config

package
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 3, 2026 License: MIT Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source 
const RuleFileType = "file"

RuleFileType is the special rule type for including rules from external files

View Source 
const TemplateFileType = "file"

TemplateFileType is the special template type for including templates from external files

Variables

This section is empty.

Functions

func EffectiveRuleID added in v0.1.0 

func EffectiveRuleID(idx int, ruleCfg RuleConfig) types.RuleID

EffectiveRuleID returns the rule ID for a config rule at the given index. Used by rule sync and by evm_js startup validation (same as validate-rules). Exported so cmd/remote-signer can run evm_js test cases at startup.

func ExpandEnvWithDefaults 

func ExpandEnvWithDefaults(s string) string

ExpandEnvWithDefaults expands environment variables with support for default values. Supports: ${VAR}, ${VAR:-default}, $VAR

func ValidateDelegationTargets added in v0.1.0 

func ValidateDelegationTargets(rules []RuleConfig) error

ValidateDelegationTargets checks that all delegate_to references in rules resolve to existing rule IDs. Returns error if any target is missing.

Types

type APIKeyConfig 

type APIKeyConfig struct {
	ID                string   `yaml:"id"`                  // Unique identifier for the API key
	Name              string   `yaml:"name"`                // Human-readable name
	PublicKey         string   `yaml:"public_key"`          // Ed25519 public key (hex or base64, auto-detected)
	PublicKeyEnv      string   `yaml:"public_key_env"`      // Environment variable containing public key
	AllowedChainTypes []string `yaml:"allowed_chain_types"` // Empty = all chains allowed
	AllowedSigners    []string `yaml:"allowed_signers"`     // Empty = all signers allowed
	AllowedHDWallets  []string `yaml:"allowed_hd_wallets"`  // HD wallet primary addresses (empty = none)
	RateLimit         int      `yaml:"rate_limit"`          // Requests per minute (default: 100)
	Enabled           bool     `yaml:"enabled"`             // Whether the key is active
	Admin             bool     `yaml:"admin"`               // Admin keys can approve requests and manage rules
}

APIKeyConfig defines an API key in configuration

func (*APIKeyConfig) ResolvePublicKey 

func (c *APIKeyConfig) ResolvePublicKey() (string, error)

ResolvePublicKey returns the public key hex, resolving from env var and auto-detecting format (hex or base64)

type APIKeyInitializer 

type APIKeyInitializer struct {
	// contains filtered or unexported fields
}

APIKeyInitializer handles syncing API keys from config to database

func NewAPIKeyInitializer 

func NewAPIKeyInitializer(repo storage.APIKeyRepository, logger *slog.Logger) (*APIKeyInitializer, error)

NewAPIKeyInitializer creates a new API key initializer

func (*APIKeyInitializer) SyncFromConfig 

func (i *APIKeyInitializer) SyncFromConfig(ctx context.Context, keys []APIKeyConfig) error

SyncFromConfig syncs API keys from config to database - Creates new keys that don't exist - Updates existing keys with new values from config - Does NOT delete keys that are in database but not in config (preserves API-created keys)

type ApprovalGuardConfig 

type ApprovalGuardConfig struct {
	Enabled     bool          `yaml:"enabled"`
	Window      time.Duration `yaml:"window"`       // time window for counting (e.g. 5m); 0 = no window check
	Threshold   int           `yaml:"threshold"`    // consecutive rejections (blocked or manual-approval) that trigger pause (e.g. 10)
	ResumeAfter time.Duration `yaml:"resume_after"` // pause duration after which to auto-resume (e.g. 2h)
}

ApprovalGuardConfig configures the request-rejection burst guard. When within Window there are Threshold consecutive outcomes that are either: (a) blocked by a rule, or (b) require manual approval (no whitelist match), the guard pauses all sign requests and alerts. Use case: detect API key abuse — attacker with valid API key repeatedly hits rule rejections or pending approval. After ResumeAfter the guard auto-resumes so the team has time to respond.

type ChainsConfig 

type ChainsConfig struct {
	EVM *EVMConfig `yaml:"evm,omitempty"`
}

ChainsConfig contains chain-specific configurations

type Config 

type Config struct {
	Server        ServerConfig        `yaml:"server"`
	Database      storage.Config      `yaml:"database"`
	Chains        ChainsConfig        `yaml:"chains"`
	Notify        notify.Config       `yaml:"notify"`
	NotifyChannel notify.Channel      `yaml:"notify_channels"`
	AuditMonitor  audit.MonitorConfig `yaml:"audit_monitor"`
	Security      SecurityConfig      `yaml:"security"`
	Logger        LoggerConfig        `yaml:"logger"`
	APIKeys       []APIKeyConfig      `yaml:"api_keys"`
	Templates     []TemplateConfig    `yaml:"templates"`
	Rules         []RuleConfig        `yaml:"rules"`
}

