62 KiB
AI Agent — Infrastructure & Security Engineer
Oracle Cloud Infrastructure — CIS Foundations Benchmark 3.0 — AI-Powered Compliance Platform
Overview
AI Agent — Infrastructure & Security Engineer is a self-hosted web application that automates CIS Oracle Cloud Infrastructure Foundations Benchmark 3.0 compliance checks, powered by OCI Generative AI for intelligent analysis and an MCP (Model Context Protocol) server architecture for extensible task execution.
The platform combines security compliance scanning, AI-powered chat with RAG (Retrieval-Augmented Generation), infrastructure exploration, and vector-based knowledge storage into a single, containerized solution with a React 19 SPA (TypeScript, Vite), Oracle Dark Premium theme (light/dark modes), KPI dashboard with compliance gauge, i18n (pt/en), and Recharts visualizations.
Features
🤖 AI Chat Agent with RAG + MCP Tool Use
- OCI Generative AI integration via official SDK (
oci.generative_ai_inference) - RAG (Retrieval-Augmented Generation): automatically queries ADB vector store for relevant context before generating responses — single ADB connection per search, smart table skip (only queries relevant tables based on question topic), CIS recommendation text filter for exact matching, follow-up context enrichment for short questions
- Source hierarchy: findings tables > cisrecom (official remediation) > engineerknowledgebase (complementary) — temporal awareness with extract dates, tenancy isolation via JSON_VALUE filter
- MCP Tool Use (Function Calling): GenAI models can call tools from registered MCP servers during chat — supports both Cohere and Generic (OpenAI-style) function calling formats with automatic tool execution loop (max 5 iterations)
- Chat Memory Compaction: automatic summarization of older messages when conversation exceeds ~6000 tokens — keeps 20 recent messages (10 interactions) intact and generates an LLM-based summary of older context
- Chat Sidebar: collapsible right-side panel with model parameters (temperature, max_tokens, top_p, top_k, penalties) for quick adjustment during conversation
- Multimodal Chat: upload images (PNG/JPG/GIF/WebP), PDFs, and text files directly in the chat for AI analysis — supports up to 5 files per message via OCI GenAI
ImageContentandDocumentContent - Async Background Processing: chat requests return immediately, GenAI + MCP tools process in background via dedicated thread pool (10 threads), frontend polls for results — eliminates 504 timeouts on long-running scans
- Thinking Indicator: button disables and shows spinner + "Pensando..." while waiting for GenAI response, with message timestamps
- 16 chat models + 3 embedding models across 5 providers: Meta (Llama 4), Google (Gemini 2.5), OpenAI (GPT-5.2/5.1/5 Mini/4.1/4o, o3/o4-mini), xAI (Grok 4/3)
- OCID-based model resolution: catalog maps model IDs to OCI resource IDs per region for reliable API calls
- 16 OCI regions supported with auto-generated endpoints
- Provider parameter matrix: automatic parameter segmentation per model — reasoning models (o3/o4-mini) only get
max_completion_tokens+reasoning_effort, OpenAI GPT-4.x gets freq/pres penalties, Google/Meta gettop_k, xAI gets basic params. Unsupported parameters are explicitly nulled to prevent SDK serialization errors - Full parameter control: temperature, max_tokens, top_p, top_k, frequency/presence penalty (when supported by model)
- Toggle MCP tools on/off per chat session
- Conversation history with session management
- On-Demand and Dedicated serving modes
🏗️ Terraform Agent (IaC)
- AI-powered Terraform code generation for OCI infrastructure provisioning
- Dedicated chat interface with OCI Terraform provider context
- Workspace management: create, plan, apply, destroy Terraform workspaces
- Compartment-aware: browse and select target compartment for provisioning, with existing OCI resources injected as context
- Plan/Apply/Destroy lifecycle: full Terraform workflow with real-time output tracking
- File management: view generated
.tffiles, copy, download individually or as bundle - Confirmation modal: type "DESTROY" to confirm resource destruction
- Inline file editor: click any generated
.tffile to edit in-place with monospace editor, Tab support, and save — auto-syncs with workspace code - Split-panel terminal: real-time Plan/Apply/Destroy output in a dark terminal panel alongside files/plan/resources (always visible)
- Multi-file generation: AI generates separate
.tffiles via// filename:markers (main.tf, variables.tf, outputs.tf, etc.) - Smart file correction: when fixing errors, model generates only changed files — frontend merges with existing workspace, preserving untouched files. Existing files, plan output, and apply errors are injected as context automatically
- 14-point validation checklist: system prompt enforces cross-references, CIDRs, security lists, route tables, DRG attachments, RPC peering, HCL block syntax, resource type validation, and variable declarations
- Auto-split pipeline (3 layers): frontend + backend auto-split of monolithic HCL files into categorized files (networking.tf, compute.tf, etc.) + backend deduplication to prevent duplicate resource errors
- HCL syntax fix: automatic expansion of single-line blocks with multiple arguments into valid multi-line HCL format
- Resource type validation: SQLite-based validation of ~937 OCI resource types with
difflib.get_close_matchessuggestions for invalid types — warnings appended automatically to model responses - Chat history: ChatGPT-style session history with rename/delete, shared between Chat Agent and Terraform Agent
- Resizable split view: chat on top (50%), files/plan/resources + terminal on bottom (50%) with drag-to-resize
- Terraform CLI installed in container (v1.14.7)
- Terraform Resource Reference: auto-generated OCI provider resource catalog (~937 resources) injected into system prompt — built from
terraform providers schema -jsonat container startup, stored in SQLite, refreshable via menu button - Official Resource Docs Injection: on-demand fetch of Example Usage + Argument Reference from the official OCI Terraform provider docs (registry.terraform.io) — cached in SQLite, injected into model context based on detected resource types
- Smart variable resolution: auto-generates
terraform.tfvarsby scanning declared variables and mapping them to OCI config values (tenancy_ocid,user_ocid,fingerprint,compartment_id,ssh_public_key) — region is never forced, respecting variable defaults - Multi-region provider management: auto-detects provider aliases and region variables in generated code, generates
provider.tfwith credentials and correct region references (var.regioninstead of hardcoded values) - Region safety guard: plan is blocked if the model does not declare
variable "region"— prevents accidental provisioning in the wrong region by never falling back to hardcoded defaults - Rollback button: when
terraform applyfails, a Rollback button appears allowing manualterraform destroyto clean up partially created resources (requires typing "ROLLBACK" to confirm) - System prompt sync: Terraform system prompt in code is automatically synced to DB on every restart — single source of truth
- Compact system prompt optimized for OCI Terraform provider best practices (100K max_tokens)
- Flat workspace enforcement: system prompt prohibits
moduleblocks (workspace has no subdirectories) and enforces single-file variable declarations (variables.tfonly)
📝 Terraform Prompt Generator
- AI-powered prompt generation for OCI infrastructure — generates structured, optimized prompts to feed into the Terraform Agent
- Dedicated chat interface (sub-menu under Terraform) matching Terraform Agent layout
- Curated model selection: only 7 recommended models (GPT-4.1, o3, o4-mini, GPT-5.1, GPT-5.2, Gemini 2.5 Pro, Gemini 2.5 Flash), grouped by provider
- Same knowledge pipeline as Terraform Agent: compact resource reference + auto-detected resource types + official docs from GitHub (cached in SQLite)
- Official Terraform docs injection: detects resource types from user message (keywords + explicit
oci_*mentions), fetches Example Usage + Argument Reference from GitHub, cached intf_resource_docstable - Conversation history: persistent sessions (agent_type
tf-prompt) with sidebar history panel, rename/delete, session restore - Contextual follow-up: conversation history sent to GenAI for iterative prompt refinement
- Copy & Send: action buttons on assistant messages to copy the prompt or send directly to the Terraform Agent input
- Robust system prompt with OCI Provider constraints, inference rules, architecture templates, and workspace restrictions
- Example prompts as clickable buttons for quick start
⚡ OCI Resource Actions
- Start/Stop Compute Instances directly from OCI Account Explorer with one click
- Start/Stop Autonomous Databases from Explorer with confirmation prompt
- Start/Stop DB Systems, MySQL, Container Instances — 5 resource types with operational control
- Update Network Access: add your IP to ADB ACL (whitelisted_ips) directly from Explorer
- ACL display: view current whitelisted IPs for Autonomous Databases in Explorer cards
- Auto-refresh: resource state updates automatically after Start/Stop actions (polling)
- Lifecycle state badges (RUNNING/STOPPED/AVAILABLE) with color indicators
- Actions audited in the audit log
🔍 OCI Account Explorer
- KPI stats bar: real-time resource counts per category with tooltip breakdown, cached in SQLite for instant loading
- Tree-view navigation with resizable side panel (280px default) and drag handle
- 36 resource types across 9 categories:
- Compute: Instances, Boot Volumes, Instance Pools
- Networking: VCNs, Subnets, Security Lists, NSGs, Route Tables, NAT/Internet/Service Gateways, Public IPs, Load Balancers
- Storage: Buckets, Block Volumes, File Systems, Mount Targets
- Database: Autonomous Databases, DB Systems, MySQL DB Systems
- Containers: Container Instances, OKE Clusters
- Serverless: Functions, API Gateways
- Observability: Alarms, Log Groups, Notification Topics, Events Rules
- Security: Vaults, DNS Zones, Network Firewalls, Firewall Policies
- IAM: Users, Groups, Policies, Dynamic Groups
- Enhanced views: expandable cards for VCNs (CIDRs, DNS), Subnets (AD, route table), Load Balancers (listeners, backends), Buckets (size, object count, visibility)
- Multi-region support: select and filter by multiple OCI regions with checkbox selection
- Compartment tree: hierarchical compartment browser with full OCID visibility
- Dead state filtering: automatically hides TERMINATED/DELETED/DELETING resources
- Background count refresh: counts cached in SQLite, refreshed on compartment access without blocking UI
- Security list detail: view ingress/egress rules directly in the explorer
- Select which OCI connection to explore
- Real-time API calls via OCI Python SDK
📊 CIS Compliance Reports (Oracle Official Engine)
- Powered by Oracle's official
cis_reports.py(6660 lines, 48 CIS + 11 OBP checks) - Granular execution parameters: CIS Level (1/2), OCI Best Practices, Raw Data, OCID Redaction
- Level 1: Essential security controls that can be implemented with minimal impact on operations. Recommended as baseline for all organizations.
- Level 2: Advanced security controls that may restrict functionality or require more effort to implement. Recommended for high-security environments.
- Multiple output formats: HTML summary, CSV per section/finding, JSON summary, optional XLSX
- Report history: full execution history with status, tenancy filter, and download actions (HTML/JSON) in the Reports tab
- Delete reports: remove completed reports and their associated files from the system
- File browser: files grouped by section (Summary, CIS Findings, OBP, Raw Data, etc.) within the Reports page, with per-section embedding
- Embed individual files: embed any report file (CSV, TXT, JSON, PDF) directly into the ADB vector store for RAG enrichment
- Region filtering with multi-select
- Real-time progress tracking with phase-based progress bar
- CIS Engine auto-update: check for new versions of
cis_reports.pyfrom Oracle's GitHub repository and update with one click (admin only). Custom patches are automatically reapplied after update
📋 LAD A-Team CIS Compliance Report
- Professional compliance report following Oracle Cloud Security Assessment format (cover page, purpose statement, disclaimer, copyright)
- Table of Contents with links to each section and recommendation
- Security Overview: 7 Oracle security pillars (Customer Isolation, Data Encryption, Data Management, etc.)
- CIS Assessment Summary: table with Domains / Total Controls / Failed / Passed per section
- CIS Benchmark Recommendation Summary: full table with Item / Description / Status (OK/FAILED)
- Detailed findings: per-recommendation cards with compliance percentage bar, result description, and remediation steps
- RAG-powered remediation: enriched remediation steps fetched from ADB vector store (
CISRECOMtable) using cosine similarity search — filters by exact recommendation number, extracts only remediation section from matched chunks - Affected resources CSV links: non-compliant findings show a clickable link to download the CSV with affected resource details (authenticated via JWT token)
- Download PDF:
window.print()with CSS@page A4formatting for professional PDF output - Caching: generated HTML cached to disk, subsequent views are instant; "Regenerar" button clears cache and re-generates
- Collapsible sections: HTML report and compliance report start minimized, expandable on demand
🛡️ Built-in CIS MCP Server (Granular Per-Section)
- Auto-registered CIS Compliance Scanner MCP server — available out of the box
- 12 granular tools instead of monolithic full-tenancy scan:
cis_scan_iam— IAM checks (CIS 1.1–1.17): users, policies, groups, MFA, API keyscis_scan_networking— Network checks (CIS 2.1–2.8): security lists, NSGs, VCNscis_scan_compute— Compute checks (CIS 3.1–3.3): instance metadata, monitoringcis_scan_logging_monitoring— Logging/Monitoring checks (CIS 4.1–4.17): audit, alarms, eventscis_scan_storage— Storage checks (CIS 5.1–5.3): buckets, block volumes, file systemscis_scan_asset_management— Asset checks (CIS 6.1–6.2): compartments, taggingcis_list_configs/cis_list_checks— list available OCI configs and CIS checkscis_get_check/cis_get_remediation— detailed findings and remediation guidancecis_get_scan_status/cis_invalidate_cache— session status and cache management
- Per-section data collection: each scan tool collects only the OCI data needed for that section, avoiding unnecessary API calls
- Region-specific scanning: all scan tools accept optional
regionsparameter to target specific OCI regions (e.g.,["us-ashburn-1"]) instead of scanning the entire tenancy - Session caching: collected data is cached per config+regions scope (2-hour TTL), so subsequent scans on different sections reuse shared prerequisites (compartments, identity domains)
- Compartment filtering: scan results can be filtered by specific compartment, showing only relevant findings
- Collection error tracking: errors during data collection are captured per section and reported to the caller
- Parallelized data collection: base collectors and regional collectors run in parallel thread pools (up to 8 workers), with 30-minute timeout per tool call and 1 automatic retry on failure
- Based on Oracle's official
cis_reports.py(6660 lines, 48 CIS + 11 OBP checks)
🔌 MCP Server Registry + Tool Discovery
- Register multiple MCP servers (stdio, SSE, Python module)
- Automatic tool discovery: connect to MCP servers and discover available tools with names, descriptions, and input schemas
- Manual tool definition: add/edit tools with JSON Schema parameter definitions
- Chat Agent integration: discovered tools are automatically available as GenAI function calls during chat
- Upload
.pyscripts directly to servers - Link MCP servers to ADB Vector databases as tools
- Activate/deactivate servers
- Select which MCP server to use per report execution
🗄️ Autonomous Database Vector Storage
- Oracle Autonomous Database connection with mTLS Wallet authentication
python-oracledbThin mode (no Oracle Client needed)- Wallet ZIP upload and automatic extraction
- Connection testing with case-insensitive table validation against ADB
user_tables - Multiple vector tables per ADB: register, edit, toggle active/inactive — tables managed inside the edit connection card
- Multi-table RAG search: queries all active tables across all ADB configs, merges results by cosine distance
- Auto-resolve embedding config: automatically uses existing OCI credentials for GenAI embeddings — no separate GenAI config required
- Case-insensitive table matching: supports both uppercase and lowercase table names in Oracle ADB with quoted identifiers
🧬 Embeddings & Knowledge Base
- Auto-embed CIS Reports: one-click embedding of all report CSVs — each CSV automatically mapped to its ADB table (identityandaccess, networking, computeinstances, etc.)
- Per-section embedding: embed individual sections (Identity, Networking, Compute, etc.) with dedicated button per section
- CIS Recommendation tagging: each embedded document includes CIS recommendation number, section, and status in the content for precise search
- Auto-detect embedding dimension: detects table dimension (1536/3072) and selects correct model automatically
- Purge before re-embed: automatically deletes old data for same tenancy/date before inserting new embeddings
- Real-time progress: progress bar with current section, global progress, queue of upcoming sections
- Background persistence: embedding continues when navigating away, progress resumes on return
- Text chunking: large CSV rows split into 8000-char chunks with context header (Tenancy, Resource, CIS Recommendation) repeated
- CIS Recommendations: upload CIS PDF to populate the
cisrecomvector table - Knowledge Base: upload documents (
.txt,.pdf,.csv,.json,.md) or import URLs to populateengineerknowledgebase - Consult Embeddings: chat-like interface with tenancy selector — queries vector store with CIS number detection for exact matching, smart table skip, source citations
- OCI GenAI Embeddings: uses OpenAI Text Embedding 3 Large/Small via OCI GenAI
- 11 ADB vector tables supported (9 CIS report + 2 knowledge base)
📜 Configuration & Chat Logs
- Persistent activity log per configuration tab (OCI, GenAI, ADB, MCP)
- Chat audit logs: all chat interactions (user messages, AI responses, tool calls, errors) logged with session/message ID, severity, and source
- Logs all test, save, upload, report, and ingest operations with severity (success/error/info)
- Inline log panel at the bottom of each config tab with severity filter
- Auto-cleanup of logs older than 30 days
- Admin can view all logs; users see only their own
- API endpoints for listing and clearing logs
🔄 Export / Import Configuration
- Full config export as JSON: OCI credentials (with private keys), GenAI configs, MCP servers, system prompts, app settings, ADB vector configs
- Import from exported JSON with merge-by-ID (skips existing, prevents duplicates)
- Private keys exported as base64 and restored to disk on import
- Enables full environment migration between machines (Mac ↔ Windows ↔ Linux)
🎨 Theme System & UI
- Light/Dark mode toggle in the sidebar footer
- Oracle Dark Premium design: deep dark backgrounds (#0D0F12), dark cards (#1A1D24), Oracle Red accent (#C74634)
- Oracle-branded light mode: warm light backgrounds (original theme)
- Theme preference persisted in localStorage across sessions
- All CSS driven by CSS custom properties — zero hardcoded colors
- SVG icon system: 45+ Lucide-based inline SVG icons replace all emojis for cross-platform consistency (Windows/Mac/Linux)
- KPI Dashboard: compliance score gauge (SVG semicircular arc with gradient), pass/fail/total KPI cards, donut chart (severity distribution), horizontal bar chart (findings by section) — powered by Recharts
- Animated UI: staggered fade-in for cards/KPIs/tables, smooth theme transitions, hover effects with transforms, shimmer loading states, pulse alerts
✏️ Terraform Prompt Editor
- Inline prompt editor accessible from the Terraform menu (3-dot menu → Editar Prompt)
- Edit the active Terraform system prompt name and content
- Auto-save with debounce (800ms): changes saved to database automatically as you type
- Visual "Salvando..." → "Salvo ✓" indicator
🔐 Security
- JWT authentication with configurable expiry
- TOTP MFA (Google Authenticator / Authy compatible)
- RBAC with 3 roles: Admin, User, Viewer
- Audit logging for all operations
- Encrypted credential storage
Architecture
┌─────────────────────────────────────────────────────────────┐
│ Docker Compose │
│ │
│ ┌──────────────┐ ┌──────────────────────────────┐ │
│ │ Nginx │ │ FastAPI Backend │ │
│ │ (Frontend) │──────▶│ (Python 3.12) │ │
│ │ :8080 │ │ :8000 │ │
│ └──────────────┘ │ │ │
│ │ ┌─────────────┐ │ │
│ │ │ OCI SDK │──▶ OCI APIs │ │
│ │ ├─────────────┤ │ │
│ │ │ GenAI Client │──▶ LLM │ │
│ │ ├─────────────┤ (tools) │ │
│ │ │ MCP Client │──▶ MCP Svrs │ │
│ │ ├─────────────┤ (discover │ │
│ │ │ │ +execute) │ │
│ │ ├─────────────┤ │ │
│ │ │ Terraform │──▶ Plan / │ │
│ │ │ │ Apply │ │
│ │ ├─────────────┤ │ │
│ │ │ oracledb │──▶ ADB │ │
│ │ ├─────────────┤ │ │
│ │ │ RAG Pipeline │──▶ Embed + │ │
│ │ │ │ Search │ │
│ │ └─────────────┘ │ │
│ │ │ │
│ │ SQLite (agent.db) │ │
│ └──────────────────────────────┘ │
│ │ │
│ agent-data volume │
└─────────────────────────────────────────────────────────────┘
Quick Start
Prerequisites
- Docker and Docker Compose
- OCI API Key pair (private
.pemkey + fingerprint) - OCI Tenancy OCID, User OCID, Compartment OCID
1. Clone & Configure
git clone https://github.com/nogueiragustavo/oci-cis-agent.git
cd oci-cis-agent
cp .env.example .env
Edit .env:
APP_SECRET=your-very-long-random-secret-string-here-at-least-64-chars
JWT_EXPIRY_HOURS=12
PORT=8080
2. Build & Run
docker compose up -d --build
3. Access
Open http://localhost:8080
Default credentials:
- Username:
admin - Password:
admin123
⚠️ Change the default password immediately after first login.
