Skip to content

[AI Workspace] Refactor AI Workspace setup and configuration #2680

Merged
Thushani-Jayasekera merged 13 commits into
wso2:mainfrom
Thushani-Jayasekera:aiws-defaultcreds
Jul 15, 2026
Merged

[AI Workspace] Refactor AI Workspace setup and configuration #2680
Thushani-Jayasekera merged 13 commits into
wso2:mainfrom
Thushani-Jayasekera:aiws-defaultcreds

Conversation

@Thushani-Jayasekera

@Thushani-Jayasekera Thushani-Jayasekera commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

AI Workspace Setup Refactor — setup.sh and the New Quick Start

What changed and why

Previously the stack could start with no preparation: the Platform API
auto-generated a self-signed TLS certificate at runtime when none was mounted,
APIP_DEMO_MODE (default true) relaxed the auth checks, the compose files
shipped with a hardcoded admin / admin user, and CI carried hardcoded
encryption/JWT keys in the workflow file.

This commit removes all of those defaults. Nothing is auto-generated at
runtime anymore
— every secret, credential, and certificate must exist before
first start, and a new one-shot setup.sh script generates all of them.

The setup.sh script (portals/ai-workspace/setup.sh)

Run once before the first docker compose up. In the repo it sits next to
docker-compose.yaml; in the distribution zip it is shipped as
scripts/setup.sh, one level below the compose root (the script detects this
and cds up, so it always writes its outputs next to docker-compose.yaml).
It generates:

Artifact Contents
api-platform.env APIP_CP_ENCRYPTION_KEY (at-rest encryption key), APIP_CP_AUTH_JWT_SECRET_KEY (JWT signing key), APIP_CP_ADMIN_USERNAME, APIP_CP_ADMIN_PASSWORD_HASH (bcrypt)
resources/certificates/cert.pem / key.pem Self-signed TLS pair shared by the Platform API and the AI Workspace BFF (SANs: localhost, platform-api, ai-workspace, host.docker.internal, 127.0.0.1); being self-signed, the cert also serves as the CA bundle the BFF trusts for the upstream platform-api hop

Behavior details:

  • Idempotent — existing files are kept; --force regenerates everything
    (rotates keys and credentials).
  • --certs-only generates just the TLS pairs; used by make bff-run for
    local development.
  • The admin password is printed once and stored nowhere — only its bcrypt
    hash lands in api-platform.env (written with umask 177, so mode 600).
  • When run interactively, the script prompts for the admin username (default:
    admin) and password (default: a generated random 20-character string);
    ADMIN_USERNAME / ADMIN_PASSWORD env vars skip the prompts and pin the
    credentials (CI pins admin/admin for the Cypress suite).
  • bcrypt hashing uses htpasswd when installed, otherwise falls back to the
    httpd:2.4-alpine Docker image; requires openssl. The password is fed via
    stdin so it never appears in the process list.
  • api-platform.env and resources/certificates/ are git-ignored in the repo,
    and make dist writes a .gitignore into the distribution covering *.env
    and resources/certificates/* for the same reason.

The new quick start flow (QUICKSTART.md)

# 1. Download and unzip the release
curl -sLO .../wso2apip-ai-workspace-1.0.0-alpha.zip && unzip ...

# 2. Generate keys, credentials, and certificates
cd wso2apip-ai-workspace-1.0.0-alpha
./scripts/setup.sh   # save the printed admin username/password!

# 3. Start the stack
docker compose up -d

# 4. Open https://localhost:5380 and sign in with the printed credentials

The only change for users versus the old flow is the extra setup.sh step
(compose loads the generated api-platform.env itself via env_file); login
now uses the generated credentials instead of admin/admin. Certificates are self-signed, so the
browser trust warning remains — drop a CA-issued cert into
resources/certificates/ (same file names, SANs covering both hostnames) to
remove it.

Supporting code changes

Platform API (platform-api/)

  • Demo mode removed entirely. The demoMode() helper and every
    APIP_DEMO_MODE branch are gone. All auth checks are now unconditional:
    • Some auth mode (file-based, JWT, or IDP) must be enabled.
    • auth.jwt.skip_validation=true is always rejected — JWT signatures are
      always verified (SkipValidation is hard-coded to false).
    • cors.allowed_origins may never contain "*" (empty means cross-origin
      disabled, fail-closed); AllowCredentials is now always true.
    • File-based auth is allowed again (it was banned outside demo mode) but
      always logs a not-for-production warning.
  • Self-signed certificate generation deleted (generateSelfSignedCert and
    ~100 lines removed from server.go). buildTLSConfig now just loads
    cert.pem/key.pem from the cert dir and errors with remediation guidance
    if they're missing.
  • Config validation hardened: each file-based auth user must have a
    non-empty username and password_hash (supplied via {{ env }} /
    {{ file }} tokens).

