config

package
v1.4.12 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 24, 2026 License: AGPL-3.0 Imports: 19 Imported by: 0

Documentation

Overview

Package config provides application configuration management for Lesser's serverless deployment.

Index

Constants

View Source 
const (
	// DefaultOAuthClientSecretRotationGracePeriod is the product default for in-place secret rotation grace windows.
	DefaultOAuthClientSecretRotationGracePeriod = 24 * time.Hour
	// DefaultGraphQLMaxComplexity is the conservative operator-safe default query complexity limit.
	DefaultGraphQLMaxComplexity = 500
)
View Source 
const RedactedSecretSentinel = "[REDACTED]"

RedactedSecretSentinel is the replacement text used for secret field values in redacted config output. Recovery snapshots, validation reports, logs, and any other artifact that includes config fields must use [REDACTED] in place of real secret material.

Variables

This section is empty.

Functions

func GetDomainName 

func GetDomainName() string

GetDomainName returns the domain name

func GetDynamoTableName 

func GetDynamoTableName() string

GetDynamoTableName returns the DynamoDB table name

func GetEnvironment 

func GetEnvironment() string

GetEnvironment returns the current environment

func GetMainTableName 

func GetMainTableName() string

GetMainTableName returns the canonical DynamoDB table name for the current stage/environment.

func GetPrivateKeySecret 

func GetPrivateKeySecret() string

GetPrivateKeySecret returns the private key secret name

func GetS3Bucket 

func GetS3Bucket() string

GetS3Bucket returns the S3 bucket name

func GetStreamEventsTableName 

func GetStreamEventsTableName() string

GetStreamEventsTableName returns the DynamoDB table used for SSE stream event log storage.

func QuickValidateProductionConfig 

func QuickValidateProductionConfig() error

QuickValidateProductionConfig performs a quick validation without AWS resource checks

func ResetForTests 

func ResetForTests()

ResetForTests clears cached configuration so tests can vary environment variables safely within a single package test run.

This should only be used in tests.

func SetupTestEnvironment 

func SetupTestEnvironment(t *testing.T)

SetupTestEnvironment sets up environment variables for testing

Types

type Config 

type Config struct {
	// Instance configuration
	Domain       string // e.g., "example.com"
	InstanceName string // e.g., "My ActivityPub Server"
	InstanceMode InstanceMode

	// AWS configuration
	Region                  string
	DynamoTableName         string
	DynamoDBEndpoint        string // DynamoDB endpoint (for local development)
	S3BucketName            string
	SQSQueueURL             string
	ReputationTableName     string // For reputation/vouch storage
	AWSAccountID            string // AWS Account ID
	ExportProcessorQueueURL string // Export processor SQS queue URL
	ImportProcessorQueueURL string // Import processor SQS queue URL
	MediaProcessorQueueURL  string // Media processor SQS queue URL
	EnhancedRetryQueueURL   string // Enhanced federation retry SQS queue URL

	// Security
	JWTSecret            string // For client authentication
	JWTSecretARN         string // ARN pointing to stored secret (optional)
	KMSKeyID             string // AWS KMS key ID for encryption (optional)
	ReputationPrivateKey string // Private key for reputation system
	VAPIDPublicKey       string // VAPID public key for push notifications
	VAPIDSecretARN       string // ARN pointing to VAPID secret (private key + metadata)
	VAPIDSubject         string // Subject/identifier used for VAPID JWTs
	AdminUsername        string // Admin username for privileged operations
	SystemActorPublicKey string // System actor public key for recovery federation

	// Instance API key used to authenticate internal, machine-to-machine calls into
	// the instance (e.g., lesser-host delivering communication notifications).
	InstanceAPIKey    string // Optional value or Secrets Manager resolved secret
	InstanceAPIKeyARN string // ARN pointing to stored secret (optional)

	// lesser.host trust services (optional; managed instances)
	LesserHostURL             string // Base URL for lesser.host trust API
	LesserHostInstanceKey     string // Instance key for machine-to-machine trust API calls (server-side only)
	LesserHostInstanceKeyARN  string // ARN pointing to stored instance key (optional)
	LesserHostAttestationsURL string // Optional override for public attestations/JWKS base URL

