Skip to main content

Module config

Module config 

Source
Expand description

Top-level application config knobs that don’t fit naturally into any single middleware-scoped config struct.

The historical tensor-wasm-api pattern co-locates configuration with the middleware it parametrises (see crate::middleware::AuthConfig, crate::middleware::TenantConfig, crate::rate_limit::RateLimitConfig, crate::audit::AuditConfig). That works fine for knobs that flow into exactly one layer, but breaks down for cross-cutting concerns whose consumer spans more than one route — e.g. the snapshot HMAC key, which is parsed at server startup and consumed by the /snapshot/save and /snapshot/restore route handlers.

This module hosts that small set of cross-cutting knobs as AppConfig, keeping the env-var schema in one place.

§Env-var schema

Both variables below are LIVE (M5). They are parsed and validated at startup by AppConfig::from_env, which crate::server::build_router now calls and threads onto the shared crate::routes::AppState (via AppState::with_app_config). The /snapshot/save and /snapshot/restore routes consume the resulting AppConfig to sign and verify snapshot blobs.

VariableFormatDefaultMeaning
TENSOR_WASM_API_SNAPSHOT_HMAC_KEYhex (64 chars)unset/snapshot/save HMAC-SHA256-signs the returned blob and /snapshot/restore verifies it. Unset ⇒ both routes return 503 snapshot_signing_not_configured. Malformed values are a hard startup error.
TENSOR_WASM_API_SNAPSHOT_REQUIRE_SIGNATUREtrue/falsefalseStrict-restore posture: refuse unsigned (v2) snapshots. /snapshot/restore enforces signature verification unconditionally as its hardened default; this knob is the operator surface for that posture.

§Status

The /snapshot/save and /snapshot/restore HTTP routes are wired into crate::server::build_router, which reads AppConfig::from_env at startup and installs it on the crate::routes::AppState. The key is therefore a live knob at runtime (closes finding M5): with it set, save returns a signed blob and restore verifies the HMAC; with it unset, both routes report 503 snapshot_signing_not_configured. A malformed key / toggle is a hard startup failure (build_router panics) — the gateway refuses to come up serving snapshot routes under a misconfigured signing key rather than silently downgrading restore integrity.

Structs§

AppConfig
Top-level configuration knobs read from the process environment at server startup.

Enums§

ConfigError
Errors returned by AppConfig::from_env for malformed values.
HexParseReason
Specific reason a hex-encoded key failed to parse.

Constants§

ENV_SNAPSHOT_HMAC_KEY
Environment variable carrying the hex-encoded HMAC-SHA256 key used for signing and verifying snapshot blobs.
ENV_SNAPSHOT_REQUIRE_SIGNATURE
Environment variable selecting the strict-restore posture: when set to true (case-insensitive) snapshot restore refuses v2 (unsigned) snapshots. Defaults to false.
SNAPSHOT_HMAC_KEY_LEN
Byte length of the HMAC-SHA256 key. Fixed by the algorithm.