# Security middleware and RBAC policy path # # SecurityConfig drives CSRF protection, rate limiting, and bcrypt cost. # RbacNclConfig.ncl_path points to the hot-reloadable RBAC policy file — # only the PATH is declared here; the file content is never inlined so that # the rbac-watcher can reload it without a server restart. let C = import "server/contracts.ncl" in let SC = import "security/contracts.ncl" in { security = { enable_csrf = false, csrf_token_name = "csrf_token", rate_limit_requests = 100, rate_limit_window = 60, bcrypt_cost = 12, } | SC.SecurityConfig, rbac = { ncl_path = "site/rbac.ncl", } | C.RbacNclConfig, }