Files
A-Team-Security-Infra-Agent…/backend/app.py
nogueiraguh 2c3fb724bf feat: add RAG pipeline with OCI GenAI embeddings and ADB vector search
Integrate Retrieval-Augmented Generation into the chat flow using OCI
GenAI embed_text API and Oracle Autonomous Database vector storage.
The chat automatically queries ADB for relevant context when an active
ADB config with a linked GenAI config exists.

- Add EMBEDDING_MODELS catalog (Cohere Embed v3.0/light)
- Add _embed_text() using OCI GenAI SDK embed endpoint
- Add _vector_search() with VECTOR_DISTANCE cosine similarity
- Add _get_adb_connection(), _ensure_embeddings_table(), _build_rag_context()
- Add document ingestion endpoint (POST /api/adb/{vid}/ingest)
- Add table creation endpoint (POST /api/adb/{vid}/ensure-table)
- Modify chat endpoint with automatic RAG augmentation (non-fatal)
- Add GenAI config and embedding model selectors to ADB UI
- Add RAG status indicator in chat toolbar
- Add document ingestion section in ADB tab
2026-03-02 19:48:53 -03:00

1152 lines
60 KiB
Python

"""
OCI CIS AI Agent - Backend API v1.1
FastAPI with JWT auth, TOTP MFA, RBAC, OCI GenAI (exact SDK pattern),
OCI Account Explorer, MCP Server registry with VectorDB tool integration,
Autonomous DB vector storage, CIS reports, chat agent, audit log.
"""
import os, json, uuid, hashlib, hmac, time, base64, struct, secrets, subprocess
import shutil, asyncio, sqlite3, logging, socket, re
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional, List, Dict, Any
from contextlib import contextmanager
from fastapi import (
FastAPI, HTTPException, Depends, Request, UploadFile, File, Form,
Query, BackgroundTasks
)
from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import JSONResponse, FileResponse
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from pydantic import BaseModel
import jwt as pyjwt
# ── Config ────────────────────────────────────────────────────────────────────
APP_SECRET = os.environ.get("APP_SECRET", secrets.token_hex(32))
JWT_ALG = "HS256"
JWT_EXP_H = int(os.environ.get("JWT_EXPIRY_HOURS", "12"))
DATA = Path(os.environ.get("DATA_DIR", "/data"))
DB_PATH = DATA / "agent.db"
OCI_DIR = DATA / "oci_configs"
REPORTS = DATA / "reports"
MCP_DIR = DATA / "mcp_servers"
WALLET_DIR = DATA / "wallets"
VERSION = "1.1"
for d in [DATA, OCI_DIR, REPORTS, MCP_DIR, WALLET_DIR]:
d.mkdir(parents=True, exist_ok=True)
logging.basicConfig(level=logging.INFO)
log = logging.getLogger("agent")
app = FastAPI(title="OCI CIS AI Agent", version=VERSION)
app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_credentials=True,
allow_methods=["*"], allow_headers=["*"])
security = HTTPBearer()
# ── OCI GenAI Models Catalog ──────────────────────────────────────────────────
GENAI_MODELS = {
"cohere.command-a-03-2025": {"provider":"cohere","name":"Cohere Command A","api_format":"COHERE"},
"cohere.command-r-plus-08-2024": {"provider":"cohere","name":"Cohere Command R+ (08-2024)","api_format":"COHERE"},
"cohere.command-r-08-2024": {"provider":"cohere","name":"Cohere Command R (08-2024)","api_format":"COHERE"},
"meta.llama-4-maverick": {"provider":"meta","name":"Meta Llama 4 Maverick","api_format":"GENERIC"},
"meta.llama-4-scout": {"provider":"meta","name":"Meta Llama 4 Scout","api_format":"GENERIC"},
"meta.llama-3.3-70b-instruct": {"provider":"meta","name":"Meta Llama 3.3 (70B)","api_format":"GENERIC"},
"meta.llama-3.2-90b-vision-instruct": {"provider":"meta","name":"Meta Llama 3.2 90B Vision","api_format":"GENERIC"},
"meta.llama-3.1-405b-instruct": {"provider":"meta","name":"Meta Llama 3.1 (405B)","api_format":"GENERIC"},
"google.gemini-2.5-pro": {"provider":"google","name":"Google Gemini 2.5 Pro","api_format":"GENERIC"},
"google.gemini-2.5-flash": {"provider":"google","name":"Google Gemini 2.5 Flash","api_format":"GENERIC"},
"xai.grok-4": {"provider":"xai","name":"xAI Grok 4","api_format":"GENERIC"},
"xai.grok-3": {"provider":"xai","name":"xAI Grok 3","api_format":"GENERIC"},
}
EMBEDDING_MODELS = {
"cohere.embed-english-v3.0": {"name":"Cohere Embed English v3.0","dims":1024},
"cohere.embed-multilingual-v3.0": {"name":"Cohere Embed Multilingual v3.0","dims":1024},
"cohere.embed-english-light-v3.0": {"name":"Cohere Embed English Light v3.0","dims":384},
"cohere.embed-multilingual-light-v3.0": {"name":"Cohere Embed Multilingual Light v3.0","dims":384},
}
GENAI_REGIONS = [
"us-chicago-1","us-ashburn-1","us-phoenix-1","uk-london-1",
"eu-frankfurt-1","ap-tokyo-1","ap-osaka-1","sa-saopaulo-1",
"ca-toronto-1","ap-melbourne-1","ap-mumbai-1","eu-amsterdam-1",
"me-jeddah-1","ap-singapore-1","ap-seoul-1","sa-vinhedo-1",
]
# ── Database ──────────────────────────────────────────────────────────────────
@contextmanager
def db():
conn = sqlite3.connect(str(DB_PATH))
conn.row_factory = sqlite3.Row
conn.execute("PRAGMA journal_mode=WAL")
conn.execute("PRAGMA foreign_keys=ON")
try:
yield conn
conn.commit()
finally:
conn.close()
def init_db():
with db() as c:
c.executescript("""
CREATE TABLE IF NOT EXISTS users (
id TEXT PRIMARY KEY,
first_name TEXT NOT NULL,
last_name TEXT NOT NULL,
username TEXT UNIQUE NOT NULL,
email TEXT,
password_hash TEXT NOT NULL, role TEXT NOT NULL DEFAULT 'viewer',
mfa_secret TEXT, mfa_enabled INTEGER DEFAULT 0,
is_active INTEGER DEFAULT 1,
created_at TEXT DEFAULT (datetime('now')),
last_login TEXT
);
CREATE TABLE IF NOT EXISTS sessions (
id TEXT PRIMARY KEY, user_id TEXT NOT NULL,
created_at TEXT DEFAULT (datetime('now')),
expires_at TEXT NOT NULL, is_active INTEGER DEFAULT 1
);
CREATE TABLE IF NOT EXISTS oci_configs (
id TEXT PRIMARY KEY, user_id TEXT NOT NULL,
tenancy_name TEXT NOT NULL, tenancy_ocid TEXT NOT NULL,
user_ocid TEXT NOT NULL, fingerprint TEXT NOT NULL,
region TEXT NOT NULL, key_file_path TEXT NOT NULL,
compartment_id TEXT,
created_at TEXT DEFAULT (datetime('now'))
);
CREATE TABLE IF NOT EXISTS genai_configs (
id TEXT PRIMARY KEY, user_id TEXT NOT NULL,
name TEXT NOT NULL DEFAULT 'default',
oci_config_id TEXT NOT NULL,
model_id TEXT NOT NULL,
model_ocid TEXT,
compartment_id TEXT NOT NULL,
genai_region TEXT NOT NULL,
endpoint TEXT NOT NULL,
serving_type TEXT DEFAULT 'ON_DEMAND',
dedicated_endpoint_id TEXT,
temperature REAL DEFAULT 1,
max_tokens INTEGER DEFAULT 6000,
top_p REAL DEFAULT 0.95,
top_k INTEGER DEFAULT 1,
frequency_penalty REAL DEFAULT 0,
presence_penalty REAL DEFAULT 0,
is_default INTEGER DEFAULT 0,
created_at TEXT DEFAULT (datetime('now')),
FOREIGN KEY (oci_config_id) REFERENCES oci_configs(id)
);
CREATE TABLE IF NOT EXISTS reports (
id TEXT PRIMARY KEY, user_id TEXT NOT NULL,
tenancy_name TEXT NOT NULL, config_id TEXT,
mcp_server_id TEXT,
status TEXT DEFAULT 'pending', report_data TEXT,
html_path TEXT, json_path TEXT,
created_at TEXT DEFAULT (datetime('now')),
