@fortytwoservices/ai-universe-setup 1.0.0

package/assets/app.bicep

@@ -0,0 +1,145 @@
+// Patch template — the deployment Fortytwo runs to ship a new kernel image to a
+// customer WITHOUT touching their data or config.
+//
+// This template's deployment graph contains ONLY the container apps and the
+// innovation job. Postgres (all customer data AND all config — providers,
+// models, policies, wisdom, galaxies, connectors, branding, users), the Key
+// Vault secrets, the storage account, and the identity role assignments are
+// referenced as EXISTING resources, never declared here, so a patch can neither
+// recreate nor overwrite them. Customer state survives every image bump.
+//
+// Onboarding (the one-time full provision) uses main.bicep. Patches use this.
+//
+// Deploy:
+//   az deployment group create \
+//     --resource-group <customer>-rg \
+//     --template-file app.bicep \
+//     --parameters portalName=<customer> \
+//       backendImage=<acr>/ai-universe-backend:<new-tag> \
+//       controlGalaxyImage=<acr>/ai-universe-control-galaxy:<new-tag> \
+//       entraTenantId=<...> entraAdminClientId=<...> portalOrgDid=<...>
+//
+// ACA rolls a new revision per app; existing revisions drain. No secret values
+// are re-supplied because the secrets already live in the customer Key Vault.
+
+targetScope = 'resourceGroup'
+
+@description('Short, kebab-case portal name. Must match the original deployment.')
+@minLength(2)
+@maxLength(32)
+param portalName string
+
+@description('Azure region. Defaults to the resource group location.')
+param location string = resourceGroup().location
+
+@description('New backend image reference (login server + repo + tag).')
+param backendImage string
+
+@description('New control-galaxy image reference (login server + repo + tag).')
+param controlGalaxyImage string
+
+@description('Entra tenant id (unchanged from onboarding).')
+param entraTenantId string
+
+@description('Admin/config-plane Entra app registration client id (unchanged).')
+param entraAdminClientId string
+
+@description('Portal organization DID (unchanged).')
+param portalOrgDid string
+
+@description('Portal organization display name (unchanged).')
+param portalOrgName string = portalName
+
+// Conventional secret names written by main.bicep at onboarding.
+var backendConnectionSecretName = 'postgres-connection-string-backend'
+var controlConnectionSecretName = 'postgres-connection-string-control'
+var auditSecretName = 'audit-signing-key'
+var entraClientSecretName = 'entra-client-secret'
+
+// --- Existing resources (read-only; never mutated by this template) --------
+
+resource environment 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
+  name: '${portalName}-cae'
+}
+
+resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
+  name: '${portalName}-platform-id'
+}
+
+resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
+  name: take('${replace(portalName, '-', '')}acr', 50)
+}
+
+resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = {
+  // Must match keyVault.bicep's vaultName expression EXACTLY. uniqueString is
+  // deterministic per resource group, so this reconstructs the onboarded name.
+  name: '${take(portalName, 9)}-kv-${take(uniqueString(resourceGroup().id), 6)}'
+}
+
+resource appInsights 'Microsoft.Insights/components@2020-02-02' existing = {
+  name: '${portalName}-insights'
+}
+
+// --- Container apps (the only things this template deploys) -----------------
+
+module backend 'modules/backendApp.bicep' = {
+  name: 'backendApp'
+  params: {
+    portalName: portalName
+    location: location
+    environmentId: environment.id
+    identityId: identity.id
+    acrLoginServer: registry.properties.loginServer
+    backendImage: backendImage
+    keyVaultUri: keyVault.properties.vaultUri
+    databaseSecretName: backendConnectionSecretName
+    auditSecretName: auditSecretName
+    insightsConnectionString: appInsights.properties.ConnectionString
+    entraTenantId: entraTenantId
+    entraAdminClientId: entraAdminClientId
+    portalOrgDid: portalOrgDid
+  }
+}
+
+module controlGalaxy 'modules/controlGalaxyApp.bicep' = {
+  name: 'controlGalaxyApp'
+  params: {
+    portalName: portalName
+    location: location
+    environmentId: environment.id
+    identityId: identity.id
+    acrLoginServer: registry.properties.loginServer
+    controlGalaxyImage: controlGalaxyImage
+    backendBaseUrl: 'https://${backend.outputs.fqdn}'
+    keyVaultUri: keyVault.properties.vaultUri
+    databaseSecretName: controlConnectionSecretName
+    auditSecretName: auditSecretName
+    entraClientSecretName: entraClientSecretName
+    insightsConnectionString: appInsights.properties.ConnectionString
+    entraTenantId: entraTenantId
+    entraAdminClientId: entraAdminClientId
+    portalOrgDid: portalOrgDid
+    portalOrgName: portalOrgName
+  }
+}
+
+// The implementer job is stateless (state lives in the proposal record + the
+// PR it opens), so a patch can safely roll a new implementer image alongside
+// the apps. It references the existing shared environment + identity + vault by
+// name, never recreating them. Keeping the image param default in sync with
+// main.bicep is intentional so a patch and an onboarding produce the same job.
+module innovationJob 'modules/innovationJob.bicep' = {
+  name: 'innovationJob'
+  params: {
+    portalName: portalName
+    location: location
+    environmentId: environment.id
+    identityId: identity.id
+    identityClientId: identity.properties.clientId
+    keyVaultName: keyVault.name
+  }
+}
+
+output backendUrl string = 'https://${backend.outputs.fqdn}'
+output controlGalaxyUrl string = 'https://${controlGalaxy.outputs.fqdn}'
+output implementerJobName string = innovationJob.outputs.jobName