AI Workspace compose (portals/ai-workspace/docker-compose.yaml)

  • Both services now mount the setup.sh-generated certificates
    (previously commented-out optional mounts); there is no runtime fallback.
  • api-platform.env is loaded via env_file with format: raw — required because
    the bcrypt hash contains $, which compose would otherwise treat as
    interpolation.
  • The BFF verifies the Platform API's certificate on the internal hop: the
    platform-api cert is mounted as a CA bundle at the [platform_api] ca_file
    default in configs/config.toml, instead of
    APIP_AIW_PLATFORM_API_TLS_SKIP_VERIFY=true.
  • All APIP_DEMO_MODE and hardcoded-secret environment entries removed. The
    services carry no environment: blocks at all — every value comes from the
    config TOMLs (whose defaults are the compose deployment's values) plus the
    single env_file entry, api-platform.env. Optional overrides go there too
    — e.g. the APIP_CP_AUTH_IDP_* / APIP_AIW_OIDC_* keys (including
    APIP_AIW_OIDC_CLIENT_SECRET) that switch the stack to an OIDC provider. The
    old .env.example file was deleted.

BFF (portals/ai-workspace/bff/)

  • Config and tlsutil simplified in line with the no-fallback model — TLS
    cert/key files are required, no self-signed generation.
  • make bff-run calls ./setup.sh --certs-only and points
    APIP_AIW_TLS_CERT_FILE / APIP_AIW_TLS_KEY_FILE at the generated pair.

CI (.github/workflows/ai-workspace-pr-check.yml)

  • The hardcoded APIP_CP_ENCRYPTION_KEY / APIP_CP_AUTH_JWT_SECRET_KEY
    values were removed from the workflow. CI now runs
    ADMIN_USERNAME=admin ADMIN_PASSWORD=admin ./setup.sh and starts the stack
    with docker compose up -d --wait.

Other compose files

Developer Portal, distribution, all-in-one, and integration/e2e compose files
were updated consistently with the same generated-keys pattern (no hardcoded
secrets, no demo mode).

Documentation updates

  • QUICKSTART.md — rewritten around the setup.shdocker compose up flow
    (see above).
  • README.md, production/README.md, docs/ai-workspace/configuration.md,
    platform-api/README.md, developer-portal quick start — demo-mode
    references removed; generated credentials and required certificates
    documented.
  • Config templates (configs/config-template.toml, the Platform API
    reference template, and the shipped TOMLs) updated to resolve the admin
    user and keys from the api-platform.env values via {{ env }} tokens.
  • The Platform API reference template is now maintained at
    platform-api/config/config-template.toml and copied into the
    distribution zip by make dist as
    configs/config-platform-api-template.toml, so it cannot drift from the
    Platform API's actual config surface.

Tryout

thushanij@thushani wso2apip-ai-workspace-1.0.0-alpha2 % ./scripts/setup.sh
[setup] Provisioning TLS certificate ...
[setup]   - self-signed certificate generated at resources/certificates/cert.pem
Admin username [admin]: 
Admin password [press Enter to generate one]: 
[setup] Generating secrets into api-platform.env ...
[setup]   - APIP_CP_ENCRYPTION_KEY generated
[setup]   - APIP_CP_AUTH_JWT_SECRET_KEY generated
[setup] Provisioning admin credentials ...
[setup]   - APIP_CP_ADMIN_PASSWORD_HASH generated (bcrypt)
[setup]   - api-platform.env written

[setup] Setup complete.

  ------------------------------------------------------------------
   Admin login:  admin / A5S1RENi6GSeU0Esf0Di
   This password will not be shown again — copy it now.
   (It is stored, bcrypt-hashed, in api-platform.env)
  ------------------------------------------------------------------

  Next step:
    docker compose up

- Remove hardcoded encryption and JWT secret keys from the GitHub Actions workflow.
- Introduce a setup script to generate required keys, credentials, and TLS certificates for the AI Workspace and Platform API.
- Update Docker Compose files to utilize generated keys and certificates, ensuring no self-signed fallback is used.
- Revise documentation to reflect changes in setup and configuration processes, emphasizing the use of generated credentials and certificates.
- Remove references to demo mode, enforcing strict production requirements for all configurations.
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: github.com/knadh/koanf/providers/confmap
Version: v1.0.0
Allowed range: >=v1.0.0
Approved: ✅ Yes

⚠️ Please verify the scope of the dependencies usage is necessary

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Thushani-Jayasekera, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 28 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ccce8870-33e8-4ede-8593-0b1dedff0b0f

📥 Commits

Reviewing files that changed from the base of the PR and between 6f032dc and db7c8e3.

