Skip to main content

Module config

Module config 

Source
Expand description

External configuration loading: path resolution + load → parse → validate.

Precedence for the config path (most explicit/ephemeral first):

  1. CLI flag --config <path> / --config=<path> — per-invocation intent.
  2. env var WAF_CONFIG — deployment-level (container/systemd/CI).
  3. default config.toml — last resort.

A missing file is ALWAYS fatal: a WAF must never start with implicit config (empty trusted_proxies, rate limit off, untuned thresholds) — the “looks-protected-but-isn’t” failure mode. Errors print to stderr and the process exits non-zero; we never start partially configured.

parse_and_validate (parse + semantic Config::validate) is the fs/CLI-free core, reused by hot reload (Pillar 3).

Enums§

LoadError
Why loading the configuration failed. Each variant maps to a distinct operator diagnosis (file vs syntax vs semantics).

Constants§

DEFAULT_CONFIG_PATH
ENV_CONFIG

Functions§

load
Full load pipeline: read file (missing → fatal) → parse → validate.
parse_and_validate
Parse + validate a TOML string. fs/CLI-free, so hot reload can reuse it.
resolve_path
Resolve the config path by precedence: CLI flag > env var > default. args are the process args WITHOUT the program name; env is WAF_CONFIG.