chore(hosting): wire the agent runner sidecar into compose

[mmabrouk]

Agent-workflows: functional PR set

Sliced by functional area, final code only (no intermediate churn). Most PRs are independent off main; two pairs are stacked. This PR's base is main.

• feat(sdk): agent runtime behind backend/harness ports #4771: SDK agent runtime: ports, adapters, tools, messages protocol
  • feat(agent): agent workflow service and tool-resolution API #4772: Agent service + tool-resolution API
• feat(agent): runner wire contract and tool execution #4773: Runner wire contract + tool execution
  • feat(agent): runner engines, server, and tracing #4774: Runner engines, server, tracing
• feat(frontend): agent config playground controls #4775: Playground agent config UI
• chore(hosting): wire the agent runner sidecar into compose #4776: Hosting compose wiring <- you are here
• docs(agent): agent-workflows design and ground truth #4777: Docs: design + ground truth

Context

The agent runner needs a place to live in the dev stack. The Python service in api/ decides per run whether to call a Pi process in its own checkout or an in-network sidecar. Until now the EE dev compose had no sidecar to call. This PR adds one. It branches off main and is the only hosting change in the agent-workflows slice: the runner stack, nothing else.

What this changes

It adds an agent-pi service to hosting/docker-compose/ee/docker-compose.dev.yml. The service builds from services/agent (the sandbox-agent server runtime) and listens on port 8765.

It also wires the services container to reach the sidecar. Four env vars carry the routing and the run defaults:

• AGENTA_AGENT_PI_URL=http://agent-pi:8765 routes calls to the sidecar over the compose network.
• AGENTA_AGENT_RUNTIME picks the runtime (default rivet).
• AGENTA_AGENT_HARNESS picks the harness (default pi).
• AGENTA_AGENT_SANDBOX picks the sandbox (default local).

The agent-pi service runs with no env_file on purpose. The Pi sandbox must not inherit the stack secrets. It gets only its port, the mounted Pi login, an OTLP export fallback, and the Daytona credentials the SDK reads when the sandbox axis is daytona.

Key architectural decision to review

Confirm the in-network URL wiring lines up with the runner. The service reads AGENTA_AGENT_PI_URL to choose HTTP-to-sidecar over a local subprocess (services/oss/src/agent/app.py:63). The compose value http://agent-pi:8765 (line 398) is the Docker DNS name of the agent-pi service (line 421), so the names must stay in sync.

Confirm the two axes are independent. Harness (pi/claude) and sandbox (local/daytona) are separate choices the Python service sends per run, not a fixed pairing (line 400).

Confirm the licensing note. The comment at line 456 says we ship the snapshot builder, not the snapshot, so we never distribute a Claude-containing image. That matches the posture in services/agent/docker/README.md: Pi (MIT) is baked freely, Claude Code is installed from Anthropic at runtime and never repackaged.

How to review this PR

Read the agent-pi block top to bottom and check the four points above: the matching service name and URL, the empty env_file, the scoped Daytona credentials, and the licensing comment.

The regression to watch: a stack that does not mount the sidecar. If a deploy omits agent-pi but the services container still has AGENTA_AGENT_PI_URL set, every agent run hits an unresolved host. The URL and the service must land together or not at all.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	Jun 19, 2026 4:29pm

[coderabbitai]

📝 Walkthrough

Walkthrough

The EE dev docker-compose config removes named Next.js and Turbo cache volumes from .web, simplifies uvicorn --reload-dir args for api, collapses four workers' watchmedo watchers to a single recursive /app/ path, adds agent env vars to services, and introduces a new agent-pi sidecar service built from services/agent.

