last dump of a lower level)
  dump int
  // File system check order, e.g., 1
  fsck int
}

// GRUB bootloader configuration
grub.config @defaults("defaultsPath grubPath") {
  init(defaultsPath? string, grubPath? string)
  // Path to /etc/default/grub (key-value defaults)
  defaultsPath string
  // Path to grub.cfg (generated configuration)
  grubPath string
  // Configuration parameters from /etc/default/grub (e.g., GRUB_TIMEOUT, GRUB_CMDLINE_LINUX)
  params() map[string]string
  // Menu entries defined in grub.cfg
  entries() []grub.config.entry
  // Whether GRUB password protection is enabled (superusers + password_pbkdf2)
  passwordProtected() bool
}

// GRUB menu entry
private grub.config.entry @defaults("title") {
  // Menu entry title
  title string
  // Kernel command line (linux/linux16/linuxefi line)
  cmdline string
  // Initrd path (initrd/initrd16/initrdefi line)
  initrd string
  // Whether this is a submenu
  isSubmenu bool
}

// FreeBSD rc.conf system configuration via sysrc
sysrc @defaults("files") {
  init(path? string)
  // List of rc.conf files that make up the configuration
  files() []file
  // Raw contents of all rc.conf files
  content(files) string
  // Parsed key-value entries from all rc.conf files
  entries(files) []sysrc.entry
}

// Single rc.conf variable entry
private sysrc.entry @defaults("name value") {
  // Variable name
  name string
  // Variable value
  value string
  // File where this entry is defined
  file string
}

// Process on this system
process @defaults("executable pid state") {
  init(pid int)
  // PID (process ID)
  pid int
  // State of the process (i.e., sleeping, running, etc)
  state() string
  // Executable that is running this process
  executable() string
  // Full command used to run this process
  command() string
  // Map of additional flags
  flags() map[string]string
}

// Processes available on this system
processes {
  []process
}

// TCP/IP port on the system
port @defaults("port protocol address process.executable") {
  // Protocol of this port
  protocol string
  // Port number
  port int
  // Local address of this port
  address string
  // User configured for this port
  user user
  // Process that is connected to this port
  process() process
  // State of this open port
  state string
  // Remote address connected to this port
  remoteAddress string
  // Remote port connected to this port
  remotePort int
  // TLS on this port, if it is available
  tls(address, port, protocol) network.tls
}

// TCP/IP ports on the system
ports {
  []port
  // All listening ports
  listening() []port
}

// Windows audit policies
auditpol {
  []auditpol.entry
}

// Windows audit policy
auditpol.entry  @defaults("subcategory inclusionsetting exclusionsetting") {
  // Machine name
  machinename string
  // Policy target
  policytarget string
  // Subcategory
  subcategory string
  // Subcategory GUID
  subcategoryguid string
  // Inclusive setting
  inclusionsetting string
  // Exclusive settings
  exclusionsetting string
}

// Windows local security policy
secpol {
  // System access
  systemaccess() map[string]string
  // Event audit
  eventaudit() map[string]string
  // Registry values
  registryvalues() map[string]string
  // Privilege rights
  privilegerights() map[string][]string
}

// NTP service configuration
ntp.conf {
  init(path string)
  // File of the NTP service configuration
  file() file
  // Raw contents of the NTP service configuration
  content(file) string
  // List of settings for the NTP service
  settings(content) []string
  // List of servers for the NTP service
  servers(settings) []string
  // List of access control restrictions for the NTP service
  restrict(settings) []string
  // Additional information for clock drivers
  fudge(settings) []string
}

// rsyslog service configuration
rsyslog.conf {
  init(path string)
  // Path for the main rsyslog file and search
  path() string
  // Files that make up this rsyslog service configuration
  files(path) []file
  // Raw contents of this rsyslog service configuration
  content(files) string
  // List of settings for this rsyslog service
  settings(content) []string
}

// Shadow password suite configuration
logindefs {
  init(path string)
  // Current configuration file for resource
  file() file
  // Content of the configuration file
  content(file) string
  // Parsed logindef parameter
  params(content) map[string]string
}

// System resource limits configuration
limits {
  // List of files that make up the limits configuration
  files() []file
  // Parsed limits entries
  entries(files) []limits.entry
}

// Resource limit entry
private limits.entry @defaults("domain item") {
  // File where this entry is defined
  file file
  // Line number in the file
  lineNumber int
  // Domain (username, @groupname, *, %)
  domain string
  // Limit type (soft, hard, -)
  type string
  // Resource item (core, nofile, nproc, etc.)
  item string
  // Limit value
  value string
}

// Sudoers configuration
sudoers @defaults("files") {
  init(path? string)
  // List of files that make up the sudoers configuration
  files() []file
  // Raw contents of all sudoers files
  content(files) string
  // User permission specifications
  userSpecs(files) []sudoers.userSpec
  // Default settings
  defaults(files) []sudoers.default
  // Alias definitions (User_Alias, Host_Alias, Cmnd_Alias, Runas_Alias)
  aliases(files) []sudoers.alias
}

