Deployment
Three ways to run Lucairn
Local laptop with Compose, any Kubernetes with Helm, or fully sovereign on your existing cluster. Pick the smallest one that fits.
Compose (local dev)
Laptop
The fastest path to a running stack on your machine. One make target, all 7 services up in under 60 seconds.
# Clone the dual-sandbox-architecture repo, then:
make compose-up
# Brings up the full stack on your laptop:
# - gateway (8080)
# - sanitizer (50055)
# - id-bridge (50052)
# - sandbox-a (postgres + identity provider)
# - sandbox-b (LLM proxy)
# - veil-witness (50059)
# - audit (postgres + grpc)
# All host ports bound to 127.0.0.1 only — never publicly reachable.
# Health probe:
curl http://localhost:8080/healthz
Best for
Local development, integration tests, demoing the architecture.
Gotchas
Host ports are bound to 127.0.0.1 only. Never publicly reachable.
Default postgres passwords are dev-only; do not use compose for production.
All env vars come from config.env; copy config.env.example and fill in upstream LLM keys.
Kubernetes (Helm)
Cluster
Production-grade install on any Kubernetes 1.27+ cluster. NetworkPolicies enforce the split-knowledge boundary.
# Add the chart and install:
helm repo add lucairn https://charts.lucairn.eu
helm install lucairn lucairn/lucairn-platform \
--namespace lucairn \
--create-namespace \
--values values.yaml
# Key values to set:
# gateway.image.tag — pinned release version
# sandboxB.upstream.host — your LLM provider endpoint
# sandboxA.postgres.size — identity DB size
# networkPolicies.enabled — must be true for split-knowledge guarantee
# witness.signingKeyRef — secretRef for the Ed25519 signing key
Best for
Multi-tenant SaaS, internal platform teams, customers who already run Kubernetes.
Gotchas
NetworkPolicies must be enforced (cilium / calico / kube-router). Without enforcement the split-knowledge guarantee degrades to a software promise.
Sandbox B's egress allowlist is the load-bearing security control. Audit it before every chart upgrade.
Witness signing key MUST be sourced from your KMS (HashiCorp Vault, AWS KMS, Azure Key Vault). Never check signing material into git.
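One way to audit the Sandbox B egress allowlist before a chart upgrade, as an added example that is not part of the Lucairn chart or tooling: it walks NetworkPolicy objects and flags egress rules that are broader than an allowlist. The policy names, CIDRs and the max_addresses threshold are assumptions made for the illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `kubectl get networkpolicy -n lucairn -o json`.
# Policy names and CIDRs are hypothetical, not taken from the Lucairn chart.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "sandbox-b-egress"},
  "spec": {"policyTypes": ["Egress"], "egress": [
    {"to": [{"ipBlock": {"cidr": "203.0.113.10/32"}}],
     "ports": [{"protocol": "TCP", "port": 443}]}]}},
 {"metadata": {"name": "sandbox-b-loose"},
  "spec": {"policyTypes": ["Egress"], "egress": [
    {"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
     "ports": [{"protocol": "TCP", "port": 443}]},
    {"ports": [{"protocol": "UDP", "port": 53}]}]}},
 {"metadata": {"name": "gateway-ingress"},
  "spec": {"policyTypes": ["Ingress"], "ingress": [{}]}}
]}
""")


def audit_egress(policy_list, max_addresses=256):
    """Return (policy name, finding) pairs for egress broader than an allowlist."""
    findings = []
    for pol in policy_list.get("items", []):
        name = pol["metadata"]["name"]
        spec = pol.get("spec", {})
        rules = spec.get("egress") or []
        # Kubernetes default: Egress is implied only when egress rules exist.
        types = spec.get("policyTypes") or (["Ingress", "Egress"] if rules else ["Ingress"])
        if "Egress" not in types:
            findings.append((name, "policy does not restrict egress"))
            continue
        for i, rule in enumerate(rules):
            peers = rule.get("to") or []
            if not peers:  # empty or missing 'to' matches every destination
                findings.append((name, f"rule {i}: no 'to' peers, any destination"))
            if not rule.get("ports"):  # empty or missing 'ports' matches every port
                findings.append((name, f"rule {i}: no ports, any port"))
            for peer in peers:
                if "ipBlock" in peer:
                    net = ipaddress.ip_network(peer["ipBlock"]["cidr"], strict=False)
                    if net.num_addresses > max_addresses:
                        findings.append((name, f"rule {i}: wide CIDR {net}"))
                elif peer.get("namespaceSelector") == {}:
                    findings.append((name, f"rule {i}: every namespace allowed"))
    return findings
```

Call audit_egress on the parsed output of kubectl get networkpolicy -n lucairn -o json and review every finding before upgrading. An empty result does not show that the CNI enforces the policies, nor that every pod is selected by one.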
Sovereign / self-hosted
Air-gapped
Deploy onto your existing K8s namespace alongside your other workloads. Identity data never leaves your cluster — even Lucairn operators cannot see it.
# Bring-your-own cluster pattern:
# 1. Run helm install in your existing K8s namespace
# 2. Point your apps at gateway.<your-cluster>.local:8080
# 3. Mint lcr_live_* keys via /api/v1/register, scoped to your tenant
# 4. Identity data never leaves your cluster
# 5. Sandbox B can call any LLM you allowlist (private LLM, OpenAI, etc.)
#
# Used in production by healthcare and finance customers.
# See /use-cases/healthcare and /use-cases/finance for the regulatory framing.
Best for
Healthcare, finance, government, EU-data-residency-mandated industries, and anyone with an air-gapped or sovereign-cloud requirement.
Gotchas
Sandbox B can call any LLM you allowlist — point it at your private LLM, your OpenAI tenant, or your in-cluster Llama deployment.
Update channel is operator-controlled. Lucairn never auto-upgrades on your cluster.
Audit trail and certificate verification still work fully offline; only changelog/news fetches need internet.
Upgrades
All three paths follow the same rule: pin the gateway image to a tagged release, run helm upgrade (or docker compose pull && docker compose up -d), and watch /healthz. The gateway is forward-compatible with older audit / sanitizer / witness containers within a major version. Breaking changes ship in major releases only and are flagged in the changelog at least 30 days ahead.