📒 Files selected for processing (4)
  • portals/ai-workspace/README.md
  • tests/integration-e2e/docker-compose.sqlite.yaml
  • tests/integration-e2e/docker-compose.sqlserver.yaml
  • tests/integration-e2e/docker-compose.yaml
📝 Walkthrough

Walkthrough

Changes

The PR removes demo-mode configuration and self-signed TLS fallbacks. Platform API and AI Workspace now require explicit secrets, authentication settings, and mounted certificates. Quickstart scripts provision credentials and certificates, while Compose, CI, tests, and documentation adopt the new configuration flow.

AI Workspace and Platform API runtime
platform-api validates authentication, CORS, JWT verification, file-based users, and TLS certificates. The AI Workspace BFF requires mounted certificates and reports authentication failures using structured error fields.

Provisioning and deployments
setup.sh generates api-platform.env, bcrypt admin credentials, and shared certificates. Compose distributions and integration environments add certificate-init containers and shared certificate volumes.

Estimated code review effort: 4 (Complex) | ~60 minutes

Possibly related PRs

Suggested reviewers: thivindu, renuka-fernando, malinthaprasan, virajsalaka, tharindu1st

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers the main changes but does not follow the required template headings and omits sections like User stories, Security checks, and Test environment. Reformat the PR description to match the template and add the missing sections, especially Purpose, Goals, Approach, Automation tests, Security checks, and Test environment.
Docstring Coverage ⚠️ Warning Docstring coverage is 78.85% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the setup/configuration refactor in this PR.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

- Introduce a new configuration template for the Platform API, detailing all configurable keys and their defaults.
- Update the Makefile to copy the new configuration template into the distribution directory.
- Revise README to reflect the new location of the Platform API configuration reference.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 10

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
platform-api/internal/server/server.go (1)

485-493: 🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift

Migrate local JWT auth off shared HMAC secrets. platform-api/internal/server/server.go and platform-api/internal/handler/auth_login.go still use cfg.Auth.JWT.SecretKey with HS256/HMAC, and platform-api/config/config.go / platform-api/config/config_test.go still enforce a 32-byte shared-secret contract. Switch this flow to an asymmetric allowlist and reject HS*/none.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@platform-api/internal/server/server.go` around lines 485 - 493, Replace
shared-secret JWT validation in server.go ranges 485-493 and 548-560 and the
auth_login.go login flow with asymmetric JWT verification using an explicit
allowed public-key list; reject HS* and none algorithms. Update config.go range
561-573 to remove the 32-byte SecretKey contract and define the asymmetric
key/algorithm configuration, and update config_test.go range 103-129 to validate
the new configuration and rejection rules. Ensure LocalJWTAuthMiddleware and
token issuance use the same asymmetric allowlist.

Source: Coding guidelines

portals/developer-portal/docs/administer/manage-organizations.md (1)

145-151: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Stale JWT secret wording

This still implies the secret is auto-generated and only needs pinning for persistence. The compose config now requires APIP_CP_AUTH_JWT_SECRET_KEY at startup, so reword this section to say the key is mandatory instead of optional.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/developer-portal/docs/administer/manage-organizations.md` around
lines 145 - 151, Update the “Session persistence and scripted access” section to
state that APIP_CP_AUTH_JWT_SECRET_KEY is mandatory and must be configured at
startup in both services, removing the implication that the key is
auto-generated or only needed to preserve sessions. Keep the existing
shared-value configuration example.
🧹 Nitpick comments (2)
portals/ai-workspace/Makefile (1)

62-62: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low value

Consider trusting the generated certificate explicitly instead of skipping verification.

Now that setup.sh generates a platform-api.crt certificate, you can explicitly trust it using ca_file instead of skipping TLS verification entirely. This aligns the make bff-run local development workflow with the production recommendations in config-template.toml.

💡 Proposed change to use the generated CA file
-		APIP_AIW_PLATFORM_API_TLS_SKIP_VERIFY=true \
+		APIP_AIW_PLATFORM_API_CA_FILE=../certs/platform-api.crt \
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/ai-workspace/Makefile` at line 62, Update the make bff-run
environment configuration around APIP_AIW_PLATFORM_API_TLS_SKIP_VERIFY to trust
the generated platform-api.crt through the supported ca_file setting instead of
disabling TLS verification, matching the production configuration guidance.
portals/developer-portal/docker-compose.platform-api.yaml (1)

37-69: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Same platform-api-certgen block copy-pasted in four compose files, each with the same permission gap. openssl req doesn't restrict output-file permissions (umask-based, typically world-readable), so the generated key.pem ends up readable by any process with volume access, and the consumer-side mount is read-write when it only needs read access.

