The Ultimate Git Control Plane
ๅฎ่ญท่ ใฎ้ - Guardian of the Gate
"Just as the sacred torii gate marks the boundary between the mundane and the divine, TORII stands as the guardian between chaos and order in your Git infrastructure."
TORII embodies three core principles:
- ๐ก๏ธ Zero Trust - Every operation is validated, no exceptions
- ๐ Policy as Code - Governance defined in version-controlled YAML
- โก Git-Native - Enforcement at the protocol level, not post-facto
TORII is a production-ready Git Control Plane built in Rust that enforces policy-driven governance for Git operations. Unlike traditional Git hosting solutions that rely on webhooks and post-receive validation, TORII intercepts operations at the pre-receive stage, providing true zero-trust enforcement.
Modern enterprises face critical challenges with Git governance:
- โ No Central Control - Teams push directly to production branches
- โ Post-Facto Validation - Webhooks catch violations too late
- โ Inconsistent Policies - Rules differ across repositories
- โ Audit Gaps - No comprehensive record of who did what
TORII solves these problems by acting as a policy enforcement point for all Git operations.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ TORII Ecosystem โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Developer Admin Interface CI/CD System โ
โ โ โ โ โ
โ โ git push โ manage policies โ โ
โ โผ โผ โผ โ
โ โโโโโโโโโโ โโโโโโโโโโโโ โโโโโโโโโโโ โ
โ โ SSH โโโโโโโโโโโโโถโ torii- โโโโโโโโโโโโโโโ HTTP โ โ
โ โ (Port โ โ server โ โ API โ โ
โ โ 22) โ โ :3000 โ โ โ โ
โ โโโโโโฌโโโโ โโโโโโโฌโโโโโ โโโโโโโโโโโ โ
โ โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ Control Plane โ โ โ
โ โ โ โผ โ โ
โ โ โ โโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ โ Policy Engine โ โ โ
โ โ โ โ (torii-core) โ โ โ
โ โ โ โโโโโโโโโโฌโโโโโโโโโโ โ โ
โ โ โ โ โ โ
โ โ โ โผ โ โ
โ โ โ โโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ โ Storage Layer โ โ โ
โ โ โ โ SQLite/Postgres โ โ โ
โ โ โ โโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ Enforcement Layer โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โโโโโโโโโโโโถ torii-hook (pre-receive) โ
โ โโ Validates refs โ
โ โโ Checks policies โ
โ โโ Allows/Denies push โ
โ โ
โ Authentication: torii-auth โโโโโ sshd (AuthorizedKeysCommand) โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Define governance rules as declarative YAML policies:
apiVersion: torii.io/v1beta1 kind: RepositoryPolicy metadata: name: "protect-production" spec: defaultAction: "deny" rules: - name: "senior-engineers-only" scope: refs: ["refs/heads/main", "refs/heads/production"] conditions: - field: "actor.group" operator: "in" value: ["senior-engineers", "platform-team"] decision: "allow"
- Integrated with OpenSSH's
AuthorizedKeysCommand - Automatic identity injection via environment variables
- No custom Git clients required
- SQLite - Perfect for edge deployments and single-node setups
- PostgreSQL - Production-grade for multi-node clusters
- Written in Rust for memory safety and speed
- Async/await for concurrent request handling
- Zero-copy policy evaluation
- Comprehensive E2E test suite with Testcontainers
- Docker support for Postgres integration tests
- CI/CD validated across multiple database backends
Problem: Developers accidentally push to production branches.
Solution: TORII enforces strict branch policies at the Git protocol level.
# Only allow releases from CI/CD - name: "production-from-ci-only" scope: refs: ["refs/heads/production"] conditions: - field: "actor.type" operator: "equals" value: "service-account" decision: "allow"
Problem: SaaS platforms need to isolate customer repositories.
Solution: Dynamic policies per repository with tenant-specific rules.
# Tenant isolation - name: "tenant-a-only" conditions: - field: "actor.tenant_id" operator: "equals" value: "tenant-a" decision: "allow"
Problem: Financial institutions require immutable audit trails.
Solution: TORII logs every Git operation with policy decisions.
# Query audit logs SELECT * FROM audit_log WHERE repository_id = 'trading-system' AND action = 'git-receive-pack' AND timestamp > NOW() - INTERVAL '7 days';
Problem: Pull requests bypass security checks via force-push.
