The central nervous system of a software organisation. Beta β actively developed; APIs and schemas may change.
Connects GitHub, Datadog, Linear, K8s, Loki, Prometheus, Jira, ArgoCD, PagerDuty, Terraform, and any cloud provider into a single intelligence surface. Every person in the org β SRE, PM, BA, Dev β queries, acts, and governs the entire software lifecycle through one orchestrator.
Not a devtool. The connective tissue between Product, Eng and SRE.Every connector added = more intelligence for the entire org. Ask once, see everything across every tool, act with confidence behind a governed write path.
π Website: www.anway.dev Β· π¬ Demo: watch the 90-second walkthrough below.
https://github.com/anway-dev/anway/releases/download/v0.1.0-beta/anway-demo.mp4
If the player above doesn't load,
[β or click the thumbnail:]βΆ watch the 90-second demo on anway.dev
A signal fires β ask once β agents trace the root cause across every tool β gated action, then a tour of services, pipelines, connectors and the audit trail.
Anway is split across repositories under the anway-dev org:
| Repo | What it is |
|---|---|
| (this repo) | |
| The platform β web UI, gateway, agent harness, agent-service, CLI, connectors, and infra. | |
| Cloud / e2e test environment β Terraform, k8s manifests, runners, service defs. |
The product demo video and its capture harness live in this repo under apps/web/demo/.
ArchitecturePrerequisitesLocal DevelopmentDemo ModeConfiguration ReferenceRunning TestsProduction DeploymentTroubleshooting
apps/
web/ Next.js UI (port 3000)
gateway/ Fastify BFF β auth, RBAC, audit, connector proxy (port 4000)
agent-service/ Python FastAPI β LLM inference, episodic graph (port 8000)
cli/ anway CLI
packages/
agent/ Orchestrator harness, specialist agents, IModelProvider
k8s/ Cluster client
ui/ Shared components
types/ Shared TypeScript types
infra/
docker-compose.yml Dev dependencies (Postgres, Redis, Neo4j)
docker-compose.dev.yml Extended dev stack (Prometheus, Grafana, OTEL)
helm/anway/ Production Helm chart
terraform/ AWS / GCP / Azure Terraform modules
Storage:
| Layer | Technology |
|---|---|
| Primary DB | PostgreSQL 16 + pgvector + Apache AGE |
| Session memory | Redis (TTL = session lifetime) |
| Episodic graph | Neo4j 5 (via Graphiti library) |
| Job queue | BullMQ (Redis-backed) |
| SSE fan-out | Redis Pub/Sub |
| Dependency | Min version | Notes |
|---|---|---|
| Node.js | 20 LTS | |
| pnpm | 9 | npm i -g pnpm |
| Docker + Compose | 24 | For local infra |
| Python | 3.11 | Only if running agent-service locally |
git clone <repo>
cd anway
pnpm install
docker compose -f infra/docker-compose.yml up -d
This starts: Postgres (5432), Redis (6379), Neo4j (7474/7687).
Verify:
docker compose -f infra/docker-compose.yml ps
All services should show healthy
.
cp apps/gateway/.env.example apps/gateway/.env
The defaults work out of the box for local dev. The only value you may want to set immediately:
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
If no LLM key is set, the chat endpoint returns { error: "No LLM provider configured", code: "NO_PROVIDER" }
with status 200 and the UI shows an inline prompt to configure one. No crash.
cd apps/gateway
pnpm prisma migrate deploy
pnpm prisma db seed # populates demo tenant with 22 services, alerts, incidents, pipelines
cd ../..
The seed is idempotent β safe to re-run.
Two terminals:
cd apps/gateway && pnpm dev
cd apps/web && pnpm dev
Open http://localhost:3000.
Demo mode provisions a single pre-seeded tenant and lets anyone log in without credentials. Intended for live demos and internal reviews β never enable in production.
DEMO_MODE=true
curl -X POST http://localhost:4000/api/auth/demo
The web UI shows a Try Demo button on the login page when DEMO_MODE=true
.
