@aifabrix/builder 2.33.1 → 2.33.3

package/templates/applications/dataplane/rbac.yaml

@@ -0,0 +1,283 @@
+# AI Fabrix Dataplane - RBAC Configuration
+# Roles and permissions for this application
+#
+# Note: Environment access is managed by MisoClient, not by per-environment roles.
+# MisoClient validates environment access automatically based on user/application permissions.
+
+roles:
+  - name: "AI Fabrix Platform Admin"
+    value: "aifabrix-platform-admin"
+    description: "Full platform infrastructure management and enterprise controller access"
+    groups: ["AI-Fabrix-Platform-Admins"]
+
+  - name: "AI Fabrix Security Admin"
+    value: "aifabrix-security-admin"
+    description: "Security and compliance management for enterprise controller"
+    groups: ["AI-Fabrix-Security-Admins"]
+
+  - name: "AI Fabrix Deployment Admin"
+    value: "aifabrix-deployment-admin"
+    description: "Application deployment orchestration and environment management"
+    groups: ["AI-Fabrix-Deployment-Admins"]
+
+  - name: "AI Fabrix Compliance Admin"
+    value: "aifabrix-compliance-admin"
+    description: "ISO 27001 compliance monitoring and audit management"
+    groups: ["AI-Fabrix-Compliance-Admins"]
+
+  - name: "AI Fabrix Developer"
+    value: "aifabrix-developer"
+    description: "Developer access to deploy applications via GitHub Actions"
+    groups: ["AI-Fabrix-Developers"]
+
+  - name: "AI Fabrix Observer"
+    value: "aifabrix-observer"
+    description: "Read-only access to monitoring, logs, and compliance reports"
+    groups: ["AI-Fabrix-Observers"]
+
+permissions:
+  # Credential management
+  - name: "credential:create"
+    roles: ["aifabrix-platform-admin"]
+    description: "Create credentials"
+  
+  - name: "credential:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-compliance-admin", "aifabrix-observer"]
+    description: "Read credentials"
+  
+  - name: "credential:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin"]
+    description: "Update credentials"
+  
+  - name: "credential:delete"
+    roles: ["aifabrix-platform-admin"]
+    description: "Delete credentials"
+  
+  # External data source management
+  - name: "external-data-source:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create external data sources"
+  
+  - name: "external-data-source:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read external data sources"
+  
+  - name: "external-data-source:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update external data sources"
+  
+  - name: "external-data-source:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete external data sources"
+  
+  - name: "external-data-source:sync"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Sync external data sources"
+  
+  # External system management
+  - name: "external-system:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create external systems"
+  
+  - name: "external-system:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read external systems"
+  
+  - name: "external-system:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update external systems"
+  
+  - name: "external-system:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete external systems"
+  
+  # Document storage management
+  - name: "document-storage:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create document storage"
+  
+  - name: "document-storage:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read document storage"
+  
+  - name: "document-storage:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update document storage"
+  
+  - name: "document-storage:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete document storage"
+  
+  - name: "document-storage:process"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Process documents"
+  
+  # Integration template management
+  - name: "integration-template:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create integration templates"
+  
+  - name: "integration-template:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read integration templates"
+  
+  - name: "integration-template:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Update integration templates"
+  
+  - name: "integration-template:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete integration templates"
+  
+  # Generic dataplane operations
+  - name: "dataplane:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read dataplane data"
+  
+  - name: "dataplane:write"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Write dataplane data"
+  
+  - name: "dataplane:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete dataplane data"
+  
+  - name: "dataplane:process"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Process dataplane operations"
+  
+  # External data source publishing
+  - name: "external-data-source:publish"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Publish external data sources"
+  
+  # External system publishing
+  - name: "external-system:publish"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Publish external systems"
+  
+  # Document record management
+  - name: "document-record:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create document records"
+  
+  - name: "document-record:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read document records"
+  
+  - name: "document-record:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update document records"
+  
+  - name: "document-record:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete document records"
+  
+  - name: "document-record:write"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Write document records"
+  
+  - name: "document-record:validate"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Validate document records"
+  
+  - name: "document-record:approve"
+    roles: ["aifabrix-platform-admin", "aifabrix-compliance-admin"]
+    description: "Approve document records"
+  
+  # External record management
+  - name: "external-record:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create external records"
+  
+  - name: "external-record:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read external records"
+  
+  - name: "external-record:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update external records"
+  
+  - name: "external-record:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete external records"
+  
+  # External data access grant management
+  - name: "external-data-access-grant:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create external data access grants"
+  
+  - name: "external-data-access-grant:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read external data access grants"
+  
+  - name: "external-data-access-grant:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update external data access grants"
+  
+  - name: "external-data-access-grant:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete external data access grants"
+  
+  # User and group management
+  - name: "user:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-compliance-admin", "aifabrix-observer"]
+    description: "Read user information"
+  
+  - name: "group:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-compliance-admin", "aifabrix-observer"]
+    description: "Read group information"
+  
+  # OpenAPI file management
+  - name: "openapi-file:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read OpenAPI files"
+  
+  - name: "openapi-file:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update OpenAPI files"
+  
+  - name: "openapi-file:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete OpenAPI files"
+  
+  # External data source write operations
+  - name: "external-data-source:write"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Write external data source data"
+  
+  # Record relation management
+  - name: "record-relation:create"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Create record relations"
+  
+  - name: "record-relation:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Read record relations"
+  
+  - name: "record-relation:delete"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Delete record relations"
+  
+  # Audit operations
+  - name: "audit:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-compliance-admin", "aifabrix-observer"]
+    description: "Read audit logs and execution history"
+  
+  # Search operations
+  - name: "document:search"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Search documents"
+  
+  - name: "record:search"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]
+    description: "Search records"
+  
+  # IDE simulation operations
+  - name: "dataplane:abac-simulate"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-developer"]
+    description: "Simulate ABAC policy evaluation in IDE"
+  
+  - name: "dataplane:rbac-simulate"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-developer"]
+    description: "Simulate RBAC policy evaluation in IDE"

