config

package
v0.2.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 26, 2026 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ConfigPath

func ConfigPath() string

ConfigPath returns the expanded config file path

func DataDir

func DataDir() string

DataDir returns the data directory path

func GetConfigDir

func GetConfigDir() string

GetConfigDir returns the config directory path

func GetRulesDir added in v0.2.2

func GetRulesDir() string

GetRulesDir returns the rules directory path (for local rule lists and subscription cache).

func ProjectConfigPath

func ProjectConfigPath() string

ProjectConfigPath returns the project-level config path

func SanitizeCategory

func SanitizeCategory(s string) string

SanitizeCategory sanitizes and normalizes a category name so placeholders can be reliably recognized and restored. Rules: - keep only [A-Z0-9_] - normalize whitespace and '-' into '_' - uppercase; return empty on empty result (caller should apply a default)

func SanitizeNERLanguage added in v0.2.2

func SanitizeNERLanguage(s string) string

SanitizeNERLanguage sanitizes and normalizes the NER language parameter (patterns.ner.language). Allowed values: - auto - other BCP47-like tags (e.g. en / zh / zh-cn / fr ...), normalized to lowercase with illegal chars removed

func SanitizePatternValue

func SanitizePatternValue(s string) string

SanitizePatternValue sanitizes a user-provided pattern value: - trim leading/trailing whitespace - remove invisible control/format characters (e.g. 0x1F, BOM, zero-width chars)

Goal: avoid "looks the same but doesn't match" issues caused by invisible characters.

Types

type AuditDBConfig added in v0.2.2

type AuditDBConfig struct {
	Enabled bool `yaml:"enabled"`
	// Path is the SQLite file path (supports ~).
	Path string `yaml:"path"`
	// Retention is the retention duration (time.ParseDuration; also supports "7d" for days).
	Retention string `yaml:"retention"`
}

AuditDBConfig holds SQLite audit persistence settings. Note: when enabled, audit events are written to disk (by default only preview values are persisted; if privacy mode is disabled, truncated originals may be persisted).

type Config

type Config struct {
	Proxy    ProxyConfig    `yaml:"proxy"`
	Patterns PatternsConfig `yaml:"patterns"`
	Targets  []TargetConfig `yaml:"targets"`
	Session  SessionConfig  `yaml:"session"`
	Log      LogConfig      `yaml:"log"`
	// AuditDB controls whether audit events are persisted to SQLite (only available in the "full" build; disabled by default).
	AuditDB AuditDBConfig `yaml:"audit_db"`
}

Config represents the main configuration structure

type KeywordPattern

type KeywordPattern struct {
	Value    string `yaml:"value" json:"value"`
	Category string `yaml:"category" json:"category"`
}

KeywordPattern represents a keyword to match

type LogConfig

type LogConfig struct {
	Level     string `yaml:"level"`
	File      string `yaml:"file"`
	RedactLog bool   `yaml:"redact_log"`
}

LogConfig holds logging configuration

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager handles config loading, merging, and hot-reload

func Load

func Load(cfgFile string) (*Manager, error)

Load loads configuration from the given file path

func NewManager

func NewManager() *Manager

NewManager creates a new config manager

func (*Manager) Close

func (m *Manager) Close() error

Close stops the config watcher

func (*Manager) Get

func (m *Manager) Get() Config

Get returns the current configuration

func (*Manager) Load

func (m *Manager) Load() error

Load loads configuration from file

func (*Manager) SetPatternEncryptionKey

func (m *Manager) SetPatternEncryptionKey(key32 []byte) error

SetPatternEncryptionKey enables "at-rest encryption" for persisted pattern values. key32 must be 32 bytes (AES-256).

Note: this only configures the encryptor and does not rewrite the config file automatically; callers typically run Load() again afterwards to decrypt an already-loaded config.

func (*Manager) Update

func (m *Manager) Update(fn func(*Config)) error

Update applies a mutation function to the config and saves to disk

func (*Manager) Watch

func (m *Manager) Watch(onChange func()) error

Watch starts watching for config file changes

type NERConfig added in v0.2.2

type NERConfig struct {
	Enabled bool `yaml:"enabled"`
	// PresidioURL is the Presidio Analyzer service URL (e.g. http://127.0.0.1:5001).
	// Note: VibeGuard does not bundle Presidio; it only calls an external service.
	PresidioURL string `yaml:"presidio_url"`
	// Language is passed to Presidio (e.g. en / zh / fr ...).
	// Note: Presidio requires a language; for backward compatibility, "auto" is treated as "en".
	Language string `yaml:"language"`
	// Entities specifies enabled entity types (e.g. PERSON/ORG/LOCATION/DATE...). Empty means the implementation default set.
	Entities []string `yaml:"entities"`
	// MinScore is the Presidio confidence threshold (0~1; 0 means Presidio default).
	MinScore float64 `yaml:"min_score"`
}

