Public documentation for governed AI labor
SDKs/Governance/Connectors
Arx / Docs / ARXsec.io POC Kit

Documentation

ARXsec.io POC Kit

Project-Agent / poc/README.md

Project-Agent repo-root poc/README.md

A self-contained ARX deployment your security team can stand up inside your sandbox in under 30 minutes. Use it to validate the platform against your real Splunk / Okta / CrowdStrike / ServiceNow before signing.

What you get

| Service | URL | Purpose | |---|---|---| | Frontend | http://localhost:3000 | Dashboard, governance, billing | | API | http://localhost:8000 | REST surface (110 paths) | | API docs | http://localhost:8000/docs | Swagger UI (dev mode only) | | Trust Center | http://localhost:3000/trust | Sub-processors, certifications, security contacts | | Mailhog | http://localhost:8025 | Captures outbound email | | Prometheus | http://localhost:9090 | Scrapes /metrics from arxsec-api | | Vault UI | http://localhost:8200 | Connector credential storage |

Pre-seeded:

  • 1 org (Acme Corp POC) on the business plan
  • 3 users: admin / deployer / auditor
  • 3 sample agents (Splunk alert triage, Okta access cert, patch verify)
  • 10 policies (deny-by-default + 9 specific rules)
  • 50 audit-log entries spread across 30 days
  • 3 approval requests in different states
  • 1 retention policy + 1 starter subscription

Prerequisites

  • Docker Desktop 4.30+ or Docker Engine 24+ with Compose v2
  • ~4 GB free RAM, ~10 GB free disk
  • Free ports: 3000, 3001, 6379, 8000, 8025, 8200, 9090, 9999, 54322
  • openssl on PATH (preinstalled on macOS / most Linux)

Quick start

``bash git clone https://github.com/GetHammerpath/Project-Agent cd Project-Agent ./poc/bootstrap.sh ``

Bootstrap is idempotent — re-runs reuse poc/.env.poc. First run pulls ~3 GB of images; subsequent runs start in <60 seconds.

When it's done you'll see:

`` ARX POC ready. UI http://localhost:3000 API http://localhost:8000 ... Login: admin poc-admin@example.com / <generated password> ``

8-minute happy path

A scripted demo path that hits the most-asked-for capabilities:

  1. Open the dashboard at http://localhost:3000 and sign in as the

admin. The overview shows 3 active agents, 50 audit entries, 3 pending/approved/expired approvals.

  1. Inspect an agent: click "Splunk alert triage". Read the declared

intent — its connector list, max actions, and signing user. This is the contract every action will be checked against.

  1. Browse audit log: filter by policy_verdict = escalate to see

the actions that hit the after-hours / MFA / production-mutation policies.

  1. Approve an approval request: from the Approvals page, walk

through the policy + risk-score reasoning, hit "Approve", confirm the immutable audit row was written.

  1. Try to tamper with the audit log in Postgres directly — the

trigger from migration 013 rejects it. (See checklist §2.)

  1. Visit /trust: certifications, sub-processors, encryption,

pen-test status — a public surface for your procurement team.

  1. Hit /health/components: per-subsystem JSON the customer's

status page can consume.

  1. Generate a SOC 2 evidence PDF from the compliance page; open

the resulting PDF.

By minute 8 the team has touched governance, audit, identity, observability, compliance — enough to fill in 80% of a SIG-Lite.

If your IAM team wants to verify user-onboarding flows specifically (email signup, SCIM, SAML JIT, magic-link invites), follow USER_ONBOARDING.md — each path is a copy-paste runbook with the relevant SIG-Lite controls called out.

Validation

Two things to give the security reviewer:

  • POC_CHECKLIST.md — every box is a clickable / runnable check.
  • sig-lite-responses.md — pre-filled SIG-Lite section-by-section.

Most "Yes" answers can be spot-checked against this stack.

Wiring up your real tools

The seeded connector configs are placeholders. Swap them for your real sandbox credentials:

```bash

Templates with field-by-field comments:

ls poc/connectors/sandbox/

splunk.yaml okta.yaml crowdstrike.yaml servicenow.yaml

Update via the API (admin token from the dashboard):

curl -X PATCH http://localhost:8000/v1/connectors/splunk \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ --data-binary "$(yq -o=json poc/connectors/sandbox/splunk.yaml)"

Or use the UI: Settings → Connectors → Splunk → Edit.

```

For tools without a public API (on-prem Splunk, on-prem ServiceNow, internal apps), the Cloud Broker ships separately — see docs/runner/install.md when available. For the POC, point at any SaaS-reachable sandbox.

Resetting

```bash

Stop containers + drop the seeded DB; keep .env.poc:

./poc/teardown.sh

Same as above, but also regenerate all secrets next bootstrap:

./poc/teardown.sh --full

Stop containers, keep DB volume (config-only re-bootstrap):

./poc/teardown.sh --keep-data ```

What this is NOT

  • Not HA. Single Postgres, single Redis, no replication.
  • Not multi-region. One stack, one host.
  • Not production-tuned. Workers prefetch=1, no autoscaling.
  • Not your production deploy. When you sign, we onboard you to the

hosted ARX (or, on Enterprise, deploy the Helm chart in your VPC).

The POC kit is for evaluation only — when you're ready, the production cutover is documented separately.

Limits & honest caveats

  • The POC bundles Supabase self-hosted services (gotrue,

postgrest) so the same code paths exercise the same auth/RLS guarantees as production. There are a small number of Supabase- specific features (Realtime, Storage) we don't bundle for the POC — they're not on the demo path.

  • The seed is deterministic. Re-bootstraps reproduce the same

agent IDs, audit IDs, etc. Useful for reproducible demos. If your team wants random data instead, edit arxsec-api/scripts/seed_poc.py.

  • First run is slow (image pulls). Plan for 10–15 minutes on

~50 Mbps; <60s on a warm cache.

  • Logs land in container stdout. Tail with

docker compose -f poc/docker-compose.poc.yml logs -f api.

Support during the POC

  • Shared Slack/Teams channel for the duration of the trial. Capped to

~14 days; SLA on responses tracked.

  • 30-min architecture call at kickoff + 30-min wrap-up. Agenda

templated in poc/architecture-call-agenda.md (created on demand).

  • Bugs / questions: open a private issue at

https://github.com/GetHammerpath/Project-Agent/issues with the poc: label or email support@arxsec.io.

File map

`` poc/ ├── README.md # this file ├── docker-compose.poc.yml # full stack ├── bootstrap.sh # idempotent setup ├── teardown.sh # clean reset ├── POC_CHECKLIST.md # 12-section verification list ├── USER_ONBOARDING.md # 4 user-onboarding flows ├── scripts/scim-demo.sh # scripted SCIM walkthrough ├── sig-lite-responses.md # pre-filled questionnaire ├── postgres/init.sql # Supabase-compat roles ├── prometheus/prometheus.yml # /metrics scrape config ├── policies/starter/ # 5 opinionated YAML policies └── connectors/sandbox/ # 4 connector config templates arxsec-api/scripts/seed_poc.py # deterministic seeder ``