Decision Gate Docs

Deterministic, reproducible gate evaluation with auditable decisions.

Asset Core Documentation

Preset Configurations

At a glance

Decision Gate ships four curated presets that balance onboarding speed against security posture. Pick one, run it, then move on to the next.

Preset | Intent | Path
--- | --- | ---
Quickstart-Dev | Lowest-friction local onboarding | configs/presets/quickstart-dev.toml
Default-Recommended | Safe-by-default local use | configs/presets/default-recommended.toml
Container-Prod | Containerized server baseline (bearer auth, upstream TLS) | configs/presets/container-prod.toml
Hardened | Strong local security posture (bearer auth + signing) | configs/presets/hardened.toml

Important: every preset is runnable. For production exposure, use TLS (in the container or via upstream termination) and mTLS as described in the Security Guide.


Quickstart-Dev (Lowest Friction)

Run it:

cargo run -p decision-gate-cli -- serve --config configs/presets/quickstart-dev.toml

Configuration:

# Decision Gate preset: Quickstart-Dev
# Lowest-friction local setup for first-time users.
# NOT for shared machines or production.

[server]
transport = "http"
bind = "127.0.0.1:4000"
mode = "strict"

[server.auth]
mode = "local_only"

[dev]
permissive = true
permissive_warn = true

[namespace]
allow_default = true
default_tenants = [1]

[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"

[evidence]
allow_raw_values = false
require_provider_opt_in = true

[schema_registry]
type = "sqlite"
path = "decision-gate-registry.db"

[schema_registry.acl]
# Allow local-only registry access without explicit principal mappings.
allow_local_only = true
require_signing = false

[run_state_store]
# Use SQLite for local durability.
type = "sqlite"
path = "decision-gate.db"
journal_mode = "wal"
sync_mode = "full"
busy_timeout_ms = 5000

[[providers]]
name = "time"
type = "builtin"

[[providers]]
name = "env"
type = "builtin"

[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }

[[providers]]
name = "http"
type = "builtin"

Risk posture: the local-only bypass is enabled for registry access (schema_registry.acl.allow_local_only = true) and dev.permissive is on. This is suitable for a single-user machine, but not for shared hosts.

Note: these settings assume a ./evidence directory exists for the json provider's root. Create it (or change root) before starting the server.


Default-Recommended (Safe by Default)

Run it:

cargo run -p decision-gate-cli -- serve --config configs/presets/default-recommended.toml

Configuration:

# Decision Gate preset: Default-Recommended
# Safe-by-default local configuration with explicit principal mapping.

[server]
transport = "http"
bind = "127.0.0.1:4000"
mode = "strict"

[server.auth]
mode = "local_only"

[[server.auth.principals]]
subject = "loopback"
policy_class = "prod"

[[server.auth.principals.roles]]
name = "TenantAdmin"
tenant_id = 1
namespace_id = 1

[namespace]
allow_default = true
default_tenants = [1]

[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"

[evidence]
allow_raw_values = false
require_provider_opt_in = true

[schema_registry]
type = "sqlite"
path = "decision-gate-registry.db"

[schema_registry.acl]
# Enforce principal mapping even for local-only requests.
allow_local_only = false
require_signing = false

[run_state_store]
# Use SQLite for local durability.
type = "sqlite"
path = "decision-gate.db"
journal_mode = "wal"
sync_mode = "full"
busy_timeout_ms = 5000

[[providers]]
name = "time"
type = "builtin"

[[providers]]
name = "env"
type = "builtin"

[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }

[[providers]]
name = "http"
type = "builtin"

Container-Prod (Container Baseline)

Run it:

DECISION_GATE_ALLOW_NON_LOOPBACK=1 cargo run -p decision-gate-cli -- serve \
  --config configs/presets/container-prod.toml

Configuration:

# Decision Gate preset: Container-Prod
# Production-oriented container configuration.
# Requires explicit auth and upstream TLS termination.

