Knowledge Base / Administrator Guide

Administrator Guide

This guide covers installation, deployment, configuration, license management, and platform administration for Donjon Platform v7.0.

Installation and Deployment

Windows Deployment

The recommended way to launch on Windows is with the PowerShell launcher or the batch file.

Option A: Batch File (simplest)

REM Navigate to the platform directory
cd C:\path\to\donjon-platform

REM Run setup (first time only)
bin\setup-windows.bat

REM Launch
bin\donjon-launcher.bat

Option B: PowerShell Launcher

# Set execution policy (first time only)
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned

# Launch
.\bin\donjon-launcher.ps1

The PowerShell launcher (donjon-launcher.ps1) performs automatic bootstrapping:

Detects Python (venv first, then system python/python3, then py -3 launcher)
Creates a virtual environment if one does not exist
Installs dependencies from requirements.txt
Creates data directories (data/results, data/evidence, data/reports, data/logs)
Sets PYTHONPATH to include lib/
Launches the platform

Linux / macOS Deployment

# Clone
git clone https://github.com/DonjonSec/donjon-platform.git
cd donjon-platform

# Setup
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Populate vulnerability intelligence
python3 bin/update-intel.py --quick     # Fast: KEV + EPSS + 14-day NVD (~2 min)
# OR full database with NVD API key (~2 hrs, 800K+ entries):
NVD_API_KEY=your-key python3 bin/update-intel.py

# Launch
python3 bin/donjon-launcher

Docker Deployment

# Build the image
docker build -t donjon:7.0 .

# Run with persistent data volume
docker run -d \
    --name donjon \
    -p 8443:8443 \
    -v donjon-data:/app/data \
    donjon:7.0

# View logs
docker logs -f donjon

Air-Gapped / USB Deployment

Donjon is designed for air-gapped environments. The platform auto-detects USB deployment mode.

Prepare on a connected machine
Clone the repository, install dependencies, and populate the vulnerability intelligence database.
Copy to USB drive
Copy the entire donjon-platform directory (including venv/ and data/vuln_db/) to a USB drive.
Run on the air-gapped machine
Plug in the USB drive and launch directly. Cloud scanning is automatically disabled. AI defaults to the template backend (no network required).
```
# Linux/macOS
python3 /media/USB_DRIVE/donjon-platform/bin/donjon-launcher

# Windows
E:\donjon-platform\bin\donjon-launcher.bat
```

Air-Gap License Activation

For paid tiers in air-gapped environments, generate the machine fingerprint on the target machine, then use the offline license activation tool on a connected machine. See Air-Gap License Activation below.

Configuration

Configuration File

The main configuration file is config/active/config.yaml.

# AI backend configuration
ai:
  provider: 'template'        # template | ollama | openai
  sanitize_external: true     # Strip IPs/hostnames for external LLMs
  ollama_url: 'http://localhost:11434'
  openai_model: 'gpt-4'

# Risk quantification
risk:
  industry: 'technology'      # Maps to IBM/Ponemon benchmarks
  monte_carlo_iterations: 10000

# Compliance frameworks to assess
compliance:
  frameworks:
    - 'NIST-800-53'
    - 'HIPAA'
    - 'PCI-DSS-v4'
    - 'ISO27001-2022'

# CI/CD security gate thresholds
cicd:
  security_gate:
    max_critical: 0
    max_high: 5

Environment Variables

Variable	Description	Default
`DONJON_HOME`	Platform root directory	Auto-detected
`PYTHONPATH`	Python module search path	Set by launcher
`NVD_API_KEY`	NVD API key for faster intel downloads	None
`OPENAI_API_KEY`	OpenAI API key for AI backend	None
`DONJON_DB_URL`	Database connection string	SQLite (local file)
`DONJON_LOG_LEVEL`	Logging level	INFO
`GITHUB_ACTIONS`	Triggers CI/CD mode when present	None
`GITLAB_CI`	Triggers CI/CD mode when present	None

Database Setup

SQLite (Default)

Donjon uses SQLite by default, with databases stored in the data/ directory. No configuration required.

data/evidence/evidence.db — Scan sessions, findings, evidence
data/vuln_db/vuln_intel.db — Vulnerability intelligence (803K+ entries)

PostgreSQL (Enterprise)

Enterprise tier supports PostgreSQL for multi-user environments:

# Set the database URL
export DONJON_DB_URL="postgresql://donjon:password@db-server:5432/donjon"

# Or in config.yaml
database:
  url: 'postgresql://donjon:password@db-server:5432/donjon'

AI Provider Configuration

Template Backend (Default)

The template backend uses pre-built analysis templates and requires no external services. It works completely offline and is the default for portable/USB deployments.

ai:
  provider: 'template'

Ollama Backend (Local LLM)

Ollama runs a local LLM. No data leaves your machine.

# Install Ollama and pull a model
ollama pull llama3

# Configure Donjon
ai:
  provider: 'ollama'
  ollama_url: 'http://localhost:11434'
  ollama_model: 'llama3'

OpenAI Backend

Uses any OpenAI-compatible API. Data sanitization automatically strips IP addresses and hostnames before sending to external APIs.

ai:
  provider: 'openai'
  sanitize_external: true  # Always enable for external APIs
  openai_model: 'gpt-4'

# Set API key via environment variable
export OPENAI_API_KEY="sk-..."

Notification Channels

Configure alert delivery channels via the API or dashboard:

Channel	Community	Pro+
Email	✓	✓
Webhook	✓	✓
Slack	—	✓
Microsoft Teams	—	✓
SMS	—	✓

License Management

Tier Overview

Tier	License Required	Key Features
Community	No (free)	7 core scanners, quick/standard depth, CSV/JSON export, template-based analysis (AI is Pro), 1 user
Pro	Yes (signed)	All scanners, all depths, all exports, unlimited AI, scheduled scans, 25 users
Enterprise	Yes (signed)	Everything in Pro + SSO, RBAC, multi-tenant, audit log export, priority support, unlimited users
Managed (MSSP/MSP)	Yes (signed)	Everything in Enterprise + client provisioning, per-client dashboards, consolidated rollup, bulk scan orchestration, cross-client reporting, usage metering API, license sub-allocation, per-client branding, scan template library, unlimited clients

Activating a License

Obtain a license file
Purchase a license at donjonsec.com. You will receive a license.json file.
Place the license file
Copy license.json to data/license.json in your platform directory.

Verify activation

Restart the platform or call the license API:

GET /api/v1/license
# Response shows tier, organization, expiry, and validation status

You can also activate via the API:

POST /api/v1/license/activate
Content-Type: application/json

{
    "license_data": { /* full license.json contents */ }
}

Machine Fingerprinting

Licenses can be bound to a specific machine via fingerprinting. The fingerprint is a SHA-256 hash combining:

MAC address (first available NIC)
Hostname
Platform identifier (OS + architecture)
Processor string
OS machine ID (Linux: /etc/machine-id; Windows: MachineGuid from registry)

Format: sha256:<64-char-hex-digest>

Fingerprint Generation

To view the fingerprint for the current machine, use the API: GET /api/v1/license (includes the current machine fingerprint in the response).

License Renewal and Transfer

Renewal: Replace data/license.json with the new file and restart the platform or call POST /api/v1/license/activate.
Transfer: Contact donjonsec.com support with your current license ID and the new machine fingerprint.

Air-Gap License Activation

Generate fingerprint on target machine
Launch Donjon and note the machine fingerprint from the license page or run the fingerprint tool.
Request license on connected machine
Submit the fingerprint to donjonsec.com for a machine-bound license.
Transfer license file
Copy the received license.json to the air-gapped machine's data/ directory via USB or approved media.
Restart Donjon
The platform verifies the license using dual ML-DSA-65 + Ed25519 signatures locally. No network call is required.

License Verification Process

When the platform loads a license file, it performs these checks in order:

Signature verification — Dual ML-DSA-65 (post-quantum) + Ed25519 (classical) signatures must both pass (v2 format). Legacy v1 uses HMAC-SHA256.
Expiry check — License must not be expired (or have no expiry for perpetual licenses).
Machine fingerprint — If the license carries a fingerprint, it must match the current machine.
Revocation check — License ID must not appear in the local data/revoked.json list.
Tier validation — The tier field must be a recognized value (community, pro, enterprise, managed).

If any check fails, the platform falls back to Community tier with a warning in the log.

User Management

Tier	Max Users	SSO	RBAC
Community	1	No	No
Pro	25	No	No
Enterprise	Unlimited	SAML/OIDC	Yes
Managed	Unlimited	SAML/OIDC	Yes

API Key Authentication

The REST API uses API key authentication. Generate and manage keys through the dashboard or configuration.

# Include the API key in requests
curl -H "X-API-Key: your-api-key" https://localhost:8443/api/v1/stats

Backup and Recovery

What to Back Up

Path	Contents	Priority
`data/evidence/`	SQLite evidence database (scans, findings)	Critical
`data/license.json`	License file	Critical
`config/active/config.yaml`	Platform configuration	High
`data/reports/`	Generated reports	Medium
`data/vuln_db/`	Vulnerability intelligence database	Low (can regenerate)

Backup Procedure

# Stop the platform before backing up the database

# Linux/macOS
tar -czf donjon-backup-$(date +%Y%m%d).tar.gz \
    data/evidence/ \
    data/license.json \
    config/active/config.yaml \
    data/reports/

# Windows (PowerShell)
Compress-Archive -Path data\evidence, data\license.json, `
    config\active\config.yaml, data\reports `
    -DestinationPath "donjon-backup-$(Get-Date -Format yyyyMMdd).zip"

Recovery

Install Donjon on the target machine
Extract the backup archive into the platform directory
Restart the platform
If the license is machine-bound, request a transfer from support

Updating the Platform

# Pull the latest version
git pull origin main

# Update dependencies
source venv/bin/activate   # or venv\Scripts\activate on Windows
pip install -r requirements.txt

# Update vulnerability intelligence
python3 bin/update-intel.py --quick

# Restart the platform
python3 bin/donjon-launcher

Back Up Before Updating

Always back up your data/ directory before updating. While updates are designed to be non-destructive, backing up ensures you can recover from any issues.