config

type Config struct {
	// Addr is the listen address. Defaults to loopback only; binding to a
	// public interface is an explicit, conscious choice by the operator.
	Addr string
	// DataDir holds the SQLite database and any persisted secrets.
	DataDir string
	// SessionTTL is how long a logged-in session token stays valid.
	SessionTTL time.Duration
	// Dev enables developer conveniences (e.g. permissive CORS for Vite).
	Dev bool
	// UpdateCheck enables the periodic GitHub-release update check that backs
	// the admin "update available" banner. On by default; set DC_UPDATE_CHECK=0
	// (or -update-check=false) to disable outbound calls on air-gapped hosts.
	UpdateCheck bool
	// SelfUpdate allows an admin to download and apply an update from the web UI
	// (the one-tap "Update & restart"). On by default; set DC_SELF_UPDATE=0 to
	// keep the "update available" banner but forbid web-triggered self-replacement
	// of the binary (e.g. when updates are managed by your packaging/orchestrator).
	SelfUpdate bool
	// MetricsToken, when set, requires a bearer token to scrape /metrics.
	// Empty means the endpoint is open (fine for loopback-only use).
	MetricsToken string

	// TLSCert/TLSKey are paths to a PEM certificate and key. When both are set,
	// the server speaks HTTPS directly (otherwise plain HTTP behind a proxy).
	TLSCert string
	TLSKey  string

	// MCPEnabled turns on the remote MCP server (and its OAuth endpoints). Off by
	// default: when false the /mcp, /oauth and MCP /.well-known routes are not
	// mounted, so a request is an unknown path (it falls through to the SPA, or a
	// 404 without an embedded UI) — no hint the feature exists. It exposes Docker
	// read/control to AI tooling over the network — enable consciously, behind
	// HTTPS. Startup logs the resolved on/off state.
	MCPEnabled bool
	// MCPPublicURL is the externally reachable base URL of this server
	// (e.g. https://docker.example.com), used as the canonical resource
	// identifier for OAuth audience binding and the protected-resource metadata.
	// Empty is fine for Bearer-only (Claude Code header) use; the OAuth flow
	// needs it set.
	MCPPublicURL string

	// Version is the build version string, set by main (not from flags/env).
	Version string
	// ConfigFile is the config file that was loaded, or "" if none.
	ConfigFile string

	// Metrics history backend. RedisAddr empty → in-memory ring buffer.
	RedisAddr        string
	RedisPassword    string
	RedisDB          int
	MetricsRetention time.Duration
	// MetricsInterval is how often the monitor samples every running container's
	// stats (feeding the charts/history and resource alert rules). Lower means
	// fresher data but more CPU on the app and the Docker daemon; raise it on a
	// host with many containers where the sweep is costly.
	MetricsInterval time.Duration

	// PProf exposes Go's net/http/pprof profiling endpoints under /debug/pprof.
	// Off by default; when on, the endpoints are restricted to loopback clients
	// (use an SSH tunnel) since they leak goroutine stacks and heap detail.
	PProf bool

	// TrustedProxies is the set of reverse-proxy networks whose forwarded client
	// IP (X-Forwarded-For) we trust. Empty (default) means forwarded headers are
	// IGNORED and the real TCP peer is used for every IP-based decision (rate
	// limits, the loopback 2FA exemption, audit) — so a remote client cannot
	// spoof its address. Set it (e.g. 127.0.0.1/32,::1/128) only for the actual
	// proxy in front of this server.
	TrustedProxies []*net.IPNet
}