Skip to content

Configuration

Frank Yglesias Bertheau edited this page Jul 7, 2026 · 1 revision
<h1>ᚾ&nbsp;NornGate — Configuration</h1>

Scope note. This is the config model implied by the documented runtime behavior. Treat the running service's config schema as authoritative and reconcile exact kinds and field names against it.

Configuration is declarative and versioned. Every config resource carries a version, and the active versions are exactly the config and policy snapshots recorded with each gate decision — so config is a first-class input to determinism and replay (Deterministic Execution).


ᛜ Overview

Four things hold across every resource:

  • Declarative — desired state in YAML; the control plane reconciles.
  • Versioned — e.g. gatecfg_v14, pol_20260706_01; a change is a new version, not an in-place edit.
  • Validated — an admission webhook (the former Galley role in istiod) rejects invalid config before it is applied; a bad config cannot silently open a gate.
  • Snapshotted — the version in force at evaluation is pinned to the decision, so a verdict is always explainable against the exact config that produced it.

ᚦ Gate configuration

Per-gate timeouts and behavior. Order is fixed (G0 → G4); config tunes each gate, it does not reorder or disable them.

apiVersion: norngate.io/v1
kind: GateConfig
metadata: { name: default, version: gatecfg_v14 }
spec:
  timeouts: { ingress: 5s, policy: 10s, approval: 30s, sandbox: 60s, arbitration: 10s }
  ingress:
    rateLimit: { unit: tenant, tokens: 1000, refillPerSecond: 100 }
    allowlist: ["10.0.0.0/8"]
  approval:
    riskThreshold: high        # actions at or above this risk require G2
    budget: { perTenantPerDay: 500 }
  sandbox:
    runtime: firecracker
    limits: { cpu: "2", memory: 2Gi }
    egress: brokered-only        # no un-brokered egress from G3
  arbitration:
    shardBy: resourceKey
    lease: { ttl: 30s }
    fairness: aging              # deterministic winner, but not starvation

The timeouts are deny ceilings, not latencies (The Five Gates).


ᛏ Policy configuration

Rules evaluated as a pure function, with the two safe defaults: default-deny and deny-overrides.

apiVersion: norngate.io/v1
kind: Policy
metadata: { name: acme, version: pol_20260706_01 }
spec:
  defaultEffect: deny
  combining: deny-overrides
  rules:
    - id: pii-write-needs-approval
      effect: allow
      match: { resource.sensitivity: pii, action: write, subject.role: retrieval-agent }
      obligations: ["require:approval"]     # allow, but oblige a G2 consent
    - id: deny-cross-tenant
      effect: deny
      match: { resource.ownerNeSubjectTenant: true }

Attribute names and provenance are on Gates & Attributes — remember that subject/resource attributes come from signed identity and the registry, never the request body.


ᛟ Realm configuration

A realm binds a subdomain to a trust posture and its isolation resources.

apiVersion: norngate.io/v1
kind: Realm
metadata: { name: jotunheim }
spec:
  subdomain: "jotun.*"
  tier: middle
  posture: untrusted
  routeTimeout: 60s              # upstream route timeout — not a gate timeout
  credentials: none             # zero standing credentials
  networkPolicyRef: jotunheim-default-deny
  quotaRef: jotunheim-quota

The referenced NetworkPolicy, ResourceQuota, and Istio AuthorizationPolicy are native resources — see The Nine Worlds and The Spine. Mesh routing (VirtualService, PeerAuthentication STRICT) is configured there.


ᛈ Ledger configuration

Urd's storage, signing, and erasure behavior. It is a centralized ledger — the integrity is cryptographic, not quorum-based.

apiVersion: norngate.io/v1
kind: LedgerConfig
metadata: { name: urd }
spec:
  mode: centralized
  hot:  { backend: kafka, partitionsPerRealm: 8, retention: 7d }
  cold: { backend: s3, realm: niflheim, retention: 7y, immutable: true }
  signing: { algorithm: ed25519, keyId: urd-2026-07, keyStore: asgard-hsm }
  checkpointInterval: 1h
  payloads: { store: encrypted, perSubjectKey: true, cryptoShred: true }

keyStore: asgard-hsm is what makes the ledger defensible — the signing key is off the worker path (Urd Ledger). cryptoShred: true is the GDPR erasure mechanism.


