# Authorization Deployment
Deploy the Authorization tier to add Cedar-based policy enforcement on top of Discovery & Registry.
## Prerequisites
- Docker Engine 24+ with Compose v2
- 4 GB RAM available for containers
- Ports available: 443 (Policy Manager), 8443 (Registry dashboard)
- GHCR access token (provided by Watchlight AI)
## Install

```shell
cd deploy/tier2-authorization/docker-compose
./bootstrap.sh
```
## Access

| Endpoint | Purpose |
|---|---|
| https://localhost | Policy Manager Dashboard |
| https://localhost:8443 | Registry Dashboard |
| https://localhost/authorize | Authorization API (Cedar eval) |
## Cedar Policies

Default: observation mode. Every action is allowed, and every decision is logged.
Load enforcement policies via the Policy Manager Dashboard at https://localhost, or via the API. Example request to the Authorization API:

```shell
curl -k -X POST https://localhost/authorize \
  -H 'Content-Type: application/json' \
  -d '{
    "principal": "Agent::\"my-agent\"",
    "action": "Action::\"execute_tool\"",
    "resource": "Tool::\"web_search\""
  }'
```
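The policies below are an added example, not part of this guide or the product's shipped policy set; they show the observation-mode equivalent beside an enforcement policy written against the `Agent`, `Action` and `Tool` entity types used in the request above. The `Tool::"shell_exec"` identifier is a hypothetical name chosen for illustration.

```cedar
// Observation-mode equivalent: a permit with no constraints matches every
// request, so everything is allowed (decisions are still logged).
// Remove this policy when moving to enforcement.
permit(principal, action, resource);

// Enforcement: Cedar is default-deny, so once the blanket permit above is
// gone only requests matched by an explicit permit are allowed.
// This permits the exact request shown in the curl example.
permit(
  principal == Agent::"my-agent",
  action == Action::"execute_tool",
  resource == Tool::"web_search"
);

// An explicit forbid always overrides any permit in Cedar. The tool name
// here is hypothetical; it illustrates pinning a deny for a sensitive tool
// so that a later, broader permit cannot accidentally re-enable it.
forbid(
  principal == Agent::"my-agent",
  action == Action::"execute_tool",
  resource == Tool::"shell_exec"
);
```

With both enforcement policies loaded, the curl request above evaluates to Allow, while the same principal requesting `Tool::"shell_exec"` evaluates to Deny regardless of any other permit.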
## Dashboard Authentication
Both dashboards start without authentication by default. See Authentication for OIDC and LDAP configuration.
## Commands

```shell
# Re-run bootstrap
./docker-compose/bootstrap.sh

# View logs
docker compose -f docker-compose/docker-compose.yml logs -f

# Stop
docker compose -f docker-compose/docker-compose.yml down

# Full reset
./docker-compose/bootstrap.sh --reset
```
## Upgrade to Runtime Governance
Ready for transparent policy enforcement on every API call? See the Governance Deployment guide.