sozu_command_lib/proto/

command.rs

// This file is @generated by prost-build.
/// A message received by Sōzu to change its state or query information
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Eq)]
#[derive(Hash)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct Request {
    #[prost(
        oneof = "request::RequestType",
        tags = "1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59"
    )]
    pub request_type: ::core::option::Option<request::RequestType>,
}
/// Nested message and enum types in `Request`.
pub mod request {
    #[derive(::serde::Serialize, ::serde::Deserialize)]
    #[serde(rename_all = "SCREAMING_SNAKE_CASE")]
    #[allow(clippy::large_enum_variant)]
    #[derive(Hash, Eq, Ord, PartialOrd)]
    #[derive(Clone, PartialEq, ::prost::Oneof)]
    pub enum RequestType {
        /// This message tells Sōzu to dump the current proxy state (backends,
        /// front domains, certificates, etc) as a list of JSON-serialized Requests,
        /// separated by a 0 byte, to a file. This file can be used later
        /// to bootstrap the proxy. This message is not forwarded to workers.
        /// If the specified path is relative, it will be calculated relative to the current
        /// working directory of the proxy.
        #[prost(string, tag = "1")]
        SaveState(::prost::alloc::string::String),
        /// load a state file, given its path
        #[prost(string, tag = "2")]
        LoadState(::prost::alloc::string::String),
        /// list the workers and their status
        #[prost(message, tag = "4")]
        ListWorkers(super::ListWorkers),
        /// list the frontends, filtered by protocol and/or domain
        #[prost(message, tag = "5")]
        ListFrontends(super::FrontendFilters),
        /// list all listeners
        #[prost(message, tag = "6")]
        ListListeners(super::ListListeners),
        /// launch a new worker
        /// never implemented, the tag is unused and probably not needed
        /// we may still implement it later with no paramater
        /// the main process will automatically assign a new id to a new worker
        #[prost(string, tag = "7")]
        LaunchWorker(::prost::alloc::string::String),
        /// upgrade the main process
        #[prost(message, tag = "8")]
        UpgradeMain(super::UpgradeMain),
        /// upgrade an existing worker, giving its id
        #[prost(uint32, tag = "9")]
        UpgradeWorker(u32),
        /// subscribe to proxy events
        #[prost(message, tag = "10")]
        SubscribeEvents(super::SubscribeEvents),
        /// reload the configuration from the config file, or a new file
        /// CHECK: this used to be an option. None => use the config file, Some(string) => path_to_file
        /// make sure it works using "" and "path_to_file"
        #[prost(string, tag = "11")]
        ReloadConfiguration(::prost::alloc::string::String),
        /// give status of main process and all workers
        #[prost(message, tag = "12")]
        Status(super::Status),
        /// add a cluster
        #[prost(message, tag = "13")]
        AddCluster(super::Cluster),
        /// remove a cluster giving its id
        #[prost(string, tag = "14")]
        RemoveCluster(::prost::alloc::string::String),
        /// add an HTTP frontend
        #[prost(message, tag = "15")]
        AddHttpFrontend(super::RequestHttpFrontend),
        /// remove an HTTP frontend
        #[prost(message, tag = "16")]
        RemoveHttpFrontend(super::RequestHttpFrontend),
        /// add an HTTPS frontend
        #[prost(message, tag = "17")]
        AddHttpsFrontend(super::RequestHttpFrontend),
        /// remove an HTTPS frontend
        #[prost(message, tag = "18")]
        RemoveHttpsFrontend(super::RequestHttpFrontend),
        /// add a certificate
        #[prost(message, tag = "19")]
        AddCertificate(super::AddCertificate),
        /// replace a certificate
        #[prost(message, tag = "20")]
        ReplaceCertificate(super::ReplaceCertificate),
        /// remove a certificate
        #[prost(message, tag = "21")]
        RemoveCertificate(super::RemoveCertificate),
        /// add a TCP frontend
        #[prost(message, tag = "22")]
        AddTcpFrontend(super::RequestTcpFrontend),
        /// remove a TCP frontend
        #[prost(message, tag = "23")]
        RemoveTcpFrontend(super::RequestTcpFrontend),
        /// add a backend
        #[prost(message, tag = "24")]
        AddBackend(super::AddBackend),
        /// remove a backend
        #[prost(message, tag = "25")]
        RemoveBackend(super::RemoveBackend),
        /// add an HTTP listener
        #[prost(message, tag = "26")]
        AddHttpListener(super::HttpListenerConfig),
        /// add an HTTPS listener
        #[prost(message, tag = "27")]
        AddHttpsListener(super::HttpsListenerConfig),
        /// add a TCP listener
        #[prost(message, tag = "28")]
        AddTcpListener(super::TcpListenerConfig),
        /// remove a listener
        #[prost(message, tag = "29")]
        RemoveListener(super::RemoveListener),
        /// activate a listener
        #[prost(message, tag = "30")]
        ActivateListener(super::ActivateListener),
        /// deactivate a listener
        #[prost(message, tag = "31")]
        DeactivateListener(super::DeactivateListener),
        /// query a cluster by id
        #[prost(string, tag = "35")]
        QueryClusterById(::prost::alloc::string::String),
        /// query clusters with a hostname and optional path
        #[prost(message, tag = "36")]
        QueryClustersByDomain(super::QueryClusterByDomain),
        /// query clusters hashes
        #[prost(message, tag = "37")]
        QueryClustersHashes(super::QueryClustersHashes),
        /// query metrics
        #[prost(message, tag = "38")]
        QueryMetrics(super::QueryMetricsOptions),
        /// soft stop
        #[prost(message, tag = "39")]
        SoftStop(super::SoftStop),
        /// hard stop
        #[prost(message, tag = "40")]
        HardStop(super::HardStop),
        /// enable, disable or clear the metrics
        #[prost(enumeration = "super::MetricsConfiguration", tag = "41")]
        ConfigureMetrics(i32),
        /// Change the logging level
        #[prost(string, tag = "42")]
        Logging(::prost::alloc::string::String),
        /// Return the listen sockets
        #[prost(message, tag = "43")]
        ReturnListenSockets(super::ReturnListenSockets),
        /// Get certificates from the state (rather than from the workers)
        #[prost(message, tag = "44")]
        QueryCertificatesFromTheState(super::QueryCertificatesFilters),
        /// Get certificates from the workers (rather than from the state)
        #[prost(message, tag = "45")]
        QueryCertificatesFromWorkers(super::QueryCertificatesFilters),
        /// query the state about how many requests of each type has been received
        /// since startup
        #[prost(message, tag = "46")]
        CountRequests(super::CountRequests),
        /// patch a running HTTP listener in place (no socket re-bind)
        #[prost(message, tag = "47")]
        UpdateHttpListener(super::UpdateHttpListenerConfig),
        /// patch a running HTTPS listener in place (no socket re-bind)
        #[prost(message, tag = "48")]
        UpdateHttpsListener(super::UpdateHttpsListenerConfig),
        /// patch a running TCP listener in place (no socket re-bind)
        #[prost(message, tag = "49")]
        UpdateTcpListener(super::UpdateTcpListenerConfig),
        /// set the global per-(cluster, source-IP) connection limit at
        /// runtime. `0` is "unlimited". Per-cluster overrides set on the
        /// `Cluster` message take precedence at admit time.
        #[prost(uint64, tag = "50")]
        SetMaxConnectionsPerIp(u64),
        /// query the current global per-(cluster, source-IP) connection
        /// limit. Workers reply with `MaxConnectionsPerIpLimit`.
        #[prost(message, tag = "51")]
        QueryMaxConnectionsPerIp(super::QueryMaxConnectionsPerIp),
        /// set or update the health check configuration for a cluster.
        /// Tags 47-49 carry in-place listener patches (HTTP/HTTPS/TCP) and
        /// 50-51 carry the per-(cluster, source-IP) connection-limit
        /// request/query, so health-check verbs start at 52.
        #[prost(message, tag = "52")]
        SetHealthCheck(super::SetHealthCheck),
        /// remove the health check configuration from a cluster.
        #[prost(string, tag = "53")]
        RemoveHealthCheck(::prost::alloc::string::String),
        /// list health check configurations (optional cluster id filter).
        #[prost(message, tag = "54")]
        QueryHealthChecks(super::QueryHealthChecks),
        /// Apply, renew, or release a runtime cardinality lease on the metrics
        /// drain. `sozu top` (and any future TUI client) leases DETAIL_BACKEND
        /// for the duration of an interactive session; the worker's effective
        /// detail is `max(configured, max(active leases))`. Leases self-expire
        /// server-side after `ttl_seconds` so a crashed client never permanently
        /// elevates cardinality. See doc/configure.md for the full semantics.
        #[prost(message, tag = "55")]
        SetMetricDetail(super::SetMetricDetail),
        /// add a UDP listener
        #[prost(message, tag = "56")]
        AddUdpListener(super::UdpListenerConfig),
        /// patch a running UDP listener in place (no socket re-bind)
        #[prost(message, tag = "57")]
        UpdateUdpListener(super::UpdateUdpListenerConfig),
        /// add a UDP frontend
        #[prost(message, tag = "58")]
        AddUdpFrontend(super::RequestUdpFrontend),
        /// remove a UDP frontend
        #[prost(message, tag = "59")]
        RemoveUdpFrontend(super::RequestUdpFrontend),
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct QueryHealthChecks {
    #[prost(string, optional, tag = "1")]
    pub cluster_id: ::core::option::Option<::prost::alloc::string::String>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct SetHealthCheck {
    #[prost(string, required, tag = "1")]
    pub cluster_id: ::prost::alloc::string::String,
    #[prost(message, required, tag = "2")]
    pub config: HealthCheckConfig,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ListWorkers {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ListListeners {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct UpgradeMain {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct SubscribeEvents {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct Status {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct QueryClustersHashes {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct SoftStop {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct HardStop {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ReturnListenSockets {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct CountRequests {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct QueryMaxConnectionsPerIp {}
/// Wrapper message to distinguish "absent" (preserve) from "present but empty"
/// (reset to default) for ALPN protocols. A bare `repeated string` cannot make
/// this distinction in proto2 since field absence is not detectable for repeated
/// scalars without a sentinel.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct AlpnProtocols {
    #[prost(string, repeated, tag = "1")]
    pub values: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// Partial-update patch for a running HTTP listener.
/// Only fields that are `Some` in the patch will be applied;
/// absent fields preserve their current value on the listener.
/// Bind-only fields (address, active) are intentionally absent — use
/// RemoveListener + AddHttpListener to change them.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct UpdateHttpListenerConfig {
    /// identifies the listener to patch (required — used as key)
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    #[prost(bool, optional, tag = "3")]
    pub expect_proxy: ::core::option::Option<bool>,
    #[prost(string, optional, tag = "4")]
    pub sticky_name: ::core::option::Option<::prost::alloc::string::String>,
    /// client inactive time, in seconds
    #[prost(uint32, optional, tag = "5")]
    pub front_timeout: ::core::option::Option<u32>,
    /// backend server inactive time, in seconds
    #[prost(uint32, optional, tag = "6")]
    pub back_timeout: ::core::option::Option<u32>,
    /// time to connect to the backend, in seconds
    #[prost(uint32, optional, tag = "7")]
    pub connect_timeout: ::core::option::Option<u32>,
    /// max time to send a complete request, in seconds
    #[prost(uint32, optional, tag = "8")]
    pub request_timeout: ::core::option::Option<u32>,
    /// DEPRECATED: per-status answer message. Prefer the `answers` map at
    /// field 38. Kept on the wire so older managers can still patch a running
    /// listener for one minor; on the worker side both fields are merged.
    #[prost(message, optional, tag = "9")]
    pub http_answers: ::core::option::Option<CustomHttpAnswers>,
    /// H2 flood thresholds — see HttpListenerConfig for semantics & CVE refs.
    /// All values must be >= 1 (validated server-side before applying).
    /// Maximum RST_STREAM frames per second window (CVE-2023-44487, CVE-2019-9514)
    #[prost(uint32, optional, tag = "20")]
    pub h2_max_rst_stream_per_window: ::core::option::Option<u32>,
    /// Maximum PING frames per second window (CVE-2019-9512)
    #[prost(uint32, optional, tag = "21")]
    pub h2_max_ping_per_window: ::core::option::Option<u32>,
    /// Maximum SETTINGS frames per second window (CVE-2019-9515)
    #[prost(uint32, optional, tag = "22")]
    pub h2_max_settings_per_window: ::core::option::Option<u32>,
    /// Maximum empty DATA frames per second window (CVE-2019-9518)
    #[prost(uint32, optional, tag = "23")]
    pub h2_max_empty_data_per_window: ::core::option::Option<u32>,
    /// Maximum CONTINUATION frames per header block (CVE-2024-27316)
    #[prost(uint32, optional, tag = "24")]
    pub h2_max_continuation_frames: ::core::option::Option<u32>,
    /// Maximum accumulated protocol anomalies before ENHANCE_YOUR_CALM
    #[prost(uint32, optional, tag = "25")]
    pub h2_max_glitch_count: ::core::option::Option<u32>,
    /// Connection-level receive window size in bytes (RFC 9113 §6.9.2)
    #[prost(uint32, optional, tag = "26")]
    pub h2_initial_connection_window: ::core::option::Option<u32>,
    /// Maximum concurrent H2 streams (SETTINGS_MAX_CONCURRENT_STREAMS); >= 1
    #[prost(uint32, optional, tag = "27")]
    pub h2_max_concurrent_streams: ::core::option::Option<u32>,
    /// Shrink threshold ratio for recycled stream slots; >= 1
    #[prost(uint32, optional, tag = "28")]
    pub h2_stream_shrink_ratio: ::core::option::Option<u32>,
    /// Absolute lifetime cap on RST_STREAM frames received (CVE-2023-44487)
    #[prost(uint64, optional, tag = "29")]
    pub h2_max_rst_stream_lifetime: ::core::option::Option<u64>,
    /// Lifetime cap on abusive RST_STREAM frames — Rapid Reset signature
    #[prost(uint64, optional, tag = "30")]
    pub h2_max_rst_stream_abusive_lifetime: ::core::option::Option<u64>,
    /// Absolute lifetime cap on RST_STREAM frames emitted by the server (CVE-2025-8671)
    #[prost(uint64, optional, tag = "31")]
    pub h2_max_rst_stream_emitted_lifetime: ::core::option::Option<u64>,
    /// Maximum HPACK-decoded header list size per request (RFC 9113 §6.5.2)
    #[prost(uint32, optional, tag = "32")]
    pub h2_max_header_list_size: ::core::option::Option<u32>,
    /// Maximum HPACK dynamic table size accepted from the peer
    #[prost(uint32, optional, tag = "33")]
    pub h2_max_header_table_size: ::core::option::Option<u32>,
    /// Per-stream idle timeout in seconds
    #[prost(uint32, optional, tag = "34")]
    pub h2_stream_idle_timeout_seconds: ::core::option::Option<u32>,
    /// Maximum wall-clock seconds to wait after GOAWAY(NO_ERROR). 0 = wait forever.
    #[prost(uint32, optional, tag = "35")]
    pub h2_graceful_shutdown_deadline_seconds: ::core::option::Option<u32>,
    /// Maximum connection-level (stream 0) WINDOW_UPDATE frames per window; >= 1
    #[prost(uint32, optional, tag = "36")]
    pub h2_max_window_update_stream0_per_window: ::core::option::Option<u32>,
    /// Name of the correlation header injected per request (e.g. "Sozu-Id")
    #[prost(string, optional, tag = "37")]
    pub sozu_id_header: ::core::option::Option<::prost::alloc::string::String>,
    /// Per-status HTTP answer template bodies, keyed by HTTP status code
    /// (e.g. "503"). Replaces the per-field shape of `CustomHttpAnswers` (field
    /// 9). An entry with an empty value is treated as "preserve current"; an
    /// entry with a non-empty value replaces the listener's stored template
    /// for that status. To clear a status template, recreate the listener.
    #[prost(btree_map = "string, string", tag = "38")]
    pub answers: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
    /// When true, any client-supplied `X-Real-IP` header is stripped from
    /// requests before forwarding (anti-spoofing). See HttpListenerConfig.
    #[prost(bool, optional, tag = "39")]
    pub elide_x_real_ip: ::core::option::Option<bool>,
    /// When true, a proxy-generated `X-Real-IP` header carrying the connection
    /// peer IP is appended to every forwarded request. See HttpListenerConfig.
    #[prost(bool, optional, tag = "40")]
    pub send_x_real_ip: ::core::option::Option<bool>,
    /// Maximum materialized header fields per request — see HttpListenerConfig.
    #[prost(uint32, optional, tag = "41")]
    pub h2_max_header_fields: ::core::option::Option<u32>,
}
/// Partial-update patch for a running HTTPS listener.
