config.go

v1.3.7

package config

import (
	"fmt"
	"os"
	"strings"

	"github.com/spf13/viper"
)

// ResolveValue resolves a configuration value. If it starts with "@",
// the remainder is treated as a file path and the file contents are returned.
// Otherwise the value is returned as-is.
func ResolveValue(value string) (string, error) {
	path, ok := strings.CutPrefix(value, "@")
	if !ok {
		return value, nil
	}

	data, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read %s: %w", path, err)
	}
	return strings.TrimSpace(string(data)), nil
}

// Module represents a Go module configuration.
type Module struct {
	VCS            string `json:"vcs"`
	Repo           string `json:"repo"`
	Web            string `json:"web"`
	Private        bool   `json:"private,omitempty"`
	CredentialName string `json:"credential_name,omitempty"`
}

// FallbackMode controls behavior for modules not defined in config.
type FallbackMode string

const (
	FallbackNone FallbackMode = ""

	FallbackRedirect FallbackMode = "redirect" // 302 redirect to upstream
	FallbackSync     FallbackMode = "sync"     // fetch upstream, cache synchronously, then serve
	FallbackAsync    FallbackMode = "async"    // fetch upstream, serve immediately, cache in background
)

// RequiresUpstream reports whether the mode needs an upstream URL.
func (m FallbackMode) RequiresUpstream() bool {
	switch m {
	case FallbackRedirect, FallbackSync, FallbackAsync:
		return true
	}
	return false
}

type FallbackConfig struct {
	Mode     FallbackMode `mapstructure:"mode"`
	Upstream string       `mapstructure:"upstream"`
}

// S3Config is kept for backward compatibility with NewS3Storage.
type S3Config struct {
	Endpoint     string `mapstructure:"endpoint"`
	Bucket       string `mapstructure:"bucket"`
	Region       string `mapstructure:"region"`
	UsePathStyle bool   `mapstructure:"use_path_style"`
}

// StorageConfig supports multiple storage backends.
type StorageConfig struct {
	Type         string `mapstructure:"type"`           // "memory", "disk", "s3" (default: "s3")
	Root         string `mapstructure:"root"`           // disk only
	Endpoint     string `mapstructure:"endpoint"`       // s3 only
	Bucket       string `mapstructure:"bucket"`         // s3 only
	Region       string `mapstructure:"region"`         // s3 only
	UsePathStyle bool   `mapstructure:"use_path_style"` // s3 only: path-style addressing for Garage, MinIO, etc.
	MaxBytes     int64  `mapstructure:"max_bytes"`      // memory only (0 = unlimited)
}

// S3 returns S3Config extracted from StorageConfig.
func (c *StorageConfig) S3() S3Config {
	return S3Config{Endpoint: c.Endpoint, Bucket: c.Bucket, Region: c.Region, UsePathStyle: c.UsePathStyle}
}

type SumdbConfig struct {
	Enabled  bool   `mapstructure:"enabled"`
	Key      string `mapstructure:"key"`
	Upstream string `mapstructure:"upstream"` // upstream sumdb URL for non-local lookups
}

// OIDCConfig configures OpenID Connect authentication for the admin UI.
type OIDCConfig struct {
	Issuer       string `mapstructure:"issuer"`
	ClientID     string `mapstructure:"client_id"`
	ClientSecret string `mapstructure:"client_secret"` // supports @file
	RedirectURL  string `mapstructure:"redirect_url"`
}

type InstrumentationConfig struct {
	Listen      string `mapstructure:"listen"`
	MetricsPath string `mapstructure:"metrics_path"`
	HealthPath  string `mapstructure:"health_path"`
}

// DatabaseConfig configures the module store database backend.
type DatabaseConfig struct {
	Type string `mapstructure:"type"` // "sqlite" (default), "postgres"
	DSN  string `mapstructure:"dsn"`  // file path for sqlite, connection string for postgres
}

type Config struct {
	Host            string                 `mapstructure:"host"`
	Database        *DatabaseConfig        `mapstructure:"database"`
	Storage         *StorageConfig         `mapstructure:"storage"`
	Fallback        *FallbackConfig        `mapstructure:"fallback"`
	Sumdb           *SumdbConfig           `mapstructure:"sumdb"`
	Instrumentation *InstrumentationConfig `mapstructure:"instrumentation"`
	OIDC            *OIDCConfig            `mapstructure:"oidc"`
	Listen          string                 `mapstructure:"listen"`
	Cache           string                 `mapstructure:"cache"`
	AuthTokens      string                 `mapstructure:"auth_tokens"`
	AdminToken      string                 `mapstructure:"admin_token"`
}

// Dump returns a human-readable configuration summary with secrets masked.
func (cfg *Config) Dump() string {
	var b strings.Builder

	fmt.Fprintf(&b, "host: %s\n", cfg.Host)
	fmt.Fprintf(&b, "listen: %s\n", cfg.Listen)
	fmt.Fprintf(&b, "cache: %s\n", cfg.Cache)
	fmt.Fprintf(&b, "admin_token: %s\n", mask(cfg.AdminToken))
	fmt.Fprintf(&b, "auth_tokens: %s\n", mask(cfg.AuthTokens))

	if cfg.Database != nil {
		fmt.Fprintf(&b, "database:\n")
		fmt.Fprintf(&b, "  type: %s\n", cfg.Database.Type)
		fmt.Fprintf(&b, "  dsn: %s\n", maskDSN(cfg.Database.Type, cfg.Database.DSN))
	}

	if cfg.Storage != nil {
		t := cfg.Storage.Type
		if t == "" {
			t = "s3"
		}
		fmt.Fprintf(&b, "storage:\n")
		fmt.Fprintf(&b, "  type: %s\n", t)
		switch t {
		case "s3":
			fmt.Fprintf(&b, "  endpoint: %s\n", cfg.Storage.Endpoint)
			fmt.Fprintf(&b, "  bucket: %s\n", cfg.Storage.Bucket)
			fmt.Fprintf(&b, "  region: %s\n", cfg.Storage.Region)
			fmt.Fprintf(&b, "  use_path_style: %v\n", cfg.Storage.UsePathStyle)
		case "disk":
			fmt.Fprintf(&b, "  root: %s\n", cfg.Storage.Root)
		case "memory":
			fmt.Fprintf(&b, "  max_bytes: %d\n", cfg.Storage.MaxBytes)
		}
	}

	if cfg.Fallback != nil {
		fmt.Fprintf(&b, "fallback:\n")
		fmt.Fprintf(&b, "  mode: %s\n", cfg.Fallback.Mode)
		fmt.Fprintf(&b, "  upstream: %s\n", cfg.Fallback.Upstream)
	}

	if cfg.Sumdb != nil {
		fmt.Fprintf(&b, "sumdb:\n")
		fmt.Fprintf(&b, "  enabled: %v\n", cfg.Sumdb.Enabled)
		fmt.Fprintf(&b, "  key: %s\n", mask(cfg.Sumdb.Key))
		fmt.Fprintf(&b, "  upstream: %s\n", cfg.Sumdb.Upstream)
	}

	if cfg.Instrumentation != nil {
		fmt.Fprintf(&b, "instrumentation:\n")
		fmt.Fprintf(&b, "  listen: %s\n", cfg.Instrumentation.Listen)
		fmt.Fprintf(&b, "  metrics_path: %s\n", cfg.Instrumentation.MetricsPath)
		fmt.Fprintf(&b, "  health_path: %s\n", cfg.Instrumentation.HealthPath)
	}

	if cfg.OIDC != nil {
		fmt.Fprintf(&b, "oidc:\n")
		fmt.Fprintf(&b, "  issuer: %s\n", cfg.OIDC.Issuer)
		fmt.Fprintf(&b, "  client_id: %s\n", cfg.OIDC.ClientID)
		fmt.Fprintf(&b, "  client_secret: %s\n", mask(cfg.OIDC.ClientSecret))
		fmt.Fprintf(&b, "  redirect_url: %s\n", cfg.OIDC.RedirectURL)
	}

	return b.String()
}

func mask(s string) string {
	if s == "" {
		return "(not set)"
	}
	if strings.HasPrefix(s, "@") {
		return s // file reference, safe to show
	}
	if len(s) <= 4 {
		return "****"
	}
	return s[:2] + "****" + s[len(s)-2:]
}

func maskDSN(dbType, dsn string) string {
	if dbType == "sqlite" {
		return dsn // file path, safe to show
	}
	// Mask password in connection strings like postgres://user:pass@host/db
	if at := strings.Index(dsn, "@"); at > 0 {
		prefix := dsn[:at]
		if colon := strings.LastIndex(prefix, ":"); colon > 0 {
			return prefix[:colon+1] + "****" + dsn[at:]
		}
	}
	return dsn
}

var validKeys = map[string]bool{
	"host":                          true,
	"listen":                        true,
	"cache":                         true,
	"database":                      true,
	"database.type":                 true,
	"database.dsn":                  true,
	"auth_tokens":                   true,
	"admin_token":                   true,
	"sumdb":                         true,
	"sumdb.enabled":                 true,
	"sumdb.key":                     true,
	"sumdb.upstream":                true,
	"instrumentation":               true,
	"instrumentation.listen":        true,
	"instrumentation.metrics_path":  true,
	"instrumentation.health_path":   true,
	"storage":                       true,
	"storage.type":                  true,
	"storage.root":                  true,
	"storage.endpoint":              true,
	"storage.bucket":                true,
	"storage.region":                true,
	"storage.use_path_style":        true,
	"storage.max_bytes":             true,
	"fallback":                      true,
	"fallback.mode":                 true,
	"fallback.upstream":             true,
	"oidc":                          true,
	"oidc.issuer":                   true,
	"oidc.client_id":                true,
	"oidc.client_secret":            true,
	"oidc.redirect_url":             true,
}

// Load reads configuration from a YAML file and environment variables.
func Load(path string) (*Config, error) {
	v := viper.New()

	v.SetDefault("listen", ":8080")
	v.SetDefault("cache", "./cache")

	// Bind each config key to its exact CURATOR_* env var.
	// We avoid SetEnvKeyReplacer/AutomaticEnv because "." → "_"
	// is ambiguous for keys with underscores in the leaf name
	// (e.g., storage.use_path_style vs storage.use.path.style),
	// and SetDefault for parent sections clobbers env-bound children.
	for key := range validKeys {
		// Skip parent section keys (e.g., "storage", "sumdb") — binding
		// them to CURATOR_STORAGE (unset) makes Viper treat the whole
		// section as nil, hiding env-bound child keys during Unmarshal.
		if !strings.Contains(key, ".") {
			continue
		}
		envVar := "CURATOR_" + strings.ToUpper(strings.ReplaceAll(key, ".", "_"))
		_ = v.BindEnv(key, envVar)
	}
	// Bind top-level keys that aren't sections.
	for _, key := range []string{"host", "listen", "cache", "admin_token", "auth_tokens"} {
		_ = v.BindEnv(key, "CURATOR_"+strings.ToUpper(key))
	}

	if path != "" {
		v.SetConfigFile(path)
		if err := v.ReadInConfig(); err != nil {
			if _, ok := err.(viper.ConfigFileNotFoundError); !ok {
				return nil, fmt.Errorf("read config: %w", err)
			}
		}
	}

	if err := validateKeys(v); err != nil {
		return nil, err
	}

	var cfg Config
	if err := v.Unmarshal(&cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}

	// Database defaults.
	if cfg.Database == nil {
		cfg.Database = &DatabaseConfig{}
	}
	if cfg.Database.Type == "" {
		cfg.Database.Type = "sqlite"
	}

	switch cfg.Database.Type {
	case "sqlite":
		if cfg.Database.DSN == "" {
			cfg.Database.DSN = "curator.db"
		}
	case "postgres":
		if cfg.Database.DSN == "" {
			return nil, fmt.Errorf("config: database.dsn is required for postgres")
		}
	default:
		return nil, fmt.Errorf("config: unknown database type %q (use sqlite or postgres)", cfg.Database.Type)
	}

	if cfg.Host == "" {
		return nil, fmt.Errorf("config: host is required (set via config file or CURATOR_HOST)")
	}

	if cfg.Sumdb != nil && cfg.Sumdb.Enabled && cfg.Sumdb.Key == "" {
		return nil, fmt.Errorf("config: sumdb.enabled is true but sumdb.key is not set")
	}

	// Storage validation.
	if cfg.Storage != nil {
		switch cfg.Storage.Type {
		case "s3", "":
			if cfg.Storage.Bucket == "" {
				return nil, fmt.Errorf("config: storage.bucket is required for s3 storage")
			}
		case "disk":
			if cfg.Storage.Root == "" {
				return nil, fmt.Errorf("config: storage.root is required for disk storage")
			}
		case "memory":
			// no required fields
		default:
			return nil, fmt.Errorf("config: unknown storage type %q (use s3, disk, or memory)", cfg.Storage.Type)
		}
	}

	// Fallback validation.
	if cfg.Fallback != nil && cfg.Fallback.Mode.RequiresUpstream() && cfg.Fallback.Upstream == "" {
		return nil, fmt.Errorf("config: fallback mode %q requires upstream URL", cfg.Fallback.Mode)
	}

	// OIDC validation.
	if cfg.OIDC != nil && cfg.OIDC.Issuer != "" {
		if cfg.OIDC.ClientID == "" {
			return nil, fmt.Errorf("config: oidc.client_id is required when oidc.issuer is set")
		}
		if cfg.OIDC.ClientSecret == "" {
			return nil, fmt.Errorf("config: oidc.client_secret is required when oidc.issuer is set")
		}
		if cfg.OIDC.RedirectURL == "" {
			return nil, fmt.Errorf("config: oidc.redirect_url is required when oidc.issuer is set")
		}
	}

	return &cfg, nil
}

// FallbackMode returns the configured fallback mode, or "" if none.
func (cfg *Config) FallbackMode() FallbackMode {
	if cfg.Fallback != nil {
		return cfg.Fallback.Mode
	}
	return FallbackNone
}

func validateKeys(v *viper.Viper) error {
	for _, key := range v.AllKeys() {
		if !validKeys[key] {
			return fmt.Errorf("config: unknown key %q", key)
		}
	}
	return nil
}


Source Files

config.go

1	package config
2
3	import (
4	"fmt"
5	"os"
6	"strings"
7
8	"github.com/spf13/viper"
9	)
10
11	// ResolveValue resolves a configuration value. If it starts with "@",
12	// the remainder is treated as a file path and the file contents are returned.
13	// Otherwise the value is returned as-is.
14	func ResolveValue(value string) (string, error) {
15	path, ok := strings.CutPrefix(value, "@")
16	if !ok {
17	return value, nil
18	}
19
20	data, err := os.ReadFile(path)
21	if err != nil {
22	return "", fmt.Errorf("read %s: %w", path, err)
23	}
24	return strings.TrimSpace(string(data)), nil
25	}
26
27	// Module represents a Go module configuration.
28	type Module struct {
29	VCS string `json:"vcs"`
30	Repo string `json:"repo"`
31	Web string `json:"web"`
32	Private bool `json:"private,omitempty"`
33	CredentialName string `json:"credential_name,omitempty"`
34	}
35
36	// FallbackMode controls behavior for modules not defined in config.
37	type FallbackMode string
38
39	const (
40	FallbackNone FallbackMode = ""
41
42	FallbackRedirect FallbackMode = "redirect" // 302 redirect to upstream
43	FallbackSync FallbackMode = "sync" // fetch upstream, cache synchronously, then serve
44	FallbackAsync FallbackMode = "async" // fetch upstream, serve immediately, cache in background
45	)
46
47	// RequiresUpstream reports whether the mode needs an upstream URL.
48	func (m FallbackMode) RequiresUpstream() bool {
49	switch m {
50	case FallbackRedirect, FallbackSync, FallbackAsync:
51	return true
52	}
53	return false
54	}
55
56	type FallbackConfig struct {
57	Mode FallbackMode `mapstructure:"mode"`
58	Upstream string `mapstructure:"upstream"`
59	}
60
61	// S3Config is kept for backward compatibility with NewS3Storage.
62	type S3Config struct {
63	Endpoint string `mapstructure:"endpoint"`
64	Bucket string `mapstructure:"bucket"`
65	Region string `mapstructure:"region"`
66	UsePathStyle bool `mapstructure:"use_path_style"`
67	}
68
69	// StorageConfig supports multiple storage backends.
70	type StorageConfig struct {
71	Type string `mapstructure:"type"` // "memory", "disk", "s3" (default: "s3")
72	Root string `mapstructure:"root"` // disk only
73	Endpoint string `mapstructure:"endpoint"` // s3 only
74	Bucket string `mapstructure:"bucket"` // s3 only
75	Region string `mapstructure:"region"` // s3 only
76	UsePathStyle bool `mapstructure:"use_path_style"` // s3 only: path-style addressing for Garage, MinIO, etc.
77	MaxBytes int64 `mapstructure:"max_bytes"` // memory only (0 = unlimited)
78	}
79
80	// S3 returns S3Config extracted from StorageConfig.
81	func (c *StorageConfig) S3() S3Config {
82	return S3Config{Endpoint: c.Endpoint, Bucket: c.Bucket, Region: c.Region, UsePathStyle: c.UsePathStyle}
83	}
84
85	type SumdbConfig struct {
86	Enabled bool `mapstructure:"enabled"`
87	Key string `mapstructure:"key"`
88	Upstream string `mapstructure:"upstream"` // upstream sumdb URL for non-local lookups
89	}
90
91	// OIDCConfig configures OpenID Connect authentication for the admin UI.
92	type OIDCConfig struct {
93	Issuer string `mapstructure:"issuer"`
94	ClientID string `mapstructure:"client_id"`
95	ClientSecret string `mapstructure:"client_secret"` // supports @file
96	RedirectURL string `mapstructure:"redirect_url"`
97	}
98
99	type InstrumentationConfig struct {
100	Listen string `mapstructure:"listen"`
101	MetricsPath string `mapstructure:"metrics_path"`
102	HealthPath string `mapstructure:"health_path"`
103	}
104
105	// DatabaseConfig configures the module store database backend.
106	type DatabaseConfig struct {
107	Type string `mapstructure:"type"` // "sqlite" (default), "postgres"
108	DSN string `mapstructure:"dsn"` // file path for sqlite, connection string for postgres
109	}
110
111	type Config struct {
112	Host string `mapstructure:"host"`
113	Database *DatabaseConfig `mapstructure:"database"`
114	Storage *StorageConfig `mapstructure:"storage"`
115	Fallback *FallbackConfig `mapstructure:"fallback"`
116	Sumdb *SumdbConfig `mapstructure:"sumdb"`
117	Instrumentation *InstrumentationConfig `mapstructure:"instrumentation"`
118	OIDC *OIDCConfig `mapstructure:"oidc"`
