Services
Hill90 is composed of application services, infrastructure services, and an observability stack.
Application Services
| Service | Language | URL | Description |
|---|---|---|---|
| API | TypeScript (Express) | api.hill90.com | REST API gateway — agent CRUD, model management, user profiles |
| AI (Model-Router) | Python (FastAPI) | Internal only | Policy-gated LLM inference gateway for agents |
| Knowledge (AKM) | Python (FastAPI) | Internal only | Persistent agent memory with full-text search |
| MCP | Python (FastAPI) | ai.hill90.com/mcp | Model Context Protocol gateway (JWT-authenticated) |
| Agentbox | Python (Starlette/uvicorn) | Internal only | Sandboxed agent runtime containers |
| Keycloak | Java | auth.hill90.com | OIDC/OAuth2 identity provider |
| UI | TypeScript (Next.js) | hill90.com | Frontend application with Auth.js v5 session management |
API Service
The API service is the primary REST gateway and control plane. It handles:
- Agent lifecycle management (create, configure, start, stop, delete)
- Agent container operations (status, logs, config generation)
- Provider connections and user model management (BYOK)
- Model policy management and assignment
- Usage tracking queries
- Knowledge entry browsing and search (proxied from AKM)
- User profile and avatar management
- JWT validation via Keycloak
AI Service (Model-Router)
The AI service is an internal model-router gateway; it is not publicly accessible. Agent containers reach it on the internal network to perform LLM inference. It enforces model access policies (allowed models, rate limits, token budgets), resolves user-owned model configurations, and proxies requests to LLM providers. It supports chat completions (streaming and non-streaming) and embeddings.
Knowledge Service (AKM)
The Agent Knowledge Manager provides persistent memory for agent containers. Agents write knowledge entries (plans, decisions, journals, research notes) that survive across sessions. The service provides full-text search, append-only journaling, and intelligent context assembly with configurable token budgets. Knowledge is scoped per agent: agents cannot read each other’s entries. Users can browse and search their agents’ knowledge via the API service proxy.
Agentbox
Each agent runs in a sandboxed container with policy-gated functions:
- Shell — Command execution with binary allowlists and deny patterns
- Filesystem — File operations with path restrictions and read-only mode
- Identity — Agent personality (SOUL.md) and rules (RULES.md), loaded at startup
- Health — HTTP health endpoint for Docker healthcheck
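One way a shell gate built from a binary allowlist and deny patterns can work, as an added example that is not Hill90's own code; the `ShellPolicy` fields, the sample policy and the function names are assumptions made for illustration.

```python
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ShellPolicy:
    # Hypothetical policy shape; field names are assumptions, not Hill90's schema.
    allowed_binaries: frozenset
    deny_patterns: tuple = ()


# Constructed sample policy for the demonstration.
SAMPLE_POLICY = ShellPolicy(
    allowed_binaries=frozenset({"ls", "cat", "git", "python3"}),
    deny_patterns=(r"\.\./", r"(^|\s)/etc/", r"--upload-pack", r"\s-c(\s|$)"),
)

# Characters that let a shell chain, substitute or redirect commands.
_SHELL_META = re.compile(r"[;&|`$<>\n\\]")


def check_command(command: str, policy: ShellPolicy):
    """Return (allowed, reason). Deny by default; allow only what the policy names."""
    if _SHELL_META.search(command):
        return False, "shell metacharacter"
    try:
        argv = shlex.split(command)
    except ValueError:
        return False, "unparseable quoting"
    if not argv:
        return False, "empty command"
    # Require a bare name: a path such as ./ls or /tmp/ls names a different
    # binary that merely shares an allowed basename.
    if "/" in argv[0] or argv[0] not in policy.allowed_binaries:
        return False, f"binary not allowed: {argv[0]}"
    for pattern in policy.deny_patterns:
        if re.search(pattern, command):
            return False, f"deny pattern matched: {pattern}"
    return True, "ok"


def run_argv(command: str, policy: ShellPolicy):
    """Return the argv to execute without a shell, or raise PermissionError."""
    allowed, reason = check_command(command, policy)
    if not allowed:
        raise PermissionError(reason)
    return shlex.split(command)
```

The allowlist is the primary control and the deny patterns only narrow what an allowed binary may be asked to do, so a command passes only when both agree.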
MCP Service
The MCP (Model Context Protocol) gateway exposes tool-augmented AI capabilities at ai.hill90.com/mcp. All requests require Keycloak JWT authentication. This is the only publicly routed service on the ai.hill90.com hostname.
Keycloak
Keycloak provides centralized identity management:
- User registration and login
- OIDC/OAuth2 token issuance
- Role-based access control (user, admin)
- Account management
UI
The Next.js frontend provides:
- Keycloak-backed authentication (via Auth.js v5)
- Agent management dashboard
- User profile and avatar management
Infrastructure Services
| Service | URL | Description |
|---|---|---|
| Traefik | traefik.hill90.com (VPN-only) | Reverse proxy, load balancer, automatic HTTPS |
| DNS Manager | Internal only | DNS-01 challenge webhook for Let’s Encrypt |
| Portainer | portainer.hill90.com (VPN-only) | Docker container management UI |
| PostgreSQL | Internal only | Relational database |
| MinIO | storage.hill90.com (VPN-only) | S3-compatible object storage |
| OpenBao | vault.hill90.com (VPN-only) | Secrets management (vault) |
| LiteLLM | litellm.hill90.com (VPN-only) | LLM proxy for provider API routing (internal to AI service); admin dashboard exposed via Tailscale |
LiteLLM
LiteLLM is a stateless LLM proxy that routes inference requests to provider APIs (OpenAI, Anthropic). The AI service (model-router) reaches LiteLLM on the internal Docker network at http://litellm:4000; it is not publicly accessible for API traffic. The admin dashboard is exposed at litellm.hill90.com for operational visibility, restricted to the Tailscale network (VPN-only).
Observability Stack
| Service | Description |
|---|---|
| Prometheus | Metrics collection and alerting |
| Grafana | Dashboards and data exploration (grafana.hill90.com, VPN-only) |
| Loki | Log aggregation |
| Tempo | Distributed tracing |
| Promtail | Log collector (ships to Loki) |
| Node Exporter | Host-level metrics |
| cAdvisor | Container metrics |
| postgres-exporter | PostgreSQL metrics |