config

package
v0.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 24, 2026 License: MIT Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source 
const RuleFileType = "file"

RuleFileType is the special rule type for including rules from external files

View Source 
const TemplateFileType = "file"

TemplateFileType is the special template type for including templates from external files

Variables

This section is empty.

Functions

func ExpandEnvWithDefaults 

func ExpandEnvWithDefaults(s string) string

ExpandEnvWithDefaults expands environment variables with support for default values. Supports: ${VAR}, ${VAR:-default}, $VAR

Types

type APIKeyConfig 

type APIKeyConfig struct {
	ID                string   `yaml:"id"`                  // Unique identifier for the API key
	Name              string   `yaml:"name"`                // Human-readable name
	PublicKey         string   `yaml:"public_key"`          // Ed25519 public key (hex or base64, auto-detected)
	PublicKeyEnv      string   `yaml:"public_key_env"`      // Environment variable containing public key
	AllowedChainTypes []string `yaml:"allowed_chain_types"` // Empty = all chains allowed
	AllowedSigners    []string `yaml:"allowed_signers"`     // Empty = all signers allowed
	RateLimit         int      `yaml:"rate_limit"`          // Requests per minute (default: 100)
	Enabled           bool     `yaml:"enabled"`             // Whether the key is active
	Admin             bool     `yaml:"admin"`               // Admin keys can approve requests and manage rules
}

APIKeyConfig defines an API key in configuration

func (*APIKeyConfig) ResolvePublicKey 

func (c *APIKeyConfig) ResolvePublicKey() (string, error)

ResolvePublicKey returns the public key hex, resolving from env var and auto-detecting format (hex or base64)

type APIKeyInitializer 

type APIKeyInitializer struct {
	// contains filtered or unexported fields
}

APIKeyInitializer handles syncing API keys from config to database

func NewAPIKeyInitializer 

func NewAPIKeyInitializer(repo storage.APIKeyRepository, logger *slog.Logger) (*APIKeyInitializer, error)

NewAPIKeyInitializer creates a new API key initializer

func (*APIKeyInitializer) SyncFromConfig 

func (i *APIKeyInitializer) SyncFromConfig(ctx context.Context, keys []APIKeyConfig) error

SyncFromConfig syncs API keys from config to database - Creates new keys that don't exist - Updates existing keys with new values from config - Does NOT delete keys that are in database but not in config (preserves API-created keys)

type ApprovalGuardConfig 

type ApprovalGuardConfig struct {
	Enabled     bool          `yaml:"enabled"`
	Window      time.Duration `yaml:"window"`       // time window for counting (e.g. 5m); 0 = no window check
	Threshold   int           `yaml:"threshold"`    // consecutive rejections (blocked or manual-approval) that trigger pause (e.g. 10)
	ResumeAfter time.Duration `yaml:"resume_after"` // pause duration after which to auto-resume (e.g. 2h)
}

ApprovalGuardConfig configures the request-rejection burst guard. When within Window there are Threshold consecutive outcomes that are either: (a) blocked by a rule, or (b) require manual approval (no whitelist match), the guard pauses all sign requests and alerts. Use case: detect API key abuse — attacker with valid API key repeatedly hits rule rejections or pending approval. After ResumeAfter the guard auto-resumes so the team has time to respond.

type ChainsConfig 

type ChainsConfig struct {
	EVM *EVMConfig `yaml:"evm,omitempty"`
}

ChainsConfig contains chain-specific configurations

type Config 

type Config struct {
	Server        ServerConfig        `yaml:"server"`
	Database      storage.Config      `yaml:"database"`
	Chains        ChainsConfig        `yaml:"chains"`
	Notify        notify.Config       `yaml:"notify"`
	NotifyChannel notify.Channel      `yaml:"notify_channels"`
	AuditMonitor  audit.MonitorConfig `yaml:"audit_monitor"`
	Security      SecurityConfig      `yaml:"security"`
	Logger        LoggerConfig        `yaml:"logger"`
	APIKeys       []APIKeyConfig      `yaml:"api_keys"`
	Templates     []TemplateConfig    `yaml:"templates"`
	Rules         []RuleConfig        `yaml:"rules"`
}

Config is the root configuration structure

func Load 

func Load(path string) (*Config, error)

Load loads configuration from a YAML file

type EVMConfig 

type EVMConfig struct {
	Enabled     bool             `yaml:"enabled"`
	Signers     evm.SignerConfig `yaml:"signers"`
	KeystoreDir string           `yaml:"keystore_dir"` // Directory for storing dynamically created keystores
	Foundry     FoundryConfig    `yaml:"foundry"`
}

