//! Data provider configuration
//!
//! Configuration for the WASM-based data provider that executes policy data plugins.
use crate::config::ConfigLoader;
use serde::{Deserialize, Serialize};
/// Configuration for the data provider service.
///
/// Holds the resource limits applied to WASM policy-data plugins (fuel, stack size,
/// outbound HTTP budget, per-policy plugin count), the sizing of the module and
/// component caches, the data-cache connection URL, and the optional trusted
/// TLSNotary verifying key.
///
/// `#[serde(default)]` on the container means any field missing from the
/// deserialized input is taken from [`Default::default`] for this struct.
///
/// NOTE(review): the derived `Debug` and `Serialize` impls emit every field verbatim,
/// including `data_cache_url`, which can carry a password in its userinfo part (the
/// built-in default does). Avoid `{:?}`-logging or dumping this struct where that
/// output is retained; a redacting `Debug` impl would be the durable fix.
///
/// NOTE(review): no field here restricts which hosts a plugin may contact; the HTTP
/// fields only bound count, size and time. If destination filtering exists it is
/// enforced elsewhere; confirm.
#[derive(Debug, Serialize, Deserialize, PartialEq, Eq, Clone)]
#[serde(default)]
pub struct DataProviderConfig {
    /// Maximum cache size in bytes for WASM modules
    pub max_cache_size: u64,
    /// Maximum compiled wasmtime::Component entries cached in RAM.
    /// LRU-evicted. Each entry is typically 2-5x the source WASM byte size.
    pub max_component_cache_entries: u32,
    /// Instruction limit (fuel) for WASM execution.
    /// This is the CPU budget of a single plugin run.
    // NOTE(review): how a value of 0 is treated by the executor is not visible in
    // this file; confirm it cannot be read as "unlimited".
    pub fuel: u64,
    /// Maximum WASM stack size in bytes
    pub max_wasm_stack: u64,
    /// Maximum HTTP calls per WASM execution
    pub max_http_calls: u32,
    /// Maximum HTTP request size (body + headers) in bytes
    pub max_http_request_size: u32,
    /// Timeout for individual WASM HTTP requests in milliseconds.
    /// Applies per request, so the worst-case wall time spent on HTTP in one
    /// execution is roughly `max_http_calls * wasm_http_timeout_ms`.
    pub wasm_http_timeout_ms: u64,
    /// Maximum number of policy data addresses allowed per policy.
    /// Limits the number of WASM executions per policy evaluation task.
    // TODO: Once WASM opcode fee mechanism is in place, this policy task data generation step
    // will be bounded by the total WASM cost (execution cycles, latency, size, etc.) for the
    // policy evaluation task, rather than a fixed count limit.
    pub max_policy_data_limit: usize,
    /// Redis URL for data cache.
    /// May embed credentials (`redis://:<password>@host:port`), so handle the value
    /// as a secret.
    pub data_cache_url: String,
    /// Hex-encoded trusted TLSNotary notary verifying key for WASM TLSN host verification.
    /// Stored as an unvalidated `String`; hex decoding and key parsing happen elsewhere.
    /// The key is public material, but it decides which notary is trusted, so write
    /// access to it is integrity-sensitive.
    // NOTE(review): the behaviour of TLSN host verification when this is `None` is
    // not visible here; confirm it fails closed rather than skipping verification.
    #[serde(default)]
    pub tls_notary_trusted_key: Option<String>,
}
impl Default for DataProviderConfig {
    /// Builds the baseline configuration used for any value the loaded config omits.
    ///
    /// Two defaults deserve attention before a production rollout:
    ///
    /// * `data_cache_url` points at a loopback Redis over the plaintext `redis://`
    ///   scheme and embeds the fixed password `redis`. Treat it as a local-development
    ///   value and override it with a deployment-specific credential (and a TLS
    ///   endpoint if the cache is reached over a network).
