HomeGet Started

Choose your DashClaw deployment path

Start with DashClaw-hosted Azure SaaS, or run your own control plane when you need full deployment ownership.

What this page is

A deployment guide for hosted and self-operated control planes

Hosted SaaS changes who runs the platform. Self-hosting changes where governance data and operational responsibility live. In both cases, the runtime depth you reach still depends on how your agents are integrated across evidence import, advisory governance, approval orchestration, and runtime enforcement.

Download Skill View Live Demo SDK Docs Connect your first agent Open Source Repo Check instance status

Hosted SaaS on Azure

Best for design partners and customer rollout. DashClaw operates the platform, Admin Console, billing, and support workflows while your team focuses on onboarding agents and using governed operations.

Self-host or local

Best for internal evaluation, partner pilots in customer-owned environments, or teams that want full deployment and data-plane control.

This section is the self-host path. If you want DashClaw-hosted Azure SaaS, use the operator-run onboarding and keep infrastructure inside the managed service boundary.

Governance workflow templates

Reusable operator playbooks that turn agent setup into governed, replayable workflows.

First Governed Agent

Connect one runtime, send one guarded action, and confirm decision replay is visible.

operator

Install SDK or hooks

Proof: connect surface

Send first guarded action

Proof: decision replay

Terminal Approval Channel

Enable CLI approvals so operators can approve one live action end-to-end.

operator

Install @osuite/cli

Proof: terminal approval

Approve one live action

Proof: approval event

Provision a Postgres database

Use Neon for the fastest self-serve path, or bring your own Postgres if you are mapping to Azure or another managed host.

Choose a Postgres host such as Neon, Azure Database for PostgreSQL, or your own managed cluster
Create a database for DashClaw
Copy the connection string — it should look like postgresql://user:pass@host:5432/database

You'll paste this as DATABASE_URL in the next step.

Deploy the web app

Use Vercel for the quickest self-serve route, or map the same environment variables into Azure Container Apps or another Node.js host.

Fork the source repository to your GitHub account
Deploy it to your preferred host. For the quickest path, import the fork into Vercel
Generate your secrets, then paste them into your host's environment variables:

About the API key: OSUITE_API_KEY is your bootstrap admin key — it authenticates agents and seeds your first organization. After you sign in, you can create and manage additional API keys from the dashboard at /api-keys.

Tables are created automatically on first request.

Set your admin password

No OAuth app required. Add one environment variable and you can sign in immediately.

In your deployment environment settings, add:

OSUITE_LOCAL_ADMIN_PASSWORD = your-strong-password-here

Then redeploy. Visit your app and sign in with your password on the login page.

Use a strong password. This grants full admin access. You can add OAuth later when you want to invite teammates.

Enable Live Updates (Redis)

Use Redis for cross-instance events, background coordination, and production-safe realtime delivery.

Sign up for a free account at upstash.com
Create a Redis database in the same region as your app host
Copy the REST URL and REST Token, or the raw Redis URL
Add these environment variables to your deployment:
- REALTIME_BACKEND=redis
- REDIS_URL=<redis-connection-string>
- REALTIME_ENFORCE_REDIS=true
Redeploy or restart the app to apply the changes

Upstash is a fast path, but any production Redis that exposes a standard connection string works.

Dedicated worker

For SaaS-style operations, run a separate worker process so background billing, trial, and webhook jobs are decoupled from the web process.

If you deploy outside a single all-in-one container, keep the web app focused on HTTP traffic and run the platform job worker independently.

Worker environment

OSUITE_PLATFORM_WORKER_MODE=dedicated
OSUITE_PLATFORM_JOB_BACKEND=database
OSUITE_PLATFORM_WORKER_POLL_MS=5000
npm run worker:platform

The included docker-compose.yml now runs both the web service and a dedicated worker service. In cloud environments, map this same command to a second process/container.

Connect your agents

Agents only need a base URL + API key. Once connected, they can record decisions, enforce policies, score outputs, define quality profiles, manage prompts, and track learning -- all through the SDK.

View prompt

Agent environment

OSUITE_BASE_URL=https://your-app.example.com
OSUITE_API_KEY=<your-secret-api-key>
OSUITE_AGENT_ID=my-agent

Your DashClaw app uses host-level environment variables. Your agent uses its own environment variables.

