Skip to main content

Module directive

Module directive 

Source
Expand description

Concrete HMAC verifier for the signed X-Debug-Directive header, the surgical, single-request diagnostics channel (docs/05 §3). An operator mints a token off-band with the shared key; a client cannot forge one, so it cannot self-enable verbose diagnostics (NFR-S3). The token rides the request and is verified by whichever instance handles it.

Token wire form: {payload_hex}.{sig_hex} where payload is a small JSON object and sig is HMAC-SHA256(key, payload_bytes). The MAC is computed and checked through the build’s validated crypto module (ring under non-fips, aws-lc-rs under fips, cfg-selected exactly like the TLS cert fingerprint) so a FIPS artifact never authenticates with a non-validated primitive.

Payload fields: level (required, a DiagLevel name), exp (required, absolute unix-seconds expiry), and optional targeting tenant/index/ principal, sample_per_mille (default 1000), ring_buffer (default false).

Structs§

HmacDirectiveVerifier
Verifies signed X-Debug-Directive tokens against a shared HMAC key.