Skip to content
OpenFirma OpenFirma
Blog

config

Module: config

Section titled “Module: config”

Contents

Section titled “Contents”

Structs

Enums

firma_sidecar::config::CaConfig

Section titled “firma_sidecar::config::CaConfig”

Struct

Certificate authority directory settings.

Fields:

  • dir: std::path::PathBuf - Directory containing CA key material.

Trait Implementations:

  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Default
    • fn default() -> Self
  • Clone
    • fn clone(self: &Self) -> CaConfig

firma_sidecar::config::ConnectRelayConfig

Section titled “firma_sidecar::config::ConnectRelayConfig”

Struct

Timeout controls for CONNECT tunnel and MITM relay sessions.

Fields:

  • setup_timeout_secs: u64 - Timeout for CONNECT upgrade and upstream connect/TLS setup.
  • session_max_secs: u64 - Hard cap for the full tunnel/MITM session lifetime.

Trait Implementations:

  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Default
    • fn default() -> Self
  • Clone
    • fn clone(self: &Self) -> ConnectRelayConfig

firma_sidecar::config::CredentialConfig

Section titled “firma_sidecar::config::CredentialConfig”

Struct

Credential injection entry for a single external target.

Each entry selects a mode (basic or vault) and provides the fields that mode requires. At proxy time, matching outbound requests have the specified header injected.

Fields:

  • mode: CredentialMode - Injection mode. Default: basic.
  • target_host: String - Host that this credential applies to.
  • header: String - HTTP header name to inject (e.g. Authorization).
  • prefix: Option<String> - Optional prefix prepended to the resolved value
  • value_from_env: Option<String> - Environment variable whose value is injected (basic mode).
  • secret_path: Option<std::path::PathBuf> - Filesystem path to the secret file rendered by Vault Agent

Trait Implementations:

  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Clone
    • fn clone(self: &Self) -> CredentialConfig
  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>

firma_sidecar::config::CredentialMode

Section titled “firma_sidecar::config::CredentialMode”

Enum

Credential injection mode selector.

Variants:

  • Basic - Static credential read from an environment variable at startup.
  • Vault - Secret file rendered by Vault Agent, read from disk per-call.

Traits: Eq, Copy

Trait Implementations:

  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Default
    • fn default() -> CredentialMode
  • PartialEq
    • fn eq(self: &Self, other: &CredentialMode) -> bool
  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Clone
    • fn clone(self: &Self) -> CredentialMode

firma_sidecar::config::HttpsMitmConfig

Section titled “firma_sidecar::config::HttpsMitmConfig”

Struct

HTTPS MITM controls for the HTTP proxy interceptor.

When disabled, HTTPS CONNECT requests are handled as blind tunnels. When enabled, hosts matched by intercept_hosts are decrypted and re-encrypted by the sidecar.

Fields:

  • enabled: bool - Enables TLS MITM interception for selected hosts.
  • ca_cert_path: Option<std::path::PathBuf> - Optional explicit CA certificate path. Defaults under ca.dir.
  • ca_key_path: Option<std::path::PathBuf> - Optional explicit CA private key path. Defaults under ca.dir.
  • intercept_hosts: Vec<String> - Host patterns that should be intercepted (supports * wildcard).
  • bypass_hosts: Vec<String> - Host patterns that should bypass interception and use CONNECT tunnel.
  • cert_ttl_secs: u64 - Dynamic leaf certificate TTL in seconds.
  • cert_cache_capacity: usize - Maximum number of cached leaf certificates.
  • strict_hosts: Vec<String> - Host patterns that must be intercepted; failures are hard deny.

Trait Implementations:

  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Default
    • fn default() -> Self
  • Clone
    • fn clone(self: &Self) -> HttpsMitmConfig

firma_sidecar::config::InterceptorConfig

Section titled “firma_sidecar::config::InterceptorConfig”

Struct

Interceptor settings.

Selects the interception mode and supplies mode-specific parameters:

ModeRequired fields
http_proxylisten_addr
grpclisten_addr
unix_socketsocket_path

drain_timeout_secs is shared across all modes.

Fields:

  • mode: InterceptorMode - Interception mode. Default: http_proxy.
  • listen_addr: std::net::SocketAddr - Socket address used by http_proxy and grpc modes.
  • socket_path: Option<std::path::PathBuf> - Path to the Unix domain socket file, used by unix_socket
  • drain_timeout_secs: u64 - Seconds to wait for in-flight requests to drain on shutdown.
  • max_request_body_bytes: usize - Maximum request body size accepted by proxy interceptors.
  • connect_relay: ConnectRelayConfig - CONNECT/MITM relay timeout controls.
  • https_mitm: HttpsMitmConfig - HTTPS MITM settings used by the HTTP proxy interceptor.

Trait Implementations:

  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Default
    • fn default() -> Self
  • Clone
    • fn clone(self: &Self) -> InterceptorConfig

firma_sidecar::config::InterceptorMode

Section titled “firma_sidecar::config::InterceptorMode”

Enum

Interception mode selector.

Determines which transport the sidecar uses to capture outbound agent traffic.

Variants:

  • HttpProxy - Pingora-based HTTP forward proxy. The agent sets
  • Grpc - Tonic gRPC hook server. The agent calls the Intercept RPC
  • UnixSocket - Unix domain socket. Avoids TCP port binding in containers.

