NODEGUARDER
Self-hosted fleet management for NodeGuarder agents.
--- overview -----------------------------------------------------------
The React admin UI is served via Docker (Nginx). Everything is self-hosted,
MIT / Apache 2.0 licensed, and free.
| Service | Port | Purpose |
|---|---|---|
| REST API | 3000 | Admin UI backend, agent management |
| gRPC | 50051 | Agent enrollment, heartbeat, log sync, policy pull |
| Web UI | 80 (prod) / 5173 (dev) | React admin frontend via Nginx |
| PostgreSQL | 5433 (host) / 5432 (container) | Central database |
| PgBouncer | 6432 | Connection pooling |
--- docker compose setup -------------------------------------------------
Download the portal bundle from GitHub Releases (ng-portal-bundle-x.x.x.zip) and run:
    docker load -i ng-portal-images-x.x.x.tar.gz
    cp .env.example .env   # edit .env — set DB_PASSWORD and JWT_SECRET
    docker compose up -d
Open http://localhost:5173 (dev) or http://localhost:80 (prod).
Required environment variables:
    DB_PASSWORD=change_this_to_a_secure_password
    JWT_SECRET=change_this_to_a_long_random_secret
--- agent enrollment ---------------------------------------------------
1. In the portal UI, generate an enrollment code
(Settings → Enrollment Codes → Generate Code).
2. On each developer machine, open the agent's Settings → Enterprise Management tab and enter:
   Portal gRPC URL: https://your-portal:50051
   Enrollment code: the code from step 1
3. The agent calls RegisterAgent via gRPC, receives an mTLS certificate, and transitions to enrolled mode (tray icon turns blue).
For automated deployments (MDM / Intune), place a provisioning file at %PROGRAMDATA%\NodeGuarder\provisioning.toml:
    [provisioning]
    enrollment_code = "ABC123XYZ789"
    admin_url = "https://your-portal:50051"
The agent auto-enrolls on first launch and deletes the provisioning file.
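A pre-flight check for the provisioning file before an MDM profile pushes it out, added here as an example and not part of NodeGuarder: it reads the two keys of the [provisioning] table shown above and rejects a non-https admin_url, since agent gRPC uses mutual TLS (the helper names are assumptions).

```shell
#!/bin/sh
# Added example, not part of NodeGuarder: pre-flight check for a provisioning.toml
# before an MDM profile pushes it to %PROGRAMDATA%\NodeGuarder. Only the two keys
# from the [provisioning] table shown above are checked; helper names are assumed.
set -eu

# Print the quoted string value of KEY ($2) from FILE ($1), first match only.
# A trailing CR from a CRLF file is swallowed by the ".*" after the closing quote.
toml_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Succeed only if FILE has the [provisioning] table, a non-empty enrollment_code
# and an https:// admin_url. Agent gRPC is mutual TLS, so a plain http:// URL
# is treated as a misconfiguration here.
check_provisioning() {
    file=$1
    if ! grep -q '^\[provisioning\]' "$file"; then
        echo "$file: missing [provisioning] table" >&2
        return 1
    fi
    code=$(toml_value "$file" enrollment_code)
    url=$(toml_value "$file" admin_url)
    if [ -z "$code" ]; then
        echo "$file: enrollment_code is missing or empty" >&2
        return 1
    fi
    case "$url" in
        https://*) ;;
        *)  echo "$file: admin_url must be an https:// gRPC URL, got '$url'" >&2
            return 1 ;;
    esac
}
```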
--- portal features -----------------------------------------------------
Dashboard
Agent counts, 24-hour flag stats, active policies, LLM landscape overview, recent activity feed, enrollment code generation.
Policy Engine
Create and version policies that remotely enforce:
• Action mode (enforced_redact, auto_block, etc.)
• Upstream routes with glob-pattern matching
• Bearer token, bind port, OCR toggle, detection category toggles
• Custom regex patterns and allowlists
• Target specific agent groups or hostname patterns
Agent Fleet Management
List, search, group, and revoke agents. View per-agent detail with environment reports (detected IDEs, LLM endpoints, env vars) and usage metrics.
Audit Logs
Centralized, searchable, filterable log of all detection events across the fleet. CSV export. Partitioned by date for performance.
Compliance Reports
Generate reports for EU AI Act, SOC 2, or custom frameworks. Control-level scoring with evidence. Downloadable as JSON or styled HTML.
Usage Analytics
Per-model token usage, daily trends, per-agent breakdowns, block/redact rates.
User Management
Role-based access (ADMIN, SECURITYOPS, AUDITOR). Create and manage users, reset passwords.
--- production deployment ------------------------------------------------
A docker-compose.prod.yml file is included with hardened defaults:
• Secrets via Docker secrets files (not plain env vars)
• Read-only root filesystem for the API container
• Container resource limits (API: 256M, Postgres: 512M)
• Healthchecks on all services
• Internal Docker network isolates backend services
Set up a reverse proxy (Caddy, Nginx, or Cloudflare Tunnel) in front of the web UI and API if exposing to the internet. Agent gRPC connections are secured with mutual TLS.
PostgreSQL 15+ is required. PgBouncer handles connection pooling for up to 1000 concurrent agent connections.
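The .env placeholders from the docker compose setup and the Docker secrets files of the production deployment both need strong values. This added example (not the bundle's own tooling) generates them, rejects the placeholders shipped in .env.example, and writes one file per secret. The secrets directory layout and file names are assumptions, not those of docker-compose.prod.yml.

```shell
#!/bin/sh
# Added example, not part of the NodeGuarder portal bundle. Generates the two
# required secrets, rejects the placeholders that ship in .env.example, and
# writes per-secret files for the docker-compose.prod.yml secrets: entries.
# File names under the secrets directory are assumptions, not the bundle's.
set -eu

# Print N random bytes as 2N hex characters plus a newline (no openssl needed).
gen_secret() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
}

# Succeed only if VALUE is at least 32 characters and is not a shipped placeholder
# (both .env.example values start with "change_this_to_").
check_secret() {
    value=$1
    case "$value" in
        change_this_to_*|"") return 1 ;;
    esac
    [ "${#value}" -ge 32 ]
}

# Fail if DB_PASSWORD or JWT_SECRET in FILE is missing, a placeholder, or short.
check_env_file() {
    file=$1
    for key in DB_PASSWORD JWT_SECRET; do
        value=$(sed -n "s/^${key}=//p" "$file" | head -n 1)
        if ! check_secret "$value"; then
            echo "$file: $key is missing, a placeholder, or shorter than 32 chars" >&2
            return 1
        fi
    done
}

# Write one secret per file under DIR with owner-only permissions, the form the
# production compose file expects instead of plain environment variables.
write_secret_files() {
    dir=$1
    mkdir -p "$dir"
    (
        umask 077
        gen_secret 32 > "$dir/db_password"
        gen_secret 48 > "$dir/jwt_secret"
    )
}
```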