@aifabrix/builder 2.38.0 → 2.39.0

package/templates/applications/dataplane/env.template

@@ -6,12 +6,19 @@
 # APPLICATION ENVIRONMENT
 # =============================================================================
 
+# HTTP port for the app
 PORT=3001
+# development | staging | production
 ENVIRONMENT=development
+# Enable debug mode
 DEBUG=false
+# Logging level: DEBUG, INFO, WARNING, ERROR, CRITICAL
 LOG_LEVEL=INFO
+# Log format: json or text
 LOG_FORMAT=json
+# Path for log file output
 LOG_FILE_PATH=/mnt/data/logs/app.log
+# If true, run without Redis/Celery (single process)
 LOCAL_MODE=false
 
 # When API_KEY is set, a matching Bearer token bypasses OAuth2 validation
@@ -19,7 +26,10 @@ API_KEY=kv://miso-controller-api-key-secretKeyVault
 
 # API Configuration
 API_V1_STR=/api/v1
-VERSION=1.6.0
+VERSION=1.7.0
+# Base URL for the dataplane web server (used for default OAuth2 callback URL when redirectUri is omitted)
+DATAPLANE_WEB_SERVER_URL=kv://dataplane-web-server-urlKeyVault
+DATAPLANE_INTERNAL_URL=kv://dataplane-internal-server-urlKeyVault
 
 # CORS Configuration
 ALLOWED_ORIGINS=http://localhost:*
@@ -32,6 +42,7 @@ ENCRYPTION_KEY=kv://secrets-encryptionKeyVault
 # DATABASE CONFIGURATION
 # =============================================================================
 
+# Primary app database URL
 DATABASE_URL=kv://databases-dataplane-0-urlKeyVault
 DB_0_PASSWORD=kv://databases-dataplane-0-passwordKeyVault
 
@@ -59,8 +70,11 @@ REDIS_URL=kv://redis-url
 # CACHE CONFIGURATION
 # =============================================================================
 
+# Enable in-memory cache
 CACHE_ENABLED=true
+# TTL in seconds for CIP execution cache
 CACHE_CIP_EXECUTION_TTL=1800
+# TTL in seconds for metadata filter cache
 CACHE_METADATA_FILTER_TTL=3600
 
 # =============================================================================
@@ -72,12 +86,25 @@ MISO_CLIENTID=kv://dataplane-client-idKeyVault
 MISO_CLIENTSECRET=kv://dataplane-client-secretKeyVault
 
 # Keycloak Configuration (for OAuth2 endpoints)
+# Public: used by OpenAPI OAuth2 / browser (authorizationUrl, tokenUrl).
 KEYCLOAK_SERVER_URL=kv://keycloak-server-urlKeyVault
+# Internal (same role as MISO_CONTROLLER_URL): future server-side Keycloak (e.g. JWKS). Not used by dataplane today.
+KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-urlKeyVault
 KEYCLOAK_REALM=aifabrix
 
-# MISO Controller URL
+# =============================================================================
+# MISO CONTROLLER CONFIGURATION
+# =============================================================================
+# Public: browser redirects and CORS for client_token; set when controller is behind a different public URL.
+MISO_WEB_SERVER_URL=kv://miso-controller-web-server-urlKeyVault
+# Internal: server-to-controller API calls (auth, pipeline, status, RBAC).
 MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
 
+# Pipeline env key for controller URLs: /api/v1/pipeline/{envKey}/validate and /deploy.
+# Set MISO_PIPELINE_ENV_KEY=dev when controller uses dev (e.g. MISO_CLIENTID=miso-controller-dev-dataplane).
+# If unset, derived from MISO_CLIENTID (e.g. dev from miso-controller-dev-dataplane).
+MISO_PIPELINE_ENV_KEY=
+
 # =============================================================================
 # AI/LLM CONFIGURATION
 # =============================================================================
@@ -102,12 +129,14 @@ AUTH_AUDIT_ENABLED=true
 
 # ABAC Audit Configuration
 ABAC_AUDIT_ENABLED=true
+# ABAC audit detail: summary | detailed
 ABAC_AUDIT_DETAIL_LEVEL=summary
 ABAC_EXPLAIN_MODE_ENABLED=false
 ABAC_PERFORMANCE_THRESHOLD_MS=1000
 
 # RBAC Audit Configuration
 RBAC_AUDIT_ENABLED=true
+# RBAC audit detail: summary | detailed | explain
 RBAC_AUDIT_DETAIL_LEVEL=summary
 RBAC_EXPLAIN_MODE_ENABLED=false
 

package/templates/applications/dataplane/rbac.yaml

@@ -280,4 +280,4 @@ permissions:
   
