feat: LAD A-Team CIS Compliance Report, React SPA, i18n, report management, explorer UX fixes
- Professional Oracle-format compliance report with RAG remediation from ADB vector store - React 19 SPA at /app/ (16 pages, TypeScript, Vite, Zustand, i18n pt/en 625 keys) - Report delete endpoint, embed individual report files into vector store - Terraform ZIP download (client-side, pure JS) - Explorer silent polling during start/stop (no flickering) - HTML report and compliance report sections start minimized - Token auth fix for compliance report CSV download links
This commit is contained in:
44
README.md
44
README.md
@@ -9,7 +9,7 @@
|
||||
</p>
|
||||
|
||||
<p align="center">
|
||||
<img src="https://img.shields.io/badge/version-2.6-C74634?style=flat-square" alt="Version">
|
||||
<img src="https://img.shields.io/badge/version-2.7-C74634?style=flat-square" alt="Version">
|
||||
<img src="https://img.shields.io/badge/python-3.12-3776AB?style=flat-square" alt="Python">
|
||||
<img src="https://img.shields.io/badge/FastAPI-0.115-009688?style=flat-square" alt="FastAPI">
|
||||
<img src="https://img.shields.io/badge/OCI-GenAI-C74634?style=flat-square" alt="OCI">
|
||||
@@ -23,7 +23,7 @@
|
||||
|
||||
AI Agent — Infrastructure & Security Engineer is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution.
|
||||
|
||||
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with an **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, and **Chart.js** visualizations.
|
||||
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **dual frontend** (legacy SPA + React SPA at `/app/`), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en), and **Chart.js** visualizations.
|
||||
|
||||
---
|
||||
|
||||
@@ -127,11 +127,26 @@ The platform combines security compliance scanning, AI-powered chat with **RAG (
|
||||
- **Level 2**: Advanced security controls that may restrict functionality or require more effort to implement. Recommended for high-security environments.
|
||||
- **Multiple output formats**: HTML summary, CSV per section/finding, JSON summary, optional XLSX
|
||||
- **Report history**: full execution history with status, tenancy filter, and download actions (HTML/JSON) in the Reports tab
|
||||
- **Delete reports**: remove completed reports and their associated files from the system
|
||||
- **File browser**: dedicated Downloads tab with expandable cards per completed report, files grouped by category (Summary, CIS Findings, OBP, Raw Data, etc.)
|
||||
- **Embed individual files**: embed any report file (CSV, TXT, JSON, PDF) directly into the ADB vector store for RAG enrichment
|
||||
- Region filtering with multi-select
|
||||
- Real-time progress tracking with phase-based progress bar
|
||||
- **CIS Engine auto-update**: check for new versions of `cis_reports.py` from Oracle's GitHub repository and update with one click (admin only). Custom patches are automatically reapplied after update
|
||||
|
||||
### 📋 LAD A-Team CIS Compliance Report
|
||||
- **Professional compliance report** following Oracle Cloud Security Assessment format (cover page, purpose statement, disclaimer, copyright)
|
||||
- **Table of Contents** with links to each section and recommendation
|
||||
- **Security Overview**: 7 Oracle security pillars (Customer Isolation, Data Encryption, Data Management, etc.)
|
||||
- **CIS Assessment Summary**: table with Domains / Total Controls / Failed / Passed per section
|
||||
- **CIS Benchmark Recommendation Summary**: full table with Item / Description / Status (OK/FAILED)
|
||||
- **Detailed findings**: per-recommendation cards with compliance percentage bar, result description, and remediation steps
|
||||
- **RAG-powered remediation**: enriched remediation steps fetched from ADB vector store (`CISRECOM` table) using cosine similarity search — filters by exact recommendation number, extracts only remediation section from matched chunks
|
||||
- **Affected resources CSV links**: non-compliant findings show a clickable link to download the CSV with affected resource details (authenticated via JWT token)
|
||||
- **Download PDF**: `window.print()` with CSS `@page A4` formatting for professional PDF output
|
||||
- **Caching**: generated HTML cached to disk, subsequent views are instant; "Regenerar" button clears cache and re-generates
|
||||
- **Collapsible sections**: HTML report and compliance report start minimized, expandable on demand
|
||||
|
||||
### 🛡️ Built-in CIS MCP Server (Granular Per-Section)
|
||||
- **Auto-registered** CIS Compliance Scanner MCP server — available out of the box
|
||||
- **12 granular tools** instead of monolithic full-tenancy scan:
|
||||
@@ -418,16 +433,27 @@ Allow group <group-name> to read buckets in compartment <compartment-name>
|
||||
```
|
||||
oci-cis-agent/
|
||||
├── backend/
|
||||
│ ├── app.py # FastAPI application (~5900 lines)
|
||||
│ ├── app.py # FastAPI application (~6700 lines)
|
||||
│ ├── cis_reports.py # Oracle CIS Benchmark checker (6660 lines, report engine)
|
||||
│ ├── mcp_cis_server.py # MCP server with 12 granular CIS tools (~700 lines)
|
||||
│ ├── gen_tf_reference.py # OCI Terraform provider resource catalog generator
|
||||
│ ├── Dockerfile # Python 3.12 + OCI CLI + Terraform CLI
|
||||
│ └── requirements.txt # Dependencies
|
||||
├── frontend/
|
||||
│ └── index.html # SPA with Oracle Dark Premium theme (~3200 lines)
|
||||
│ └── index.html # Legacy SPA with Oracle Dark Premium theme (~2800 lines)
|
||||
├── frontend-react/
|
||||
│ ├── src/ # React 19 SPA (TypeScript, 42 source files, ~12500 lines)
|
||||
│ │ ├── pages/ # 8 page components (Dashboard, Explorer, Reports, Chat, Terraform, etc.)
|
||||
│ │ ├── api/ # API client + endpoint modules
|
||||
│ │ ├── stores/ # Zustand auth store
|
||||
│ │ ├── hooks/ # Custom hooks (theme, i18n)
|
||||
│ │ └── i18n/ # Internationalization (pt/en, 625 keys)
|
||||
│ └── dist/ # Built SPA served at /app/
|
||||
├── scripts/
|
||||
│ ├── reportgenerator.js # n8n reference script (report layout)
|
||||
│ └── *.pdf # Oracle CIS report PDF template
|
||||
├── nginx/
|
||||
│ └── default.conf # Reverse proxy config
|
||||
│ └── default.conf # Reverse proxy (legacy / + React /app/ + API /api/)
|
||||
├── docker-compose.yml # Orchestration
|
||||
├── logo.svg # Project logo (Oracle AI Robot)
|
||||
├── .env.example # Environment template
|
||||
@@ -562,6 +588,7 @@ oci-cis-agent/
|
||||
|--------|----------|-------------|
|
||||
| GET | `/api/embeddings/preview/{rid}` | Preview report chunks before embedding (with tenancy/regions/compartments) |
|
||||
| POST | `/api/embeddings/report/{rid}` | Generate embeddings from CIS report (chunked by section, accepts `table_name`, `report_date`) |
|
||||
| POST | `/api/embeddings/report/{rid}/file/{fid}` | Embed individual report file (CSV/TXT/JSON/PDF) into vector store |
|
||||
| POST | `/api/embeddings/upload` | Upload file (.txt/.pdf/.csv/.json/.md) and generate embeddings |
|
||||
| POST | `/api/embeddings/upload-url` | Import URL (web page or PDF), extract text, and generate embeddings |
|
||||
| POST | `/api/embeddings/consult` | Query embeddings via vector search + GenAI (natural language Q&A) |
|
||||
@@ -601,11 +628,15 @@ oci-cis-agent/
|
||||
| DELETE | `/api/chat/{sid}` | Delete chat session and messages |
|
||||
| POST | `/api/reports/run` | Execute CIS report |
|
||||
| GET | `/api/reports` | List reports |
|
||||
| DELETE | `/api/reports/{rid}` | Delete report and associated files |
|
||||
| GET | `/api/reports/{id}/html` | View HTML report |
|
||||
| GET | `/api/reports/{id}/download` | Download report |
|
||||
| GET | `/api/reports/{rid}/summary` | Report KPI summary (score, pass/fail, sections) |
|
||||
| GET | `/api/reports/{rid}/files` | List report files by category |
|
||||
| GET | `/api/reports/{rid}/files/{fid}/download` | Download individual report file |
|
||||
| GET | `/api/reports/{rid}/compliance-report` | Serve cached LAD A-Team compliance report HTML |
|
||||
| POST | `/api/reports/{rid}/compliance-report/generate` | Generate compliance report (background, with RAG) |
|
||||
| GET | `/api/reports/{rid}/compliance-report/status` | Check if compliance report is ready |
|
||||
|
||||
### CIS Engine
|
||||
|
||||
@@ -680,7 +711,7 @@ All models include OCID mapping for `us-ashburn-1`. For other regions, use the "
|
||||
| Component | Technology |
|
||||
|-----------|-----------|
|
||||
| Backend | Python 3.12, FastAPI 0.115, Uvicorn |
|
||||
| Frontend | Vanilla JS SPA, Oracle Dark Premium theme, Chart.js |
|
||||
| Frontend | React 19 SPA (Vite + TypeScript) at `/app/` + legacy Vanilla JS SPA, Oracle Dark Premium theme, Chart.js, i18n (pt/en) |
|
||||
| Auth | JWT + TOTP MFA + RBAC |
|
||||
| Database | SQLite (WAL mode) |
|
||||
| OCI SDK | `oci` 2.133.0, `oci-cli` |
|
||||
@@ -697,6 +728,7 @@ All models include OCID mapping for `us-ashburn-1`. For other regions, use the "
|
||||
|
||||
| Version | Date | Changes |
|
||||
|---------|------|---------|
|
||||
| **v2.7** | 2026-03 | **LAD A-Team CIS Compliance Report**: professional Oracle-format compliance report with cover page, TOC, Security Overview (7 pillars), CIS Assessment Summary, detailed findings with compliance % bars, RAG-powered remediation from ADB vector store (`CISRECOM` table with strict recommendation number filtering), affected resources CSV download links per non-compliant finding (JWT auth via query param). **React SPA**: 16-page React 19 frontend at `/app/` (TypeScript, Vite, Zustand, 42 source files), dual-served alongside legacy SPA via nginx. **i18n**: full internationalization with 625 keys (pt/en), language switcher persisted in localStorage. **Report management**: delete reports endpoint, embed individual report files (CSV/TXT/JSON/PDF) into vector store. **Terraform ZIP download**: replaced individual file downloads with client-side ZIP generation (pure JS, no external lib). **Explorer UX**: silent polling during start/stop actions eliminates flickering (resources update in-place without clearing the list). **Report sections collapsed by default**: HTML report and compliance report iframes start minimized. |
|
||||
| **v2.6** | 2026-03 | **Rename**: app renamed to "AI Agent — Infrastructure & Security Engineer". **Session Token Auth**: OCI session token authentication support (type selector API Key/Session Token, conditional form fields, collapsible credential form, type tags in credentials table, `SecurityTokenSigner` backend). **Terraform Workspaces submenu**: sidebar sub-tab listing all workspaces grouped by date with accordion UI, filtered by existing chat sessions (INNER JOIN), actions (plan/apply/destroy/delete/open). **Retry on failure**: "Reenviar" button on failed messages across Chat Agent, Terraform Agent, and Prompt Generator. **Terraform fixes**: `f2` undefined variable in dedup logic, `oci_core_services` false positive validation (data sources excluded), `S.tfCode` reconstruction from `S.tfFiles` for Re-plan, auto-fix button visible without pre-selected model, DRG attachment rules in system prompt. **Resilience**: stuck workspace recovery on container restart (planning/applying/destroying → reset + lock file cleanup). |
|
||||
| **v2.5** | 2026-03 | **Explorer Expansion**: KPI stats bar with per-category resource counts (cached in SQLite `explorer_counts_cache`, background refresh on compartment access), enhanced views for VCNs/Subnets/Load Balancers/Buckets with expandable cards, start/stop for DB Systems + MySQL + Container Instances (5 resource types total), dead state filtering (`TERMINATED`/`DELETED`/`DELETING` hidden across all 36 endpoints), wider compartment tree (280px), IAM excluded from compartment totals. **Prompt Generator Intelligence**: same knowledge pipeline as Terraform Agent — auto-detects resource types from user message, fetches official docs (Example Usage + Arguments) from GitHub cached in SQLite, uses compact categorized resource reference. **Network Firewall fix**: `NetworkFirewallPolicySummaryCollection` not iterable — added `.items` accessor for collection objects. |
|
||||
| **v2.4** | 2026-03 | **Terraform Safety & UX**: region safety guard (plan blocked if model omits `variable "region"` — prevents wrong-region provisioning), rollback button on apply failure (manual `terraform destroy` with "ROLLBACK" confirmation), SSH public key field in OCI configs (auto-injected into `terraform.tfvars` for compute instances), reasoning_effort uppercase fix for OCI SDK, split-panel layout (terminal right 40%, files/plan/resources below chat 60%), plan button persists after destroy. **Terraform tfvars**: expanded `oci_var_map` with `ssh_public_key`/`ssh_authorized_keys` auto-mapping from OCI config |
|
||||
|
||||
Reference in New Issue
Block a user