The Config Block

The config {} block defines framework-wide settings: API configuration, security policies, monitoring, admin UI, database migration behaviour, and output directory. It appears once across all .radiant files.

Syntax

config {
  // Top-level keys (each is optional):
  core: { ... }
  security: { ... }
  monitoring: { ... }
  adminUI: { ... }
  apiPrefix: "..."
  migrate: { ... }
  output: "..."
}

Allowed Keys

Only these top-level keys are valid inside config {}. Unknown keys produce a compile-time error:

KeyTypeDescription
coreObjectCore framework settings (API, OpenAPI, uploads).
securityObjectAuthentication, CORS, rate limiting, headers, secrets, audit.
monitoringObjectHealth checks, request ID tracking.
adminUIObjectAdmin dashboard configuration.
apiPrefixStringShorthand for core.api.prefix.
migrateObjectDatabase migration behaviour.
outputStringOutput directory for generated files (relative to radiant/).

core

Core framework settings. Allowed keys: api, openapi, upload.

api

config {
  core: {
    api: {
      prefix: "/api"          // API route prefix
      maxBodyBytes: 1048576   // Max request body size in bytes
      trustedProxies: ["127.0.0.1"]  // Trusted proxy IPs
    }
  }
}
PropertyTypeDefaultDescription
prefixString"/api"Prefix for all generated API routes.
maxBodyBytesNumber1048576 (1MB)Maximum request body size.
trustedProxiesString[][]IP addresses of trusted proxies for header forwarding.

openapi

config {
  core: {
    openapi: {
      enabled: true
      path: "/api/docs"
    }
  }
}

When enabled, the runtime serves an OpenAPI/Swagger specification at the configured path.

upload

config {
  core: {
    upload: {
      maxFileSize: 10485760  // 10MB
      allowedTypes: ["image/png", "image/jpeg"]
    }
  }
}

security

Security policies. Allowed keys: auth, cors, rateLimit, headers, secrets, audit, csrfTrustedOrigins.

auth

config {
  security: {
    auth: {
      strategies: ["jwt", "session"]
      jwt: {
        accessTokenExpiry: env("JWT_EXPIRY", "15m")
        refreshTokenExpiry: "7d"
        cookies: {
          name: "radiant_auth"
          timeout: "7d"
          refreshToken: true
          secure: true
          httpOnly: true
          sameSite: "lax"
          domain: "example.com"
        }
      }
      passwordPolicy: {
        minLength: 8
        requireUppercase: true
        requireNumber: true
      }
      lockout: {
        maxAttempts: env("LOGIN_ATTEMPTS", 5)
        durationMinutes: 15
      }
    }
  }
}
Sub-propertyTypeDescription
strategiesString[]Auth strategies to enable: "jwt", "session", "apiKey".
jwtObjectJWT settings: accessTokenExpiry, refreshTokenExpiry, cookies.
cookiesObjectJWT Cookie configuration properties.
cookies.nameStringBase name for the cookie. Default: "radiant_auth".
cookies.timeoutStringTime before the cookie expires (e.g. "7d").
cookies.refreshTokenBooleanEnable a separate cookie for the refresh token. Default: false.
cookies.secureBooleanEmit Secure flag for HTTPS only. Default: false.
cookies.httpOnlyBooleanEmit HttpOnly flag. Default: false.
cookies.sameSiteStringSameSite policy ("lax", "strict", "none"). Default: "lax".
cookies.domainStringSpecifies the allowed domain for the cookie.
sessionObjectSession-based auth settings.
apiKeyObjectAPI key auth settings: header (header name, defaults to X-API-Key), enabled.
passwordPolicyObjectminLength, requireUppercase, requireNumber.
lockoutObjectmaxAttempts, durationMinutes — lock accounts after repeated failures.

cors

config {
  security: {
    cors: {
      origin: ["http://localhost:3000", "https://myapp.com"]
      credentials: true
    }
  }
}
PropertyTypeDescription
originString[]Allowed origin URLs.
credentialsBooleanWhether to allow credentials (cookies, Authorization headers).

rateLimit

config {
  security: {
    rateLimit: {
      write: {
        max: 100
        window: "15m"
      }
      login: {
        max: 5
        window: "15m"
      }
    }
  }
}
PropertyTypeDescription
writeObjectRate limit for write operations (POST, PUT, DELETE). max requests per window.
loginObjectRate limit for login attempts. max attempts per window.
maxNumberMaximum number of requests in the window.
windowStringTime window (e.g., "15m", "1h", "30s").

headers

config {
  security: {
    headers: {
      enabled: true
    }
  }
}

When enabled, the runtime adds the following security headers to every response:

HeaderValue
X-Content-Type-Optionsnosniff
X-Frame-OptionsDENY
X-XSS-Protection1; mode=block
Strict-Transport-Securitymax-age=31536000; includeSubDomains
Referrer-Policystrict-origin-when-cross-origin
Permissions-Policygeolocation=(), microphone=(), camera=()

secrets

config {
  security: {
    secrets: {
      enabled: true
    }
  }
}

When enabled, the runtime provides a secret management API for storing and retrieving encrypted values.

