Skip to content

Commit 33c67b3

Browse files
authored
update installation (#620)
1 parent c4d5089 commit 33c67b3

2 files changed

Lines changed: 74 additions & 71 deletions

File tree

docs/agentguard-installation.md

Lines changed: 72 additions & 70 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,8 @@ This guide walks through a complete AgentGuard setup from scratch:
44

55
1. [Prerequisites](#1-prerequisites)
66
2. [Install and run Timeplus](#2-install-and-run-timeplus)
7-
3. [Create a Timeplus user for AgentGuard](#3-create-a-timeplus-user-for-agentguard)
8-
4. [Install and run AgentGuard](#4-install-and-run-agentguard)
7+
3. [Install and run AgentGuard](#3-install-and-run-agentguard)
8+
4. [First-time setup wizard](#4-first-time-setup-wizard)
99
5. [Connect OpenClaw](#5-connect-openclaw)
1010
6. [Connect Claude Code](#6-connect-claude-code)
1111
7. [Verify everything is working](#7-verify-everything-is-working)
@@ -51,32 +51,15 @@ done
5151
echo "Timeplus is ready"
5252
```
5353

54-
> **Docker Compose shortcut:** to run Timeplus and AgentGuard together in one step, skip to [section 4C](#option-c--docker-compose-recommended-for-new-installs).
54+
> **Docker Compose shortcut:** to run Timeplus and AgentGuard together in one step, skip to [Option C](#option-c--docker-compose-recommended-for-new-installs).
5555
5656
---
5757

58-
## 3. Create a Timeplus user for AgentGuard
59-
60-
AgentGuard connects to Timeplus using dedicated credentials. Skip this section if you are using the default `default` user with no password (acceptable for local dev).
61-
62-
### Via Timeplus web console
63-
64-
1. Open [http://localhost:8000](http://localhost:8000) in your browser.
65-
2. Log in with the default admin credentials (set during first-run setup).
66-
3. Navigate to **Settings → Users → Add User**.
67-
4. Create a user — for example:
68-
- **Username:** `User`
69-
- **Password:** `Password`
70-
- **Role:** Admin (AgentGuard needs DDL permissions to create streams and views on startup)
71-
5. Click **Save**.
72-
73-
---
74-
75-
## 4. Install and run AgentGuard
58+
## 3. Install and run AgentGuard
7659

7760
### Option A — Shell script installer (recommended)
7861

79-
The installer downloads the correct binary for your platform from S3, installs it to `/usr/local/bin`, and guides you through Timeplus Enterprise connection configuration interactively.
62+
The installer downloads the correct binary for your platform, installs it to `/usr/local/bin`, and writes a minimal `~/.agentguard/config.yaml` with the Timeplus host/port.
8063

8164
```bash
8265
# Install latest
@@ -88,27 +71,38 @@ curl -fsSL https://agentguard.s3.us-west-1.amazonaws.com/install.sh | sh -s -- -
8871

8972
Supported platforms: macOS (Apple Silicon / Intel), Linux (x86-64 / ARM64).
9073

91-
The script will:
92-
1. Download the correct binary and install it to `/usr/local/bin/agentguard`
93-
2. Prompt for your Timeplus Enterprise connection settings and write `~/.agentguard/config.yaml`
94-
3. Optionally set up AgentGuard as a background service (launchd on macOS, systemd on Linux)
74+
After installation, start AgentGuard:
9575

96-
After installation, start AgentGuard manually with:
9776
```bash
9877
agentguard
9978
```
10079

101-
Or use the service that was configured during installation.
80+
Open [http://localhost:8080](http://localhost:8080)the **setup wizard** appears on first launch (see [Section 4](#4-first-time-setup-wizard)).
10281

103-
Open [http://localhost:8080](http://localhost:8080).
82+
### Option B — Docker image (standalone)
10483

105-
AgentGuard creates all required Timeplus streams and materialized views on first startup. This is non-fatal — the server starts even if Timeplus is temporarily unavailable.
84+
```bash
85+
docker run -d \
86+
--name agentguard \
87+
-p 8080:8080 \
88+
-e TIMEPLUS_HOST=<timeplus-host> \
89+
-e AGENTGUARD_URL=http://<agentguard-host>:8080 \
90+
-v agentguard-data:/app/data \
91+
--restart unless-stopped \
92+
ghcr.io/timeplus-io/agentguard:latest
93+
```
94+
95+
Replace `<timeplus-host>` with the hostname or IP where Timeplus is running (use `host.docker.internal` on macOS/Windows when Timeplus runs on the host machine).
96+
97+
Replace `<agentguard-host>` with the address Timeplus will use to call back AgentGuard for alert webhooks — see [Alert UDF webhook](#alert-udf-webhook) below.
10698

107-
> **Non-interactive install:** If you pipe the script through `sh` without a terminal (e.g. in CI), configuration prompts are skipped. Edit `~/.agentguard/config.yaml` manually afterwards.
99+
The `-v agentguard-data:/app/data` volume persists the `config.yaml` written by the setup wizard across container restarts and image upgrades. Without it, setup runs again after every restart.
108100

109-
### Option B — Docker Compose (recommended for new installs)
101+
> **Credentials** are entered in the setup wizard — not via environment variables.
110102
111-
This starts Timeplus and AgentGuard together with the correct networking. Save the following as `docker-compose.yaml` and run it:
103+
### Option C — Docker Compose (recommended for new installs)
104+
105+
This starts Timeplus and AgentGuard together with the correct networking:
112106

113107
```yaml
114108
services:
@@ -134,64 +128,48 @@ services:
134128
start_period: 30s
135129

136130
agentguard:
137-
image: timeplus/agentguard:latest
131+
image: ghcr.io/timeplus-io/agentguard:latest
138132
container_name: agentguard
139133
ports:
140134
- "8080:8080"
141135
environment:
142136
TIMEPLUS_HOST: timeplus
143137
TIMEPLUS_PORT: 3218
144-
TIMEPLUS_NATIVE_PORT: 8463
145-
TIMEPLUS_USER: "proton"
146-
TIMEPLUS_PASSWORD: "timeplus@t+"
147138
SERVER_PORT: 8080
148139
# Timeplus calls this URL for alert webhooks; use the Docker service name.
149140
AGENTGUARD_URL: "http://agentguard:8080"
141+
volumes:
142+
# Persists config.yaml and custom catalog rules across restarts and image upgrades.
143+
# Mounted at /app/data only — the binary is never shadowed by the volume.
144+
- agentguard-data:/app/data
150145
depends_on:
151146
timeplus:
152147
condition: service_healthy
153148
restart: unless-stopped
154149

155150
volumes:
156151
timeplus-data:
152+
agentguard-data:
157153
```
158154
159155
```bash
160156
docker compose up -d
161157
```
162158

163-
Open [http://localhost:8080](http://localhost:8080).
159+
Open [http://localhost:8080](http://localhost:8080) — the **setup wizard** appears on first launch.
164160

165161
- AgentGuard waits for Timeplus to pass its health check before starting.
166-
- `AGENTGUARD_URL=http://agentguard:8080` ensures Timeplus Enterprise can call back AgentGuard for alert webhooks using the Docker service name.
167-
- Change `TIMEPLUS_USER` / `TIMEPLUS_PASSWORD` if you created a different user in step 3.
162+
- `AGENTGUARD_URL=http://agentguard:8080` ensures Timeplus Enterprise can call back AgentGuard using the Docker service name.
163+
- Credentials are entered in the setup wizard, not in the compose file.
168164

169-
To stop and remove volumes:
165+
To stop and remove all data (requires re-setup):
170166
```bash
171167
docker compose down -v
172168
```
173169

174-
### Option C — Docker image (standalone)
175-
176-
```bash
177-
docker run -d \
178-
--name agentguard \
179-
-p 8080:8080 \
180-
-e TIMEPLUS_HOST=<timeplus-host> \
181-
-e TIMEPLUS_USER=proton \
182-
-e TIMEPLUS_PASSWORD="timeplus@t+" \
183-
-e AGENTGUARD_URL=http://<agentguard-host>:8080 \
184-
--restart unless-stopped \
185-
timeplus/agentguard:latest
186-
```
187-
188-
Replace `<timeplus-host>` with the hostname or IP where Timeplus is running (use `host.docker.internal` on macOS/Windows when Timeplus runs on the host machine).
189-
190-
Replace `<agentguard-host>` with the address Timeplus will use to call back AgentGuard for alert webhooks — see [Alert UDF webhook](#alert-udf-webhook) below.
191-
192170
### Alert UDF webhook
193171

194-
AgentGuard creates a Timeplus Python UDF (`notify_agentguard_udf`) at startup. When a security rule fires, Timeplus calls this UDF, which HTTP-POSTs the alert back to AgentGuard at:
172+
When a security rule fires, Timeplus executes a Python UDF (`notify_agentguard_udf`) that HTTP-POSTs the alert back to AgentGuard at:
195173

