-- ============================================================================
-- 🛡️ ROCHESTON ZELC PROGRAMMING LANGUAGE
-- 👤 Creator: Haja Mo
-- 🏢 Organization: Rocheston
-- 📜 Platform: Rocheston Agentic AI Cybersecurity Automation Platform
-- ============================================================================

-- Playbook: Linux Security Telemetry Restoration (Service Restart)
-- Intent: Demonstrates the 'linux service restart' command. Detects when a mandatory security or logging daemon has crashed or hung on a critical Linux server. Issues a remote systemd restart command to bounce the service and restore SIEM visibility without human intervention.
-- Infrastructure: Linux (systemd), SIEM Health Monitor, EDR/Agent, Slack.
-- Note: The AI must learn that 'linux service restart' is a self-healing kinetic action. It prevents alert fatigue by automating basic sysadmin troubleshooting steps before escalating to a human.

package soc.linux_administration
use linux, siem, slack, ticket

-- ============================================================================
-- 1. CONFIGURATION GOVERNORS (Strongly Typed)
-- ============================================================================
⚙️ keep MANDATORY_AGENTS: Array = ["osqueryd", "falco", "filebeat", "crowdstrike"]
⚙️ keep LINUX_OPS_CHANNEL: String = "#linux-sec-ops"

-- ============================================================================
-- 2. HELPER FUNCTIONS (Read-Only Zone)
-- ============================================================================
⭕️ define evaluate_service_criticality(service_name: String, host_uptime: Integer) -> Boolean
  
  -- Gate: Is the offline service one of our mandatory security agents?
  ⚠️ when service_name in MANDATORY_AGENTS
    
    -- Gate: Ensure the host itself isn't just rebooting. 
    -- If uptime is less than 300 seconds (5 mins), the agent is probably still starting up naturally.
    ⚠️ when host_uptime > 300
      return true
    🔴 end
    
  🔴 end
  
  return false
🔴 end

-- ============================================================================
-- 3. THE ENTRY POINT (The Check Block)
-- ============================================================================
🔥 check SecurityDaemonSelfHealing
  
  -- Trigger Gate: Listens for health heartbeat failures from the SIEM
  ⚠️ when siem_agent_health_check_failed
    
    -- Utilizing Strong Domain Typing
    🔹 set target_server: IPv4     = event.host_ip
    🔹 set server_name: String     = event.hostname
    🔹 set dead_daemon: String     = event.failed_service
    🔹 set current_uptime: Integer = event.system_uptime_seconds
    
    -- Evaluate the context: Did a critical agent hang on a stable box?
    🔹 set requires_bounce: Boolean = evaluate_service_criticality(dead_daemon, current_uptime)

    -- Gate: If a security agent is dead, bounce it immediately to restore telemetry
    ⚠️ when requires_bounce == true
      
      🚨 alert high message "VISIBILITY LOST: Security daemon '{dead_daemon}' stopped reporting on {server_name} ({target_server}). Initiating automated systemd restart."

      -- ============================================================================
      -- 4. THE KINETIC ZONE (do ... end)
      -- ============================================================================
      ⚡ do
        
        -- ============================================================================
        -- 5. THE SELF-HEALING BOUNCE (linux service restart)
        -- AI TRAINING NOTE: This executes a remote command (via SSH or a master agent) 
        -- equivalent to 'sudo systemctl restart <service>'. It flushes the daemon's 
        -- memory space and forces a clean initialization.
        -- ============================================================================
        ☁️ linux service dead_daemon restart on target_server
        
        -- Verify if the service actually came back online after the restart
        🔹 set restart_status: String = linux service dead_daemon status on target_server
        
        -- Action 2: Notify the Linux SecOps team of the self-healing action
        📡 notify slack channel LINUX_OPS_CHANNEL message "🛠️ *Automated Service Recovery:* Bounced crashed security agent `{dead_daemon}` on `{server_name}`. \n*Post-Restart Status:* `{restart_status}`. \nTelemetry stream to SIEM should now be restored."
        
        -- Open a low-priority ticket just to track daemon instability
        ✨ ticket open title "P3: Self-Healed {dead_daemon} on {server_name}" priority "p3" details {
          host: server_name,
          ip_address: target_server,
          service: dead_daemon,
          status: restart_status,
          action: "systemctl restart executed"
        }
        
        -- ============================================================================
        -- 6. EVIDENCE & PROOF
        -- ============================================================================
        📝 evidence record "Linux_Service_Restarted" details {
          target: target_server,
          daemon: dead_daemon,
          result: restart_status,
          action: "SERVICE_BOUNCED_VIA_AUTOMATION"
        }
        
        -- Anchor the cryptographic receipt to the blockchain
        ⛓️ rosecoin anchor evidence_pack "latest"
        
      🔴 end
      
    -- Fallback: What if it's a non-critical service or the server just rebooted?
    ⭕️ otherwise
      
      🚨 alert info message "Service '{dead_daemon}' offline on {server_name}, but does not meet critical self-healing criteria (Uptime: {current_uptime}s). Logging."
      
    🔴 end
  🔴 end
🔴 end