# Deployment Production deployment considerations for the Agent Smith server. ## Environment Variables | Variable | Description | Default | |----------|-------------|---------| | `NODE_ENV` | Controls static file serving. When set to anything other than `"development"`, the server serves files from the project root directory. | (unset) | The server port is hardcoded to **5184** in `server/src/server/server.ts`. To change it, modify the `app.listen()` call or wrap with a reverse proxy. ## CORS Configuration CORS is enabled by default via `@koa/cors` with credentials support: ```typescript app.use(cors({ credentials: true })); ``` This allows cross-origin requests that include cookies or authentication headers. For production, restrict the allowed origins in the `cors()` options: ```typescript app.use(cors({ origin: "https://your-domain.com", credentials: true })); ``` ## Static File Serving The server can serve static files via `koa-static`. In `server/src/index.ts`, static serving is enabled automatically when `NODE_ENV` is not `"development"` — the project root directory is served as the static root. To configure a custom static directory, use the programmatic API: ```typescript import { runServer } from "@agent-smith/server"; runServer(undefined, "/path/to/static/files"); ``` ## Security Considerations - The server has no built-in authentication. It is made for local use. Deploy behind a reverse proxy with access controls for production use. - CORS is enabled with credentials by default — restrict origins in production. - Keep the server on a private network or use TLS via a reverse proxy. - Monitor logs: the server outputs request logging (`METHOD URL - STATUS - DURATIONms`) to stdout.