Configuration Guide
Step 1 — OCI Credentials
Navigate to OCI Credentials tab and add:
| Field | Description |
|---|---|
| Tenancy Name | Friendly name (e.g., my-company) |
| OCID Tenancy | ocid1.tenancy.oc1..xxxxx |
| OCID User | ocid1.user.oc1..xxxxx |
| Fingerprint | aa:bb:cc:dd:ee:ff:... |
| Region | sa-saopaulo-1, us-ashburn-1, etc. |
| Compartment OCID | ocid1.compartment.oc1..xxxxx |
| Private Key | .pem file |
| Key Passphrase | (optional) Only required if the private key is encrypted |
Click Testar to validate the connection.
Step 2 — GenAI Model
Navigate to GenAI Config tab:
- Select the OCI Credential created in Step 1 — Region and Compartment OCID are auto-filled from the selected credential
- Choose a model from the catalog
- Adjust the GenAI region if needed (auto-populated, must have Generative AI service available)
- Adjust parameters (temperature, max_tokens, etc.)
- The endpoint is auto-generated:
https://inference.generativeai.{region}.oci.oraclecloud.com
For dedicated endpoints, switch Serving Type to DEDICATED and provide the endpoint ID.
The GenAI connection follows Oracle's official SDK pattern:
# Auth via stored OCI config
config = oci.config.from_file(config_path, "DEFAULT")
# Client with endpoint, retry, and timeout
client = oci.generative_ai_inference.GenerativeAiInferenceClient(
config=config,
service_endpoint=endpoint,
retry_strategy=oci.retry.NoneRetryStrategy(),
timeout=(10, 240)
)
# Chat with TextContent + Message objects
chat_detail = oci.generative_ai_inference.models.ChatDetails()
chat_detail.serving_mode = OnDemandServingMode(model_id="...")
chat_detail.chat_request = GenericChatRequest(messages=[...])
chat_detail.compartment_id = compartment_id
Step 3 — MCP Servers (Optional)
Register MCP servers for extended task execution and Chat Agent tool use:
| Type | Use Case |
|---|---|
stdio |
Local Python scripts (e.g., CIS check runner) |
SSE |
Remote HTTP servers |
module |
Upload .py files directly |
MCP servers can be linked to ADB Vector databases, enabling them to use the vector store as a tool during report execution.
Tool Discovery: After registering a server, click "Descobrir Tools" to automatically discover available tools via MCP protocol. You can also add tools manually with name, description, and JSON Schema parameters. Discovered tools are automatically available as function calls in the Chat Agent.
Step 4 — ADB Vector + RAG (Optional)
For persistent vector storage and RAG-powered chat:
- Add DSN (TNS name from tnsnames.ora, e.g.,
myatp_high) - Set credentials (username/password)
- Select an Embedding Model (Cohere Embed v4.0 recommended)
- Upload Wallet ZIP (for mTLS)
- Test the connection
- Register vector tables: add the names of existing tables in your ADB. Table names are case-insensitive and validated against ADB. Toggle tables active/inactive to control which are queried during RAG.
GenAI Config is optional — the app auto-resolves embedding credentials from your existing OCI config.
Required ADB Vector Tables
Important
: These tables must be created in your Autonomous Database before using the embedding and RAG features. Without them, the auto-embedding and historical data consultation will not work.
All tables must use the following schema:
CREATE TABLE <table_name> (
ID RAW(16),
TEXT CLOB,
METADATA JSON,
EMBEDDING VECTOR
);
Run the SQL below to create all 11 required tables:
-- CIS Report tables (auto-populated via "Embed Report")
CREATE TABLE summaryreportcsvvector (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE identityandaccess (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE networking (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE computeinstances (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE loggingandmonitoring (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE objectstorage (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE storageblockvolume (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE filestorageservice (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE assetmanagement (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
-- Knowledge base tables (populated manually via Embeddings tab)
CREATE TABLE cisrecom (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CREATE TABLE engineerknowledgebase (ID RAW(16), TEXT CLOB, METADATA JSON, EMBEDDING VECTOR);
CIS Report Tables — auto-populated when you click "Embed Report":
| Table Name | Purpose | Source CSVs |
|---|---|---|
summaryreportcsvvector |
CIS report summary — compliance scores per section, total controls passed/failed | cis_summary_report.csv |
identityandaccess |
IAM findings — users, policies, MFA status, API keys, password policies | cis_Identity_and_Access_Management_*.csv |
networking |
Network findings — security lists, NSGs, VCNs, open ports, ICMP rules | cis_Networking_*.csv |
computeinstances |
Compute findings — instances, metadata service, secure boot, encryption | cis_Compute_*.csv |
loggingandmonitoring |
Logging findings — alarms, events, notifications, flow logs, Cloud Guard | cis_Logging_and_Monitoring_*.csv |
objectstorage |
Object Storage findings — bucket visibility, encryption, versioning | cis_Storage_Object_Storage_*.csv |
storageblockvolume |
Block Volume findings — encryption with CMK | cis_Storage_Block_Volumes_*.csv |
filestorageservice |
File Storage findings — encryption with CMK | cis_Storage_File_Storage_Service_*.csv |
assetmanagement |
Asset Management findings — compartment usage, resource tagging | cis_Asset_Management_*.csv |
Knowledge Base Tables — populated manually via Embeddings tab:
| Table Name | Purpose | How to populate |
|---|---|---|
cisrecom |
CIS Benchmark official recommendations — remediation steps, rationale, audit procedures per control | Upload CIS PDF in Embeddings tab |
engineerknowledgebase |
General knowledge base — blogs, documentation, PDFs, URLs for complementary context | Upload files or import URLs in Embeddings tab |
How embedding works: When you click "Embed Report" on a completed CIS report, the system automatically:
- Maps each CSV file to its corresponding table based on the filename
- Adds CIS recommendation number, section name, tenancy, and extract date to each document
- Purges old data for the same tenancy/date before inserting (prevents duplicates)
- Shows real-time progress with current section and queue
Each embedded document contains structured metadata (
tenancy,extract_date,cis_recommendation) enabling precise filtered searches by the Chat Agent and Consult Embeddings.
Step 5 — Embeddings (Optional)
Navigate to the Embeddings tab to populate the vector store:
- CIS Recommendations: Upload the CIS PDF to populate the
cisrecomtable with Oracle Cloud security recommendations - Knowledge Base: Upload documents (
.txt,.pdf,.csv,.json,.md) or paste a URL to import web pages — all content goes to theengineerknowledgebasetable - From CIS Reports (Reports tab): Click "Embed Report" to auto-embed all findings CSVs into their mapped tables
- Browse and inspect embeddings per table
Once embeddings exist, the chat automatically uses RAG — it queries all active vector tables across all ADB configs for relevant context before generating responses with the selected GenAI model.
