Expand description
Configuration file handling for the KeyHog CLI.
Structs§
- Allowlist
Section [allowlist]nested table. Issue #5: README documentsfile,require_reason,require_approved_by,max_expires_days. The allowlist enforcement layer reads.keyhogignoredirectly so thefileoverride is the wiring point; the governance flags are surfaced to the allowlist evaluator post-parse.- Config
File - On-disk
.keyhog.tomlconfiguration file that mirrors CLI arguments. CLI flags always override values from the config file. - Config
Outcome - Outcome of merging
.keyhog.tomlintoScanArgs, beyond the in-placeargsmutations: the things the caller must still act on. - Detector
Section [detector.<id>]per-detector override.enabled = falsedrops the detector from the corpus (wired viaConfigOutcome::disabled_detectors).min_confidence = <f>sets a per-detector confidence floor applied in scan post-processing (wired viaConfigOutcome::detector_min_confidence), taking precedence over the global--min-confidence. Both are README-documented and now reach the runtime.- Lockdown
Section [lockdown]enforcement.require = truerefuses to run unless the operator passes--lockdownon the CLI. Issue #5: README example implied this was active; pre-fix the table was discarded silently.- Scan
Section [scan]nested table. Fields here map 1:1 to the flat top-level scalars and override them when both are present. Issue #5: README documented[scan]as the canonical surface; we now accept both shapes and warn-on-mismatch.
Constants§
- SHIPPED_
DETECTOR_ FLOORS - Compiled-in Tier-A per-detector confidence floors that ship inside the
binary, independent of any on-disk
.keyhog.toml. This is the fix for the “tuned != benched != shipped” leak:[detector.<id>] min_confidenceoverrides used to exist ONLY in a user-authored.keyhog.toml, so the bench and every default scan (which find no such file and short-circuit toConfigOutcome::default()) never exercised them. Floors listed here are seeded into everyConfigOutcomeregardless of whether a config file is present, so the benched/default path runs the same per-detector tuning the shipped binary carries. A user.keyhog.toml[detector.<id>] min_confidenceoverrides the compiled value for that id (operator intent wins per-detector); ids only listed here still apply on the no-file path. - SHIPPED_
DISABLED_ DETECTORS - Compiled-in Tier-A detector disables that ship inside the binary, same
rationale as
SHIPPED_DETECTOR_FLOORS: a detector listed here is dropped from the loaded corpus on every path, including the no-config bench/default path. A user.keyhog.toml[detector.<id>] enabled = truecannot re-enable a compiled disable today (the merge is additive); keep this table for detectors that must never fire by default.
Functions§
- apply_
config_ file - Load and merge a
.keyhog.tomlconfig file into the parsedScanArgs. CLI flags always take precedence over the config file. - apply_
config_ file_ quiet - Diagnostics-free variant for the daemon-routing PROBE in
crate::subcommands::scan’sEffectivePolicy::resolve, which applies the config to a THROWAWAY clone of the args solely to read the resolved routing knobs (min_confidence / show_secrets / severity). The real orchestrator merge then runsapply_config_fileand emits any read/parse warning exactly once. Without this, the probe + the real call each printed the “Failed to parse .keyhog.toml” warning, so a malformed config warned TWICE on the daemon route (HUNT-2). Keep the emission on the real path; only the probe is silenced. - find_
config_ file - Search for
.keyhog.tomlstarting from the scan root, walking up to the filesystem root. ReturnsNonewhen no config file is found.