completed_at TEXT, error_msg TEXT
);
CREATE TABLE IF NOT EXISTS adb_vector_configs (
id TEXT PRIMARY KEY, user_id TEXT NOT NULL,
config_name TEXT NOT NULL,
dsn TEXT NOT NULL,
username TEXT NOT NULL,
password_enc TEXT NOT NULL,
wallet_dir TEXT,
wallet_password_enc TEXT,
table_name TEXT DEFAULT 'CIS_EMBEDDINGS',
use_mtls INTEGER DEFAULT 1,
is_active INTEGER DEFAULT 1,
created_at TEXT DEFAULT (datetime('now'))
);
CREATE TABLE IF NOT EXISTS mcp_servers (
id TEXT PRIMARY KEY, user_id TEXT NOT NULL,
name TEXT NOT NULL, description TEXT,
server_type TEXT NOT NULL DEFAULT 'stdio',
command TEXT, args TEXT, env_vars TEXT,
url TEXT, module_path TEXT,
tools TEXT,
linked_adb_id TEXT,
is_active INTEGER DEFAULT 1,
created_at TEXT DEFAULT (datetime('now'))
);
CREATE TABLE IF NOT EXISTS chat_messages (
id TEXT PRIMARY KEY, session_id TEXT NOT NULL,
user_id TEXT NOT NULL, role TEXT NOT NULL,
content TEXT NOT NULL,
model_id TEXT,
created_at TEXT DEFAULT (datetime('now'))
);
CREATE TABLE IF NOT EXISTS audit_log (
id TEXT PRIMARY KEY, user_id TEXT, username TEXT,
action TEXT NOT NULL, resource TEXT, details TEXT,
ip TEXT, created_at TEXT DEFAULT (datetime('now'))
);
""")
# ── Migrations ──
for col in ["genai_config_id TEXT", "embedding_model_id TEXT DEFAULT 'cohere.embed-multilingual-v3.0'"]:
try:
c.execute(f"ALTER TABLE adb_vector_configs ADD COLUMN {col}")
except sqlite3.OperationalError:
pass
adm = c.execute("SELECT id FROM users WHERE username='admin'").fetchone()
if not adm:
c.execute(
"INSERT INTO users (id,first_name,last_name,username,email,password_hash,role) VALUES (?,?,?,?,?,?,?)",
(str(uuid.uuid4()), "Admin", "Sistema", "admin", "admin@local", _hash_pw("admin123"), "admin")
)
log.info("Default admin created: admin / admin123")
# ── Crypto helpers ────────────────────────────────────────────────────────────
def _hash_pw(pw): salt=secrets.token_hex(16); h=hashlib.pbkdf2_hmac("sha256",pw.encode(),salt.encode(),100_000); return f"{salt}:{h.hex()}"
def _verify_pw(pw,stored): salt,h=stored.split(":"); return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256",pw.encode(),salt.encode(),100_000).hex(),h)
def _totp_secret(): return base64.b32encode(secrets.token_bytes(20)).decode()
def _totp_verify(secret,code,window=1):
key=base64.b32decode(secret); now=int(time.time())//30
for off in range(-window,window+1):
msg=struct.pack(">Q",now+off); h=hmac.new(key,msg,hashlib.sha1).digest(); o=h[-1]&0x0F
c=str((struct.unpack(">I",h[o:o+4])[0]&0x7FFFFFFF)%1_000_000).zfill(6)
if hmac.compare_digest(c,code): return True
return False
def _totp_uri(secret,user): return f"otpauth://totp/OCI-CIS-Agent:{user}?secret={secret}&issuer=OCI-CIS-Agent"
def _make_token(uid,role,sid):
return pyjwt.encode({"sub":uid,"role":role,"sid":sid,"exp":datetime.utcnow()+timedelta(hours=JWT_EXP_H),"iat":datetime.utcnow()},APP_SECRET,algorithm=JWT_ALG)
def _enc(v): return base64.b64encode(v.encode()).decode()
def _dec(v): return base64.b64decode(v.encode()).decode()
# ── OCI SDK Client Helper ─────────────────────────────────────────────────────
def _get_oci_config(oci_config_id: str) -> dict:
import oci
config_path = str(OCI_DIR / oci_config_id / "config")
return oci.config.from_file(config_path, "DEFAULT")
# ── Auth deps ─────────────────────────────────────────────────────────────────
async def current_user(cred: HTTPAuthorizationCredentials = Depends(security)):
try: p = pyjwt.decode(cred.credentials, APP_SECRET, algorithms=[JWT_ALG])
except pyjwt.ExpiredSignatureError: raise HTTPException(401, "Token expirado")
except pyjwt.InvalidTokenError: raise HTTPException(401, "Token inválido")
with db() as c:
u = c.execute("SELECT * FROM users WHERE id=? AND is_active=1", (p["sub"],)).fetchone()
s = c.execute("SELECT * FROM sessions WHERE id=? AND is_active=1", (p["sid"],)).fetchone()
if not u or not s: raise HTTPException(401, "Sessão inválida")
return dict(u)
def require(*roles):
async def dep(u=Depends(current_user)):
if u["role"] not in roles: raise HTTPException(403, f"Requer role: {', '.join(roles)}")
return u
return dep
def _audit(uid, uname, action, resource=None, details=None, ip=None):
with db() as c:
c.execute("INSERT INTO audit_log (id,user_id,username,action,resource,details,ip) VALUES (?,?,?,?,?,?,?)",
(str(uuid.uuid4()), uid, uname, action, resource, details, ip))
# ── Models ────────────────────────────────────────────────────────────────────
class LoginReq(BaseModel):
username: str; password: str; totp_code: Optional[str] = None
class RegisterReq(BaseModel):
first_name: str; last_name: str; username: str; email: str; password: str; role: str = "viewer"
class TOTPVerify(BaseModel):
totp_code: str
class ChangePwReq(BaseModel):
current_password: str; new_password: str
class UserUpdateReq(BaseModel):
email: Optional[str] = None; role: Optional[str] = None; is_active: Optional[bool] = None
class ChatMsg(BaseModel):
message: str; session_id: Optional[str] = None; genai_config_id: Optional[str] = None
class RunReportReq(BaseModel):
config_id: str; mcp_server_id: Optional[str] = None; regions: Optional[List[str]] = None
class GenAIConfigReq(BaseModel):
name: str = "default"
oci_config_id: str; model_id: str; model_ocid: Optional[str] = None
compartment_id: str; genai_region: str
endpoint: Optional[str] = None
serving_type: str = "ON_DEMAND"; dedicated_endpoint_id: Optional[str] = None
temperature: float = 1; max_tokens: int = 6000; top_p: float = 0.95
top_k: int = 1; frequency_penalty: float = 0; presence_penalty: float = 0
is_default: bool = False
class ADBVectorReq(BaseModel):
config_name: str; dsn: str; username: str; password: str
wallet_password: Optional[str] = None; table_name: str = "CIS_EMBEDDINGS"; use_mtls: bool = True
genai_config_id: Optional[str] = None; embedding_model_id: str = "cohere.embed-multilingual-v3.0"
class IngestDocReq(BaseModel):
adb_config_id: str; documents: List[Dict[str, Any]]
class MCPServerReq(BaseModel):
name: str; description: Optional[str] = None; server_type: str = "stdio"
command: Optional[str] = None; args: Optional[List[str]] = None
env_vars: Optional[Dict[str,str]] = None; url: Optional[str] = None
module_path: Optional[str] = None; tools: Optional[List[str]] = None
linked_adb_id: Optional[str] = None
# ── Auth endpoints ────────────────────────────────────────────────────────────
@app.post("/api/auth/login")
async def login(req: LoginReq, request: Request):
with db() as c:
u = c.execute("SELECT * FROM users WHERE username=? AND is_active=1", (req.username,)).fetchone()
if not u or not _verify_pw(req.password, u["password_hash"]): raise HTTPException(401, "Credenciais inválidas")
u = dict(u)
if u["mfa_enabled"]:
if not req.totp_code: return {"mfa_required": True, "message": "Código MFA necessário"}
