Horizon Auth and Policy Hub

Cloud and Hub workflows connect local enforcement to shared governance operations. Horizon handles authenticated cloud sync for runtime evidence, while Hub provides policy-pack distribution with versioning and signature checks. Together they let teams move from one-off local policy files to controlled policy supply chains.

The key principle is separation of concerns: local daemons still enforce decisions, but policy collaboration, distribution, and evidence visibility can happen centrally. This allows platform teams to publish reviewed packs while product teams adopt them with explicit version and signature controls.

Recommended lifecycle

Use a repeatable flow from authoring to rollout instead of ad-hoc policy copies between teams.

01 Authenticate once against Horizon and verify status in automation.
02 Search and pin policy packs by explicit version.
03 Require signatures in CI and production installs.
04 Publish new versions only after review and staged validation.

Authenticate with Horizon

Log in once, then verify status before enabling sync.

bash
faramesh auth login
faramesh auth status

For self-hosted Horizon deployments, set an explicit URL:

bash
faramesh auth login --horizon-url https://horizon.example.com

Run with cloud sync

After login, enable DPR streaming to Horizon from the daemon.

bash
faramesh serve \
  --policy /etc/faramesh/policy.yaml \
  --sync-horizon

Search and install policy packs

Hub supports versioned packs and optional signature enforcement.

bash
faramesh hub search "refund"

faramesh hub install org/payment-guard@1.2.0 --require-signature

Verify and publish packs

Verify integrity before install and publish from a local file or directory.

bash
faramesh hub verify org/payment-guard@1.2.0 --require-signature

faramesh hub publish ./policy.yaml --name org/payment-guard --version 1.3.0

Operational guardrails

Prevent policy-supply incidents by enforcing these baseline controls:

- Never install unpinned pack versions in production.
- Require signature verification on all production policy pulls.
- Keep Hub publish rights limited to reviewed operator identities.
- Record policy pack source, version, and rollout scope in change logs.

Hub publish requires an auth token: pass --hub-token or set FARAMESH_HUB_TOKEN.
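
The first two guardrails above can be checked mechanically in CI. The following is an added example, not part of the Faramesh docs or code base: a shell function that scans a deploy script for faramesh hub install calls that lack an exact version pin or --require-signature. It assumes a pinned reference has the form name@X.Y.Z; the sample script and the pack name org/refund-limits are constructed for illustration.

```shell
# Added example, not Faramesh code: flag `faramesh hub install` calls that
# break the guardrails. Assumption: a pinned ref looks like name@X.Y.Z.
# audit_hub_installs FILE: prints one finding per violation, exits 1 if any.
audit_hub_installs() {
    awk '
    /^[ \t]*#/ { next }                               # skip comment lines
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continuation lines
    {
        n = split(buf $0, f, " "); buf = ""
        for (i = 1; i + 2 <= n; i++)
            if (f[i] == "faramesh" && f[i+1] == "hub" && f[i+2] == "install")
                break
        if (i + 2 > n) next                           # no hub install here
        ref = ""; signed = 0
        for (j = i + 3; j <= n; j++) {
            if (f[j] == "&&" || f[j] == ";" || f[j] == "|") break
            if (f[j] == "--require-signature") signed = 1
            else if (f[j] !~ /^-/ && ref == "") ref = f[j]
        }
        if (ref !~ /^[^@]+@[0-9]+\.[0-9]+\.[0-9]+$/) {
            printf "%s:%d: unpinned pack version: %s\n", FILENAME, NR, ref
            bad = 1
        }
        if (!signed) {
            printf "%s:%d: missing --require-signature: %s\n", FILENAME, NR, ref
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample deploy script; org/refund-limits is a made-up pack name.
write_sample() {
    cat > "$1" <<'EOF'
# install reviewed packs
faramesh hub install org/payment-guard@1.2.0 --require-signature
faramesh hub install org/payment-guard --require-signature
faramesh hub install org/payment-guard@1.2.0
faramesh hub install \
  org/refund-limits@2.0.1 \
  --require-signature
faramesh hub search "refund"
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_hub_installs "$sample" || echo "guardrail violations: fail the build"
rm -f "$sample"
```

Quoted or variable-expanded pack references do not match the pin pattern and are reported as unpinned, which errs on the side of failing the build.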

MIT License