# enable_tpm: feature switch for the tss2-esys (TPM 2.0 ESAPI) key provider.
# Default 'auto' probes for tss2-esys at configure time. Per the description,
# a host without the library gets the development-stub key provider instead,
# so under 'auto' the downgrade is not a configure-time failure.
# Release builds that expect hardware-backed keys should pass
# -Denable_tpm=enabled so a missing tss2-esys is a hard configure error.
# 'disabled' skips the dependency entirely.
option('enable_tpm',
type : 'feature',
value : 'auto',
description : 'Use the tss2-esys TPM 2.0 ESAPI library. When auto, '
+ 'wyrelog detects tss2-esys at configure time and builds '
+ 'the hardware-backed key provider if available; on hosts '
+ 'without tss2-esys (notably non-Linux platforms) wyrelog '
+ 'falls back to the development-stub key provider. Set to '
+ 'enabled to require tss2-esys (Linux production builds) '
+ 'or disabled to skip the dependency entirely.'
)
# enable_client: feature switch for the libwyrelog-client HTTP client library,
# which depends on libsoup-3.0. 'disabled' drops the client; per the
# description the server library (libwyrelog) and its tests still build.
# NOTE(review): the description calls libsoup-3.0 a "hard dependency" while the
# default is 'auto'. Whether 'auto' skips the client or fails when libsoup-3.0
# is missing is decided in meson.build, not here -- confirm.
option('enable_client',
type : 'feature',
value : 'auto',
description : 'Build the libwyrelog-client HTTP client library. Pulls '
+ 'in libsoup-3.0 as a hard dependency. Set to disabled to '
+ 'skip the client library entirely on platforms where '
+ 'libsoup-3.0 is unavailable (for example native Windows MSVC '
+ 'builds that have not staged vcpkg libsoup); the server library '
+ '(libwyrelog) and its tests still build under disabled.'
)
# require_tpm: boolean, default true (the fail-closed setting).
# Per the description, a production daemon refuses to start when only the
# development KeyProvider is available. Setting this to false is a
# development-only relaxation and should not appear in release build
# configurations.
# NOTE(review): this file does not show how the value reaches the daemon
# (compile-time define, generated config, ...) -- confirm in meson.build.
option('require_tpm',
type : 'boolean',
value : true,
description : 'Release intent for hardware-backed key provider '
+ 'requirements. Production daemon startup fails closed when '
+ 'only the development KeyProvider is available; set this '
+ 'false only for host development configurations that are '
+ 'not expected to satisfy production key custody.'
)
# enable_audit: feature switch for the DuckDB-backed audit subsystem that
# records access decisions. Default 'disabled', so a default build has no
# DuckDB-backed audit sink; opting in requires -Denable_audit=enabled.
# The enable_break_glass description in this file states that break-glass
# depends on this option being enabled.
# NOTE(review): whether any other record of access decisions exists when this
# is disabled is not visible from this file -- confirm before shipping a build
# without it.
option('enable_audit',
type : 'feature',
value : 'disabled',
description : 'Build the DuckDB-backed audit subsystem that records '
+ 'access decisions to a local analytic store. Disabled by '
+ 'default pending dependency stabilisation; set to enabled '
+ 'to opt in to the DuckDB-backed audit sink.'
)
# enable_fact_store: feature switch for the DuckDB-backed Datalog fact store
# foundation. Default 'disabled'. Independent of enable_audit: per the
# description, enabling only the fact store must still make DuckDB available,
# so the DuckDB dependency is needed when either option is on.
option('enable_fact_store',
type : 'feature',
value : 'disabled',
description : 'Build the DuckDB-backed Datalog fact store foundation. '
+ 'This is independent from the audit subsystem: builds with '
+ 'enable_audit=disabled and enable_fact_store=enabled must '
+ 'still make DuckDB available for fact storage.'