	// Privacy Configuration
	PrivacyMasterKey     string // Master key for privacy hashing (required for audit privacy)
	EnablePrivacyHashing bool   // Enable privacy-preserving hashing in audit logs
	IPLevel              string // Privacy level for IP addresses: none, partial, full
	EmailLevel           string // Privacy level for email addresses: none, partial, full
	UsernameLevel        string // Privacy level for usernames: none, partial, full
	PIILevel             string // Privacy level for PII data: none, partial, full
	GenericLevel         string // Privacy level for generic data: none, partial, full

	// Privacy Key Rotation
	KeyRotationEnabled  bool          // Enable key rotation
	KeyRotationInterval time.Duration // Key rotation interval

	// Privacy Argon2 Parameters
	Argon2Memory  uint32 // Argon2 memory usage in KB
	Argon2Time    uint32 // Argon2 number of iterations
	Argon2Threads uint8  // Argon2 number of threads
	Argon2KeyLen  uint32 // Argon2 derived key length in bytes

	// ActivityPub URLs
	InboxURL     string // Inbox URL pattern
	OutboxURL    string // Outbox URL pattern
	FollowersURL string // Followers URL pattern
	FollowingURL string // Following URL pattern

	// Features
	MaxUploadSize                        int64         // Maximum file upload size in bytes
	PageSize                             int           // Default pagination size
	AllowRegistration                    bool          // Whether new users can register
	AllowAgents                          bool          // Whether agent accounts are enabled
	AllowAgentRegistration               bool          // Whether new agent accounts can be registered/delegated
	AllowDeviceFlow                      bool          // Whether OAuth device authorization is enabled
	AgentAccessTokenDuration             time.Duration // Default lifetime for agent-minted access tokens
	OAuthClientSecretRotationGracePeriod time.Duration // Default grace window for in-place OAuth client secret rotation

	// CLI automation safety rails (device-flow tokens classified as client_class=cli)
	CLIAutomationConcurrencyLimit   int           // Max concurrent in-flight requests per CLI session (sid)
	CLIAutomationBurstLimit         int           // Burst requests allowed per window
	CLIAutomationBurstWindow        time.Duration // Burst window duration
	CLIAutomationSustainedLimit     int           // Sustained requests allowed per window
	CLIAutomationSustainedWindow    time.Duration // Sustained window duration
	CLIAutomationErrorRateThreshold float64       // Fraction of requests in window that may be errors before lockout
	CLIAutomationErrorRateMin       int           // Minimum requests in window before error-rate lockout can trigger
	CLIAutomationErrorRateWindow    time.Duration // Error-rate evaluation window
	CLIAutomationLockoutDuration    time.Duration // Lockout duration when error-rate threshold exceeded

	// CMS Configuration
	CMSLongFormPublishingEnabled  bool // Enable Article creation and CMS reads
	CMSDraftSystemEnabled         bool // Enable draft storage and editing workflows
	CMSRevisionHistoryEnabled     bool // Enable revision history and restores
	CMSScheduledPublishingEnabled bool // Enable scheduled publishing worker behavior
	CMSSeriesEnabled              bool // Enable series organization
	CMSCategoriesEnabled          bool // Enable categories organization
	CMSMaxRevisionsPerObject      int  // Maximum revisions retained per CMS object (0 = unlimited)

	// Moderation Features
	DisableAWSModeration bool // Master switch to disable all AWS moderation services
	DisableComprehend    bool // Disable AWS Comprehend text analysis
	DisableRekognition   bool // Disable AWS Rekognition image/video analysis

	// Development & Debug Features
	DisableMetrics                bool // Disable metrics collection
	DisableCostTracking           bool // Disable cost tracking
	DisableRateLimiting           bool // Disable rate limiting
	DisableFederationRateLimiting bool // Disable federation-specific rate limiting
	DisableAI                     bool // Disable AI features
	EnablePlayground              bool // Enable GraphQL playground
	GraphQLAllowIntrospection     bool // Allow GraphQL introspection (non-debug deployments should keep this off)
	GraphQLMaxDepth               int  // Maximum GraphQL query depth (0 disables)
	GraphQLMaxComplexity          int  // Maximum GraphQL query complexity (0 disables)
	GraphQLParserTokenLimit       int  // Maximum GraphQL parser tokens (0 disables)
	GraphQLRequestTimeout         time.Duration
	TranslationEnabled            bool   // Enable translation features
	XRayTracingEnabled            bool   // Enable X-Ray tracing
	DebugMode                     bool   // Enable debug mode
	LogLevel                      string // Log level (debug, info, warn, error)

	// Testing Configuration
	IntegrationTestsEnabled bool // Enable integration tests
	CIEnvironment           bool // Running in CI environment
	IntegrationTestMode     bool // Integration test mode enabled

	// AI Configuration
	BedrockModelID string // AWS Bedrock model ID for AI features

	// Media Streaming Configuration
	MediaSourceBucketName    string // S3 bucket for original media uploads
	MediaStreamingBucketName string // S3 bucket for transcoded streaming outputs
	MediaConvertEndpoint     string // AWS MediaConvert custom endpoint
	MediaConvertRoleArn      string // IAM role ARN for MediaConvert
	CloudFrontDomain         string // CloudFront distribution domain for streaming
	CloudFrontKeyPairID      string // CloudFront key pair ID for signed URLs
	CloudFrontPrivateKeyPath string // Path or secret ARN for CloudFront private key
	ManifestTTLHours         int    // Default TTL for streaming manifests (hours)

	// ML Moderation Configuration
	ModerationTrainingBucketName string   // S3 bucket for ML training datasets
	ModerationModelMetadataTable string   // DynamoDB table for model metadata
	BedrockTrainingRegion        string   // AWS region for Bedrock training jobs
	BedrockInferenceModelID      string   // Bedrock model ID for moderation inference
	BedrockGuardrailID           string   // Bedrock guardrail ID for inference safety
	BedrockGuardrailVersion      string   // Bedrock guardrail version (defaults to "DRAFT")
	BedrockCustomizationRoleARN  string   // IAM role ARN for Bedrock model customization jobs
	ModerationMLEnabled          bool     // Feature flag to enable ML moderation
	ModerationMLTenants          []string // List of tenant IDs allowed to use ML moderation

	// Alerting & Monitoring
	AlertSNSTopicArn          string // SNS topic ARN for alerts
	AlertWebhookURL           string // Webhook URL for alerts
	AlertWebhookVerifySSL     bool   // Verify TLS certificates for alert webhooks (default true)
	AlertEmail                string // Email address for alerts
	WebSocketEndpoint         string // WebSocket endpoint for real-time updates
	NotificationRetryQueueURL string // Notification retry queue URL

	// WebSocket & Streaming
	ConnectionsTable   string // DynamoDB table for WebSocket connections
	SubscriptionsTable string // DynamoDB table for subscriptions
	StreamEventsTable  string // DynamoDB table for SSE stream event log
	IdleTimeoutMinutes int    // WebSocket idle timeout in minutes
	StaleTimeoutHours  int    // Stale connection timeout in hours

	// Budget & Cost Management
	BudgetAlertWebhookURL  string // Budget alert webhook URL
	BudgetAlertSNSTopicArn string // Budget alert SNS topic ARN
	CostHistoryTableName   string // Cost history DynamoDB table name

	// Notification System
	NotificationDLQURL       string // Notification dead letter queue URL
	PushNotificationTopicArn string // Push notification SNS topic ARN
	PushNotificationQueueURL string // Push notification queue URL

	// Dead Letter Queue Configuration
	DLQEnabled         bool     // Enable DLQ processing
	DLQMaxRetries      int      // Maximum number of retries before sending to DLQ
	DLQRetryDelay      int      // Retry delay in seconds
	DLQFailFast        bool     // Send to DLQ immediately on certain errors
	DLQPermanentErrors []string // Error patterns that should go straight to DLQ
	DLQTransientErrors []string // Error patterns that should be retried

	// Queue URLs for job processing
	ImportQueueURL     string // Import processing queue URL
	ExportQueueURL     string // Export generation queue URL
	MediaQueueURL      string // Media processing queue URL
	ScheduledQueueURL  string // Scheduled publishing queue URL
	FederationQueueURL string // Federation queue URL

	// Media & Storage
	MediaBucketName           string // S3 bucket for media storage
	S3MediaBucket             string // Alternative S3 bucket name
	DynamoDBEncryptionKey     string // DynamoDB encryption key
	ActorPrivateKeyEncryption string // Actor private key encryption key

	// Delivery & Processing
	FederationDeliveryMode   string // Federation delivery mode
	AuthorizedFetchEnabled   bool   // Authorized fetch enabled
	ModerationMode           string // Moderation mode setting
	AllowPublicStatusHistory bool   // Allow public access to status history

	// Deployment info
	Stage   string // Deployment stage (dev, staging, prod)
	Version string // Application version