The demo tenant (ID 00000000-0000-0000-0000-000000000001
) is populated by the seed script with:
- 22 services across 3 environments (staging / preprod / prod)
- 5 namespaces
- 10+ alerts (mix of severities)
- 10+ incidents (mix of active / resolved)
- 10+ deploys
- 3 pipelines with stage runs and gate events
Required for production:
| Variable | Example | Purpose |
|---|---|---|
DATABASE_URL |
||
postgresql://anway:pass@host:5432/anway |
||
| Postgres connection | ||
JWT_SECRET |
||
| 64 random chars | HS256 signing secret (dev only) | |
JWT_PRIVATE_KEY |
||
| RSA PEM | RS256 private key (production β use instead of JWT_SECRET) | |
JWT_PUBLIC_KEY |
||
| RSA PEM | RS256 public key | |
REDIS_URL |
||
redis://host:6379 |
||
| Redis connection |
LLM provider (one required for chat):
| Variable | Notes |
|---|---|
ANTHROPIC_API_KEY |
|
| Claude β recommended | |
OPENAI_API_KEY |
|
| GPT-4o | |
GROQ_API_KEY |
|
| Groq (fast, cheap) | |
MISTRAL_API_KEY |
|
| Mistral | |
OLLAMA_ENDPOINT |
|
Local Ollama β default http://localhost:11434/v1 |
|
OPENAI_BASE_URL + key |
|
| Any OpenAI-compatible endpoint |
Optional services:
| Variable | Default | Purpose |
|---|---|---|
DEMO_MODE |
||
false |
||
| Enable demo login endpoint | ||
SENTRY_DSN |
||
| β | Error tracking | |
OTEL_EXPORTER_OTLP_ENDPOINT |
||
| β | Traces (OTEL collector) | |
NEO4J_URI |
||
| β | Episodic graph (agent-service) | |
NEO4J_USER / NEO4J_PASSWORD |
||
| β | Neo4j credentials | |
OIDC_ISSUER_URL |
||
| β | SSO via OIDC (Azure AD, Dex, Okta) | |
OIDC_CLIENT_ID / OIDC_CLIENT_SECRET |
||
| β | OIDC app credentials | |
SLACK_SIGNING_SECRET |
||
| β | ChatOps slash commands | |
GITHUB_WEBHOOK_SECRET |
||
| β | Webhook HMAC verification | |
DD_WEBHOOK_SECRET |
||
| β | Datadog webhook HMAC | |
ANWAY_WEBHOOK_TOKEN |
||
| β | Static bearer token for Alertmanager / CI | |
ALLOW_DEV_TOKEN |
||
false |
||
Accept dev-token header (e2e tests only) |
Connector API keys:
CONNECTOR_API_KEYS=e2e-key:00000000-0000-0000-0000-000000000001
GATEWAY_URL=http://127.0.0.1:4000 # gateway base URL (server-side only)
All other config (LLM keys, connector tokens) lives in the gateway β never in the web app.
cd apps/gateway && npx tsc --noEmit
cd apps/web && npx tsc --noEmit
Both must return 0 errors before any merge.
pnpm test # run all workspace tests
cd apps/gateway && pnpm test # gateway only
Requires the full stack running (gateway + web + infra):
cd apps/web && pnpm exec playwright test
pnpm exec playwright test e2e/99-certification.spec.ts
The certification spec (99-certification.spec.ts
) is the gate β it verifies all 37 acceptance criteria across every wave.
docker build -t anway-gateway:latest apps/gateway
docker build -t anway-web:latest apps/web
cp apps/gateway/.env.example apps/gateway/.env.prod
docker compose -f infra/docker-compose.yml \
-f infra/prod/docker-compose.override.yml \
up -d
The Helm chart at infra/helm/anway/
includes: gateway deployment, web deployment, HPA (2β10 pods, CPU 70%), PDB (minAvailable: 1), NetworkPolicy, Ingress (nginx), ServiceAccount with IRSA annotations.
