Directories
¶
| Path | Synopsis |
|---|---|
|
Package alerts is the producer-facing seam for security alerting.
|
Package alerts is the producer-facing seam for security alerting. |
|
Package audit is the admin-action audit trail engine: a bounded in-memory ring (the newest MaxRing entries), optional append-only JSONL persistence with rotation, paginated/time-filtered reads over both, and the Data-Plane → Control-Plane push queue.
|
Package audit is the admin-action audit trail engine: a bounded in-memory ring (the newest MaxRing entries), optional append-only JSONL persistence with rotation, paginated/time-filtered reads over both, and the Data-Plane → Control-Plane push queue. |
|
Package autoexclude is the adaptive decryption-exclusion cache: a bounded, TTL-bounded, in-memory learned set of hosts that could not be SSL-inspected, so that subsequent CONNECTs to them can fail open (bypass decryption) instead of breaking.
|
Package autoexclude is the adaptive decryption-exclusion cache: a bounded, TTL-bounded, in-memory learned set of hosts that could not be SSL-inspected, so that subsequent CONNECTs to them can fail open (bypass decryption) instead of breaking. |
|
Package backupcrypt is the D1.4 backup-envelope cryptography leaf: optional AES-256-GCM encryption of the compressed tar.gz backup blob, with the fixed 43-byte header bound to the ciphertext via AAD so any header tampering — including a KDF iteration-count downgrade — fails authentication.
|
Package backupcrypt is the D1.4 backup-envelope cryptography leaf: optional AES-256-GCM encryption of the compressed tar.gz backup blob, with the fixed 43-byte header bound to the ciphertext via AAD so any header tampering — including a KDF iteration-count downgrade — fails authentication. |
|
Package bandwidth is the per-node-group bandwidth/QoS policy engine: named policies with label selectors, priority-based matching (F10 overlap detection), token-bucket rate limiting, and atomic JSON persistence.
|
Package bandwidth is the per-node-group bandwidth/QoS policy engine: named policies with label selectors, priority-based matching (F10 overlap detection), token-bucket rate limiting, and atomic JSON persistence. |
|
Package blocklist is the host blocklist engine: O(labels) exact/wildcard matching with a never-block exceptions list, block/allow modes, sidecar persistence (.mode/.manual/.exceptions/.sources), per-feed attribution, and hosts-format line normalization.
|
Package blocklist is the host blocklist engine: O(labels) exact/wildcard matching with a never-block exceptions list, block/allow modes, sidecar persistence (.mode/.manual/.exceptions/.sources), per-feed attribution, and hosts-format line normalization. |
|
Package blocklistfeed is the remote blocklist syncer: it periodically downloads one or more remote blocklists (one domain per line, '#' comments allowed) and merges new entries into the live blocklist without removing manually-added entries.
|
Package blocklistfeed is the remote blocklist syncer: it periodically downloads one or more remote blocklists (one domain per line, '#' comments allowed) and merges new entries into the live blocklist without removing manually-added entries. |
|
Package blockpage owns the corporate "Access Denied" block page: the default HTML template, the runtime-mutable override, and the 403 response writer.
|
Package blockpage owns the corporate "Access Denied" block page: the default HTML template, the runtime-mutable override, and the 403 response writer. |
|
Package bootstrap generates the one-click DP-node deployment artifacts: the shell install script and the docker-compose.yml that the Control Plane serves against a single-use enrollment token.
|
Package bootstrap generates the one-click DP-node deployment artifacts: the shell install script and the docker-compose.yml that the Control Plane serves against a single-use enrollment token. |
|
Package ca implements Culvert's SSL-inspection Root CA — the MITM trust core (ADR-0002 extraction; engine was ca.go in package main).
|
Package ca implements Culvert's SSL-inspection Root CA — the MITM trust core (ADR-0002 extraction; engine was ca.go in package main). |
|
Package catdb is Layer 2 of the two-tier URL categorisation engine — the community category store.
|
Package catdb is Layer 2 of the two-tier URL categorisation engine — the community category store. |
|
Package catgroup is the named category-group engine: bundles of URL categories (e.g.
|
Package catgroup is the named category-group engine: bundles of URL categories (e.g. |
|
Package clamav implements a ClamAV CLAMD protocol client (INSTREAM scanning) over Unix domain sockets or TCP, with zero external API dependency.
|
Package clamav implements a ClamAV CLAMD protocol client (INSTREAM scanning) over Unix domain sockets or TCP, with zero external API dependency. |
|
Package clientclass is the deterministic client classifier: whether a request comes from an interactive browser (eligible for a captive-portal SSO redirect), an opaque CONNECT tunnel (never redirectable), or a non-browser service client.
|
Package clientclass is the deterministic client classifier: whether a request comes from an interactive browser (eligible for a captive-portal SSO redirect), an opaque CONNECT tunnel (never redirectable), or a non-browser service client. |
|
Package configver implements the numbered config-version snapshot store (ADR-0002 extraction; engine was the store half of configversion.go in package main).
|
Package configver implements the numbered config-version snapshot store (ADR-0002 extraction; engine was the store half of configversion.go in package main). |
|
Package connlimit provides per-IP connection limiting.
|
Package connlimit provides per-IP connection limiting. |
|
Package decryptobs is the bounded-enum vocabulary for Culvert's decryption- observability model (ADR-0011).
|
Package decryptobs is the bounded-enum vocabulary for Culvert's decryption- observability model (ADR-0011). |
|
Package decryptprofile is the named SSL-decryption-profile engine: a PAN-OS-style "how to decrypt" object that policy rules reference by name to control HOW an inspected (SSLAction=Inspect) tunnel is decrypted — whether to inspect natively as HTTP/2, the upstream server-certificate-verification posture, the unsupported-TLS failure posture, the TLS version floor/cap, and the per-stream inactivity bound.
|
Package decryptprofile is the named SSL-decryption-profile engine: a PAN-OS-style "how to decrypt" object that policy rules reference by name to control HOW an inspected (SSLAction=Inspect) tunnel is decrypted — whether to inspect natively as HTTP/2, the upstream server-certificate-verification posture, the unsupported-TLS failure posture, the TLS version floor/cap, and the per-stream inactivity bound. |
|
Package feedsync is the UT1 URL-category feed syncer: it periodically downloads the UT1 Capitole blacklist tarball (via the NethServer mirror), extracts the categories in the ingest map, and bulk-writes them into the community URL-category database (internal/catdb).
|
Package feedsync is the UT1 URL-category feed syncer: it periodically downloads the UT1 Capitole blacklist tarball (via the NethServer mirror), extracts the categories in the ingest map, and bulk-writes them into the community URL-category database (internal/catdb). |
|
Package fileblock is the file-type blocking engine: an extension/MIME/ Content-Disposition blocklist (FileBlocker) and named file-type profiles (FileProfileStore, in fileprofile.go).
|
Package fileblock is the file-type blocking engine: an extension/MIME/ Content-Disposition blocklist (FileBlocker) and named file-type profiles (FileProfileStore, in fileprofile.go). |
|
Package filemagic does magic-byte detection for archive identification and polyglot detection — examining the first bytes of a response body to catch archives disguised as safe types and Content-Type/content mismatches.
|
Package filemagic does magic-byte detection for archive identification and polyglot detection — examining the first bytes of a response body to catch archives disguised as safe types and Content-Type/content mismatches. |
|
Package fileutil provides durable filesystem helpers shared by package main and internal/* packages (ADR-0003).
|
Package fileutil provides durable filesystem helpers shared by package main and internal/* packages (ADR-0003). |
|
Package geoip is the GeoIP country-lookup engine: a local MaxMind GeoLite2 (.mmdb) reader with an in-memory IP→country cache.
|
Package geoip is the GeoIP country-lookup engine: a local MaxMind GeoLite2 (.mmdb) reader with an in-memory IP→country cache. |
|
Package halease is the HA fencing-lease primitive (ADR-0005 S1): a single cluster-wide lease with a strictly-monotonic epoch (the fencing token), arbitrated by a strongly-consistent backend.
|
Package halease is the HA fencing-lease primitive (ADR-0005 S1): a single cluster-wide lease with a strictly-monotonic epoch (the fencing token), arbitrated by a strongly-consistent backend. |
|
Package hashcache provides a size-bounded, TTL-evicting cache of security scan results keyed on the SHA-256 digest of scanned content.
|
Package hashcache provides a size-bounded, TTL-evicting cache of security scan results keyed on the SHA-256 digest of scanned content. |
|
Package hostutil provides pure host-string normalization helpers shared across the proxy (policy matching, category lookups, scan/bypass keys).
|
Package hostutil provides pure host-string normalization helpers shared across the proxy (policy matching, category lookups, scan/bypass keys). |
|
Package lockout provides the login account-lockout limiter and the admin-API rate limiter.
|
Package lockout provides the login account-lockout limiter and the admin-API rate limiter. |
|
Package logstore is the Badger-backed, time-ordered persistent request-log history engine.
|
Package logstore is the Badger-backed, time-ordered persistent request-log history engine. |
|
Package nodegroup is the node-group definition store: named collections of Data-Plane nodes matched by label selectors (geo-aware grouping, tiered routing, policy scoping), with atomic JSON persistence.
|
Package nodegroup is the node-group definition store: named collections of Data-Plane nodes matched by label selectors (geo-aware grouping, tiered routing, policy scoping), with atomic JSON persistence. |
|
Package obs is the shared logging facade for internal/* packages (ADR-0003).
|
Package obs is the shared logging facade for internal/* packages (ADR-0003). |
|
Package ocsp is the OCSP revocation-checking engine for upstream TLS certificates: a TTL'd verdict cache plus the responder query pipeline behind a tls.Config VerifyPeerCertificate callback.
|
Package ocsp is the OCSP revocation-checking engine for upstream TLS certificates: a TTL'd verdict cache plus the responder query pipeline behind a tls.Config VerifyPeerCertificate callback. |
|
Package otlp exports metrics and request spans to any OpenTelemetry Collector via the OTLP/HTTP JSON protocol (POST /v1/metrics, /v1/traces).
|
Package otlp exports metrics and request spans to any OpenTelemetry Collector via the OTLP/HTTP JSON protocol (POST /v1/metrics, /v1/traces). |
|
Package pac is the PAC (proxy auto-config) engine: the persisted PAC configuration store and the FindProxyForURL generator.
|
Package pac is the PAC (proxy auto-config) engine: the persisted PAC configuration store and the FindProxyForURL generator. |
|
Package plugin is the Culvert middleware plugin API: the Middleware contract, the process-wide plugin chain, and the panic-safe dispatch the proxy hot path calls.
|
Package plugin is the Culvert middleware plugin API: the Middleware contract, the process-wide plugin chain, and the panic-safe dispatch the proxy hot path calls. |
|
Package redaction is the data-governance engine for support bundles (REDACTION-MODEL.md, ADR-0009).
|
Package redaction is the data-governance engine for support bundles (REDACTION-MODEL.md, ADR-0009). |
|
Package reqlog is the request-log engine: a bounded in-memory ring (the newest MaxRing entries), an optional persistent JSONL layer with rotation and a count-once-log-first write-error contract, a bounded newest-first read over the persistent file with a short-TTL shared-parse cache, and the status→level mapping.
|
Package reqlog is the request-log engine: a bounded in-memory ring (the newest MaxRing entries), an optional persistent JSONL layer with rotation and a count-once-log-first write-error contract, a bounded newest-first read over the persistent file with a short-TTL shared-parse cache, and the status→level mapping. |
|
Package rewrite owns per-host HTTP header rewrite rules: the rule DTO, the ordered active rule set, and the request/response header mutators.
|
Package rewrite owns per-host HTTP header rewrite rules: the rule DTO, the ordered active rule set, and the request/response header mutators. |
|
Package saasfeed is the SaaS category feed syncer: it periodically fetches a curated JSON file of SaaS URL categories (AI, Marketing, Messaging, …) from a remote URL and hands the parsed categories to an injected merge callback.
|
Package saasfeed is the SaaS category feed syncer: it periodically fetches a curated JSON file of SaaS URL categories (AI, Marketing, Messaging, …) from a remote URL and hands the parsed categories to an injected merge callback. |
|
Package scanexcl holds the admin-managed scan-exclusion store: known-good SHA-256 content hashes and hostnames that bypass all body scanning.
|
Package scanexcl holds the admin-managed scan-exclusion store: known-good SHA-256 content hashes and hostnames that bypass all body scanning. |
|
Package scanner is the DPI content scanner: a set of pre-compiled regex signatures applied to HTTP response bodies flowing through SSL-Inspect tunnels, with a per-host bypass list and atomic persistence.
|
Package scanner is the DPI content scanner: a set of pre-compiled regex signatures applied to HTTP response bodies flowing through SSL-Inspect tunnels, with a per-host bypass list and atomic persistence. |
|
Package sealbox is the recipient-public-key sealing leaf for support-bundle export (M4 E2E).
|
Package sealbox is the recipient-public-key sealing leaf for support-bundle export (M4 E2E). |
|
Package secret is the compiler-enforced containment boundary for key-encryption-key (KEK) material and key-at-rest wrapping, per docs/adr/0007-secret-containment-boundary.md and roadmap/SECRET-CONTAINMENT-PLAN.md.
|
Package secret is the compiler-enforced containment boundary for key-encryption-key (KEK) material and key-at-rest wrapping, per docs/adr/0007-secret-containment-boundary.md and roadmap/SECRET-CONTAINMENT-PLAN.md. |
|
Package secscan is the security-scan orchestrator: it ties ClamAV, YARA, the threat feed, the hash cache, and the admin hash allowlist into the single pipeline the proxy hot path calls.
|
Package secscan is the security-scan orchestrator: it ties ClamAV, YARA, the threat feed, the hash cache, and the admin hash allowlist into the single pipeline the proxy hot path calls. |
|
Package session implements Culvert's HMAC-SHA256-signed session tokens and the revocation machinery behind them (ADR-0002 extraction; engine was session.go in package main).
|
Package session implements Culvert's HMAC-SHA256-signed session tokens and the revocation machinery behind them (ADR-0002 extraction; engine was session.go in package main). |
|
Package sse is the Server-Sent-Events client hub: registration under a connection cap, fan-out broadcast with slow-client eviction, and the hub-level observability counters.
|
Package sse is the Server-Sent-Events client hub: registration under a connection cap, fan-out broadcast with slow-client eviction, and the hub-level observability counters. |
|
Package sslbypass is the SSL-inspection bypass matcher: a runtime-managed list of host patterns (FQDN globs via hostutil.MatchFQDN semantics, or "~"-prefixed regexes) that must always bypass SSL inspection regardless of what the PBAC policy says, with pre-compiled matching and JSON file persistence.
|
Package sslbypass is the SSL-inspection bypass matcher: a runtime-managed list of host patterns (FQDN globs via hostutil.MatchFQDN semantics, or "~"-prefixed regexes) that must always bypass SSL inspection regardless of what the PBAC policy says, with pre-compiled matching and JSON file persistence. |
|
Package ssrf is the SSRF (server-side request forgery) guard: the private/internal CIDR table, host resolution checks with a short-TTL DNS cache, and the connect-time dialer control that closes the DNS-rebinding TOCTOU window.
|
Package ssrf is the SSRF (server-side request forgery) guard: the private/internal CIDR table, host resolution checks with a short-TTL DNS cache, and the connect-time dialer control that closes the DNS-rebinding TOCTOU window. |
|
Package support is the support-bundle engine (SUPPORT-BUNDLE-SPEC.md, COLLECTOR-CONTRACT.md): a plugin registry of small, isolated, budgeted, self-redacting collectors plus a runner that assembles a deterministic, integrity-hashed `csb/1` bundle.
|
Package support is the support-bundle engine (SUPPORT-BUNDLE-SPEC.md, COLLECTOR-CONTRACT.md): a plugin registry of small, isolated, budgeted, self-redacting collectors plus a runner that assembles a deterministic, integrity-hashed `csb/1` bundle. |
|
Package syslog forwards log lines to a remote syslog server over UDP or TCP.
|
Package syslog forwards log lines to a remote syslog server over UDP or TCP. |
|
Package threatfeed is the local threat-feed manager: it downloads, persists, and provides instant offline lookups for known-malicious URL/domain lists.
|
Package threatfeed is the local threat-feed manager: it downloads, persists, and provides instant offline lookups for known-malicious URL/domain lists. |
|
Package totp implements TOTP (RFC 6238) validation using only the standard library: HMAC-SHA1 with a 30-second step, 6-digit output, and ±1 step clock skew.
|
Package totp implements TOTP (RFC 6238) validation using only the standard library: HMAC-SHA1 with a 30-second step, 6-digit output, and ±1 step clock skew. |
|
Package uitls generates the self-signed TLS certificate for the admin UI: baseline loopback SANs, all local interface IPs, the hostname, operator extras (CULVERT_PUBLIC_IP + --ui-san values passed in by the caller), and best-effort cloud public-IP detection via instance metadata.
|
Package uitls generates the self-signed TLS certificate for the admin UI: baseline loopback SANs, all local interface IPs, the hostname, operator extras (CULVERT_PUBLIC_IP + --ui-san values passed in by the caller), and best-effort cloud public-IP detection via instance metadata. |
|
Package upstream implements parent-proxy chaining with failover and circuit-breaker protection (ADR-0002 extraction; engine was upstream.go in package main).
|
Package upstream implements parent-proxy chaining with failover and circuit-breaker protection (ADR-0002 extraction; engine was upstream.go in package main). |
|
Package urlcat is the admin-managed URL-category engine: named categories with lowercase host-set indexing for O(labels) membership checks during policy evaluation, JSON file persistence, and the built-in + embedded-SaaS default seed list.
|
Package urlcat is the admin-managed URL-category engine: named categories with lowercase host-set indexing for O(labels) membership checks during policy evaluation, JSON file persistence, and the built-in + embedded-SaaS default seed list. |
Click to show internal directories.
Click to hide internal directories.