config

package
v0.38.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2026 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultAPIRateLimitMax    = 100
	DefaultAPIRateLimitPeriod = 5 * time.Minute
)

Default values for APIRateLimitConfig, applied by the Effective* accessors.

View Source
const (
	EnvPrefix       = "VEF"
	EnvLogLevel     = EnvPrefix + "_LOG_LEVEL"     // Log level (debug|info|warn|error)
	EnvConfigPath   = EnvPrefix + "_CONFIG_PATH"   // Custom config file path
	EnvI18NLanguage = EnvPrefix + "_I18N_LANGUAGE" // Override default language
)

Environment variable keys.

View Source
const (
	DefaultSessionIdleTTL     = 30 * time.Minute
	DefaultSessionMaxLifetime = 7 * 24 * time.Hour
)

Default values for SessionConfig, applied by the Effective* accessors.

View Source
const (
	DefaultLockoutMaxFailures  = 10
	DefaultLockoutWindow       = 15 * time.Minute
	DefaultLockoutLockDuration = 15 * time.Minute
	DefaultLockoutBackoffBase  = 1 * time.Second
	DefaultLockoutBackoffMax   = 15 * time.Minute
)

Default values for LockoutConfig, applied by the Effective* accessors when a field is left at its zero value.

View Source
const (
	DefaultMaxUploadSize int64 = 1024 * 1024 * 1024 // 1 GiB

	DefaultClaimTTL         time.Duration = 24 * time.Hour
	DefaultMaxPendingClaims int           = 100

	DefaultSweepInterval  time.Duration = 5 * time.Minute
	DefaultSweepBatchSize int           = 200

	DefaultDeleteWorkerInterval time.Duration = 5 * time.Minute
	DefaultDeleteBatchSize      int           = 100
	DefaultDeleteConcurrency    int           = 8
	DefaultDeleteMaxAttempts    int           = 12
	DefaultDeleteLeaseWindow    time.Duration = 5 * time.Minute
)

Default upload-flow and worker tunables. Mirror the values documented in the upload API design; configuration overrides apply iff strictly positive (a zero or negative value re-selects the default).

View Source
const PrimaryDataSourceName = "primary"

PrimaryDataSourceName is the reserved name of the data source declared under vef.data_sources.primary. It is mandatory and powers the framework-wide orm.DB injection. config is the lowest layer, so this is the canonical home for the constant.

Variables

View Source
var (
	ErrInvalidLockoutStrategy = errors.New("invalid lockout strategy")
	ErrInvalidLockoutKey      = errors.New("invalid lockout key")
	ErrInvalidTokenType       = errors.New("invalid token type")
	ErrInvalidSessionOnExceed = errors.New("invalid session on_exceed policy")
)

Sentinel errors for security configuration validation.

View Source
var ErrInboxRetentionTooShort = errors.New(
	"event: inbox.retention is shorter than the outbox exponential-backoff horizon")

ErrInboxRetentionTooShort indicates the inbox retention window is smaller than the worst-case exponential-backoff horizon implied by the outbox max_retries. With such a configuration a duplicate delivery from the outbox could arrive after its inbox dedupe entry has already been pruned, producing double-execution.

View Source
var ErrInvalidApprovalBindingConsistency = errors.New("invalid approval business binding consistency")

ErrInvalidApprovalBindingConsistency indicates an unsupported business binding consistency mode.

View Source
var ErrInvalidApprovalBusinessBindingWorkerConfig = errors.New("invalid approval business binding worker config")

ErrInvalidApprovalBusinessBindingWorkerConfig indicates a negative worker interval or batch size. Zero leaves the corresponding setting at its default.

Functions

This section is empty.

Types

type APIConfig added in v0.38.0

type APIConfig struct {
	// RateLimit is the default rate limit applied to every operation that does
	// not declare its own via api.OperationSpec.RateLimit.
	RateLimit APIRateLimitConfig `config:"rate_limit"`
}

APIConfig configures cross-cutting behavior of the API engine (`vef.api`). Zero values resolve to defaults through the Effective* accessors.

type APIRateLimitConfig added in v0.38.0

type APIRateLimitConfig struct {
	// Max is the number of requests admitted per window; 0 resolves to the
	// default. Default: 100.
	Max int `config:"max"`
	// Period is the sliding-window length; 0 resolves to the default.
	// Default: 5m.
	Period time.Duration `config:"period"`
}

APIRateLimitConfig bounds request throughput. The limiter counts per operation and client (resource:version:action + IP + principal) in a sliding window held in process memory, so in a multi-node deployment each node enforces the limit independently.

func (*APIRateLimitConfig) EffectiveMax added in v0.38.0

func (c *APIRateLimitConfig) EffectiveMax() int

EffectiveMax returns Max or its default.

func (*APIRateLimitConfig) EffectivePeriod added in v0.38.0

func (c *APIRateLimitConfig) EffectivePeriod() time.Duration

EffectivePeriod returns Period or its default.