// Sudoers user specification (permission entry)
private sudoers.userSpec @defaults("users hosts commands") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Users or user aliases this rule applies to
  users []string
  // Hosts or host aliases this rule applies to
  hosts []string
  // RunAs users (users the command can be run as)
  runasUsers []string
  // RunAs groups (groups the command can be run as)
  runasGroups []string
  // Commands or command aliases
  commands []string
  // Tags applied to the command (NOPASSWD, SETENV, etc.)
  tags []string
}

// Sudoers default setting
private sudoers.default @defaults("parameter") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Raw Defaults line
  raw string
  // Scope: global, user, host, command, or runas
  scope string
  // Target (user/host/command/runas this applies to, if not global)
  target string
  // Parameter name (e.g., "env_reset", "secure_path")
  parameter string
  // Value (if parameter takes a value)
  value string
  // Operation: "=", "+=", or "-="
  operation string
  // Whether parameter is negated (starts with !)
  negated bool
}

// Sudoers alias definition
private sudoers.alias @defaults("type name") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Type: user, host, cmnd, or runas
  type string
  // Alias name (e.g., "ADMINS", "WEBSERVERS")
  name string
  // Values assigned to this alias
  members []string
}

// Unix list block devices
lsblk {
  []lsblk.entry
}

// Unix block device
lsblk.entry {
  // Device name
  name string
  // File system type
  fstype string
  // Label for the file system
  label string
  // UUID for the file system
  uuid string
  // Mount points for the device
  mountpoints  []string
}

// AppArmor mandatory access control status
apparmor @defaults("profiles") {
  // AppArmor status output version
  version() string
  // Loaded AppArmor profiles
  profiles() []apparmor.profile
  // Processes with AppArmor confinement
  processes() []apparmor.process
}

// AppArmor profile
private apparmor.profile @defaults("name mode") {
  // Profile name
  name string
  // Profile mode: enforce, complain, or unconfined
  mode string
}

// AppArmor confined process
private apparmor.process @defaults("pid profile status") {
  // Process executable path
  executable string
  // Profile applied to this process
  profile string
  // Process ID
  pid int
  // Confinement status (e.g., enforce)
  status string
}

// SELinux mandatory access control status
selinux @defaults("mode") {
  // Whether SELinux is installed on the system
  installed() bool
  // Current enforcement mode: enforcing, permissive, or disabled
  mode() string
  // Configured mode from /etc/selinux/config (persists across reboot)
  configMode() string
  // Active policy type (e.g., targeted, mls, minimum)
  policyType() string
  // Loaded SELinux booleans
  booleans() []selinux.boolean
  // Installed SELinux policy modules
  modules() []selinux.module
}

// SELinux boolean setting
private selinux.boolean @defaults("name value") {
  // Boolean name (e.g., httpd_can_network_connect)
  name string
  // Current runtime value
  value bool
}

// SELinux policy module
private selinux.module @defaults("name status") {
  // Module name
  name string
  // Module status (e.g., enabled, disabled)
  status string
  // Module priority
  priority int
}

// Kernel module configuration from modprobe.d
modprobe @defaults("blacklists installs") {
  init(path? string)
  // List of files that make up the modprobe configuration
  files() []file
  // Install directives (custom commands for loading modules)
  installs(files) []modprobe.install
  // Remove directives (custom commands for unloading modules)
  removes(files) []modprobe.remove
  // Blacklisted modules
  blacklists(files) []modprobe.blacklist
  // Module options and parameters
  options(files) []modprobe.option
  // Module aliases
  aliases(files) []modprobe.alias
  // Soft dependencies
  softdeps(files) []modprobe.softdep
}

// Install directive for module loading
private modprobe.install @defaults("module command") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Module name
  module string
  // Command to execute instead of default insmod
  command string
}

// Remove directive for module unloading
private modprobe.remove @defaults("module command") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Module name
  module string
  // Command to execute instead of default rmmod
  command string
}

// Blacklist directive
private modprobe.blacklist @defaults("module") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Module name that is blacklisted
  module string
}

// Module options and parameters
private modprobe.option @defaults("module") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Module name
  module string
  // Raw parameters string
  parameters string
  // Parsed parameters as key-value pairs
  params() map[string]string
}

// Module alias
private modprobe.alias @defaults("alias module") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Alias name (pattern or wildcard)
  alias string
  // Target module name
  module string
}

// Soft dependency
private modprobe.softdep @defaults("module") {
  // File where this entry is defined
  file string
  // Line number in the file
  lineNumber int
  // Module name
  module string
  // Modules to load before (pre: dependencies)
  pre []string
  // Modules to load after (post: dependencies)
  post []string
}

// Unix mounted file system
mount {
  []mount.point
}

// Unix mount point
mount.point @defaults("device path fstype") {
  init(path string)
  // Device
  device string
  // Path
  path string
  // File system type
  fstype string
  // Mount options
  options map[string]string
  // Whether the mount point is mounted
  mounted bool
  // Total size in bytes
  size() int
  // Used space in bytes
  used() int
  // Available space in bytes
  available() int
}

// Shadowed password file
shadow {
  []shadow.entry
}

// Shadowed password file entry
shadow.entry {
  // User
  user string
  // Password
  password string
  // Date of last password change
  lastchanged time
  // Minimum password age in days
  mindays int
  // Maximum password age in days
  maxdays int
  // Password warning period in days
  warndays int
  // Password inactivity period in days
  inactivedays int
  // Account expiration date
  expirydates string
  // Reserved field
  reserved string
}

