Module config 

.mkit/config parser / writer and XDG path helpers.

On-disk format: key = value, one per line, lines starting with # ignored. User-facing short-hand values for user.identity: ed25519:<hex>, mid:<u64>, or raw [kind][len][bytes] hex.

Config scope

There are two layered config files. Higher-priority values win:

1. Repo-scoped (<repo>/.mkit/config) — per-project knobs that travel with a clone: branch defaults and remote endpoints. Security-sensitive keys are rejected here, see REPO_FORBIDDEN_KEYS.
2. User-scoped ($XDG_CONFIG_HOME/mkit/config, default ~/.config/mkit/config) — per-user knobs that decide what gets signed, what gets executed, and what hosts to trust. A hostile cloned repo cannot influence these.
3. Built-in defaults — fall-back when neither file sets a value.

Merge order: defaults → user → repo (filtered). The repo file is parsed last so its safe values take precedence over defaults; any security-sensitive key in the repo file is rejected with a stderr warning and otherwise ignored. See docs/THREAT-MODEL.md for the threat model that motivates the split.

Structs

AttestConfig

[attest] section. All fields optional with documented defaults; a fresh repo’s config file has none of them set.

Config

Full in-memory representation of merged config (user + repo + defaults). All fields default to empty / documented defaults; readers that want a known-good default file should call read_or_default.

KeyConfig

[key] section for keystore-backed signing. All fields are user-scoped.

LayeredConfig

Parsed config with per-layer provenance preserved so callers can distinguish “repo configured this” from “user explicitly trusted this”.

RemoteEntry

A named remote’s stored address. type is a dispatch hint derived from the URL scheme at mkit remote add time.

ResolvedRemote

A resolved remote: its endpoint URL plus whether the repo-scoped config selected it (repo_chosen), which the #97 credential gate keys on. Returned by resolve_remote.

Upstream

Per-branch upstream: the remote name plus the remote branch this local branch tracks (branch.<b>.merge stores the bare branch name, e.g. main).

Enums

ConfigError

ConfigScope

Source of a parsed config line — used to decide whether a key is allowed (Repo rejects REPO_FORBIDDEN_KEYS; User accepts everything).

Constants

CONFIG_FILE

CORE_ALLOWED_KEYS

Inert core.* keys accepted for git compatibility. They are stored and round-tripped but mkit does not act on them (it has no CRLF translation, honors exec bits natively, etc.). Repo-safe precisely because inert.

CORE_DENIED_KEYS

Dangerous core.* keys that mkit refuses to store: they would change what commands or hooks mkit invokes if it honored them, so a hostile repo (or a typo) must not be able to set them. Rejected with a clear message.

DEFAULT_BRANCH

DEFAULT_KEY_BACKEND

DEFAULT_KEY_REF

DEFAULT_P256_KEY_REF

DEFAULT_REMOTE_NAME

The implicit name of the legacy flat remote_endpoint / remote_type remote.

DEFAULT_SECP256K1_KEY_REF

DEFAULT_SIGNER

DEFAULT_SIGNING_KEY

REPO_FORBIDDEN_KEYS

Keys that MUST NOT be settable via the per-repo <repo>/.mkit/config because a hostile clone could otherwise:

USER_CONFIG_SUBPATH

Functions

core_allowed_suffix

If key is core.<x> (section matched case-insensitively) with <x> an allowlisted inert key, return the canonical lowercase suffix. git lowercases both the section and the variable name, so Core.AutoCRLF → autocrlf.

endpoint_credential_trust

Per-endpoint credential trust check for the shared dispatch choke point (crate::remote_dispatch::open_trusted) and named-remote callers. repo_chosen is true when the endpoint was selected by the repo-scoped config (the flat remote_endpoint or a remote.<name>.url entry), false when it was supplied by the user (user-scoped config or an explicit CLI argument). Trust is keyed on the resolved ENDPOINT plus this provenance, never on a remote name.

enforce_trusted_remote_endpoint

Refuse to use ambient HTTP/S3 environment credentials with a repo-configured endpoint unless the user has explicitly trusted that exact remote in user-scoped config.

expand_user_identity

Expand a user-typed user.identity into the canonical hex form [kind:u8][len:u16 LE][bytes]. See docs/CLI.md.

home_dir_for_euid

Resolve the home directory of the current effective uid via getpwuid_r, ignoring $HOME.

is_core_section

true if key is in the core section (core.<x>), matched case-insensitively like git (Core.x, CORE.x all count).

parse_pipe_list

Split a pipe-separated argv string into argv tokens.

read_layered

Read both raw layers plus the merged config.

read_or_default

Read the layered config: defaults → user-scoped → repo-scoped (filtered to non-sensitive keys). Missing files are not errors; the per-layer absence simply leaves the lower layer’s value in place.

resolve_key_path

Resolve a configured signing-key path against root.

resolve_remote

Resolve a remote NAME to its endpoint + provenance.

resolve_upstream

Resolve the upstream (remote name, remote branch) for a local branch. Falls back to the default remote tracking the same-named branch when no explicit branch.<b>.{remote,merge} is configured and a default remote exists.

user_config_path

Resolve the user-scoped config file path: $XDG_CONFIG_HOME/mkit/config, falling back to $HOME/.config/mkit/config.

validate_key_path

validate_value

Validate a config value has no control bytes below 0x20 (except tab) and no 0x7f.

write

Write the given Config to <root>/.mkit/config. Only repo-scoped (non-forbidden) fields are emitted; security-sensitive fields live in the user-scoped file and must be written there explicitly.

write_user_kv

Write a single user-scoped key/value to $XDG_CONFIG_HOME/mkit/config. Reads the existing file (if any), updates the matching line (or appends), and writes back. Caller is responsible for validating value (control bytes, key-path traversal).

xdg_cache_home

xdg_config_home

xdg_data_home

xdg_state_home