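# Kubernetes Network Policy for BZZZ v2 (if migrating to K8s later)
# Currently using Docker Swarm, but this provides a template for K8s migration.
#
# Reading guide: NetworkPolicies are additive. The first document selects every
# pod in the namespace and denies all ingress and egress; each later document
# re-opens only the flows one workload needs. A connection is allowed only when
# BOTH the sender's egress rules AND the receiver's ingress rules permit it, so
# the per-app policies below are kept in matching pairs.
#
# NOTE(review): the namespaceSelectors match on a hand-applied `name` label
# (name: bzzz-v2, name: traefik, name: monitoring). Those labels must exist on
# the namespaces or the corresponding rules match nothing. The DNS rules use
# the automatically set `kubernetes.io/metadata.name` label instead.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bzzz-v2-network-policy
  namespace: bzzz-v2
spec:
  # An empty podSelector selects every pod in the namespace.
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  # Default deny all ingress and egress: empty rule lists permit nothing.
  ingress: []
  egress: []
---
# Allow internal cluster communication between bzzz-agent pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: bzzz-internal-communication
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      app: bzzz-agent
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Any pod in the bzzz-v2 namespace may reach an agent on 9000 (TCP and UDP).
    - from:
        - namespaceSelector:
            matchLabels:
              name: bzzz-v2
      ports:
        - protocol: TCP
          port: 9000
        - protocol: UDP
          port: 9000
  egress:
    # Agent-to-agent traffic on 9000 within the namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              name: bzzz-v2
      ports:
        - protocol: TCP
          port: 9000
        - protocol: UDP
          port: 9000
    # The postgres, redis, mcp-server, openai-proxy and content-resolver
    # policies below admit ingress from bzzz-agent; the agent's own egress must
    # allow the same flows, otherwise those ingress rules are unreachable.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
    - to:
        - podSelector:
            matchLabels:
              app: mcp-server
      ports:
        - protocol: TCP
          port: 3001
    - to:
        - podSelector:
            matchLabels:
              app: openai-proxy
      ports:
        - protocol: TCP
          port: 3002
    - to:
        - podSelector:
            matchLabels:
              app: content-resolver
      ports:
        - protocol: TCP
          port: 3003
    # TODO(review): if agents dial dht-bootstrap (9101-9103) directly, add a
    # matching egress rule here; dht-bootstrap already admits the namespace.
    #
    # Allow DNS lookups against the cluster DNS pods in kube-system. Without
    # this an egress-restricted pod cannot resolve Service or external names.
    # Adjust the pod label if your cluster's DNS pods are labelled differently.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# DHT Bootstrap Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dht-bootstrap-policy
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      app: dht-bootstrap
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Any pod in the namespace may reach the bootstrap ports.
    - from:
        - namespaceSelector:
            matchLabels:
              name: bzzz-v2
      ports:
        - protocol: TCP
          port: 9101
        - protocol: TCP
          port: 9102
        - protocol: TCP
          port: 9103
  egress:
    # Bootstrap-to-bootstrap traffic within the namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              name: bzzz-v2
      ports:
        - protocol: TCP
          port: 9101
        - protocol: TCP
          port: 9102
        - protocol: TCP
          port: 9103
    # Cluster DNS (see note on the bzzz-agent policy).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# MCP Server Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mcp-server-policy
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      app: mcp-server
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Ingress controller (any pod in the traefik namespace).
    - from:
        - namespaceSelector:
            matchLabels:
              name: traefik
      ports:
        - protocol: TCP
          port: 3001
    # Agents.
    - from:
        - podSelector:
            matchLabels:
              app: bzzz-agent
      ports:
        - protocol: TCP
          port: 3001
    # Scrapers: the monitoring policy below egresses to 3001, so the receiver
    # side has to admit the monitoring pods as well.
    - from:
        - podSelector:
            matchLabels:
              monitoring: "true"
      ports:
        - protocol: TCP
          port: 3001
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: bzzz-agent
      ports:
        - protocol: TCP
          port: 9000
    # Cluster DNS (see note on the bzzz-agent policy).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# OpenAI Proxy Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: openai-proxy-policy
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      app: openai-proxy
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Ingress controller (any pod in the traefik namespace).
    - from:
        - namespaceSelector:
            matchLabels:
              name: traefik
      ports:
        - protocol: TCP
          port: 3002
    # Agents.
    - from:
        - podSelector:
            matchLabels:
              app: bzzz-agent
      ports:
        - protocol: TCP
          port: 3002
    # Scrapers (the monitoring policy egresses to 3002).
    - from:
        - podSelector:
            matchLabels:
              monitoring: "true"
      ports:
        - protocol: TCP
          port: 3002
  egress:
    # Allow outbound to OpenAI API.
    # An empty `to` matches ALL destinations, in-cluster and external, on TCP
    # 443. This is the broadest rule in the file; narrow it with an ipBlock for
    # the provider's published ranges, or route through an egress gateway, if
    # the cluster can support that.
    - to: []
      ports:
        - protocol: TCP
          port: 443
    # Allow access to Redis and PostgreSQL.
    - to:
        - podSelector:
            matchLabels:
              app: redis
      ports:
        - protocol: TCP
          port: 6379
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # Cluster DNS: the 443 rule above is useless without name resolution for
    # the external API hostname.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Content Resolver Network Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: content-resolver-policy
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      app: content-resolver
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Ingress controller (any pod in the traefik namespace).
    - from:
        - namespaceSelector:
            matchLabels:
              name: traefik
      ports:
        - protocol: TCP
          port: 3003
    # Agents.
    - from:
        - podSelector:
            matchLabels:
              app: bzzz-agent
      ports:
        - protocol: TCP
          port: 3003
    # Scrapers (the monitoring policy egresses to 3003).
    - from:
        - podSelector:
            matchLabels:
              monitoring: "true"
      ports:
        - protocol: TCP
          port: 3003
  egress:
    # DHT bootstrap nodes; their ingress admits the whole namespace.
    - to:
        - podSelector:
            matchLabels:
              app: dht-bootstrap
      ports:
        - protocol: TCP
          port: 9101
        - protocol: TCP
          port: 9102
        - protocol: TCP
          port: 9103
    # Cluster DNS (see note on the bzzz-agent policy).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Database Network Policy
# Only Ingress is listed here, so egress from postgres pods stays under the
# namespace-wide default deny in the first document.
# NOTE(review): conversation-manager and openai-cost-monitor are admitted below
# but have no policy of their own in this file; under the default deny they
# have no egress at all, so they need a policy like the ones above to actually
# reach postgres.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: postgres-policy
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
    - Ingress
  ingress:
    # Several `from` entries in one rule are OR-ed: any listed app on 5432.
    - from:
        - podSelector:
            matchLabels:
              app: bzzz-agent
        - podSelector:
            matchLabels:
              app: openai-proxy
        - podSelector:
            matchLabels:
              app: conversation-manager
        - podSelector:
            matchLabels:
              app: openai-cost-monitor
      ports:
        - protocol: TCP
          port: 5432
---
# Redis Network Policy
# Ingress only; egress from redis pods stays under the default deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: redis-policy
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      app: redis
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: bzzz-agent
        - podSelector:
            matchLabels:
              app: openai-proxy
      ports:
        - protocol: TCP
          port: 6379
---
# Monitoring Network Policy
# Applies to pods in bzzz-v2 labelled monitoring: "true".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: monitoring-policy
  namespace: bzzz-v2
spec:
  podSelector:
    matchLabels:
      monitoring: "true"
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Reachable from the monitoring and traefik namespaces on 9090, 3000 and
    # 9093 (presumably Prometheus, Grafana and Alertmanager - confirm).
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
        - namespaceSelector:
            matchLabels:
              name: traefik
      ports:
        - protocol: TCP
          port: 9090
        - protocol: TCP
          port: 3000
        - protocol: TCP
          port: 9093
  egress:
    # Allow monitoring to scrape all services.
    # Each target's ingress policy must admit the monitoring pods too (the
    # app policies above do this on 9000/3001/3002/3003). Nothing in this file
    # defines a pod listening on 9100, 8080 or 9200-9203; keep those only if
    # such exporters are deployed in this namespace.
    - to:
        - namespaceSelector:
            matchLabels:
              name: bzzz-v2
      ports:
        - protocol: TCP
          port: 9000
        - protocol: TCP
          port: 3001
        - protocol: TCP
          port: 3002
        - protocol: TCP
          port: 3003
        - protocol: TCP
          port: 9100
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 9200
        - protocol: TCP
          port: 9201
        - protocol: TCP
          port: 9202
        - protocol: TCP
          port: 9203
    # Cluster DNS so scrape targets can be addressed by Service name.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53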