Design Partner Setup

Get the full Watchlight Beacon platform running in under 10 minutes.

Register as a Design Partner

You must be a registered design partner to access Watchlight Beacon. Apply for the Early Preview Program to get started.

Prerequisites

Requirement | Details
Design Partner registration | Register for the Early Preview
Docker Engine 24+ | Install Docker
Docker Compose v2 | Included with Docker Desktop; or install separately
4 GB RAM minimum | 8 GB recommended for production-like evaluation
GHCR access token | GitHub Personal Access Token — provided after registration
License key (optional) | JWT license file — provided after registration

Step 1: Get Your Credentials

Once accepted into the Early Preview Program, your Watchlight AI contact will provide:

  1. A GitHub Personal Access Token (classic PAT) with read:packages scope
  2. A license key (JWT file) — optional for evaluation; services run in read-only mode without it

Step 2: Install

cd design-partner/

# Place your license file (optional)
cp /path/to/license.jwt ./license.jwt

# Run the bootstrap script
./bootstrap.sh

The bootstrap script will interactively prompt for configuration, then:

  1. Validate prerequisites (Docker version, Compose)
  2. Authenticate to GHCR and pull all container images
  3. Generate secrets in memory (database password, vault token, admin key, session secret)
  4. Start infrastructure (OpenBao for secret management, PostgreSQL)
  5. Store secrets in OpenBao's KV engine (never written to disk)
  6. Start all Beacon services (registry, authorization, discovery, frontends)
  7. Seed a sample Cedar policy
  8. Register a discovery scanner
  9. Start the discovery daemon
  10. Configure Caddy TLS reverse proxy
  11. Verify all 8 containers are healthy

Configuration Prompts

Prompt | Default | Description
Domain | localhost | Set to a real domain for Let's Encrypt auto-TLS
Image version | 0.3.0-preview | Docker image tag to pull
Log level | info | debug, info, warn, error
Agent registration mode | open | open, token_required, disabled
HTTPS port | 443 | HTTPS port for Caddy
HTTP port | 80 | HTTP port (redirects to HTTPS)
License file path | ./license.jwt | Path to your license JWT

TLS Options

Mode | Configuration
Self-signed (default) | Leave domain as localhost. Caddy generates self-signed certs.
Let's Encrypt | Set domain to beacon.yourcompany.com and ensure ports 443/80 are publicly accessible.

Self-signed certs: The bootstrap exports a CA certificate to ./beacon-ca.crt and prints instructions to trust it in your OS keychain.

Non-Interactive Mode

export BEACON_DOMAIN=localhost
export VERSION=0.3.0-preview
export GHCR_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
./bootstrap.sh

Step 3: Verify

Health check

curl -k https://localhost/health

Expected response: healthy

Access dashboards

URL | Description
https://localhost | Policy Manager (WL-APDP Dashboard)
https://localhost:8443 | AI Agent and MCP Registry Dashboard
https://localhost:8443/topology | Interactive Topology Graph
https://localhost:8443/api/v1/servers | Registry API (JSON)

Register a test agent

curl -k -X POST https://localhost:8443/api/v1/agents/register \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "test-agent",
    "agent_type": "autonomous",
    "description": "Test agent for verification"
  }'

You should receive a JSON response with the agent's id, api_key, and trust_state: "unverified".

What's Running

Service | Container | Description
Caddy | beacon-caddy | TLS reverse proxy (ports 443/80, 8443)
WL-Registry | beacon-registry | MCP server and AI agent registry API
WL-Registry Frontend | beacon-registry-frontend | Registry dashboard SPA
WL-APDP | beacon-apdp | Cedar-based authorization engine
WL-APDP Frontend | beacon-apdp-frontend | Policy management dashboard SPA
WL-Discover | beacon-discover | Background discovery daemon
OpenBao | beacon-openbao | Runtime secret management (in-memory)
PostgreSQL | beacon-postgres | Database

Common Operations

# View logs (all services)
docker compose -f docker-compose.yml logs -f

# View logs for a specific service
docker compose -f docker-compose.yml logs -f wl-registry

# Stop all services (preserves data)
docker compose -f docker-compose.yml down

# Restart after reboot
docker compose -f docker-compose.yml up -d

# Full reset (destroys all data)
./bootstrap.sh --reset

Upgrading

When Watchlight AI releases a new version:

  1. Stop the current deployment: docker compose -f docker-compose.yml down
  2. Re-run bootstrap with the new version: VERSION=0.3.0-preview ./bootstrap.sh

Note: Upgrading regenerates secrets and re-bootstraps the environment. Export any policies or agent configurations you want to keep before upgrading.

Uninstalling

# Stop and remove all containers, volumes, and networks
./bootstrap.sh --reset

# Or manually:
docker compose -f docker-compose.yml down -v

# Remove container images
docker rmi $(docker images "ghcr.io/watchlight-ai-beacon/*" -q) 2>/dev/null

Security Notes

  • Secrets: All secrets are generated at install time and stored exclusively in OpenBao (in-memory). Never written to disk.
  • GHCR token: Used only during image pull, then cleared from the environment.
  • TLS: All external traffic encrypted via Caddy. Internal service-to-service communication uses the Docker bridge network.
  • Non-root containers: All application containers run as non-root users.
  • Network isolation: Backend services (PostgreSQL, OpenBao) are on an internal-only Docker network.
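
The non-root and network-isolation notes above can be checked against a running deployment. The following is an added example, not part of the Beacon distribution: it audits `docker inspect` and `docker network inspect` JSON. The container names come from the table above; the grouping into application and backend containers and the network name `beacon-internal` are assumptions.

```python
import json

# Assumption: "application containers" = the five Beacon services below;
# "backend" = PostgreSQL and OpenBao (container names are from the page).
APP = {"beacon-registry", "beacon-registry-frontend", "beacon-apdp",
       "beacon-apdp-frontend", "beacon-discover"}
BACKEND = {"beacon-postgres", "beacon-openbao"}

def audit(containers, networks):
    """Check `docker inspect` / `docker network inspect` JSON against the notes."""
    internal = {n["Name"]: bool(n.get("Internal")) for n in networks}
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        # Config.User is "uid[:gid]"; empty means the image default, i.e. root.
        user = (c.get("Config", {}).get("User") or "").split(":")[0]
        if name in APP and user in ("", "0", "root"):
            findings.append(f"{name}: runs as root")
        if name in BACKEND:
            bindings = c.get("HostConfig", {}).get("PortBindings") or {}
            for port in sorted(p for p, b in bindings.items() if b):
                findings.append(f"{name}: publishes {port} on the host")
            nets = c.get("NetworkSettings", {}).get("Networks") or {}
            for net in sorted(nets):
                if not internal.get(net, False):
                    findings.append(f"{name}: on non-internal network {net}")
    return findings

# Constructed sample, not output from a real install; two entries deviate on
# purpose so each check fires. "beacon-internal" is a hypothetical network name.
SAMPLE_CONTAINERS = json.loads("""[
 {"Name": "/beacon-registry", "Config": {"User": "10001:10001"},
  "HostConfig": {"PortBindings": {}},
  "NetworkSettings": {"Networks": {"beacon-partner": {}}}},
 {"Name": "/beacon-apdp", "Config": {"User": ""},
  "HostConfig": {"PortBindings": {}},
  "NetworkSettings": {"Networks": {"beacon-partner": {}}}},
 {"Name": "/beacon-postgres", "Config": {"User": ""},
  "HostConfig": {"PortBindings": {"5432/tcp": [{"HostIp": "", "HostPort": "5432"}]}},
  "NetworkSettings": {"Networks": {"beacon-internal": {}, "beacon-partner": {}}}}
]""")
SAMPLE_NETWORKS = json.loads("""[
 {"Name": "beacon-internal", "Internal": true},
 {"Name": "beacon-partner", "Internal": false}
]""")

if __name__ == "__main__":
    for line in audit(SAMPLE_CONTAINERS, SAMPLE_NETWORKS):
        print(line)
```

For a live check, load the output of `docker inspect $(docker ps -q)` and `docker network inspect $(docker network ls -q)` with `json.load` and pass both lists to `audit`; an empty result means no deviation was found.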

Troubleshooting

Issue | Solution
docker login returns unauthorized | Verify your GHCR token has read:packages scope
Port conflict (443/80) | Set custom ports during bootstrap prompts
License expired | Contact sales@watchlight.ai for renewal
Services won't start | Check logs: docker compose -f docker-compose.yml logs
Browser certificate warning | Trust the CA cert (see bootstrap output) or use curl -k
wl-discover not finding servers | Check that targets are on the beacon-partner Docker network
Database connection errors | Verify PostgreSQL: docker inspect beacon-postgres --format='{{.State.Health.Status}}'
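
To tell whether the "License expired" case applies before contacting support, the license JWT's payload can be read locally. This is an added example, not Watchlight tooling: it decodes the payload without verifying the signature and assumes the license carries the standard `exp` claim (RFC 7519), which the page does not confirm. The sample token is constructed.

```python
import base64
import json
import time

def license_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def seconds_until_expiry(token, now=None):
    """Seconds until `exp` (negative once expired); None if there is no `exp`."""
    exp = license_claims(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return None
    return exp - (time.time() if now is None else now)

def b64url(obj):
    """Helper used only to build the constructed sample token below."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample: claim names and values are illustrative, and the third
# part is a placeholder, not a real signature.
SAMPLE_EXP = 1767225600
SAMPLE_LICENSE = ".".join([
    b64url({"alg": "EdDSA", "typ": "JWT"}),
    b64url({"sub": "constructed-partner", "exp": SAMPLE_EXP}),
    "c2ln",
])

if __name__ == "__main__":
    left = seconds_until_expiry(SAMPLE_LICENSE)
    print("no exp claim" if left is None else f"{left:.0f} seconds until expiry")
```

To inspect a real file, pass `open("license.jwt").read()` to `seconds_until_expiry`.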

Support