TrigGuard
TRIGGUARD EXAMPLES
Request a demo

Integration Examples

Reference patterns for integrating TrigGuard execution authorization into CI/CD pipelines, infrastructure automation, and application workflows.

CI/CD

GitHub Deploy Gate

DENY production deployments in GitHub Actions until authorized by TrigGuard. Fail-closed if authorization service is unavailable.

surface: deploy.release
INFRASTRUCTURE

Terraform Pre-Apply Gate

Require authorization before terraform apply. Use external data source to gate infrastructure changes.

surface: infra.terraform
REST API

REST API Integration

Direct API integration using curl, Python, Node.js, or Go. Verify receipts offline.

POST /execute
DATA

Data Export Gate

Authorize bulk data exports before allowing download. Log receipt for compliance audit trail.

surface: data.export
CI/CD

Database Migration Gate

Require authorization before running database migrations in production environments.

surface: data.migrate
CLI

CLI Integration

Shell script patterns for command-line authorization. Exit codes, receipt caching, retry logic.

shell / bash

// GITHUB ACTIONS

GitHub Deploy Gate

.github/workflows/deploy.yml YAML 
# Production deployment with TrigGuard authorization gate
name: Deploy to Production

on:
  push:
    branches: [main]

jobs:
  authorize:
    runs-on: ubuntu-latest
    outputs:
      receipt_id: ${{ steps.auth.outputs.receipt_id }}
    steps:
      - name: Request TrigGuard Authorization
        id: auth
        run: |
          RESPONSE=$(curl -sf https://api.trigguardai.com/execute \
            -H "Authorization: Bearer ${{ secrets.TG_API_KEY }}" \
            -H "Content-Type: application/json" \
            -d '{
              "surface": "deploy.release",
              "action": "promote-to-production",
              "context": {
                "commit": "${{ github.sha }}",
                "branch": "${{ github.ref_name }}",
                "actor": "${{ github.actor }}",
                "repo": "${{ github.repository }}"
              }
            }')
          
          DECISION=$(echo "$RESPONSE" | jq -r '.decision')
          RECEIPT_ID=$(echo "$RESPONSE" | jq -r '.receipt_id')
          
          if [ "$DECISION" != "PERMIT" ]; then
            echo "::error::Authorization denied: $DECISION"
            exit 1
          fi
          
          echo "receipt_id=$RECEIPT_ID" >> $GITHUB_OUTPUT
          echo "Authorization granted: $RECEIPT_ID"

  deploy:
    needs: authorize
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Deploy Application
        env:
          TG_RECEIPT_ID: ${{ needs.authorize.outputs.receipt_id }}
        run: |
          echo "Deploying with receipt: $TG_RECEIPT_ID"
          # Your deployment commands here

// TERRAFORM

Terraform Pre-Apply Gate

authorization.tf HCL 
# Request TrigGuard authorization before infrastructure changes

data "http" "trigguard_auth" {
  url    = "https://api.trigguardai.com/execute"
  method = "POST"

  request_headers = {
    Authorization = "Bearer ${var.trigguard_api_key}"
    Content-Type  = "application/json"
  }

  request_body = jsonencode({
    surface = "infra.terraform"
    action  = "apply"
    context = {
      workspace   = terraform.workspace
      environment = var.environment
      actor       = var.actor
    }
  })
}

locals {
  auth_response = jsondecode(data.http.trigguard_auth.response_body)
  authorized    = local.auth_response.decision == "PERMIT"
}

# Fail if not authorized
resource "null_resource" "authorization_check" {
  count = local.authorized ? 0 : 1

  provisioner "local-exec" {
    command = "echo 'TrigGuard authorization denied' && exit 1"
  }
}

output "receipt_id" {
  value       = local.auth_response.receipt_id
  description = "TrigGuard authorization receipt"
}

// REST API

Direct API Integration

Python

Using the requests library:

import requests

response = requests.post(
    "https://api.trigguardai.com/execute",
    headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json"
    },
    json={
        "surface": "deploy.release",
        "action": "promote"
    }
)

if response.json()["decision"] == "PERMIT":
    # Proceed with action
    pass

Node.js

Using fetch:

const response = await fetch(
  'https://api.trigguardai.com/execute',
  {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      surface: 'deploy.release',
      action: 'promote'
    })
  }
);

const { decision } = await response.json();
if (decision === 'PERMIT') {
  // Proceed
}

Go

Using net/http:

req, _ := http.NewRequest(
  "POST",
  "https://api.trigguardai.com/execute",
  bytes.NewBuffer(payload),
)
req.Header.Set("Authorization", 
  "Bearer "+apiKey)
req.Header.Set("Content-Type", 
  "application/json")

resp, _ := client.Do(req)

// SHELL

CLI Integration Pattern

authorize.sh BASH 
#!/bin/bash
set -euo pipefail

# TrigGuard authorization wrapper
# Usage: ./authorize.sh <surface> <action>

SURFACE="${1:?Surface required}"
ACTION="${2:-default}"

RESPONSE=$(curl -sf \
  -H "Authorization: Bearer $TG_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"surface\": \"$SURFACE\", \"action\": \"$ACTION\"}" \
  https://api.trigguardai.com/execute)

DECISION=$(echo "$RESPONSE" | jq -r '.decision')
RECEIPT_ID=$(echo "$RESPONSE" | jq -r '.receipt_id')

case "$DECISION" in
  PERMIT)
    echo "[TG] Authorized: $RECEIPT_ID"
    export TG_RECEIPT_ID="$RECEIPT_ID"
    exit 0
    ;;
  DENY)
    REASON=$(echo "$RESPONSE" | jq -r '.reason')
    echo "[TG] Blocked: $REASON" >&2
    exit 1
    ;;
  *)
    echo "[TG] Failed: $DECISION" >&2
    exit 2
    ;;
esac

Client Libraries

Official client libraries for JavaScript, Python, Go, and Ruby are planned. The patterns above represent the current recommended integration approach via REST API.