Documentation
Overview ¶
Package system provides infrastructure for system-level configuration: loading the system config file (~/.reglet/config.yaml) and the capability grants it declares.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
// Config represents the global configuration file (~/.reglet/config.yaml).
// It is infrastructure-level configuration, separate from profile
// configuration, and is read from a file under the user's home directory.
type Config struct {
	// SensitiveData configures secret resolution (see SensitiveDataConfig).
	SensitiveData SensitiveDataConfig `yaml:"sensitive_data"`
	// Redaction configures how sensitive data is sanitized (see RedactionConfig).
	Redaction RedactionConfig `yaml:"redaction"`
	// Security configures the policy applied to broad capability grants
	// (see SecurityConfig.Level).
	Security SecurityConfig `yaml:"security"`
	// Capabilities lists the capability grants declared in the config file.
	// Each entry is a Kind plus a Pattern (the "kind:pattern" example under
	// SecurityConfig.CustomBroadPatterns shows the shape); the pair is turned
	// into the internal hostfuncs form by ToHostFuncsCapabilities.
	// NOTE(review): these grants come from a user-writable file; whether
	// unknown kinds or malformed patterns are rejected at load time or at
	// conversion is not visible here — confirm before relying on it.
	Capabilities []struct {
		Kind    string `yaml:"kind"`
		Pattern string `yaml:"pattern"`
	} `yaml:"capabilities"`
	// WasmMemoryLimitMB presumably bounds the Wasm sandbox's memory, in MiB.
	// NOTE(review): the zero value's meaning (unlimited vs. a built-in
	// default) is not defined in this package — confirm with the consumer.
	WasmMemoryLimitMB int `yaml:"wasm_memory_limit_mb"`
	// MaxEvidenceSizeBytes presumably caps the size of collected evidence,
	// in bytes.
	// NOTE(review): as above, zero-value handling is not visible here.
	MaxEvidenceSizeBytes int `yaml:"max_evidence_size_bytes"`
}
Config represents the global configuration file (~/.reglet/config.yaml). This is infrastructure-level configuration separate from profile configuration.
func (*Config) ToHostFuncsCapabilities ¶
func (c *Config) ToHostFuncsCapabilities() []capabilities.Capability
ToHostFuncsCapabilities converts each Kind/Pattern entry in Config.Capabilities into the internal hostfuncs capabilities.Capability form. Whether unknown kinds or malformed patterns are rejected here or by the consumer is not stated on this page.
type ConfigLoader ¶
// ConfigLoader loads system configuration from disk. It carries no fields
// of its own; construct it with NewConfigLoader.
type ConfigLoader struct{}
ConfigLoader loads system configuration from disk.
func NewConfigLoader ¶
func NewConfigLoader() *ConfigLoader
NewConfigLoader creates a new system config loader.
type HashModeConfig ¶
HashModeConfig controls hash-based redaction.
type RedactionConfig ¶
// RedactionConfig configures how sensitive data is sanitized.
type RedactionConfig struct {
	// HashMode controls hash-based redaction (see HashModeConfig).
	HashMode HashModeConfig `yaml:"hash_mode"`
	// Patterns presumably lists patterns whose matches are redacted.
	// NOTE(review): the pattern syntax (regex vs. glob) is not defined in
	// this package — confirm with the redactor.
	Patterns []string `yaml:"patterns"`
	// Paths presumably lists paths whose contents are redacted.
	// NOTE(review): file paths vs. field paths is not defined here — confirm.
	Paths []string `yaml:"paths"`
}
RedactionConfig configures how sensitive data is sanitized.
type SecretsConfig ¶
// SecretsConfig configures the sources from which named secrets are
// resolved. Each map is keyed by the secret name.
type SecretsConfig struct {
	// Local defines static secrets for development (name -> value).
	// NOTE(review): these values sit in plaintext in ~/.reglet/config.yaml,
	// so the file's permissions are the only thing protecting them; do not
	// use Local outside development — prefer Env or Files.
	Local map[string]string `yaml:"local"`
	// Env defines environment variable mappings (secret_name -> env_var_name).
	Env map[string]string `yaml:"env"`
	// Files defines file path mappings (secret_name -> file_path).
	// NOTE(review): whether the resolver checks the file's ownership or mode
	// before reading it is not visible in this package — confirm.
	Files map[string]string `yaml:"files"`
}
SecretsConfig configures the sources from which named secrets are resolved: static values in the config file (Local, development only), environment variables (Env), and files on disk (Files).
type SecurityConfig ¶
// SecurityConfig configures the capability security policy: how grants
// that match a "broad" pattern are treated.
type SecurityConfig struct {
	// Level defines the security policy: "strict", "standard", or "permissive"
	// - strict: Deny all broad capabilities
	// - standard: Warn about broad capabilities (default)
	// - permissive: Allow all capabilities without warnings
	// Read it through GetSecurityLevel, which applies the default.
	// NOTE(review): "permissive" switches the broad-capability check off
	// entirely, and this file lives under the user's home directory; treat a
	// non-default Level as something to review, not merely a preference.
	Level string `yaml:"level"`
	// CustomBroadPatterns allows users to define additional patterns considered "broad"
	// Format: "kind:pattern" (e.g., "fs:write:/tmp/**")
	// These are additional to whatever the package already treats as broad;
	// that built-in set is not shown here.
	CustomBroadPatterns []string `yaml:"custom_broad_patterns"`
}
SecurityConfig configures the capability security policy: how grants matching a "broad" pattern are handled (Level) and which additional patterns count as broad (CustomBroadPatterns).
func (*SecurityConfig) GetSecurityLevel ¶
func (c *SecurityConfig) GetSecurityLevel() SecurityLevel
GetSecurityLevel returns the configured security level, falling back to SecurityLevelStandard when Level is not set. How an unrecognized Level string is treated is not documented here; check that it fails closed before relying on it.
type SecurityLevel ¶
// SecurityLevel represents the security enforcement level applied to broad
// capability grants; the valid values are the SecurityLevel* constants.
type SecurityLevel string
SecurityLevel represents the security enforcement level.
const (
	// SecurityLevelStrict denies broad capabilities.
	SecurityLevelStrict SecurityLevel = "strict"
	// SecurityLevelStandard warns about broad capabilities (default).
	SecurityLevelStandard SecurityLevel = "standard"
	// SecurityLevelPermissive allows all capabilities without warnings.
	// NOTE(review): this switches the broad-capability check off; it is the
	// value to look for when auditing a ~/.reglet/config.yaml.
	SecurityLevelPermissive SecurityLevel = "permissive"
)
type SensitiveDataConfig ¶
// SensitiveDataConfig configures secret resolution and protection. The
// structure is forward-compatible with future phases (OIDC, Cloud).
type SensitiveDataConfig struct {
	// Secrets configures where named secrets are resolved from.
	Secrets SecretsConfig `yaml:"secrets"`
}
SensitiveDataConfig configures secret resolution and protection. This structure is forward-compatible with future phases (OIDC, Cloud).