Changes

EE Dev docker-compose Updates

Layer / File(s)	Summary
Hot-reload and cache volume simplification hosting/docker-compose/ee/docker-compose.dev.yml	Removes named nextjs-ee-cache, nextjs-oss-cache, and turbo-ee-cache volume mounts from .web; updates uvicorn --reload-dir paths in api; replaces per-directory watchmedo invocations in all four worker services (worker-evaluations, worker-tracing, worker-webhooks, worker-events) with a single recursive /app/ watcher; adds nextjs_cache to named volume declarations.
agent-pi sidecar service and env wiring hosting/docker-compose/ee/docker-compose.dev.yml	Adds AGENTA_AGENT_PI_URL, AGENTA_AGENT_RUNTIME, AGENTA_AGENT_HARNESS, and AGENTA_AGENT_SANDBOX env vars with defaults to the services container. Defines a new agent-pi service (built from services/agent) with a tsx-based command, explicit env configuration (API keys, Daytona and rivet snapshot settings), mounted Pi login storage from ${HOME}/.pi/agent, and attachment to agenta-network.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: integrating the agent runner sidecar into the docker-compose configuration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The pull request description clearly describes the addition of an agent-pi service to the docker-compose configuration, matching the changeset which adds agent runner sidecar configuration.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/agent-hosting-compose

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: e6864c15-c994-4861-8084-b3f87649d438

📥 Commits

Reviewing files that changed from the base of the PR and between a97e608 and 143edd6.

📒 Files selected for processing (1)

• hosting/docker-compose/ee/docker-compose.dev.yml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Inspect worker watch directories and mounted source directories.
# Expected: worker watchmedo commands include the mounted SDK/client paths or those mounts are intentionally not hot-reloaded.

sed -n '141,264p' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 5516

---

🏁 Script executed:

# Check structure of SDK and client directories
find ../../../sdks/python -maxdepth 2 -type d 2>/dev/null | head -20
echo "---"
find ../../../clients/python -maxdepth 2 -type d 2>/dev/null | head -20

Repository: Agenta-AI/agenta

Length of output: 64

---

🏁 Script executed:

# Search for API service hot-reload configuration to understand expected pattern
rg -A 10 "watchmedo.*directory=" hosting/docker-compose/ee/ --no-heading

Repository: Agenta-AI/agenta

Length of output: 4521

---

🏁 Script executed:

# Check if there are any existing references to watching SDK/client paths
rg "sdks/python|clients/python" hosting/docker-compose/ -B 2 -A 2

Repository: Agenta-AI/agenta

Length of output: 13615

---

Add SDK and client paths to worker watchmedo scopes.

The four worker services watch only /app/, but they mount SDK and client code at /sdks/python and /clients/python. This means edits to those dependencies will not trigger restarts, unlike the API service in the same file which includes them. Align worker watchers with the OSS version and API service by adding both directories:

♻️ Proposed watcher scope fix

-            watchmedo auto-restart --directory=/app/ --pattern=*.py --recursive --ignore-patterns=*/tests/* --
+            watchmedo auto-restart --directory=/app/ --directory=/sdks/python/agenta --directory=/clients/python/agenta_client --pattern=*.py --recursive --ignore-patterns=*/tests/* --

Apply to lines 146, 183, 220, and 263 (worker-evaluations, worker-tracing, worker-webhooks, worker-events).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	watchmedo auto-restart --directory=/app/ --pattern=*.py --recursive --ignore-patterns=*/tests/* --
	watchmedo auto-restart --directory=/app/ --directory=/sdks/python/agenta --directory=/clients/python/agenta_client --pattern=*.py --recursive --ignore-patterns=*/tests/* --

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Locate sidecar URL usage to decide whether service_started is enough or a healthcheck is required.
# Expected: startup-time probes should be guarded by depends_on + healthcheck; request-time calls should handle connection failures gracefully.

rg -n -C3 'AGENTA_AGENT_PI_URL|agent-pi|8765' services api hosting/docker-compose

Repository: Agenta-AI/agenta

Length of output: 12396

---

🏁 Script executed:

# Get the full services container definition to check if depends_on already exists
head -n 470 hosting/docker-compose/ee/docker-compose.dev.yml | tail -n 100

Repository: Agenta-AI/agenta

Length of output: 5329

---

🏁 Script executed:

# Search for where AGENTA_AGENT_PI_URL is actually used in Python code
rg -t py 'AGENTA_AGENT_PI_URL' --max-count 20

Repository: Agenta-AI/agenta

Length of output: 42

---

🏁 Script executed:

# Check the agent-pi service definition (lines 421-468)
sed -n '421,468p' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 2995

---

🏁 Script executed:

# Search more broadly for AGENTA_AGENT_PI_URL usage across all file types
rg 'AGENTA_AGENT_PI_URL' --max-count 30

Repository: Agenta-AI/agenta

Length of output: 289

---

🏁 Script executed:

# Check if depends_on already exists in the services container definition
# by looking at the full services block
sed -n '370,420p' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 2411

---

🏁 Script executed:

# Search for any healthcheck definition in the agent-pi service
grep -n 'healthcheck' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 301

---

🏁 Script executed:

# Find where AGENTA_AGENT_PI_URL env var is consumed in the services application code
find services -type f -name '*.py' | xargs grep -l 'AGENTA_AGENT_PI_URL' 2>/dev/null

Repository: Agenta-AI/agenta

Length of output: 44

---

🏁 Script executed:

# Also search for 'agent_pi' or 'agent-pi' in services code
rg -t py 'agent.?pi|agent.?runner' services --max-count 20 -i

Repository: Agenta-AI/agenta

Length of output: 42

---

🏁 Script executed:

# Search more broadly for agent pi in all file types, not just Python
rg 'agent.?pi|AGENTA_AGENT_PI' services --max-count 30 -i

Repository: Agenta-AI/agenta

Length of output: 42

---

🏁 Script executed:

# Check if there's a TypeScript/JS implementation in services that uses the env var
rg 'AGENTA_AGENT_PI_URL|agent-pi:8765' services --type ts --type js --max-count 20

Repository: Agenta-AI/agenta

Length of output: 42

---

🏁 Script executed:

# Look at the services entrypoint to understand startup flow
find services -name '__main__.py' -o -name 'main.py' -o -name 'app.py' | head -5 | xargs -I {} sh -c 'echo "=== {} ===" && head -50 {}'

Repository: Agenta-AI/agenta

Length of output: 1733

---

🏁 Script executed:

# Search in the SDK code for agent-pi or AGENTA_AGENT_PI_URL usage
find services/sdk -type f \( -name '*.py' -o -name '*.ts' -o -name '*.js' \) 2>/dev/null | xargs grep -l 'AGENTA_AGENT_PI_URL\|agent.pi\|agent_pi' 2>/dev/null | head -10

Repository: Agenta-AI/agenta

Length of output: 42

---

🏁 Script executed:

# Look for any config or environment initialization that reads AGENTA_AGENT_PI_URL
rg 'getenv|environ\[' services/sdk -t py -B2 -A2 | grep -A5 -B5 'AGENT' | head -40

Repository: Agenta-AI/agenta

Length of output: 113

---

🏁 Script executed:

# Check if depends_on is present anywhere in the services block of the file
sed -n '340,420p' hosting/docker-compose/ee/docker-compose.dev.yml | grep -i 'depends_on'

Repository: Agenta-AI/agenta

Length of output: 80

---

🏁 Script executed:

# Check the full depends_on section for services to see what's listed
sed -n '340,425p' hosting/docker-compose/ee/docker-compose.dev.yml | grep -A 10 'depends_on'

Repository: Agenta-AI/agenta

Length of output: 405

---

🏁 Script executed:

# Look at the services structure more carefully - check lines before and after depends_on
sed -n '400,420p' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 1230

---

🏁 Script executed:

# Look for where agent-pi URL is actually called - check for HTTP client initialization or requests
rg -t py 'http://' services --max-count 50 | grep -i 'agent\|8765' | head -20

Repository: Agenta-AI/agenta

Length of output: 42

---

🏁 Script executed:

# Check if agent-pi has a healthcheck
sed -n '421,510p' hosting/docker-compose/ee/docker-compose.dev.yml | grep -A 5 'healthcheck'

Repository: Agenta-AI/agenta

Length of output: 231

---

🏁 Script executed:

# Verify the exact structure: does services.depends_on only have postgres, or does it have agent-pi too?
sed -n '338,408p' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 2888

---

🏁 Script executed:

# Verify the complete depends_on for the services container - look for agent-pi anywhere in it
sed -n '338,425p' hosting/docker-compose/ee/docker-compose.dev.yml | grep -A 20 'services:' | grep -A 15 'depends_on'

Repository: Agenta-AI/agenta

Length of output: 42

---

🏁 Script executed:

# Check if there's any other reference to agent-pi in the services container section
sed -n '338,425p' hosting/docker-compose/ee/docker-compose.dev.yml | grep -i 'agent.pi'

Repository: Agenta-AI/agenta

Length of output: 205

---

🏁 Script executed:

# Look at the full structure around lines 397-403 to confirm the exact context
sed -n '390,410p' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 1139

---

🏁 Script executed:

# Check if the services container itself has a healthcheck or startup probe
sed -n '338,425p' hosting/docker-compose/ee/docker-compose.dev.yml | tail -40

Repository: Agenta-AI/agenta

Length of output: 2128

---

🏁 Script executed:

# Let's look at the complete file structure around the services definition to see if there's a depends_on after the environment section
sed -n '395,425p' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 1757

---

🏁 Script executed:

# Search the entire docker-compose.dev.yml file for any reference to agent-pi in depends_on
grep -n 'agent-pi' hosting/docker-compose/ee/docker-compose.dev.yml

Repository: Agenta-AI/agenta

Length of output: 217

---

Add startup ordering for the new agent-pi sidecar dependency.

The services container references http://agent-pi:8765 via AGENTA_AGENT_PI_URL but has no depends_on entry for agent-pi. Docker Compose will not guarantee startup order, risking race conditions where the services container initializes before the sidecar is ready.

🔧 Startup-order fix

         # === NETWORK ============================================== #
         networks:
             - agenta-network
         extra_hosts:
             - "host.docker.internal:host-gateway"
+        # === ORCHESTRATION ======================================== #
+        depends_on:
+            agent-pi:
+                condition: service_started
         # === LABELS =============================================== #

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not default telemetry to a public HTTP IP.

Line 446 sends the sidecar’s fallback tracing export to http://144.76.237.122:8280 whenever AGENTA_HOST is unset. For a dev stack, that can leak local trace data/metadata to an external endpoint by default.

🛡️ Proposed safer default

-            AGENTA_HOST: ${AGENTA_HOST:-http://144.76.237.122:8280}
+            # Set AGENTA_HOST explicitly when exporting traces outside the local stack.
+            AGENTA_HOST: ${AGENTA_HOST:-}

If tracing must work out of the box, default this to an in-stack service URL instead of a public IP.

[mmabrouk]

Reviewer guide: interesting code

A dev-compose-only change. The spots worth a close look:

• hosting/docker-compose/ee/docker-compose.dev.yml:398 — AGENTA_AGENT_PI_URL: http://agent-pi:8765 wires the services container to the sidecar in-network. The host and port must match the agent-pi service name and its PORT. This is read by services/oss/src/agent/app.py.
• hosting/docker-compose/ee/docker-compose.dev.yml:402 — AGENTA_AGENT_HARNESS and AGENTA_AGENT_SANDBOX set the per-run defaults for the two independent axes (harness pi/claude, sandbox local/daytona). A request can override either. Defaults are also resolved in services/agent/src/engines/rivet.ts:679.
• hosting/docker-compose/ee/docker-compose.dev.yml:436 — "Deliberately NO env_file": the sidecar never inherits the stack secrets. It only gets its own port, the Pi login, the OTLP fallback, and the Daytona credentials. Worth confirming this scoping is intended.
• hosting/docker-compose/ee/docker-compose.dev.yml:458 — AGENTA_RIVET_DAYTONA_SNAPSHOT points at a prebaked snapshot so Daytona runs skip a slow per-invoke npm install pi. The repo ships the builder, not the snapshot, so no Claude-containing image is distributed.

[mmabrouk]

Reviewer guide: interesting code

A short tour of the parts worth a close read. All paths are in hosting/docker-compose/ee/docker-compose.dev.yml.

• hosting/docker-compose/ee/docker-compose.dev.yml:398 — the in-network wiring. AGENTA_AGENT_PI_URL: http://agent-pi:8765 is what flips the runner from a local subprocess to the sidecar (services/oss/src/agent/app.py:63). The host part must equal the service name below.
• hosting/docker-compose/ee/docker-compose.dev.yml:400 — the axes note. Harness (pi/claude) and sandbox (local/daytona) are independent choices the Python service sends per run. The defaults here are just dev defaults, not a fixed pairing.
• hosting/docker-compose/ee/docker-compose.dev.yml:421 — the agent-pi service. Note the deliberate absence of env_file: the sandbox does not inherit stack secrets. It gets its port, the mounted Pi login, an OTLP fallback, and the Daytona keys only.
• hosting/docker-compose/ee/docker-compose.dev.yml:456 — the licensing comment. We ship the snapshot builder, not a built snapshot, so we never distribute a Claude-containing image. Cross-check against services/agent/docker/README.md.

