Your whole team on one board. Auto Bot is a voice-first place where people and agents work side by side. Assign a task to a teammate or to an autonomous agent; the agent picks it up, ships it, updates the board, and shows up to standup to report. An AI scrum-master agent runs the meeting by voice, tracks who is speaking, and creates, moves, opens, and closes tickets in real time. Any timezone, any language, human or AI. Syncs with Jira (Linear coming soon).
```mermaid
flowchart TB
  subgraph Browser
    UI["Kanban UI + livekit-client"]
  end
  subgraph Edge["Ingress / Edge"]
    ING["Ingress Controller<br/>(Traefik / nginx)"]
  end
  subgraph K8s["Kubernetes cluster"]
    direction TB
    POD["auto-bot pod<br/>(Go server :3000)"]
    SQLITE[("SQLite board state<br/>PVC /srv/data")]
    SIDECAR["aws_signing_helper<br/>sidecar (IMDS :9911)"]
    POD --- SQLITE
    POD -. "AWS creds" .- SIDECAR
  end
  subgraph Cloud["External services"]
    LK["LiveKit Cloud<br/>(WebRTC media / SFU)"]
    BR["AWS Bedrock<br/>Nova Sonic + Claude"]
  end
  UI -- "HTTPS + WebSocket<br/>(board, chat, control)" --> ING --> POD
  UI -- "WebRTC media<br/>(audio/video)" --> LK
  POD -- "room tokens" --> LK
  SIDECAR -- "X.509 → short-lived STS" --> BR
  POD -- "speech-to-speech<br/>+ agent runs" --> BR
  LK -. "agent audio" .-> POD
```
How it fits together:
- The browser loads the Kanban UI and connects two ways: HTTPS/WebSocket to the app for board state and control, and WebRTC directly to LiveKit Cloud for audio/video media.
- The app pod mints LiveKit room tokens, holds board state in a local SQLite file (on a persistent volume), and drives the AI agent.
- The agent talks to AWS Bedrock — Nova Sonic for speech-to-speech, Claude for board reasoning.
- AWS is reached with no long-lived keys: an IAM Roles Anywhere sidecar exchanges an X.509 client cert for short-lived STS credentials.
You bring your own ingress (any controller), put whatever access control you like in front of it (SSO, a private network, a tunnel), and the app stays the same.
Prerequisites: a Kubernetes cluster (k3s, kind, EKS, …), kubectl, helm, a LiveKit Cloud project, and an AWS account with Bedrock access in us-east-1 or us-west-2 (Nova Sonic is not in us-east-2).
```bash
kubectl create secret generic auto-bot-secrets \
  --from-literal=APP_API_TOKEN="$(openssl rand -hex 32)" \
  --from-literal=LIVEKIT_URL="wss://your-project.livekit.cloud" \
  --from-literal=LIVEKIT_API_KEY="..." \
  --from-literal=LIVEKIT_API_SECRET="..." \
  --from-literal=LIVEKIT_BROWSER_URL="wss://your-project.livekit.cloud"
```

For GitOps, seal this with Sealed Secrets or External Secrets instead. See deploy/helm/auto-bot/secret.example.yaml.

The container image is published, so you don't need to build it. The chart defaults to ghcr.io/somoore/auto-bot (signed with cosign; see docs/deployment.md).

Supported platforms: linux/amd64 and linux/arm64 (from v0.0.3-prealpha on), covering Intel/AMD servers and ARM (Apple Silicon, AWS Graviton, Raspberry Pi). Per-tag arches are listed on the GHCR package page; see releases for the latest.
Heads up: the credential-helper sidecar image is not published; you build it yourself (a few lines; see docs/deployment.md) and point awsRolesAnywhere.image at your own registry. The main app image is published.
```bash
cd deploy/terraform/roles-anywhere
./gen-certs.sh                                # creates certs/ca.crt, certs/leaf.crt, certs/leaf.key
cp terraform.tfvars.example terraform.tfvars  # fill in agent_model_arns for your region
terraform init && terraform apply             # prints trustAnchorArn / profileArn / roleArn
# store the leaf cert the sidecar will use:
kubectl create secret generic auto-bot-ra-cert \
  --from-file=leaf.crt=certs/leaf.crt --from-file=leaf.key=certs/leaf.key
```

```bash
# placeholders are quoted so the shell does not treat < and > as redirections
helm install auto-bot deploy/helm/auto-bot \
  --set ingress.host=auto-bot.example.com \
  --set ingress.className=traefik \
  --set awsRolesAnywhere.enabled=true \
  --set awsRolesAnywhere.trustAnchorArn="<from terraform>" \
  --set awsRolesAnywhere.profileArn="<from terraform>" \
  --set awsRolesAnywhere.roleArn="<from terraform>"
```

Or copy values-example.yaml, edit it, and run:

```bash
helm install auto-bot deploy/helm/auto-bot -f my-values.yaml
```
Visit https://auto-bot.example.com, start a meeting, and talk to your board.
📖 Full guide: docs/deployment.md — ingress patterns, TLS, access control, the no-popup auth trick, and troubleshooting.
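A pre-flight check for the certificate step above, added here as an example and not taken from the auto-bot repository: it confirms that the leaf written by gen-certs.sh chains to certs/ca.crt, matches certs/leaf.key, and meets the IAM Roles Anywhere end-entity requirements (CA:FALSE, digitalSignature key usage, no MD5/SHA-1 signature) before the pair is stored as auto-bot-ra-cert. The function name check_ra_leaf and the 7-day expiry margin are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the auto-bot repository.
# Usage: check_ra_leaf <ca.crt> <leaf.crt> <leaf.key> [min_days_valid]
# Returns 0 only if every check passes; prints one FAIL line per problem.
check_ra_leaf() {
  local ca="$1" leaf="$2" key="$3" min_days="${4:-7}" rc=0 text cert_pub key_pub

  # 1. The leaf must chain to the CA that Terraform registers as trust anchor.
  if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
    echo "FAIL: $leaf does not verify against $ca" >&2; rc=1
  fi

  # 2. The private key must be the one the certificate was issued for.
  cert_pub="$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)" || true
  key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || true
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $leaf" >&2; rc=1
  fi

  # 3. Roles Anywhere end-entity rules: CA:FALSE and digitalSignature key usage.
  text="$(openssl x509 -in "$leaf" -noout -text 2>/dev/null)" || true
  if ! printf '%s\n' "$text" | grep -q 'CA:FALSE'; then
    echo "FAIL: basicConstraints is not CA:FALSE" >&2; rc=1
  fi
  if ! printf '%s\n' "$text" | grep -q 'Digital Signature'; then
    echo "FAIL: keyUsage lacks digitalSignature" >&2; rc=1
  fi

  # 4. MD5 and SHA-1 signatures are rejected by Roles Anywhere.
  if printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: .*(md5|sha1)'; then
    echo "FAIL: weak signature algorithm" >&2; rc=1
  fi

  # 5. Catch a certificate that is expired or about to expire.
  if ! openssl x509 -in "$leaf" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
    echo "FAIL: $leaf expires within $min_days days" >&2; rc=1
  fi

  return "$rc"
}
```

From deploy/terraform/roles-anywhere, call `check_ra_leaf certs/ca.crt certs/leaf.crt certs/leaf.key` after `./gen-certs.sh` and create the secret only if it returns 0.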
```bash
cp .env.example .env   # fill in APP_API_TOKEN, LiveKit, AWS
make up                # docker compose up --build -d
# open http://localhost:3001
make logs              # tail app + livekit
make down
```

The voice provider, environment variables (config / secretEnvKeys), and the repository layout are documented in docs/configuration.md.
The stable contract package is internal/core; runtime implementations live outside it, and
scripts/check-import-boundaries.sh keeps provider-specific code out of the contract surface.
- docs/architecture.md — runtime boundaries
- docs/codebase-map.md — source → responsibility map
- docs/extension-contracts.md — voice/connector/model/ledger contracts
- docs/api/openapi.yaml — HTTP control plane
Browser control APIs are protected by an HttpOnly session cookie; the page never receives
APP_API_TOKEN. For multi-user/public use, put SSO in front of the ingress: the app natively
derives a distinct per-user identity from a verified email via Cloudflare Access or AWS ALB
OIDC (see docs/deployment.md). See security.md
and docs/threat-model.md.
See contributing.md and code_of_conduct.md.

