Infrastructure Configuration

Detailed property reference for Contexa's infrastructure layer — caching, Redis pub/sub and streams, Kafka event topics, and OpenTelemetry observability. These properties control how Contexa communicates with external systems in a distributed deployment.

Enable distributed mode (PoC / enterprise demo) — Run contexa init --distributed and the CLI will:

  1. Dependencies — automatically add spring-kafka and redisson to your build file.
  2. Infrastructure — generate a docker-compose.yml with PostgreSQL + Ollama + Redis + Kafka + Zookeeper.
  3. Configuration — set contexa.infrastructure.mode: DISTRIBUTED and the Redis / Kafka hosts inside the Contexa-managed block of application.yml.

The properties on this page apply once distributed mode is enabled. For production, use Kubernetes + Helm.

Contexa Core Properties (Summary)

The top-level ContexaProperties class (prefix contexa) contains the master switches for infrastructure mode, Redis, Kafka, and observability. These properties are fully documented on the Configuration Overview page. Key infrastructure-related entries include:

Property Type Default Description
contexa (master)
contexa.enabled boolean true Top-level master switch for the entire Contexa auto-configuration. When false, every sub-module is disabled.
contexa.infrastructure
.mode enum STANDALONE STANDALONE (in-memory) or DISTRIBUTED (Redis/Kafka)
.redis.enabled boolean true Enable Redis for distributed caching and pub/sub
.kafka.enabled boolean true Enable Kafka for event streaming in distributed mode
.observability.enabled boolean true Enable observability infrastructure
.observability.open-telemetry-enabled boolean true Enable OpenTelemetry for distributed tracing

See the Configuration Overview for the complete ContexaProperties reference.

Cache Properties

Properties under contexa.cache, bound to ContexaCacheProperties. Controls the multi-tier caching subsystem used throughout Contexa for identity, policy, and behavioral data. Supports local (Caffeine), Redis, and hybrid caching strategies with optional pub/sub-based cache invalidation.

General Settings

Property Type Default Description
contexa.cache
.type CacheType REDIS LOCAL, REDIS, or HYBRID (L1 local + L2 Redis)
.local.max-size int 1000 Max entries in the local (L1) cache
.local.default-ttl-seconds int 60 Default TTL (seconds) for local cache entries
.redis.default-ttl-seconds int 300 Default TTL (seconds) for Redis cache entries
.redis.key-prefix String contexa:cache: Prefix for all Redis cache keys (namespace isolation)
.pubsub.enabled boolean true Enable pub/sub cache invalidation across cluster nodes
.pubsub.channel String contexa:cache:invalidation Pub/sub channel for cache invalidation broadcasts

Domain-Specific TTL

Each cache domain can have independent TTL values for local and Redis tiers. This allows fine-grained control — for example, frequently changing policy data can use shorter TTLs while stable HCAD baseline data uses longer ones.

Property Type Default Description
contexa.cache.domains
.users TtlConfig local: 3600 / redis: 3600 User identity and profile data
.roles TtlConfig local: 14400 / redis: 14400 Role definitions and permission mappings
.permissions TtlConfig local: 28800 / redis: 28800 Permission grants and access control entries
.groups TtlConfig local: 14400 / redis: 14400 Group membership and hierarchy data
.policies TtlConfig local: 30 / redis: 300 XACML/ABAC policy definitions (short local TTL)
.soar TtlConfig local: 900 / redis: 900 SOAR playbook and automated response data
.hcad TtlConfig local: 86400 / redis: 86400 HCAD behavioral baselines (long-lived profiles)

Each domain entry is a TtlConfig object with local-ttl-seconds and redis-ttl-seconds fields. Override any domain independently:

YAML
contexa:
  cache:
    type: HYBRID
    local:
      max-size: 5000
      default-ttl-seconds: 120
    redis:
      default-ttl-seconds: 600
      key-prefix: "myapp:contexa:cache:"
    pubsub:
      enabled: true
      channel: "contexa:cache:invalidation"
    domains:
      users:
        local-ttl-seconds: 1800
        redis-ttl-seconds: 3600
      policies:
        local-ttl-seconds: 15
        redis-ttl-seconds: 60
      hcad:
        local-ttl-seconds: 43200
        redis-ttl-seconds: 86400

Bridge Properties

BridgeProperties is bound to contexa.bridge. It controls the bridge layer that maps user, authority, delegation, and session information bidirectionally between an external (legacy) authentication system and Contexa. The properties define SecurityContext extraction keys, session attribute candidates, request-attribute keys, HTTP header names, sync policy, and the trusted-proxy list.

Bridge Core Toggles

PropertyTypeDefaultDescription
contexa.bridge.enabledbooleantrueMaster switch for the entire bridge layer.
contexa.bridge.populate-security-contextbooleantrueWhether to populate Spring SecurityContext from the external principal.

Synchronization (Sync)

PropertyTypeDefaultDescription
contexa.bridge.sync.enabledbooleantrueEnables periodic synchronization of external user information.
contexa.bridge.sync.min-refresh-interval-secondslong60Minimum seconds between sync calls for the same principal — acts as a throttle.
contexa.bridge.sync.synthetic-email-domainStringshadow.contexa.localDomain suffix used to synthesize an email address when none is provided externally.

