The Ultimate Git Control Plane
ๅฎ่ญท่ ใฎ้ - Guardian of the Gate
"Just as the sacred torii gate marks the boundary between the mundane and the divine, TORII stands as the guardian between chaos and order in your Git infrastructure."
TORII embodies three core principles:
- ๐ก๏ธ Zero Trust - Every operation is validated, no exceptions
- ๐ Policy as Code - Governance defined in version-controlled YAML
- โก Git-Native - Enforcement at the protocol level, not post-facto
TORII is a production-ready Git Control Plane built in Rust that enforces policy-driven governance for Git operations. Unlike traditional Git hosting solutions that rely on webhooks and post-receive validation, TORII intercepts operations at the pre-receive stage, providing true zero-trust enforcement.
Modern enterprises face critical challenges with Git governance:
- โ No Central Control - Teams push directly to production branches
- โ Post-Facto Validation - Webhooks catch violations too late
- โ Inconsistent Policies - Rules differ across repositories
- โ Audit Gaps - No comprehensive record of who did what
TORII solves these problems by acting as a policy enforcement point for all Git operations.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ TORII Ecosystem โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Developer Admin Interface CI/CD System โ
โ โ โ โ โ
โ โ git push โ manage policies โ โ
โ โผ โผ โผ โ
โ โโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโ โ
โ โ SSH โโโโโโโโโโโโโถโ torii- โโโโโโโโโโโโโโโ HTTP โ โ
โ โ (Port โ โ server โ โ API โ โ
โ โ 22) โ โ :3000 โ โ โ โ
โ โโโโโโฌโโโโ โโโโโโโฌโโโโโ โโโโโโโโโโโ โ
โ โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ Control Plane โ โ โ
โ โ โ โผ โ โ
โ โ โ โโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ โ Policy Engine โ โ โ
โ โ โ โ (torii-core) โ โ โ
โ โ โ โโโโโโโโโโฌโโโโโโโโโโ โ โ
โ โ โ โ โ โ
โ โ โ โผ โ โ
โ โ โ โโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ โ Storage Layer โ โ โ
โ โ โ โ SQLite/Postgres โ โ โ
โ โ โ โโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ Enforcement Layer โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โโโโโโโโโโโโถ torii-hook (pre-receive) โ
โ โโ Validates refs โ
โ โโ Checks policies โ
โ โโ Allows/Denies push โ
โ โ
โ Authentication: torii-auth โโโโโ sshd (AuthorizedKeysCommand) โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Define governance rules as declarative YAML policies:
apiVersion: torii.io/v1beta1
kind: RepositoryPolicy
metadata:
name: "protect-production"
spec:
defaultAction: "deny"
rules:
- name: "senior-engineers-only"
scope:
refs: ["refs/heads/main", "refs/heads/production"]
conditions:
- field: "actor.group"
operator: "in"
value: ["senior-engineers", "platform-team"]
decision: "allow"- Integrated with OpenSSH's
AuthorizedKeysCommand - Automatic identity injection via environment variables
- No custom Git clients required
- SQLite - Perfect for edge deployments and single-node setups
- PostgreSQL - Production-grade for multi-node clusters
- Written in Rust for memory safety and speed
- Async/await for concurrent request handling
- Zero-copy policy evaluation
- Comprehensive E2E test suite with Testcontainers
- Docker support for Postgres integration tests
- CI/CD validated across multiple database backends
Problem: Developers accidentally push to production branches.
Solution: TORII enforces strict branch policies at the Git protocol level.
# Only allow releases from CI/CD
- name: "production-from-ci-only"
scope:
refs: ["refs/heads/production"]
conditions:
- field: "actor.type"
operator: "equals"
value: "service-account"
decision: "allow"Problem: SaaS platforms need to isolate customer repositories.
Solution: Dynamic policies per repository with tenant-specific rules.
# Tenant isolation
- name: "tenant-a-only"
conditions:
- field: "actor.tenant_id"
operator: "equals"
value: "tenant-a"
decision: "allow"Problem: Financial institutions require immutable audit trails.
Solution: TORII logs every Git operation with policy decisions.
# Query audit logs
SELECT * FROM audit_log
WHERE repository_id = 'trading-system'
AND action = 'git-receive-pack'
AND timestamp > NOW() - INTERVAL '7 days';Problem: Pull requests bypass security checks via force-push.
