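# Badge provisioning options.  These symbols choose whether the on-device
# provisioning sequence runs, which network/cloud credentials it uses, and
# which pre-provisioned values are seeded straight into NVS.
#
# Secrets (WiFi passwords, AWS keys) intentionally carry no default in this
# file: every string default here is compiled into the firmware image and is
# recoverable from a flash dump or from the committed source.  Supply them
# from a non-committed sdkconfig override instead.
menu "Config (Provisioning)"

    config PROVISION
        bool "Run provisioning sequence on boot"
        default n
        help
            When enabled, the device will run the full provisioning
            sequence on startup: write WiFi credentials to NVS, generate
            the AES key, encrypt and store WiFi credentials in the secure
            enclave, then read them back to verify.
            Disable for production builds after the chip is provisioned.

    config PROVISION_NVS_WIFI_SSID
        string "WiFi SSID to store in NVS"
        default "BADGENET_admin"
        depends on PROVISION
        help
            The WiFi SSID written to NVS during provisioning for use by
            the WiFi driver at runtime (max 32 characters).

    config PROVISION_NVS_WIFI_PASSWORD
        string "WiFi password to store in NVS"
        # No default on purpose: the provisioning-network password must come
        # from a local sdkconfig override, not from this file.
        default ""
        depends on PROVISION
        help
            The WiFi password written to NVS during provisioning for use
            by the WiFi driver at runtime (max 64 characters).  Has no
            default; set it in a non-committed sdkconfig override rather
            than in this file.

    config PROVISION_DRY_RUN
        bool "Dry-run provisioning (skip config/data zone locks)"
        # Defaults to y so that a stock build can never lock a chip; the
        # build that performs the irreversible locks must opt out explicitly.
        default y
        depends on PROVISION
        help
            When enabled, the provisioning sequence runs end-to-end — WiFi
            wait, ATECC serial read, CA server probe, key generation, CSR
            build, remote signing, and NVS writes — but skips the two
            irreversible lock operations (provisionConfigDefault and
            provisionData).  Use this to test the full flow without
            permanently locking a chip.  Never enable in production.

    # Not gated on PROVISION: seeding is meant for builds that bypass the
    # on-device flow entirely.  All PROVISION_SEED_* string values end up in
    # the firmware image, so treat a seeded build as containing live secrets.
    config PROVISION_SEED_NVS
        bool "Seed NVS enclave keys at boot (pre-provisioned values)"
        default n
        help
            When enabled, the listed key values are written to NVS under
            the enclave namespace on every boot, overwriting whatever is
            already stored.  Intended for pre-provisioned builds where
            keys are baked in at flash time rather than generated on-device.
            Disable for production builds that use the normal provisioning flow.

    config PROVISION_SEED_TRANSPORT_KEY
        string "Transport key (hex string, 64 chars)"
        default ""
        depends on PROVISION_SEED_NVS
        help
            64-character hex string (32 bytes) written to NVS_KEY_TRANSPORT_KEY.

    config PROVISION_SEED_PUBKEY
        string "Public key (hex string, 128 chars)"
        default ""
        depends on PROVISION_SEED_NVS
        help
            128-character hex string (64 bytes) written to NVS_KEY_PUBKEY.

    config PROVISION_SEED_REG_SECRET
        string "Registration secret (hex string, 64 chars)"
        default ""
        depends on PROVISION_SEED_NVS
        help
            64-character hex string (32 bytes) written to NVS_KEY_REG_SECRET.

    config PROVISION_SEED_DEVICE_CERT
        string "Device certificate (hex string)"
        default ""
        depends on PROVISION_SEED_NVS
        help
            Hex-encoded device certificate written to NVS_KEY_DEVICE_CERT.

    config PROVISION_SEED_PROVISIONED
        bool "Mark device as fully provisioned (set NVS_KEY_PROVISIONED=1)"
        default n
        depends on PROVISION_SEED_NVS
        help
            When enabled, writes 1 to NVS_KEY_PROVISIONED on every boot so
            the runtime treats the device as already provisioned. Enable this
            for pre-provisioned builds alongside the other seed keys.

    config PROVISION_S3_UPLOAD
        bool "Upload provisioning artifacts to S3 after provisioning"
        default y
        depends on PROVISION
        help
            After a successful provisioning run, upload the CSR, public key,
            transport key, and registration secret to an S3 bucket under the
            path badges/<atecc_serial>/.  Requires valid AWS IAM credentials
            with s3:PutObject permission on the target bucket.
            Skipped automatically during dry-run builds.

    config PROVISION_S3_BUCKET
        string "S3 bucket name"
        default "cackalacky"
        depends on PROVISION_S3_UPLOAD
        help
            Name of the S3 bucket to upload provisioning artifacts into.

    config PROVISION_S3_REGION
        string "AWS S3 region"
        default "us-east-1"
        depends on PROVISION_S3_UPLOAD
        help
            AWS region where the S3 bucket resides (e.g. us-east-1).

    # The IAM credential pair below is compiled into the image.  Keep the
    # defaults empty and inject real values from a non-committed override;
    # the IAM user should be provisioning-only and scoped to this bucket.
    config PROVISION_S3_ACCESS_KEY_ID
        string "AWS access key ID"
        default ""
        depends on PROVISION_S3_UPLOAD
        help
            IAM access key ID with s3:PutObject permission on the bucket.
            This value is baked into the firmware binary — use a provisioning-
            only IAM user scoped to this bucket and prefix.  Has no default;
            set it in a non-committed sdkconfig override.

    config PROVISION_S3_SECRET_ACCESS_KEY
        string "AWS secret access key"
        default ""
        depends on PROVISION_S3_UPLOAD
        help
            IAM secret access key corresponding to PROVISION_S3_ACCESS_KEY_ID.
            Has no default; set it in a non-committed sdkconfig override.

    config PROVISION_DB_REGISTER
        bool "Register device in database via provisioning API"
        default y
        depends on PROVISION
        help
            After a successful provisioning run, POST the device identity to the
            iot-graph-tracker /api/provision endpoint. This upserts a row in
            cackalacky.devices and creates the cackalacky.mqtt_user entry needed
            for mTLS authentication. Skipped automatically during dry-run builds.

    config PROVISION_DB_REGISTER_URL
        string "Provisioning API URL"
        # The plain-http example in the help sends the device identity in
        # cleartext; keep it to an isolated provisioning LAN and prefer https.
        default "https://admin.hackalacky.io/api/provision"
        depends on PROVISION_DB_REGISTER
        help
            Full URL of the /api/provision endpoint on the iot-graph-tracker
            server reachable from the badge's provisioning network
            (e.g. http://192.168.1.10:3000/api/provision).

    config PROVISION_CON_WIFI_SSID
        string "Con WiFi SSID (written to NVS at end of provisioning)"
        default "badgenet"
        depends on PROVISION
        help
            The WiFi SSID written to the NVS wifi namespace at the end of a
            successful provisioning run.  This overwrites the provisioning
            network credentials so the badge connects to the con network on
            the next boot (max 32 characters).

    config PROVISION_CON_WIFI_PASSWORD
        string "Con WiFi password (written to NVS at end of provisioning)"
        # No default on purpose: the con-network password must come from a
        # local sdkconfig override, not from this file.
        default ""
        depends on PROVISION
        help
            The WiFi password written to the NVS wifi namespace at the end of
            a successful provisioning run (max 64 characters).  Has no
            default; set it in a non-committed sdkconfig override rather
            than in this file.

endmenu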

# Gameplay stats seeded into NVS on first boot only.  Both values are
# constrained to 0-255; once a value has been persisted in NVS, the stored
# value is used instead of these defaults.
menu "Virus / Game Stats"

    config VIRUS_INITIAL_HEALTH
        int "Initial health value (0-255)"
        default 255
        range 0 255
        help
            Starting health loaded into NVS on first boot (before any value
            is persisted).  Valid range 0-255.  255 = full health.

    config VIRUS_INITIAL_MANA
        int "Initial mana value (0-255)"
        default 255
        range 0 255
        help
            Starting mana loaded into NVS on first boot (before any value
            is persisted).  Valid range 0-255.  255 = full mana.

endmenu