package/assets/docker-compose.yml

@@ -0,0 +1,50 @@
+# Fortytwo AI Universe — local evaluation stack
+# Generated by @fortytwoservices/ai-universe-setup --local
+version: '3.9'
+services:
+  backend:
+    image: fortytwoacr.azurecr.io/ai-universe-backend:1.0.0
+    container_name: '${COMPOSE_PROJECT_NAME:-portal}-backend'
+    ports:
+      - '6101:6101'
+    environment:
+      NODE_ENV: development
+      DATABASE_URL: 'postgresql://postgres:postgres@postgres:5432/universe'
+      DEMO_MOCK_CHAT: 'true'
+      AUDIT_SIGNING_KEY: 'local-dev-key-not-for-production'
+    depends_on:
+      postgres:
+        condition: service_healthy
+    restart: unless-stopped
+
+  control-galaxy:
+    image: fortytwoacr.azurecr.io/ai-universe-control-galaxy:1.0.0
+    container_name: '${COMPOSE_PROJECT_NAME:-portal}-control-galaxy'
+    ports:
+      - '5174:5174'
+    environment:
+      BACKEND_BASE_URL: 'http://backend:6101'
+    depends_on:
+      - backend
+    restart: unless-stopped
+
+  postgres:
+    image: postgres:16-alpine
+    container_name: '${COMPOSE_PROJECT_NAME:-portal}-postgres'
+    ports:
+      - '5435:5432'
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_DB: universe
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U postgres']
+      interval: 5s
+      timeout: 5s
+      retries: 10
+    restart: unless-stopped
+
+volumes:
+  postgres_data:

package/assets/main.bicep

@@ -0,0 +1,233 @@
+// Fortytwo AI Universe — Azure provisioning orchestrator (galaxy platform).
+//
+// One deployment = one customer, self-hosted in the customer's tenant
+// (Fortytwo runs the deploy). Provisions, in the customer's resource group:
+//   - Container Registry (images imported from the Fortytwo central ACR)
+//   - Shared user-assigned identity (AcrPull + Key Vault Secrets User)
+//   - Key Vault, Postgres (two databases), App Insights, Storage
+//   - Container Apps environment
+//   - Backend kernel container app (gateway /v1, MCP /mcp, control-plane /admin/api)
+//   - Control galaxy container app (admin SPA + BFF over the backend config API)
+//   - Innovation Implementer job (short-lived, on the shared environment)
+//
+// NOT created here (manual one-time setup):
+//   - Entra ID app registrations. The admin/config plane uses ONE shared app
+//     registration (backend + control galaxy share its audience); the customer's
+//     IT admin creates it and supplies the client id + tenant id as parameters.
+//     Per-galaxy product registrations are minted by the backend provisioner at
+//     "create Galaxy" time, not here.
+//   - Image push/import. Fortytwo CI pushes images to the central Fortytwo ACR;
+//     the deploy step imports them into this customer ACR (see README).
+
+targetScope = 'resourceGroup'
+
+@description('Short, kebab-case name for the customer deployment (e.g. "acme-portal"). Used as a prefix for every resource.')
+@minLength(2)
+@maxLength(32)
+param portalName string
+
+@description('Azure region. Defaults to the resource group location.')
+param location string = resourceGroup().location
+
+@description('Postgres administrator login.')
+param postgresAdmin string = 'portal_admin'
+
+@secure()
+@description('Postgres administrator password. Pass via parameter file env var; never commit.')
+param postgresAdminPassword string
+
+@secure()
+@description('Audit HMAC signing key shared by the backend and control galaxy. Pass via env var; never commit.')
+param auditSigningKey string
+
+@secure()
+@description('Entra app-registration client secret for connector OBO (used by the control galaxy). Pass via env var; never commit.')
+param entraClientSecret string
+
+@description('Postgres Flexible Server SKU.')
+@allowed([
+  'Standard_B1ms'
+  'Standard_B2s'
+  'Standard_D2s_v3'
+])
+param postgresSku string = 'Standard_B1ms'
+
+@description('Postgres storage size in GB.')
+param postgresStorageGb int = 32
+
+@description('Container Registry SKU.')
+@allowed([
+  'Standard'
+  'Premium'
+])
+param registrySku string = 'Standard'
+
+@description('Fully qualified backend image reference (login server + repo + tag).')
+param backendImage string
+
+@description('Fully qualified control-galaxy image reference (login server + repo + tag).')
+param controlGalaxyImage string
+
+@description('Entra ID tenant id.')
+param entraTenantId string
+
+@description('Admin/config-plane Entra app registration client id (shared audience: backend + control galaxy).')
+param entraAdminClientId string
+
+@description('Portal organization DID (identity namespace for agents and audit).')
+param portalOrgDid string
+
+@description('Portal organization display name.')
+param portalOrgName string = portalName
+
+// --- Foundational resources ------------------------------------------------
+
+module insights 'modules/insights.bicep' = {
+  name: 'insights'
+  params: {
+    portalName: portalName
+    location: location
+  }
+}
+
+module storage 'modules/storage.bicep' = {
+  name: 'storage'
+  params: {
+    portalName: portalName
+    location: location
+  }
+}
+
+module keyVault 'modules/keyVault.bicep' = {
+  name: 'keyVault'
+  params: {
+    portalName: portalName
+    location: location
+    tenantId: entraTenantId
+  }
+}
+
+module registry 'modules/registry.bicep' = {
+  name: 'registry'
+  params: {
+    portalName: portalName
+    location: location
+    sku: registrySku
+  }
+}
+
+// Shared identity must exist (with AcrPull + KV Secrets User) before any
+// container app references it for image pull and secret resolution.
+module identity 'modules/platformIdentity.bicep' = {
+  name: 'platformIdentity'
+  params: {
+    portalName: portalName
+    location: location
+    registryName: registry.outputs.registryName
+    keyVaultName: keyVault.outputs.vaultName
+  }
+}
+
+module postgres 'modules/postgres.bicep' = {
+  name: 'postgres'
+  params: {
+    portalName: portalName
+    location: location
+    administratorLogin: postgresAdmin
+    administratorPassword: postgresAdminPassword
+    sku: postgresSku
+    storageGb: postgresStorageGb
+    keyVaultName: keyVault.outputs.vaultName
+  }
+}
+
+// Audit HMAC signing key, shared by backend + control galaxy.
+module auditSecret 'modules/auditSecret.bicep' = {
+  name: 'auditSecret'
+  params: {
+    keyVaultName: keyVault.outputs.vaultName
+    auditSigningKey: auditSigningKey
+  }
+}
+
+// Entra app-registration client secret for connector OBO (control galaxy).
+module entraClientSecretModule 'modules/entraClientSecret.bicep' = {
+  name: 'entraClientSecret'
+  params: {
+    keyVaultName: keyVault.outputs.vaultName
+    entraClientSecret: entraClientSecret
+  }
+}
+
+// --- Compute ---------------------------------------------------------------
+
+module caeEnv 'modules/containerAppsEnv.bicep' = {
+  name: 'containerAppsEnv'
+  params: {
+    portalName: portalName
+    location: location
+  }
+}
+
+module backend 'modules/backendApp.bicep' = {
+  name: 'backendApp'
+  params: {
+    portalName: portalName
+    location: location
+    environmentId: caeEnv.outputs.environmentId
+    identityId: identity.outputs.identityId
+    acrLoginServer: registry.outputs.loginServer
+    backendImage: backendImage
+    keyVaultUri: keyVault.outputs.vaultUri
+    databaseSecretName: postgres.outputs.backendConnectionSecretName
+    auditSecretName: auditSecret.outputs.secretName
+    insightsConnectionString: insights.outputs.connectionString
+    entraTenantId: entraTenantId
+    entraAdminClientId: entraAdminClientId
+    portalOrgDid: portalOrgDid
+  }
+}
+
+module controlGalaxy 'modules/controlGalaxyApp.bicep' = {
+  name: 'controlGalaxyApp'
+  params: {
+    portalName: portalName
+    location: location
+    environmentId: caeEnv.outputs.environmentId
+    identityId: identity.outputs.identityId
+    acrLoginServer: registry.outputs.loginServer
+    controlGalaxyImage: controlGalaxyImage
+    backendBaseUrl: 'https://${backend.outputs.fqdn}'
+    keyVaultUri: keyVault.outputs.vaultUri
+    databaseSecretName: postgres.outputs.controlConnectionSecretName
+    auditSecretName: auditSecret.outputs.secretName
+    entraClientSecretName: entraClientSecretModule.outputs.secretName
+    insightsConnectionString: insights.outputs.connectionString
+    entraTenantId: entraTenantId
+    entraAdminClientId: entraAdminClientId
+    portalOrgDid: portalOrgDid
+    portalOrgName: portalOrgName
+  }
+}
+
+module innovationJob 'modules/innovationJob.bicep' = {
+  name: 'innovationJob'
+  params: {
+    portalName: portalName
+    location: location
+    environmentId: caeEnv.outputs.environmentId
+    identityId: identity.outputs.identityId
+    identityClientId: identity.outputs.clientId
+    keyVaultName: keyVault.outputs.vaultName
+  }
+}
+
+// --- Outputs ---------------------------------------------------------------
+
+output backendUrl string = 'https://${backend.outputs.fqdn}'
+output controlGalaxyUrl string = 'https://${controlGalaxy.outputs.fqdn}'
+output registryLoginServer string = registry.outputs.loginServer
+output postgresFqdn string = postgres.outputs.fqdn
+output keyVaultName string = keyVault.outputs.vaultName
+output storageAccountName string = storage.outputs.accountName
+output implementerJobName string = innovationJob.outputs.jobName

package/assets/modules/auditSecret.bicep

@@ -0,0 +1,28 @@
+// Audit HMAC signing key, shared by the backend and the control galaxy.
+// Written here (not in keyVault.bicep) so the @secure() value stays inside a
+// module that references the vault by name param, keeping it out of the
+// orchestration deployment graph as an output.
+
+@description('Name of the existing Key Vault to write the secret into.')
+param keyVaultName string
+
+@secure()
+@description('Audit HMAC signing key value.')
+param auditSigningKey string
+
+@description('Secret name.')
+param secretName string = 'audit-signing-key'
+
+resource vault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = {
+  name: keyVaultName
+}
+
+resource secret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' = {
+  parent: vault
+  name: secretName
+  properties: {
+    value: auditSigningKey
+  }
+}
+
+output secretName string = secret.name

package/assets/modules/backendApp.bicep

@@ -0,0 +1,107 @@
+// Backend kernel as a Container App. This is the headless control plane:
+// it serves the AI gateway (/v1), the MCP hub (/mcp), the galaxy registry +
+// provisioner, the durable audit, identity verification, and the control-plane
+// config API (/admin/api/*). External ingress on 6101 because galaxies reach
+// /v1 with a per-galaxy key, developer tools reach /mcp, and the control galaxy
+// reaches /admin/api with the forwarded operator token, all across the network
+// boundary. minReplicas is 1: the gateway is on the runtime hot path (ADR-0003).
+//
+// Secrets (DATABASE_URL, AUDIT_SIGNING_KEY) resolve from Key Vault over the
+// shared user-assigned identity. Images pull from the customer ACR over the
+// same identity (AcrPull granted in platformIdentity.bicep). No stored secret.
+
+@description('Short, kebab-case portal name.')
+param portalName string
+
+@description('Azure region.')
+param location string
+
+@description('Container Apps managed environment id (containerAppsEnv.bicep).')
+param environmentId string
+
+@description('User-assigned managed identity resource id (platformIdentity.bicep).')
+param identityId string
+
+@description('ACR login server (e.g. acmeacr.azurecr.io).')
+param acrLoginServer string
+
+@description('Fully qualified backend image reference, including tag.')
+param backendImage string
+
+@description('Key Vault URI (https://<vault>.vault.azure.net/).')
+param keyVaultUri string
+
+@description('Key Vault secret name holding the backend database connection string.')
+param databaseSecretName string
+
+@description('Key Vault secret name holding the audit HMAC signing key.')
+param auditSecretName string
+
+@description('Application Insights connection string.')
+param insightsConnectionString string
+
+@description('Entra tenant id for token validation.')
+param entraTenantId string
+
+@description('Admin/config-plane Entra app registration client id (shared audience with the control galaxy).')
+param entraAdminClientId string
+
+@description('Portal organization DID (identity namespace for agents and audit).')
+param portalOrgDid string
+
+@description('CPU cores.')
+param cpuCores string = '1.0'
+
+@description('Memory.')
+param memorySize string = '2Gi'
+
+// Domain-specific secrets[] and env[]. These literal arrays stay here (rather
+// than in containerApp.bicep) so the infra contract test can parse the env
+// contract from this module. The shared containerApps scaffolding lives in
+// containerApp.bicep.
+var backendSecrets = [
+  {
+    name: 'database-url'
+    keyVaultUrl: '${keyVaultUri}secrets/${databaseSecretName}'
+    identity: identityId
+  }
+  {
+    name: 'audit-signing-key'
+    keyVaultUrl: '${keyVaultUri}secrets/${auditSecretName}'
+    identity: identityId
+  }
+]
+
+var backendEnv = [
+  { name: 'NODE_ENV', value: 'production' }
+  { name: 'HOST', value: '0.0.0.0' }
+  { name: 'PORT', value: '6101' }
+  { name: 'DATABASE_URL', secretRef: 'database-url' }
+  { name: 'AUDIT_SIGNING_KEY', secretRef: 'audit-signing-key' }
+  { name: 'APPLICATIONINSIGHTS_CONNECTION_STRING', value: insightsConnectionString }
+  { name: 'ENTRA_TENANT_ID', value: entraTenantId }
+  { name: 'BACKEND_API_AUDIENCE', value: 'api://${entraAdminClientId}' }
+  { name: 'PORTAL_ORG_DID', value: portalOrgDid }
+]
+
+module backend 'containerApp.bicep' = {
+  name: 'backendContainerApp'
+  params: {
+    portalName: portalName
+    appSuffix: 'backend'
+    location: location
+    environmentId: environmentId
+    identityId: identityId
+    acrLoginServer: acrLoginServer
+    image: backendImage
+    port: 6101
+    maxReplicas: 3
+    cpuCores: cpuCores
+    memorySize: memorySize
+    secrets: backendSecrets
+    env: backendEnv
+  }
+}
+
+output appName string = backend.outputs.appName
+output fqdn string = backend.outputs.fqdn

package/assets/modules/containerApp.bicep

@@ -0,0 +1,99 @@
+// Shared Container App scaffolding for the platform's HTTP surfaces (backend
+// kernel, control galaxy). Both wrap this module: they assemble their own
+// domain-specific secrets[] and env[] arrays and pass them in here, so the
+// identity, ACR registry binding, Key-Vault secret wiring, external ingress,
+// and single-revision scale shape live in exactly one place.
+//
+// What stays in the wrapper modules (backendApp.bicep, controlGalaxyApp.bicep):
+// the literal env[] and secrets[] arrays. The infra contract test parses those
+// arrays from the wrapper files, so keeping them there preserves both the
+// env-contract guard and the per-app readability of the config.
+
+@description('Short, kebab-case portal name.')
+param portalName string
+
+@description('Suffix appended to portalName for the app + container name (e.g. backend, control-galaxy).')
+param appSuffix string
+
+@description('Azure region.')
+param location string
+
+@description('Container Apps managed environment id (containerAppsEnv.bicep).')
+param environmentId string
+
+@description('User-assigned managed identity resource id (platformIdentity.bicep).')
+param identityId string
+
+@description('ACR login server (e.g. acmeacr.azurecr.io).')
+param acrLoginServer string
+
+@description('Fully qualified container image reference, including tag.')
+param image string
+
+@description('Ingress target port.')
+param port int
+
+@description('Maximum replica count. minReplicas is fixed at 1 (runtime hot path, ADR-0003).')
+param maxReplicas int
+
+@description('CPU cores.')
+param cpuCores string
+
+@description('Memory.')
+param memorySize string
+
+@description('Key-Vault-backed container secrets ({ name, keyVaultUrl, identity }).')
+param secrets array
+
+@description('Container env entries ({ name, value } or { name, secretRef }).')
+param env array
+
+resource app 'Microsoft.App/containerApps@2024-03-01' = {
+  name: '${portalName}-${appSuffix}'
+  location: location
+  identity: {
+    type: 'UserAssigned'
+    userAssignedIdentities: {
+      '${identityId}': {}
+    }
+  }
+  properties: {
+    managedEnvironmentId: environmentId
+    configuration: {
+      activeRevisionsMode: 'Single'
+      ingress: {
+        external: true
+        targetPort: port
+        transport: 'auto'
+        allowInsecure: false
+      }
+      registries: [
+        {
+          server: acrLoginServer
+          identity: identityId
+        }
+      ]
+      secrets: secrets
+    }
+    template: {
+      containers: [
+        {
+          name: appSuffix
+          image: image
+          resources: {
+            cpu: json(cpuCores)
+            memory: memorySize
+          }
+          env: env
+        }
+      ]
+      scale: {
+        minReplicas: 1
+        maxReplicas: maxReplicas
+      }
+    }
+  }
+}
+
+output appName string = app.name
+output fqdn string = app.properties.configuration.ingress.fqdn