Module config


fleet.toml parsing and validation.

Trust boundary (§3): every table uses deny_unknown_fields, every repo path is validated to exist and be a directory before any scanning, and every ignore requires a non-empty reason. A bad config is a hard error (exit 2) surfaced up front, never a mid-run surprise.

Structs

Config
Ignore
Repo
VexAssertion
A validated [[settings.vex_assertion]] (§6, §7.2): approved_by + reason non-empty and justification a known label, all enforced at parse (fail-closed).
VexConfig
Validated [settings.vex] (§12); resolved against --vex-* flags at -f vex.

Enums

ConfigError
A configuration error. All are fatal (exit 2).

Constants

DEFAULT_GLOB_MAX_DEPTH
Default depth bound for glob = true lockfile discovery (§6).
VEX_JUSTIFICATIONS
The five CISA VEX Working Group not_affected justification labels; a vex_assertion.justification, when present, must be one of these (§5, §6).