Manifest

The access manifest is an optional JSON sidecar that tells the broker how to screen traffic before your handler runs. The filename alone gets a port open to everyone; the manifest is how you lock it down. The format below is proposed.

The sidecar file

A manifest sits beside its handler, sharing the whole name up to the extension:

echo.tcp.7000.port.js       the handler
echo.tcp.7000.port.json     its access manifest

The pattern is <name>.<proto>.<port>.port.json. It syncs like any supporting file but opens no port of its own — it only configures the handler it names.

Fields

| Field | Type | Meaning |
| --- | --- | --- |
| allow | string[] | Source CIDRs permitted to connect ("10.0.0.0/8", "203.0.113.4/32"). If present, anything not matched is denied. |
| deny | string[] | Source CIDRs refused. Evaluated after allow, so deny wins on overlap. |
| maxConnections | number | TCP only — the ceiling on concurrent connections the broker will hold open for this handler. Further connections are refused until one closes. |
| rateLimit | object | Per-source limit, { perIp: number, window: seconds } — new TCP connections or UDP datagrams per source IP per window. Excess is dropped. |
| tls | object | { enabled: boolean, cert: … }. TCP only. When enabled the broker terminates TLS and hands the handler plaintext (see Q5). Cert source shape is not yet fixed. |
| idleTimeout | number | Seconds a connection (TCP) or a source's session window (UDP) may sit with no traffic before the broker closes or forgets it. |

Example

{
  "allow": ["10.0.0.0/8", "203.0.113.0/24"],
  "deny": ["10.9.0.0/16"],
  "maxConnections": 256,
  "rateLimit": { "perIp": 20, "window": 10 },
  "tls": { "enabled": true, "cert": "on-demand" },
  "idleTimeout": 120
}
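
The allow/deny rules from the Fields table, applied to the example manifest's lists, as an added example (not the broker's own code). It is IPv4-only, the function names are hypothetical, and two behaviours are assumptions read from the field descriptions: an `allow` list that is present but empty denies everything, and a malformed CIDR is rejected when the manifest is loaded.

```javascript
// Added example: IPv4-only sketch of source screening; names are hypothetical.

// Dotted-quad IPv4 -> unsigned 32-bit integer; throws on malformed input.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad IPv4 address: ${ip}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

// "a.b.c.d/n" -> { base, mask }; a malformed entry throws (assumption: fail at load).
function parseCidr(cidr) {
  const [addr, len, extra] = String(cidr).split('/');
  if (extra !== undefined || !/^\d{1,2}$/.test(len || '') || Number(len) > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  const bits = Number(len);
  // JS shift counts wrap at 32, so /0 needs its own case.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { base: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

const matchesAny = (cidrs, ip) => cidrs.some(({ base, mask }) => ((ip & mask) >>> 0) === base);

// Compile a manifest (or undefined when no sidecar exists) into
// a function sourceIp => 'accept' | 'deny'.
function compileScreen(manifest) {
  const m = manifest || {};
  // allow absent -> no allow-list check; allow present (even empty) -> must match.
  const allow = m.allow === undefined ? null : m.allow.map(parseCidr);
  const deny = (m.deny || []).map(parseCidr);
  return (sourceIp) => {
    const ip = ipv4ToInt(sourceIp);
    if (allow !== null && !matchesAny(allow, ip)) return 'deny';
    if (matchesAny(deny, ip)) return 'deny'; // evaluated after allow, so deny wins
    return 'accept';
  };
}

// Constructed input: the allow/deny lists from the example manifest above.
const exampleScreen = compileScreen({
  allow: ['10.0.0.0/8', '203.0.113.0/24'],
  deny: ['10.9.0.0/16'],
});
for (const ip of ['10.1.2.3', '10.9.4.4', '203.0.113.77', '198.51.100.1']) {
  console.log(ip, exampleScreen(ip));
}
```

The 10.9.4.4 case is the one to watch when reviewing a manifest: it sits inside an allowed range and is still refused because the deny list is consulted second.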

Defaults when absent

With no manifest, the filename still runs — under permissive defaults, so the manifest is purely additive lockdown.

| Field | Default with no manifest |
| --- | --- |
| allow / deny | Open to all sources. |
| maxConnections | A sane connection cap the broker sets, not unlimited — enough to run, low enough to avoid a trivial exhaustion. |
| rateLimit | None applied. |
| tls | Off — plaintext. |
| idleTimeout | A default idle cutoff so abandoned connections don't accumulate. |

Precedence with a module access

A module may also export an access object. The intent is a split by when the value is needed: anything the broker must know before running your code — allowed sources, TLS, caps — is authoritative in the sidecar, so policy and the firewall can act before a single line of the handler executes. A module access can only refine per-connection decisions the broker makes after hand-off — it cannot loosen what the sidecar locked.

See also