Expand description
External configuration loading: path resolution + load → parse → validate.
Precedence for the config path (most explicit/ephemeral first):
- CLI flag
--config <path>/--config=<path>— per-invocation intent. - env var
WAF_CONFIG— deployment-level (container/systemd/CI). - default
config.toml— last resort.
A missing file is ALWAYS fatal: a WAF must never start with implicit config (empty trusted_proxies, rate limit off, untuned thresholds) — the “looks-protected-but-isn’t” failure mode. Errors print to stderr and the process exits non-zero; we never start partially configured.
parse_and_validate (parse + semantic Config::validate) is the fs/CLI-free
core, reused by hot reload (Pillar 3).
Enums§
- Load
Error - Why loading the configuration failed. Each variant maps to a distinct operator diagnosis (file vs syntax vs semantics).
Constants§
Functions§
- load
- Full load pipeline: read file (missing → fatal) → parse → validate.
- parse_
and_ validate - Parse + validate a TOML string. fs/CLI-free, so hot reload can reuse it.
- resolve_
path - Resolve the config path by precedence: CLI flag > env var > default.
argsare the process args WITHOUT the program name;envisWAF_CONFIG.