Struct Config 

pub struct Config {

    pub server: ServerConfig,
    pub scanner: ScannerConfig,
    pub shield: ShieldConfig,
    pub auth: AuthConfig,
    pub signing: SigningConfig,
    pub rate_limit: RateLimitConfig,
    pub event_processor: EventProcessorConfig,
    pub telemetry: TelemetryConfig,
    pub storage: StorageConfig,
    pub plugins: PluginConfig,
    pub audit: AuditConfig,
    pub transport: TransportConfig,
    pub resilience: ResilienceConfig,
    pub neutralization: NeutralizationConfig,
    pub neutralizer: Option<NeutralizationConfig>,
}

Main configuration structure for KindlyGuard

Security Architecture

KindlyGuard’s configuration implements defense-in-depth with multiple security layers that work together:

1. Authentication (auth) - Identity verification and access control
2. Rate Limiting (rate_limit) - Abuse and DoS prevention
3. Scanner (scanner) - Threat detection and analysis
4. Neutralization (neutralization) - Threat remediation
5. Audit (audit) - Security event logging and compliance

Configuration Priority

When multiple security features could conflict:

1. Authentication failures block everything (highest priority)
2. Rate limits apply after authentication
3. Scanner runs on all authenticated requests
4. Neutralization only acts on detected threats

Example: Minimum Secure Configuration

[auth]
enabled = true
jwt_secret = "your-base64-encoded-secret"
trusted_issuers = ["https://your-auth-server.com"]

[rate_limit]
enabled = true
default_rpm = 60

[scanner]
unicode_detection = true
injection_detection = true
path_traversal_detection = true
xss_detection = true

[neutralization]
mode = "automatic"
audit_all_actions = true

Fields

server: ServerConfig

Server configuration

Controls network exposure and connection handling. Lower limits = more secure but less scalable.

scanner: ScannerConfig

Security scanning configuration

Primary defense against malicious input. More detections enabled = better security coverage.

shield: ShieldConfig

Shield display configuration

Visual security status indicator. No direct security impact but aids monitoring.

auth: AuthConfig

Authentication configuration

Access control and identity verification. MUST be enabled in production environments.

signing: SigningConfig

Message signing configuration

Cryptographic integrity for requests/responses. Prevents tampering and replay attacks.

rate_limit: RateLimitConfig

Rate limiting configuration

Prevents abuse and resource exhaustion. Essential for public-facing deployments.

event_processor: EventProcessorConfig

Enhanced security event processing configuration

Advanced threat correlation and analysis. Provides deeper security insights when enabled.

telemetry: TelemetryConfig

Telemetry configuration

Security monitoring and metrics. Critical for detecting attacks and anomalies.

storage: StorageConfig

Storage configuration

Secure storage for backups and audit logs. Encryption and access control are essential.

plugins: PluginConfig

Plugin system configuration

Extensibility with security boundaries. Only load trusted, signed plugins.

audit: AuditConfig

Audit logging configuration

Forensic trail of all security events. Required for compliance and incident response.

transport: TransportConfig

Transport layer configuration

Communication security settings. Use TLS for all network transports.

resilience: ResilienceConfig

Resilience configuration for circuit breakers and retry

Prevents cascading failures under attack. Maintains availability during security incidents.

neutralization: NeutralizationConfig

Threat neutralization configuration

Active threat remediation settings. Transforms malicious input into safe content.

neutralizer: Option<NeutralizationConfig>

Neutralizer configuration (alias for neutralization)

Some tests expect this field name. This is an alias for backwards compatibility.

Implementations

impl Config

pub const fn is_event_processor_enabled(&self) -> bool

Check if event processor is enabled

pub fn neutralizer(&self) -> &NeutralizationConfig

Get neutralizer configuration Returns the neutralizer field if set, otherwise returns neutralization

pub fn load() -> Result<Config, Error>

Load configuration from environment and files

Security Notes

• Configuration files should have restricted permissions (600 or 640)
• Never store secrets directly in config files - use environment variables
• Validate all loaded configurations before use
• Default configuration is intentionally conservative for security

pub fn load_from_file(path: &str) -> Result<Config, Error>

Load configuration from a specific file

Security Warning

Ensure the configuration file is from a trusted source and has appropriate file permissions to prevent unauthorized modifications.

pub fn validate_security(&self) -> Result<(), Error>

Validate configuration for security best practices

Example

let config = Config::load()?;
config.validate_security()?;

Trait Implementations

impl Clone for Config

fn clone(&self) -> Config

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Config

fn fmt(&self, f: &mut Formatter<'_>) -> Result<(), Error>

Formats the value using the given formatter.

impl Default for Config

fn default() -> Config

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for Config

fn deserialize<__D>( __deserializer: __D, ) -> Result<Config, <__D as Deserializer<'de>>::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for Config

fn serialize<__S>( &self, __serializer: __S, ) -> Result<<__S as Serializer>::Ok, <__S as Serializer>::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.