    /// * `tls_notary_trusted_key` is `None`. NOTE(review): confirm that the TLSN host
    ///   verification path rejects proofs when no trusted key is configured.
    fn default() -> Self {
        // Size units, typed to match the fields they feed.
        const MIB: u64 = 1 << 20;
        const MIB_U32: u32 = 1 << 20;
        // Milliseconds per second, for the HTTP timeout.
        const MS_PER_SEC: u64 = 1_000;

        Self {
            // 100 MiB of cached WASM module bytes.
            max_cache_size: 100 * MIB,
            max_component_cache_entries: 32,
            // 100M instructions of fuel per execution.
            fuel: 100_000_000,
            // 64 MiB of WASM stack.
            max_wasm_stack: 64 * MIB,
            max_http_calls: 50,
            // 1 MiB per outbound request, body and headers together.
            max_http_request_size: MIB_U32,
            // 10 s per HTTP request.
            wasm_http_timeout_ms: 10 * MS_PER_SEC,
            // At most ten policy data addresses per policy.
            max_policy_data_limit: 10,
            // Development default: hard-coded password, loopback host, no TLS.
            data_cache_url: String::from("redis://:redis@127.0.0.1:6379"),
            tls_notary_trusted_key: None,
        }
    }
}
/// Registers [`DataProviderConfig`] with the crate's `ConfigLoader` trait by
/// supplying its two associated constants.
// NOTE(review): presumably `FILE_NAME` is the base name of the config file and
// `ENV_PREFIX` the prefix of overriding environment variables; the trait itself is
// not visible here, so confirm against `crate::config::ConfigLoader`. If environment
// overrides are supported, anyone able to set the process environment can raise the
// WASM limits, repoint the data cache, or replace the trusted TLSNotary key, so both
// sources should be treated as trusted, access-controlled inputs.
impl ConfigLoader for DataProviderConfig {
    const FILE_NAME: &'static str = "data-provider";
    const ENV_PREFIX: &'static str = "DATA_PROVIDER";
}
/// Field setters for [`DataProviderConfig`].
///
/// Each setter overwrites exactly one field with its argument and does nothing else.
/// None of them validates the value, so zero, the type's maximum, or a malformed
/// URL or key string are all stored as given; range and format checks have to be
/// done by the caller or by the code that consumes the configuration.
impl DataProviderConfig {
    /// Set maximum cache size in bytes for WASM modules.
    pub fn set_max_cache_size(&mut self, max_cache_size: u64) {
        self.max_cache_size = max_cache_size;
    }
    /// Set fuel (instruction limit) for a WASM execution.
    // NOTE(review): very large values effectively remove the CPU bound on a plugin;
    // consider an upper clamp where this is reachable from operator input.
    pub fn set_fuel(&mut self, fuel: u64) {
        self.fuel = fuel;
    }
    /// Set maximum WASM stack size in bytes.
    pub fn set_max_wasm_stack(&mut self, max_wasm_stack: u64) {
        self.max_wasm_stack = max_wasm_stack;
    }
    /// Set maximum HTTP calls per execution.
    pub fn set_max_http_calls(&mut self, max_http_calls: u32) {
        self.max_http_calls = max_http_calls;
    }
    /// Set maximum HTTP request size (body + headers) in bytes.
    pub fn set_max_http_request_size(&mut self, max_http_request_size: u32) {
        self.max_http_request_size = max_http_request_size;
    }
    /// Set maximum number of policy data addresses allowed per policy.
    pub fn set_max_policy_data_limit(&mut self, max_policy_data_limit: usize) {
        self.max_policy_data_limit = max_policy_data_limit;
    }
    /// Set data cache URL.
    /// The string is stored unparsed and may contain credentials; do not log it.
    pub fn set_data_cache_url(&mut self, data_cache_url: String) {
        self.data_cache_url = data_cache_url;
    }
    /// Set the trusted TLSNotary notary verifying key for WASM TLSN host verification.
    /// Passing `None` clears any previously configured key.
    // NOTE(review): the hex string is not decoded or length-checked here; confirm the
    // consumer rejects a malformed key instead of treating it as absent.
    pub fn set_tls_notary_trusted_key(&mut self, tls_notary_trusted_key: Option<String>) {
        self.tls_notary_trusted_key = tls_notary_trusted_key;
    }
}