Documentation

Overview
Package server is the v1.3 serve-mode HTTP daemon. It wires the chi router, security middleware, observability endpoints (/health + /metrics), and the read/write API + UI handlers that v1.3-v1.5 fill in across phases. The single entry point is New(), which returns a *Server whose Run(ctx) method blocks until the context cancels — graceful shutdown happens on SIGTERM/SIGINT signaled into the same context.
ADR-015 codifies the UI stack (htmx + Alpine + Tailwind + Preline + vanilla SVG, all go:embed-ed). Single-binary invariant preserved; no Node runtime ships with compliancekit; no CDN is reached at runtime.
Index

Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Config

```go
type Config struct {
	// Addr is the bind interface; default "127.0.0.1" so the
	// out-of-the-box experience is loopback-only (operator opts into
	// 0.0.0.0 explicitly).
	Addr string
	// Port is the TCP port; default 8080. Override via --port.
	Port int
	// ReadHeaderTimeout caps the time a peer may take to send request
	// headers; protects against slowloris-style starvation.
	ReadHeaderTimeout time.Duration
	// IdleTimeout caps keep-alive idle duration.
	IdleTimeout time.Duration
}
```
Config carries every knob the daemon takes at startup. Loaded by the CLI subcommand from a mix of compliancekit.yaml + flags + env. Defaults below in Default().
type ReadinessCheck (added in v1.15.0)

```go
type ReadinessCheck struct {
	Name string
	// Check returns nil when the probe is healthy. The error string
	// surfaces in the /health/ready JSON body (sanitized — no
	// secrets in the message; the daemon already controls every
	// caller).
	Check func(ctx context.Context) error
	// Timeout caps the probe execution. Zero falls back to 3s.
	Timeout time.Duration
}
```
ReadinessCheck names a single probe. Name appears in the JSON response body + the v1.15.x compliancekit_readiness_* metric.
type ReadinessRegistry (added in v1.15.0)

```go
type ReadinessRegistry struct {
	// contains filtered or unexported fields
}
```
ReadinessRegistry holds the daemon's readiness checks. Safe for concurrent Add / Run.
func (*ReadinessRegistry) Add (added in v1.15.0)

```go
func (r *ReadinessRegistry) Add(c ReadinessCheck)
```
Add appends a check. Thread-safe.
type Server

```go
type Server struct {
	// contains filtered or unexported fields
}
```
Server is the running daemon. Construct via New(); start via Run().
func New
New builds the daemon. Wires middleware in the right order (recovery → request-id → real-ip → metrics → security headers), mounts /health + /metrics, and leaves the rest of the routing for future phases to attach via the returned *Server's Router() method.
func (*Server) Addr

Addr returns the bound listen address. It is useful for tests that request cfg.Port == 0 (an ephemeral port) and need the concrete port the listener was assigned.
func (*Server) QueueDepthObserver (added in v1.11.0)
QueueDepthObserver returns the daemon's worker.DepthObserver implementation so cmd/serve can wire it into the worker pool's autoscale sampler. nil-safe — if the metrics registry isn't yet constructed (zero-value Server), the worker pool silently no-ops.
The interface signature lives in internal/server/worker; we satisfy it without importing the package to avoid a circular dep.
func (*Server) Router
Router returns the chi router so later-phase packages (api/, auth/, ui/) can mount their routes without re-importing the middleware stack. Callers should attach routes before Run().
func (*Server) Run
Run starts the HTTP listener and blocks until ctx is canceled. On cancellation it triggers a graceful shutdown with a 15-second grace period for in-flight requests to drain. Returns nil on a clean shutdown; the underlying http.Server error otherwise.
func (*Server) WithReadiness (added in v1.15.0)

```go
func (s *Server) WithReadiness(c ReadinessCheck) *Server
```
WithReadiness registers a readiness check on the server. Chainable.
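To make the ReadinessCheck / ReadinessRegistry / WithReadiness contract above concrete, here is an added, self-contained model of the documented behaviour (example code written for this page, not the compliancekit package's own implementation): Add is serialized under a lock, every probe runs under its own context deadline with the documented 3s fallback when Timeout is zero, and the per-probe error text is collected by Name, which is the material the /health/ready JSON body would carry. The map-shaped return value and the direct-call probe execution are assumptions of this example.

```go
package main

import (
	"context"
	"sync"
	"time"
)

// ReadinessCheck mirrors the documented shape; a zero Timeout falls back to 3s.
type ReadinessCheck struct {
	Name    string
	Check   func(ctx context.Context) error
	Timeout time.Duration
}

// ReadinessRegistry holds the checks; Add and Run may run concurrently.
type ReadinessRegistry struct {
	mu     sync.RWMutex
	checks []ReadinessCheck
}

// Add appends a check under the write lock.
func (r *ReadinessRegistry) Add(c ReadinessCheck) {
	r.mu.Lock()
	r.checks = append(r.checks, c)
	r.mu.Unlock()
}

// Run executes every probe under its own deadline. It returns the error text
// per failed probe (what the /health/ready body would carry, keyed by Name)
// and whether every probe passed. Probes are expected to honor ctx.
func (r *ReadinessRegistry) Run(ctx context.Context) (map[string]string, bool) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	failed := map[string]string{}
	for _, c := range r.checks {
		timeout := c.Timeout
		if timeout == 0 {
			timeout = 3 * time.Second // documented default
		}
		cctx, cancel := context.WithTimeout(ctx, timeout)
		if err := c.Check(cctx); err != nil {
			failed[c.Name] = err.Error() // surfaces verbatim: keep secrets out
		}
		cancel()
	}
	return failed, len(failed) == 0
}
```

A probe that blocks on a dependency should select on ctx.Done() so the per-check deadline actually bounds it; otherwise the 3s fallback only limits the context, not the goroutine.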
Directories
| Path | Synopsis |
|---|---|
| api | Package api implements the v1.3+ REST API. |
| assets | Package assets embeds the compiled UI bundle (Tailwind output + vendored htmx, Alpine, Preline) produced by `make ui`. |
| auth | Package auth handles every authentication concern for the v1.3 serve-mode daemon: bcrypt password hashing, DB-backed sessions, double-submit-cookie CSRF protection, and the chi middleware that gates non-public routes. |
| backups | Package backups owns the v1.12 phase 8 backup/restore workflow. |
| collab | Package collab owns the v1.8 collaboration data layer that doesn't fit into the comments package: per-finding assignees, per-resource owners, and resource follower opt-ins. |
| comments | Package comments owns the goldmark+bluemonday pipeline that turns operator-authored markdown into the sanitized HTML cached in the comments table. |
| compress | Package compress is the v1.11 phase 4 HTTP-compression middleware. |
| dashboards | Package dashboards is the v1.14 reporting-renaissance persistence layer. |
| etag | Package etag is the v1.11 phase 5 HTTP caching middleware. |
| events | Package events is the v1.6 SSE event bus the daemon uses to push live state changes to subscribed UI / TUI / API clients without polling. |
| leader | Package leader implements pg_advisory_lock-based leader election for the v1.15 phase 4 HA Postgres mode. |
| logs | Package logs is the v1.6 phase 6 in-UI log tail. |
| plugins | Package plugins owns the v1.13 daemon-side plugin runtime: filesystem discovery, manifest parsing, cosign signature verification, sandbox dial-time egress enforcement, and hot-reload of Rego packs. |
| push | Package push implements VAPID-encrypted Web Push delivery for v1.16 phase 4. |
| rbac | Package rbac is the v1.12 phase 0 daemon-side persistence + lookup layer for the role/permission grid defined in pkg/compliancekit/rbac. |
| respcache | Package respcache is the v1.11 phase 6 in-memory LRU for hot list responses. |
| scim | Package scim implements a minimal SCIM 2.0 (RFC 7643 / 7644) server for v1.12 phase 4. |
| search | Package search hosts the v1.19 phase 5 global search index — an in-memory, periodically-rebuilt index spanning findings, resources, scans, users, waivers, settings, and docs. |
| slowlog | Package slowlog is the v1.11 phase 7 query-budget + slow-query log. |
| store | Package store is the persistent-state layer for compliancekit's serve-mode daemon. |
| ui | Package ui mounts the v1.3 minimal UI shell on the daemon's chi router. |
| design | Package design hosts the v1.18 design-system contract per ADR-017. |
| webhook | Package webhook handles inbound webhook receivers — GitHub PR / push events + operator-defined generic webhooks. |
| worker | Package worker is the v1.3 background job runner. |