Deployment
Self-hosting is the shipping deployment path today — you run the relay and control plane on your own infrastructure via Docker, Kubernetes, or a manual install, fully functional and free. A managed cloud service (grpc.cmdop.com) is planned, not yet available: there is no central provisioning or billing backend yet.
CMDOP follows a two-plane model: a self-hosted open-source edition you run yourself (shipping today), and a managed cloud edition we run for you (planned). See Pricing & editions for the full breakdown.
The managed cloud service at grpc.cmdop.com is planned, not live. There is no central provisioning or billing backend yet, so there is nothing to sign up for today. To run CMDOP right now, self-host it for free.
What deployment options are available?
| Option | Status | Best For |
|---|---|---|
| Self-Hosted | Shipping today | Full control, on-premise, air-gapped |
| Docker | Shipping today | The recommended self-host path |
| Kubernetes | Shipping today | Scale, high availability |
| Managed cloud | Planned — not yet available | Zero-setup operation (future) |
How do I self-host CMDOP?
Self-hosting is the real, shipping product. You run the open-source server stack on your own infrastructure:
- Docker — Docker Compose (the recommended path)
- Self-Hosted Guide — the open-source stack, env-var config, TLS at your proxy
- Kubernetes — cluster deployment for scale
What you get:
- Data stays on your infrastructure
- Custom network configuration
- No external dependencies — run it air-gapped if you want
- Full control, no enforced caps
What about the managed cloud?
The managed cloud (grpc.cmdop.com, zero-setup) is on the roadmap, not yet available. When it launches, agents and clients will be able to connect to a relay we run instead of one you run yourself. The central provisioning and billing backend that this depends on is not built yet — there is no purchase date to give. Until then, self-host for free. See Pricing & editions.
What are the system requirements?
What does a single-node deployment need?
A single box (≤ ~50 agents) runs the whole stack comfortably on:
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4+ cores |
| Memory | 4 GB | 8+ GB |
| Disk | 20 GB | 50+ GB |
| Network | 100 Mbps | 1 Gbps |
What database is required?
PostgreSQL 16 (the OSS Compose ships postgres:16-alpine). At scale, move to managed Postgres (RDS / Cloud SQL / Aiven) with connection pooling.
What Redis version is needed?
Redis 7 (the OSS Compose ships redis:7-alpine) for the token cache, brute-force counters, the arq queue, the tunnel registry, and PTY output buffers.
What is the deployment architecture?
The open-source server is a multi-process Python stack sharing one Postgres and one Redis, not a single binary:
- grpc_server (:50051) — the live relay: the bidi agent stream that routes terminal I/O.
- api_server (:8000) — the REST control plane: auth, fleets, members, schedules, tunnels, API keys, session metadata.
- worker — the async queue for cleanup crons and the schedule executor.
- Postgres + Redis — shared state. The agent stream never blocks on Redis.
(A tunnel_server, a ws_gateway for browser realtime push, and an optional jarvis_server round out the full product.)
What ports does CMDOP use?
| Port | Protocol | Purpose |
|---|---|---|
| 8000 | HTTP | REST control plane (api_server) — front with a TLS proxy in production |
| 50051 | gRPC (h2c) | Agent connections (grpc_server) — front with a TLS proxy in production |
How is the deployment secured?
How is TLS configured?
The open-source Compose ships plain HTTP / h2c by design. You terminate TLS at a reverse proxy in front of the stack (Caddy, Traefik, or Nginx): gRPC reaches grpc_server over h2c:// on the upstream while the proxy handles the public TLS. Mutual TLS between relay and agent is not built in. See the self-hosted guide for the Traefik file-provider example.
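An added check, not part of the CMDOP project or its guide: because the stack speaks plain HTTP and h2c, ports 8000 and 50051 should be reachable only through the TLS proxy. The script below takes Compose short-syntax port mappings and reports any that publish those ports on a non-loopback address; the service layout, the proxy service and the addresses are assumptions.

```python
import ipaddress

# Plaintext listeners from the ports table: both expect a TLS proxy in front.
PLAINTEXT_PORTS = (8000, 50051)

def parse_mapping(spec):
    """Split a Compose short-syntax port string into (host_ip, container_ports)."""
    spec = str(spec).split("/")[0]            # drop a "/tcp" or "/udp" suffix
    host_ip = ""
    if spec.startswith("["):                  # bracketed IPv6 host address
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) == 3:                       # ip:host_port:container_port
        host_ip = parts[0]
    lo, _, hi = parts[-1].partition("-")      # container side may be a range
    return host_ip, range(int(lo), int(hi or lo) + 1)

def audit(services):
    """Return (service, port, bind_address) for each plaintext port published
    on anything other than loopback. `services` maps a name to its port specs."""
    findings = []
    for name, specs in services.items():
        for spec in specs:
            host_ip, container_ports = parse_mapping(spec)
            # With no host IP, Docker publishes on every interface.
            bind = ipaddress.ip_address(host_ip or "0.0.0.0")
            if bind.is_loopback:
                continue
            for port in PLAINTEXT_PORTS:
                if port in container_ports:
                    findings.append((name, port, str(bind)))
    return findings

# Constructed sample; service names follow the process names on this page,
# the "proxy" service and all addresses are assumptions.
SAMPLE = {
    "api_server": ["8000:8000"],
    "grpc_server": ["127.0.0.1:50051:50051"],
    "proxy": ["443:443"],
}

if __name__ == "__main__":
    for service, port, bind in audit(SAMPLE):
        print(f"{service}: plaintext port {port} published on {bind}; "
              "bind it to 127.0.0.1 or drop the mapping and let the proxy reach it")
```

A private or VPN-internal bind address is still reported, since traffic to it is unencrypted; whether that is acceptable is a decision for the operator.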
How does authentication work?
- OAuth / CLI-token login for users (cmdop_<...> tokens)
- Long-lived API keys for SDK/agents (cmdop_apikey_<...>)
- Postgres row-level security (RLS) enforces multi-tenant isolation, CI-gated via audit-rls
What are the network requirements?
- Agents initiate outbound connections only
- No inbound ports on agents
- The server needs reachable public (or VPN-internal) access for api_server and grpc_server