Module rule 

Structs

ClientAuthConfig

Per-rule mTLS config block, parsed from the tls.client_auth JSON. mode == None is operator-explicit “don’t request a cert”; the trust store must be absent there. mode == Request | Require requires a non-empty trust_store.

ClientTrustStoreConfig

Per-rule trust store config for verifying client certs. At least one of ca_paths / ca_dir must be present (enforced at compile).

ListenerTlsSpec

Per-listener cert pool — produced by compile/lower from every rule on the bind address that carries a tls block, after hash-consing identical entries and rejecting conflicts.

ManagedSpec

ACME-managed cert spec — operator-supplied, parsed verbatim from tls.managed per spec/crates/engine-acme.md § Configuration schema.

MiddlewareRef

RawRule

SourceInfo

SynthResponse

TerminateSpec

TlsConfig

Listener-side TLS termination config — paths to the cert chain + private key in PEM, plus an optional SNI hostname this cert serves.

Enums

ChallengeKind

ClientAuthMode

Three-valued client-auth mode (no implicit default per spec).

ClientAuthSpec

Listener-level resolved mTLS policy. Built by the lower pass from the union of per-rule ClientAuthConfig blocks; rules on the same listener must all agree.

CrlFetchFailure

CRL availability policy (per spec/crates/engine-tls.md § CRL).

CrlSourceConfig

One CRL source entry — file or URL, with a per-source fetch_failure policy. Bytes are owned by the daemon-wide CRL cache (vane_engine::tls::CrlCache); this struct only carries the parsed schema.

ManagedKeyType

OnErrorSpec

Type Aliases

ListenSpec