/// Only fields that are `Some` in the patch will be applied;
/// absent fields preserve their current value on the listener.
/// Bind-only fields (tls_versions, cipher_list, cipher_suites,
/// signature_algorithms, groups_list, certificate, certificate_chain, key,
/// send_tls13_tickets, active) are intentionally absent — use
/// RemoveListener + AddHttpsListener to change them.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct UpdateHttpsListenerConfig {
    /// identifies the listener to patch (required — used as key)
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    #[prost(bool, optional, tag = "3")]
    pub expect_proxy: ::core::option::Option<bool>,
    #[prost(string, optional, tag = "4")]
    pub sticky_name: ::core::option::Option<::prost::alloc::string::String>,
    /// client inactive time, in seconds
    #[prost(uint32, optional, tag = "5")]
    pub front_timeout: ::core::option::Option<u32>,
    /// backend server inactive time, in seconds
    #[prost(uint32, optional, tag = "6")]
    pub back_timeout: ::core::option::Option<u32>,
    /// time to connect to the backend, in seconds
    #[prost(uint32, optional, tag = "7")]
    pub connect_timeout: ::core::option::Option<u32>,
    /// max time to send a complete request, in seconds
    #[prost(uint32, optional, tag = "8")]
    pub request_timeout: ::core::option::Option<u32>,
    /// DEPRECATED: per-status answer message. Prefer the `answers` map at
    /// field 38. Kept on the wire so older managers can still patch a running
    /// listener for one minor; on the worker side both fields are merged.
    #[prost(message, optional, tag = "9")]
    pub http_answers: ::core::option::Option<CustomHttpAnswers>,
    /// ALPN protocols to advertise during TLS handshake.
    /// Uses a wrapper message so "absent" (preserve) and "present but empty"
    /// (reset to default \["h2","http/1.1"\]) are unambiguous. Valid values per
    /// element: "h2", "http/1.1". Validated server-side.
    #[prost(message, optional, tag = "10")]
    pub alpn_protocols: ::core::option::Option<AlpnProtocols>,
    /// When true, :authority/Host must match the TLS SNI (CWE-346/CWE-444)
    #[prost(bool, optional, tag = "11")]
    pub strict_sni_binding: ::core::option::Option<bool>,
    /// When true, only H2 connections are accepted; HTTP/1.1 is dropped at handshake
    #[prost(bool, optional, tag = "12")]
    pub disable_http11: ::core::option::Option<bool>,
    /// H2 flood thresholds — same numbers/semantics as UpdateHttpListenerConfig.
    /// All values must be >= 1 (validated server-side before applying).
    /// Maximum RST_STREAM frames per second window (CVE-2023-44487, CVE-2019-9514)
    #[prost(uint32, optional, tag = "20")]
    pub h2_max_rst_stream_per_window: ::core::option::Option<u32>,
    /// Maximum PING frames per second window (CVE-2019-9512)
    #[prost(uint32, optional, tag = "21")]
    pub h2_max_ping_per_window: ::core::option::Option<u32>,
    /// Maximum SETTINGS frames per second window (CVE-2019-9515)
    #[prost(uint32, optional, tag = "22")]
    pub h2_max_settings_per_window: ::core::option::Option<u32>,
    /// Maximum empty DATA frames per second window (CVE-2019-9518)
    #[prost(uint32, optional, tag = "23")]
    pub h2_max_empty_data_per_window: ::core::option::Option<u32>,
    /// Maximum CONTINUATION frames per header block (CVE-2024-27316)
    #[prost(uint32, optional, tag = "24")]
    pub h2_max_continuation_frames: ::core::option::Option<u32>,
    /// Maximum accumulated protocol anomalies before ENHANCE_YOUR_CALM
    #[prost(uint32, optional, tag = "25")]
    pub h2_max_glitch_count: ::core::option::Option<u32>,
    /// Connection-level receive window size in bytes (RFC 9113 §6.9.2)
    #[prost(uint32, optional, tag = "26")]
    pub h2_initial_connection_window: ::core::option::Option<u32>,
    /// Maximum concurrent H2 streams (SETTINGS_MAX_CONCURRENT_STREAMS); >= 1
    #[prost(uint32, optional, tag = "27")]
    pub h2_max_concurrent_streams: ::core::option::Option<u32>,
    /// Shrink threshold ratio for recycled stream slots; >= 1
    #[prost(uint32, optional, tag = "28")]
    pub h2_stream_shrink_ratio: ::core::option::Option<u32>,
    /// Absolute lifetime cap on RST_STREAM frames received (CVE-2023-44487)
    #[prost(uint64, optional, tag = "29")]
    pub h2_max_rst_stream_lifetime: ::core::option::Option<u64>,
    /// Lifetime cap on abusive RST_STREAM frames — Rapid Reset signature
    #[prost(uint64, optional, tag = "30")]
    pub h2_max_rst_stream_abusive_lifetime: ::core::option::Option<u64>,
    /// Absolute lifetime cap on RST_STREAM frames emitted by the server (CVE-2025-8671)
    #[prost(uint64, optional, tag = "31")]
    pub h2_max_rst_stream_emitted_lifetime: ::core::option::Option<u64>,
    /// Maximum HPACK-decoded header list size per request (RFC 9113 §6.5.2)
    #[prost(uint32, optional, tag = "32")]
    pub h2_max_header_list_size: ::core::option::Option<u32>,
    /// Maximum HPACK dynamic table size accepted from the peer
    #[prost(uint32, optional, tag = "33")]
    pub h2_max_header_table_size: ::core::option::Option<u32>,
    /// Per-stream idle timeout in seconds
    #[prost(uint32, optional, tag = "34")]
    pub h2_stream_idle_timeout_seconds: ::core::option::Option<u32>,
    /// Maximum wall-clock seconds to wait after GOAWAY(NO_ERROR). 0 = wait forever.
    #[prost(uint32, optional, tag = "35")]
    pub h2_graceful_shutdown_deadline_seconds: ::core::option::Option<u32>,
    /// Maximum connection-level (stream 0) WINDOW_UPDATE frames per window; >= 1
    #[prost(uint32, optional, tag = "36")]
    pub h2_max_window_update_stream0_per_window: ::core::option::Option<u32>,
    /// Name of the correlation header injected per request (e.g. "Sozu-Id")
    #[prost(string, optional, tag = "37")]
    pub sozu_id_header: ::core::option::Option<::prost::alloc::string::String>,
    /// Per-status HTTP answer template bodies, keyed by HTTP status code
    /// (e.g. "503"). Replaces the per-field shape of `CustomHttpAnswers` (field
    /// 9). An entry with an empty value is treated as "preserve current"; an
    /// entry with a non-empty value replaces the listener's stored template
    /// for that status. To clear a status template, recreate the listener.
    #[prost(btree_map = "string, string", tag = "38")]
    pub answers: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
    /// When true, any client-supplied `X-Real-IP` header is stripped from
    /// requests before forwarding (anti-spoofing). See HttpsListenerConfig.
    #[prost(bool, optional, tag = "39")]
    pub elide_x_real_ip: ::core::option::Option<bool>,
    /// When true, a proxy-generated `X-Real-IP` header carrying the connection
    /// peer IP is appended to every forwarded request. See HttpsListenerConfig.
    #[prost(bool, optional, tag = "40")]
    pub send_x_real_ip: ::core::option::Option<bool>,
    /// Listener-default HSTS policy (RFC 6797). Full-object replacement on
    /// partial update — when this field is `Some`, the supplied
    /// `HstsConfig` overwrites whatever the listener currently holds; when
    /// absent, the existing policy is preserved. Use
    /// `Some(HstsConfig { enabled: Some(false), .. })` to explicitly
    /// disable HSTS via partial update. Cites RFC 6797 §6.1 (single
    /// header) and §7.2 (HTTPS-only).
    #[prost(message, optional, tag = "41")]
    pub hsts: ::core::option::Option<HstsConfig>,
    /// Maximum materialized header fields per request — see HttpsListenerConfig.
    #[prost(uint32, optional, tag = "42")]
    pub h2_max_header_fields: ::core::option::Option<u32>,
}
/// Partial-update patch for a running TCP listener.
/// Only fields that are `Some` in the patch will be applied;
/// absent fields preserve their current value on the listener.
/// Bind-only fields (address, active) are intentionally absent.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct UpdateTcpListenerConfig {
    /// identifies the listener to patch (required — used as key)
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    #[prost(bool, optional, tag = "3")]
    pub expect_proxy: ::core::option::Option<bool>,
    /// client inactive time, in seconds
    #[prost(uint32, optional, tag = "4")]
    pub front_timeout: ::core::option::Option<u32>,
    /// backend server inactive time, in seconds
    #[prost(uint32, optional, tag = "5")]
    pub back_timeout: ::core::option::Option<u32>,
    /// time to connect to the backend, in seconds
    #[prost(uint32, optional, tag = "6")]
    pub connect_timeout: ::core::option::Option<u32>,
}
/// Partial-update patch for a running UDP listener.
/// Only fields that are `Some` in the patch will be applied;
/// absent fields preserve their current value on the listener.
/// Bind-only fields (address, active) are intentionally absent — use
/// RemoveListener + AddUdpListener to change them.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct UpdateUdpListenerConfig {
    /// identifies the listener to patch (required — used as key)
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    /// client flow idle time, in seconds
    #[prost(uint32, optional, tag = "3")]
    pub front_timeout: ::core::option::Option<u32>,
    /// upstream flow idle time, in seconds
    #[prost(uint32, optional, tag = "4")]
    pub back_timeout: ::core::option::Option<u32>,
    /// maximum received datagram size, in bytes (capped at buffer_size at runtime)
    #[prost(uint32, optional, tag = "5")]
    pub max_rx_datagram_size: ::core::option::Option<u32>,
    /// maximum number of concurrent flows; 0 = auto (~70% soft RLIMIT_NOFILE)
    #[prost(uint32, optional, tag = "6")]
    pub max_flows: ::core::option::Option<u32>,
}
/// details of an HTTP listener
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct HttpListenerConfig {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    #[prost(bool, required, tag = "5", default = "false")]
    pub expect_proxy: bool,
    #[prost(string, required, tag = "6")]
    pub sticky_name: ::prost::alloc::string::String,
    /// client inactive time, in seconds
    #[prost(uint32, required, tag = "7", default = "60")]
    pub front_timeout: u32,
    /// backend server inactive time, in seconds
    #[prost(uint32, required, tag = "8", default = "30")]
    pub back_timeout: u32,
    /// time to connect to the backend, in seconds
    #[prost(uint32, required, tag = "9", default = "3")]
    pub connect_timeout: u32,
    /// max time to send a complete request, in seconds
    #[prost(uint32, required, tag = "10", default = "10")]
    pub request_timeout: u32,
    /// wether the listener is actively listening on its socket
    #[prost(bool, required, tag = "11", default = "false")]
    pub active: bool,
    /// DEPRECATED: per-status answer message. Prefer the `answers` map at
    /// field 31. Kept on the wire so legacy state files round-trip cleanly;
    /// workers populate both fields and treat them as equivalent on read.
    #[prost(message, optional, tag = "12")]
    pub http_answers: ::core::option::Option<CustomHttpAnswers>,
    /// H2 flood detection thresholds (CVE mitigations).
    /// All are optional; when absent, built-in defaults are used.
    /// Maximum RST_STREAM frames per second window (CVE-2023-44487, CVE-2019-9514)
    #[prost(uint32, optional, tag = "13")]
    pub h2_max_rst_stream_per_window: ::core::option::Option<u32>,
    /// Maximum PING frames per second window (CVE-2019-9512)
    #[prost(uint32, optional, tag = "14")]
    pub h2_max_ping_per_window: ::core::option::Option<u32>,
    /// Maximum SETTINGS frames per second window (CVE-2019-9515)
    #[prost(uint32, optional, tag = "15")]
    pub h2_max_settings_per_window: ::core::option::Option<u32>,
    /// Maximum empty DATA frames per second window (CVE-2019-9518)
    #[prost(uint32, optional, tag = "16")]
    pub h2_max_empty_data_per_window: ::core::option::Option<u32>,
    /// Maximum CONTINUATION frames per header block (CVE-2024-27316)
    #[prost(uint32, optional, tag = "17")]
    pub h2_max_continuation_frames: ::core::option::Option<u32>,
    /// Maximum accumulated protocol anomalies before ENHANCE_YOUR_CALM
    #[prost(uint32, optional, tag = "18")]
    pub h2_max_glitch_count: ::core::option::Option<u32>,
    /// H2 connection tuning parameters.
    /// Connection-level receive window size in bytes (RFC 9113 §6.9.2).
    /// Default: 1048576 (1MB). The RFC default of 65535 is too small for proxying.
    #[prost(uint32, optional, tag = "19")]
    pub h2_initial_connection_window: ::core::option::Option<u32>,
    /// Maximum concurrent H2 streams the proxy accepts (SETTINGS_MAX_CONCURRENT_STREAMS).
    /// Default: 100.
    #[prost(uint32, optional, tag = "20")]
    pub h2_max_concurrent_streams: ::core::option::Option<u32>,
    /// Shrink threshold ratio for recycled stream slots. Vec is shrunk when
    /// total_slots > active_streams * ratio. Default: 2.
    #[prost(uint32, optional, tag = "21")]
    pub h2_stream_shrink_ratio: ::core::option::Option<u32>,
    /// Absolute lifetime cap on RST_STREAM frames received on a single H2
    /// connection (CVE-2023-44487). Default: 10000.
    #[prost(uint64, optional, tag = "22")]
    pub h2_max_rst_stream_lifetime: ::core::option::Option<u64>,
    /// Lifetime cap on "abusive" (pre-response-start) RST_STREAM frames
    /// received on a single H2 connection — the Rapid Reset signature.
    /// Default: 50.
    #[prost(uint64, optional, tag = "23")]
    pub h2_max_rst_stream_abusive_lifetime: ::core::option::Option<u64>,
    /// Absolute lifetime cap on RST_STREAM frames **emitted by the server**
    /// on a single H2 connection (CVE-2025-8671 "MadeYouReset"). Covers the
    /// emission-direction-flipped sibling of Rapid Reset, where an attacker
    /// sends legitimate-looking frames (Content-Length mismatch, header parse
    /// error, rejected priority, zero-increment WINDOW_UPDATE on an open
    /// stream) that coerce the server into emitting RST_STREAM. Graceful
    /// `NoError` cancels are exempt. Default: 500.
    #[prost(uint64, optional, tag = "27")]
    pub h2_max_rst_stream_emitted_lifetime: ::core::option::Option<u64>,
    /// Maximum accumulated HPACK-decoded header list size per request
    /// (SETTINGS_MAX_HEADER_LIST_SIZE, RFC 9113 §6.5.2). Default: 65536.
    #[prost(uint32, optional, tag = "24")]
    pub h2_max_header_list_size: ::core::option::Option<u32>,
    /// Per-stream idle timeout, in seconds. An open H2 stream that receives
    /// no meaningful application data (non-empty DATA or HEADERS frames) for
    /// this duration is cancelled (RST_STREAM / CANCEL). Active uploads that
    /// trickle DATA frames reset the timer on each non-empty frame. Defends
    /// against slow-multiplex Slowloris where a client keeps connection-level
    /// activity high (any frame resets the connection idle timer) while pinning
    /// up to `h2_max_concurrent_streams` streams. Default: 30.
    #[prost(uint32, optional, tag = "25")]
    pub h2_stream_idle_timeout_seconds: ::core::option::Option<u32>,
    /// Maximum HPACK dynamic table size (SETTINGS_HEADER_TABLE_SIZE) accepted
    /// from the peer. Caps the peer-advertised value to prevent unbounded
    /// HPACK encoder memory growth. Default: 65536.
    #[prost(uint32, optional, tag = "26")]
    pub h2_max_header_table_size: ::core::option::Option<u32>,
    /// Maximum wall-clock seconds to wait for in-flight H2 streams after
    /// GOAWAY(NO_ERROR) before forcibly closing the connection. Default: 5.
    /// Set to 0 to require streams to finish (no forced close).
    #[prost(uint32, optional, tag = "28")]
    pub h2_graceful_shutdown_deadline_seconds: ::core::option::Option<u32>,
    /// Maximum connection-level (stream 0) WINDOW_UPDATE frames per second
    /// window. Caps non-zero stream-0 WINDOW_UPDATE floods that would otherwise
    /// stay under the generic glitch counter (zero-increment stream-0 updates
    /// already trigger GOAWAY per RFC 9113 §6.9). Default: 100.