OCI IAM Policies
The following policies are required in your tenancy:
Allow group <group-name> to use generative-ai-family in compartment <compartment-name>
Allow group <group-name> to read all-resources in tenancy
Allow group <group-name> to inspect compartments in tenancy
Allow group <group-name> to inspect autonomous-databases in compartment <compartment-name>
Allow group <group-name> to read virtual-network-family in compartment <compartment-name>
Allow group <group-name> to read instance-family in compartment <compartment-name>
Allow group <group-name> to read objectstorage-namespaces in tenancy
Allow group <group-name> to read buckets in compartment <compartment-name>
Project Structure
oci-cis-agent/
├── backend/
│ ├── app.py # FastAPI application (~7700 lines)
│ ├── cis_reports.py # Oracle CIS Benchmark checker (6660 lines, report engine)
│ ├── mcp_cis_server.py # MCP server with 12 granular CIS tools (~700 lines)
│ ├── gen_tf_reference.py # OCI Terraform provider resource catalog generator
│ ├── Dockerfile # Python 3.12 + OCI CLI + Terraform 1.14.7 + Chromium
│ └── requirements.txt # Dependencies
├── frontend-react/
│ ├── src/ # React 19 SPA (TypeScript, 38 source files, ~15500 lines)
│ │ ├── pages/ # 15 page components (Chat, Terraform, Explorer, Reports, Config, Admin)
│ │ ├── api/ # API client + endpoint modules
│ │ ├── stores/ # Zustand stores (app state persistence across navigation)
│ │ ├── hooks/ # Custom hooks (theme, polling)
│ │ └── i18n/ # Internationalization (pt/en, 700+ keys)
│ └── dist/ # Built SPA served at /
├── nginx/
│ └── default.conf # Reverse proxy (React SPA + API /api/)
├── docker-compose.yml # Orchestration
├── logo.svg # Project logo (Oracle AI Robot)
├── .env.example # Environment template
├── .gitignore
└── README.md
API Reference
Authentication
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/auth/login |
Login (username + password + optional TOTP) |
| POST | /api/auth/logout |
Logout and invalidate session |
| POST | /api/auth/register |
Create user (admin only) |
| POST | /api/auth/change-password |
Change password |
OCI Management
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/oci/config |
Save OCI credentials (multipart) |
| GET | /api/oci/configs |
List OCI credentials |
| PUT | /api/oci/configs/{id} |
Update OCI credential (multipart) |
| POST | /api/oci/test/{id} |
Test OCI connection |
| DELETE | /api/oci/configs/{id} |
Delete OCI credential |
OCI Account Explorer
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/oci/explore/{id}/compartments |
List compartments |
| GET | /api/oci/explore/{id}/compartment-tree |
Hierarchical compartment tree |
| GET | /api/oci/explore/{id}/regions |
List subscribed regions |
| GET | /api/oci/explore/{id}/vcns |
List VCNs |
| GET | /api/oci/explore/{id}/subnets |
List Subnets |
| GET | /api/oci/explore/{id}/security_lists |
List Security Lists (with rules) |
| GET | /api/oci/explore/{id}/nsgs |
List Network Security Groups |
| GET | /api/oci/explore/{id}/route_tables |
List Route Tables (with rules) |
| GET | /api/oci/explore/{id}/nat_gateways |
List NAT Gateways |
| GET | /api/oci/explore/{id}/internet_gateways |
List Internet Gateways |
| GET | /api/oci/explore/{id}/service_gateways |
List Service Gateways |
| GET | /api/oci/explore/{id}/network_firewalls |
List Network Firewalls |
| GET | /api/oci/explore/{id}/network_firewall_policies |
List Firewall Policies |
| GET | /api/oci/explore/{id}/public_ips |
List Public IPs |
| GET | /api/oci/explore/{id}/instances |
List Compute Instances |
| GET | /api/oci/explore/{id}/instance_pools |
List Instance Pools |
| GET | /api/oci/explore/{id}/container_instances |
List Container Instances |
| GET | /api/oci/explore/{id}/databases |
List Autonomous Databases |
| GET | /api/oci/explore/{id}/db_systems |
List DB Systems |
| GET | /api/oci/explore/{id}/mysql_db_systems |
List MySQL DB Systems |
| GET | /api/oci/explore/{id}/buckets |
List Object Storage Buckets |
| GET | /api/oci/explore/{id}/block_volumes |
List Block Volumes |
| GET | /api/oci/explore/{id}/boot_volumes |
List Boot Volumes |
| GET | /api/oci/explore/{id}/file_systems |
List File Systems |
| GET | /api/oci/explore/{id}/mount_targets |
List Mount Targets |
| GET | /api/oci/explore/{id}/oke_clusters |
List OKE Clusters |
| GET | /api/oci/explore/{id}/load_balancers |
List Load Balancers |
| GET | /api/oci/explore/{id}/functions |
List Functions |
| GET | /api/oci/explore/{id}/iam_users |
List IAM Users |
| GET | /api/oci/explore/{id}/iam_groups |
List IAM Groups |
| GET | /api/oci/explore/{id}/iam_policies |
List IAM Policies |
| GET | /api/oci/explore/{id}/iam_dynamic_groups |
List Dynamic Groups |
| GET | /api/oci/explore/{id}/vaults |
List Vaults |
| GET | /api/oci/explore/{id}/dns_zones |
List DNS Zones |
| GET | /api/oci/explore/{id}/api_gateways |
List API Gateways |
| GET | /api/oci/explore/{id}/alarms |
List Alarms |
| GET | /api/oci/explore/{id}/log_groups |
List Log Groups |
| GET | /api/oci/explore/{id}/notification_topics |
List Notification Topics |
| GET | /api/oci/explore/{id}/events_rules |
List Events Rules |
| GET | /api/oci/explore/{id}/counts |
Get cached resource counts (instant from SQLite) |
| POST | /api/oci/explore/{id}/counts/refresh |
Refresh all resource counts in background |
OCI Resource Actions
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/oci/instances/{id}/action |
Start/Stop compute instance |
| POST | /api/oci/autonomous-databases/{id}/action |
Start/Stop Autonomous Database |
| POST | /api/oci/db-systems/{id}/action |
Start/Stop DB System |
| POST | /api/oci/mysql-db-systems/{id}/action |
Start/Stop MySQL DB System |
| POST | /api/oci/container-instances/{id}/action |
Start/Stop Container Instance |
Generative AI
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/genai/models |
List available models and regions |
| POST | /api/genai/config |
Save GenAI configuration |
| GET | /api/genai/configs |
List GenAI configurations |
| PUT | /api/genai/configs/{id} |
Update GenAI configuration |
| POST | /api/genai/test/{id} |
Test GenAI connection |
| DELETE | /api/genai/configs/{id} |
Delete GenAI config |
MCP Servers
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/mcp/servers |
Register MCP server |
| GET | /api/mcp/servers |
List MCP servers |
| PUT | /api/mcp/servers/{id} |
Update MCP server |
| PUT | /api/mcp/servers/{id}/toggle |
Activate/deactivate |
| POST | /api/mcp/servers/{id}/upload |
Upload script file |
| PUT | /api/mcp/servers/{id}/link-adb |
Link to ADB Vector |
| POST | /api/mcp/servers/{id}/discover-tools |
Auto-discover tools from MCP server |
