option('pam',               type: 'feature', value: 'auto',     description: 'PAM authentication support')
option('radius',            type: 'feature', value: 'auto',     description: 'RADIUS authentication/accounting support')
option('gssapi',            type: 'feature', value: 'auto',     description: 'GSSAPI/Kerberos authentication support')
option('liboath',           type: 'feature', value: 'auto',     description: 'OTP support via liboath')
option('libnl',             type: 'feature', value: 'auto',     description: 'libnl3 support in occtl')
option('maxmind',           type: 'feature', value: 'auto',     description: 'GeoIP support via libmaxminddb')
option('geoip',             type: 'feature', value: 'auto',     description: 'GeoIP support via libgeoip (fallback when maxmind absent)')
option('lz4',               type: 'feature', value: 'auto',     description: 'LZ4 compression support')
option('compression',       type: 'feature', value: 'enabled',  description: 'Compression support (LZS + optional LZ4)')
option('seccomp',           type: 'feature', value: 'auto',     description: 'seccomp worker isolation')
option('systemd',           type: 'feature', value: 'auto',     description: 'systemd socket-activation support')
option('oidc-auth',         type: 'feature', value: 'disabled', description: 'OpenID Connect authentication support')
option('latency-stats',     type: 'feature', value: 'disabled', description: 'Capture latency statistics')
option('anyconnect-compat', type: 'feature', value: 'enabled',  description: 'Cisco AnyConnect client compatibility')
option('namespaces',        type: 'feature', value: 'enabled',  description: 'Linux network namespace support')
option('utmp',              type: 'feature', value: 'auto',     description: 'utmp support via libutil')
option('libwrap',           type: 'feature', value: 'auto',     description: 'TCP wrappers support via libwrap')
option('local-talloc',      type: 'boolean',  value: false,     description: 'Force use of bundled talloc')
option('local-llhttp',      type: 'boolean',  value: true,      description: 'Use bundled llhttp (default); false to require system llhttp')
option('local-protobuf',    type: 'boolean',  value: false,     description: 'Force use of bundled protobuf-c')
option('local-pcl',         type: 'boolean',  value: true,      description: 'Use bundled PCL (default); false to require system pcl')
option('seccomp-trap',      type: 'boolean',  value: false,     description: 'Filtered syscalls fail with a signal (for CI/testing)')
option('root-tests',        type: 'boolean',  value: true,      description: 'Enable tests requiring root/namespaces')
option('tun-tests',         type: 'boolean',  value: true,      description: 'Enable tests requiring /dev/net/tun')
option('kerberos-tests',    type: 'boolean',  value: false,     description: 'Enable tests requiring a Kerberos setup')
option('with-werror',       type: 'boolean',  value: false,     description: 'Treat compiler warnings as errors')
option('pager',             type: 'string',   value: 'less',    description: 'Default pager for occtl (empty string for none)')
option('firewall-script',   type: 'combo',    choices: ['auto', 'nftables', 'iptables'], value: 'auto', description: 'Firewall script backend (auto prefers nftables if nft is found)')