    #[prost(uint32, optional, tag = "29")]
    pub h2_max_window_update_stream0_per_window: ::core::option::Option<u32>,
    /// Name of the correlation header Sozu injects into every request and
    /// response to carry the per-request ULID. Default: "Sozu-Id". Operators
    /// who want to rebrand can set e.g. "X-Edge-Id" or "X-Request-Trace".
    #[prost(string, optional, tag = "30")]
    pub sozu_id_header: ::core::option::Option<::prost::alloc::string::String>,
    /// Per-status HTTP answer template bodies, keyed by HTTP status code
    /// (e.g. "404", "503"). Replaces the per-field shape of `CustomHttpAnswers`
    /// (field 12). The new field is populated alongside `http_answers` so
    /// legacy state files round-trip; new code should read this map.
    #[prost(btree_map = "string, string", tag = "31")]
    #[serde(default)]
    pub answers: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
    /// When true, any client-supplied `X-Real-IP` header is stripped from
    /// requests before forwarding (anti-spoofing). Independently combinable
    /// with `send_x_real_ip`. Default: false.
    #[prost(bool, optional, tag = "32", default = "false")]
    pub elide_x_real_ip: ::core::option::Option<bool>,
    /// When true, a proxy-generated `X-Real-IP` header carrying the connection
    /// peer IP (post-PROXY-v2 unwrap, i.e. the original client IP) is appended
    /// to every forwarded request. Independently combinable with
    /// `elide_x_real_ip`. Default: false.
    #[prost(bool, optional, tag = "33", default = "false")]
    pub send_x_real_ip: ::core::option::Option<bool>,
    /// Maximum number of materialized header fields per request — HPACK fields
    /// plus expanded cookie crumbs (RFC 9113 §8.2.3). Bounds the HPACK
    /// indexed-reference header bomb, where 1-byte indexed references are
    /// amplified into per-entry bookkeeping. Default: 128.
    #[prost(uint32, optional, tag = "34")]
    pub h2_max_header_fields: ::core::option::Option<u32>,
}
/// details of an HTTPS listener
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct HttpsListenerConfig {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    #[prost(bool, required, tag = "5", default = "false")]
    pub expect_proxy: bool,
    #[prost(string, required, tag = "6")]
    pub sticky_name: ::prost::alloc::string::String,
    /// client inactive time, in seconds
    #[prost(uint32, required, tag = "7", default = "60")]
    pub front_timeout: u32,
    /// backend server inactive time, in seconds
    #[prost(uint32, required, tag = "8", default = "30")]
    pub back_timeout: u32,
    /// time to connect to the backend, in seconds
    #[prost(uint32, required, tag = "9", default = "3")]
    pub connect_timeout: u32,
    /// max time to send a complete request, in seconds
    #[prost(uint32, required, tag = "10", default = "10")]
    pub request_timeout: u32,
    /// wether the listener is actively listening on its socket
    #[prost(bool, required, tag = "11", default = "false")]
    pub active: bool,
    /// TLS versions
    #[prost(enumeration = "TlsVersion", repeated, packed = "false", tag = "12")]
    pub versions: ::prost::alloc::vec::Vec<i32>,
    #[prost(string, repeated, tag = "13")]
    pub cipher_list: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    #[prost(string, repeated, tag = "14")]
    pub cipher_suites: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    #[prost(string, repeated, tag = "15")]
    pub signature_algorithms: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    #[prost(string, repeated, tag = "16")]
    pub groups_list: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    #[prost(string, optional, tag = "17")]
    pub certificate: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(string, repeated, tag = "18")]
    pub certificate_chain: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    #[prost(string, optional, tag = "19")]
    pub key: ::core::option::Option<::prost::alloc::string::String>,
    /// Number of TLS 1.3 tickets to send to a client when establishing a connection.
    /// The tickets allow the client to resume a session. This protects the client
    /// agains session tracking. Defaults to 4.
    #[prost(uint64, required, tag = "20")]
    pub send_tls13_tickets: u64,
    /// DEPRECATED: per-status answer message. Prefer the `answers` map at
    /// field 43. Kept on the wire so legacy state files round-trip cleanly;
    /// workers populate both fields and treat them as equivalent on read.
    #[prost(message, optional, tag = "21")]
    pub http_answers: ::core::option::Option<CustomHttpAnswers>,
    /// ALPN protocols to advertise during TLS handshake, in order of preference.
    /// Valid values: "h2", "http/1.1". Defaults to \["h2", "http/1.1"\].
    #[prost(string, repeated, tag = "22")]
    #[serde(default)]
    pub alpn_protocols: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// H2 flood detection thresholds (CVE mitigations).
    /// All are optional; when absent, built-in defaults are used.
    /// Maximum RST_STREAM frames per second window (CVE-2023-44487, CVE-2019-9514)
    #[prost(uint32, optional, tag = "23")]
    pub h2_max_rst_stream_per_window: ::core::option::Option<u32>,
    /// Maximum PING frames per second window (CVE-2019-9512)
    #[prost(uint32, optional, tag = "24")]
    pub h2_max_ping_per_window: ::core::option::Option<u32>,
    /// Maximum SETTINGS frames per second window (CVE-2019-9515)
    #[prost(uint32, optional, tag = "25")]
    pub h2_max_settings_per_window: ::core::option::Option<u32>,
    /// Maximum empty DATA frames per second window (CVE-2019-9518)
    #[prost(uint32, optional, tag = "26")]
    pub h2_max_empty_data_per_window: ::core::option::Option<u32>,
    /// Maximum CONTINUATION frames per header block (CVE-2024-27316)
    #[prost(uint32, optional, tag = "27")]
    pub h2_max_continuation_frames: ::core::option::Option<u32>,
    /// Maximum accumulated protocol anomalies before ENHANCE_YOUR_CALM
    #[prost(uint32, optional, tag = "28")]
    pub h2_max_glitch_count: ::core::option::Option<u32>,
    /// H2 connection tuning parameters.
    /// Connection-level receive window size in bytes (RFC 9113 §6.9.2).
    /// Default: 1048576 (1MB). The RFC default of 65535 is too small for proxying.
    #[prost(uint32, optional, tag = "29")]
    pub h2_initial_connection_window: ::core::option::Option<u32>,
    /// Maximum concurrent H2 streams the proxy accepts (SETTINGS_MAX_CONCURRENT_STREAMS).
    /// Default: 100.
    #[prost(uint32, optional, tag = "30")]
    pub h2_max_concurrent_streams: ::core::option::Option<u32>,
    /// Shrink threshold ratio for recycled stream slots. Vec is shrunk when
    /// total_slots > active_streams * ratio. Default: 2.
    #[prost(uint32, optional, tag = "31")]
    pub h2_stream_shrink_ratio: ::core::option::Option<u32>,
    /// Absolute lifetime cap on RST_STREAM frames received on a single H2
    /// connection (CVE-2023-44487). Default: 10000.
    #[prost(uint64, optional, tag = "32")]
    pub h2_max_rst_stream_lifetime: ::core::option::Option<u64>,
    /// Lifetime cap on "abusive" (pre-response-start) RST_STREAM frames
    /// received on a single H2 connection — the Rapid Reset signature.
    /// Default: 50.
    #[prost(uint64, optional, tag = "33")]
    pub h2_max_rst_stream_abusive_lifetime: ::core::option::Option<u64>,
    /// Absolute lifetime cap on RST_STREAM frames **emitted by the server**
    /// on a single H2 connection (CVE-2025-8671 "MadeYouReset"). Covers the
    /// emission-direction-flipped sibling of Rapid Reset, where an attacker
    /// sends legitimate-looking frames (Content-Length mismatch, header parse
    /// error, rejected priority, zero-increment WINDOW_UPDATE on an open
    /// stream) that coerce the server into emitting RST_STREAM. Graceful
    /// `NoError` cancels are exempt. Default: 500.
    #[prost(uint64, optional, tag = "39")]
    pub h2_max_rst_stream_emitted_lifetime: ::core::option::Option<u64>,
    /// Maximum accumulated HPACK-decoded header list size per request
    /// (SETTINGS_MAX_HEADER_LIST_SIZE, RFC 9113 §6.5.2). Default: 65536.
    #[prost(uint32, optional, tag = "34")]
    pub h2_max_header_list_size: ::core::option::Option<u32>,
    /// When true, every HTTP request served on this listener must have its
    /// `:authority` / `Host` host exact-match the TLS SNI that was negotiated
    /// at handshake (CWE-346 / CWE-444). Disabling this lifts the per-stream
    /// TLS trust boundary, so leave enabled unless an operational need
    /// requires cross-SNI routing. Default: true.
    #[prost(bool, optional, tag = "35")]
    pub strict_sni_binding: ::core::option::Option<bool>,
    /// When true, this listener only accepts HTTP/2 connections: clients
    /// that fail to negotiate `h2` via TLS ALPN (including those that
    /// omit ALPN altogether) are dropped at handshake instead of silently
    /// falling back to HTTP/1.1. Default: false — preserves the historical
    /// "ALPN missing defaults to h1" behavior.
    #[prost(bool, optional, tag = "36")]
    pub disable_http11: ::core::option::Option<bool>,
    /// Per-stream idle timeout, in seconds. An open H2 stream that receives
    /// no meaningful application data (non-empty DATA or HEADERS frames) for
    /// this duration is cancelled (RST_STREAM / CANCEL). Active uploads that
    /// trickle DATA frames reset the timer on each non-empty frame. Defends
    /// against slow-multiplex Slowloris where a client keeps connection-level
    /// activity high (any frame resets the connection idle timer) while pinning
    /// up to `h2_max_concurrent_streams` streams. Default: 30.
    #[prost(uint32, optional, tag = "37")]
    pub h2_stream_idle_timeout_seconds: ::core::option::Option<u32>,
    /// Maximum HPACK dynamic table size (SETTINGS_HEADER_TABLE_SIZE) accepted
    /// from the peer. Caps the peer-advertised value to prevent unbounded
    /// HPACK encoder memory growth. Default: 65536.
    #[prost(uint32, optional, tag = "38")]
    pub h2_max_header_table_size: ::core::option::Option<u32>,
    /// Maximum wall-clock seconds to wait for in-flight H2 streams after
    /// GOAWAY(NO_ERROR) before forcibly closing the connection. Default: 5.
    /// Set to 0 to require streams to finish (no forced close).
    #[prost(uint32, optional, tag = "40")]
    pub h2_graceful_shutdown_deadline_seconds: ::core::option::Option<u32>,
    /// Maximum connection-level (stream 0) WINDOW_UPDATE frames per second
    /// window. Caps non-zero stream-0 WINDOW_UPDATE floods that would otherwise
    /// stay under the generic glitch counter (zero-increment stream-0 updates
    /// already trigger GOAWAY per RFC 9113 §6.9). Default: 100.
    #[prost(uint32, optional, tag = "41")]
    pub h2_max_window_update_stream0_per_window: ::core::option::Option<u32>,
    /// Name of the correlation header Sozu injects into every request and
    /// response to carry the per-request ULID. Default: "Sozu-Id". Operators
    /// who want to rebrand can set e.g. "X-Edge-Id" or "X-Request-Trace".
    #[prost(string, optional, tag = "42")]
    pub sozu_id_header: ::core::option::Option<::prost::alloc::string::String>,
    /// Per-status HTTP answer template bodies, keyed by HTTP status code
    /// (e.g. "404", "503"). Replaces the per-field shape of `CustomHttpAnswers`
    /// (field 21). The new field is populated alongside `http_answers` so
    /// legacy state files round-trip; new code should read this map.
    #[prost(btree_map = "string, string", tag = "43")]
    #[serde(default)]
    pub answers: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
    /// When true, any client-supplied `X-Real-IP` header is stripped from
    /// requests before forwarding (anti-spoofing). Independently combinable
    /// with `send_x_real_ip`. Default: false.
    #[prost(bool, optional, tag = "44", default = "false")]
    pub elide_x_real_ip: ::core::option::Option<bool>,
    /// When true, a proxy-generated `X-Real-IP` header carrying the connection
    /// peer IP (post-PROXY-v2 unwrap, i.e. the original client IP) is appended
    /// to every forwarded request. Independently combinable with
    /// `elide_x_real_ip`. Default: false.
    #[prost(bool, optional, tag = "45", default = "false")]
    pub send_x_real_ip: ::core::option::Option<bool>,
    /// Listener-default HSTS (HTTP Strict Transport Security, RFC 6797)
    /// policy. When set, every successful response on this listener gains
    /// a `Strict-Transport-Security` header derived from the materialised
    /// policy (RFC 6797 §6.1 single-header requirement, §7.2 HTTPS-only
    /// emission, §8.1 host scope, §11.4 max-age=0 kill-switch). A
    /// per-frontend `RequestHttpFrontend.hsts` overrides this default.
    #[prost(message, optional, tag = "46")]
    pub hsts: ::core::option::Option<HstsConfig>,
    /// Maximum number of materialized header fields per request — HPACK fields
    /// plus expanded cookie crumbs (RFC 9113 §8.2.3). Bounds the HPACK
    /// indexed-reference header bomb, where 1-byte indexed references are
    /// amplified into per-entry bookkeeping. Default: 128.
    #[prost(uint32, optional, tag = "47")]
    pub h2_max_header_fields: ::core::option::Option<u32>,
}
/// details of an TCP listener
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct TcpListenerConfig {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    #[prost(bool, required, tag = "3", default = "false")]
    pub expect_proxy: bool,
    /// client inactive time, in seconds
    #[prost(uint32, required, tag = "4", default = "60")]
    pub front_timeout: u32,
    /// backend server inactive time, in seconds
    #[prost(uint32, required, tag = "5", default = "30")]
    pub back_timeout: u32,
    /// time to connect to the backend, in seconds
    #[prost(uint32, required, tag = "6", default = "3")]
    pub connect_timeout: u32,
    /// wether the listener is actively listening on its socket
    #[prost(bool, required, tag = "7", default = "false")]
    pub active: bool,
}
/// details of a UDP listener
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct UdpListenerConfig {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, optional, tag = "2")]
    pub public_address: ::core::option::Option<SocketAddress>,
    /// client flow idle time, in seconds
    #[prost(uint32, required, tag = "3", default = "30")]
    pub front_timeout: u32,
    /// upstream flow idle time, in seconds
    #[prost(uint32, required, tag = "4", default = "30")]
    pub back_timeout: u32,
    /// maximum received datagram size, in bytes (capped at buffer_size at runtime)
    #[prost(uint32, required, tag = "5", default = "1500")]
    pub max_rx_datagram_size: u32,
    /// maximum number of concurrent flows; 0 = auto (~70% soft RLIMIT_NOFILE)
    #[prost(uint32, required, tag = "6", default = "0")]
    pub max_flows: u32,
    /// wether the listener is actively listening on its socket
    #[prost(bool, required, tag = "7", default = "false")]
    pub active: bool,
}
/// HSTS (HTTP Strict Transport Security, RFC 6797) policy attached to
/// an HTTPS listener default or per-frontend. The materialised
/// `Strict-Transport-Security: max-age=N[; includeSubDomains][; preload]`
/// header is injected on every successful HTTPS response (including
/// proxy-generated 3xx/401/5xx default answers). Per RFC 6797 §7.2 the
/// header MUST NOT be emitted on plaintext-HTTP responses; sozu rejects
/// HSTS configured on an HttpListenerConfig at config-load time and gates
/// the runtime injection on `context.protocol == Protocol::HTTPS`.
///
/// Validation:
/// - `enabled = true` with `max_age = None` defaults `max_age` to
///   31536000 seconds (1 year) at config-load.
/// - `max_age = 0` is the RFC 6797 §11.4 kill-switch and is allowed
///   silently; `0 < max_age < 86400` warns.
/// - `preload = true` with `max_age < 31536000` or
///   `include_subdomains != true` warns (Chrome HSTS preload list
///   prerequisites at <https://hstspreload.org/>).
/// - `preload` is opt-in only; never default-true (RFC 6797 §14.2 —
///   removal from the preload list is slow and partial).
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct HstsConfig {
    /// Whether HSTS is enabled for this scope. Required whenever the
    /// parent message includes an HstsConfig — the partial-update path
    /// treats `enabled = false` as the explicit-disable signal.
    #[prost(bool, optional, tag = "1")]
    pub enabled: ::core::option::Option<bool>,
    /// Strict-Transport-Security `max-age` directive in seconds. When
    /// `enabled = true` and this is unset, sozu substitutes 31536000
    /// (1 year, HSTS preload list minimum) at config-load.
    #[prost(uint32, optional, tag = "2")]
    pub max_age: ::core::option::Option<u32>,
    /// Append `; includeSubDomains` to the rendered header.
    #[prost(bool, optional, tag = "3")]
    pub include_subdomains: ::core::option::Option<bool>,
    /// Append `; preload` to the rendered header. Opt-in only — see
    /// RFC 6797 §14.2 and <https://hstspreload.org/.>
    #[prost(bool, optional, tag = "4")]
    pub preload: ::core::option::Option<bool>,
    /// Operator opt-in to override any backend-supplied
    /// `Strict-Transport-Security` header with sozu's typed policy.
    ///
    /// RFC 6797 §6.1 default behaviour is to PRESERVE a backend-emitted
    /// STS header when one is already present (sozu's HSTS edit uses
    /// `HeaderEditMode::SetIfAbsent`). That keeps the backend's intent
    /// intact for upstreams that ship their own HSTS policy.
    ///
    /// Set this to `true` for the harden-centrally case: backends behind
    /// sozu emit a stale or weak HSTS policy (e.g. legacy `max-age=300`)
    /// and the operator wants to enforce a stronger policy at the proxy
    /// edge unconditionally. The materialiser then uses
    /// `HeaderEditMode::Set` instead of `SetIfAbsent`, replacing every
    /// backend-supplied STS header with sozu's rendered value.
    ///
    /// Cite: <https://datatracker.ietf.org/doc/html/rfc6797#section-6.1>
    #[prost(bool, optional, tag = "5")]
    pub force_replace_backend: ::core::option::Option<bool>,
}
/// custom HTTP answers, useful for 404, 503 pages
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct CustomHttpAnswers {
    /// MovedPermanently
    #[prost(string, optional, tag = "1")]
    pub answer_301: ::core::option::Option<::prost::alloc::string::String>,
    /// BadRequest
    #[prost(string, optional, tag = "2")]
    pub answer_400: ::core::option::Option<::prost::alloc::string::String>,
    /// Unauthorized
    #[prost(string, optional, tag = "3")]
    pub answer_401: ::core::option::Option<::prost::alloc::string::String>,
    /// NotFound
    #[prost(string, optional, tag = "4")]
    pub answer_404: ::core::option::Option<::prost::alloc::string::String>,
    /// RequestTimeout
    #[prost(string, optional, tag = "5")]
    pub answer_408: ::core::option::Option<::prost::alloc::string::String>,
    /// PayloadTooLarge
    #[prost(string, optional, tag = "6")]
    pub answer_413: ::core::option::Option<::prost::alloc::string::String>,
    /// MisdirectedRequest (RFC 9110 §15.5.20, TLS SNI ↔ :authority mismatch)
    #[prost(string, optional, tag = "11")]
    pub answer_421: ::core::option::Option<::prost::alloc::string::String>,
    /// BadGateway
    #[prost(string, optional, tag = "7")]
    pub answer_502: ::core::option::Option<::prost::alloc::string::String>,
    /// ServiceUnavailable
    #[prost(string, optional, tag = "8")]
    pub answer_503: ::core::option::Option<::prost::alloc::string::String>,
    /// GatewayTimeout
    #[prost(string, optional, tag = "9")]
    pub answer_504: ::core::option::Option<::prost::alloc::string::String>,
    /// InsufficientStorage
    #[prost(string, optional, tag = "10")]
    pub answer_507: ::core::option::Option<::prost::alloc::string::String>,
    /// TooManyRequests (per-(cluster, source-IP) connection limit hit)
    #[prost(string, optional, tag = "12")]
    pub answer_429: ::core::option::Option<::prost::alloc::string::String>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ActivateListener {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(enumeration = "ListenerType", required, tag = "2")]
    pub proxy: i32,
    #[prost(bool, required, tag = "3")]
    pub from_scm: bool,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct DeactivateListener {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(enumeration = "ListenerType", required, tag = "2")]
    pub proxy: i32,
    #[prost(bool, required, tag = "3")]
    pub to_scm: bool,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct RemoveListener {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(enumeration = "ListenerType", required, tag = "2")]
    pub proxy: i32,
}
/// All listeners, listed
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ListenersList {
    /// address -> http listener config
    #[prost(btree_map = "string, message", tag = "1")]
    pub http_listeners: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        HttpListenerConfig,
    >,
    /// address -> https listener config
    #[prost(btree_map = "string, message", tag = "2")]
    pub https_listeners: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        HttpsListenerConfig,
    >,
    /// address -> tcp listener config
    #[prost(btree_map = "string, message", tag = "3")]
    pub tcp_listeners: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        TcpListenerConfig,
    >,
    /// address -> udp listener config
    #[prost(btree_map = "string, message", tag = "4")]
    pub udp_listeners: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        UdpListenerConfig,
    >,
}
/// A single header mutation applied to a request, response, or both.
///
/// An empty `val` deletes the header by name (HAProxy `del-header` parity).
/// A non-empty `val` performs a set/replace; a header with the same name is
/// overwritten. Header names are matched case-insensitively per RFC 9110 §5.1.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct Header {
    #[prost(enumeration = "HeaderPosition", required, tag = "1")]
    pub position: i32,
    #[prost(string, required, tag = "2")]
    pub key: ::prost::alloc::string::String,
    /// Empty `val` deletes the header by name (HAProxy `del-header` parity).
    #[prost(string, required, tag = "3")]
    pub val: ::prost::alloc::string::String,
}
/// An HTTP or HTTPS frontend, as order to, or received from, Sōzu
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct RequestHttpFrontend {
    #[prost(string, optional, tag = "1")]
    pub cluster_id: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(message, required, tag = "2")]
    pub address: SocketAddress,
    #[prost(string, required, tag = "3")]
    pub hostname: ::prost::alloc::string::String,
    #[prost(message, required, tag = "4")]
    pub path: PathRule,
    #[prost(string, optional, tag = "5")]
    pub method: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(enumeration = "RulePosition", required, tag = "6", default = "Tree")]
    pub position: i32,
    /// custom tags to identify the frontend in the access logs
    #[prost(btree_map = "string, string", tag = "7")]
    pub tags: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
    /// Redirect policy for this frontend. Default `FORWARD` (no redirect).
    #[prost(enumeration = "RedirectPolicy", optional, tag = "8", default = "Forward")]
    pub redirect: ::core::option::Option<i32>,
    /// When true, requests routed through this frontend must carry a valid
    /// `Authorization: Basic <user:pass>` header whose hash matches one of
    /// `cluster.authorized_hashes`. Default: false.
    #[prost(bool, optional, tag = "9")]
    pub required_auth: ::core::option::Option<bool>,
    /// Scheme to use when emitting a 301 `Location` header. Default `USE_SAME`
    /// (preserve the request scheme).
    #[prost(enumeration = "RedirectScheme", optional, tag = "10", default = "UseSame")]
    pub redirect_scheme: ::core::option::Option<i32>,
    /// Optional template applied when emitting a permanent redirect. Supports
    /// `%REDIRECT_LOCATION` and the variables documented in `doc/configure.md`.
    #[prost(string, optional, tag = "11")]
    pub redirect_template: ::core::option::Option<::prost::alloc::string::String>,
    /// Rewrite host template. Supports `$HOST\[n\]` / `$PATH\[n\]` placeholders
    /// populated from regex captures collected during routing. When set, both
    /// the backend authority/path and the wire request line are rewritten.
    #[prost(string, optional, tag = "12")]
    pub rewrite_host: ::core::option::Option<::prost::alloc::string::String>,
    /// Rewrite path template. Same grammar as `rewrite_host`.
    #[prost(string, optional, tag = "13")]
    pub rewrite_path: ::core::option::Option<::prost::alloc::string::String>,
    /// Optional literal port override on the rewritten URL.
    #[prost(uint32, optional, tag = "14")]
    pub rewrite_port: ::core::option::Option<u32>,
    /// Header mutations applied to requests and/or responses passing through
    /// this frontend. See `Header` for delete semantics.
    #[prost(message, repeated, tag = "15")]
    #[serde(default)]
    pub headers: ::prost::alloc::vec::Vec<Header>,
    /// Per-frontend HSTS (RFC 6797) override. When `Some`, this entire
    /// policy replaces the listener-default `HttpsListenerConfig.hsts`
    /// for matched requests; when absent, the listener default applies.
    /// Honours RFC 6797 §6.1 (single Strict-Transport-Security header on
    /// the response) and §8.1 (HSTS host scope tied to the receiving
    /// host). On HTTP-only frontends the value is rejected at config-load
    /// (RFC 6797 §7.2). The §11.4 `max-age=0` kill-switch is honoured
    /// verbatim so an operator can shadow a listener-wide HSTS for one
    /// hostname.
    #[prost(message, optional, tag = "16")]
    pub hsts: ::core::option::Option<HstsConfig>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct RequestTcpFrontend {
    #[prost(string, required, tag = "1")]
    pub cluster_id: ::prost::alloc::string::String,
    /// the socket address on which to listen for incoming traffic
    #[prost(message, required, tag = "2")]
    pub address: SocketAddress,
    /// custom tags to identify the frontend in the access logs
    #[prost(btree_map = "string, string", tag = "3")]
    pub tags: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct RequestUdpFrontend {
    #[prost(string, required, tag = "1")]
    pub cluster_id: ::prost::alloc::string::String,
    /// the socket address on which to listen for incoming datagrams
    #[prost(message, required, tag = "2")]
    pub address: SocketAddress,
    /// custom tags to identify the frontend in the access logs
    #[prost(btree_map = "string, string", tag = "3")]
    #[serde(default)]
    pub tags: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
}
/// list the frontends, filtered by protocol and/or domain
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct FrontendFilters {
    #[prost(bool, required, tag = "1")]
    pub http: bool,
    #[prost(bool, required, tag = "2")]
    pub https: bool,
    #[prost(bool, required, tag = "3")]
    pub tcp: bool,
    #[prost(string, optional, tag = "4")]
    pub domain: ::core::option::Option<::prost::alloc::string::String>,
}
/// A filter for the path of incoming requests
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct PathRule {
    /// The kind of filter used for path rules
    #[prost(enumeration = "PathRuleKind", required, tag = "1")]
    pub kind: i32,
    /// the value of the given prefix, regex or equal pathrule
    #[prost(string, required, tag = "2")]
    pub value: ::prost::alloc::string::String,
}
/// Add a new TLS certificate to an HTTPs listener
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct AddCertificate {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, required, tag = "2")]
    pub certificate: CertificateAndKey,
    /// A unix timestamp. Overrides certificate expiration.
    #[prost(int64, optional, tag = "3")]
    pub expired_at: ::core::option::Option<i64>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct RemoveCertificate {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    /// a hex-encoded TLS fingerprint to identify the certificate to remove
    #[prost(string, required, tag = "2")]
    pub fingerprint: ::prost::alloc::string::String,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ReplaceCertificate {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, required, tag = "2")]
    pub new_certificate: CertificateAndKey,
    /// a hex-encoded TLS fingerprint to identify the old certificate
    #[prost(string, required, tag = "3")]
    pub old_fingerprint: ::prost::alloc::string::String,
    /// A unix timestamp. Overrides certificate expiration.
    #[prost(int64, optional, tag = "4")]
    pub new_expired_at: ::core::option::Option<i64>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct CertificateAndKey {
    #[prost(string, required, tag = "1")]
    pub certificate: ::prost::alloc::string::String,
    #[prost(string, repeated, tag = "2")]
    pub certificate_chain: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    #[prost(string, required, tag = "3")]
    pub key: ::prost::alloc::string::String,
    #[prost(enumeration = "TlsVersion", repeated, packed = "false", tag = "4")]
    pub versions: ::prost::alloc::vec::Vec<i32>,
    /// a list of domain names. Override certificate names
    /// if empty, the names of the certificate will be used
    #[prost(string, repeated, tag = "5")]
    pub names: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// Should be either a domain name or a fingerprint.
/// These filter do not compound, use either one but not both.
/// If none of them is specified, all certificates will be returned.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct QueryCertificatesFilters {
    /// a domain name to filter certificate results
    #[prost(string, optional, tag = "1")]
    pub domain: ::core::option::Option<::prost::alloc::string::String>,
    /// a hex-encoded fingerprint of the TLS certificate to find
    #[prost(string, optional, tag = "2")]
    pub fingerprint: ::core::option::Option<::prost::alloc::string::String>,
}
/// domain name and fingerprint of a certificate
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct CertificateSummary {
    #[prost(string, required, tag = "1")]
    pub domain: ::prost::alloc::string::String,
    /// a hex-encoded TLS fingerprint
    #[prost(string, required, tag = "2")]
    pub fingerprint: ::prost::alloc::string::String,
}
/// Used by workers to reply to some certificate queries
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ListOfCertificatesByAddress {
    #[prost(message, repeated, tag = "1")]
    pub certificates: ::prost::alloc::vec::Vec<CertificatesByAddress>,
}
/// Summaries of certificates for a given address
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct CertificatesByAddress {
    #[prost(message, required, tag = "1")]
    pub address: SocketAddress,
    #[prost(message, repeated, tag = "2")]
    pub certificate_summaries: ::prost::alloc::vec::Vec<CertificateSummary>,
}
/// to reply to several certificate queries
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct CertificatesWithFingerprints {
    /// a map of fingerprint -> certificate_and_key
    #[prost(btree_map = "string, message", tag = "1")]
    pub certs: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        CertificateAndKey,
    >,
}
/// Optional health-check configuration for a UDP cluster's backends.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct UdpHealthConfig {
    /// probe mode; defaults to TCP_PROBE when a udp block is present
    #[prost(enumeration = "UdpHealthMode", optional, tag = "1")]
    pub mode: ::core::option::Option<i32>,
    /// companion TCP probe port; unset = the backend data port
    #[prost(uint32, optional, tag = "2")]
    pub tcp_port: ::core::option::Option<u32>,
    /// consecutive successes before a backend is marked up
    #[prost(uint32, optional, tag = "3", default = "2")]
    pub rise: ::core::option::Option<u32>,
    /// consecutive failures before a backend is marked down
    #[prost(uint32, optional, tag = "4", default = "3")]
    pub fall: ::core::option::Option<u32>,
    /// when all backends are down, still forward (don't drop the flow)
    #[prost(bool, optional, tag = "5", default = "true")]
    pub fail_open: ::core::option::Option<bool>,
    /// payload sent for a UDP_PROBE
    #[prost(bytes = "vec", optional, tag = "6")]
    pub udp_probe_payload: ::core::option::Option<::prost::alloc::vec::Vec<u8>>,
    /// delay between probes, in seconds
    #[prost(uint32, optional, tag = "7", default = "5")]
    pub probe_interval_seconds: ::core::option::Option<u32>,
    /// per-probe response timeout, in seconds
    #[prost(uint32, optional, tag = "8", default = "2")]
    pub probe_timeout_seconds: ::core::option::Option<u32>,
}
/// UDP-specific cluster knobs. Attached to a `Cluster` via the `udp` field.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct UdpClusterConfig {
    /// flow affinity key; defaults to SOURCE_IP
    #[prost(enumeration = "UdpAffinityKey", optional, tag = "1")]
    pub affinity_key: ::core::option::Option<i32>,
    /// expected replies per flow; 0 = unlimited
    #[prost(uint32, optional, tag = "2")]
    pub responses: ::core::option::Option<u32>,
    /// max client datagrams per flow; 0 = unlimited
    #[prost(uint32, optional, tag = "3")]
    pub requests: ::core::option::Option<u32>,
    /// send a PROXY protocol v2 header to the backend
    #[prost(bool, optional, tag = "4")]
    pub send_proxy_protocol: ::core::option::Option<bool>,
    /// prepend PPv2 to every datagram; false = first-datagram only
    #[prost(bool, optional, tag = "5")]
    pub proxy_protocol_every_datagram: ::core::option::Option<bool>,
    /// optional backend health-check configuration
    #[prost(message, optional, tag = "6")]
    pub health: ::core::option::Option<UdpHealthConfig>,
}
/// A cluster is what binds a frontend to backends with routing rules
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct Cluster {
    #[prost(string, required, tag = "1")]
    pub cluster_id: ::prost::alloc::string::String,
    /// wether a connection from a client shall be always redirected to the same backend
    #[prost(bool, required, tag = "2")]
    pub sticky_session: bool,
    #[prost(bool, required, tag = "3")]
    pub https_redirect: bool,
    #[prost(enumeration = "ProxyProtocolConfig", optional, tag = "4")]
    pub proxy_protocol: ::core::option::Option<i32>,
    #[prost(
        enumeration = "LoadBalancingAlgorithms",
        required,
        tag = "5",
        default = "RoundRobin"
    )]
    pub load_balancing: i32,
    #[prost(string, optional, tag = "6")]
    pub answer_503: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(enumeration = "LoadMetric", optional, tag = "7")]
    pub load_metric: ::core::option::Option<i32>,
    /// Backend-capability hint: set to true when THE BACKEND speaks HTTP/2 (h2c or h2+TLS).
    /// This does NOT gate H2 acceptance at the frontend — frontend H2 is negotiated via
    /// TLS ALPN independently of per-cluster configuration (see alpn_protocols on the listener).