| PUT | /api/mcp/servers/{id}/tools |
Manually update tool definitions |
| DELETE | /api/mcp/servers/{id} |
Delete MCP server |
ADB Vector
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/adb/config |
Save ADB connection (with GenAI config + embedding model) |
| GET | /api/adb/configs |
List ADB connections (includes vector tables) |
| PUT | /api/adb/configs/{id} |
Update ADB connection (multipart) |
| POST | /api/adb/parse-wallet |
Parse wallet ZIP and extract DSN names |
| POST | /api/adb/{id}/upload-wallet |
Upload wallet ZIP |
| POST | /api/adb/test/{id} |
Test ADB connection |
| GET | /api/adb/{id}/tables |
List vector tables for ADB config |
| POST | /api/adb/{id}/tables |
Add vector table |
| PUT | /api/adb/{id}/tables/{tid} |
Update vector table (name, description, active) |
| POST | /api/adb/{id}/tables/check |
Validate registered tables against ADB (case-insensitive) |
| DELETE | /api/adb/{id}/tables/{tid} |
Remove vector table |
| DELETE | /api/adb/configs/{id} |
Delete ADB config |
Embeddings
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/embeddings/preview/{rid} |
Preview report chunks before embedding (with tenancy/regions/compartments) |
| POST | /api/embeddings/report/{rid} |
Generate embeddings from CIS report (chunked by section, accepts table_name, report_date) |
| POST | /api/embeddings/report/{rid}/file/{fid} |
Embed individual report file (CSV/TXT/JSON/PDF) into vector store |
| POST | /api/embeddings/upload |
Upload file (.txt/.pdf/.csv/.json/.md) and generate embeddings |
| POST | /api/embeddings/upload-url |
Import URL (web page or PDF), extract text, and generate embeddings |
| POST | /api/embeddings/consult |
Query embeddings via vector search + GenAI (natural language Q&A) |
| POST | /api/embeddings/{vid}/purge |
Purge old embeddings by table + tenancy before re-embedding |
| GET | /api/embeddings/{vid}/list |
List embeddings in ADB (paginated, accepts table_name query param) |
| DELETE | /api/embeddings/{vid}/{doc_id} |
Delete individual embedding (accepts table_name query param) |
Terraform Agent
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/terraform/chat |
Send message to Terraform Agent |
| GET | /api/terraform/resources |
List OCI resources in compartment (for context) |
| POST | /api/terraform/workspaces |
Create Terraform workspace |
| GET | /api/terraform/workspaces |
List user's workspaces |
| GET | /api/terraform/workspaces/{wid} |
Get workspace details |
| PUT | /api/terraform/workspaces/{wid}/code |
Update workspace Terraform code |
| POST | /api/terraform/workspaces/{wid}/plan |
Run terraform plan |
| POST | /api/terraform/workspaces/{wid}/apply |
Run terraform apply |
| POST | /api/terraform/workspaces/{wid}/destroy |
Run terraform destroy |
| GET | /api/terraform/workspaces/{wid}/status |
Poll workspace execution status |
| GET | /api/terraform/workspaces/{wid}/download |
Download workspace .tf files |
| POST | /api/terraform/workspaces/{wid}/cancel |
Cancel running Terraform operation |
| DELETE | /api/terraform/workspaces/{wid} |
Delete workspace |
| POST | /api/terraform/refresh-reference |
Regenerate OCI Terraform resource reference (UI button) |
| POST | /api/terraform/generate-prompt |
Generate structured Terraform prompt via AI (Prompt Generator) |
Chat & Reports
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/chat |
Send message (with RAG + MCP tool use, accepts use_tools flag) |
| POST | /api/chat/upload |
Send message with file attachments (multipart, images/PDFs/text) |
| GET | /api/chat/sessions |
List chat sessions (history) with agent type filter |
| GET | /api/chat/sessions/{sid}/messages |
Get messages for a session |
| PUT | /api/chat/sessions/{sid}/title |
Rename a chat session |
| DELETE | /api/chat/{sid} |
Delete chat session and messages |
| POST | /api/reports/run |
Execute CIS report |
| GET | /api/reports |
List reports |
| DELETE | /api/reports/{rid} |
Delete report and associated files |
| GET | /api/reports/{id}/html |
View HTML report |
| GET | /api/reports/{id}/download |
Download report |
| GET | /api/reports/{rid}/summary |
Report KPI summary (score, pass/fail, sections) |
| GET | /api/reports/{rid}/files |
List report files by category |
| GET | /api/reports/{rid}/files/{fid}/download |
Download individual report file |
| GET | /api/reports/{rid}/compliance-report |
Serve cached LAD A-Team compliance report HTML |
| POST | /api/reports/{rid}/compliance-report/generate |
Generate compliance report (background, with RAG) |
| GET | /api/reports/{rid}/compliance-report/status |
Check if compliance report is ready |
CIS Engine
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/cis-engine/version |
Current CIS engine version |
| GET | /api/cis-engine/check-update |
Check GitHub for newer version (admin) |
| POST | /api/cis-engine/update |
Download + apply update with patches (admin) |
Config Logs
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/config-logs |
List config logs (filterable by config_type, severity, config_id) |
| DELETE | /api/config-logs |
Clear config logs (admin, filterable by config_type, config_id) |
Admin
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/users |
List users (admin) |
| PUT | /api/users/{id} |
Update user role/status |
| POST | /api/mfa/setup |
Generate MFA secret |
| POST | /api/mfa/verify |
Activate MFA |
| GET | /api/audit-log |
View audit log (admin) |
| GET | /api/health |
Health check |
Supported GenAI Models (16 Chat + 3 Embedding)
All models include OCID mapping for us-ashburn-1. For other regions, use the "Personalizado (usar OCID)" option.
Chat Models
| Provider | Model | Model ID | API Format |
|---|---|---|---|
| Meta | Llama 4 Maverick | meta.llama-4-maverick-17b-128e-instruct-fp8 |
GENERIC |
| Meta | Llama 4 Scout | meta.llama-4-scout-17b-16e-instruct |
GENERIC |
| Gemini 2.5 Pro | google.gemini-2.5-pro |
GENERIC | |
| Gemini 2.5 Flash | google.gemini-2.5-flash |
GENERIC | |
| OpenAI | GPT-5.2 | openai.gpt-5.2 |
GENERIC |
| OpenAI | GPT-5.1 | openai.gpt-5.1 |
GENERIC |
| OpenAI | GPT-5 Mini | openai.gpt-5-mini |
GENERIC |
| OpenAI | GPT-4.1 (Default) | openai.gpt-4.1 |
GENERIC |
| OpenAI | GPT-4.1 Mini | openai.gpt-4.1-mini |
GENERIC |
| OpenAI | GPT-4o | openai.gpt-4o |
GENERIC |
| OpenAI | o4-mini | openai.o4-mini |
GENERIC |
| OpenAI | o3 | openai.o3 |
GENERIC |
| xAI | Grok 4 | xai.grok-4 |
GENERIC |
| xAI | Grok 3 | xai.grok-3 |
GENERIC |
| xAI | Grok 3 Mini Fast | xai.grok-3-mini-fast |
GENERIC |
Custom OCID: You can also use any model available in your region by selecting "Personalizado (usar OCID)" and providing the full model OCID.
