Vault is optional — server falls back to bcrypt (Phase 1 behaviour) when VAULT_ADDR is not set. Full coexistence: existing bcrypt credentials continue to work until rotated.

Changes:
- src/vault/VaultClient.ts — wraps node-vault KV v2; writeSecret, readSecret, verifySecret (constant-time), deleteSecret
- src/db/migrations/005_add_vault_path.sql — vault_path column on credentials
- CredentialRepository — createWithVaultPath, updateVaultPath methods
- CredentialService — routes generate/rotate through Vault when configured; bcrypt path unchanged
- OAuth2Service — verifies via Vault when vaultPath set, bcrypt otherwise
- src/app.ts — createVaultClientFromEnv() wired into service layer
- ICredentialRow — vaultPath field added
- docs/devops/environment-variables.md — VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
- docs/devops/vault-setup.md — dev quickstart, production config, migration guide
- tests: 33/33 unit tests pass (VaultClient + CredentialService Vault path)
- node-vault + @types/node-vault installed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
SentryAgent.ai AgentIdP — DevOps Documentation
Operational reference for engineers who deploy, configure, and maintain the AgentIdP infrastructure.
System Overview
SentryAgent.ai AgentIdP is a Node.js REST API backed by PostgreSQL and Redis. It runs as a single stateless application process. All state lives in PostgreSQL (durable) and Redis (ephemeral cache and rate limiting).
Stack:
- Runtime: Node.js 18+ (TypeScript, compiled to JS)
- Application: Express 4.18 on port 3000
- Database: PostgreSQL 14+ (primary data store)
- Cache: Redis 7+ (token revocation, rate limiting, monthly token counters)
Documentation
| Document | What it covers |
|---|---|
| Architecture | Components, ports, data flow, Redis key patterns |
| Environment Variables | Every env var — required, optional, format, examples |
| Database | Schema (4 tables), migrations, how to apply and verify |
| Local Development | docker-compose setup, startup, health checks |
| Security | JWT key generation and rotation, CORS, secret storage |
| Operations | Startup order, graceful shutdown, log interpretation, troubleshooting |
Quick Reference — Ports
| Service | Port |
|---|---|
| AgentIdP app | 3000 |
| PostgreSQL | 5432 |
| Redis | 6379 |
Quick Reference — npm Scripts
| Script | Purpose |
|---|---|
| `npm run dev` | Run from TypeScript source (development) |
| `npm run build` | Compile TypeScript to dist/ |
| `npm start` | Run compiled output from dist/ (production) |
| `npm run db:migrate` | Apply pending database migrations |
| `npm test` | Run all tests |
| `npm run test:unit` | Unit tests only |
Developer Documentation
For API usage (registering agents, getting tokens, calling endpoints) — see docs/developers/.