    #[prost(bool, optional, tag = "8")]
    pub http2: ::core::option::Option<bool>,
    /// Per-cluster HTTP answer template overrides keyed by HTTP status code
    /// (e.g. "503"). Override a listener-level answer for this cluster only.
    #[prost(btree_map = "string, string", tag = "9")]
    #[serde(default)]
    pub answers: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
    /// Optional explicit port to use when building the `Location` header for
    /// an `https_redirect`. When unset, the listener's effective HTTPS port is
    /// used. Lets operators front a non-standard HTTPS port (e.g. 8443) on
    /// the redirect target while keeping `https_redirect = true`.
    #[prost(uint32, optional, tag = "10")]
    pub https_redirect_port: ::core::option::Option<u32>,
    /// Authorized credentials for HTTP basic authentication. Each entry is
    /// formatted as `username:hex(sha256(password))` (lower-case hex). The
    /// mux compares the supplied `Authorization: Basic` header in
    /// constant-time against the full list. Empty list disables auth even
    /// when a frontend sets `required_auth = true` — those requests are
    /// rejected with a 401.
    #[prost(string, repeated, tag = "11")]
    #[serde(default)]
    pub authorized_hashes: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// Realm string emitted in `WWW-Authenticate: Basic realm="…"` when an
    /// unauthenticated request is rejected. Treated as an opaque value (no
    /// template substitution). Defaults to a generic realm if unset.
    #[prost(string, optional, tag = "12")]
    pub www_authenticate: ::core::option::Option<::prost::alloc::string::String>,
    /// Per-cluster override for the global `max_connections_per_ip`.
    /// `None` (field absent) inherits the global default. `Some(0)` is
    /// explicit "unlimited for this cluster". `Some(n > 0)` overrides with
    /// the cluster-specific limit. Counts are kept per
    /// `(cluster_id, source_ip)` pair, so two clusters never share a
    /// counter even from the same IP.
    #[prost(uint64, optional, tag = "13")]
    pub max_connections_per_ip: ::core::option::Option<u64>,
    /// Per-cluster override for the global `retry_after` header value
    /// (seconds, HTTP 429 only). `None` inherits the global default.
    /// `Some(0)` omits the header.
    #[prost(uint32, optional, tag = "14")]
    pub retry_after: ::core::option::Option<u32>,
    /// Optional HTTP health check configuration for backends in this cluster.
    /// Tag 8 in this message is the `http2` backend-capability hint and
    /// tags 9-14 cover answers/redirect/auth/limits, so health-check
    /// configuration occupies tag 15.
    #[prost(message, optional, tag = "15")]
    pub health_check: ::core::option::Option<HealthCheckConfig>,
    /// Optional UDP-specific cluster configuration. Present only for clusters
    /// that front UDP backends; absent for HTTP/HTTPS/TCP clusters.
    #[prost(message, optional, tag = "16")]
    pub udp: ::core::option::Option<UdpClusterConfig>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct HealthCheckConfig {
    #[prost(string, required, tag = "1")]
    pub uri: ::prost::alloc::string::String,
    #[prost(uint32, required, tag = "2", default = "10")]
    pub interval: u32,
    #[prost(uint32, required, tag = "3", default = "5")]
    pub timeout: u32,
    #[prost(uint32, required, tag = "4", default = "3")]
    pub healthy_threshold: u32,
    #[prost(uint32, required, tag = "5", default = "3")]
    pub unhealthy_threshold: u32,
    /// The probe wire format is derived from `Cluster.http2` (the same
    /// backend-capability hint the mux router reads). When the cluster
    /// sets `http2 = true`, the probe sends the HTTP/2 connection
    /// preface + empty SETTINGS + HEADERS frame on stream 1; otherwise
    /// HTTP/1.1. There is no per-`HealthCheckConfig` h2c flag — the
    /// probe wire follows the data-plane wire so an h2c-only backend
    /// is never probed with HTTP/1.1 (and vice versa).
    #[prost(uint32, required, tag = "6", default = "0")]
    pub expected_status: u32,
}
/// add a backend
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct AddBackend {
    #[prost(string, required, tag = "1")]
    pub cluster_id: ::prost::alloc::string::String,
    #[prost(string, required, tag = "2")]
    pub backend_id: ::prost::alloc::string::String,
    /// the socket address of the backend
    #[prost(message, required, tag = "3")]
    pub address: SocketAddress,
    #[prost(string, optional, tag = "4")]
    pub sticky_id: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(message, optional, tag = "5")]
    pub load_balancing_parameters: ::core::option::Option<LoadBalancingParams>,
    #[prost(bool, optional, tag = "6")]
    pub backup: ::core::option::Option<bool>,
}
/// remove an existing backend
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct RemoveBackend {
    #[prost(string, required, tag = "1")]
    pub cluster_id: ::prost::alloc::string::String,
    #[prost(string, required, tag = "2")]
    pub backend_id: ::prost::alloc::string::String,
    /// the socket address of the backend
    #[prost(message, required, tag = "3")]
    pub address: SocketAddress,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct LoadBalancingParams {
    #[prost(int32, required, tag = "1")]
    pub weight: i32,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct QueryClusterByDomain {
    #[prost(string, required, tag = "1")]
    pub hostname: ::prost::alloc::string::String,
    #[prost(string, optional, tag = "2")]
    pub path: ::core::option::Option<::prost::alloc::string::String>,
}
/// Options when querying metrics
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct QueryMetricsOptions {
    /// query a list of available metrics
    #[prost(bool, required, tag = "1")]
    pub list: bool,
    /// query metrics for these clusters
    #[prost(string, repeated, tag = "2")]
    pub cluster_ids: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// query metrics for these backends
    #[prost(string, repeated, tag = "3")]
    pub backend_ids: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// query only these metrics
    #[prost(string, repeated, tag = "4")]
    pub metric_names: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// query only worker and main process metrics (no cluster metrics)
    #[prost(bool, required, tag = "5")]
    pub no_clusters: bool,
    /// display metrics of each worker, without flattening (takes more space)
    #[prost(bool, required, tag = "6")]
    pub workers: bool,
}
/// Response to a request
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct Response {
    /// wether the request was a success, a failure, or is processing
    #[prost(enumeration = "ResponseStatus", required, tag = "1", default = "Failure")]
    pub status: i32,
    /// a success or error message
    #[prost(string, required, tag = "2")]
    pub message: ::prost::alloc::string::String,
    /// response data, if any
    #[prost(message, optional, tag = "3")]
    pub content: ::core::option::Option<ResponseContent>,
}
/// content of a response
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ResponseContent {
    #[prost(
        oneof = "response_content::ContentType",
        tags = "1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17"
    )]
    pub content_type: ::core::option::Option<response_content::ContentType>,
}
/// Nested message and enum types in `ResponseContent`.
pub mod response_content {
    #[derive(::serde::Serialize, ::serde::Deserialize)]
    #[serde(rename_all = "SCREAMING_SNAKE_CASE")]
    #[derive(Hash, Eq, Ord, PartialOrd)]
    #[derive(Clone, PartialEq, ::prost::Oneof)]
    pub enum ContentType {
        /// a list of workers, with ids, pids, statuses
        #[prost(message, tag = "1")]
        Workers(super::WorkerInfos),
        /// aggregated metrics of main process and workers
        #[prost(message, tag = "2")]
        Metrics(super::AggregatedMetrics),
        /// a collection of worker responses to the same request
        #[prost(message, tag = "3")]
        WorkerResponses(super::WorkerResponses),
        /// a proxy event
        #[prost(message, tag = "4")]
        Event(super::Event),
        /// a filtered list of frontend
        #[prost(message, tag = "5")]
        FrontendList(super::ListedFrontends),
        /// all listeners
        #[prost(message, tag = "6")]
        ListenersList(super::ListenersList),
        /// contains proxy & cluster metrics
        #[prost(message, tag = "7")]
        WorkerMetrics(super::WorkerMetrics),
        /// Lists of metrics that are available
        #[prost(message, tag = "8")]
        AvailableMetrics(super::AvailableMetrics),
        /// a list of cluster informations
        #[prost(message, tag = "9")]
        Clusters(super::ClusterInformations),
        /// collection of hashes of cluster information,
        #[prost(message, tag = "10")]
        ClusterHashes(super::ClusterHashes),
        /// a list of certificates summaries, grouped by socket address
        #[prost(message, tag = "11")]
        CertificatesByAddress(super::ListOfCertificatesByAddress),
        /// a map of complete certificates using fingerprints as key
        #[prost(message, tag = "12")]
        CertificatesWithFingerprints(super::CertificatesWithFingerprints),
        /// a census of the types of requests received since startup,
        #[prost(message, tag = "13")]
        RequestCounts(super::RequestCounts),
        /// current global per-(cluster, source-IP) connection limit
        #[prost(message, tag = "14")]
        MaxConnectionsPerIpLimit(super::MaxConnectionsPerIpLimit),
        /// health check configurations by cluster (renumbered from PR #1191's
        /// original `14` since post-1209 occupies that tag).
        #[prost(message, tag = "15")]
        HealthChecksList(super::HealthChecksList),
        /// Aggregated outcome of a `SetMetricDetail` fan-out: per-worker
        /// configured/effective/previous_effective levels plus the list of
        /// workers that could not decode the verb (mixed-version safety).
        #[prost(message, tag = "16")]
        MetricDetailStatus(super::MetricDetailStatus),
        /// Per-worker status payload returned by a single worker in
        /// response to `SetMetricDetail`. The master collects these
        /// across the fan-out and assembles them into
        /// `MetricDetailStatus.workers\[<worker_id>\]`. Carries the
        /// worker's own `(configured, effective, previous_effective,
        /// active_lease_count)` quartet — distinct from the master-side
        /// view rendered in `MetricDetailStatus.{configured,effective,
        /// previous_effective}` because each worker holds its own
        /// `Aggregator` with an independent lease table.
        #[prost(message, tag = "17")]
        WorkerMetricDetailStatus(super::WorkerMetricDetailStatus),
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct HealthChecksList {
    #[prost(btree_map = "string, message", tag = "1")]
    pub map: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        HealthCheckConfig,
    >,
}
/// a map of worker_id -> ResponseContent
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct WorkerResponses {
    #[prost(btree_map = "string, message", tag = "1")]
    pub map: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ResponseContent,
    >,
}
/// lists of frontends present in the state
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ListedFrontends {
    #[prost(message, repeated, tag = "1")]
    pub http_frontends: ::prost::alloc::vec::Vec<RequestHttpFrontend>,
    #[prost(message, repeated, tag = "2")]
    pub https_frontends: ::prost::alloc::vec::Vec<RequestHttpFrontend>,
    #[prost(message, repeated, tag = "3")]
    pub tcp_frontends: ::prost::alloc::vec::Vec<RequestTcpFrontend>,
    #[prost(message, repeated, tag = "4")]
    pub udp_frontends: ::prost::alloc::vec::Vec<RequestUdpFrontend>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ClusterInformations {
    #[prost(message, repeated, tag = "1")]
    pub vec: ::prost::alloc::vec::Vec<ClusterInformation>,
}
/// Information about a given cluster
/// Contains types usually used in requests, because they are readily available in protobuf
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ClusterInformation {
    #[prost(message, optional, tag = "1")]
    pub configuration: ::core::option::Option<Cluster>,
    #[prost(message, repeated, tag = "2")]
    pub http_frontends: ::prost::alloc::vec::Vec<RequestHttpFrontend>,
    #[prost(message, repeated, tag = "3")]
    pub https_frontends: ::prost::alloc::vec::Vec<RequestHttpFrontend>,
    #[prost(message, repeated, tag = "4")]
    pub tcp_frontends: ::prost::alloc::vec::Vec<RequestTcpFrontend>,
    #[prost(message, repeated, tag = "5")]
    pub backends: ::prost::alloc::vec::Vec<AddBackend>,
    #[prost(message, repeated, tag = "6")]
    pub udp_frontends: ::prost::alloc::vec::Vec<RequestUdpFrontend>,
}
/// an event produced by a worker to notify about backends status
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct Event {
    #[prost(enumeration = "EventKind", required, tag = "1")]
    pub kind: i32,
    #[prost(string, optional, tag = "2")]
    pub cluster_id: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(string, optional, tag = "3")]
    pub backend_id: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(message, optional, tag = "4")]
    pub address: ::core::option::Option<SocketAddress>,
    /// Set only when `kind == METRIC_DETAIL_CHANGED` and the worker is
    /// surfacing a worker-local lease transition (apply, clear, or polled
    /// expiry). Operator-initiated transitions are audited at the master
    /// dispatch site and DO emit this event for the SubscribeEvents bus,
    /// but the audit-log line for those is generated master-side and
    /// duplicates of `metric_detail` should be ignored by SOC tooling.
    /// See the `EventKind::METRIC_DETAIL_CHANGED` doc and the
    /// `MetricDetailTransition` message below for the trust model.
    #[prost(message, optional, tag = "5")]
    pub metric_detail: ::core::option::Option<MetricDetailTransition>,
}
/// Worker-emitted cardinality-lease transition. Populates the
/// `Event.metric_detail` field when a worker's `effective` level changes
/// because a lease was applied, renewed, expired (TTL janitor), or
/// cleared. The master folds these into the audit log alongside the
/// operator-initiated transitions emitted from
/// `bin/src/command/requests.rs::worker_request`, closing the gap where
/// worker-local expiries previously left no audit trail.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct MetricDetailTransition {
    /// The worker's effective cardinality level BEFORE the transition.
    #[prost(enumeration = "MetricDetail", required, tag = "1")]
    pub previous_effective: i32,
    /// The worker's effective cardinality level AFTER the transition.
    #[prost(enumeration = "MetricDetail", required, tag = "2")]
    pub effective: i32,
    /// What caused the transition. Stable strings: "lease_tick_expired"
    /// (janitor retired one or more leases), "lease_apply" (worker arm
    /// applied a lease), "lease_clear" (worker arm cleared a lease).
    /// Operator-initiated apply/clear emit master-side; the worker still
    /// emits this Event so the SubscribeEvents bus has one canonical
    /// signal for cardinality changes regardless of origin.
    #[prost(string, required, tag = "3")]
    pub transition_kind: ::prost::alloc::string::String,
    /// Operator-supplied lease key (`SetMetricDetail.client_id`) when the
    /// transition was triggered by an explicit apply/clear. Empty for
    /// janitor expiries, which clear many leases at once.
    #[prost(string, optional, tag = "4")]
    pub client_id: ::core::option::Option<::prost::alloc::string::String>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ClusterHashes {
    /// cluster id -> hash of cluster information
    #[prost(btree_map = "string, uint64", tag = "1")]
    pub map: ::prost::alloc::collections::BTreeMap<::prost::alloc::string::String, u64>,
}
/// A list of worker infos
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct WorkerInfos {
    #[prost(message, repeated, tag = "1")]
    pub vec: ::prost::alloc::vec::Vec<WorkerInfo>,
}
/// Information about a worker with id, pid, runstate
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct WorkerInfo {
    #[prost(uint32, required, tag = "1")]
    pub id: u32,
    #[prost(int32, required, tag = "2")]
    pub pid: i32,
    #[prost(enumeration = "RunState", required, tag = "3")]
    pub run_state: i32,
}
/// lists of available metrics in a worker, or in the main process (in which case there are no cluster metrics)
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct AvailableMetrics {
    #[prost(string, repeated, tag = "1")]
    pub proxy_metrics: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    #[prost(string, repeated, tag = "2")]
    pub cluster_metrics: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// Aggregated metrics of main process & workers
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct AggregatedMetrics {
    /// metrics about the main process.
    /// metric_name -> metric_value
    #[prost(btree_map = "string, message", tag = "1")]
    pub main: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        FilteredMetrics,
    >,
    /// details of worker metrics, with clusters and backends.
    /// worker_id -> worker_metrics
    #[prost(btree_map = "string, message", tag = "2")]
    pub workers: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        WorkerMetrics,
    >,
    /// if present, contains metrics of clusters and their backends, merged across all workers.
    /// cluster_id -> cluster_metrics
    #[prost(btree_map = "string, message", tag = "3")]
    pub clusters: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ClusterMetrics,
    >,
    /// if present, proxying metrics, merged accross all workers.