package/templates/applications/dataplane/variables.yaml

@@ -0,0 +1,143 @@
+# Application Metadata
+app:
+  key: dataplane
+  displayName: "AI Fabrix Dataplane"
+  description: "Python microservice for AI processing and bulk operations. Handles document processing, external data management, and Flowise integration with MisoClient SDK authentication."
+  type: webapp
+  language: python  # Explicitly specify Python language
+
+# Image Configuration
+# Set tag to match your build (e.g. aifabrix build dataplane -t v1.0.0 then tag: v1.0.0)
+# Registry is required so the controller can pull the image (avoids "docker: not found" on the controller host).
+image:
+  name: aifabrix/dataplane
+  tag: latest
+  registry: devflowiseacr.azurecr.io
+  registryMode: acr
+
+# Port Configuration
+port: 3001
+
+# Azure Requirements
+requires:
+  database: true
+  databases:
+    - name: dataplane          # Main database - configuration only
+    - name: dataplane-vector   # Vector and document store: chunks, embeddings, vector indexes (pgvector)
+    - name: dataplane-logs     # Logs database - execution, audit, ABAC traces
+    - name: dataplane-records  # Records database - external records storage
+  redis: true
+  storage: true
+
+# Health Check
+healthCheck:
+  path: /health
+  interval: 30
+  probePath: /health
+  probeRequestType: GET
+  probeProtocol: Https
+  probeIntervalInSeconds: 120
+
+# Authentication
+authentication:
+  type: azure
+  enableSSO: true
+  requiredRoles: ["aifabrix-user"]
+  endpoints:
+    local: "https://dataplane.aifabrix.ai/auth/callback"
+
+# Build Configuration
+build:
+  context: ../..                # Relative to builder/dataplane/ config location (goes to app root)
+  dockerfile: builder/dataplane/Dockerfile
+  envOutputPath: ../../.env     # Copy to repo root for local dev
+  localPort: 3011               # Port for local development (different from Docker port)
+
+# =============================================================================
+# Portal Input Configuration (Deployment Wizard)
+# =============================================================================
+# Variables defined in env.template with sensible defaults.
+# portalInput allows admin to override before deployment.
+#
+# NOT included (auto-configured):
+# - Database URLs, Redis → auto-generated during Azure install
+# - MISO_*, KEYCLOAK_* → auto-generated during Azure install  
+# - AI params (OPENAI_*, AZURE_OPENAI_*) → from controller config
+# - ENVIRONMENT → set by deployment target
+
+configuration:
+  # -------------------------------------------------------------------------
+  # Operations & Debugging
+  # -------------------------------------------------------------------------
+  - name: LOG_LEVEL
+    portalInput:
+      field: select
+      label: "Log Level"
+      options:
+        - DEBUG
+        - INFO
+        - WARNING
+        - ERROR
+
+  - name: ABAC_AUDIT_DETAIL_LEVEL
+    portalInput:
+      field: select
+      label: "ABAC Audit Detail Level"
+      options:
+        - summary
+        - detailed
+
+  - name: RBAC_AUDIT_DETAIL_LEVEL
+    portalInput:
+      field: select
+      label: "RBAC Audit Detail Level"
+      options:
+        - summary
+        - detailed
+        - explain
+
+  # -------------------------------------------------------------------------
+  # CIP Execution - Resource Limits
+  # -------------------------------------------------------------------------
+  # Tune based on customer data volumes and external API characteristics
+
+  - name: CIP_EXECUTION_MAX_RECORDS
+    portalInput:
+      field: text
+      label: "Max Records per CIP Execution"
+      placeholder: "100000"
+
+  - name: CIP_EXECUTION_MAX_RESPONSE_SIZE_MB
+    portalInput:
+      field: text
+      label: "Max Response Size (MB)"
+      placeholder: "100.0"
+
+  - name: CIP_EXECUTION_OPERATION_TIMEOUT
+    portalInput:
+      field: text
+      label: "Operation Timeout (seconds)"
+      placeholder: "300.0"
+
+  - name: CIP_EXECUTION_HTTP_TIMEOUT
+    portalInput:
+      field: text
+      label: "HTTP Request Timeout (seconds)"
+      placeholder: "30.0"
+
+  # -------------------------------------------------------------------------
+  # CIP Execution - Rate Limiting
+  # -------------------------------------------------------------------------
+  # Tune to match external API rate limits
+
+  - name: CIP_EXECUTION_RATE_LIMIT_REQUESTS_PER_SECOND
+    portalInput:
+      field: text
+      label: "Rate Limit (requests/second)"
+      placeholder: "10.0"
+
+  - name: CIP_EXECUTION_RATE_LIMIT_BURST_SIZE
+    portalInput:
+      field: text
+      label: "Rate Limit Burst Size"
+      placeholder: "20"

package/templates/applications/keycloak/Dockerfile

@@ -34,4 +34,4 @@ EXPOSE 8080
 
 # Default Keycloak command (can be overridden in docker-compose.yaml)
 # Health checks are enabled via the build step above
-CMD ["start-dev"]
+CMD ["start-dev"]

package/templates/applications/keycloak/README.md

@@ -0,0 +1,193 @@
+# Keycloak Builder
+
+Build, run, and deploy Keycloak using `@aifabrix/builder`.
+
+---
+
+## Quick Start
+
+### 1. Install
+
+```bash
+pnpm install -g @aifabrix/builder
+```
+
+### 2. First Time Setup
+
+```bash
+# Check your environment
+aifabrix doctor
+
+# Login to controller
+aifabrix login --method device --environment dev --controller http://localhost:3100 --offline
+
+# Register your application (gets you credentials automatically)
+aifabrix app register keycloak --environment dev
+```
+
+### 3. Build & Run Locally
+
+```bash
+# Build the Docker image
+aifabrix build keycloak
+
+# Generate environment variables
+aifabrix resolve keycloak
+
+# Run locally
+aifabrix run keycloak
+```
+
+**Access your app:** <http://dev.aifabrix:8082>
+
+**View logs:**
+
+```bash
+docker logs aifabrix-keycloak -f
+```
+
+**Stop:**
+
+```bash
+docker stop aifabrix-keycloak
+```
+
+### 4. Deploy to Azure
+
+```bash
+# Build with version tag
+aifabrix build keycloak --tag v1.0.0
+
+# Push to registry
+aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest"
+
+# Deploy to miso-controller
+aifabrix deploy keycloak --controller https://controller.aifabrix.ai --environment dev
+```
+
+---
+
+## Using miso-client
+
+> [miso-client](https://github.com/esystemsdev/aifabrix-miso-client)
+
+After registering your app, you automatically get credentials in your secret file. Use miso-client for login, RBAC, audit logs, etc.
+
+**Rotate credentials if needed:**
+
+```bash
+aifabrix app rotate-secret keycloak --environment dev
+```
+
+---
+
+## Reference
+
+### Common Commands
+
+```bash
+# Development
+aifabrix build keycloak                        # Build app
+aifabrix run keycloak                          # Run locally
+aifabrix dockerfile keycloak --force           # Generate Dockerfile
+aifabrix resolve keycloak                      # Generate .env file
+
+# Deployment
+aifabrix json keycloak                         # Preview deployment JSON
+aifabrix genkey keycloak                       # Generate deployment key
+aifabrix push keycloak --registry myacr.azurecr.io # Push to ACR
+aifabrix deploy keycloak --controller <url>    # Deploy to Azure
+
+# Management
+aifabrix app register keycloak --environment dev
+aifabrix app list --environment dev
+aifabrix app rotate-secret keycloak --environment dev
+
+# Utilities
+aifabrix doctor                                   # Check environment
+aifabrix login --method device --environment dev  # Login
+aifabrix --help                                   # Get help
+```
+
+### Build Options
+
+```bash
+aifabrix build keycloak --tag v1.0.0           # Custom tag
+aifabrix build keycloak --force-template       # Force template regeneration
+aifabrix build keycloak --language typescript  # Override language detection
+```
+
+### Run Options
+
+```bash
+aifabrix run keycloak --port 8082          # Custom port
+aifabrix run keycloak --debug                  # Debug output
+```
+
+### Push Options
+
+```bash
+aifabrix push keycloak --registry myacr.azurecr.io --tag v1.0.0
+aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest,stable"
+```
+
+### Deploy Options
+
+```bash
+aifabrix deploy keycloak --controller <url> --environment dev
+aifabrix deploy keycloak --controller <url> --environment dev --no-poll
+```
+
+### Login Methods
+
+```bash
+# Device code flow
+aifabrix login --method device --environment dev
+
+# Credentials (reads from secrets.local.yaml)
+aifabrix login --method credentials --app keycloak --environment dev
+
+# Explicit credentials
+aifabrix login --method credentials --app keycloak --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --environment dev
+```
+
+### Environment Variables
+
+```bash
+export AIFABRIX_HOME=/custom/path
+export AIFABRIX_SECRETS=/path/to/secrets.yaml
+```
+
+---
+
+## Troubleshooting
+
+- **"Docker not running"** → Start Docker Desktop
+- **"Not logged in"** → Run `aifabrix login` first
+- **"Port already in use"** → Use `--port` flag or change `build.localPort` in `variables.yaml` (default: 8082)
+- **"Authentication failed"** → Run `aifabrix login` again
+- **"Build fails"** → Check Docker is running and `variables.yaml` → `build.secrets` path is correct
+- **"Can't connect"** → Verify infrastructure is running and PostgreSQL is accessible
+
+**Regenerate files:**
+
+```bash
+aifabrix resolve keycloak --force
+aifabrix json keycloak
+aifabrix genkey keycloak
+```
+
+---
+
+## Prerequisites
+
+- `@aifabrix/builder` installed globally
+- Docker Desktop running
+- Azure CLI installed (for push command)
+- Authenticated with controller (for deploy command)
+- PostgreSQL database (ensure infrastructure is running)
+- Authentication/RBAC configured
+
+---
+
+**Application**: keycloak | **Port**: 8082 | **Registry**: myacr.azurecr.io | **Image**: aifabrix/keycloak:latest

package/templates/applications/keycloak/variables.yaml

@@ -38,9 +38,8 @@ authentication:
 
 # Build Configuration
 build:
-  context: ..                                           # Docker build context (relative to builder/)
-  dockerfile: builder/Dockerfile                        # Dockerfile name (empty = use template)
-  envOutputPath: .env                                   # Copy .env to repo root for local dev
-  localPort: 8082                                       # Port for local development (different from Docker port)
-  containerPort: 8080                                   # Container port (different from local port)
-  language: typescript                                  # Runtime language for template selection
+  context: .. # Docker build context (relative to builder/)
+  dockerfile: builder/Dockerfile # Dockerfile name (empty = use template)
+  localPort: 8082 # Port for local development (different from Docker port)
+  containerPort: 8080 # Container port (different from local port)
+  language: typescript # Runtime language for template selection

package/templates/applications/miso-controller/Dockerfile

@@ -1,16 +1,16 @@
 # AI Fabrix Miso Controller - Build from base image
-FROM aifabrix/miso-controller:latest
+# This repo has no application source; use the published image as baseline.
+# Build: docker build -t aifabrix/miso-controller:local .
+# Or use the image directly: docker run aifabrix/miso-controller:latest
 
-# Set default data paths (can be overridden by environment variables)
-ENV LOG_PATH=/mnt/data/logs
-ENV DATA_PATH=/mnt/data/data
-ENV BACKUP_PATH=/mnt/data/backup
-ENV CONFIG_PATH=/mnt/data/config
+FROM aifabrix/miso-controller:latest
 
-# Expose port
+# Expose port (documentation; base image may already set this)
 EXPOSE 3000
 
-# Health check
+# Health check (documentation; base image may already set this)
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
   CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1
 
+# CMD inherited from base image; override only if needed
+# CMD inherited: node -r tsconfig-paths/register dist/src/server.js