if not _totp_verify(u["mfa_secret"], req.totp_code): raise HTTPException(401, "Código MFA inválido")
sid = str(uuid.uuid4()); exp = (datetime.utcnow()+timedelta(hours=JWT_EXP_H)).isoformat()
with db() as c:
c.execute("INSERT INTO sessions (id,user_id,expires_at) VALUES (?,?,?)", (sid, u["id"], exp))
c.execute("UPDATE users SET last_login=datetime('now') WHERE id=?", (u["id"],))
_audit(u["id"], u["username"], "login", ip=request.client.host if request.client else None)
return {"token":_make_token(u["id"],u["role"],sid),
"user":{"id":u["id"],"first_name":u["first_name"],"last_name":u["last_name"],"username":u["username"],"email":u["email"],"role":u["role"],"mfa_enabled":bool(u["mfa_enabled"])}}
@app.post("/api/auth/logout")
async def logout_ep(u=Depends(current_user)):
with db() as c: c.execute("UPDATE sessions SET is_active=0 WHERE user_id=?", (u["id"],))
return {"ok": True}
@app.post("/api/auth/register")
async def register(req: RegisterReq, adm=Depends(require("admin"))):
if req.role not in ("admin","user","viewer"): raise HTTPException(400, "Role inválida")
uid = str(uuid.uuid4())
with db() as c:
if c.execute("SELECT 1 FROM users WHERE username=?", (req.username,)).fetchone(): raise HTTPException(400, "Usuário já existe")
c.execute("INSERT INTO users (id,first_name,last_name,username,email,password_hash,role) VALUES (?,?,?,?,?,?,?)",
(uid, req.first_name, req.last_name, req.username, req.email, _hash_pw(req.password), req.role))
_audit(adm["id"], adm["username"], "create_user", uid, f"user={req.username} role={req.role}")
return {"id": uid, "username": req.username, "role": req.role}
@app.post("/api/auth/change-password")
async def change_pw(req: ChangePwReq, u=Depends(current_user)):
if not _verify_pw(req.current_password, u["password_hash"]): raise HTTPException(400, "Senha atual incorreta")
with db() as c: c.execute("UPDATE users SET password_hash=? WHERE id=?", (_hash_pw(req.new_password), u["id"]))
return {"ok": True}
# ── MFA ───────────────────────────────────────────────────────────────────────
@app.post("/api/mfa/setup")
async def mfa_setup(u=Depends(current_user)):
sec = _totp_secret()
with db() as c: c.execute("UPDATE users SET mfa_secret=? WHERE id=?", (sec, u["id"]))
return {"secret": sec, "uri": _totp_uri(sec, u["username"])}
@app.post("/api/mfa/verify")
async def mfa_verify(req: TOTPVerify, u=Depends(current_user)):
if not u.get("mfa_secret"): raise HTTPException(400, "Chame /api/mfa/setup primeiro")
if not _totp_verify(u["mfa_secret"], req.totp_code): raise HTTPException(400, "Código inválido")
with db() as c: c.execute("UPDATE users SET mfa_enabled=1 WHERE id=?", (u["id"],))
return {"ok": True, "message": "MFA ativado"}
@app.post("/api/mfa/disable/{user_id}")
async def mfa_disable(user_id: str, adm=Depends(require("admin"))):
with db() as c: c.execute("UPDATE users SET mfa_enabled=0,mfa_secret=NULL WHERE id=?", (user_id,))
_audit(adm["id"], adm["username"], "disable_mfa", user_id)
return {"ok": True}
# ── Users ─────────────────────────────────────────────────────────────────────
@app.get("/api/users")
async def list_users(u=Depends(require("admin"))):
with db() as c: rows = c.execute("SELECT id,first_name,last_name,username,email,role,mfa_enabled,is_active,created_at,last_login FROM users").fetchall()
return [dict(r) for r in rows]
@app.get("/api/users/me")
async def me(u=Depends(current_user)):
return {k: u[k] for k in ("id","first_name","last_name","username","email","role","mfa_enabled")}
@app.put("/api/users/{uid}")
async def update_user(uid: str, req: UserUpdateReq, adm=Depends(require("admin"))):
sets, vals = [], []
if req.email is not None: sets.append("email=?"); vals.append(req.email)
if req.role is not None:
if req.role not in ("admin","user","viewer"): raise HTTPException(400, "Role inválida")
sets.append("role=?"); vals.append(req.role)
if req.is_active is not None: sets.append("is_active=?"); vals.append(int(req.is_active))
if sets:
vals.append(uid)
with db() as c: c.execute(f"UPDATE users SET {','.join(sets)} WHERE id=?", vals)
_audit(adm["id"], adm["username"], "update_user", uid)
return {"ok": True}
@app.delete("/api/users/{uid}")
async def del_user(uid: str, adm=Depends(require("admin"))):
if uid == adm["id"]: raise HTTPException(400, "Não pode desativar a si mesmo")
with db() as c: c.execute("UPDATE users SET is_active=0 WHERE id=?", (uid,))
_audit(adm["id"], adm["username"], "deactivate_user", uid)
return {"ok": True}
# ── OCI Config ────────────────────────────────────────────────────────────────
@app.post("/api/oci/config")
async def save_oci(
tenancy_name: str = Form(...), tenancy_ocid: str = Form(...),
user_ocid: str = Form(...), fingerprint: str = Form(...),
region: str = Form(...), compartment_id: str = Form(""),
private_key: UploadFile = File(...), public_key: Optional[UploadFile] = File(None),
u = Depends(require("admin","user"))
):
cid = str(uuid.uuid4()); cdir = OCI_DIR / cid; cdir.mkdir(parents=True)
kp = cdir / "oci_api_key.pem"
kp.write_bytes(await private_key.read()); kp.chmod(0o600)
if public_key: (cdir / "oci_api_key_public.pem").write_bytes(await public_key.read())
cfg_file = cdir / "config"
cfg_file.write_text(
f"[DEFAULT]\nuser={user_ocid}\nfingerprint={fingerprint}\n"
f"tenancy={tenancy_ocid}\nregion={region}\nkey_file={kp}\n")
cfg_file.chmod(0o600)
with db() as c:
c.execute("INSERT INTO oci_configs (id,user_id,tenancy_name,tenancy_ocid,user_ocid,fingerprint,region,key_file_path,compartment_id) VALUES (?,?,?,?,?,?,?,?,?)",
(cid, u["id"], tenancy_name, tenancy_ocid, user_ocid, fingerprint, region, str(kp), compartment_id or None))
_audit(u["id"], u["username"], "save_oci_config", cid, f"tenancy={tenancy_name}")
return {"id": cid, "tenancy_name": tenancy_name, "region": region}
@app.get("/api/oci/configs")
async def list_oci(u=Depends(current_user)):
with db() as c:
if u["role"]=="admin": rows=c.execute("SELECT id,user_id,tenancy_name,tenancy_ocid,region,compartment_id,created_at FROM oci_configs").fetchall()
else: rows=c.execute("SELECT id,user_id,tenancy_name,tenancy_ocid,region,compartment_id,created_at FROM oci_configs WHERE user_id=?",(u["id"],)).fetchall()
return [dict(r) for r in rows]
@app.delete("/api/oci/configs/{cid}")
async def del_oci(cid: str, u=Depends(require("admin","user"))):
with db() as c:
cfg=c.execute("SELECT * FROM oci_configs WHERE id=?",(cid,)).fetchone()
if not cfg: raise HTTPException(404)
if u["role"]!="admin" and cfg["user_id"]!=u["id"]: raise HTTPException(403)
c.execute("DELETE FROM oci_configs WHERE id=?",(cid,))
d=OCI_DIR/cid
if d.exists(): shutil.rmtree(d)
return {"ok": True}
@app.post("/api/oci/test/{cid}")
async def test_oci(cid: str, u=Depends(require("admin","user"))):
cp = OCI_DIR / cid / "config"
if not cp.exists(): return {"status":"error","message":"Config não encontrada"}
try:
r = subprocess.run(["oci","iam","region","list","--config-file",str(cp),"--output","json"], capture_output=True, text=True, timeout=30)
if r.returncode == 0: return {"status":"success","message":"Conexão OK","data":json.loads(r.stdout)}
return {"status":"error","message":r.stderr[:500]}
except FileNotFoundError: return {"status":"error","message":"OCI CLI não disponível no container."}
except subprocess.TimeoutExpired: return {"status":"error","message":"Timeout na conexão"}
except Exception as e: return {"status":"error","message":str(e)}
# ── OCI Account Explorer ──────────────────────────────────────────────────────
@app.get("/api/oci/explore/{cid}/compartments")
async def explore_compartments(cid: str, u=Depends(current_user)):
try:
import oci
config = _get_oci_config(cid)
identity = oci.identity.IdentityClient(config)
with db() as c:
cfg = c.execute("SELECT tenancy_ocid,compartment_id FROM oci_configs WHERE id=?", (cid,)).fetchone()
root = cfg["compartment_id"] or cfg["tenancy_ocid"]
comps = identity.list_compartments(root, compartment_id_in_subtree=True).data
return [{"id":cp.id,"name":cp.name,"lifecycle_state":cp.lifecycle_state,"description":cp.description or ""} for cp in comps if cp.lifecycle_state == "ACTIVE"]
except Exception as e:
return {"error": str(e)[:500]}
@app.get("/api/oci/explore/{cid}/regions")
async def explore_regions(cid: str, u=Depends(current_user)):
try:
import oci
config = _get_oci_config(cid)
identity = oci.identity.IdentityClient(config)
with db() as c:
cfg = c.execute("SELECT tenancy_ocid FROM oci_configs WHERE id=?", (cid,)).fetchone()
regions = identity.list_region_subscriptions(cfg["tenancy_ocid"]).data
return [{"name":r.region_name,"key":r.region_key,"status":r.status,"is_home":r.is_home_region} for r in regions]
except Exception as e:
return {"error": str(e)[:500]}
@app.get("/api/oci/explore/{cid}/vcns")
async def explore_vcns(cid: str, compartment_id: str = Query(None), u=Depends(current_user)):
try:
import oci
config = _get_oci_config(cid)
vn = oci.core.VirtualNetworkClient(config)
with db() as c:
cfg = c.execute("SELECT tenancy_ocid,compartment_id FROM oci_configs WHERE id=?", (cid,)).fetchone()
comp = compartment_id or cfg["compartment_id"] or cfg["tenancy_ocid"]
vcns = vn.list_vcns(comp).data
return [{"id":v.id,"display_name":v.display_name,"cidr_blocks":v.cidr_blocks,"lifecycle_state":v.lifecycle_state} for v in vcns]
except Exception as e:
return {"error": str(e)[:500]}
@app.get("/api/oci/explore/{cid}/instances")
async def explore_instances(cid: str, compartment_id: str = Query(None), u=Depends(current_user)):
try:
import oci
config = _get_oci_config(cid)
compute = oci.core.ComputeClient(config)
with db() as c:
cfg = c.execute("SELECT tenancy_ocid,compartment_id FROM oci_configs WHERE id=?", (cid,)).fetchone()
comp = compartment_id or cfg["compartment_id"] or cfg["tenancy_ocid"]
insts = compute.list_instances(comp).data
return [{"id":i.id,"display_name":i.display_name,"shape":i.shape,"lifecycle_state":i.lifecycle_state,"region":i.region,"time_created":str(i.time_created)} for i in insts]
except Exception as e:
return {"error": str(e)[:500]}
@app.get("/api/oci/explore/{cid}/databases")
async def explore_databases(cid: str, compartment_id: str = Query(None), u=Depends(current_user)):
try:
import oci
config = _get_oci_config(cid)
db_client = oci.database.DatabaseClient(config)
with db() as c:
cfg = c.execute("SELECT tenancy_ocid,compartment_id FROM oci_configs WHERE id=?", (cid,)).fetchone()
comp = compartment_id or cfg["compartment_id"] or cfg["tenancy_ocid"]
adbs = db_client.list_autonomous_databases(comp).data
return [{"id":a.id,"display_name":a.display_name,"db_name":a.db_name,"lifecycle_state":a.lifecycle_state,
"cpu_core_count":a.cpu_core_count,"data_storage_size_in_tbs":a.data_storage_size_in_tbs,
"is_free_tier":a.is_free_tier} for a in adbs]
except Exception as e:
return {"error": str(e)[:500]}
@app.get("/api/oci/explore/{cid}/buckets")
async def explore_buckets(cid: str, compartment_id: str = Query(None), u=Depends(current_user)):
try:
import oci
config = _get_oci_config(cid)
os_client = oci.object_storage.ObjectStorageClient(config)
namespace = os_client.get_namespace().data
with db() as c:
cfg = c.execute("SELECT tenancy_ocid,compartment_id FROM oci_configs WHERE id=?", (cid,)).fetchone()
comp = compartment_id or cfg["compartment_id"] or cfg["tenancy_ocid"]
buckets = os_client.list_buckets(namespace, comp).data
return [{"name":b.name,"namespace":b.namespace,"time_created":str(b.time_created)} for b in buckets]
except Exception as e:
return {"error": str(e)[:500]}
# ── OCI GenAI Config & Chat ───────────────────────────────────────────────────
@app.get("/api/genai/models")
async def list_genai_models(u=Depends(current_user)):
return {"models": GENAI_MODELS, "regions": GENAI_REGIONS, "embedding_models": EMBEDDING_MODELS}
@app.post("/api/genai/config")
async def save_genai(req: GenAIConfigReq, u=Depends(require("admin","user"))):
gid = str(uuid.uuid4())
ep = req.endpoint or f"https://inference.generativeai.{req.genai_region}.oci.oraclecloud.com"
with db() as c:
if req.is_default:
c.execute("UPDATE genai_configs SET is_default=0 WHERE user_id=?", (u["id"],))
c.execute(
"""INSERT INTO genai_configs (id,user_id,name,oci_config_id,model_id,model_ocid,compartment_id,
genai_region,endpoint,serving_type,dedicated_endpoint_id,temperature,max_tokens,top_p,top_k,
frequency_penalty,presence_penalty,is_default) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)""",
(gid, u["id"], req.name, req.oci_config_id, req.model_id, req.model_ocid,
req.compartment_id, req.genai_region, ep, req.serving_type, req.dedicated_endpoint_id,
req.temperature, req.max_tokens, req.top_p, req.top_k,
req.frequency_penalty, req.presence_penalty, int(req.is_default)))
_audit(u["id"], u["username"], "save_genai_config", gid, req.model_id)
return {"id": gid, "model_id": req.model_id, "endpoint": ep}
@app.get("/api/genai/configs")
async def list_genai(u=Depends(current_user)):
with db() as c:
if u["role"]=="admin": rows=c.execute("SELECT * FROM genai_configs").fetchall()
else: rows=c.execute("SELECT * FROM genai_configs WHERE user_id=?",(u["id"],)).fetchall()
return [dict(r) for r in rows]
@app.delete("/api/genai/configs/{gid}")
async def del_genai(gid: str, u=Depends(require("admin","user"))):
with db() as c: c.execute("DELETE FROM genai_configs WHERE id=?", (gid,))
return {"ok": True}
@app.post("/api/genai/test/{gid}")
async def test_genai(gid: str, u=Depends(require("admin","user"))):
with db() as c:
gc = c.execute("SELECT * FROM genai_configs WHERE id=?",(gid,)).fetchone()
if not gc: raise HTTPException(404)
try:
resp = _call_genai(dict(gc), "Say 'connection successful' in one short sentence.")
