config

type AckPolicy string

type Auth struct {
	// OIDC contains configuration for OpenID Connect authentication.
	// If nil, OIDC authentication is disabled.
	OIDC *OIDC `yaml:"oidc" default:"-"`

	// OPA contains configuration for Open Policy Agent authorization.
	// If nil, OPA authorization is disabled.
	OPA *OPA `yaml:"opa" default:"-"`
}

type BaseGrpcInterceptorConfig struct {
	// EnableMixin controls whether this interceptor is active.
	EnableMixin `yaml:",inline"`

	// InterceptorFilterConfig provides method filtering settings.
	InterceptorFilterConfig `yaml:",inline"`
}

type BaseHttpMiddlewareConfig struct {
	// EnableMixin controls whether this middleware is active.
	EnableMixin `yaml:",inline"`

	// HttpMiddlewareFilterConfig provides path filtering settings.
	HttpMiddlewareFilterConfig `yaml:",inline"`
}

type Broker struct {
	// Provider is the type of broker to use.
	Provider BrokerProvider `yaml:"provider" default:"nats"`

	// Nats contains NATS-specific configuration.
	// Required when Provider is "nats".
	Nats *Nats `yaml:"nats"`

	// InProgress contains configuration for InProgress heartbeat manager.
	InProgress InProgress `yaml:"inProgress"`

	// Outbox contains configuration for reliable message delivery.
	Outbox Outbox `yaml:"outbox"`
}

type BrokerProvider string

type CacheStorageConfig struct {
	// Type defines the storage backend type.
	// Must be one of the supported storage types (memory, redis, nats).
	Type CacheStorageType `yaml:"type"`

	// Memory defines the in-memory configuration.
	// Required when Type is CacheStorageTypeMemory, ignored otherwise.
	Memory *StorageMemoryConfig `yaml:"memory,omitempty" default:"-"`

	// Nats defines the NATS configuration.
	// Required when Type is CacheStorageTypeNats, ignored otherwise.
	Nats *StorageNATSConfig `yaml:"nats,omitempty" default:"-"`

	// Redis defines the Redis configuration.
	// Required when Type is CacheStorageTypeRedis, ignored otherwise.
	Redis *StorageRedisConfig `yaml:"redis,omitempty" default:"-"`
}

type CacheStorageType string

type DeliverPolicy string

type DistributionLock struct {
	// Provider defines the type of distributed locking implementation to use.
	// Must be one of the supported providers (currently only "nats").
	Provider DistributionLockProvider `yaml:"provider"`

	// Nats defines the NATS configuration for distributed locking.
	// Required when Provider is DistributionLockProviderNats, ignored otherwise.
	Nats *DistributionLockNats `yaml:"nats" default:"-"`
}

type DistributionLockNats struct {
	// Bucket is the name of the NATS JetStream Key-Value bucket
	// where distributed locks will be stored.
	// Defaults to "dlock" if not specified.
	Bucket string `yaml:"bucket" default:"dlock"`
}

type DistributionLockProvider string

type EnableMixin struct {
	// Enable controls whether this feature is active.
	// When false, the feature is disabled and has no effect.
	Enable bool `yaml:"enable" default:"false"`
}

type Enableable interface {
	IsEnabled() bool
}

type FallbackBehavior string

type Grpc struct {
	// TLS contains optional TLS configuration for secure gRPC connections.
	// If nil, the server will run without TLS encryption.
	TLS *GrpcTls `yaml:"tls" default:"-"`

	// ListenAddress specifies the address and port to bind the gRPC server to.
	// Defaults to "0.0.0.0:7777" which binds to all interfaces on port 7777.
	ListenAddress string `yaml:"listenAddress" default:"0.0.0.0:7777"`

	// Reflection enables or disables gRPC server reflection.
	// When enabled, clients can discover available services and methods.
	// Defaults to false for security reasons.
	Reflection bool `yaml:"reflection" default:"false"`

	// ConnectionTimeout specifies the timeout for establishing connections.
	// If not set, gRPC uses the default behavior.
	// A zero or negative value will result in an immediate timeout.
	// Default value: not set
	ConnectionTimeout *time.Duration `yaml:"connectionTimeout"`

	// MaxConcurrentStreams limits the maximum number of concurrent streams.
	// If not set, gRPC uses math.MaxUint32 as the default limit.
	// Default value: not set
	MaxConcurrentStreams *uint32 `yaml:"maxConcurrentStreams"`

	// MaxSendMsgSize sets the maximum message size in bytes that can be sent.
	// If not set, gRPC uses the default of 4MB (4194304 bytes).
	// Default value: not set
	MaxSendMsgSize *int `yaml:"maxSendMsgSize"`

	// MaxRecvMsgSize sets the maximum message size in bytes that can be received.
	// If not set, gRPC uses the default of 4MB (4194304 bytes).
	// Default value: not set
	MaxRecvMsgSize *int `yaml:"maxRecvMsgSize"`

	// WriteBufferSize sets the size of the write buffer in bytes.
	// If not set, gRPC uses the default of 32KB.
	// Zero or negative values will disable the write buffer.
	// Default value: not set
	WriteBufferSize *int `yaml:"writeBufferSize"`

	// ReadBufferSize sets the size of the read buffer in bytes.
	// If not set, gRPC uses the default of 32KB.
	// Zero or negative values will disable the read buffer.
	// Default value: not set
	ReadBufferSize *int `yaml:"readBufferSize"`

	// KeepAlive contains server-side keepalive parameters for connection management.
	KeepAlive *GrpcKeepAlive `yaml:"keepAlive" default:"-"`

	// Interceptors contains configuration for gRPC middleware components.
	// Includes settings for cache, realIp, requestId, recovery, idempotency, auth, and limiter interceptors.
	Interceptors *InterceptorsConfig `yaml:"interceptors" default:"-"`
}

type GrpcEnforcementPolicy struct {
	// MinTime is the minimum amount of time a client should wait before sending a keepalive ping.
	// Defaults to 5s.
	MinTime time.Duration `yaml:"minTime" default:"5s"`

	// PermitWithoutStream allows clients to send keepalive pings even when there are no active streams.
	// If false, server will close the connection if a keepalive ping is received when no streams are active.
	// Defaults to true.
	PermitWithoutStream bool `yaml:"permitWithoutStream" default:"false"`
}

type GrpcInterAuthConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`
}

type GrpcInterCacheCompressionPreset string

type GrpcInterCacheConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// SuccessTTL defines the default TTL for successful responses.
	// Successful responses (no gRPC errors) are cached for this duration.
	// Must be at least 1 minute to prevent cache thrashing.
	SuccessTTL time.Duration `yaml:"successTTL" default:"24h"`

	// ErrorTTL defines the default TTL for error responses.
	// Error responses are cached for shorter periods to allow quick recovery.
	// Must be at least 1 minute to prevent cache thrashing.
	ErrorTTL time.Duration `yaml:"errorTTL" default:"1h"`

	// EnableCacheHeaders controls whether cache hit/miss headers are added to responses.
	// When enabled, responses include headers indicating cache status for debugging.
	EnableCacheHeaders bool `yaml:"enableCacheHeaders" default:"true"`

	// CompressionPreset defines compression level for cached responses.
	// Higher compression reduces storage but increases CPU usage.
	CompressionPreset GrpcInterCacheCompressionPreset `yaml:"compressionPreset" default:"fast"`

	// KeysPrefix is a prefix for all cache keys in storage.
	// Useful for namespacing cache keys when sharing storage between services.
	KeysPrefix string `yaml:"keysPrefix"`

	// KeyMetadata is a list of gRPC metadata keys (headers) to include in the cache key hash.
	// If empty, a standard set of security and identity headers is used.
	KeyMetadata []string `yaml:"keyMetadata"`
}

type GrpcInterHealthConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`
}

type GrpcInterIdempotencyConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// IdempotencyKeyHeader is the header name for idempotency key.
	// Clients can provide idempotency keys via this header.
	// Must be a valid HTTP header name, defaults to "idempotency-key".
	IdempotencyKeyHeader string `yaml:"idempotencyKeyHeader" default:"idempotency-key"`

	// IdempotencyKeyField is the field name to extract idempotency key from request.
	// Used when idempotency key is embedded in the request message itself.
	// Must be a valid protobuf field name, defaults to "idempotencyKey".
	IdempotencyKeyField string `yaml:"idempotencyKeyField" default:"idempotencyKey"`

	// FallbackBehavior defines how the idempotency checker behaves when encountering errors
	// or when storage backends are unavailable, providing graceful degradation options.
	// See FallbackBehavior type for available options.
	FallbackBehavior FallbackBehavior `yaml:"fallbackBehavior" default:"deny"`

	// IdempotencyKeyStatusMetadata is the metadata key for idempotency status.
	IdempotencyKeyStatusMetadata string `yaml:"idempotencyKeyStatusMetadata" default:"Idempotency-Key-Status"`

	// IdempotencyKeyEntityIdMetadata is the metadata key for entity ID.
	IdempotencyKeyEntityIdMetadata string `yaml:"idempotencyKeyEntityIdMetadata" default:"Idempotency-Key-Entity-Id"`

	// EnforceMandatory controls whether the idempotency key is mandatory for all methods.
	EnforceMandatory bool `yaml:"enforceMandatory" default:"true"`
}

type GrpcInterLimiterConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// FallbackBehavior defines how the rate limiter behaves when encountering errors
	// or when storage backends are unavailable, providing graceful degradation options.
	// See FallbackBehavior type for available options.
	FallbackBehavior FallbackBehavior `yaml:"fallbackBehavior" default:"deny"`
}

type GrpcInterLoggerConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// TimeFormat defines how timestamps should be formatted in log entries.
	// Must be one of the supported TimeFormat constants.
	// Different formats offer trade-offs between readability and performance.
	TimeFormat timeformat.Format `yaml:"timeFormat" default:"rfc3339"`

	// LogRequest controls whether to log request payloads.
	// Set to true to include request content in logs for debugging purposes.
	LogRequest bool `yaml:"logRequest" default:"false"`

	// LogResponse controls whether to log response payloads.
	// Set to true to include response content in logs for debugging purposes.
	LogResponse bool `yaml:"logResponse" default:"true"`

	// IgnoreGrpcResponseCodes is a list of gRPC response codes to never log.
	// Takes precedence over LogGrpcResponseCodes.
	// Example: [0, 1] to ignore OK and CANCELED codes.
	// Useful for filtering out expected or non-error responses.
	IgnoreGrpcResponseCodes []uint32 `yaml:"ignoreGrpcResponseCodes"`

	// LogGrpcResponseCodes is a list of gRPC response codes to always log.
	// Example: [5, 13] to always log NOT_FOUND and INTERNAL codes.
	// Useful for ensuring important error responses are always captured.
	LogGrpcResponseCodes []uint32 `yaml:"logGrpcResponseCodes"`

	// EnableContextLogger controls whether the logger instance is injected into the context.
	// When enabled, handlers can retrieve the logger using slogx.FromContextOrDefault(ctx).
	EnableContextLogger bool `yaml:"enableContextLogger" default:"false"`
}

type GrpcInterPrometheusConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// Namespace is the Prometheus metric namespace.
	// Used as the first part of metric names (e.g., "myapp" -> "myapp_grpc_server_requests_total").
	// Empty namespace is allowed and results in metrics without namespace prefix.
	Namespace string `yaml:"namespace" default:""`

	// Subsystem is the Prometheus metric subsystem.
	// Used as the second part of metric names after namespace (e.g., "api" -> "myapp_api_server_requests_total").
	// Default is "grpc" which results in standard gRPC metric names.
	Subsystem string `yaml:"subsystem" default:"grpc"`

