feat: distribution v1.0 — professional README, OKE/K8s moved to private

This commit is contained in:
nogueiraguh
2026-04-02 14:38:34 -03:00
parent abf248d714
commit db983935b1
2 changed files with 156 additions and 55 deletions

View File

@@ -1,8 +1,8 @@
<p align="center">
<img src="logo.svg" alt="AI Agent" width="96" height="96">
<img src="logo.svg" alt="A-Team Security — Infrastructure & Security Agent Engineer" width="96" height="96">
</p>
<h1 align="center">AI Agent — Infrastructure & Security Engineer</h1>
<h1 align="center">A-Team Security — Infrastructure & Security Agent Engineer</h1>
<p align="center">
<strong>Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform</strong>
@@ -13,40 +13,93 @@
<img src="https://img.shields.io/badge/OCI-GenAI-C74634?style=flat-square" alt="OCI">
<img src="https://img.shields.io/badge/docker-compose-2496ED?style=flat-square" alt="Docker">
<img src="https://img.shields.io/badge/terraform-7B42BC?style=flat-square" alt="Terraform">
<img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="License">
</p>
---
## Overview
AI Agent is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and **MCP (Model Context Protocol)** for extensible task execution.
A-Team Security Agent is a self-hosted web application that automates **CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0** compliance checks, powered by **OCI Generative AI** for intelligent analysis and an **MCP (Model Context Protocol)** server architecture for extensible task execution.
The platform runs as pre-built Docker containers — no source code required.
The platform combines security compliance scanning, AI-powered chat with **RAG (Retrieval-Augmented Generation)**, infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a **React 19 SPA** (TypeScript, Vite), **Oracle Dark Premium** theme (light/dark modes), **KPI dashboard** with compliance gauge, **i18n** (pt/en/es), and **Recharts** visualizations.
Distributed as pre-built Docker containers via **Oracle Container Registry (OCIR)** — no source code required.
---
## Features
- **AI Chat Agent** with RAG (Retrieval-Augmented Generation) + MCP Tool Use
- **Terraform Agent** for AI-powered IaC generation (plan/apply/destroy)
- **OCI Account Explorer** — 36 resource types, KPI dashboard, start/stop actions
- **OCI CLI Terminal** — web terminal with Tab autocomplete, OCID auto-lookup
- **CIS Compliance Reports** — 48 CIS + 11 OBP checks, PDF/DOCX export
- **Compliance Report** — professional Oracle-format assessment with RAG remediation
- **OCI Services Status** — auto-detect security services + OCI Health (49 regions)
- **Embeddings & Knowledge Base** — CIS PDF chunker, ADB vector store
- **Oracle IAM OIDC** — SSO via Oracle Identity Domains
- **Security** — JWT + TOTP MFA + RBAC (3 roles) + Fernet encryption + WAF
- **i18n** — Portuguese, English, Spanish
### AI Chat Agent with RAG + MCP Tool Use
- **OCI Generative AI** integration via official SDK
- **RAG (Retrieval-Augmented Generation)**: queries ADB vector store for relevant context before generating responses
- **MCP Tool Use (Function Calling)**: GenAI models call tools from registered MCP servers during chat
- **Chat Memory Compaction**: automatic summarization when conversation exceeds token limit
- **Multimodal Chat**: upload images, PDFs, and text files for AI analysis
- 16 chat models + 3 embedding models across 5 providers: **Meta** (Llama 4), **Google** (Gemini 2.5), **OpenAI** (GPT-5.2/5.1/4.1/4o, o3/o4-mini), **xAI** (Grok 4/3)
### Terraform Agent (IaC)
- **AI-powered Terraform code generation** for OCI infrastructure provisioning
