Self-host (Docker Compose)

Reference self-host of the open core. Requirements: Node.js ≥ 20 and Docker.

Start

npm install
npm run compose:up    # Postgres + API + Agents (migrations + seed automatic)
# API     → http://localhost:4000
# OpenAPI → http://localhost:4000/docs

On startup the API container runs migrate → seed (idempotent) → server. Three services come up: postgres, api, agents.

Without Docker (dev)

npm install
# start a Postgres and provision the app role (RLS):
#   psql ... -f infra/postgres/init/02-app-role.sql
npm run migration:run --workspace @vantar/api
npm run dev:api

Main environment variables

| Variable | Default (dev) | Purpose |
| --- | --- | --- |
| DATABASE_URL | postgres://vantar:vantar@postgres:5432/vantar | migrate/seed (superuser; bypasses RLS) |
| APP_DATABASE_URL | role vantar_app | runtime (non-superuser; subject to RLS) |
| JWT_PRIVATE_KEY / JWT_PUBLIC_KEY | ephemeral pair (warns) | RS256 signing; set in production |
| CORS_ORIGINS | http://localhost:3000 | origins allowlist |
| AGENTS_URL | http://agents:8000 | AI Agent Plane endpoint |
| AUTH_LOCKOUT_THRESHOLD / _BASE_MINUTES / _MAX_MINUTES | 5 / 15 / 60 | account lockout (SEC-03) |
| AI_USE_LLM | true | enable the LLM call (otherwise heuristic) |
| OLLAMA_URL / OLLAMA_MODEL | http://ollama:11434 / llama3.1 | self-host LLM provider |
| EGRESS_ALLOWLIST | | extra hosts allowed by the egress guard (IMDS always blocked) |

The LLM is optional: with no Ollama, AI review falls back to the STRIDE heuristic (labeled as such). See AI.

Production (recommendations)

  • Set persistent JWT_PRIVATE_KEY/JWT_PUBLIC_KEY (not ephemeral).
  • TLS/Ingress in front of the API; restricted CORS_ORIGINS.
  • Postgres backups + restore test; reviewed migrations (forward-only).
  • Verify the images' cosign signature and SLSA provenance.
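A pre-flight check that turns the recommendations above into rules against the environment variables from the table, as an added JavaScript example (not code from the Vantar project). It assumes the JWT keys are PEM encoded and that `metadata.google.internal` counts as an IMDS host alongside 169.254.169.254; everything else follows the table.

```javascript
// Added example (not part of the Vantar project): a pre-flight check of the
// environment variables from the table above, so a misconfigured deployment
// fails before the API starts. Variable names come from the table; the rules
// are assumptions derived from the production recommendations.
const IMDS_HOSTS = new Set(['169.254.169.254', 'metadata.google.internal']);

// Returns a list of problems; an empty list means the environment passes.
function checkProductionEnv(env) {
  const problems = [];

  // Runtime must use the non-superuser role; sharing DATABASE_URL bypasses RLS.
  if (!env.APP_DATABASE_URL) {
    problems.push('APP_DATABASE_URL is unset; runtime would use the superuser connection');
  } else if (env.DATABASE_URL) {
    const admin = new URL(env.DATABASE_URL);
    const app = new URL(env.APP_DATABASE_URL);
    if (admin.username === app.username) {
      problems.push('APP_DATABASE_URL uses the same role as DATABASE_URL (RLS bypassed)');
    }
  }

  // Persistent RS256 key pair (assumed PEM encoded) instead of the ephemeral dev pair.
  for (const name of ['JWT_PRIVATE_KEY', 'JWT_PUBLIC_KEY']) {
    if (!/-----BEGIN [A-Z ]*(PRIVATE|PUBLIC) KEY-----/.test(env[name] || '')) {
      problems.push(`${name} is not a PEM key; the API would warn and use an ephemeral pair`);
    }
  }

  // CORS allowlist: explicit https origins only, no wildcard, no localhost.
  const origins = (env.CORS_ORIGINS || '').split(',').map((o) => o.trim()).filter(Boolean);
  if (origins.length === 0 || origins.includes('*')) {
    problems.push('CORS_ORIGINS must be an explicit allowlist of origins');
  }
  for (const o of origins) {
    if (o !== '*' && (!o.startsWith('https://') || /localhost|127\.0\.0\.1/.test(o))) {
      problems.push(`CORS_ORIGINS entry not suitable for production: ${o}`);
    }
  }

  // Extra egress hosts are fine, but listing the IMDS address signals a mistake:
  // the guard blocks it regardless of the allowlist.
  const extra = (env.EGRESS_ALLOWLIST || '').split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  for (const h of extra) {
    if (IMDS_HOSTS.has(h)) problems.push(`EGRESS_ALLOWLIST lists the IMDS address ${h}`);
  }
  return problems;
}
```

Run it against `process.env` in an entrypoint and exit non-zero when the list is non-empty; the dev defaults from the table fail every rule, which is the point.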