Docker Sidecar Deployment | Panovista

Sidecar Deployment via Docker

Because Panovista operates as a zero-state, high-performance Go binary, it is perfectly suited for containerized environments. Deploying Panovista as a sidecar container ensures that all outbound or inbound AI tool traffic from your primary application is forced through the proxy loopback before it can reach external networks or internal data stores.

Panovista is distributed as a single, compiled Go binary packaged inside a strict scratch Docker image. This means the image contains no operating system userland (no Alpine, no Ubuntu, no shell). With no OS packages and no shell present, an attacker has no OS-level package vulnerabilities to exploit inside the container and no shell from which to obtain a terminal session. The container still runs on the host's kernel, so the host and container runtime must be kept patched.


Docker Compose Configuration

The most secure way to spin up the Panovista sidecar alongside your primary AI application or orchestration agent is via docker-compose.

Below is a production-ready docker-compose.yml configuration demonstrating how Panovista isolates an internal database MCP server from the outside world:

version: '3.8'

services:
  # Your primary AI agent or application gateway
  ai-agent-app:
    image: your-company/ai-agent:latest
    environment:
      # Point the agent's tool execution router directly to the Panovista proxy
      - MCP_SERVER_URL=http://panovista-proxy:4321/mcp
    depends_on:
      - panovista-proxy
    networks:
      - public-agent-net

  # The Panovista inline security proxy
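  panovista-proxy:
    image: panovista/proxy:v1.2.0
    # Fixed name so that `docker logs -f panovista-proxy` resolves; without it
    # Compose generates a project-prefixed container name
    container_name: panovista-proxy
    ports:
      # Publishes the proxy on every host interface; the agent itself reaches it
      # over public-agent-net regardless of this mapping
      - "4321:4321"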
    environment:
      - PANOVISTA_LOG_LEVEL=info
      # The proxy securely manages authorization and token mapping internally
      - PANOVISTA_MODE=sidecar
    volumes:
      # Mount your local JSON-RPC schemas, DLP rules, and RBAC policies
      - ./panovista-config:/etc/panovista/policies:ro
    read_only: true
    networks:
      - mcp-backend-net
      - public-agent-net

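  # The raw internal database MCP tool server (Sealed from public access)
  internal-database-mcp:
    image: my-enterprise/db-mcp-server:latest
    expose:
      - "8000"
    networks:
      - mcp-backend-net

# Networks referenced by a service must be declared here, or Compose rejects the file
networks:
  public-agent-net: {}
  mcp-backend-net:
    # internal: no route to or from outside this network, so only the proxy can reach the MCP server
    internal: true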
Configuration Breakdown


Execution and Logs

To start the secure environment, simply run:

docker-compose up -d

Because Panovista writes its cryptographically signed logs directly to standard output (stdout), you can tail real-time security and token-swapping events using native Docker commands:

docker logs -f panovista-proxy