Skip to content

Docker Compose deployment

The fastest deployment-like setup is the Compose stack in example/. This page expands on Quick start with the details you need once you are ready to run AICR long-term. For non-Compose Docker runs, see Docker deployment.

The Compose file mounts config.yaml read-only and persists three named volumes:

Volume Mount Purpose
aicr-data /app/data SQLite queue DB, run history, dashboard stats, model-catalog cache
aicr-workspaces /app/workspaces Per-workspace source/, agent/, tmp/ directories and cloned repo caches
aicr-logs /app/logs Review run logs

The service listens on port 8080 and is brought up with docker compose up -d from the example/ directory.

The stack ships a Compose health check against /healthz, the canonical liveness probe (it returns a plain-text ok):

healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/healthz"]
interval: 30s
timeout: 5s
retries: 3

Pair the health check with a restart policy so the container recovers from transient failures:

restart: unless-stopped

The split is simple: secrets live in .env, everything else lives in config.yaml.

.env holds raw secret values and is never committed:

Terminal window
# Inbound: webhook HMAC secrets (protect /webhooks/*)
AICR_WEBHOOK_SECRET=7f3a...
AICR_GITHUB_WEBHOOK_SECRET=b2c1...
# Inbound: API key (protects /triggers/* like P4/SVN)
AICR_API_KEY=c6d7e8f9...
# Outbound: AICR calls external services
AICR_LLM_API_KEY=sk-...
AICR_GITEA_TOKEN=4b5d...
AICR_FEISHU_WEBHOOK=https://open.feishu.cn/open-apis/bot/v2/hook/...
AICR_FEISHU_SECRET=3Ob2...

config.yaml holds non-secret configuration and references env var names (never values):

triggers:
- name: gitea
kind: gitea
webhook_secret_env: AICR_WEBHOOK_SECRET
llm:
providers:
- id: primary
kind: openai_compatible
api_key_env: AICR_LLM_API_KEY

See Authentication & secrets for the full three-layer model (webhook HMAC, server API key, per-workspace API key) and the dashboard’s separate admin login.

config.yaml and .env are volume-mounted into the container, not baked into the image. After editing either file, restart the container — a full image rebuild is only needed for code changes:

Terminal window
docker compose restart
Terminal window
# Liveness
curl http://localhost:8080/healthz
# Server logs
docker compose logs -f

Once the health check passes, run a dry-run review to confirm the LLM credentials, agent, and sandbox are wired up, then wire up your first webhook.