pub struct SharedServerConfig {
pub cwd: PathBuf,
pub max_output_bytes: usize,
pub default_call_timeout_ms: u64,
pub granted_capabilities: Vec<String>,
pub audit_sink: Option<Arc<dyn AuditSink>>,
pub server_version: String,
pub token_broker: Option<Arc<dyn TokenBroker>>,
pub max_ucan_chain_depth: u8,
pub ucan_revocation_store: Option<Arc<dyn UcanRevocationStore>>,
pub frame_deadline_active_ms: u64,
pub frame_deadline_handshake_ms: u64,
pub cursor_signing_key: [u8; 32],
pub cursor_ttl_seconds: u64,
}

Transport-neutral configuration shared across listeners.
Carries the fields every listener needs to dispatch a RunTool: cwd for
relative-path tools, the output / timeout budgets, the operator
capability allow-list, plus the pluggable audit sink, token broker, and
server identity. The Unix-socket-specific socket_path and the HTTP-
specific listen / extra_origins / require_bearer live in
atd-server::ServerConfig and atd-server-http::HttpServerConfig
respectively (SP-streamable-http §6.3 — the configs share fields by
composition rather than by trait, to keep struct-literal construction
across crate boundaries ergonomic).
Fields

cwd: PathBuf

max_output_bytes: usize

default_call_timeout_ms: u64

granted_capabilities: Vec<String>
Server-operator capability allow-list. On UDS it is the set the Hello
handshake intersects the client's requested capabilities with; on HTTP it
is the set the listener intersects BearerIdentity::granted_capabilities
against on every request. Nothing a client or token presents can extend
it; the allow-list is the upper bound of the authority any connection
can hold.
audit_sink: Option<Arc<dyn AuditSink>>
Optional audit sink for per-call observability. SP-operability-v1 C1.
server_version: String
Identity string echoed in the Hello ack (and in the MCP initialize
response on HTTP). Concretely the deployed server's name + version,
e.g. "atd-ref-server 0.3.0".
token_broker: Option<Arc<dyn TokenBroker>>
Optional TokenBroker for multi-tenant secret routing.
SP-token-broker-phase1.
max_ucan_chain_depth: u8
Maximum UCAN-lite chain depth accepted by the verifier. Default 5 per
SP-capability-v2 spec §4.6; prevents stack-exhaustion attacks via
pathologically deep proof chains. Override via the listener crate's
CLI flag if a specific deployment justifies it.
ucan_revocation_store: Option<Arc<dyn UcanRevocationStore>>
Optional revocation store for UCAN-lite tokens (SP-capability-v2 §4.7).
When None, no revocation check is performed: a token revoked upstream
still verifies, and the connection-scoped allow-list is the only bound
on its authority. Adopters wrap their existing revocation table (e.g.
celia's consent.status='revoked') behind this trait.
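The three entries granted_capabilities, max_ucan_chain_depth and ucan_revocation_store describe one decision: what a caller may actually exercise once the operator allow-list, the proof chain and the (optional) revocation store are combined. The block below is an added example, not atd-server code; SP-capability-v2 is not reproduced on this page, so the link structure `UcanLiteLink`, the `is_revoked` method name, the `ChainError` enum and the in-memory store are assumptions. What it takes from the field docs is the depth default of 5, the allow-list as the root of authority, and the rule that `None` means no revocation check at all.

```rust
use std::collections::HashSet;

/// One link of a UCAN-lite proof chain. Assumed shape for this example;
/// the real token format lives in SP-capability-v2 and is not shown here.
#[derive(Debug, Clone)]
pub struct UcanLiteLink {
    pub id: String,                // identifier the revocation store is keyed on
    pub capabilities: Vec<String>, // capabilities this link delegates onward
}

/// Stand-in for the page's `UcanRevocationStore` trait (method name assumed).
pub trait UcanRevocationStore {
    fn is_revoked(&self, token_id: &str) -> bool;
}

#[derive(Debug, PartialEq, Eq)]
pub enum ChainError {
    ChainTooDeep { depth: usize, max: u8 },
    Revoked(String),
}

/// Computes the capabilities a request may actually exercise.
///
/// * The depth bound is a single length comparison done before any per-link
///   work, so a pathologically deep chain costs nothing to reject.
/// * The operator allow-list (`granted_capabilities`) is the root: each link
///   can only pass on what was already held, so the chain attenuates and
///   never amplifies.
/// * With `revocation == None` no revocation check happens, exactly as the
///   field docs state; the allow-list is then the only bound.
pub fn effective_capabilities(
    granted: &[String],
    chain: &[UcanLiteLink],
    max_depth: u8,
    revocation: Option<&dyn UcanRevocationStore>,
) -> Result<Vec<String>, ChainError> {
    if chain.len() > usize::from(max_depth) {
        return Err(ChainError::ChainTooDeep { depth: chain.len(), max: max_depth });
    }
    let mut held: HashSet<&str> = granted.iter().map(String::as_str).collect();
    for link in chain {
        if let Some(store) = revocation {
            if store.is_revoked(&link.id) {
                return Err(ChainError::Revoked(link.id.clone()));
            }
        }
        let claimed: HashSet<&str> = link.capabilities.iter().map(String::as_str).collect();
        held = held.intersection(&claimed).copied().collect();
    }
    let mut out: Vec<String> = held.into_iter().map(String::from).collect();
    out.sort(); // deterministic order for logging and tests
    Ok(out)
}

/// Constructed in-memory revocation table for the example; an adopter would
/// wrap a real table (the docs mention celia's consent.status='revoked').
pub struct MemoryRevocations(pub HashSet<String>);

impl UcanRevocationStore for MemoryRevocations {
    fn is_revoked(&self, token_id: &str) -> bool {
        self.0.contains(token_id)
    }
}

fn main() {
    // Constructed sample: operator grants three capabilities, a two-link chain
    // narrows them to the one capability every link agrees on.
    let granted = vec!["fs.read".to_string(), "fs.write".to_string(), "net.fetch".to_string()];
    let chain = vec![
        UcanLiteLink { id: "root-1".into(), capabilities: vec!["fs.read".into(), "fs.write".into()] },
        UcanLiteLink { id: "leaf-2".into(), capabilities: vec!["fs.read".into(), "net.fetch".into()] },
    ];
    println!("{:?}", effective_capabilities(&granted, &chain, 5, None)); // Ok(["fs.read"])
}
```

The same function serves both listeners: on UDS it runs once at Hello with the handshake's requested set as the first link, on HTTP it runs per request with the bearer identity's capabilities. Checking the depth before walking the chain is the point of the `max_ucan_chain_depth` field; a verifier that recurses first and counts later has already spent the stack it meant to protect.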
frame_deadline_active_ms: u64
Per-frame deadline applied to reads/writes on a connection that has
already completed the Hello handshake. Long enough to cover a
reasonable tool call's slowest reply (e.g. host:media.convert at 25s).
Default 30_000 ms. SP-concurrency-baseline §5.2.
frame_deadline_handshake_ms: u64
Per-frame deadline applied to the pre-Hello handshake window. Short
enough to fail fast under single-threaded server starvation (the §1.2
root cause of the 2026-05-12 celia incident) so the SDK retry path can
reissue against a less contended worker. Default 5_000 ms.
SP-concurrency-baseline §5.2.
cursor_signing_key: [u8; 32]
HMAC signing key for paginated-result cursors. SP-pagination-v1 §4.5.
Production: random per server startup (so cursor forgery requires
process-state compromise); a restart therefore invalidates every
cursor issued before it. Multi-instance load-balanced deployments
share a key via env (ATD_CURSOR_SIGNING_KEY=base64...), which must
decode to exactly 32 bytes; the listener crates apply this on
Server::new. Test fixtures use a fixed zero key, which is safe only
because they don't span processes.
cursor_ttl_seconds: u64
Time-to-live for paginated-result cursors, in seconds. Cursors older
than this fail verification with ERR_CURSOR_EXPIRED (1020). Default
300 s (5 minutes): long enough for one human "think" round-trip
without indefinite server-side state retention.