Solution: Enforce linear history and required checks.
- name: "no-force-push"
conditions:
- field: "ref_update.forced"
operator: "equals"
value: "true"
decision: "deny"- Rust 1.70+ (
rustup) - PostgreSQL or SQLite
- OpenSSH (for SSH auth)
# Clone the repository
git clone https://github.com/copyleftdev/torii.git
cd torii
# Build all components
cargo build --release
# Binaries are in target/release/
ls target/release/torii-*# With SQLite (development)
TORII_DB_URL="sqlite:///tmp/torii.db" \
cargo run -p torii-server
# With PostgreSQL (production)
TORII_DB_URL="postgres://user:pass@localhost/torii" \
cargo run -p torii-serverServer will start on http://localhost:3000
# Create a policy file
cat > policy.yaml <<EOF
apiVersion: torii.io/v1beta1
kind: RepositoryPolicy
metadata:
name: "basic-protection"
description: "Protect main branch"
spec:
defaultAction: "allow"
rules:
- name: "protect-main"
scope:
refs: ["refs/heads/main"]
conditions: []
decision: "deny"
EOF
# Apply the policy
./target/release/torii-cli policy apply -f policy.yaml# Create repository
./target/release/torii-cli repo create \
--name "my-app" \
--owner "platform-team"
# Bind policy to repository
./target/release/torii-cli binding add \
--repo "my-app" \
--policy "basic-protection"# In your bare Git repository
cd /path/to/my-app.git
# Install pre-receive hook
ln -s /path/to/torii/target/release/torii-hook \
hooks/pre-receive
# Make it executable
chmod +x hooks/pre-receive
# Configure environment
export TORII_REPO_ID="my-app"
export TORII_CONTROL_PLANE="http://localhost:3000"# Try to push to main (should be denied)
cd /tmp
git clone /path/to/my-app.git
cd my-app
git checkout -b main
echo "test" > README.md
git commit -am "test"
# Set actor identity
export TORII_ACTOR_ID="alice"
git push origin main
# โ Denied by policy 'basic-protection'| Variable | Description | Default |
|---|---|---|
TORII_DB_URL |
Database connection string | sqlite::memory: |
TORII_CONTROL_PLANE |
API endpoint for hooks | http://localhost:3000 |
TORII_REPO_ID |
Repository identifier | (required) |
TORII_ACTOR_ID |
User identifier | (from SSH env) |
RUST_LOG |
Log level | info |
Add to /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/local/bin/torii-auth
AuthorizedKeysCommandUser git
PermitUserEnvironment TORII_ACTOR_ID| Crate | Purpose | Lines of Code |
|---|---|---|
torii-core |
Domain models, policy engine | ~600 |
torii-server |
Control Plane API & web service | ~400 |
torii-storage |
Persistence (SQLite/Postgres) | ~500 |
torii-hook |
Git pre-receive enforcement | ~150 |
torii-cli |
Administrative CLI | ~250 |
torii-auth |
SSH key resolver | ~50 |
torii-e2e |
End-to-end tests | ~200 |
Total: ~2,150 lines of Rust (excluding tests)
# Run all tests
cargo test --workspace
# Run E2E tests (requires Docker)
cargo test -p torii-e2e
# Run with coverage
cargo tarpaulin --workspace
# Integration tests only
cargo test -p torii-storageTest Coverage: 85%+ across critical paths
- Phase 1-4: Core Policy Engine & Server
- Phase 5: Persistent Storage (SQLite)
- Phase 6: Management CLI
- Phase 7: SSH Authentication
- Phase 8: E2E Testing (PostgreSQL)
- Phase 9: Event Plane (AsyncAPI webhooks)
- Phase 10: Observability (Prometheus metrics)
- Phase 11: HA Deployment (Kubernetes)
- Phase 12: Web UI Dashboard
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Clone and build
git clone https://github.com/copyleftdev/torii.git
cd torii
cargo build
# Run tests
cargo test
# Check formatting
cargo fmt --check
# Run linter
cargo clippyMIT License - see LICENSE for details.
Inspired by:
Built with โค๏ธ and โ๏ธ in Rust
"ๅฎ่ญท่ ใฎ้" - Guardian of the Gate
Documentation โข Architecture โข API Spec โข Roadmap