[mmabrouk]

This is the single line that routes runs to the sidecar. The runner reads AGENTA_AGENT_PI_URL and only goes over HTTP when it is set; unset means a local subprocess (services/oss/src/agent/app.py:63). The agent-pi host here must match the service name at line 421, or every run hits an unresolved host.

[mmabrouk]

The agent-pi service has no env_file by design. The sandbox must not inherit the stack secrets (Composio, Stripe, PostHog, Google). It gets only its port, the mounted Pi login, the OTLP fallback, and the Daytona keys for the daytona sandbox axis. Tools run server-side via /tools/call, so the sandbox never needs the broad secret set. Worth confirming this stays empty as the stack grows.

[mmabrouk]

Codex subagent review for #4776

Blocking finding:

• hosting/docker-compose/ee/docker-compose.dev.yml:426 / :427 adds agent-pi with build.context: ../../../services/agent and dockerfile: docker/Dockerfile.dev, but this PR is based on main and services/agent/* is not present on main. I checked the related runner PR #4778, and that is where services/agent/package.json, services/agent/src/server.ts, and services/agent/docker/Dockerfile.dev are introduced. As-is, if #4776 merges independently as advertised, ./hosting/docker-compose/run.sh --build --license ee --dev ... fails before the dev stack can start because the build context/dockerfile is missing. Please either stack/retarget this PR on the runner PR, enforce merge order by landing #4778 first, or include/gate the sidecar so the compose file remains buildable from its declared base.

Context checked:

• hosting/docker-compose/ee/docker-compose.dev.yml:398 matches the #4772 service contract: AGENTA_AGENT_PI_URL selects the HTTP sidecar transport, and http://agent-pi:8765 matches the new service name and runner server port from #4778.
• hosting/docker-compose/ee/docker-compose.dev.yml:421 keeps the sidecar outside the stack env_file, which looks like the right secret boundary. The explicit Daytona and trace envs are scoped rather than inheriting the full API/service secret set.
• Residual risk after the stack/base issue is fixed: because AGENTA_AGENT_PI_URL is unconditional, any override/profile that drops or fails agent-pi leaves services configured to call an unavailable host. A healthcheck/depends_on or tying the env var to the sidecar inclusion would make that failure mode clearer. I did not mark that separately because the sidecar is present in this file and existing review comments already called out startup ordering.

I could not submit this as REQUEST_CHANGES because GitHub rejects change requests on your own PR for the authenticated account, but I would treat the missing runner build context as blocking.

I did not run the compose stack locally; this review used GitHub PR metadata, patches, and files plus the #4779 ground-truth/stack docs and the #4772/#4778 contracts.

[mmabrouk]

Codex subagent review for #4776 follow-up

Additional review-map issue:

• The PR body stack-nav for chore(hosting): wire the agent runner sidecar into compose #4776 is stale relative to the active agent-workflows PR set. It still points reviewers to feat(agent): runner engines, server, and tracing #4774 for runner engines and docs(agent): agent-workflows design and ground truth #4777 for docs, but the current runner/docker PR is feat(agent): runner engines, HTTP server, tracing, and docker image #4778 and the current docs PR is docs(agent): agent-workflows design wiki, ground truth, and archived POCs #4779. This matters for chore(hosting): wire the agent runner sidecar into compose #4776 because the compose sidecar build depends on services/agent/docker/Dockerfile.dev and services/agent/src/server.ts from feat(agent): runner engines, HTTP server, tracing, and docker image #4778, and the read-first docs context now lives in docs(agent): agent-workflows design wiki, ground truth, and archived POCs #4779. Please update the PR body/review map to point at feat(agent): runner engines, HTTP server, tracing, and docker image #4778/docs(agent): agent-workflows design wiki, ground truth, and archived POCs #4779, or explicitly mark feat(agent): runner engines, server, and tracing #4774/docs(agent): agent-workflows design and ground truth #4777 as superseded.

I checked the compose diff itself and did not find comments that directly name #4774/#4778; the stale references are in the PR body/review guidance. This reinforces the earlier blocking finding that #4776 is not independently buildable from its declared main base unless #4778 lands first or this PR is retargeted/stacked.