	// DurationBuckets defines custom histogram buckets for request duration metrics in seconds.
	// Must be in increasing order. If not specified, reasonable defaults are used.
	// Example: [0.001, 0.01, 0.1, 1.0, 10.0]
	DurationBuckets []float64 `yaml:"durationBuckets"`

	// SizeBuckets defines custom histogram buckets for message size metrics in bytes.
	// Only used when EnableSizeMetrics is true. Must be in increasing order.
	// If not specified, reasonable defaults are used.
	// Example: [1024, 4096, 16384, 65536]
	SizeBuckets []float64 `yaml:"sizeBuckets"`

	// EnableSizeMetrics controls whether request/response size metrics are collected.
	// Size metrics add overhead as they require inspecting message payloads.
	// When enabled, collects grpc_server_request_size_bytes and grpc_server_response_size_bytes histograms.
	EnableSizeMetrics bool `yaml:"enableSizeMetrics" default:"false"`

	// EnableStreamMetrics controls whether per-message streaming metrics are collected.
	// Streaming metrics track individual message counts and sizes within gRPC streams but add overhead.
	// When enabled, collects grpc_server_stream_messages_sent_total and grpc_server_stream_messages_received_total counters.
	EnableStreamMetrics bool `yaml:"enableStreamMetrics" default:"false"`

	// StreamSamplingRate controls the sampling rate for streaming message metrics (0.0 to 1.0).
	// Only effective when EnableStreamMetrics is true. Used to reduce overhead in high-throughput scenarios.
	// 1.0 = no sampling (record all), 0.1 = record 10% of messages, 0.0 = disable streaming metrics.
	StreamSamplingRate float64 `yaml:"streamSamplingRate" default:"1.0"`

	// StreamSamplingStrategy defines how sampling is applied to streaming messages.
	// Only effective when EnableStreamMetrics is true and StreamSamplingRate < 1.0.
	// "per_message" = sample individual messages, "per_stream" = sample entire streams.
	StreamSamplingStrategy GrpcInterPrometheusSamplingStrategy `yaml:"streamSamplingStrategy" default:"per_message"`
}

type GrpcInterPrometheusSamplingStrategy string

type GrpcInterRealIpConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// TrustedProxies is a list of trusted proxy IP addresses or CIDR blocks.
	// Only requests from these proxies will have their X-Forwarded-For headers processed.
	// Example: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
	TrustedProxies []string `yaml:"trustedProxies"`

	// TrustedProxiesCount specifies the number of trusted proxies that may append X-Forwarded-For.
	// This helps prevent IP spoofing by limiting the number of hops we trust.
	// Set to 0 to trust unlimited proxy hops (not recommended for production).
	TrustedProxiesCount uint `yaml:"trustedProxiesCount" default:"0"`

	// TrustedPeers is a list of trusted peer IP addresses or CIDR blocks.
	// These are additional trusted sources beyond the standard proxy list.
	// Useful for direct connections from known services or clusters.
	TrustedPeers []string `yaml:"trustedPeers"`

	// Headers is a list of headers to check for real IP (in order of preference).
	// The interceptor will check these headers in order until a valid IP is found.
	// Default headers: X-Forwarded-For, X-Real-IP, X-Client-IP, CF-Connecting-IP,
	// Fastly-Client-Ip, True-Client-Ip.
	Headers []string `yaml:"headers"`

	// CacheSize specifies the size of the IP validation cache (0 to disable).
	// Caching improves performance by avoiding repeated IP prefix parsing.
	// Recommended values: 1000-10000 for high-traffic services.
	CacheSize int `yaml:"cacheSize" default:"1000"`
}

type GrpcInterRecoveryConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`
}

type GrpcInterRequestIdConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// GenerateIfMissing controls whether to generate a request ID if none is provided.
	// When true, missing request IDs are automatically generated using UUIDs.
	// When false, requests without IDs proceed without modification.
	// Recommended: true for production systems to ensure complete tracing coverage.
	GenerateIfMissing bool `yaml:"generateIfMissing" default:"true"`
}

type GrpcInterTracingConfig struct {
	// BaseGrpcInterceptorConfig provides common interceptor configuration.
	BaseGrpcInterceptorConfig `yaml:",inline"`

	// RecordPayload determines whether request/response payloads are recorded.
	// Warning: This can significantly increase trace size and may expose sensitive data.
	// Defaults to false.
	RecordPayload bool `yaml:"recordPayload" default:"false"`

	// RecordMetadata determines whether gRPC metadata is recorded as span attributes.
	// Defaults to true.
	RecordMetadata bool `yaml:"recordMetadata" default:"true"`

	// RecordEvents determines whether streaming message events are recorded.
	// Defaults to true.
	RecordEvents bool `yaml:"recordEvents" default:"true"`

	// PropagateContext determines whether trace context is propagated from incoming requests.
	// When true, parent spans from incoming requests are linked to server spans.
	// Defaults to true.
	PropagateContext bool `yaml:"propagateContext" default:"true"`
}

type GrpcKeepAlive struct {
	// MaxConnectionIdle is a duration for the amount of time after which an
	// idle connection would be closed by sending a GoAway. Idleness duration is
	// defined since the most recent time the number of outstanding RPCs became
	// zero or the connection establishment.
	// Defaults to 15m (15 minutes).
	MaxConnectionIdle time.Duration `yaml:"maxConnectionIdle" default:"15m"`

	// MaxConnectionAge is a duration for the maximum amount of time a
	// connection may exist before it will be closed by sending a GoAway. A
	// random jitter of +/-10% will be added to MaxConnectionAge to spread out
	// connection storms.
	// Defaults to 30m (30 minutes).
	MaxConnectionAge time.Duration `yaml:"maxConnectionAge" default:"30m"`

	// MaxConnectionAgeGrace is an additive period after MaxConnectionAge after
	// which the connection will be forcibly closed.
	// Defaults to 5s (5 seconds).
	MaxConnectionAgeGrace time.Duration `yaml:"maxConnectionAgeGrace" default:"5s"`

	// Time specifies the duration after which if the server doesn't see any
	// activity it pings the client to see if the transport is still alive.
	// If set below 1s, a minimum value of 1s will be used instead.
	// Defaults to 5s (5 seconds).
	Time time.Duration `yaml:"time" default:"30s"`

	// Timeout specifies the duration the server waits for a response after
	// having pinged for keepalive check. If no activity is seen even after
	// that, the connection is closed.
	// Defaults to 1s (1 second).
	Timeout time.Duration `yaml:"timeout" default:"10s"`

	// EnforcementPolicy contains optional keepalive enforcement rules.
	// If nil, default enforcement policy is used.
	EnforcementPolicy *GrpcEnforcementPolicy `yaml:"enforcementPolicy" default:"-"`
}

type GrpcTls struct {
	// TlsServer contains the base server TLS configuration (embedded inline).
	*TlsServer `yaml:",inline"`

	// Client contains optional client certificate authentication settings.
	// If nil, client authentication is disabled.
	Client *TlsClientAuth `yaml:"client" default:"-"`
}

type Health struct {
	// HealthCheckInterval defines how often a watcher polls health status.
	// Determines the freshness of health updates for active subscriptions.
	// Defaults to 5s.
	HealthCheckInterval time.Duration `yaml:"healthCheckInterval" default:"5s"`

	// WatcherChannelBuffer is the base buffer size for notification channels.
	// Controls how many status changes can be queued before non-blocking drops.
	// Defaults to 10.
	WatcherChannelBuffer int `yaml:"watcherChannelBuffer" default:"10"`

	// MaxWatchersPerService limits concurrent subscriptions per service.
	// Protects resources by capping the number of active watchers.
	// Value 0 means unlimited. Defaults to 1000.
	MaxWatchersPerService int `yaml:"maxWatchersPerService" default:"1000"`

	// NumShards is the number of lock shards for contention reduction.
	// Distributes activity across multiple mutexes to improve performance.
	// Defaults to 32.
	NumShards int `yaml:"numShards" default:"32"`

	// MaxConcurrentHealthChecks limits worker pool for ListStatuses.
	// Controls the parallelism of batch health check operations.
	// Defaults to 10.
	MaxConcurrentHealthChecks int `yaml:"maxConcurrentHealthChecks" default:"10"`

	// StatusCacheTTL is the cache duration for check results.
	// Reduces the load on checked services by reusing recent results.
	// Defaults to 500ms.
	StatusCacheTTL time.Duration `yaml:"statusCacheTTL" default:"500ms"`

	// CheckTimeout is the timeout per individual health check.
	// Ensures that slow or hung checks do not block the coordinator.
	// Defaults to 2s.
	CheckTimeout time.Duration `yaml:"checkTimeout" default:"2s"`

	// AdaptiveBufferThreshold is the watcher count to trigger adaptive buffering.
	// Automatically increases channel sizes when the system is under high load.
	// Defaults to 100.
	AdaptiveBufferThreshold int32 `yaml:"adaptiveBufferThreshold" default:"100"`

	// AdaptiveBufferMultiplier is the buffer multiplier under load.
	// Scale factor applied to the base buffer size when threshold is reached.
	// Defaults to 2.
	AdaptiveBufferMultiplier int `yaml:"adaptiveBufferMultiplier" default:"2"`

	// MaxAdaptiveBuffer is the maximum adaptive buffer size.
	// Cap for buffer growth to prevent excessive memory consumption.
	// Defaults to 100.
	MaxAdaptiveBuffer int `yaml:"maxAdaptiveBuffer" default:"100"`
}

type Http struct {
	// RouterPrefix is an optional prefix for all Http routes.
	// Allows mounting the service under a specific path prefix.
	// If empty, routes are mounted at the root level.
	RouterPrefix string `yaml:"routerPrefix"`

	// ListenAddress specifies the address and port to bind the Http server to.
	// Defaults to "0.0.0.0:9080" which binds to all interfaces on port 9080.
	ListenAddress string `yaml:"listenAddress" default:"0.0.0.0:9080"`

	// MaxRequestPayloadSize sets the maximum size in bytes for request payloads.
	// Defaults to 10485760 bytes (10MB). Set to 0 for unlimited size.
	MaxRequestPayloadSize int64 `yaml:"maxRequestPayloadSize" default:"10485760"`

	// ReadTimeout is the maximum duration for reading the entire request,
	// including the body. Defaults to 300 seconds.
	ReadTimeout time.Duration `yaml:"readTimeout" default:"300s"`

	// WriteTimeout is the maximum duration before timing out writes of the response.
	// Defaults to 300 seconds.
	WriteTimeout time.Duration `yaml:"writeTimeout" default:"300s"`

	// IdleTimeout is the maximum amount of time to wait for the next request
	// when keep-alives are enabled. Defaults to 600 seconds.
	IdleTimeout time.Duration `yaml:"idleTimeout" default:"600s"`

	// LogRequests enables or disables Http request logging.
	// Defaults to false.
	LogRequests bool `yaml:"logRequests" default:"false"`

	// Tls contains optional Tls configuration for HTTPS.
	// If nil, the server will run in Http mode only.
	TLS *HttpTls `yaml:"tls" default:"-"`

	// Middlewares contains configuration for HTTP server middleware components.
	Middlewares *MiddlewaresConfig `yaml:"middlewares" default:"-"`
}

type HttpInterBodyLimitConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// MaxSize is the maximum allowed size of the request body in bytes.
	// Defaults to 10MB (10485760 bytes).
	MaxSize int64 `yaml:"maxSize" default:"10485760"`
}

type HttpInterCorsConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// AllowedOrigins is a list of origins that are allowed to access the resource.
	// Use ["*"] to allow all origins.
	AllowedOrigins []string `yaml:"allowedOrigins"`

	// AllowedMethods is a list of HTTP methods allowed when accessing the resource.
	// Defaults to standard methods if not specified.
	AllowedMethods []string `yaml:"allowedMethods"`

