Configuracions predefinides
A Simple Vista
Decision Gate ofereix quatre presets curats per equilibrar la velocitat d’integració amb la postura de seguretat. Trieu-ne un, executeu-lo i després avanceu al següent.
| Preconfiguració | Intenció | Ruta |
|---|---|---|
| Quickstart-Dev | Incorporació local amb la menor fricció | configs/presets/quickstart-dev.toml |
| Default-Recommended | Ús local segur per defecte | configs/presets/default-recommended.toml |
| Container-Prod | Base de servidor en contenidor (autenticació bearer, TLS ascendent) | configs/presets/container-prod.toml |
| Hardened | Postura de seguretat local forta (autenticació bearer + signatura) | configs/presets/hardened.toml |
Important: Cada preset és executable. Per a l’exposició en producció, utilitzeu TLS (en contenidor o terminació a l’upstream) i mTLS tal com es descriu a la guia de seguretat.
Quickstart-Dev (Mínima Fricció)
Executa-ho:
cargo run -p decision-gate-cli -- serve --config configs/presets/quickstart-dev.toml
Config:
# Decision Gate preset: Quickstart-Dev
# Lowest-friction local setup for first-time users.
# NOT for shared machines or production.
[server]
transport = "http"
bind = "127.0.0.1:4000"
mode = "strict"
[server.auth]
mode = "local_only"
[dev]
permissive = true
permissive_warn = true
[namespace]
allow_default = true
default_tenants = [1]
[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"
[evidence]
allow_raw_values = false
require_provider_opt_in = true
[schema_registry]
type = "sqlite"
path = "decision-gate-registry.db"
[schema_registry.acl]
# Allow local-only registry access without explicit principal mappings.
allow_local_only = true
require_signing = false
[run_state_store]
# Use SQLite for local durability.
type = "sqlite"
path = "decision-gate.db"
journal_mode = "wal"
sync_mode = "full"
busy_timeout_ms = 5000
[[providers]]
name = "time"
type = "builtin"
[[providers]]
name = "env"
type = "builtin"
[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }
[[providers]]
name = "http"
type = "builtin"
Postura de risc: el bypass només local està habilitat per a l’accés al registre. Això és acceptable per a una màquina d’usuari únic, però no per a hosts compartits.
Nota: Aquests presets assumeixen que existeix un directori ./evidence per a la arrel del proveïdor json. Creeu-lo (o canvieu root) abans d’iniciar el servidor.
Per defecte - Recomanat (Per defecte local segur)
Executa-ho:
cargo run -p decision-gate-cli -- serve --config configs/presets/default-recommended.toml
Config:
# Decision Gate preset: Default-Recommended
# Safe-by-default local configuration with explicit principal mapping.
[server]
transport = "http"
bind = "127.0.0.1:4000"
mode = "strict"
[server.auth]
mode = "local_only"
[[server.auth.principals]]
subject = "loopback"
policy_class = "prod"
[[server.auth.principals.roles]]
name = "TenantAdmin"
tenant_id = 1
namespace_id = 1
[namespace]
allow_default = true
default_tenants = [1]
[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"
[evidence]
allow_raw_values = false
require_provider_opt_in = true
[schema_registry]
type = "sqlite"
path = "decision-gate-registry.db"
[schema_registry.acl]
# Enforce principal mapping even for local-only requests.
allow_local_only = false
require_signing = false
[run_state_store]
# Use SQLite for local durability.
type = "sqlite"
path = "decision-gate.db"
journal_mode = "wal"
sync_mode = "full"
busy_timeout_ms = 5000
[[providers]]
name = "time"
type = "builtin"
[[providers]]
name = "env"
type = "builtin"
[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }
[[providers]]
name = "http"
type = "builtin"
Container-Prod (Base de contenidors)
Executa-ho:
DECISION_GATE_ALLOW_NON_LOOPBACK=1 cargo run -p decision-gate-cli -- serve \
--config configs/presets/container-prod.toml
Config:
