Module router_config

Router configuration loader per ADR-021 §2.

The router maps an ADR-020 path to a (source, reference) pair. Its configuration is global and lives at <config_dir>/devboy-tools/secrets/sources.toml (the ADR text abbreviates this to ~/.devboy/secrets/sources.toml).

This module parses and validates that file. The actual resolution algorithm — “which source serves this path?” — is the next phase (P5.3) and lives in crate::router_resolve. Splitting parse from resolve keeps the loader testable in isolation and lets the config be inspected by doctor without committing to a runtime decision.

File layout

# Source definitions — one per backend instance.
[[source]]
name = "keychain"
type = "keychain"

[[source]]
name = "1p-personal"
type = "1password"
account = "personal.example.1password.com"

[[source]]
name = "vault-team"
type = "vault"
addr  = "https://vault.example.internal/"
mount = "secret"

# The default route — used when no [[route]] prefix matches.
[default]
source   = "keychain"
fallback = "local-vault"          # optional, see ADR-021 §8

# Prefix routes — longest match wins.
[[route]]
prefix = "team/"
source = "vault-team"
mount  = "secret/data/team"        # source-specific extra

# Per-secret override — explicit (source, reference) for one path.
[secret."client-acme/jira/api-key"]
source    = "1p-personal"
reference = "op://Work/Acme Jira/credential"

Per-source and per-route extra fields are kept verbatim as toml::Value; concrete source plugins (P6) parse them into their own typed config when they’re constructed. The router itself never inspects them.

Validation

RouterConfig::parse returns a typed config when:

  • source names are non-empty and ^[a-z0-9][a-z0-9_-]*$,
  • no two [[source]] blocks share a name,
  • default.source and default.fallback (when set) reference defined sources,
  • every [[route]].source references a defined source,
  • every [[route]].prefix ends with /,
  • no two [[route]] blocks share a prefix,
  • every [secret."<path>"] key parses as a SecretPath,
  • every [secret."<path>"].source references a defined source.

Anything else is left to P5.3 / P5.5 (e.g. the source-credential recursion check).
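
The rules listed above, sketched as an added example (not the crate's own code): Config, Route, valid_name, validate and sample are hypothetical simplified stand-ins, violations are collected as strings rather than as RouterConfigError, and the SecretPath key check is omitted because its grammar is not given here. The sample mirrors the file layout above, whose fallback names local-vault although no [[source]] block with that name is shown.

```rust
use std::collections::HashSet;
// Hypothetical, simplified stand-ins for the parsed file (not the crate's real types).
pub struct Route { pub prefix: String, pub source: String }
pub struct Config {
    pub sources: Vec<String>,             // [[source]].name values
    pub default_source: String,           // [default].source
    pub default_fallback: Option<String>, // [default].fallback
    pub routes: Vec<Route>,               // [[route]] blocks
    pub overrides: Vec<(String, String)>, // [secret."<path>"] as (path, source)
}

/// Hand-rolled equivalent of ^[a-z0-9][a-z0-9_-]*$ (no regex dependency).
pub fn valid_name(n: &str) -> bool {
    let ok = |c: char| c.is_ascii_lowercase() || c.is_ascii_digit();
    n.starts_with(ok) && n.chars().all(|c| ok(c) || c == '_' || c == '-')
}

/// Returns every rule violation found; an empty vector means the config passes.
pub fn validate(cfg: &Config) -> Vec<String> {
    let (mut errs, mut names) = (Vec::new(), HashSet::new());
    for s in &cfg.sources {
        if !valid_name(s) { errs.push(format!("invalid source name {:?}", s)); }
        if !names.insert(s.as_str()) { errs.push(format!("duplicate source {:?}", s)); }
    }
    // Every field that names a source must point at a defined [[source]] block.
    let mut refs = vec![("default.source", cfg.default_source.as_str())];
    refs.extend(cfg.default_fallback.iter().map(|f| ("default.fallback", f.as_str())));
    refs.extend(cfg.routes.iter().map(|r| ("route.source", r.source.as_str())));
    refs.extend(cfg.overrides.iter().map(|(_, s)| ("secret.source", s.as_str())));
    for (field, name) in refs {
        if !names.contains(name) { errs.push(format!("{} -> undefined source {:?}", field, name)); }
    }
    let mut prefixes = HashSet::new();
    for r in &cfg.routes {
        if !r.prefix.ends_with('/') { errs.push(format!("prefix {:?} must end with '/'", r.prefix)); }
        if !prefixes.insert(r.prefix.as_str()) { errs.push(format!("duplicate prefix {:?}", r.prefix)); }
    }
    errs
}
/// Constructed sample mirroring the file layout above.
pub fn sample() -> Config {
    let s = String::from;
    Config {
        sources: vec![s("keychain"), s("1p-personal"), s("vault-team")],
        default_source: s("keychain"), default_fallback: Some(s("local-vault")),
        routes: vec![Route { prefix: s("team/"), source: s("vault-team") }],
        overrides: vec![(s("client-acme/jira/api-key"), s("1p-personal"))],
    }
}
fn main() { for e in validate(&sample()) { println!("{}", e); } }
```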

Structs

  • DefaultRoute: [default] block.
  • RouteRule: One [[route]] block.
  • RouterConfig: Parsed + validated router configuration.
  • SecretOverride: [secret."<path>"] block — explicit override for one path.
  • SourceDefinition: One [[source]] block.

Enums

  • RouterConfigError: Failure modes when loading or validating a RouterConfig.
  • SourceAccess: Access mode for one [[source]] — a capability mask layered over whatever the source plugin declares.

Constants

  • SOURCES_FILENAME: Filename of the router config inside SECRETS_SUBDIR.