config

package
v0.7.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 6, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package config provides application configuration management using Viper. It supports configuration files, environment variables, and CLI flag overrides.

Index

Constants

View Source 
const (
	// DefaultConfigFileName is the default config file name (without extension).
	DefaultConfigFileName = "config"

	// DefaultConfigFileType is the default config file type.
	DefaultConfigFileType = "yaml"

	// EnvPrefix is the environment variable prefix.
	EnvPrefix = "SCAFCTL"
)
View Source 
const (
	CatalogTypeFilesystem = "filesystem"
	CatalogTypeOCI        = "oci"
	CatalogTypeHTTP       = "http"
)

CatalogType constants define the supported catalog types.

View Source 
const (
	HTTPClientCacheTypeMemory     = "memory"
	HTTPClientCacheTypeFilesystem = "filesystem"
)

HTTPClientCacheType constants define the supported HTTP cache types.

View Source 
const CurrentConfigVersion = 1

CurrentConfigVersion is the current config file version.

View Source 
const LoggingFormatConsole = "console"

LoggingFormatConsole is the human-readable console log format.

View Source 
const LoggingFormatJSON = "json"

LoggingFormatJSON is the JSON log format.

View Source 
const LoggingFormatText = "text"

LoggingFormatText is the text log format (alias for console).

View Source 
const RedactedValue = "***REDACTED***"

RedactedValue is the placeholder inserted for sensitive fields.

Variables

This section is empty.

Functions

func DefaultConfigPath 

func DefaultConfigPath() (string, error)

DefaultConfigPath returns the default configuration file path. Uses XDG Base Directory Specification.

func IsValidCatalogType 

func IsValidCatalogType(t string) bool

IsValidCatalogType returns true if the given type is valid.

func IsValidHTTPClientCacheType 

func IsValidHTTPClientCacheType(t string) bool

IsValidHTTPClientCacheType returns true if the given cache type is valid.

func ResetGlobal 

func ResetGlobal()

ResetGlobal resets the global configuration (primarily for testing).

func ValidCatalogTypes 

func ValidCatalogTypes() []string

ValidCatalogTypes returns the list of valid catalog types.

func ValidHTTPClientCacheTypes 

func ValidHTTPClientCacheTypes() []string

ValidHTTPClientCacheTypes returns the list of valid HTTP cache types.

func WithConfig 

func WithConfig(ctx context.Context, cfg *Config) context.Context

WithConfig returns a new context with the Config stored in it.

func WithManagerOptions added in v0.7.0 

func WithManagerOptions(ctx context.Context, opts []ManagerOption) context.Context

WithManagerOptions stores ManagerOption values in the context so that subcommands which create their own Manager can apply the same embedder options (e.g., WithBaseConfig, WithEnvPrefix).

Types

type APIAuditConfig added in v0.7.0 

type APIAuditConfig struct {
	Enabled    bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable audit logging"`
	TrustProxy bool `` /* 294-byte string literal not displayed */
}

APIAuditConfig holds audit logging configuration.

type APIAuthConfig added in v0.7.0 

type APIAuthConfig struct {
	AzureOIDC APIAzureOIDCConfig `json:"azureOIDC,omitempty" yaml:"azureOIDC,omitempty" mapstructure:"azureOIDC" doc:"Azure AD OIDC configuration"`
}

APIAuthConfig holds API authentication configuration.

type APIAzureOIDCConfig added in v0.7.0 

type APIAzureOIDCConfig struct {
	Enabled  bool   `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable Entra OIDC authentication"`
	TenantID string `` /* 162-byte string literal not displayed */
	ClientID string `` /* 162-byte string literal not displayed */
}

APIAzureOIDCConfig holds Azure AD OIDC configuration.

type APICORSConfig added in v0.7.0 

type APICORSConfig struct {
	Enabled        bool     `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable CORS"`
	AllowedOrigins []string `` /* 129-byte string literal not displayed */
	AllowedMethods []string `` /* 134-byte string literal not displayed */
	AllowedHeaders []string `` /* 129-byte string literal not displayed */
	MaxAge         int      `` /* 144-byte string literal not displayed */
}

APICORSConfig holds CORS configuration for the API server.

type APICompressionConfig added in v0.7.0 

type APICompressionConfig struct {
	Level int `` /* 132-byte string literal not displayed */
}

APICompressionConfig holds response compression configuration.

type APIOpenAPIConfig added in v0.7.0 

type APIOpenAPIConfig struct {
	Servers     []APIOpenAPIServerConfig `json:"servers,omitempty" yaml:"servers,omitempty" mapstructure:"servers" doc:"OpenAPI server entries" maxItems:"10"`
	Title       string                   `json:"title,omitempty" yaml:"title,omitempty" mapstructure:"title" doc:"API title" maxLength:"200" example:"scafctl API"`
	Description string                   `json:"description,omitempty" yaml:"description,omitempty" mapstructure:"description" doc:"API description" maxLength:"2000"`
}

APIOpenAPIConfig holds OpenAPI specification configuration.

type APIOpenAPIServerConfig added in v0.7.0 

type APIOpenAPIServerConfig struct {
	URL         string `json:"url" yaml:"url" mapstructure:"url" doc:"Server URL" maxLength:"2048" example:"https://api.example.com"`
	Description string `json:"description,omitempty" yaml:"description,omitempty" mapstructure:"description" doc:"Server description" maxLength:"500"`
}

APIOpenAPIServerConfig holds a single OpenAPI server entry.

type APIProfilerConfig added in v0.7.0 

type APIProfilerConfig struct {
	Enabled         bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable pprof profiler endpoints"`
	AllowUnauthProd bool `` /* 154-byte string literal not displayed */
}

APIProfilerConfig holds profiler configuration for the API server.

type APIRateLimitConfig added in v0.7.0 

type APIRateLimitConfig struct {
	Global    *APIRateLimitEntry            `json:"global,omitempty" yaml:"global,omitempty" mapstructure:"global" doc:"Global rate limit"`
	Endpoints map[string]*APIRateLimitEntry `` /* 179-byte string literal not displayed */
}

APIRateLimitConfig holds rate limiting configuration.

type APIRateLimitEntry added in v0.7.0 

type APIRateLimitEntry struct {
	MaxRequests int    `` /* 128-byte string literal not displayed */
	Window      string `json:"window" yaml:"window" mapstructure:"window" doc:"Time window for rate limit" example:"1m" maxLength:"20"`
	TrustProxy  bool   `` /* 295-byte string literal not displayed */
}

APIRateLimitEntry defines a rate limit rule.

type APIServerConfig added in v0.7.0 

type APIServerConfig struct {
	Host            string               `` /* 177-byte string literal not displayed */
	Port            int                  `` /* 130-byte string literal not displayed */
	APIVersion      string               `` /* 246-byte string literal not displayed */
	ShutdownTimeout string               `` /* 157-byte string literal not displayed */
	RequestTimeout  string               `` /* 152-byte string literal not displayed */
	BodyReadTimeout string               `` /* 177-byte string literal not displayed */
	MaxRequestSize  int64                `` /* 174-byte string literal not displayed */
	TLS             APITLSConfig         `json:"tls,omitempty" yaml:"tls,omitempty" mapstructure:"tls" doc:"TLS configuration"`
	CORS            APICORSConfig        `json:"cors,omitempty" yaml:"cors,omitempty" mapstructure:"cors" doc:"CORS configuration"`
	RateLimit       APIRateLimitConfig   `json:"rateLimit,omitempty" yaml:"rateLimit,omitempty" mapstructure:"rateLimit" doc:"Rate limiting configuration"`
	Auth            APIAuthConfig        `json:"auth,omitempty" yaml:"auth,omitempty" mapstructure:"auth" doc:"Authentication configuration"`
	Compression     APICompressionConfig `json:"compression,omitempty" yaml:"compression,omitempty" mapstructure:"compression" doc:"Response compression configuration"`
	OpenAPI         APIOpenAPIConfig     `` /* 205-byte string literal not displayed */
	Profiler        APIProfilerConfig    `` /* 166-byte string literal not displayed */
	Audit           APIAuditConfig       `json:"audit,omitempty" yaml:"audit,omitempty" mapstructure:"audit" doc:"Audit logging configuration"`
	Tracing         APITracingConfig     `json:"tracing,omitempty" yaml:"tracing,omitempty" mapstructure:"tracing" doc:"OpenTelemetry tracing configuration"`
	MaxConcurrent   int                  `` /* 202-byte string literal not displayed */
}

APIServerConfig holds REST API server configuration.

type APITLSConfig added in v0.7.0 

type APITLSConfig struct {
	Enabled bool   `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable TLS"`
	Cert    string `` /* 143-byte string literal not displayed */
	Key     string `` /* 139-byte string literal not displayed */
}

APITLSConfig holds TLS configuration for the API server.

type APITracingConfig added in v0.7.0 

type APITracingConfig struct {
	Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable OpenTelemetry tracing"`
}

APITracingConfig holds OpenTelemetry tracing configuration for the API server.

type ActionConfig 

type ActionConfig struct {
	// DefaultTimeout is the default timeout per action execution
	DefaultTimeout string `` /* 150-byte string literal not displayed */

	// GracePeriod is the cancellation grace period
	GracePeriod string `` /* 145-byte string literal not displayed */

	// MaxConcurrency is the max concurrent actions (0 = unlimited)
	MaxConcurrency int `` /* 162-byte string literal not displayed */

	// OutputDir is the default target directory for action file operations.
	// When set, actions resolve relative paths against this directory instead of CWD.
	// Can be overridden by the --output-dir CLI flag.
	OutputDir string `` /* 175-byte string literal not displayed */
}

ActionConfig holds action executor configuration.

func (*ActionConfig) ToActionValues 

func (a *ActionConfig) ToActionValues() (ActionConfigValues, error)

ToActionValues converts ActionConfig to an ActionConfigValues struct. Duration strings are parsed, and zero/empty values use defaults from settings.

func (*ActionConfig) Validate 

func (a *ActionConfig) Validate() error

Validate validates the action configuration. Returns an error if any value is invalid.

type ActionConfigValues 

type ActionConfigValues struct {
	DefaultTimeout time.Duration `json:"defaultTimeout" yaml:"defaultTimeout" doc:"Default per-action execution timeout"`
	GracePeriod    time.Duration `json:"gracePeriod" yaml:"gracePeriod" doc:"Cancellation grace period"`
	MaxConcurrency int           `json:"maxConcurrency" yaml:"maxConcurrency" doc:"Maximum concurrent action executions" maximum:"1000" example:"5"`
	OutputDir      string        `json:"outputDir" yaml:"outputDir" doc:"Default target directory for action file operations"`
}

ActionConfigValues holds parsed action config values with durations.

type AuthConfig 

type AuthConfig struct {
	Type        string `json:"type" yaml:"type" mapstructure:"type" doc:"Auth type" example:"token" maxLength:"50"`
	TokenEnvVar string `` /* 168-byte string literal not displayed */
}

AuthConfig holds authentication settings for a catalog.

type BuildConfig added in v0.3.0 

type BuildConfig struct {
	// EnableCache enables build-level caching to skip redundant builds.
	EnableCache *bool `json:"enableCache,omitempty" yaml:"enableCache,omitempty" mapstructure:"enableCache" doc:"Enable build-level caching"`

	// CacheDir is the directory for storing build cache entries.
	CacheDir string `` /* 159-byte string literal not displayed */

