Skip to content

Commit 181ed3d

Browse files
committed
updated readme
1 parent 6abf8d6 commit 181ed3d

3 files changed

Lines changed: 308 additions & 114 deletions

File tree

README.md

Lines changed: 126 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -60,37 +60,146 @@ This SDK requires the **Predicate Authority Sidecar** daemon to be running. The
6060

6161
| Resource | Link |
6262
|----------|------|
63-
| Sidecar Repository | [rust-predicate-authorityd](https://github.com/PredicateSystems/predicate-authority-sidecar) |
63+
| Sidecar Repository | [predicate-authority-sidecar](https://github.com/PredicateSystems/predicate-authority-sidecar) |
6464
| Download Binaries | [Latest Releases](https://github.com/PredicateSystems/predicate-authority-sidecar/releases) |
6565
| License | MIT / Apache 2.0 |
6666

6767
### Quick Sidecar Setup
6868

69-
**Option A: Install with sidecar (recommended)**
69+
**Option A: Install with pip (recommended)**
7070

7171
```bash
72-
# Install SDK with automatic sidecar download
73-
pip install predicate-authority[sidecar]
72+
# Install SDK with sidecar extra
73+
pip install "predicate-authority[sidecar]"
7474

75-
# The sidecar binary is downloaded automatically on first use
76-
# Or manually trigger download:
75+
# IMPORTANT: The binary is NOT downloaded automatically during pip install.
76+
# You must manually download it:
7777
predicate-download-sidecar
78+
79+
# The binary is installed to:
80+
# - macOS: ~/Library/Application Support/predicate-authority/bin/predicate-authorityd
81+
# - Linux: ~/.local/share/predicate-authority/bin/predicate-authorityd
82+
# - Windows: %LOCALAPPDATA%/predicate-authority/bin/predicate-authorityd.exe
7883
```
7984

8085
**Option B: Manual download**
8186

8287
```bash
83-
# Download the latest release for your platform
84-
# Linux x64, macOS x64/ARM64, Windows x64 available
88+
# Download the latest release for your platform from GitHub:
89+
# https://github.com/PredicateSystems/predicate-authority-sidecar/releases
8590

86-
# Extract and run
87-
tar -xzf predicate-authorityd-*.tar.gz
91+
# Extract and make executable
92+
tar -xzf predicate-authorityd-darwin-arm64.tar.gz # or your platform
8893
chmod +x predicate-authorityd
94+
```
95+
96+
### Running the Sidecar
97+
98+
The Rust sidecar uses **global CLI arguments** (before the `run` subcommand) or a **TOML config file**.
99+
100+
**CLI arguments (place BEFORE `run`):**
101+
102+
```bash
103+
./predicate-authorityd \
104+
--host 127.0.0.1 \
105+
--port 8787 \
106+
--mode local_only \
107+
--policy-file policy.json \
108+
run
109+
```
110+
111+
**Using environment variables:**
112+
113+
```bash
114+
export PREDICATE_HOST=127.0.0.1
115+
export PREDICATE_PORT=8787
116+
export PREDICATE_MODE=local_only
117+
export PREDICATE_POLICY_FILE=policy.json
118+
119+
./predicate-authorityd run
120+
```
121+
122+
**Using a config file:**
123+
124+
```bash
125+
# Generate example config
126+
./predicate-authorityd init-config --output config.toml
89127

90-
# Start with a policy file (local mode)
91-
./predicate-authorityd run --port 8787 --mode local_only --policy-file policy.json
128+
# Run with config
129+
./predicate-authorityd --config config.toml run
92130
```
93131

132+
### Sidecar CLI Reference
133+
134+
```
135+
GLOBAL OPTIONS (use before 'run'):
136+
-c, --config <FILE> Path to TOML config file [env: PREDICATE_CONFIG]
137+
--host <HOST> Host to bind to [env: PREDICATE_HOST] [default: 127.0.0.1]
138+
--port <PORT> Port to bind to [env: PREDICATE_PORT] [default: 8787]
139+
--mode <MODE> local_only or cloud_connected [env: PREDICATE_MODE]
140+
--policy-file <PATH> Path to policy JSON [env: PREDICATE_POLICY_FILE]
141+
--identity-file <PATH> Path to local identity registry [env: PREDICATE_IDENTITY_FILE]
142+
--log-level <LEVEL> trace, debug, info, warn, error [env: PREDICATE_LOG_LEVEL]
143+
--control-plane-url <URL> Control-plane URL [env: PREDICATE_CONTROL_PLANE_URL]
144+
--tenant-id <ID> Tenant ID [env: PREDICATE_TENANT_ID]
145+
--project-id <ID> Project ID [env: PREDICATE_PROJECT_ID]
146+
--predicate-api-key <KEY> API key [env: PREDICATE_API_KEY]
147+
--sync-enabled Enable control-plane sync [env: PREDICATE_SYNC_ENABLED]
148+
--fail-open Fail open if control-plane unreachable [env: PREDICATE_FAIL_OPEN]
149+
150+
IDENTITY PROVIDER OPTIONS:
151+
--identity-mode <MODE> local, local-idp, oidc, entra, or okta [env: PREDICATE_IDENTITY_MODE]
152+
--allow-local-fallback Allow local/local-idp in cloud_connected mode
153+
--idp-token-ttl-s <SECS> IdP token TTL seconds [default: 300]
154+
--mandate-ttl-s <SECS> Mandate TTL seconds [default: 300]
155+
156+
LOCAL IDP OPTIONS (for identity-mode=local-idp):
157+
--local-idp-issuer <URL> Issuer URL [env: LOCAL_IDP_ISSUER]
158+
--local-idp-audience <AUD> Audience [env: LOCAL_IDP_AUDIENCE]
159+
--local-idp-signing-key-env <VAR> Env var for signing key [default: LOCAL_IDP_SIGNING_KEY]
160+
161+
OIDC OPTIONS (for identity-mode=oidc):
162+
--oidc-issuer <URL> Issuer URL [env: OIDC_ISSUER]
163+
--oidc-client-id <ID> Client ID [env: OIDC_CLIENT_ID]
164+
--oidc-audience <AUD> Audience [env: OIDC_AUDIENCE]
165+
166+
ENTRA OPTIONS (for identity-mode=entra):
167+
--entra-tenant-id <ID> Tenant ID [env: ENTRA_TENANT_ID]
168+
--entra-client-id <ID> Client ID [env: ENTRA_CLIENT_ID]
169+
--entra-audience <AUD> Audience [env: ENTRA_AUDIENCE]
170+
171+
OKTA OPTIONS (for identity-mode=okta):
172+
--okta-issuer <URL> Issuer URL [env: OKTA_ISSUER]
173+
--okta-client-id <ID> Client ID [env: OKTA_CLIENT_ID]
174+
--okta-audience <AUD> Audience [env: OKTA_AUDIENCE]
175+
--okta-required-claims Required claims (comma-separated)
176+
--okta-required-scopes Required scopes (comma-separated)
177+
--okta-required-roles Required roles/groups (comma-separated)
178+
--okta-allowed-tenants Allowed tenant IDs (comma-separated)
179+
180+
COMMANDS:
181+
run Start the daemon (default)
182+
init-config Generate example config file
183+
check-config Validate config file
184+
version Show version info
185+
```
186+
187+
### Identity Provider Modes
188+
189+
The sidecar supports multiple identity modes for token validation:
190+
191+
- **local** (default): No token validation. Suitable for development.
192+
- **local-idp**: Self-issued JWT tokens for ephemeral task identities.
193+
- **oidc**: Generic OIDC provider integration.
194+
- **entra**: Microsoft Entra ID (Azure AD) integration.
195+
- **okta**: Enterprise Okta integration with JWKS validation.
196+
197+
**Safety notes:**
198+
- `idp-token-ttl-s` must be >= `mandate-ttl-s` (enforced at startup)
199+
- In `cloud_connected` mode, `local` or `local-idp` requires `--allow-local-fallback`
200+
201+
For detailed IdP configuration and production hardening, see `docs/authorityd-operations.md`.
202+
94203
### Running the sidecar from Python
95204

96205
```python
@@ -209,39 +318,24 @@ python examples/delegation/oidc_compat_demo.py \
209318
--scope "${OIDC_SCOPE:-authority:check}"
210319
```
211320

212-
### Local IdP mode (development/air-gapped)
213-
214-
For development or air-gapped environments without external IdP:
215-
216-
```bash
217-
export LOCAL_IDP_SIGNING_KEY="replace-with-strong-secret"
218-
219-
./predicate-authorityd run \
220-
--host 127.0.0.1 \
221-
--port 8787 \
222-
--mode local_only \
223-
--policy-file policy.json \
224-
--identity-mode local-idp \
225-
--local-idp-issuer "http://localhost/predicate-local-idp" \
226-
--local-idp-audience "api://predicate-authority"
227-
```
228-
229321
### Cloud-connected sidecar (control-plane sync)
230322

231323
Connect the sidecar to Predicate Authority control-plane for policy sync, revocation push, and audit forwarding:
232324

233325
```bash
234326
export PREDICATE_API_KEY="your-api-key"
235327

236-
./predicate-authorityd run \
328+
./predicate-authorityd \
237329
--host 127.0.0.1 \
238330
--port 8787 \
239331
--mode cloud_connected \
332+
--policy-file policy.json \
240333
--control-plane-url https://api.predicatesystems.dev \
241334
--tenant-id your-tenant \
242335
--project-id your-project \
243-
--predicate-api-key $PREDICATE_API_KEY \
244-
--sync-enabled
336+
--predicate-api-key "$PREDICATE_API_KEY" \
337+
--sync-enabled \
338+
run
245339
```
246340

247341
## Sidecar Operations
@@ -272,12 +366,6 @@ curl -X POST http://127.0.0.1:8787/revoke/principal -d '{"principal_id": "agent:
272366
curl -X POST http://127.0.0.1:8787/revoke/intent -d '{"intent_hash": "<intent_hash>"}'
273367
```
274368

275-
### Identity mode options
276-
277-
- `--identity-mode local`: deterministic local bridge (default).
278-
- `--identity-mode local-idp`: local IdP-style signed token mode for dev/air-gapped workflows.
279-
- `--identity-mode oidc`: enterprise OIDC bridge mode.
280-
- `--identity-mode entra`: Microsoft Entra bridge mode.
281369

282370
### Runtime endpoints
283371

0 commit comments

Comments
 (0)