type AppConfig

type AppConfig struct {
	Name      string `config:"name"`
	Port      uint16 `config:"port"`
	BodyLimit string `config:"body_limit"`
	// TrustedProxies lists proxy IPs or CIDR ranges allowed to set
	// X-Forwarded-For. When empty, the client IP is the direct connection peer
	// and a forwarded header from an untrusted client is ignored.
	TrustedProxies []string `config:"trusted_proxies"`
}

AppConfig defines core application settings.

type ApprovalBindingConsistency added in v0.38.0

type ApprovalBindingConsistency string

ApprovalBindingConsistency selects how business-table projections participate in approval transactions.

const (
	// ApprovalBindingSynchronous writes the business row inside the approval
	// transaction. A projection failure rolls the approval action back.
	ApprovalBindingSynchronous ApprovalBindingConsistency = "synchronous"
	// ApprovalBindingEventual commits the desired projection with the approval
	// action and lets the binding worker converge the business row afterwards.
	ApprovalBindingEventual ApprovalBindingConsistency = "eventual"
)

type ApprovalBusinessBindingConfig added in v0.38.0

type ApprovalBusinessBindingConfig struct {
	// Consistency defaults to synchronous so business projection failures abort
	// the approval action unless eventual consistency is explicitly enabled.
	Consistency ApprovalBindingConsistency `config:"consistency"`
	// ScanInterval is the eventual projection worker cadence. Default: 10 seconds.
	ScanInterval time.Duration `config:"scan_interval"`
	// BatchSize bounds the number of pending projections processed per scan.
	// Default: 100.
	BatchSize int `config:"batch_size"`
}

ApprovalBusinessBindingConfig controls business-state projection behavior.

func (*ApprovalBusinessBindingConfig) EffectiveBatchSize added in v0.38.0

func (c *ApprovalBusinessBindingConfig) EffectiveBatchSize() int

EffectiveBatchSize returns BatchSize or its default.

func (*ApprovalBusinessBindingConfig) EffectiveConsistency added in v0.38.0

EffectiveConsistency returns Consistency or the synchronous default.

func (*ApprovalBusinessBindingConfig) EffectiveScanInterval added in v0.38.0

func (c *ApprovalBusinessBindingConfig) EffectiveScanInterval() time.Duration

EffectiveScanInterval returns ScanInterval or its default.

func (*ApprovalBusinessBindingConfig) Validate added in v0.38.0

func (c *ApprovalBusinessBindingConfig) Validate() error

Validate rejects unsupported consistency modes so configuration typos fail at startup instead of silently selecting different transaction semantics.

type ApprovalConfig

type ApprovalConfig struct {
	// AutoMigrate runs the approval DDL migration on application start.
	AutoMigrate bool `config:"auto_migrate"`

	// TimeoutScanInterval is the polling cadence for the timeout scanner
	// that finds tasks past their deadline. Default: 1 minute.
	TimeoutScanInterval time.Duration `config:"timeout_scan_interval"`

	// PreWarningScanInterval is the polling cadence for the pre-warning
	// scanner that notifies before a task hits its deadline. Default: 5 minutes.
	PreWarningScanInterval time.Duration `config:"pre_warning_scan_interval"`

	// CleanupScanInterval is the cadence of the retention cleanup job
	// that prunes form snapshots, urge records, and CC records past
	// their retention window. Default: 24 hours.
	CleanupScanInterval time.Duration `config:"cleanup_scan_interval"`

	// DelegationMaxDepth caps how deep a delegation chain (A→B→C…) can
	// be resolved before short-circuiting. Default: 10.
	DelegationMaxDepth int `config:"delegation_max_depth"`

	// FormSnapshotRetention is the retention window for apv_form_snapshot
	// rows; older snapshots are deleted by the cleanup job. Default: 90 days.
	FormSnapshotRetention time.Duration `config:"form_snapshot_retention"`

	// UrgeRecordRetention is the retention window for apv_urge_record rows.
	// Default: 30 days.
	UrgeRecordRetention time.Duration `config:"urge_record_retention"`

	// CCRecordRetention is the retention window for apv_cc_record rows
	// (only records that have been read are pruned). Default: 90 days.
	CCRecordRetention time.Duration `config:"cc_record_retention"`

	// BusinessBinding controls approval-to-business-table state projection.
	BusinessBinding ApprovalBusinessBindingConfig `config:"business_binding"`
}

ApprovalConfig defines approval workflow engine settings.

Outbox-related fields previously lived here; they have moved to EventConfig.Transports.Outbox so the framework-wide outbox transport can serve any module, not just approval.

func (*ApprovalConfig) ApplyDefaults added in v0.24.0

func (c *ApprovalConfig) ApplyDefaults()

ApplyDefaults fills zero-valued fields with sensible defaults so callers don't have to mirror them in every TOML file.

func (*ApprovalConfig) Validate added in v0.38.0

func (c *ApprovalConfig) Validate() error

Validate checks approval configuration invariants.

type CORSConfig added in v0.32.0

type CORSConfig struct {
	Enabled      bool     `config:"enabled"`
	AllowOrigins []string `config:"allow_origins"`
}

CORSConfig defines CORS middleware settings.

type Config

type Config interface {
	// Unmarshal decodes configuration at the given key into target.
	Unmarshal(key string, target any) error
}