	// AutoCacheRemoteArtifacts automatically caches remote catalog fetches into the local catalog.
	AutoCacheRemoteArtifacts *bool `` /* 171-byte string literal not displayed */

	// PluginCacheDir is the directory for cached plugin binaries.
	PluginCacheDir string `` /* 181-byte string literal not displayed */
}

BuildConfig holds build command configuration.

func (*BuildConfig) IsAutoCacheRemoteArtifacts added in v0.3.0 

func (b *BuildConfig) IsAutoCacheRemoteArtifacts() bool

IsAutoCacheRemoteArtifacts returns whether remote artifacts are auto-cached (defaults to true).

func (*BuildConfig) IsCacheEnabled added in v0.3.0 

func (b *BuildConfig) IsCacheEnabled() bool

IsCacheEnabled returns whether build caching is enabled (defaults to true).

func (*BuildConfig) Validate added in v0.3.0 

func (b *BuildConfig) Validate() error

Validate validates the build configuration.

type CELConfig 

type CELConfig struct {
	// CacheSize is the maximum number of compiled programs to cache
	CacheSize int `` /* 141-byte string literal not displayed */

	// CostLimit is the cost limit for expression evaluation (0 = disabled)
	// Prevents runaway expressions from consuming resources
	CostLimit int64 `` /* 150-byte string literal not displayed */

	// UseASTBasedCaching enables AST-based cache key generation for better hit rates
	// Expressions with same structure share cache entries
	UseASTBasedCaching bool `` /* 139-byte string literal not displayed */

	// EnableMetrics enables expression metrics collection
	EnableMetrics *bool `json:"enableMetrics,omitempty" yaml:"enableMetrics,omitempty" mapstructure:"enableMetrics" doc:"Enable expression metrics"`
}

CELConfig holds CEL expression engine configuration.

func (*CELConfig) ToCELValues 

func (c *CELConfig) ToCELValues() CELConfigValues

ToCELValues converts CELConfig to a CELConfigValues struct. If a config value is zero/empty, the default value from settings is used.

func (*CELConfig) Validate 

func (c *CELConfig) Validate() error

Validate validates the CEL configuration. Returns an error if any value is invalid.

type CELConfigValues 

type CELConfigValues struct {
	CacheSize          int   `json:"cacheSize" yaml:"cacheSize" doc:"CEL program cache size" maximum:"100000" example:"1000"`
	CostLimit          int64 `json:"costLimit" yaml:"costLimit" doc:"CEL evaluation cost limit" maximum:"1000000000" example:"100000"`
	UseASTBasedCaching bool  `json:"useASTBasedCaching" yaml:"useASTBasedCaching" doc:"Use AST-based cache keys for deduplication"`
	EnableMetrics      bool  `json:"enableMetrics" yaml:"enableMetrics" doc:"Enable CEL evaluation metrics"`
}

CELConfigValues holds parsed CEL configuration values. This avoids circular dependencies between config and celexp packages.

type CatalogConfig 

type CatalogConfig struct {
	Name         string            `json:"name" yaml:"name" mapstructure:"name" doc:"Catalog name" example:"internal" maxLength:"255"`
	Type         string            `json:"type" yaml:"type" mapstructure:"type" doc:"Catalog type" example:"filesystem" maxLength:"50"`
	Path         string            `` /* 151-byte string literal not displayed */
	URL          string            `` /* 145-byte string literal not displayed */
	Auth         *AuthConfig       `json:"auth,omitempty" yaml:"auth,omitempty" mapstructure:"auth" doc:"Authentication configuration"`
	AuthProvider string            `` /* 199-byte string literal not displayed */
	AuthScope    string            `` /* 194-byte string literal not displayed */
	Metadata     map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty" mapstructure:"metadata" doc:"Additional metadata"`
	HTTPClient   *HTTPClientConfig `` /* 144-byte string literal not displayed */
}

CatalogConfig represents a single catalog configuration.

func (*CatalogConfig) Validate 

func (c *CatalogConfig) Validate() error

Validate validates a catalog configuration.

type Config 

type Config struct {
	Version    int              `json:"version,omitempty" yaml:"version,omitempty" mapstructure:"version" doc:"Config file version" example:"1" maximum:"100"`
	Catalogs   []CatalogConfig  `json:"catalogs" yaml:"catalogs" mapstructure:"catalogs" doc:"Configured catalogs" maxItems:"50"`
	Settings   Settings         `json:"settings" yaml:"settings" mapstructure:"settings" doc:"Application settings"`
	Logging    LoggingConfig    `json:"logging,omitempty" yaml:"logging,omitempty" mapstructure:"logging" doc:"Logging configuration"`
	Telemetry  TelemetryConfig  `json:"telemetry,omitempty" yaml:"telemetry,omitempty" mapstructure:"telemetry" doc:"OpenTelemetry configuration"`
	HTTPClient HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"Global HTTP client configuration"`
	CEL        CELConfig        `json:"cel,omitempty" yaml:"cel,omitempty" mapstructure:"cel" doc:"CEL expression engine configuration"`
	GoTemplate GoTemplateConfig `json:"goTemplate,omitempty" yaml:"goTemplate,omitempty" mapstructure:"goTemplate" doc:"Go template engine configuration"`
	Resolver   ResolverConfig   `json:"resolver,omitempty" yaml:"resolver,omitempty" mapstructure:"resolver" doc:"Resolver executor configuration"`
	Action     ActionConfig     `json:"action,omitempty" yaml:"action,omitempty" mapstructure:"action" doc:"Action executor configuration"`
	Auth       GlobalAuthConfig `json:"auth,omitempty" yaml:"auth,omitempty" mapstructure:"auth" doc:"Authentication handler configuration"`
	Build      BuildConfig      `json:"build,omitempty" yaml:"build,omitempty" mapstructure:"build" doc:"Build command configuration"`
	APIServer  APIServerConfig  `json:"apiServer,omitempty" yaml:"apiServer,omitempty" mapstructure:"apiServer" doc:"REST API server configuration"`
}

