Struct ServerConfig 

pub struct ServerConfig {
    pub partition_config: PartitionConfig,
    pub lanes: Vec<LaneId>,
    pub listen_addr: String,
    pub engine_config: EngineConfig,
    pub cors_origins: Vec<String>,
    pub api_token: Option<String>,
    pub waitpoint_hmac_secret: String,
    pub waitpoint_hmac_grace_ms: u64,
    pub max_concurrent_stream_ops: u32,
    pub backend: BackendKind,
    pub valkey: ValkeyServerConfig,
    pub postgres: PostgresServerConfig,
}

Server configuration, loaded from environment variables.

RFC-017 Stage E4 (v0.8.0): the flat Valkey fields (host, port, tls, cluster, skip_library_load) were removed. Use ValkeyServerConfig on the valkey field instead.

Fields§

§partition_config: PartitionConfig

Partition counts (execution/flow/budget/quota).

§lanes: Vec<LaneId>

Lanes to manage. Default: ["default"].

§listen_addr: String

Listen address for the API surface. Default: "0.0.0.0:9090".

§engine_config: EngineConfig

Scanner intervals and engine config.

§cors_origins: Vec<String>

Allowed CORS origins. ["*"] means permissive (all origins).

§api_token: Option<String>

Shared-secret API token. If set, all requests except GET /healthz must include Authorization: Bearer <token>. If unset, auth is disabled.

§waitpoint_hmac_secret: String

Hex-encoded secret used to sign waitpoint HMAC tokens (RFC-004 §Waitpoint Security). Required on boot; the server refuses to start without it so multi-tenant signal authentication is never silently disabled. Recommended length: 64 hex chars (32 bytes).

§waitpoint_hmac_grace_ms: u64

Grace window during which tokens signed by the previous kid remain accepted after rotation. Tokens already in flight survive operator rotation; operators tighten this for sensitive tenants. Default 24h.

§max_concurrent_stream_ops: u32

Maximum concurrent stream-op callers (read_attempt_stream + tail_attempt_stream combined). Each caller holds one semaphore permit for the duration of its Valkey round-trip(s); contention surfaces as HTTP 429 at the REST boundary.

Shared bound for both read and tail because both run on the same dedicated tail_client (see Server.tail_client) — a big 10_000-frame XRANGE reply can head-of-line the mux just as badly as a long XREAD BLOCK, so they should share fairness accounting.

Default 64. Set below the server’s request-concurrency budget so stream ops cannot starve other routes. Env var: FF_MAX_CONCURRENT_STREAM_OPS (preferred) or legacy FF_MAX_CONCURRENT_TAIL (accepted during the R4 rename; both valid for at least one release).

§backend: BackendKind

RFC-017 Stage A: which backend family to boot. Default BackendKind::Valkey. BackendKind::Postgres is rejected at startup through Stage D per RFC-017 §9.0.

§valkey: ValkeyServerConfig

RFC-017 Stage E4 (v0.8.0): Valkey connection parameters. Meaningful only when backend == BackendKind::Valkey; the Postgres path ignores these fields.

§postgres: PostgresServerConfig

RFC-017 Wave 8 Stage E1: Postgres connection parameters. Meaningful only when backend == BackendKind::Postgres; the Valkey path ignores these fields.

Implementations§

impl ServerConfig

pub fn postgres_config(&self) -> BackendConfig

RFC-017 Wave 8 Stage E1: build the ff_core::backend::BackendConfig the Postgres backend’s connect_with_metrics expects, from the flat postgres.url and postgres.pool_size fields on this struct.

impl ServerConfig

pub fn from_env() -> Result<Self, ConfigError>

Load configuration from environment variables.

The table below enumerates every variable this function reads. It is the canonical rustdoc mirror of the identical table in the top-level README.md. docs/DEPLOYMENT.md references these names.

Maintenance contract: every env var key this function consumes — whether via a direct std::env::var(...) call or through the env_or / env_bool / env_u16 / env_u16_positive / env_u64 / env_u32_positive helpers — MUST have a row here. When you add, rename, or remove an env var, update this table in the same commit. There is no compile-time check — reviewers enforce it. Legacy aliases accepted during a rename window (e.g. FF_MAX_CONCURRENT_TAIL) should be listed alongside their preferred name.

| Variable | Default | Description |
|---|---|---|
| FF_WAITPOINT_HMAC_SECRET | required | Hex-encoded HMAC signing secret for waitpoint tokens (RFC-004 §Waitpoint Security). Even-length hex; 64 chars (32 bytes) recommended. Boot fails without it. |
| FF_HOST | localhost | Valkey host |
| FF_PORT | 6379 | Valkey port |
| FF_TLS | false | Enable TLS for Valkey (1 or true) |
| FF_CLUSTER | false | Enable Valkey cluster mode (1 or true) |
| FF_LISTEN_ADDR | 0.0.0.0:9090 | API listen address |
| FF_LANES | default | Comma-separated lane names; at least one non-empty lane required |
| FF_FLOW_PARTITIONS | 256 | Flow partition count — authoritative; under RFC-011 hash-tag co-location, exec keys also route here |
| FF_BUDGET_PARTITIONS | 32 | Budget partition count |
| FF_QUOTA_PARTITIONS | 32 | Quota partition count |
| FF_CORS_ORIGINS | * | Comma-separated CORS origins (* = permissive). Empty string is rejected; unset the var to get the default. |
| FF_API_TOKEN | (none) | Shared-secret Bearer token. If set, all non-/healthz requests require it. |
| FF_WAITPOINT_HMAC_GRACE_MS | 86400000 | Grace window (ms) during which tokens signed by the previous kid remain accepted after rotation. Default 24h. |
| FF_MAX_CONCURRENT_STREAM_OPS | 64 | Shared semaphore bound for read_attempt_stream + tail_attempt_stream. Legacy FF_MAX_CONCURRENT_TAIL is accepted as a fallback; if both are set, the new name wins. |
| FF_MAX_CONCURRENT_TAIL | (legacy) | Deprecated alias for FF_MAX_CONCURRENT_STREAM_OPS; accepted during the R4 rename window. |
| FF_LEASE_EXPIRY_INTERVAL_MS | 1500 | Lease-expiry scanner interval |
| FF_DELAYED_PROMOTER_INTERVAL_MS | 750 | Delayed-promoter scanner interval |
| FF_INDEX_RECONCILER_INTERVAL_S | 45 | Index reconciler interval |
| FF_ATTEMPT_TIMEOUT_INTERVAL_S | 2 | Attempt-timeout scanner interval |
| FF_SUSPENSION_TIMEOUT_INTERVAL_S | 2 | Suspension-timeout scanner interval |
| FF_PENDING_WP_EXPIRY_INTERVAL_S | 5 | Pending-waitpoint expiry scanner interval |
| FF_RETENTION_TRIMMER_INTERVAL_S | 60 | Retention-trimmer scanner interval |
| FF_BUDGET_RESET_INTERVAL_S | 15 | Budget-reset scanner interval |
| FF_BUDGET_RECONCILER_INTERVAL_S | 30 | Budget reconciler interval |
| FF_QUOTA_RECONCILER_INTERVAL_S | 30 | Quota reconciler interval |
| FF_UNBLOCK_INTERVAL_S | 5 | Unblock scanner interval |
| FF_DEPENDENCY_RECONCILER_INTERVAL_S | 15 | DAG dependency reconciler interval (safety net behind push-based promotion) |
| FF_FLOW_PROJECTOR_INTERVAL_S | 15 | Flow projector scanner interval |
| FF_EXECUTION_DEADLINE_INTERVAL_S | 5 | Execution-deadline scanner interval |
| FF_CANCEL_RECONCILER_INTERVAL_S | 15 | Cancel reconciler scanner interval |
| FF_BACKEND | valkey | Backend family — valkey or postgres. Both are first-class at v0.8.0 (RFC-017 Stage E4 flipped BACKEND_STAGE_READY to &["valkey", "postgres"]). |
| FF_POSTGRES_URL | (empty) | Postgres connection URL (libpq/sqlx shape, e.g. postgres://user:pass@host:port/db). Required when FF_BACKEND=postgres; ignored otherwise. |
| FF_POSTGRES_POOL_SIZE | 10 | Max Postgres pool connections; ignored on the Valkey path. |
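
A pre-deployment check over the security-relevant variables in the table above, written as an added example (not the project's own code): it flags a missing or malformed FF_WAITPOINT_HMAC_SECRET, auth disabled on a non-loopback FF_LISTEN_ADDR, and permissive CORS. The function name audit_env, the severity labels, and treating an empty value like an unset one are assumptions of this example.

```rust
use std::collections::HashMap;
use std::net::SocketAddr;

/// Audit FF_* settings against the semantics documented for `ServerConfig::from_env`.
/// Returns one finding per issue; an empty Vec means nothing was flagged.
fn audit_env(env: &HashMap<&str, &str>) -> Vec<String> {
    let mut findings = Vec::new();

    // Required, even-length hex, 64 chars (32 bytes) recommended.
    // Assumption of this example: an empty value is treated like a missing one.
    match env.get("FF_WAITPOINT_HMAC_SECRET").copied().unwrap_or("") {
        "" => findings.push("FATAL hmac-secret: missing, server refuses to boot".to_string()),
        s if s.len() % 2 != 0 || !s.chars().all(|c| c.is_ascii_hexdigit()) => {
            findings.push("FATAL hmac-secret: not even-length hex".to_string())
        }
        s if s.len() < 64 => findings.push(format!(
            "WARN hmac-secret: {} bytes, 32 recommended", s.len() / 2)),
        _ => {}
    }

    // Unset FF_API_TOKEN disables auth; the default listen address is 0.0.0.0:9090.
    // Assumption of this example: an empty token is treated like an unset one.
    let listen = env.get("FF_LISTEN_ADDR").copied().unwrap_or("0.0.0.0:9090");
    let loopback = listen.parse::<SocketAddr>().map(|a| a.ip().is_loopback()).unwrap_or(false);
    if env.get("FF_API_TOKEN").map_or(true, |t| t.is_empty()) && !loopback {
        findings.push(format!("HIGH api-token: auth disabled while listening on {listen}"));
    }

    // Unset FF_CORS_ORIGINS defaults to "*"; an explicitly empty value is rejected.
    match env.get("FF_CORS_ORIGINS").copied() {
        Some("") => findings.push("FATAL cors: empty string is rejected".to_string()),
        None => findings.push("WARN cors: unset, defaults to * (all origins)".to_string()),
        Some(v) if v.split(',').any(|o| o.trim() == "*") => {
            findings.push("WARN cors: * allows all origins".to_string())
        }
        Some(_) => {}
    }
    findings
}

fn main() {
    // Constructed sample environment, not taken from any real deployment.
    let env = HashMap::from([
        ("FF_WAITPOINT_HMAC_SECRET", "00112233445566778899aabbccddeeff"), // 16 bytes
        ("FF_LISTEN_ADDR", "0.0.0.0:9090"),
    ]);
    for finding in audit_env(&env) {
        println!("{finding}");
    }
}
```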

Trait Implementations§

impl Default for ServerConfig

fn default() -> Self

Returns the “default value” for a type.
