AgentWatch
Technical Deep Dive

System Architecture

A three-component Node.js monorepo designed for enterprise scale โ€” with Express API, React UI, and MCP knowledge server working together as a unified platform.

See All Features View Comparison
System Design

Three-Component Platform

AgentWatch is a monorepo containing three independent Node.js applications that work together as a complete LLM management platform.

Clients
๐ŸŒ
Web Browser
Dashboard UI
๐Ÿ’ป
API Clients
SDKs / HTTP
๐Ÿ”ง
IDE Extensions
VS Code / JetBrains
All traffic flows through AgentWatch
AgentWatch Platform (Port 8787)
โšก
Express API Server
REST + Proxy
๐Ÿ”
Auth & RBAC
JWT + Roles
๐Ÿ›ก๏ธ
DLP Engine
30+ patterns
๐Ÿ“Š
Metrics Collector
Prometheus
Routes to best available provider
LLM Providers
๐ŸŸข
OpenAI
GPT-4o / GPT-4
๐ŸŸ 
Anthropic
Claude 3.x
๐Ÿ”ต
Google
Gemini Pro
๐ŸŸฃ
OpenRouter
100+ models
โš™๏ธ
Custom
Any OpenAI endpoint
Main Server ยท Port 8787
Express API Server
  • LLM proxy handler with provider routing
  • JWT auth & RBAC middleware
  • DLP scanning engine
  • Response caching
  • Prometheus metrics collection
  • Multi-tenant billing via Stripe
Web UI ยท Vite / Static
React Admin Dashboard
  • React 18.3 + TypeScript SPA
  • Real-time observability dashboards
  • Provider management UI
  • Budget & team management
  • Compliance configuration
  • Knowledge graph visualization
MCP Server ยท Port 4000
Knowledge Extractor
  • Repository ingestion pipeline
  • Tree-sitter AST parsing
  • Semgrep security scanning
  • Trivy infrastructure scanning
  • LanceDB vector store
  • Semantic code search API
Technology

Technology Stack

Built on proven, production-ready technologies with a TypeScript-first codebase.

Main Server

RuntimeNode.js 24+
LanguageTypeScript
FrameworkExpress.js
DatabaseSQLite 3 / PostgreSQL
ORMPrisma
AuthJWT + bcrypt
HTTP ClientAxios
QueuePQueue
Tokensjs-tiktoken
BillingStripe SDK

Web UI

FrameworkReact 18.3
LanguageTypeScript
Build ToolVite
StylingTailwindCSS
StateTanStack Query
RoutingReact Router
ChartsRecharts
GraphsCytoscape, vis-network
IconsLucide React
FormsReact Hook Form

MCP Server

RuntimeNode.js
ProtocolMCP SDK
Vector DBLanceDB
Key-ValueLevelDB
ParserTree-sitter
SASTSemgrep
Infra ScanTrivy
CLICommander.js
EmbeddingsOpenAI text-embedding
GraphCustom symbol graph
Request Lifecycle

How a Request is Processed

Every LLM request goes through a multi-stage processing pipeline with auth, DLP, routing, and usage recording.

๐Ÿ“จ
1. Request In
POST /v1/chat
๐Ÿ”
2. Auth Check
Validate API key
๐Ÿ“Š
3. Quota Check
Budget & rate limits
๐Ÿ›ก๏ธ
4. DLP Scan
30+ data patterns
๐Ÿ’พ
5. Cache Check
Identical requests
๐Ÿ”€
6. Route
Provider selection
โ˜๏ธ
7. LLM Call
With retry logic
๐Ÿ“
8. Log & Meter
Async recording
Application Services
What Runs at Runtime
  • Authentication Service: JWT tokens, RBAC, password policies
  • LLM Proxy Service: Request routing, provider selection, failover
  • Compliance Service: DLP scanning, guardrails, audit logging
  • Billing Service: Token counting, budget enforcement, Stripe sync
  • Knowledge Service: MCP proxy, repository indexing
Design Patterns
Key Architectural Decisions
  • Circuit Breaker: Prevent cascading failures across providers
  • Retry with Backoff: Handle transient network errors gracefully
  • Request Queue: Backpressure management under load
  • Connection Pool: Efficient HTTP keep-alive connections
  • Async Recording: Non-blocking usage tracking doesn't add latency
Data Model

Database Schema

SQLite for development, PostgreSQL for production. Full Prisma ORM with migrations.

Core Entities

TablePurposeKey Fields
organizationsSaaS billing tenantname, slug, stripe_customer_id
teamsOrg sub-groupsname, org_id, budget
usersAuthenticationemail, password_hash, role, org_id
tenantsAPI consumerapi_key, rate_limit, budgets
providersLLM providersname, base_url, status
api_keysProvider keysencrypted_key, concurrency_limit

Usage & Compliance

TablePurposeKey Fields
usage_recordsRequest logtokens, cost, model, latency
audit_logsCompliance trailaction, user_id, ip_address
conversationsChat historymessages, dlp_events, risk_score
subscription_plansSaaS tiersfeatures, limits, stripe_price_id
org_rolesRBAC rolesname, permissions
modelsModel catalogmodel_id, pricing, context_window
๐Ÿ—„๏ธ
Dual-database support: SQLite (via @internal/prisma-sqlite) for development and PostgreSQL (via @prisma/client) for production. Two separate Prisma schemas with the same model structure ensure smooth migration.
Security Architecture

Security by Design

Security isn't a feature โ€” it's the foundation. Every layer of the stack is designed with security in mind.

๐Ÿ”‘
Key Encryption
AES-256-GCM encryption for all provider API keys at rest. Random IVs and HMAC authentication tags.
๐ŸŽซ
JWT Sessions
24-hour JWT tokens with organization context, role claims, and super-admin flag embedded.
๐Ÿ”’
IDOR Prevention
Organization ID always sourced from JWT, never from request body or params. Super admin override via header only.
๐Ÿ“‹
Security Headers
Full CSP, HSTS, X-Frame-Options, and other security headers set on every response.
Operations

Deployment & Scaling

From a single Docker Compose command to full Kubernetes at scale โ€” AgentWatch fits your operational model.

Quick Start
Docker Compose
# Single command deploy docker-compose up -d # Services started: โœ“ agentwatch:8787 โœ“ mcp-server:4000 โœ“ PostgreSQL database
Production
Kubernetes
  • Helm chart for K8s deployment
  • Horizontal Pod Autoscaling (HPA)
  • Liveness & readiness probes
  • ConfigMap + Secrets management
  • PersistentVolume for SQLite
  • Service mesh compatible (Istio)
Configuration
Environment Variables
  • DATABASE_URL โ€” DB connection string
  • JWT_SECRET โ€” Token signing key
  • ENCRYPTION_KEY โ€” Key encryption
  • STRIPE_SECRET_KEY โ€” Billing
  • HTTPS_PROXY โ€” Enterprise proxy
  • PORT โ€” Default 8787
See How It Compares
Compare AgentWatch against LiteLLM, Helicone, Portkey, and Kong.
View Comparison Login to Dashboard