{
  "version": "1.0.0",
  "skill": "node-hardening",
  "description": "Safe-by-default hardening: UFW + SSH + fail2ban + auditd",
  "parameters": {
    "required": [],
    "optional": {
      "NODE_NAME": "node-a",
      "SSH_PORT": 22,
      "ALLOW_HTTP": true,
      "ALLOW_HTTPS": true,
      "ALLOW_ICMP": false,
      "DRY_RUN": 1,
      "REQUIRE_CONFIRM": 1,
      "CONFIRM_PHRASE": "I UNDERSTAND THIS CAN LOCK ME OUT",
      "BACKUP_DIR": "outputs/backups",
      "FAIL2BAN_ENABLE": true,
      "AUDITD_ENABLE": true
    }
  },
  "phases": {
    "preflight": ["00_preflight.sh"],
    "ufw": {
      "plan": ["10_ufw_plan.sh"],
      "apply": ["11_ufw_apply.sh"],
      "rollback": ["rollback/undo_ufw.sh"]
    },
    "ssh": {
      "plan": ["20_ssh_plan.sh"],
      "apply": ["21_ssh_apply.sh"],
      "rollback": ["rollback/undo_ssh.sh", "rollback/emergency_restore.sh"]
    },
    "fail2ban": ["30_fail2ban_setup.sh"],
    "auditd": ["40_auditd_setup.sh"],
    "verify": ["90_verify.sh"],
    "report": ["99_report.sh"]
  },
  "checks": {
    "ufw": ["check_ufw.sh"],
    "ssh": ["check_ssh.sh"],
    "fail2ban": ["check_fail2ban.sh"],
    "auditd": ["check_auditd.sh"]
  },
  "rollback_order": [
    "emergency_restore.sh",
    "undo_ssh.sh",
    "undo_ufw.sh"
  ],
  "eu_compliance": {
    "data_residency": "EU",
    "jurisdiction": "Ireland",
    "gdpr_applicable": true
  }
}