    /// metric_name -> metric_value
    #[prost(btree_map = "string, message", tag = "4")]
    pub proxying: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        FilteredMetrics,
    >,
}
/// All metrics of a worker: proxy and clusters
/// Populated by Options so partial results can be sent
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct WorkerMetrics {
    /// Metrics of the worker process, key -> value
    #[prost(btree_map = "string, message", tag = "1")]
    pub proxy: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        FilteredMetrics,
    >,
    /// cluster_id -> cluster_metrics
    #[prost(btree_map = "string, message", tag = "2")]
    pub clusters: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ClusterMetrics,
    >,
}
/// the metrics of a given cluster, with several backends
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ClusterMetrics {
    /// metric name -> metric value
    #[prost(btree_map = "string, message", tag = "1")]
    pub cluster: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        FilteredMetrics,
    >,
    /// list of backends with their metrics
    #[prost(message, repeated, tag = "2")]
    pub backends: ::prost::alloc::vec::Vec<BackendMetrics>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct BackendMetrics {
    #[prost(string, required, tag = "1")]
    pub backend_id: ::prost::alloc::string::String,
    #[prost(btree_map = "string, message", tag = "2")]
    pub metrics: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        FilteredMetrics,
    >,
}
/// A metric, in a "filtered" format, which means: sendable to outside programs.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct FilteredMetrics {
    #[prost(oneof = "filtered_metrics::Inner", tags = "1, 2, 3, 4, 5, 6")]
    pub inner: ::core::option::Option<filtered_metrics::Inner>,
}
/// Nested message and enum types in `FilteredMetrics`.
pub mod filtered_metrics {
    #[derive(::serde::Serialize, ::serde::Deserialize)]
    #[serde(rename_all = "SCREAMING_SNAKE_CASE")]
    #[derive(Hash, Eq, Ord, PartialOrd)]
    #[derive(Clone, PartialEq, ::prost::Oneof)]
    pub enum Inner {
        /// increases or decrease depending on the state
        #[prost(uint64, tag = "1")]
        Gauge(u64),
        /// increases only
        #[prost(int64, tag = "2")]
        Count(i64),
        /// milliseconds
        #[prost(uint64, tag = "3")]
        Time(u64),
        #[prost(message, tag = "4")]
        Percentiles(super::Percentiles),
        #[prost(message, tag = "5")]
        TimeSerie(super::FilteredTimeSerie),
        #[prost(message, tag = "6")]
        Histogram(super::FilteredHistogram),
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct FilteredTimeSerie {
    #[prost(uint32, required, tag = "1")]
    pub last_second: u32,
    #[prost(uint32, repeated, packed = "false", tag = "2")]
    pub last_minute: ::prost::alloc::vec::Vec<u32>,
    #[prost(uint32, repeated, packed = "false", tag = "3")]
    pub last_hour: ::prost::alloc::vec::Vec<u32>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct Percentiles {
    #[prost(uint64, required, tag = "1")]
    pub samples: u64,
    #[prost(uint64, required, tag = "2")]
    pub p_50: u64,
    #[prost(uint64, required, tag = "3")]
    pub p_90: u64,
    #[prost(uint64, required, tag = "4")]
    pub p_99: u64,
    #[prost(uint64, required, tag = "5")]
    pub p_99_9: u64,
    #[prost(uint64, required, tag = "6")]
    pub p_99_99: u64,
    #[prost(uint64, required, tag = "7")]
    pub p_99_999: u64,
    #[prost(uint64, required, tag = "8")]
    pub p_100: u64,
    #[prost(uint64, required, tag = "9")]
    pub sum: u64,
}
/// a histogram meant to be translated to prometheus
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct FilteredHistogram {
    #[prost(uint64, required, tag = "1")]
    pub sum: u64,
    #[prost(uint64, required, tag = "2")]
    pub count: u64,
    #[prost(message, repeated, tag = "3")]
    pub buckets: ::prost::alloc::vec::Vec<Bucket>,
}
/// a prometheus histogram bucket
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct Bucket {
    #[prost(uint64, required, tag = "1")]
    pub count: u64,
    /// upper range of the bucket (le = less or equal)
    #[prost(uint64, required, tag = "2")]
    pub le: u64,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct RequestCounts {
    #[prost(btree_map = "string, int32", tag = "1")]
    pub map: ::prost::alloc::collections::BTreeMap<::prost::alloc::string::String, i32>,
}
/// `0` means unlimited (the feature is disabled). Returned by workers in
/// response to `Request.query_max_connections_per_ip`.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct MaxConnectionsPerIpLimit {
    #[prost(uint64, required, tag = "1")]
    pub limit: u64,
}
/// matches std::net::SocketAddr in the Rust library
/// beware that the ports are expressed with uint32 here,
/// but they should NOT exceed uint16 value
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct SocketAddress {
    #[prost(message, required, tag = "1")]
    pub ip: IpAddress,
    #[prost(uint32, required, tag = "2")]
    pub port: u32,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct IpAddress {
    #[prost(oneof = "ip_address::Inner", tags = "1, 2")]
    pub inner: ::core::option::Option<ip_address::Inner>,
}
/// Nested message and enum types in `IpAddress`.
pub mod ip_address {
    #[derive(::serde::Serialize, ::serde::Deserialize)]
    #[serde(rename_all = "SCREAMING_SNAKE_CASE")]
    #[derive(Ord, PartialOrd)]
    #[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Oneof)]
    pub enum Inner {
        #[prost(fixed32, tag = "1")]
        V4(u32),
        #[prost(message, tag = "2")]
        V6(super::Uint128),
    }
}
/// used to represent the 128 bits of an IPv6 address
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct Uint128 {
    /// higher value, first 8 bytes of the ip
    #[prost(uint64, required, tag = "1")]
    pub low: u64,
    /// lower value, last 8 bytes of the ip
    #[prost(uint64, required, tag = "2")]
    pub high: u64,
}
/// This is sent only from Sōzu to Sōzu
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct WorkerRequest {
    #[prost(string, required, tag = "1")]
    pub id: ::prost::alloc::string::String,
    #[prost(message, required, tag = "2")]
    pub content: Request,
}
/// A response as sent by a worker
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct WorkerResponse {
    #[prost(string, required, tag = "1")]
    pub id: ::prost::alloc::string::String,
    #[prost(enumeration = "ResponseStatus", required, tag = "2")]
    pub status: i32,
    /// an associated message to detail failure, success or processing
    #[prost(string, required, tag = "3")]
    pub message: ::prost::alloc::string::String,
    #[prost(message, optional, tag = "4")]
    pub content: ::core::option::Option<ResponseContent>,
}
/// Apply, renew, or release a runtime cardinality lease on the metrics drain.
///
/// Leasing model: `sozu top` (and any future TUI client) leases a higher
/// `MetricDetail` for the duration of an interactive session. The worker's
/// effective detail is `max(configured, max(active leases))`, where
/// `configured` is `MetricsConfig.detail` from the static configuration.
/// Multiple clients can lease independently; the worker keeps a `client_id`-
/// keyed table and uses the maximum across active entries.
///
/// Lifecycle:
/// 1. Apply: send `SetMetricDetail{ client_id, detail, ttl_seconds, reason }`.
///    The worker stores `(client_id) -> (detail, expires_at = now + ttl)`. If
///    a lease for `client_id` already exists, it is REPLACED (acts as a
///    renewal). The renewer client is expected to re-send every `ttl/2`.
/// 2. Expire: leases self-expire server-side at `expires_at`. The worker's
///    janitor (5s polled tick at the top of `notify`) prunes expired leases
///    and recomputes effective. Crash safety: a dead client is forgotten.
/// 3. Clear: send `SetMetricDetail{ client_id, clear: true }` for explicit
///    revocation. `client_id` must match the leased entry; mismatched IDs
///    are silently ignored (other clients' leases are not affected).
///
/// Audit
/// =====
/// Every operator-initiated effective-level transition emits an
/// `EventKind::METRIC_DETAIL_CHANGED` event on `SubscribeEvents` with the
/// previous and new effective levels and the requesting `client_id` plus
/// optional `reason` text. Renewal-no-op (same effective level) is NOT
/// emitted.
///
/// Emitter scope: operator-initiated transitions emit
/// `METRIC_DETAIL_CHANGED` via the master-side audit log. Worker-local
/// transitions — the polled janitor expiring a lease, or a worker-local
/// clear/apply after a master fan-out — are not yet surfaced; follow-up
/// tracked separately.
///
/// Backwards compatibility
/// =======================
/// Workers that pre-date this verb cannot decode `SetMetricDetail` and return
/// `WorkerResponse::error("unknown request type")` which folds into the standard
/// fan-out error tally (`extras.fanout.workers_err`); operators see "succeeded
/// with errors" rather than a dedicated capability-skip list. Production
/// deployments keep master + workers in sync via the `UpgradeMain` hot-upgrade
/// flow, so this mixed-version state is transient. The master itself also
/// leases (mirroring the symmetric `setup_metrics` path) so the audit log has a
/// single canonical row when an operator flips detail across the fleet.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct SetMetricDetail {
    /// Stable identifier for the leasing client (`sozu top` uses
    /// `top:<pid>:<random>`). Required so multiple TUIs / scrapers / other
    /// tooling can lease independently.
    #[prost(string, required, tag = "1")]
    pub client_id: ::prost::alloc::string::String,
    /// Target detail for the lease. Required when `clear` is false/absent.
    #[prost(enumeration = "MetricDetail", optional, tag = "2")]
    pub detail: ::core::option::Option<i32>,
    /// Time-to-live for the lease in seconds. The worker rejects (FAILURE)
    /// values larger than 300s to bound the worst-case effect of a stuck
    /// renewer. Defaults server-side to 60s when absent (the master treats
    /// 0 as "use default" and emits a warning).
    #[prost(uint32, optional, tag = "3")]
    pub ttl_seconds: ::core::option::Option<u32>,
    /// When true, releases the lease for `client_id` instead of applying.
    /// `detail` and `ttl_seconds` are ignored when `clear` is true.
    #[prost(bool, optional, tag = "4")]
    pub clear: ::core::option::Option<bool>,
    /// Optional human-readable provenance for the audit log
    /// (e.g. `"sozu top --detail backend"`, `"prometheus-scraper:sozu-1"`).
    #[prost(string, optional, tag = "5")]
    pub reason: ::core::option::Option<::prost::alloc::string::String>,
    /// Master-populated peer binding. These fields are NOT set by clients —
    /// the master fills them in `bin/src/command/requests.rs::worker_request`
    /// from the connecting `ClientSession` (`actor_pid` + `session_ulid`)
    /// before forwarding to workers. The worker stores the binding
    /// alongside the lease and rejects subsequent `clear` requests whose
    /// binding does not match the apply-time binding. Prevents one same-UID
    /// operator from accidentally (or deliberately) clearing another
    /// operator's lease by guessing the `client_id` format. A `None` value
    /// means "binding not available" — the worker accepts any matching
    /// `client_id` clear, preserving compat with pre-binding callers and
    /// with platforms whose unix socket peer credentials are unavailable.
    #[prost(int32, optional, tag = "6")]
    pub peer_pid: ::core::option::Option<i32>,
    #[prost(string, optional, tag = "7")]
    pub peer_session_ulid: ::core::option::Option<::prost::alloc::string::String>,
}
/// Per-worker outcome of a `SetMetricDetail` fan-out. Reported back to the
/// requesting client so it can decide whether the elevation actually took
/// effect (e.g. all workers acknowledged) or whether degraded operation
/// (some workers too old) is in play.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct WorkerMetricDetailStatus {
    /// The worker's static `MetricsConfig.detail` (or DETAIL_CLUSTER if
    /// unset). Independent of leases.
    #[prost(enumeration = "MetricDetail", required, tag = "1")]
    pub configured: i32,
    /// Effective level AFTER processing this verb: `max(configured, leases)`.
    #[prost(enumeration = "MetricDetail", required, tag = "2")]
    pub effective: i32,
    /// Effective level BEFORE the verb. Equal to `effective` for a no-op.
    #[prost(enumeration = "MetricDetail", required, tag = "3")]
    pub previous_effective: i32,
    /// Number of active leases on this worker (post-prune). Useful to
    /// surface "another client is still leasing this level" in the TUI.
    #[prost(uint32, required, tag = "4")]
    pub active_lease_count: u32,
}
/// Aggregated `SetMetricDetail` outcome across the fleet. Returned by the
/// master to the requesting client (no `WorkerResponses` indirection needed
/// because the schema is symmetric per-worker).
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct MetricDetailStatus {
    /// The master's own `configured` view (mirrors a worker's view since the
    /// master also runs the metrics aggregator).
    #[prost(enumeration = "MetricDetail", required, tag = "1")]
    pub configured: i32,
    /// Master's effective level AFTER the verb.
    #[prost(enumeration = "MetricDetail", required, tag = "2")]
    pub effective: i32,
    /// Master's effective level BEFORE the verb.
    #[prost(enumeration = "MetricDetail", required, tag = "3")]
    pub previous_effective: i32,
    /// Per-worker status. Map keyed by worker_id (string form for parity
    /// with `WorkerResponses`).
    #[prost(btree_map = "string, message", tag = "4")]
    pub workers: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        WorkerMetricDetailStatus,
    >,
}
/// intended to workers
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ServerMetricsConfig {
    #[prost(string, required, tag = "1")]
    pub address: ::prost::alloc::string::String,
    #[prost(bool, required, tag = "2")]
    pub tagged_metrics: bool,
    #[prost(string, optional, tag = "3")]
    pub prefix: ::core::option::Option<::prost::alloc::string::String>,
    /// optional in proto: workers built before this field default to
    /// DETAIL_CLUSTER on the lib side to preserve historical behaviour.
    #[prost(enumeration = "MetricDetail", optional, tag = "4")]
    pub detail: ::core::option::Option<i32>,
}
/// Used by a worker to start its server loop.
/// The defaults should match those of the config module
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ServerConfig {
    #[prost(uint64, required, tag = "1", default = "10000")]
    pub max_connections: u64,
    #[prost(uint32, required, tag = "2", default = "60")]
    pub front_timeout: u32,
    #[prost(uint32, required, tag = "3", default = "30")]
    pub back_timeout: u32,
    #[prost(uint32, required, tag = "4", default = "3")]
    pub connect_timeout: u32,
    #[prost(uint32, required, tag = "5", default = "1800")]
    pub zombie_check_interval: u32,
    #[prost(uint32, required, tag = "6", default = "60")]
    pub accept_queue_timeout: u32,
    #[prost(uint64, required, tag = "7", default = "1")]
    pub min_buffers: u64,
    #[prost(uint64, required, tag = "8", default = "1000")]
    pub max_buffers: u64,
    #[prost(uint64, required, tag = "9", default = "16393")]
    pub buffer_size: u64,
    #[prost(string, required, tag = "10", default = "info")]
    pub log_level: ::prost::alloc::string::String,
    #[prost(string, required, tag = "11", default = "stdout")]
    pub log_target: ::prost::alloc::string::String,
    #[prost(string, optional, tag = "12")]
    pub access_logs_target: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(uint64, required, tag = "13", default = "1000000")]
    pub command_buffer_size: u64,
    #[prost(uint64, required, tag = "14", default = "2000000")]
    pub max_command_buffer_size: u64,
    #[prost(message, optional, tag = "15")]
    pub metrics: ::core::option::Option<ServerMetricsConfig>,
    #[prost(enumeration = "ProtobufAccessLogFormat", required, tag = "16")]
    pub access_log_format: i32,
    #[prost(bool, required, tag = "17")]
    pub log_colored: bool,
    /// Dedicated file path for the control-plane audit trail. When set on the
    /// main process, every audit line is also appended to this file opened
    /// `O_APPEND | O_CREAT` with mode `0o640`. Workers currently ignore this
    /// field (audit only lives on the main), but the field is propagated on
    /// the proto wire so a future worker-side audit path can pick it up.
    #[prost(string, optional, tag = "18")]
    pub audit_logs_target: ::core::option::Option<::prost::alloc::string::String>,
    /// Dedicated JSON mirror of the audit log. One JSON object per line for
    /// SIEM ingest. Same lifecycle as `audit_logs_target`.
    #[prost(string, optional, tag = "19")]
    pub audit_logs_json_target: ::core::option::Option<::prost::alloc::string::String>,
    /// Slab capacity multiplier per connection. Defaults to 4 to accommodate
    /// H2 multiplexing (1 frontend + up to 3 backend connections per
    /// frontend). Operators with topologies that fan out across more clusters
    /// per session can raise this; the slab capacity is computed as
    /// `10 + slab_entries_per_connection * max_connections`. Clamped to
    /// \[2, 32\] at config-load time. The previous compile-time constant was
    /// 4 and remains the default.
    #[prost(uint64, optional, tag = "20")]
    pub slab_entries_per_connection: ::core::option::Option<u64>,
    /// Maximum length, in bytes, of a base64-decoded `Authorization: Basic`
    /// payload accepted by `mux::auth`. Caps the per-failed-auth allocation
    /// so a hostile peer cannot force the worker to decode arbitrarily
    /// large tokens. RFC 7617 imposes no upper bound; the default is 4096
    /// (well above the realistic shape `username:password`). Operators on
    /// tight memory budgets can lower this to 256-512; values that approach
    /// the per-frontend `buffer_size` raise a warning at config-load time
    /// (see config.rs validation). Set once at worker boot via
    /// `mux::auth::set_max_decoded_credential_bytes`.
