Struct Env 

pub struct Env {

    pub wasm_dir: PathBuf,
    pub log_level: String,
    pub bind_ipv4: bool,
    pub bind_ipv6: bool,
    pub sec_max_header_bytes: u32,
    pub sec_max_headers_count: u32,
    pub sec_header_timeout_secs: u32,
    pub sec_max_conn_per_ip: u32,
    pub sec_max_total_conns: u32,
    pub bind_max_attempts: u32,
    pub bind_backoff_initial_ms: u32,
    pub bind_backoff_max_ms: u32,
    pub force_cancel_grace_secs: u32,
    pub drain_timeout_secs: u32,
    pub boot_health_timeout_secs: u32,
    pub mgmt_unix: PathBuf,
    pub mgmt_http_port: Option<u16>,
    pub mgmt_http_public: bool,
    pub mgmt_http_token: Option<String>,
    pub native_roots_refresh_interval_secs: u32,
    pub allow_insecure_upstream: bool,
}

Typed snapshot of every VANE_* deployment constant the daemon reads at startup. Defaults match spec/crates/core.md § Config layers.

config_dir is not modeled as a field — the daemon’s --config CLI arg is the single source of truth, and Env::from_reader takes that path explicitly so derived defaults (wasm_dir) follow it without an extra env var to keep in sync.

Fields

wasm_dir: PathBuf

VANE_WASM_DIR — WASM plugin source directory scanned at boot. Defaults to <config_dir>/wasm where config_dir is the daemon’s --config argument. See spec/crates/engine-wasm.md § Module lifecycle.

log_level: String

VANE_LOG_LEVEL — tracing-subscriber filter directive (default "info"). Honors the same syntax as RUST_LOG (per-target overrides like vane=debug,hyper=warn). The process env RUST_LOG, when set, takes precedence so operators can override the file value ad-hoc.

bind_ipv4: bool

VANE_BIND_IPV4 — listen on 0.0.0.0 for :N listen specs (default true).

bind_ipv6: bool

VANE_BIND_IPV6 — listen on [::] for :N listen specs (default true).

sec_max_header_bytes: u32

VANE_SEC_MAX_HEADER_BYTES — request-header size cap (default 65536).

sec_max_headers_count: u32

VANE_SEC_MAX_HEADERS_COUNT — request-header count cap (default 100).

sec_header_timeout_secs: u32

VANE_SEC_HEADER_TIMEOUT — header-completion timeout, seconds (default 30).

sec_max_conn_per_ip: u32

VANE_SEC_MAX_CONN_PER_IP — per-IP concurrent-connection cap (default 100).

sec_max_total_conns: u32

VANE_SEC_MAX_TOTAL_CONNS — daemon-wide concurrent-connection cap (default 65536).

bind_max_attempts: u32

VANE_BIND_MAX_ATTEMPTS — bind-retry count per listener address (default 10).

bind_backoff_initial_ms: u32

VANE_BIND_BACKOFF_INITIAL_MS — initial retry backoff in milliseconds (default 100).

bind_backoff_max_ms: u32

VANE_BIND_BACKOFF_MAX_MS — retry backoff cap in milliseconds (default 5000).

force_cancel_grace_secs: u32

VANE_FORCE_CANCEL_GRACE_SECS — secondary grace window after force_cancel fires, seconds (default 5). Applies to both SIGTERM drain and removed-listener reconcile.

drain_timeout_secs: u32

VANE_DRAIN_TIMEOUT_SECS — in-flight connection drain budget for reload and SIGTERM, seconds (default 30).

boot_health_timeout_secs: u32

VANE_BOOT_HEALTH_TIMEOUT_SECS — budget for all listeners to flip bind_ready, seconds (default 60). Partial bind (some bound, some failed) stays a warn.

mgmt_unix: PathBuf

VANE_MGMT_UNIX — management Unix socket path. Defaults to $XDG_RUNTIME_DIR/vaned.sock when that env var is set, then to /run/vaned.sock. /tmp/... is intentionally not the default: it’s world-writable and survives reboots, both of which make it the wrong place for a privileged control socket.

mgmt_http_port: Option<u16>

VANE_MGMT_HTTP_PORT — TCP port for the HTTP management transport. Some(3333) by default; an explicit empty string disables the transport (None). Matches spec/crates/core.md § Config layers.

mgmt_http_public: bool

VANE_MGMT_HTTP_PUBLIC — when truthy, bind the HTTP management port on the wildcard address (0.0.0.0 / [::]). When falsy (default), bind on loopback. Mandatory pairing with mgmt_http_token is enforced at daemon boot, not here.

mgmt_http_token: Option<String>

VANE_MGMT_HTTP_TOKEN — bearer token for the HTTP management transport (None when unset or empty string).

native_roots_refresh_interval_secs: u32

VANE_NATIVE_ROOTS_REFRESH_INTERVAL_SECS — cadence at which the daemon re-reads the OS native trust store, in seconds (default 21 600 = 6h). The refresh is non-blocking; failures preserve the previous snapshot and emit a warn. Operators who want a one-shot refresh use the reload_native_roots mgmt verb instead.

allow_insecure_upstream: bool

VANE_ALLOW_INSECURE_UPSTREAM — master gate for the per-upstream tls.insecure_skip_verify: true knob. Falsy (default) makes the parser reject any config that sets the flag, so an accidental insecure_skip_verify: true left in a production rules file fails the reload instead of silently disabling cert verification. Truthy values authorise the per-upstream override; the per-upstream flag still has to be set explicitly — the env var alone never weakens verification.

Implementations

impl Env

pub fn from_process_env(config_dir: &Path) -> Result<Self, Error>

Read from the actual process environment.

config_dir is the daemon’s resolved --config path; it is the basis for wasm_dir’s default when VANE_WASM_DIR is unset.

Errors

Returns Error::compile when any VANE_* value fails its type-specific parse (bool, u32, port).

pub fn from_reader<R: EnvReader>( r: &R, config_dir: &Path, ) -> Result<Self, Error>

Read from any EnvReader. Primary entry point for unit tests.

Errors

As Self::from_process_env.

Trait Implementations

impl Clone for Env

fn clone(&self) -> Env

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Env

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for Env

fn eq(&self, other: &Env) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for Env

impl StructuralPartialEq for Env