Troubleshooting
If something is wrong, start here. Each entry shows the symptom, the verbatim error you will see, and the fix.
For setup help that is not covered here, open an install problem. For unexpected runtime behavior, open a bug report.
Port already in use
Symptom: AgentOS exits immediately on startup, or docker compose up reports a bind failure.
Verbatim error:
Likely causes
- Another AgentOS process is already running (
pgrep AgentOS). - A previous
docker composestack was not torn down (docker compose ls). - A different service holds the port (
lsof -i :8080).
Fix
# Find what owns the port
lsof -i :8080
lsof -i :8081
lsof -i :8082
# Stop a stale compose stack
cd starter-kit/deploy && docker compose down
# Or run AgentOS on a different port
./bin/AgentOS --config configs/AgentOS.yaml \
--port 18080 --admin-port 18081 --metrics-port 18082
Docker daemon not running
Symptom: the starter-kit installer exits with a connection error before AgentOS ever starts.
Verbatim error:
Fix
- macOS: open Docker Desktop, wait for the whale icon to stop animating.
- Linux:
sudo systemctl start docker - Verify:
docker psshould succeed.
If you do not want Docker at all, build the binary directly:
The binary path requires neither Docker nor Postgres for the mock-provider demo.
Missing or wrong GitHub App config
Symptom: policy says allow, AgentOS tries to mint a GitHub App JWT, and the request fails after the policy check.
Verbatim errors you may see
github: app credentials not configured (set GITHUB_APP_ID, GITHUB_APP_INSTALLATION_ID, GITHUB_APP_PRIVATE_KEY_PATH)
Fix checklist
- [ ]
GITHUB_APP_IDis the numeric App ID, not the client ID. - [ ]
GITHUB_APP_INSTALLATION_IDmatches the installation that owns the target repo. - [ ]
GITHUB_APP_PRIVATE_KEY_PATHpoints at the.pemyou downloaded from the App settings. Permissions should be600. - [ ] The App has
pull_requests:write,contents:read, andmetadata:readat minimum. - [ ] The installation is on the repo or org you are targeting (re-check
https://github.com/settings/installations).
Test the credentials without going through the agent:
agentctl status # admin reachable + no chain errors
curl -s http://localhost:8081/admin/v1/providers -H "X-API-Key: $ADMIN_KEY"
Invalid policy file
Symptom: AgentOS either refuses to start or starts but every action gets the default decision (usually review or block) regardless of your rules.
Verbatim errors you may see
Fix
- Lint the YAML. Any decent editor will highlight indentation issues.
yq eval . your-config.yamlexits non-zero on malformed YAML. - Read the startup warnings. On startup AgentOS walks
tool_policies.rulesand logs[config] tool policy rule #N references unknown protocol ...for anything outsidemcp | http | shell | sql | git | *. If you see this line, that rule never matches — fix the protocol field. - Confirm the policy is the one you think.
agentctl policieslists what the running process has loaded. - Use
agentctl simulateto dry-run an envelope. Cheaper than restarting the gateway every time you tweak a rule.
agentctl simulate \
--protocol git --tool github.create_pull_request \
--target your-org/your-repo --capability write
Evidence verification confusion
Symptom: agentctl evidence verify returns valid: false, or you cannot find the session you expected.
Verbatim outputs
Healthy:
Tampered or partial:
valid: false at entry #5 (b1f0c324-…): hash chain broken — recorded prev_hash does not match previous entry
Likely causes and fixes
| Output / behavior | Cause | Fix |
|---|---|---|
session not found |
Wrong --session ID, or the session is on a different host. |
agentctl evidence sessions to list available sessions; copy the exact ID. |
valid: false at entry #N |
A row in the evidence store was edited or deleted after the fact. | Pull the immutable backup. The chain is intentionally non-repairable — that's the point. |
valid: true but exported file looks short |
You verified the live chain, but exported only the actions visible to your tenant. | Run the export as an admin token, or scope the session correctly. |
| Verify hangs | Admin API unreachable. | agentctl status first. |
Quick health check before you panic:
agentctl status --json | jq '.chain_valid' # should be true
agentctl evidence verify --session $SID # explicit per-session verify
If chain_valid: false shows up under steady-state operation with no operator changes, that is a security event. Treat it as one: snapshot the database, do not let the process keep writing, and file an install problem with the verify output.
Where to look next
- Reverse-proxy setup: docs/deploy/reverse-proxy.md
- Proof artifact / scenario walkthrough: docs/PR_WRITER.md
- Starter-kit policy packs: starter-kit/README.md
- Discussions for everything else: https://github.com/saivedant169/AgentOS/discussions