# Turnstone pattern library — named regex patterns for log tagging at ingest time.
# Each matched pattern name is stored on RetrievedEntry.matched_patterns and
# used to boost retrieval relevance for diagnostic queries.
#
# Add domain-specific patterns here. Patterns are applied in order; multiple
# can match a single entry.

patterns:
  - name: service_restart
    pattern: "(restarting|restart requested|service.*start)"
    severity: WARN
    description: Service restart detected

  - name: connection_lost
    pattern: "(connection (lost|dropped|refused|timed? out)|disconnect(ed)?)"
    severity: ERROR
    description: Network or device connection failure

  - name: auth_failure
    pattern: "(auth(entication)? (failed?|error|denied)|permission denied|unauthorized)"
    severity: ERROR
    description: Authentication or authorization failure

  - name: oom
    pattern: "(out of memory|OOM|killed process|cannot allocate)"
    severity: CRITICAL
    description: Out-of-memory condition

  - name: segfault
    pattern: "(segmentation fault|segfault|SIGSEGV|core dump)"
    severity: CRITICAL
    description: Process crash or memory corruption

  - name: disk_full
    pattern: "(no space left|disk full|filesystem.*full|ENOSPC)"
    severity: ERROR
    description: Storage capacity exhausted

  - name: timeout
    pattern: "(timed? out|deadline exceeded|operation timed?)"
    severity: WARN
    description: Operation timeout

  - name: caddy_tls_error
    pattern: "(acme|certificate|tls).*(error|fail|invalid|expired|renew)"
    severity: ERROR
    description: Caddy TLS or certificate error

  - name: caddy_config_error
    pattern: "(config|caddyfile|directive).*(error|invalid|unknown|unrecognized)"
    severity: ERROR
    description: Caddy configuration error

  - name: caddy_auth_error
    pattern: "(forward_auth|basicauth|basic_auth).*(error|fail|denied|invalid|unreachable)"
    severity: ERROR
    description: Caddy authentication middleware failure

  - name: caddy_upstream_error
    pattern: "(upstream|backend|reverse.proxy).*(error|fail|unreachable|refused|timeout)"
    severity: ERROR
    description: Caddy upstream/backend failure

  - name: service_update
    pattern: "(upgraded?|updated?|installing|dpkg|apt|package).*(caddy|nginx|apache|proxy)"
    severity: INFO
    description: Web server package update detected

  - name: power_failure
    pattern: "(power (fail|loss|outage|cut)|ups|battery|shutdown.*power|lost power)"
    severity: CRITICAL
    description: Power failure or UPS event

  - name: network_interface
    pattern: "(eth[0-9]|ens[0-9]|enp[0-9]|wlan[0-9]).*(down|up|carrier|link)"
    severity: WARN
    description: Network interface state change

  - name: ip_change
    pattern: "(new ip|ip.*(changed|assigned|address)|dhcp.*(ack|offer|bound|renew))"
    severity: INFO
    description: IP address change or DHCP event

  # ── System / journald patterns ─────────────────────────────────────────────

  - name: systemd_fail
    pattern: "(Failed to start|failed with result|entered failed state|start request repeated too quickly|Main process exited)"
    severity: ERROR
    description: systemd service failed to start or crashed

  - name: oom_kill
    pattern: "(Killed process|oom.kill|oom_kill_process|Out of memory: Kill|memory cgroup out of memory)"
    severity: CRITICAL
    description: Kernel OOM killer terminated a process

  - name: disk_hw_error
    pattern: "(ata[0-9]|sd[a-z]|nvme[0-9]).*(error|failed|reset|timeout|exception|EH|FAILED COMMAND)"
    severity: ERROR
    description: Storage device hardware error or reset

  - name: fs_error
    pattern: "(EXT4-fs error|XFS.*error|BTRFS.*error|I/O error|blk_update_request.*error|buffer I/O error)"
    severity: ERROR
    description: Filesystem or block I/O error

  - name: kernel_error
    pattern: "(kernel: BUG|kernel panic|Oops:|general protection fault|Call Trace|RIP:.*[0-9a-f]{16})"
    severity: CRITICAL
    description: Kernel bug, panic, or oops — system may be unstable

  - name: ssh_brute
    pattern: "(Failed password|Invalid user|authentication failure|Connection closed by authenticating user).*(sshd|ssh)"
    severity: WARN
    description: SSH authentication failure — possible brute force

  - name: container_crash
    pattern: "(container.*exited|oci runtime.*error|podman.*error|docker.*error|container.*killed|OCI.*failed)"
    severity: ERROR
    description: Container runtime error or unexpected exit

  - name: smart_error
    pattern: "(smartd|SMART.*error|reallocated sector|pending sector|uncorrectable sector|Current_Pending_Sector)"
    severity: CRITICAL
    description: SMART disk health warning — potential drive failure

  - name: nfs_error
    pattern: "(nfs.*error|nfs.*timeout|RPC.*timed out|nfs4.*server.*not responding|mount.*nfs.*failed)"
    severity: ERROR
    description: NFS mount or RPC timeout

  # Add device/service-specific patterns below this line:

  - name: qbit_tracker_error
    pattern: "(tracker|announce).*(not working|error|fail|unreachable|timeout|refused|invalid)"
    severity: WARN
    description: qBittorrent tracker connection or announce failure

  - name: qbit_port_bind
    pattern: "(couldn't? listen|bind.*fail|port.*in use|listening.*fail)"
    severity: CRITICAL
    description: qBittorrent failed to bind listen port — firewall or port conflict

  - name: qbit_disk_error
    pattern: "(cannot (write|open|create)|disk.*error|i/o error|file.*fail|write.*fail)"
    severity: ERROR
    description: qBittorrent disk write or file access failure

  - name: qbit_hash_fail
    pattern: "(hash.*(check|fail|mismatch)|recheck|piece.*fail)"
    severity: WARN
    description: qBittorrent torrent hash verification failure — possible corrupt data

  - name: qbit_peer_ban
    pattern: "(peer.*ban|banned.*peer|blocked.*peer)"
    severity: INFO
    description: qBittorrent peer banned (encryption enforcement or bad actor)

  - name: qbit_download_complete
    pattern: "(download.*complet|torrent.*finish|has finished downloading)"
    severity: INFO
    description: qBittorrent torrent download completed

  - name: qbit_ratio_limit
    pattern: "(ratio.*reach|seeding.*limit|stop.*seeding|upload.*limit)"
    severity: INFO
    description: qBittorrent seeding ratio or time limit reached

  - name: qbit_session_error
    pattern: "(session.*error|couldn't? resume|resume.*fail|torrent.*error)"
    severity: ERROR
    description: qBittorrent session or resume data error

  - name: plex_eae_failure
    pattern: "(EAE timeout|EAE not running|eac3_eae.*error reading output|Error submitting packet to decoder.*I/O error)"
    severity: ERROR
    description: Plex EasyAudioEncoder (EAC3 Dolby audio transcoder) crashed — service restart required

  # - name: ext_device_device_error
  #   pattern: "ERR-\d{4}"
  #   severity: ERROR
  #   description: EXT_DEVICE device error code