Config represents the application configuration.

func FromContext 

func FromContext(ctx context.Context) *Config

FromContext retrieves the Config from the context. Returns nil if no Config is stored in the context.

func Global 

func Global() (*Config, error)

Global returns the global configuration (loads once).

func (*Config) AddCatalog 

func (c *Config) AddCatalog(catalog CatalogConfig) error

AddCatalog adds a new catalog configuration.

func (*Config) CheckVersion 

func (c *Config) CheckVersion() string

CheckVersion checks if the config version is current and returns a warning message if not. Returns an empty string if the version is current or if version checking should be skipped.

func (*Config) GetCatalog 

func (c *Config) GetCatalog(name string) (*CatalogConfig, bool)

GetCatalog returns a catalog configuration by name.

func (*Config) GetDefaultCatalog 

func (c *Config) GetDefaultCatalog() (*CatalogConfig, bool)

GetDefaultCatalog returns the default catalog configuration.

func (*Config) RemoveCatalog 

func (c *Config) RemoveCatalog(name string) error

RemoveCatalog removes a catalog by name.

func (*Config) SetDefaultCatalog 

func (c *Config) SetDefaultCatalog(name string) error

SetDefaultCatalog sets the default catalog by name. Returns an error if the catalog doesn't exist.

func (*Config) Validate 

func (c *Config) Validate() error

Validate validates the entire configuration. Returns an error if any configuration value is invalid.

type CustomOAuth2Config added in v0.7.0 

type CustomOAuth2Config struct {
	// Name is the handler identifier, used as: scafctl auth login <name>
	// Must not conflict with built-in handler names (github, gcp, entra).
	Name        string `json:"name" yaml:"name" mapstructure:"name" doc:"Handler name (used as CLI argument)" maxLength:"64" example:"quay"`
	DisplayName string `` /* 152-byte string literal not displayed */

	// OAuth2 endpoints
	AuthorizeURL  string `` /* 214-byte string literal not displayed */
	TokenURL      string `` /* 145-byte string literal not displayed */
	DeviceAuthURL string `` /* 228-byte string literal not displayed */

	// Client credentials
	ClientID     string `json:"clientID" yaml:"clientID" mapstructure:"clientID" doc:"OAuth2 client ID" maxLength:"256"`
	ClientSecret string `` //nolint:gosec // G117: config field, not a hardcoded credential
	/* 169-byte string literal not displayed */

	// Flow configuration
	Scopes                 []string `json:"scopes,omitempty" yaml:"scopes,omitempty" mapstructure:"scopes" doc:"Default OAuth scopes" maxItems:"20"`
	DefaultFlow            string   `` /* 244-byte string literal not displayed */
	CallbackPort           int      `` /* 190-byte string literal not displayed */
	DeviceCodePollInterval int      `` /* 230-byte string literal not displayed */

	// Token verification
	VerifyURL      string                `` /* 179-byte string literal not displayed */
	IdentityFields *IdentityFieldMapping `` /* 153-byte string literal not displayed */

	// Registry association (optional, only for OCI registry auth)
	Registry         string `` /* 178-byte string literal not displayed */
	RegistryUsername string `` /* 187-byte string literal not displayed */

	// Token exchange (optional secondary credential derivation)
	TokenExchange *TokenExchangeConfig `` /* 186-byte string literal not displayed */
}

CustomOAuth2Config defines a user-configurable OAuth2 auth handler. Each entry registers as its own named auth.Handler, usable for any OAuth2 service (OCI registries, APIs, providers, etc.).

type EntraAuthConfig 

type EntraAuthConfig struct {
	// HTTPClient optionally overrides HTTP settings for Entra auth requests.
	HTTPClient *HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"HTTP client overrides for Entra"`

	// ClientID overrides the default application ID.
	// If not set, uses the default scafctl public client ID.
	ClientID string `` /* 164-byte string literal not displayed */

	// TenantID sets the default tenant for authentication.
	// Use "common" for multi-tenant, "organizations" for work/school only,
	// or a specific tenant GUID.
	TenantID string `` /* 137-byte string literal not displayed */

	// DefaultScopes are requested during login if not specified on command line.
	DefaultScopes []string `` /* 131-byte string literal not displayed */
}

EntraAuthConfig contains Entra-specific configuration.

type GCPAuthConfig added in v0.5.0 

type GCPAuthConfig struct {
	// HTTPClient optionally overrides HTTP settings for GCP auth requests.
	HTTPClient *HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"HTTP client overrides for GCP"`

	// ClientID overrides the default OAuth 2.0 client ID.
	ClientID string `` /* 195-byte string literal not displayed */

	// ClientSecret overrides the default OAuth 2.0 client secret.
	ClientSecret string `` //nolint:gosec // G117: not a hardcoded credential, it's a config field
	/* 169-byte string literal not displayed */

	// DefaultScopes are requested during login if not specified on command line.
	DefaultScopes []string `` /* 154-byte string literal not displayed */

	// ImpersonateServiceAccount is the service account email to impersonate.
	ImpersonateServiceAccount string `` /* 237-byte string literal not displayed */

	// Project is the default GCP project ID.
	Project string `` /* 141-byte string literal not displayed */
}

GCPAuthConfig contains GCP-specific configuration.

type GitHubAuthConfig added in v0.5.0 

type GitHubAuthConfig struct {
	// HTTPClient optionally overrides HTTP settings for GitHub auth requests.
	HTTPClient *HTTPClientConfig `json:"httpClient,omitempty" yaml:"httpClient,omitempty" mapstructure:"httpClient" doc:"HTTP client overrides for GitHub"`

	// ClientID overrides the default GitHub OAuth App client ID.
	// If not set, uses the default scafctl OAuth App client ID.
	ClientID string `` /* 150-byte string literal not displayed */

	// ClientSecret is the GitHub OAuth App client secret.
	// Required for the interactive (browser authorization code + PKCE) flow.
	// When not set, the interactive flow automatically uses device code with
	// browser auto-open — the same behaviour as 'gh auth login'.
	ClientSecret string `` //nolint:gosec // G117: config field, not a hardcoded credential
	/* 177-byte string literal not displayed */

	// Hostname sets the GitHub hostname for enterprise server (GHES).
	// Defaults to "github.com".
	Hostname string `` /* 134-byte string literal not displayed */

	// DefaultScopes are requested during login if not specified on command line.
	DefaultScopes []string `` /* 131-byte string literal not displayed */

	// AppID is the GitHub App ID for the installation token flow.
	AppID int64 `` /* 152-byte string literal not displayed */

	// InstallationID is the GitHub App installation ID.
	InstallationID int64 `` /* 166-byte string literal not displayed */

	// PrivateKeyPath is the file path to the PEM-encoded private key for the GitHub App.
	PrivateKeyPath string `` /* 207-byte string literal not displayed */

	// PrivateKey is the inline PEM-encoded private key for the GitHub App.
	PrivateKey string `` //nolint:gosec // Field name, not a credential
	/* 154-byte string literal not displayed */

	// PrivateKeySecretName is the name of the secret store entry containing the private key.
	PrivateKeySecretName string `` /* 206-byte string literal not displayed */
}

GitHubAuthConfig contains GitHub-specific configuration.

type GlobalAuthConfig 

type GlobalAuthConfig struct {
	// HTTPClient optionally overrides the global HTTP client settings for all auth handlers.
	// Individual handler configs (Entra, GitHub, GCP) can further override these.
	HTTPClient *HTTPClientConfig `` /* 127-byte string literal not displayed */

	// Entra contains Microsoft Entra ID configuration.
	Entra *EntraAuthConfig `json:"entra,omitempty" yaml:"entra,omitempty" mapstructure:"entra" doc:"Microsoft Entra ID configuration"`

	// GitHub contains GitHub authentication configuration.
	GitHub *GitHubAuthConfig `json:"github,omitempty" yaml:"github,omitempty" mapstructure:"github" doc:"GitHub authentication configuration"`

	// GCP contains Google Cloud Platform authentication configuration.
	GCP *GCPAuthConfig `json:"gcp,omitempty" yaml:"gcp,omitempty" mapstructure:"gcp" doc:"Google Cloud Platform authentication configuration"`

	// CustomOAuth2 contains user-defined OAuth2 auth handlers.
	CustomOAuth2 []CustomOAuth2Config `` /* 164-byte string literal not displayed */
}

GlobalAuthConfig holds authentication handler configuration.

type GoTemplateConfig added in v0.6.0 

type GoTemplateConfig struct {
	// CacheSize is the maximum number of compiled templates to cache
	CacheSize int `` /* 141-byte string literal not displayed */

	// EnableMetrics enables template metrics collection
	EnableMetrics *bool `json:"enableMetrics,omitempty" yaml:"enableMetrics,omitempty" mapstructure:"enableMetrics" doc:"Enable template metrics"`

	// AllowEnvFunctions enables the sprig 'env' and 'expandenv' template functions.
	// When false (the default), these functions are removed from the template
	// function map to prevent solution files from exfiltrating process secrets
	// (e.g. GITHUB_TOKEN, AWS_SECRET_ACCESS_KEY) via {{ env "SECRET" }}.
	// Set to true only if your solutions explicitly require reading env vars.
	AllowEnvFunctions bool `` /* 229-byte string literal not displayed */
}

GoTemplateConfig holds Go template engine configuration.

func (*GoTemplateConfig) ToGoTemplateValues added in v0.6.0 

func (g *GoTemplateConfig) ToGoTemplateValues() GoTemplateConfigValues

ToGoTemplateValues converts GoTemplateConfig to a GoTemplateConfigValues struct. If a config value is zero/empty, the default value from settings is used.

type GoTemplateConfigValues added in v0.6.0 

type GoTemplateConfigValues struct {
	CacheSize         int  `json:"cacheSize" yaml:"cacheSize" doc:"Template compilation cache size" maximum:"100000" example:"500"`
	EnableMetrics     bool `json:"enableMetrics" yaml:"enableMetrics" doc:"Enable template execution metrics"`
	AllowEnvFunctions bool `json:"allowEnvFunctions" yaml:"allowEnvFunctions" doc:"Allow sprig env/expandenv functions"`
}

GoTemplateConfigValues holds parsed Go template config values. This avoids circular dependencies between config and gotmpl packages.

type HTTPClientConfig 

type HTTPClientConfig struct {
	// Timeout is the maximum time to wait for a request to complete
	Timeout string `` /* 128-byte string literal not displayed */

	// Retry settings
	RetryMax     int    `` /* 132-byte string literal not displayed */
	RetryWaitMin string `` /* 155-byte string literal not displayed */
	RetryWaitMax string `` /* 156-byte string literal not displayed */

	// Cache settings
	EnableCache      *bool  `json:"enableCache,omitempty" yaml:"enableCache,omitempty" mapstructure:"enableCache" doc:"Enable HTTP response caching"`
	CacheType        string `` /* 153-byte string literal not displayed */
	CacheDir         string `` /* 161-byte string literal not displayed */
	CacheTTL         string `` /* 144-byte string literal not displayed */
	CacheKeyPrefix   string `` /* 155-byte string literal not displayed */
	MaxCacheFileSize int64  `` /* 192-byte string literal not displayed */
	MemoryCacheSize  int    `` /* 176-byte string literal not displayed */

