Skip to content

Commit ce1f4db

Browse files
committed
Initial Fluxheim scaffold
0 parents  commit ce1f4db

18 files changed

Lines changed: 254 additions & 0 deletions

.gitignore

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
/target/
2+
*.log

Cargo.lock

Lines changed: 7 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Cargo.toml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
[package]
2+
name = "fluxheim"
3+
version = "0.1.0"
4+
edition = "2024"
5+
rust-version = "1.95"
6+
license = "EUPL-1.2"
7+
publish = false
8+
description = "A modular Pingora-based reverse proxy, static web server, and cache."
9+
10+
[features]
11+
default = ["proxy", "cache", "web", "tls", "acme", "metrics", "security"]
12+
proxy = []
13+
cache = []
14+
web = []
15+
tls = []
16+
acme = ["tls"]
17+
metrics = []
18+
security = []
19+
20+
[dependencies]
21+
22+
[dev-dependencies]

README.md

Lines changed: 64 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,64 @@
1+
# Fluxheim
2+
3+
Fluxheim is planned as a modular Rust reverse proxy built on Pingora. The
4+
default binary will include proxying, caching, static file serving, TLS, ACME,
5+
metrics, and security controls. Each major capability is feature-gated so a
6+
smaller binary can be compiled when only one role is needed.
7+
8+
## Current Baseline
9+
10+
- Rust stable: `1.95.0`
11+
- Rust edition: `2024`
12+
- License: `EUPL-1.2`
13+
- Dependency policy: `deny.toml`
14+
15+
## Feature Flags
16+
17+
Default build:
18+
19+
```bash
20+
cargo build
21+
```
22+
23+
Proxy-only build:
24+
25+
```bash
26+
cargo build --no-default-features --features proxy
27+
```
28+
29+
Static web server-only build:
30+
31+
```bash
32+
cargo build --no-default-features --features web
33+
```
34+
35+
## Required Checks
36+
37+
Run these before committing dependency or security-sensitive changes:
38+
39+
```bash
40+
cargo fmt --all --check
41+
cargo clippy --all-targets --all-features -- -D warnings
42+
cargo test --all-features
43+
cargo deny check
44+
cargo audit
45+
```
46+
47+
Install the security tools with locked versions from crates.io:
48+
49+
```bash
50+
cargo install --locked cargo-deny
51+
cargo install --locked cargo-audit
52+
```
53+
54+
The latest versions verified on May 4, 2026 were `cargo-deny 0.19.4` and
55+
`cargo-audit 0.22.1`.
56+
57+
## Dependency Rules
58+
59+
- Check crates.io/docs.rs before adding or upgrading dependencies.
60+
- Prefer maintained crates with clear SPDX license metadata.
61+
- Keep dependencies compatible with `EUPL-1.2`.
62+
- Do not add git dependencies unless pinned by revision and reviewed.
63+
- Run `cargo deny check licenses` after dependency changes.
64+
- Run `cargo audit` regularly and before releases.

SECURITY.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
# Security Policy
2+
3+
Fluxheim is security-sensitive infrastructure. Treat dependency, TLS, cache, and
4+
request-routing changes as high-risk until tested.
5+
6+
## Routine Checks
7+
8+
Run these regularly and before releases:
9+
10+
```bash
11+
cargo deny check
12+
cargo deny check licenses
13+
cargo audit
14+
```
15+
16+
## Dependency Policy
17+
18+
The dependency policy lives in `deny.toml`. Unknown registries and git sources
19+
are denied by default. License exceptions must be narrow, named, versioned, and
20+
documented with the reason for acceptance.
21+
22+
## Reporting
23+
24+
Do not publish exploitable security details before a fix is available. Open a
25+
private security advisory or contact the maintainers directly once the project
26+
has public repository security channels configured.

deny.toml

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
# Fluxheim dependency policy.
2+
#
3+
# Fluxheim is an EUPL-1.2 project. Third-party dependencies are checked with a
4+
# narrow allow-list so incompatible or unclear licenses fail early.
5+
6+
[graph]
7+
all-features = true
8+
9+
[licenses]
10+
confidence-threshold = 0.95
11+
include-dev = true
12+
include-build = true
13+
unused-allowed-license = "allow"
14+
unused-license-exception = "deny"
15+
16+
allow = [
17+
"0BSD",
18+
"Apache-2.0",
19+
"Apache-2.0 WITH LLVM-exception",
20+
"BSD-1-Clause",
21+
"BSD-2-Clause",
22+
"BSD-3-Clause",
23+
"BSL-1.0",
24+
"EUPL-1.2",
25+
"ISC",
26+
"MIT",
27+
"MIT-0",
28+
"Unicode-3.0",
29+
"Zlib",
30+
]
31+
32+
exceptions = [
33+
# TLS root stores can carry reviewed data licenses. Keep exceptions narrow;
34+
# do not globally allow CDLA-Permissive-2.0 for code.
35+
]
36+
37+
[licenses.private]
38+
ignore = true
39+
40+
[bans]
41+
multiple-versions = "allow"
42+
wildcards = "allow"
43+
highlight = "all"
44+
45+
[advisories]
46+
yanked = "deny"
47+
unmaintained = "workspace"
48+
unsound = "workspace"
49+
unused-ignored-advisory = "deny"
50+
ignore = []
51+
52+
[sources]
53+
unknown-registry = "deny"
54+
unknown-git = "deny"
55+
required-git-spec = "rev"
56+
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
57+
allow-git = []

rust-toolchain.toml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
[toolchain]
2+
channel = "1.95.0"
3+
components = ["clippy", "rustfmt"]

scripts/checks.sh

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
#!/usr/bin/env sh
2+
set -eu
3+
4+
cargo fmt --all --check
5+
cargo clippy --all-targets --all-features -- -D warnings
6+
cargo test --all-features
7+
cargo deny check
8+
cargo audit

src/acme.rs

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
pub fn enabled() -> bool {
2+
true
3+
}

src/cache.rs

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
pub fn enabled() -> bool {
2+
true
3+
}

0 commit comments

Comments
 (0)