Autoconfigure Overview
How Contexa bootstraps the OSS runtime control plane through import selection, default platform configuration, and identity/core wiring.
Bootstrap Chain
The runtime bootstrap starts with @EnableAISecurity, which imports AiSecurityImportSelector. That selector imports AiSecurityConfiguration from the autoconfigure module.
Default Platform Wiring
AiSecurityConfiguration provides a default PlatformConfig through IdentityDslRegistry when the application does not define one explicitly.
Identity/Core Integration
IdentitySecurityCoreAutoConfiguration assembles the identity bootstrap, zero trust filters, audit/event wiring, and supporting infrastructure used by the OSS runtime path.
Module Auto-Configurations
The contexa-autoconfigure module registers auto-configurations through META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports. The table below lists the primary module entry points; the full import list also includes per-feature configurations such as CoreLLMTieredAutoConfiguration, CoreAdvisorAutoConfiguration, CoreRAGAutoConfiguration, CoreStreamingAutoConfiguration, the IAM XACML chain (IamXacmlPap/Pdp/Pep/Pip/PrpAutoConfiguration), the IAM Admin console configurations, and the Identity StateMachine/MFA/WebAuthn/OAuth2 configurations. AiSecurityConfiguration is not listed in the imports file — it is pulled in only when @EnableAISecurity activates AiSecurityImportSelector.
| Auto-Configuration | Package | Role |
|---|---|---|
AiSecurityConfiguration | io.contexa.autoconfigure.ai | Imported via AiSecurityImportSelector. Provides the default PlatformConfig via platformDslConfig() (@ConditionalOnMissingBean). |
IdentitySecurityCoreAutoConfiguration | io.contexa.autoconfigure.identity | Assembles the Identity DSL, zero-trust filter chain, authentication flows, and session integration. |
CoreInfrastructureAutoConfiguration | io.contexa.autoconfigure.core.infra | Provisions in-memory or distributed infrastructure beans based on contexa.infrastructure.mode (STANDALONE/DISTRIBUTED). |
CoreLLMAutoConfiguration | io.contexa.autoconfigure.core.llm | Wires DynamicModelRegistry, UnifiedLLMOrchestrator, Ollama/OpenAI/Anthropic providers, and the contexa.llm.* runtime. |
CoreHCADAutoConfiguration | io.contexa.autoconfigure.core.hcad | Configures Host & Context Anomaly Detection (HCAD) filters, baseline learning, and hot-path thresholds. |
IamInfrastructureAutoConfiguration | io.contexa.autoconfigure.iam | Registers AuthorizationManagerMethodInterceptor + ProtectableMethodAuthorizationManager for method-level enforcement. The XACML chain (PAP/PDP/PEP/PIP/PRP) lives in separate IamXacml*AutoConfiguration classes. |
IamSecurityCoreAutoConfiguration | io.contexa.autoconfigure.iam | Resolves SessionIdResolver (in-memory or Redis) and the SecuritySessionProperties bindings. |
CoreAutonomousAutoConfiguration | io.contexa.autoconfigure.core.autonomous | Starts the asynchronous event pipeline: registers SecurityEventProcessor with the ordered handler chain and SecurityPlaneAgent. Companion CoreAutonomousEventAutoConfiguration registers ColdPathEventProcessor, and CoreAutonomousStrategyAutoConfiguration wires the Layer 1/2 strategies. |
Conditional Activation
Auto-configurations are gated by @ConditionalOnProperty so that standalone and distributed topologies share the same classpath:
contexa.infrastructure.mode=standalone(default,matchIfMissing = true) — activates in-memoryZeroTrustActionRepository, in-memory cache, and local event bus.contexa.infrastructure.mode=distributed— activates Redis-backed action storage, Redis cache, and Kafka event streaming where the distributed variants are defined.contexa.enabled=false— master switch that disables the entire platform and keeps Spring Security at its baseline configuration.