Config is the root configuration structure

func Load 

func Load(path string) (*Config, error)

Load loads configuration from a YAML file

type EVMConfig 

type EVMConfig struct {
	Enabled     bool             `yaml:"enabled"`
	Signers     evm.SignerConfig `yaml:"signers"`
	KeystoreDir string           `yaml:"keystore_dir"`  // Directory for storing dynamically created keystores
	HDWalletDir string           `yaml:"hd_wallet_dir"` // Directory for storing HD wallets
	Foundry     FoundryConfig    `yaml:"foundry"`
}

EVMConfig contains EVM chain configuration

type FoundryConfig 

type FoundryConfig struct {
	Enabled   bool          `yaml:"enabled"`
	ForgePath string        `yaml:"forge_path"` // path to forge binary, empty = auto-detect from PATH
	CacheDir  string        `yaml:"cache_dir"`  // cache directory for compiled scripts
	TempDir   string        `yaml:"temp_dir"`   // workspace dir for rule scripts and lib/forge-std; empty = os.TempDir()/remote-signer-rules. For Docker, set to /app/data/forge-workspace and mount repo data/forge-workspace.
	Timeout   time.Duration `yaml:"timeout"`    // max execution time per rule (default: 30s)
}

FoundryConfig contains Foundry (forge) configuration for Solidity rules

type IPWhitelistConfig 

type IPWhitelistConfig struct {
	// Enabled controls whether IP whitelist is enforced
	Enabled bool `yaml:"enabled"`
	// AllowedIPs is a list of allowed IP addresses or CIDR ranges
	// Examples: "192.168.1.1", "10.0.0.0/8", "::1"
	AllowedIPs []string `yaml:"allowed_ips"`
	// TrustProxy enables parsing X-Forwarded-For and X-Real-IP headers
	// WARNING: Only enable this if running behind a trusted reverse proxy
	TrustProxy bool `yaml:"trust_proxy"`
	// TrustedProxies is a list of IP addresses or CIDR ranges of trusted reverse proxies
	// When TrustProxy is true, X-Forwarded-For/X-Real-IP headers are only honored
	// if the request's direct RemoteAddr matches one of these entries.
	// If TrustProxy is true but TrustedProxies is empty, proxy headers are ignored
	// (fail-closed: no trusted proxies means no header trust).
	TrustedProxies []string `yaml:"trusted_proxies"`
}

IPWhitelistConfig contains IP whitelist settings

type LoggerConfig 

type LoggerConfig struct {
	Level  string `yaml:"level"` // debug, info, warn, error
	Pretty bool   `yaml:"pretty"`
}

LoggerConfig contains logging configuration

type RuleConfig 

type RuleConfig struct {
	// Id is an optional stable rule ID. If set, it is used as the rule's ID (for delegate_to etc.);
	// must be unique across all rules. If empty, a deterministic ID is generated from config order.
	Id            string                 `yaml:"id,omitempty" json:"id,omitempty"`
	Name          string                 `yaml:"name" json:"name"`
	Description   string                 `yaml:"description,omitempty" json:"description,omitempty"`
	Type          string                 `yaml:"type" json:"type"`
	Mode          string                 `yaml:"mode" json:"mode"`
	ChainType     string                 `yaml:"chain_type,omitempty" json:"chain_type,omitempty"`
	ChainID       string                 `yaml:"chain_id,omitempty" json:"chain_id,omitempty"`
	APIKeyID      string                 `yaml:"api_key_id,omitempty" json:"api_key_id,omitempty"`
	SignerAddress string                 `yaml:"signer_address,omitempty" json:"signer_address,omitempty"`
	Config        map[string]interface{} `yaml:"config" json:"config"`
	Variables     map[string]interface{} `yaml:"variables,omitempty" json:"variables,omitempty"`   // instance/template variable values (e.g. for evm_js config)
	TestCases     []TestCaseConfig       `yaml:"test_cases,omitempty" json:"test_cases,omitempty"` // test cases for validation (evm_js, solidity, etc.)
	Enabled       bool                   `yaml:"enabled" json:"enabled"`
}

RuleConfig defines a rule in configuration. JSON tags must match YAML/validator expectations so that substituted rules_json unmarshals correctly (e.g. "config" not "Config").

