This is the primary setup guide for users and contributors.
It is organized by goal so you can pick the fastest path:
| Path | Best For | Time |
|---|---|---|
| Path A | Run the web app locally against an existing backend | ~10-20 min |
| Path B | Contribute code locally (lint/typecheck/tests) | ~15-30 min |
| Path C | Deploy your own full stack (Cloudflare + Modal + Vercel) | ~1-3 hours |
Open-Inspect is designed for single-tenant use. Everyone in your deployment shares the same GitHub App installation scope. Read the security model in README.md before production use.
Required:
- Node.js
22+(minimum supported:20+) - npm
- Git
Optional (needed for modal-infra development):
- Python
3.12+ uv(recommended) orpip- Modal CLI (
modal)
Optional (needed for full deployment):
- Terraform
1.6+ - Wrangler CLI
Quick check:
node -v
npm -v
git --versionFrom repository root:
bash .openinspect/setup.shWhat this does:
- installs JS dependencies
- builds
@open-inspect/shared - installs git hooks
- sets up Python env for
packages/modal-infrawhen possible
Use this when you already have a deployed control plane and Modal backend, and only need local UI development.
cp packages/web/.env.example packages/web/.env.localEdit packages/web/.env.local:
# GitHub App OAuth
GITHUB_CLIENT_ID=your_github_app_client_id
GITHUB_CLIENT_SECRET=your_github_app_client_secret
# NextAuth
NEXTAUTH_URL=http://localhost:3000
NEXTAUTH_SECRET=your_generated_secret
# Backend endpoints (deployed)
CONTROL_PLANE_URL=https://open-inspect-control-plane-<name>.<subdomain>.workers.dev
NEXT_PUBLIC_WS_URL=wss://open-inspect-control-plane-<name>.<subdomain>.workers.dev
# Must match control-plane INTERNAL_CALLBACK_SECRET
INTERNAL_CALLBACK_SECRET=your_shared_secret
# Optional access control
ALLOWED_USERS=
ALLOWED_EMAIL_DOMAINS=Do not commit packages/web/.env.local.
Generate a secret value:
openssl rand -base64 32If you are using someone else's deployed backend, do not generate your own
INTERNAL_CALLBACK_SECRET. Use the value configured in that backend deployment.
In GitHub App settings, include:
http://localhost:3000/api/auth/callback/github
If this does not match exactly, sign-in will fail.
npm run dev -w @open-inspect/webOpen http://localhost:3000.
- Sign in with GitHub.
- Open or create a session.
- Send a prompt.
- Confirm live events stream in the session page.
If session actions fail, validate:
CONTROL_PLANE_URLNEXT_PUBLIC_WS_URLINTERNAL_CALLBACK_SECRET
These must align with your deployed backend.
Use this for day-to-day engineering work in the monorepo.
# Build shared first if it changed
npm run build -w @open-inspect/shared
# Monorepo checks
npm run lint
npm run typecheck
npm test# Control plane
npm test -w @open-inspect/control-plane
npm run test:integration -w @open-inspect/control-plane
# Web
npm test -w @open-inspect/web
# Bots
npm test -w @open-inspect/github-bot
npm test -w @open-inspect/slack-bot
npm test -w @open-inspect/linear-botcd packages/modal-infra
# preferred (sandbox-runtime resolved automatically via uv.lock)
uv sync --frozen --extra dev
# alternative (install sandbox-runtime sibling package first)
pip install -e ../sandbox-runtime
pip install -e ".[dev]"
pytest tests/ -vFor full infrastructure setup, use:
Critical notes before deploy:
- Build workers before running Terraform apply.
- Build
@open-inspect/sharedfirst. - Use two-phase Terraform deploy for DO/service bindings.
- Deploy Modal with
modal deploy deploy.py(notsrc/app.py).
Your GitHub callback URL does not exactly match the running app URL.
Check ALLOWED_USERS and ALLOWED_EMAIL_DOMAINS in packages/web/.env.local.
INTERNAL_CALLBACK_SECRET in web env does not match the control plane secret.
For deployed control plane use wss://..., for local control plane use ws://....
Control plane cannot reach Modal (or Modal is not properly configured/deployed).
- Architecture and internals: docs/HOW_IT_WORKS.md
- Full production deployment: docs/GETTING_STARTED.md
- Debugging and observability: docs/DEBUGGING_PLAYBOOK.md
- OpenAI model setup: docs/OPENAI_MODELS.md
- Contribution workflow: CONTRIBUTING.md