119	Listen string `mapstructure:"listen"`
120	Cache string `mapstructure:"cache"`
121	AuthTokens string `mapstructure:"auth_tokens"`
122	AdminToken string `mapstructure:"admin_token"`
123	}
124
125	// Dump returns a human-readable configuration summary with secrets masked.
126	func (cfg *Config) Dump() string {
127	var b strings.Builder
128
129	fmt.Fprintf(&b, "host: %s\n", cfg.Host)
130	fmt.Fprintf(&b, "listen: %s\n", cfg.Listen)
131	fmt.Fprintf(&b, "cache: %s\n", cfg.Cache)
132	fmt.Fprintf(&b, "admin_token: %s\n", mask(cfg.AdminToken))
133	fmt.Fprintf(&b, "auth_tokens: %s\n", mask(cfg.AuthTokens))
134
135	if cfg.Database != nil {
136	fmt.Fprintf(&b, "database:\n")
137	fmt.Fprintf(&b, " type: %s\n", cfg.Database.Type)
138	fmt.Fprintf(&b, " dsn: %s\n", maskDSN(cfg.Database.Type, cfg.Database.DSN))
139	}
140
141	if cfg.Storage != nil {
142	t := cfg.Storage.Type
143	if t == "" {
144	t = "s3"
145	}
146	fmt.Fprintf(&b, "storage:\n")
147	fmt.Fprintf(&b, " type: %s\n", t)
148	switch t {
149	case "s3":
150	fmt.Fprintf(&b, " endpoint: %s\n", cfg.Storage.Endpoint)
151	fmt.Fprintf(&b, " bucket: %s\n", cfg.Storage.Bucket)
152	fmt.Fprintf(&b, " region: %s\n", cfg.Storage.Region)
153	fmt.Fprintf(&b, " use_path_style: %v\n", cfg.Storage.UsePathStyle)
154	case "disk":
155	fmt.Fprintf(&b, " root: %s\n", cfg.Storage.Root)
156	case "memory":
157	fmt.Fprintf(&b, " max_bytes: %d\n", cfg.Storage.MaxBytes)
158	}
159	}
160
161	if cfg.Fallback != nil {
162	fmt.Fprintf(&b, "fallback:\n")
163	fmt.Fprintf(&b, " mode: %s\n", cfg.Fallback.Mode)
164	fmt.Fprintf(&b, " upstream: %s\n", cfg.Fallback.Upstream)
165	}
166
167	if cfg.Sumdb != nil {
168	fmt.Fprintf(&b, "sumdb:\n")
169	fmt.Fprintf(&b, " enabled: %v\n", cfg.Sumdb.Enabled)
170	fmt.Fprintf(&b, " key: %s\n", mask(cfg.Sumdb.Key))
171	fmt.Fprintf(&b, " upstream: %s\n", cfg.Sumdb.Upstream)
172	}
173
174	if cfg.Instrumentation != nil {
175	fmt.Fprintf(&b, "instrumentation:\n")
176	fmt.Fprintf(&b, " listen: %s\n", cfg.Instrumentation.Listen)
177	fmt.Fprintf(&b, " metrics_path: %s\n", cfg.Instrumentation.MetricsPath)
178	fmt.Fprintf(&b, " health_path: %s\n", cfg.Instrumentation.HealthPath)
179	}
180
181	if cfg.OIDC != nil {
182	fmt.Fprintf(&b, "oidc:\n")
183	fmt.Fprintf(&b, " issuer: %s\n", cfg.OIDC.Issuer)
184	fmt.Fprintf(&b, " client_id: %s\n", cfg.OIDC.ClientID)
185	fmt.Fprintf(&b, " client_secret: %s\n", mask(cfg.OIDC.ClientSecret))
186	fmt.Fprintf(&b, " redirect_url: %s\n", cfg.OIDC.RedirectURL)
187	}
188
189	return b.String()
190	}
191
192	func mask(s string) string {
193	if s == "" {
194	return "(not set)"
195	}
196	if strings.HasPrefix(s, "@") {
197	return s // file reference, safe to show
198	}
199	if len(s) <= 4 {
200	return "****"
201	}
202	return s[:2] + "****" + s[len(s)-2:]
203	}
204
205	func maskDSN(dbType, dsn string) string {
206	if dbType == "sqlite" {
207	return dsn // file path, safe to show
208	}
209	// Mask password in connection strings like postgres://user:pass@host/db
210	if at := strings.Index(dsn, "@"); at > 0 {
211	prefix := dsn[:at]
212	if colon := strings.LastIndex(prefix, ":"); colon > 0 {
213	return prefix[:colon+1] + "****" + dsn[at:]
214	}
215	}
216	return dsn
217	}
218
219	var validKeys = map[string]bool{
220	"host": true,
221	"listen": true,
222	"cache": true,
223	"database": true,
224	"database.type": true,
225	"database.dsn": true,
226	"auth_tokens": true,
227	"admin_token": true,
228	"sumdb": true,
229	"sumdb.enabled": true,
230	"sumdb.key": true,
231	"sumdb.upstream": true,
232	"instrumentation": true,
233	"instrumentation.listen": true,
234	"instrumentation.metrics_path": true,
235	"instrumentation.health_path": true,
236	"storage": true,
237	"storage.type": true,
238	"storage.root": true,
239	"storage.endpoint": true,
240	"storage.bucket": true,
241	"storage.region": true,
242	"storage.use_path_style": true,
243	"storage.max_bytes": true,
244	"fallback": true,
245	"fallback.mode": true,
246	"fallback.upstream": true,
247	"oidc": true,
248	"oidc.issuer": true,
249	"oidc.client_id": true,
250	"oidc.client_secret": true,
251	"oidc.redirect_url": true,
252	}
253