func ExpandFileRules 

func ExpandFileRules(rules []RuleConfig, configDir string, logger *slog.Logger) ([]RuleConfig, error)

ExpandFileRules expands "file" type rules by loading from external YAML files (no DB). Use for validation (e.g. validate-rules -config). configDir resolves relative paths.

func ExpandInstanceRules 

func ExpandInstanceRules(rules []RuleConfig, templates []TemplateConfig) ([]RuleConfig, error)

ExpandInstanceRules expands "instance" type rules in config by substituting template variables. Called during rule loading to convert instance references into concrete rules.

type RuleFileConfig 

type RuleFileConfig struct {
	Path string `yaml:"path"` // Path to the YAML file containing rules
}

RuleFileConfig represents the config structure for file-type rules

type RuleInitializer 

type RuleInitializer struct {
	// contains filtered or unexported fields
}

RuleInitializer handles syncing rules from config to database

func NewRuleInitializer 

func NewRuleInitializer(repo storage.RuleRepository, logger *slog.Logger) (*RuleInitializer, error)

NewRuleInitializer creates a new rule initializer

func (*RuleInitializer) SetConfigDir 

func (i *RuleInitializer) SetConfigDir(dir string)

SetConfigDir sets the base directory for resolving relative file paths in rule files

func (*RuleInitializer) SyncFromConfig 

func (i *RuleInitializer) SyncFromConfig(ctx context.Context, rules []RuleConfig) error

SyncFromConfig syncs rules from config to database - Creates new rules that don't exist (identified by generated ID from config) - Updates existing rules with new values from config - Deletes config-sourced rules that are no longer in config (preserves API-created rules) - Expands "file" type rules by loading rules from external YAML files - Wraps all operations in a transaction if the repository supports it

type SecurityConfig 

type SecurityConfig struct {
	MaxRequestAge    time.Duration `yaml:"max_request_age"`
	RateLimitDefault int           `yaml:"rate_limit_default"`
	// IPRateLimit is the maximum requests per minute from a single IP address (pre-auth).
	// Protects against unauthenticated flood attacks. Default: 200.
	IPRateLimit int               `yaml:"ip_rate_limit"`
	IPWhitelist IPWhitelistConfig `yaml:"ip_whitelist"`
	// ManualApprovalEnabled: when true, requests with no whitelist match go to manual approval;
	// when false (default), they are rejected immediately. Default false for stricter security.
	ManualApprovalEnabled bool `yaml:"manual_approval_enabled"`
	// ApprovalGuard pauses all sign requests when too many consecutive manual-approval outcomes occur
	ApprovalGuard ApprovalGuardConfig `yaml:"approval_guard"`
	// NonceRequired enforces nonce for all requests (recommended for production)
	// When true, requests without X-Nonce header will be rejected
	NonceRequired *bool `yaml:"nonce_required"`

	// RulesAPIReadonly disables rule/template mutations via API.
	// Default (nil) = true. Covers: rule CRUD, template CRUD/instantiate/revoke,
	// approval auto-rule creation. Rules managed through config files only.
	RulesAPIReadonly *bool `yaml:"rules_api_readonly"`

	// SignersAPIReadonly disables signer/HD-wallet creation via API.
	// Default (nil) = false. Covers: signer creation, HD wallet create/import/derive.
	// Unlock/lock remain allowed. Signers managed through config or TUI.
	SignersAPIReadonly *bool `yaml:"signers_api_readonly"`

	// AllowSIGHUPRulesReload enables reloading rules from config when receiving SIGHUP.
	// Default (nil) = false (secure by default). When disabled, SIGHUP is ignored (process stays alive).
	AllowSIGHUPRulesReload *bool `yaml:"allow_sighup_rules_reload"`
}

SecurityConfig contains security-related settings

func (SecurityConfig) IsRulesAPIReadonly added in v0.1.0 

func (s SecurityConfig) IsRulesAPIReadonly() bool

IsRulesAPIReadonly returns whether rule/template mutations via API are disabled. Defaults to true (secure by default) when not explicitly configured.

func (SecurityConfig) IsSIGHUPRulesReloadEnabled added in v0.1.2 

func (s SecurityConfig) IsSIGHUPRulesReloadEnabled() bool

IsSIGHUPRulesReloadEnabled returns whether SIGHUP-triggered rules reload is enabled. Defaults to false (secure by default) when not explicitly configured.

