Documentation ¶
Overview ¶
Package system provides infrastructure for system-level configuration: loading the system config file (~/.reglet/config.yaml) and the capability grants it contains.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Config ¶
type Config struct {
	SensitiveData SensitiveDataConfig `yaml:"sensitive_data"`
	Limits        *LimitsConfig       `yaml:"limits,omitempty"`
	Redaction     RedactionConfig     `yaml:"redaction"`
	Security      SecurityConfig      `yaml:"security"`
	// Embed GrantSet for direct capability configuration
	// This maps network, fs, exec, env, kv blocks directly
	entities.GrantSet `yaml:",inline"`
	// TrustedProfileSources contains glob patterns for trusted remote profile sources.
	// Profiles from URLs matching these patterns bypass interactive trust prompts.
	// Example: ["https://company.github.io/*", "https://internal.example.com/profiles/*"]
	TrustedProfileSources []string `yaml:"trusted_profile_sources"`
	WasmMemoryLimitMB     int      `yaml:"wasm_memory_limit_mb"`
	MaxEvidenceSizeBytes  int      `yaml:"max_evidence_size_bytes"`
}
Config represents the global configuration file (~/.reglet/config.yaml). This is infrastructure-level configuration separate from profile configuration.
func DefaultConfig ¶
func DefaultConfig() *Config
DefaultConfig returns a Config with safe defaults for all fields. This is used when no system config file exists.
type ConfigLoader ¶
type ConfigLoader struct{}
ConfigLoader loads system configuration from disk.
func NewConfigLoader ¶
func NewConfigLoader() *ConfigLoader
NewConfigLoader creates a new system config loader.
type HashModeConfig ¶
HashModeConfig controls hash-based redaction.
type LimitsConfig ¶
type LimitsConfig struct {
	// Evidence & Data Limits
	MaxEvidenceSize      *int `yaml:"max_evidence_size,omitempty"`
	MaxHTTPResponseSize  *int `yaml:"max_http_response_size,omitempty"`
	MaxCommandOutputSize *int `yaml:"max_command_output_size,omitempty"`
	MaxSARIFArtifactSize *int `yaml:"max_sarif_artifact_size,omitempty"`
	// Expression Evaluation Limits
	MaxExpressionLength *int `yaml:"max_expression_length,omitempty"`
	MaxASTNodes         *int `yaml:"max_ast_nodes,omitempty"`
	// Network & HTTP Limits
	MaxHTTPRedirects *int           `yaml:"max_http_redirects,omitempty"`
	HTTPTimeout      *time.Duration `yaml:"http_timeout,omitempty"`
	HTTPIdleTimeout  *time.Duration `yaml:"http_idle_timeout,omitempty"`
	// Concurrency Limits
	MaxConcurrentControls     *int `yaml:"max_concurrent_controls,omitempty"`
	MaxConcurrentObservations *int `yaml:"max_concurrent_observations,omitempty"`
}
LimitsConfig defines configurable limits for security, performance, and resource usage. This can be specified at system level (~/.reglet/config.yaml) or profile level. Profile limits override system limits, but neither can exceed absolute maximums defined in constants.
All fields are pointers to distinguish between "not set" (nil) and "set to value". This allows proper merging: profile can override system, system can override defaults.
func (*LimitsConfig) Merge ¶
func (l *LimitsConfig) Merge(override *LimitsConfig) *LimitsConfig
Merge applies overrides from another LimitsConfig. Non-nil values in override take precedence over values in l. Returns a new LimitsConfig with merged values (does not modify l or override).
func (*LimitsConfig) Validate ¶
func (l *LimitsConfig) Validate() error
Validate checks that all configured limits are within acceptable bounds. Returns a detailed error if any limit exceeds its absolute maximum.
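The following Go program is an added example of the merge-and-validate pattern described above; it is not the package's own Merge or Validate. It uses an illustrative three-field subset of LimitsConfig and assumed absolute maximums (absMaxEvidenceSize, absMaxHTTPRedirects, absMaxHTTPTimeout) in place of the project's constants. It shows why the pointer fields matter: nil means "not set", an explicit zero stays expressible, the merge copies values so the result never aliases an input, and validation runs on the merged result so a profile can lower a ceiling but never raise it past the absolute maximum.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Limits is an illustrative three-field subset of LimitsConfig. Fields are
// pointers so that nil means "not set" while an explicit zero stays expressible.
// Added example of the merge/validate pattern, not the package's own code.
type Limits struct {
	MaxEvidenceSize  *int
	MaxHTTPRedirects *int
	HTTPTimeout      *time.Duration
}

// Assumed absolute maximums; the project defines its own constants elsewhere.
const (
	absMaxEvidenceSize  = 100 << 20 // 100 MiB
	absMaxHTTPRedirects = 10
	absMaxHTTPTimeout   = 5 * time.Minute
)

func intPtr(v int) *int                     { return &v }
func durPtr(d time.Duration) *time.Duration { return &d }

// pick returns a copy of override when set, otherwise a copy of base, otherwise
// nil. Copying means the merged config never aliases either input.
func pick[T any](base, override *T) *T {
	src := base
	if override != nil {
		src = override
	}
	if src == nil {
		return nil
	}
	v := *src
	return &v
}

// Merge returns a new Limits in which non-nil fields of override win. Neither
// l nor override is modified; a nil receiver or argument means "nothing set".
func (l *Limits) Merge(override *Limits) *Limits {
	if l == nil {
		l = &Limits{}
	}
	if override == nil {
		override = &Limits{}
	}
	return &Limits{
		MaxEvidenceSize:  pick(l.MaxEvidenceSize, override.MaxEvidenceSize),
		MaxHTTPRedirects: pick(l.MaxHTTPRedirects, override.MaxHTTPRedirects),
		HTTPTimeout:      pick(l.HTTPTimeout, override.HTTPTimeout),
	}
}

// Validate lists every configured limit that is out of range, so a profile can
// lower a ceiling but never raise it past the absolute maximum.
func (l *Limits) Validate() error {
	var problems []string
	if v := l.MaxEvidenceSize; v != nil && (*v <= 0 || *v > absMaxEvidenceSize) {
		problems = append(problems, fmt.Sprintf("max_evidence_size=%d must be in (0, %d]", *v, absMaxEvidenceSize))
	}
	if v := l.MaxHTTPRedirects; v != nil && (*v < 0 || *v > absMaxHTTPRedirects) {
		problems = append(problems, fmt.Sprintf("max_http_redirects=%d must be in [0, %d]", *v, absMaxHTTPRedirects))
	}
	if v := l.HTTPTimeout; v != nil && (*v <= 0 || *v > absMaxHTTPTimeout) {
		problems = append(problems, fmt.Sprintf("http_timeout=%s must be in (0, %s]", *v, absMaxHTTPTimeout))
	}
	if len(problems) > 0 {
		return fmt.Errorf("invalid limits: %s", strings.Join(problems, "; "))
	}
	return nil
}

// Resolve layers defaults <- system <- profile and validates the result once.
func Resolve(defaults, system, profile *Limits) (*Limits, error) {
	merged := defaults.Merge(system).Merge(profile)
	if err := merged.Validate(); err != nil {
		return nil, err
	}
	return merged, nil
}

func main() {
	defaults := &Limits{MaxEvidenceSize: intPtr(1 << 20), MaxHTTPRedirects: intPtr(5), HTTPTimeout: durPtr(30 * time.Second)}
	system := &Limits{MaxHTTPRedirects: intPtr(3)}             // tightened system-wide
	profile := &Limits{HTTPTimeout: durPtr(10 * time.Second)} // profile shortens the timeout only
	merged, err := Resolve(defaults, system, profile)
	if err != nil {
		panic(err)
	}
	fmt.Println(*merged.MaxEvidenceSize, *merged.MaxHTTPRedirects, *merged.HTTPTimeout)
	_, err = Resolve(defaults, system, &Limits{MaxHTTPRedirects: intPtr(50)})
	fmt.Println(err) // rejected: 50 exceeds the absolute maximum of 10
}
```

Because the profile layer is applied last, and profiles may come from remote sources, the Validate call on the merged result is the only thing standing between an untrusted profile and an arbitrarily large evidence size, response size or timeout; validating each layer in isolation would not add anything, but skipping validation of the merged result would.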
type RedactionConfig ¶
type RedactionConfig struct {
	HashMode HashModeConfig `yaml:"hash_mode"`
	Patterns []string       `yaml:"patterns"`
	Paths    []string       `yaml:"paths"`
}
RedactionConfig configures how sensitive data is sanitized.
type SecretsConfig ¶
type SecretsConfig struct {
	// Local defines static secrets for development (name -> value)
	Local map[string]string `yaml:"local"`
	// Env defines environment variable mappings (secret_name -> env_var_name)
	Env map[string]string `yaml:"env"`
	// Files defines file path mappings (secret_name -> file_path)
	Files map[string]string `yaml:"files"`
}
SecretsConfig configures secret resolution sources.
type SecurityConfig ¶
type SecurityConfig struct {
	// Level defines the security policy: "strict", "standard", or "permissive"
	// - strict: Deny all broad capabilities
	// - standard: Warn about broad capabilities (default)
	// - permissive: Allow all capabilities without warnings
	Level string `yaml:"level"`
	// CustomBroadPatterns allows users to define additional patterns considered "broad"
	// Format: "kind:pattern" (e.g., "fs:write:/tmp/**")
	CustomBroadPatterns []string `yaml:"custom_broad_patterns"`
}
SecurityConfig configures capability security policies.
func (*SecurityConfig) GetSecurityLevel ¶
func (c *SecurityConfig) GetSecurityLevel() SecurityLevel
GetSecurityLevel returns the configured security level, defaulting to Standard.
type SecurityLevel ¶
type SecurityLevel string
SecurityLevel represents the security enforcement level.
const (
	// SecurityLevelStrict denies broad capabilities
	SecurityLevelStrict SecurityLevel = "strict"
	// SecurityLevelStandard warns about broad capabilities (default)
	SecurityLevelStandard SecurityLevel = "standard"
	// SecurityLevelPermissive allows all capabilities without warnings
	SecurityLevelPermissive SecurityLevel = "permissive"
)
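As an added illustration, not the project's code, of how SecurityConfig, GetSecurityLevel and the "kind:pattern" format of custom_broad_patterns combine into an enforcement decision, the Go program below mirrors the page's SecurityLevel and SecurityConfig types and adds a hypothetical Policy. Assumptions of this example: the glob semantics for pattern entries (`**` matches across `/`, a single `*` stays within one path segment), the Decision type, and that only the custom patterns count as broad, since the project's built-in broad set is not on this page. It also adds a check the page does not show: rejecting unknown level strings up front, because GetSecurityLevel's fallback to Standard means a typo in the level would otherwise silently downgrade enforcement from strict.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SecurityLevel and SecurityConfig mirror the page's types; everything else
// in this file is added illustration, not the project's code.
type SecurityLevel string

const (
	SecurityLevelStrict     SecurityLevel = "strict"
	SecurityLevelStandard   SecurityLevel = "standard"
	SecurityLevelPermissive SecurityLevel = "permissive"
)

type SecurityConfig struct {
	Level               string
	CustomBroadPatterns []string // "kind:pattern", e.g. "fs:write:/tmp/**"
}

// GetSecurityLevel returns the configured level, defaulting to Standard.
func (c *SecurityConfig) GetSecurityLevel() SecurityLevel {
	switch l := SecurityLevel(c.Level); l {
	case SecurityLevelStrict, SecurityLevelPermissive:
		return l
	}
	return SecurityLevelStandard
}

// Decision is the outcome for one requested capability (assumed type).
type Decision string

const Allow, Warn, Deny Decision = "allow", "warn", "deny"

// globToRegexp compiles a "kind:pattern" glob. Assumed semantics: "**" matches
// anything including '/', "*" stays within one path segment. Every literal
// byte is quoted, so the generated expression always compiles.
func globToRegexp(glob string) *regexp.Regexp {
	var sb strings.Builder
	sb.WriteString("^")
	for i := 0; i < len(glob); i++ {
		switch {
		case strings.HasPrefix(glob[i:], "**"):
			sb.WriteString(".*")
			i++ // consume the second '*'
		case glob[i] == '*':
			sb.WriteString("[^/]*")
		default:
			sb.WriteString(regexp.QuoteMeta(glob[i : i+1]))
		}
	}
	sb.WriteString("$")
	return regexp.MustCompile(sb.String())
}

// Policy holds the effective level and the compiled broad patterns. Only the
// custom patterns count as broad here; the built-in broad set is not modelled.
type Policy struct {
	level SecurityLevel
	broad []*regexp.Regexp
}

// NewPolicy validates the config first. Rejecting unknown level strings is an
// assumed check: otherwise a typo such as "stirct" falls back to Standard.
func NewPolicy(c *SecurityConfig) (*Policy, error) {
	switch SecurityLevel(c.Level) {
	case "", SecurityLevelStrict, SecurityLevelStandard, SecurityLevelPermissive:
	default:
		return nil, fmt.Errorf("security.level %q: want strict, standard or permissive", c.Level)
	}
	p := &Policy{level: c.GetSecurityLevel()}
	for _, pat := range c.CustomBroadPatterns {
		if !strings.Contains(pat, ":") {
			return nil, fmt.Errorf("custom_broad_patterns entry %q: want kind:pattern", pat)
		}
		p.broad = append(p.broad, globToRegexp(pat))
	}
	return p, nil
}

// Evaluate applies the level to a requested capability in "kind:..." form:
// narrow capabilities are always allowed; broad ones are denied under strict,
// warned about under standard and allowed silently under permissive.
func (p *Policy) Evaluate(capability string) Decision {
	broad := false
	for _, re := range p.broad {
		broad = broad || re.MatchString(capability)
	}
	switch {
	case !broad, p.level == SecurityLevelPermissive:
		return Allow
	case p.level == SecurityLevelStrict:
		return Deny
	}
	return Warn
}
```

Whether a single `*` may cross a `/` is the detail to confirm against the real matcher before relying on a pattern such as "fs:write:/tmp/*": under the segment-bound semantics assumed here it would not cover "fs:write:/tmp/a/b", so the broader "fs:write:/tmp/**" from the page is the safer form for a deny rule.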
type SensitiveDataConfig ¶
type SensitiveDataConfig struct {
	Secrets SecretsConfig `yaml:"secrets"`
}
SensitiveDataConfig configures secret resolution and protection. This structure is forward-compatible with future phases (OIDC, Cloud).