Configuration Reference

This document provides a comprehensive reference for all Triage Warden configuration options.

Configuration Methods

Triage Warden can be configured through:

1. Environment variables (recommended for production)
2. Configuration file (config/default.yaml)
3. Command-line arguments (for specific settings)

Environment variables take precedence over configuration file values.

Environment Variables

Security Settings (Required)

Warning: These secrets must be consistent across all instances in a cluster. Changing them will invalidate existing sessions and encrypted data.

Database Configuration

Connection String Format:

postgres://username:password@hostname:port/database?sslmode=require

SSL modes: disable, allow, prefer, require, verify-ca, verify-full

Redis Configuration

Redis is required for HA deployments (message queue, cache, leader election).

Connection URL Formats:

redis://localhost:6379
redis://:password@localhost:6379
redis://localhost:6379/0
rediss://localhost:6379  # TLS

Server Configuration

Instance Configuration

Authentication & Sessions

CORS Configuration

LLM Configuration

Provider-specific API Keys:

Orchestrator Configuration

Logging Configuration

Log Level Examples:

# Basic level
RUST_LOG=info

# Per-module levels
RUST_LOG=info,triage_warden=debug,tw_api=trace

# All debug
RUST_LOG=debug

Metrics Configuration

Rate Limiting

Feature Flags

Webhook Configuration

Source-specific webhook secrets:

Configuration File

Configuration can also be provided via YAML file.

File Locations

Triage Warden searches for configuration in order:

1. Path specified by --config flag
2. $HOME/.config/triage-warden/config.yaml
3. /etc/triage-warden/config.yaml
4. ./config/default.yaml

Example Configuration File

# config/default.yaml

# Server configuration
server:
  bind_address: "0.0.0.0:8080"
  base_url: "https://triage.example.com"
  trusted_proxies:
    - "10.0.0.0/8"
    - "172.16.0.0/12"

# Database configuration
database:
  url: "postgres://triage:password@localhost:5432/triage_warden"
  max_connections: 25
  min_connections: 5
  connect_timeout: 30

# Redis configuration (for HA)
redis:
  url: "redis://localhost:6379"
  message_queue:
    enabled: true
  cache:
    enabled: true
    ttl_seconds: 3600
  leader_election:
    enabled: true

# LLM configuration
llm:
  provider: anthropic
  model: claude-3-sonnet-20240229
  temperature: 0.2
  max_tokens: 4096
  # API key should be set via environment variable

# Orchestrator settings
orchestrator:
  operation_mode: supervised
  auto_approve_low_risk: false
  max_concurrent_incidents: 100
  timeouts:
    enrichment: 60
    analysis: 120
    action: 300

# Logging
logging:
  level: info
  format: json

# Metrics
metrics:
  enabled: true
  path: /metrics

# Rate limiting
rate_limit:
  enabled: true
  requests_per_minute: 200
  burst: 50

# Feature flags
features:
  playbooks: true
  auto_enrich: true
  api_keys: true
  multi_tenant: false

# Connectors
connectors:
  crowdstrike:
    enabled: true
    type: edr
    base_url: "https://api.crowdstrike.com"
    # Credentials via environment or secrets

  splunk:
    enabled: true
    type: siem
    base_url: "https://splunk.example.com:8089"

Precedence

Configuration is loaded in this order (later overrides earlier):

1. Default values (built into application)
2. Configuration file (config/default.yaml)
3. Environment-specific file (config/{TW_ENV}.yaml)
4. Environment variables

Generating Secrets

Encryption Key (32 bytes, base64)

# macOS/Linux
openssl rand -base64 32

# Alternative using /dev/urandom
head -c 32 /dev/urandom | base64

JWT/Session Secrets

# Hex-encoded secret
openssl rand -hex 32

# Or use a password generator
pwgen -s 64 1

Database URL Format

PostgreSQL

postgres://username:password@hostname:port/database?sslmode=require

Options:

• sslmode=disable - No SSL (development only)
• sslmode=require - Require SSL, don't verify certificate
• sslmode=verify-ca - Require SSL, verify CA
• sslmode=verify-full - Require SSL, verify CA and hostname

Connection Pooling (PgBouncer)

postgres://username:password@pgbouncer:6432/database?sslmode=require

Operation Modes

Triage Warden supports three operation modes:

Supervised Mode (Default)

All actions require human approval:

TW_OPERATION_MODE=supervised
TW_AUTO_APPROVE_LOW_RISK=false

Assisted Mode

Low-risk actions are auto-approved, high-risk require approval:

TW_OPERATION_MODE=assisted
TW_AUTO_APPROVE_LOW_RISK=true

Autonomous Mode

All actions within guardrails are auto-executed:

TW_OPERATION_MODE=autonomous

Warning: Autonomous mode should only be enabled after thorough testing and with appropriate guardrails configured.

Health Check Endpoints

Health Status Values

Security Best Practices

1. Never commit secrets to version control
2. Use different secrets for each environment
3. Rotate secrets periodically
4. Enable TLS in production (TW_COOKIE_SECURE=true)
5. Restrict trusted proxies to known IP ranges
6. Enable rate limiting in production
7. Use read-only database users where possible

Environment-Specific Recommendations

Development

TW_ENV=development
TW_LOG_FORMAT=pretty
RUST_LOG=debug,triage_warden=trace
TW_COOKIE_SECURE=false
TW_ENABLE_SWAGGER=true

Staging

TW_ENV=production
TW_LOG_FORMAT=json
RUST_LOG=info,triage_warden=debug
TW_COOKIE_SECURE=true
TW_ENABLE_SWAGGER=true

Production

TW_ENV=production
TW_LOG_FORMAT=json
RUST_LOG=info
TW_COOKIE_SECURE=true
TW_ENABLE_SWAGGER=false
TW_METRICS_ENABLED=true
TW_RATE_LIMIT_ENABLED=true

High-Availability

DATABASE_URL=postgres://tw_user:pass@pgbouncer:6432/triage_warden?sslmode=require
DATABASE_MAX_CONNECTIONS=50
TW_TRUSTED_PROXIES=10.0.0.0/8
TW_METRICS_ENABLED=true
TW_TRACING_ENABLED=true
OTEL_EXPORTER_OTLP_ENDPOINT=http://jaeger:4317

Next Steps

• Configure monitoring
• Set up horizontal scaling
• Deploy to Kubernetes