{
+ fn is_expired(&self, ttl: Duration) -> bool {
+ self.inserted_at.elapsed() > ttl
+ }
+}
+
+/// Wraps a [`ConfigProvider`] with in-memory TTL-based caching.
+///
+/// Thread-safe via `RwLock`. Cache entries are evicted lazily on access.
+#[derive(Clone)]
+pub struct CachedProvider {
+ inner: P,
+ cache: Arc,
+ ttl: Duration,
+}
+
+struct CacheState {
+ buckets_list: RwLock>>>,
+ buckets: RwLock>>>,
+ roles: RwLock>>>,
+ credentials: RwLock>>>,
+}
+
+impl CachedProvider {
+ /// Create a new caching wrapper with the given TTL.
+ pub fn new(inner: P, ttl: Duration) -> Self {
+ Self {
+ inner,
+ cache: Arc::new(CacheState {
+ buckets_list: RwLock::new(None),
+ buckets: RwLock::new(HashMap::new()),
+ roles: RwLock::new(HashMap::new()),
+ credentials: RwLock::new(HashMap::new()),
+ }),
+ ttl,
+ }
+ }
+
+ /// Invalidate all cached entries.
+ pub fn invalidate_all(&self) {
+ if let Ok(mut lock) = self.cache.buckets_list.write() {
+ *lock = None;
+ }
+ if let Ok(mut lock) = self.cache.buckets.write() {
+ lock.clear();
+ }
+ if let Ok(mut lock) = self.cache.roles.write() {
+ lock.clear();
+ }
+ if let Ok(mut lock) = self.cache.credentials.write() {
+ lock.clear();
+ }
+ }
+
+ /// Invalidate a specific bucket entry.
+ pub fn invalidate_bucket(&self, name: &str) {
+ if let Ok(mut lock) = self.cache.buckets.write() {
+ lock.remove(name);
+ }
+ // Also invalidate the list since it may contain stale data
+ if let Ok(mut lock) = self.cache.buckets_list.write() {
+ *lock = None;
+ }
+ }
+}
+
+impl ConfigProvider for CachedProvider {
+ async fn list_buckets(&self) -> Result, ProxyError> {
+ // Check cache
+ if let Ok(lock) = self.cache.buckets_list.read() {
+ if let Some(entry) = &*lock {
+ if !entry.is_expired(self.ttl) {
+ return Ok(entry.value.clone());
+ }
+ }
+ }
+
+ // Cache miss — fetch from inner
+ let result = self.inner.list_buckets().await?;
+
+ if let Ok(mut lock) = self.cache.buckets_list.write() {
+ *lock = Some(CacheEntry {
+ value: result.clone(),
+ inserted_at: Instant::now(),
+ });
+ }
+
+ Ok(result)
+ }
+
+ async fn get_bucket(&self, name: &str) -> Result, ProxyError> {
+ // Check cache
+ if let Ok(lock) = self.cache.buckets.read() {
+ if let Some(entry) = lock.get(name) {
+ if !entry.is_expired(self.ttl) {
+ return Ok(entry.value.clone());
+ }
+ }
+ }
+
+ let result = self.inner.get_bucket(name).await?;
+
+ if let Ok(mut lock) = self.cache.buckets.write() {
+ lock.insert(
+ name.to_string(),
+ CacheEntry {
+ value: result.clone(),
+ inserted_at: Instant::now(),
+ },
+ );
+ }
+
+ Ok(result)
+ }
+
+ async fn get_role(&self, role_id: &str) -> Result, ProxyError> {
+ if let Ok(lock) = self.cache.roles.read() {
+ if let Some(entry) = lock.get(role_id) {
+ if !entry.is_expired(self.ttl) {
+ return Ok(entry.value.clone());
+ }
+ }
+ }
+
+ let result = self.inner.get_role(role_id).await?;
+
+ if let Ok(mut lock) = self.cache.roles.write() {
+ lock.insert(
+ role_id.to_string(),
+ CacheEntry {
+ value: result.clone(),
+ inserted_at: Instant::now(),
+ },
+ );
+ }
+
+ Ok(result)
+ }
+
+ async fn get_credential(
+ &self,
+ access_key_id: &str,
+ ) -> Result, ProxyError> {
+ if let Ok(lock) = self.cache.credentials.read() {
+ if let Some(entry) = lock.get(access_key_id) {
+ if !entry.is_expired(self.ttl) {
+ return Ok(entry.value.clone());
+ }
+ }
+ }
+
+ let result = self.inner.get_credential(access_key_id).await?;
+
+ if let Ok(mut lock) = self.cache.credentials.write() {
+ lock.insert(
+ access_key_id.to_string(),
+ CacheEntry {
+ value: result.clone(),
+ inserted_at: Instant::now(),
+ },
+ );
+ }
+
+ Ok(result)
+ }
+}
diff --git a/crates/libs/core/src/config/dynamodb.rs b/crates/libs/core/src/config/dynamodb.rs
new file mode 100644
index 0000000..d5723bb
--- /dev/null
+++ b/crates/libs/core/src/config/dynamodb.rs
@@ -0,0 +1,169 @@
+//! DynamoDB-backed configuration provider.
