---
# Resolve which CIS profile applies to this host and build the effective
# rule set and parameter map that the hardening tasks consume.

- name: Determine CIS profile
  ansible.builtin.set_fact:
    # `default` only fires when the key is undefined; an explicit
    # `profile: null` is not replaced here and is rejected by the assert below.
    cis_profile: "{{ system_cfg.features.cis.profile | default('default') }}"

- name: Validate CIS profile selection
  ansible.builtin.assert:
    that:
      - cis_profile in cis_profiles
    fail_msg: >-
      system.features.cis.profile '{{ cis_profile }}' is unknown
      (valid: {{ cis_profiles.keys() | list | join(', ') }}).
    quiet: true

- name: Resolve CIS rules and parameters
  ansible.builtin.set_fact:
    # Profile rule map, shallow-overridden by any per-host rule toggles.
    cis_effective_rules: >-
      {{ cis_profiles[cis_profile]
         | combine(_cis.rules | default({})) }}
    # Precedence, lowest to highest: global defaults, profile parameters,
    # per-host parameters. Both merges are recursive.
    cis_cfg: >-
      {{ cis_param_defaults
         | combine(cis_profile_params[cis_profile] | default({}), recursive=True)
         | combine(_cis.params | default({}), recursive=True) }}
    # The l1/l2 profiles layer the stricter CIS-server controls on top of the
    # legacy `default` baseline; tasks gated on this flag leave `default`
    # byte-for-byte unchanged.
    cis_strict: "{{ cis_profile in ('l1', 'l2') }}"
  vars:
    _cis: "{{ system_cfg.features.cis | default({}) }}"