audit

config {
  security: {
    audit: {
      enabled: true
    }
  }
}

When enabled, the runtime auto-creates a radiant_audit_log collection and logs all data mutations with HMAC-signed entries for tamper detection.

csrfTrustedOrigins

config {
  security: {
    csrfTrustedOrigins: ["https://myapp.com", "https://admin.myapp.com"]
  }
}
PropertyTypeDescription
csrfTrustedOriginsString[]Origins allowed to make cookie-authenticated state-changing requests, bypassing same-origin CSRF checks.

The runtime's CSRF guard activates on state-changing methods (POST, PUT, PATCH, DELETE) when a cookie is present. It checks the Origin or Referer header against the request Host. If the origin doesn't match, the request is rejected with 403 CSRF_ERROR — unless the origin is listed in csrfTrustedOrigins. Requests carrying a custom header (X-RADIANT-CSRF, X-CSRF-Token, or X-Requested-With) bypass the origin check entirely, as custom headers cannot be sent cross-origin without CORS permission.

monitoring

config {
  monitoring: {
    enabled: true
    apiKey: env("MONITORING_API_KEY")
    healthCheck: {
      enabled: true
      path: "/health"
      requiresAuth: false
    }
    requestId: {
      enabled: true
    }
  }
}
PropertyTypeDescription
enabledBooleanEnable monitoring endpoints and request instrumentation.
apiKeyStringBearer token required to access monitoring endpoints. If unset, endpoints are insecure (a warning is logged).
healthCheck.enabledBooleanEnable the health check endpoint. Defaults to true when monitoring is enabled.
healthCheck.pathStringURL path for the health check (e.g., "/health"). Defaults to /{apiPrefix}/monitor/health.
healthCheck.requiresAuthBooleanWhether the health check requires the monitoring API key. Defaults to false.
requestId.enabledBooleanGenerate a unique request ID for each request (honours incoming X-Request-ID header).

When monitoring is enabled, the runtime exposes four endpoints under {apiPrefix}/monitor:

EndpointMethodDescription
/monitor/eventsGETQuery buffered monitoring events with filters (?type=, ?severity=, ?since=, ?limit=).
/monitor/metricsGETAggregate summary: event counts by type/severity, request totals, average duration.
/monitor/healthGETDatabase + cache health check. Returns 200 (ok/degraded) or 503 (error).
/monitor/streamGETServer-Sent Events live stream with backlog replay and 30s heartbeat. Supports same query filters as /events.

See Monitoring for the full guide on exporters, SSE streams, and external tool integration.

adminUI

config {
  adminUI: {
    enabled: true
    user: "users"
  }
}
PropertyTypeDescription
enabledBooleanEnable the admin dashboard.
userStringThe collection slug used for admin authentication.

apiPrefix

A shorthand for core.api.prefix:

config {
  apiPrefix: "/api"
}

migrate

config {
  migrate: {
    dropOrphan: true
  }
}
PropertyTypeDescription
dropOrphanBooleanDrop orphaned tables and columns during db:sync without requiring --force.

output

Controls where generated files are written. The path is relative to the radiant/ directory:

config {
  output: "../src/generated"
}

If not specified, generated files go to radiant/ (schema.json, gen.ts) and the project root (radiant-types.ts).

Complete Example

config {
  core: {
    api: {
      prefix: "/api"
      maxBodyBytes: 1048576
      trustedProxies: ["127.0.0.1"]
    }
    openapi: {
      enabled: true
    }
  }

  security: {
    auth: {
      strategies: ["jwt", "session"]
      jwt: {
        accessTokenExpiry: env("JWT_EXPIRY", "15m")
        refreshTokenExpiry: "7d"
        cookies: {
          name: "radiant_auth"
          timeout: "7d"
          refreshToken: true
          secure: true
          httpOnly: true
          sameSite: "lax"
          domain: "example.com"
        }
      }
      passwordPolicy: {
        minLength: 8
        requireUppercase: true
        requireNumber: true
      }
      lockout: {
        maxAttempts: 5
        durationMinutes: 15
      }
    }
    cors: {
      origin: ["http://localhost:3000"]
      credentials: true
    }
    rateLimit: {
      write: { max: 100, window: "15m" }
      login: { max: 5, window: "15m" }
    }
    headers: { enabled: true }
    secrets: { enabled: true }
    audit: { enabled: false }
    csrfTrustedOrigins: ["https://myapp.com"]
  }

  monitoring: {
    enabled: true
    apiKey: env("MONITORING_API_KEY")
    healthCheck: {
      enabled: true
      path: "/health"
      requiresAuth: false
    }
    requestId: { enabled: true }
  }

  adminUI: {
    enabled: true
    user: "users"
  }
}