Trusted Proxies (Network)

PropertyTypeDefaultDescription
contexa.bridge.network.trusted-proxy-validation-enabledbooleantrueWhether to validate the reverse-proxy origin before trusting X-Forwarded-* headers.
contexa.bridge.network.trusted-proxiesList<String>[] (empty list)Trusted reverse-proxy IPs or CIDR ranges. When empty, headers are not trusted even if validation is enabled.

Authentication SecurityContext Keys

Properties under contexa.bridge.authentication.security-context, bound to Authentication.SecurityContext. Defines the candidate keys used to extract display name, principal type, authentication method, assurance level, MFA state, authentication time, and additional attributes from the external token's claims/attributes. The first matching key wins.

PropertyTypeDefaultDescription
contexa.bridge.authentication.security-context.enabledbooleantrueEnables SecurityContext extraction.
contexa.bridge.authentication.security-context.display-name-keysList<String>[displayName, name, fullName, userName, username, preferred_username]Candidate keys used to extract the display name.
contexa.bridge.authentication.security-context.principal-type-keysList<String>[principalType, userType, actorType, token_use]Candidate keys used to extract the principal type (user / service / agent, etc.).
contexa.bridge.authentication.security-context.authentication-type-keysList<String>[authenticationType, authMethod, loginMethod, method, factorType]Candidate keys used to extract the authentication method.
contexa.bridge.authentication.security-context.authentication-assurance-keysList<String>[authenticationAssurance, authLevel, loa, acr]Candidate keys used to extract the authentication assurance level (LoA/ACR).
contexa.bridge.authentication.security-context.mfa-keysList<String>[mfa, mfaVerified, mfaCompleted, secondFactorVerified, amr]Candidate keys used to extract MFA-completion state.
contexa.bridge.authentication.security-context.auth-time-keysList<String>[authenticationTime, authenticatedAt, loginTime, issuedAt, auth_time, iat]Candidate keys used to extract the authentication time.
contexa.bridge.authentication.security-context.attribute-keysList<String>[organizationId, orgId, tenantId, department, team, email, loginIp, authenticationType, authenticationAssurance, mfaVerified, mfaCompleted, authenticatedAt, loginTime, iss, aud, azp, scope, scp, amr, acr]Additional attribute keys preserved in the SecurityContext (20 entries by default).

Authentication Session Keys

Properties under contexa.bridge.authentication.session, bound to the shared Bridge.Session class. When an external system stores the authenticated user object as an HTTP session attribute, these keys define which attribute names to try and which keys to use to extract principal id, display name, authorities, authentication method, MFA state, authentication time, and additional attributes from that object.

PropertyTypeDefaultDescription
contexa.bridge.authentication.session.enabledbooleantrueEnables HTTP-session-based user extraction.
contexa.bridge.authentication.session.attributeString"" (empty)Explicit session-attribute name where the user object is stored. When empty and auto-discover is true, the candidate list is tried.
contexa.bridge.authentication.session.attribute-candidatesList<String>[currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal]Candidate attribute names tried in auto-discover mode.
contexa.bridge.authentication.session.auto-discoverbooleantrueWhether to walk the candidate-attribute list automatically.
contexa.bridge.authentication.session.object-type-nameString"" (empty)Optional fully-qualified class name the discovered object must match.
contexa.bridge.authentication.session.principal-id-keysList<String>[userId, username, id, loginId, email]Candidate keys used to extract the principal identifier from the session object.
contexa.bridge.authentication.session.display-name-keysList<String>[displayName, name, fullName, userName, preferred_username]Candidate keys used to extract the display name.
contexa.bridge.authentication.session.authorities-keysList<String>[roles, authorities, permissions, scopes]Candidate keys used to extract authorities, roles, or scopes.
contexa.bridge.authentication.session.authentication-type-keysList<String>[authenticationType, authMethod, loginMethod]Candidate keys used to extract the authentication method.
contexa.bridge.authentication.session.authentication-assurance-keysList<String>[authenticationAssurance, authLevel, loa]Candidate keys used to extract the authentication assurance level.
contexa.bridge.authentication.session.mfa-keysList<String>[mfa, mfaVerified, mfa_verified]Candidate keys used to extract MFA-completion state.
contexa.bridge.authentication.session.auth-time-keysList<String>[authenticationTime, authenticatedAt, loginTime]Candidate keys used to extract the authentication time.
contexa.bridge.authentication.session.attribute-keysList<String>[department, organizationId, orgId, authMethod, loginIp, loginTime]Additional attribute keys preserved in the SecurityContext.

Authentication RequestAttributes Keys

Properties under contexa.bridge.authentication.request-attributes, bound to the shared Bridge.RequestAttributes class. Defines which attribute candidates to try when an external filter stores the user object on HttpServletRequest, which keys to read from that object, and which flat key names Contexa uses when re-exposing values back as request attributes.

