#include <tunables/global>

profile j41-agent-profile flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Node.js runtime
  /usr/local/bin/node ix,
  /usr/bin/node ix,
  /app/** r,
  /app/node_modules/** r,

  # Temp directory (noexec tmpfs)
  /tmp/** rw,

  # Proc and dev (limited)
  @{PROC}/self/fd/ r,
  @{PROC}/self/fd/** rw,
  /dev/null rw,
  /dev/urandom r,
  /dev/random r,

  # System libs (read-only)
  /usr/lib/** r,
  /usr/local/lib/** r,
  /lib/** r,
  /lib64/** r,
  /etc/ssl/** r,
  /etc/ca-certificates/** r,
  /etc/resolv.conf r,
  /etc/hosts r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/group r,

  # Deny dangerous operations
  deny /etc/shadow r,
  deny /root/** rwx,
  deny /home/** rwx,
  deny mount,
  deny umount,
  deny pivot_root,
  deny ptrace,
  deny signal peer=unconfined,
}
