Skip to content
Skip to content
TrustPlane
Quickstart

From pilot to go‑live in your VPC

Follow this guided path to stand up TrustPlane as your governed request‑path control plane. The outcome: a canary live in ≤ 7 days, audit exporting to your SIEM, and policy packs your teams can reuse.

How TrustPlane governs a request

In your VPC • No public ingress
Request path

Apps, agents, or humans send requests through the TrustPlane gateway running in your VPC/VNet.

Policy engine

Identity, residency, budget, and evaluation contracts enforced before any side-effects.

Learning Controls

Golden sets, drift monitors, and reviewer feedback captured for every promotion gate.

Action Certificate

COSE-signed attestation minted with policy hash, approvals, rollout scope, and telemetry references.

Downstream verification

Applications, data stores, and automation hooks verify certificates locally before executing writes.

SIEM & analytics

OpenTelemetry spans stream to Splunk/Datadog for audit, FinOps showback, and incident response.

Request → policy → Learning Controls → certificate minting → downstream verification → SIEM export. Diagram applies to AWS, Azure, and GCP private modes.
Prerequisites (choose what matches your stack)
  • Cloud: AWS, GCP, or Azure account
  • SSO: Okta, Microsoft Entra ID, or Ping
  • Optional: Snowflake / Databricks; ServiceNow / Jira; Slack / Microsoft Teams
  • SIEM/Observability: Splunk or Datadog (for audit export)
Install the SDKs / CLI helpers

Install packages before wiring connectors. Versions align with the snippets below and emit Action Certificate telemetry by default.

JavaScript / TypeScript
npm install @trustplane/sdk # or yarn add @trustplane/sdk # or pnpm add @trustplane/sdk
Python
pip install trustplane-sdk # or poetry add trustplane-sdk
Java
// build.gradle.kts implementation("cloud.trustplane:control-plane-sdk:1.+") // Maven pom.xml <dependency> <groupId>cloud.trustplane</groupId> <artifactId>control-plane-sdk</artifactId> <version>1.+</version> </dependency>

30-sec check: Paste this into your REPL to confirm the SDK wiring before you connect any systems.

const ok = await verifyCertificate(sampleCertificate, {
  expectedPolicyHash: 'sha256:…',
  requiredApprovals: ['security', 'finops', 'data-owner']
});
if (!ok.valid) throw new Error(ok.reason);

Mirrors the /verify checks; full flow below.

Week-by-week milestones (≤ 90 days)
  • Week 1: Gateway deployed in VPC/VNet, SSO/SCIM approved, no public ingress.
  • Week 2: Read-first connectors live against production data; Learning Controls drafted.
  • Week 4: Evaluation contract and drift monitors streaming to SIEM; cost/showback wired.
  • Week 6: First controlled rollout (governed canary) at ≤10%; certificate verification hooks blocking writes.
  • Week 9: Certificate-verified production with Action Certificates required for every write.
  • Week 12: Additional governed automations reusing approved boundary (3–5 per quarter).
  1. 1) Deploy the gateway in your VPC

    The gateway/sidecar runs in your account. You can start with a single region and expand later. Use marketplace images or Terraform modules; no public ingress required for private modes.

    # Terraform (example sketch)
module "trustplane" {
  source  = "trustplane-oss/gateway/<provider>"
  version = "~> 1"
  region  = "us-east-1"

  # networking + egress controls
  vpc_id                  = var.vpc_id
  private_subnet_ids      = var.private_subnet_ids
  outbound_egress_allowed = false
}
  2. 2) Wire up identity (SSO) & provisioning (SCIM)

    Set SAML SSO with your IdP and enable SCIM for lifecycle. Approvers and operators are least‑privilege roles.

    # trustplane-idp.json (IdP app hints)
{
  "saml": { "acsUrl": "https://gw.internal/auth/saml/acs", "entityId": "urn:trustplane" },
  "scim": { "baseUrl": "https://gw.internal/scim", "bearer": "…managed secret…" },
  "roles": ["owner", "approver", "operator"]
}
  3. 3) Add read‑first connectors (Snowflake, ServiceNow, Slack…)

    Start read‑only with dry‑run. Promotion to writes requires explicit approvals and minting an Action Certificate.

    # connectors.yaml
snowflake:
  mode: read_first
  role: ANALYST
servicenow:
  mode: write_gated
slack:
  mode: read_first
  4. 4) Declare policy & Learning Controls

    Define latency, reliability, budget, data boundary, approval gates, and Learning Controls (evaluation contracts, drift triggers, reviewer coverage). Hashes are embedded in every certificate.

    # TrustPlane.slo.yaml
slo: { latency_p95_ms: 1200, availability: "99.9%" }
budget: { monthly_usd: 25000, rps: 5 }
data: { residency: [us, eu], kms: byok, egress: deny_by_default, pii: redact }
policy:
  writes: { approvals: [security, finops] }
  canary: { pct: 10, eval: "golden:v1", rollback_on: { drift_p95: ">5%" } }
connectors: { snowflake: read_first, servicenow: write_gated }
  5. 5) Run the read-first path
    // app/api/example/route.ts
import { NextResponse } from 'next/server';
import { createClient } from '@trustplane/sdk';

const tp = createClient({ sloManifestPath: 'TrustPlane.slo.yaml' });

export async function POST() {
  const resp = await tp.chat({
    model: 'auto',                       // TrustPlane picks model + region + hardware
    input: 'Summarize Q2 risk reports for the board',
    team: 'risk-ops',
    trace: true
  });
  return NextResponse.json(resp);
}

    Reads run without side-effects. Promotion to writes requires approvals and a valid Action Certificate.

  6. 6) Observe cost, SLOs & policy adherence

    Every request emits latency, availability, and cost per team; guardrails and redactions are auditable and exportable.

    • Per‑team cost/showback & budget guardrails
    • SLO adherence (p95 latency, availability)
    • Policy hits, PII redactions, audit export (OTel → Splunk/Datadog)
    • Certificate verification hooks before writes
  7. 7) Verify certificates before writes, then promote

    Downstream systems should block writes unless the certificate is valid. Use the verifier helper before calling promote.

    import { TrustPlane, verifyCertificate } from '@trustplane/sdk';

const tp = new TrustPlane({ policy: 'prod-us-1' });

const result = await tp.promote('ap-matching', {
  percent: 25,
  approvals: ['security', 'finops', 'data-owner']
});

const ok = await verifyCertificate(result.certificate, {
  expectedPolicyHash: 'sha256:9c73…f5a0',
  requiredApprovals: ['security', 'finops', 'data-owner'],
  maxCanaryPercent: 30
});

if (!ok.valid) throw new Error(`Blocked — ${ok.reason}`);

// Attach Action Certificate to downstream writes (ServiceNow, Snowflake, etc.)

    Paste the sample certificate into /verify to see signature and policy-hash checks pass.

Promotion gates

Optional evaluation contracts (golden sets, guardrail metrics) act as gates for canary → production.

Evidence packs

Policy hashes, lineage, and per‑action certificates export directly to your auditors (EU AI Act, NIST AI RMF).