Inspector, Settings · Attribution policy

Attribution policy controls how Neotoma reacts to writes from agents at different trust tiers. The Inspector renders the AAuth contract as a live operator console: pick a global mode, set a minimum tier, override per path, and watch the resolved decision update against the last 100 requests.

[Panel screenshot, inspector.neotoma.io/settings#attribution: Global mode selector (allow / warn / reject; active: warn), Min tier selector (hardware / software / unverified_client; active: software), Per-path overrides (/observations reject, /relationships warn, /timeline warn, /sources allow), and a Decision summary for the last 100 requests: Verified sigs 94 (94%), Promoted (HW) 12 (attestation OK), Rejected 3 (anonymous → /observations).]
Attribution policy panel, global mode, minimum tier, per-path overrides, and a decision summary that mirrors the env-var contract.

Global mode

  • allow Accept writes at every tier, including anonymous. Suitable for personal-use mode and sandbox.
  • warn Accept writes but emit an attribution_decision warn log line whenever the request lands below the minimum tier. Useful while rolling AAuth out across an existing fleet of agents.
  • reject Refuse writes below the minimum tier with a structured 401 error. The recommended setting for shared/server installs once your agents are signing.

Minimum tier

Requests at or above the configured floor are always accepted; requests below it are accepted, warned on, or rejected according to the mode in effect for the path. The four tiers, in descending strength:

  1. hardware: verified AAuth signature with hardware-backed attestation (TPM 2.0, Apple Secure Enclave, YubiKey).
  2. software: verified AAuth signature without an attested hardware backing.
  3. unverified_client: recognisable clientInfo but no signature.
  4. anonymous: neither signature nor recognisable client.

Per-path overrides

Per-path overrides let you tighten policy on the highest-risk endpoints (typically /observations and /relationships) while leaving read paths permissive. A per-path reject always wins over a global allow; the server enforces this, and the UI badge on the row only reflects the server's resolved mode, so the badge is a display aid rather than the control.

Resolution & environment variables

Policy can be set three ways, in increasing precedence:

  1. Inspector UI (this panel), writes through to the local config.
  2. NEOTOMA_ATTRIBUTION_POLICY / NEOTOMA_MIN_ATTRIBUTION_TIER / NEOTOMA_ATTRIBUTION_POLICY_JSON, env vars at server start.
  3. Per-request override headers (signed admission tokens; see AAuth).

The decision summary at the top of the panel reports which source won, so an env-var override on a server is never silently in effect.
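The three sections above (tier floor, per-path override, source precedence) describe one resolution function. The following is an added, stand-alone model of that function, not Neotoma's own code: it classifies a request into a tier, layers UI config, env vars and a per-request admission token in the stated precedence, applies the longest matching per-path override, and reports which source won, the way the panel's decision summary does. The env-var names, modes and tiers are the page's; the JSON shape of NEOTOMA_ATTRIBUTION_POLICY_JSON, the request field names (signature_verified, attestation_ok, client_info), the admission-token fields and the sample requests are assumptions constructed for this example.

```python
"""Stand-alone model of Neotoma attribution-policy resolution (added example,
not the project's code). Env-var names, modes, tiers and source precedence come
from the page; the JSON shape, request fields and admission-token fields are
assumptions made here for illustration."""
import json
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("neotoma.attribution")
TIERS = ["hardware", "software", "unverified_client", "anonymous"]  # strongest first
RANK = {t: i for i, t in enumerate(TIERS)}
MODES = ("allow", "warn", "reject")


@dataclass
class Policy:
    mode: str = "warn"
    min_tier: str = "software"
    paths: dict = field(default_factory=dict)  # path prefix -> mode
    source: str = "ui"                         # layer that last set a field


def classify_tier(req: dict) -> str:
    """Map what the request carried onto the four tiers (field names assumed)."""
    if req.get("signature_verified"):
        return "hardware" if req.get("attestation_ok") else "software"
    return "unverified_client" if req.get("client_info") else "anonymous"


def load_policy(ui_config: dict, env: dict, admission: Optional[dict] = None) -> Policy:
    """Layer the sources in increasing precedence: UI config < env vars < signed
    per-request admission token (assumed already verified by AAuth). Each layer
    overrides only the fields it sets; a bad value fails closed at startup."""
    pol = Policy(mode=ui_config.get("mode", "warn"),
                 min_tier=ui_config.get("min_tier", "software"),
                 paths=dict(ui_config.get("paths", {})))
    if "NEOTOMA_ATTRIBUTION_POLICY" in env:
        pol.mode, pol.source = env["NEOTOMA_ATTRIBUTION_POLICY"], "env"
    if "NEOTOMA_MIN_ATTRIBUTION_TIER" in env:
        pol.min_tier, pol.source = env["NEOTOMA_MIN_ATTRIBUTION_TIER"], "env"
    if "NEOTOMA_ATTRIBUTION_POLICY_JSON" in env:
        # Assumed shape: {"mode": ..., "min_tier": ..., "paths": {"/x": "reject"}}
        extra = json.loads(env["NEOTOMA_ATTRIBUTION_POLICY_JSON"])
        pol.mode = extra.get("mode", pol.mode)
        pol.min_tier = extra.get("min_tier", pol.min_tier)
        pol.paths.update(extra.get("paths", {}))
        pol.source = "env"
    if admission:
        pol.mode = admission.get("mode", pol.mode)
        pol.min_tier = admission.get("min_tier", pol.min_tier)
        pol.source = "admission-token"
    if (pol.mode not in MODES or pol.min_tier not in TIERS
            or any(m not in MODES for m in pol.paths.values())):
        raise ValueError(f"invalid attribution policy: {pol}")
    return pol


def decide(pol: Policy, req: dict) -> dict:
    """Resolve one write: the longest matching per-path prefix overrides the
    global mode, then the tier floor is applied under that mode."""
    tier, path = classify_tier(req), req["path"]
    mode, source = pol.mode, pol.source
    for prefix in sorted(pol.paths, key=len, reverse=True):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            mode, source = pol.paths[prefix], f"path:{prefix}"
            break
    below_floor = RANK[tier] > RANK[pol.min_tier]
    if below_floor and mode == "reject":
        verdict, status = "reject", 401
    else:
        verdict, status = "accept", 200
        if below_floor and mode == "warn":
            log.warning("attribution_decision warn tier=%s min_tier=%s path=%s",
                        tier, pol.min_tier, path)
    return {"tier": tier, "mode": mode, "source": source,
            "verdict": verdict, "status": status}


def summarize(decisions: list) -> dict:
    """The panel's decision summary: signed, hardware-promoted, rejected."""
    return {"verified_sigs": sum(d["tier"] in ("hardware", "software") for d in decisions),
            "promoted_hw": sum(d["tier"] == "hardware" for d in decisions),
            "rejected": sum(d["verdict"] == "reject" for d in decisions)}


# Constructed sample: UI says warn/software; env tightens /observations to reject.
UI_CONFIG = {"mode": "warn", "min_tier": "software", "paths": {"/sources": "allow"}}
ENV = {"NEOTOMA_ATTRIBUTION_POLICY_JSON": json.dumps({"paths": {"/observations": "reject"}})}
REQUESTS = [  # constructed, not captured traffic
    {"path": "/observations", "signature_verified": True, "attestation_ok": True},
    {"path": "/observations", "signature_verified": True},
    {"path": "/observations"},                                  # anonymous -> 401
    {"path": "/relationships", "client_info": "agent-x/1.0"},   # below floor -> warn
    {"path": "/sources"},                                       # per-path allow
]

if __name__ == "__main__":
    policy = load_policy(UI_CONFIG, ENV)
    results = [decide(policy, r) for r in REQUESTS]
    print(*results, summarize(results), sep="\n")
```

Two design points worth carrying into a real deployment: validation happens once at load time and raises, so a misspelled env value cannot silently degrade to the permissive default, and every decision records the source that set the winning mode, which is the only way an operator reading the panel can tell a UI choice from an env-var or admission-token override.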

Per-agent grants

Tier-based policy is the wide net. For fine-grained (operation, entity_type) allow-lists per signing identity, use Agents & grants; those layer on top of the global policy and apply to a single key thumbprint.