Discovery / Extraction (13 shared)

PropertyTypeDefaultDescription
contexa.bridge.authentication.request-attributes.enabledbooleantrueEnables request-attribute-based user extraction.
contexa.bridge.authentication.request-attributes.attributeString"" (empty)Explicit request-attribute name where the user object is stored.
contexa.bridge.authentication.request-attributes.attribute-candidatesList<String>[currentUser, authenticatedUser, requestUser, principal, user, authenticatedPrincipal, authUser]Candidate attribute names tried in auto-discover mode.
contexa.bridge.authentication.request-attributes.auto-discoverbooleantrueWhether to walk the candidate-attribute list automatically.
contexa.bridge.authentication.request-attributes.object-type-nameString"" (empty)Optional fully-qualified class name the discovered object must match.
contexa.bridge.authentication.request-attributes.principal-id-keysList<String>[userId, username, id, loginId, email]Candidate keys used to extract the principal identifier.
contexa.bridge.authentication.request-attributes.display-name-keysList<String>[displayName, name, fullName, userName, preferred_username]Candidate keys used to extract the display name.
contexa.bridge.authentication.request-attributes.authorities-keysList<String>[roles, authorities, permissions, scopes]Candidate keys used to extract authorities, roles, or scopes.
contexa.bridge.authentication.request-attributes.authentication-type-keysList<String>[authenticationType, authMethod, loginMethod]Candidate keys used to extract the authentication method.
contexa.bridge.authentication.request-attributes.authentication-assurance-keysList<String>[authenticationAssurance, authLevel, loa]Candidate keys used to extract the authentication assurance level.
contexa.bridge.authentication.request-attributes.mfa-keysList<String>[mfa, mfaVerified, mfa_verified]Candidate keys used to extract MFA-completion state.
contexa.bridge.authentication.request-attributes.auth-time-keysList<String>[authenticationTime, authenticatedAt, loginTime]Candidate keys used to extract the authentication time.
contexa.bridge.authentication.request-attributes.attribute-keysList<String>[department, organizationId, orgId, authMethod, loginIp, loginTime]Additional attribute keys preserved in the SecurityContext.

Flat authentication attribute keys (flat-*, 8)

Single key names Contexa uses when flattening values back onto request attributes so downstream components can read them directly.

PropertyDefaultDescription
contexa.bridge.authentication.request-attributes.flat-principal-idctxa.auth.principalIdPrincipal identifier.
contexa.bridge.authentication.request-attributes.flat-display-namectxa.auth.displayNameDisplay name.
contexa.bridge.authentication.request-attributes.flat-authenticatedctxa.auth.authenticatedAuthenticated boolean.
contexa.bridge.authentication.request-attributes.flat-authoritiesctxa.auth.authoritiesAuthorities collection.
contexa.bridge.authentication.request-attributes.flat-authentication-typectxa.auth.typeAuthentication method.
contexa.bridge.authentication.request-attributes.flat-authentication-assurancectxa.auth.assuranceAuthentication assurance level.
contexa.bridge.authentication.request-attributes.flat-mfa-completedctxa.auth.mfaCompletedMFA completion state.
contexa.bridge.authentication.request-attributes.flat-authentication-timectxa.auth.timeAuthentication time.

Authorization mapping keys (7)

PropertyDefaultDescription
contexa.bridge.authentication.request-attributes.authorization-effectctxa.authz.effectAuthorization decision effect (ALLOW/DENY).
contexa.bridge.authentication.request-attributes.privilegedctxa.authz.privilegedWhether this is a privileged flow.
contexa.bridge.authentication.request-attributes.policy-idctxa.authz.policyIdID of the matching policy.
contexa.bridge.authentication.request-attributes.policy-versionctxa.authz.policyVersionPolicy version.
contexa.bridge.authentication.request-attributes.scope-tagsctxa.authz.scopeTagsScope tags.
contexa.bridge.authentication.request-attributes.effective-rolesctxa.authz.rolesEffective role set.
contexa.bridge.authentication.request-attributes.effective-authoritiesctxa.authz.authoritiesEffective authority set.

Delegation mapping keys (11)

PropertyDefaultDescription
contexa.bridge.authentication.request-attributes.delegatedctxa.delegation.enabledWhether delegation is active.
contexa.bridge.authentication.request-attributes.agent-idctxa.delegation.agentIdDelegated agent ID.
contexa.bridge.authentication.request-attributes.objective-idctxa.delegation.objectiveIdDelegation objective ID.
contexa.bridge.authentication.request-attributes.objective-familyctxa.delegation.objectiveFamilyObjective family / type.
contexa.bridge.authentication.request-attributes.objective-summaryctxa.delegation.objectiveSummaryObjective summary.
contexa.bridge.authentication.request-attributes.allowed-operationsctxa.delegation.allowedOperationsPermitted operations list.
contexa.bridge.authentication.request-attributes.allowed-resourcesctxa.delegation.allowedResourcesPermitted resources list.
contexa.bridge.authentication.request-attributes.approval-requiredctxa.delegation.approvalRequiredWhether approval is required.
contexa.bridge.authentication.request-attributes.privileged-export-allowedctxa.delegation.privilegedExportAllowedWhether privileged export is allowed.
contexa.bridge.authentication.request-attributes.containment-onlyctxa.delegation.containmentOnlyContainment-only restriction flag.
contexa.bridge.authentication.request-attributes.expires-atctxa.delegation.expiresAtDelegation expiry instant.

Authentication HTTP Header Names

Properties under contexa.bridge.authentication.headers, bound to the shared Bridge.Headers class. Defines which header names Contexa reads from (and emits onto) HTTP traffic when a reverse proxy or gateway propagates authentication, authorization, or delegation context. All header names are configurable.

Toggle

PropertyTypeDefaultDescription
contexa.bridge.authentication.headers.enabledbooleantrueEnables HTTP-header-based extraction and emission.

Authentication headers (8)

PropertyDefaultDescription
contexa.bridge.authentication.headers.principal-idX-Contexa-Principal-IdPrincipal-identifier header.
contexa.bridge.authentication.headers.display-nameX-Contexa-Principal-NameDisplay-name header.
contexa.bridge.authentication.headers.authenticatedX-Contexa-AuthenticatedAuthenticated boolean header.
contexa.bridge.authentication.headers.authoritiesX-Contexa-AuthoritiesAuthorities collection header.
contexa.bridge.authentication.headers.authentication-typeX-Contexa-Authentication-TypeAuthentication-method header.
contexa.bridge.authentication.headers.authentication-assuranceX-Contexa-Authentication-AssuranceAuthentication-assurance header.
contexa.bridge.authentication.headers.mfa-completedX-Contexa-Mfa-CompletedMFA-completion header.
contexa.bridge.authentication.headers.authentication-timeX-Contexa-Authenticated-AtAuthentication-time header.

Authorization headers (7)

PropertyDefaultDescription
contexa.bridge.authentication.headers.authorization-effectX-Contexa-Authz-EffectAuthorization-effect header.
contexa.bridge.authentication.headers.privilegedX-Contexa-Authz-PrivilegedPrivileged-flow boolean header.
contexa.bridge.authentication.headers.policy-idX-Contexa-Authz-PolicyMatching-policy ID header.
contexa.bridge.authentication.headers.policy-versionX-Contexa-Authz-Policy-VersionPolicy-version header.
contexa.bridge.authentication.headers.scope-tagsX-Contexa-Authz-ScopeScope-tag header.
contexa.bridge.authentication.headers.effective-rolesX-Contexa-Authz-RolesEffective-roles header.
contexa.bridge.authentication.headers.effective-authoritiesX-Contexa-Authz-AuthoritiesEffective-authorities header.

Delegation headers (11)

PropertyDefaultDescription
contexa.bridge.authentication.headers.delegatedX-Contexa-DelegatedDelegation-active header.
contexa.bridge.authentication.headers.agent-idX-Contexa-Agent-IdDelegated-agent ID header.
contexa.bridge.authentication.headers.objective-idX-Contexa-Objective-IdObjective ID header.
contexa.bridge.authentication.headers.objective-familyX-Contexa-Objective-FamilyObjective family / type header.
contexa.bridge.authentication.headers.objective-summaryX-Contexa-Objective-SummaryObjective summary header.
contexa.bridge.authentication.headers.allowed-operationsX-Contexa-Allowed-OperationsPermitted-operations header.
contexa.bridge.authentication.headers.allowed-resourcesX-Contexa-Allowed-ResourcesPermitted-resources header.
contexa.bridge.authentication.headers.approval-requiredX-Contexa-Approval-RequiredApproval-required header.
contexa.bridge.authentication.headers.privileged-export-allowedX-Contexa-Privileged-Export-AllowedPrivileged-export-allowed header.
contexa.bridge.authentication.headers.containment-onlyX-Contexa-Containment-OnlyContainment-only header.
contexa.bridge.authentication.headers.expires-atX-Contexa-Delegation-Expires-AtDelegation-expiry header.

Authorization SecurityContext Keys

Properties under contexa.bridge.authorization.security-context, bound to Authorization.SecurityContext. When an external system stores authorization decisions (effect, policy ID, authorities, etc.) as attributes on the Spring SecurityContext Authentication, these keys define which candidate names Contexa tries to read that information. The first matching key wins.

PropertyTypeDefaultDescription
contexa.bridge.authorization.security-context.enabledbooleantrueEnables SecurityContext-based authorization extraction.
contexa.bridge.authorization.security-context.authorization-effect-keysList<String>[authorizationEffect, effect, decision, decisionEffect]Candidate keys used to extract the authorization effect (ALLOW/DENY).
contexa.bridge.authorization.security-context.privileged-keysList<String>[privileged, isPrivileged, privilegedFlow]Candidate keys used to extract the privileged-flow boolean.
contexa.bridge.authorization.security-context.policy-id-keysList<String>[policyId, policy, decisionPolicy]Candidate keys used to extract the matching policy ID.
contexa.bridge.authorization.security-context.policy-version-keysList<String>[policyVersion, version]Candidate keys used to extract the policy version.
contexa.bridge.authorization.security-context.scope-tag-keysList<String>[scopeTags, scopes, scope, permissionScopes, scp]Candidate keys used to extract scope tags.
contexa.bridge.authorization.security-context.role-keysList<String>[effectiveRoles, roles, roleSet, groups]Candidate keys used to extract the effective role set.
contexa.bridge.authorization.security-context.authority-keysList<String>[effectiveAuthorities, authorities, permissions, grantedAuthorities, scope, scp]Candidate keys used to extract the effective authority set.
contexa.bridge.authorization.security-context.attribute-keysList<String>[authorizationEffect, effect, privileged, policyId, policyVersion, scopeTags, scopes, scope, scp, roles, effectiveRoles, permissions, effectiveAuthorities]Additional attribute keys preserved in the authorization context (13 defaults).

Authorization Session Keys

Properties under contexa.bridge.authorization.session, bound to Authorization.Session. When an external system stores authorization decisions on a session-scoped user object, these keys define which attribute candidates to try and which keys to read for effect, policy, scope, role, and authority extraction.

PropertyTypeDefaultDescription
contexa.bridge.authorization.session.enabledbooleantrueEnables session-based authorization extraction.
contexa.bridge.authorization.session.attributeString"" (empty)Explicit session attribute name carrying the user object.
contexa.bridge.authorization.session.attribute-candidatesList<String>[currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal]Candidate attribute names tried in auto-discover mode.
contexa.bridge.authorization.session.auto-discoverbooleantrueWhether to walk the candidate-attribute list automatically.
contexa.bridge.authorization.session.object-type-nameString"" (empty)Optional fully-qualified class name the discovered object must match.
contexa.bridge.authorization.session.principal-id-keysList<String>[userId, username, id, loginId, email]Candidate keys used to extract the principal identifier.
contexa.bridge.authorization.session.authorization-effect-keysList<String>[authorizationEffect, effect, decision, decisionEffect]Candidate keys used to extract the authorization effect.
contexa.bridge.authorization.session.privileged-keysList<String>[privileged, isPrivileged, privilegedFlow]Candidate keys used to extract the privileged flag.
contexa.bridge.authorization.session.policy-id-keysList<String>[policyId, policy, decisionPolicy]Candidate keys used to extract the policy ID.
contexa.bridge.authorization.session.policy-version-keysList<String>[policyVersion, version]Candidate keys used to extract the policy version.
contexa.bridge.authorization.session.scope-tag-keysList<String>[scopeTags, scopes, scope, permissionScopes]Candidate keys used to extract scope tags (note: scp is not included here, unlike Authorization.SecurityContext).
contexa.bridge.authorization.session.role-keysList<String>[effectiveRoles, roles, roleSet]Candidate keys used to extract the effective role set (no groups).
contexa.bridge.authorization.session.authority-keysList<String>[effectiveAuthorities, authorities, permissions, grantedAuthorities]Candidate keys used to extract the effective authority set (no scope, scp).
contexa.bridge.authorization.session.attribute-keysList<String>[authorizationEffect, effect, privileged, policyId, policyVersion, scopeTags, scopes, roles, effectiveRoles, permissions, effectiveAuthorities, organizationId, orgId, tenantId, department, team]Additional attribute keys preserved in the authorization context (16 defaults).

Authorization RequestAttributes / Headers

Authorization reuses the same shared Bridge.RequestAttributes / Bridge.Headers classes. Key structure and defaults are identical to the Authentication RequestAttributes Keys and Authentication HTTP Header Names tables — only the prefix differs:

  • contexa.bridge.authorization.request-attributes.* — 39 fields, same table
  • contexa.bridge.authorization.headers.* — 27 fields, same table

The tables are not duplicated because BridgeProperties.java references a single class from three locations — keeping the documentation single-sourced.

Delegation Session Keys

Properties under contexa.bridge.delegation.session, bound to Delegation.Session. When an external system stores agent-delegation context — agent ID, objective, allowed operations/resources, approval requirement, expiry — on a session-scoped user object, these keys define which attribute candidates to try and which keys to read.

PropertyTypeDefaultDescription
contexa.bridge.delegation.session.enabledbooleantrueEnables session-based delegation extraction.
contexa.bridge.delegation.session.attributeString"" (empty)Explicit session attribute name carrying the user object.
contexa.bridge.delegation.session.attribute-candidatesList<String>[currentUser, authenticatedUser, sessionUser, userSession, principal, user, securityUser, authenticatedPrincipal]Candidate attribute names tried in auto-discover mode.
contexa.bridge.delegation.session.auto-discoverbooleantrueWhether to walk the candidate list automatically. (Note: Delegation.Session does not expose an object-type-name field.)
contexa.bridge.delegation.session.principal-id-keysList<String>[userId, username, id, loginId, email]Candidate keys used to extract the principal identifier.
contexa.bridge.delegation.session.delegated-keysList<String>[delegated, delegationEnabled, agentDelegated]Candidate keys used to extract the delegation-active flag.
contexa.bridge.delegation.session.agent-id-keysList<String>[agentId, delegateAgentId]Candidate keys used to extract the agent ID.
contexa.bridge.delegation.session.objective-id-keysList<String>[objectiveId, taskPurpose, delegationObjectiveId]Candidate keys used to extract the delegation objective ID.
contexa.bridge.delegation.session.objective-family-keysList<String>[objectiveFamily, objectiveType, delegationObjectiveFamily]Candidate keys used to extract the objective family / type.
contexa.bridge.delegation.session.objective-summary-keysList<String>[objectiveSummary, taskSummary, delegationObjectiveSummary]Candidate keys used to extract the objective summary.
contexa.bridge.delegation.session.allowed-operations-keysList<String>[allowedOperations, delegatedOperations, permittedOperations]Candidate keys used to extract the permitted operations list.
contexa.bridge.delegation.session.allowed-resources-keysList<String>[allowedResources, delegatedResources, permittedResources]Candidate keys used to extract the permitted resources list.
contexa.bridge.delegation.session.approval-required-keysList<String>[approvalRequired, requiresApproval]Candidate keys used to extract the approval-required flag.
contexa.bridge.delegation.session.privileged-export-allowed-keysList<String>[privilegedExportAllowed, allowPrivilegedExport]Candidate keys used to extract the privileged-export-allowed flag.
contexa.bridge.delegation.session.containment-only-keysList<String>[containmentOnly, restrictedContainment]Candidate keys used to extract the containment-only flag.
contexa.bridge.delegation.session.expires-at-keysList<String>[expiresAt, delegationExpiresAt]Candidate keys used to extract the delegation expiry instant.
contexa.bridge.delegation.session.attribute-keysList<String>[delegated, agentId, objectiveId, objectiveFamily, objectiveSummary, allowedOperations, allowedResources, approvalRequired, privilegedExportAllowed, containmentOnly, expiresAt, organizationId, orgId, tenantId, department, team]Additional attribute keys preserved in the delegation context (16 defaults).

Delegation RequestAttributes / Headers

Delegation reuses the same shared Bridge.RequestAttributes / Bridge.Headers classes. Key structure and defaults match the Authentication RequestAttributes Keys and Authentication HTTP Header Names tables — only the prefix differs:

  • contexa.bridge.delegation.request-attributes.* — 39 fields, same table
  • contexa.bridge.delegation.headers.* — 27 fields, same table

Security Kafka Properties

Properties under contexa.security.kafka, bound to SecurityKafkaProperties. Configures Kafka topic names for Contexa's security event pipeline.

Property Type Default Description
contexa.security.kafka.topic (TopicSettings)
.authorizationStringsecurity-authorization-eventsAuthorization-decision event topic.
.authenticationStringauth-eventsAuthentication event topic.
.incidentStringsecurity-incident-eventsSecurity-incident event topic.
.threatStringthreat-indicatorsThreat-indicators topic.
.auditStringsecurity-audit-eventsAudit-event topic.
.generalStringsecurity-eventsGeneral security-event topic.
.dlqStringsecurity-events-dlqDead-letter queue topic for failed event processing.
.soar-actionStringsoar-action-eventsSOAR action event topic.
contexa.security.kafka.dlq (DlqSettings)
.max-retriesint3Maximum DLQ processing retries.
.retry-delay-msint5000Delay between retries in milliseconds.
.alert-thresholdint10Alerting threshold for the number of DLQ messages.
YAML
security:
  kafka:
    topic:
      authorization: security-authorization-events
      authentication: auth-events
      incident: security-incident-events
      threat: threat-indicators
      audit: security-audit-events
      general: security-events
      dlq: security-events-dlq
      soar-action: soar-action-events
    dlq:
      max-retries: 3
      retry-delay-ms: 5000
      alert-threshold: 10

Related: Zero Trust Security Reference | SOAR Automation Reference

OpenTelemetry Properties

Properties under contexa.opentelemetry, bound to OpenTelemetryProperties. Configures the OpenTelemetry integration for distributed tracing, metrics export, and observability.

Property Type Default Description
contexa.opentelemetry
.enabled boolean true Enable OpenTelemetry trace and metric export
.service-name String contexa-core Service name in trace spans and metric labels
.exporter-endpoint String http://localhost:4317 OTLP exporter endpoint (gRPC; 4318 for HTTP)
.sampling-probability double 1.0 Sampling probability (0.0–1.0); lower in production
YAML
contexa:
  opentelemetry:
    enabled: true
    service-name: "my-application"
    exporter-endpoint: "http://otel-collector.monitoring:4317"
    sampling-probability: 0.1

Security Plane Properties

Properties under contexa.security.plane, bound to SecurityPlaneProperties. The class configures the distributed security-plane agent, Kafka topics, Redis relay settings, monitoring batches, deduplication windows, and the LLM executor pool used by asynchronous security analysis.

Property Type Default Description
contexa.security.plane.agent
.nameStringSecurityPlaneAgent-1Agent instance name
.auto-startbooleantrueAuto-starts the agent on boot
.organization-idStringdefault-orgOrganization identifier for distributed deployments
.execution-modeStringASYNCAgent execution mode
.auto-approve-low-riskbooleanfalseAutomatically approves low-risk decisions when enabled
.event-timeout-mslong30000Per-event processing timeout
.max-deferred-retriesint3Deferred retry limit for agent processing
contexa.security.plane.kafka
.bootstrap-serversStringlocalhost:9092Kafka bootstrap servers
.group-idStringsecurity-plane-consumerKafka consumer group id
.topics.contexa-security-eventsStringcontexa-security-eventsSecurity event topic
.topics.threat-indicatorsStringthreat-indicatorsThreat indicator topic
.topics.network-eventsStringnetwork-eventsNetwork event topic
.topics.auth-eventsStringauth-eventsAuthentication event topic
contexa.security.plane.monitor
.queue-sizeint10000Event queue capacity
.batch-sizeint8Monitoring batch size
.flush-interval-mslong500Batch flush interval
.correlation-window-minutesint10Correlation window size
.dedup-window-minutesint5Deduplication time window
contexa.security.plane.notifier
.batch-sizeint10Notification batch size
.async-enabledbooleantrueEnable async notification dispatch
.critical-thresholddouble0.8Critical alert threshold
contexa.security.plane.redis
.batch-sizeint50Redis publish batch size
.cache.ttl-minutesint60Redis relay cache TTL
.channel.contexa-security-eventsStringsecurity:eventsRedis security event channel
.channel.threat-alertsStringsecurity:threatsRedis threat alert channel
contexa.security.plane.llm-executor
.core-pool-sizeint2Core thread pool size for LLM analysis
.max-pool-sizeint2Maximum thread pool size for LLM analysis
.queue-capacityint50Queue capacity for pending LLM work
contexa.security.plane.deduplication
.enabledbooleantrueDeduplication toggle
.window-minutesint5Deduplication window size
.cache-sizeint10000Deduplication cache size
YAML
security:
  plane:
    agent:
      name: SecurityPlaneAgent-1
      auto-start: true
      organization-id: default-org
      execution-mode: ASYNC
      auto-approve-low-risk: false
      event-timeout-ms: 30000
      max-deferred-retries: 3
    llm-executor:
      core-pool-size: 2
      max-pool-size: 2
      queue-capacity: 50
    deduplication:
      enabled: true
      window-minutes: 5
      cache-size: 10000

Related: Zero Trust Flow, SOAR Reference

Router Properties

Properties under contexa.security.router, bound to SecurityRouterProperties. Defines the score thresholds used when routing security events (SOAR automation / block / analysis confidence / pass-through).

PropertyTypeDefaultDescription
contexa.security.router.threshold
.soardouble0.9SOAR automated response threshold
.blockdouble0.8Block decision threshold
.analysis-confidencedouble0.6Analysis result acceptance confidence
.pass-throughdouble0.6Pass-through allowance threshold

Event Properties

Properties under contexa.security.event, bound to SecurityEventProperties. Configures event publishing gates, the asynchronous executor pool, per-tier latency budgets, and the deduplication cache.

PropertyTypeDefaultDescription
contexa.security.event.publishing
.enabledbooleantrueEnable event publishing
.exclude-urisString/actuator,/health,/metricsComma-separated URI prefixes excluded from publishing
.anonymous.enabledbooleantrueEnable event publishing for anonymous users
contexa.security.event.executor
.core-pool-sizeintcores × 2Core thread pool size for event processing
.max-pool-sizeintcores × 4Maximum thread pool size
.queue-capacityint10000Pending event queue capacity
contexa.security.event.tier
.critical.max-latency-msint100Latency budget for critical events (ms)
.contextual.max-latency-msint1000Latency budget for contextual events (ms)
.general.max-latency-msint10000Latency budget for general events (ms)
.general.sampling-ratedouble0.1General event sampling rate
contexa.security.event.deduplication
.enabledbooleantrueEnable deduplication
.window-minutesint5Deduplication window (minutes)
.cache-sizeint10000Deduplication cache size

Cold-Path Properties

Properties under contexa.security.coldpath, bound to SecurityColdPathProperties. Defines per-layer baseline confidence values for the asynchronous LLM analysis path.

PropertyTypeDefaultDescription
contexa.security.coldpath.confidence
.layer1-basedouble0.5Base confidence for layer-1 analysis
.layer2-basedouble0.7Base confidence for layer-2 analysis

Pipeline Properties

Properties under contexa.security.pipeline, bound to SecurityPipelineProperties. Configures the Redis · Kafka transport channels of the security event pipeline.

PropertyTypeDefaultDescription
contexa.security.pipeline.kafka
.topicStringcontexa-security-eventsKafka topic the pipeline publishes to

Note: contexa.security.pipeline.redis is an empty marker group. Actual Redis behavior is configured under contexa.security.plane.redis and security.zerotrust.redis.

Security Redis Properties

Properties under contexa.security.redis, bound to SecurityRedisProperties. Configures Redis pub/sub channel names, Redis stream keys, TTL, and memory thresholds for Contexa's security events.

PropertyTypeDefaultDescription
contexa.security.redis.channel (ChannelSettings)
.authorizationStringsecurity:authorization:eventsAuthorization-event pub/sub channel.
.authenticationStringsecurity:eventsAuthentication-event pub/sub channel.
.incidentStringsecurity:incidentsIncident pub/sub channel.
.threatStringsecurity:threatsThreat pub/sub channel.
.auditStringsecurity:audit:eventsAudit pub/sub channel.
.generalStringsecurity:eventsGeneral pub/sub channel.
contexa.security.redis.stream (StreamSettings)
.authorizationStringsecurity:stream:authorizationAuthorization Redis stream key.
.incidentStringsecurity:stream:incidentIncident Redis stream key.
.threatStringsecurity:stream:threatThreat Redis stream key.
.auditStringsecurity:stream:auditAudit Redis stream key.
.generalStringsecurity:stream:generalGeneral Redis stream key.
.authenticationStringsecurity:stream:authenticationAuthentication Redis stream key.
.maxlenint10000Maximum entries per Redis stream (XADD MAXLEN).
contexa.security.redis.ttl (TtlSettings)
.minutesint60Default Redis TTL for event data (minutes).
contexa.security.redis.memory (MemorySettings)
.max-mbint1024Memory cap (MB) Contexa security events may consume in Redis.
.warning-thresholddouble0.8Warning threshold for memory usage (0.0-1.0).
.critical-thresholddouble0.9Critical threshold for memory usage (0.0-1.0).

Scheduler Lock Properties

Properties under contexa.scheduler.lock, bound to ContexaSchedulerLockProperties (record). Controls the ShedLock auto-configuration that ensures single execution of @Scheduled + @SchedulerLock methods across multiple JVMs. Single-instance deployments may keep the defaults — locks always succeed and the overhead is negligible.

PropertyTypeDefaultDescription
contexa.scheduler.lock
.enabledbooleantrueWhether the ShedLock auto-configuration registers a LockProvider bean. Setting this to false disables every @SchedulerLock; each @Scheduled method then reverts to single-JVM-only exclusivity.
.default-lock-at-most-forDuration5mFallback upper bound applied when a specific scheduler omits lockAtMostFor. Prevents stuck locks from surviving indefinitely after a JVM crash.
.use-database-timebooleantrueWhen true, the JdbcTemplateLockProvider uses now() from the database engine so every instance sees the same clock. When false, it falls back to the JVM clock (useful for local H2 tests with a misaligned timezone).

DataSource Properties

Properties under contexa.datasource, bound to ContexaDataSourceProperties. Defines the database connection Contexa uses for its own metadata (policies, users, audit log, etc.). Can be isolated from the host application's spring.datasource.

PropertyTypeDefaultDescription
contexa.datasource
.urlStringnullJDBC URL. When empty, the host application's spring.datasource.url may be reused depending on the isolation policy.
.usernameStringnullDatabase username.
.passwordStringnullDatabase password.
.driver-class-nameStringnullJDBC driver class name. When empty, derived from the URL automatically.
contexa.datasource.isolation (Isolation)
.allow-shared-application-datasourcebooleanfalseAllows reusing the host application's datasource. Default is isolation (separate connection pool).
.shared-application-datasource-risk-acceptedbooleanfalseOperator's explicit acknowledgment of the risk of using a shared datasource.
.contexa-owned-applicationbooleanfalseIndicates that the application itself is operated by Contexa (bypasses isolation validation).

Full Configuration Example

A production-ready application.yml combining all infrastructure properties for a distributed deployment with Redis, Kafka, and an external OpenTelemetry collector.

YAML
# Infrastructure configuration for Contexa distributed deployment
contexa:
  enabled: true
  infrastructure:
    mode: DISTRIBUTED
    redis:
      enabled: true
    kafka:
      enabled: true
    observability:
      enabled: true
      open-telemetry-enabled: true

  # Multi-tier caching
  cache:
    type: HYBRID
    local:
      max-size: 5000
      default-ttl-seconds: 120
    redis:
      default-ttl-seconds: 600
      key-prefix: "contexa:cache:"
    pubsub:
      enabled: true
      channel: "contexa:cache:invalidation"
    domains:
      users:
        local-ttl-seconds: 1800
        redis-ttl-seconds: 3600
      roles:
        local-ttl-seconds: 7200
        redis-ttl-seconds: 14400
      permissions:
        local-ttl-seconds: 14400
        redis-ttl-seconds: 28800
      groups:
        local-ttl-seconds: 7200
        redis-ttl-seconds: 14400
      policies:
        local-ttl-seconds: 15
        redis-ttl-seconds: 120
      soar:
        local-ttl-seconds: 900
        redis-ttl-seconds: 900
      hcad:
        local-ttl-seconds: 86400
        redis-ttl-seconds: 86400

  # OpenTelemetry
  opentelemetry:
    enabled: true
    service-name: "contexa-production"
    exporter-endpoint: "http://otel-collector.monitoring:4317"
    sampling-probability: 0.1

  # Security Infrastructure
  security:
    kafka:
      topic:
        dlq: "security-events-dlq"
    redis:
      ttl:
        minutes: 60
      memory:
        max-mb: 1024
    plane:
      agent:
        organization-id: "default-org"
        execution-mode: "ASYNC"
      llm-executor:
        core-pool-size: 2
        max-pool-size: 2
      deduplication:
        enabled: true
        window-minutes: 5
        cache-size: 10000