// Yum package manager resource
yum {
  // Variables defined in Yum configuration files (/etc/yum.conf and all .repo files in the /etc/yum.repos.d/)
  vars() map[string]string
  // List of all configured Yum repositories
  repos() []yum.repo
}

// Yum repository resource
yum.repo {
  init(id string)
  // Repository ID
  id string
  // Human-readable repository name
  name string
  // Repository status
  status string
  // URL where the repodata directory of a repository is located
  baseurl []string
  // Indicator when the repository will expire
  expire string
  // Repository configuration file path
  file file
  // Repository revision
  revision string
  // Packages in repository
  pkgs string
  // File size of this repository
  size string
  // Mirrors for this repository
  mirrors string
  // Whether the repository is used as package source
  enabled() bool
}

// Windows registry key
registrykey @defaults("path") {
  init(path string)
  // Registry key path
  path string
  // Whether the property exists
  exists() bool
  // Deprecated; use `items` instead
  properties() map[string]string
  // Registry key items
  items() []registrykey.property
  // Registry key children
  children() []string
}

// Windows registry key property
registrykey.property @defaults("path name") {
  init(path string, name string)
  // Registry key path
  path string
  // Registry key name
  name string
  // Whether the property exists
  exists() bool
  // Deprecated; use `data` instead
  value() string
  // Registry key type
  type() string
  // Registry key data
  data() dict
}

// Container image
container.image @defaults("name") {
  // Image reference
  reference string
  // Fully-qualified reference name
  name string
  // Identifier of type-specific portion of the image reference
  identifier string
  // Identifier type: tag or digest
  identifierType string
  // Repository used for the container image
  repository() container.repository
}

// Container registry repository
container.repository {
  // Container registry repository name
  name string
  // URL scheme
  scheme string
  // Container registry repository URL
  fullName string
  // Container registry URL
  registry string
}

// Kubernetes kubelet configuration
kubelet {
  // Kubelet config file
  configFile file
  // Kubelet process
  process process
  // Combination of config file parameters and CLI parameters
  configuration() dict
}

// Python package details found on the operating system image
python {
  init(path? string)
  // Path to a specific site-packages location to exclusively scan (empty means scan default locations)
  path string

  // List of all discovered packages
  packages() []python.package

  // List of all packages that were specifically installed (i.e., not auto-installed as a dependency)
  toplevel() []python.package
}

// Python package information
python.package @defaults("name version") {
  init(path? string)
  // ID is the python.package unique identifier
  id string
  // Name of the package
  name string
  // File containing the package metadata
  file file
  // Version of the package
  version string
  // License of the package
  license string
  // Author of the package
  author string
  // Author email of the package
  authorEmail string
  // Short package description
  summary string
  // Required Python version (e.g., ">=3.6")
  requiresPython string
  // Project URLs by label (e.g., Homepage, Repository, Documentation)
  projectUrls map[string]string
  // Package URL
  purl string
  // Common Platform Enumeration (CPE) for the package
  cpes []core.cpe
  // List of packages depended on
  dependencies() []python.package
}

// npm packages
npm.packages {
  []npm.package

  init(path? string)

  // Deprecated: path to search for packages, use paths instead
  path string

  // Optional: list of paths searched for packages
  paths() []string

  // Root Package (may not exist)
  root() npm.package

  // List of direct dependencies
  directDependencies() []npm.package

  // Files used to determine the packages
  files() []pkgFileInfo

  // Scripts defined in package.json
  scripts() map[string]string
}

npm.package @defaults("name version purl") {
  // ID is the npm.package unique identifier
  id string
  // Name of the package
  name() string
  // Version of the package
  version() string
  // Package URL
  purl() string
  // Common Platform Enumeration (CPE) for the package
  cpes() []core.cpe
  // Package files
  files() []pkgFileInfo
}

// macOS specific resources
macos {
  // macOS computer name
  computerName() string
  // macOS user defaults
  userPreferences() map[string]dict
  // macOS user defaults for current host
  userHostPreferences() map[string]dict
  // macOS global account policies
  globalAccountPolicies() dict
  // System extensions
  systemExtensions() []macos.systemExtension
}

// macOS hardware overview
macos.hardware @defaults("machineName chipType physicalMemory serialNumber") {
  // Activation Lock security feature
  activationLockStatus string
  // Boot ROM (firmware) version identifier
  bootRomVersion string
  // Processor chip type (e.g., "Apple M1", "Apple M2", "Intel")
  chipType string
  // Specific model identifier (e.g., "MacBookPro18,3")
  machineModel string
  // User-friendly hardware name (e.g., "MacBook Pro")
  machineName string
  // Apple's model number for the device (e.g., "A2442")
  modelNumber string
  // Total number of processor cores
  numberProcessors string
  // Version of the OS bootloader
  osLoaderVersion string
  // Total RAM installed (e.g., "16 GB")
  physicalMemory string
  // Universally unique identifier for the hardware platform
  platformUUID string
  // Unique Device Identifier for MDM provisioning
  provisioningUDID string
  // Apple's unique serial number for the device
  serialNumber string
}

// macOS application layer firewall (ALF) service
macos.alf {
  // Whether the firewall service allows downloaded software to receive incoming connections
  allowDownloadSignedEnabled int
  // Whether the firewall service allows built-in software to receive incoming connections for signed software
  allowSignedEnabled int
  // Whether the firewall is unloaded
  firewallUnload int
  // Whether the firewall is enabled
  globalState int
  // Whether alf.log is used
  loggingEnabled int
  // Logging option flags (0=disabled, 1=detail, 2=brief, 3=throttled)
  loggingOption int
  // Whether the firewall service is in stealth mode
  stealthEnabled int
  // ALF version
  version string
  // Service exceptions
  exceptions []dict
  // Services explicitly allowed to perform networking
  explicitAuths []string
  // Applications with exceptions for network blocking
  applications []dict
}

// macOS application layer firewall
macos.firewall @defaults("enabled stealthEnabled") {
  // Whether the firewall is enabled
  enabled() bool
  // Whether block-all-incoming mode is active (globalState == 2)
  blockAllIncoming() bool
  // Whether stealth mode is enabled
  stealthEnabled() bool
  // Whether logging is enabled
  loggingEnabled() bool
  // Logging detail level: disabled (0), detail (1), brief (2), throttled (3)
  loggingDetail() string
  // Whether signed applications are automatically allowed
  allowSignedApps() bool
  // Whether downloaded signed applications are automatically allowed
  allowDownloadSignedApps() bool
  // ALF version
  version() string
  // Service exceptions
  exceptions() []dict
  // Services explicitly allowed to perform networking
  explicitAuths() []string
  // Applications with explicit firewall rules
  applications() []macos.firewall.app
}

// macOS firewall per-application rule
private macos.firewall.app @defaults("name state") {
  // Application path
  name string
  // Bundle ID
  bundleId string
  // Whether incoming connections are allowed (0=block, 1=allow)
  state int
}

// macOS FileVault full-disk encryption
macos.filevault @defaults("enabled status") {
  // Whether FileVault is enabled
  enabled() bool
  // FileVault status (On, Off, Encryption in progress, Decryption in progress)
  status() string
  // Whether a personal recovery key exists
  hasPersonalRecoveryKey() bool
  // Whether an institutional recovery key exists
  hasInstitutionalRecoveryKey() bool
  // Users that can unlock the FileVault encrypted drive
  users() []string
}

// macOS Gatekeeper application execution policy
macos.gatekeeper @defaults("enabled status") {
  // Whether Gatekeeper assessments are enabled
  enabled() bool
  // Gatekeeper assessment status (assessments enabled, assessments disabled)
  status() string
}

// macOS System Integrity Protection (SIP)
macos.sip @defaults("enabled status") {
  // Whether System Integrity Protection is enabled
  enabled() bool
  // SIP status message
  status() string
}

// macOS Time Machine
macos.timemachine {
  // macOS Time Machine preferences
  preferences() dict
}

// macOS machine settings
// Note: The resource requires at least admin privileges to run.
macos.systemsetup {
  // Current date
  date() string
  // Current time in 24-hour format
  time() string
  // Current time zone
  timeZone() string
  // Whether network time is on or off
  usingNetworkTime() string
  // Configured network time server
  networkTimeServer() string
  // Amount of idle time until the machine sleeps
  sleep() []string
  // Amount of idle time until the display sleeps
  displaySleep() string
  // Amount of idle time until the hard disk sleeps
  harddiskSleep() string
  // Whether wake on modem is on or off
  wakeOnModem() string
  // Whether wake on network access is on or off
  wakeOnNetworkAccess() string
  // Whether restart on power failure is on or off
  restartPowerFailure() string
  // Whether restart on freeze is on or off
  restartFreeze() string
  // Whether the power button can sleep the computer
  allowPowerButtonToSleepComputer() string
  // Whether remote login (SSH) is on or off
  remoteLogin() string
  // Whether remote Apple events are on or off
  remoteAppleEvents() string
  // Computer name
  computerName() string
  // Local subnet name
  localSubnetName() string
  // Current startup disk
  startupDisk() string
  // Number of seconds after which the computer will start up after a power failure
  waitForStartupAfterPowerFailure() string
  // Whether the keyboard is disabled when the X Serve enclosure lock is engaged
  disableKeyboardWhenEnclosureLockIsEngaged() string
}

// OpenBSM audit control configuration (used by macOS and other BSD systems)
openBSMAudit @defaults("path") {
  init(path? string)
  // Path to the audit_control file
  path string
  // File resource for the audit_control file
  file() file
  // Content of the audit_control file
  content(file) string
  // Parsed parameters from the audit_control file
  params(content) map[string]string
  // Directory where audit log files are stored
  dir(params) string
  // Audit event flags for attributable (user) events
  flags(params) []string
  // Minimum free space threshold (percentage) before audit warnings
  minfree(params) int
  // Audit event flags for non-attributable events
  naflags(params) []string
  // Audit policy settings
  policy(params) []string
  // Maximum size of individual audit log files
  filesz(params) string
  // Expiration criteria for audit logs
  expireAfter(params) string
  // Flags that superusers can set on their processes
  superuserSetSflagsMask(params) []string
  // Flags that superusers can clear on their processes
  superuserClearSflagsMask(params) []string
  // Flags that non-superusers can set on their processes
  memberSetSflagsMask(params) []string
  // Flags that non-superusers can clear on their processes
  memberClearSflagsMask(params) []string
}

// Windows-specific resource to get operating system details
windows {
  // A consolidated object of system and operating system properties
  // see https://learn.microsoft.com/en-us/dotnet/api/microsoft.powershell.commands.computerinfo?view=powershellsdk-1.1.0 for more information
  computerInfo() dict

  // Hotfixes installed on the computer
  hotfixes() []windows.hotfix

  // Information about Windows Server roles, role services, and features that are available for installation and installed on a specified server.
  serverFeatures() []windows.serverFeature

  // Information about optional features in a Windows image.
  optionalFeatures() []windows.optionalFeature
}

// macOS system extension
private macos.systemExtension @defaults("teamID identifier version state"){
  // Identifier of the system extension
  identifier string
  // System extension unique identifier
  uuid string
  // Version of the system extension
  version string
  // Categories of the system extension
  categories []string
  // State of the system extension
  state string
  // Whether the system extension is enabled
  enabled() bool
  // Whether the system extension is active
  active() bool
  // Team identifier of the system extension
  teamID string
  // Path to the system extension
  bundlePath string
  // Whether the system extension is MDM managed
  mdmManaged bool
}

// Safari browser resources (macOS only)
safari {
  // All installed Safari extensions
  extensions() []safari.extension
}

// Safari browser extension
private safari.extension @defaults("name version identifier") {
  // Extension bundle identifier
  identifier string
  // Extension name from Info.plist
  name string
  // Extension version
  version string
  // Extension description
  description string
  // Extension type (e.g., "web-extension", "extension", "content-blocker")
  extensionType string
  // Path to the extension bundle
  path string
  // Containing application path
  containerAppPath string
  // Containing application name
  containerAppName string
}

// macOS launchd job configurations
launchd {
  // All launchd jobs from system and user directories
  jobs() []launchd.job
}

// Individual launchd job configuration
private launchd.job @defaults("label type") {
  // Unique identifier for the job (from Label key)
  label string
  // Path to the plist file
  path string
  // Type: "daemon" or "agent"
  type string
  // Source: "system", "library", or "user"
  source string
  // Whether this job runs at load
  runAtLoad bool
  // The program to execute
  program string
  // Command arguments
  programArguments []string
  // Whether the job is disabled
  disabled bool
  // Keep alive configuration, normalized to: {"enabled": bool} for simple values,
  // {"enabled": true, "conditions": {...}} for conditional keep-alive, or null if not specified
  keepAlive dict
  // Working directory
  workingDirectory string
  // Environment variables
  environmentVariables map[string]string
  // User the job runs as
  userName string
  // Group the job runs as
  groupName string
  // Process type
  processType string
  // Interval between runs (seconds)
  startInterval int
  // Calendar-based schedule
  startCalendarInterval []dict
  // Socket configuration
  sockets dict
  // Mach services
  machServices dict
  // Watch paths that trigger the job
  watchPaths []string
  // Path to redirect stdout
  stdoutPath string
  // Path to redirect stderr
  stderrPath string
  // Directory to chroot to before launch
  rootDirectory string
  // The plist file resource
  file file
  // Full parsed plist content
  content dict
}

// Windows hotfix resource
windows.hotfix {
  init(hotfixId string)
  // Hotfix ID
  hotfixId string
  // Type of hotfix (e.g., Update or Security Update)
  description string
  // Reference to knowledge base
  caption string
  // Date when the hotfix was installed
  installedOn time
  // User that installed the hotfix
  installedBy string
}

// Windows Server feature resource
private windows.serverFeature @defaults("name") {
  init(name string)
  // Feature full path
  path string
  // Command IDs of role, role service, or feature
  name string
  // Feature name
  displayName string
  // Feature description
  description string
  // Whether the feature is installed
  installed bool
  // Feature installation state
  installState int
}

// Windows optional feature resource (desktop-only)
private windows.optionalFeature @defaults("name") {
  init(name string)
  // Command ID of optional feature
  name string
  // Feature name
  displayName string
  // Feature description
  description string
  // Whether the feature is enabled
  enabled bool
  // Feature installation state
  state int
}

// Windows Firewall resource
windows.firewall {
  // Global firewall settings
  settings() dict
  // Settings that apply to the per-profile configurations of the Windows Firewall with Advanced Security
  profiles() []windows.firewall.profile
  // Firewall rules
  rules() []windows.firewall.rule
}

// Windows Firewall profile entry
// https://learn.microsoft.com/en-us/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile
windows.firewall.profile {
  instanceID string
  // Name of the profile
  name string
  // Whether the firewall is enabled on this profile
  enabled int
  // Default action for inbound traffic
  defaultInboundAction int
  // Default action for outbound traffic
  defaultOutboundAction int
  // Whether administrators can create firewall rules that allow unsolicited inbound traffic (if 0, such rules are ignored)
  allowInboundRules int
  // Whether local firewall rules should merge into the effective policy along with group policy settings
  allowLocalFirewallRules int
  // Whether local IPsec rules should merge into the effective policy along with rules from group policy
  allowLocalIPsecRules int
  // Whether to respect user allowed applications created in the legacy firewall
  allowUserApps int
  // Whether to respect globally opened ports created in the legacy firewall
  allowUserPorts int
  // Whether to allow unicast responses to multicast traffic
  allowUnicastResponseToMulticast int
  // Whether to notify users when an application listens on a port that is closed
  notifyOnListen int
  // Whether to use stealth mode for IPsec-protected traffic
  enableStealthModeForIPsec int
  // Maximum size the log file can reach before being rotated
  logMaxSizeKilobytes int
  // Whether to log allowed packets
  logAllowed int
  // Whether to log blocked traffic
  logBlocked int
  // Whether to log an event when rules are ignored
  logIgnored int
  // Filename in which to store the firewall log
  logFileName string
}

// Windows Firewall rule entry
// https://learn.microsoft.com/en-us/previous-versions/windows/desktop/wfascimprov/msft-netfirewallrule
windows.firewall.rule {
  // A string that uniquely identifies this instance within the policy store
  instanceID string
  // Name of the rule
  name string
  // Localized name of this rule
  displayName string
  // Brief description of the rule
  description string
  // The group that this rule belongs to
  displayGroup string
  // Whether this rule is administratively enabled or disabled
  // Values: enabled (1), disabled (2)
  enabled int
  // Specifies which direction of traffic to match with this rule
  // Values: inbound (1), outbound (2)
  direction int
  // Specifies the action to take on traffic that matches this rule
  action int
  // Specifies how this firewall rule will handle edge traversal cases
  // Values: block (0), allow (1), defer to user (2), defer to app (3)
  edgeTraversalPolicy int
  // Whether to group UDP packets into conversations based on the local address, local port, and remote port
  looseSourceMapping bool
  // Whether to group UDP packets into conversations based only on the local address and port
  localOnlyMapping bool
  // PrimaryStatus provides a high level status value
  // Values: unknown (0), OK (1), degraded (2), error (3)
  primaryStatus int
  // Detailed status of the rule
  status string
  // Whether this object is retrieved from the ActiveStore
  enforcementStatus string
  // Contains the path to the policy store where this rule originally came from
  policyStoreSource string
  // Describes the type of policy store where this rule originally came from
  policyStoreSourceType int
}

// Windows BitLocker
windows.bitlocker {
  // Windows BitLocker volumes
  volumes() []windows.bitlocker.volume
}

// Windows BitLocker volume
windows.bitlocker.volume {
  // Unique identifier for the volume
  deviceID string
  // Drive letter of the volume
  driveLetter string
  // Status of the encryption or decryption on the volume
  conversionStatus dict
  // Encryption algorithm and key size used on the volume
  encryptionMethod dict
  // Whether the contents of the volume are accessible from Windows
  // 0 = Full contents of the volume are accessible
  // 1 = All or a portion of the contents of the volume are not accessible
  lockStatus int
  // Persistent identifier for the volume on this system
  persistentVolumeID string
  // Status of the volume, whether or not BitLocker is protecting the volume
  // 0 = Protection off
  // 1 = Protection on
  // 2 = Protection unknown
  protectionStatus dict
  // BitLocker Full Volume Encryption metadata version of the volume
  version dict
}

// Windows security products (antivirus, anti-spyware, firewall, etc.)
windows.security {
  products() []windows.security.product
}

// Private Windows security product
private windows.security.product {
  // Type of product
  type string
  // Product GUID
  guid string
  // Product name
  name string
  // Product state
  state int
  // Product state
  productState string
  // Signature state
  signatureState string
  // Time stamp
  timestamp time
}

// Health of the Windows security provider
windows.security.health {
  // Windows Firewall status and configuration
  firewall dict
  // Windows Update automatic update settings
  autoUpdate dict
  // Installed antivirus software status and details
  antiVirus dict
  // Anti-spyware protection status and details
  antiSpyware dict
  // Internet settings information
  internetSettings dict
  // User Account Control (UAC) configuration
  uac dict
  // Windows Security Center service status
  securityCenterService dict
}

// Details about an asset in the cloud
cloud @defaults("provider") {
  // Cloud provider (e.g. aws, azure, gcp)
  provider() string
  // Cloud instance metadata
  instance() cloudInstance
}

// Cloud instance metadata
private cloudInstance @defaults("publicHostname privateHostname") {
  // Cloud instance public hostname
  publicHostname() string
  // List of public IPv4 addresses
  publicIpv4() []ipAddress
  // Cloud instance private hostname
  privateHostname() string
  // List of private IPv4 addresses
  privateIpv4() []ipAddress
  // Raw access to the cloud instance metadata
  metadata() dict
}

// IP address (v4 or v6) with additional networking details
ipAddress @defaults("ip") {
  // Unique number that identifies a device on a network (e.g. 172.31.24.71 or 2001:0:2851:782c:869:1f7d:a331:f3e1)
  ip ip
  // Logical subdivision of a network (e.g. 172.31.16.0/20 or 2001:db8::/64)
  subnet ip
  // Classless Inter-Domain Routing notation (e.g. 172.31.24.71/20 or 2001:0:2851:782c:869:1f7d:a331:f3e1/64)
  cidr ip
  // Network address used to transmit to all devices connected to a network
  broadcast ip
  // IP address that acts as the entry point to another, or external, network
  gateway ip
}