  • portals/developer-portal/docker-compose.platform-api.yaml#L37-L69: add chmod 600 /certs/key.pem to the certgen command, and mount platform-api-certs:/app/data/certs:ro on the platform-api service.
  • portals/developer-portal/docker-compose.yaml#L68-L99: same chmod 600 addition and :ro mount on platform-api.
  • portals/developer-portal/it/docker-compose.test.postgres.yaml#L44-L71: same chmod 600 addition and :ro mount on platform-api.
  • portals/developer-portal/it/docker-compose.test.yaml#L28-L55: same chmod 600 addition and :ro mount on platform-api.

Given it's identical in all four files, consider extracting it into one shared compose fragment (e.g. via Compose include:) so future changes to the cert-gen logic don't need to be applied four times.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/developer-portal/docker-compose.platform-api.yaml` around lines 37 -
69, Update the platform-api-certgen command to restrict the generated key.pem
permissions to 600 and make the platform-api certificate-volume mount read-only
in portals/developer-portal/docker-compose.platform-api.yaml (lines 37-69),
portals/developer-portal/docker-compose.yaml (lines 68-99),
portals/developer-portal/it/docker-compose.test.postgres.yaml (lines 44-71), and
portals/developer-portal/it/docker-compose.test.yaml (lines 28-55). Consider
extracting the identical cert-generation configuration into a shared Compose
fragment so future changes are centralized.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@distribution/all-in-one/docker-compose.yaml`:
- Around line 82-100: Update the platform-api service’s depends_on configuration
to include platform-api-certgen with condition service_completed_successfully,
while preserving the existing postgres service_healthy dependency. Ensure
platform-api waits for certificate generation before starting.

In `@platform-api/config/config.go`:
- Around line 563-571: The validateJWTConfig function currently requires
SecretKey only when JWT authentication is enabled; update its condition to
require and validate the shared key whenever either JWT or file-based
authentication is enabled. Preserve the early return only when both
authentication modes are disabled, and keep the existing key validation and
error behavior.

In `@platform-api/internal/server/server_tls_test.go`:
- Around line 20-25: Update the TLS test setup to reuse the checked-in
cert.pem/key.pem fixture, or extract that copying logic into a shared helper,
instead of generating a new P-256 ECDSA key pair. Remove the now-unneeded
certificate-generation imports and keep the test’s temporary-directory setup and
TLS behavior unchanged.

In `@platform-api/internal/server/server.go`:
- Around line 471-477: Update the operator-facing messages near the CORS
configuration and the related HTTP configuration block to use
APIP_CP_CORS_ALLOWED_ORIGINS and APIP_CP_HTTP_ENABLED instead of the unprefixed
environment-variable names. Preserve the existing warning behavior and message
context.
- Around line 642-648: Update Start to perform all listener configuration and
buildTLSConfig TLS certificate validation before launching the HTTP server,
background jobs, or listener goroutines. Move the buildTLSConfig call and
related preflight checks ahead of the existing server startup path, preserving
current error propagation and startup behavior after validation succeeds.

In `@platform-api/README.md`:
- Around line 232-242: The configuration documentation must state that
environment variables affect TOML values only through explicit `{{ env "NAME"
}}` interpolation, not by overriding literal values via the `APIP_CP_` prefix.
Update the README text around the `APIP_CP_` and
`APIP_CONFIG_FILE_SOURCE_ALLOWLIST` descriptions, preserving the interpolation
examples and aligning the documented behavior with the loader contract.
- Around line 261-273: Update the JWT validation documentation in the README so
the stated startup requirement and local-development command describe the same
supported behavior. Choose whether APIP_CP_AUTH_JWT_SKIP_VALIDATION=true is
permitted for development or rejected unconditionally, then revise the
requirement, variable description, and example consistently so the documented
command is executable.
- Around line 304-309: Update the claim-mapping environment variable names in
the README table to use the APIP_CP_AUTH_IDP_CLAIM_MAPPINGS_* prefix, matching
docs/ai-workspace/configuration.md and the AI Workspace config template.
Preserve the existing claim defaults and descriptions while correcting each
affected identifier.