return {"status":"success","message":"GenAI OK","response":resp[:300]}
except Exception as e:
return {"status":"error","message":str(e)[:500]}
def _call_genai(gc: dict, message: str, history: list = None) -> str:
"""
Call OCI Generative AI using the exact SDK pattern from chat_demo.py.
Uses oci.generative_ai_inference with proper Message/TextContent objects.
"""
import oci
# Load OCI config from stored credentials (same as ~/.oci/config)
config_path = str(OCI_DIR / gc["oci_config_id"] / "config")
config = oci.config.from_file(config_path, "DEFAULT")
# Service endpoint - built from region
endpoint = gc["endpoint"]
# Create inference client with retry strategy and timeout
generative_ai_inference_client = oci.generative_ai_inference.GenerativeAiInferenceClient(
config=config,
service_endpoint=endpoint,
retry_strategy=oci.retry.NoneRetryStrategy(),
timeout=(10, 240)
)
# Build ChatDetails
chat_detail = oci.generative_ai_inference.models.ChatDetails()
# Determine API format from model catalog
model_info = GENAI_MODELS.get(gc["model_id"], {})
api_format = model_info.get("api_format", "GENERIC")
if api_format == "COHERE":
# ── Cohere models (CohereChatRequest) ──
chat_request = oci.generative_ai_inference.models.CohereChatRequest()
chat_request.api_format = oci.generative_ai_inference.models.BaseChatRequest.API_FORMAT_COHERE
chat_request.message = message
chat_request.max_tokens = int(gc.get("max_tokens", 6000))
chat_request.temperature = float(gc.get("temperature", 1))
chat_request.frequency_penalty = float(gc.get("frequency_penalty", 0))
chat_request.presence_penalty = float(gc.get("presence_penalty", 0))
chat_request.top_p = float(gc.get("top_p", 0.95))
chat_request.top_k = int(gc.get("top_k", 1))
if history:
chat_history = []
for h in history:
entry = oci.generative_ai_inference.models.CohereMessage()
entry.role = "USER" if h["role"] == "user" else "CHATBOT"
entry.message = h["content"]
chat_history.append(entry)
chat_request.chat_history = chat_history
else:
# ── Generic format (Meta Llama, Google, xAI) - exact chat_demo.py pattern ──
chat_request = oci.generative_ai_inference.models.GenericChatRequest()
chat_request.api_format = oci.generative_ai_inference.models.BaseChatRequest.API_FORMAT_GENERIC
chat_request.max_tokens = int(gc.get("max_tokens", 6000))
chat_request.temperature = float(gc.get("temperature", 1))
chat_request.frequency_penalty = float(gc.get("frequency_penalty", 0))
chat_request.presence_penalty = float(gc.get("presence_penalty", 0))
chat_request.top_p = float(gc.get("top_p", 0.95))
chat_request.top_k = int(gc.get("top_k", 1))
messages = []
if history:
for h in history:
content = oci.generative_ai_inference.models.TextContent()
content.text = h["content"]
msg = oci.generative_ai_inference.models.Message()
msg.role = "USER" if h["role"] == "user" else "ASSISTANT"
msg.content = [content]
messages.append(msg)
# Current user message
content = oci.generative_ai_inference.models.TextContent()
content.text = message
user_message = oci.generative_ai_inference.models.Message()
user_message.role = "USER"
user_message.content = [content]
messages.append(user_message)
chat_request.messages = messages
# Serving mode - supports model_id or model_ocid
model_ref = gc.get("model_ocid") or gc["model_id"]
if gc.get("serving_type") == "DEDICATED" and gc.get("dedicated_endpoint_id"):
chat_detail.serving_mode = oci.generative_ai_inference.models.DedicatedServingMode(
endpoint_id=gc["dedicated_endpoint_id"]
)
else:
chat_detail.serving_mode = oci.generative_ai_inference.models.OnDemandServingMode(
model_id=model_ref
)
chat_detail.chat_request = chat_request
chat_detail.compartment_id = gc["compartment_id"]
# Execute
chat_response = generative_ai_inference_client.chat(chat_detail)
# Extract text from response
resp = chat_response.data.chat_response
if api_format == "COHERE":
return resp.text if hasattr(resp, 'text') else str(resp)
else:
if hasattr(resp, 'choices') and resp.choices:
choice = resp.choices[0]
if hasattr(choice, 'message') and choice.message and hasattr(choice.message, 'content'):
contents = choice.message.content
if contents and len(contents) > 0:
return contents[0].text
return str(resp)
# ── RAG Helpers ───────────────────────────────────────────────────────────────
RAG_SYSTEM_PROMPT = """You are the OCI CIS AI Agent, an expert assistant for Oracle Cloud Infrastructure security and compliance.
You have been provided with relevant context documents retrieved from a knowledge base. Use this context to provide accurate, specific answers. If the context does not contain relevant information for the question, say so and answer based on your general knowledge.
Always cite the source documents when using information from the context.
--- RETRIEVED CONTEXT ---
{context}
--- END CONTEXT ---
User question: {question}"""
def _get_adb_connection(cfg: dict):
"""Create an oracledb connection from an adb_vector_configs row."""
import oracledb
params = {"user": cfg["username"], "password": _dec(cfg["password_enc"]), "dsn": cfg["dsn"]}
if cfg["use_mtls"] and cfg.get("wallet_dir"):
params["config_dir"] = cfg["wallet_dir"]
params["wallet_location"] = cfg["wallet_dir"]
if cfg.get("wallet_password_enc"):
params["wallet_password"] = _dec(cfg["wallet_password_enc"])
return oracledb.connect(**params)
def _ensure_embeddings_table(cfg: dict):
"""Create the embeddings table in ADB if it doesn't exist."""
table_name = cfg.get("table_name", "CIS_EMBEDDINGS")
emb_model = cfg.get("embedding_model_id", "cohere.embed-multilingual-v3.0")
dims = EMBEDDING_MODELS.get(emb_model, {}).get("dims", 1024)
conn = _get_adb_connection(cfg)
try:
cur = conn.cursor()
cur.execute("SELECT COUNT(*) FROM user_tables WHERE table_name = :1", (table_name.upper(),))
if cur.fetchone()[0] == 0:
cur.execute(f"""
CREATE TABLE {table_name} (
ID VARCHAR2(100) PRIMARY KEY,
CONTENT CLOB,
EMBEDDING VECTOR({dims}, FLOAT64),
METADATA VARCHAR2(4000),
SOURCE VARCHAR2(500),
CREATED_AT TIMESTAMP DEFAULT SYSTIMESTAMP
)
""")
conn.commit()
log.info(f"Created embeddings table: {table_name} (dims={dims})")
cur.close()
finally:
conn.close()
def _embed_text(text: str, genai_cfg: dict, embedding_model_id: str) -> list:
"""Generate embedding using OCI GenAI embed endpoint."""
