Installation Guide

Get Contexa AI Native Zero Trust Platform running in your Spring project. Choose between automatic CLI setup or manual configuration.

Quick Install (Recommended)

Install the Contexa CLI and set up everything automatically with a single command.

Step 1 - Install CLI

Shell (Linux / macOS)
curl -fsSL https://install.ctxa.ai | sh

If you encounter Permission Denied — If the script fails due to write permission issues on system-wide directories (e.g., /usr/local/bin), elevate privileges by using sudo sh instead:

curl -fsSL https://install.ctxa.ai | sudo sh

PowerShell (Windows)
irm https://install.ctxa.ai/install.ps1 | iex

Windows users — Requires PowerShell 5.1 or later. The script automatically verifies the SHA-256 checksum, installs contexa.exe to %LOCALAPPDATA%\Programs\Contexa, and prints a PATH hint. If you use Git Bash or WSL, the Linux/macOS command above also works.

Alternatively, download contexa-win-x64.exe directly from the contexa-security/contexa-cli releases page and place it on your PATH.

Step 2 - Initialize your project

Before running the full setup, you can test if your environment meets all requirements by executing the pre-flight check:

Shell
contexa init --check

Once checks pass successfully, proceed with the interactive project setup:

Shell
cd your-spring-project
contexa init

Upon starting, a Pre-installation diagnostic runs automatically. If any Docker daemon issues or Java version conflicts are detected, helpful instructions are displayed. You can also manually invoke contexa doctor to run a complete diagnostic scan.

The CLI will guide you through an interactive setup:

  • Project type - New project (FULL) or legacy system (SANDBOX)
  • AI security mode - Monitor only or block threats immediately
  • AI / LLM Model - Ollama (local), OpenAI, or Anthropic
  • Infrastructure - Standard (PostgreSQL + Ollama, single-server in-memory) by default. PoC / enterprise demo with Redis + Kafka can be enabled via contexa init --distributed

The CLI automatically:

  • Adds spring-boot-starter-contexa dependency to your build file
  • Configures application.yml with the correct settings
  • Generates docker-compose.yml for infrastructure
  • Starts Docker containers and pulls AI models

Step 3 - Add annotations

Java
@EnableAISecurity
@SpringBootApplication
public class MyApplication {
    public static void main(String[] args) {
        SpringApplication.run(MyApplication.class, args);
    }
}

// Protect any endpoint with AI Zero Trust
@Protectable
@GetMapping("/api/customers")
public List<Customer> getCustomers() { ... }

Step 4 - Start your application

Shell
./gradlew bootRun

That's it. Contexa is now active in your application. Request-time enforcement and asynchronous analysis work together around @Protectable endpoints.

Legacy System Integration (SANDBOX Mode)

If your project already has its own authentication system, use SANDBOX mode. Contexa adds AI security on top of your existing login — without modifying it.

Java
@EnableAISecurity(
    mode = SecurityMode.SANDBOX,
    authObjectLocation = AuthObjectLocation.SESSION,
    authObjectAttribute = "loginUser"  // your legacy session attribute name
)
@SpringBootApplication
public class LegacyApplication { }

Zero side effects —SANDBOX mode does not interfere with your existing security. Your login pages, session management, and access control remain untouched. Contexa only activates on @Protectable endpoints.

Contexa CLI Command Reference

Detailed overview of the primary commands provided by the Contexa CLI. You can execute them in your terminal via contexa <command> [options].

Command Description Key Options
init Initializes Contexa security starter, configures DB settings, and starts Docker infrastructure. --yes: Skip prompts, install automatically with defaults
--force: Force reinitialization overwriting existing configs
--distributed: Install distributed PoC demo stack (Postgres + Redis + Kafka)
--simulate: Run isolated simulation containers on shifted ports (+20000)
reset Completely rolls back Contexa configurations, dependencies, and stops Docker container stacks to their pre-installation state. --dir <path>: Target project directory (defaults to current dir)
-s, --simulate: Reset the entire simulation environment (project simulation configs/dependencies and ctxa-sim containers/volumes)
-i, --infra: Reset only project-specific Docker infrastructure (excludes code)
-c, --code: Reset only project source code configurations/dependencies (excludes infra)
-a, --all: Forcefully reset all components (code configs, project infrastructure, and simulation stack)
simulate Manages the lifecycle of the isolated simulation container stack (ctxa-sim-*) (subcommands: up, down, reset, logs, ps). up: Start simulation containers
down: Stop simulation containers
reset: Reset simulation database volumes (restarts as a clean, empty database)
logs: View container logs
ps: Check container running status
mode Dynamically switches the Zero Trust enforcement mode between SHADOW and ENFORCE. --enforce, -e: Block threats in real-time immediately
--shadow, -s: Monitor and log threat events without blocking
doctor Runs environment diagnostics (Java, Docker status, network connectivity) and outputs troubleshooting tips. N/A
status Displays the status of running containers, database connections, and active LLM models. N/A
scan Scans project source files for proper integration of @EnableAISecurity and dependencies. N/A

