Prerequisites
Overview
Everything you need to have in place before installing Co-Scientist. Complete these requirements, then proceed to the Bedrock Setup Guide to configure your AWS account.
Co-Scientist requires Seqera Platform Enterprise 25.3.6 or later. It is currently only available on AWS.
Co-Scientist enables users to interact with Seqera Platform through a conversational AI interface, available through both the web (portal) and the CLI. The following components are deployed in sequence:
| Order | Component | Purpose |
|---|---|---|
| 1 | MCP server | Model Context Protocol server providing Platform-aware tools (workflows, datasets, compute environments). Deploy first — the agent backend connects to it at startup. |
| 2 | MySQL database | Dedicated database for session state and conversation history. |
| 3 | Redis | Caching and session management layer for the agent backend. |
| 4 | Agent backend | FastAPI service that orchestrates AI interactions between the CLI/web, Bedrock, and MCP. |
| 5 | Portal web interface | Browser-based interface for Co-Scientist. |
Platform
- Co-Scientist is in Early Access for Platform Enterprise and may require an Enterprise version upgrade. Contact Seqera support for more information.
- OIDC configured in Platform for authentication.
AWS account
Co-Scientist uses Claude models via Amazon Bedrock. You need an AWS account with Bedrock available in your chosen region.
Models
The following Bedrock model access must be enabled in your account:
| Role | Model ID | Used for |
|---|---|---|
| Primary | anthropic.claude-sonnet-4-6 | General AI interactions |
| Fast | anthropic.claude-haiku-4-5-20251001-v1:0 | Quick tasks (search, summaries) |
| Deep | anthropic.claude-opus-4-6-v1 | Complex planning tasks |
Database
- MySQL 8.0+ for Co-Scientist session state and conversation history.
- A dedicated schema, separate from the Seqera Platform schema.
- A dedicated database host is recommended. Co-locating the Co-Scientist schema on the Platform's MySQL host is technically supported, but a separate host isolates resource usage, maintenance windows, and backups across Seqera products.
- You will need the hostname, database name, username, and password ready for Helm configuration.
Redis
- Redis 7.2+ or Valkey 7.2+ for caching, session state, and the automations task queue.
- Redis 8.x is supported (the search/JSON/bloom modules moved into core in Redis 8.0).
- Valkey 7.2+ and 8.x are supported for the default caching and task-queue workload. If you enable the optional Redis-backed knowledge index (off by default), Redis Stack 7.x or Redis 8+ is required — Valkey does not ship the
RediSearchmodule.
- Accessible from your cluster.
- You will need the hostname and port ready for Helm configuration.
Networking and DNS
Three domains are required, each serving a different component:
| Component | Example domain | Purpose |
|---|---|---|
| Agent backend | ai-api.platform.example.com | API endpoint for the CLI and portal |
| MCP server | mcp.platform.example.com | Model Context Protocol server |
| Portal web interface | ai.platform.example.com | Browser-based UI |
- TLS certificates for all three domains.
- Ingress controller configured in your cluster.
Encryption key
Generate a Fernet encryption key for encrypting sensitive tokens at rest:
# using uv Python package manager (installed if not available)
uv --version >/dev/null 2>&1 || curl -LsSf https://astral.sh/uv/install.sh | sh
uv run --with cryptography python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# using Python directly, cryptography dependency module must be installed in environment
python3 -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
Store this as a Kubernetes secret. It will be referenced as AGENT_BACKEND_TOKEN_ENCRYPTION_KEY in the Helm values (this is the default key the agent-backend chart reads from tokenEncryptionKeyExistingSecretName).
Kubernetes secrets
Store the following values as Kubernetes secrets before installing the chart. Do not inline them in values.yaml.
| Secret | Contains | Used by |
|---|---|---|
| Database password | AGENT_BACKEND_DB_PASSWORD | Agent backend |
| Redis password (if applicable) | AGENT_BACKEND_REDIS_PASSWORD | Agent backend |
| Token encryption key | AGENT_BACKEND_TOKEN_ENCRYPTION_KEY | Agent backend |
| Anthropic API key | ANTHROPIC_API_KEY (direct Anthropic path only) | Agent backend |
| MCP JWT seed | MCP_OAUTH_JWT_SECRET 32+ char random string, openssl rand -base64 32 | MCP server |
| MCP initial access token | MCP_OAUTH_INITIAL_ACCESS_TOKEN (standalone MCP deploys only) | MCP server |
When MCP is deployed as a subchart of the Platform parent chart, the initial access token is wired automatically from the Platform backend secret - you do not need to create it separately. When deploying MCP standalone, copy the value out of the Platform backend secret (typically named <platform-release>-backend, e.g. platform-backend, under the data key OIDC_CLIENT_REGISTRATION_TOKEN) into a new secret and reference it via oidcToken.existingSecretName. The MCP container loads this value as MCP_OAUTH_INITIAL_ACCESS_TOKEN at runtime.
Bedrock authentication uses AWS IAM credentials and no API key secret is needed for the Bedrock path. On EKS, EKS Pod Identity is the recommended approach but IRSA or static AWS credentials on the pod are also supported.
Local tooling
Container images
Co-Scientist container images are hosted at cr.seqera.io. The exact repository paths are defined by each component's Helm chart. See the chart READMEs for the authoritative image.registry / image.repository defaults and for vendoring guidance:
| Image | Chart |
|---|---|
| Agent backend | agent-backend chart |
| MCP server | mcp chart |
| Portal web interface | portal-web chart |
Ensure your cluster can pull from cr.seqera.io, or if your cluster runs in a restricted network, mirror these images to your own registry.