Quick integration (Node.js)

agent.js

import { OSuite } from 'osuite';

const dc = new OSuite({
  baseUrl: process.env.OSUITE_BASE_URL,
  apiKey: process.env.OSUITE_API_KEY,
  agentId: 'my-agent',
  guardMode: 'warn',
});

// Record a decision
const action = await dc.createAction({
  actionType: 'deploy',
  declaredGoal: 'Ship auth-service v2.1',
  riskScore: 40,
});

// Guard check (policy enforcement)
const decision = await dc.guard({
  actionType: 'deploy',
  content: 'Deploying to production',
  riskScore: 40,
});

// Score the output quality
await dc.scoreOutput({
  scorer_id: 'es_your_scorer',
  output: deployResult,
  action_id: action.action_id,
});

// Score against your custom quality profile
const profileScore = await dc.scoreWithProfile('sp_your_profile', {
  duration_ms: deployResult.duration,
  confidence: deployResult.confidence,
  action_id: action.action_id,
});

// Update outcome
await dc.updateOutcome(action.action_id, {
  status: 'completed',
  outputSummary: 'Deployed successfully',
});

Quick integration (Python)

agent.py

from osuite import Osuite

dc = OSuite(
    base_url=os.environ["OSUITE_BASE_URL"],
    api_key=os.environ["OSUITE_API_KEY"],
    agent_id="my-agent",
    guard_mode="warn",
)

# Record a decision
action = dc.create_action(
    action_type="deploy",
    declared_goal="Ship auth-service v2.1",
    risk_score=40,
)

# Guard check (policy enforcement)
decision = dc.guard(
    action_type="deploy",
    content="Deploying to production",
    risk_score=40,
)

# Score the output quality
dc.score_output(
    scorer_id="es_your_scorer",
    output=deploy_result,
    action_id=action["action_id"],
)

# Score against your custom quality profile
profile_score = dc.score_with_profile("sp_your_profile", {
    "duration_ms": deploy_result["duration"],
    "confidence": deploy_result["confidence"],
    "action_id": action["action_id"],
})

# Update outcome
dc.update_outcome(action["action_id"],
    status="completed",
    output_summary="Deployed successfully",
)

What you just deployed

Your DashClaw instance ships with the DashClaw control plane: policy evaluation, approvals, replay, evidence, trust, and operator workflows. The governance depth you reach still depends on how your agents are integrated at runtime.

Governance

*Decision audit trail with full action traces
*Behavior guard -- no-code policy enforcement
*Human-in-the-loop approval gates
*Prompt injection scanning

Quality & Evaluation

*5 scorer types (regex, keywords, range, custom, LLM judge)
*Batch evaluation runs across outputs
*Output quality tracking over time
*Action-linked scoring for root-cause analysis

Scoring Profiles

*User-defined weighted quality dimensions with custom scales
*3 composite methods (weighted avg, minimum, geometric mean)
*Risk templates replace hardcoded agent risk numbers
*Auto-calibration from real data (percentile analysis)

Prompt Management

*Version-controlled prompt templates
*Mustache variable rendering (server-side, no LLM)
*One-click rollback to any version
*Usage analytics per template

Observability

*Real-time SSE event stream
*Token usage and cost tracking
*Risk signal monitoring (7 signal types)
*Behavioral drift detection with z-score alerts

Compliance & Audit

*SOC 2, NIST AI RMF, EU AI Act, ISO 42001 mapping
*One-click compliance export bundles
*Evidence packaging (guard decisions + action records)
*Scheduled recurring exports on cron

Learning & Feedback

*Learning velocity -- rate of agent improvement
*6-level agent maturity model (Novice to Master)
*Per-skill learning curves
*User feedback with auto-sentiment and auto-tagging

Agent Operations

*Session handoffs with context preservation
*Inter-agent messaging and broadcasts
*Task routing with agent health monitoring
*Memory health scanning and stale fact detection

Security

*Verified agent identity (RSA signatures)
*Automatic secret redaction
*Assumption tracking and drift reports
*Content scanning for sensitive data

Platform

*Multi-tenant org isolation
*HMAC-signed webhooks
*Full activity audit log
*Docker, Azure, Vercel, or any Node.js host

All features are free, self-hosted, and work without any external AI provider. The only optional LLM feature is the llm_judge scorer type in the Evaluation Framework.

OSuite Platform Skill

Skills are an open standard for giving agents specialized capabilities. Any agent that supports the skill framework can load this skill and become a OSuite platform expert -- with knowledge of 177+ SDK methods across 29 categories.

Works with Claude Code, and the growing ecosystem of skill-compatible agents.