	// AllowedHeaders is a list of request headers that can be used when making the actual request.
	AllowedHeaders []string `yaml:"allowedHeaders"`

	// ExposedHeaders is a whitelist of headers that browsers are allowed to access.
	ExposedHeaders []string `yaml:"exposedHeaders"`

	// AllowCredentials indicates whether the request can include user credentials like cookies or auth headers.
	AllowCredentials bool `yaml:"allowCredentials" default:"false"`

	// MaxAge indicates how long (in seconds) the results of a preflight request can be cached.
	MaxAge int `yaml:"maxAge" default:"86400"`

	// AllowPrivateNetwork enables support for Private Network Access preflight requests.
	AllowPrivateNetwork bool `yaml:"allowPrivateNetwork" default:"false"`

	// OptionsPassthrough passes OPTIONS requests to the next handler instead of handling them internally.
	OptionsPassthrough bool `yaml:"optionsPassthrough" default:"false"`

	// OptionsSuccessStatus is the status code to return for successful OPTIONS requests.
	// Defaults to 204.
	OptionsSuccessStatus int `yaml:"optionsSuccessStatus" default:"204"`
}

type HttpInterIdempotencyConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// IdempotencyKeyHeader is the name of the HTTP header used to pass the idempotency key.
	// Defaults to "Idempotency-Key".
	IdempotencyKeyHeader string `yaml:"idempotencyKeyHeader" default:"Idempotency-Key"`

	// IdempotencyKeyStatusHeader is the name of the HTTP header used to return idempotency status.
	// Defaults to "Idempotency-Key-Status".
	IdempotencyKeyStatusHeader string `yaml:"idempotencyKeyStatusHeader" default:"Idempotency-Key-Status"`

	// IdempotencyKeyEntityIdHeader is the name of the HTTP header used to return an entity ID if captured.
	// Defaults to "Idempotency-Key-Entity-Id".
	IdempotencyKeyEntityIdHeader string `yaml:"idempotencyKeyEntityIdHeader" default:"Idempotency-Key-Entity-Id"`

	// FallbackBehavior defines how the idempotency checker behaves when encountering errors
	// or when storage backends are unavailable, providing graceful degradation options.
	FallbackBehavior FallbackBehavior `yaml:"fallbackBehavior" default:"deny"`

	// EnforceMandatory, when true, requires all requests (not ignored) to have an idempotency key.
	EnforceMandatory bool `yaml:"enforceMandatory" default:"true"`
}

type HttpInterLimiterConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// FallbackBehavior determines what happens if the rate limiter itself fails.
	FallbackBehavior FallbackBehavior `yaml:"fallbackBehavior" default:"error"`
}

type HttpInterLoggerConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// LogRequest enables or disables logging of the request body.
	// CAUTION: Enabling this may log sensitive data.
	LogRequest bool `yaml:"logRequest" default:"false"`

	// LogResponse enables or disables logging of the response body.
	// CAUTION: Enabling this may log sensitive data.
	LogResponse bool `yaml:"logResponse" default:"false"`

	// TimeFormat defines how timestamps should be formatted in log entries.
	// Must be one of the supported TimeFormat constants.
	TimeFormat timeformat.Format `yaml:"timeFormat" default:"rfc3339"`

	// IgnoreResponseCodes is a list of HTTP status codes that should not be logged.
	// Takes precedence over LogResponseCodes.
	IgnoreResponseCodes []int `yaml:"ignoreResponseCodes"`

	// LogResponseCodes is a list of HTTP status codes that SHOULD be logged.
	// If set, only these codes (minus those in IgnoreResponseCodes) will be logged.
	LogResponseCodes []int `yaml:"logResponseCodes"`

	// IgnoreHttpMethods is a list of HTTP methods to skip logging for.
	// Example: ["OPTIONS", "HEAD"] to skip logging preflight and HEAD requests.
	IgnoreHttpMethods []string `yaml:"ignoreHttpMethods"`
}

type HttpInterPrometheusConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// Namespace is the Prometheus metric namespace.
	Namespace string `yaml:"namespace"`

	// Subsystem is the Prometheus metric subsystem.
	Subsystem string `yaml:"subsystem"`

	// EnableSizeMetrics enables collection of request and response size metrics.
	EnableSizeMetrics bool `yaml:"enableSizeMetrics" default:"false"`

	// DurationBuckets defines the buckets for request duration histogram.
	DurationBuckets []float64 `yaml:"durationBuckets"`

	// SizeBuckets defines the buckets for request/response size histograms.
	SizeBuckets []float64 `yaml:"sizeBuckets"`
}

type HttpInterRealIpConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// Headers is a list of HTTP headers to check for the real client IP.
	// Headers are checked in the order specified.
	// Common values: ["X-Forwarded-For", "X-Real-IP", "True-Client-IP"].
	Headers []string `yaml:"headers"`

	// TrustedProxies is a list of IP addresses or CIDR ranges of trusted proxies.
	// Only IP addresses from these proxies will be considered when extracting IP from headers.
	TrustedProxies []string `yaml:"trustedProxies"`
}

type HttpInterRecoveryConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// LogStack enables or disables logging of the stack trace when a panic is recovered.
	// Defaults to true.
	LogStack bool `yaml:"logStack" default:"true"`
}

type HttpInterRequestIdConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// HeaderName is the name of the HTTP header used to pass/return the request ID.
	// Defaults to "X-Request-ID".
	HeaderName string `yaml:"headerName" default:"X-Request-ID"`

	// GenerateIfMissing determines whether to generate a new request ID if none is provided.
	// Defaults to true.
	GenerateIfMissing bool `yaml:"generateIfMissing" default:"true"`
}

type HttpInterSecurityHeadersConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// FrameOptions sets the X-Frame-Options header.
	// Common values: "DENY", "SAMEORIGIN".
	FrameOptions string `yaml:"frameOptions" default:"DENY"`

	// ReferrerPolicy sets the Referrer-Policy header.
	// Common values: "strict-origin-when-cross-origin", "no-referrer".
	ReferrerPolicy string `yaml:"referrerPolicy" default:"strict-origin-when-cross-origin"`

	// ContentSecurityPolicy sets the Content-Security-Policy header.
	ContentSecurityPolicy string `yaml:"contentSecurityPolicy"`

	// PermissionsPolicy sets the Permissions-Policy header.
	PermissionsPolicy string `yaml:"permissionsPolicy"`

	// HstsEnabled enables the Strict-Transport-Security (HSTS) header.
	HstsEnabled bool `yaml:"hstsEnabled" default:"false"`

	// HstsMaxAge sets the max-age value for HSTS.
	HstsMaxAge int `yaml:"hstsMaxAge" default:"31536000"`

	// HstsIncludeSubDomains includes subdomains in HSTS policy.
	HstsIncludeSubDomains bool `yaml:"hstsIncludeSubDomains" default:"true"`

	// HstsPreload enables the HSTS preload directive.
	HstsPreload bool `yaml:"hstsPreload" default:"false"`

	// ContentTypeNoSniff sets X-Content-Type-Options: nosniff.
	ContentTypeNoSniff bool `yaml:"contentTypeNoSniff" default:"true"`

	// XssProtectionDisabled sets X-XSS-Protection: 0.
	XssProtectionDisabled bool `yaml:"xssProtectionDisabled" default:"true"`
}

type HttpInterTracingConfig struct {
	// BaseHttpMiddlewareConfig provides standard enable and filtering fields.
	BaseHttpMiddlewareConfig `yaml:",inline"`

	// RecordBody determines whether request/response bodies are recorded.
	// Warning: This can significantly increase trace size and may expose sensitive data.
	// Defaults to false.
	RecordBody bool `yaml:"recordBody" default:"false"`

	// RecordHeaders determines whether HTTP headers are recorded as span attributes.
	// Sensitive headers (Authorization, Cookie, etc.) are automatically redacted.
	// Defaults to true.
	RecordHeaders bool `yaml:"recordHeaders" default:"true"`

	// RedactedHeaders is a list of header names to redact from traces.
	// Values are replaced with "[REDACTED]".
	// Defaults include Authorization, Cookie, Set-Cookie, X-API-Key.
	RedactedHeaders []string `yaml:"redactedHeaders"`

	// PropagateContext determines whether trace context is propagated from incoming requests.
	// When true, parent spans from incoming requests are linked to server spans.
	// Defaults to true.
	PropagateContext bool `yaml:"propagateContext" default:"true"`

	// RecordClientIP determines whether client IP is recorded as span attribute.
	// Defaults to true.
	RecordClientIP bool `yaml:"recordClientIP" default:"true"`
}

type HttpMiddlewareFilterConfig struct {
	// IgnorePaths is a list of exact URL paths to skip processing for.
	// Example: ["/health", "/metrics"]
	IgnorePaths []string `yaml:"ignorePaths"`

	// IgnorePatterns is a list of regex patterns for URL paths to skip processing.
	// Example: ["^/health\\..*", ".*\\.html$"]
	IgnorePatterns []string `yaml:"ignorePatterns"`
}

type HttpTls struct {
	*TlsServer `yaml:",inline"`
	// StrictTransport configures Http Strict Transport Security (HSTS) headers
	StrictTransport *STS `yaml:"sts" default:"-"`
}

type Idempotency struct {
	// TTL defines the time-to-live for idempotency keys.
	// Keys are automatically expired after this duration to prevent storage bloat.
	TTL time.Duration `yaml:"ttl" default:"24h"`

	// Storage defines the storage configuration for idempotency keys.
	// Required, specifies backend and settings.
	Storage *CacheStorageConfig `yaml:"storage"`
}

type IgnoreConfig struct {
	// IgnoreMethods is a list of gRPC methods to skip processing for.
	// Methods should be specified in the format "/service.Service/Method".
	IgnoreMethods []string `yaml:"ignoreMethods"`

	// IgnorePatterns is a list of regex patterns for methods to skip processing.
	// Pattern-based rules for bypass.
	IgnorePatterns []string `yaml:"ignorePatterns"`
}

type InProgress struct {
	// Enabled determines whether the InProgress manager is enabled.
	// Defaults to true.
	Enabled bool `yaml:"enabled" default:"true"`

	// TickSchedule defines the cron schedule for the heartbeat tick cycle.
	// Uses standard cron format with seconds: "second minute hour day month weekday"
	// Defaults to "*/1 * * * * *" (every second).
	// Examples:
	//   - "*/1 * * * * *" - every second
	//   - "*/5 * * * * *" - every 5 seconds
	//   - "0 * * * * *" - every minute
	TickSchedule string `yaml:"tickSchedule" default:"*/1 * * * * *"`

	// DefaultHeartbeatInterval specifies the default interval for heartbeats.
	// Defaults to 10 seconds.
	DefaultHeartbeatInterval time.Duration `yaml:"defaultHeartbeatInterval" default:"10s"`

	// MaxEntries defines the maximum number of registered heartbeaters.
	// Must be between 1 and 100000. Setting a reasonable limit prevents
	// resource exhaustion from unbounded registration.
	// Defaults to 10000.
	MaxEntries int `yaml:"maxEntries" default:"10000"`

	// Metrics contains metrics-related settings.
	Metrics InProgressMetrics `yaml:"metrics"`
}

type InProgressMetrics struct {
	// Enabled allows enabling or disabling metrics collection.
	// Defaults to true.
	Enabled bool `yaml:"enabled" default:"true"`

	// Prefix for InProgress heartbeat manager metrics.
	// Defaults to "inprogress".
	Prefix string `yaml:"prefix" default:"inprogress"`
}

type InterceptorFilterConfig struct {
	// IgnoreMethods is a list of gRPC methods to skip processing for.
	// Methods should be specified in the format "/service.Service/Method".
	// Example: ["/health.Health/Check", "/metrics.Metrics/Get"]
	IgnoreMethods []string `yaml:"ignoreMethods"`

	// IgnorePatterns is a list of regex patterns for methods to skip processing.
	// Patterns are matched against the full method name.
	// Example: ["^/health\\..*", ".*\\.Get$"]
	IgnorePatterns []string `yaml:"ignorePatterns"`
}

type InterceptorsConfig struct {
	// Cache contains configuration for response caching interceptor.
	Cache *GrpcInterCacheConfig `yaml:"cache" default:"-"`
	// RealIp contains configuration for real IP extraction interceptor.
	RealIp *GrpcInterRealIpConfig `yaml:"realIp" default:"-"`
	// RequestId contains configuration for request ID generation interceptor.
	RequestId *GrpcInterRequestIdConfig `yaml:"requestId" default:"-"`
	// Recovery contains configuration for panic recovery interceptor.
	Recovery *GrpcInterRecoveryConfig `yaml:"recovery" default:"-"`
	// Idempotency contains configuration for idempotency interceptor.
	Idempotency *GrpcInterIdempotencyConfig `yaml:"idempotency" default:"-"`
	// Auth contains configuration for authentication interceptor.
	Auth *GrpcInterAuthConfig `yaml:"auth" default:"-"`
	// Health contains configuration for health check interceptor.
	Health *GrpcInterHealthConfig `yaml:"health" default:"-"`
	// Limiter contains configuration for rate limiting interceptor.
	Limiter *GrpcInterLimiterConfig `yaml:"limiter" default:"-"`
	// Logger contains configuration for logging interceptor.
	Logger *GrpcInterLoggerConfig `yaml:"logger" default:"-"`
	// Prometheus contains configuration for Prometheus metrics interceptor.
	Prometheus *GrpcInterPrometheusConfig `yaml:"prometheus" default:"-"`
	// Tracing contains configuration for distributed tracing interceptor.
	Tracing *GrpcInterTracingConfig `yaml:"tracing" default:"-"`
}

type LeaderElector struct {
	// Provider specifies which leader election provider to use
	Provider LeaderElectorProvider `yaml:"provider" default:"nats"`
	// Ttl defines the time-to-live for leader election locks
	Ttl time.Duration `yaml:"ttl" default:"10s"`
}

type LeaderElectorProvider string

type Limiter struct {
	// IpCacheSize defines the size of the LRU cache for IP-to-settings mappings.
	// This cache optimizes repeated lookups for the same client IP.
	IpCacheSize int `yaml:"ipCacheSize" default:"1000"`

	// Storage defines the storage configuration for rate limit counters.
	// Required, specifies backend and settings.
	Storage *CacheStorageConfig `yaml:"storage"`

	// Rules contains the rate limiting rules configuration.
	// Includes default settings and specific rules for targeted clients.
	Rules *LimiterRules `yaml:"rules"`
}

type LimiterDefaultRule struct {
	// Limit is the maximum number of requests allowed within the period.
	// Must be a positive integer greater than 0.
	Limit int64 `yaml:"limit" default:"1000"`

	// Period is the time window for the limit (e.g., "1h", "30m", "60s").
	// Must be a valid duration string parseable by time.ParseDuration.
	Period time.Duration `yaml:"period" default:"1h"`
}

type LimiterRules struct {
	// Default contains the default rate limiting settings.
	// Applied when no specific target rule matches the client.
	Default *LimiterDefaultRule `yaml:"default"`

	// Targets contains specific rate limiting rules for different clients.
	// Rules are evaluated in order; the first matching rule is applied.
	// If no target rule matches, the default rule (if specified) is used.
	Targets []LimiterTargetRule `yaml:"targets,omitempty"`
}

type LimiterTargetRule struct {
	// Target specifies the client identifier (IP address, CIDR block, etc.).
	// Examples: "192.168.1.100", "10.0.0.0/8", "client-id-123"
	Target string `yaml:"target"`

	// Limit is the maximum number of requests allowed within the period.
	// Must be a positive integer greater than 0.
	Limit int64 `yaml:"limit"`

	// Period is the time window for the limit (e.g., "1h", "30m", "60s").
	// Must be a valid duration string parseable by time.ParseDuration.
	Period time.Duration `yaml:"period"`
}

type LogFormat = string

type Logger struct {
	// Level sets the minimum logging level for message output
	Level LoggerLevel `yaml:"level" default:"error"`
	// Tags contains key-value pairs to include with all log messages
	Tags map[string]string `yaml:"tags"`
	// TimeFormat specifies the format for timestamps in log messages
	TimeFormat string `yaml:"timeFormat"`
	// Colorized enables colored output for console logging
	Colorized bool `yaml:"colorized"`
	// Output specifies whether to write to stdout or stderr
	Output LoggerConsoleOutput `yaml:"output" default:"stdout"`
	// OutputFormat controls whether logs are in text or JSON format
	OutputFormat LogFormat `yaml:"outputFormat" default:"text"`
	// SensitiveTags lists tag keys that should be redacted in log output
	SensitiveTags []string `yaml:"sensitiveTags"`
	// MaskString is the string used for masking sensitive fields
	MaskString string `yaml:"maskString" default:"****"`
	// AppGroupName is the group name for application metadata
	AppGroupName string `yaml:"appGroupName" default:"app"`
	// OutputSource includes source file and line information in log messages
	OutputSource bool `yaml:"outputSource"`
	// Buffered enables asynchronous log writing
	Buffered bool `yaml:"buffered"`
	// BufferSize specifies the size of the log buffer (default: 100)
	BufferSize int `yaml:"bufferSize" default:"100"`
	// BypassLevel specifies the minimum level to bypass the buffer (write synchronously, default: error)
	BypassLevel LoggerLevel `yaml:"bypassLevel" default:"error"`
}

type LoggerConsoleOutput = string

type LoggerLevel = string

type Metrics struct {
	// Enable determines whether metrics collection is enabled.
	// Defaults to false.
	Enable bool `yaml:"enable" default:"false"`

	// Type specifies the metrics backend type.
	// Valid values: "prometheus", "noop".
	// Defaults to "prometheus".
	Type MetricsType `yaml:"type" default:"prometheus"`

	// ServiceName is the global prefix for all metrics.
	// This becomes the first part of the metric name: {serviceName}_{subsystem}_{name}.
	// Example: "myapp" results in metrics like "myapp_http_requests_total".
	ServiceName string `yaml:"serviceName"`

	// Adapters contains adapter-specific configurations.
	Adapters *MetricsAdapters `yaml:"adapters,omitempty" default:"-"`
}

type MetricsAdapters struct {
	// Prometheus contains Prometheus-specific configuration.
	// Only used when Type is "prometheus".
	Prometheus *MetricsPrometheus `yaml:"prometheus,omitempty" default:"-"`
}

type MetricsPrometheus struct {
	// CustomRegistry determines whether to use a custom Prometheus registry
	// instead of the default global registry.
	// Use this when running tests or when you need isolated metrics.
	CustomRegistry bool `yaml:"customRegistry" default:"false"`
}

type MetricsType string

type MiddlewaresConfig struct {
	// BodyLimit contains configuration for request body size limiting middleware.
	BodyLimit *HttpInterBodyLimitConfig `yaml:"bodyLimit" default:"-"`
	// Cors contains configuration for CORS middleware.
	Cors *HttpInterCorsConfig `yaml:"cors" default:"-"`
	// Idempotency contains configuration for idempotency middleware.
	Idempotency *HttpInterIdempotencyConfig `yaml:"idempotency" default:"-"`
	// Limiter contains configuration for rate limiting middleware.
	Limiter *HttpInterLimiterConfig `yaml:"limiter" default:"-"`
	// Logger contains configuration for logging middleware.
	Logger *HttpInterLoggerConfig `yaml:"logger" default:"-"`
	// Prometheus contains configuration for Prometheus metrics middleware.
	Prometheus *HttpInterPrometheusConfig `yaml:"prometheus" default:"-"`
	// RealIp contains configuration for real IP extraction middleware.
	RealIp *HttpInterRealIpConfig `yaml:"realIp" default:"-"`
	// Recovery contains configuration for panic recovery middleware.
	Recovery *HttpInterRecoveryConfig `yaml:"recovery" default:"-"`
	// RequestId contains configuration for request ID middleware.
	RequestId *HttpInterRequestIdConfig `yaml:"requestId" default:"-"`
	// SecurityHeaders contains configuration for security headers middleware.
	SecurityHeaders *HttpInterSecurityHeadersConfig `yaml:"securityHeaders" default:"-"`
	// Tracing contains configuration for distributed tracing middleware.
	Tracing *HttpInterTracingConfig `yaml:"tracing" default:"-"`
}

type MongoAuthMechanismType string

type MongoCompressionType string

type MongoCompressionTypes []MongoCompressionType

type MongoEncryption struct {
	VaultDatabase   *string             `yaml:"vaultDatabase"`
	VaultCollection string              `yaml:"vaultCollection" default:"__keyVault"`
	KMS             *MongoKMS           `yaml:"kms"`
	Type            MongoEncryptionType `yaml:"type" default:"auto"`
}

type MongoEncryptionType string

type MongoKMS struct {
	Provider MongoKMSProvider `yaml:"provider"`
	Local    *MongoKMSLocal   `yaml:"local" default:"-"`
	Amazon   *MongoKMSAmazon  `yaml:"amazon" default:"-"`
	Azure    *MongoKMSAzure   `yaml:"azure" default:"-"`
	Google   *MongoKMSGoogle  `yaml:"google" default:"-"`
}

type MongoKMSAmazon struct {
	AccessKeyId     string     `yaml:"accessKeyId"`
	SecretAccessKey Secret     `yaml:"secretAccessKey"`
	SessionToken    *string    `yaml:"sessionToken"`
	Key             string     `yaml:"key"`
	Region          *string    `yaml:"region"`
	Endpoint        *string    `yaml:"endpoint"`
	TLS             *TlsClient `yaml:"tls" default:"-"`
}

type MongoKMSAzure struct {
	ClientId         string     `yaml:"clientId"`
	ClientSecret     Secret     `yaml:"clientSecret"`
	TenantId         string     `yaml:"tenantId"`
	KeyName          string     `yaml:"keyName"`
	KeyVersion       *string    `yaml:"keyVersion"`
	KeyVaultEndpoint *string    `yaml:"keyVaultEndpoint"`
	TLS              *TlsClient `yaml:"tls" default:"-"`
}

type MongoKMSGoogle struct {
	Endpoint               *string    `yaml:"endpoint"`
	ProjectId              string     `yaml:"projectId"`
	Email                  string     `yaml:"email"`
	AuthenticationEndpoint *string    `yaml:"authenticationEndpoint"`
	PrivateKey             Secret     `yaml:"privateKey"`
	Location               string     `yaml:"location"`
	KeyRing                string     `yaml:"keyRing"`
	KeyName                string     `yaml:"keyName"`
	KeyVersion             *string    `yaml:"keyVersion"`
	TLS                    *TlsClient `yaml:"tls" default:"-"`
}

type MongoKMSLocal struct {
	// A 96-byte long base64-encoded string. Locally managed keys do not require additional setup,
	// but are not recommended for production applications.
	MasterKey     Secret `yaml:"masterKey"`
	MasterKeyFile string `yaml:"masterKeyFile"`
}

type MongoKMSProvider string

type MongoPLAINCredentials struct {
	Username string `yaml:"username"`
	Password Secret `yaml:"password"`
}

type MongoSCRAMCredentials struct {
	Username   string `yaml:"username"`
	Password   Secret `yaml:"password"`
	AuthSource string `yaml:"authSource" default:"admin"`
}

type Mongodb struct {
	// DirectConnection forces a direct connection to the specified host.
	// When true, bypasses automatic discovery of replica set topology.
	// Defaults to false.
	DirectConnection bool `yaml:"directConnection" default:"false"` //+