	// Circuit breaker settings
	EnableCircuitBreaker              *bool  `` /* 148-byte string literal not displayed */
	CircuitBreakerMaxFailures         int    `` /* 190-byte string literal not displayed */
	CircuitBreakerOpenTimeout         string `` /* 194-byte string literal not displayed */
	CircuitBreakerHalfOpenMaxRequests int    `` /* 229-byte string literal not displayed */

	// Compression
	EnableCompression *bool `` /* 142-byte string literal not displayed */

	// AllowPrivateIPs controls whether HTTP requests to private, loopback, and
	// link-local IP addresses are permitted. Checked against IP literals only
	// (hostnames are not pre-resolved). When false (default), requests to RFC 1918
	// ranges (10.x, 172.16.x, 192.168.x), loopback (127.x, ::1), link-local
	// (169.254.x), and CGNAT (100.64.x) are blocked. Set to true to allow private
	// network access (e.g., for on-premises endpoints or local development).
	AllowPrivateIPs *bool `` /* 241-byte string literal not displayed */

	// MaxResponseBodySize is the maximum number of bytes the HTTP provider will
	// read from a single response body. Prevents denial-of-service via unbounded
	// responses from malicious or misconfigured servers. Defaults to 100 MB.
	MaxResponseBodySize int64 `` /* 217-byte string literal not displayed */
}

HTTPClientConfig holds HTTP client configuration settings. All duration fields use string format (e.g., "30s", "5m", "1h").

func (*HTTPClientConfig) Validate 

func (h *HTTPClientConfig) Validate() error

Validate validates the HTTP client configuration. Returns an error if any value is invalid.

type IdentityFieldMapping added in v0.7.0 

type IdentityFieldMapping struct {
	Username string `` /* 140-byte string literal not displayed */
	Email    string `json:"email,omitempty" yaml:"email,omitempty" mapstructure:"email" doc:"JSON field for email" maxLength:"128" example:"email"`
	Name     string `json:"name,omitempty" yaml:"name,omitempty" mapstructure:"name" doc:"JSON field for display name" maxLength:"128"`
}

IdentityFieldMapping maps fields in a token verification response to identity claims.

type LoggingConfig 

type LoggingConfig struct {
	Level           string `` /* 174-byte string literal not displayed */
	Format          string `` /* 144-byte string literal not displayed */
	Timestamps      bool   `json:"timestamps,omitempty" yaml:"timestamps,omitempty" mapstructure:"timestamps" doc:"Include timestamps in logs"`
	EnableProfiling bool   `` /* 142-byte string literal not displayed */
}

LoggingConfig holds logging configuration.

func (*LoggingConfig) Validate 

func (l *LoggingConfig) Validate() error

Validate validates the logging configuration. Returns an error if any value is invalid.

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager handles configuration loading and access.

func NewManager 

func NewManager(configPath string, opts ...ManagerOption) *Manager

NewManager creates a new configuration manager. If configPath is empty, the XDG-compliant default path will be used.

func (*Manager) AllSettings 

func (m *Manager) AllSettings() map[string]any

AllSettings returns all settings as a map.

func (*Manager) Config 

func (m *Manager) Config() *Config

Config returns the loaded configuration.

func (*Manager) ConfigPath 

func (m *Manager) ConfigPath() string

ConfigPath returns the path to the config file.

func (*Manager) Get 

func (m *Manager) Get(key string) any

Get returns a configuration value by key.

func (*Manager) GetUnknownKeys 

func (m *Manager) GetUnknownKeys() []string

GetUnknownKeys returns a list of configuration keys that are not recognized by the config schema. Useful for programmatic validation.

func (*Manager) IsSet 

func (m *Manager) IsSet(key string) bool

IsSet checks if a configuration key is set.

func (*Manager) Load 

func (m *Manager) Load() (*Config, error)

Load loads the configuration from file and environment.

func (*Manager) Save 

func (m *Manager) Save() error

Save saves the current configuration to file. It syncs m.config to viper before writing, then uses viper's WriteConfig. This allows both direct config modification AND Set() calls to be persisted.

func (*Manager) SaveAs 

func (m *Manager) SaveAs(path string) error

SaveAs saves the configuration to a specific path.

func (*Manager) Set 

func (m *Manager) Set(key string, value any)

Set sets a configuration value. For individual settings fields (e.g., "logging.level"), this also updates m.config to keep it in sync. For top-level struct values like "settings" or "catalogs", only viper is updated (the caller should modify cfg directly instead).

func (*Manager) WarnUnknownKeys 

func (m *Manager) WarnUnknownKeys(ctx context.Context)

WarnUnknownKeys logs warnings for any configuration keys that are not recognized by the config schema. This helps users identify typos or deprecated settings in their config files.

type ManagerOption added in v0.7.0 

type ManagerOption func(*Manager)

ManagerOption configures a Manager.

func ManagerOptionsFromContext added in v0.7.0 

func ManagerOptionsFromContext(ctx context.Context) []ManagerOption

ManagerOptionsFromContext retrieves the ManagerOption slice from the context. Returns nil when no options were stored.

func WithBaseConfig added in v0.7.0 

func WithBaseConfig(data []byte) ManagerOption

WithBaseConfig sets an embedded configuration layer that is merged after built-in defaults but before the user's config file. This allows embedders to ship organization-specific defaults without overwriting user config. The bytes must be valid YAML.

func WithEnvPrefix added in v0.7.0 

func WithEnvPrefix(prefix string) ManagerOption

WithEnvPrefix overrides the default environment variable prefix ("SCAFCTL"). The prefix is normalized to a safe env var format (upper-cased, hyphens/dots replaced with underscores).