   - name: "dataplane:rbac-simulate"
     roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-developer"]
-    description: "Simulate RBAC policy evaluation in IDE"
+    description: "Simulate RBAC policy evaluation in IDE"

package/templates/applications/dataplane/variables.yaml

@@ -2,9 +2,10 @@
 app:
   key: dataplane
   displayName: "AI Fabrix Dataplane"
-  description: "Python microservice for AI processing and bulk operations. Handles document processing, external data management, and Flowise integration with MisoClient SDK authentication."
+  description: "AI Fabrix Dataplane is a secure, in-tenant integration and automation layer that supplies governed, normalized, and explainable enterprise data to AI agents. Using CIP as a declarative standard, it enforces RBAC and ABAC, executes integrations, and exposes trusted data via MCP and OpenAPI."
   type: webapp
   language: python  # Explicitly specify Python language
+  version: 1.7.0
 
 # Image Configuration
 # Set tag to match your build (e.g. aifabrix build dataplane -t v1.0.0 then tag: v1.0.0)

package/templates/applications/keycloak/env.template

@@ -20,10 +20,13 @@ KC_HTTP_ENABLED=true
 # controller expects (KEYCLOAK_SERVER_URL).
 # - Users log in via http://localhost:${KEYCLOAK_PUBLIC_PORT} (browser/CLI)
 # - Server calls Keycloak at http://keycloak:8080 for token exchange and refresh
-# Without KC_HOSTNAME/KC_HOSTNAME_PORT, Keycloak would put issuer keycloak:8080
-# in tokens when the server calls internally, and validation would fail.
-KC_HOSTNAME=localhost
+# - Controller sends Host: localhost:${KEYCLOAK_PUBLIC_PORT} so Keycloak validates issuer
+#   against public URL (requires KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true)
+# When KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true, hostname must be a full URL
+KC_HOSTNAME=http://localhost:${KEYCLOAK_PUBLIC_PORT}
 KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}
+# Required for Host header to work: Keycloak resolves backchannel URL from request headers
+KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true
 
 # =============================================================================
 # HEALTH CHECK CONFIGURATION

package/templates/applications/keycloak/variables.yaml

@@ -4,6 +4,7 @@ app:
   displayName: 'AI Fabrix Keycloak'
   description: 'Identity and Access Management'
   type: webapp
+  version: '26.5.2'
 
 # Image Configuration
 image:

package/templates/applications/miso-controller/env.template

@@ -110,12 +110,11 @@ KEYCLOAK_EVENTS_ENABLED=true
 KEYCLOAK_EVENTS_VERIFY_SIGNATURE=true
 KEYCLOAK_EVENTS_SECRET=kv://keycloak-events-secretKeyVault
 
-# Keycloak Startup Wait Configuration (optional)
-# Auto-detected in Azure (WEBSITE_SITE_NAME present) - waits 20min by default
-# Local environments skip the wait automatically
-# Override if needed:
-# WAIT_FOR_KEYCLOAK=true|false
-# KEYCLOAK_WAIT_TIMEOUT=1200
+# Keycloak Startup Wait Configuration
+# When true, controller waits for Keycloak before onboarding (ensures admin user creation succeeds).
+# Recommended for local Docker and Azure where Keycloak and controller start together.
+WAIT_FOR_KEYCLOAK=true
+# KEYCLOAK_WAIT_TIMEOUT=60
 
 # =============================================================================
 # AZURE AD PROVIDER CONFIGURATION
@@ -161,8 +160,7 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 # DEPLOYMENT=local: Local Docker Deployment (Localhost Controller)
 # -----------------------------------------------------------------------------
 #   - Does NOT touch Azure at all (completely skips all Azure operations)
-#   - Deploys applications as Docker containers on localhost
-#   - Uses docker-compose for container orchestration
+#   - Deploys applications as Docker containers on localhost (runs "docker run")
 #   - Works with local PostgreSQL and Redis containers
 #   - Fastest mode for local development (no Azure SDK overhead)
 #   - No Azure SDK initialization (reduces startup time)
@@ -172,13 +170,22 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Local development and testing of applications
 #   - Testing deployment workflows with actual containers
 #   - Development when Azure SDK is not needed
-#   - Fastest startup time for development
 #
-#   Requirements:
-#   - Docker must be installed and running
-#   - docker-compose must be available
-#   - Docker network (infra-aifabrix-network) must exist
-#   - Local PostgreSQL container for database (if required)
+#   Requirements (controller must be able to run "docker" successfully):
+#   - Docker must be installed and running where the controller runs
+#   - Docker network (e.g. infra-<env>-aifabrix-network) must exist
+#
+#   When miso-controller runs INSIDE a Docker container (e.g. aifabrix up-miso):
+#   - The controller has no Docker CLI or host daemon by default, so deployments
+#     will fail with "docker: not found" unless you either:
+#     (A) Mount the host Docker socket and install Docker CLI in the controller
+#         image (e.g. -v /var/run/docker.sock:/var/run/docker.sock and docker
+#         client in the image), or
+#     (B) Use DEPLOYMENT=database instead and start apps from the host, e.g.:
+#         "aifabrix up-dataplane" (controller will only update DB; you run
+#         dataplane/other apps via aifabrix on the host).
+#   - Recommended when controller is in Docker: DEPLOYMENT=database and start
+#     dataplane with "aifabrix up-dataplane" (see QUICK-START.md).
 #
 # -----------------------------------------------------------------------------
 # DEPLOYMENT=database: Database-Only Mode (DB Updates Only)
@@ -236,7 +243,7 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Want to run applications locally in Docker? → DEPLOYMENT=local
 #   - Only need DB updates and RBAC sync (no containers/Azure)? → DEPLOYMENT=database
 #
-DEPLOYMENT=local
+DEPLOYMENT=database
 
 # =============================================================================
 # SECURITY & ENCRYPTION

package/templates/applications/miso-controller/rbac.yaml

@@ -352,3 +352,18 @@ permissions:
   - name: 'delegation:admin:delete'
     roles: ['aifabrix-platform-admin', 'aifabrix-security-admin']
     description: 'Administrative delete access to all delegated credentials'
+
+  # Onboarding
+  - name: 'onboarding:read'
+    roles:
+      [
+        'aifabrix-platform-admin',
+        'aifabrix-infrastructure-admin',
+        'aifabrix-deployment-admin',
+        'aifabrix-observer'
+      ]
+    description: 'View onboarding status and configuration'
+
+  - name: 'onboarding:config'
+    roles: ['aifabrix-platform-admin', 'aifabrix-infrastructure-admin']
+    description: 'Configure onboarding (license, Entra ID, subscription config)'

package/templates/applications/miso-controller/variables.yaml

@@ -2,8 +2,9 @@
 app:
   key: miso-controller
   displayName: 'Miso Controller'
-  description: 'AI Fabrix Miso Controller - Backend API and orchestration service'
+  description: 'Miso is the AI Fabrix in-tenant controller and portal layer for securely operating enterprise AI apps inside a customer’s Azure tenant. It provides Entra ID SSO, RBAC, audit logs, environment/app configuration via schemas, and safe secret handling via Key Vault references—ensuring governance, traceability, and predictable UX across portal, SDK, and CLI.'
   type: webapp
+  version: '1.8.0'
 
 # Image Configuration
 image:
@@ -11,7 +12,7 @@ image:
   registry: devflowiseacr.azurecr.io
   registryMode: acr
 
-# Port Configuration
+# Port Configuration (container port; host port = 3000 + developer_id*100 from ~/.aifabrix/config.yaml)
 port: 3000
 
 # Azure Requirements
@@ -64,7 +65,7 @@ configuration:
   - name: LOG_LEVEL
     portalInput:
       field: select
-      label: "Log Level"
+      label: 'Log Level'
       options:
         - debug
         - info
@@ -74,26 +75,26 @@ configuration:
   - name: ENABLE_API_DOCS
     portalInput:
       field: select
-      label: "Enable API Documentation (Swagger/ReDoc)"
+      label: 'Enable API Documentation (Swagger/ReDoc)'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   - name: FAST_STARTUP
     portalInput:
       field: select
-      label: "Fast Startup (skip non-critical init)"
+      label: 'Fast Startup (skip non-critical init)'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   - name: LOG_TO_FILE
     portalInput:
       field: select
-      label: "Log to File"
+      label: 'Log to File'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   # -------------------------------------------------------------------------
   # Keycloak Events (feature flag)
@@ -101,10 +102,10 @@ configuration:
   - name: KEYCLOAK_EVENTS_ENABLED
     portalInput:
       field: select
-      label: "Keycloak Events (sync users/groups)"
+      label: 'Keycloak Events (sync users/groups)'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   # -------------------------------------------------------------------------
   # Rate Limiting (tune for environment)
@@ -112,14 +113,14 @@ configuration:
   - name: RATE_LIMIT_WINDOW_MS
     portalInput:
       field: text
-      label: "Rate Limit Window (milliseconds)"
-      placeholder: "900000"
+      label: 'Rate Limit Window (milliseconds)'
+      placeholder: '900000'
 
   - name: RATE_LIMIT_MAX
     portalInput:
       field: text
-      label: "Rate Limit Max Requests per Window"
-      placeholder: "100"
+      label: 'Rate Limit Max Requests per Window'
+      placeholder: '100'
 
   # -------------------------------------------------------------------------
   # Redis Cache TTL (seconds) – RBAC/roles caching
@@ -127,11 +128,11 @@ configuration:
   - name: REDIS_ROLES_TTL
     portalInput:
       field: text
-      label: "Redis Roles Cache TTL (seconds)"
-      placeholder: "900"
+      label: 'Redis Roles Cache TTL (seconds)'
+      placeholder: '900'
 
   - name: REDIS_PERMISSIONS_TTL
     portalInput:
       field: text
-      label: "Redis Permissions Cache TTL (seconds)"
-      placeholder: "900"
+      label: 'Redis Permissions Cache TTL (seconds)'
+      placeholder: '900'