# Decision Gate preset: Container-Prod
# Production-oriented container configuration.
# Requires explicit auth and upstream TLS termination.
[server]
transport = "http"
bind = "0.0.0.0:8080"
mode = "strict"
tls_termination = "upstream"
[server.auth]
mode = "bearer_token"
# Replace this token and update the principal subject hash below.
bearer_tokens = ["dg-container-demo-token"]
[[server.auth.principals]]
# Subject is token:sha256(bearer_token). Update when rotating the token.
subject = "token:5e268e45a49c26207274917a880f33eafbf6e98563170d0bfe1504408d33d18c"
policy_class = "prod"
[[server.auth.principals.roles]]
name = "TenantAdmin"
tenant_id = 1
[namespace]
# Disable the default namespace id=1; use a non-default namespace (e.g., 2).
allow_default = false
[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"
[evidence]
allow_raw_values = false
require_provider_opt_in = true
[schema_registry]
type = "memory"
[schema_registry.acl]
allow_local_only = false
require_signing = false
[run_state_store]
type = "memory"
[[providers]]
name = "time"
type = "builtin"
[[providers]]
name = "env"
type = "builtin"
[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }
[[providers]]
name = "http"
type = "builtin"
Postura de risc: s’exigeix autenticació explícita; es pressuposa la terminació TLS a munt. Vegeu Docs/guides/container_deployment.md per a orientació sobre el desplegament.
Hardened (Bearer Auth + Signing)
Executa-ho:
cargo run -p decision-gate-cli -- serve --config configs/presets/hardened.toml
Config:
# Decision Gate preset: Hardened
# Strong local security posture. For production, add TLS + mTLS.
[server]
transport = "http"
bind = "127.0.0.1:4000"
mode = "strict"
[server.auth]
mode = "bearer_token"
# Replace this token and update the principal subject hash below.
bearer_tokens = ["dg-hardened-demo-token"]
[[server.auth.principals]]
# Subject is token:sha256(bearer_token). Update when rotating the token.
subject = "token:73a7ceabc74caaa14553ad02540165ba8ad8b709f15e6503b8879552f22042a1"
policy_class = "prod"
[[server.auth.principals.roles]]
name = "TenantAdmin"
tenant_id = 1
[namespace]
# Disable the default namespace id=1; use a non-default namespace (e.g., 2).
allow_default = false
[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"
[evidence]
allow_raw_values = false
require_provider_opt_in = true
[schema_registry]
type = "sqlite"
path = "decision-gate-registry.db"
[schema_registry.acl]
# Require signatures for schema registry writes.
allow_local_only = false
require_signing = true
[run_state_store]
# Use SQLite for local durability.
type = "sqlite"
path = "decision-gate.db"
journal_mode = "wal"
sync_mode = "full"
busy_timeout_ms = 5000
[[providers]]
name = "time"
type = "builtin"
[[providers]]
name = "env"
type = "builtin"
[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }
[[providers]]
name = "http"
type = "builtin"
Actualització del Mapeig del Token de Portador Principal
Genera la cadena de subjecte token:<sha256> quan canvies el token:
python3 - <<'PY'
import hashlib
token = "your-token"
print("token:" + hashlib.sha256(token.encode()).hexdigest())
PY
Mappatge del Comportament Predefinit
Cada preset estableix intencionadament les mateixes seccions bàsiques perquè el comportament sigui explícit:
- Auth:
server.auth(només local vs token de portador) - Registre ACL:
schema_registry.acl(bypass només local vs imposat) - Política de namespace:
namespace.allow_default - Postura de confiança:
trustidev.permissive - Durabilitat:
run_state_storeischema_registrybackends SQLite - Terminació TLS:
server.tls_termination(servidor vs ascendent)
Si canvies una d’aquestes seccions, actualitza el preset i les expectatives corresponents a system-tests/tests/suites/presets.rs.