Progressive Deployment
Watchlight Beacon uses a three-tier deployment model. Start with visibility into your AI infrastructure, then layer on authorization and runtime governance as your needs grow.
Tier 1: Discovery & Registry
"What agents and MCP servers are running in my environment?"
| Service | Purpose |
|---|---|
| wl-registry | Agent & MCP server catalog |
| wl-registry-frontend | Registry dashboard |
| wl-discover | Network scanner + agent detector |
| PostgreSQL | Database |
| OpenBao | Secret management |
| Caddy | TLS reverse proxy |
What you get:
- Automatic discovery of MCP servers and AI agents across your infrastructure
- Centralized registry with trust state management (unverified / trusted / quarantined / revoked)
- Docker container security metadata collection and risk signals
- Multi-tier agent framework detection (LangGraph, CrewAI, AutoGen, LangChain)
- Interactive topology visualization
Requirements: Docker Engine 24+, 2 GB RAM, port 8443
Tier 2: Authorization & Policy
"Who can do what? Enforce least-privilege policies on agent actions."
Everything from Tier 1, plus:
| Service | Purpose |
|---|---|
| wl-apdp | Cedar policy authorization engine |
| wl-apdp-frontend | Policy management dashboard |
What you get (in addition to Tier 1):
- Intent-based authorization with Cedar Policy Language
- Goal management — time-boxed, action-limited business objectives
- Delegation chains — cryptographically verifiable trust paths
- Intelligent policy selection (20-30x performance improvement)
- Observation mode (default) or enforcement mode
- Shared PostgreSQL database — agents discovered by wl-discover are immediately available for policy evaluation
Requirements: Docker Engine 24+, 4 GB RAM, ports 443 + 8443
Tier 3: Runtime Governance
"Transparently enforce policy on every API call. Agents never see raw API keys."
Everything from Tier 2, plus:
| Service | Purpose |
|---|---|
| wl-proxy | Governance proxy — policy eval + credential injection |
| wl-secrets-broker | Policy-enforced secrets management (SCT issuance) |
What you get (in addition to Tier 2):
- Transparent governance — every API call evaluated by Cedar policies before execution
- Credential injection — agents never see raw API keys; wl-secrets-broker injects credentials
- Secret Capability Tokens (SCTs) — Ed25519-signed, time-limited, single-use tokens
- Full audit trail — every secret access, API call, and policy decision logged
- Zero-configuration agent updates — change 1-2 environment variables, no code changes
Requirements: Docker Engine 24+, 8 GB RAM, ports 443 + 8443 + 9443
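The three SCT properties listed above (Ed25519-signed, time-limited, single-use) are what make credential injection safe: a token that leaks from an agent is useless once it has been redeemed or has expired, and it cannot be forged or altered without the broker's private key. The following Go program is an added illustration of that lifecycle, not code from Watchlight Beacon; the `SCTClaims` layout, the `Broker` type, the error names and the sample values (`agent-42`, `llm-provider-key`) are all constructed for this example, since the page does not document the real token format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// SCTClaims is an assumed claim layout for the example; the real SCT wire
// format is not documented on the page.
type SCTClaims struct {
	Subject  string    `json:"sub"`    // agent identity the token was issued to
	Secret   string    `json:"secret"` // name of the secret the token may redeem
	Nonce    string    `json:"nonce"`  // unique per token; key for the single-use check
	IssuedAt time.Time `json:"iat"`
	Expires  time.Time `json:"exp"`
}

// SCT is the signed envelope: JSON claims plus an Ed25519 signature over them.
type SCT struct {
	Payload   []byte
	Signature []byte
}

// Sentinel errors so callers (and the audit trail) can tell failure modes apart.
var (
	ErrBadSignature = errors.New("sct: signature does not verify")
	ErrExpired      = errors.New("sct: token expired")
	ErrWrongSecret  = errors.New("sct: token not issued for this secret")
	ErrReplayed     = errors.New("sct: token already redeemed")
)

// Broker stands in for a secrets broker: it signs tokens with its private key
// and redeems them against the public key plus an in-memory replay cache.
type Broker struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	Now  func() time.Time // injectable clock so expiry can be exercised
	mu   sync.Mutex
	used map[string]time.Time // redeemed nonce -> its expiry, for pruning
}

func NewBroker() (*Broker, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Broker{priv: priv, pub: pub, Now: time.Now, used: map[string]time.Time{}}, nil
}

// Issue mints a time-limited token bound to one subject and one named secret.
func (b *Broker) Issue(subject, secret string, ttl time.Duration) (*SCT, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	now := b.Now()
	payload, err := json.Marshal(SCTClaims{Subject: subject, Secret: secret,
		Nonce: hex.EncodeToString(nonce), IssuedAt: now, Expires: now.Add(ttl)})
	if err != nil {
		return nil, err
	}
	return &SCT{Payload: payload, Signature: ed25519.Sign(b.priv, payload)}, nil
}

// Redeem checks signature, expiry, secret binding and single-use, in that
// order; the nonce is burned only after every check passes.
func (b *Broker) Redeem(tok *SCT, wantSecret string) (*SCTClaims, error) {
	if !ed25519.Verify(b.pub, tok.Payload, tok.Signature) {
		return nil, ErrBadSignature
	}
	var c SCTClaims
	if err := json.Unmarshal(tok.Payload, &c); err != nil {
		return nil, err
	}
	now := b.Now()
	if now.After(c.Expires) {
		return nil, ErrExpired
	}
	if c.Secret != wantSecret {
		return nil, ErrWrongSecret
	}
	b.mu.Lock()
	defer b.mu.Unlock()
	if _, seen := b.used[c.Nonce]; seen {
		return nil, ErrReplayed
	}
	b.used[c.Nonce] = c.Expires
	for n, exp := range b.used { // expired nonces are rejected by the expiry check anyway
		if now.After(exp) {
			delete(b.used, n)
		}
	}
	return &c, nil
}

func main() {
	b, err := NewBroker()
	if err != nil {
		panic(err)
	}
	tok, _ := b.Issue("agent-42", "llm-provider-key", 2*time.Minute) // constructed sample
	if c, err := b.Redeem(tok, "llm-provider-key"); err == nil {
		fmt.Println("first redemption ok for", c.Subject)
	}
	_, err = b.Redeem(tok, "llm-provider-key")
	fmt.Println("second redemption:", err) // sct: token already redeemed
}
```

The replay cache here is a process-local map; a broker running as more than one replica needs the burned-nonce set in shared storage, otherwise a token can be redeemed once per replica. Pruning is safe because anything removed from the map has already passed its expiry and is rejected by the time check before the cache is consulted.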
Choosing Your Starting Point
Most organizations start with Tier 1 to gain visibility, then upgrade as their governance needs mature. Each tier builds on the previous — upgrading means running a new bootstrap script that includes all prior services.
Tier 1 (Visibility) ──────▶ Tier 2 (Authorization) ──────▶ Tier 3 (Runtime Governance)
Next Steps
- Quickstart — Deploy Tier 1 in 5 minutes
- Design Partner Setup — Full platform setup for design partners