Governance Deployment
Deploy the Runtime Governance tier to add transparent policy enforcement and credential injection.
Prerequisites
- Docker Engine 24+ with Compose v2
- 8 GB RAM available for containers
- Ports available: 443 (Policy Manager), 8443 (Registry), 9443 (Governance Proxy)
- GHCR access token (provided by Watchlight AI)
Install
```bash
cd deploy/tier3-runtime-governance/docker-compose
./bootstrap.sh
```
The bootstrap script will prompt for your OpenAI and Anthropic API keys. These are stored in OpenBao — agents never see them.
Access
| Endpoint | Purpose |
|---|---|
| https://localhost | Policy Manager Dashboard |
| https://localhost:8443 | Registry Dashboard |
| https://localhost:9443 | Governance Proxy |
Examples
Three compose files showing the governance progression:
```bash
cd examples
# 1. Standalone: agent calls OpenAI directly (own API key)
docker compose up
# 2. Governed: agent through proxy (own key, policy logged)
docker compose -f docker-compose.governed.yml up
# 3. Secrets-managed: agent has NO key (wl-secrets-broker injects)
docker compose -f docker-compose.secrets-managed.yml up
```
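A check for the third example's claim that the agent holds no key, added here and not part of the project's own tooling: it reports provider key variables set in the environment of a running service's containers. It assumes a key given to the agent would appear under the SDK-default names `OPENAI_API_KEY` / `ANTHROPIC_API_KEY`; the service name you pass (`agent` in the comment) is hypothetical.

```bash
#!/bin/sh
# Added example, not part of the Watchlight tooling.
# Assumption: a key handed to the agent would appear in its environment under
# the SDK-default names OPENAI_API_KEY / ANTHROPIC_API_KEY.

# Read KEY=VALUE lines on stdin; print the names of provider key variables
# that carry a non-empty value.
find_key_vars() {
  awk -F= '$1 ~ /^(OPENAI|ANTHROPIC)_API_KEY$/ &&
           length(substr($0, length($1) + 2)) > 0 { print $1 }'
}

# audit_service COMPOSE_FILE SERVICE
# Returns 0 if no running container of SERVICE holds a key, 1 if one does,
# 2 if the service has no running container.
audit_service() {
  cids=$(docker compose -f "$1" ps -q "$2") || return 2
  [ -n "$cids" ] || { echo "no running container for service $2" >&2; return 2; }
  rc=0
  for cid in $cids; do
    found=$(docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' "$cid" | find_key_vars)
    if [ -n "$found" ]; then
      echo "FAIL $cid: $(echo $found)"   # names only, never the values
      rc=1
    else
      echo "ok   $cid: no provider key in environment"
    fi
  done
  return $rc
}

# Constructed sample of `docker inspect` env output (values are not real keys).
sample_env() {
  printf '%s\n' 'PATH=/usr/local/bin:/usr/bin' \
    'OPENAI_API_KEY=sk-constructed-not-a-real-key' \
    'ANTHROPIC_API_KEY=' \
    'OPENAI_API_KEY_FILE=/run/constructed'
}

if [ "$#" -eq 2 ]; then
  audit_service "$1" "$2"   # e.g. docker-compose.secrets-managed.yml agent
else
  echo "sample flags: $(sample_env | find_key_vars)"
fi
```

A clean result covers the container environment only; keys mounted as files or baked into the image are outside its scope.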
Dashboard Authentication
Both dashboards start without authentication by default. See Authentication for OIDC and LDAP configuration.
Commands
```bash
# Re-run bootstrap
./docker-compose/bootstrap.sh
# View logs
docker compose -f docker-compose/docker-compose.yml logs -f
# Stop
docker compose -f docker-compose/docker-compose.yml down
# Full reset
./docker-compose/bootstrap.sh --reset
```