"""Constants for AYN Antivirus.

Module-level defaults and detection lists shared by the scanner, the
quarantine store and the dashboard.  Everything here is a plain literal;
how each list is matched (exact vs. substring, case handling) is decided
by the consumer, not here, so the inline notes hedge where that matters.
"""

import os

# --- Default Paths ---
# Candidate config locations, system-wide first, then a per-user file.
# Which one wins when both exist is decided by the loader -- confirm there.
DEFAULT_CONFIG_PATHS: list[str] = [
    "/etc/ayn-antivirus/config.yaml",
    os.path.expanduser("~/.ayn-antivirus/config.yaml"),
]
# Scanning starts at the filesystem root by default; unless the scanner
# excludes pseudo-filesystems (/proc, /sys, /dev) a full run is long.
DEFAULT_SCAN_PATH: str = "/"
DEFAULT_QUARANTINE_PATH: str = "/var/lib/ayn-antivirus/quarantine"
DEFAULT_DB_PATH: str = "/var/lib/ayn-antivirus/signatures.db"
# NOTE: carries a trailing slash while the other paths do not; code that
# joins onto it should tolerate both forms.
DEFAULT_LOG_PATH: str = "/var/log/ayn-antivirus/"
# Bundled YARA rules, resolved relative to this module so the package works
# from any install prefix.
DEFAULT_YARA_RULES_DIR: str = os.path.join(os.path.dirname(__file__), "signatures", "yara_rules")
# Key material for the quarantine store.  The dotfile name hides nothing
# from an attacker with read access; whatever creates this file should set
# owner-only permissions -- confirm in the quarantine module.
QUARANTINE_ENCRYPTION_KEY_FILE: str = "/var/lib/ayn-antivirus/.quarantine.key"

# --- Database ---
# Bump when the signature DB layout changes so an older database can be
# recognised and migrated instead of misread.
DB_SCHEMA_VERSION: int = 1

# --- Scan Limits ---
SCAN_CHUNK_SIZE: int = 65536  # 64 KB
# Presumably files above this size are skipped rather than scanned -- confirm
# in the scanner.  A size-based skip is a detection gap; it should at least
# be logged so the blind spot is visible in reports.
MAX_FILE_SIZE: int = 100 * 1024 * 1024  # 100 MB
HIGH_CPU_THRESHOLD: int = 80  # percent

# --- Suspicious File Extensions ---
# Heuristic only: script and executable extensions.  On developer or admin
# hosts most hits are benign, so treat a match as a prioritisation hint,
# not a verdict.
SUSPICIOUS_EXTENSIONS: list[str] = [
    ".php",
    ".sh",
    ".py",
    ".pl",
    ".rb",
    ".js",
    ".exe",
    ".elf",
    ".bin",
    ".so",
    ".dll",
]

# --- Crypto Miner Process Names ---
# Known miner binaries/algorithms.  Short entries such as "t-rex" or
# "randomx" will match broadly if the consumer does substring matching;
# a renamed binary will not match at all, so pair this with CPU/network
# checks rather than relying on it alone.
CRYPTO_MINER_PROCESS_NAMES: list[str] = [
    "xmrig",
    "minerd",
    "cpuminer",
    "ethminer",
    "claymore",
    "phoenixminer",
    "nbminer",
    "t-rex",
    "gminer",
    "lolminer",
    "bfgminer",
    "cgminer",
    "ccminer",
    "nicehash",
    "excavator",
    "nanominer",
    "teamredminer",
    "wildrig",
    "srbminer",
    "xmr-stak",
    "randomx",
    "cryptonight",
]

# --- Crypto Pool Domains ---
# Public mining-pool domains.  Whether subdomains (e.g. a regional prefix)
# are covered depends on how the consumer compares hostnames -- confirm it
# matches on suffix, not equality, or most pool traffic will be missed.
CRYPTO_POOL_DOMAINS: list[str] = [
    "pool.minergate.com",
    "xmrpool.eu",
    "nanopool.org",
    "mining.pool.observer",
    "supportxmr.com",
    "pool.hashvault.pro",
    "moneroocean.stream",
    "minexmr.com",
    "herominers.com",
    "2miners.com",
    "f2pool.com",
    "ethermine.org",
    "unmineable.com",
    "nicehash.com",
    "prohashing.com",
    "zpool.ca",
    "miningpoolhub.com",
]

# --- Suspicious Mining Ports ---
# Ports commonly used by stratum pools.  Several are also common for
# ordinary services, so a port hit on its own is weak evidence.
# NOTE: 7777 is also DEFAULT_DASHBOARD_PORT below, so the product's own
# dashboard listener will trip this list unless the consumer exempts it.
SUSPICIOUS_PORTS: list[int] = [
    3333,
    4444,
    5555,
    7777,
    8888,
    9999,
    14433,
    14444,
    45560,
    45700,
]

# --- Known Rootkit Files ---
# Path-presence indicators.  Mere existence is the signal; the scanner
# cannot distinguish a planted file from an unusual-but-legitimate one, so
# a hit here should be verified (owner, hash, package ownership) before
# any automatic quarantine.
KNOWN_ROOTKIT_FILES: list[str] = [
    "/usr/lib/libproc.so",
    "/usr/lib/libext-2.so",
    "/usr/lib/libns2.so",
    "/usr/lib/libpam.so.1",
    "/dev/shm/.x",
    "/dev/shm/.r",
    "/tmp/.ICE-unix/.x",
    "/tmp/.X11-unix/.x",
    "/usr/bin/sourcemask",
    "/usr/bin/sshd2",
    "/usr/sbin/xntpd",
    "/etc/cron.d/.hidden",
    "/var/tmp/.bash_history",
]

# --- Suspicious Cron Patterns ---
# Regular expressions applied to cron entries (raw strings; compile once
# in the consumer).  The last two -- "nohup ... &" and "/dev/null 2>&1" --
# appear in a great many legitimate cron lines, so expect false positives
# from them.  The base64 pattern only matches the long-form "--decode"
# flag.  None of the patterns is anchored, so they match anywhere in the
# line.
SUSPICIOUS_CRON_PATTERNS: list[str] = [
    r"curl\s+.*\|\s*sh",
    r"wget\s+.*\|\s*sh",
    r"curl\s+.*\|\s*bash",
    r"wget\s+.*\|\s*bash",
    r"/dev/tcp/",
    r"base64\s+--decode",
    r"xmrig",
    r"minerd",
    r"cryptonight",
    r"\bcurl\b.*-o\s*/tmp/",
    r"\bwget\b.*-O\s*/tmp/",
    r"nohup\s+.*&",
    r"/dev/null\s+2>&1",
]

# --- Malicious Environment Variables ---
# Environment variables that are frequently abused for persistence or
# history hiding; none is malicious by itself (LD_LIBRARY_PATH, ENV and
# CDPATH are routinely set legitimately), so context is needed.
# NOTE: the entries are mixed in form -- "HISTFILE=/dev/null" is a
# name=value pair while the rest are bare names.  A consumer that compares
# against variable names only will never match the HISTFILE entry, and
# one that searches raw "NAME=value" text will match the bare names as
# substrings; confirm which is intended.
MALICIOUS_ENV_VARS: list[str] = [
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "LD_AUDIT",
    "LD_DEBUG",
    "HISTFILE=/dev/null",
    "PROMPT_COMMAND",
    "BASH_ENV",
    "ENV",
    "CDPATH",
]

# ── Dashboard ──────────────────────────────────────────────────────────
# Binds on every interface by default, so the dashboard is reachable from
# the network as soon as it starts; "127.0.0.1" is the safer default unless
# remote access is explicitly required and fronted by TLS.
DEFAULT_DASHBOARD_HOST: str = "0.0.0.0"
# NOTE: 7777 is listed in SUSPICIOUS_PORTS above (see the note there).
DEFAULT_DASHBOARD_PORT: int = 7777
DEFAULT_DASHBOARD_DB_PATH: str = "/var/lib/ayn-antivirus/dashboard.db"
DASHBOARD_COLLECTOR_INTERVAL: int = 10  # seconds between metric samples
DASHBOARD_REFRESH_INTERVAL: int = 30  # JS auto-refresh seconds
DASHBOARD_MAX_THREATS_DISPLAY: int = 50
DASHBOARD_MAX_LOG_LINES: int = 20
DASHBOARD_SCAN_HISTORY_DAYS: int = 30
DASHBOARD_METRIC_RETENTION_HOURS: int = 168  # 7 days

# Dashboard authentication
# These are hard-coded default credentials shipped in source, i.e. known to
# anyone who reads this file.  Combined with the 0.0.0.0 bind above, an
# install that never changes them exposes the dashboard to any network
# peer.  The dashboard should refuse to start, or force a password change,
# while the password still equals this default -- confirm whether it does.
DEFAULT_DASHBOARD_USERNAME: str = "admin"
DEFAULT_DASHBOARD_PASSWORD: str = "ayn@2024"