[server]
transport = "http"
bind = "0.0.0.0:8080"
mode = "strict"
tls_termination = "upstream"

[server.auth]
mode = "bearer_token"
# Replace this token and update the principal subject hash below.
bearer_tokens = ["dg-container-demo-token"]

[[server.auth.principals]]
# Subject is token:sha256(bearer_token). Update when rotating the token.
subject = "token:5e268e45a49c26207274917a880f33eafbf6e98563170d0bfe1504408d33d18c"
policy_class = "prod"

[[server.auth.principals.roles]]
name = "TenantAdmin"
tenant_id = 1

[namespace]
# Disable the default namespace id=1; use a non-default namespace (e.g., 2).
allow_default = false

[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"

[evidence]
allow_raw_values = false
require_provider_opt_in = true

[schema_registry]
type = "memory"

[schema_registry.acl]
allow_local_only = false
require_signing = false

[run_state_store]
type = "memory"

[[providers]]
name = "time"
type = "builtin"

[[providers]]
name = "env"
type = "builtin"

[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }

[[providers]]
name = "http"
type = "builtin"

Risk posture: explicit authentication is required, and TLS termination is assumed upstream. The server itself listens in plaintext on 0.0.0.0:8080, so the bearer token must only be reachable through the terminating proxy. See Docs/guides/container_deployment.md for deployment guidance.


Hardened (Bearer Auth + Signing)

Run it:

cargo run -p decision-gate-cli -- serve --config configs/presets/hardened.toml

Configuration:

# Decision Gate preset: Hardened
# Strong local security posture. For production, add TLS + mTLS.

[server]
transport = "http"
bind = "127.0.0.1:4000"
mode = "strict"

[server.auth]
mode = "bearer_token"
# Replace this token and update the principal subject hash below.
bearer_tokens = ["dg-hardened-demo-token"]

[[server.auth.principals]]
# Subject is token:sha256(bearer_token). Update when rotating the token.
subject = "token:73a7ceabc74caaa14553ad02540165ba8ad8b709f15e6503b8879552f22042a1"
policy_class = "prod"

[[server.auth.principals.roles]]
name = "TenantAdmin"
tenant_id = 1

[namespace]
# Disable the default namespace id=1; use a non-default namespace (e.g., 2).
allow_default = false

[trust]
# Audit mode (no signature enforcement).
default_policy = "audit"
min_lane = "verified"

[evidence]
allow_raw_values = false
require_provider_opt_in = true

[schema_registry]
type = "sqlite"
path = "decision-gate-registry.db"

[schema_registry.acl]
# Require signatures for schema registry writes.
allow_local_only = false
require_signing = true

[run_state_store]
# Use SQLite for local durability.
type = "sqlite"
path = "decision-gate.db"
journal_mode = "wal"
sync_mode = "full"
busy_timeout_ms = 5000

[[providers]]
name = "time"
type = "builtin"

[[providers]]
name = "env"
type = "builtin"

[[providers]]
name = "json"
type = "builtin"
config = { root = "./evidence", root_id = "evidence-root", max_bytes = 1048576, allow_yaml = true }

[[providers]]
name = "http"
type = "builtin"

Updating the Bearer Token Principal Mapping

Generate the token:<sha256> subject string whenever the token changes:

python3 - <<'PY'
import hashlib

# Hash the exact token bytes. A trailing newline (for example from piping `echo`
# without -n into sha256sum) yields a different subject that will never match.
token = "your-token"
print("token:" + hashlib.sha256(token.encode()).hexdigest())
PY

Preset Behavior Mapping

Each preset intentionally sets the same core sections so that its behavior is explicit:

  • Authentication: server.auth (local-only vs bearer token)
  • Registry ACL: schema_registry.acl (local-only bypass vs enforced)
  • Namespace policy: namespace.allow_default
  • Trust posture: trust and dev.permissive
  • Durability: run_state_store and schema_registry SQLite backends
  • TLS termination: server.tls_termination (server vs upstream)

If you change one of these sections, update the preset and the corresponding expectations in system-tests/tests/suites/presets.rs.