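---
# HIPAA compliance mode worker configuration.
# Strict validation, no network, PHI protection.
#
# NOTE(review): this file was recovered from a single collapsed line; the
# nesting below (which keys sit under `sandbox:`) is reconstructed from the
# section comments. Verify it against the worker's config schema.

host: localhost
port: 22
user: hipaa-worker
base_path: /var/lib/fetchml/secure
train_script: train.py

# Redis configuration. The password must come from the environment and must
# never be written into this file.
# NOTE(review): redis:// is an unencrypted transport. If this Redis instance
# is reached over anything but a trusted private network, confirm whether a
# TLS endpoint (rediss://) is required for this deployment.
redis_url: redis://redis:6379
# Quoted so the placeholder always stays a string, whatever it expands to.
redis_password: '${REDIS_PASSWORD}'

# HIPAA mode - strict compliance.
compliance_mode: hipaa
max_workers: 1

# Sandbox settings (strict isolation required by HIPAA).
sandbox:
  # Network must be disabled for HIPAA compliance.
  network_mode: none
  # Seccomp profile must be set.
  seccomp_profile: default-hardened
  # No new privileges must be enforced.
  no_new_privileges: true
  # Only approved secrets allowed (no PHI fields).
  # NOTE(review): every entry below is a credential for an external service,
  # while network_mode is `none`. Confirm each one is needed inside the
  # sandbox and drop the ones that are not (least privilege).
  allowed_secrets:
    - HF_TOKEN
    - WANDB_API_KEY
    - AWS_ACCESS_KEY_ID
    - AWS_SECRET_ACCESS_KEY
  # PHI fields are EXPLICITLY DENIED:
  # - PATIENT_ID
  # - SSN
  # - MEDICAL_RECORD_NUMBER
  # - DIAGNOSIS_CODE
  # - DOB
  # - INSURANCE_ID
  # NOTE(review): the list above is a comment only; nothing in this file
  # enforces it. Confirm the denial is implemented by the config validator.

# GPU configuration.
gpu_vendor: none

# Artifact handling (strict limits for HIPAA).
max_artifact_files: 100
max_artifact_total_bytes: 104857600  # 100 MiB (100 * 1024 * 1024)

# Provenance (strictly required for HIPAA).
provenance_best_effort: false

# SSH key path must come from an environment variable.
ssh_key: '${SSH_KEY_PATH}'

# Config hash computation enabled (required for audit).
# This is automatically computed by Validate().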