- **Workspace management**: create, plan, apply, destroy Terraform workspaces
- **14-point validation checklist**: cross-references, CIDRs, security lists, HCL syntax
- **Resource type validation**: ~937 OCI resource types with close-match suggestions
- **Prompt Generator**: dedicated sub-menu for AI-powered prompt generation
### OCI Account Explorer
- **36 resource types** across 9 categories (Compute, Networking, Storage, Database, Containers, Serverless, Observability, Security, IAM)
- **KPI stats bar**: real-time resource counts per category
- **Start/Stop** Compute Instances, Autonomous Databases, DB Systems, MySQL, Container Instances
- **Tree-view navigation** with resizable compartment panel
- **Multi-region support** with checkbox selection
### OCI CLI Terminal
- **Linux-style web terminal** for OCI CLI interaction
- **Tab autocomplete**, **OCID auto-lookup** (60+ resource types), **find by name/IP**
- Per-user command history, state persists across navigation
### OCI Services
- **Service Status**: auto-detect 6 security services per tenancy via OCI API
- **OCI Health**: real-time Oracle service health from 49 regions
### CIS Compliance Reports
- Oracle's official CIS engine (48 CIS + 11 OBP checks)
- **Multiple formats**: HTML, CSV, JSON, XLSX
- **Professional Compliance Report**: Oracle-format PDF/DOCX with RAG-powered remediation
- Real-time progress tracking with phase-based progress bar
### Built-in CIS MCP Server
- **12 granular tools** for per-section scanning (IAM, Networking, Compute, Logging, Storage, Assets)
- **Parallelized data collection** with session caching
### Embeddings & Knowledge Base
- **CIS PDF Chunker**: segments by recommendation, 7000-char chunks with overlap
- **Auto-detect embedding dimension** and model selection
- **Knowledge Base**: upload documents or import URLs
- **Consult Embeddings**: chat-like interface for vector Q&A
### Security
- **JWT + TOTP MFA** (Google Authenticator / Authy compatible)
- **Oracle IAM OIDC**: SSO via Oracle Identity Domains with JIT provisioning
- **RBAC** with 3 roles: Admin, User, Viewer
- **Fernet encryption** (AES) for credentials and sensitive settings
- **User isolation**: ownership checks, private reports, per-user embeddings
- **Force password change** on first login
- Rate limiting, audit logging, non-root container execution
### Theme & UI
- **Light/Dark mode** with Oracle Dark Premium design
- **KPI Dashboard**: compliance gauge, pass/fail cards, donut chart, bar chart
- **i18n**: Portuguese, English, Spanish (850+ keys)
- **20 pages**, code splitting, Zustand state persistence
---
## Quick Start (Docker Compose)
## Quick Start
### Prerequisites
- Docker and Docker Compose
- Access to the OCI Container Registry (OCIR) with pull credentials
- Docker and Docker Compose v2
- Access to the OCI Container Registry (OCIR)
### 1. Configure
@@ -67,8 +120,8 @@ APP_SECRET=<generate with: openssl rand -hex 64>
docker login ${OCIR_REGION}.ocir.io
```
Username: `<namespace>/<username>` (or `<namespace>/oracleidentitycloudservice/<email>`)
Password: Auth Token (generate in OCI Console > Profile > Auth Tokens)
- **Username:** `<namespace>/<username>` or `<namespace>/oracleidentitycloudservice/<email>`
- **Password:** Auth Token (generate in OCI Console > Profile > Auth Tokens)
### 3. Run
@@ -97,14 +150,24 @@ For production deployment on Oracle Cloud Infrastructure with Load Balancer, WAF
### Architecture
```
Internet --> WAF --> Load Balancer (HTTPS 443)
|
Private Subnet
|
Compute Instance (ARM, Free Tier eligible)
+-- Backend container (FastAPI)
+-- Frontend container (nginx)
+-- Block Volume (/data)
+--------------------------------------------------------------+
| Oracle Cloud |
| |
| +-----------------+ +--------------------------------+ |
| | | | | |
| | WAF Policy | | Private Subnet | |
| | (OWASP rules) | | | |
| +-----------------+ | +---------------------------+ | |
| | | | Compute Instance | | |
| +-----------------+ | | (ARM, Free Tier eligible) | | |
| | | | | | | |
| | Load Balancer |---->| | Backend (FastAPI :8000) | | |
| | (HTTPS / 443) | | | Frontend (nginx :80) | | |
| | Public Subnet | | | Block Volume (/data) | | |
| | | | +---------------------------+ | |
| +-----------------+ +--------------------------------+ |
| |
+--------------------------------------------------------------+
```
### Setup
@@ -128,22 +191,23 @@ terraform apply
| Resource | Description |
|----------|-------------|
| VCN | Virtual Cloud Network with public/private subnets |
| Compute | VM.Standard.A1.Flex (ARM, Free Tier eligible) |
| Block Volume | 50GB persistent storage for /data |
| Load Balancer | Flexible 10-100 Mbps with SSL |
| WAF | OWASP protection (XSS, SQLi, path traversal) |
| OCIR | 2 private container repositories |
| DNS | Conditional — OCI DNS Zone + A record (when domain configured) |
| VCN | 10.0.0.0/16 with public/private subnets, gateways, security lists |
| Compute | VM.Standard.A1.Flex — 2 OCPU, 16GB RAM (ARM, Free Tier eligible) |
| Block Volume | 50GB persistent storage for application data |
| Load Balancer | Flexible 10-100 Mbps with SSL (self-signed or Let's Encrypt) |
| WAF | OWASP protection XSS, SQL injection, path traversal + rate limiting |
| OCIR | 2 private container repositories (backend + frontend) |
| DNS | OCI DNS Zone + A record (conditional — when domain is configured) |
### Outputs
After `terraform apply`:
```bash
terraform output load_balancer_ip # Public IP
terraform output app_url # https://<IP>
terraform output ocir_backend_url # OCIR image URL
terraform output load_balancer_ip # Public IP address
terraform output app_url # Application URL
terraform output ocir_backend_url # Backend image URL
terraform output ocir_frontend_url # Frontend image URL
```
---
@@ -152,28 +216,44 @@ terraform output ocir_backend_url # OCIR image URL
### Step 1 — OCI Credentials
Navigate to **OCI Credentials** and add your tenancy details:
Navigate to **OCI Credentials** tab and add:
| Field | Description |
|-------|-------------|
| Tenancy Name | Friendly name |
| Tenancy Name | Friendly name (e.g., `my-company`) |
| OCID Tenancy | `ocid1.tenancy.oc1..xxxxx` |
| OCID User | `ocid1.user.oc1..xxxxx` |
| Fingerprint | `aa:bb:cc:dd:...` |
| Region | `us-ashburn-1` |
| Fingerprint | `aa:bb:cc:dd:ee:ff:...` |
| Region | `sa-saopaulo-1`, `us-ashburn-1`, etc. |
| Compartment OCID | `ocid1.compartment.oc1..xxxxx` |
| Private Key | `.pem` file |
Click **Test** to validate the connection.
### Step 2 — GenAI Model
Select an OCI credential, choose a model from the catalog, and adjust parameters.
1. Select the **OCI Credential** created in Step 1
2. Choose a **model** from the catalog (16 models across 5 providers)
3. Adjust parameters (temperature, max_tokens, etc.)
### Step 3 — ADB Vector (Optional)
### Step 3 — ADB Vector + RAG (Optional)
For RAG-powered chat, configure an Autonomous Database with vector tables.
For persistent vector storage and RAG-powered chat:
1. Add DSN (from tnsnames.ora)
2. Set credentials and upload Wallet ZIP
3. Select an **Embedding Model**
4. Register vector tables
### Step 4 — MCP Servers (Optional)
Register MCP servers for extended tool use in the Chat Agent.
Register MCP servers for extended AI task execution:
| Type | Use Case |
|------|----------|
| `stdio` | Local Python scripts |
| `SSE` | Remote HTTP servers |
| `module` | Upload `.py` files directly |
---
@@ -196,10 +276,10 @@ Allow group <group-name> to read buckets in compartment <compartment-name>
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `OCIR_REGION` | Yes | — | OCI region (e.g., `us-ashburn-1`) |
| `OCIR_NAMESPACE` | Yes | — | OCIR namespace |
| `APP_SECRET` | Yes | — | 64-byte hex key for JWT/encryption |
| `JWT_EXPIRY_HOURS` | No | `12` | Token expiry |
| `OCIR_REGION` | Yes | — | OCI region for container registry |
| `OCIR_NAMESPACE` | Yes | — | OCIR tenancy namespace |
| `APP_SECRET` | Yes | — | 64-byte hex key for JWT/encryption (`openssl rand -hex 64`) |
| `JWT_EXPIRY_HOURS` | No | `12` | Token expiry in hours |
| `PORT` | No | `8080` | Frontend port |
| `CORS_ORIGINS` | No | — | Allowed origins (comma-separated) |
| `TZ` | No | `America/Sao_Paulo` | Timezone |
@@ -212,13 +292,13 @@ Allow group <group-name> to read buckets in compartment <compartment-name>
Verify your `docker login` credentials and that the OCIR repositories exist in your namespace.
**Backend health check fails:**
Check logs: `docker compose logs backend`. Ensure `APP_SECRET` is set.
Check logs: `docker compose logs backend`. Ensure `APP_SECRET` is set in `.env`.
**ADB connection fails:**
Ensure the wallet ZIP is uploaded and the DSN matches a service in `tnsnames.ora`.
**ADB connection fails (`DPY-6005`):**
Ensure the wallet ZIP contains `tnsnames.ora` and `ewallet.pem`. The DSN must match a service name in `tnsnames.ora`.
**GenAI returns 401/403:**
Verify the IAM policy for `generative-ai-family` exists for your user/group.
Verify the IAM policy `Allow group ... to use generative-ai-family in compartment ...` exists.
---
@@ -229,5 +309,5 @@ MIT
---
<p align="center">
<sub>Built for Oracle Cloud Infrastructure security compliance</sub>
<sub>Built for Oracle Cloud Infrastructure security compliance by LAD A-Team</sub>
</p>

21
distribution/logo.svg Normal file
View File

@@ -0,0 +1,21 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 36 36" width="128" height="128">
<!-- Oracle-style rounded rectangle -->
<rect x="2" y="5" width="32" height="26" rx="13" ry="13" fill="rgba(199,70,52,0.08)" stroke="#C74634" stroke-width="2"/>
<!-- Robot head -->
<rect x="11" y="11" width="14" height="14" rx="4" fill="#fff" stroke="#C74634" stroke-width="0.5"/>
<!-- Eyes -->
<circle cx="15" cy="17" r="2" fill="#C74634"/>
<circle cx="21" cy="17" r="2" fill="#C74634"/>
<circle cx="15" cy="16.7" r="0.7" fill="#fff"/>
<circle cx="21" cy="16.7" r="0.7" fill="#fff"/>
<!-- Mouth -->
<rect x="14" y="21" width="8" height="1.5" rx="0.75" fill="#C74634" opacity="0.6"/>
<!-- Antenna -->
<line x1="18" y1="11" x2="18" y2="6" stroke="#C74634" stroke-width="1.2" stroke-linecap="round"/>
<circle cx="18" cy="5.5" r="1.5" fill="#C74634" opacity="0.3" stroke="#C74634" stroke-width="0.8"/>
<!-- Ears/signal -->
<line x1="11" y1="18" x2="6" y2="18" stroke="#C74634" stroke-width="1" stroke-linecap="round" opacity="0.5"/>
<line x1="25" y1="18" x2="30" y2="18" stroke="#C74634" stroke-width="1" stroke-linecap="round" opacity="0.5"/>
<circle cx="5.5" cy="18" r="1" fill="#C74634" opacity="0.4"/>
<circle cx="30.5" cy="18" r="1" fill="#C74634" opacity="0.4"/>
</svg>

After

Width:  |  Height:  |  Size: 1.3 KiB