type ResolverConfig 

type ResolverConfig struct {
	// Timeout is the default timeout per resolver execution
	Timeout string `` /* 132-byte string literal not displayed */

	// PhaseTimeout is the maximum time for each resolution phase
	PhaseTimeout string `` /* 144-byte string literal not displayed */

	// MaxConcurrency is the maximum concurrent resolvers per phase (0 = unlimited)
	MaxConcurrency int `` /* 166-byte string literal not displayed */

	// WarnValueSize is the warn threshold in bytes (0 = disabled)
	WarnValueSize int64 `` /* 159-byte string literal not displayed */

	// MaxValueSize is the max value size in bytes (0 = disabled)
	MaxValueSize int64 `` /* 157-byte string literal not displayed */

	// ValidateAll enables collecting all errors instead of stopping at first
	ValidateAll bool `` /* 126-byte string literal not displayed */
}

ResolverConfig holds resolver executor configuration.

func (*ResolverConfig) ToResolverValues 

func (r *ResolverConfig) ToResolverValues() (ResolverConfigValues, error)

ToResolverValues converts ResolverConfig to a ResolverConfigValues struct. Duration strings are parsed, and zero/empty values use defaults from settings.

func (*ResolverConfig) Validate 

func (r *ResolverConfig) Validate() error

Validate validates the resolver configuration. Returns an error if any value is invalid.

type ResolverConfigValues 

type ResolverConfigValues struct {
	Timeout        time.Duration `json:"timeout" yaml:"timeout" doc:"Per-resolver execution timeout"`
	PhaseTimeout   time.Duration `json:"phaseTimeout" yaml:"phaseTimeout" doc:"Per-phase execution timeout"`
	MaxConcurrency int           `json:"maxConcurrency" yaml:"maxConcurrency" doc:"Maximum concurrent resolver executions" maximum:"1000" example:"10"`
	WarnValueSize  int64         `` /* 128-byte string literal not displayed */
	MaxValueSize   int64         `json:"maxValueSize" yaml:"maxValueSize" doc:"Maximum allowed value size (bytes)" maximum:"1073741824" example:"10485760"`
	ValidateAll    bool          `json:"validateAll" yaml:"validateAll" doc:"Run all validators even if one fails"`
}

ResolverConfigValues holds parsed resolver config values with durations.

type SanitizedAuth added in v0.5.0 

type SanitizedAuth struct {
	Entra  *SanitizedEntraAuth  `json:"entra,omitempty" yaml:"entra,omitempty" doc:"Entra ID auth configuration (redacted)"`
	GitHub *SanitizedGitHubAuth `json:"github,omitempty" yaml:"github,omitempty" doc:"GitHub auth configuration (redacted)"`
	GCP    *SanitizedGCPAuth    `json:"gcp,omitempty" yaml:"gcp,omitempty" doc:"GCP auth configuration (redacted)"`
}

SanitizedAuth redacts client secrets and tokens from auth config.

type SanitizedCatAuth added in v0.5.0 

type SanitizedCatAuth struct {
	Type        string `json:"type" yaml:"type" doc:"Authentication type" maxLength:"64" example:"token"`
	TokenEnvVar string `` /* 139-byte string literal not displayed */
}

SanitizedCatAuth contains only non-sensitive catalog auth fields.

type SanitizedCatalog added in v0.5.0 

type SanitizedCatalog struct {
	Name     string            `json:"name" yaml:"name" doc:"Catalog name" maxLength:"256" example:"my-catalog"`
	Type     string            `json:"type" yaml:"type" doc:"Catalog type" maxLength:"64" example:"git"`
	Path     string            `json:"path,omitempty" yaml:"path,omitempty" doc:"Local filesystem path" maxLength:"1024" example:"/path/to/catalog"`
	URL      string            `json:"url,omitempty" yaml:"url,omitempty" doc:"Remote URL" maxLength:"2048" example:"https://github.com/org/catalog"`
	Auth     *SanitizedCatAuth `json:"auth,omitempty" yaml:"auth,omitempty" doc:"Authentication settings (redacted)"`
	Metadata map[string]string `json:"metadata,omitempty" yaml:"metadata,omitempty" doc:"Additional metadata"`
}

SanitizedCatalog redacts auth tokens from catalog config.

type SanitizedConfig added in v0.5.0 

type SanitizedConfig struct {
	Version    int                `json:"version,omitempty" yaml:"version,omitempty" doc:"Config file version" maximum:"10" example:"1"`
	Catalogs   []SanitizedCatalog `json:"catalogs" yaml:"catalogs" doc:"Configured solution catalogs" maxItems:"50"`
	Settings   Settings           `json:"settings" yaml:"settings" doc:"General application settings"`
	Logging    LoggingConfig      `json:"logging" yaml:"logging" doc:"Logging configuration"`
	HTTPClient HTTPClientConfig   `json:"httpClient" yaml:"httpClient" doc:"HTTP client configuration"`
	CEL        CELConfig          `json:"cel" yaml:"cel" doc:"CEL expression engine configuration"`
	Resolver   ResolverConfig     `json:"resolver" yaml:"resolver" doc:"Resolver execution configuration"`
	Action     ActionConfig       `json:"action" yaml:"action" doc:"Action execution configuration"`
	Auth       SanitizedAuth      `json:"auth" yaml:"auth" doc:"Authentication configuration (redacted)"`
	Build      BuildConfig        `json:"build" yaml:"build" doc:"Build configuration"`
}

SanitizedConfig mirrors Config but with sensitive fields redacted.

func SanitizeConfig added in v0.5.0 

func SanitizeConfig(cfg *Config) SanitizedConfig

SanitizeConfig creates a sanitized copy of the config with sensitive values redacted.

type SanitizedEntraAuth added in v0.5.0 

type SanitizedEntraAuth struct {
	ClientID      string   `` /* 151-byte string literal not displayed */
	TenantID      string   `` /* 139-byte string literal not displayed */
	DefaultScopes []string `json:"defaultScopes,omitempty" yaml:"defaultScopes,omitempty" doc:"Default OAuth scopes" maxItems:"20"`
}

SanitizedEntraAuth contains only non-sensitive Entra ID fields.

type SanitizedGCPAuth added in v0.5.0 

type SanitizedGCPAuth struct {
	ClientID                  string   `` /* 140-byte string literal not displayed */
	GCPClientCredential       string   `` /* 164-byte string literal not displayed */
	DefaultScopes             []string `json:"defaultScopes,omitempty" yaml:"defaultScopes,omitempty" doc:"Default OAuth scopes" maxItems:"20"`
	ImpersonateServiceAccount string   `` /* 183-byte string literal not displayed */
	Project                   string   `json:"project,omitempty" yaml:"project,omitempty" doc:"GCP project ID" maxLength:"256" example:"my-gcp-project"`
}

SanitizedGCPAuth contains only non-sensitive GCP auth fields.

type SanitizedGitHubAuth added in v0.5.0 

type SanitizedGitHubAuth struct {
	ClientID      string   `json:"clientId,omitempty" yaml:"clientId,omitempty" doc:"GitHub OAuth app client ID" maxLength:"256" example:"Iv1.abc123"`
	Hostname      string   `json:"hostname,omitempty" yaml:"hostname,omitempty" doc:"GitHub hostname" maxLength:"256" example:"github.com"`
	DefaultScopes []string `json:"defaultScopes,omitempty" yaml:"defaultScopes,omitempty" doc:"Default OAuth scopes" maxItems:"20"`
}

SanitizedGitHubAuth contains only non-sensitive GitHub auth fields.

type Settings 

type Settings struct {
	DefaultCatalog string              `` /* 154-byte string literal not displayed */
	NoColor        bool                `json:"noColor,omitempty" yaml:"noColor,omitempty" mapstructure:"noColor" doc:"Disable colored output"`
	Quiet          bool                `json:"quiet,omitempty" yaml:"quiet,omitempty" mapstructure:"quiet" doc:"Suppress non-essential output"`
	VersionCheck   *VersionCheckConfig `json:"versionCheck,omitempty" yaml:"versionCheck,omitempty" mapstructure:"versionCheck" doc:"Version check configuration"`

	// RequireSecureKeyring when true causes scafctl to fail with an error if the
	// OS keyring is unavailable and the secret store would fall back to an insecure
	// file-based or environment-variable-based master key. Enable this in
	// production or shared environments to prevent silent degradation of secret
	// protection.
	RequireSecureKeyring bool `` /* 195-byte string literal not displayed */
}

Settings holds application-wide settings.

type TelemetryConfig added in v0.5.0 

type TelemetryConfig struct {
	// Endpoint is the OTLP gRPC exporter endpoint (e.g. localhost:4317).
	// Equivalent to the OTEL_EXPORTER_OTLP_ENDPOINT environment variable.
	// When empty, tracing and OTel log export are disabled (noop providers).
	Endpoint string `` /* 151-byte string literal not displayed */

	// Insecure disables TLS for the OTLP gRPC connection. Useful for local
	// development setups where the collector has no TLS configured.
	Insecure bool `` /* 137-byte string literal not displayed */

	// ServiceName overrides the OTel resource service.name attribute.
	// Defaults to the binary name (scafctl).
	ServiceName string `` /* 163-byte string literal not displayed */

	// SamplerType controls the trace sampler. Supported values: always_on, always_off, traceidratio.
	// Defaults to always_on.
	SamplerType string `` /* 182-byte string literal not displayed */

	// SamplerArg is the argument passed to the sampler (e.g. ratio for traceidratio).
	SamplerArg float64 `` /* 152-byte string literal not displayed */
}

TelemetryConfig holds OpenTelemetry configuration.

type TokenExchangeConfig added in v0.7.0 

type TokenExchangeConfig struct {
	// URL is the API endpoint to call to derive a secondary token.
	URL string `` /* 156-byte string literal not displayed */
	// Method is the HTTP method (default: POST).
	Method string `` /* 133-byte string literal not displayed */
	// RequestBody is the JSON body to send. Supports Go template variables: {{.Hostname}}, {{.Username}}.
	RequestBody gotmpl.GoTemplatingContent `` /* 149-byte string literal not displayed */
	// TokenJSONPath is the dot-notation path to extract the derived token from the JSON response.
	TokenJSONPath string `` /* 161-byte string literal not displayed */
	// UsernameJSONPath optionally extracts a username from the response.
	UsernameJSONPath string `` /* 166-byte string literal not displayed */
}

TokenExchangeConfig defines a secondary API call that the OAuth2 handler executes after initial authentication. The primary OAuth2 token is injected as a Bearer token in the Authorization header. The response is parsed to extract a derived credential.

This is fully generic — not coupled to registries or any specific service type:

  • Quay.io: OAuth2 token → POST /api/v1/user/apptoken → app token
  • API gateway: OAuth2 token → POST /v1/keys/generate → scoped API key
  • Vault-like: OAuth2 token → POST /v1/auth/jwt/login → dynamic secret

Note: This is a configurable credential derivation step, not an implementation of RFC 8693 (OAuth 2.0 Token Exchange).

type VersionCheckConfig added in v0.6.0 

type VersionCheckConfig struct {
	// Timeout overrides the version check HTTP timeout (default: 5s).
	Timeout string `` /* 128-byte string literal not displayed */
	// Enabled can disable the automatic version check.
	Enabled *bool `json:"enabled,omitempty" yaml:"enabled,omitempty" mapstructure:"enabled" doc:"Enable version check"`
}

VersionCheckConfig holds version check configuration.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.