In `@portals/ai-workspace/setup.sh`:
- Around line 95-104: Update bcrypt_hash so the plaintext password is supplied
through standard input rather than the command arguments for both the local
htpasswd and docker run paths. Use the appropriate interactive/input flags and
preserve the existing bcrypt options, output extraction, and fallback error
behavior.
- Around line 110-121: Update the ADMIN_PASSWORD_HASH value generated in
setup.sh before writing the ENV_FILE so every `$` in the bcrypt hash is replaced
with `$$`, preventing Docker Compose interpolation. Keep the bcrypt_hash result
unchanged for authentication while emitting the escaped value in the generated
environment file.

---

Outside diff comments:
In `@platform-api/internal/server/server.go`:
- Around line 485-493: Replace shared-secret JWT validation in server.go ranges
485-493 and 548-560 and the auth_login.go login flow with asymmetric JWT
verification using an explicit allowed public-key list; reject HS* and none
algorithms. Update config.go range 561-573 to remove the 32-byte SecretKey
contract and define the asymmetric key/algorithm configuration, and update
config_test.go range 103-129 to validate the new configuration and rejection
rules. Ensure LocalJWTAuthMiddleware and token issuance use the same asymmetric
allowlist.

In `@portals/developer-portal/docs/administer/manage-organizations.md`:
- Around line 145-151: Update the “Session persistence and scripted access”
section to state that APIP_CP_AUTH_JWT_SECRET_KEY is mandatory and must be
configured at startup in both services, removing the implication that the key is
auto-generated or only needed to preserve sessions. Keep the existing
shared-value configuration example.

---

Nitpick comments:
In `@portals/ai-workspace/Makefile`:
- Line 62: Update the make bff-run environment configuration around
APIP_AIW_PLATFORM_API_TLS_SKIP_VERIFY to trust the generated platform-api.crt
through the supported ca_file setting instead of disabling TLS verification,
matching the production configuration guidance.

In `@portals/developer-portal/docker-compose.platform-api.yaml`:
- Around line 37-69: Update the platform-api-certgen command to restrict the
generated key.pem permissions to 600 and make the platform-api
certificate-volume mount read-only in
portals/developer-portal/docker-compose.platform-api.yaml (lines 37-69),
portals/developer-portal/docker-compose.yaml (lines 68-99),
portals/developer-portal/it/docker-compose.test.postgres.yaml (lines 44-71), and
portals/developer-portal/it/docker-compose.test.yaml (lines 28-55). Consider
extracting the identical cert-generation configuration into a shared Compose
fragment so future changes are centralized.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c15a1747-02a7-4859-b824-0558a533b0ec

📥 Commits

Reviewing files that changed from the base of the PR and between 08549e9 and f778128.

⛔ Files ignored due to path filters (1)
  • platform-api/go.sum is excluded by !**/*.sum
📒 Files selected for processing (47)
  • .github/workflows/ai-workspace-pr-check.yml
  • distribution/all-in-one/docker-compose.yaml
  • docs/ai-workspace/configuration.md
  • docs/ai-workspace/features/secrets-management.md
  • gateway/examples/llm-provider.yaml
  • platform-api/README.md
  • platform-api/config/config.go
  • platform-api/config/config.toml
  • platform-api/config/config_test.go
  • platform-api/go.mod
  • platform-api/internal/integration/harness_test.go
  • platform-api/internal/repository/api_deployments_test.go
  • platform-api/internal/repository/subscription_repository.go
  • platform-api/internal/server/server.go
  • platform-api/internal/server/server_tls_test.go
  • platform-api/plugins/eventgateway/service/websub_api_hmac_secret.go
  • portals/ai-workspace/.gitignore
  • portals/ai-workspace/Makefile
  • portals/ai-workspace/QUICKSTART.md
  • portals/ai-workspace/README.md
  • portals/ai-workspace/bff/internal/config/config.go
  • portals/ai-workspace/bff/internal/config/shipped_config_test.go
  • portals/ai-workspace/bff/internal/tlsutil/tls.go
  • portals/ai-workspace/bff/main.go
  • portals/ai-workspace/configs/config-platform-api-template.toml
  • portals/ai-workspace/configs/config-platform-api.toml
  • portals/ai-workspace/configs/config-template.toml
  • portals/ai-workspace/configs/config.toml
  • portals/ai-workspace/docker-compose.yaml
  • portals/ai-workspace/package.json
  • portals/ai-workspace/production/README.md
  • portals/ai-workspace/setup.sh
  • portals/developer-portal/README.md
  • portals/developer-portal/configs/config-platform-api.toml.example
  • portals/developer-portal/distribution/docker-compose.yaml
  • portals/developer-portal/docker-compose.platform-api.yaml
  • portals/developer-portal/docker-compose.yaml
  • portals/developer-portal/docs/administer/manage-organizations.md
  • portals/developer-portal/docs/introduction/quick-start.md
  • portals/developer-portal/it/configs/config-platform-api-it.toml
  • portals/developer-portal/it/docker-compose.test.postgres.yaml
  • portals/developer-portal/it/docker-compose.test.yaml
  • tests/integration-e2e/README.md
  • tests/integration-e2e/docker-compose.sqlite.yaml
  • tests/integration-e2e/docker-compose.sqlserver.yaml
  • tests/integration-e2e/docker-compose.yaml
  • tests/integration-e2e/platform-api-config.toml