Embedding Models
| Provider | Model | Model ID | Dimensions |
|---|---|---|---|
| Cohere | Embed v4.0 (Multimodal) | cohere.embed-v4.0 |
1536 |
| OpenAI | Text Embedding 3 Large | openai.text-embedding-3-large |
3072 |
| OpenAI | Text Embedding 3 Small | openai.text-embedding-3-small |
1536 |
GenAI Regions
us-chicago-1 · us-ashburn-1 · us-phoenix-1 · uk-london-1 · eu-frankfurt-1 · ap-tokyo-1 · ap-osaka-1 · sa-saopaulo-1 · ca-toronto-1 · ap-melbourne-1 · ap-mumbai-1 · eu-amsterdam-1 · me-jeddah-1 · ap-singapore-1 · ap-seoul-1 · sa-vinhedo-1
Tech Stack
| Component | Technology |
|---|---|
| Backend | Python 3.12, FastAPI 0.115, Uvicorn |
| Frontend | React 19 SPA (Vite + TypeScript), Oracle Dark Premium theme, Recharts, i18n (pt/en), rehype-highlight |
| Auth | JWT + TOTP MFA + RBAC |
| Database | SQLite (WAL mode) |
| OCI SDK | oci 2.133.0, oci-cli |
| ADB | python-oracledb 2.4.1 (Thin mode) |
| GenAI | oci.generative_ai_inference |
| Container | Docker Compose, Nginx reverse proxy |
| MCP | Model Context Protocol SDK (stdio/SSE) with tool discovery + execution |
| Terraform | Terraform CLI 1.14.7, OCI Provider |
| CIS Scanner | Oracle CIS Foundations Benchmark 3.0 checker (cis_reports.py) |
Versioning
| Version | Date | Changes |
|---|---|---|
| v2.8 | 2026-03 | Legacy frontend removed: React SPA now served at root / (no more /app/ prefix), legacy vanilla JS SPA removed. Compliance Report ZIP download: Chromium headless PDF generation (identical to browser print) + CSV findings bundled in ZIP. Compliance generation state persisted server-side: .compliance_generating marker file ensures generation status survives page navigation — spinner auto-resumes on return. RAG remediation enriched: extracts Description, Rationale, Audit, and Remediation sections from CIS vector chunks, combines up to 3 matched chunks. Chat markdown styling: full markdown rendering with syntax highlighting (Catppuccin Mocha theme via rehype-highlight), styled headings, lists, tables, blockquotes, inline/block code. Default model auto-select: Chat Agent auto-selects first GenAI config on page load. Explorer silent polling: no more flickering during start/stop resource actions. |
| v2.7 | 2026-03 | LAD A-Team CIS Compliance Report: professional Oracle-format compliance report with cover page, TOC, Security Overview (7 pillars), CIS Assessment Summary, detailed findings with compliance % bars, RAG-powered remediation from ADB vector store (CISRECOM table with strict recommendation number filtering), affected resources CSV download links per non-compliant finding (JWT auth via query param). React SPA: 15-page React 19 frontend (TypeScript, Vite, Zustand, 38 source files). i18n: full internationalization with 625 keys (pt/en), language switcher persisted in localStorage. Report management: delete reports endpoint, embed individual report files (CSV/TXT/JSON/PDF) into vector store. Terraform ZIP download: replaced individual file downloads with client-side ZIP generation (pure JS, no external lib). Explorer UX: silent polling during start/stop actions eliminates flickering (resources update in-place without clearing the list). Report sections collapsed by default: HTML report and compliance report iframes start minimized. |
| v2.6 | 2026-03 | Rename: app renamed to "AI Agent — Infrastructure & Security Engineer". Session Token Auth: OCI session token authentication support (type selector API Key/Session Token, conditional form fields, collapsible credential form, type tags in credentials table, SecurityTokenSigner backend). Terraform Workspaces submenu: sidebar sub-tab listing all workspaces grouped by date with accordion UI, filtered by existing chat sessions (INNER JOIN), actions (plan/apply/destroy/delete/open). Retry on failure: "Reenviar" button on failed messages across Chat Agent, Terraform Agent, and Prompt Generator. Terraform fixes: f2 undefined variable in dedup logic, oci_core_services false positive validation (data sources excluded), S.tfCode reconstruction from S.tfFiles for Re-plan, auto-fix button visible without pre-selected model, DRG attachment rules in system prompt. Resilience: stuck workspace recovery on container restart (planning/applying/destroying → reset + lock file cleanup). |
| v2.5 | 2026-03 | Explorer Expansion: KPI stats bar with per-category resource counts (cached in SQLite explorer_counts_cache, background refresh on compartment access), enhanced views for VCNs/Subnets/Load Balancers/Buckets with expandable cards, start/stop for DB Systems + MySQL + Container Instances (5 resource types total), dead state filtering (TERMINATED/DELETED/DELETING hidden across all 36 endpoints), wider compartment tree (280px), IAM excluded from compartment totals. Prompt Generator Intelligence: same knowledge pipeline as Terraform Agent — auto-detects resource types from user message, fetches official docs (Example Usage + Arguments) from GitHub cached in SQLite, uses compact categorized resource reference. Network Firewall fix: NetworkFirewallPolicySummaryCollection not iterable — added .items accessor for collection objects. |
| v2.4 | 2026-03 | Terraform Safety & UX: region safety guard (plan blocked if model omits variable "region" — prevents wrong-region provisioning), rollback button on apply failure (manual terraform destroy with "ROLLBACK" confirmation), SSH public key field in OCI configs (auto-injected into terraform.tfvars for compute instances), reasoning_effort uppercase fix for OCI SDK, split-panel layout (terminal right 40%, files/plan/resources below chat 60%), plan button persists after destroy. Terraform tfvars: expanded oci_var_map with ssh_public_key/ssh_authorized_keys auto-mapping from OCI config |
| v2.3 | 2026-03 | Consult Embeddings: dedicated sub-menu with chat-like interface for natural language Q&A against vector store — queries all active tables via cosine similarity, returns contextual answers with source citations (works with or without GenAI config). Knowledge Base & RAG Enhancements: Knowledge Base (Base de Conhecimento) with file upload + URL import to engineerknowledgebase vector table, CIS Recommendations upload to cisrecom table, URL content extraction (HTML tag/script stripping, remote PDF parsing), auto-resolve embedding config from OCI credentials (no separate GenAI config required), report_date metadata tracking for embedding freshness, purge & re-embed flow for updated reports. ADB Vector Improvements: case-insensitive table matching with quoted identifiers for Oracle ADB, table validation endpoint against user_tables, tables section moved inside edit connection card, case-preserving table registration (removed forced uppercase). Vector search fix: FLOAT32 compatibility for VECTOR_DISTANCE queries, base64-decoded compartment_id for auto-resolved OCI configs. Embeddings tab cleanup: removed delete buttons, simplified to read-only view, updated descriptions. Dependencies: added PyPDF2 for PDF text extraction |