	// ConnectionURI is a full MongoDB connection string (e.g. "mongodb://user:pass@host:27017/db").
	// When set, it replaces Hosts, Credentials, ReplicaSet, DirectConnection, and Compressors.
	// Mutually exclusive with Credentials.
	ConnectionURI Secret `yaml:"connectionUri"`

	// Credentials contains optional authentication credentials.
	// If nil, the connection will attempt to connect without authentication.
	Credentials *MongodbCredentials `yaml:"credentials" default:"-"` //+

	// TLS contains optional TLS configuration for secure connections.
	// Required when using X.509 certificate authentication.
	TLS *TlsClient `yaml:"tls" default:"-"` //+

	// Database specifies the default database name.
	Database string `yaml:"database"`

	// ReplicaSet specifies the replica set name for replica set connections.
	// Leave empty for standalone server connections.
	ReplicaSet string `yaml:"replicaSet"` //+

	// Compressors specifies the list of compression algorithms to use.
	// Supported values: snappy, zlib, zstd.
	Compressors MongoCompressionTypes `yaml:"compressors"` //+

	// Hosts is the list of MongoDB server addresses.
	// Defaults to ["localhost:27017"].
	Hosts []string `yaml:"hosts" default:"localhost:27017"` //+

	// MaxPoolSize is the maximum number of connections in the connection pool.
	// Defaults to 100.
	MaxPoolSize uint64 `yaml:"maxPoolSize" default:"100"` //+

	// MinPoolSize is the minimum number of connections in the connection pool.
	// Defaults to 0.
	MinPoolSize uint64 `yaml:"minPoolSize" default:"0"` //+

	// ConnectTimeout is the maximum time to wait for a connection to be established.
	// Defaults to 30 seconds.
	ConnectTimeout time.Duration `yaml:"connectTimeout" default:"30s"` //+

	// MaxIdleTimeout is the maximum time a connection can be idle before being closed.
	// Set to 0 for no timeout (default).
	MaxIdleTimeout time.Duration `yaml:"maxIdleTimeout" default:"0"` //+

	// ZlibCompressionLevel specifies the compression level for zlib compression.
	// Valid range: -1 to 9, where -1 is default compression (default).
	ZlibCompressionLevel int `yaml:"zlibCompressionLevel" default:"-1"` //+

	// RetryReads enables automatic retrying of read operations.
	// Defaults to true.
	RetryReads bool `yaml:"retryReads" default:"true"` //+

	// RetryWrites enables automatic retrying of write operations.
	// Defaults to true.
	RetryWrites bool `yaml:"retryWrites" default:"true"` //+

	// Encryption contains optional client-side field level encryption settings.
	// If nil, no client-side encryption is used.
	Encryption *MongoEncryption `yaml:"encryption" default:"-"`
}

type MongodbCredentials struct {
	AuthMechanism MongoAuthMechanismType `yaml:"authMechanism" default:"SCRAM-SHA-256"`
	Plain         *MongoPLAINCredentials `yaml:"plain" default:"-"`
	Scram         *MongoSCRAMCredentials `yaml:"scram" default:"-"`
}

type Nats struct {
	// TLS contains optional TLS configuration for secure connections.
	// If nil, the connection will be made without TLS encryption.
	TLS *TlsClient `yaml:"tls" default:"-"`

	// ConnectionURI is a full NATS connection string (e.g. "nats://user:pass@host:4222").
	// When set, it replaces Hosts and authentication fields.
	// Mutually exclusive with Username, Password, Token, and NkeySeed.
	ConnectionURI Secret `yaml:"connectionUri"`

	// Username is the username for NATS authentication.
	// Used with password-based authentication.
	Username string `yaml:"username"`

	// Token is the authentication token for NATS.
	// Alternative to username/password authentication.
	Token Secret `yaml:"token"`

	// Password is the password for NATS authentication.
	// Used with username-based authentication.
	Password Secret `yaml:"password"`

	// NkeySeed is the NKey seed (private key) for NKey-based authentication.
	// The seed is used to derive the public key and sign server challenges.
	// Mutually exclusive with Token and Username/Password authentication.
	NkeySeed Secret `yaml:"nkeySeed"`

	// ClientName is an optional name for the NATS client connection.
	// Useful for debugging and monitoring purposes.
	ClientName string `yaml:"clientName"`

	// Hosts is the list of NATS server URLs to connect to.
	// Defaults to ["nats://localhost:4222"].
	// The client will attempt to connect to servers in order.
	Hosts []string `yaml:"hosts" default:"nats://localhost:4222"`

	// ConnectTimeout is the maximum time to wait for a connection to be established.
	// Defaults to 5 seconds.
	ConnectTimeout time.Duration `yaml:"connectTimeout" default:"5s"`

	// ReconnectWait is the time to wait between reconnection attempts.
	// Defaults to 10 seconds.
	ReconnectWait time.Duration `yaml:"reconnectWait" default:"10s"`

	// PingInterval is the interval between ping messages to keep the connection alive.
	// Defaults to 10 seconds.
	PingInterval time.Duration `yaml:"pingInterval" default:"10s"`

	// MaxReconnect is the maximum number of reconnection attempts.
	// Set to 0 for unlimited reconnection attempts (default).
	// Set to -1 to disable reconnection.
	MaxReconnect int `yaml:"maxReconnect" default:"0"`

	// MaxPingsOut is the maximum number of ping messages that can be sent
	// without receiving a pong response before the connection is considered dead.
	// Defaults to 3.
	MaxPingsOut int `yaml:"maxPingsOut" default:"3"`

	// Consumers is a collection of consumer configurations keyed by consumer name.
	// Each consumer defines how messages are consumed from NATS JetStream.
	// The key serves as the durable consumer name in NATS.
	Consumers NatsConsumers `yaml:"consumers"`

	// Recovery contains configuration for automatic stream/consumer recovery.
	// If nil, recovery is disabled.
	Recovery *NatsRecovery `yaml:"recovery" default:"-"`
}

type NatsConsumer struct {
	// Description is an optional description of the consumer.
	Description string `yaml:"description"`

	// DurableName is the durable name for the consumer.
	// If not specified, the consumer name from the configuration map key is used.
	// Durable consumers maintain their state across restarts and reconnections.
	DurableName string `yaml:"durableName"`

	// DeliverPolicy defines the point in the stream to start delivering messages.
	// Defaults to "all" which delivers all available messages.
	DeliverPolicy DeliverPolicy `yaml:"deliverPolicy" default:"all"`

	// OptStartSeq is the sequence number to start from when DeliverPolicy is "by_start_sequence".
	// Must be greater than 0 when used.
	OptStartSeq uint64 `yaml:"optStartSeq"`

	// OptStartTime is the time to start from when DeliverPolicy is "by_start_time".
	// Format: RFC3339 timestamp.
	OptStartTime *time.Time `yaml:"optStartTime"`

	// AckPolicy defines how messages should be acknowledged.
	// Defaults to "explicit" which requires explicit ack for each message.
	AckPolicy AckPolicy `yaml:"ackPolicy" default:"explicit"`

	// AckWait is the duration to wait for acknowledgement before redelivery.
	// Defaults to 30 seconds.
	AckWait time.Duration `yaml:"ackWait" default:"30s"`

	// MaxDeliver is the maximum number of delivery attempts for a message.
	// After this, the message is considered permanently failed.
	// Set to -1 for unlimited attempts. Defaults to -1.
	MaxDeliver int `yaml:"maxDeliver" default:"-1"`

	// BackOff is a custom backoff schedule for message redelivery.
	// If not specified, uses exponential backoff.
	// Each duration in the slice represents the delay before the next redelivery attempt.
	// Example: [1s, 5s, 30s, 2m, 5m] means:
	//   - 1st retry after 1 second
	//   - 2nd retry after 5 seconds
	//   - 3rd retry after 30 seconds
	//   - 4th retry after 2 minutes
	//   - 5th retry after 5 minutes
	// After exhausting the backoff schedule, the last duration is used for subsequent retries.
	BackOff []time.Duration `yaml:"backOff"`

	// FilterSubject is an optional subject filter for the consumer.
	// Only messages matching this subject will be delivered.
	FilterSubjects []string `yaml:"filterSubject"`

	// ReplayPolicy defines how messages are replayed from the stream.
	// Defaults to "instant" which replays as fast as possible.
	ReplayPolicy ReplayPolicy `yaml:"replayPolicy" default:"instant"`

	// MaxAckPending is the maximum number of messages that can be outstanding
	// (delivered but not yet acknowledged) at any time.
	// Defaults to 1000.
	MaxAckPending int `yaml:"maxAckPending" default:"1000"`

	// MaxWaiting is the maximum number of waiting pull requests.
	// Only applicable for pull-based consumers.
	// Defaults to 512.
	MaxWaiting int `yaml:"maxWaiting" default:"512"`

	// InactiveThreshold is the duration of inactivity before the consumer is removed.
	// Set to 0 to disable automatic removal.
	// Defaults to 0 (disabled).
	InactiveThreshold time.Duration `yaml:"inactiveThreshold" default:"0s"`
}

type NatsConsumers map[string]*NatsConsumer

type NatsRecovery struct {
	// Enabled determines whether recovery is enabled.
	// Defaults to true.
	Enabled bool `yaml:"enabled" default:"true"`

	// HealthCheckSchedule defines the cron schedule for health checks.
	// Acts as fallback detection when advisory events are missed.
	// Supports cron expressions and intervals (e.g., "@every 5m", "0 */5 * * * *").
	// Defaults to "@every 5m".
	HealthCheckSchedule string `yaml:"healthCheckSchedule" default:"@every 5m"`

	// MaxRecoveryAttempts defines the maximum number of recovery attempts before giving up.
	// Must be between 1 and 100.
	// Defaults to 3.
	MaxRecoveryAttempts int `yaml:"maxRecoveryAttempts" default:"3"`

	// RecoveryBackoff defines the base backoff duration between recovery attempts.
	// Actual backoff is calculated as backoff * attemptNumber.
	// Defaults to 5 seconds.
	RecoveryBackoff time.Duration `yaml:"recoveryBackoff" default:"5s"`

	// StaleRecoveryTimeout defines how long a recovery mark can exist before
	// being considered stale and cleared. This prevents permanent blocking
	// of recovery operations due to crashes or bugs.
	// Defaults to 20 minutes.
	StaleRecoveryTimeout time.Duration `yaml:"staleRecoveryTimeout" default:"20m"`

	// StaleRecoveryCleanupSchedule defines the cron schedule for stale recovery cleanup.
	// Supports cron expressions and intervals (e.g., "@every 1m", "0 * * * * *").
	// Defaults to "@every 1m".
	StaleRecoveryCleanupSchedule string `yaml:"staleRecoveryCleanupSchedule" default:"@every 1m"`
}

type Node struct {
	// Unique identifier for the service node
	// Must contain only alphanumeric characters, underscores, and hyphens
	Id *string `yaml:"id"`
}

type OIDC struct {
	// DiscoveryUrl is the URL of the OpenID Connect discovery endpoint
	DiscoveryUrl string `yaml:"discoveryUrl"`

	// ClockSkew is the acceptable time difference when validating timestamps
	ClockSkew time.Duration `yaml:"clockSkew" default:"10s"`

	// Cache contains optional token caching settings
	Cache *OIDCCache `yaml:"cache" default:"-"`

	// Validation contains optional token validation settings
	Validation *OIDCValidation `yaml:"validation" default:"-"`

	// ServiceAccount contains optional service-to-service authentication credentials
	ServiceAccount *OIDCServiceAccount `yaml:"serviceAccount" default:"-"`

	// JWKS contains optional JWKS-specific settings
	JWKS *OIDCJwks `yaml:"jwks" default:"-"`

	// Introspection contains optional RFC 7662 token introspection settings
	Introspection *OIDCIntrospection `yaml:"introspection" default:"-"`

	// Presets contains optional validation presets configuration
	Presets *OIDCPresets `yaml:"presets" default:"-"`

	// Revocation contains optional token/key revocation settings
	Revocation *OIDCRevocation `yaml:"revocation" default:"-"`
}

type OIDCCache struct {
	// Enabled enables caching of token validation results
	Enabled bool `yaml:"enabled" default:"false"`

	// TokensKeyPrefix is the prefix for validated token cache keys
	TokensKeyPrefix string `yaml:"tokensKeyPrefix" default:"tokens:"`

	// RevokedTokensKeyPrefix is the prefix for revoked token cache keys
	RevokedTokensKeyPrefix string `yaml:"revokedTokensKeyPrefix" default:"revoked-tokens:"`
}

type OIDCClaims struct {
	// Required is the list of claims that must be present in the token
	Required []string `yaml:"required"`

	// Expected defines exact values that specific claims must have
	Expected map[string]string `yaml:"expected"`

	// Ignored is the list of claims to skip during validation
	Ignored []string `yaml:"ignored"`

	// Audience is the expected audience claim in the token
	Audience []string `yaml:"audience"`

	// AllowedClientIds is the whitelist of client_id values for service-to-service calls
	AllowedClientIds []string `yaml:"allowedClientIds"`

	// RequiredScopes is the list of required scopes for service tokens
	RequiredScopes []string `yaml:"requiredScopes"`

	// RequireAuthorizedParty requires the 'azp' (authorized party) claim
	RequireAuthorizedParty bool `yaml:"requireAuthorizedParty"`

	// AllowedAuthorizedParties is the whitelist of allowed 'azp' claim values
	AllowedAuthorizedParties []string `yaml:"allowedAuthorizedParties"`

	// AllowMissingSubject permits tokens without 'sub' claim
	AllowMissingSubject bool `yaml:"allowMissingSubject"`
}

type OIDCExpression struct {
	// Expression is the CEL expression to evaluate (required)
	Expression string `yaml:"expression"`

	// Name is the rule identifier used in error messages (optional)
	Name string `yaml:"name"`
}

type OIDCIntrospection struct {
	// ClientId is the OAuth2 client identifier for introspection endpoint authentication
	ClientId string `yaml:"clientId"`

	// ClientSecret is the OAuth2 client secret for introspection endpoint authentication
	ClientSecret Secret `yaml:"clientSecret"`
}

type OIDCJwks struct {
	// RefreshEnabled enables proactive JWKS refresh via an external scheduler.
	RefreshEnabled bool `yaml:"refreshEnabled" default:"true"`

	// RefreshSchedule is the cron expression for periodic JWKS refresh.
	RefreshSchedule string `yaml:"refreshSchedule" default:"0 0 * * * *"`

	// HTTPTimeout is the timeout for JWKS HTTP requests
	HTTPTimeout time.Duration `yaml:"httpTimeout" default:"30s"`
}

type OIDCPreset struct {
	// Name is the unique preset identifier
	Name string `yaml:"name"`

	// Issuer is the expected issuer claim (iss) for this preset
	Issuer *string `yaml:"issuer"`

	// MaxTokenLifetime is the maximum acceptable token lifetime for this preset
	MaxTokenLifetime time.Duration `yaml:"maxTokenLifetime"`

	// Expression is a CEL expression for custom token validation logic
	Expression *OIDCExpression `yaml:"expression" default:"-"`

	// Claims contains optional requirements for JWT token claims validation
	Claims *OIDCClaims `yaml:"claims" default:"-"`
}

type OIDCPresets struct {
	// List is the list of named validation presets
	List []OIDCPreset `yaml:"list"`

	// Selectors is the list of rules for automatic preset selection
	Selectors []OIDCSelector `yaml:"selectors"`
}

type OIDCRevocation struct {
	// Enabled enables revocation checking.
	Enabled bool `yaml:"enabled" default:"false"`

	// SyncEnabled enables periodic synchronization of the revocation storage
	// via an external scheduler.
	SyncEnabled bool `yaml:"syncEnabled" default:"true"`

	// SyncSchedule is the cron expression for periodic revocation synchronization.
	SyncSchedule string `yaml:"syncSchedule" default:"0 0 * * * *"`

	// ItemType specifies what items are being revoked: "token", "jti", or "kid"
	ItemType string `yaml:"itemType" default:"token"`

	// Filter contains configuration for the probabilistic filter used for revocation
	Filter *ProbabilisticFilterConfig `yaml:"filter"`

	// Source contains configuration for fetching the revocation list
	Source *OIDCRevocationSource `yaml:"source"`
}

type OIDCRevocationSource struct {
	// URL to fetch revoked items from
	URL string `yaml:"url"`

	// File path to read revoked items from
	File string `yaml:"file"`
}

type OIDCSelector struct {
	// Expression is the CEL expression that evaluates to true/false to select this preset
	Expression string `yaml:"expression"`

	// Priority determines the evaluation order (higher values = higher priority)
	Priority int `yaml:"priority"`

	// PresetName is the name of the preset to apply when this selector matches
	PresetName string `yaml:"presetName"`
}

type OIDCServiceAccount struct {
	// ClientId is the OAuth2 client identifier for the service account
	ClientId string `yaml:"clientId"`

	// ClientSecret is the OAuth2 client secret for authentication
	ClientSecret Secret `yaml:"clientSecret"`

	// Scopes defines the OAuth2 scopes to request
	Scopes []string `yaml:"scopes"`
}

type OIDCValidation struct {
	// Issuer is the expected issuer claim (iss) in the token
	Issuer *string `yaml:"issuer"`

	// Claims contains optional requirements for JWT token claims validation
	Claims *OIDCClaims `yaml:"claims" default:"-"`

	// MaxTokenLifetime is the maximum acceptable token lifetime
	MaxTokenLifetime time.Duration `yaml:"maxTokenLifetime"`

	// Expression is a CEL expression for custom token validation logic
	Expression *OIDCExpression `yaml:"expression" default:"-"`
}

type OPA struct {
	// BundlePath is the filesystem path or URL to the OPA policy bundle.
	// Can be a directory path (e.g., "./policies") or bundle URL.
	// This field is required.
	BundlePath string `yaml:"bundlePath"`

	// Query is the Rego query to evaluate for authorization decisions.
	// Defaults to "data.profiles.authz.allow".
	Query string `yaml:"query" default:"data.profiles.authz.allow"`

	// DecisionLogging enables logging of all authorization decisions.
	// Useful for auditing and debugging authorization policies.
	// Defaults to false.
	DecisionLogging bool `yaml:"decisionLogging" default:"false"`

	// Cache contains caching configuration for authorization decisions.
	// If nil, caching is disabled.
	Cache *OPACache `yaml:"cache" default:"-"`

	// WatchBundle enables automatic reloading of policies when a bundle changes.
	// Uses fsnotify to watch for filesystem changes.
	// Useful for development and dynamic policy updates.
	// Defaults to false.
	WatchBundle bool `yaml:"watchBundle" default:"false"`

	// UpdateSchedule is an optional cron schedule for periodic policy updates.
	// If set, policies are reloaded according to this schedule regardless of file changes.
	// Example: "*/5 * * * * *" for every 5 seconds, "@every 1m" for every minute.
	// Defaults to empty (disabled).
	UpdateSchedule string `yaml:"updateSchedule" default:""`

	// RunOnStart determines whether to run an update cycle when the manager starts.
	// Defaults to true.
	RunOnStart bool `yaml:"runOnStart" default:"true"`

	// FileExtensions specifies the file extensions to include when loading policies.
	// Defaults to [".rego"].
	FileExtensions []string `yaml:"fileExtensions" default:"[\".rego\"]"`

	// IncludeData enables loading .json files as OPA data.
	// When enabled, JSON files in the policy directory are loaded into OPA's data store.
	// Defaults to false.
	IncludeData bool `yaml:"includeData" default:"false"`
}

type OPACache struct {
	// Enabled enables caching of authorization decisions.
	// Improves performance for repeated authorization checks.
	// Defaults to false.
	Enabled bool `yaml:"enabled" default:"false"`

	// TTL is the time-to-live for cached decisions.
	// Defaults to 5 minutes.
	TTL time.Duration `yaml:"ttl" default:"5m"`
}

type OTLPProtocol string

type Observability struct {
	// Metrics contains configuration for the metrics collection system.
	Metrics *Metrics `yaml:"metrics,omitempty" default:"-"`

	// Tracing contains configuration for distributed tracing.
	Tracing *Tracing `yaml:"tracing,omitempty" default:"-"`
}

type Outbox struct {
	// Enabled determines whether the outbox is enabled.
	// Defaults to true.
	Enabled bool `yaml:"enabled" default:"true"`

	// DispatchSchedule defines the cron schedule for the dispatcher.
	// Example: "*/2 * * * * *" for every 2 seconds.
	DispatchSchedule string `yaml:"dispatchSchedule" default:"@every 2s"`

	// FetchTimeout defines the timeout for fetching unprocessed events.
	// Defaults to 5 seconds.
	FetchTimeout time.Duration `yaml:"fetchTimeout" default:"5s"`

	// HandleTimeout defines the timeout for processing a batch of events.
	// Defaults to 20 seconds.
	HandleTimeout time.Duration `yaml:"handleTimeout" default:"20s"`

	// UpdateTimeout defines the timeout for updating event status.
	// Defaults to 5 seconds.
	UpdateTimeout time.Duration `yaml:"updateTimeout" default:"5s"`

	// CleanupSchedule defines the cron schedule for the cleanup task.
	// Example: "0 */10 * * * *" for every 10 minutes.
	CleanupSchedule string `yaml:"cleanupSchedule" default:"@every 10m"`

	// UnlockSchedule defines the cron schedule for the unlocker task.
	// Example: "*/11 * * * * *" for every 11 seconds.
	UnlockSchedule string `yaml:"unlockSchedule" default:"@every 11s"`

	// MessagesBatchSize defines the number of events fetched per batch.
	// Must be between 1 and 10000 to prevent memory exhaustion.
	// Defaults to 200.
	MessagesBatchSize uint32 `yaml:"messagesBatchSize" default:"200"`

	// RetryMaxAttempts defines the maximum number of publish attempts.
	// Must be between 1 and 100 to prevent infinite retry loops.
	// Defaults to 10.
	RetryMaxAttempts uint32 `yaml:"retryMaxAttempts" default:"10"`

	// PublishedEventsLifetime defines how long published events are retained.
	// -1 means indefinite. Defaults to -1.
	PublishedEventsLifetime time.Duration `yaml:"publishedEventsLifetime" default:"-1"`

	// TopicCompaction enables log compaction behavior.
	// Defaults to false.
	TopicCompaction bool `yaml:"topicCompaction" default:"false"`
}

type ProbabilisticFilter struct {
	// Defaults contains default settings for all filters.
	Defaults *ProbabilisticFilterDefaults `yaml:"defaults"`

	// Filters contains named filter configurations.
	Filters map[string]*ProbabilisticFilterConfig `yaml:"filters"`
}

type ProbabilisticFilterBloomConfig struct {
	// Storage defines the storage backend for the filter.
	Storage *ProbabilisticFilterStorageType `yaml:"storage,omitempty"`

	// ExpectedItems is the expected number of elements in the filter.
	ExpectedItems int64 `yaml:"expectedItems"`

	// FalsePositiveRate is the target false positive rate.
	FalsePositiveRate *float64 `yaml:"falsePositiveRate,omitempty"`

	// RebuildCron is the cron expression for periodic filter rebuild.
	RebuildCron *string `yaml:"rebuildCron,omitempty"`

	// RebuildOnStart enables rebuilding filter on service startup.
	RebuildOnStart *bool `yaml:"rebuildOnStart,omitempty"`

	// Redis defines Redis-specific configuration.
	Redis *StorageRedisConfig `yaml:"redis,omitempty" default:"-"`
}

type ProbabilisticFilterBloomDefaults struct {
	// Storage defines the storage backend for the filter.
	Storage ProbabilisticFilterStorageType `yaml:"storage" default:"memory"`

	// FalsePositiveRate is the target false positive rate (0.01 = 1%).
	FalsePositiveRate float64 `yaml:"falsePositiveRate" default:"0.01"`

	// RebuildCron is the cron expression for periodic filter rebuild.
	RebuildCron string `yaml:"rebuildCron" default:"0 0 * * * *"`

	// RebuildOnStart enables rebuilding filter on service startup.
	RebuildOnStart bool `yaml:"rebuildOnStart" default:"true"`
}

type ProbabilisticFilterConfig struct {
	// Type defines the type of probabilistic filter to use.
	Type ProbabilisticFilterType `yaml:"type" default:"bloom"`

	// Bloom defines Bloom filter-specific configuration.
	Bloom *ProbabilisticFilterBloomConfig `yaml:"bloom,omitempty" default:"-"`

	// Cuckoo defines Cuckoo filter-specific configuration.
	Cuckoo *ProbabilisticFilterCuckooConfig `yaml:"cuckoo,omitempty" default:"-"`
}

type ProbabilisticFilterCuckooConfig struct {
	// Storage defines the storage backend for the filter.
	Storage *ProbabilisticFilterStorageType `yaml:"storage,omitempty"`

	// Capacity is the initial capacity of the filter.
	Capacity int64 `yaml:"capacity"`

	// FingerprintSize is the fingerprint size in bits.
	FingerprintSize *int `yaml:"fingerprintSize,omitempty"`

	// CapacityMultiplier is the multiplier for auto-rebuild on overflow.
	CapacityMultiplier *float64 `yaml:"capacityMultiplier,omitempty"`

	// MaxCapacity is the maximum capacity limit.
	MaxCapacity *int64 `yaml:"maxCapacity,omitempty"`

	// Redis defines Redis-specific configuration.
	Redis *StorageRedisConfig `yaml:"redis,omitempty" default:"-"`
}

type ProbabilisticFilterCuckooDefaults struct {
	// Storage defines the storage backend for the filter.
	Storage ProbabilisticFilterStorageType `yaml:"storage" default:"memory"`

	// FingerprintSize is the fingerprint size in bits (8, 12, or 16).
	FingerprintSize int `yaml:"fingerprintSize" default:"12"`

	// CapacityMultiplier is the multiplier for auto-rebuild on overflow.
	CapacityMultiplier float64 `yaml:"capacityMultiplier" default:"2.0"`

	// MaxCapacity is the maximum capacity limit.
	MaxCapacity int64 `yaml:"maxCapacity" default:"100000000"`
}

type ProbabilisticFilterDefaults struct {
	// Bloom contains default Bloom filter settings.
	Bloom *ProbabilisticFilterBloomDefaults `yaml:"bloom"`

	// Cuckoo contains default Cuckoo filter settings.
	Cuckoo *ProbabilisticFilterCuckooDefaults `yaml:"cuckoo"`
}

type ProbabilisticFilterStorageType string

type ProbabilisticFilterType string

type Redis struct {
	// KeysPrefix is an optional prefix to prepend to all Redis keys.
	// If nil, no prefix is used.
	KeysPrefix *string `yaml:"keysPrefix"`

	// ConnectionURI is a full Redis connection string (e.g. "redis://user:pass@host:6379/0").
	// When set, it replaces Hosts, Username, Password, and Database.
	// Mutually exclusive with Username and Password.
	// Supports a single address only; for clusters with multiple seeds use Hosts.
	ConnectionURI Secret `yaml:"connectionUri"`

	// Username is the username for Redis authentication (Redis 6.0+).
	// Leave empty for password-only authentication.
	Username string `yaml:"username"`

	// Password is the password for Redis authentication.
	// Leave empty for no authentication.
	Password Secret `yaml:"password"`

	// SentinelPassword is the password for Redis Sentinel authentication.
	// Used when connecting to Redis through Sentinel.
	SentinelPassword Secret `yaml:"sentinelPassword"`

	// MasterName is the name of the Redis master when using Sentinel.
	// Required for Sentinel-based configurations.
	MasterName string `yaml:"masterName"`

	// Hosts is the list of Redis server addresses.
	// Defaults to ["localhost:6379"].
	// For clusters, specify multiple nodes. For Sentinel, specify sentinel addresses.
	Hosts []string `yaml:"hosts" default:"localhost:6379"`

	// Database is the Redis database number to select.
	// Defaults to 0. Only applicable for standalone Redis (not clusters).
	Database int `yaml:"database" default:"0,skip_zero"`

	// MinIdleConnections is the minimum number of idle connections to maintain.
	// Defaults to 5.
	MinIdleConnections int `yaml:"minIdleConnections" default:"5"`

	// MaxRedirects is the maximum number of redirects for Redis Cluster.
	// Defaults to 3.
	MaxRedirects int `yaml:"maxRedirects" default:"3"`

	// PoolSize is the maximum number of connections in the connection pool.
	// Defaults to 100.
	PoolSize int `yaml:"poolSize" default:"100"`

	// MaxConnectionAge is the maximum lifetime of a connection.
	// Set to 0 for no age limit (default).
	MaxConnectionAge time.Duration `yaml:"maxConnectionAge" default:"0s"`

	// ConnectTimeout is the maximum time to wait for a connection to be established.
	// Defaults to 5 seconds.
	ConnectTimeout time.Duration `yaml:"connectTimeout" default:"5s"`

	// SocketTimeout is the maximum time to wait for socket reads and writes.
	// Defaults to 5 seconds.
	SocketTimeout time.Duration `yaml:"socketTimeout" default:"5s"`

	// IdleTimeout is the maximum time a connection can be idle before being closed.
	// Defaults to 5 seconds.
	IdleTimeout time.Duration `yaml:"idleTimeout" default:"5s"`

	// ReadOnly enables read-only mode for Redis Cluster connections.
	// When true, read commands are routed to replica nodes.
	ReadOnly bool `yaml:"readOnly"`

	// RouteByLatency enables routing to the Redis node with lowest latency.
	// Only applicable for Redis Cluster.
	RouteByLatency bool `yaml:"routeByLatency"`

	// RouteRandomly enables random routing to Redis nodes.
	// Only applicable for Redis Cluster.
	RouteRandomly bool `yaml:"routeRandomly"`
}

type ReplayPolicy string

type RequestsLimiter struct {
	// Rate is the maximum number of requests allowed per period.
	// Defaults to 2500 requests per period.
	// This represents the sustained request rate over the configured period.
	Rate int `yaml:"rate" default:"2500"`

	// Period is the time window for the rate limit.
	// Defaults to 24 hours.
	// The rate limit resets every period.
	Period time.Duration `yaml:"period" default:"24h"`

	// Burst is the maximum number of requests that can be processed
	// in a short burst above the sustained rate.
	// Defaults to 100 requests.
	// This allows handling traffic spikes while maintaining overall rate limits.
	Burst int `yaml:"burst" default:"100"`
}

type S3 struct {
	// Endpoint is the S3 service endpoint URL.
	// Defaults to "http://localhost:9000" for local MinIO development.
	// For AWS S3, use regional endpoints like "https://s3.us-west-2.amazonaws.com".
	Endpoint string `yaml:"endpoint" default:"http://localhost:9000"`

	// AccessKey is the access key ID for S3 authentication.
	// This is required and should be kept secure.
	AccessKey Secret `yaml:"accessKey"`

	// SecretKey is the secret access key for S3 authentication.
	// This is required and should be kept secure.
	SecretKey Secret `yaml:"secretKey"`

	// PathStyle enables path-style addressing instead of virtual-hosted-style.
	// Use for MinIO or S3-compatible services that do not support virtual-hosted-style URLs.
	PathStyle bool `yaml:"pathStyle"`

	// Region is the AWS region for the S3 bucket (e.g. "us-east-1", "eu-west-1").
	// This is required for proper request signing and endpoint resolution.
	Region string `yaml:"region"`
}

type STS struct {
	// MaxAge specifies how long browsers should enforce HTTPS-only access
	// Default is 8760h (1 year)
	MaxAge time.Duration `yaml:"maxAge" default:"8760h"`
}

type SamplerType string

type Scheduler struct {
	// TickInterval is the interval for the scheduler loop to check for tasks.
	// Defaults to 1 second if not specified.
	TickInterval time.Duration `yaml:"tickInterval" default:"1s"`

	// HistoryRetention is the duration to keep task history before cleanup.
	// Defaults to 7 days (168h) if not specified.
	HistoryRetention time.Duration `yaml:"historyRetention" default:"168h"`

	// MaxConcurrentTasks is the maximum number of tasks that can run concurrently.
	// Zero means unlimited.
	// Defaults to 0 (unlimited) if not specified.
	MaxConcurrentTasks int `yaml:"maxConcurrentTasks" default:"0"`

	// ReservedHighPrioritySlots is the number of concurrency slots reserved for
	// high priority tasks. These slots cannot be used by normal/low priority tasks.
	// Defaults to 2 if not specified.
	ReservedHighPrioritySlots int `yaml:"reservedHighPrioritySlots" default:"2"`

	// StaleTaskTimeout is the duration after which a task stuck in Running status
	// is considered stale and will be reset to Active. This handles recovery from
	// process crashes where tasks were left in Running state.
	// Defaults to 30 minutes if not specified.
	StaleTaskTimeout time.Duration `yaml:"staleTaskTimeout" default:"30m"`

	// Storage defines the storage backend configuration.
	// If nil, defaults to in-memory storage.
	Storage *SchedulerStorageConfig `yaml:"storage" default:"-"`
}

type SchedulerStorageConfig struct {
	// Type defines the storage backend type.
	// Must be one of: mongodb, redis, memory.
	// Defaults to "memory" if not specified.
	Type SchedulerStorageType `yaml:"type" default:"memory"`

	// Mongodb defines MongoDB-specific configuration.
	// Required when Type is "mongodb", ignored otherwise.
	Mongodb *SchedulerStorageMongoConfig `yaml:"mongodb" default:"-"`

	// Redis defines Redis-specific configuration.
	// Required when Type is "redis", ignored otherwise.
	Redis *SchedulerStorageRedisConfig `yaml:"redis" default:"-"`

	// Memory defines in-memory storage configuration.
	// Optional when Type is "memory", ignored otherwise.
	Memory *SchedulerStorageMemoryConfig `yaml:"memory" default:"-"`
}

type SchedulerStorageMemoryConfig struct {
	// MaxHistoryPerTask is the maximum number of history entries kept per task.
	// Defaults to 1000 if not specified.
	MaxHistoryPerTask int `yaml:"maxHistoryPerTask" default:"1000"`
}

type SchedulerStorageMongoConfig struct {
	// TasksCollection is the MongoDB collection name for task states.
	// Defaults to "scheduler_tasks" if not specified.
	TasksCollection string `yaml:"tasksCollection" default:"scheduler_tasks"`

	// HistoryCollection is the MongoDB collection name for task history.
	// Defaults to "scheduler_history" if not specified.
	HistoryCollection string `yaml:"historyCollection" default:"scheduler_history"`
}

type SchedulerStorageRedisConfig struct {
	// KeyPrefix is the Redis key prefix for scheduler data.
	// Defaults to "scheduler" if not specified.
	KeyPrefix string `yaml:"keyPrefix" default:"scheduler"`

	// HistoryTTL is the TTL for history entries in Redis.
	// Set to 0 to disable TTL (history cleaned by CleanupHistory only).
	// Defaults to 0 (disabled).
	HistoryTTL time.Duration `yaml:"historyTtl" default:"-"`