Comment thread distribution/all-in-one/docker-compose.yaml
Comment thread platform-api/config/config.go Outdated
Comment thread platform-api/internal/server/server_tls_test.go
Comment thread platform-api/internal/server/server.go
Comment thread platform-api/internal/server/server.go
Comment thread platform-api/README.md Outdated
Comment thread platform-api/README.md Outdated
Comment thread platform-api/README.md Outdated
Comment thread portals/ai-workspace/setup.sh
Comment thread portals/ai-workspace/setup.sh Outdated
…space setup

- Change references from `keys.env` to `api-platform.env` in various configuration files and documentation to reflect the new environment variable structure.
- Update Docker Compose and setup scripts to utilize the new `api-platform.env` for managing secrets and credentials.
- Revise paths for TLS certificates to ensure they are correctly referenced in the new directory structure.
- Remove the obsolete `.env.example` file and update the `.gitignore` to include `api-platform.env` instead of `keys.env`.
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: github.com/knadh/koanf/providers/confmap
Version: v1.0.0
Allowed range: >=v1.0.0
Approved: ✅ Yes

⚠️ Please verify the scope of the dependencies usage is necessary

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: github.com/knadh/koanf/providers/confmap
Version: v1.0.0
Allowed range: >=v1.0.0
Approved: ✅ Yes

⚠️ Please verify the scope of the dependencies usage is necessary

- Changed the setup script reference from `./setup.sh` to `./scripts/setup.sh` in the AI Workspace quickstart guide.
- Updated instructions for rotating the admin password to use the new script path.
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: github.com/knadh/koanf/providers/confmap
Version: v1.0.0
Allowed range: >=v1.0.0
Approved: ✅ Yes

⚠️ Please verify the scope of the dependencies usage is necessary

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 15, 2026
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 15, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: github.com/knadh/koanf/providers/confmap
Version: v1.0.0
Allowed range: >=v1.0.0
Approved: ✅ Yes

⚠️ Please verify the scope of the dependencies usage is necessary

1 similar comment
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: github.com/knadh/koanf/providers/confmap
Version: v1.0.0
Allowed range: >=v1.0.0
Approved: ✅ Yes

⚠️ Please verify the scope of the dependencies usage is necessary

- Added a step in the GitHub Actions workflow to export quickstart credentials as environment variables for subsequent job steps.
- Updated JWT configuration in multiple TOML files to include `skip_validation` option, ensuring consistency across platform API, integration tests, and developer portal configurations.
@github-actions

Copy link
Copy Markdown
Contributor

Dependency Validation Results

Dependency name: github.com/knadh/koanf/providers/confmap
Version: v1.0.0
Allowed range: >=v1.0.0
Approved: ✅ Yes

⚠️ Please verify the scope of the dependencies usage is necessary

- Removed deprecated DevPortal integration settings from `config-template.toml` and `config.toml`.
- Updated `default_config.go` to set DevPortal integration as disabled by default.
- Simplified `docker-compose.yaml` by removing unnecessary comments and clarifying service configurations.
- Enhanced `setup.sh` to streamline the provisioning of TLS certificates and secrets, with improved documentation in `README.md`.
- Adjusted AI Workspace and Platform API configuration files to reflect changes in environment variable handling and TLS settings.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
portals/ai-workspace/README.md (1)

293-300: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Set the BFF to OIDC mode in the OIDC setup.

This section enables Platform API IDP authentication but explicitly says to leave auth_mode = "basic". Following these instructions leaves the BFF on file-based login, so the documented OIDC flow cannot work. Set auth_mode = "oidc" (or APIP_AIW_AUTH_MODE=oidc) and describe basic mode as the alternative quickstart configuration.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@portals/ai-workspace/README.md` around lines 293 - 300, The OIDC setup
instructions leave the BFF in basic mode, preventing the documented OIDC flow.
Update the `[oidc]` configuration to set `auth_mode = "oidc"` (or the equivalent
`APIP_AIW_AUTH_MODE=oidc`), and describe `auth_mode = "basic"` only as the
alternative file-based quickstart configuration.
platform-api/config/config-template.toml (1)

129-137: 🔒 Security & Privacy | 🔴 Critical | 🏗️ Heavy lift

Replace symmetric HMAC keys with asymmetric keys for JWT validation.