EVMConfig contains EVM chain configuration

type FoundryConfig 

type FoundryConfig struct {
	Enabled   bool          `yaml:"enabled"`
	ForgePath string        `yaml:"forge_path"` // path to forge binary, empty = auto-detect from PATH
	CacheDir  string        `yaml:"cache_dir"`  // cache directory for compiled scripts
	TempDir   string        `yaml:"temp_dir"`   // workspace dir for rule scripts and lib/forge-std; empty = os.TempDir()/remote-signer-rules. For Docker, set to /app/data/forge-workspace and mount repo data/forge-workspace.
	Timeout   time.Duration `yaml:"timeout"`    // max execution time per rule (default: 30s)
}

FoundryConfig contains Foundry (forge) configuration for Solidity rules

type IPWhitelistConfig 

type IPWhitelistConfig struct {
	// Enabled controls whether IP whitelist is enforced
	Enabled bool `yaml:"enabled"`
	// AllowedIPs is a list of allowed IP addresses or CIDR ranges
	// Examples: "192.168.1.1", "10.0.0.0/8", "::1"
	AllowedIPs []string `yaml:"allowed_ips"`
	// AllowedCIDRs is parsed from AllowedIPs during validation (internal use)
	// TrustProxy enables parsing X-Forwarded-For and X-Real-IP headers
	// WARNING: Only enable this if running behind a trusted reverse proxy
	TrustProxy bool `yaml:"trust_proxy"`
}

IPWhitelistConfig contains IP whitelist settings

type LoggerConfig 

type LoggerConfig struct {
	Level  string `yaml:"level"` // debug, info, warn, error
	Pretty bool   `yaml:"pretty"`
}

LoggerConfig contains logging configuration

type RuleConfig 

type RuleConfig struct {
	Name          string                 `yaml:"name" json:"name"`
	Description   string                 `yaml:"description,omitempty" json:"description,omitempty"`
	Type          string                 `yaml:"type" json:"type"`
	Mode          string                 `yaml:"mode" json:"mode"`
	ChainType     string                 `yaml:"chain_type,omitempty" json:"chain_type,omitempty"`
	ChainID       string                 `yaml:"chain_id,omitempty" json:"chain_id,omitempty"`
	APIKeyID      string                 `yaml:"api_key_id,omitempty" json:"api_key_id,omitempty"`
	SignerAddress string                 `yaml:"signer_address,omitempty" json:"signer_address,omitempty"`
	Config        map[string]interface{} `yaml:"config" json:"config"`
	Enabled       bool                   `yaml:"enabled" json:"enabled"`
}

RuleConfig defines a rule in configuration. JSON tags must match YAML/validator expectations so that substituted rules_json unmarshals correctly (e.g. "config" not "Config").

func ExpandFileRules 

func ExpandFileRules(rules []RuleConfig, configDir string, logger *slog.Logger) ([]RuleConfig, error)

ExpandFileRules expands "file" type rules by loading from external YAML files (no DB). Use for validation (e.g. validate-rules -config). configDir resolves relative paths.

func ExpandInstanceRules 

func ExpandInstanceRules(rules []RuleConfig, templates []TemplateConfig) ([]RuleConfig, error)

ExpandInstanceRules expands "instance" type rules in config by substituting template variables. Called during rule loading to convert instance references into concrete rules.

type RuleFileConfig 

type RuleFileConfig struct {
	Path string `yaml:"path"` // Path to the YAML file containing rules
}

RuleFileConfig represents the config structure for file-type rules

type RuleInitializer 

type RuleInitializer struct {
	// contains filtered or unexported fields
}

RuleInitializer handles syncing rules from config to database

func NewRuleInitializer 

func NewRuleInitializer(repo storage.RuleRepository, logger *slog.Logger) (*RuleInitializer, error)

NewRuleInitializer creates a new rule initializer

func (*RuleInitializer) SetConfigDir 

func (i *RuleInitializer) SetConfigDir(dir string)

SetConfigDir sets the base directory for resolving relative file paths in rule files

func (*RuleInitializer) SyncFromConfig 

func (i *RuleInitializer) SyncFromConfig(ctx context.Context, rules []RuleConfig) error