NERConfig controls the optional NER-based recognizers (e.g. PERSON/ORG/LOCATION). Note: this config does not contain sensitive data; it only controls enablement and entity types.

type PatternsConfig

type PatternsConfig struct {
	Keywords    []KeywordPattern   `yaml:"keywords"`
	Regex       []RegexPattern     `yaml:"regex"`
	Builtin     []string           `yaml:"builtin"`
	Exclude     []string           `yaml:"exclude"`
	SecretFiles []SecretFileConfig `yaml:"secret_files"`
	RuleLists   []RuleListConfig   `yaml:"rule_lists"`
	// NER toggles and configures named-entity recognition (external Presidio engine; off by default).
	NER NERConfig `yaml:"ner"`
}

PatternsConfig holds pattern matching configuration

type ProxyConfig

type ProxyConfig struct {
	Listen            string `yaml:"listen"`
	PlaceholderPrefix string `yaml:"placeholder_prefix"`
	// InterceptMode controls how HTTPS CONNECT is handled:
	// - global: MITM for all hosts (default; best for HTTP(S)_PROXY env usage)
	// - targets: MITM only for enabled hosts in targets (safer; avoids impacting non-target traffic)
	InterceptMode string `yaml:"intercept_mode"`
	// WebSocketRedactionBeta enables best-effort WebSocket text-message redaction/restore.
	// It is intentionally off by default because some servers/extensions may be incompatible.
	WebSocketRedactionBeta bool `yaml:"websocket_redaction_beta"`
}

ProxyConfig holds proxy server settings

type RegexPattern

type RegexPattern struct {
	Pattern  string `yaml:"pattern" json:"pattern"`
	Category string `yaml:"category" json:"category"`
}

RegexPattern represents a regex pattern to match

type RuleListConfig added in v0.2.0

type RuleListConfig struct {
	// ID is a stable identifier (generated by the admin UI); may be empty.
	ID string `yaml:"id" json:"id"`
	// Name is a display name (editable in the admin UI); may be empty.
	Name string `yaml:"name" json:"name"`
	// Path is the local rule file path (supports ~); mutually exclusive with URL.
	Path string `yaml:"path" json:"path"`
	// URL is the remote subscription URL (http/https); mutually exclusive with Path.
	URL string `yaml:"url" json:"url"`
	// UpdateInterval is the subscription update interval (e.g. 24h/6h); applies to URL mode only. Default is 24h.
	UpdateInterval string `yaml:"update_interval" json:"update_interval"`
	// AllowHTTP allows http:// subscriptions when true (unsafe; default only allows https://).
	AllowHTTP bool `yaml:"allow_http" json:"allow_http"`
	// Enabled controls whether this rule list participates in matching.
	Enabled bool `yaml:"enabled" json:"enabled"`
	// Priority controls priority (1~99); higher wins on overlaps.
	Priority int `yaml:"priority" json:"priority"`
}

RuleListConfig describes a rule list file (line-based rules).

type SecretFileConfig added in v0.2.3

type SecretFileConfig struct {
	// Path is a local file path (supports ~). Relative paths are resolved relative to the config file that defined it.
	Path string `yaml:"path" json:"path"`
	// Format controls how the file is parsed:
	// - dotenv: parse KEY=VALUE lines and import VALUEs as keywords (recommended for .env)
	// - lines: treat each non-empty non-comment line as a keyword
	Format string `yaml:"format" json:"format"`
	// Category is the match category used in audit/logging. Defaults to DOTENV/SECRET_FILE based on format.
	Category string `yaml:"category" json:"category"`
	// MinValueLen filters out short values to reduce false positives. Default is 8.
	MinValueLen int `yaml:"min_value_len" json:"min_value_len"`
	// Enabled defaults to true when omitted.
	Enabled *bool `yaml:"enabled" json:"enabled"`
}

SecretFileConfig describes a local file whose contents should be treated as secrets and redacted if they appear in prompts. Note: this does not prevent the client from reading files; it only prevents accidental exfiltration to upstream LLM APIs.

type SessionConfig

type SessionConfig struct {
	TTL                       string `yaml:"ttl"`
	MaxMappings               int    `yaml:"max_mappings"`
	WALEnabled                bool   `yaml:"wal_enabled"`
	WALPath                   string `yaml:"wal_path"`
	DeterministicPlaceholders bool   `yaml:"deterministic_placeholders"`
}

SessionConfig holds session management settings

type TargetConfig

type TargetConfig struct {
	Host    string `yaml:"host"`
	Enabled bool   `yaml:"enabled"`
}

TargetConfig represents a target host configuration

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL