Skip to main content

Documentation Index

Fetch the complete documentation index at: https://www.aidonow.com/llms.txt

Use this file to discover all available pages before exploring further.

Executive Summary

Manual configuration retrieval in multi-tenant SaaS handlers produces three compounding deficiencies: inconsistent error handling patterns across call sites, no structural guarantee that handlers respect the correct tenant or environment scope, and progressive accumulation of boilerplate that accounts for a disproportionate share of handler complexity. This analysis documents the design and implementation of a hierarchical configuration middleware for a Rust/Actix-web platform, wherein a three-level resolution chain (platform defaults → tenant overrides → capsule-level overrides) is executed once per request and injected into handlers via type-safe request data. The migration eliminated 340 lines of configuration boilerplate across 17 handlers, reduced DynamoDB calls from 17,000 per 1,000 requests to 8 through a Moka cache layer with a 5-minute TTL, and reduced P99 latency by 42 milliseconds. A critical ordering defect — ConfigMiddleware registered before CapsuleExtractor in the middleware chain — was identified during verification and required human knowledge of Actix-web’s middleware execution model to resolve. Organizations implementing hierarchical configuration systems should treat middleware injection as the default pattern, use compiler enforcement as a substitute for documentation, and add a configuration preview endpoint to reduce the risk of misconfiguration in production environments.

Key Findings

  1. Repetitive manual configuration loading across 17 handlers produced 340 lines of boilerplate with inconsistent error handling and no structural guarantee that every handler loaded the correct tenant-scoped configuration.
  2. Middleware-based injection makes configuration loading mandatory and uniform: a handler that declares config: web::ReqData<ConfigContext> will not compile unless ConfigMiddleware is registered, eliminating the configuration-omission defect class entirely.
  3. A three-level hierarchical fallback chain (platform defaults → tenant overrides → capsule overrides) enables differentiated configuration per customer and environment without any handler-level awareness of the resolution logic.
  4. A Moka cache layer with a 10,000-entry capacity and 5-minute TTL achieved a 99.2 percent cache hit rate, reducing DynamoDB calls by 99.95 percent (from 17,000 to 8 per 1,000 requests) and mean configuration load latency from 45 ms to 0.3 ms.
  5. AI-generated middleware implementations correctly model data flow but do not infer framework-specific execution order; the initial middleware registration sequence was inverted, requiring human knowledge of Actix-web’s wrap execution model to correct.
  6. A configuration preview endpoint — returning effective resolved configuration with per-field source attribution before any change is committed — materially reduces production misconfiguration risk for operators managing multi-level overrides.

1. Problem Definition: Configuration Chaos in Multi-Tenant Handlers

By January 2026, the subject platform exhibited a configuration management pattern that was architecturally unsound despite appearing locally reasonable at each individual call site. The deficiencies were structural:
  • JWT expiration values were hardcoded in three separate locations, creating the possibility that a value change in one location would not propagate to others.
  • Each crate read std::env::var() directly, bypassing any centralized governance or override capability.
  • No mechanism existed for tenant-specific configuration overrides, precluding the differentiation that enterprise customers commonly require.
  • No hierarchy existed spanning platform defaults, tenant overrides, and environment-specific capsule overrides.
The consequence was a handler pattern that repeated configuration retrieval logic in every endpoint:
Before (Manual Config Loading)
pub async fn login_handler(
    config_service: web::Data<Arc<ConfigService>>,
    tenant_id: web::Path<String>,
    capsule: web::ReqData<CapsuleContext>,
) -> Result<HttpResponse> {
    // Manual config loading - repeated in EVERY handler
    let auth_config = config_service
        .get_auth_config(&tenant_id, Some(&capsule.capsule_id))
        .await
        .map_err(|e| ErrorInternalServerError(e))?;

    let jwt_expiry = auth_config.jwt_expiration_seconds;
    // ... handler logic
}
With 17 handlers each containing this pattern, the platform had 17 independent opportunities to introduce incorrect error handling, reference the wrong tenant scope, or fail to load configuration at all. None of these failure modes were detectable at compile time.

2. Architectural Solution: Middleware-Enforced Hierarchical Resolution

The AI evaluator agent’s principal contribution was identifying the problem as a middleware design challenge rather than a service design challenge. The distinction is consequential: a service that handlers must explicitly invoke remains optional; a middleware that executes on every request is structurally mandatory. The proposed architecture chains three middleware components: 
Request → CapsuleExtractor → ConfigMiddleware → Handler
          (extracts scope)    (loads config)    (uses config)
After middleware execution, handlers receive fully resolved configuration through Actix-web’s typed request data mechanism:
After (Automatic Injection)
pub async fn login_handler(
    config: web::ReqData<ConfigContext>,  // Automatic!
) -> Result<HttpResponse> {
    // Config already resolved and injected
    let jwt_expiry = config.auth_config.jwt_expiration_seconds;
    // ... handler logic
}

2.1 Hierarchical Resolution Chain

The ConfigService resolves configuration using a cascading fallback chain. The most specific scope that provides a value wins; if no override exists at a given scope, resolution falls through to the next level. 
impl ConfigService {
    pub async fn get_auth_config(
        &self,
        tenant_id: &str,
        capsule_id: Option<&str>,
    ) -> Result<Arc<AuthConfig>> {
        // Try capsule-level override
        if let Some(capsule_id) = capsule_id {
            if let Some(config) = self.get_capsule_config(tenant_id, capsule_id).await? {
                return Ok(Arc::new(config));
            }
        }

        // Try tenant-level override
        if let Some(config) = self.get_tenant_config(tenant_id).await? {
            return Ok(Arc::new(config));
        }

        // Fall back to platform defaults (env vars)
        Ok(Arc::new(self.get_platform_defaults()))
    }
}
The resolution behavior for a representative configuration value illustrates the differentiation capability this enables: 
Platform defaults:     jwt_expiration_seconds = 3600 (1 hour)
Tenant override:       jwt_expiration_seconds = 7200 (2 hours, enterprise)
Capsule override:      jwt_expiration_seconds = 300  (5 min, dev env)

Result for dev capsule: 300 seconds
Result for prod capsule: 7200 seconds (tenant override)

2.2 Caching Architecture

DynamoDB retrieval on every request would introduce unacceptable latency at non-trivial traffic volumes. A Moka cache layer with configurable capacity and TTL sits between the middleware and the DynamoDB repository. 
pub struct ConfigService {
    cache: Arc<Cache<ConfigCacheKey, Arc<AuthConfig>>>,
    repository: Arc<dyn ConfigRepository>,
}

impl ConfigService {
    pub fn new(repository: Arc<dyn ConfigRepository>) -> Self {
        let cache = Cache::builder()
            .max_capacity(10_000)  // 10K tenant/capsule combos
            .time_to_live(Duration::from_secs(300))  // 5 min TTL
            .build();

        Self { cache: Arc::new(cache), repository }
    }
}

struct ConfigCacheKey {
    tenant_id: String,
    capsule_id: Option<String>,
    scope: ConfigScope,  // Platform, Tenant, Capsule
}
The 5-minute TTL is deliberate. Configuration changes are infrequent and operationally planned; a 5-minute propagation delay is acceptable in exchange for a 99.2 percent cache hit rate that eliminates DynamoDB as a per-request latency contributor.

3. Operational Deficiency: Middleware Execution Order

The initial implementation contained a defect that was architecturally subtle but operationally severe.
Deficiency Identified: ConfigMiddleware was registered before CapsuleExtractor in the Actix-web middleware chain. Because ConfigMiddleware depends on CapsuleContext — produced by CapsuleExtractor — to determine which tenant and capsule scope to load, registering it first caused every configuration resolution attempt to fail with no scope information available.Actix-web Execution Model: Actix-web’s .wrap() calls execute in reverse registration order. The last-registered middleware executes first. This is consistent with the layered-wrapper pattern common in web framework design, but it is not documented prominently and is a common source of ordering defects.Resolution:
// WRONG ORDER
App::new()
    .wrap(ConfigMiddleware::new(config_service))  // Runs first
    .wrap(CapsuleExtractor::new())                // Runs second

// CORRECT ORDER
App::new()
    .wrap(CapsuleExtractor::new())                // Runs first
    .wrap(ConfigMiddleware::new(config_service))  // Runs second
Implication: AI agents correctly model data flow dependencies between components but do not infer framework-specific execution semantics. Human review by practitioners familiar with the target framework is required before middleware registration patterns are considered correct.

4. REST API Surface for Configuration Management

The implementation exposed 10 endpoints spanning the three configuration scopes. This API enables operators to manage configuration at any level of the hierarchy without direct database access. Platform Configuration: 
GET    /api/platform/config/auth
PUT    /api/platform/config/auth
POST   /api/platform/config/auth/reset
Tenant Configuration: 
GET    /api/{tenant_id}/config/auth
PUT    /api/{tenant_id}/config/auth
DELETE /api/{tenant_id}/config/auth
Capsule Configuration: 
GET    /api/{tenant_id}/capsules/{capsule_id}/config/auth
PUT    /api/{tenant_id}/capsules/{capsule_id}/config/auth
DELETE /api/{tenant_id}/capsules/{capsule_id}/config/auth
POST   /api/{tenant_id}/capsules/{capsule_id}/config/auth/preview
The preview endpoint returns the effective resolved configuration that would result from a proposed override, along with per-field source attribution, without persisting any change: 
POST /api/tenant-123/capsules/DEVUS/config/auth/preview
{
  "jwt_expiration_seconds": 300
}

Response:
{
  "effective_config": {
    "jwt_expiration_seconds": 300,
    "refresh_token_ttl_seconds": 7200,
    "enable_ses": true
  },
  "source": {
    "jwt_expiration_seconds": "capsule",
    "refresh_token_ttl_seconds": "tenant",
    "enable_ses": "platform"
  }
}
This gives operators complete visibility into the resolution hierarchy before committing a change — materially reducing the risk of misconfiguration in environments where multiple override levels interact.

5. Migration: From Manual Boilerplate to Compiler Enforcement

The migration from manual configuration loading to middleware injection followed a three-step per-handler pattern, documented in a structured migration guide that reduced per-crate migration time from approximately two days to two hours. Step 1: Remove ConfigService dependency 
Before:
async fn handler(
    config_service: web::Data<Arc<ConfigService>>,
    tenant_id: web::Path<String>,
) -> Result<HttpResponse>

After:
async fn handler(
    config: web::ReqData<ConfigContext>,
) -> Result<HttpResponse>
Step 2: Replace config loading 
Before:
let auth_config = config_service
    .get_auth_config(&tenant_id, None)
    .await?;

After:
// Config already loaded by middleware
let auth_config = &config.auth_config;
Step 3: Update main.rs middleware chain 
App::new()
    .wrap(CapsuleExtractor::new())  // MUST be first
    .wrap(ConfigMiddleware::new(config_service))
    .service(web::scope("/api").configure(routes))
The migration of 17 handlers resulted in a net code reduction of 161 lines, removed 17 independent error handling blocks, and eliminated all manually managed ConfigService.get() call sites.

6. Comparative Analysis: Manual vs. Middleware Configuration

DimensionManual ConfigService CallsMiddleware Injection
Handler boilerplate~20 lines per handler0 lines per handler
Error handling consistencyVariable — per-developer discretionUniform — single middleware implementation
Compile-time enforcementNone — omission is a runtime defectEnforced — missing declaration fails compilation
DynamoDB calls per 1,000 requests17,0008
Mean config load latency45 ms0.3 ms (cached)
Tenant scope accuracyDependent on correct parameter threadingStructural — middleware extracts scope
Configuration change propagationImmediateUp to 5 minutes (cache TTL)
Production misconfiguration riskHigh — no preview capabilityReduced — preview endpoint available