func (SecurityConfig) IsSignersAPIReadonly added in v0.1.0 

func (s SecurityConfig) IsSignersAPIReadonly() bool

IsSignersAPIReadonly returns whether signer/HD-wallet creation via API is disabled. Defaults to false when not explicitly configured (low risk: API never exposes private keys).

type ServerConfig 

type ServerConfig struct {
	Host         string        `yaml:"host"`
	Port         int           `yaml:"port"`
	ReadTimeout  time.Duration `yaml:"read_timeout"`
	WriteTimeout time.Duration `yaml:"write_timeout"`
	TLS          TLSConfig     `yaml:"tls"`
}

ServerConfig contains HTTP server configuration

type TLSConfig 

type TLSConfig struct {
	// Enabled enables TLS (HTTPS) for the server
	Enabled bool `yaml:"enabled"`
	// CertFile is the path to the server TLS certificate
	CertFile string `yaml:"cert_file"`
	// KeyFile is the path to the server TLS private key
	KeyFile string `yaml:"key_file"`
	// CAFile is the path to the CA certificate for verifying client certificates (mTLS)
	CAFile string `yaml:"ca_file"`
	// ClientAuth enables mutual TLS (mTLS) — requires clients to present a valid certificate
	ClientAuth bool `yaml:"client_auth"`
}

TLSConfig contains TLS/mTLS configuration for the server

type TemplateConfig 

type TemplateConfig struct {
	Name           string                 `yaml:"name" json:"name"`
	Description    string                 `yaml:"description,omitempty" json:"description,omitempty"`
	Type           string                 `yaml:"type" json:"type"` // actual rule type or "file" for external file
	Mode           string                 `yaml:"mode,omitempty" json:"mode,omitempty"`
	Variables      []TemplateVarConfig    `yaml:"variables,omitempty" json:"variables,omitempty"`
	Config         map[string]interface{} `yaml:"config,omitempty" json:"config,omitempty"`
	BudgetMetering map[string]interface{} `yaml:"budget_metering,omitempty" json:"budget_metering,omitempty"`
	TestVariables  map[string]string      `yaml:"test_variables,omitempty" json:"test_variables,omitempty"` // default variable values for validation
	Enabled        bool                   `yaml:"enabled" json:"enabled"`
}

TemplateConfig defines a rule template in configuration

func ExpandTemplatesFromFiles 

func ExpandTemplatesFromFiles(templates []TemplateConfig, configDir string, logger *slog.Logger) ([]TemplateConfig, error)

ExpandTemplatesFromFiles expands "file" type templates by loading from external YAML files. Does not require DB; use for validation (e.g. validate-rules -config). configDir resolves relative paths.

type TemplateInitializer 

type TemplateInitializer struct {
	// contains filtered or unexported fields
}

TemplateInitializer handles syncing templates from config to database

func NewTemplateInitializer 

func NewTemplateInitializer(repo storage.TemplateRepository, logger *slog.Logger) (*TemplateInitializer, error)

NewTemplateInitializer creates a new template initializer

func (*TemplateInitializer) GetLoadedTemplates 

func (i *TemplateInitializer) GetLoadedTemplates(templates []TemplateConfig) ([]TemplateConfig, error)

GetLoadedTemplates returns templates expanded from config (for use by RuleInitializer)

func (*TemplateInitializer) SetConfigDir 

func (i *TemplateInitializer) SetConfigDir(dir string)

SetConfigDir sets the base directory for resolving relative file paths

func (*TemplateInitializer) SyncFromConfig 

func (i *TemplateInitializer) SyncFromConfig(ctx context.Context, templates []TemplateConfig) error

SyncFromConfig syncs templates from config to database. Follows the same three-way sync pattern as RuleInitializer: - Creates new templates - Updates existing templates - Deletes templates no longer in config (preserves API-created ones)

type TemplateVarConfig 

type TemplateVarConfig struct {
	Name        string `yaml:"name"`
	Type        string `yaml:"type"`
	Description string `yaml:"description,omitempty"`
	Required    bool   `yaml:"required"`
	Default     string `yaml:"default,omitempty"`
}

TemplateVarConfig defines a template variable in configuration

type TestCaseConfig added in v0.1.0 

type TestCaseConfig struct {
	Name         string                 `yaml:"name" json:"name"`
	Input        map[string]interface{} `yaml:"input" json:"input"`
	ExpectPass   bool                   `yaml:"expect_pass" json:"expect_pass"`
	ExpectReason string                 `yaml:"expect_reason,omitempty" json:"expect_reason,omitempty"`
}

TestCaseConfig defines a single test case for rule validation (evm_js, solidity, etc.)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.