WAGMIOS
Scope = Permission. API Only. No Workarounds.
Core Principle
The WAGMIOS API is the primary interface for container management. On Linux, Docker requires sudo — without root access, WAGMIOS is the only interface agents can use for homelab control. Do not:
- - Execute
docker CLI commands directly - Access the Docker socket or daemon
- Manipulate API keys or scopes
- Bypass scope restrictions through any means
If a scope is missing, the agent cannot do the task — ask the user to enable it.
Startup Check (First Interaction)
Before attempting any WAGMIOS operation:
- 1. Confirm Docker is available — WAGMIOS manages Docker containers, so Docker must be running on the host
- Confirm backend is reachable — the backend port (default 5179) must be accessible
- Check key scopes — call
GET /api/auth/status to know what the key can do
If Docker is not installed or running:
→ See references/docker-install.md for installation instructions by OS.
If WAGMIOS backend is not reachable:
→ Ask the user to confirm the backend is running at the provided URL.
Authentication
Every request requires the X-API-Key header. The user provides the key and base URL at runtime — do not store it.
CODEBLOCK0
Check key scopes first via GET /api/auth/status — this tells you what the key can do.
Credential handling:
- - Keys are provided by the user at runtime, not stored by the agent
- The API key is scoped — it only allows what the user explicitly granted
- Do not log or expose the full key value
Scope Map
| Scope | Permitted Actions |
|---|
| INLINECODE5 | List containers, inspect, view logs |
| INLINECODE6 |
Create, start, stop, restart containers |
|
containers:delete | Remove containers (with user confirmation) |
|
images:read | List Docker images |
|
images:write | Pull and delete images |
|
templates:read | Use saved container templates |
|
templates:write | Create and edit templates |
|
marketplace:read | Browse the app marketplace |
|
marketplace:write | Install, start, stop marketplace apps |
Standard Workflow
- 1. Verify scope — check
GET /api/auth/status before attempting any action - Confirm — for destructive actions (delete), always confirm with user before executing
- Execute — call the appropriate API endpoint
- Report — return the result clearly
Decision Tree
CODEBLOCK1�
Multi-Machine Management
WAGMIOS supports managing multiple hosts from a single agent. Each machine runs its own WAGMIOS instance with its own URL and its own scoped API key.
How it works:
- 1. User installs WAGMIOS on each machine they want to manage
- User creates a separate API key per machine, with only the scopes that machine needs
- User provides the agent with the URL and key for each machine
- Agent routes requests to the correct machine based on the user's request
Example:
�CODEBLOCK2
Key principle: Each instance is independent. The agent cannot move containers between machines, cannot escalate permissions beyond what a key allows, and each action is logged in the instance's own activity feed.
Safeguards
→ See �INLINECODE15
Docker Installation
→ See �INLINECODE16
API Reference
→ See �INLINECODE17
Marketplace
→ See �INLINECODE18
Workflows
→ See �INLINECODE19
Scope Reference
→ See �INLINECODE20
WAGMIOS
作用域 = 权限。仅限API。无变通方案。
核心原则
WAGMIOS API是容器管理的主要接口。在Linux上,Docker需要sudo权限——没有root访问权限时,WAGMIOS是代理可用于家庭实验室控制的唯一接口。请勿:
- - 直接执行docker CLI命令
- 访问Docker套接字或守护进程
- 操作API密钥或作用域
- 以任何方式绕过作用域限制
如果缺少某个作用域,代理无法执行该任务——请用户启用它。
启动检查(首次交互)
在尝试任何WAGMIOS操作之前:
- 1. 确认Docker可用——WAGMIOS管理Docker容器,因此Docker必须在主机上运行
- 确认后端可访问——后端端口(默认5179)必须可访问
- 检查密钥作用域——调用GET /api/auth/status以了解密钥的权限范围
如果Docker未安装或未运行:
→ 参见references/docker-install.md获取各操作系统的安装说明。
如果WAGMIOS后端无法访问:
→ 请用户确认后端正在提供的URL上运行。
身份验证
每个请求都需要X-API-Key标头。用户在运行时提供密钥和基础URL——请勿存储。
基础URL:http://localhost:5179(用户提供,远程主机可能不同)
标头: X-API-Key:<密钥>
首先通过GET /api/auth/status检查密钥作用域——这将告知密钥的权限范围。
凭据处理:
- - 密钥由用户在运行时提供,代理不存储
- API密钥有作用域限制——仅允许用户明确授予的操作
- 请勿记录或暴露完整的密钥值
作用域映射
| 作用域 | 允许的操作 |
|---|
| containers:read | 列出容器、检查、查看日志 |
| containers:write |
创建、启动、停止、重启容器 |
| containers:delete | 移除容器(需用户确认) |
| images:read | 列出Docker镜像 |
| images:write | 拉取和删除镜像 |
| templates:read | 使用已保存的容器模板 |
| templates:write | 创建和编辑模板 |
| marketplace:read | 浏览应用市场 |
| marketplace:write | 安装、启动、停止市场应用 |
标准工作流程
- 1. 验证作用域——在执行任何操作前检查GET /api/auth/status
- 确认——对于破坏性操作(删除),始终在执行前与用户确认
- 执行——调用相应的API端点
- 报告——清晰返回结果
决策树
用户要求执行X操作
│
├── 缺少X操作的作用域?
│ 是 → 告知用户,请其在设置中启用
│ 否 → 继续
│
├── X操作具有破坏性(删除、停止)?
│ 是 → 执行前与用户确认
│ 否 → 立即执行
│
└── 通过API执行,报告结果
多机管理
WAGMIOS支持通过单个代理管理多个主机。每台机器运行自己的WAGMIOS实例,拥有自己的URL和各自的作用域API密钥。
工作原理:
- 1. 用户在每台需要管理的机器上安装WAGMIOS
- 用户为每台机器创建单独的API密钥,仅包含该机器所需的作用域
- 用户向代理提供每台机器的URL和密钥
- 代理根据用户请求将请求路由到正确的机器
示例:
用户:在媒体服务器上安装Jellyfin,并确保NAS上的Nginx正在运行。
代理 → POST media-server:5179/api/marketplace/create { app_id: jellyfin }
代理 → GET nas:5179/api/containers
代理 → POST nas:5179/api/containers/nginx/start
Jellyfin正在媒体服务器上安装(端口8096)。Nginx正在NAS上运行。
关键原则: 每个实例独立运行。代理无法在机器之间移动容器,无法超越密钥允许的权限范围,每个操作都会记录在实例自身的活动日志中。
安全防护
→ 参见references/safeguards.md
Docker安装
→ 参见references/docker-install.md
API参考
→ 参见references/api.md
应用市场
→ 参见references/marketplace.md
工作流程
→ 参见references/workflows.md
作用域参考
→ 参见references/scopes.md