Config provides access to application configuration values.

type DBKind

type DBKind string

DBKind represents supported database kinds.

const (
	Oracle    DBKind = "oracle"
	SQLServer DBKind = "sqlserver"
	Postgres  DBKind = "postgres"
	MySQL     DBKind = "mysql"
	SQLite    DBKind = "sqlite"
)

Supported database kinds. The constants are intentionally unprefixed (MySQL, not DBMySQL): a DB* prefix would produce the stacked-acronym form DBSQLServer, which the identifier convention avoids, so bare names are kept.

type DataSourceConfig

type DataSourceConfig struct {
	Kind           DBKind `config:"type"`
	Host           string `config:"host"`
	Port           uint16 `config:"port"`
	User           string `config:"user"`
	Password       string `config:"password"`
	Database       string `config:"database"`
	Schema         string `config:"schema"`
	Path           string `config:"path"`
	EnableSQLGuard bool   `config:"enable_sql_guard"`

	// SSLMode selects the TLS posture for network dialects (Postgres, MySQL).
	// It defaults to SSLDisable (plaintext) when omitted, so TLS is opt-in
	// and existing zero-config deployments are unaffected. SQLite ignores it.
	SSLMode SSLMode `config:"ssl_mode"`
	// SSLRootCert is an optional path to a PEM file holding the CA
	// certificate(s) used to verify the server in the verify-ca / verify-full
	// modes. When empty, the host's system certificate pool is used.
	SSLRootCert string `config:"ssl_root_cert"`
}

DataSourceConfig defines database connection settings for one named data source. Sources live under `vef.data_sources.<name>` in the TOML configuration; the entry under name "primary" is mandatory and is the source exposed in the FX container as orm.DB.

type DataSourcesConfig added in v0.27.0

type DataSourcesConfig struct {
	Map map[string]DataSourceConfig
}

DataSourcesConfig groups every entry under vef.data_sources. Map keys are the data source names (lower-case, alphanumeric); the entry named "primary" is mandatory and powers the framework-wide orm.DB injection.

func (*DataSourcesConfig) Primary added in v0.27.0

func (c *DataSourcesConfig) Primary() DataSourceConfig

Primary returns the configuration for the primary data source, or the zero value if absent. The framework validates the primary entry's presence at startup, so callers that obtain this config from the framework can rely on it being populated.

type EventConfig added in v0.24.0

type EventConfig struct {
	// DefaultTransport is the route fallback when no rule matches.
	DefaultTransport string `config:"default_transport"`
	// AsyncQueueSize is the capacity of the async fan-in queue used
	// by WithAsync publishes.
	AsyncQueueSize int `config:"async_queue_size"`
	// AsyncWorkers is the number of goroutines draining the async
	// fan-in queue.
	AsyncWorkers int `config:"async_workers"`
	// PublishTimeout caps an individual transport.Publish call.
	PublishTimeout time.Duration `config:"publish_timeout"`

	Transports EventTransportsConfig `config:"transports"`
	Middleware EventMiddlewareConfig `config:"middleware"`
	Inbox      EventInboxConfig      `config:"inbox"`
	// Routing is matched top-to-bottom; the first rule whose Pattern
	// matches via path.Match wins. fan-out is expressed by listing
	// multiple transports in Transports.
	Routing []EventRoutingRule `config:"routing"`
}

EventConfig governs the framework event bus: transports, routing, middleware, and the consume-side Inbox table.

func (*EventConfig) EffectiveAsyncQueueSize added in v0.24.0

func (c *EventConfig) EffectiveAsyncQueueSize() int

EffectiveAsyncQueueSize applies the default.

func (*EventConfig) EffectiveAsyncWorkers added in v0.24.0

func (c *EventConfig) EffectiveAsyncWorkers() int

EffectiveAsyncWorkers applies the default.

func (*EventConfig) EffectiveDefaultTransport added in v0.24.0

func (c *EventConfig) EffectiveDefaultTransport() string

EffectiveDefaultTransport applies the default fallback.

func (*EventConfig) EffectivePublishTimeout added in v0.24.0

func (c *EventConfig) EffectivePublishTimeout() time.Duration

EffectivePublishTimeout applies the default.

func (*EventConfig) Validate added in v0.24.0

func (c *EventConfig) Validate() error

Validate checks invariants that cross multiple subtrees of the EventConfig. Called once at fx Start. Currently enforced:

  • The inbox retention window must comfortably outlast the worst case outbox retry horizon (sum of 2^k seconds across max_retries attempts) so dedupe entries survive the longest delayed duplicate.

type EventInboxConfig added in v0.24.0

type EventInboxConfig struct {
	Retention       time.Duration `config:"retention"`
	ProcessingLease time.Duration `config:"processing_lease"`
	CleanupInterval time.Duration `config:"cleanup_interval"`
}

EventInboxConfig governs the inbox table retention, processing leases, and cleanup.

func (*EventInboxConfig) EffectiveCleanupInterval added in v0.24.0

func (c *EventInboxConfig) EffectiveCleanupInterval() time.Duration

EffectiveCleanupInterval applies the default of 1 hour.

func (*EventInboxConfig) EffectiveProcessingLease added in v0.24.0

func (c *EventInboxConfig) EffectiveProcessingLease() time.Duration

EffectiveProcessingLease applies the default of 10 minutes.

func (*EventInboxConfig) EffectiveRetention added in v0.24.0

func (c *EventInboxConfig) EffectiveRetention() time.Duration

EffectiveRetention applies the default of 7 days.

type EventMemoryTransportConfig added in v0.24.0

type EventMemoryTransportConfig struct {
	QueueSize      int           `config:"queue_size"`
	FullPolicy     string        `config:"full_policy"` // error | block | drop_oldest
	PublishTimeout time.Duration `config:"publish_timeout"`
}

EventMemoryTransportConfig configures the in-process transport.

type EventMiddlewareConfig added in v0.24.0

type EventMiddlewareConfig struct {
	Logging bool `config:"logging"`
	Tracing bool `config:"tracing"`
	// TracingStrict, when true, switches the Tracing middleware to
	// strict mode: incoming TraceIDs from cross-process transports are
	// treated as untrusted and parked under IncomingTraceIDFromContext;
	// a fresh ID is generated for log correlation. Default (false) is
	// W3C / OpenTelemetry-compatible propagation suitable for intra-
	// cluster pub/sub. Toggle this on at the edge between trust zones.
	TracingStrict bool `config:"tracing_strict"`
	Metrics       bool `config:"metrics"`
	Recover       bool `config:"recover"`
	// Inbox controls whether the consume-side idempotency middleware
	// is enabled. It only activates on transports whose Capabilities
	// declare AtLeastOnce regardless of this flag.
	Inbox bool `config:"inbox"`
}

EventMiddlewareConfig toggles the built-in consume/publish middlewares.

type EventOutboxTransportConfig added in v0.24.0

type EventOutboxTransportConfig struct {
	Enabled         bool          `config:"enabled"`
	RelayInterval   time.Duration `config:"relay_interval"`
	MaxRetries      int           `config:"max_retries"`
	BatchSize       int           `config:"batch_size"`
	LeaseMultiplier int           `config:"lease_multiplier"`
	MinLease        time.Duration `config:"min_lease"`
	SinkName        string        `config:"sink"`
	CleanupInterval time.Duration `config:"cleanup_interval"`
	CompletedTTL    time.Duration `config:"completed_ttl"`
}

EventOutboxTransportConfig configures the persistent outbox transport.

func (*EventOutboxTransportConfig) EffectiveCleanupInterval added in v0.24.0

func (c *EventOutboxTransportConfig) EffectiveCleanupInterval() time.Duration

EffectiveCleanupInterval applies the outbox cleanup default.

func (*EventOutboxTransportConfig) EffectiveCompletedTTL added in v0.24.0

func (c *EventOutboxTransportConfig) EffectiveCompletedTTL() time.Duration

EffectiveCompletedTTL applies the outbox completed-row TTL default.

type EventRedisStreamTransportConfig added in v0.24.0

type EventRedisStreamTransportConfig struct {
	Enabled           bool          `config:"enabled"`
	StreamPrefix      string        `config:"stream_prefix"`
	MaxLenApprox      int64         `config:"max_len_approx"`
	BlockTimeout      time.Duration `config:"block_timeout"`
	ClaimIdle         time.Duration `config:"claim_idle"`
	ClaimInterval     time.Duration `config:"claim_interval"`
	ClaimBatchSize    int64         `config:"claim_batch_size"`
	ReaperConcurrency int           `config:"reaper_concurrency"`
	// HandlerTimeout bounds each delivery so a hung handler cannot pin a worker.
	// Zero disables the deadline — but the deadline is also the ONLY thing that
	// frees a wedged reaper slot before shutdown: a reclaimed handler that blocks
	// forever holds its bounded slot until Stop, so with HandlerTimeout=0 a few
	// stuck reclaims can starve reaper failover for all other streams. Operators
	// who disable it should size ReaperConcurrency with that risk in mind.
	HandlerTimeout time.Duration `config:"handler_timeout"`
	SetupTimeout   time.Duration `config:"setup_timeout"`
	ConsumerID     string        `config:"consumer_id"`
	StartID        string        `config:"start_id"`
	// IdleGroupRetention enables reclamation of orphaned consumer groups
	// (a decommissioned subscriber's leftovers): a group with no pending
	// entries whose every consumer record has been idle beyond this window
	// is destroyed. Zero (default) disables the sweep.
	IdleGroupRetention time.Duration `config:"idle_group_retention"`
	// IdleGroupSweepInterval is the sweep period when IdleGroupRetention
	// is enabled. Defaults to 10m.
	IdleGroupSweepInterval time.Duration `config:"idle_group_sweep_interval"`
}

EventRedisStreamTransportConfig configures the Redis Streams transport.

type EventRoutingRule added in v0.24.0

type EventRoutingRule struct {
	Pattern    string   `config:"pattern"`
	Transports []string `config:"transports"`
}

EventRoutingRule matches an event type to one or more transports. Pattern uses path.Match semantics ("*", "?", "[abc]"). The list of transports expresses fan-out — each frame is dispatched to every listed transport.

type EventTransportsConfig added in v0.24.0

type EventTransportsConfig struct {
	Memory      EventMemoryTransportConfig      `config:"memory"`
	Outbox      EventOutboxTransportConfig      `config:"outbox"`
	RedisStream EventRedisStreamTransportConfig `config:"redis_stream"`
}

EventTransportsConfig groups per-transport configuration blocks.

type FilesystemConfig

type FilesystemConfig struct {
	Root string `config:"root"`
}

FilesystemConfig defines filesystem storage settings.

type LockoutConfig added in v0.38.0

type LockoutConfig struct {
	// Enabled toggles lockout. A nil pointer resolves to enabled, so brute-force
	// protection is on by default; set it to false to switch the feature off.
	Enabled *bool `config:"enabled"`
	// MaxFailures is the number of failed attempts tolerated before the strategy
	// engages. Default: 10.
	MaxFailures int `config:"max_failures"`
	// Window is how long failed attempts are remembered; a spell of no failures
	// this long resets the counter. Default: 15m.
	Window time.Duration `config:"window"`
	// LockDuration is how long attempts are blocked once the threshold is
	// reached under the "lock" strategy. Default: 15m.
	LockDuration time.Duration `config:"lock_duration"`
	// Strategy selects "lock" (hard block) or "backoff" (escalating delay).
	// Default: "lock".
	Strategy LockoutStrategy `config:"strategy"`
	// BackoffBase is the first delay imposed past the threshold under the
	// "backoff" strategy; it doubles per further failure. Default: 1s.
	BackoffBase time.Duration `config:"backoff_base"`
	// BackoffMax caps the per-attempt backoff delay. Default: 15m.
	BackoffMax time.Duration `config:"backoff_max"`
	// Key selects the identity dimension the counter is keyed by. Default:
	// "user_ip".
	Key LockoutKey `config:"key"`
}

LockoutConfig configures brute-force protection on the login endpoint.

Zero values resolve to defaults through the Effective* accessors; treat the parsed struct as raw input and read policy through those accessors, never the fields directly.

func (*LockoutConfig) EffectiveBackoffBase added in v0.38.0

func (c *LockoutConfig) EffectiveBackoffBase() time.Duration

EffectiveBackoffBase returns BackoffBase or its default.

func (*LockoutConfig) EffectiveBackoffMax added in v0.38.0

func (c *LockoutConfig) EffectiveBackoffMax() time.Duration

EffectiveBackoffMax returns BackoffMax or its default.

func (*LockoutConfig) EffectiveKey added in v0.38.0

func (c *LockoutConfig) EffectiveKey() LockoutKey

EffectiveKey returns Key or its default.

func (*LockoutConfig) EffectiveLockDuration added in v0.38.0

func (c *LockoutConfig) EffectiveLockDuration() time.Duration

EffectiveLockDuration returns LockDuration or its default.

func (*LockoutConfig) EffectiveMaxFailures added in v0.38.0

func (c *LockoutConfig) EffectiveMaxFailures() int

EffectiveMaxFailures returns MaxFailures or its default.

func (*LockoutConfig) EffectiveStrategy added in v0.38.0

func (c *LockoutConfig) EffectiveStrategy() LockoutStrategy

EffectiveStrategy returns Strategy or its default.

func (*LockoutConfig) EffectiveWindow added in v0.38.0

func (c *LockoutConfig) EffectiveWindow() time.Duration

EffectiveWindow returns Window or its default.

func (*LockoutConfig) IsEnabled added in v0.38.0

func (c *LockoutConfig) IsEnabled() bool

IsEnabled reports whether lockout is active. An omitted toggle means enabled.

func (*LockoutConfig) Validate added in v0.38.0

func (c *LockoutConfig) Validate() error

Validate rejects out-of-enum strategy and key values so a configuration typo fails fast at boot instead of silently degrading to a default.

type LockoutKey added in v0.38.0

type LockoutKey string

LockoutKey selects the identity dimension a lockout counter is keyed by.

const (
	// LockoutKeyUser counts failures per login identifier, across all sources.
	LockoutKeyUser LockoutKey = "user"
	// LockoutKeyIP counts failures per source address, across all identifiers.
	LockoutKeyIP LockoutKey = "ip"
	// LockoutKeyUserIP counts failures per identifier-and-source pair. This is
	// the default: it throttles credential guessing while denying an attacker
	// the ability to lock a victim out of every source by guessing one account.
	LockoutKeyUserIP LockoutKey = "user_ip"
)

type LockoutStrategy added in v0.38.0

type LockoutStrategy string

LockoutStrategy selects how repeated login failures are penalized.

