Docker Compose Deployment Guide
This guide walks through deploying the AgentSuite-Blue protection stack on a single host using Docker Compose. It covers integrating the target agent through Virtue Gateway; hook-based integration is simpler and requires fewer Docker images. All services run as containers; no Kubernetes or external infrastructure is required.
Prerequisites
| Requirement | Details |
|---|---|
| Docker | Docker Engine 24+ with Docker Compose v2 |
| Python | 3.10 or higher (for running the bundled setup scripts) |
| RAM | 16 GB minimum (32 GB recommended) |
| Disk | ~20 GB free (for Docker images) |
| NVIDIA GPU | Required for Action Guard (16 GB+ VRAM). Without a GPU, set ACTION_GUARD_ENABLED=false in .env to disable the guard model. |
| Registry credentials | A GCP service-account key file provided by your Virtue AI representative |
Container Images
All images are hosted in us-docker.pkg.dev/customer-docker-virtueai/<your-tenant>/ and fall into two categories.
Protection Service
Core product images that secure agent tool calls:
| Image | Description |
|---|---|
| protection/mcp-gateway | Agent gateway API and MCP endpoint |
| protection/mcp-gateway-worker | Background task worker |
| protection/mcp-gateway-scheduler | Scheduled task runner |
| protection/action-guard | Tool-call safety evaluator |
| protection/action-guard-worker | Action Guard background worker |
| protection/action-guard-scheduler | Action Guard scheduler |
| protection/virtue-auth | Authentication and user management |
| protection/dashboard | VirtueGuard management UI |
| protection/vllm-topicguard | Local LLM server backing Action Guard (requires GPU) |
| protection/postgres | PostgreSQL for gateway and auth databases |
| protection/redis | Redis for the gateway task queue |
Test Suite Sandbox (optional)
Only required if you also start the bundled demo with --demo:
| Image | Description |
|---|---|
| test-suite/attack-manager | Test orchestrator |
| test-suite/sandbox-api | Sandbox backend APIs (Gmail, PayPal, Slack, Zoom, Calendar, …) |
| test-suite/sandbox-ui | Sandbox frontend UIs |
| test-suite/sandbox-postgres | Sandbox databases |
| test-suite/atlassian-api | Jira API backend |
| test-suite/mailpit | Email server for the Gmail sandbox |
Deployment process
Step 1: Extract the Code Bundle
Your Virtue AI representative will provide a bundle (e.g. agentsuite-docker.zip) containing the Docker Compose files, setup scripts, and example agent.
unzip agentsuite-docker.zip
cd agentsuite-docker
Step 2: Authenticate to the Image Registry
Log in to the GCP Artifact Registry using the service-account credentials provided with your bundle:
docker login -u _json_key --password-stdin https://us-docker.pkg.dev < serviceaccount.json
For details on the credential format, see the GCP Artifact Access Guide.
Step 3: Configure the Environment
Create a .env file in the project root with your model and Action Guard settings:
# Backbone model used by the demo agent
MODEL=bedrock/global.anthropic.claude-sonnet-4-6
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_REGION_NAME=us-east-1
# Set to false if no NVIDIA GPU is available
ACTION_GUARD_ENABLED=true
Step 4: Start the Stack
Run the setup script. By default it starts only the protection stack; pass --demo to additionally start the test sandbox.
# Protection stack only (gateway, auth, dashboard, DB, Redis, Action Guard)
bash setup.sh
# Protection stack + demo sandbox
bash setup.sh --demo
Under the hood the script composes two files:
- docker-compose.yml: protection stack (always started)
- docker-compose.demo.yml: test sandbox (started with --demo)
Step 5: Verify the Deployment
Once setup finishes, the dashboard is available at http://localhost:23000 with the default credentials admin / admin. The MCP gateway listens on http://localhost:22001 and the auth service on http://localhost:22002.
Check container health:
docker compose ps
All protection services should report Up (healthy).
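The health check above can be scripted so that a deployment pipeline fails when any container is not Up (healthy). The following is an added example, not part of the bundle or of setup.sh; it assumes the `Service`, `State` and `Health` fields of `docker compose ps --format json`, and the sample output and service names in it are constructed.

```python
import json
import subprocess
import sys

# Constructed sample output, not captured from a real deployment.
# Service names are assumptions derived from the image names in this guide.
SAMPLE = "\n".join([
    '{"Service": "mcp-gateway", "State": "running", "Health": "healthy"}',
    '{"Service": "action-guard", "State": "running", "Health": "starting"}',
    '{"Service": "redis", "State": "exited", "Health": ""}',
])


def parse_ps(raw: str) -> list[dict]:
    """Accept both shapes Compose v2 emits: one JSON array, or one object per line."""
    raw = raw.strip()
    if not raw:
        return []
    if raw.startswith("["):
        return json.loads(raw)
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def not_ready(raw: str) -> list[str]:
    """List every container that is not both running and healthy."""
    containers = parse_ps(raw)
    if not containers:
        return ["no containers found for this Compose project"]
    problems = []
    for c in containers:
        state, health = c.get("State", ""), c.get("Health", "")
        # An empty Health means no healthcheck result; it is flagged because
        # the guide expects every protection service to report healthy.
        if state != "running" or health != "healthy":
            name = c.get("Service") or c.get("Name") or "?"
            problems.append(f"{name}: state={state or '?'} health={health or 'none'}")
    return problems


if __name__ == "__main__":
    if "--sample" in sys.argv:
        raw = SAMPLE
    else:  # --all also lists exited containers, which plain `ps` omits
        raw = subprocess.run(["docker", "compose", "ps", "--all", "--format", "json"],
                             check=True, capture_output=True, text=True).stdout
    problems = not_ready(raw)
    print("\n".join(problems) or "all services running and healthy")
    sys.exit(1 if problems else 0)
```

Run it from the project root after setup.sh finishes; with --demo, sandbox containers that define no healthcheck will also be listed.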
Connecting Your Agent
After the gateway and guard model are running, point your agent at the gateway's MCP endpoint instead of the upstream MCP servers — see the Hook Integration docs for framework-specific examples (Google ADK, OpenAI Agents SDK, Claude Agent SDK, LangChain, Strands, Microsoft 365). The values you'll need (GATEWAY_SERVER_URL, ACCESS_TOKEN) are written to .env by setup.sh and are also visible in the dashboard under Gateways → <your gateway>.