)
# duckdb_source: selects how libduckdb is obtained when audit or fact storage
# is enabled. Both choices fetch an upstream artifact over the network:
#   'prebuilt'   - upstream-published binary for the host platform (default)
#   'subproject' - upstream amalgamated source at v1.5.2, compiled in tree
# With the default, the shipped libduckdb is a downloaded binary that is not
# rebuilt from source; the description says only main-branch CI overrides to
# 'subproject'.
# NOTE(review): this file does not show integrity checking for either
# download. Confirm the fetch step pins and verifies a checksum (Meson wrap
# files support source_hash for source archives) and that the prebuilt binary
# is pinned to a specific version; the description gives a version only for
# 'subproject'.
option('duckdb_source',
type : 'combo',
choices : ['prebuilt', 'subproject'],
value : 'prebuilt',
description : 'How libduckdb is sourced when audit or fact storage is on. '
+ '"prebuilt" downloads the upstream-published library '
+ 'binary for the host platform (fast: ~30 MB download '
+ 'and zero compile). "subproject" downloads the '
+ 'upstream amalgamated source release at v1.5.2 and '
+ 'compiles the single 25 MB duckdb.cpp translation unit '
+ 'in tree (slow: multi-minute single-TU compile). '
+ 'Default is prebuilt; main-branch CI overrides to '
+ 'subproject for from-source validation.'
)
# wyrelog_log_max_level: compile-time ceiling for the WYL_LOG structured
# logger. Per the description, call sites above the ceiling are stripped at
# compile time, and the runtime WYL_LOG environment variable can only filter
# within the ceiling, never raise it.
# The default is 'debug', which the description says suits in-tree
# development. Release builds must set 'error' or 'warn' explicitly; otherwise
# debug-level call sites stay in the binary and can be turned on at runtime.
# NOTE(review): what the debug/trace call sites log is not visible here --
# check them for key material or policy detail before shipping any build with
# a ceiling above 'warn'.
option('wyrelog_log_max_level',
type : 'combo',
choices : ['none', 'error', 'warn', 'info', 'debug', 'trace'],
value : 'debug',
description : 'Compile-time ceiling for the WYL_LOG structured '
+ 'logger. Levels above this value have their call '
+ 'sites stripped at compile time so no .text bytes '
+ 'and no argument evaluation occur. Use "error" or '
+ '"warn" for release/production builds. Default '
+ '"debug" suits in-tree development. The runtime '
+ 'WYL_LOG environment variable filters within this '
+ 'compile-time ceiling but cannot raise it.'
)
# enable_break_glass: boolean, default false. When true, the build includes
# the override path that lets a pre-authorised principal bypass the policy
# decision point under a declared emergency. When false, that path is not
# compiled in.
# The description requires enable_audit to be enabled alongside this option,
# because the override path needs a recorded audit reason code. An options
# file cannot express that dependency, so it has to be enforced elsewhere.
# NOTE(review): confirm meson.build fails configuration when
# enable_break_glass=true and the audit subsystem is not actually built.
# enable_audit is a feature option, so the check should use its resolved
# state rather than the raw option value.
option('enable_break_glass',
type : 'boolean',
value : false,
description : 'Compile in the break-glass override path that allows a '
+ 'pre-authorised principal to bypass the policy decision '
+ 'point under declared emergency. Off by default; only '
+ 'enable for builds that ship the corresponding signed '
+ 'override credential. Must not be enabled unless '
+ 'enable_audit is also enabled, since the override path '
+ 'requires a recorded audit reason code.'
)
# require_template_manifest: boolean, default false. When true, a missing
# template manifest in the access template directory is a fail-closed error.
# The description lists what is verified before the policy program loads:
# canonical template version, SHA-256 hash, Ed25519 signature and the
# append-only migration contract.
# The default is the permissive setting; release builds need
# -Drequire_template_manifest=true.
# NOTE(review): presumably a missing manifest is tolerated when this is false.
# Confirm what verification, if any, still runs in that case.
option('require_template_manifest',
type : 'boolean',
value : false,
description : 'Fail closed when the access template directory does not '
+ 'ship a template manifest. Enable for release builds so '
+ 'the canonical template version, SHA-256 hash, Ed25519 '
+ 'signature, and append-only migration contract are verified '
+ 'before the policy program is loaded.'
)