Deploy Center — Magic Runtime

Current Release

Magic Runtime v3.1.0 is the current production release. All packages are signed with our GPG key and include SHA256 checksums for verification. Packages contain Docker Compose files, configuration, and scripts; container images are pulled on first docker compose up.

Production Stack

Complete stack: Nginx + Runtime + PostgreSQL + Redis + Prometheus

SHA256: b6e7400e0f81715072fb8480682efc5ab7cabaf4313da87210078fad5a4191a6

Download

Hardened Stack

Production + security hardening, ops runbooks, compliance templates, dev tools

SHA256: 23cb0ccb647fe55a9657e5d10355cd36e9dac312528992cac792d6c4b8be1934

Download

All Packages

Choose the deployment package that fits your infrastructure. All packages include Docker Compose configuration and documentation. Container images (~500 MB total) are pulled automatically on first deploy.

Minimal

Runtime Core

Just the controller runtime. Bring your own Nginx, Postgres, Redis.

Planned for v2.1 Planned

Recommended

Production Stack

Complete stack with Nginx, Postgres, Redis, Prometheus.

v3.1.0 · 55 KB Download

Enterprise

Hardened Stack

Production + security hardening, ops runbooks, compliance templates, dev tools.

v3.1.0 · 47 KB Download

Looking for v1.0.0? Download legacy release

Verification

Every release is GPG-signed and includes SHA256 checksums. We recommend verifying all downloads before deployment.

Quick Verify (SHA256)

# SHA256SUMS covers ALL artifacts (Production Stack + Hardened Stack)
wget https://magic.threadsync.io/deploy/SHA256SUMS

# Verify whichever package you downloaded
sha256sum -c SHA256SUMS --ignore-missing

Signed Checksums (Recommended)

# Step 1: Import ThreadSync public key (one-time)
wget https://magic.threadsync.io/deploy/threadsync-releases.asc
gpg --import threadsync-releases.asc

# Step 2: Verify the signed checksums file
wget https://magic.threadsync.io/deploy/SHA256SUMS.sig
gpg --verify SHA256SUMS.sig SHA256SUMS
# Expected: "Good signature from "ThreadSync Releases <releases@threadsync.io>"

# Step 3: Verify your downloaded artifact against the signed checksums
sha256sum -c SHA256SUMS --ignore-missing

This is the recommended path. SHA256SUMS.sig covers all artifacts in a single signature.

Per-Artifact GPG Signatures

# Every artifact also ships with its own .asc detached signature.
# Production Stack:
gpg --verify magic-runtime-2.0.0-production.tar.gz.asc magic-runtime-2.0.0-production.tar.gz

# Hardened Stack:
gpg --verify magic-runtime-2.0.0-complete.tar.gz.asc magic-runtime-2.0.0-complete.tar.gz

# Key fingerprint: 9386 38C7 62E1 3E60 324E 8EFF 92A0 0A9E F162 D394

Release Signing Key

Algorithm	RSA-4096
Key ID	`F162D394`
Fingerprint	`9386 38C7 62E1 3E60 324E 8EFF 92A0 0A9E F162 D394`
UID	ThreadSync Releases <releases@threadsync.io>
Expires	2028-02-11
Public Key	threadsync-releases.asc

manifest.json SBOM (CycloneDX) SHA256SUMS SHA256SUMS.sig

Quick Deploy

Get Magic Runtime running with Docker Compose in five steps.

Download Package

Get the v3.1.0 Production Stack

wget https://magic.threadsync.io/deploy/magic-runtime-2.0.0-production.tar.gz

Verify & Extract

Verify checksum and unpack

sha256sum magic-runtime-2.0.0-production.tar.gz
# Verify: b6e7400e0f81715072fb8480682efc5ab7cabaf4313da87210078fad5a4191a6
tar -xzf magic-runtime-2.0.0-production.tar.gz && cd magic-runtime

Configure

Set environment variables

cp .env.example .env
# Edit .env with your values

Start Services

Launch the complete stack

docker compose up -d

Initialize Database

Run migrations

./scripts/init_db.sh

Documentation

Guides and references to help you deploy, configure, and operate Magic Runtime.

Quick Start Get running in 5 minutes with Docker

User Guide Complete reference for contracts and operations

Security Model Threat model, sandbox design, hardening checklist

Contract Specification Full schema reference for controller contracts

Ops Runbook Operational procedures for production

Kubernetes Helm charts and K8s deployment guide

Requirements

Ensure your environment meets these requirements before deploying.

Docker 20.10+ and Docker Compose 2.0+ Container runtime and orchestration
Linux server with 4GB+ RAM (8GB recommended) Ubuntu 20.04+, Debian 11+, or RHEL 8+
Ports 80 and 8000 available HTTP ingress and runtime API
10GB+ free disk space Container images, logs, and PostgreSQL data

Hardened Deployment Kit

Enterprise customers can request the full hardened deployment kit with security documentation, compliance templates, and architecture review.

Request Hardened Deployment Kit

Includes deployment hardening guides, compliance templates, and architecture documentation under NDA.

Security Hardening Guide Production hardening checklist & procedures

Compliance Templates SOC 2 control mapping & evidence package

Architecture Diagram Network topology & data flow

Incident Response Plan IR procedures & escalation matrix

Supply Chain Transparency

Magic Runtime provides machine-readable supply chain metadata for automated security tooling and compliance workflows.

Release Manifest

Machine-readable JSON with artifact filenames, sizes, SHA256 digests, signature URLs, and signing key metadata.

SBOM (CycloneDX 1.5)

Software Bill of Materials listing all container images, frameworks, and dependencies in the production stack.

Gateway Activation

LLM Gateway activates in two stages: first inside Magic Runtime (embedded mode), then optionally as a public direct endpoint.

Embedded Mode

Set LLM_GATEWAY_URL and LLM_GATEWAY_API_KEY in your .env, restart magic-api.

Verify: GET /api/v1/llm/health

Direct Public Mode (optional)

Set LLM_GATEWAY_DIRECT_MODE_PUBLIC=true after verifying DNS, TLS, and edge routing for the standalone hostname.

Verify: curl https://llmgateway.threadsync.io/health