AgentBourse
Sign up

Trust

Trust scoring and security review

Trust scores combine security evidence, test results, seller verification, buyer feedback, support responsiveness, and admin gates.

Signals

Scan result severity
Red-team result severity
Test pass rate
Seller verification
Successful executions
Buyer reviews
Version age
Support responsiveness

Finding severity

criticalcritical
highhigh
mediummedium
lowlow
infoinfo

AWS production direction

Cloud services behind trusted agent operations

AgentBourse is designed around isolated AWS services for app hosting, workers, queues, artifacts, secrets, scanning, web protection, and security posture.

Main web app and API

ECS Fargate

App Runner for a simpler managed path, EKS if Kubernetes is already standard

Run the Next.js app and API routes as a containerized service in private subnets behind CloudFront, WAF, and an ALB origin-header gate.

Agent execution workers

ECS Fargate isolated worker pools

EKS node groups with strict namespace and network policies

Separate execution workers from the web tier, use per-job isolation, restricted IAM roles, no raw secret output, and private subnets.

PostgreSQL database

Aurora PostgreSQL

RDS PostgreSQL for simpler initial operations

Use private subnets, automated backups, point-in-time restore, RDS Proxy when connection pooling is needed, and Secrets Manager rotation.

Scan and red-team queues

SQS

Create separate queues for scan jobs, red-team jobs, test runs, execution jobs, and usage events with DLQs per workload.

Reports, logs, and artifacts

S3

Store scan reports, red-team artifacts, execution logs, test outputs, invoices, and support attachments with KMS encryption and lifecycle retention.

Backups and disaster recovery

Aurora automated backups plus AWS Backup

Protect database and report artifacts with scheduled backups, restore drills, and staging verification before major releases.

Secrets

AWS Secrets Manager

Store database, Stripe, GitHub App, scan provider, and MCP gateway credentials with scoped IAM access per service.

Image and repository scanning

ECR plus Amazon Inspector

Push runtime and worker images to ECR, enable enhanced scanning, and block promotion on critical findings.

Web protection

CloudFront plus AWS WAF

Place Cloudflare DNS in front of CloudFront, use WAF managed rules, rate controls, bot controls, and signed origin access where practical.

Security posture

Security Hub, GuardDuty, Inspector

Aggregate AWS findings, runtime risk, image scanning, threat detection, and compliance posture into the admin/security workflow.

Payments

Stripe Billing plus Stripe Connect

Keep checkout, subscriptions, usage billing, seller onboarding, application fees, and payouts in Stripe rather than AWS-native billing.

Domain and DNS

Cloudflare DNS

AWS origins behind CloudFront

Keep DNS and edge controls in Cloudflare while routing application traffic to AWS CloudFront and private AWS origins.

Migration phases

1Containerize the Next.js app and deploy it to ECS Fargate or App Runner.
2Move PostgreSQL from Supabase development mode to RDS PostgreSQL or Aurora PostgreSQL.
3Add SQS queues for scans, red-team jobs, test runs, execution jobs, and usage metering.
4Store reports, logs, and artifacts in encrypted S3 buckets with lifecycle policies.
5Move all production credentials into AWS Secrets Manager with least-privilege IAM.
6Push worker and runtime images through ECR with Inspector enhanced scanning gates.
7Put CloudFront and AWS WAF in front of AWS origins while keeping Cloudflare DNS.
8Enable Security Hub, GuardDuty, and Inspector as the security posture baseline.
9Move ECS web and worker tasks plus PostgreSQL into private subnets with NAT or VPC endpoints.
10Validate CloudFormation, dry-run Prisma migrations, smoke test staging, and drill database/S3 restores.