What it does

Instruments any agent with OSuite SDKs (Node.js or Python)
Designs guard policies for cost ceilings, risk thresholds, and action allowlists
Configures evaluation scorers to track output quality (5 built-in types)
Sets up prompt template registries with version control and rollback
Generates compliance export bundles for SOC 2, NIST AI RMF, EU AI Act
Configures behavioral drift detection with statistical baselines
Sets up learning analytics to track agent velocity and maturity
Troubleshoots 401, 403, 429, and 503 errors with guided diagnostics

What's inside

osuite-platform-intelligence/
|-- SKILL.md                          # 15 guided workflows (v2.3)
|-- scripts/
|   |-- validate-integration.mjs      # End-to-end connectivity test
|   |-- diagnose.mjs                  # 5-phase platform diagnostics
|   `-- bootstrap-agent-quick.mjs     # Agent workspace importer
`-- references/
    |-- api-surface.md                # 140+ routes, 29 categories
    |-- platform-knowledge.md         # Architecture, auth chain, ID prefixes
    `-- troubleshooting.md            # Error resolution guide

Skill workflows

The skill includes 15 guided workflows. Your agent picks the right one from the decision tree based on what you ask:

Instrument My Agent

Full SDK integration with action recording and guard checks

Configure Evaluations

5 scorer types: regex, keywords, numeric range, custom, LLM judge

Manage Prompts

Template registry with mustache variables and version history

Collect Feedback

Structured ratings with auto-sentiment and auto-tagging

Export Compliance

Multi-framework bundles with evidence packaging

Monitor Drift

Statistical baselines and z-score deviation alerts

Track Learning

Velocity scoring and 6-level maturity model

Configure Scoring

Weighted quality profiles and risk templates

Design Policies

Guard rules for cost ceilings and risk thresholds

Bootstrap Agent

Auto-discover and import existing agent workspace data

Add a Capability

Full-stack scaffold guide for adding new API routes

Generate Client

Generate a OSuite SDK in any language from OpenAPI

CLI Approval Channel

Approve and deny agent actions from the terminal with osuite approvals

Claude Code Hooks

Govern Claude Code tool calls via PreToolUse and PostToolUse lifecycle hooks

Troubleshoot

Guided error resolution for auth and rate limits

Setup

Download and extract the zip into your project's skills directory (e.g. .claude/skills/ for Claude Code)
Point your agent at the skill directory -- it activates automatically
Ask your agent anything OSuite-related and it routes to the right workflow

Download Skill~32 KB · v2.3 · includes CLI approval channel and Claude Code hooks

Alternative: Local Setup

Run locally with Docker

The installer generates secrets, writes .env.local, installs dependencies, and prints the API key your agents should use.

View prompt

Windows (PowerShell)

./install-windows.bat

Mac / Linux (bash)

bash ./install-mac.sh

When it finishes, open http://localhost:3000.

Optional: enable verified agents (one-click pairing)

If you want cryptographic identity binding, your agent generates a keypair and prints a one-click pairing URL. You approve once (or approve-all).

Agent environment (verified mode)

# Optional: sign actions with a private key
OSUITE_PRIVATE_KEY_PATH=./secrets/cinder-private.jwk

# Optional: server-side enforcement (set on the dashboard host)
ENFORCE_AGENT_SIGNATURES=true

The goal is: no manual public key uploads. Pairing registers the matching public key automatically.

Choose a runtime pathway after you deploy the control plane

Self-hosting the control plane does not choose the runtime pathway for you. Use one of these guides when you are ready to instrument a specific runtime surface.

Claude Code

Hook-based governance

OpenAI Agents SDK

Node.js SDK integration

LangGraph

Python governance node

CrewAI

@tool decorator pattern

This section is the self-host path. If you want DashClaw-hosted Azure SaaS, use the operator-run onboarding and keep infrastructure inside the managed service boundary.

Governance workflow templates

Reusable operator playbooks that turn agent setup into governed, replayable workflows.

First Governed Agent

Connect one runtime, send one guarded action, and confirm decision replay is visible.

operator

Install SDK or hooks

Proof: connect surface

Send first guarded action

Proof: decision replay

Terminal Approval Channel

Enable CLI approvals so operators can approve one live action end-to-end.

operator

Install @osuite/cli

Proof: terminal approval

Approve one live action

Proof: approval event

Provision a Postgres database

Use Neon for the fastest self-serve path, or bring your own Postgres if you are mapping to Azure or another managed host.

Choose a Postgres host such as Neon, Azure Database for PostgreSQL, or your own managed cluster
Create a database for DashClaw
Copy the connection string — it should look like postgresql://user:pass@host:5432/database

You'll paste this as DATABASE_URL in the next step.

