Skip to main content

Config reference

Single-page reference for the gateway's YAML config β€” every key the parser accepts today, with type, requirement, and a short description. The spec at ../initial-idea/08-config.md covers intended shape (including sections like gateway: / auth: / logging: that the parser doesn't enforce yet); this page is what the binary actually checks at boot.

Boot-time validation (issue #16):

  • Unknown keys inside servers[].*, databases[].*, permissions[].*, grants[].*, and constraints.* are errors with a line:column pointer and the list of expected fields. A typo like statemnt_timeout_ms aborts startup rather than silently dropping the constraint.
  • Unknown keys at the top level (gateway:, auth:, logging:, …) are ignored for now β€” strictness there waits on the envβ†’YAML unification.
  • Every ${ENV:…} / ${FILE:…} ref must resolve cleanly; unresolved refs abort startup (issue #15).

Top level​

KeyTypeRequiredNotes
serverslist of Serverno (defaults [])Target DBs the gateway can dispatch to.
permissionslist of Permissionno (defaults [])Group→grant mapping. Empty list means no caller can reach anything.
adminAdminno/admin/v1/* surface gating β€” see admin-api.md.
permissions_storePermissionsStorenoStorage backend for users/databases/grants. Absent β†’ state DB (pg).

Other top-level keys (gateway:, auth:, logging:) are accepted for forward-compat with the full spec but not parsed. Their settings come from environment variables today β€” see .env.example.

Server​

#[serde(deny_unknown_fields)] β€” unknown keys here are boot errors.

KeyTypeRequiredDefaultNotes
namestringyesβ€”Stable identifier used in grants, audit, and list_servers.
kindpostgres | mongo | mysql | mssqlyesβ€”postgres and mongo work today (#56–#58); mysql / mssql parse but abort on first dispatch with UnsupportedAdapter.
hoststringyesβ€”DNS or IP of the target DB.
portu16no5432
tlsrequired | insecurenorequiredinsecure logs a warning every minute when used in prod.
descriptionstringno""Human-readable purpose; surfaced by list_servers.
databaseslist of Databaseno[]Per-DB definitions.

Database​

#[serde(deny_unknown_fields)] β€” unknown keys here are boot errors.

KeyTypeRequiredDefaultNotes
namestringyesβ€”DB name on the target server.
rolestringyesβ€”Postgres role / mongo username (^[A-Za-z_][A-Za-z0-9_]*$). Typo here is caught at boot.
passwordsecret refyesβ€”${ENV:…} / ${FILE:…} / vault:… / aws-sm:… / gcp-sm:… / inline literal.
descriptionstringno""
auth_databasestringnoNone (falls back to name)Mongo authSource. Set to "admin" when the role lives outside the target DB (container-bootstrapped users). Empty/whitespace is a boot error β€” omit to fall back. Ignored by pg. See multi-db.md.

Spec also defines sql_capture and pool: on Database. Those aren't enforced yet β€” they're commented out in config/example.yaml so the parser doesn't reject them. Will land when the relevant features ship.

Permission​

#[serde(deny_unknown_fields)].

KeyTypeRequiredDefaultNotes
groupstringyesβ€”Group claim from the IdP token (e.g. engineers, oncall).
grantslist of Grantno[]Empty means the group is recognized but grants nothing.

Admin​

#[serde(deny_unknown_fields)]. Gates the /admin/v1/* surface β€” full reference at admin-api.md.

KeyTypeRequiredDefaultNotes
enabledboolnofalseWhen false (or admin: absent), /admin/* returns 404 β€” the route never mounts.
groupstringyes when enabled: trueβ€”SSO group claim that authorizes admin calls. Empty/whitespace with enabled: true aborts boot (every authenticated user would otherwise be an admin).

PermissionsStore​

#[serde(deny_unknown_fields)]. Selects the backend for users / databases / grants β€” see admin-api.md Β§Storage backend.

KeyTypeRequiredDefaultNotes
driverpg | mysqlyesβ€”pg (default if the block is absent) shares the state DB. mysql opens a separate pool via PERMISSIONS_DB_DSN env at boot.

Boot-gate: driver: mysql + admin.enabled: true is rejected β€” admin handlers haven't been ported to mysql. Use pg for the admin path, or mysql with YAML grants only.

Grant​

#[serde(deny_unknown_fields)].

KeyTypeRequiredDefaultNotes
serverstringyesβ€”Must match a servers[].name, or "*" for all visible servers.
databasestringyesβ€”Must match a databases[].name somewhere, or "*". Catches typos at boot.
actionschema_read | query_read | query_write | history_readyesβ€”Misspelled variants (e.g. query_reed) fail at boot with the expected list.
constraintsConstraintsnoemptyMost-restrictive-merged across all matching grants (spec 06).

Action hierarchy​

query_write βŠ‡ query_read βŠ‡ schema_read. history_read is its own track.

Constraints​

#[serde(deny_unknown_fields)] β€” this is where the headline typo case from issue #16 lives. Unknown keys here used to silently drop the constraint; now they abort boot.

KeyTypeRequiredDefaultNotes
require_reasonboolnofalseCaller must pass a non-empty reason arg.
row_limitu32nononeTruncate cap. Combined with caller's limit, most-restrictive wins.
statement_timeout_msu32nononePostgres-side SET LOCAL statement_timeout for queries under this grant.

Secret references​

Used wherever the schema expects a password.

FormWhen to useResolution timing
${ENV:NAME}dev / CI; secret is in process envstartup + every pool open
${FILE:/path}k8s sealed-secret, file-projected secret, Vault Agent sidecarstartup + every pool open (so rotation works)
vault:secret/...recognized, not implemented; aborts bootβ€”
aws-sm:arn:...recognized, not implemented; aborts bootβ€”
gcp-sm:projects/...recognized, not implemented; aborts bootβ€”
anything elseinline literal (dev/test only)startup

Boot-time guarantees (issue #15):

  • Missing env var β†’ boot abort with EnvNotSet(name).
  • Missing or empty file β†’ boot abort with FileUnreadable / FileEmpty(path).
  • Malformed ${…} ref (legacy ${VAR} syntax, empty ${ENV:}, unknown scheme) β†’ YAML parse error pointing at the line.

What the parser does NOT validate (yet)​

  • Top-level gateway: / auth: / logging: sections are silently ignored. Their values come from env vars today.
  • Pool sizing (pool: { max_connections, idle_timeout_seconds, … }) on databases β€” gateway uses fixed defaults until per-DB pool sizing ships.
  • env: production strictness (rejecting inline literal passwords) is in the spec but not enforced today.
  • Network reachability β€” boot doesn't try to connect to listed servers; pools open lazily on first use.

When any of those fields ship, this page gets the corresponding row.