Skip to main content

Module config

Module config 

Source
Expand description

Configuration file handling for the KeyHog CLI.

Structs§

AllowlistSection
[allowlist] nested table. Issue #5: README documents file, require_reason, require_approved_by, max_expires_days. The allowlist enforcement layer reads .keyhogignore directly so the file override is the wiring point; the governance flags are surfaced to the allowlist evaluator post-parse.
ConfigFile
On-disk .keyhog.toml configuration file that mirrors CLI arguments. CLI flags always override values from the config file.
ConfigOutcome
Outcome of merging .keyhog.toml into ScanArgs, beyond the in-place args mutations: the things the caller must still act on.
DetectorSection
[detector.<id>] per-detector override. enabled = false drops the detector from the corpus (wired via ConfigOutcome::disabled_detectors). min_confidence = <f> sets a per-detector confidence floor applied in scan post-processing (wired via ConfigOutcome::detector_min_confidence), taking precedence over the global --min-confidence. Both are README-documented and now reach the runtime.
LockdownSection
[lockdown] enforcement. require = true refuses to run unless the operator passes --lockdown on the CLI. Issue #5: README example implied this was active; pre-fix the table was discarded silently.
ScanSection
[scan] nested table. Fields here map 1:1 to the flat top-level scalars and override them when both are present. Issue #5: README documented [scan] as the canonical surface; we now accept both shapes and warn-on-mismatch.

Constants§

SHIPPED_DETECTOR_FLOORS
Compiled-in Tier-A per-detector confidence floors that ship inside the binary, independent of any on-disk .keyhog.toml. This is the fix for the “tuned != benched != shipped” leak: [detector.<id>] min_confidence overrides used to exist ONLY in a user-authored .keyhog.toml, so the bench and every default scan (which find no such file and short-circuit to ConfigOutcome::default()) never exercised them. Floors listed here are seeded into every ConfigOutcome regardless of whether a config file is present, so the benched/default path runs the same per-detector tuning the shipped binary carries. A user .keyhog.toml [detector.<id>] min_confidence overrides the compiled value for that id (operator intent wins per-detector); ids only listed here still apply on the no-file path.
SHIPPED_DISABLED_DETECTORS
Compiled-in Tier-A detector disables that ship inside the binary, same rationale as SHIPPED_DETECTOR_FLOORS: a detector listed here is dropped from the loaded corpus on every path, including the no-config bench/default path. A user .keyhog.toml [detector.<id>] enabled = true cannot re-enable a compiled disable today (the merge is additive); keep this table for detectors that must never fire by default.

Functions§

apply_config_file
Load and merge a .keyhog.toml config file into the parsed ScanArgs. CLI flags always take precedence over the config file.
apply_config_file_quiet
Diagnostics-free variant for the daemon-routing PROBE in crate::subcommands::scan’s EffectivePolicy::resolve, which applies the config to a THROWAWAY clone of the args solely to read the resolved routing knobs (min_confidence / show_secrets / severity). The real orchestrator merge then runs apply_config_file and emits any read/parse warning exactly once. Without this, the probe + the real call each printed the “Failed to parse .keyhog.toml” warning, so a malformed config warned TWICE on the daemon route (HUNT-2). Keep the emission on the real path; only the probe is silenced.
find_config_file
Search for .keyhog.toml starting from the scan root, walking up to the filesystem root. Returns None when no config file is found.