	// Service identification
	Environment         string // Runtime environment (development, staging, production)
	ServiceName         string // Service name (lesser, api, federation, etc.)
	MonitoringEnabled   bool   // Enable monitoring and alerting
	XrayTracingEnabled  bool   // Enable X-Ray tracing
	EmfMetricsEnabled   bool   // Enable EMF metrics
	LambdaLogGroupName  string // Lambda log group name
	LambdaLogStreamName string // Lambda log stream name

	// Instance configuration
	InstanceTitle       string   // Instance title/name
	InstanceShortDesc   string   // Short description of the instance
	InstanceDescription string   // Detailed description of the instance
	InstanceAdminEmail  string   // Admin email for the instance
	InstanceLanguages   []string // Supported languages
	MaxStatusChars      int      // Maximum characters in a status
	MaxMediaSize        int64    // Maximum media file size in bytes
	MaxVideoSize        int64    // Maximum video file size in bytes
	RegistrationsOpen   bool     // Whether registrations are open
	ApprovalRequired    bool     // Whether new registrations require approval
	InvitesEnabled      bool     // Whether invites are enabled
	FederationEnabled   bool     // Whether federation is enabled

	// Tips (TipSplitter integration; non-secret public config)
	TipEnabled         bool   // Whether on-chain tipping is enabled for this instance
	TipChainID         int    // EVM chain ID (e.g. 8453)
	TipContractAddress string // TipSplitter contract address
}

Config holds the application configuration

func Get 

func Get() *Config

Get returns the current configuration

func (*Config) ActorURL 

func (c *Config) ActorURL(username string) string

ActorURL returns the URL for an actor

func (*Config) BaseURL 

func (c *Config) BaseURL() string

BaseURL returns the base URL for the instance

func (*Config) CMSCategoriesAllowed 

func (c *Config) CMSCategoriesAllowed() bool

CMSCategoriesAllowed reports whether category organization is enabled.

func (*Config) CMSDraftsEnabled 

func (c *Config) CMSDraftsEnabled() bool

CMSDraftsEnabled reports whether the draft system is enabled.

func (*Config) CMSEnabled 

func (c *Config) CMSEnabled() bool

CMSEnabled reports whether the CMS surface is enabled for this instance mode.

func (*Config) CMSLongFormEnabled 

func (c *Config) CMSLongFormEnabled() bool

CMSLongFormEnabled reports whether long-form publishing (Articles) is enabled.

func (*Config) CMSRevisionsEnabled 

func (c *Config) CMSRevisionsEnabled() bool

CMSRevisionsEnabled reports whether revision history is enabled.

func (*Config) CMSSchedulingEnabled 

func (c *Config) CMSSchedulingEnabled() bool

CMSSchedulingEnabled reports whether scheduled publishing is enabled.

func (*Config) CMSSeriesAllowed 

func (c *Config) CMSSeriesAllowed() bool

CMSSeriesAllowed reports whether series organization is enabled.

func (*Config) EffectiveInstanceMode 

func (c *Config) EffectiveInstanceMode() InstanceMode

EffectiveInstanceMode returns the normalized instance mode (defaults to `hybrid`).

func (*Config) ObjectURL 

func (c *Config) ObjectURL(objectType, id string) string

ObjectURL returns the URL for an object

func (*Config) Redacted added in v1.4.12 

func (c *Config) Redacted() *Config

Redacted returns a shallow copy of the config with every known secret field replaced by RedactedSecretSentinel. The returned config is safe to serialize, log, or embed in recovery artifacts without leaking Lambda environment secrets.

Fields that are ARN pointers (not secret values themselves) are preserved unchanged so operators can still verify secret-source configuration.

func (*Config) ResolveInstanceAPIKey added in v1.2.19 

func (c *Config) ResolveInstanceAPIKey() (string, error)

ResolveInstanceAPIKey returns the configured instance API key, resolving the optional Secrets Manager ARN lazily when needed.

func (*Config) ResolveJWTSecret added in v1.4.4 

func (c *Config) ResolveJWTSecret() (string, error)

ResolveJWTSecret returns the configured JWT signing secret, resolving the optional Secrets Manager ARN lazily only for auth paths that need it.

func (*Config) ResolveLesserHostInstanceKey added in v1.2.19 

func (c *Config) ResolveLesserHostInstanceKey() (string, error)

ResolveLesserHostInstanceKey returns the configured lesser.host instance key, resolving the optional Secrets Manager ARN lazily when needed.

