mirror of
https://github.com/trustgraph-ai/trustgraph.git
synced 2026-04-30 02:46:23 +02:00
Adds an environment-variable fallback for the iam-svc bootstrap configuration so the token can be injected from a Kubernetes Secret (or any equivalent secret store) without ever appearing in the processor-group YAML — which is typically version-controlled.

Resolution order is fixed and per-setting:

    bootstrap_mode  = params["bootstrap_mode"]  or $IAM_BOOTSTRAP_MODE
    bootstrap_token = params["bootstrap_token"] or $IAM_BOOTSTRAP_TOKEN

If neither source supplies a value, the service refuses to start with a clear message naming both options. The two settings are resolved independently, which lets operators commit the mode in YAML (it is not a secret) while pulling the token from a Secret-backed ``IAM_BOOTSTRAP_TOKEN`` env var.

Validation invariants are unchanged:

* mode must be 'token' or 'bootstrap'
* mode='token' requires a token (from any source)
* mode='bootstrap' must NOT have a token (ambiguous intent)

There is no permissive fallback — the service fails closed in every branch where configuration is incomplete.

docs/tech-specs/iam-protocol.md gains a 'Configuration sources' subsection under 'Bootstrap modes' that documents the precedence table and the K8s injection pattern. The 'Bootstrap-token lifecycle' step about removing the token after rotation now applies to whichever source was used (Secret, env var, or YAML field).
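The per-setting precedence and fail-closed validation described in the commit message above, modelled as an added Python example. This is not the trustgraph project's own code: the function names, the shape of the `params` mapping and the error type are assumptions; the env var names and the three invariants come from the message.

```python
import os
from typing import Mapping, Optional, Tuple

# Env var names as given in the commit message; everything else here is hypothetical.
ENV_MODE = "IAM_BOOTSTRAP_MODE"
ENV_TOKEN = "IAM_BOOTSTRAP_TOKEN"
VALID_MODES = ("token", "bootstrap")


class BootstrapConfigError(ValueError):
    """Raised when the bootstrap configuration is incomplete or contradictory."""


def _first_set(*values: Optional[str]) -> Optional[str]:
    """Python `or` semantics from the message: an empty string falls through to the next source."""
    for v in values:
        if v:
            return v
    return None


def bootstrap_error(params: Mapping[str, str], env: Mapping[str, str]) -> Optional[str]:
    """Return a message describing the configuration problem, or None when the config is valid.

    Each setting is resolved independently: the YAML param wins, the env var is the fallback.
    """
    mode = _first_set(params.get("bootstrap_mode"), env.get(ENV_MODE))
    token = _first_set(params.get("bootstrap_token"), env.get(ENV_TOKEN))

    if mode is None:
        return f"bootstrap mode not configured: set params['bootstrap_mode'] or ${ENV_MODE}"
    if mode not in VALID_MODES:
        return f"bootstrap_mode must be one of {VALID_MODES}, got {mode!r}"
    if mode == "token" and token is None:
        return f"mode 'token' requires a token: set params['bootstrap_token'] or ${ENV_TOKEN}"
    if mode == "bootstrap" and token is not None:
        return "mode 'bootstrap' must not be combined with a token (ambiguous intent)"
    return None


def resolve_bootstrap(params: Mapping[str, str],
                      env: Optional[Mapping[str, str]] = None) -> Tuple[str, Optional[str]]:
    """Return (mode, token) or raise; there is no branch that silently picks a default."""
    env = os.environ if env is None else env
    problem = bootstrap_error(params, env)
    if problem is not None:
        raise BootstrapConfigError(problem)
    mode = _first_set(params.get("bootstrap_mode"), env.get(ENV_MODE))
    token = _first_set(params.get("bootstrap_token"), env.get(ENV_TOKEN))
    return mode, token
```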