Setup
Setup is now split into mode-focused guides:
Desktop Setup — Tkinter/desktop installation and launch
Web Setup — non-Tk web install, server startup, host/port, load balancer, and browser access-key login flow
MCP Container Instance Setup — build/push MCP image to OCIR and deploy to OCI Container Instances with instance principal
If you are not sure which to choose:
Use Desktop Setup for single-user exploratory work on a local machine.
Use Web Setup for team/server-hosted browser workflows.
Use MCP Container Instance Setup for standalone MCP in OCI using OCIR + private subnet container runtime.
For a high-level capability comparison by startup mode, see Overview.
Permissions Required and Authentication
All modes use the same OCI IAM permissions and auth choices:
Named OCI profile
Instance principal
Session token
Resource principal for OCI Container Instance deployments
Required baseline policies:
allow group <your_group> to {POLICY_READ, COMPARTMENT_INSPECT, DOMAIN_INSPECT, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, USER_INSPECT, LIMITS_VIEW_INSPECT} in tenancy
allow group <your_group> to use generative-ai-family in tenancy
For dynamic-group/instance-principal usage, grant equivalent policies to the dynamic group.
allow dynamic-group <your_group> to {POLICY_READ, COMPARTMENT_INSPECT, DOMAIN_INSPECT, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, USER_INSPECT, LIMITS_VIEW_INSPECT} in tenancy
allow dynamic-group <your_group> to use generative-ai-family in tenancy
For resource principal usage with a container instance, grant as follows:
allow any-user to {POLICY_READ, COMPARTMENT_INSPECT, DOMAIN_INSPECT, DYNAMIC_GROUP_INSPECT, GROUP_INSPECT, USER_INSPECT, LIMITS_VIEW_INSPECT} in tenancy where all { request.principal.type = 'containerinstance', request.principal.id = '<ocid of container instance>' }
Server-first pip installs (no git clone)
If you are starting on a non-desktop server and want quick copy/paste commands, use one of the install profiles below.
python3 -m venv .venv
source .venv/bin/activate
python -m pip install --upgrade pip
CLI only (minimal)
pip install oci-policy-analysis
oci-policy-analysis-cli --help
MCP mode
pip install "oci-policy-analysis[mcp]"
oci-policy-analysis-mcp --help
Web mode
pip install "oci-policy-analysis[web]"
oci-policy-analysis-web --host 0.0.0.0 --port 8000
On startup, the web server logs a runtime access key. Use that key in the browser login modal to unlock pages for the current server session.
All optional extras
pip install "oci-policy-analysis[all]"
Pin a specific version
pip install "oci-policy-analysis[all]==5.1.1"
See available versions on PyPI
pip index versions oci-policy-analysis