    #[prost(uint64, optional, tag = "21")]
    pub basic_auth_max_credential_bytes: ::core::option::Option<u64>,
    /// when the accept queue is full (max_connections reached), evict the
    /// least recently active sessions to make room for new connections.
    /// Defaults to false: during DDoS, existing connections are likely real clients.
    #[prost(bool, optional, tag = "22", default = "false")]
    pub evict_on_queue_full: ::core::option::Option<bool>,
    /// Default per-(cluster, source-IP) connection limit. `0` means unlimited
    /// (the default). When a request resolves to a cluster whose
    /// `(cluster_id, client_ip)` already holds this many concurrent
    /// connections, the proxy answers HTTP 429 (H1 + H2) or closes the TCP
    /// socket gracefully. Each cluster may override with its own
    /// `max_connections_per_ip`. The source IP is the proxy-protocol
    /// address when present, else `peer_addr`.
    #[prost(uint64, optional, tag = "23", default = "0")]
    pub max_connections_per_ip: ::core::option::Option<u64>,
    /// Default `Retry-After` header value (seconds) sent on HTTP 429
    /// responses. `0` omits the header (rendering `Retry-After: 0` invites
    /// an immediate retry that defeats the limit). Per-cluster overrides
    /// are available on the `Cluster` message. TCP rejections do not emit
    /// this value (no HTTP envelope), but it is still accepted in the
    /// proto/config shape for symmetry.
    #[prost(uint32, optional, tag = "24", default = "60")]
    pub retry_after: ::core::option::Option<u32>,
    /// Requested kernel-pipe capacity, in bytes, for each `splice(2)`
    /// zero-copy direction in the `Pipe` protocol. Applied via
    /// `fcntl(F_SETPIPE_SZ)` per pipe at `SplicePipe::new`; the kernel
    /// rounds up to a page boundary and caps the value at
    /// `/proc/sys/fs/pipe-max-size` (default 1 MiB for unprivileged
    /// processes; CAP_SYS_RESOURCE goes higher). The realised capacity
    /// is read back via `fcntl(F_GETPIPE_SZ)` and used as the per-call
    /// `len` for `splice_in`. `None` keeps the kernel default of 64 KiB.
    /// Larger values amortise syscalls and reduce wakeups for bulk-
    /// transfer workloads at the cost of per-session pinned memory.
    /// Linux-only; ignored on builds without the `splice` feature.
    #[prost(uint64, optional, tag = "25")]
    pub splice_pipe_capacity_bytes: ::core::option::Option<u64>,
}
/// Addresses of listeners, passed to new workers
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ListenersCount {
    /// socket addresses of HTTP listeners
    #[prost(string, repeated, tag = "1")]
    pub http: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// socket addresses of HTTPS listeners
    #[prost(string, repeated, tag = "2")]
    pub tls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// socket addresses of TCP listeners
    #[prost(string, repeated, tag = "3")]
    pub tcp: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// socket addresses of UDP listeners
    #[prost(string, repeated, tag = "4")]
    pub udp: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// the Sōzu state, passed to a new worker.
/// Consists in a collection of worker requests
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct InitialState {
    #[prost(message, repeated, tag = "1")]
    pub requests: ::prost::alloc::vec::Vec<WorkerRequest>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct OpenTelemetry {
    #[prost(string, required, tag = "1")]
    pub trace_id: ::prost::alloc::string::String,
    #[prost(string, required, tag = "2")]
    pub span_id: ::prost::alloc::string::String,
    #[prost(string, optional, tag = "3")]
    pub parent_span_id: ::core::option::Option<::prost::alloc::string::String>,
}
/// An access log, meant to be passed to another agent
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Hash, Eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ProtobufAccessLog {
    /// error message if any
    #[prost(string, optional, tag = "1")]
    pub message: ::core::option::Option<::prost::alloc::string::String>,
    /// LogContext = request_id + cluster_id + backend_id
    #[prost(message, required, tag = "2")]
    pub request_id: Uint128,
    /// id of the cluster (set of frontend, backend, routing rules)
    #[prost(string, optional, tag = "3")]
    pub cluster_id: ::core::option::Option<::prost::alloc::string::String>,
    /// id of the backend (the server to which the traffic is redirected)
    #[prost(string, optional, tag = "4")]
    pub backend_id: ::core::option::Option<::prost::alloc::string::String>,
    /// ip and port of the client
    #[prost(message, optional, tag = "5")]
    pub session_address: ::core::option::Option<SocketAddress>,
    /// socket address of the backend server
    #[prost(message, optional, tag = "6")]
    pub backend_address: ::core::option::Option<SocketAddress>,
    /// the protocol, with SSL/TLS version, for instance "HTTPS-TLS1.1"
    #[prost(string, required, tag = "7")]
    pub protocol: ::prost::alloc::string::String,
    /// TCP or HTTP endpoint (method, path, context...)
    #[prost(message, required, tag = "8")]
    pub endpoint: ProtobufEndpoint,
    /// round trip time for the client (microseconds)
    #[prost(uint64, optional, tag = "9")]
    pub client_rtt: ::core::option::Option<u64>,
    /// round trip time for the backend (microseconds)
    #[prost(uint64, optional, tag = "10")]
    pub server_rtt: ::core::option::Option<u64>,
    /// time spent on a session (microseconds)
    #[prost(uint64, required, tag = "13")]
    pub service_time: u64,
    /// number of bytes received from the client
    #[prost(uint64, required, tag = "14")]
    pub bytes_in: u64,
    /// number of bytes written to the client
    #[prost(uint64, required, tag = "15")]
    pub bytes_out: u64,
    /// value of the User-Agent header, if any
    #[prost(string, optional, tag = "16")]
    pub user_agent: ::core::option::Option<::prost::alloc::string::String>,
    /// custom tags as key-values, for instance owner_id: MyOrganisation
    #[prost(btree_map = "string, string", tag = "17")]
    pub tags: ::prost::alloc::collections::BTreeMap<
        ::prost::alloc::string::String,
        ::prost::alloc::string::String,
    >,
    /// short description of which process sends the log, for instance: "WRK-02"
    #[prost(string, required, tag = "18")]
    pub tag: ::prost::alloc::string::String,
    /// POSIX timestamp, nanoseconds
    #[prost(message, required, tag = "19")]
    pub time: Uint128,
    /// Entire time between first byte received and last byte of the response.
    /// If a request ends abruptly before the last byte is transmitted,
    /// the `request_time` produced is the time elapsed since the first byte received.
    #[prost(uint64, optional, tag = "20")]
    pub request_time: ::core::option::Option<u64>,
    /// time for the backend to respond (microseconds)
    #[prost(uint64, optional, tag = "21")]
    pub response_time: ::core::option::Option<u64>,
    /// OpenTelemetry tracing information
    #[prost(message, optional, tag = "22")]
    pub otel: ::core::option::Option<OpenTelemetry>,
    /// connection/session ULID — stable across all requests multiplexed on the
    /// same TCP or TLS connection. Distinct from `request_id`, which is set
    /// per-request (one per H2 stream, one per H1 keep-alive exchange).
    #[prost(message, optional, tag = "23")]
    pub session_id: ::core::option::Option<Uint128>,
    /// Value of the `x-request-id` header as forwarded to the backend —
    /// either preserved verbatim from the client/upstream LB, or derived from
    /// the request ULID when the client did not supply one. Universal
    /// correlation key for end-to-end tracing across Envoy/HAProxy/Sōzu hops.
    #[prost(string, optional, tag = "24")]
    pub x_request_id: ::core::option::Option<::prost::alloc::string::String>,
    /// Negotiated TLS protocol version, short-form (e.g. "TLSv1.3"). Captured
    /// once at handshake completion. `None` for plaintext listeners or when
    /// the rustls version label is unknown to Sōzu.
    #[prost(string, optional, tag = "25")]
    pub tls_version: ::core::option::Option<::prost::alloc::string::String>,
    /// Negotiated TLS cipher suite, short-form (e.g.
    /// "TLS_AES_128_GCM_SHA256"). Captured once at handshake completion.
    /// `None` for plaintext listeners or when the rustls cipher label is
    /// unknown to Sōzu.
    #[prost(string, optional, tag = "26")]
    pub tls_cipher: ::core::option::Option<::prost::alloc::string::String>,
    /// TLS Server Name Indication (SNI) sent by the client at handshake.
    /// Stored pre-lowercased without a port. `None` for plaintext listeners
    /// or when the client omitted the SNI extension.
    #[prost(string, optional, tag = "27")]
    pub tls_sni: ::core::option::Option<::prost::alloc::string::String>,
    /// Negotiated ALPN protocol, short-form (e.g. "h2", "http/1.1"). `None`
    /// for plaintext listeners or when no ALPN was negotiated.
    #[prost(string, optional, tag = "28")]
    pub tls_alpn: ::core::option::Option<::prost::alloc::string::String>,
    /// Verbatim value of the client-supplied `X-Forwarded-For` header as
    /// observed before Sōzu appended its own hop. Comma-separated chain of
    /// proxy hops (e.g. `"203.0.113.5, 198.51.100.10"`). `None` if no
    /// upstream proxy supplied the header.
    #[prost(string, optional, tag = "29")]
    pub xff_chain: ::core::option::Option<::prost::alloc::string::String>,
    /// Wall-clock timestamp (POSIX nanoseconds since epoch) captured at the
    /// start of the request. Enables accurate OTel span reconstruction
    /// without subtracting a monotonic `request_time` duration from the
    /// wall-clock `time` field — a computation that mixes two unsynchronised
    /// clock sources (CLOCK_MONOTONIC vs CLOCK_REALTIME) and produces
    /// unreliable start timestamps, especially for short-lived requests or
    /// across NTP adjustments. Optional for backwards compatibility.
    #[prost(message, optional, tag = "30")]
    pub start_time: ::core::option::Option<Uint128>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ProtobufEndpoint {
    #[prost(oneof = "protobuf_endpoint::Inner", tags = "1, 2")]
    pub inner: ::core::option::Option<protobuf_endpoint::Inner>,
}
/// Nested message and enum types in `ProtobufEndpoint`.
pub mod protobuf_endpoint {
    #[derive(::serde::Serialize, ::serde::Deserialize)]
    #[serde(rename_all = "SCREAMING_SNAKE_CASE")]
    #[derive(Ord, PartialOrd)]
    #[derive(Clone, PartialEq, Eq, Hash, ::prost::Oneof)]
    pub enum Inner {
        #[prost(message, tag = "1")]
        Http(super::HttpEndpoint),
        #[prost(message, tag = "2")]
        Tcp(super::TcpEndpoint),
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct HttpEndpoint {
    #[prost(string, optional, tag = "1")]
    pub method: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(string, optional, tag = "2")]
    pub authority: ::core::option::Option<::prost::alloc::string::String>,
    #[prost(string, optional, tag = "3")]
    pub path: ::core::option::Option<::prost::alloc::string::String>,
    /// warning: this should be a u16 but protobuf only has uint32.
    /// Make sure the value never exceeds u16 bounds.
    #[prost(uint32, optional, tag = "4")]
    pub status: ::core::option::Option<u32>,
    #[prost(string, optional, tag = "5")]
    pub reason: ::core::option::Option<::prost::alloc::string::String>,
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[derive(Ord, PartialOrd)]
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct TcpEndpoint {}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum ListenerType {
    Http = 0,
    Https = 1,
    Tcp = 2,
    Udp = 3,
}
impl ListenerType {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Http => "HTTP",
            Self::Https => "HTTPS",
            Self::Tcp => "TCP",
            Self::Udp => "UDP",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "HTTP" => Some(Self::Http),
            "HTTPS" => Some(Self::Https),
            "TCP" => Some(Self::Tcp),
            "UDP" => Some(Self::Udp),
            _ => None,
        }
    }
}
/// Frontend-level redirect policy. Mirrors HAProxy's
/// `http-request redirect|deny|auth` directives.
/// FORWARD routes to the backend (default).
/// PERMANENT returns 301 with a `Location` header derived from
/// `redirect_scheme`, optional `rewrite_*` fields, and `cluster.https_redirect_port`.
/// FOUND returns 302 — a temporary redirect (RFC 9110 §15.4.3); user agents may
/// rewrite POST to GET on follow.
/// PERMANENT_REDIRECT returns 308 — a permanent redirect (RFC 9110 §15.4.9); the
/// HTTP method MUST be preserved on follow (no GET-rewrite on POST).
/// UNAUTHORIZED returns 401 with `WWW-Authenticate: Basic realm=...`
/// using `cluster.www_authenticate`; suitable for blanket deny-by-default
/// routes that still want to surface a login prompt.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum RedirectPolicy {
    Forward = 0,
    Permanent = 1,
    Unauthorized = 2,
    Found = 3,
    PermanentRedirect = 4,
}
impl RedirectPolicy {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Forward => "FORWARD",
            Self::Permanent => "PERMANENT",
            Self::Unauthorized => "UNAUTHORIZED",
            Self::Found => "FOUND",
            Self::PermanentRedirect => "PERMANENT_REDIRECT",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "FORWARD" => Some(Self::Forward),
            "PERMANENT" => Some(Self::Permanent),
            "UNAUTHORIZED" => Some(Self::Unauthorized),
            "FOUND" => Some(Self::Found),
            "PERMANENT_REDIRECT" => Some(Self::PermanentRedirect),
            _ => None,
        }
    }
}
/// Scheme to use when building the `Location` header for a permanent redirect.
/// USE_SAME preserves the request scheme (default), USE_HTTP forces `<http://`,>
/// USE_HTTPS forces `<https://`.>
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum RedirectScheme {
    UseSame = 0,
    UseHttp = 1,
    UseHttps = 2,
}
impl RedirectScheme {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::UseSame => "USE_SAME",
            Self::UseHttp => "USE_HTTP",
            Self::UseHttps => "USE_HTTPS",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "USE_SAME" => Some(Self::UseSame),
            "USE_HTTP" => Some(Self::UseHttp),
            "USE_HTTPS" => Some(Self::UseHttps),
            _ => None,
        }
    }
}
/// Where a `Header` mutation applies. `BOTH` applies the same edit on the
/// request side (before backend connect) and the response side (before kawa
/// preparation). Mirrors HAProxy `http-request set-header` /
/// `http-response set-header` parity.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum HeaderPosition {
    /// Reserve 0 for the proto-default-encoded shape so a `Header` written
    /// by `..Default::default()` (or by an older client) deserialises into
    /// an explicit "unset" rather than failing `HeaderPosition::try_from(0)`.
    /// The runtime treats this as a hard config error and rejects the
    /// header rather than guessing a position.
    Unspecified = 0,
    Request = 1,
    Response = 2,
    Both = 3,
}
impl HeaderPosition {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Unspecified => "HEADER_POSITION_UNSPECIFIED",
            Self::Request => "REQUEST",
            Self::Response => "RESPONSE",
            Self::Both => "BOTH",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "HEADER_POSITION_UNSPECIFIED" => Some(Self::Unspecified),
            "REQUEST" => Some(Self::Request),
            "RESPONSE" => Some(Self::Response),
            "BOTH" => Some(Self::Both),
            _ => None,
        }
    }
}
/// The kind of filter used for path rules
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum PathRuleKind {
    /// filters paths that start with a pattern, typically "/api"
    Prefix = 0,
    /// filters paths that match a regex pattern
    Regex = 1,
    /// filters paths that exactly match a pattern, no more, no less
    Equals = 2,
}
impl PathRuleKind {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Prefix => "PREFIX",
            Self::Regex => "REGEX",
            Self::Equals => "EQUALS",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "PREFIX" => Some(Self::Prefix),
            "REGEX" => Some(Self::Regex),
            "EQUALS" => Some(Self::Equals),
            _ => None,
        }
    }
}
/// TODO: find a proper definition for this
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum RulePosition {
    Pre = 0,
    Post = 1,
    Tree = 2,
}
impl RulePosition {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Pre => "PRE",
            Self::Post => "POST",
            Self::Tree => "TREE",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "PRE" => Some(Self::Pre),
            "POST" => Some(Self::Post),
            "TREE" => Some(Self::Tree),
            _ => None,
        }
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum TlsVersion {
    SslV2 = 0,
    SslV3 = 1,
    TlsV10 = 2,
    TlsV11 = 3,
    TlsV12 = 4,
    TlsV13 = 5,
}
impl TlsVersion {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::SslV2 => "SSL_V2",
            Self::SslV3 => "SSL_V3",
            Self::TlsV10 => "TLS_V1_0",
            Self::TlsV11 => "TLS_V1_1",
            Self::TlsV12 => "TLS_V1_2",
            Self::TlsV13 => "TLS_V1_3",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "SSL_V2" => Some(Self::SslV2),
            "SSL_V3" => Some(Self::SslV3),
            "TLS_V1_0" => Some(Self::TlsV10),
            "TLS_V1_1" => Some(Self::TlsV11),
            "TLS_V1_2" => Some(Self::TlsV12),
            "TLS_V1_3" => Some(Self::TlsV13),
            _ => None,
        }
    }
}
/// How a UDP flow is keyed for backend affinity. SOURCE_IP keys on the
/// client source IP only (all ports from one client pin to one backend);
/// SOURCE_IP_PORT keys on the full 2-tuple (per-socket affinity).