+//!
+//! Stores configuration in DynamoDB tables. Designed for AWS-native
+//! deployments where DynamoDB is readily available.
+//!
+//! # Table Schema
+//!
+//! Uses a single-table design with the following layout:
+//!
+//! | PK | SK | Attributes |
+//! |----|----|------------|
+//! | `BUCKET#{name}` | `CONFIG` | BucketConfig fields |
+//! | `ROLE#{role_id}` | `CONFIG` | RoleConfig fields |
+//! | `CRED#{access_key_id}` | `LONG_LIVED` | StoredCredential fields |
+//!
+//! # Example
+//!
+//! ```rust,ignore
+//! use source_coop_core::config::dynamodb::DynamoDbProvider;
+//! use aws_sdk_dynamodb::Client;
+//!
+//! let sdk_config = aws_config::load_defaults(aws_config::BehaviorVersion::latest()).await;
+//! let client = Client::new(&sdk_config);
+//! let provider = DynamoDbProvider::new(client, "s3-proxy-config".to_string());
+//! ```
+
+use crate::config::ConfigProvider;
+use crate::error::ProxyError;
+use crate::types::{BucketConfig, RoleConfig, StoredCredential};
+use aws_sdk_dynamodb::types::AttributeValue;
+use aws_sdk_dynamodb::Client;
+use std::sync::Arc;
+
+/// Configuration provider backed by a single DynamoDB table.
+#[derive(Clone)]
+pub struct DynamoDbProvider {
+ inner: Arc,
+}
+
+struct DynamoDbProviderInner {
+ client: Client,
+ table_name: String,
+}
+
+impl DynamoDbProvider {
+ pub fn new(client: Client, table_name: String) -> Self {
+ Self {
+ inner: Arc::new(DynamoDbProviderInner { client, table_name }),
+ }
+ }
+
+ fn table(&self) -> &str {
+ &self.inner.table_name
+ }
+
+ fn client(&self) -> &Client {
+ &self.inner.client
+ }
+}
+
+impl ConfigProvider for DynamoDbProvider {
+ async fn list_buckets(&self) -> Result, ProxyError> {
+ let result = self
+ .client()
+ .query()
+ .table_name(self.table())
+ .key_condition_expression("begins_with(PK, :prefix)")
+ .expression_attribute_values(":prefix", AttributeValue::S("BUCKET#".into()))
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ let items = result.items();
+ let mut buckets = Vec::with_capacity(items.len());
+
+ for item in items {
+ if let Some(json_val) = item.get("config_json") {
+ if let Ok(s) = json_val.as_s() {
+ if let Ok(config) = serde_json::from_str::(s) {
+ buckets.push(config);
+ }
+ }
+ }
+ }
+
+ Ok(buckets)
+ }
+
+ async fn get_bucket(&self, name: &str) -> Result, ProxyError> {
+ let result = self
+ .client()
+ .get_item()
+ .table_name(self.table())
+ .key("PK", AttributeValue::S(format!("BUCKET#{}", name)))
+ .key("SK", AttributeValue::S("CONFIG".into()))
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ match result.item() {
+ Some(item) => {
+ let json_val = item
+ .get("config_json")
+ .and_then(|v| v.as_s().ok())
+ .ok_or_else(|| ProxyError::ConfigError("missing config_json".into()))?;
+
+ let config = serde_json::from_str(json_val)
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+ Ok(Some(config))
+ }
+ None => Ok(None),
+ }
+ }
+
+ async fn get_role(&self, role_id: &str) -> Result, ProxyError> {
+ let result = self
+ .client()
+ .get_item()
+ .table_name(self.table())
+ .key("PK", AttributeValue::S(format!("ROLE#{}", role_id)))
+ .key("SK", AttributeValue::S("CONFIG".into()))
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ match result.item() {
+ Some(item) => {
+ let json_val = item
+ .get("config_json")
+ .and_then(|v| v.as_s().ok())
+ .ok_or_else(|| ProxyError::ConfigError("missing config_json".into()))?;
+
+ let config = serde_json::from_str(json_val)
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+ Ok(Some(config))
+ }
+ None => Ok(None),
+ }
+ }
+
+ async fn get_credential(
+ &self,
+ access_key_id: &str,
+ ) -> Result, ProxyError> {
+ let result = self
+ .client()
+ .get_item()
+ .table_name(self.table())
+ .key("PK", AttributeValue::S(format!("CRED#{}", access_key_id)))
+ .key("SK", AttributeValue::S("LONG_LIVED".into()))
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ match result.item() {
+ Some(item) => {
+ let json_val = item
+ .get("config_json")
+ .and_then(|v| v.as_s().ok())
+ .ok_or_else(|| ProxyError::ConfigError("missing config_json".into()))?;
+
+ let config = serde_json::from_str(json_val)
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+ Ok(Some(config))
+ }
+ None => Ok(None),
+ }
+ }
+}
diff --git a/crates/libs/core/src/config/http.rs b/crates/libs/core/src/config/http.rs
new file mode 100644
index 0000000..4faa84c
--- /dev/null
+++ b/crates/libs/core/src/config/http.rs
@@ -0,0 +1,182 @@
+//! HTTP API-backed configuration provider.
+//!
+//! Fetches configuration from a centralized REST API. Useful when you have
+//! a control plane service that manages proxy configuration.
+//!
+//! # Expected API Contract
+//!
+//! The API should expose:
+//! - `GET /buckets` → `Vec`
+//! - `GET /buckets/{name}` → `Option`
+//! - `GET /roles/{role_id}` → `Option`
+//! - `GET /credentials/{access_key_id}` → `Option`
+//!
+//! # Example
+//!
+//! ```rust,ignore
+//! use source_coop_core::config::http::HttpProvider;
+//!
+//! let provider = HttpProvider::new(
+//! "https://config-api.internal:8080".to_string(),
+//! Some("Bearer my-api-token".to_string()),
+//! );
+//! ```
+
+use crate::config::ConfigProvider;
+use crate::error::ProxyError;
+use crate::types::{BucketConfig, RoleConfig, StoredCredential};
+use std::sync::Arc;
+
+/// Validate that a value is safe to use as a single URL path segment.
+///
+/// Rejects values containing `/`, `\`, `..`, null bytes, or that are empty,
+/// to prevent path traversal against the config API.
+fn validate_path_segment(value: &str, param_name: &str) -> Result<(), ProxyError> {
+ if value.is_empty()
+ || value.contains('/')
+ || value.contains('\\')
+ || value.contains('\0')
+ || value == ".."
+ || value == "."
+ {
+ return Err(ProxyError::InvalidRequest(format!(
+ "invalid {}: contains illegal characters",
+ param_name
+ )));
+ }
+ Ok(())
+}
+
+/// Configuration provider that reads from a REST API.
+#[derive(Clone)]
+pub struct HttpProvider {
+ inner: Arc,
+}
+
+struct HttpProviderInner {
+ base_url: String,
+ client: reqwest::Client,
+ auth_header: Option,
+}
+
+impl HttpProvider {
+ /// Create a new HTTP config provider.
+ ///
+ /// `base_url`: The base URL of the config API (no trailing slash).
+ /// `auth_header`: Optional Authorization header value (e.g., "Bearer ...").
+ pub fn new(base_url: String, auth_header: Option) -> Self {
+ Self {
+ inner: Arc::new(HttpProviderInner {
+ base_url: base_url.trim_end_matches('/').to_string(),
+ client: reqwest::Client::new(),
+ auth_header,
+ }),
+ }
+ }
+
+ fn request(&self, path: &str) -> reqwest::RequestBuilder {
+ let mut req = self
+ .inner
+ .client
+ .get(format!("{}{}", self.inner.base_url, path));
+ if let Some(ref auth) = self.inner.auth_header {
+ req = req.header("authorization", auth);
+ }
+ req
+ }
+}
+
+impl ConfigProvider for HttpProvider {
+ async fn list_buckets(&self) -> Result, ProxyError> {
+ let resp = self
+ .request("/buckets")
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ resp.json()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))
+ }
+
+ async fn get_bucket(&self, name: &str) -> Result, ProxyError> {
+ validate_path_segment(name, "bucket name")?;
+ let resp = self
+ .request(&format!("/buckets/{}", name))
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ if resp.status().as_u16() == 404 {
+ return Ok(None);
+ }
+
+ resp.json()
+ .await
+ .map(Some)
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))
+ }
+
+ async fn get_role(&self, role_id: &str) -> Result, ProxyError> {
+ validate_path_segment(role_id, "role ID")?;
+ let resp = self
+ .request(&format!("/roles/{}", role_id))
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ if resp.status().as_u16() == 404 {
+ return Ok(None);
+ }
+
+ resp.json()
+ .await
+ .map(Some)
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))
+ }
+
+ async fn get_credential(
+ &self,
+ access_key_id: &str,
+ ) -> Result, ProxyError> {
+ validate_path_segment(access_key_id, "access key ID")?;
+ let resp = self
+ .request(&format!("/credentials/{}", access_key_id))
+ .send()
+ .await
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))?;
+
+ if resp.status().as_u16() == 404 {
+ return Ok(None);
+ }
+
+ resp.json()
+ .await
+ .map(Some)
+ .map_err(|e| ProxyError::ConfigError(e.to_string()))
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn validate_path_segment_rejects_traversal() {
+ assert!(validate_path_segment("../admin", "test").is_err());
+ assert!(validate_path_segment("foo/bar", "test").is_err());
+ assert!(validate_path_segment("foo\\bar", "test").is_err());
+ assert!(validate_path_segment("..", "test").is_err());
+ assert!(validate_path_segment(".", "test").is_err());
+ assert!(validate_path_segment("", "test").is_err());
+ assert!(validate_path_segment("foo\0bar", "test").is_err());
+ }
+
+ #[test]
+ fn validate_path_segment_accepts_normal_values() {
+ assert!(validate_path_segment("my-bucket", "test").is_ok());
+ assert!(validate_path_segment("AKIAIOSFODNN7EXAMPLE", "test").is_ok());
+ assert!(validate_path_segment("role-123_abc", "test").is_ok());
+ assert!(validate_path_segment("bucket.with.dots", "test").is_ok());
+ }
+}
diff --git a/crates/libs/core/src/config/mod.rs b/crates/libs/core/src/config/mod.rs
new file mode 100644
index 0000000..d766217
--- /dev/null
+++ b/crates/libs/core/src/config/mod.rs
@@ -0,0 +1,78 @@
+//! Configuration provider abstraction and implementations.
+//!
+//! The [`ConfigProvider`] trait defines how the proxy retrieves its
+//! configuration (buckets, roles, credentials) from a backend store.
+//! This allows the same core logic to work with static files, databases,
+//! HTTP APIs, or any other configuration source.
+//!
+//! # Available Implementations
+//!
+//! | Provider | Feature Flag | Use Case |
+//! |----------|-------------|----------|
+//! | [`StaticProvider`](static_file::StaticProvider) | *(always available)* | TOML/JSON config files, baked-in config |
+//! | [`HttpProvider`](http::HttpProvider) | `config-http` | Centralized config API |
+//! | [`DynamoDbProvider`](dynamodb::DynamoDbProvider) | `config-dynamodb` | AWS-native deployments |
+//! | [`PostgresProvider`](postgres::PostgresProvider) | `config-postgres` | Database-backed config |
+//!
+//! # Caching
+//!
+//! Wrap any provider with [`CachedProvider`](cached::CachedProvider) to add
+//! in-memory TTL-based caching. This is recommended for providers that make
+//! network calls (HTTP, DynamoDB, Postgres).
+//!
+//! ```rust,ignore
+//! use source_coop_core::config::{cached::CachedProvider, static_file::StaticProvider};
+//! use std::time::Duration;
+//!
+//! let base = StaticProvider::from_file("config.toml").unwrap();
+//! let cached = CachedProvider::new(base, Duration::from_secs(300));
+//! ```
+
+pub mod cached;
+pub mod static_file;
+
+#[cfg(feature = "config-http")]
+pub mod http;
+
+#[cfg(feature = "config-dynamodb")]
+pub mod dynamodb;
+
+#[cfg(feature = "config-postgres")]
+pub mod postgres;
+
+use crate::error::ProxyError;
+use crate::maybe_send::{MaybeSend, MaybeSync};
+use crate::types::{BucketConfig, RoleConfig, StoredCredential};
+use std::future::Future;
+
+/// Trait for retrieving proxy configuration from a backend store.
+///
+/// Implementations should be cheap to clone (wrap inner state in `Arc`).
+///
+/// Methods use [`MaybeSend`] bounds — on native targets this resolves to `Send`
+/// (required by Tokio's task spawning), on WASM it's a no-op (allowing `!Send`
+/// JS interop types).
+///
+/// Temporary credentials are not stored via this trait — they are encrypted
+/// into self-contained session tokens using [`TokenKey`](crate::sealed_token::TokenKey).
+pub trait ConfigProvider: Clone + MaybeSend + MaybeSync + 'static {
+ fn list_buckets(
+ &self,
+ ) -> impl Future