kubectl create namespace anway
kubectl create secret generic anway-secrets \
--namespace anway \
--from-literal=database-url="postgresql://..." \
--from-literal=redis-url="redis://..." \
--from-literal=jwt-private-key="$(cat jwt.key)" \
--from-literal=jwt-public-key="$(cat jwt.key.pub)"
helm install anway infra/helm/anway \
--namespace anway \
--set gateway.image.tag=<version> \
--set web.image.tag=<version> \
--set ingress.host=anway.yourdomain.com
kubectl apply -f infra/k8s/migrate-job.yaml -n anway
cd infra/terraform/environments/aws
cp terraform.tfvars.example terraform.tfvars
terraform init
terraform plan
terraform apply
This provisions: EKS cluster, RDS PostgreSQL (Multi-AZ in prod), ElastiCache Redis, ECR repositories, IAM roles (IRSA), S3 bucket for TF state. GCP (environments/gcp
) and Azure (environments/azure
) modules follow the same pattern.
[ ] DATABASE_URL + REDIS_URL reachable from pods
[ ] JWT_PRIVATE_KEY + JWT_PUBLIC_KEY set (RS256, not HS256 secret)
[ ] DEMO_MODE absent or set to false
[ ] ALLOW_DEV_TOKEN absent (never set in prod)
[ ] Postgres migrations applied (prisma migrate deploy)
[ ] Seed run if using demo tenant
[ ] Health check responding: GET /health/live β 200, GET /health/ready β 200
[ ] SENTRY_DSN configured for error tracking
[ ] OTEL collector reachable if telemetry required
[ ] Connector API keys rotated from dev defaults
[ ] ANWAY_WEBHOOK_TOKEN set and matches alertmanager/CI config
[ ] RDS automated backups enabled (Terraform does this automatically)
| Endpoint | Purpose |
|---|---|
GET /health/live |
|
| Liveness β always returns 200 if process is up | |
GET /health/ready |
|
| Readiness β checks Postgres + Redis connectivity |
Configure Kubernetes probes to use /health/ready
.
| Role | Capabilities |
|---|---|
admin |
|
| All operations | |
sre |
|
| Approve gates, create incidents, trigger deploys | |
dev |
|
| Create pipelines, run stages on non-prod envs | |
pm / ba |
|
| Read only |
Roles are set at user provisioning time via the Access view or API.
Anway supports any OIDC-compliant provider (Azure AD, Okta, Google Workspace, Keycloak, Dex).
OIDC_ISSUER_URL=https://login.microsoftonline.com/<tenant>/v2.0
OIDC_CLIENT_ID=<app-id>
OIDC_CLIENT_SECRET=<secret>
OIDC_REDIRECT_URI=https://anway.yourdomain.com/auth/oidc/callback
OIDC_TENANT_ID=<anway-tenant-uuid>
For local testing, the demo compose stack includes Dex (infra/demo/dex/
) as a mock OIDC provider.
Chat shows "No AI model configured"
Set at least one LLM provider key in apps/gateway/.env
. Restart the gateway.
Seed fails with "relation does not exist"
Migrations haven't run. Run cd apps/gateway && pnpm prisma migrate deploy
first.
** GET /health/ready returns 503** Either Postgres or Redis is unreachable. Check
DATABASE_URL
and REDIS_URL
. Confirm infra containers are healthy: docker compose ps
.TypeScript errors after pulling
Run pnpm install
at the repo root to pick up any new dependencies, then npx tsc --noEmit
again.
Playwright tests fail with "demo user not found"
Re-run the seed: cd apps/gateway && pnpm prisma db seed
.
SSE streams drop under load
Redis is required for SSE fan-out across multiple gateway pods. Ensure REDIS_URL
is set. Single-pod deployments work without Redis but cannot fan-out.
Contributions are welcome β see CONTRIBUTING.md for setup, workflow and guidelines, and
CODE_OF_CONDUCT.md
Found a vulnerability? Please report it privately β see SECURITY.md. Do
not open a public issue for anything exploitable. Note the non-production defaults table there before deploying.
MIT Β© Anway.