Prerequisites

Required for both CLI and manual installation:

Requirement Version Purpose
Java 17+ Runtime (configured via Gradle toolchain)
Spring Boot 3.x Application framework (4.x is NOT supported)
Docker Latest Infrastructure services (PostgreSQL, Ollama)

Distributed deployment (PoC / enterprise demo) — Run contexa init --distributed to provision PostgreSQL + Ollama plus Redis, Kafka and Zookeeper containers, set contexa.infrastructure.mode: DISTRIBUTED, and add the spring-kafka + redisson dependencies automatically. For production, use Kubernetes + Helm.

Manual Installation

If you prefer not to use the CLI, follow these steps manually.

1. Add Dependency

Gradle (Groovy)
dependencies {
    implementation 'ai.ctxa:spring-boot-starter-contexa:0.1.0'
}
Maven
<dependency>
    <groupId>ai.ctxa</groupId>
    <artifactId>spring-boot-starter-contexa</artifactId>
    <version>0.1.0</version>
</dependency>

2. Start Infrastructure

Shell
# Standard mode (PostgreSQL + Ollama)
docker compose up -d

# Pull AI models
docker exec contexa-ollama ollama pull qwen2.5:14b
docker exec contexa-ollama ollama pull mxbai-embed-large

# Distributed mode for PoC/enterprise demo (PostgreSQL + Ollama + Redis + Kafka)
# Run `contexa init --distributed` so docker-compose.yml includes Redis & Kafka.
docker compose up -d

3. Infrastructure Services

Service Image Port Mode
PostgreSQL pgvector/pgvector:pg16 5432 Standard
Ollama ollama/ollama:latest 11434 Standard
Redis redis:7.2-alpine 6379 Distributed
Kafka cp-kafka:7.4.0 9092 Distributed

Troubleshooting

Using Diagnostic Tools — If you encounter any issues during setup or execution, run contexa doctor in your terminal to check your environment. For a catalog of common errors and OS-specific fixes, visit the dedicated Troubleshooting Guide.

@EnableAISecurity startup error guide

If you went through the manual install (added only spring-boot-starter-contexa and declared @EnableAISecurity), you may hit the following three errors in sequence at startup. The only dependency contexa-cli auto-injects is spring-boot-starter-contexa; the rest must be added by you. Each error below shows the exact message, root cause, and fix.

Error 1 — contexa.datasource.url must be configured for @EnableAISecurity

Full message: java.lang.IllegalStateException: contexa.datasource.url must be configured for @EnableAISecurity. Use a dedicated Contexa database by default; sharing the application database requires explicit POC approval.

Root cause — Contexa stores security policy, sessions and the vector index in a dedicated PostgreSQL instance, isolated from your application database. When @EnableAISecurity is on, contexa.datasource.url must be set or ContexaDataSourceIsolation fails fast.

Fix — add a Contexa-owned datasource block to your application.yml:

application.yml
contexa:
  datasource:
    url: jdbc:postgresql://localhost:5432/contexa
    username: ${CONTEXA_DB_USERNAME:contexa}
    password: ${CONTEXA_DB_PASSWORD:contexa1234!@#}
    driver-class-name: org.postgresql.Driver
    isolation:
      contexa-owned-application: true

You may share the application's PostgreSQL instance via a separate schema if your operations team explicitly approves it. The default is a separate database (recommended).

Error 2 — No Spring AI ChatModel is configured for CONTEXA

Full message: No Spring AI ChatModel is configured for CONTEXA. Add at least one Spring AI chat provider starter to your application dependencies (for example org.springframework.ai:spring-ai-starter-model-openai, org.springframework.ai:spring-ai-starter-model-anthropic, or org.springframework.ai:spring-ai-starter-model-ollama), then configure the matching provider under spring.ai.*

Root cause — Contexa's tiered LLM auto-configuration (CoreLLMTieredAutoConfiguration) requires a ChatModel bean, but no Spring AI provider starter is on the classpath. spring-boot-starter-contexa intentionally does not pull a ChatModel starter as a transitive dependency — the choice of provider (Ollama / OpenAI / Anthropic) is yours.

Fix — add at least one provider starter to your build and configure the matching contexa.llm.* block (Contexa bypasses Spring AI's default autoconfiguration and manages model creation via its dedicated contexa.llm namespace):

build.gradle (Ollama example)
dependencies {
    implementation 'ai.ctxa:spring-boot-starter-contexa:0.1.0'
    // Add only when you declare @EnableAISecurity (one provider or more)
    implementation 'org.springframework.ai:spring-ai-starter-model-ollama'
}
application.yml (Ollama example)
contexa:
  llm:
    selection:
      chat:
        mode: dynamic-priority
        priority: ollama,openai,anthropic
    chat:
      ollama:
        baseUrl: ${CONTEXA_CHAT_OLLAMA_BASE_URL:http://127.0.0.1:11434}
        model: ${CONTEXA_CHAT_OLLAMA_MODEL:qwen2.5:7b}
        keepAlive: ${CONTEXA_OLLAMA_CHAT_KEEP_ALIVE:30m}
    embedding:
      ollama:
        dedicatedRuntimeEnabled: false
        model: ${CONTEXA_EMBEDDING_OLLAMA_MODEL:mxbai-embed-large}
        dimensions: ${CONTEXA_EMBEDDING_OLLAMA_DIMENSIONS:1024}

For OpenAI or Anthropic, swap in spring-ai-starter-model-openai / spring-ai-starter-model-anthropic and set the API key under contexa.llm.openai.* / contexa.llm.anthropic.*.

Error 3 — rag-vector capability unresolved / SecurityDecisionPostProcessor not created

Full message (excerpt): [ContexaCapability] rag-vector ... Resolve rag-vector first; SecurityDecisionPostProcessor is created only after UnifiedVectorService is available.

Root cause — the @EnableAISecurity decision post-processor (SecurityDecisionPostProcessor) depends on UnifiedVectorService, which in turn requires a Spring AI VectorStore bean. Without the pgvector vector-store starter on the classpath, the rag-vector capability stays unresolved and the downstream bean tree never wires up.

Fix — add the pgvector vector-store starter and configure contexa.vectorstore.pgvector.*. Use the pgvector/pgvector:pg16 Docker image so the vector extension is enabled out of the box.

build.gradle
dependencies {
    implementation 'org.springframework.ai:spring-ai-starter-vector-store-pgvector'
}
application.yml
contexa:
  vectorstore:
    pgvector:
      dimensions: 1024
      initialize-schema: true

Why doesn't contexa-cli auto-add spring-ai-*? — Auto-injecting Spring AI provider and vector-store starters into every customer would break customers who depend on spring-boot-starter-contexa without declaring @EnableAISecurity: PgVectorStore and ChatModel beans would try to instantiate against missing infrastructure and fail startup. Contexa's contract is "one line (spring-boot-starter-contexa) only, the rest is yours". contexa init's next.steps section prints the exact dependency lines you need to add by hand.

Infrastructure issues

Container name conflict — The container name "/contexa-postgres" is already in use

Full message (excerpt): Error response from daemon: Conflict. The container name "/contexa-postgres" is already in use by container "<hash>". You have to remove (or rename) that container to be able to reuse that name.

Followed by contexa-cli: × Docker start failed. Run manually: docker compose up -d

Root cause — a container with the same name (contexa-postgres, contexa-ollama, ...) already exists on the host. The Docker daemon does not allow two containers to share a name. Two common cases:

  • A previous contexa init run left those containers up — safe to reuse as-is.
  • Another project occupies the same name — clean it up, or switch to the isolated simulate mode.

Option 1 — keep the existing containers (recommended, preserves data)

Shell
# 1) confirm the containers are running
docker ps --filter "name=contexa-" --format "table {{.Names}}\t{{.Status}}"

# 2) leave them up and just start the app
./gradlew bootRun

Option 2 — remove and recreate (DATA LOSS WARNING)

Shell
# Stop + remove (volumes are preserved)
docker rm -f contexa-postgres contexa-ollama
# Distributed mode also needs:
docker rm -f contexa-redis contexa-zookeeper contexa-kafka

# Recreate
contexa init --distributed

Option 3 — switch to the isolated simulation mode (protects production containers)

Shell
contexa init --simulate

--simulate namespaces the containers under the ctxa-sim- prefix and shifts ports by +20000, so the simulation stack runs side-by-side with production without colliding.

Problem Solution
PostgreSQL connection refused Check Docker is running: docker ps. Verify port 5432 is not in use.
Ollama connection refused Check container: docker logs contexa-ollama. Verify port 11434.
AI model not found Pull models: docker exec contexa-ollama ollama pull qwen2.5:14b and ... pull mxbai-embed-large
vector extension missing (PostgreSQL) Use the pgvector/pgvector:pg16 image, or on an existing DB run CREATE EXTENSION IF NOT EXISTS vector; once.
Port conflicts Default ports: PostgreSQL 5432, Ollama 11434, Redis 6379, Kafka 9092
contexa init —arrow keys not working Windows: use winpty contexa init in Git Bash, or run in Windows Terminal

Need more help? —Check the Configuration Reference or visit GitHub Discussions.