import oci
config_path = str(OCI_DIR / genai_cfg["oci_config_id"] / "config")
config = oci.config.from_file(config_path, "DEFAULT")
endpoint = genai_cfg["endpoint"]
client = oci.generative_ai_inference.GenerativeAiInferenceClient(
config=config, service_endpoint=endpoint,
retry_strategy=oci.retry.NoneRetryStrategy(), timeout=(10, 120)
)
embed_detail = oci.generative_ai_inference.models.EmbedTextDetails()
embed_detail.inputs = [text]
embed_detail.serving_mode = oci.generative_ai_inference.models.OnDemandServingMode(model_id=embedding_model_id)
embed_detail.compartment_id = genai_cfg["compartment_id"]
embed_detail.truncate = "NONE"
embed_detail.input_type = "SEARCH_QUERY"
response = client.embed_text(embed_detail)
return response.data.embeddings[0]
def _vector_search(cfg: dict, query_embedding: list, top_k: int = 5) -> list:
"""Search ADB vector store using cosine similarity. Returns top-K documents."""
import array
table_name = cfg.get("table_name", "CIS_EMBEDDINGS")
conn = _get_adb_connection(cfg)
try:
cur = conn.cursor()
vec = array.array('d', query_embedding)
cur.execute(f"""
SELECT ID, CONTENT, METADATA, SOURCE,
VECTOR_DISTANCE(EMBEDDING, :1, COSINE) AS distance
FROM {table_name}
ORDER BY distance ASC
FETCH FIRST :2 ROWS ONLY
""", [vec, top_k])
results = []
for row in cur:
content = row[1]
if hasattr(content, 'read'):
content = content.read()
results.append({
"id": row[0], "content": content or "",
"metadata": row[2], "source": row[3], "distance": float(row[4])
})
cur.close()
return results
finally:
conn.close()
def _build_rag_context(documents: list) -> str:
"""Format retrieved documents into a context string for the LLM prompt."""
if not documents:
return ""
parts = []
for i, doc in enumerate(documents, 1):
source = doc.get("source", "unknown")
content = doc.get("content", "")
if len(content) > 2000:
content = content[:2000] + "..."
parts.append(f"[Document {i} | Source: {source}]\n{content}")
return "\n\n---\n\n".join(parts)
def _get_active_adb_config(user_id: str) -> dict | None:
"""Get the first active ADB vector config with a linked GenAI config."""
with db() as c:
cfg = c.execute(
"SELECT * FROM adb_vector_configs WHERE user_id=? AND is_active=1 AND genai_config_id IS NOT NULL ORDER BY created_at DESC LIMIT 1",
(user_id,)
).fetchone()
if not cfg:
cfg = c.execute(
"SELECT * FROM adb_vector_configs WHERE is_active=1 AND genai_config_id IS NOT NULL ORDER BY created_at DESC LIMIT 1"
).fetchone()
return dict(cfg) if cfg else None
# ── MCP Servers ───────────────────────────────────────────────────────────────
@app.post("/api/mcp/servers")
async def register_mcp(req: MCPServerReq, u=Depends(require("admin","user"))):
mid = str(uuid.uuid4())
with db() as c:
c.execute(
"INSERT INTO mcp_servers (id,user_id,name,description,server_type,command,args,env_vars,url,module_path,tools,linked_adb_id) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)",
(mid, u["id"], req.name, req.description, req.server_type,
req.command, json.dumps(req.args) if req.args else None,
json.dumps(req.env_vars) if req.env_vars else None, req.url, req.module_path,
json.dumps(req.tools) if req.tools else None, req.linked_adb_id))
_audit(u["id"], u["username"], "register_mcp", mid, req.name)
return {"id": mid, "name": req.name, "server_type": req.server_type}
@app.get("/api/mcp/servers")
async def list_mcp(u=Depends(current_user)):
with db() as c:
if u["role"]=="admin": rows=c.execute("SELECT * FROM mcp_servers ORDER BY created_at DESC").fetchall()
else: rows=c.execute("SELECT * FROM mcp_servers WHERE user_id=? ORDER BY created_at DESC",(u["id"],)).fetchall()
res = []
for r in rows:
d = dict(r)
for k in ("args","env_vars","tools"):
if d.get(k):
try: d[k] = json.loads(d[k])
except: pass
res.append(d)
return res
@app.delete("/api/mcp/servers/{mid}")
async def del_mcp(mid: str, u=Depends(require("admin","user"))):
with db() as c: c.execute("DELETE FROM mcp_servers WHERE id=?", (mid,))
return {"ok": True}
@app.put("/api/mcp/servers/{mid}/toggle")
async def toggle_mcp(mid: str, u=Depends(require("admin","user"))):
with db() as c:
cur = c.execute("SELECT is_active FROM mcp_servers WHERE id=?",(mid,)).fetchone()
if not cur: raise HTTPException(404)
c.execute("UPDATE mcp_servers SET is_active=? WHERE id=?",(0 if cur["is_active"] else 1, mid))
return {"ok": True, "is_active": not cur["is_active"]}
@app.post("/api/mcp/servers/{mid}/upload")
async def upload_mcp_file(mid: str, file: UploadFile = File(...), u=Depends(require("admin","user"))):
sdir = MCP_DIR / mid; sdir.mkdir(parents=True, exist_ok=True)
fp = sdir / file.filename
fp.write_bytes(await file.read())
with db() as c: c.execute("UPDATE mcp_servers SET module_path=? WHERE id=?", (str(fp), mid))
return {"ok": True, "path": str(fp)}
@app.put("/api/mcp/servers/{mid}/link-adb")
async def link_mcp_adb(mid: str, adb_id: str = Query(...), u=Depends(require("admin","user"))):
with db() as c: c.execute("UPDATE mcp_servers SET linked_adb_id=? WHERE id=?", (adb_id, mid))
return {"ok": True, "mcp_id": mid, "linked_adb_id": adb_id}
# ── ADB Vector DB Config ─────────────────────────────────────────────────────
@app.post("/api/adb/config")
async def save_adb(req: ADBVectorReq, u=Depends(require("admin","user"))):
vid = str(uuid.uuid4())
with db() as c:
c.execute(
"INSERT INTO adb_vector_configs (id,user_id,config_name,dsn,username,password_enc,wallet_password_enc,table_name,use_mtls,genai_config_id,embedding_model_id) VALUES (?,?,?,?,?,?,?,?,?,?,?)",
(vid, u["id"], req.config_name, req.dsn, req.username, _enc(req.password),
_enc(req.wallet_password) if req.wallet_password else None, req.table_name, int(req.use_mtls),
req.genai_config_id, req.embedding_model_id))
_audit(u["id"], u["username"], "save_adb_config", vid, req.config_name)
return {"id": vid, "config_name": req.config_name}
@app.post("/api/adb/{vid}/upload-wallet")
async def upload_wallet(vid: str, wallet: UploadFile = File(...), u=Depends(require("admin","user"))):
wdir = WALLET_DIR / vid; wdir.mkdir(parents=True, exist_ok=True)
zp = wdir / "wallet.zip"
zp.write_bytes(await wallet.read())
import zipfile
with zipfile.ZipFile(str(zp), 'r') as z: z.extractall(str(wdir))
with db() as c: c.execute("UPDATE adb_vector_configs SET wallet_dir=? WHERE id=?", (str(wdir), vid))
return {"ok": True, "wallet_dir": str(wdir), "files": os.listdir(str(wdir))}
@app.get("/api/adb/configs")
async def list_adb(u=Depends(current_user)):
with db() as c:
cols = "id,config_name,dsn,username,table_name,use_mtls,is_active,wallet_dir,genai_config_id,embedding_model_id,created_at"
if u["role"]=="admin": rows=c.execute(f"SELECT {cols} FROM adb_vector_configs").fetchall()
else: rows=c.execute(f"SELECT {cols} FROM adb_vector_configs WHERE user_id=?",(u["id"],)).fetchall()
return [dict(r) for r in rows]
@app.post("/api/adb/test/{vid}")
async def test_adb(vid: str, u=Depends(require("admin","user"))):
with db() as c:
cfg = c.execute("SELECT * FROM adb_vector_configs WHERE id=?",(vid,)).fetchone()
if not cfg: raise HTTPException(404)
try:
conn = _get_adb_connection(dict(cfg))
cur = conn.cursor(); cur.execute("SELECT 1 FROM DUAL"); cur.close(); conn.close()
return {"status":"success","message":"Conexão Autonomous DB OK!"}
except ImportError:
return {"status":"error","message":"python-oracledb não disponível no container."}
except Exception as e:
return {"status":"error","message":str(e)[:500]}
@app.delete("/api/adb/configs/{vid}")
async def del_adb(vid: str, u=Depends(require("admin","user"))):
with db() as c: c.execute("DELETE FROM adb_vector_configs WHERE id=?", (vid,))
d = WALLET_DIR / vid
if d.exists(): shutil.rmtree(d)
return {"ok": True}
@app.post("/api/adb/{vid}/ensure-table")
async def ensure_table(vid: str, u=Depends(require("admin","user"))):
with db() as c:
cfg = c.execute("SELECT * FROM adb_vector_configs WHERE id=?", (vid,)).fetchone()
if not cfg: raise HTTPException(404)
try:
_ensure_embeddings_table(dict(cfg))
return {"ok": True, "table": cfg["table_name"]}
except Exception as e:
raise HTTPException(500, f"Falha ao criar tabela: {str(e)[:500]}")
@app.post("/api/adb/{vid}/ingest")
async def ingest_documents(vid: str, req: IngestDocReq, bg: BackgroundTasks, u=Depends(require("admin","user"))):
with db() as c:
cfg = c.execute("SELECT * FROM adb_vector_configs WHERE id=?", (vid,)).fetchone()
if not cfg: raise HTTPException(404, "ADB config not found")
cfg = dict(cfg)
if not cfg.get("genai_config_id"):
raise HTTPException(400, "GenAI config not linked to this ADB connection")
with db() as c:
gc = c.execute("SELECT * FROM genai_configs WHERE id=?", (cfg["genai_config_id"],)).fetchone()
if not gc: raise HTTPException(400, "Linked GenAI config not found")
bg.add_task(_ingest_documents_task, cfg, dict(gc), req.documents, u["id"], u["username"])
return {"ok": True, "message": f"Ingestão iniciada para {len(req.documents)} documentos", "config_id": vid}
def _ingest_documents_task(cfg: dict, genai_cfg: dict, documents: list, user_id: str, username: str):
"""Background task: embed and insert documents into ADB via OCI GenAI."""
import array
emb_model = cfg.get("embedding_model_id", "cohere.embed-multilingual-v3.0")
table_name = cfg.get("table_name", "CIS_EMBEDDINGS")
_ensure_embeddings_table(cfg)
conn = _get_adb_connection(cfg)
try:
cur = conn.cursor()
inserted = 0
for doc in documents:
try:
content = doc.get("content", "")
if not content: continue
embedding = _embed_text(content, genai_cfg, emb_model)
vec = array.array('d', embedding)
cur.execute(f"""
INSERT INTO {table_name} (ID, CONTENT, EMBEDDING, METADATA, SOURCE)
VALUES (:1, :2, :3, :4, :5)
""", [str(uuid.uuid4()), content, vec, doc.get("metadata", ""), doc.get("source", "manual_upload")])
inserted += 1
except Exception as e:
log.error(f"Failed to ingest document: {e}")
conn.commit()
cur.close()
log.info(f"Ingested {inserted}/{len(documents)} documents into {table_name}")
_audit(user_id, username, "ingest_documents", cfg["id"], f"{inserted} documents")
except Exception as e:
log.error(f"Ingestion task failed: {e}")
finally:
conn.close()
# ── Reports ───────────────────────────────────────────────────────────────────
@app.post("/api/reports/run")
async def run_report(req: RunReportReq, bg: BackgroundTasks, u=Depends(require("admin","user"))):
with db() as c:
cfg = c.execute("SELECT * FROM oci_configs WHERE id=?",(req.config_id,)).fetchone()
if not cfg: raise HTTPException(404, "Config não encontrada")
rid = str(uuid.uuid4())
c.execute("INSERT INTO reports (id,user_id,tenancy_name,config_id,mcp_server_id,status) VALUES (?,?,?,?,?,?)",
(rid, u["id"], cfg["tenancy_name"], req.config_id, req.mcp_server_id, "running"))
bg.add_task(_exec_report, rid, dict(cfg), req.regions, req.mcp_server_id)
_audit(u["id"], u["username"], "run_report", rid)
return {"report_id": rid, "status": "running"}
async def _exec_report(rid, cfg, regions, mcp_server_id):
rdir = REPORTS / rid; rdir.mkdir(parents=True, exist_ok=True)
config_path = str(OCI_DIR / cfg["id"] / "config")
try:
cmd = ["python3", "/app/cis_runner.py", "--config", config_path,
"--output", str(rdir), "--tenancy-name", cfg["tenancy_name"]]
if regions: cmd += ["--regions", ",".join(regions)]
if mcp_server_id:
with db() as c:
mcp = c.execute("SELECT * FROM mcp_servers WHERE id=?",(mcp_server_id,)).fetchone()
if mcp:
if mcp["module_path"]: cmd += ["--mcp-module", mcp["module_path"]]
if mcp.get("linked_adb_id"):
adb_cfg = c.execute("SELECT * FROM adb_vector_configs WHERE id=?",(mcp["linked_adb_id"],)).fetchone()
if adb_cfg:
cmd += ["--adb-dsn", adb_cfg["dsn"], "--adb-user", adb_cfg["username"]]
if adb_cfg.get("wallet_dir"): cmd += ["--adb-wallet", adb_cfg["wallet_dir"]]
proc = await asyncio.create_subprocess_exec(*cmd, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE)
stdout, stderr = await proc.communicate()
jp = rdir / "report.json"; hp = rdir / "report.html"
with db() as c:
if proc.returncode == 0 and jp.exists():
c.execute("UPDATE reports SET status='completed',report_data=?,html_path=?,json_path=?,completed_at=datetime('now') WHERE id=?",
(jp.read_text()[:500_000], str(hp) if hp.exists() else None, str(jp), rid))
else:
c.execute("UPDATE reports SET status='failed',error_msg=?,completed_at=datetime('now') WHERE id=?",
((stderr.decode() if stderr else "Unknown")[:2000], rid))
except Exception as e:
with db() as c:
c.execute("UPDATE reports SET status='failed',error_msg=?,completed_at=datetime('now') WHERE id=?", (str(e)[:2000], rid))
@app.get("/api/reports")
async def list_reports(u=Depends(current_user)):
with db() as c:
q = "SELECT id,user_id,tenancy_name,status,mcp_server_id,created_at,completed_at,error_msg FROM reports"
rows = c.execute(q+" ORDER BY created_at DESC").fetchall() if u["role"]=="admin" \
else c.execute(q+" WHERE user_id=? ORDER BY created_at DESC",(u["id"],)).fetchall()
return [dict(r) for r in rows]
@app.get("/api/reports/{rid}")
async def get_report(rid, u=Depends(current_user)):
with db() as c: r=c.execute("SELECT * FROM reports WHERE id=?",(rid,)).fetchone()
if not r: raise HTTPException(404)
if u["role"]!="admin" and r["user_id"]!=u["id"]: raise HTTPException(403)
d=dict(r)
if d.get("report_data"):
try: d["report_data"]=json.loads(d["report_data"])
except: pass
return d
@app.get("/api/reports/{rid}/html")
async def report_html(rid):
with db() as c: r=c.execute("SELECT html_path FROM reports WHERE id=?",(rid,)).fetchone()
if not r or not r["html_path"] or not Path(r["html_path"]).exists(): raise HTTPException(404)
return FileResponse(r["html_path"], media_type="text/html")
@app.get("/api/reports/{rid}/download")
async def report_dl(rid, fmt: str = Query("json"), u=Depends(current_user)):
with db() as c: r=c.execute("SELECT * FROM reports WHERE id=?",(rid,)).fetchone()
if not r: raise HTTPException(404)
p = r["json_path"] if fmt=="json" else r["html_path"]
if not p or not Path(p).exists(): raise HTTPException(404)
return FileResponse(p, filename=f"cis_{r['tenancy_name']}_{rid[:8]}.{fmt}")
# ── Chat Agent ────────────────────────────────────────────────────────────────
@app.post("/api/chat")
async def chat(msg: ChatMsg, u=Depends(current_user)):
sid = msg.session_id or str(uuid.uuid4())
with db() as c:
c.execute("INSERT INTO chat_messages (id,session_id,user_id,role,content,model_id) VALUES (?,?,?,?,?,?)",
(str(uuid.uuid4()), sid, u["id"], "user", msg.message, None))
genai_cfg = None
if msg.genai_config_id:
with db() as c:
genai_cfg = c.execute("SELECT * FROM genai_configs WHERE id=?", (msg.genai_config_id,)).fetchone()
if genai_cfg:
try:
history = []
with db() as c:
prev = c.execute("SELECT role,content FROM chat_messages WHERE session_id=? AND role IN ('user','assistant') ORDER BY created_at ASC", (sid,)).fetchall()
history = [{"role":r["role"],"content":r["content"]} for r in prev]
# ── RAG: augment with vector context if ADB config is active ──
rag_context = ""
adb_cfg = _get_active_adb_config(u["id"])
if adb_cfg:
try:
with db() as c:
emb_genai = c.execute("SELECT * FROM genai_configs WHERE id=?", (adb_cfg["genai_config_id"],)).fetchone()
if emb_genai:
emb_model = adb_cfg.get("embedding_model_id", "cohere.embed-multilingual-v3.0")
query_embedding = _embed_text(msg.message, dict(emb_genai), emb_model)
documents = _vector_search(adb_cfg, query_embedding, top_k=5)
if documents:
rag_context = _build_rag_context(documents)
log.info(f"RAG: Retrieved {len(documents)} documents for query")
except Exception as e:
log.warning(f"RAG retrieval failed (non-fatal): {e}")
augmented_message = RAG_SYSTEM_PROMPT.format(context=rag_context, question=msg.message) if rag_context else msg.message
resp = _call_genai(dict(genai_cfg), augmented_message, history[:-1] if len(history) > 1 else None)
except Exception as e:
resp = f"❌ Erro GenAI: {str(e)[:400]}"
else:
resp = _agent_respond(msg.message, u)
mid = genai_cfg["model_id"] if genai_cfg else None
with db() as c:
c.execute("INSERT INTO chat_messages (id,session_id,user_id,role,content,model_id) VALUES (?,?,?,?,?,?)",
(str(uuid.uuid4()), sid, u["id"], "assistant", resp, mid))
return {"session_id": sid, "response": resp, "model_id": mid}
def _agent_respond(msg, user):
m = msg.lower().strip()
if any(k in m for k in ["status","health","como está","saúde"]):
cli = "✅ Instalado" if shutil.which("oci") else "❌ Não instalado"
with db() as c:
nc=c.execute("SELECT COUNT(*) n FROM oci_configs").fetchone()["n"]
nr=c.execute("SELECT COUNT(*) n FROM reports").fetchone()["n"]
nu=c.execute("SELECT COUNT(*) n FROM users WHERE is_active=1").fetchone()["n"]
nm=c.execute("SELECT COUNT(*) n FROM mcp_servers WHERE is_active=1").fetchone()["n"]
ng=c.execute("SELECT COUNT(*) n FROM genai_configs").fetchone()["n"]
return (f"📊 **Status do Sistema**\n\n• OCI CLI: {cli}\n• Configs OCI: {nc}\n• GenAI Models: {ng}\n• MCP Servers: {nm}\n• Relatórios: {nr}\n• Usuários ativos: {nu}\n• Servidor: ✅ Online\n• Versão: v{VERSION}")
if any(k in m for k in ["ajuda","help","comandos"]):
return ("🤖 **Comandos disponíveis:**\n\n• `status` — Status do sistema\n• `listar configs` — Configurações OCI\n• `verificar cis` — Checks CIS 3.0\n• `modelos` — Modelos GenAI disponíveis\n• `ajuda` — Esta mensagem\n\n💡 Configure um modelo GenAI para chat com IA.")
if any(k in m for k in ["modelo","modelos","genai"]):
lines = ["🧠 **Modelos OCI Generative AI disponíveis:**\n"]
for mid, info in GENAI_MODELS.items():
lines.append(f"• `{mid}` — {info['name']} ({info['provider']})")
lines.append("\nConfigure em **GenAI Config** para usar no chat.")
return "\n".join(lines)
if any(k in m for k in ["cis","benchmark","checks","verificar"]):
return ("🔒 **CIS OCI Foundations Benchmark 3.0**\n\n54 controles em 8 domínios:\n• IAM: 17 controles\n• Networking: 8 controles\n• Compute: 3 controles\n• Logging & Monitoring: 18 controles\n• Storage: 6 controles\n• Asset Management: 2 controles\n\nConfigure OCI e execute um relatório na aba **Report**.")
return ("Sou o **OCI CIS AI Agent v" + VERSION + "**. Sem modelo GenAI configurado, uso respostas locais.\n\n"
"Para chat com IA:\n1. Configure **OCI Credentials**\n2. Configure **GenAI** com modelo e região\n3. Selecione o modelo no chat\n\nDigite **ajuda** para ver os comandos.")
@app.delete("/api/chat/{sid}")
async def clear_chat(sid, u=Depends(current_user)):
with db() as c: c.execute("DELETE FROM chat_messages WHERE session_id=? AND user_id=?", (sid, u["id"]))
return {"ok": True}
# ── Downloads ─────────────────────────────────────────────────────────────────
@app.get("/api/downloads")
async def list_dl(u=Depends(current_user)):
with db() as c:
q="SELECT id,tenancy_name,status,created_at,completed_at FROM reports WHERE status='completed'"
rows=c.execute(q+" ORDER BY created_at DESC").fetchall() if u["role"]=="admin" \
else c.execute(q+" AND user_id=? ORDER BY created_at DESC",(u["id"],)).fetchall()
res=[]
for r in rows:
d=dict(r); d["files"]=[]
rd=REPORTS/d["id"]
if rd.exists(): d["files"]=[{"name":f.name,"size":f.stat().st_size} for f in rd.iterdir() if f.is_file()]
res.append(d)
return res
@app.get("/api/downloads/{rid}/{fname}")
async def dl_file(rid, fname, u=Depends(current_user)):
p=REPORTS/rid/fname
if not p.exists(): raise HTTPException(404)
return FileResponse(p, filename=fname)
# ── Audit ─────────────────────────────────────────────────────────────────────
@app.get("/api/audit-log")
async def audit_log(limit:int=Query(100,le=500), u=Depends(require("admin"))):
with db() as c: rows=c.execute("SELECT * FROM audit_log ORDER BY created_at DESC LIMIT ?",(limit,)).fetchall()
return [dict(r) for r in rows]
# ── Health ────────────────────────────────────────────────────────────────────
@app.get("/api/health")
async def health():
return {"status":"ok","ts":datetime.utcnow().isoformat(),"version":VERSION}
@app.on_event("startup")
async def startup():
init_db()
log.info(f"OCI CIS AI Agent v{VERSION} API started")
if __name__ == "__main__":
import uvicorn
uvicorn.run(app, host="0.0.0.0", port=8000)