Developer Documentation

VAGUS

Self-hosted relay deployment and operations guide.

Overview

This guide documents production deployment of the VAGUS relay server from ../relay-server using:

  • Node.js runtime for the relay process.
  • systemd for daemon lifecycle management.
  • nginx as TLS terminator and reverse proxy.
  • Optional Redis persistence (recommended production mode).

Public URL: wss://relay.example.com

Health endpoint: https://relay.example.com/health

Code source: ../relay-server/src/server.js

Note: domain, paths, and port values in this guide are examples; replace with your environment.

Related: Server (Android App) for MCP runtime behavior and Node Client for client-side CLI usage.

Architecture

Layer Role Port
nginxTLS termination, HTTP/WebSocket proxy, public ingress.443
Relay Node processPairing API + WSS routing + session logic.18087 (loopback)
Redis (optional)Session/pair persistence across relay restarts.6379

Endpoints served by relay:

  • POST /pair
  • POST /revoke
  • GET /health
  • WSS /connect/<session_token>?role=app|client

Prerequisites

  • Ubuntu/Debian VPS with sudo access.
  • Domain DNS relay.example.com pointing to the VPS.
  • Node 20+ installed at /usr/bin/node.
  • nginx and systemd installed.
  • Optional: Redis available locally for persistence.
# one-time packages
sudo apt update
sudo apt install -y nginx redis-server certbot python3-certbot-nginx

Install Relay Server

1. Provision target directory

sudo mkdir -p 
sudo chown -R $USER:$USER

2. Copy relay source

# from your repo host
cp -R ../relay-server/. /

3. Install dependencies

cd 
npm install --omit=dev

Environment Configuration

Use .env.example as baseline. Key production settings:

Variable Recommended Production Value
PORT18087 (bind on localhost behind nginx)
TRUST_PROXYtrue (required behind nginx)
REQUIRE_REDIStrue
REDIS_URL
REDIS_PREFIXvagus:relay: (or tenant-specific)
RELAY_BUILDrelease identifier (example 2026.02.25)
REQUIRE_ORIGINfalse unless strict browser-only flows are required
MAX_MESSAGE_BYTES1048576 (1MB default)

Example env file

sudo tee  >/dev/null <<'EOF'
NODE_ENV=production
PORT=
TRUST_PROXY=true
RELAY_BUILD=2026.02.25
REQUIRE_REDIS=true
REDIS_URL=
REDIS_PREFIX=vagus:relay:
REQUIRE_ORIGIN=false
EOF

systemd Service (Daemon)

Service template is provided at ../relay-server/deploy/systemd/vagus-relay.service.

Install service

sudo cp /deploy/systemd/vagus-relay.service /etc/systemd/system/vagus-relay.service

# recommended: use env file instead of inline Environment lines
sudo sed -i 's|^# EnvironmentFile=|EnvironmentFile=|' /etc/systemd/system/vagus-relay.service

sudo systemctl daemon-reload
sudo systemctl enable vagus-relay
sudo systemctl restart vagus-relay
sudo systemctl status vagus-relay --no-pager

Logs

journalctl -u vagus-relay -f

Nginx + SSL

Nginx template is provided at ../relay-server/deploy/nginx/relay.example.com.conf.

1. Install nginx site config

sudo cp /deploy/nginx/relay.example.com.conf /.conf
sudo ln -sf /.conf /.conf
sudo nginx -t
sudo systemctl reload nginx

2. Issue SSL certificate (Let's Encrypt)

sudo certbot --nginx -d relay.example.com
sudo nginx -t
sudo systemctl reload nginx

3. Firewall (if UFW is enabled)

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw status

Relay listens on :. Do not expose publicly.

Verification

Health endpoint

curl -sS https://relay.example.com/health | jq

Expected fields include:

  • status: "ok"
  • mode: "multi-client"
  • relay_build
  • persistence: "redis" (if Redis configured)

Smoke test

cd 
node scripts/smoke-test.js

Operations

Restart relay

sudo systemctl restart vagus-relay

Deploy update

cd 
# sync updated source here
npm install --omit=dev
sudo systemctl restart vagus-relay
curl -sS https://relay.example.com/health

Zero-data guarantees

  • Payloads are relayed in memory and not persisted by relay.
  • Redis stores session metadata only (token/code/session state), not message bodies.

Troubleshooting

Symptom Check Fix
/health returns 502 systemctl status vagus-relay Start/restart service and inspect journal logs.
WSS handshake fails nginx -t, cert validity, DNS Fix TLS config/cert and reload nginx.
Service exits on boot journal logs for Redis error Set REDIS_URL or disable REQUIRE_REDIS temporarily.
Pair requests rate limited HTTP 429 on /pair Tune MAX_PAIR_REQUESTS_PER_WINDOW and RATE_LIMIT_WINDOW_MS.

Security Checklist

  1. Run behind TLS only. Enforce HTTP-to-HTTPS redirect.
  2. Keep relay port private (loopback), expose only 443/80 via nginx.
  3. Use Redis persistence for restart safety and controlled session cleanup.
  4. Set TRUST_PROXY=true when behind nginx for correct client IP rate limiting.
  5. Set RELAY_BUILD per release for traceable health diagnostics.
  6. Review ORIGIN_ALLOWLIST/REQUIRE_ORIGIN only if browser-origin restrictions are needed.
  7. Monitor logs and alert on relay start failures, 5xx spikes, and pair abuse events.