SyncFromConfig syncs rules from config to database - Creates new rules that don't exist (identified by generated ID from config) - Updates existing rules with new values from config - Deletes config-sourced rules that are no longer in config (preserves API-created rules) - Expands "file" type rules by loading rules from external YAML files

type SecurityConfig 

type SecurityConfig struct {
	MaxRequestAge    time.Duration     `yaml:"max_request_age"`
	RateLimitDefault int               `yaml:"rate_limit_default"`
	IPWhitelist      IPWhitelistConfig `yaml:"ip_whitelist"`
	// ManualApprovalEnabled: when true, requests with no whitelist match go to manual approval;
	// when false (default), they are rejected immediately. Default false for stricter security.
	ManualApprovalEnabled bool `yaml:"manual_approval_enabled"`
	// ApprovalGuard pauses all sign requests when too many consecutive manual-approval outcomes occur
	ApprovalGuard ApprovalGuardConfig `yaml:"approval_guard"`
	// NonceRequired enforces nonce for all requests (recommended for production)
	// When true, requests without X-Nonce header will be rejected
	NonceRequired *bool `yaml:"nonce_required"`
}

SecurityConfig contains security-related settings

type ServerConfig 

type ServerConfig struct {
	Host string    `yaml:"host"`
	Port int       `yaml:"port"`
	TLS  TLSConfig `yaml:"tls"`
}

ServerConfig contains HTTP server configuration

type TLSConfig 

type TLSConfig struct {
	// Enabled enables TLS (HTTPS) for the server
	Enabled bool `yaml:"enabled"`
	// CertFile is the path to the server TLS certificate
	CertFile string `yaml:"cert_file"`
	// KeyFile is the path to the server TLS private key
	KeyFile string `yaml:"key_file"`
	// CAFile is the path to the CA certificate for verifying client certificates (mTLS)
	CAFile string `yaml:"ca_file"`
	// ClientAuth enables mutual TLS (mTLS) — requires clients to present a valid certificate
	ClientAuth bool `yaml:"client_auth"`
}

TLSConfig contains TLS/mTLS configuration for the server

type TemplateConfig 

type TemplateConfig struct {
	Name           string                 `yaml:"name" json:"name"`
	Description    string                 `yaml:"description,omitempty" json:"description,omitempty"`
	Type           string                 `yaml:"type" json:"type"` // actual rule type or "file" for external file
	Mode           string                 `yaml:"mode,omitempty" json:"mode,omitempty"`
	Variables      []TemplateVarConfig    `yaml:"variables,omitempty" json:"variables,omitempty"`
	Config         map[string]interface{} `yaml:"config,omitempty" json:"config,omitempty"`
	BudgetMetering map[string]interface{} `yaml:"budget_metering,omitempty" json:"budget_metering,omitempty"`
	TestVariables  map[string]string      `yaml:"test_variables,omitempty" json:"test_variables,omitempty"` // default variable values for validation
	Enabled        bool                   `yaml:"enabled" json:"enabled"`
}

TemplateConfig defines a rule template in configuration

func ExpandTemplatesFromFiles 

func ExpandTemplatesFromFiles(templates []TemplateConfig, configDir string, logger *slog.Logger) ([]TemplateConfig, error)

ExpandTemplatesFromFiles expands "file" type templates by loading from external YAML files. Does not require DB; use for validation (e.g. validate-rules -config). configDir resolves relative paths.

type TemplateInitializer 

type TemplateInitializer struct {
	// contains filtered or unexported fields
}

TemplateInitializer handles syncing templates from config to database

func NewTemplateInitializer 

func NewTemplateInitializer(repo storage.TemplateRepository, logger *slog.Logger) (*TemplateInitializer, error)

NewTemplateInitializer creates a new template initializer

func (*TemplateInitializer) GetLoadedTemplates 

func (i *TemplateInitializer) GetLoadedTemplates(templates []TemplateConfig) ([]TemplateConfig, error)

GetLoadedTemplates returns templates expanded from config (for use by RuleInitializer)

func (*TemplateInitializer) SetConfigDir 

func (i *TemplateInitializer) SetConfigDir(dir string)

SetConfigDir sets the base directory for resolving relative file paths

func (*TemplateInitializer) SyncFromConfig 

func (i *TemplateInitializer) SyncFromConfig(ctx context.Context, templates []TemplateConfig) error

SyncFromConfig syncs templates from config to database. Follows the same three-way sync pattern as RuleInitializer: - Creates new templates - Updates existing templates - Deletes templates no longer in config (preserves API-created ones)

type TemplateVarConfig 

type TemplateVarConfig struct {
	Name        string `yaml:"name"`
	Type        string `yaml:"type"`
	Description string `yaml:"description,omitempty"`
	Required    bool   `yaml:"required"`
	Default     string `yaml:"default,omitempty"`
}

TemplateVarConfig defines a template variable in configuration

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.