const (
	// LockoutStrategyLock blocks all further attempts for a fixed duration once
	// the failure threshold is reached.
	LockoutStrategyLock LockoutStrategy = "lock"
	// LockoutStrategyBackoff imposes an exponentially growing delay between
	// attempts past the threshold instead of a hard lock, so a legitimate user
	// is never fully locked out and a mass-lockout denial of service against a
	// targeted account is not possible.
	LockoutStrategyBackoff LockoutStrategy = "backoff"
)

type MCPConfig

type MCPConfig struct {
	Enabled bool `config:"enabled"`
	// RequireAuth gates the MCP HTTP endpoint behind bearer-token authentication.
	// It is a pointer so an unset value defaults to secure (auth required); set it
	// to false explicitly to allow anonymous access.
	RequireAuth *bool `config:"require_auth"`
}

MCPConfig defines MCP server settings.

type MinIOConfig

type MinIOConfig struct {
	Endpoint  string `config:"endpoint"`
	AccessKey string `config:"access_key"`
	SecretKey string `config:"secret_key"`
	Bucket    string `config:"bucket"`
	Region    string `config:"region"`
	UseSSL    bool   `config:"use_ssl"`
}

MinIOConfig defines MinIO storage settings.

type MonitorConfig

type MonitorConfig struct {
	SampleInterval time.Duration `config:"sample_interval"` // Interval between samples (default: 10s)
	SampleDuration time.Duration `config:"sample_duration"` // Sampling window duration (default: 2s)
}

MonitorConfig defines monitoring service settings.

type PasswordPolicyConfig added in v0.38.0

type PasswordPolicyConfig struct {
	// MinLength requires at least this many characters when > 0.
	MinLength int `config:"min_length"`
	// MaxLength requires at most this many characters when > 0.
	MaxLength int `config:"max_length"`
	// RequireUpper requires at least one uppercase letter.
	RequireUpper bool `config:"require_upper"`
	// RequireLower requires at least one lowercase letter.
	RequireLower bool `config:"require_lower"`
	// RequireDigit requires at least one digit.
	RequireDigit bool `config:"require_digit"`
	// RequireSymbol requires at least one symbol (non-space, non-letter,
	// non-digit; caseless letters such as CJK do not count).
	RequireSymbol bool `config:"require_symbol"`
	// MinCharClasses requires at least this many distinct character classes
	// (uppercase, lowercase, digit, symbol) when > 0.
	MinCharClasses int `config:"min_char_classes"`
	// DisallowUsername rejects a password that contains the account id or name.
	DisallowUsername bool `config:"disallow_username"`
	// Blocklist rejects passwords matching any listed entry (case-insensitive).
	Blocklist []string `config:"blocklist"`
	// HistoryDepth rejects a new password that repeats any of the subject's last
	// N passwords when > 0. Enforcement requires a security.PasswordHistoryStore.
	HistoryDepth int `config:"history_depth"`
	// MaxAge forces a password change once the password is older than this.
	// Zero disables expiry. Enforcement requires a security.PasswordMetadataLoader
	// and a security.ExpiryPasswordChangeChecker wired into the login flow.
	MaxAge time.Duration `config:"max_age"`
}

PasswordPolicyConfig configures password strength rules. Every field is opt-in: a zero value disables the corresponding rule, so an unconfigured policy accepts any password and enabling a rule is an explicit choice.

type RedisConfig

type RedisConfig struct {
	// Enabled gates the Redis client construction. When false (default) the
	// framework provides a nil *redis.Client into the fx graph and skips the
	// connection PING during start-up; downstream modules that ask for the
	// client via `optional:"true"` therefore stay dormant. Set this to true
	// only when the application actually depends on Redis (cache, redis_stream
	// transport, nonce store, etc.).
	Enabled  bool   `config:"enabled"`
	Host     string `config:"host"`
	Port     uint16 `config:"port"`
	User     string `config:"user"`
	Password string `config:"password"`
	Database uint8  `config:"database"` // Database number (0-15)
	Network  string `config:"network"`  // "tcp" or "unix" (default: "tcp")
}

RedisConfig defines Redis connection settings.

type SSLMode added in v0.29.0

type SSLMode string

SSLMode controls the TLS posture of a database connection. The values follow the PostgreSQL libpq vocabulary so operators familiar with `sslmode` can reuse it. It applies to the network-based dialects (Postgres, MySQL); SQLite is a local file and ignores it.

const (
	// SSLDisable connects without TLS. This is the default when the field
	// is omitted.
	SSLDisable SSLMode = "disable"
	// SSLRequire negotiates TLS but performs no certificate or hostname
	// verification (encryption without authentication; vulnerable to MITM).
	SSLRequire SSLMode = "require"
	// SSLVerifyCA negotiates TLS and verifies that the server certificate
	// chains to a trusted CA, but does not check the hostname.
	SSLVerifyCA SSLMode = "verify-ca"
	// SSLVerifyFull negotiates TLS and verifies both the CA chain and that
	// the certificate matches the server hostname. This is the strongest mode.
	SSLVerifyFull SSLMode = "verify-full"
)

Supported SSL modes. The empty value is treated as SSLDisable so a zero-config data source keeps connecting over plaintext exactly as before — TLS is strictly opt-in.

type SecurityConfig

type SecurityConfig struct {
	// Secret is the hex-encoded key used to sign and verify JWT tokens.
	// Leave empty in development to have the framework generate an ephemeral
	// key at startup; set a stable per-deployment value in production.
	Secret           string        `config:"secret"`
	TokenExpires     time.Duration `config:"token_expires"`
	RefreshNotBefore time.Duration `config:"refresh_not_before"`
	LoginRateLimit   int           `config:"login_rate_limit"`
	RefreshRateLimit int           `config:"refresh_rate_limit"`
	// IPWhitelists names the source-IP whitelists served by the framework's
	// default security.IPWhitelistLoader; the built-in "ip" auth strategy
	// resolves api.IPAuth(name) against them, and the no-arg api.IPAuth()
	// targets the "default" key. Each entry is a single IP address or CIDR
	// range. Note: the config layer lowercases TOML keys, so whitelist names
	// are effectively lowercase.
	IPWhitelists map[string][]string `config:"ip_whitelists"`
	// Lockout configures brute-force protection on the login endpoint.
	Lockout LockoutConfig `config:"lockout"`
	// PasswordPolicy configures strength rules enforced when a password is set.
	PasswordPolicy PasswordPolicyConfig `config:"password_policy"`
	// TokenType selects the login token mechanism: stateless "jwt_token"
	// (default) or stateful "opaque_token". Session control (concurrency limits,
	// force-offline, renewal) is only available with opaque tokens.
	TokenType TokenType `config:"token_type"`
	// Session configures opaque-token session behavior; it has no effect under
	// the jwt_token mechanism.
	Session SessionConfig `config:"session"`
}

SecurityConfig defines security settings.

func (*SecurityConfig) EffectiveTokenType added in v0.38.0

func (c *SecurityConfig) EffectiveTokenType() TokenType

EffectiveTokenType returns TokenType or its default (jwt_token).

func (*SecurityConfig) Validate added in v0.38.0

func (c *SecurityConfig) Validate() error

Validate rejects out-of-enum token type and session policy so a configuration typo fails fast at boot.

type SessionConfig added in v0.38.0

type SessionConfig struct {
	// MaxConcurrent bounds simultaneous sessions per account; 0 is unlimited.
	// Enforcement is best-effort under concurrent logins: a burst of simultaneous
	// logins for one account may briefly exceed the limit by the number of racing
	// requests before it settles.
	MaxConcurrent int `config:"max_concurrent"`
	// OnExceed selects reject vs. evict-oldest when the limit is hit.
	// Default: evict_oldest (a new login kicks the earliest device offline).
	OnExceed SessionExceedPolicy `config:"on_exceed"`
	// IdleTTL is the inactivity timeout and the sliding renewal window applied on
	// each authenticated request. Default: 30m.
	IdleTTL time.Duration `config:"idle_ttl"`
	// MaxLifetime caps a session's total age regardless of renewal; 0 is
	// uncapped. Default: 7 days.
	MaxLifetime time.Duration `config:"max_lifetime"`
	// Sliding enables idle-timeout renewal on each request. A nil pointer
	// resolves to enabled.
	Sliding *bool `config:"sliding"`
}

SessionConfig configures opaque-token sessions. Zero values resolve to defaults through the Effective* accessors.

func (*SessionConfig) EffectiveIdleTTL added in v0.38.0

func (c *SessionConfig) EffectiveIdleTTL() time.Duration

EffectiveIdleTTL returns IdleTTL or its default.

func (*SessionConfig) EffectiveMaxLifetime added in v0.38.0

func (c *SessionConfig) EffectiveMaxLifetime() time.Duration

EffectiveMaxLifetime returns MaxLifetime or its default.

func (*SessionConfig) EffectiveOnExceed added in v0.38.0

func (c *SessionConfig) EffectiveOnExceed() SessionExceedPolicy

EffectiveOnExceed returns OnExceed or its default.

func (*SessionConfig) IsSliding added in v0.38.0

func (c *SessionConfig) IsSliding() bool

IsSliding reports whether idle-timeout renewal is enabled. Omitted means on.

type SessionExceedPolicy added in v0.38.0

type SessionExceedPolicy string

SessionExceedPolicy selects what happens when a login exceeds the concurrent session limit.

const (
	// SessionExceedReject denies the new login once the limit is reached.
	SessionExceedReject SessionExceedPolicy = "reject"
	// SessionExceedEvictOldest revokes the oldest session to admit the new login.
	SessionExceedEvictOldest SessionExceedPolicy = "evict_oldest"
)

type StorageConfig

type StorageConfig struct {
	Provider    StorageProvider  `config:"provider"`
	AutoMigrate bool             `config:"auto_migrate"`
	MinIO       MinIOConfig      `config:"minio"`
	Filesystem  FilesystemConfig `config:"filesystem"`

	// MaxUploadSize is the hard upper bound (in bytes) on a single object
	// uploaded through the storage RPC, regardless of declared mode.
	// Default: 1 GiB.
	MaxUploadSize int64 `config:"max_upload_size"`

	// ClaimTTL is how long an upload claim stays valid before being swept.
	// Default: 24h.
	ClaimTTL time.Duration `config:"claim_ttl"`

