# Production Setup

A practical production checklist for running Faramesh with durable storage, monitoring, secret boundaries, and staged rollout.

This page turns the core production checklist into a concrete deployment path for running Faramesh in a real environment.
## Minimum production requirements

- Keep a dedicated policy file in version control.
- Use a dedicated data directory and back it up.
- Run Faramesh under a service manager or container supervisor.
- Expose and monitor the `/metrics` endpoint.
- Run regular `audit verify` checks.
## Recommended daemon command

```sh
faramesh serve \
  --policy /etc/faramesh/policy.yaml \
  --data-dir /var/lib/faramesh \
  --socket /var/run/faramesh.sock \
  --dpr-hmac-key <DPR_HMAC_KEY> \
  --metrics-port 9108 \
  --log-level info
```

If you do not pass `--dpr-hmac-key`, the daemon persists a generated key under the data directory as `faramesh.hmac.key`.
## Secret boundary setup

Use the credential broker to keep secrets out of the agent process by default.
### Local Vault provisioned by Faramesh

```sh
faramesh credential enable --policy /etc/faramesh/policy.fpl
faramesh up --policy /etc/faramesh/policy.fpl
faramesh run --broker --agent-id payments-prod -- python your_agent.py
```
### External Vault

```sh
faramesh credential enable \
  --policy /etc/faramesh/policy.fpl \
  --backend vault \
  --vault-addr https://vault.company.internal:8200 \
  --vault-token "$VAULT_TOKEN"

faramesh up --policy /etc/faramesh/policy.fpl
```

Operational helpers:

```sh
faramesh credential status
faramesh credential vault status
faramesh credential vault down
```
## Identity hardening

If you run SPIRE, point Faramesh at the SPIFFE Workload API socket:

```sh
faramesh serve \
  --policy /etc/faramesh/policy.yaml \
  --data-dir /var/lib/faramesh \
  --spiffe-socket unix:///run/spire/sockets/agent.sock
```

Then verify identity and trust material:

```sh
faramesh identity status
faramesh identity verify --spiffe spiffe://example.org/agent/faramesh
faramesh identity trust --domain example.org --bundle /etc/spiffe/bundle.pem
```
## Health and audit checks

```sh
faramesh status
faramesh approvals history --agent payments-prod
faramesh explain agent payments-prod
faramesh explain run <run-or-session-id>
faramesh audit verify /var/lib/faramesh/faramesh.wal
faramesh audit show <action-id>
```
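The checklist calls for regular `audit verify` runs and a monitored `/metrics` endpoint; the following added example (not part of the Faramesh project) turns the status and audit checks above into a scheduled check for cron or a systemd timer. It assumes that `faramesh status` and `faramesh audit verify` exit non-zero on failure, that the daemon answers on `http://127.0.0.1:9108/metrics`, and that the `FARAMESH`, `FARAMESH_WAL` and `FARAMESH_METRICS_URL` environment variables (names chosen here, not defined by Faramesh) may override the defaults. The script runs every check rather than stopping at the first failure and exits with the number of failed checks, so a broken audit chain and an unreachable metrics endpoint show up in the same report.

```shell
#!/bin/sh
# Added example (not part of the Faramesh project): scheduled health and
# audit-chain check for a running Faramesh daemon.
# Assumptions: `faramesh status` and `faramesh audit verify` exit non-zero on
# failure; the overriding environment variables below are this script's own.
set -u

FARAMESH="${FARAMESH:-faramesh}"
WAL="${FARAMESH_WAL:-/var/lib/faramesh/faramesh.wal}"
METRICS_URL="${FARAMESH_METRICS_URL:-http://127.0.0.1:9108/metrics}"

# Runs one check, prints a one-line result and returns its status.
# Command output is discarded; only the exit status matters here.
run_check() {
  name="$1"; shift
  if "$@" >/dev/null 2>&1; then
    echo "ok   $name"
  else
    echo "FAIL $name"
    return 1
  fi
}

# Runs every check (no short-circuit, so one report lists all problems) and
# returns the number of failures; 0 means healthy.
faramesh_healthcheck() {
  failures=0
  run_check "daemon status"      "$FARAMESH" status              || failures=$((failures + 1))
  run_check "audit chain verify" "$FARAMESH" audit verify "$WAL" || failures=$((failures + 1))
  run_check "metrics endpoint"   curl -fsS --max-time 5 "$METRICS_URL" || failures=$((failures + 1))
  return "$failures"
}

# Invoke as `sh faramesh-check.sh run` from cron or a systemd timer; sourcing
# the file without arguments only defines the functions.
case "${1:-}" in
  run) faramesh_healthcheck; exit $? ;;
esac
```

A non-zero exit from the timer is the signal to page on: a failed `audit verify` means the write-ahead log no longer verifies against its HMAC chain and should be treated as a potential tampering or corruption incident, not as a transient error.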
## Pack rollout pattern

```sh
faramesh pack status faramesh/<pack>
faramesh pack shadow faramesh/<pack>
# monitor coverage / audit outcomes
faramesh pack enforce faramesh/<pack>
```
## Observability backends

Use the same `/metrics` endpoint for common observability stacks:
- Prometheus / Grafana
- Datadog OpenMetrics
- New Relic Prometheus ingestion
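For the Prometheus case, here is an added example (not Faramesh project configuration) that renders a scrape job for the `/metrics` endpoint on port 9108 and an alerting rule that fires when the endpoint stops answering. Only the built-in `up` series is used, because this page does not list Faramesh's own metric names; the host `faramesh-host.internal` is a placeholder, and the helper names `write_faramesh_scrape`, `write_faramesh_rules` and `scrape_has_target` are this script's own. The scrape fragment is merged into `prometheus.yml` under `scrape_configs`, and the rules file is listed under `rule_files`. Datadog's OpenMetrics check and New Relic's Prometheus ingestion consume the same endpoint and need only the same target address.

```shell
#!/bin/sh
# Added example (not part of the Faramesh project): Prometheus scrape job and
# liveness alert for the /metrics endpoint on port 9108. Uses only the
# built-in `up` series; Faramesh metric names are not listed on this page.
set -eu

# Writes a scrape_configs entry for TARGET (host:port) to FILE.
write_faramesh_scrape() {
  file="$1"; target="$2"
  cat > "$file" <<EOF
scrape_configs:
  - job_name: faramesh
    metrics_path: /metrics
    scrape_interval: 15s
    static_configs:
      - targets: ['$target']
EOF
}

# Writes an alerting rule that fires when the faramesh job is down for 2m.
write_faramesh_rules() {
  cat > "$1" <<'EOF'
groups:
  - name: faramesh
    rules:
      - alert: FarameshMetricsDown
        expr: up{job="faramesh"} == 0
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "Faramesh /metrics endpoint unreachable on {{ $labels.instance }}"
EOF
}

# Returns 0 when FILE ($1) scrapes TARGET ($2) under job "faramesh".
scrape_has_target() {
  grep -q 'job_name: faramesh$' "$1" && grep -q "targets: \['$2'\]" "$1"
}

# Usage: sh render-faramesh-prometheus.sh render [/etc/prometheus] [host:port]
case "${1:-}" in
  render)
    out="${2:-/etc/prometheus}"
    write_faramesh_scrape "$out/faramesh-scrape.yml" "${3:-faramesh-host.internal:9108}"
    write_faramesh_rules "$out/faramesh.rules.yml"
    # Validate the rules file when promtool is installed.
    if command -v promtool >/dev/null; then
      promtool check rules "$out/faramesh.rules.yml"
    fi
    ;;
esac
```

The `for: 2m` hold-off avoids paging on a single missed scrape during a restart under the service manager, while still catching a daemon that stays down; once Faramesh-specific series are known, add rules on them alongside this liveness check.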
## Horizon auth

```sh
faramesh auth login
faramesh auth status
faramesh serve --policy /etc/faramesh/policy.yaml --sync-horizon
```
## See also

- `faramesh-core/docs/simple/07_PRODUCTION_SETUP.md`
- `faramesh-core/README.md`
- `faramesh-core/docs/guides/DPR_HMAC_KEY.md`