Solution: Enforce linear history and required checks.
- name: "no-force-push" conditions: - field: "ref_update.forced" operator: "equals" value: "true" decision: "deny"
- Rust 1.70+ (
rustup) - PostgreSQL or SQLite
- OpenSSH (for SSH auth)
# Clone the repository git clone https://github.com/copyleftdev/torii.git cd torii # Build all components cargo build --release # Binaries are in target/release/ ls target/release/torii-*
# With SQLite (development) TORII_DB_URL="sqlite:///tmp/torii.db" \ cargo run -p torii-server # With PostgreSQL (production) TORII_DB_URL="postgres://user:pass@localhost/torii" \ cargo run -p torii-server
Server will start on http://localhost:3000
# Create a policy file cat > policy.yaml <<EOF apiVersion: torii.io/v1beta1 kind: RepositoryPolicy metadata: name: "basic-protection" description: "Protect main branch" spec: defaultAction: "allow" rules: - name: "protect-main" scope: refs: ["refs/heads/main"] conditions: [] decision: "deny" EOF # Apply the policy ./target/release/torii-cli policy apply -f policy.yaml
# Create repository ./target/release/torii-cli repo create \ --name "my-app" \ --owner "platform-team" # Bind policy to repository ./target/release/torii-cli binding add \ --repo "my-app" \ --policy "basic-protection"
# In your bare Git repository cd /path/to/my-app.git # Install pre-receive hook ln -s /path/to/torii/target/release/torii-hook \ hooks/pre-receive # Make it executable chmod +x hooks/pre-receive # Configure environment export TORII_REPO_ID="my-app" export TORII_CONTROL_PLANE="http://localhost:3000"
# Try to push to main (should be denied) cd /tmp git clone /path/to/my-app.git cd my-app git checkout -b main echo "test" > README.md git commit -am "test" # Set actor identity export TORII_ACTOR_ID="alice" git push origin main # โ Denied by policy 'basic-protection'
| Variable | Description | Default |
|---|---|---|
TORII_DB_URL |
Database connection string | sqlite::memory: |
TORII_CONTROL_PLANE |
API endpoint for hooks | http://localhost:3000 |
TORII_REPO_ID |
Repository identifier | (required) |
TORII_ACTOR_ID |
User identifier | (from SSH env) |
RUST_LOG |
Log level | info |
Add to /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/local/bin/torii-auth AuthorizedKeysCommandUser git PermitUserEnvironment TORII_ACTOR_ID
| Crate | Purpose | Lines of Code |
|---|---|---|
torii-core |
Domain models, policy engine | ~600 |
torii-server |
Control Plane API & web service | ~400 |
torii-storage |
Persistence (SQLite/Postgres) | ~500 |
torii-hook |
Git pre-receive enforcement | ~150 |
torii-cli |
Administrative CLI | ~250 |
torii-auth |
SSH key resolver | ~50 |
torii-e2e |
End-to-end tests | ~200 |
Total: ~2,150 lines of Rust (excluding tests)
# Run all tests cargo test --workspace # Run E2E tests (requires Docker) cargo test -p torii-e2e # Run with coverage cargo tarpaulin --workspace # Integration tests only cargo test -p torii-storage
Test Coverage: 85%+ across critical paths
- Phase 1-4: Core Policy Engine & Server
- Phase 5: Persistent Storage (SQLite)
- Phase 6: Management CLI
- Phase 7: SSH Authentication
- Phase 8: E2E Testing (PostgreSQL)
- Phase 9: Event Plane (AsyncAPI webhooks)
- Phase 10: Observability (Prometheus metrics)
- Phase 11: HA Deployment (Kubernetes)
- Phase 12: Web UI Dashboard
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
# Install Rust curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh # Clone and build git clone https://github.com/copyleftdev/torii.git cd torii cargo build # Run tests cargo test # Check formatting cargo fmt --check # Run linter cargo clippy
MIT License - see LICENSE for details.
Inspired by:
Built with โค๏ธ and โ๏ธ in Rust
"ๅฎ่ญท่ ใฎ้" - Guardian of the Gate
Documentation โข Architecture โข API Spec โข Roadmap