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum UdpAffinityKey {
    SourceIp = 0,
    SourceIpPort = 1,
}
impl UdpAffinityKey {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::SourceIp => "SOURCE_IP",
            Self::SourceIpPort => "SOURCE_IP_PORT",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "SOURCE_IP" => Some(Self::SourceIp),
            "SOURCE_IP_PORT" => Some(Self::SourceIpPort),
            _ => None,
        }
    }
}
/// UDP backend health probe mode. HEALTH_OFF disables health checking;
/// TCP_PROBE opens a non-blocking TCP connection to a companion port;
/// UDP_PROBE sends an application datagram and waits for any reply.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum UdpHealthMode {
    HealthOff = 0,
    TcpProbe = 1,
    UdpProbe = 2,
}
impl UdpHealthMode {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::HealthOff => "HEALTH_OFF",
            Self::TcpProbe => "TCP_PROBE",
            Self::UdpProbe => "UDP_PROBE",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "HEALTH_OFF" => Some(Self::HealthOff),
            "TCP_PROBE" => Some(Self::TcpProbe),
            "UDP_PROBE" => Some(Self::UdpProbe),
            _ => None,
        }
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum LoadBalancingAlgorithms {
    RoundRobin = 0,
    Random = 1,
    LeastLoaded = 2,
    PowerOfTwo = 3,
    /// Highest-Random-Weight / rendezvous hashing — flow-affine backend
    /// selection for UDP. Maps a 4-tuple flow key to a backend that survives
    /// minimal disruption on backend add/remove.
    Hrw = 4,
    /// Maglev consistent hashing — precomputed lookup table for even, stable
    /// backend distribution across the flow keyspace.
    Maglev = 5,
}
impl LoadBalancingAlgorithms {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::RoundRobin => "ROUND_ROBIN",
            Self::Random => "RANDOM",
            Self::LeastLoaded => "LEAST_LOADED",
            Self::PowerOfTwo => "POWER_OF_TWO",
            Self::Hrw => "HRW",
            Self::Maglev => "MAGLEV",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "ROUND_ROBIN" => Some(Self::RoundRobin),
            "RANDOM" => Some(Self::Random),
            "LEAST_LOADED" => Some(Self::LeastLoaded),
            "POWER_OF_TWO" => Some(Self::PowerOfTwo),
            "HRW" => Some(Self::Hrw),
            "MAGLEV" => Some(Self::Maglev),
            _ => None,
        }
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum ProxyProtocolConfig {
    ExpectHeader = 0,
    SendHeader = 1,
    RelayHeader = 2,
}
impl ProxyProtocolConfig {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::ExpectHeader => "EXPECT_HEADER",
            Self::SendHeader => "SEND_HEADER",
            Self::RelayHeader => "RELAY_HEADER",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "EXPECT_HEADER" => Some(Self::ExpectHeader),
            "SEND_HEADER" => Some(Self::SendHeader),
            "RELAY_HEADER" => Some(Self::RelayHeader),
            _ => None,
        }
    }
}
/// how sozu measures which backend is less loaded
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum LoadMetric {
    /// number of TCP connections
    Connections = 0,
    /// number of active HTTP requests
    Requests = 1,
    /// time to connect to the backend, weighted by the number of active connections (peak EWMA)
    ConnectionTime = 2,
}
impl LoadMetric {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Connections => "CONNECTIONS",
            Self::Requests => "REQUESTS",
            Self::ConnectionTime => "CONNECTION_TIME",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "CONNECTIONS" => Some(Self::Connections),
            "REQUESTS" => Some(Self::Requests),
            "CONNECTION_TIME" => Some(Self::ConnectionTime),
            _ => None,
        }
    }
}
/// options to configure metrics collection
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum MetricsConfiguration {
    /// enable metrics collection
    Enabled = 0,
    /// disable metrics collection
    Disabled = 1,
    /// wipe the metrics memory
    Clear = 2,
}
impl MetricsConfiguration {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Enabled => "ENABLED",
            Self::Disabled => "DISABLED",
            Self::Clear => "CLEAR",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "ENABLED" => Some(Self::Enabled),
            "DISABLED" => Some(Self::Disabled),
            "CLEAR" => Some(Self::Clear),
            _ => None,
        }
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum EventKind {
    BackendDown = 0,
    BackendUp = 1,
    NoAvailableBackends = 2,
    RemovedBackendHasNoConnections = 3,
    /// Control-plane mutation events (audit trail).
    /// Emitted by the main process to clients subscribed via SubscribeEvents.
    /// The Event.cluster_id / backend_id / address fields are populated when
    /// they are meaningful for the verb (e.g. address for listener verbs,
    /// cluster_id for cluster/frontend verbs). Backend events keep their
    /// historical numeric tags 0..3.
    ClusterAdded = 4,
    ClusterRemoved = 5,
    FrontendAdded = 6,
    FrontendRemoved = 7,
    CertificateAdded = 8,
    CertificateRemoved = 9,
    CertificateReplaced = 10,
    ListenerActivated = 11,
    ListenerDeactivated = 12,
    ConfigurationReloaded = 13,
    WorkerKilled = 14,
    WorkerRelaunched = 15,
    LoggingLevelChanged = 16,
    MetricsConfigured = 17,
    /// A listener's configuration was patched in place via UpdateHttp/Https/TcpListenerConfig
    ListenerUpdated = 18,
    /// A saved state file was loaded (batch state replay via LoadState request).
    /// Emitted once at task completion; `target=file:<path>` and `result=ok|err`
    /// with the ok/err request counts encoded in `target`.
    StateLoaded = 19,
    /// A snapshot of the current state was written to disk via SaveState.
    StateSaved = 20,
    /// A new listener was added to the config (AddHttp/Https/TcpListener).
    /// Distinct from LISTENER_ACTIVATED (binds the socket) — ADDED just
    /// creates the listener's in-memory definition.
    ListenerAdded = 21,
    /// A listener's in-memory definition was removed (RemoveListener).
    /// Distinct from LISTENER_DEACTIVATED (unbinds the socket) — REMOVED
    /// drops the whole listener from the state.
    ListenerRemoved = 22,
    /// A stop request was accepted (SoftStop / HardStop).
    /// `target=stop:soft` or `stop:hard` — distinguishes drain-then-stop from
    /// immediate-abort on the audit trail.
    SozuStopRequested = 23,
    /// The main process started a re-exec upgrade (UpgradeMain).
    MainUpgraded = 24,
    /// A worker was re-launched (UpgradeWorker).
    WorkerUpgraded = 25,
    /// A client subscribed to the SubscribeEvents bus — privileged because
    /// subscribers observe every control-plane mutation.
    EventsSubscribed = 26,
    /// Backend health-check transitioned to healthy after consecutive successes.
    /// Tags 0..3 are the historical backend-state events; 4..26 carry the
    /// control-plane mutation events (cluster, frontend, certificate,
    /// listener, worker, configuration, metrics, state, stop, upgrade,
    /// events). Backend health-check transitions therefore start at 27.
    HealthCheckHealthy = 27,
    /// Backend health-check transitioned to unhealthy after consecutive failures.
    HealthCheckUnhealthy = 28,
    /// Cluster transitioned from "all backends down" back to "at least one
    /// backend available". Pairs with `NoAvailableBackends` (tag 2) so
    /// dashboards can plot per-cluster recovery.
    ClusterRecovered = 29,
    /// The worker's effective `MetricDetail` changed because a runtime
    /// lease was applied, renewed, expired, or cleared. Pairs with
    /// `MetricsConfigured` (tag 17) but distinct: that one fires for
    /// `MetricsConfiguration` (Enabled/Disabled/Clear), this one fires
    /// for cardinality changes.
    ///
    /// Emitter scope: operator-initiated transitions emit
    /// `METRIC_DETAIL_CHANGED` via the master-side audit log (see
    /// `bin/src/command/requests.rs` around the `SetMetricDetail`
    /// success path). Worker-local transitions — the polled janitor
    /// expiring a lease, or a worker-local clear/apply after a master
    /// fan-out — are not yet surfaced because the worker has no direct
    /// IPC path to the master's audit sink; follow-up tracked separately.
    MetricDetailChanged = 30,
}
impl EventKind {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::BackendDown => "BACKEND_DOWN",
            Self::BackendUp => "BACKEND_UP",
            Self::NoAvailableBackends => "NO_AVAILABLE_BACKENDS",
            Self::RemovedBackendHasNoConnections => "REMOVED_BACKEND_HAS_NO_CONNECTIONS",
            Self::ClusterAdded => "CLUSTER_ADDED",
            Self::ClusterRemoved => "CLUSTER_REMOVED",
            Self::FrontendAdded => "FRONTEND_ADDED",
            Self::FrontendRemoved => "FRONTEND_REMOVED",
            Self::CertificateAdded => "CERTIFICATE_ADDED",
            Self::CertificateRemoved => "CERTIFICATE_REMOVED",
            Self::CertificateReplaced => "CERTIFICATE_REPLACED",
            Self::ListenerActivated => "LISTENER_ACTIVATED",
            Self::ListenerDeactivated => "LISTENER_DEACTIVATED",
            Self::ConfigurationReloaded => "CONFIGURATION_RELOADED",
            Self::WorkerKilled => "WORKER_KILLED",
            Self::WorkerRelaunched => "WORKER_RELAUNCHED",
            Self::LoggingLevelChanged => "LOGGING_LEVEL_CHANGED",
            Self::MetricsConfigured => "METRICS_CONFIGURED",
            Self::ListenerUpdated => "LISTENER_UPDATED",
            Self::StateLoaded => "STATE_LOADED",
            Self::StateSaved => "STATE_SAVED",
            Self::ListenerAdded => "LISTENER_ADDED",
            Self::ListenerRemoved => "LISTENER_REMOVED",
            Self::SozuStopRequested => "SOZU_STOP_REQUESTED",
            Self::MainUpgraded => "MAIN_UPGRADED",
            Self::WorkerUpgraded => "WORKER_UPGRADED",
            Self::EventsSubscribed => "EVENTS_SUBSCRIBED",
            Self::HealthCheckHealthy => "HEALTH_CHECK_HEALTHY",
            Self::HealthCheckUnhealthy => "HEALTH_CHECK_UNHEALTHY",
            Self::ClusterRecovered => "CLUSTER_RECOVERED",
            Self::MetricDetailChanged => "METRIC_DETAIL_CHANGED",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "BACKEND_DOWN" => Some(Self::BackendDown),
            "BACKEND_UP" => Some(Self::BackendUp),
            "NO_AVAILABLE_BACKENDS" => Some(Self::NoAvailableBackends),
            "REMOVED_BACKEND_HAS_NO_CONNECTIONS" => {
                Some(Self::RemovedBackendHasNoConnections)
            }
            "CLUSTER_ADDED" => Some(Self::ClusterAdded),
            "CLUSTER_REMOVED" => Some(Self::ClusterRemoved),
            "FRONTEND_ADDED" => Some(Self::FrontendAdded),
            "FRONTEND_REMOVED" => Some(Self::FrontendRemoved),
            "CERTIFICATE_ADDED" => Some(Self::CertificateAdded),
            "CERTIFICATE_REMOVED" => Some(Self::CertificateRemoved),
            "CERTIFICATE_REPLACED" => Some(Self::CertificateReplaced),
            "LISTENER_ACTIVATED" => Some(Self::ListenerActivated),
            "LISTENER_DEACTIVATED" => Some(Self::ListenerDeactivated),
            "CONFIGURATION_RELOADED" => Some(Self::ConfigurationReloaded),
            "WORKER_KILLED" => Some(Self::WorkerKilled),
            "WORKER_RELAUNCHED" => Some(Self::WorkerRelaunched),
            "LOGGING_LEVEL_CHANGED" => Some(Self::LoggingLevelChanged),
            "METRICS_CONFIGURED" => Some(Self::MetricsConfigured),
            "LISTENER_UPDATED" => Some(Self::ListenerUpdated),
            "STATE_LOADED" => Some(Self::StateLoaded),
            "STATE_SAVED" => Some(Self::StateSaved),
            "LISTENER_ADDED" => Some(Self::ListenerAdded),
            "LISTENER_REMOVED" => Some(Self::ListenerRemoved),
            "SOZU_STOP_REQUESTED" => Some(Self::SozuStopRequested),
            "MAIN_UPGRADED" => Some(Self::MainUpgraded),
            "WORKER_UPGRADED" => Some(Self::WorkerUpgraded),
            "EVENTS_SUBSCRIBED" => Some(Self::EventsSubscribed),
            "HEALTH_CHECK_HEALTHY" => Some(Self::HealthCheckHealthy),
            "HEALTH_CHECK_UNHEALTHY" => Some(Self::HealthCheckUnhealthy),
            "CLUSTER_RECOVERED" => Some(Self::ClusterRecovered),
            "METRIC_DETAIL_CHANGED" => Some(Self::MetricDetailChanged),
            _ => None,
        }
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum ResponseStatus {
    Ok = 0,
    Processing = 1,
    Failure = 2,
}
impl ResponseStatus {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Ok => "OK",
            Self::Processing => "PROCESSING",
            Self::Failure => "FAILURE",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "OK" => Some(Self::Ok),
            "PROCESSING" => Some(Self::Processing),
            "FAILURE" => Some(Self::Failure),
            _ => None,
        }
    }
}
/// Runstate of a worker
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum RunState {
    Running = 0,
    Stopping = 1,
    Stopped = 2,
    NotAnswering = 3,
}
impl RunState {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Running => "RUNNING",
            Self::Stopping => "STOPPING",
            Self::Stopped => "STOPPED",
            Self::NotAnswering => "NOT_ANSWERING",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "RUNNING" => Some(Self::Running),
            "STOPPING" => Some(Self::Stopping),
            "STOPPED" => Some(Self::Stopped),
            "NOT_ANSWERING" => Some(Self::NotAnswering),
            _ => None,
        }
    }
}
/// label-cardinality knob for the metrics drain.
/// Mirrors HAProxy's `process|frontend|backend|server` extra-counters opt-in:
/// a higher level enables more granular labels (and thus more keys), letting
/// operators bound the StatsD keyspace explicitly.
///
/// Each level is a SUPERSET of the previous one.
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum MetricDetail {
    /// proxy-only counters (legacy default before opt-in landed)
    DetailProcess = 0,
    /// adds per-listener (frontend) breakdown for accept/connection counters
    DetailFrontend = 1,
    /// adds per-cluster aggregation (current default)
    DetailCluster = 2,
    /// adds per-backend aggregation (cluster + backend, highest cardinality)
    DetailBackend = 3,
}
impl MetricDetail {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::DetailProcess => "DETAIL_PROCESS",
            Self::DetailFrontend => "DETAIL_FRONTEND",
            Self::DetailCluster => "DETAIL_CLUSTER",
            Self::DetailBackend => "DETAIL_BACKEND",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "DETAIL_PROCESS" => Some(Self::DetailProcess),
            "DETAIL_FRONTEND" => Some(Self::DetailFrontend),
            "DETAIL_CLUSTER" => Some(Self::DetailCluster),
            "DETAIL_BACKEND" => Some(Self::DetailBackend),
            _ => None,
        }
    }
}
#[derive(::serde::Serialize, ::serde::Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
#[repr(i32)]
pub enum ProtobufAccessLogFormat {
    Ascii = 1,
    Protobuf = 2,
}
impl ProtobufAccessLogFormat {
    /// String value of the enum field names used in the ProtoBuf definition.
    ///
    /// The values are not transformed in any way and thus are considered stable
    /// (if the ProtoBuf definition does not change) and safe for programmatic use.
    pub fn as_str_name(&self) -> &'static str {
        match self {
            Self::Ascii => "Ascii",
            Self::Protobuf => "Protobuf",
        }
    }
    /// Creates an enum from field names used in the ProtoBuf definition.
    pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
        match value {
            "Ascii" => Some(Self::Ascii),
            "Protobuf" => Some(Self::Protobuf),
            _ => None,
        }
    }
}