How does this PR change the system?

adds a crate to hang a simple webserver off of a service
currently provides a simple /health endpoint and a /config endpoint that dumps the service's computed config
ensures we don't serialize protected values (secrets in configs and all SensitiveString types
adds implementations to edda, forklift, pinga, rebaser, and veritech

Screenshots:

On service startup

2025-10-15T19:11:55.873147Z  INFO ThreadId(43) rebaser: ready to receive messages
2025-10-15T19:11:55.873230Z  INFO ThreadId(54) si_service_endpoints::server: service endpoints listening service="rebaser" address=127.0.0.1:33665 health_endpoint="/health" config_endpoint="/config"

Testing:

❯ curl -s localhost:33665/{health,config} | jq
{
  "status": "healthy"
}
{
  "service": "rebaser",
  "config": {
    "pg_pool": {
      "user": "si",
      "password": "...",
      "dbname": "si",
      "application_name": "rebaser",
      "hostname": "localhost",
      "port": 5432,
      "pool_max_size": 128,
      "pool_timeout_wait_secs": null,
      "pool_timeout_create_secs": null,
      "pool_timeout_recycle_secs": null,
      "pool_total_connection_lifetime_secs": 72000,
      "pool_idle_connection_lifetime_secs": 21600,
      "pool_lifetime_check_interval_secs": null,
      "recycling_method": null
    },
    "nats": {
      "connection_name": "rebaser",
      "creds": null,
      "creds_file": null,
      "subject_prefix": null,
      "url": "localhost"
    },
    "crypto": {},
    "symmetric_crypto_service": {},
    "layer_db_config": {
      "pg_pool_config": {
        "user": "si",
        "password": "...",
        "dbname": "si_layer_db",
        "application_name": "rebaser",
        "hostname": "localhost",
        "port": 5432,
        "pool_max_size": 128,
        "pool_timeout_wait_secs": null,
        "pool_timeout_create_secs": null,
        "pool_timeout_recycle_secs": null,
        "pool_total_connection_lifetime_secs": 72000,
        "pool_idle_connection_lifetime_secs": 21600,
        "pool_lifetime_check_interval_secs": null,
        "recycling_method": null
      },
      "nats_config": {
        "connection_name": "rebaser",
        "creds": null,
        "creds_file": null,
        "subject_prefix": null,
        "url": "localhost"
      },
      "cache_config": {
        "name": "default",
        "memory_reserved_percent": 40,
        "memory_usable_max_percent": 100,
        "disk_layer": true,
        "disk_reserved_percent": 5,
        "disk_usable_max_percent": 100,
        "disk_admission_rate_limit": 1073741824,
        "disk_buffer_size": 134217728,
        "disk_buffer_flushers": 2,
        "disk_indexer_shards": 64,
        "disk_path": "/tmp/nix-shell.EHJBad/default-cache-2MGVoF",
        "disk_reclaimers": 2,
        "disk_recover_concurrency": 8
      }
    },
    "instance_id": "01K7MMJFQHSXD23B5MMXTEJN04",
    "concurrency_limit": null,
    "quiescent_period": {
      "secs": 300,
      "nanos": 0
    },
    "features": {
      "generate_mvs": true
    },
    "snapshot_eviction_grace_period": {
      "secs": 0,
      "nanos": 0
    },
    "service_endpoints": {
      "enabled": true,
      "bind_address": "127.0.0.1:0",
      "health_endpoint": "/health",
      "config_endpoint": "/config"
    }
  }
}

Out of Scope:

I want to extend this to allow services that already have an axum stack to just use it there, but it's a but more complicated, so I'm punting for sdf and luminork for now.

How was it tested?

Locally it works! Try passes!

[X] Integration tests pass
[X] Manual test: new functionality works in UI

In short: :link:

Oct 15 '25 18:10 sprutton1

Dependency Review

✅ No vulnerabilities or OpenSSF Scorecard issues found.

Scanned Files

None

Oct 15 '25 18:10 github-actions[bot]

/try

Oct 15 '25 18:10 sprutton1

Okay, starting a try! I'll update this comment once it's running... 🚀 Try running here! 🚀

Oct 15 '25 18:10 github-actions[bot]

/try

Oct 22 '25 19:10 sprutton1

Okay, starting a try! I'll update this comment once it's running... 🚀 Try running here! 🚀

Oct 22 '25 19:10 github-actions[bot]