// Network information on this system
network {
  // Network interfaces
  interfaces() []networkInterface

  // Routes
  routes() networkRoutes

  // All IPv4 addresses detected on host interfaces
  ipv4() []ip

  // All IPv6 addresses detected on host interfaces
  ipv6() []ip

  // Primary IPv4 address determined by the default route
  primaryIPv4() ip

  // Primary IPv6 address determined by the default route
  primaryIPv6() ip
}

// Detailed information of a network interface
private networkInterface @defaults("name mac active") {
  // Name of the network interface
  name string
  // Unique 12-digit hexadecimal identifier assigned by the manufacturer
  mac string
  // Company that manufactures the network interface
  vendor string
  // List of IP addresses assigned to the network interface (v4 and v6)
  ips []ipAddress
  // Maximum transmission unit
  mtu int
  // Information about an interface's status and capabilities
  flags []string
  // Status of the network interface
  active bool
  // Whether a network interface is virtual of not
  virtual bool
}

// Collection of routing table entries on the system.
private networkRoutes {
  []networkRoute
  // Default routes found on the machine
  defaults() []networkRoute
}

// Network route information
private networkRoute @defaults("destination flags"){
  // Destination network or destination subnet for this route
  destination string
  // Gateway IP address for this route
  gateway string
  // Flags that describe route properties (e.g., 'UG' for up/gateway)
  flags []string
  // Network interface this route applies to
  iface() networkInterface
}

// Chrome browser resources
chrome {
  // All installed Chrome extensions across all profiles and users
  extensions() []chrome.extension
}

// Chrome browser extension
private chrome.extension @defaults("name version identifier browser") {
  // Unique extension identifier (32-character string)
  identifier string
  // Extension name from manifest
  name string
  // Extension version from manifest
  version string
  // Extension description from manifest
  description string
  // Chrome extension manifest version (2 or 3)
  manifestVersion int
  // Permissions requested by the extension
  permissions []string
  // Path to the extension directory
  path string
  // Chrome profile name where extension is installed
  profile string
  // Browser name (e.g., "Google Chrome", "Chromium", "Google Chrome Beta")
  browser string
}

// Firefox browser resources
firefox {
  // All installed Firefox addons across all profiles and users
  addons() []firefox.addon
}

// Firefox browser addon
private firefox.addon @defaults("name version active browser") {
  // Unique addon identifier (e.g., "{uuid}" or "addon@example.com")
  identifier string
  // Addon name
  name string
  // Addon version
  version string
  // Addon description
  description string
  // Addon type (extension, theme, locale, dictionary, etc.)
  type string
  // Whether the addon is currently active
  active bool
  // Whether the addon is disabled by user
  userDisabled bool
  // Whether the addon is visible in the addon manager
  visible bool
  // Path to the addon (can be XPI file or directory)
  path string
  // Firefox profile where addon is installed
  profile string
  // Browser name (e.g., "Firefox", "Firefox Developer Edition", "LibreWolf")
  browser string
  // Source URI from where addon was installed
  sourceUri string
  // Install date as Unix timestamp (milliseconds)
  installDate int
  // Last update date as Unix timestamp (milliseconds)
  updateDate int
}

// Experimental: USB resource
usb {
  // List of USB devices
  devices() []usb.device
}

// Experimental: USB device
private usb.device @defaults("manufacturer name") {
  // USB device vendor id
  vendorId string
  // USB manufacturer
  manufacturer string
  // USB device product id
  productId string
  // USB device serial number
  serial string
  // USB device name
  name string
  // USB device version
  version string
  // USB speed
  speed string
  // USB device class
  class string
  // USB device class name
  className string
  // USB device subclass
  subclass string
  // Protocol
  protocol string
  // Removable device
  isRemovable bool
}

// Crontab entries on the system
crontab {
  // All cron entries from system and user crontabs
  entries() []crontab.entry
  // Files that contain crontab entries
  files() []file
}

// Individual crontab entry
private crontab.entry @defaults("user command") {
  // Line number in the source file
  lineNumber int
  // Minute field (0-59, *, or cron expression)
  minute string
  // Hour field (0-23, *, or cron expression)
  hour string
  // Day of month field (1-31, *, or cron expression)
  dayOfMonth string
  // Month field (1-12, *, or cron expression)
  month string
  // Day of week field (0-7, *, or cron expression)
  dayOfWeek string
  // User that runs the command
  user string
  // Command to execute
  command string
  // File containing this entry
  file file
}

// Visual Studio Code editor resources
vscode {
  // All installed VS Code extensions across all users
  extensions() []vscode.extension
  // Paths searched for VS Code extensions
  paths() []string
}

// Visual Studio Code extension
private vscode.extension @defaults("editor name version") {
  // Unique extension identifier (publisher.name format)
  identifier string
  // Extension name from package.json
  name string
  // Extension display name from package.json
  displayName string
  // Extension version from package.json
  version string
  // Extension description from package.json
  description string
  // Extension publisher from package.json
  publisher string
  // Editor application (e.g., Visual Studio Code, Cursor, Windsurf)
  editor string
  // Path to the extension directory
  path string
  // VS Code engine version compatibility
  vscodeVersion string
  // Extension categories
  categories []string
}