	// MaxHistoryPerTask is the maximum number of history entries kept per task.
	// Defaults to 1000 if not specified.
	MaxHistoryPerTask int `yaml:"maxHistoryPerTask" default:"1000"`
}

type SchedulerStorageType string

type Secret string

type Secrets struct {
	// Provider is the type of secrets storage to use.
	Provider SecretsProvider `yaml:"provider" default:"memory"`

	// UpdateSchedule is the cron schedule for cache updates.
	// Example: "0 */5 * * * *" (every 5 minutes)
	UpdateSchedule string `yaml:"updateSchedule" default:"0 */5 * * * *"`

	// RunOnStart triggers an immediate update cycle when starting.
	RunOnStart bool `yaml:"runOnStart" default:"true"`

	// Cache contains cache configuration.
	Cache SecretsCache `yaml:"cache"`

	// Retry contains retry configuration for storage operations.
	Retry SecretsRetry `yaml:"retry"`

	// Vault contains Vault-specific configuration.
	// Required when Provider is "vault".
	Vault *SecretsVault `yaml:"vault"`

	// GCP contains GCP Secret Manager-specific configuration.
	// Required when Provider is "gcp".
	GCP *SecretsGCP `yaml:"gcp"`

	// Lockbox contains Yandex Cloud Lockbox-specific configuration.
	// Required when Provider is "lockbox".
	Lockbox *SecretsLockbox `yaml:"lockbox"`
}

type SecretsCache struct {
	// MaxSize is the maximum number of cached entries.
	// 0 means use default (1000).
	MaxSize int `yaml:"maxSize" default:"1000"`
	// ShardCount is the number of shards for sharded cache.
	// 0 means use standard (non-sharded) cache.
	ShardCount int `yaml:"shardCount" default:"0"`
}

type SecretsGCP struct {
	// ProjectID is the GCP project ID.
	ProjectID string `yaml:"projectId"`
	// ServiceAccountPath is the path to service account JSON file.
	ServiceAccountPath string `yaml:"serviceAccountPath"`
	// Labels filters secrets by GCP labels.
	Labels map[string]string `yaml:"labels"`
	// IgnoreInvalidKeys skips keys that fail to decode instead of returning error.
	IgnoreInvalidKeys bool `yaml:"ignoreInvalidKeys" default:"false"`
}

type SecretsLockbox struct {
	// FolderID is the Yandex Cloud folder ID.
	FolderID string `yaml:"folderId"`
	// KeyID is the service account key ID.
	KeyID string `yaml:"keyId"`
	// ServiceKeyID is the service account ID.
	ServiceKeyID string `yaml:"serviceKeyId"`
	// PrivateKeyPath is the path to the private key PEM file.
	PrivateKeyPath string `yaml:"privateKeyPath"`
	// Labels filters secrets by Yandex Cloud labels.
	Labels map[string]string `yaml:"labels"`
	// IgnoreInvalidKeys skips keys that fail to decode instead of returning error.
	IgnoreInvalidKeys bool `yaml:"ignoreInvalidKeys" default:"false"`
}

type SecretsProvider string

type SecretsRetry struct {
	// MaxAttempts is the maximum number of retry attempts.
	MaxAttempts int `yaml:"maxAttempts" default:"3"`
	// BaseDelay is the initial delay between retries.
	BaseDelay time.Duration `yaml:"baseDelay" default:"1s"`
	// MaxDelay is the maximum delay between retries.
	MaxDelay time.Duration `yaml:"maxDelay" default:"1m"`
	// Multiplier is the exponential backoff factor.
	Multiplier float64 `yaml:"multiplier" default:"2.0"`
}

type SecretsVault struct {
	// MountPath is the mount path for Vault KV v2 engine.
	MountPath string `yaml:"mountPath" default:"kv"`
	// SecretPath is the base path for secrets within the KV engine.
	SecretPath string `yaml:"secretPath" default:"blitz"`
	// CAS enables Check-and-Set operations for atomic updates.
	CAS bool `yaml:"cas" default:"false"`
}

type StorageMemoryConfig struct {
	// CleanupSchedule defines the cron schedule for the cleanup task.
	// Supports standard cron format with seconds: "sec min hour day month weekday"
	// (e.g., "0 */5 * * * *") or descriptor format (e.g., "@every 5m").
	CleanupSchedule string `yaml:"cleanupSchedule" default:"@every 5m"`
}

type StorageNATSConfig struct {
	// Bucket is the name of the NATS KeyValue bucket.
	// If empty, a default bucket name will be generated based on service name.
	Bucket string `yaml:"bucket,omitempty"`

	// Replicas defines the number of replicas for NATS KeyValue storage.
	// Higher values provide better availability but increase storage overhead.
	Replicas int `yaml:"replicas" default:"3"`
}

type StorageRedisConfig struct {
	// KeysPrefix is a prefix for all keys in storage.
	// Useful for namespacing when sharing storage between multiple services.
	KeysPrefix string `yaml:"keysPrefix,omitempty"`
}

type TlsClient struct {
	// Certificate is the path to the client certificate file.
	// Used for mutual Tls authentication.
	Certificate string `yaml:"certificate"`

	// PrivateKey is the path to the client private key file.
	// Must correspond to the client certificate.
	PrivateKey string `yaml:"privateKey"`

	// PrivateKeyPassword is the password for encrypted private key files.
	// Leave empty if the private key is not encrypted.
	PrivateKeyPassword Secret `yaml:"privateKeyPassword"`

	// CACerts is a list of paths to Certificate Authority certificate files.
	// Used to verify the server's certificate.
	CACerts []string `yaml:"caCerts"`

	// ServerName is the expected server name for certificate verification.
	// Used to verify the server's certificate matches the expected hostname.
	ServerName string `yaml:"serverName"`

	// SkipVerify disables server certificate verification.
	// WARNING: Setting this to true makes connections insecure.
	// Defaults to false.
	SkipVerify bool `yaml:"skipVerifyServerName" default:"false"`
}

type TlsClientAuth struct {
	// CACerts is a list of paths to Certificate Authority certificate files.
	// Used to verify client certificates during mutual Tls authentication.
	CACerts []string `yaml:"caCerts"`

	// AllowCertAuth enables client certificate authentication.
	// When true, clients must present valid certificates signed by the configured CAs.
	AllowCertAuth bool `yaml:"allowCertAuth"`
}

type TlsProvider struct {
	// File contains file-based certificate provider settings.
	// Used when certificates are loaded from local files.
	File *TlsProviderFile `yaml:"file" default:"-"`

	// LetsEncrypt contains Let's Encrypt ACME provider settings.
	// Used for automatic certificate provisioning via ACME protocol.
	LetsEncrypt *TlsProviderLetsEncrypt `yaml:"letsencrypt" default:"-"`

	// Vault contains HashiCorp Vault provider settings.
	// Used for certificate provisioning via Vault PKI backend.
	Vault *TlsProviderVault `yaml:"vault" default:"-"`
}

type TlsProviderFile struct {
	// Certificate file path containing the PEM-encoded certificate
	Certificate string `yaml:"certificate"`
	// PrivateKey file path containing the PEM-encoded private key
	PrivateKey string `yaml:"privateKey"`
	// PrivateKeyPassword for encrypted private keys (optional)
	PrivateKeyPassword Secret `yaml:"privateKeyPassword"`
}

type TlsProviderLetsEncrypt struct {
	// Email address for Let's Encrypt account registration and notifications
	Email string `yaml:"email"`
	// Domain names to include in the certificate (first domain becomes the common name)
	Domain []string `yaml:"domain"`
	// RenewBefore specifies when to renew the certificate before expiration
	RenewBefore time.Duration `yaml:"renewBefore" default:"30m"`
	// StartInternalServer enables automatic Http server for ACME challenge handling
	StartInternalServer bool `yaml:"startInternalServer"`
	// ListenAddress specifies the address for the internal ACME challenge server
	ListenAddress *string `yaml:"listenAddress" default:"0.0.0.0:8080"`
}

type TlsProviderType string

type TlsProviderVault struct {
	// CommonName sets the certificate's common name (primary domain or service name)
	CommonName string `yaml:"commonName"`
	// Role specifies the PKI role in Vault that defines certificate constraints and policies
	Role string `yaml:"role"`
	// RenewBefore specifies when to renew the certificate before expiration
	RenewBefore time.Duration `yaml:"renewBefore" default:"30m"`
	// SubjectAlternativeNames contains additional DNS names for the certificate
	SubjectAlternativeNames []string `yaml:"subjectAlternativeNames"`
	// IPSubjectAlternativeNames contains IP addresses to include in the certificate
	IPSubjectAlternativeNames []string `yaml:"ipSubjectAlternativeNames"`
}

type TlsServer struct {
	// ProviderType specifies how Tls certificates are obtained.
	// Defaults to "file" for file-based certificates.
	// Supported types: file, letsencrypt, vault.
	ProviderType TlsProviderType `yaml:"providerType" default:"file"`

	// MinTLSVersion specifies the minimum Tls version to accept.
	// Defaults to "1.2". Supported values: "1.2", "1.3".
	MinTLSVersion string `yaml:"minVersion" default:"1.2"`
}

type Tracing struct {
	// Enable determines whether tracing is enabled.
	// Defaults to false.
	Enable bool `yaml:"enable" default:"false"`

	// Type specifies the tracing backend type.
	// Valid values: "otlp", "console", "noop".
	// Defaults to "otlp".
	Type TracingType `yaml:"type" default:"otlp"`

	// ServiceName identifies the service in traces.
	// This is a required field when tracing is enabled.
	ServiceName string `yaml:"serviceName"`

	// ServiceVersion is the version of the service.
	// Optional but recommended for identifying deployments.
	ServiceVersion string `yaml:"serviceVersion"`

	// Environment identifies the deployment environment (e.g., "production", "staging").
	// Optional but recommended for filtering traces.
	Environment string `yaml:"environment"`

	// Sampler contains sampling configuration.
	// Controls which traces are recorded and exported.
	Sampler *TracingSampler `yaml:"sampler,omitempty" default:"-"`

	// Adapters contains adapter-specific configurations.
	Adapters *TracingAdapters `yaml:"adapters,omitempty" default:"-"`
}

type TracingAdapters struct {
	// OTLP contains OTLP-specific configuration.
	// Only used when Type is "otlp".
	OTLP *TracingOTLP `yaml:"otlp,omitempty" default:"-"`

	// Console contains console-specific configuration.
	// Only used when Type is "console".
	Console *TracingConsole `yaml:"console,omitempty" default:"-"`
}

type TracingConsole struct {
	// PrettyPrint enables indented JSON output.
	// Defaults to true.
	PrettyPrint bool `yaml:"prettyPrint" default:"true"`

	// Timestamps includes timestamps in output.
	// Defaults to true.
	Timestamps bool `yaml:"timestamps" default:"true"`
}

type TracingOTLP struct {
	// Endpoint is the OTLP collector endpoint.
	// For gRPC, this is typically "host:4317".
	// For HTTP, this is typically "host:4318".
	// Defaults to "localhost:4317".
	Endpoint string `yaml:"endpoint" default:"localhost:4317"`

	// Protocol specifies the transport protocol.
	// Valid values: "grpc", "http".
	// Defaults to "grpc".
	Protocol OTLPProtocol `yaml:"protocol" default:"grpc"`

	// Insecure disables TLS.
	// Use for development or when connecting to a local collector.
	// Defaults to false.
	Insecure bool `yaml:"insecure" default:"false"`

	// Headers are custom headers to send with requests.
	// Useful for authentication (e.g., API keys).
	Headers map[string]string `yaml:"headers,omitempty"`

	// Compression enables gzip compression.
	// Defaults to true.
	Compression bool `yaml:"compression" default:"true"`
}