254	// Load reads configuration from a YAML file and environment variables.
255	func Load(path string) (*Config, error) {
256	v := viper.New()
257
258	v.SetDefault("listen", ":8080")
259	v.SetDefault("cache", "./cache")
260
261	// Bind each config key to its exact CURATOR_* env var.
262	// We avoid SetEnvKeyReplacer/AutomaticEnv because "." → "_"
263	// is ambiguous for keys with underscores in the leaf name
264	// (e.g., storage.use_path_style vs storage.use.path.style),
265	// and SetDefault for parent sections clobbers env-bound children.
266	for key := range validKeys {
267	// Skip parent section keys (e.g., "storage", "sumdb") — binding
268	// them to CURATOR_STORAGE (unset) makes Viper treat the whole
269	// section as nil, hiding env-bound child keys during Unmarshal.
270	if !strings.Contains(key, ".") {
271	continue
272	}
273	envVar := "CURATOR_" + strings.ToUpper(strings.ReplaceAll(key, ".", "_"))
274	_ = v.BindEnv(key, envVar)
275	}
276	// Bind top-level keys that aren't sections.
277	for _, key := range []string{"host", "listen", "cache", "admin_token", "auth_tokens"} {
278	_ = v.BindEnv(key, "CURATOR_"+strings.ToUpper(key))
279	}
280
281	if path != "" {
282	v.SetConfigFile(path)
283	if err := v.ReadInConfig(); err != nil {
284	if _, ok := err.(viper.ConfigFileNotFoundError); !ok {
285	return nil, fmt.Errorf("read config: %w", err)
286	}
287	}
288	}
289
290	if err := validateKeys(v); err != nil {
291	return nil, err
292	}
293
294	var cfg Config
295	if err := v.Unmarshal(&cfg); err != nil {
296	return nil, fmt.Errorf("parse config: %w", err)
297	}
298
299	// Database defaults.
300	if cfg.Database == nil {
301	cfg.Database = &DatabaseConfig{}
302	}
303	if cfg.Database.Type == "" {
304	cfg.Database.Type = "sqlite"
305	}
306
307	switch cfg.Database.Type {
308	case "sqlite":
309	if cfg.Database.DSN == "" {
310	cfg.Database.DSN = "curator.db"
311	}
312	case "postgres":
313	if cfg.Database.DSN == "" {
314	return nil, fmt.Errorf("config: database.dsn is required for postgres")
315	}
316	default:
317	return nil, fmt.Errorf("config: unknown database type %q (use sqlite or postgres)", cfg.Database.Type)
318	}
319
320	if cfg.Host == "" {
321	return nil, fmt.Errorf("config: host is required (set via config file or CURATOR_HOST)")
322	}
323
324	if cfg.Sumdb != nil && cfg.Sumdb.Enabled && cfg.Sumdb.Key == "" {
325	return nil, fmt.Errorf("config: sumdb.enabled is true but sumdb.key is not set")
326	}
327
328	// Storage validation.
329	if cfg.Storage != nil {
330	switch cfg.Storage.Type {
331	case "s3", "":
332	if cfg.Storage.Bucket == "" {
333	return nil, fmt.Errorf("config: storage.bucket is required for s3 storage")
334	}
335	case "disk":
336	if cfg.Storage.Root == "" {
337	return nil, fmt.Errorf("config: storage.root is required for disk storage")
338	}
339	case "memory":
340	// no required fields
341	default:
342	return nil, fmt.Errorf("config: unknown storage type %q (use s3, disk, or memory)", cfg.Storage.Type)
343	}
344	}
345
346	// Fallback validation.
347	if cfg.Fallback != nil && cfg.Fallback.Mode.RequiresUpstream() && cfg.Fallback.Upstream == "" {
348	return nil, fmt.Errorf("config: fallback mode %q requires upstream URL", cfg.Fallback.Mode)
349	}
350
351	// OIDC validation.
352	if cfg.OIDC != nil && cfg.OIDC.Issuer != "" {
353	if cfg.OIDC.ClientID == "" {
354	return nil, fmt.Errorf("config: oidc.client_id is required when oidc.issuer is set")
355	}
356	if cfg.OIDC.ClientSecret == "" {
357	return nil, fmt.Errorf("config: oidc.client_secret is required when oidc.issuer is set")
358	}
359	if cfg.OIDC.RedirectURL == "" {
360	return nil, fmt.Errorf("config: oidc.redirect_url is required when oidc.issuer is set")
361	}
362	}
363
364	return &cfg, nil
365	}
366
367	// FallbackMode returns the configured fallback mode, or "" if none.
368	func (cfg *Config) FallbackMode() FallbackMode {
369	if cfg.Fallback != nil {
370	return cfg.Fallback.Mode
371	}
372	return FallbackNone
373	}
374
375	func validateKeys(v *viper.Viper) error {
376	for _, key := range v.AllKeys() {
377	if !validKeys[key] {
378	return fmt.Errorf("config: unknown key %q", key)
379	}
380	}
381	return nil
382	}
383