{"id":34559372,"url":"https://github.com/inferadb/control","last_synced_at":"2026-05-22T05:06:42.528Z","repository":{"id":325031800,"uuid":"1084704939","full_name":"inferadb/control","owner":"inferadb","description":"InferaDB control plane — multi-tenant administration with WebAuthn","archived":false,"fork":false,"pushed_at":"2026-05-06T03:07:16.000Z","size":2677,"stargazers_count":3,"open_issues_count":7,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-06T05:34:13.304Z","etag":null,"topics":["access-control","audit-logging","authorization","fine-grained-access-control","grpc","inferadb","jwt","multi-tenant","passkeys","permissions","rbac","rebac","rest-api","rust","webauthn","zanzibar"],"latest_commit_sha":null,"homepage":"https://inferadb.com","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/inferadb.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE-APACHE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":"evansims"}},"created_at":"2025-10-28T03:38:57.000Z","updated_at":"2026-04-07T06:11:18.000Z","dependencies_parsed_at":"2026-04-21T05:01:04.471Z","dependency_job_id":null,"html_url":"https://github.com/inferadb/control","commit_stats":null,"previous_names":["inferadb/management"],"tags_count":110,"template":false,"template_full_name":null,"purl":"pkg:github/inferadb/control","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inferadb%2Fcontrol","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inferadb%2Fcontrol/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inferadb%2Fcontrol/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inferadb%2Fcontrol/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/inferadb","download_url":"https://codeload.github.com/inferadb/control/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inferadb%2Fcontrol/sbom","scorecard":{"id":1242473,"data":{"date":"2025-12-30T07:36:43Z","repo":{"name":"github.com/inferadb/control","commit":"9bd62adbc80e62b9283951fd1d80301df2d91985"},"scorecard":{"version":"v5.3.0","commit":"c22063e786c11f9dd714d777a687ff7c4599b600"},"score":5.8,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#maintained"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":8,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:135","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:191","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/ci.yml:192","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:262","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:319","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:351","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/ci.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:30","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:62","Info: jobLevel 'contents' permission set to 'read': .github/workflows/ci.yml:87","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:29","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:29","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:30","Info: jobLevel 'issues' permission set to 'read': .github/workflows/scorecards.yml:32","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/scorecards.yml:33","Info: jobLevel 'checks' permission set to 'read': .github/workflows/scorecards.yml:35","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:69","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:26","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/security.yml:27","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security.yml:47","Info: topLevel 'contents' permission set to 'read': .github/workflows/ci.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:20","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:21","Info: topLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:8","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/security.yml:16","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/security.yml:17"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#signed-releases"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: containerImage not pinned by hash: Dockerfile:12: pin your Docker image by updating rustlang/rust:nightly-bookworm-slim to rustlang/rust:nightly-bookworm-slim@sha256:a852c61b4ec8d18a29b0893a3f049a05296a8bd6c924a66cd1939297d7d02546","Warn: containerImage not pinned by hash: Dockerfile:54: pin your Docker image by updating debian:bookworm-slim to debian:bookworm-slim@sha256:d5d3f9c23164ea16f31852f95bd5959aad1c5e854332fe00f7b3a20fcc9f635c","Warn: containerImage not pinned by hash: Dockerfile.integration:4: pin your Docker image by updating rustlang/rust:nightly-bookworm-slim to rustlang/rust:nightly-bookworm-slim@sha256:a852c61b4ec8d18a29b0893a3f049a05296a8bd6c924a66cd1939297d7d02546","Warn: containerImage not pinned by hash: Dockerfile.integration:44: pin your Docker image by updating debian:bookworm-slim to debian:bookworm-slim@sha256:d5d3f9c23164ea16f31852f95bd5959aad1c5e854332fe00f7b3a20fcc9f635c","Warn: containerImage not pinned by hash: docker/fdb-integration-tests/Dockerfile.fdb:5: pin your Docker image by updating debian:bookworm-slim to debian:bookworm-slim@sha256:d5d3f9c23164ea16f31852f95bd5959aad1c5e854332fe00f7b3a20fcc9f635c","Info:  21 out of  21 GitHub-owned GitHubAction dependencies pinned","Info:  35 out of  35 third-party GitHubAction dependencies pinned","Info:   1 out of   6 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#sast"}},{"name":"CI-Tests","score":10,"reason":"2 out of 2 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#ci-tests"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#security-policy"}},{"name":"Contributors","score":10,"reason":"project has 4 contributing companies or organizations","details":["Info: found contributions from: inferadb, momentful, psr-discovery, psr-mock"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/c22063e786c11f9dd714d777a687ff7c4599b600/docs/checks.md#contributors"}}]},"last_synced_at":"2026-01-26T22:48:52.470Z","repository_id":325031800,"created_at":"2026-01-26T22:48:52.470Z","updated_at":"2026-01-26T22:48:52.470Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33011340,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-13T13:14:54.681Z","status":"online","status_checked_at":"2026-05-14T02:00:06.663Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","audit-logging","authorization","fine-grained-access-control","grpc","inferadb","jwt","multi-tenant","passkeys","permissions","rbac","rebac","rest-api","rust","webauthn","zanzibar"],"created_at":"2025-12-24T08:38:19.485Z","updated_at":"2026-05-14T05:02:12.771Z","avatar_url":"https://github.com/inferadb.png","language":"Rust","funding_links":["https://github.com/sponsors/evansims"],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n    \u003cp\u003e\u003ca href=\"https://inferadb.com\"\u003e\u003cimg src=\".github/inferadb.png\" width=\"100\" alt=\"InferaDB Logo\" /\u003e\u003c/a\u003e\u003c/p\u003e\n    \u003ch1\u003eInferaDB Control Plane\u003c/h1\u003e\n    \u003cp\u003e\n        \u003ca href=\"https://discord.gg/inferadb\"\u003e\u003cimg src=\"https://img.shields.io/badge/Discord-Join%20us-5865F2?logo=discord\u0026logoColor=white\" alt=\"Discord\" /\u003e\u003c/a\u003e\n        \u003ca href=\"#license\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT%2FApache--2.0-blue.svg\" alt=\"License\" /\u003e\u003c/a\u003e\n    \u003c/p\u003e\n    \u003cp\u003e\u003cb\u003eMulti-tenant administration APIs for authorization infrastructure.\u003c/b\u003e\u003c/p\u003e\n\u003c/div\u003e\n\n\u003e [!IMPORTANT]\n\u003e Under active development. Not production-ready.\n\n[InferaDB](https://inferadb.com) Control is the administration plane for InferaDB. It manages organizations, users, vaults, clients, and token issuance. Control authenticates operators via passwordless email codes, passkeys (WebAuthn), and TOTP, enforces RBAC across tenants, and issues vault-scoped JWTs consumed by the [InferaDB Engine](https://github.com/inferadb/engine). Data is persisted to [InferaDB Ledger](https://github.com/inferadb/ledger) for cryptographic auditability.\n\n- [Features](#features)\n- [Quick Start](#quick-start)\n- [Configuration](#configuration)\n- [Contributing](#contributing)\n- [Documentation](#documentation)\n- [Community](#community)\n- [License](#license)\n\n## Features\n\n- **Authentication** — Passwordless email codes, passkeys (WebAuthn), TOTP, recovery codes\n- **Multi-Tenancy** — Organization-based isolation with role hierarchy and team management\n- **Vault Management** — Create and manage vaults with schema versioning\n- **Client Auth** — Ed25519 certificate lifecycle, RFC 7523 JWT client assertions\n- **Token Issuance** — Vault-scoped JWTs with refresh token rotation for Engine API\n\n## Quick Start\n\n```bash\ngit clone https://github.com/inferadb/control \u0026\u0026 cd control\nmise trust \u0026\u0026 mise install\ncargo run --bin inferadb-control -- --dev-mode\n```\n\nDev mode uses in-memory storage and auto-generates an Ed25519 identity. The REST API is available at `http://localhost:9090`.\n\n**Production:**\n\n```bash\ninferadb-control \\\n  --listen 0.0.0.0:9090 \\\n  --storage ledger \\\n  --ledger-endpoint http://ledger:50051 \\\n  --ledger-client-id ctrl-prod-01 \\\n  --key-file /data/master.key \\\n  --log-format json\n```\n\n## Configuration\n\n| CLI                      | Purpose                                   | Default                 |\n| ------------------------ | ----------------------------------------- | ----------------------- |\n| `--listen`               | HTTP bind address                         | `127.0.0.1:9090`        |\n| `--storage`              | Storage backend: `memory` or `ledger`     | `ledger`                |\n| `--dev-mode`             | Force in-memory storage (CLI only)        |                         |\n| `--key-file`             | Path to AES-256-GCM master key            | `./data/master.key`     |\n| `--pem`                  | Ed25519 private key (PEM string)          |                         |\n| `--ledger-endpoint`      | Ledger gRPC endpoint URL                  |                         |\n| `--ledger-client-id`     | Unique client ID for idempotency tracking |                         |\n| `--log-level`            | Tracing filter (`info`, `debug`, etc.)    | `info`                  |\n| `--log-format`           | `auto`, `json`, `text`                    | `auto`                  |\n| `--frontend-url`         | Base URL for CORS and email links         | `http://localhost:3000` |\n| `--webauthn-rp-id`       | WebAuthn Relying Party domain             | `localhost`             |\n| `--webauthn-origin`      | WebAuthn Relying Party origin URL         | `http://localhost:3000` |\n| `--worker-id`            | Snowflake ID worker (0–1023, unique/node) |                         |\n| `--trusted-proxy-depth`  | Trusted proxy count for `X-Forwarded-For` |                         |\n| `--email-blinding-key`   | HMAC-SHA256 key (64-char hex)             |                         |\n| `--email-host`           | SMTP host (empty = email disabled)        | `\"\"`                    |\n\nSee [Configuration Reference](docs/guides/configuration.md) for environment variables, email/SMTP setup, and all options.\n\n## Contributing\n\n### Prerequisites\n\n- Rust 1.92+\n- [mise](https://mise.jdx.dev/) for synchronized development tooling\n- [just](https://github.com/casey/just) for convenient development commands\n\n### Build and Test\n\n```bash\nmise trust \u0026\u0026 mise install\n\njust build     # Build workspace\njust test      # Run tests\njust lint      # Run clippy\njust fmt       # Format code\njust ci        # All checks\n```\n\n## Documentation\n\n- [Getting Started](docs/getting-started.md) — First steps with Control\n- [Configuration Reference](docs/guides/configuration.md) — CLI flags, environment variables, email setup\n- [Authentication](docs/authentication.md) — Auth flows and session management\n- [Architecture](docs/architecture.md) — Crate structure and design decisions\n- [Deployment](docs/deployment.md) — Docker, Kubernetes, and Helm\n- [API Overview](docs/overview.md) — Complete endpoint reference\n- [OpenAPI Spec](openapi.yaml) — OpenAPI specification\n\n## Community\n\nJoin us on [Discord](https://discord.gg/inferadb) for questions and discussions.\n\n## License\n\nDual-licensed under [MIT](LICENSE-MIT) or [Apache 2.0](LICENSE-APACHE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finferadb%2Fcontrol","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finferadb%2Fcontrol","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finferadb%2Fcontrol/lists"}