ᚷ Budgets

The two levers that keep the expensive gates rare — both are attributes, so a budget-based denial is replayable.

apiVersion: norngate.io/v1
kind: BudgetConfig
metadata: { name: default }
spec:
  deliberation: { perAgentPerRequest: 50000, unit: tokens }   # Mimir / enforced at G1
  approval:     { perTenantPerDay: 500 }                       # enforced at G2

The approval budget is the mechanism that holds human transits under ~5% (Gates & Attributes).


ᛁ Validation and versioning

  • Validation — every resource is checked at admission; schema errors, an empty allowlist that would open ingress, or a policy with no defaultEffect are rejected before apply. Fail-closed extends to config: an invalid gate config does not run.
  • Versioning — bump a version to change behavior; the old version stays resolvable so historical decisions still replay. A config change legitimately changes future verdicts, and every affected decision records which version it used.
  • Rollout — apply a new version, watch Urd for the shift in decisions, roll back by re-pinning the previous version if needed.

This is why "the same request flipped from allow to deny" is always answerable: compare the config and policy snapshot IDs on the two decisions.


ᚱ Next steps


Iconography

Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — semantic, not emoji. Full set on Home:

Rune Name Gloss Marks
Nauðiz need, constraint the platform mark
Ingwaz the structured whole overview
Thurisaz thorn, gateway gate configuration
Tiwaz Týr — law, order policy configuration
Othala enclosed estate, boundary realm configuration
Perthro the well of Urd ledger configuration
Gebo the granted allowance budgets
Isa ice, the pinned version validation & versioning
Raidō the ride, the road next steps

References. Kubernetes CRDs + admission webhooks; Istio config (per The Spine); NIST SP 800-162 + OASIS XACML (policy / deny-overrides); Ed25519 / KMS envelope encryption (per Urd Ledger). Naming doctrine: Prose Edda / Poetic Edda, per Norse Cosmology & Platform Design.

ᚾ NornGate — Configuration

Scope note. This is the config model implied by the documented runtime behavior. Treat the running service's config schema as authoritative and reconcile exact kinds and field names against it.

Configuration is declarative and versioned. Every config resource carries a version, and the active versions are exactly the config and policy snapshots recorded with each gate decision — so config is a first-class input to determinism and replay ([Deterministic Execution](Deterministic-Execution)).


ᛜ Overview

Four things hold across every resource:

  • Declarative — desired state in YAML; the control plane reconciles.
  • Versioned — e.g. gatecfg_v14, pol_20260706_01; a change is a new version, not an in-place edit.
  • Validated — an admission webhook (the former Galley role in istiod) rejects invalid config before it is applied; a bad config cannot silently open a gate.
  • Snapshotted — the version in force at evaluation is pinned to the decision, so a verdict is always explainable against the exact config that produced it.

ᚦ Gate configuration

Per-gate timeouts and behavior. Order is fixed (G0 → G4); config tunes each gate, it does not reorder or disable them.

apiVersion: norngate.io/v1
kind: GateConfig
metadata: { name: default, version: gatecfg_v14 }
spec:
  timeouts: { ingress: 5s, policy: 10s, approval: 30s, sandbox: 60s, arbitration: 10s }
  ingress:
    rateLimit: { unit: tenant, tokens: 1000, refillPerSecond: 100 }
    allowlist: ["10.0.0.0/8"]
  approval:
    riskThreshold: high        # actions at or above this risk require G2
    budget: { perTenantPerDay: 500 }
  sandbox:
    runtime: firecracker
    limits: { cpu: "2", memory: 2Gi }
    egress: brokered-only        # no un-brokered egress from G3
  arbitration:
    shardBy: resourceKey
    lease: { ttl: 30s }
    fairness: aging              # deterministic winner, but not starvation

The timeouts are deny ceilings, not latencies ([The Five Gates](The-Five-Gates)).