The configuration relies on symmetric HMAC (secret_key) for JWT signatures. As per coding guidelines, when verifying JWT signatures, allow only asymmetric signing methods such as RSA/RSA-PSS/EdDSA and explicitly reject symmetric algorithms (HS256/HS384/HS512).

  • platform-api/config/config-template.toml#L129-L137: Update the [auth.jwt] section to require an asymmetric public key (e.g., public_key_path) instead of a symmetric secret_key, and remove HMAC references.
  • platform-api/config/config-template.toml#L26-L27: Change the quickstart instructions to generate an asymmetric keypair (e.g., using openssl genpkey) rather than a random hex string for JWT auth.
  • platform-api/config/config.toml#L49-L53: Update the shipped configuration defaults to align with asymmetric JWT validation.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@platform-api/config/config-template.toml` around lines 129 - 137, Replace
symmetric JWT HMAC configuration with asymmetric public-key validation: in
platform-api/config/config-template.toml lines 129-137, update the [auth.jwt]
settings to use a public key path and remove secret_key/HMAC references; in
lines 26-27, change quickstart key generation to create an asymmetric keypair
with openssl genpkey; and in platform-api/config/config.toml lines 49-53, align
the shipped JWT defaults with the public-key configuration and restrict
validation to asymmetric algorithms.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@platform-api/config/config-template.toml`:
- Around line 331-333: Add a TOML comment immediately above private_key_path
documenting the existing RSA dependency and marking it with “TODO(pqc):
migrate,” including the applicable tracking issue if one is available. Keep the
current configuration key and explanatory comments unchanged.

In `@portals/ai-workspace/bff/internal/server/composite_handlers_test.go`:
- Around line 298-302: The authentication failure response is using a
nonstandard code/message payload. Update the corresponding handler and, if
needed, writeErrorJSON to return exactly
{"error":"unauthorized","message":"Invalid or expired credentials."}, then
revise the assertions in the affected test to validate those fields and values.

In `@portals/ai-workspace/README.md`:
- Around line 267-285: The README setup instructions currently imply that
api-platform.env is loaded into both services, exposing Platform API secrets to
the BFF. Update the docker-compose configuration and documented environment
setup so the BFF receives only APIP_AIW_* values, while the Platform API retains
its APIP_CP_* settings and secrets; preserve the required shared IDP
configuration for the service that consumes it.
- Around line 445-460: Update the TLS setup documentation around setup.sh and
docker-compose.yaml to require separate certificate/key pairs for the
platform-api and ai-workspace services, rather than sharing
resources/certificates/cert.pem and key.pem. Document the dedicated CA trust
configuration needed for each service and adjust the replacement and restart
instructions to match the isolated certificate paths and mounts.

---

Outside diff comments:
In `@platform-api/config/config-template.toml`:
- Around line 129-137: Replace symmetric JWT HMAC configuration with asymmetric
public-key validation: in platform-api/config/config-template.toml lines
129-137, update the [auth.jwt] settings to use a public key path and remove
secret_key/HMAC references; in lines 26-27, change quickstart key generation to
create an asymmetric keypair with openssl genpkey; and in
platform-api/config/config.toml lines 49-53, align the shipped JWT defaults with
the public-key configuration and restrict validation to asymmetric algorithms.

In `@portals/ai-workspace/README.md`:
- Around line 293-300: The OIDC setup instructions leave the BFF in basic mode,
preventing the documented OIDC flow. Update the `[oidc]` configuration to set
`auth_mode = "oidc"` (or the equivalent `APIP_AIW_AUTH_MODE=oidc`), and describe
`auth_mode = "basic"` only as the alternative file-based quickstart
configuration.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 14570c2f-b671-4bbc-a404-a0d32f8996dc

📥 Commits

Reviewing files that changed from the base of the PR and between f778128 and aa7f162.