Deploy the web app

Use Vercel for the quickest self-serve route, or map the same environment variables into Azure Container Apps or another Node.js host.

Fork the source repository to your GitHub account
Deploy it to your preferred host. For the quickest path, import the fork into Vercel
Generate your secrets, then paste them into your host's environment variables:

Tables are created automatically on first request.

Set your admin password

No OAuth app required. Add one environment variable and you can sign in immediately.

In your deployment environment settings, add:

OSUITE_LOCAL_ADMIN_PASSWORD = your-strong-password-here

Then redeploy. Visit your app and sign in with your password on the login page.

Use a strong password. This grants full admin access. You can add OAuth later when you want to invite teammates.

Enable Live Updates (Redis)

Use Redis for cross-instance events, background coordination, and production-safe realtime delivery.

Sign up for a free account at upstash.com
Create a Redis database in the same region as your app host
Copy the REST URL and REST Token, or the raw Redis URL
Add these environment variables to your deployment:
- REALTIME_BACKEND=redis
- REDIS_URL=<redis-connection-string>
- REALTIME_ENFORCE_REDIS=true
Redeploy or restart the app to apply the changes

Upstash is a fast path, but any production Redis that exposes a standard connection string works.

Dedicated worker

For SaaS-style operations, run a separate worker process so background billing, trial, and webhook jobs are decoupled from the web process.

If you deploy outside a single all-in-one container, keep the web app focused on HTTP traffic and run the platform job worker independently.

Worker environment

OSUITE_PLATFORM_WORKER_MODE=dedicated
OSUITE_PLATFORM_JOB_BACKEND=database
OSUITE_PLATFORM_WORKER_POLL_MS=5000
npm run worker:platform

The included docker-compose.yml now runs both the web service and a dedicated worker service. In cloud environments, map this same command to a second process/container.

Connect your agents

Agents only need a base URL + API key. Once connected, they can record decisions, enforce policies, score outputs, define quality profiles, manage prompts, and track learning -- all through the SDK.

View prompt

Agent environment

OSUITE_BASE_URL=https://your-app.example.com
OSUITE_API_KEY=<your-secret-api-key>
OSUITE_AGENT_ID=my-agent

Your DashClaw app uses host-level environment variables. Your agent uses its own environment variables.

Quick integration (Node.js)

agent.js

import { OSuite } from 'osuite';

const dc = new OSuite({
  baseUrl: process.env.OSUITE_BASE_URL,
  apiKey: process.env.OSUITE_API_KEY,
  agentId: 'my-agent',
  guardMode: 'warn',
});

// Record a decision
const action = await dc.createAction({
  actionType: 'deploy',
  declaredGoal: 'Ship auth-service v2.1',
  riskScore: 40,
});

// Guard check (policy enforcement)
const decision = await dc.guard({
  actionType: 'deploy',
  content: 'Deploying to production',
  riskScore: 40,
});

// Score the output quality
await dc.scoreOutput({
  scorer_id: 'es_your_scorer',
  output: deployResult,
  action_id: action.action_id,
});

// Score against your custom quality profile
const profileScore = await dc.scoreWithProfile('sp_your_profile', {
  duration_ms: deployResult.duration,
  confidence: deployResult.confidence,
  action_id: action.action_id,
});

// Update outcome
await dc.updateOutcome(action.action_id, {
  status: 'completed',
  outputSummary: 'Deployed successfully',
});

Quick integration (Python)

agent.py

from osuite import Osuite

dc = OSuite(
    base_url=os.environ["OSUITE_BASE_URL"],
    api_key=os.environ["OSUITE_API_KEY"],
    agent_id="my-agent",
    guard_mode="warn",
)

# Record a decision
action = dc.create_action(
    action_type="deploy",
    declared_goal="Ship auth-service v2.1",
    risk_score=40,
)

# Guard check (policy enforcement)
decision = dc.guard(
    action_type="deploy",
    content="Deploying to production",
    risk_score=40,
)

# Score the output quality
dc.score_output(
    scorer_id="es_your_scorer",
    output=deploy_result,
    action_id=action["action_id"],
)

# Score against your custom quality profile
profile_score = dc.score_with_profile("sp_your_profile", {
    "duration_ms": deploy_result["duration"],
    "confidence": deploy_result["confidence"],
    "action_id": action["action_id"],
})

# Update outcome
dc.update_outcome(action["action_id"],
    status="completed",
    output_summary="Deployed successfully",
)