ᛏ Policy configuration

Rules evaluated as a pure function, with the two safe defaults: default-deny and deny-overrides.

apiVersion: norngate.io/v1
kind: Policy
metadata: { name: acme, version: pol_20260706_01 }
spec:
  defaultEffect: deny
  combining: deny-overrides
  rules:
    - id: pii-write-needs-approval
      effect: allow
      match: { resource.sensitivity: pii, action: write, subject.role: retrieval-agent }
      obligations: ["require:approval"]     # allow, but oblige a G2 consent
    - id: deny-cross-tenant
      effect: deny
      match: { resource.ownerNeSubjectTenant: true }

Attribute names and provenance are on [Gates & Attributes](Gates-and-Attributes) — remember that subject/resource attributes come from signed identity and the registry, never the request body.


ᛟ Realm configuration

A realm binds a subdomain to a trust posture and its isolation resources.

apiVersion: norngate.io/v1
kind: Realm
metadata: { name: jotunheim }
spec:
  subdomain: "jotun.*"
  tier: middle
  posture: untrusted
  routeTimeout: 60s              # upstream route timeout — not a gate timeout
  credentials: none             # zero standing credentials
  networkPolicyRef: jotunheim-default-deny
  quotaRef: jotunheim-quota

The referenced NetworkPolicy, ResourceQuota, and Istio AuthorizationPolicy are native resources — see [The Nine Worlds](The-Nine-Worlds) and [The Spine](The-Spine). Mesh routing (VirtualService, PeerAuthentication STRICT) is configured there.


ᛈ Ledger configuration

Urd's storage, signing, and erasure behavior. It is a centralized ledger — the integrity is cryptographic, not quorum-based.

apiVersion: norngate.io/v1
kind: LedgerConfig
metadata: { name: urd }
spec:
  mode: centralized
  hot:  { backend: kafka, partitionsPerRealm: 8, retention: 7d }
  cold: { backend: s3, realm: niflheim, retention: 7y, immutable: true }
  signing: { algorithm: ed25519, keyId: urd-2026-07, keyStore: asgard-hsm }
  checkpointInterval: 1h
  payloads: { store: encrypted, perSubjectKey: true, cryptoShred: true }

keyStore: asgard-hsm is what makes the ledger defensible — the signing key is off the worker path ([Urd Ledger](Urd-Ledger)). cryptoShred: true is the GDPR erasure mechanism.


ᚷ Budgets

The two levers that keep the expensive gates rare — both are attributes, so a budget-based denial is replayable.

apiVersion: norngate.io/v1
kind: BudgetConfig
metadata: { name: default }
spec:
  deliberation: { perAgentPerRequest: 50000, unit: tokens }   # Mimir / enforced at G1
  approval:     { perTenantPerDay: 500 }                       # enforced at G2

The approval budget is the mechanism that holds human transits under ~5% ([Gates & Attributes](Gates-and-Attributes)).


ᛁ Validation and versioning

  • Validation — every resource is checked at admission; schema errors, an empty allowlist that would open ingress, or a policy with no defaultEffect are rejected before apply. Fail-closed extends to config: an invalid gate config does not run.
  • Versioning — bump a version to change behavior; the old version stays resolvable so historical decisions still replay. A config change legitimately changes future verdicts, and every affected decision records which version it used.
  • Rollout — apply a new version, watch Urd for the shift in decisions, roll back by re-pinning the previous version if needed.

This is why "the same request flipped from allow to deny" is always answerable: compare the config and policy snapshot IDs on the two decisions.


ᚱ Next steps


Iconography

Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — semantic, not emoji. Full set on [Home](Home#iconography):

Rune Name Gloss Marks
Nauðiz need, constraint the platform mark
Ingwaz the structured whole overview
Thurisaz thorn, gateway gate configuration
Tiwaz Týr — law, order policy configuration
Othala enclosed estate, boundary realm configuration
Perthro the well of Urd ledger configuration
Gebo the granted allowance budgets
Isa ice, the pinned version validation & versioning
Raidō the ride, the road next steps

References. Kubernetes CRDs + admission webhooks; Istio config (per [The Spine](The-Spine)); [NIST SP 800-162](https://csrc.nist.gov/pubs/sp/800/162/final) + OASIS XACML (policy / deny-overrides); Ed25519 / KMS envelope encryption (per [Urd Ledger](Urd-Ledger)). Naming doctrine: Prose Edda / Poetic Edda, per [Norse Cosmology & Platform Design](Norse-Cosmology-and-Platform-Design).

Clone this wiki locally