Traits: Copy, Eq

Trait Implementations:

  • PartialEq
    • fn eq(self: &Self, other: &InterceptorMode) -> bool
  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Clone
    • fn clone(self: &Self) -> InterceptorMode
  • Default
    • fn default() -> Self
  • Display
    • fn fmt(self: &Self, f: & mut fmt::Formatter) -> fmt::Result
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_sidecar::config::LocalExecConfig

Section titled “firma_sidecar::config::LocalExecConfig”

Struct

Configuration for the local-exec governance UDS endpoint.

When present in SidecarConfig, the sidecar binds an additional Unix domain socket that firma-run clients contact for pre-execution governance decisions. This is the server-side counterpart to the sidecar_local_exec section in the firma-run profile config.

Fields:

  • socket_path: std::path::PathBuf - Absolute path to the Unix domain socket file.
  • default_action: crate::local_exec::handler::DefaultAction - Policy applied to every fresh local-exec request.
  • token_ttl_secs: u64 - Approval token time-to-live in seconds (default: 300).
  • retry_after_ms: u64 - Suggested retry interval returned to firma-run in pending_hitl

Methods:

  • fn validate(self: &Self) -> Result<(), String> - Validate the local-exec configuration.

Trait Implementations:

  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Clone
    • fn clone(self: &Self) -> LocalExecConfig

firma_sidecar::config::LogConfig

Section titled “firma_sidecar::config::LogConfig”

Struct

Log settings sourced from the TOML file.

The log level set here acts as the base; CLI args (--log-level) override it.

Fields:

  • level: String - Log level: trace, debug, info, warn, or error.

Trait Implementations:

  • Default
    • fn default() -> Self
  • Clone
    • fn clone(self: &Self) -> LogConfig
  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result

firma_sidecar::config::PolicyConfig

Section titled “firma_sidecar::config::PolicyConfig”

Struct

Policy source settings.

Fields:

  • dir: std::path::PathBuf - Directory containing .cedar policy files.
  • authority_url: Option<String> - Optional Authority gRPC URL. When set, the sidecar streams

Trait Implementations:

  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Default
    • fn default() -> Self
  • Clone
    • fn clone(self: &Self) -> PolicyConfig

firma_sidecar::config::PreflightConfig

Section titled “firma_sidecar::config::PreflightConfig”

Struct

Pre-flight capability token provisioning settings.

When present, the sidecar calls IssueCapability on the Authority at startup to obtain a real PASETO v4 token and build a live CapabilityMap. Requires policy.authority_url to also be set.

Fields:

  • agent_id: String - Agent identity string (e.g. "demo0-agent").
  • session_id: String - Session identifier for the pre-flight token.
  • requested_actions: Vec<String> - Action classes the agent is requesting authorization for.
  • resource_scope: String - Resource scope requested (e.g. "*" for any resource).
  • authority_pub_key_path: std::path::PathBuf - Path to the Authority’s Ed25519 public key file (32 raw bytes).
  • ttl_seconds: i32 - Requested token TTL in seconds (default: 900 / 15 min).

Methods:

  • fn validate(self: &Self) -> Result<(), String> - Validate preflight config fields.

Trait Implementations:

  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Clone
    • fn clone(self: &Self) -> PreflightConfig

firma_sidecar::config::SidecarConfig

Section titled “firma_sidecar::config::SidecarConfig”

Struct

Top-level sidecar configuration deserialized from TOML.

Contains both infrastructure settings (interceptor, policy, CA, logging, credentials) and enforcement-engine settings (mapping, capability validation, constraint enforcement) via [EnforcementConfig].

Fields:

  • interceptor: InterceptorConfig - Interceptor settings (mode, listen address or socket path,
  • policy: PolicyConfig - Policy directory and optional authority URL.
  • ca: CaConfig - Certificate authority directory.
  • log: LogConfig - Log settings (level only; file/filter come from CLI args).
  • credentials: std::collections::HashMap<String, CredentialConfig> - Per-target credential injection entries, keyed by an arbitrary
  • connector: ConnectorConfig - Outbound connector settings (default timeout + per-host
  • authority: AuthorityConfig - Background Authority stream client tuning.
  • enforcement: EnforcementConfig - Enforcement engine settings (mapping rules, capability
  • revocation: RevocationConfig - Revocation cache settings (bloom filter + LRU sizing).
  • capability_seed: CapabilitySeedConfig - Static capability provisioning for the demo path. Until the
  • audit: AuditConfig - Audit event emitter settings.
  • preflight: Option<PreflightConfig> - Optional pre-flight capability token provisioning.
  • local_exec: Option<LocalExecConfig> - Local-exec governance endpoint configuration.

Methods:

  • fn load_from_path(path: &std::path::Path) -> Result<Self, String> - Load a sidecar configuration from a TOML file and validate it.
  • fn validate(self: &Self) -> Result<(), String> - Validate the entire configuration tree.
  • fn rebase_defaults(self: & mut Self, config_dir: &std::path::Path) - Re-base every relative resource path against config_dir;

Trait Implementations:

  • Debug
    • fn fmt(self: &Self, f: & mut $crate::fmt::Formatter) -> $crate::fmt::Result
  • Deserialize
    • fn deserialize<__D>(__deserializer: __D) -> _serde::__private228::Result<Self, <__D as >::Error>
  • Clone
    • fn clone(self: &Self) -> SidecarConfig
  • Default
    • fn default() -> SidecarConfig