196174
```
197175
<AGENTGUARD_URL>/api/alerts/webhook
@@ -208,6 +186,22 @@ This is a **Timeplus → AgentGuard** call, so `AGENTGUARD_URL` must be the addr
208186

209187
---
210188

189+
## 4. First-time setup wizard
190+
191+
On first launch, AgentGuard shows a 3-step setup wizard instead of the dashboard.
192+
193+
**Step 1 — Connection:** Enter your Timeplus host, HTTP port (3218), native TCP port (8463), and the AgentGuard URL (used for alert callbacks). Defaults are pre-filled from environment variables if set.
194+
195+
**Step 2 — Credentials:** Enter your Timeplus username and password. Click **Test Connection** to verify — the Next button is disabled until the test passes. Credentials are never stored on disk or in the config file; they live only in the server's in-memory session.
196+
197+
**Step 3 — Provision:** Click **Provision Resources** to create all required Timeplus streams, materialized views, UDFs, and seed data. Progress is streamed live in a terminal-style log. On success, you are automatically logged in and redirected to the dashboard.
198+
199+
After setup completes, `config.yaml` is written with `setup_complete: true` and the connection details (no credentials). Subsequent server restarts skip directly to the login page.
200+
201+
> **Re-running setup:** Setup runs only once. To reset, delete `config.yaml` (or remove the Docker volume) and restart the server.
202+
203+
---
204+
211205
## 5. Connect OpenClaw
212206

213207
### 5a. Install the plugin
@@ -233,8 +227,8 @@ Add the plugin to your `openclaw.json`:
233227
"stream": "agentguard_hook_events",
234228
"flushMs": 2000,
235229
"batchSize": 50,
236-
"username": "proton",
237-
"password": "timeplus@t+"
230+
"username": "default",
231+
"password": ""
238232
}
239233
}
240234
}
@@ -248,8 +242,8 @@ Or set environment variables before starting OpenClaw:
248242
export AGENTGUARD_TIMEPLUS_URL=http://localhost:3218
249243
export AGENTGUARD_DEPLOYMENT_ID=my-team
250244
export AGENTGUARD_DEPLOYMENT_NAME="My Team"
251-
export AGENTGUARD_USERNAME=proton
252-
export AGENTGUARD_PASSWORD="timeplus@t+"
245+
export AGENTGUARD_USERNAME=default
246+
export AGENTGUARD_PASSWORD=""
253247
```
254248

255249
> **Docker (OpenClaw in container, Timeplus on host):** Use `http://host.docker.internal:3218` instead of `localhost`.
@@ -320,8 +314,8 @@ export AGENTGUARD_AGENT_ID="your-hostname" # identifies this machine
320314
export AGENTGUARD_DEPLOYMENT_ID="local"
321315
export AGENTGUARD_DEPLOYMENT_NAME="Local Dev"
322316
export AGENTGUARD_TIMEPLUS_URL="http://localhost:3218"
323-
export AGENTGUARD_USERNAME="proton"
324-
export AGENTGUARD_PASSWORD="timeplus@t+"
317+
export AGENTGUARD_USERNAME="default"
318+
export AGENTGUARD_PASSWORD=""
325319
```
326320

327321
Then reload your shell:
@@ -391,7 +385,7 @@ curl -s http://localhost:3218/ping
391385

392386
```bash
393387
# Binary / local
394-
./backend/server 2>&1 | grep -E "timeplus|AgentGuard"
388+
./agentguard 2>&1 | grep -E "timeplus|AgentGuard"
395389

396390
# Docker Compose
397391
docker logs agentguard 2>&1 | grep -E "timeplus|AgentGuard"
@@ -400,9 +394,14 @@ docker logs agentguard 2>&1 | grep -E "timeplus|AgentGuard"
400394
Look for lines like:
401395
```
402396
AgentGuard starting on :8080
403-
Proton endpoint: localhost:3218 (native: 8463)
397+
Timeplus endpoint: localhost:3218 (native: 8463)
404398
AgentGuard webhook URL: http://localhost:8080
405-
timeplus: UDF notify_agentguard_udf created/updated (webhook: http://localhost:8080)
399+
Setup complete: false
400+
```
401+
402+
`Setup complete: false` means the setup wizard will run — navigate to [http://localhost:8080](http://localhost:8080) to complete it. After setup and restart:
403+
```
404+
Setup complete: true
406405
```
407406

408407
### Check Claude Code hook events are arriving
@@ -425,4 +424,7 @@ curl -s -X POST http://localhost:3218/proton/v1/query \
425424

426425
### Open the dashboard
427426

428-
Navigate to [http://localhost:8080/onboarding](http://localhost:8080/onboarding) for the guided setup wizard, or go straight to [http://localhost:8080/dashboard](http://localhost:8080/dashboard) to see live agent activity.
427+
Navigate to [http://localhost:8080](http://localhost:8080):
428+
- **First launch:** the setup wizard runs automatically
429+
- **After setup:** the login page appears; sign in with your Timeplus credentials
430+
- **After login:** you land on the dashboard; use the **Onboarding** wizard (`/onboarding`) to connect your first agent

docs/agentguard-introduction.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,13 +27,14 @@ AgentGuard sits alongside your agent fleet and continuously monitors every hook
2727

2828
| Capability | What you get |
2929
|---|---|
30+
| **Setup wizard** | One-time first-launch wizard that connects to Timeplus, provisions all resources, and logs you in |
3031
| **Live threat feed** | Instant alerts when a detection rule fires, with severity, agent identity, and the raw event payload |
3132
| **Agent fleet overview** | All active agents with event counts, session counts, token usage, and last-seen timestamps |
3233
| **Session & run traces** | Per-session waterfall view of every LLM call and tool invocation, with timing |
3334
| **Cost governance** | Daily spend trends, per-model token breakdown, configurable pricing, MTD forecast |
3435
| **Rule packs** | Install, enable/disable, and upgrade versioned detection rules without restarting |
3536
| **SQL console** | Ad-hoc streaming SQL directly against the underlying event streams |
36-
| **Onboarding wizard** | Step-by-step setup for connecting a new agent in under five minutes |
37+
| **Agent onboarding** | Step-by-step wizard for connecting a new agent in under five minutes |
3738

3839
---
3940

0 commit comments

Comments
 (0)