Expand description
Top-level application config knobs that don’t fit naturally into any single middleware-scoped config struct.
The historical tensor-wasm-api pattern co-locates configuration with
the middleware it parametrises (see
crate::middleware::AuthConfig, crate::middleware::TenantConfig,
crate::rate_limit::RateLimitConfig, crate::audit::AuditConfig).
That works fine for knobs that flow into exactly one layer, but breaks
down for cross-cutting concerns whose consumer spans more than one
route — e.g. the snapshot HMAC key, which is parsed at server startup
and consumed by the /snapshot/save and /snapshot/restore route
handlers.
This module hosts that small set of cross-cutting knobs as
AppConfig, keeping the env-var schema in one place.
§Env-var schema
Both variables below are LIVE (M5). They are parsed and validated
at startup by AppConfig::from_env, which
crate::server::build_router now calls and threads onto the shared
crate::routes::AppState (via AppState::with_app_config). The
/snapshot/save and /snapshot/restore routes consume the resulting
AppConfig to sign and verify snapshot blobs.
| Variable | Format | Default | Meaning |
|---|---|---|---|
TENSOR_WASM_API_SNAPSHOT_HMAC_KEY | hex (64 chars) | unset | /snapshot/save HMAC-SHA256-signs the returned blob and /snapshot/restore verifies it. Unset ⇒ both routes return 503 snapshot_signing_not_configured. Malformed values are a hard startup error. |
TENSOR_WASM_API_SNAPSHOT_REQUIRE_SIGNATURE | true/false | false | Strict-restore posture: refuse unsigned (v2) snapshots. /snapshot/restore enforces signature verification unconditionally as its hardened default; this knob is the operator surface for that posture. |
§Status
The /snapshot/save and /snapshot/restore HTTP routes are wired into
crate::server::build_router, which reads
AppConfig::from_env at startup and installs it on the
crate::routes::AppState. The key is therefore a live knob at
runtime (closes finding M5): with it set, save returns a signed blob
and restore verifies the HMAC; with it unset, both routes report
503 snapshot_signing_not_configured. A malformed key / toggle is a
hard startup failure (build_router panics) — the gateway refuses to
come up serving snapshot routes under a misconfigured signing key
rather than silently downgrading restore integrity.
Structs§
- AppConfig
- Top-level configuration knobs read from the process environment at server startup.
Enums§
- Config
Error - Errors returned by
AppConfig::from_envfor malformed values. - HexParse
Reason - Specific reason a hex-encoded key failed to parse.
Constants§
- ENV_
SNAPSHOT_ HMAC_ KEY - Environment variable carrying the hex-encoded HMAC-SHA256 key used for signing and verifying snapshot blobs.
- ENV_
SNAPSHOT_ REQUIRE_ SIGNATURE - Environment variable selecting the strict-restore posture: when set to
true(case-insensitive) snapshot restore refuses v2 (unsigned) snapshots. Defaults tofalse. - SNAPSHOT_
HMAC_ KEY_ LEN - Byte length of the HMAC-SHA256 key. Fixed by the algorithm.