Documentation
¶
Index ¶
- Constants
- Variables
- type APIConfig
- type APIRateLimitConfig
- type AppConfig
- type ApprovalBindingConsistency
- type ApprovalBusinessBindingConfig
- type ApprovalConfig
- type CORSConfig
- type Config
- type DBKind
- type DataSourceConfig
- type DataSourcesConfig
- type EventConfig
- type EventInboxConfig
- type EventMemoryTransportConfig
- type EventMiddlewareConfig
- type EventOutboxTransportConfig
- type EventRedisStreamTransportConfig
- type EventRoutingRule
- type EventTransportsConfig
- type FilesystemConfig
- type LockoutConfig
- func (c *LockoutConfig) EffectiveBackoffBase() time.Duration
- func (c *LockoutConfig) EffectiveBackoffMax() time.Duration
- func (c *LockoutConfig) EffectiveKey() LockoutKey
- func (c *LockoutConfig) EffectiveLockDuration() time.Duration
- func (c *LockoutConfig) EffectiveMaxFailures() int
- func (c *LockoutConfig) EffectiveStrategy() LockoutStrategy
- func (c *LockoutConfig) EffectiveWindow() time.Duration
- func (c *LockoutConfig) IsEnabled() bool
- func (c *LockoutConfig) Validate() error
- type LockoutKey
- type LockoutStrategy
- type MCPConfig
- type MinIOConfig
- type MonitorConfig
- type PasswordPolicyConfig
- type RedisConfig
- type SSLMode
- type SecurityConfig
- type SessionConfig
- type SessionExceedPolicy
- type StorageConfig
- func (c *StorageConfig) EffectiveClaimTTL() time.Duration
- func (c *StorageConfig) EffectiveDeleteBatchSize() int
- func (c *StorageConfig) EffectiveDeleteConcurrency() int
- func (c *StorageConfig) EffectiveDeleteLeaseWindow() time.Duration
- func (c *StorageConfig) EffectiveDeleteMaxAttempts() int
- func (c *StorageConfig) EffectiveDeleteWorkerInterval() time.Duration
- func (c *StorageConfig) EffectiveMaxPendingClaims() int
- func (c *StorageConfig) EffectiveMaxUploadSize() int64
- func (c *StorageConfig) EffectiveSweepBatchSize() int
- func (c *StorageConfig) EffectiveSweepInterval() time.Duration
- type StorageProvider
- type TokenType
Constants ¶
const ( DefaultAPIRateLimitMax = 100 DefaultAPIRateLimitPeriod = 5 * time.Minute )
Default values for APIRateLimitConfig, applied by the Effective* accessors.
const ( EnvPrefix = "VEF" EnvLogLevel = EnvPrefix + "_LOG_LEVEL" // Log level (debug|info|warn|error) EnvConfigPath = EnvPrefix + "_CONFIG_PATH" // Custom config file path EnvI18NLanguage = EnvPrefix + "_I18N_LANGUAGE" // Override default language )
Environment variable keys.
const ( DefaultSessionIdleTTL = 30 * time.Minute DefaultSessionMaxLifetime = 7 * 24 * time.Hour )
Default values for SessionConfig, applied by the Effective* accessors.
const ( DefaultLockoutMaxFailures = 10 DefaultLockoutWindow = 15 * time.Minute DefaultLockoutLockDuration = 15 * time.Minute DefaultLockoutBackoffBase = 1 * time.Second DefaultLockoutBackoffMax = 15 * time.Minute )
Default values for LockoutConfig, applied by the Effective* accessors when a field is left at its zero value.
const ( DefaultMaxUploadSize int64 = 1024 * 1024 * 1024 // 1 GiB DefaultClaimTTL time.Duration = 24 * time.Hour DefaultMaxPendingClaims int = 100 DefaultSweepInterval time.Duration = 5 * time.Minute DefaultSweepBatchSize int = 200 DefaultDeleteWorkerInterval time.Duration = 5 * time.Minute DefaultDeleteBatchSize int = 100 DefaultDeleteConcurrency int = 8 DefaultDeleteMaxAttempts int = 12 DefaultDeleteLeaseWindow time.Duration = 5 * time.Minute )
Default upload-flow and worker tunables. Mirror the values documented in the upload API design; configuration overrides apply iff strictly positive (a zero or negative value re-selects the default).
const PrimaryDataSourceName = "primary"
PrimaryDataSourceName is the reserved name of the data source declared under vef.data_sources.primary. It is mandatory and powers the framework-wide orm.DB injection. config is the lowest layer, so this is the canonical home for the constant.
Variables ¶
var ( ErrInvalidLockoutStrategy = errors.New("invalid lockout strategy") ErrInvalidLockoutKey = errors.New("invalid lockout key") ErrInvalidTokenType = errors.New("invalid token type") ErrInvalidSessionOnExceed = errors.New("invalid session on_exceed policy") )
Sentinel errors for security configuration validation.
var ErrInboxRetentionTooShort = errors.New(
"event: inbox.retention is shorter than the outbox exponential-backoff horizon")
ErrInboxRetentionTooShort indicates the inbox retention window is smaller than the worst-case exponential-backoff horizon implied by the outbox max_retries. With such a configuration a duplicate delivery from the outbox could arrive after its inbox dedupe entry has already been pruned, producing double-execution.
var ErrInvalidApprovalBindingConsistency = errors.New("invalid approval business binding consistency")
ErrInvalidApprovalBindingConsistency indicates an unsupported business binding consistency mode.
var ErrInvalidApprovalBusinessBindingWorkerConfig = errors.New("invalid approval business binding worker config")
ErrInvalidApprovalBusinessBindingWorkerConfig indicates a negative worker interval or batch size. Zero leaves the corresponding setting at its default.