| v2.2 | 2026-03 | UI Modernization (Phases 1B-5): Oracle Dark Premium theme, 45+ Lucide SVG icons replacing all emojis, KPI dashboard with compliance gauge + Recharts donut/bar charts, report summary API endpoint, Phase 5 animations (staggered fade-in, smooth theme transitions, hover effects) — animations scoped to tab switch only (no flickering on re-render). Terraform Intelligence: official resource docs injection from registry.terraform.io (Example Usage + Argument Reference, on-demand fetch + SQLite cache), smart tfvars auto-generation from declared variables, multi-region provider management with var.region support, RPC anti-cycle rule, system prompt auto-sync to DB, 60-min polling timeout for long-running applies. ADB fix: wallet_password always passed for thin mode mTLS (fixes DPY-6005). CIS_EMBEDDINGS default removed from ADB config |
| v2.1 | 2026-03 | Terraform Agent (AI-powered IaC generation with plan/apply/destroy lifecycle, workspace management, Terraform CLI in container, inline file editor, split-panel terminal, multi-file generation via // filename: markers, smart file correction with merge-based updates, 14-point validation checklist, 100K max_tokens), 3-layer auto-split pipeline (frontend + backend monolithic HCL splitting into categorized files + backend deduplication), HCL syntax auto-fix (single-line blocks expanded to multi-line), SQLite-based resource type validation (~937 types with difflib suggestions for invalid types), Terraform Resource Reference (auto-generated OCI provider catalog from terraform providers schema -json, generated at startup to survive volume mounts, stored in SQLite, refreshable via menu button), compact system prompt for Terraform agent, ChatGPT-style chat history for both Chat Agent and Terraform Agent (rename/delete sessions), OCI Resource Actions (start/stop instances and Autonomous DBs from OCI Account Explorer), OCI Explorer expanded to 40+ resource types across 8 categories with tree-view navigation and resizable panels, compartment filtering for MCP CIS scans, chat sidebar with model parameters, chat audit logs, collection error tracking in MCP server, tool timeout increased to 30min with auto-retry, memory compaction tuned (6K threshold, 20 recent messages), model catalog trimmed from 69 to 15 curated models, improved GenAI response extraction with fallback for empty responses, fixed layout overflow (no page scroll), provider alias detection with brace-matching parser, multi-region Terraform support |
| v2.0 | 2026-03 | Async background chat processing (no more 504 timeouts), frontend polling with timestamps, 8 uvicorn workers + 16-thread chat executor for ~12 simultaneous chats, parallelized MCP data collection (5-thread base + 8-thread regional), 2-hour MCP session cache, 5-min tool timeout, full dead code cleanup across backend/frontend/MCP |
| v1.9 | 2026-03 | Multimodal chat (image/PDF/text file upload with OCI GenAI ImageContent/DocumentContent), region-specific MCP scanning (regions param on all scan tools), orphaned report auto-detection on progress poll, nginx timeout increased to 15min, improved API error handling for non-JSON responses |
| v1.8 | 2026-03 | CIS Engine auto-update from Oracle GitHub with automatic patch reapplication, version check UI card (admin), new /api/cis-engine/* endpoints, report file listing and individual download endpoints, reorganized Reports tab (execution history + status) and Downloads tab (file browser only with expandable cards per report), CIS Level description tooltip, persistent log expand during report generation |
| v1.7 | 2026-03 | Oracle official CIS report engine (replaces lightweight checker), granular report parameters (Level, OBP, Raw Data, Redact), per-report file storage with category browser, tenancy filter in Downloads, individual file download |
| v1.6 | 2026-03 | Granular CIS MCP server (12 per-section scan tools: IAM, Networking, Compute, Logging/Monitoring, Storage, Asset Management), chat memory compaction with LLM-based summarization, GenAI tool use loop fix (accumulated conversation), chat thinking indicator, auto-registered CIS MCP server |
| v1.5 | 2026-03 | MCP Tool Use in Chat (GenAI function calling with auto tool discovery + execution via MCP SDK), multi-table ADB vector search, preview chunks before embedding, enriched embeddings with tenancy/regions/compartments, searchable dropdowns, editable vector tables, orphaned report cleanup on restart |
| v1.4 | 2026-03 | In-place config editing, 69 chat + 11 embedding models with OCID resolution (OpenAI GPT-5.3/5.2/5.1/5/4.1/4o/Codex/Image/Audio, xAI, Google, Meta, ProtectAI), OpenAI Text Embedding 3, custom OCID support, wallet auto-parse with DSN extraction |
| v1.3 | 2026-03 | Persistent config logs per tab, GenAI auto-fill from OCI credentials, inline UX feedback with loading spinners, MCP type-switch fix, encrypted key passphrase support, Docker stdin hang fix |
| v1.2 | 2026-03 | RAG pipeline (OCI GenAI embeddings + ADB vector search), dedicated Embeddings tab, CIS report chunking, file upload embedding |
| v1.1 | 2025-02 | OCI SDK GenAI (exact pattern), OCI Account Explorer, MCP↔ADB linking, full chat parameters |
| v1.0 | 2025-02 | Initial release: OCI theme, GenAI integration, MCP servers, ADB vector, JWT+MFA+RBAC |
Development
Run Backend Locally
cd backend
pip install -r requirements.txt
DATA_DIR=./data uvicorn app:app --reload --port 8000
Run with Docker
docker compose up -d --build
docker compose logs -f backend
Rebuild After Changes
docker compose down
docker compose up -d --build
Troubleshooting
OCI CLI test fails with timeout: Check that your API key is correctly configured and the tenancy OCID is valid. Ensure outbound HTTPS (443) is allowed.
GenAI returns 401/403:
Verify the IAM policy Allow group ... to use generative-ai-family in compartment ... exists. Check that the compartment OCID in the GenAI config matches the policy.
OCI CLI test hangs with passphrase prompt (Docker):
If your private key is encrypted (ENCRYPTED in the PEM header), provide the passphrase in the Key Passphrase field when saving the credential. Unencrypted keys work without a passphrase. The app automatically detects encrypted keys and blocks upload if no passphrase is provided.
ADB connection fails (DPY-6005: cannot connect):
Ensure the wallet ZIP contains tnsnames.ora and ewallet.pem. The DSN must match a service name in tnsnames.ora (e.g., myatp_high). If using an auto-login wallet without a custom password, leave the wallet password field empty — the app automatically passes an empty string for wallet_password which is required by python-oracledb thin mode even for auto-login wallets.
Container won't start:
docker compose logs backend
License
MIT
Built with ❤️ for Oracle Cloud Infrastructure security compliance