Deployment

Docker Compose

AgentSec ships with Docker Compose files for both local development and production.

Local Development

No TLS and no nginx; the proxy is exposed directly on port 3100, so only use this on a workstation or a trusted network:

cp agentsec.example.yaml agentsec.yaml
cp local.env.example .env
# Edit .env with real values (see Environment Variables)
 
docker-compose -f docker-compose.yaml -f docker-compose.local.yaml up --build

Audit logs are written to ./data/audit.jsonl (local directory, not a Docker volume).

Production

Includes nginx for TLS termination on port 443:

docker-compose up --build

Services:

Service   Port              Purpose
proxy     3100 (internal)   AgentSec proxy
nginx     443 (public)      TLS termination, reverse proxy to proxy:3100

Audit logs are stored in a named Docker volume (audit-data) at /data/audit.jsonl.

TLS Setup

  1. Place your certificate and key in deploy/certs/:
     • deploy/certs/cert.pem
     • deploy/certs/key.pem
  2. Configure deploy/nginx.conf with your domain and cert paths
  3. Start with docker-compose up --build
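The server block below is an added example of what step 2 ends up looking like; it is not the deploy/nginx.conf shipped with AgentSec. The domain agentsec.example.com is a placeholder, and the certificate paths assume deploy/certs/ is mounted into the nginx container at /etc/nginx/certs/. The upstream name proxy:3100 is the Compose service from the table above.

```nginx
# Added example, not the project's own nginx.conf.
# Assumes deploy/certs/ is mounted at /etc/nginx/certs/ in the nginx container.
server {
    listen 443 ssl;
    server_name agentsec.example.com;          # placeholder, use your domain

    ssl_certificate     /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;

    # Only modern protocol versions; let the client pick from the default ciphers.
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers and agents to keep using TLS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://proxy:3100;          # the Compose service "proxy"
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain HTTP never reaches the proxy: it only redirects to HTTPS.
server {
    listen 80;
    server_name agentsec.example.com;
    return 301 https://$host$request_uri;
}
```

Before starting, confirm the key matches the certificate with `openssl x509 -in deploy/certs/cert.pem -noout -modulus` and `openssl rsa -in deploy/certs/key.pem -noout -modulus` (the two digests must be identical), and check the expiry with `openssl x509 -in deploy/certs/cert.pem -noout -enddate`. Keep key.pem readable only by the user that starts Compose.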

Generating Secrets

# Encryption key (used as the HMAC-SHA256 key for agent auth)
openssl rand -hex 32
 
# Agent API keys (one per agent)
openssl rand -hex 32

All keys are 64 hex characters (32 bytes). Store them in .env (keep that file out of version control and readable only by the deploying user) or pass them via docker-compose --env-file.
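The script below is an added example, not part of AgentSec, that automates the two commands above: it generates one encryption key and one API key per agent, refuses anything that is not exactly 64 lowercase hex characters, rejects duplicate keys (the checklist's "unique API key per agent" item), and writes the result to an .env file that only the owner can read. The variable names AGENTSEC_ENCRYPTION_KEY and AGENTSEC_AGENT_KEY_<NAME> are assumptions; substitute the names from the Environment Variables page.

```shell
#!/bin/sh
# Added example: generate and validate AgentSec secrets, then write them to .env.
# Not part of the AgentSec project. The variable names AGENTSEC_ENCRYPTION_KEY
# and AGENTSEC_AGENT_KEY_<NAME> are assumptions; see the Environment Variables page.
set -eu

# 32 random bytes as 64 lowercase hex characters. Prefers openssl (as in the
# docs) and falls back to /dev/urandom on hosts without it.
gen_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
        echo
    fi
}

# Returns 0 only for exactly 64 lowercase hex characters, the format every
# AgentSec key must have.
is_valid_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Returns 0 if no two arguments are equal (one distinct key per agent).
all_unique() {
    printf '%s\n' "$@" | sort | uniq -d | grep -q . && return 1
    return 0
}

# Write an owner-only .env file. Args: path to .env, then one agent name each.
# Agent names are upper-cased and '-' becomes '_' to form the variable suffix.
write_env() {
    envfile=$1; shift
    enc=$(gen_key)
    is_valid_key "$enc" || { echo "bad encryption key" >&2; return 1; }
    umask 077
    {
        echo "AGENTSEC_ENCRYPTION_KEY=$enc"
        for agent in "$@"; do
            k=$(gen_key)
            is_valid_key "$k" || { echo "bad agent key" >&2; return 1; }
            name=$(printf '%s' "$agent" | tr 'a-z-' 'A-Z_')
            echo "AGENTSEC_AGENT_KEY_${name}=$k"
        done
    } > "$envfile"
    # Re-read the file and refuse to proceed if any two keys collide.
    all_unique $(cut -d= -f2 "$envfile")
}

# Usage: write_env .env agent-one agent-two
```

Run `write_env .env <agent> ...` once per deployment; re-running it rotates every key at once, so restart the proxy and redistribute the agent keys afterwards.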

Health Check

The proxy exposes GET /health (no auth required). Docker Compose is configured to check it every 30 seconds with 3 retries:

curl http://localhost:3100/health

Building from Source

cargo build --release
# Binary at target/release/agentsec-proxy
# CLI at target/release/agentsec

Set environment variables directly (see Environment Variables) and run:

./target/release/agentsec-proxy

Production Checklist

  • TLS enabled (never expose the proxy without encryption)
  • Strong encryption key (openssl rand -hex 32, not the example value)
  • Unique API key per agent (not shared between agents)
  • Telegram bot token not shared with other services
  • Audit log on persistent storage (Docker volume or mounted directory)
  • auto_approve policies reviewed (start restrictive, loosen as needed)
  • Rate limits configured for high-volume agents
  • allowed_approvers set for sensitive credentials