	// MaxPendingClaims caps the number of in-flight (status='pending')
	// upload claims a single principal may hold simultaneously. Prevents
	// a single user from exhausting backend resources by opening
	// thousands of multipart sessions. Enforcement is best-effort: the
	// init-upload check is a count-then-insert, so a concurrent burst from
	// one principal may briefly overshoot the cap by the number of
	// in-flight requests before settling. This is a DoS-hygiene limit, not
	// a hard security boundary. Default: 100.
	MaxPendingClaims int `config:"max_pending_claims"`

	// AllowPublicUploads controls whether clients may set public=true on
	// init_upload. When false (default), all uploads land under priv/
	// regardless of the client's request. Set to true only when the
	// business explicitly needs user-initiated public uploads.
	AllowPublicUploads bool `config:"allow_public_uploads"`

	// SweepInterval is how often the claim sweeper polls for expired
	// upload claims. Default: 5m.
	SweepInterval time.Duration `config:"sweep_interval"`
	// SweepBatchSize bounds how many expired claims one sweep tick processes.
	// Default: 200.
	SweepBatchSize int `config:"sweep_batch_size"`

	// DeleteWorkerInterval is how often the delete worker polls for due
	// pending-delete rows. Default: 5m.
	DeleteWorkerInterval time.Duration `config:"delete_worker_interval"`
	// DeleteBatchSize bounds how many rows the delete worker leases per tick.
	// Default: 100.
	DeleteBatchSize int `config:"delete_batch_size"`
	// DeleteConcurrency caps the number of in-flight object deletions
	// per worker tick. Default: 8.
	DeleteConcurrency int `config:"delete_concurrency"`
	// DeleteMaxAttempts is the retry budget after which a pending-delete
	// row is parked as dead-letter. Default: 12.
	DeleteMaxAttempts int `config:"delete_max_attempts"`
	// DeleteLeaseWindow is the visibility timeout applied when leasing
	// rows. Should comfortably exceed expected per-item processing time.
	// Default: 5m.
	DeleteLeaseWindow time.Duration `config:"delete_lease_window"`
}

StorageConfig defines storage provider settings.

Upload-flow and worker tunables have working defaults applied at read time when their zero value is loaded; callers should not assume the parsed config carries non-zero values. Use the Effective* accessors instead of reading struct fields directly.

func (*StorageConfig) EffectiveClaimTTL added in v0.23.0

func (c *StorageConfig) EffectiveClaimTTL() time.Duration

EffectiveClaimTTL returns ClaimTTL or its default.

func (*StorageConfig) EffectiveDeleteBatchSize added in v0.23.0

func (c *StorageConfig) EffectiveDeleteBatchSize() int

EffectiveDeleteBatchSize returns DeleteBatchSize or its default.

func (*StorageConfig) EffectiveDeleteConcurrency added in v0.23.0

func (c *StorageConfig) EffectiveDeleteConcurrency() int

EffectiveDeleteConcurrency returns DeleteConcurrency or its default.

func (*StorageConfig) EffectiveDeleteLeaseWindow added in v0.23.0

func (c *StorageConfig) EffectiveDeleteLeaseWindow() time.Duration

EffectiveDeleteLeaseWindow returns DeleteLeaseWindow or its default.

func (*StorageConfig) EffectiveDeleteMaxAttempts added in v0.23.0

func (c *StorageConfig) EffectiveDeleteMaxAttempts() int

EffectiveDeleteMaxAttempts returns DeleteMaxAttempts or its default.

func (*StorageConfig) EffectiveDeleteWorkerInterval added in v0.23.0

func (c *StorageConfig) EffectiveDeleteWorkerInterval() time.Duration

EffectiveDeleteWorkerInterval returns DeleteWorkerInterval or its default.

func (*StorageConfig) EffectiveMaxPendingClaims added in v0.23.0

func (c *StorageConfig) EffectiveMaxPendingClaims() int

EffectiveMaxPendingClaims returns MaxPendingClaims or its default.

func (*StorageConfig) EffectiveMaxUploadSize added in v0.23.0

func (c *StorageConfig) EffectiveMaxUploadSize() int64

EffectiveMaxUploadSize returns MaxUploadSize or its default.

func (*StorageConfig) EffectiveSweepBatchSize added in v0.23.0

func (c *StorageConfig) EffectiveSweepBatchSize() int

EffectiveSweepBatchSize returns SweepBatchSize or its default.

func (*StorageConfig) EffectiveSweepInterval added in v0.23.0

func (c *StorageConfig) EffectiveSweepInterval() time.Duration

EffectiveSweepInterval returns SweepInterval or its default.

type StorageProvider

type StorageProvider string

StorageProvider represents supported storage backend types.

const (
	StorageMinIO      StorageProvider = "minio"
	StorageMemory     StorageProvider = "memory"
	StorageFilesystem StorageProvider = "filesystem"
)

Supported storage providers.

type TokenType added in v0.38.0

type TokenType string

TokenType selects the login token mechanism.

const (
	// TokenTypeJWT issues stateless, self-contained JWT access/refresh tokens.
	TokenTypeJWT TokenType = "jwt_token"
	// TokenTypeOpaque issues stateful opaque tokens backed by a session store.
	TokenTypeOpaque TokenType = "opaque_token"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL