Documentation
¶
Index ¶
- Constants
- func DecodeEncryptionKey(raw string) ([]byte, error)
- func DecodeEncryptionKeysCSV(raw string) ([][]byte, error)
- func ParseMemorySize(raw string) (int64, error)
- func WithContext(ctx context.Context, cfg *Config) context.Context
- type Config
- func (c *Config) ApplyJavaCompatFromEnv() error
- func (c *Config) AttachmentSigningKey() ([]byte, error)
- func (c *Config) AttachmentSigningKeys() ([][]byte, error)
- func (c *Config) QdrantAddress() string
- func (c *Config) ResolvedAttachmentsFSDir() (string, error)
- func (c *Config) ResolvedTempDir() string
- func (c *Config) SQLiteFilePath() (string, error)
- type ListenerConfig
Constants ¶
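// Security modes accepted by Config.Mode.
//
// The declaration is written one constant per line; collapsed onto a single
// line without separators it is not valid Go.
const (
	// ModeProd is the default mode.
	ModeProd = "prod"
	// ModeTesting relaxes authentication: per the Config.Mode documentation, the
	// X-Client-ID header is accepted and API key validation is relaxed.
	// NOTE(review): with a client-supplied header accepted as identity, this
	// mode should not be enabled where untrusted clients can reach the service.
	ModeTesting = "testing"
)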
Variables ¶
This section is empty.
Functions ¶
func DecodeEncryptionKey ¶
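DecodeEncryptionKey supports both legacy hex keys and Java-style base64 keys. A string made only of hex digits can also be syntactically valid base64, so which key bytes result depends on the order in which the two formats are tried; this page does not show that order or whether the decoded length is checked.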
func DecodeEncryptionKeysCSV ¶
DecodeEncryptionKeysCSV parses comma-separated encryption keys.
func ParseMemorySize ¶
Types ¶
type Config ¶
// Config holds all configuration for the memory service.
//
// Several fields carry credentials or key material (InfinispanPassword,
// QdrantAPIKey, InfinispanVectorPassword, OpenAIAPIKey, APIKeys, EncryptionKey).
// NOTE(review): nothing visible in this declaration redacts them, so avoid
// printing a Config with %v/%+v or serializing it into logs and diagnostics.
type Config struct {
	// Mode controls security behavior: "prod" (default) or "testing".
	// In testing mode, X-Client-ID header is accepted and API key validation is relaxed.
	// NOTE(review): in testing mode the client identity comes from a header the
	// caller controls; confirm deployments reachable by untrusted clients run "prod".
	Mode string
	// Database
	// NOTE(review): connection URLs commonly embed a username and password;
	// treat DBURL as a secret if that is the case here.
	DBURL string
	// Run datastore migrations on startup.
	DatastoreMigrateAtStart bool
	// Redis
	// NOTE(review): may embed credentials in the URL, like DBURL — confirm.
	RedisURL string
	// Infinispan (RESP protocol — connects via go-redis under the covers)
	InfinispanHost     string // host:port (e.g. "localhost:11222")
	InfinispanUsername string
	// Credential for the Infinispan RESP connection; keep out of logs.
	InfinispanPassword string
	// Datastore backend type
	DatastoreType string // "postgres" or "mongo"
	// Cache backend type
	CacheType string // "local", "redis", "infinispan", or "none"
	// Optional named Redis client (Java parity surface).
	CacheRedisClient string
	// Infinispan cache options (Java parity surface).
	InfinispanStartupTimeout              time.Duration
	InfinispanMemoryEntriesCacheName      string
	InfinispanResponseRecordingsCacheName string
	// Memory entries cache TTL.
	CacheEpochTTL time.Duration
	// Process-local cache options.
	CacheLocalMaxBytes    int64
	CacheLocalNumCounters int64
	CacheLocalBufferItems int64
	// Attachment store type
	AttachType string // "db", "postgres", "mongo", "s3", or "fs"
	// AttachTypeExplicit records whether the attachment store was explicitly set by flag/env.
	AttachTypeExplicit bool
	// AttachFSDir overrides the local filesystem directory used by the "fs" attachment store.
	AttachFSDir string
	// Attachment behavior.
	// NOTE(review): units are not stated here; AttachmentMaxSize is presumably bytes — confirm.
	AttachmentMaxSize          int64
	AttachmentDefaultExpiresIn time.Duration
	AttachmentMaxExpiresIn     time.Duration
	AttachmentCleanupInterval  time.Duration
	// NOTE(review): presumably the lifetime of a signed download URL; shorter
	// values narrow the window in which a leaked URL is usable — confirm.
	AttachmentDownloadURLExpiresIn time.Duration
	// Vector store type
	VectorType string // "pgvector", "qdrant", or "" (disabled)
	// Run vector migrations on startup.
	VectorMigrateAtStart bool
	// Number of entries to embed and index per background indexer tick.
	VectorIndexerBatchSize int
	// Qdrant
	QdrantHost             string
	QdrantPort             int
	QdrantCollectionPrefix string
	QdrantCollectionName   string
	// Credential for Qdrant; keep out of logs.
	QdrantAPIKey string
	// NOTE(review): if the API key is sent on each request, leaving TLS off
	// would expose it on the wire — confirm the default.
	QdrantUseTLS         bool
	QdrantStartupTimeout time.Duration
	// Infinispan vector store (REST API)
	InfinispanVectorURL         string
	InfinispanVectorCacheName   string
	InfinispanVectorCachePrefix string
	InfinispanVectorUsername    string
	// Credential for the Infinispan vector REST API; keep out of logs.
	InfinispanVectorPassword string
	// NOTE(review): HTTP basic auth sends the password in reversible form;
	// pair "basic" with InfinispanVectorUseTLS.
	InfinispanVectorAuthType string // "basic" or "digest"
	InfinispanVectorUseTLS   bool
	// NOTE(review): presumably toggles TLS certificate verification for the
	// vector REST endpoint; when off the server is not authenticated — confirm
	// the default is true.
	InfinispanVectorVerifySSL bool
	// Embedding type
	EmbedType string // "none", "local", or "openai"
	// OpenAI
	// OpenAIAPIKey is a credential; keep out of logs.
	OpenAIAPIKey    string
	OpenAIModelName string
	// NOTE(review): requests carrying OpenAIAPIKey presumably go to this base
	// URL; point it only at endpoints trusted with the key — confirm.
	OpenAIBaseURL    string
	OpenAIDimensions int
	// Search feature toggles.
	SearchSemanticEnabled bool
	SearchFulltextEnabled bool
	// OIDC
	OIDCIssuer string
	// NOTE(review): when discovery uses a different URL than the issuer, verify
	// that token issuer validation still compares against OIDCIssuer.
	OIDCDiscoveryURL string // Internal URL for OIDC discovery (when issuer URL is not reachable)
	// Prometheus
	PrometheusURL string
	// MetricsLabels is a comma-separated list of key=value pairs added as
	// constant labels to all Prometheus metrics. Values support ${VAR} expansion.
	// Defaults to "service=memory-service".
	// NOTE(review): ${VAR} expansion copies environment values into metrics
	// output; do not reference variables that hold secrets.
	MetricsLabels string
	// S3
	S3Bucket           string
	S3Prefix           string
	S3DirectDownload   bool
	S3ExternalEndpoint string
	S3UsePathStyle     bool
	// Server
	Listener           ListenerConfig
	ManagementListener ListenerConfig
	// ManagementListenerEnabled is true when --management-port / --management-unix-socket
	// (or their env vars) was explicitly provided. When false, management endpoints are
	// served on the main port.
	ManagementListenerEnabled bool
	// ManagementAccessLog enables HTTP access logging for management endpoints (/health, /ready, /metrics).
	// Disabled by default to suppress high-frequency probe noise from the access log.
	ManagementAccessLog bool
	CORSEnabled         bool
	// NOTE(review): format is not shown here (presumably a list of allowed
	// origins); confirm how a wildcard entry is handled.
	CORSOrigins string
	// Security
	// APIKeys maps API key values to client IDs (Java parity: MEMORY_SERVICE_API_KEYS_<CLIENT_ID>=<key>).
	// The secret is the map key, so ranging over or logging this map exposes the API keys.
	APIKeys map[string]string // key value → clientId
	// Role assignment.
	// NOTE(review): the *Users and *Clients fields are plain strings, presumably
	// comma-separated lists of principals granted each role — confirm the format.
	AdminOIDCRole   string
	AuditorOIDCRole string
	IndexerOIDCRole string
	AdminUsers      string
	AuditorUsers    string
	IndexerUsers    string
	AdminClients    string
	AuditorClients  string
	IndexerClients  string
	// Encryption
	EncryptionProviders          string
	EncryptionProviderDEKType    string
	EncryptionProviderDEKEnabled bool
	EncryptionVaultTransitKey    string
	// EncryptionKMSKeyID is the AWS KMS key ID or ARN used by the "kms" provider.
	EncryptionKMSKeyID string
	// EncryptionKey is a comma-separated list of AES keys for the "dek" provider.
	// The first key is primary (used for new encryptions); subsequent keys are legacy
	// (decryption-only, for zero-downtime key rotation).
	// AttachmentSigningKey and AttachmentSigningKeys derive the attachment
	// download-token HMAC keys from these same entries via HKDF-SHA256, so this
	// value protects both stored data and download tokens.
	EncryptionKey string
	// EncryptionDBDisabled skips GCM cipher setup in the postgres/mongo stores even when
	// EncryptionKey is set. Useful when you want signed download URLs without encrypting data at rest.
	EncryptionDBDisabled bool
	// EncryptionAttachmentsDisabled skips the encrypt.Wrap layer on the attachment store even when
	// EncryptionKey is set.
	EncryptionAttachmentsDisabled bool
	// Body size limit (bytes)
	MaxBodySize int64
	// Attachments
	// NOTE(review): the name suggests this permits attachment source URLs that
	// point at private or internal addresses; if so it disables a server-side
	// request forgery guard and should stay false outside trusted networks — confirm.
	AllowPrivateSourceURLs bool
	// Temporary file directory. Empty uses platform default temp directory.
	TempDir string
	// Graceful shutdown drain timeout (seconds)
	DrainTimeout int
	// DB pool
	DBMaxOpenConns int
	DBMaxIdleConns int
	// Eviction
	EvictionBatchSize  int
	EvictionBatchDelay int // milliseconds
	// How long to retain response-resumer temp files.
	ResumerTempFileRetention time.Duration
	// Resumer advertised address
	ResumerAdvertisedAddress string
	// Admin
	// NOTE(review): presumably requires admin calls to carry a justification
	// (useful for audit trails) — confirm against the admin handlers.
	RequireJustification bool
	// Event bus
	EventBusType           string // "local", "redis", "postgres"
	EventBusOutboundBuffer int    // outbound channel capacity for cross-node publish pipeline
	EventBusBatchSize      int    // max events per cross-node publish batch
	// SSE event stream
	SSEKeepaliveInterval     time.Duration
	SSEMembershipCacheTTL    time.Duration
	SSEMaxConnectionsPerUser int
	SSESubscriberBufferSize  int
	OutboxEnabled            bool
	OutboxReplayBatchSize    int
	// Episodic memory settings
	EpisodicMaxDepth           int           // Maximum namespace depth (default 5)
	EpisodicIndexingBatchSize  int           // Items processed per indexer cycle (default 100)
	EpisodicIndexingInterval   time.Duration // Polling interval for vector indexer (default 30s)
	EpisodicTTLInterval        time.Duration // Polling interval for TTL expiry + eviction (default 60s)
	EpisodicEvictionBatchSize  int           // Max rows processed per eviction pass (default 100)
	EpisodicTombstoneRetention time.Duration // How long to keep delete/expired tombstones (default 90 days)
	// NOTE(review): if these Rego policies make access decisions, the directory
	// should be writable only by trusted operators — confirm what the policies govern.
	EpisodicPolicyDir string // Directory for OPA Rego policies (default: built-in)
	// Knowledge clustering settings
	KnowledgeClusteringEnabled bool          // Feature gate (default false)
	KnowledgeClusteringEpsilon float64       // DBSCAN neighborhood radius in cosine distance (default 0.3)
	KnowledgeClusteringMinPts  int           // DBSCAN minimum points to form a cluster (default 3)
	KnowledgeClusteringDecay   time.Duration // Time with no new members before trend becomes decaying (default 30d)
}
Config holds all configuration for the memory service.
func DefaultConfig ¶
func DefaultConfig() Config
DefaultConfig returns a Config with sensible defaults.
func FromContext ¶
FromContext retrieves the Config from the context.
func (*Config) ApplyJavaCompatFromEnv ¶
ApplyJavaCompatFromEnv reads Java-style environment variables that are not represented by dedicated CLI flags in the Go serve command.
func (*Config) AttachmentSigningKey ¶
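AttachmentSigningKey returns the HMAC key used to sign new attachment download tokens. A domain-specific 32-byte key is derived from the first (primary) key in EncryptionKey via HKDF-SHA256. Returns (nil, nil) when EncryptionKey is not set. Callers must treat a nil key as "signing unavailable" and not pass it to HMAC, because a token signed with an empty key gives no protection against forgery.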
func (*Config) AttachmentSigningKeys ¶
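AttachmentSigningKeys returns all signing keys for token verification, supporting rolling key rotation. EncryptionKey is a comma-separated list; a signing key is derived from each entry via HKDF-SHA256, primary first. An entry therefore keeps validating tokens for as long as it remains in the list, so retiring a key means removing it from EncryptionKey. Returns (nil, nil) when EncryptionKey is not set.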
func (*Config) QdrantAddress ¶
QdrantAddress returns host:port for qdrant gRPC dialing.
func (*Config) ResolvedAttachmentsFSDir ¶
ResolvedAttachmentsFSDir returns the configured filesystem attachment root or derives it from the SQLite DB path when possible.
func (*Config) ResolvedTempDir ¶
ResolvedTempDir returns the configured temp directory or the platform default.
func (*Config) SQLiteFilePath ¶
SQLiteFilePath resolves a file-backed SQLite DB path from the configured DBURL.