Initial public v1 source release

Author: EaCognitive

.dockerignore

@@ -0,0 +1,43 @@
+# Git
+.git
+.gitignore
+
+# Python
+__pycache__
+*.py[cod]
+*.egg-info
+.eggs
+dist
+build
+.venv
+venv
+.pytest_cache
+.mypy_cache
+.ruff_cache
+*.egg
+
+# Node (dashboard has its own)
+node_modules
+
+# IDE
+.idea
+.vscode
+*.swp
+
+# Docker
+Dockerfile*
+docker-compose*.yml
+
+# Docs
+*.md
+!README.md
+
+# Tests
+tests/
+htmlcov/
+.coverage
+
+# Local env
+.env
+.env.local
+*.db

.env.example

@@ -0,0 +1,108 @@
+# AgentGate Docker Compose Environment Variables
+# Copy this file to .env and fill in with secure values
+# NEVER commit .env to version control
+
+# Database Configuration
+POSTGRES_USER=agentgate
+POSTGRES_PASSWORD=generate-secure-password-here
+POSTGRES_DB=agentgate
+
+# Backend Configuration
+# Generate SECRET_KEY with: openssl rand -hex 32
+SECRET_KEY=your-secret-key-here
+
+# Identity provider mode
+# local | descope | custom_oidc | hybrid_migration
+IDENTITY_PROVIDER_MODE=local
+# Allow local password auth in non-local modes
+ALLOW_LOCAL_PASSWORD_AUTH=false
+# Production-only local mode override
+ALLOW_PRODUCTION_LOCAL_AUTH=false
+# Legacy role alias compatibility (operator -> approver)
+ROLE_OPERATOR_ALIAS_ENABLED=true
+# API reference access mode: public | authenticated | admin_mcp
+API_REFERENCE_ACCESS_MODE=public
+# Roles allowed for MCP-privileged surfaces
+MCP_PRIVILEGED_ROLES=admin
+# Required scopes when MCP scope enforcement is active
+MCP_REQUIRED_SCOPES=mcp:admin,mcp:access
+# Optional override for scope enforcement (true/false)
+MCP_REQUIRE_SCOPE=false
+# API key scope governance
+API_KEY_WILDCARD_ROLES=admin,security_admin
+API_KEY_MCP_SCOPE_ROLES=admin,security_admin,developer
+API_KEY_ALLOWED_CUSTOM_SCOPES=mcp:read,mcp:write,mcp:access,mcp:admin
+
+# Descope OIDC validation
+DESCOPE_JWKS_URL=
+DESCOPE_ISSUER=
+DESCOPE_AUDIENCE=
+
+# Generic OIDC validation
+OIDC_JWKS_URL=
+OIDC_ISSUER=
+OIDC_AUDIENCE=
+
+# CORS Configuration (production only)
+# Comma-separated list of allowed origins
+ALLOWED_ORIGINS=http://localhost:3000
+
+# Environment (development or production)
+AGENTGATE_ENV=development
+
+# Redis Configuration (for distributed rate limiting)
+REDIS_URL=redis://redis:6379/0
+
+# Distributed health monitoring (optional)
+# Enable periodic checks for API/dashboard/distributed targets.
+AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_ENABLED=false
+# Comma-separated targets:
+#   name=url
+#   name|url|expected_substring
+# Example:
+# AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TARGETS=api=http://server:8000/api/health,dashboard|http://dashboard:3000|<html
+AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TARGETS=
+AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TARGETS_JSON=
+AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_INTERVAL_SECONDS=30
+AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_TIMEOUT_SECONDS=5
+AGENTGATE_DISTRIBUTED_HEALTH_MONITOR_FAILURE_THRESHOLD=2
+AGENTGATE_HEALTH_MONITOR_INCLUDE_DASHBOARD=false
+AGENTGATE_DASHBOARD_HEALTH_URL=http://dashboard:3000
+
+# HMAC secret for policy integrity signatures
+# Generate with: openssl rand -hex 32
+AGENTGATE_HMAC_SECRET=
+
+# Security alert delivery channels
+SECURITY_ALERT_LOG_MIN_PRIORITY=low
+SECURITY_ALERT_WEBHOOK_URL=
+SECURITY_ALERT_WEBHOOK_HEADERS_JSON=
+SECURITY_ALERT_WEBHOOK_MIN_PRIORITY=high
+SECURITY_ALERT_WEBHOOK_TIMEOUT_SECONDS=10
+SECURITY_ALERT_SLACK_WEBHOOK_URL=
+SECURITY_ALERT_SLACK_CHANNEL=
+SECURITY_ALERT_SLACK_MIN_PRIORITY=high
+SECURITY_ALERT_WINDOW_SECONDS=60
+SECURITY_ALERT_MAX_PER_WINDOW=10
+SECURITY_ALERT_COOLDOWN_SECONDS=300
+SECURITY_ALERT_MAX_DURING_COOLDOWN=1
+SECURITY_ALERT_DEDUP_WINDOW_SECONDS=300
+
+# Dashboard Configuration
+NEXTAUTH_URL=http://localhost:3000
+# Generate NEXTAUTH_SECRET with: openssl rand -hex 32
+NEXTAUTH_SECRET=your-nextauth-secret-here
+API_URL=http://server:8000
+# Required for the dashboard playground chat route
+OPENAI_API_KEY=
+
+# Default Admin (OPTIONAL - only for first startup)
+# Leave empty to skip auto-creation (recommended for production)
+# DEFAULT_ADMIN_EMAIL=admin@yourcompany.com
+# DEFAULT_ADMIN_PASSWORD=your-secure-password-here
+
+# hCaptcha Configuration (for login protection)
+# Get keys from: https://www.hcaptcha.com/
+# Required for production to prevent brute force attacks
+HCAPTCHA_SECRET=your_hcaptcha_secret_key_here
+HCAPTCHA_SITE_KEY=your_hcaptcha_site_key_here

.env.production.example

@@ -0,0 +1,167 @@
+# AgentGate Production Environment Configuration
+# Copy this file to .env.production and fill in the values
+# NEVER commit .env.production to version control
+
+# ============================================================================
+# Database Configuration
+# ============================================================================
+# CRITICAL: Production requires PostgreSQL. SQLite is NOT supported in production.
+# Use passwordless Entra authentication in cloud_strict profile.
+# The URL must not embed static DB password material.
+DATABASE_URL=postgresql+asyncpg://agentgate@your-postgres-host:5432/agentgate?sslmode=require
+
+POSTGRES_USER=agentgate
+# REQUIRED: Generate strong password (minimum 32 characters)
+# Example: openssl rand -base64 32
+POSTGRES_PASSWORD=
+POSTGRES_DB=agentgate
+POSTGRES_DATA_PATH=./data/postgres
+
+# PostgreSQL Performance Tuning (Optional)
+POSTGRES_SHARED_BUFFERS=256MB
+POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
+POSTGRES_MAX_CONNECTIONS=100
+
+# ============================================================================
+# Redis Configuration
+# ============================================================================
+# REQUIRED: Generate strong password (minimum 32 characters)
+# Example: openssl rand -base64 32
+REDIS_PASSWORD=
+REDIS_URL=redis://:${REDIS_PASSWORD}@redis:6379/0
+REDIS_MAX_MEMORY=256mb
+REDIS_DATA_PATH=./data/redis
+
+# ============================================================================
+# Application Security
+# ============================================================================
+# REQUIRED: Generate with: openssl rand -hex 32
+SECRET_KEY=
+# REQUIRED: Generate with: openssl rand -hex 32
+NEXTAUTH_SECRET=
+# REQUIRED: HMAC secret for policy integrity signatures
+# Generate with: openssl rand -hex 32
+AGENTGATE_HMAC_SECRET=
+
+# Docker Secrets (Production)
+POSTGRES_PASSWORD_FILE=./secrets/db_password.txt
+API_SECRET_KEY_FILE=./secrets/api_secret_key.txt
+NEXTAUTH_SECRET_FILE=./secrets/nextauth_secret.txt
+
+# ============================================================================
+# Application Configuration
+# ============================================================================
+AGENTGATE_ENV=production
+AGENTGATE_RUNTIME_PROFILE=cloud_strict
+DATABASE_AUTH_MODE=entra_token
+AGENTGATE_Z3_MODE=enforce
+IDENTITY_PROVIDER_MODE=descope
+ALLOW_LOCAL_PASSWORD_AUTH=false
+ALLOW_PRODUCTION_LOCAL_AUTH=false
+ROLE_OPERATOR_ALIAS_ENABLED=true
+API_REFERENCE_ACCESS_MODE=admin_mcp
+MCP_PRIVILEGED_ROLES=admin
+MCP_REQUIRED_SCOPES=mcp:admin,mcp:access
+MCP_REQUIRE_SCOPE=true
+API_KEY_WILDCARD_ROLES=admin,security_admin
+API_KEY_MCP_SCOPE_ROLES=admin,security_admin,developer
+API_KEY_ALLOWED_CUSTOM_SCOPES=mcp:read,mcp:write,mcp:access,mcp:admin
+
+# Descope OIDC validation (required when IDENTITY_PROVIDER_MODE=descope)
+DESCOPE_JWKS_URL=
+DESCOPE_ISSUER=
+DESCOPE_AUDIENCE=
+
+# CORS - Update with your actual domain
+ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com
+
+# NextAuth - Update with your actual domain
+NEXTAUTH_URL=https://yourdomain.com
+NEXT_PUBLIC_API_URL=https://yourdomain.com/api
+
+# ============================================================================
+# Server Configuration
+# ============================================================================
+# Number of Uvicorn workers (adjust based on CPU cores)
+WORKERS=4
+UVICORN_WORKERS=4
+
+# Logging
+LOG_LEVEL=info
+LOG_FORMAT=json
+
+# ============================================================================
+# Deployment Configuration
+# ============================================================================
+# Number of service replicas (for Docker Swarm or scaling)
+SERVER_REPLICAS=2
+DASHBOARD_REPLICAS=2
+
+# Build metadata
+VERSION=1.0.0
+BUILD_DATE=2025-01-28T00:00:00Z
+
+# ============================================================================
+# Monitoring and Observability (Optional)
+# ============================================================================
+ENABLE_METRICS=true
+METRICS_PORT=9090
+
+# ============================================================================
+# Audit Event Pipeline
+# ============================================================================
+# sync: writes audit events directly to DB within request (default)
+# redis_stream: publishes to Redis Stream for async batch processing
+AUDIT_PIPELINE=sync
+
+# ============================================================================
+# Feature Flags
+# ============================================================================
+ENABLE_RATE_LIMITING=true
+ENABLE_CORS=true
+ENABLE_CSRF=true
+
+# ============================================================================
+# Admin User (DO NOT USE IN PRODUCTION)
+# ============================================================================
+# SECURITY WARNING: Do not use auto-creation in production
+# Create admin users manually through the CLI or database
+DEFAULT_ADMIN_EMAIL=
+DEFAULT_ADMIN_PASSWORD=
+
+# ============================================================================
+# Azure Key Vault (Production Secret Management)
+# ============================================================================
+# REQUIRED in production: URL of the Azure Key Vault instance
+# Secrets are fetched via DefaultAzureCredential (Managed Identity on Azure,
+# az login / service principal locally)
+AZURE_KEY_VAULT_URL=https://your-vault-name.vault.azure.net
+
+# ============================================================================
+# Backup Configuration
+# ============================================================================
+# Local backup settings
+BACKUP_DIR=/var/backups/agentgate
+RETENTION_DAYS=30
+
+# Cloud Backup Provider (s3 or azure)
+# Set to enable automatic cloud backup uploads
+CLOUD_PROVIDER=azure
+CLOUD_BUCKET=agentgate-backups
+CLOUD_AUTO_CREATE_BUCKET=false  # Set to true to auto-create bucket if missing
+
+# AWS S3 Configuration (if CLOUD_PROVIDER=s3)
+# Credentials are stored in Azure Key Vault:
+#   - aws-access-key-id
+#   - aws-secret-access-key
+# Or set them directly (not recommended for production):
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+AWS_REGION=us-east-1
+
+# Azure Blob Storage Configuration (if CLOUD_PROVIDER=azure)
+# Uses DefaultAzureCredential (Managed Identity on Azure, az login locally)
+# No additional configuration needed beyond AZURE_KEY_VAULT_URL
+
+# Backup Schedule (for cron)
+# BACKUP_SCHEDULE=0 2 * * *  # Daily at 2 AM