Functions ¶
This section is empty.
Types ¶
type APIConfig ¶ added in v0.38.0
type APIConfig struct {
// RateLimit is the default rate limit applied to every operation that does
// not declare its own via api.OperationSpec.RateLimit.
RateLimit APIRateLimitConfig `config:"rate_limit"`
}
APIConfig configures cross-cutting behavior of the API engine (`vef.api`). Zero values resolve to defaults through the Effective* accessors.
type APIRateLimitConfig ¶ added in v0.38.0
type APIRateLimitConfig struct {
// Max is the number of requests admitted per window; 0 resolves to the
// default. Default: 100.
Max int `config:"max"`
// Period is the sliding-window length; 0 resolves to the default.
// Default: 5m.
Period time.Duration `config:"period"`
}
APIRateLimitConfig bounds request throughput. The limiter counts per operation and client (resource:version:action + IP + principal) in a sliding window held in process memory, so in a multi-node deployment each node enforces the limit independently.
func (*APIRateLimitConfig) EffectiveMax ¶ added in v0.38.0
func (c *APIRateLimitConfig) EffectiveMax() int
EffectiveMax returns Max or its default.
func (*APIRateLimitConfig) EffectivePeriod ¶ added in v0.38.0
func (c *APIRateLimitConfig) EffectivePeriod() time.Duration
EffectivePeriod returns Period or its default.
type AppConfig ¶
type AppConfig struct {
Name string `config:"name"`
Port uint16 `config:"port"`
BodyLimit string `config:"body_limit"`
// TrustedProxies lists proxy IPs or CIDR ranges allowed to set
// X-Forwarded-For. When empty, the client IP is the direct connection peer
// and a forwarded header from an untrusted client is ignored.
TrustedProxies []string `config:"trusted_proxies"`
}
AppConfig defines core application settings.
type ApprovalBindingConsistency ¶ added in v0.38.0
type ApprovalBindingConsistency string
ApprovalBindingConsistency selects how business-table projections participate in approval transactions.
const ( // ApprovalBindingSynchronous writes the business row inside the approval // transaction. A projection failure rolls the approval action back. ApprovalBindingSynchronous ApprovalBindingConsistency = "synchronous" // ApprovalBindingEventual commits the desired projection with the approval // action and lets the binding worker converge the business row afterwards. ApprovalBindingEventual ApprovalBindingConsistency = "eventual" )
type ApprovalBusinessBindingConfig ¶ added in v0.38.0
type ApprovalBusinessBindingConfig struct {
// Consistency defaults to synchronous so business projection failures abort
// the approval action unless eventual consistency is explicitly enabled.
Consistency ApprovalBindingConsistency `config:"consistency"`
// ScanInterval is the eventual projection worker cadence. Default: 10 seconds.
ScanInterval time.Duration `config:"scan_interval"`
// BatchSize bounds the number of pending projections processed per scan.
// Default: 100.
BatchSize int `config:"batch_size"`
}
ApprovalBusinessBindingConfig controls business-state projection behavior.
func (*ApprovalBusinessBindingConfig) EffectiveBatchSize ¶ added in v0.38.0
func (c *ApprovalBusinessBindingConfig) EffectiveBatchSize() int
EffectiveBatchSize returns BatchSize or its default.
func (*ApprovalBusinessBindingConfig) EffectiveConsistency ¶ added in v0.38.0
func (c *ApprovalBusinessBindingConfig) EffectiveConsistency() ApprovalBindingConsistency
EffectiveConsistency returns Consistency or the synchronous default.
func (*ApprovalBusinessBindingConfig) EffectiveScanInterval ¶ added in v0.38.0
func (c *ApprovalBusinessBindingConfig) EffectiveScanInterval() time.Duration
EffectiveScanInterval returns ScanInterval or its default.
func (*ApprovalBusinessBindingConfig) Validate ¶ added in v0.38.0
func (c *ApprovalBusinessBindingConfig) Validate() error
Validate rejects unsupported consistency modes so configuration typos fail at startup instead of silently selecting different transaction semantics.
type ApprovalConfig ¶
type ApprovalConfig struct {
// AutoMigrate runs the approval DDL migration on application start.
AutoMigrate bool `config:"auto_migrate"`
// TimeoutScanInterval is the polling cadence for the timeout scanner
// that finds tasks past their deadline. Default: 1 minute.
TimeoutScanInterval time.Duration `config:"timeout_scan_interval"`
// PreWarningScanInterval is the polling cadence for the pre-warning
// scanner that notifies before a task hits its deadline. Default: 5 minutes.
PreWarningScanInterval time.Duration `config:"pre_warning_scan_interval"`
// CleanupScanInterval is the cadence of the retention cleanup job
// that prunes form snapshots, urge records, and CC records past
// their retention window. Default: 24 hours.
CleanupScanInterval time.Duration `config:"cleanup_scan_interval"`
// DelegationMaxDepth caps how deep a delegation chain (A→B→C…) can
// be resolved before short-circuiting. Default: 10.
DelegationMaxDepth int `config:"delegation_max_depth"`
// FormSnapshotRetention is the retention window for apv_form_snapshot
// rows; older snapshots are deleted by the cleanup job. Default: 90 days.
FormSnapshotRetention time.Duration `config:"form_snapshot_retention"`
// UrgeRecordRetention is the retention window for apv_urge_record rows.
// Default: 30 days.
UrgeRecordRetention time.Duration `config:"urge_record_retention"`
// CCRecordRetention is the retention window for apv_cc_record rows
// (only records that have been read are pruned). Default: 90 days.
CCRecordRetention time.Duration `config:"cc_record_retention"`
// BusinessBinding controls approval-to-business-table state projection.
BusinessBinding ApprovalBusinessBindingConfig `config:"business_binding"`
}
ApprovalConfig defines approval workflow engine settings.
Outbox-related fields previously lived here; they have moved to EventConfig.Transports.Outbox so the framework-wide outbox transport can serve any module, not just approval.
func (*ApprovalConfig) ApplyDefaults ¶ added in v0.24.0
func (c *ApprovalConfig) ApplyDefaults()
ApplyDefaults fills zero-valued fields with sensible defaults so callers don't have to mirror them in every TOML file.
func (*ApprovalConfig) Validate ¶ added in v0.38.0
func (c *ApprovalConfig) Validate() error
Validate checks approval configuration invariants.
type CORSConfig ¶ added in v0.32.0
type CORSConfig struct {
Enabled bool `config:"enabled"`
AllowOrigins []string `config:"allow_origins"`
}
CORSConfig defines CORS middleware settings.
type Config ¶
type Config interface {
// Unmarshal decodes configuration at the given key into target.
Unmarshal(key string, target any) error
}
Config provides access to application configuration values.
type DBKind ¶
type DBKind string
DBKind represents supported database kinds.
const ( Oracle DBKind = "oracle" SQLServer DBKind = "sqlserver" Postgres DBKind = "postgres" MySQL DBKind = "mysql" SQLite DBKind = "sqlite" )
Supported database kinds. The constants are intentionally unprefixed (MySQL, not DBMySQL): a DB* prefix would produce the stacked-acronym form DBSQLServer, which the identifier convention avoids, so bare names are kept.
type DataSourceConfig ¶
type DataSourceConfig struct {
Kind DBKind `config:"type"`
Host string `config:"host"`
Port uint16 `config:"port"`
User string `config:"user"`
Password string `config:"password"`
Database string `config:"database"`
Schema string `config:"schema"`
Path string `config:"path"`
EnableSQLGuard bool `config:"enable_sql_guard"`
// SSLMode selects the TLS posture for network dialects (Postgres, MySQL).
// It defaults to SSLDisable (plaintext) when omitted, so TLS is opt-in
// and existing zero-config deployments are unaffected. SQLite ignores it.
SSLMode SSLMode `config:"ssl_mode"`
// SSLRootCert is an optional path to a PEM file holding the CA
// certificate(s) used to verify the server in the verify-ca / verify-full
// modes. When empty, the host's system certificate pool is used.
SSLRootCert string `config:"ssl_root_cert"`
}
DataSourceConfig defines database connection settings for one named data source. Sources live under `vef.data_sources.<name>` in the TOML configuration; the entry under name "primary" is mandatory and is the source exposed in the FX container as orm.DB.
type DataSourcesConfig ¶ added in v0.27.0
type DataSourcesConfig struct {
Map map[string]DataSourceConfig
}
DataSourcesConfig groups every entry under vef.data_sources. Map keys are the data source names (lower-case, alphanumeric); the entry named "primary" is mandatory and powers the framework-wide orm.DB injection.
func (*DataSourcesConfig) Primary ¶ added in v0.27.0
func (c *DataSourcesConfig) Primary() DataSourceConfig
Primary returns the configuration for the primary data source, or the zero value if absent. The framework validates the primary entry's presence at startup, so callers that obtain this config from the framework can rely on it being populated.
type EventConfig ¶ added in v0.24.0
type EventConfig struct {
// DefaultTransport is the route fallback when no rule matches.
DefaultTransport string `config:"default_transport"`
// AsyncQueueSize is the capacity of the async fan-in queue used
// by WithAsync publishes.
AsyncQueueSize int `config:"async_queue_size"`
// AsyncWorkers is the number of goroutines draining the async
// fan-in queue.
AsyncWorkers int `config:"async_workers"`
// PublishTimeout caps an individual transport.Publish call.
PublishTimeout time.Duration `config:"publish_timeout"`
Transports EventTransportsConfig `config:"transports"`
Middleware EventMiddlewareConfig `config:"middleware"`
Inbox EventInboxConfig `config:"inbox"`
// Routing is matched top-to-bottom; the first rule whose Pattern
// matches via path.Match wins. fan-out is expressed by listing
// multiple transports in Transports.
Routing []EventRoutingRule `config:"routing"`
}
EventConfig governs the framework event bus: transports, routing, middleware, and the consume-side Inbox table.
func (*EventConfig) EffectiveAsyncQueueSize ¶ added in v0.24.0
func (c *EventConfig) EffectiveAsyncQueueSize() int
EffectiveAsyncQueueSize applies the default.
func (*EventConfig) EffectiveAsyncWorkers ¶ added in v0.24.0
func (c *EventConfig) EffectiveAsyncWorkers() int
EffectiveAsyncWorkers applies the default.
func (*EventConfig) EffectiveDefaultTransport ¶ added in v0.24.0
func (c *EventConfig) EffectiveDefaultTransport() string
EffectiveDefaultTransport applies the default fallback.
func (*EventConfig) EffectivePublishTimeout ¶ added in v0.24.0
func (c *EventConfig) EffectivePublishTimeout() time.Duration
EffectivePublishTimeout applies the default.
func (*EventConfig) Validate ¶ added in v0.24.0
func (c *EventConfig) Validate() error
Validate checks invariants that cross multiple subtrees of the EventConfig. Called once at fx Start. Currently enforced:
- The inbox retention window must comfortably outlast the worst case outbox retry horizon (sum of 2^k seconds across max_retries attempts) so dedupe entries survive the longest delayed duplicate.
type EventInboxConfig ¶ added in v0.24.0
type EventInboxConfig struct {
Retention time.Duration `config:"retention"`
ProcessingLease time.Duration `config:"processing_lease"`
CleanupInterval time.Duration `config:"cleanup_interval"`
}
EventInboxConfig governs the inbox table retention, processing leases, and cleanup.
func (*EventInboxConfig) EffectiveCleanupInterval ¶ added in v0.24.0
func (c *EventInboxConfig) EffectiveCleanupInterval() time.Duration
EffectiveCleanupInterval applies the default of 1 hour.
func (*EventInboxConfig) EffectiveProcessingLease ¶ added in v0.24.0
func (c *EventInboxConfig) EffectiveProcessingLease() time.Duration
EffectiveProcessingLease applies the default of 10 minutes.
func (*EventInboxConfig) EffectiveRetention ¶ added in v0.24.0
func (c *EventInboxConfig) EffectiveRetention() time.Duration
EffectiveRetention applies the default of 7 days.
type EventMemoryTransportConfig ¶ added in v0.24.0
type EventMemoryTransportConfig struct {
QueueSize int `config:"queue_size"`
FullPolicy string `config:"full_policy"` // error | block | drop_oldest
PublishTimeout time.Duration `config:"publish_timeout"`
}
EventMemoryTransportConfig configures the in-process transport.
type EventMiddlewareConfig ¶ added in v0.24.0
type EventMiddlewareConfig struct {
Logging bool `config:"logging"`
Tracing bool `config:"tracing"`
// TracingStrict, when true, switches the Tracing middleware to
// strict mode: incoming TraceIDs from cross-process transports are
// treated as untrusted and parked under IncomingTraceIDFromContext;
// a fresh ID is generated for log correlation. Default (false) is
// W3C / OpenTelemetry-compatible propagation suitable for intra-
// cluster pub/sub. Toggle this on at the edge between trust zones.
TracingStrict bool `config:"tracing_strict"`
Metrics bool `config:"metrics"`
Recover bool `config:"recover"`
// Inbox controls whether the consume-side idempotency middleware
// is enabled. It only activates on transports whose Capabilities
// declare AtLeastOnce regardless of this flag.
Inbox bool `config:"inbox"`
}
EventMiddlewareConfig toggles the built-in consume/publish middlewares.
type EventOutboxTransportConfig ¶ added in v0.24.0
type EventOutboxTransportConfig struct {
Enabled bool `config:"enabled"`
RelayInterval time.Duration `config:"relay_interval"`
MaxRetries int `config:"max_retries"`
BatchSize int `config:"batch_size"`
LeaseMultiplier int `config:"lease_multiplier"`
MinLease time.Duration `config:"min_lease"`
SinkName string `config:"sink"`
CleanupInterval time.Duration `config:"cleanup_interval"`
CompletedTTL time.Duration `config:"completed_ttl"`
}
EventOutboxTransportConfig configures the persistent outbox transport.
func (*EventOutboxTransportConfig) EffectiveCleanupInterval ¶ added in v0.24.0
func (c *EventOutboxTransportConfig) EffectiveCleanupInterval() time.Duration
EffectiveCleanupInterval applies the outbox cleanup default.
func (*EventOutboxTransportConfig) EffectiveCompletedTTL ¶ added in v0.24.0
func (c *EventOutboxTransportConfig) EffectiveCompletedTTL() time.Duration
EffectiveCompletedTTL applies the outbox completed-row TTL default.
type EventRedisStreamTransportConfig ¶ added in v0.24.0
type EventRedisStreamTransportConfig struct {
Enabled bool `config:"enabled"`
StreamPrefix string `config:"stream_prefix"`
MaxLenApprox int64 `config:"max_len_approx"`
BlockTimeout time.Duration `config:"block_timeout"`
ClaimIdle time.Duration `config:"claim_idle"`
ClaimInterval time.Duration `config:"claim_interval"`
ClaimBatchSize int64 `config:"claim_batch_size"`
ReaperConcurrency int `config:"reaper_concurrency"`
// HandlerTimeout bounds each delivery so a hung handler cannot pin a worker.
// Zero disables the deadline — but the deadline is also the ONLY thing that
// frees a wedged reaper slot before shutdown: a reclaimed handler that blocks
// forever holds its bounded slot until Stop, so with HandlerTimeout=0 a few
// stuck reclaims can starve reaper failover for all other streams. Operators
// who disable it should size ReaperConcurrency with that risk in mind.
HandlerTimeout time.Duration `config:"handler_timeout"`
SetupTimeout time.Duration `config:"setup_timeout"`
ConsumerID string `config:"consumer_id"`
StartID string `config:"start_id"`
// IdleGroupRetention enables reclamation of orphaned consumer groups
// (a decommissioned subscriber's leftovers): a group with no pending
// entries whose every consumer record has been idle beyond this window
// is destroyed. Zero (default) disables the sweep.
IdleGroupRetention time.Duration `config:"idle_group_retention"`
// IdleGroupSweepInterval is the sweep period when IdleGroupRetention
// is enabled. Defaults to 10m.
IdleGroupSweepInterval time.Duration `config:"idle_group_sweep_interval"`
}
EventRedisStreamTransportConfig configures the Redis Streams transport.
type EventRoutingRule ¶ added in v0.24.0
type EventRoutingRule struct {
Pattern string `config:"pattern"`
Transports []string `config:"transports"`
}
EventRoutingRule matches an event type to one or more transports. Pattern uses path.Match semantics ("*", "?", "[abc]"). The list of transports expresses fan-out — each frame is dispatched to every listed transport.
type EventTransportsConfig ¶ added in v0.24.0
type EventTransportsConfig struct {
Memory EventMemoryTransportConfig `config:"memory"`
Outbox EventOutboxTransportConfig `config:"outbox"`
RedisStream EventRedisStreamTransportConfig `config:"redis_stream"`
}
EventTransportsConfig groups per-transport configuration blocks.
type FilesystemConfig ¶
type FilesystemConfig struct {
Root string `config:"root"`
}
FilesystemConfig defines filesystem storage settings.
type LockoutConfig ¶ added in v0.38.0
type LockoutConfig struct {
// Enabled toggles lockout. A nil pointer resolves to enabled, so brute-force
// protection is on by default; set it to false to switch the feature off.
Enabled *bool `config:"enabled"`
// MaxFailures is the number of failed attempts tolerated before the strategy
// engages. Default: 10.
MaxFailures int `config:"max_failures"`
// Window is how long failed attempts are remembered; a spell of no failures
// this long resets the counter. Default: 15m.
Window time.Duration `config:"window"`
// LockDuration is how long attempts are blocked once the threshold is
// reached under the "lock" strategy. Default: 15m.
LockDuration time.Duration `config:"lock_duration"`
// Strategy selects "lock" (hard block) or "backoff" (escalating delay).
// Default: "lock".
Strategy LockoutStrategy `config:"strategy"`
// BackoffBase is the first delay imposed past the threshold under the
// "backoff" strategy; it doubles per further failure. Default: 1s.
BackoffBase time.Duration `config:"backoff_base"`
// BackoffMax caps the per-attempt backoff delay. Default: 15m.
BackoffMax time.Duration `config:"backoff_max"`
// Key selects the identity dimension the counter is keyed by. Default:
// "user_ip".
Key LockoutKey `config:"key"`
}
LockoutConfig configures brute-force protection on the login endpoint.
Zero values resolve to defaults through the Effective* accessors; treat the parsed struct as raw input and read policy through those accessors, never the fields directly.
func (*LockoutConfig) EffectiveBackoffBase ¶ added in v0.38.0
func (c *LockoutConfig) EffectiveBackoffBase() time.Duration
EffectiveBackoffBase returns BackoffBase or its default.
func (*LockoutConfig) EffectiveBackoffMax ¶ added in v0.38.0
func (c *LockoutConfig) EffectiveBackoffMax() time.Duration
EffectiveBackoffMax returns BackoffMax or its default.
func (*LockoutConfig) EffectiveKey ¶ added in v0.38.0
func (c *LockoutConfig) EffectiveKey() LockoutKey
EffectiveKey returns Key or its default.
func (*LockoutConfig) EffectiveLockDuration ¶ added in v0.38.0
func (c *LockoutConfig) EffectiveLockDuration() time.Duration
EffectiveLockDuration returns LockDuration or its default.
func (*LockoutConfig) EffectiveMaxFailures ¶ added in v0.38.0
func (c *LockoutConfig) EffectiveMaxFailures() int
EffectiveMaxFailures returns MaxFailures or its default.
func (*LockoutConfig) EffectiveStrategy ¶ added in v0.38.0
func (c *LockoutConfig) EffectiveStrategy() LockoutStrategy
EffectiveStrategy returns Strategy or its default.
func (*LockoutConfig) EffectiveWindow ¶ added in v0.38.0
func (c *LockoutConfig) EffectiveWindow() time.Duration
EffectiveWindow returns Window or its default.
func (*LockoutConfig) IsEnabled ¶ added in v0.38.0
func (c *LockoutConfig) IsEnabled() bool
IsEnabled reports whether lockout is active. An omitted toggle means enabled.
func (*LockoutConfig) Validate ¶ added in v0.38.0
func (c *LockoutConfig) Validate() error
Validate rejects out-of-enum strategy and key values so a configuration typo fails fast at boot instead of silently degrading to a default.
type LockoutKey ¶ added in v0.38.0
type LockoutKey string
LockoutKey selects the identity dimension a lockout counter is keyed by.
const ( // LockoutKeyUser counts failures per login identifier, across all sources. LockoutKeyUser LockoutKey = "user" // LockoutKeyIP counts failures per source address, across all identifiers. LockoutKeyIP LockoutKey = "ip" // LockoutKeyUserIP counts failures per identifier-and-source pair. This is // the default: it throttles credential guessing while denying an attacker // the ability to lock a victim out of every source by guessing one account. LockoutKeyUserIP LockoutKey = "user_ip" )
type LockoutStrategy ¶ added in v0.38.0
type LockoutStrategy string
LockoutStrategy selects how repeated login failures are penalized.
const ( // LockoutStrategyLock blocks all further attempts for a fixed duration once // the failure threshold is reached. LockoutStrategyLock LockoutStrategy = "lock" // LockoutStrategyBackoff imposes an exponentially growing delay between // attempts past the threshold instead of a hard lock, so a legitimate user // is never fully locked out and a mass-lockout denial of service against a // targeted account is not possible. LockoutStrategyBackoff LockoutStrategy = "backoff" )
type MCPConfig ¶
type MCPConfig struct {
Enabled bool `config:"enabled"`
// RequireAuth gates the MCP HTTP endpoint behind bearer-token authentication.
// It is a pointer so an unset value defaults to secure (auth required); set it
// to false explicitly to allow anonymous access.
RequireAuth *bool `config:"require_auth"`
}
MCPConfig defines MCP server settings.
type MinIOConfig ¶
type MinIOConfig struct {
Endpoint string `config:"endpoint"`
AccessKey string `config:"access_key"`
SecretKey string `config:"secret_key"`
Bucket string `config:"bucket"`
Region string `config:"region"`
UseSSL bool `config:"use_ssl"`
}
MinIOConfig defines MinIO storage settings.
type MonitorConfig ¶
type MonitorConfig struct {
SampleInterval time.Duration `config:"sample_interval"` // Interval between samples (default: 10s)
SampleDuration time.Duration `config:"sample_duration"` // Sampling window duration (default: 2s)
}
MonitorConfig defines monitoring service settings.
type PasswordPolicyConfig ¶ added in v0.38.0
type PasswordPolicyConfig struct {
// MinLength requires at least this many characters when > 0.
MinLength int `config:"min_length"`
// MaxLength requires at most this many characters when > 0.
MaxLength int `config:"max_length"`
// RequireUpper requires at least one uppercase letter.
RequireUpper bool `config:"require_upper"`
// RequireLower requires at least one lowercase letter.
RequireLower bool `config:"require_lower"`
// RequireDigit requires at least one digit.
RequireDigit bool `config:"require_digit"`
// RequireSymbol requires at least one symbol (non-space, non-letter,
// non-digit; caseless letters such as CJK do not count).
RequireSymbol bool `config:"require_symbol"`
// MinCharClasses requires at least this many distinct character classes
// (uppercase, lowercase, digit, symbol) when > 0.
MinCharClasses int `config:"min_char_classes"`
// DisallowUsername rejects a password that contains the account id or name.
DisallowUsername bool `config:"disallow_username"`
// Blocklist rejects passwords matching any listed entry (case-insensitive).
Blocklist []string `config:"blocklist"`
// HistoryDepth rejects a new password that repeats any of the subject's last
// N passwords when > 0. Enforcement requires a security.PasswordHistoryStore.
HistoryDepth int `config:"history_depth"`
// MaxAge forces a password change once the password is older than this.
// Zero disables expiry. Enforcement requires a security.PasswordMetadataLoader
// and a security.ExpiryPasswordChangeChecker wired into the login flow.
MaxAge time.Duration `config:"max_age"`
}
PasswordPolicyConfig configures password strength rules. Every field is opt-in: a zero value disables the corresponding rule, so an unconfigured policy accepts any password and enabling a rule is an explicit choice.
type RedisConfig ¶
type RedisConfig struct {
// Enabled gates the Redis client construction. When false (default) the
// framework provides a nil *redis.Client into the fx graph and skips the
// connection PING during start-up; downstream modules that ask for the
// client via `optional:"true"` therefore stay dormant. Set this to true
// only when the application actually depends on Redis (cache, redis_stream
// transport, nonce store, etc.).
Enabled bool `config:"enabled"`
Host string `config:"host"`
Port uint16 `config:"port"`
User string `config:"user"`
Password string `config:"password"`
Database uint8 `config:"database"` // Database number (0-15)
Network string `config:"network"` // "tcp" or "unix" (default: "tcp")
}
RedisConfig defines Redis connection settings.
type SSLMode ¶ added in v0.29.0
type SSLMode string
SSLMode controls the TLS posture of a database connection. The values follow the PostgreSQL libpq vocabulary so operators familiar with `sslmode` can reuse it. It applies to the network-based dialects (Postgres, MySQL); SQLite is a local file and ignores it.
const ( // SSLDisable connects without TLS. This is the default when the field // is omitted. SSLDisable SSLMode = "disable" // SSLRequire negotiates TLS but performs no certificate or hostname // verification (encryption without authentication; vulnerable to MITM). SSLRequire SSLMode = "require" // SSLVerifyCA negotiates TLS and verifies that the server certificate // chains to a trusted CA, but does not check the hostname. SSLVerifyCA SSLMode = "verify-ca" // SSLVerifyFull negotiates TLS and verifies both the CA chain and that // the certificate matches the server hostname. This is the strongest mode. SSLVerifyFull SSLMode = "verify-full" )
Supported SSL modes. The empty value is treated as SSLDisable so a zero-config data source keeps connecting over plaintext exactly as before — TLS is strictly opt-in.
type SecurityConfig ¶
type SecurityConfig struct {
// Secret is the hex-encoded key used to sign and verify JWT tokens.
// Leave empty in development to have the framework generate an ephemeral
// key at startup; set a stable per-deployment value in production.
Secret string `config:"secret"`
TokenExpires time.Duration `config:"token_expires"`
RefreshNotBefore time.Duration `config:"refresh_not_before"`
LoginRateLimit int `config:"login_rate_limit"`
RefreshRateLimit int `config:"refresh_rate_limit"`
// IPWhitelists names the source-IP whitelists served by the framework's
// default security.IPWhitelistLoader; the built-in "ip" auth strategy
// resolves api.IPAuth(name) against them, and the no-arg api.IPAuth()
// targets the "default" key. Each entry is a single IP address or CIDR
// range. Note: the config layer lowercases TOML keys, so whitelist names
// are effectively lowercase.
IPWhitelists map[string][]string `config:"ip_whitelists"`
// Lockout configures brute-force protection on the login endpoint.
Lockout LockoutConfig `config:"lockout"`
// PasswordPolicy configures strength rules enforced when a password is set.
PasswordPolicy PasswordPolicyConfig `config:"password_policy"`
// TokenType selects the login token mechanism: stateless "jwt_token"
// (default) or stateful "opaque_token". Session control (concurrency limits,
// force-offline, renewal) is only available with opaque tokens.
TokenType TokenType `config:"token_type"`
// Session configures opaque-token session behavior; it has no effect under
// the jwt_token mechanism.
Session SessionConfig `config:"session"`
}
SecurityConfig defines security settings.
func (*SecurityConfig) EffectiveTokenType ¶ added in v0.38.0
func (c *SecurityConfig) EffectiveTokenType() TokenType
EffectiveTokenType returns TokenType or its default (jwt_token).
func (*SecurityConfig) Validate ¶ added in v0.38.0
func (c *SecurityConfig) Validate() error
Validate rejects out-of-enum token type and session policy so a configuration typo fails fast at boot.
type SessionConfig ¶ added in v0.38.0
type SessionConfig struct {
// MaxConcurrent bounds simultaneous sessions per account; 0 is unlimited.
// Enforcement is best-effort under concurrent logins: a burst of simultaneous
// logins for one account may briefly exceed the limit by the number of racing
// requests before it settles.
MaxConcurrent int `config:"max_concurrent"`
// OnExceed selects reject vs. evict-oldest when the limit is hit.
// Default: evict_oldest (a new login kicks the earliest device offline).
OnExceed SessionExceedPolicy `config:"on_exceed"`
// IdleTTL is the inactivity timeout and the sliding renewal window applied on
// each authenticated request. Default: 30m.
IdleTTL time.Duration `config:"idle_ttl"`
// MaxLifetime caps a session's total age regardless of renewal; 0 is
// uncapped. Default: 7 days.
MaxLifetime time.Duration `config:"max_lifetime"`
// Sliding enables idle-timeout renewal on each request. A nil pointer
// resolves to enabled.
Sliding *bool `config:"sliding"`
}
SessionConfig configures opaque-token sessions. Zero values resolve to defaults through the Effective* accessors.
func (*SessionConfig) EffectiveIdleTTL ¶ added in v0.38.0
func (c *SessionConfig) EffectiveIdleTTL() time.Duration
EffectiveIdleTTL returns IdleTTL or its default.
func (*SessionConfig) EffectiveMaxLifetime ¶ added in v0.38.0
func (c *SessionConfig) EffectiveMaxLifetime() time.Duration
EffectiveMaxLifetime returns MaxLifetime or its default.
func (*SessionConfig) EffectiveOnExceed ¶ added in v0.38.0
func (c *SessionConfig) EffectiveOnExceed() SessionExceedPolicy
EffectiveOnExceed returns OnExceed or its default.
func (*SessionConfig) IsSliding ¶ added in v0.38.0
func (c *SessionConfig) IsSliding() bool
IsSliding reports whether idle-timeout renewal is enabled. Omitted means on.
type SessionExceedPolicy ¶ added in v0.38.0
type SessionExceedPolicy string
SessionExceedPolicy selects what happens when a login exceeds the concurrent session limit.
const ( // SessionExceedReject denies the new login once the limit is reached. SessionExceedReject SessionExceedPolicy = "reject" // SessionExceedEvictOldest revokes the oldest session to admit the new login. SessionExceedEvictOldest SessionExceedPolicy = "evict_oldest" )
type StorageConfig ¶
type StorageConfig struct {
Provider StorageProvider `config:"provider"`
AutoMigrate bool `config:"auto_migrate"`
MinIO MinIOConfig `config:"minio"`
Filesystem FilesystemConfig `config:"filesystem"`
// MaxUploadSize is the hard upper bound (in bytes) on a single object
// uploaded through the storage RPC, regardless of declared mode.
// Default: 1 GiB.
MaxUploadSize int64 `config:"max_upload_size"`
// ClaimTTL is how long an upload claim stays valid before being swept.
// Default: 24h.
ClaimTTL time.Duration `config:"claim_ttl"`
// MaxPendingClaims caps the number of in-flight (status='pending')
// upload claims a single principal may hold simultaneously. Prevents
// a single user from exhausting backend resources by opening
// thousands of multipart sessions. Enforcement is best-effort: the
// init-upload check is a count-then-insert, so a concurrent burst from
// one principal may briefly overshoot the cap by the number of
// in-flight requests before settling. This is a DoS-hygiene limit, not
// a hard security boundary. Default: 100.
MaxPendingClaims int `config:"max_pending_claims"`
// AllowPublicUploads controls whether clients may set public=true on
// init_upload. When false (default), all uploads land under priv/
// regardless of the client's request. Set to true only when the
// business explicitly needs user-initiated public uploads.
AllowPublicUploads bool `config:"allow_public_uploads"`
// SweepInterval is how often the claim sweeper polls for expired
// upload claims. Default: 5m.
SweepInterval time.Duration `config:"sweep_interval"`
// SweepBatchSize bounds how many expired claims one sweep tick processes.
// Default: 200.
SweepBatchSize int `config:"sweep_batch_size"`
// DeleteWorkerInterval is how often the delete worker polls for due
// pending-delete rows. Default: 5m.
DeleteWorkerInterval time.Duration `config:"delete_worker_interval"`
// DeleteBatchSize bounds how many rows the delete worker leases per tick.
// Default: 100.
DeleteBatchSize int `config:"delete_batch_size"`
// DeleteConcurrency caps the number of in-flight object deletions
// per worker tick. Default: 8.
DeleteConcurrency int `config:"delete_concurrency"`
// DeleteMaxAttempts is the retry budget after which a pending-delete
// row is parked as dead-letter. Default: 12.
DeleteMaxAttempts int `config:"delete_max_attempts"`
// DeleteLeaseWindow is the visibility timeout applied when leasing
// rows. Should comfortably exceed expected per-item processing time.
// Default: 5m.
DeleteLeaseWindow time.Duration `config:"delete_lease_window"`
}
StorageConfig defines storage provider settings.
Upload-flow and worker tunables have working defaults applied at read time when their zero value is loaded; callers should not assume the parsed config carries non-zero values. Use the Effective* accessors instead of reading struct fields directly.
func (*StorageConfig) EffectiveClaimTTL ¶ added in v0.23.0
func (c *StorageConfig) EffectiveClaimTTL() time.Duration
EffectiveClaimTTL returns ClaimTTL or its default.
func (*StorageConfig) EffectiveDeleteBatchSize ¶ added in v0.23.0
func (c *StorageConfig) EffectiveDeleteBatchSize() int
EffectiveDeleteBatchSize returns DeleteBatchSize or its default.
func (*StorageConfig) EffectiveDeleteConcurrency ¶ added in v0.23.0
func (c *StorageConfig) EffectiveDeleteConcurrency() int
EffectiveDeleteConcurrency returns DeleteConcurrency or its default.
func (*StorageConfig) EffectiveDeleteLeaseWindow ¶ added in v0.23.0
func (c *StorageConfig) EffectiveDeleteLeaseWindow() time.Duration
EffectiveDeleteLeaseWindow returns DeleteLeaseWindow or its default.
func (*StorageConfig) EffectiveDeleteMaxAttempts ¶ added in v0.23.0
func (c *StorageConfig) EffectiveDeleteMaxAttempts() int
EffectiveDeleteMaxAttempts returns DeleteMaxAttempts or its default.
func (*StorageConfig) EffectiveDeleteWorkerInterval ¶ added in v0.23.0
func (c *StorageConfig) EffectiveDeleteWorkerInterval() time.Duration
EffectiveDeleteWorkerInterval returns DeleteWorkerInterval or its default.
func (*StorageConfig) EffectiveMaxPendingClaims ¶ added in v0.23.0
func (c *StorageConfig) EffectiveMaxPendingClaims() int
EffectiveMaxPendingClaims returns MaxPendingClaims or its default.
func (*StorageConfig) EffectiveMaxUploadSize ¶ added in v0.23.0
func (c *StorageConfig) EffectiveMaxUploadSize() int64
EffectiveMaxUploadSize returns MaxUploadSize or its default.
func (*StorageConfig) EffectiveSweepBatchSize ¶ added in v0.23.0
func (c *StorageConfig) EffectiveSweepBatchSize() int
EffectiveSweepBatchSize returns SweepBatchSize or its default.
func (*StorageConfig) EffectiveSweepInterval ¶ added in v0.23.0
func (c *StorageConfig) EffectiveSweepInterval() time.Duration
EffectiveSweepInterval returns SweepInterval or its default.
type StorageProvider ¶
type StorageProvider string
StorageProvider represents supported storage backend types.
const ( StorageMinIO StorageProvider = "minio" StorageMemory StorageProvider = "memory" StorageFilesystem StorageProvider = "filesystem" )
Supported storage providers.