type InstanceConfig 

type InstanceConfig struct {
	// From environment variables
	Title            string
	ShortDescription string
	Description      string
	Email            string

	// Static configuration
	Version        string
	Software       string
	MaxStatusChars int
	MaxMediaSize   int64
	MaxVideoSize   int64
	Languages      []string

	// Feature flags
	RegistrationsOpen bool
	ApprovalRequired  bool
	InvitesEnabled    bool
	FederationEnabled bool
}

InstanceConfig holds static instance configuration

func GetInstanceConfig 

func GetInstanceConfig() *InstanceConfig

GetInstanceConfig returns the instance configuration

type InstanceMode 

type InstanceMode string

InstanceMode controls which product surface is enabled for an instance. 

const (
	InstanceModeSocial InstanceMode = "social"
	InstanceModeCMS    InstanceMode = "cms"
	InstanceModeHybrid InstanceMode = "hybrid"
)

Supported instance modes.

type ProductionConfigValidator 

type ProductionConfigValidator struct {
	// contains filtered or unexported fields
}

ProductionConfigValidator validates production configuration

func NewProductionConfigValidator 

func NewProductionConfigValidator(logger *zap.Logger) (*ProductionConfigValidator, error)

NewProductionConfigValidator creates a new production configuration validator

func (*ProductionConfigValidator) ValidateProductionConfig 

func (v *ProductionConfigValidator) ValidateProductionConfig(ctx context.Context) (*ValidationResult, error)

ValidateProductionConfig validates all production configuration requirements

type ResourceStatus 

type ResourceStatus struct {
	Available bool   `json:"available"`
	Message   string `json:"message,omitempty"`
	Error     string `json:"error,omitempty"`
}

ResourceStatus represents the status of an AWS resource

type ResourceValidation 

type ResourceValidation struct {
	DynamoDB       ResourceStatus `json:"dynamodb"`
	S3             ResourceStatus `json:"s3"`
	SecretsManager ResourceStatus `json:"secrets_manager"`
	Lambda         ResourceStatus `json:"lambda"`
}

ResourceValidation tracks AWS resource availability

type SecurityStatus 

type SecurityStatus struct {
	Configured bool   `json:"configured"`
	Valid      bool   `json:"valid"`
	Message    string `json:"message,omitempty"`
}

SecurityStatus represents the status of a security configuration

type SecurityValidation 

type SecurityValidation struct {
	EncryptionKeys   SecurityStatus `json:"encryption_keys"`
	PrivateKeys      SecurityStatus `json:"private_keys"`
	OAuthSecrets     SecurityStatus `json:"oauth_secrets"`
	JWTConfiguration SecurityStatus `json:"jwt_configuration"`
	HTTPSEnforcement SecurityStatus `json:"https_enforcement"`
}

SecurityValidation tracks security configuration status

type ValidationError 

type ValidationError struct {
	Field       string `json:"field"`
	Value       string `json:"value,omitempty"`
	Message     string `json:"message"`
	Severity    string `json:"severity"`
	Remediation string `json:"remediation,omitempty"`
}

ValidationError represents a configuration validation error. The Value field must never contain raw secret material; use RedactedSecretSentinel for any field known to hold secrets.

type ValidationResult 

type ValidationResult struct {
	Valid     bool                `json:"valid"`
	Errors    []ValidationError   `json:"errors,omitempty"`
	Warnings  []ValidationWarning `json:"warnings,omitempty"`
	Summary   ValidationSummary   `json:"summary"`
	Resources ResourceValidation  `json:"resources"`
	Security  SecurityValidation  `json:"security"`
	Timestamp time.Time           `json:"timestamp"`
}

ValidationResult represents the result of configuration validation

type ValidationSummary 

type ValidationSummary struct {
	TotalChecks    int `json:"total_checks"`
	PassedChecks   int `json:"passed_checks"`
	FailedChecks   int `json:"failed_checks"`
	WarningChecks  int `json:"warning_checks"`
	CriticalErrors int `json:"critical_errors"`
}

ValidationSummary provides a summary of validation results

type ValidationWarning 

type ValidationWarning struct {
	Field          string `json:"field"`
	Value          string `json:"value,omitempty"`
	Message        string `json:"message"`
	Recommendation string `json:"recommendation,omitempty"`
}

ValidationWarning represents a configuration validation warning

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.