startup
Module: startup
Section titled “Module: startup”Contents
Section titled “Contents”Modules
audit- Audit subsystem startup.authority- Authority stream client spawn helper.capability- Build the runtime [CapabilityMap] and [TokenVerifier] from theconnector- [ConnectorRegistry] construction from the[connector]config.credential-CredentialInjectorconstruction from the[credentials]interceptor- Interceptor spawn dispatch.local_exec- Startup builder for the local-exec governance endpoint.log_contract- Standalone-startup log contract.pipeline- Enforcement pipeline construction.
Module: audit
Section titled “Module: audit”Audit subsystem startup.
Covers three responsibilities:
- [
load_audit_event_builder] — reads the ECDSA signing key from file or environment and constructs anEventBuilder. - [
spawn_audit_sink] — spawns the signing adapter plus the concrete sink (stdout/file/gRPC/WAL) as background tokio tasks. - internal
run_signing_adapter— sits between the pipeline and the concrete sink, signingAuditPayloads intoExecutionEvents on their way out.
Module: authority
Section titled “Module: authority”Authority stream client spawn helper.
Wires the shared tonic channel and spawns the background
WatchPolicyBundle / WatchRevocations tasks when
authority.url
is configured. Returns Ok(None) when the Authority integration is
disabled so the binary still runs in dev mode against local state.
Module: capability
Section titled “Module: capability”Build the runtime [CapabilityMap] and [TokenVerifier] from the
sidecar’s [capability_seed] and [authority] public_key_path config.
Seeds are minted per session by firma run (via IssueCapability) and
written under the runtime capabilities directory; operator-configured
[capability_seed] paths are deprecated and warn at load time.
Module: connector
Section titled “Module: connector”[ConnectorRegistry] construction from the [connector] config.
The registry default is built from default_timeout_ms (30s uses
the [GenericHttpConnector::default_for_unconfigured] shortcut);
every host connector entry becomes a
[GenericHttpConnector] registered under its host string.
Module: credential
Section titled “Module: credential”CredentialInjector construction from the [credentials]
config section.
Basic-mode entries resolve their value_from_env environment
variable at startup. Vault-mode entries record the secret_path
for per-call reads. When both modes are present, the resulting
injector tries the basic provider first, then falls back to vault.
Module: interceptor
Section titled “Module: interceptor”Interceptor spawn dispatch.
Selects the concrete interceptor implementation based on the
[InterceptorMode] in config and
returns a [tokio::task::JoinHandle] that resolves when the
interceptor shuts down.
Module: local_exec
Section titled “Module: local_exec”Startup builder for the local-exec governance endpoint.
[spawn_local_exec_endpoint] reads [LocalExecConfig] from
[SidecarConfig], builds the handler and endpoint, and spawns them as a
background tokio task. Returns None when local_exec is not configured.
Module: log_contract
Section titled “Module: log_contract”Standalone-startup log contract.
Locks the seven-line INFO sequence the sidecar emits on every
successful start. The contract is part of the operator-facing
interface: examples/demo/ and the demo-e2e CI gate scrape these
lines to assert readiness, so the order, prefix, and field surface
are all stable.
The seven lines, in order, are:
config loaded path="…"mapping table loaded rules=Npolicy bundle loaded version="…" policies=Nauthority stream connected endpoint="…"connector registry built hosts=N default_timeout_ms=Tinterceptor listening addr="…"sidecar ready
Line 4 fires unconditionally. When authority.url is unset
the endpoint is reported as "(disabled)" so the contract surface
stays stable across deployment flavours.
Module: pipeline
Section titled “Module: pipeline”Enforcement pipeline construction.
Reads the mapping rules file, assembles the normalizer, both
enforcement stages, and the credential injector, and wraps them in
an EnforcementPipeline.