Module: startup
Contents
Modules
- audit - Audit subsystem startup.
- authority - Authority stream client spawn helper.
- capability - Build the runtime [CapabilityMap] and [TokenVerifier] from the sidecar’s [capability_seed] and [authority] public_key_path config.
- connector - [ConnectorRegistry] construction from the [connector] config.
- credential - [CredentialInjector] construction from the [credentials] config section.
- interceptor - Interceptor spawn dispatch.
- local_exec - Startup builder for the local-exec governance endpoint.
- log_contract - Standalone-startup log contract.
- pipeline - Enforcement pipeline construction.
- preflight - Pre-flight capability token provisioning.
Module: audit
Audit subsystem startup.
Covers three responsibilities:
- [load_audit_event_builder] — reads the ECDSA signing key from file or environment and constructs an EventBuilder.
- [spawn_audit_sink] — spawns the signing adapter plus the concrete sink (stdout/file/gRPC/WAL) as background tokio tasks.
- internal run_signing_adapter — sits between the pipeline and the concrete sink, signing [AuditPayload]s into [ExecutionEvent]s on their way out.
Module: authority
Authority stream client spawn helper.
Wires the shared tonic channel and spawns the background
WatchPolicyBundle / WatchRevocations tasks when
PolicyConfig::authority_url
is configured. Returns Ok(None) when the Authority integration is
disabled so the binary still runs in dev mode against local state.
Module: capability
Build the runtime [CapabilityMap] and [TokenVerifier] from the
sidecar’s [capability_seed] and [authority] public_key_path config.
Replaces the empty-default + stub-verifier wiring that lived inline in
[crate::startup::pipeline] until the gRPC IssueCapability client lands.
Module: connector
[ConnectorRegistry] construction from the [connector] config.
The registry default is built from default_timeout_ms (30s uses
the [GenericHttpConnector::default_for_unconfigured] shortcut);
every [HostConnectorConfig] entry becomes a
[GenericHttpConnector] registered under its host string.
Module: credential
[CredentialInjector] construction from the [credentials]
config section.
Basic-mode entries resolve their value_from_env environment
variable at startup. Vault-mode entries record the secret_path
for per-call reads. When both modes are present, the resulting
injector tries the basic provider first, then falls back to vault.
Module: interceptor
Interceptor spawn dispatch.
Selects the concrete interceptor implementation based on the
InterceptorMode in config and
returns a [tokio::task::JoinHandle] that resolves when the
interceptor shuts down.
Module: local_exec
Startup builder for the local-exec governance endpoint.
[spawn_local_exec_endpoint] reads [LocalExecConfig] from
[SidecarConfig], builds the handler and endpoint, and spawns them as a
background tokio task. Returns None when local_exec is not configured.
Module: log_contract
Standalone-startup log contract.
Locks the seven-line INFO sequence the sidecar emits on every
successful start. The contract is part of the operator-facing
interface: examples/demo/ and the demo-e2e CI gate scrape these
lines to assert readiness, so the order, prefix, and field surface
are all stable.
The seven lines, in order, are:
1. config loaded path="…"
2. mapping table loaded rules=N
3. policy bundle loaded version="…" policies=N
4. authority stream connected endpoint="…"
5. connector registry built hosts=N default_timeout_ms=T
6. interceptor listening addr="…"
7. ready
Line 4 fires unconditionally. When policy.authority_url is unset
the endpoint is reported as "(disabled)" so the contract surface
stays stable across deployment flavours.
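As an added example (not the sidecar's own code), a checker for the seven-line contract of the kind a readiness gate such as the demo-e2e scrape could apply. It assumes the captured lines have already been reduced to the INFO message text and that field values contain no whitespace; the sample log it carries is constructed.

```rust
// Expected message prefix and required field keys per contract line, in order.
const CONTRACT: [(&str, &[&str]); 7] = [
    ("config loaded", &["path"]),
    ("mapping table loaded", &["rules"]),
    ("policy bundle loaded", &["version", "policies"]),
    ("authority stream connected", &["endpoint"]),
    ("connector registry built", &["hosts", "default_timeout_ms"]),
    ("interceptor listening", &["addr"]),
    ("ready", &[]),
];

/// Keys of the trailing `key=value` fields. Assumes values hold no whitespace.
fn field_keys(rest: &str) -> Vec<&str> {
    rest.split_whitespace()
        .filter_map(|tok| tok.split_once('=').map(|(key, _)| key))
        .collect()
}

/// Check a captured startup log against the contract: exactly seven lines,
/// fixed order, stable prefix, every required field present. First violation wins.
pub fn check_startup_contract(lines: &[&str]) -> Result<(), String> {
    if lines.len() != CONTRACT.len() {
        return Err(format!("expected {} lines, got {}", CONTRACT.len(), lines.len()));
    }
    for (i, (line, (prefix, required))) in lines.iter().zip(CONTRACT.iter()).enumerate() {
        let rest = match line.strip_prefix(*prefix) {
            // The prefix must be the whole message or be followed by fields.
            Some(rest) if rest.is_empty() || rest.starts_with(' ') => rest,
            _ => return Err(format!("line {}: expected prefix {prefix:?}, got {line:?}", i + 1)),
        };
        let keys = field_keys(rest);
        if let Some(missing) = required.iter().find(|k| !keys.contains(*k)) {
            return Err(format!("line {}: missing field {missing}", i + 1));
        }
    }
    Ok(())
}

/// Constructed sample of a healthy start with the Authority disabled.
pub fn sample_startup_log() -> [&'static str; 7] {
    [
        "config loaded path=\"/etc/sidecar/config.toml\"",
        "mapping table loaded rules=12",
        "policy bundle loaded version=\"2024-05\" policies=4",
        "authority stream connected endpoint=\"(disabled)\"",
        "connector registry built hosts=2 default_timeout_ms=30000",
        "interceptor listening addr=\"127.0.0.1:9000\"",
        "ready",
    ]
}
```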
Module: pipeline
Enforcement pipeline construction.
Reads the mapping rules file, assembles the normalizer, both
enforcement stages, and the credential injector, and wraps them in
an EnforcementPipeline.
When [preflight] is configured, the caller must call
startup::run_preflight
first and pass the result to
[build_pipeline_runtime] via the preflight argument.
Without it, Stage 1 falls back to the stub verifier (always deny).
Module: preflight
Pre-flight capability token provisioning.
Contacts the Authority via IssueCapability before the enforcement
pipeline starts accepting requests, and returns a live CapabilityMap
paired with a PasetoV4Verifier. When [preflight] is absent from
the sidecar config the sidecar falls back to the stub verifier (always
deny) and an empty map — useful for unit-testing but not for demos.