// Logrotate configuration
logrotate {
  // List of configuration files (main + logrotate.d fragments)
  files() []file
  // Global directives (outside any file block)
  globalConfig(files) map[string]string
  // Per-file/glob rotation entries
  entries(files) []logrotate.entry
}

// Logrotate configuration entry for a specific log path
private logrotate.entry @defaults("path") {
  // Configuration file where this entry is defined
  file file
  // Line number in the configuration file
  lineNumber int
  // Log file path or glob pattern
  path string
  // All directives in this block as key-value pairs
  config map[string]string
}

// Linux software RAID arrays (mdadm)
mdadm @defaults("arrays") {
  // List of all discovered RAID arrays
  arrays() []mdadm.array
}

// Linux software RAID array
private mdadm.array @defaults("name level state") {
  // Device name (e.g., /dev/md0)
  name string
  // RAID level (e.g., raid0, raid1, raid5, raid6, raid10, linear)
  level string
  // Array state (e.g., clean, active, degraded, inactive)
  state string
  // Number of active devices in the array
  activeDevices int
  // Number of working devices in the array
  workingDevices int
  // Number of failed devices in the array
  failedDevices int
  // Number of spare devices in the array
  spareDevices int
  // Total size of the array in KiB
  size int
  // UUID of the array
  uuid string
  // Rebuild/resync progress percentage (0-100, -1 if not rebuilding)
  resyncProgress float
  // Member devices in the array
  devices() []mdadm.device
}

// Member device in a software RAID array
private mdadm.device @defaults("name state") {
  // Device path (e.g., /dev/sda1)
  name string
  // Role number in the array
  role int
  // Device state (e.g., active sync, spare, faulty)
  state string
}

// ZFS storage pool and dataset management
zfs @defaults("pools") {
  // ZFS version string
  version() string
  // ZFS storage pools
  pools() []zfs.pool
  // All ZFS datasets (filesystems, volumes, snapshots, bookmarks)
  datasets() []zfs.dataset
}

// ZFS storage pool
zfs.pool @defaults("name health sizeBytes") {
  init(name string)
  // Pool name
  name string
  // Pool GUID
  guid string
  // Health status (ONLINE, DEGRADED, FAULTED, OFFLINE, REMOVED, UNAVAIL)
  health string
  // Total size in bytes
  sizeBytes int
  // Allocated space in bytes
  allocatedBytes int
  // Free space in bytes
  freeBytes int
  // Fragmentation percentage
  fragmentation int
  // Percentage of pool space used (0-100)
  percentUsed int
  // Deduplication ratio
  dedupratio float
  // Whether the pool is read-only
  readonly bool
  // Whether auto-expand is enabled
  autoexpand bool
  // Whether auto-replace is enabled
  autoreplace bool
  // Whether auto-trim is enabled
  autotrim bool
  // Top-level virtual device groups (mirrors, raidz, etc.)
  vdevs() []zfs.pool.vdev
  // All pool properties (lazy-loaded via zpool get all)
  properties() map[string]string
}

// ZFS virtual device (vdev) in a pool's topology
zfs.pool.vdev @defaults("name type state numDevices") {
  // Vdev name (e.g., "raidz2-0", "mirror-0", "sda")
  name string
  // Vdev type (mirror, raidz, raidz2, raidz3, disk, file, draid, etc.)
  type string
  // Vdev state (ONLINE, DEGRADED, FAULTED, OFFLINE, REMOVED, UNAVAIL)
  state string
  // Device path (for leaf vdevs, empty for groups)
  path string
  // Read error count
  readErrors int
  // Write error count
  writeErrors int
  // Checksum error count
  checksumErrors int
  // Slow I/O count
  slowIos int
  // Number of child devices
  numDevices int
  // Child vdevs/devices
  devices []zfs.pool.vdev
}

// ZFS dataset (filesystem, volume, snapshot, or bookmark)
zfs.dataset @defaults("name type usedBytes") {
  init(name string)
  // Full dataset name (pool/path or pool/path@snap)
  name string
  // Dataset type (filesystem, volume, snapshot, bookmark)
  type string
  // Used space in bytes
  usedBytes int
  // Available space in bytes
  availableBytes int
  // Referenced space in bytes
  referencedBytes int
  // Mount point (empty for volumes/snapshots)
  mountpoint string
  // Compression algorithm (off, lz4, gzip, zstd, etc.)
  compression string
  // Compression ratio
  compressratio float
  // Whether the dataset is currently mounted
  mounted bool
  // Record size in bytes
  recordsizeBytes int
  // Quota in bytes (0 = none)
  quotaBytes int
  // Reservation in bytes (0 = none)
  reservationBytes int
  // Origin snapshot (for clones, empty otherwise)
  origin string
  // Creation time
  creation time
  // Encryption algorithm (off, aes-256-gcm, etc.)
  encryption string
  // All dataset properties (lazy-loaded via zfs get all)
  properties() map[string]string
  // Snapshots of this dataset
  snapshots() []zfs.dataset
}