7. AI Collaboration Profile

AI Capability Boundary: AI agents correctly model middleware data flow and generate implementation code that handles the functional requirements of hierarchical resolution. They do not infer framework-specific execution semantics — specifically, the reverse-order execution of Actix-web middleware wrappers. Human review by practitioners with target-framework expertise is required before middleware registration patterns are validated.
TaskAI ContributionHuman Contribution
Middleware pattern identificationHigh — proposed chain architectureProvided hierarchy requirements
ConfigService implementationHigh — hierarchical fallback logicReviewed fallback order
Caching layer designMedium — generated structureSpecified capacity, TTL values
Middleware registration orderLow — incorrect initiallyCorrected based on framework knowledge
Test generation (28 tests)High — systematic coverageReviewed edge cases
Migration guide authorshipHigh — systematic patternValidated per-crate accuracy

8. Recommendations

  1. Adopt middleware injection as the default pattern for cross-cutting request data. Any data that all or most handlers require — configuration, authentication context, tenant scope — should be resolved in middleware and injected via type-safe request data. This converts optional conventions into structural requirements.
  2. Cache configuration at the service layer, not the handler layer. Moka or equivalent in-process caches placed in front of configuration backends eliminate DynamoDB as a per-request latency source. A 5-minute TTL is appropriate for configuration data that changes infrequently; adjust based on the operational profile of the target environment.
  3. Implement a configuration preview endpoint before deploying multi-level hierarchy management. The ability to see the effective resolved configuration before committing a change prevents operators from inadvertently introducing production misconfiguration through override interactions that are not immediately obvious.
  4. Document middleware execution order explicitly in the codebase. Actix-web’s reverse-order execution model is a known source of defects. Add a comment in main.rs at the middleware registration site that states the execution order explicitly, with a reference to the framework documentation.
  5. Produce a structured migration guide before migrating multiple crates. A guide covering the three-step per-handler migration pattern reduces per-crate migration time from days to hours and ensures that the migration is executed consistently across the codebase.
Use web::ReqData<T> in Actix-web for type-safe middleware injection. If a handler declares config: web::ReqData<ConfigContext>, it will not compile unless ConfigMiddleware is registered in the application. This converts a class of runtime defects into compile-time errors at zero additional development cost.

9. Implementation Metrics Summary

MetricValue
Handlers migrated17
Boilerplate removed340 lines
ConfigMiddleware implementation179 lines
Net code reduction161 lines (32%)
Manual ConfigService.get() calls after migration0
Tests added28 (middleware + service + repository)
Existing tests preserved382
Configuration bugs post-deployment0
Cache hit rate99.2%
DynamoDB calls per 1,000 requests (before)17,000
DynamoDB calls per 1,000 requests (after)8
Config load latency — cached0.3 ms
Config load latency — uncached45 ms
P99 latency improvement42 ms
Infrastructure added (total)5,541 lines

10. Conclusion and Forward-Looking Assessment

Hierarchical configuration middleware converts a pervasive source of inconsistency — manual, ad hoc configuration retrieval — into a structural guarantee enforced by the compiler. The resulting system is not merely more convenient; it is architecturally more correct, eliminating defect classes that documentation and code review cannot reliably prevent. The caching architecture delivers a performance benefit that scales with request volume: as the platform grows, the ratio of DynamoDB calls to requests remains bounded by cache hit rate rather than growing proportionally to handler count. This is not an optimization — it is a prerequisite for operating configuration-dependent services at production scale. As multi-tenant SaaS platforms evolve toward more granular customer-specific configuration — a trajectory driven by enterprise customer requirements — the hierarchical resolution model documented here provides an extensibility foundation that flat configuration architectures cannot accommodate without rearchitecture. Organizations that implement middleware-enforced hierarchical configuration early will find that accommodating new configuration scopes requires extension rather than redesign.

Resources and Further Reading

Next in This Series

Week 6: How we built event-sourced workflows with saga patterns and automatic compensation logic.

Week 6: Saga Workflow Patterns

State machines that handle multi-step business processes with rollback

Discussion

Share Your Experience

How do you handle configuration in multi-tenant systems? Manual lookups or automatic injection?Connect on LinkedIn
Disclaimer: This content represents my personal learning journey using AI for a personal project. It does not represent my employer’s views, technologies, or approaches.All code examples are generic patterns or pseudocode for educational purposes.