Operations Runbook
This runbook covers the free, local-first operating path first. Optional production components are documented separately and should only be enabled when a user chooses to run them.
Local Operating Mode
Start the local demo:
Start from source with the mock provider:
Verify health:
Verify a mock chat request:
Cost-Free Defaults
The default local path uses:
- mock provider
- YAML policies
- in-memory rate limiting
- local audit/evidence chain
- Prometheus metrics on the admin port
- Docker Compose for local services
Real providers, hosted tracing, Redis, PostgreSQL, Kubernetes, and external policy engines are optional.
Metrics
Prometheus metrics are available on the admin port:
Recommended local checks:
AgentOS_requests_totalAgentOS_request_duration_seconds
See OBSERVABILITY.md for the included Prometheus scrape config and Grafana dashboard JSON.
Audit And Evidence
Verify the audit chain:
List evidence sessions:
Export a session:
./bin/agentctl evidence export <session-id> --file evidence.json
./bin/agentctl evidence report <session-id> --file evidence.md
Built-In Snapshot Backups
When resilience.enabled is true, the admin API can create and list local JSON snapshots. This is useful for lightweight local state capture.
Enable resilience with a config such as configs/resilience-example.yaml, then create a snapshot:
List snapshots:
Snapshots are stored under the configured resilience.backup_dir.
PostgreSQL Backup
PostgreSQL is optional. Use it when audit, evidence, and usage records need to survive restarts.
Create a dump from the Docker Compose database:
docker compose -f deployments/docker-compose.yaml exec postgres \
pg_dump -U AgentOS -d AgentOS -Fc -f /tmp/AgentOS.dump
docker compose -f deployments/docker-compose.yaml cp \
postgres:/tmp/AgentOS.dump ./AgentOS.dump
Restore into a fresh local database:
docker compose -f deployments/docker-compose.yaml cp \
./AgentOS.dump postgres:/tmp/AgentOS.dump
docker compose -f deployments/docker-compose.yaml exec postgres \
pg_restore -U AgentOS -d AgentOS --clean --if-exists /tmp/AgentOS.dump
After restore:
Incident Response
If a policy allows something unexpected:
- Stop the local stack or remove gateway ingress.
- Export audit and evidence records.
- Verify the audit/evidence chain.
- Tighten the relevant YAML policy.
- Add or update a regression example.
- Restart with the updated config and replay the blocked request.
Upgrade Checks
Before upgrading:
make fmt-check
go test ./... -race -count=1
go run golang.org/x/vuln/cmd/govulncheck@latest ./...
bash scripts/compose_smoke.sh
After upgrading: