Documentation ¶
Overview ¶
Package consts provides compile-time constants and pure path/URI accessors shared across the clawker codebase. This is a leaf package — stdlib only, zero internal imports. Any package can import it without pulling in config, docker, storage, or any other heavy dependency.
What goes here:
- True Go `const` values (strings, ints, ports, label keys, file names)
- Pure accessor functions that combine consts with a caller-provided base (e.g. join a dataDir with a subdir name, format a host+port into a URL)
- Methods that ensure directory existence on the caller-provided base
- Values that read from env vars
What stays on Config:
- Anything that requires YAML-backed file I/O through the storage layer
Migration: callers that previously accessed these via Config interface methods (e.g. cfg.ClawkerNetwork()) can import this package directly. The Config methods remain as deprecated wrappers backed by these values.
Most path accessors ensure their target directory exists on every call via os.MkdirAll (0o755; the auth directory tree created by EnsureAuthDirs is 0o700). Callers do not need to pre-create directories before writing files underneath: asking for the parent directory path is enough. Two caveats. os.MkdirAll never changes the mode of a directory that already exists, so an accessor cannot tighten a directory created with looser permissions by an earlier run. And accessors documented as returning a bare path (SettingsFilePath, for example) create nothing; their callers must ensure the parent exists.
Index ¶
- Constants
- Variables
- func AuditLogPath() (string, error)
- func AuthCACertPath() (string, error)
- func AuthCADir() (string, error)
- func AuthCAKeyPath() (string, error)
- func AuthCLIClientCertPath() (string, error)
- func AuthCLIClientKeyPath() (string, error)
- func AuthCLIDir() (string, error)
- func AuthCLISigningJWKPath() (string, error)
- func AuthCLISigningKeyPath() (string, error)
- func AuthCPClientCertPath() (string, error)
- func AuthCPClientKeyPath() (string, error)
- func AuthCPDir() (string, error)
- func AuthInfraCACertPath() (string, error)
- func AuthInfraCADir() (string, error)
- func AuthInfraCAKeyPath() (string, error)
- func AuthOtelDir() (string, error)
- func AuthOtelServerCertPath() (string, error)
- func AuthOtelServerKeyPath() (string, error)
- func AuthServerCertPath() (string, error)
- func AuthServerKeyPath() (string, error)
- func AuthTLSDir() (string, error)
- func BridgePIDFilePath(containerID string) (string, error)
- func BridgesSubdir() (string, error)
- func BuildSubdir() (string, error)
- func CacheDir() string
- func ConfigDir() string
- func ControlPlaneDBPath() (string, error)
- func ControlPlaneLogFilePath() (string, error)
- func ControlPlaneSubdir() (string, error)
- func CorefilePath() (string, error)
- func DataDir() string
- func DockerfilesSubdir() (string, error)
- func EgressRulesPath() (string, error)
- func EnsureAuthDirs() error
- func EnvoyConfigPath() (string, error)
- func FirewallCertSubdir() (string, error)
- func FirewallDataSubdir() (string, error)
- func GRPCSocketPath() (string, error)
- func HealthURL(host string, port int, path string) string
- func HostProxyLogFilePath() (string, error)
- func HostProxyPIDFilePath() (string, error)
- func HydraSystemSecretPath() (string, error)
- func LogsSubdir() (string, error)
- func MonitorSubdir() (string, error)
- func OIDCSocketPath() (string, error)
- func OtelClientsDir() (string, error)
- func PidsSubdir() (string, error)
- func ProjectRegistryFilePath() (string, error)
- func ReadyFilePath() (string, error)
- func ServiceURL(host string, port int, https bool) string
- func SettingsFilePath() (string, error)
- func ShareSubdir() (string, error)
- func SocketsDir() (string, error)
- func StateDir() string
- func UserProjectConfigFilePath() (string, error)
- func WorktreesSubdir() (string, error)
Constants ¶
const (
	// NamePrefix is the leading segment of every clawker resource name
	// (containers, volumes, images, AgentFullName values). Three-segment
	// names NamePrefix.project.agent scope an agent to a registered
	// project; two-segment names NamePrefix.agent identify a
	// global-scope agent (no project namespace). Both shapes are
	// first-class — neither is a degraded form of the other.
	NamePrefix = "clawker"

	// Domain is the public-facing domain used in help text, URLs, and output.
	Domain = "clawker.dev"

	// LabelDomain is the base OCI/Docker label namespace prefix.
	LabelDomain = "dev.clawker"

	// LabelPrefix is the full label key prefix with trailing dot.
	LabelPrefix = LabelDomain + "."
)
Domain and label namespace.
const (
	LabelManaged   = LabelPrefix + "managed"
	LabelProject   = LabelPrefix + "project"
	LabelAgent     = LabelPrefix + "agent"
	LabelVersion   = LabelPrefix + "version"
	LabelImage     = LabelPrefix + "image"
	LabelCreated   = LabelPrefix + "created"
	LabelWorkdir   = LabelPrefix + "workdir"
	LabelPurpose   = LabelPrefix + "purpose"
	LabelTestName  = LabelPrefix + "test.name"
	LabelBaseImage = LabelPrefix + "base-image"
	LabelFlavor    = LabelPrefix + "flavor"
	LabelTest      = LabelPrefix + "test"
	LabelE2ETest   = LabelPrefix + "e2e-test"
)
Docker/OCI label keys.
const (
	ManagedLabelValue   = "true"
	PurposeAgent        = "agent"
	PurposeMonitoring   = "monitoring"
	PurposeFirewall     = "firewall"
	PurposeControlPlane = "controlplane"
)
Label values.
const (
	EngineLabelPrefix  = LabelDomain
	EngineManagedLabel = "managed"
)
Whail engine label configuration (without trailing dot — whail adds its own).
const (
	EnvConfigDir   = "CLAWKER_CONFIG_DIR"
	EnvDataDir     = "CLAWKER_DATA_DIR"
	EnvStateDir    = "CLAWKER_STATE_DIR"
	EnvCacheDir    = "CLAWKER_CACHE_DIR"
	EnvTestRepoDir = "CLAWKER_TEST_REPO_DIR"
)
Environment variable names for directory overrides.
const (
	ProjectConfigFile   = "clawker.yaml"
	SettingsFile        = "settings.yaml"
	ProjectRegistryFile = "projects.yaml"
	IgnoreFile          = ".clawkerignore"
	EgressRulesFile     = "egress-rules.yaml"
	EnvoyConfigFile     = "envoy.yaml"
	Corefile            = "Corefile"

	// ControlPlaneDBFile is the sqlite database the CP daemon owns under
	// ControlPlaneSubdir. agentregistry holds the `agents` table; future
	// CP-owned tables share the same file.
	ControlPlaneDBFile = "controlplane.db"
)
File names (not paths — paths are runtime-resolved via accessor funcs below).
const (
	HostProxyPIDFile    = "hostproxy.pid"
	HostProxyLogFile    = "hostproxy.log"
	ControlPlaneLogFile = "clawker-controlplane.log"

	// CPBootLogFile is the host-side CP-lifecycle log. The CP daemon owns
	// ControlPlaneLogFile (it writes to it from inside the container via
	// the bind-mounted logs dir); the host-side cpboot code that manages
	// CP container lifecycle writes here instead so the two processes
	// never concurrently append to the same file and shear each other's
	// log lines.
	CPBootLogFile = "clawker-cpboot.log"

	BridgePIDSuffix = ".pid"
	ReadyFile       = "ready"
	GRPCSocketFile  = "grpc.sock"
	OIDCSocketFile  = "oidc.sock"
	AuditLogFile    = "audit.log"
)
PID and log file names.
const (
	ContainerCP      = "clawker-controlplane"
	ContainerEnvoy   = "clawker-envoy"
	ContainerCoreDNS = "clawker-coredns"

	// ContainerClawkerd is the deterministic Subject.CommonName baked
	// into every per-agent leaf cert minted by the CLI. It identifies
	// the clawkerd binary as the cert holder; the per-agent identity
	// (the AgentFullName "clawker.<project>.<agent>") lives in a URI
	// SAN so it isn't pinned to x509's 64-byte CN limit. CP-side gates
	// pin the peer CN to this constant; agent identity is read from
	// the SAN and verified against label-derived ground truth.
	ContainerClawkerd = "clawker-clawkerd"
)
Container names.
const (
	EnvoyIPLastOctet   = 200
	CoreDNSIPLastOctet = 201
	CPIPLastOctet      = 202
)
Static IP assignments (last octet on clawker-net). Docker's IPAM hands out dynamic addresses from .2 upward; the firewall infrastructure takes high octets so the two ranges do not collide.
const (
	// EnvoyEgressPort is the main Envoy egress listener (TLS + HTTP).
	EnvoyEgressPort = 10000
	// EnvoyTCPPortBase is the starting port for TCP/SSH listeners.
	EnvoyTCPPortBase = 10001
	// EnvoyHealthPort is the Envoy health check listener (inside container).
	EnvoyHealthPort = 9902
	// EnvoyHealthHostPort is the host-published port for Envoy health probes.
	EnvoyHealthHostPort = 18901
	// CoreDNSHealthHostPort is the host-published port for CoreDNS health probes.
	CoreDNSHealthHostPort = 18902
	// CoreDNSHealthPath is the HTTP path for CoreDNS health checks.
	CoreDNSHealthPath = "/health"
)
Firewall stack ports.
const (
	DefaultCPAdminPort     = 7443
	DefaultCPHealthPort    = 7080
	DefaultHydraPublicPort = 4444
	DefaultHydraAdminPort  = 4445
	DefaultOathkeeperPort  = 4456

	// DefaultCPAgentPort is the in-container gRPC port for the agent
	// listener (mTLS, clawker-net only). Matches the
	// ControlPlaneSettings.AgentPort struct-tag default.
	DefaultCPAgentPort = 7444

	// DefaultClawkerdPort is the in-container gRPC port for the
	// clawkerd listener (mTLS, clawker-net only). CP dials this
	// port to dispatch commands; the listener pins peer CN to
	// ContainerCP.
	DefaultClawkerdPort = 7700
)
Control plane port defaults. These are flag defaults for the CP binary and test constants. Production callers should read cfg.Settings().ControlPlane.<field>, which gets its defaults from struct tags via the storage layer.
const (
	// ClawkerdKeepaliveServerPingInterval is how often the server
	// (clawkerd) pings an otherwise-idle client (CP). Drives the
	// server's keepalive.ServerParameters.Time.
	ClawkerdKeepaliveServerPingInterval = 30 * time.Second

	// ClawkerdKeepaliveClientPingInterval is how often the client
	// (CP) pings an otherwise-idle server (clawkerd). Drives the
	// client's keepalive.ClientParameters.Time.
	ClawkerdKeepaliveClientPingInterval = 30 * time.Second

	// ClawkerdKeepalivePingTimeout is how long either side waits
	// for a keepalive ping response before declaring the connection
	// dead. Drives keepalive.{Server,Client}Parameters.Timeout.
	ClawkerdKeepalivePingTimeout = 10 * time.Second

	// ClawkerdKeepaliveMinClientPing caps how often a client may
	// ping the server (server-side abuse defense). MUST be <=
	// ClawkerdKeepaliveClientPingInterval. Drives the server's
	// keepalive.EnforcementPolicy.MinTime.
	ClawkerdKeepaliveMinClientPing = 10 * time.Second
)
gRPC keepalive parameters for the CP↔clawkerd Session channel. Shared by clawkerd (server) and CP (client) so the two sides can't drift apart and start tearing down healthy connections.
Constraint the gRPC library enforces: a client's ping interval must be >= the server's EnforcementPolicy MinTime, otherwise the server closes the connection with an ENHANCE_YOUR_CALM ("too_many_pings") GOAWAY. With the values above, ClawkerdKeepaliveMinClientPing (10s) sits below ClawkerdKeepaliveClientPingInterval (30s), so the CP never pings faster than clawkerd permits; keep that ordering when tuning either constant.
const (
	ContainerUID  = 1001
	ContainerGID  = 1001
	ContainerUser = "claude"

	// ContainerHomeDir is the unprivileged container user's home,
	// fixed by the bundler's Dockerfile template. CP-side init scripts
	// reference $HOME, but PipeStage.Env must set HOME explicitly per
	// stage because Linux's setuid syscall does not update HOME/USER.
	ContainerHomeDir = "/home/" + ContainerUser
)
Container user identity.
const (
	// HostGitConfigStagingPath is the in-container target where the
	// host's ~/.gitconfig is bind-mounted RO. The CP-driven init "git"
	// step filters [credential] sections out and copies the result to
	// $HOME/.gitconfig. Workspace mount setup re-exports this value.
	HostGitConfigStagingPath = "/tmp/host-gitconfig"

	// ReadyMarkerPath is the file clawkerd touches after the spawn
	// child's exec.Cmd.Start returns nil. Docker HEALTHCHECK and
	// external readiness probes look for it. Cleared on every
	// container start.
	ReadyMarkerPath = "/var/run/clawker/ready"
)
In-container paths that span the supervisor↔CP-driven init contract. The Dockerfile template (or CLI ContainerCopy) creates these; CP-side init scripts and clawkerd's spawn path read/write them. Single source of truth so a path rename in the bundler doesn't drift silently from init.go.
const (
	InitStepTimeoutDefaultSeconds  uint32 = 30
	InitStepTimeoutPostInitSeconds uint32 = 600
)
Init-phase wall-clock ceilings used by the CP-driven init plan; InitStepTimeoutPostInitSeconds covers post-init, the longest-running step. CP's per-step ceiling in `internal/controlplane/agent/init.go::runStep` is the only timeout that gates init now: clawkerd-as-PID-1 has no separate shell-script ceiling to coordinate with.
const (
	ScopeAdmin = "admin"

	// ScopeAgentSelfRegister gates clawkerd's calls on AgentService.
	// AgentService proto is empty in this branch; Hydra still grants
	// this scope so future inbound clawkerd→CP RPCs land with the
	// auth chain intact. Finer-grained agent scopes can be added
	// alongside future methods.
	ScopeAgentSelfRegister = "agent:self:register"
)
Auth scopes (for gRPC method authorization).
const (
	ClientIDCLI = "clawker-cli"

	// ClientIDAgent is the OAuth2 client identity Hydra issues access
	// tokens to for clawkerd. CLI signs assertions for both clients with
	// one private key — distinct client IDs keep the scope surface clean.
	ClientIDAgent = "clawker-agent"
)
OIDC client IDs.
const (
	// BootstrapDir is the in-container path where the CLI delivers
	// per-agent registration material via Docker's CopyToContainer API
	// between `docker create` and `docker start`. Files are 0400
	// root:root, directory is 0700 root:root. Lives in the container's
	// writable layer (NOT a tmpfs mount — Docker has no API to
	// pre-populate tmpfs, and a tmpfs mount at this path would shadow
	// the pre-start writes). Reclaimed on `docker rm`.
	BootstrapDir = "/run/clawker/bootstrap"

	// Bootstrap file names under BootstrapDir.
	BootstrapCertFile      = "cert.pem"
	BootstrapKeyFile       = "key.pem"
	BootstrapCAFile        = "ca.pem"
	BootstrapAssertionFile = "assertion.jwt"
)
Agent bootstrap material (per-container auth artifacts).
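The delivery step just described, as an added example that is not the project's code: packing the four bootstrap files into the tar stream that Docker's CopyToContainer consumes, with every member carrying the modes the page specifies (directory 0700 root:root, files 0400 root:root; a tar header with zero Uid/Gid is root), then reading the stream back to see exactly what the container will end up with. The constants are the page's; the archive layout (one bootstrap/ directory extracted into the parent of BootstrapDir), the rule that exactly those four files must be present, and the placeholder contents are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"time"
)

// Constants from the page.
const (
	BootstrapDir           = "/run/clawker/bootstrap"
	BootstrapCertFile      = "cert.pem"
	BootstrapKeyFile       = "key.pem"
	BootstrapCAFile        = "ca.pem"
	BootstrapAssertionFile = "assertion.jwt"
)

// bootstrapFiles is the closed set of names allowed under BootstrapDir, in
// the order they are written (assumption: all four are always delivered).
var bootstrapFiles = []string{BootstrapCertFile, BootstrapKeyFile, BootstrapCAFile, BootstrapAssertionFile}

// entry is what a reader of the stream sees for one member.
type entry struct {
	Mode     int64
	Uid, Gid int
	Size     int64
	Dir      bool
}

// bootstrapArchive builds the tar stream for CopyToContainer (assumed dstPath:
// path.Dir(BootstrapDir)). The directory member is 0700 and each file 0400;
// Uid/Gid are left at zero, which is root:root. Any deviation from the exact
// set of bootstrap names is an error, so nothing extra can ride along.
func bootstrapArchive(files map[string][]byte) ([]byte, error) {
	if len(files) != len(bootstrapFiles) {
		return nil, fmt.Errorf("want exactly %d bootstrap files, got %d", len(bootstrapFiles), len(files))
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	dir := path.Base(BootstrapDir)
	epoch := time.Unix(0, 0) // fixed mtime keeps the stream reproducible
	if err := tw.WriteHeader(&tar.Header{Typeflag: tar.TypeDir, Name: dir + "/", Mode: 0o700, ModTime: epoch}); err != nil {
		return nil, err
	}
	for _, name := range bootstrapFiles {
		data, ok := files[name]
		if !ok {
			return nil, fmt.Errorf("missing bootstrap file %q", name)
		}
		hdr := &tar.Header{Typeflag: tar.TypeReg, Name: dir + "/" + name, Mode: 0o400, Size: int64(len(data)), ModTime: epoch}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readArchive walks the stream back and reports each member's ownership and
// mode, i.e. what the container will see under BootstrapDir after extraction.
func readArchive(stream []byte) (map[string]entry, error) {
	out := map[string]entry{}
	tr := tar.NewReader(bytes.NewReader(stream))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		out[hdr.Name] = entry{Mode: hdr.Mode, Uid: hdr.Uid, Gid: hdr.Gid, Size: hdr.Size, Dir: hdr.Typeflag == tar.TypeDir}
	}
}

func main() {
	// Constructed placeholder contents; the real material is minted by the CLI.
	stream, err := bootstrapArchive(map[string][]byte{
		BootstrapCertFile:      []byte("-----BEGIN CERTIFICATE-----\n"),
		BootstrapKeyFile:       []byte("-----BEGIN PRIVATE KEY-----\n"),
		BootstrapCAFile:        []byte("-----BEGIN CERTIFICATE-----\n"),
		BootstrapAssertionFile: []byte("header.payload.signature"),
	})
	if err != nil {
		panic(err)
	}
	members, err := readArchive(stream)
	if err != nil {
		panic(err)
	}
	for name, e := range members {
		fmt.Printf("%-24s mode %04o uid %d gid %d size %d\n", name, e.Mode, e.Uid, e.Gid, e.Size)
	}
}
```

readArchive is the check worth keeping in a test: the tar headers are the only place the 0400/0700 contract is stated before the files exist in a container, so a header written without Mode or with a non-root Uid/Gid shows up here rather than as a readable private key in the writable layer.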
const (
	// EnvAgent is the agent name (e.g. "dev"). Container-wide env;
	// readable by every process in the container including the
	// unprivileged user's shell. Set by the CLI at container create
	// from `--agent` (or generated). Consumed by the statusline and by
	// clawkerd's structured-log binding.
	EnvAgent = "CLAWKER_AGENT"

	// EnvProject is the project name (e.g. "clawker"). Same scope +
	// caveats as EnvAgent.
	EnvProject = "CLAWKER_PROJECT"

	// EnvClawkerdHydraURL points clawkerd at the CP-published Hydra
	// public endpoint for OAuth2 token exchange.
	EnvClawkerdHydraURL = "CLAWKER_CP_HYDRA_URL"

	// EnvClawkerdAgentAddr is the host:port of the CP's agent gRPC
	// listener on clawker-net.
	EnvClawkerdAgentAdd = "CLAWKER_CP_AGENT_ADDR"

	// EnvClawkerUser names the unprivileged identity the spawn child
	// runs as. Set by the Dockerfile to ContainerUser at image build;
	// clawkerd resolves it against /etc/passwd to fill
	// SysProcAttr.Credential when forking the user CMD. Empty/unset
	// falls back to ContainerUser ("claude").
	EnvClawkerUser = "CLAWKER_USER"
)
Container env vars for clawkerd bootstrap. clawkerd reads only what it can authoritatively assert: container_id is server-derived from the registry row keyed by container_id, and project + agent_name travel via env vars only for log binding (the AgentFullName is reconstructed on demand from the registry row's project + agent_name columns; there is no pre-computed identity column). Adding a CLAWKER_CONTAINER_ID env would let a coerced clawkerd lie to itself; resist that temptation.
const (
	EnvHostConfigDir = "CLAWKER_HOST_CONFIG_DIR"
	EnvHostDataDir   = "CLAWKER_HOST_DATA_DIR"
	EnvHostStateDir  = "CLAWKER_HOST_STATE_DIR"
	EnvHostCacheDir  = "CLAWKER_HOST_CACHE_DIR"
)
Env vars the CLI host-side bootstrap MUST set on the CP container so the CP can compute host-FS bind mount sources when it creates sibling containers (Envoy, CoreDNS, etc.) via Docker-outside-of-Docker. All four are required; a missing value is caught by cpboot.HostDirs.Validate().
const (
	// CPLogsPath is the container-side directory for CP logs.
	// Bind-mounted from the host's state/logs directory.
	CPLogsPath = "/var/log/clawker"

	// CPDockerSockPath is the host-side Docker socket path.
	CPDockerSockPath = "/var/run/docker.sock"

	// CPClawkerDataDir is the container-side directory for Clawker data.
	CPClawkerDataDir = "/usr/local/share/clawker"

	CPClawkerDir = "/etc/clawker"

	// CPClawkerConfigDir is the container-side directory for Clawker config.
	CPClawkerConfigDir = CPClawkerDir + "/config"

	// CPMaxRestartRetries bounds Docker's on-failure restart loop so a
	// persistently crashing CP stays down until the user runs
	// `clawker controlplane up`.
	CPMaxRestartRetries = 3

	// CPCACertPath is the container-side path for the CP's CA certificate.
	CPCACertPath = CPClawkerDir + "/auth/tls/ca.pem"

	// CPTLSCertPath is the container-side path for the CP's TLS certificate.
	CPTLSCertPath = CPClawkerDir + "/auth/tls/server.pem"

	// CPTLSKeyPath is the container-side path for the CP's TLS private key.
	CPTLSKeyPath = CPClawkerDir + "/auth/tls/server.key"

	// CPCLIPubKeyPath is the container-side path for the CLI's public signing key (JWK).
	CPCLIPubKeyPath = CPClawkerDir + "/auth/cli/signing-jwk.json"

	// CPClientCertPath / CPClientKeyPath are the container-side paths
	// for the CP's outbound mTLS identity. CN equals ContainerCP and
	// ExtKeyUsage includes ClientAuth so any peer that needs to
	// authenticate "this is the CP" (clawkerd's listener CN-pin, the
	// OTLP receiver, etc.) accepts this cert. One identity cert
	// across all CP-as-client uses keeps the contract simple — the
	// cert IS "this is the CP".
	CPClientCertPath = CPClawkerDir + "/auth/cp/client.pem"
	CPClientKeyPath  = CPClawkerDir + "/auth/cp/client.key"

	// CPInfraCACertPath / CPInfraCAKeyPath are the container-side paths
	// for the infra intermediate CA the CP uses to mint short-lived
	// mTLS client leaves for clawker infra services (Envoy, CoreDNS,
	// ...). The intermediate is signed by the CLI root CA. The same
	// intermediate cert is mounted as the otel-collector's
	// `client_ca_file` for the `otlp/infra` receiver (see
	// internal/cmd/monitor/init), which locks the trusted forensic
	// lane to envoy/coredns/cp senders — a CLI-root-signed agent leaf
	// cannot chain to the intermediate and is rejected at the TLS
	// handshake. See internal/controlplane/infracerts for the Issuer.
	CPInfraCACertPath = CPClawkerDir + "/auth/infra-ca/infra-ca.pem"
	CPInfraCAKeyPath  = CPClawkerDir + "/auth/infra-ca/infra-ca.key"

	// CPFirewallDataDir is the container-side directory for CP-managed firewall state.
	CPFirewallDataDir = CPClawkerDataDir + "/firewall"

	// CPControlPlaneDir is the container-side directory holding the
	// CP daemon's own state (sqlite DB, future CP-owned files).
	// Bind-mounted RW from HostControlPlaneSubdir.
	CPControlPlaneDir = CPClawkerDataDir + "/controlplane"

	// CPControlPlaneDBPath is the container-side path to the sqlite
	// database the CP daemon owns. agentregistry holds the `agents`
	// table; future CP-owned tables share the same file.
	CPControlPlaneDBPath = CPControlPlaneDir + "/controlplane.db"

	CPKratosConfigFilename     = "kratos.yaml"
	CPHydraConfigFilename      = "hydra.yaml"
	CPOathkeeperConfigFilename = "oathkeeper.yaml"

	// CPKratosConfigPath is the container-side path of the Kratos config file.
	CPKratosConfigPath = CPClawkerDir + "/" + CPKratosConfigFilename
	// CPHydraConfigPath is the container-side path of the Hydra config file.
	CPHydraConfigPath = CPClawkerDir + "/" + CPHydraConfigFilename
	// CPOathkeeperConfigPath is the container-side path of the Oathkeeper config file.
	CPOathkeeperConfigPath = CPClawkerDir + "/" + CPOathkeeperConfigFilename
)
Container-side paths and file names inside the CP container.
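The identity model spelled out in the ContainerClawkerd and CPInfraCACertPath comments, as an added Go example that is not the project's code: a CLI root signs an infra intermediate and a per-agent leaf; the leaf's CN is pinned to ContainerClawkerd and the AgentFullName travels in a URI SAN; the gate verifies the chain, pins the CN, and compares the SAN against the name derived from the container's project/agent labels (both NamePrefix.project.agent and NamePrefix.agent shapes). The same leaf is then presented to a pool holding only the infra intermediate, as the otlp/infra receiver's client_ca_file would, and fails the chain. Assumptions: the URI scheme (clawker://), the CA common names, the project/agent pair demo/dev, ECDSA P-256 keys and one-hour lifetimes; key storage and the page's accessor paths are out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// NamePrefix and ContainerClawkerd are the page's constants; agentURIScheme is
// an assumption, since the page only says the AgentFullName lives in a URI SAN.
const (
	NamePrefix        = "clawker"
	ContainerClawkerd = "clawker-clawkerd"
	agentURIScheme    = "clawker"
)

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template is a one-hour client-auth leaf; ca=true turns it into a signing CA.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
	}
	return t
}

// agentFullName is the label-derived ground truth: NamePrefix.project.agent,
// or NamePrefix.agent for a global-scope agent (both shapes are first-class).
func agentFullName(project, agent string) string {
	if project == "" {
		return NamePrefix + "." + agent
	}
	return NamePrefix + "." + project + "." + agent
}

// gateAgentPeer models the CP-side gate: chain to anchors with a client-auth EKU,
// CN pinned to ContainerClawkerd, URI SAN equal to the label-derived identity.
func gateAgentPeer(leaf *x509.Certificate, anchors *x509.CertPool, project, agent string) error {
	opts := x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if cn := leaf.Subject.CommonName; cn != ContainerClawkerd {
		return fmt.Errorf("peer CN %q, want %q", cn, ContainerClawkerd)
	}
	for _, u := range leaf.URIs {
		if u.Scheme == agentURIScheme && u.Host == agentFullName(project, agent) {
			return nil
		}
	}
	return fmt.Errorf("no URI SAN matches the label-derived agent identity")
}

// scenario builds CLI root -> infra intermediate, mints a root-signed agent leaf
// (CN pinned, identity in the URI SAN) and returns each check's verdict (nil = accepted).
func scenario() map[string]error {
	root, rootKey := issue(template("clawker-cli-root", 1, true), nil, nil)
	infra, _ := issue(template("clawker-infra-ca", 2, true), root, rootKey)
	agentT := template(ContainerClawkerd, 3, false)
	agentT.URIs = []*url.URL{{Scheme: agentURIScheme, Host: agentFullName("demo", "dev")}}
	agent, _ := issue(agentT, root, rootKey)
	rootPool, infraPool := x509.NewCertPool(), x509.NewCertPool()
	rootPool.AddCert(root)
	infraPool.AddCert(infra) // what the otlp/infra receiver's client_ca_file holds: the intermediate only
	return map[string]error{
		"agent at CP gate":        gateAgentPeer(agent, rootPool, "demo", "dev"),
		"agent with wrong labels": gateAgentPeer(agent, rootPool, "demo", "other"),
		"agent on infra lane":     gateAgentPeer(agent, infraPool, "demo", "dev"),
	}
}

func main() { fmt.Println(scenario()) }
```

The order inside gateAgentPeer matters: the chain is verified before anything in the certificate is read, so the CN pin and the SAN comparison only ever run on material the CLI root actually signed, and the SAN is compared against the label-derived name rather than trusted on its own.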
const (
	MonitoringServiceOtelCollector        = "otel-collector"
	MonitoringServicePrometheus           = "prometheus"
	MonitoringServiceOpenSearchNode       = "opensearch-node"
	MonitoringServiceOpenSearchDashboards = "opensearch-dashboards"
)
Monitoring stack service names. Each value is the hostname its container registers under on clawker-net (compose service key → Docker DNS). A subset — see MonitoringServiceHostnames — is forwarded by CoreDNS to Docker's embedded resolver so agent containers can dial the OTEL collector and Prometheus when the firewall is in front of them. OpenSearch and OpenSearch Dashboards are intentionally NOT forwarded: agents push telemetry through the collector and never address those services directly. Renaming a service here propagates to both the compose template and the firewall plane without further edits.
const (
	// CPImageTag is the local Docker image tag for the built control plane image.
	// Built on-demand from embedded binaries by ensureCPImage in the firewall manager.
	CPImageTag = "clawker-controlplane:latest"
)
Container images.
const (
// Network is the shared Docker bridge network name.
Network = "clawker-net"
)
Network.
const (
	// OtelClientsDirName is the per-service mTLS material subdirectory
	// under firewallDir: clients/<svc>/{client.pem,client.key} plus a
	// shared ca.pem copy. CP-side firewall.Stack mints leaves here at
	// EnsureRunning; sibling Envoy/CoreDNS containers bind-mount from
	// the equivalent host path (HostFirewallOtelCertsDir).
	OtelClientsDirName = "otel-clients"
)
Subdirectory names within XDG base dirs.
Variables ¶
var (
	HostConfigDir = os.Getenv(EnvHostConfigDir)
	HostDataDir   = os.Getenv(EnvHostDataDir)
	HostStateDir  = os.Getenv(EnvHostStateDir)
	HostCacheDir  = os.Getenv(EnvHostCacheDir)
)
Host-FS XDG-shaped directory roots resolved from the env vars above. Package-init'd once; inside the CP container these are authoritative for every host-FS bind source. Outside the CP (unit tests, host-side e2e) they are empty unless the test fixture sets the env vars or overrides the vars directly before exercising CP code paths.
var (
	HostFirewallDataSubdir   = filepath.Join(HostDataDir, firewallDir)
	HostFirewallCertSubdir   = filepath.Join(HostFirewallDataSubdir, firewallCertDir)
	HostFirewallOtelCertsDir = filepath.Join(HostFirewallDataSubdir, OtelClientsDirName)
	HostEnvoyConfigPath      = filepath.Join(HostFirewallDataSubdir, EnvoyConfigFile)
	HostCorefilePath         = filepath.Join(HostFirewallDataSubdir, Corefile)

	// HostControlPlaneSubdir is the host-FS path of the CP-owned data
	// subdirectory. Bind source for the RW mount that backs the sqlite
	// DB at HostControlPlaneDBPath.
	HostControlPlaneSubdir = filepath.Join(HostDataDir, controlPlaneDir)
	HostControlPlaneDBPath = filepath.Join(HostControlPlaneSubdir, ControlPlaneDBFile)
)
Composed host paths used as sibling-container bind Mount.Source values. Pure string composition — Go package-var dependency ordering resolves HostDataDir before these evaluate.
var MonitoringServiceHostnames = []string{
	MonitoringServiceOtelCollector,
	MonitoringServicePrometheus,
}
MonitoringServiceHostnames lists the internal monitoring hostnames CoreDNS must forward to Docker's embedded DNS (127.0.0.11). Consumed by:
- internal/controlplane/firewall/coredns_config.go (internalHosts)
internal/monitor/templates.go renders compose YAML for all monitoring services (opensearch-node, opensearch-dashboards, otel-collector, prometheus, plus the one-shot clawker-opensearch-bootstrap) from the individual MonitoringService* constants directly, not from this slice — do NOT add OpenSearch hostnames here to "make compose work"; doing so only widens CoreDNS forwarding for no reason.
Scope: only services agent containers legitimately need to dial. otel-collector is the OTLP push target for Claude Code + clawker-cp. prometheus is included for workflows that scrape it from agent code. opensearch-node + opensearch-dashboards are deliberately omitted — agents push telemetry through the collector and never query/write the indices directly. Containers on clawker-net that DO need those (the collector, the dashboards UI, the one-shot bootstrap container) reach them via Docker's embedded resolver without going through CoreDNS. The bootstrap container has no constant in this file either — it dials opensearch-node:9200 + opensearch-dashboards:5601 once per stack lifecycle and is never reached from an agent container.
Functions ¶
func AuditLogPath ¶
AuditLogPath ensures <StateDir>/audit and returns the audit log file path.
func AuthCACertPath ¶
func AuthCAKeyPath ¶
func AuthCLIClientCertPath ¶
func AuthCLIClientKeyPath ¶
func AuthCLIDir ¶
AuthCLIDir ensures and returns the auth/cli directory under DataDir.
func AuthCLISigningJWKPath ¶
func AuthCLISigningKeyPath ¶
func AuthCPClientCertPath ¶
AuthCPClientCertPath returns the path to the CP's outbound mTLS client certificate. Bind-mounted RO into the CP container at CPClientCertPath.
func AuthCPClientKeyPath ¶
AuthCPClientKeyPath returns the path to the CP's outbound mTLS client private key.
func AuthCPDir ¶
AuthCPDir ensures and returns the auth/cp directory under the XDG data dir. Holds the CP's outbound mTLS identity (CN equals ContainerCP, ClientAuth EKU) used by every CP-as-client dial: OTLP push to the monitoring stack, the CP→clawkerd Session channel, and any future outbound mTLS where the peer needs to authenticate that the caller is the control plane.
func AuthInfraCACertPath ¶ added in v0.9.0
AuthInfraCACertPath returns the path to the infra intermediate CA certificate. Bind-mounted RO into the CP container.
func AuthInfraCADir ¶ added in v0.9.0
AuthInfraCADir ensures and returns the auth/infra-ca directory under DataDir. Holds the intermediate CA the CP uses to mint short-lived mTLS client leaves for clawker infrastructure services (Envoy, CoreDNS, future hostproxy sidecars). The intermediate cert + key are bind-mounted RO into the CP container; the key never leaves host disk + the CP process.
func AuthInfraCAKeyPath ¶ added in v0.9.0
AuthInfraCAKeyPath returns the path to the infra intermediate CA private key. Bind-mounted RO into the CP container. Same trust radius as CP — compromise of either is equivalent.
func AuthOtelDir ¶
AuthOtelDir ensures and returns the auth/otel directory under DataDir. Holds the mTLS pair gating the CP-only OTLP receiver on the monitoring stack: a server cert mounted into the otel-collector container and a client cert mounted into clawker-cp.
func AuthOtelServerCertPath ¶
AuthOtelServerCertPath returns the path to the otel-collector's receiver server certificate. Bind-mounted RO into the collector container at OtelCollectorServerCertContainerPath.
func AuthOtelServerKeyPath ¶
AuthOtelServerKeyPath returns the path to the otel-collector's receiver server private key.
func AuthServerCertPath ¶
func AuthServerKeyPath ¶
func AuthTLSDir ¶
AuthTLSDir ensures and returns the auth/tls directory under DataDir.
func BridgePIDFilePath ¶
BridgePIDFilePath ensures the PID subdirectory and returns the per-container bridge PID file path.
func BridgesSubdir ¶
BridgesSubdir ensures and returns the legacy bridge PID subdirectory path under StateDir. Alias for PidsSubdir for backward compatibility.
func BuildSubdir ¶
BuildSubdir ensures and returns the build subdirectory path under DataDir.
func CacheDir ¶
func CacheDir() string
CacheDir returns the clawker cache directory. Resolution: CLAWKER_CACHE_DIR > XDG_CACHE_HOME/clawker > ~/.cache/clawker
func ConfigDir ¶
func ConfigDir() string
ConfigDir returns the clawker config directory. Resolution: CLAWKER_CONFIG_DIR > XDG_CONFIG_HOME/clawker > ~/.config/clawker
func ControlPlaneDBPath ¶
ControlPlaneDBPath ensures the control-plane subdirectory and returns the host-side path of the CP sqlite database.
func ControlPlaneLogFilePath ¶
ControlPlaneLogFilePath ensures the logs subdirectory and returns the control plane log file path.
func ControlPlaneSubdir ¶
ControlPlaneSubdir ensures and returns the control-plane subdirectory path under DataDir. Bind-mounted RW into the CP container at CPControlPlaneDir; holds the sqlite database the CP daemon owns.
func CorefilePath ¶
func DataDir ¶
func DataDir() string
DataDir returns the clawker data directory. Resolution: CLAWKER_DATA_DIR > XDG_DATA_HOME/clawker > ~/.local/share/clawker
func DockerfilesSubdir ¶
DockerfilesSubdir ensures and returns the generated Dockerfiles subdirectory path under BuildSubdir.
func EgressRulesPath ¶
EgressRulesPath ensures the firewall data subdirectory and returns the egress rules YAML file path.
func EnsureAuthDirs ¶
func EnsureAuthDirs() error
EnsureAuthDirs creates the auth material directory tree. Called by auth.EnsureAuthMaterial before writing files. Auth directories are 0o700 — defense-in-depth so private keys (and the looser-perm OTEL keys readable by container uids) cannot be reached by other local users via permissive home/$XDG_DATA_HOME modes.
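The directory-creation contract from the Overview (os.MkdirAll on every call, 0o755 for ordinary subdirs, 0o700 for the auth tree), as an added example that is not the project's accessors: a small ensureDir that does what os.MkdirAll alone does not, namely refuse a symlink or regular file planted at the accessor path and tighten a pre-existing directory whose mode is looser than requested, plus two accessor-shaped wrappers with hypothetical names. The modes are the page's; the temporary-directory layout and the function names are assumptions.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Modes from the page: ordinary accessors use os.MkdirAll(0o755); the auth
// directory tree created by EnsureAuthDirs is 0o700.
const (
	dirMode     fs.FileMode = 0o755
	authDirMode fs.FileMode = 0o700
)

// ensureDir joins sub onto base and creates it with mode. os.MkdirAll alone is
// a no-op on an existing path: it follows a symlink planted there, and it never
// changes the mode of a directory that already exists, so an auth dir created
// 0o755 by an earlier build would stay readable by other local users. ensureDir
// therefore Lstats the result, refuses symlinks and non-directories, and chmods
// away any permission bits the requested mode does not grant.
func ensureDir(base, sub string, mode fs.FileMode) (string, error) {
	p := filepath.Join(base, sub)
	if err := os.MkdirAll(p, mode); err != nil {
		return "", err
	}
	info, err := os.Lstat(p) // Lstat, not Stat: see the symlink itself
	if err != nil {
		return "", err
	}
	if info.Mode()&fs.ModeSymlink != 0 {
		return "", fmt.Errorf("%s: refusing to use a symlink as an accessor directory", p)
	}
	if !info.IsDir() {
		return "", fmt.Errorf("%s: exists and is not a directory", p)
	}
	if loose := info.Mode().Perm() &^ mode; loose != 0 {
		if err := os.Chmod(p, mode); err != nil {
			return "", err
		}
	}
	return p, nil
}

// authSubdir has the shape of the page's AuthTLSDir/AuthCLIDir accessors
// (hypothetical name): <dataDir>/auth/<sub>, with both levels held at 0o700.
func authSubdir(dataDir, sub string) (string, error) {
	authDir, err := ensureDir(dataDir, "auth", authDirMode)
	if err != nil {
		return "", err
	}
	return ensureDir(authDir, sub, authDirMode)
}

// stateSubdir has the shape of the ordinary 0o755 accessors such as LogsSubdir.
func stateSubdir(stateDir, sub string) (string, error) {
	return ensureDir(stateDir, sub, dirMode)
}

func main() {
	base, err := os.MkdirTemp("", "clawker-consts-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	// Simulate an auth dir left 0o755 by an earlier run, then re-ensure it.
	if err := os.MkdirAll(filepath.Join(base, "auth", "tls"), 0o755); err != nil {
		panic(err)
	}
	p, err := authSubdir(base, "tls")
	if err != nil {
		panic(err)
	}
	info, err := os.Stat(p)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s is now %04o\n", p, info.Mode().Perm())
}
```

The chmod only ever removes bits, so a directory that is already stricter than the requested mode is left alone; the symlink refusal is what keeps a writable $XDG_DATA_HOME from redirecting key material somewhere another local user controls.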
func EnvoyConfigPath ¶
func FirewallCertSubdir ¶
FirewallCertSubdir ensures and returns the firewall certificate subdirectory path under DataDir.
func FirewallDataSubdir ¶
FirewallDataSubdir ensures and returns the firewall data subdirectory path under DataDir.
func GRPCSocketPath ¶
GRPCSocketPath ensures the sockets subdirectory and returns the gRPC socket file path.
func HostProxyLogFilePath ¶
HostProxyLogFilePath ensures the logs subdirectory and returns the host proxy log file path.
func HostProxyPIDFilePath ¶
HostProxyPIDFilePath ensures the PID subdirectory and returns the host proxy PID file path.
func HydraSystemSecretPath ¶
HydraSystemSecretPath returns the path to the persisted Hydra system secret file under the auth/ directory. The parent directory is created if needed.
func LogsSubdir ¶
LogsSubdir ensures and returns the logs subdirectory path under StateDir.
func MonitorSubdir ¶
MonitorSubdir ensures and returns the monitor subdirectory path under DataDir.
func OIDCSocketPath ¶
OIDCSocketPath ensures the sockets subdirectory and returns the OIDC socket file path.
func OtelClientsDir ¶ added in v0.9.0
OtelClientsDir ensures and returns the directory under FirewallDataSubdir where the otelcerts.Service writes mTLS client material for trusted-lane senders (Envoy, CoreDNS, ...). CP is the sole writer; sibling containers bind-mount RO subpaths.
Path stays under FirewallDataSubdir for historical reasons (the firewall plane was the first consumer) — the cert minting itself lives in internal/controlplane/otelcerts and is not a firewall concern.
func PidsSubdir ¶
PidsSubdir ensures and returns the PID subdirectory path under StateDir.
func ProjectRegistryFilePath ¶
ProjectRegistryFilePath returns the absolute path to the project registry file.
func ReadyFilePath ¶
ReadyFilePath ensures the state directory and returns the ready sentinel file path.
func ServiceURL ¶
ServiceURL builds an http(s)://host:port URL.
func SettingsFilePath ¶
SettingsFilePath returns the absolute path to the global settings file. The config directory itself is not created by this accessor; callers that write to the returned path must ensure the parent exists (storage layer does this via its atomic write helpers).
func ShareSubdir ¶
ShareSubdir ensures and returns the shared directory path under DataDir.
func SocketsDir ¶
SocketsDir ensures and returns the sockets subdirectory path under StateDir.
func StateDir ¶
func StateDir() string
StateDir returns the clawker state directory. Resolution: CLAWKER_STATE_DIR > XDG_STATE_HOME/clawker > ~/.local/state/clawker
func UserProjectConfigFilePath ¶
UserProjectConfigFilePath returns the absolute path to the user-level clawker.yaml file.
func WorktreesSubdir ¶
WorktreesSubdir ensures and returns the worktrees subdirectory path under DataDir.
Types ¶
This section is empty.