Configuration

Configure scope, never raw access to everything.

Release Passport should know enough to decide release readiness, not scrape every app in the customer environment. Configuration is scoped by service, namespace, project, query, and token.

Auth / OIDC

Issuer URL, client ID, secret, callback URL, allowed groups, and session policy.

API tokens

Scoped service or pipeline tokens stored in CI secret managers.

Connectors

Kubernetes namespace, Prometheus query allowlist, GitOps app, CI provider, error project.

Retention

Passport, evidence, decision, comment, and report history by plan.

Configuration areas

Area: License
Configured by: Helm values or Settings status
What to set: trial, starter_monthly, team_monthly, business_monthly, custom entitlement, expiration, feature flags.
Security note: Show status only in UI. Do not expose license signing material.

Area: Runtime
Configured by: Helm values
What to set: Workspace ID, public URL, API base path, default environment, default mode.
Security note: Start shadow; require explicit change before enforce.

Area: Auth/OIDC
Configured by: Secret-backed Helm values and Settings status
What to set: Issuer, client ID, callback URL, allowed groups, session duration.
Security note: Client secret must be env/secret-backed only.

Area: API tokens
Configured by: Kubernetes secret or token UI
What to set: Gate tokens scoped by service/workspace and optionally environment.
Security note: Tokens must not appear in reports, docs output, or console detail.

Area: Connectors
Configured by: Helm values and Settings status
What to set: Provider, namespace/project/app/query allowlist, freshness thresholds.
Security note: No broad unscoped scraping.

Area: Retention
Configured by: Plan and values
What to set: Passport, evidence, report, comment, and audit retention.
Security note: Starter, Team, Business, and Custom unlock longer retention and reporting.
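
The security notes for Runtime, Auth/OIDC, API tokens, and Connectors can be checked before a deploy. The lint below is an added example, not Release Passport code. Every key name in it (runtime.defaultMode, oidc.clientSecret, secretKeyRef, tokens, connectors) is an assumption made for illustration and is not the product's actual Helm schema.

```python
# Added example. Key names are hypothetical, not Release Passport's real schema.

def is_secret_ref(value):
    """True when value points at a Kubernetes-style secret instead of holding one."""
    ref = value.get("secretKeyRef") if isinstance(value, dict) else None
    return isinstance(ref, dict) and bool(ref.get("name")) and bool(ref.get("key"))

def lint_values(values):
    """Return findings for a values mapping; an empty list means all checks passed."""
    findings = []

    # Runtime: start in shadow, enforce only by a later explicit change.
    if values.get("runtime", {}).get("defaultMode") == "enforce":
        findings.append("runtime: defaultMode is enforce; start in shadow")

    # Auth/OIDC: client secret must be env/secret-backed only.
    oidc = values.get("oidc", {})
    if "clientSecret" in oidc and not is_secret_ref(oidc["clientSecret"]):
        findings.append("oidc: clientSecret is an inline value, not a secret reference")

    # API tokens: each gate token is scoped by service or workspace.
    for i, token in enumerate(values.get("tokens", [])):
        if not (token.get("service") or token.get("workspace")):
            findings.append(f"tokens[{i}]: no service or workspace scope")

    # Connectors: every connector carries a non-wildcard allowlist.
    for name, conn in sorted(values.get("connectors", {}).items()):
        allow = [e for k in ("namespaces", "projects", "apps", "queries")
                 for e in conn.get(k, [])]
        if not allow:
            findings.append(f"connectors.{name}: no allowlist")
        elif any(str(e).strip() in ("", "*", ".*") for e in allow):
            findings.append(f"connectors.{name}: wildcard entry in allowlist")
    return findings

# Constructed sample input, not taken from a real deployment.
BAD = {
    "runtime": {"defaultMode": "enforce"},
    "oidc": {"clientSecret": "constructed-inline-secret"},
    "tokens": [{"name": "ci", "environment": "prod"}],
    "connectors": {"kubernetes": {"namespaces": ["*"]}, "prometheus": {}},
}
GOOD = {
    "runtime": {"defaultMode": "shadow"},
    "oidc": {"clientSecret": {"secretKeyRef": {"name": "rp-oidc", "key": "secret"}}},
    "tokens": [{"name": "ci", "service": "checkout"}],
    "connectors": {"prometheus": {"queries": ["up{namespace=\"checkout\"}"]}},
}
```

lint_values(BAD) returns one finding per violated note; lint_values(GOOD) returns an empty list.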

Recommended rollout configuration

Day 1: Install Trial, configure OIDC, create one token, connect one evidence source, and run shadow mode.

Week 1: Add service inventory, ensure evidence freshness is stable, review false holds, and document expected policies.

Advisory: Move critical services to advisory after operators understand why each hold or block appears.

Enforce: Use enforce only when rollback, runtime, policy, and connector evidence are consistently fresh and trusted.

Production package: Upgrade when the team needs more services, longer retention, advanced connectors, SSO group mapping, reports, or runtime checks.