📒 Files selected for processing (26)
  • .github/workflows/ai-workspace-pr-check.yml
  • docs/ai-workspace/authentication/asgardeo-setup.md
  • docs/ai-workspace/authentication/oidc-auth.md
  • docs/ai-workspace/configuration.md
  • docs/ai-workspace/features/secrets-management.md
  • platform-api/config/config-template.toml
  • platform-api/config/config.toml
  • platform-api/config/default_config.go
  • portals/ai-workspace/.env.example
  • portals/ai-workspace/.gitignore
  • portals/ai-workspace/Makefile
  • portals/ai-workspace/QUICKSTART.md
  • portals/ai-workspace/README.md
  • portals/ai-workspace/bff/internal/config/config.go
  • portals/ai-workspace/bff/internal/config/shipped_config_test.go
  • portals/ai-workspace/bff/internal/server/composite_handlers_test.go
  • portals/ai-workspace/configs/config-platform-api.toml
  • portals/ai-workspace/configs/config-template.toml
  • portals/ai-workspace/configs/config.toml
  • portals/ai-workspace/distribution/README.md
  • portals/ai-workspace/docker-compose.yaml
  • portals/ai-workspace/production/README.md
  • portals/ai-workspace/setup.sh
  • portals/developer-portal/distribution/docker-compose.yaml
  • portals/developer-portal/docker-compose.yaml
  • portals/developer-portal/it/configs/config-platform-api-it.toml
💤 Files with no reviewable changes (1)
  • portals/ai-workspace/.env.example
🚧 Files skipped from review as they are similar to previous changes (7)
  • portals/ai-workspace/production/README.md
  • portals/ai-workspace/bff/internal/config/shipped_config_test.go
  • portals/ai-workspace/configs/config-platform-api.toml
  • docs/ai-workspace/configuration.md
  • portals/ai-workspace/configs/config.toml
  • portals/ai-workspace/configs/config-template.toml
  • portals/ai-workspace/bff/internal/config/config.go

Comment thread platform-api/config/config-template.toml
Comment thread portals/ai-workspace/bff/internal/server/composite_handlers_test.go Outdated
Comment thread portals/ai-workspace/README.md
Comment thread portals/ai-workspace/README.md Outdated
thivindu added a commit to thivindu/api-platform that referenced this pull request Jul 15, 2026
- Removed deprecated file-based authentication settings from `config.toml`.
- Enhanced `README.md` to clarify production setup for OIDC client secrets and TLS certificate usage.
- Updated error messages in `composite_handlers.go` and `composite_handlers_test.go` to provide clearer feedback for unauthorized access.
- Modified environment variable handling in `config-platform-api.toml` and `config-template.toml` for improved flexibility.
- Ensured TLS certificate permissions are set correctly in `docker-compose` files for integration tests.
- Introduced new intercepts for GET requests to fetch server details in the Cypress tests for MCP secret management.
- Ensured that the tests wait for the server details to be fetched before proceeding with tab navigation, preventing race conditions.
- Updated test logic to improve reliability and accuracy in the server management workflow.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
tests/integration-e2e/docker-compose.yaml (1)

52-59: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Make all certificate-generation init containers fail closed.

A failed openssl req can be masked by a successful final chmod, causing Compose to consider certgen successful while platform-api has unusable TLS files.

  • tests/integration-e2e/docker-compose.yaml#L52-L59: add set -e/set -eu or chain generation and permission updates with &&.
  • tests/integration-e2e/docker-compose.sqlserver.yaml#L51-L58: apply the same fail-closed shell handling.
  • tests/integration-e2e/docker-compose.sqlite.yaml#L12-L19: apply the same fail-closed shell handling.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/integration-e2e/docker-compose.yaml` around lines 52 - 59, Make every
certificate-generation init container fail closed by enabling strict shell error
handling or chaining the OpenSSL generation and chmod commands. Update the
certificate-generation blocks in tests/integration-e2e/docker-compose.yaml lines
52-59, tests/integration-e2e/docker-compose.sqlserver.yaml lines 51-58, and
tests/integration-e2e/docker-compose.sqlite.yaml lines 12-19 so a failed openssl
req propagates a nonzero exit status and cannot be masked by chmod.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@portals/ai-workspace/bff/internal/server/composite_handlers.go`:
- Line 138: Replace the authentication failure response in writeErrorJSON’s
handler path with the exact payload {"error":"unauthorized","message":"Invalid
or expired credentials."} rather than the code-based helper output. In
portals/ai-workspace/bff/internal/server/composite_handlers.go lines 138-138,
write the standardized JSON directly; in
portals/ai-workspace/bff/internal/server/composite_handlers_test.go lines
298-302, update assertions from body["code"] to body["error"] equal to
"unauthorized".

In `@portals/ai-workspace/README.md`:
- Line 463: Update the certificate replacement instructions in the README to
explicitly restart the affected services, replacing `docker compose up -d` with
`docker compose restart` or `docker compose up -d --force-recreate` so
containers reload the new certificates.

In `@tests/integration-e2e/docker-compose.yaml`:
- Around line 57-59: Restrict generated TLS private keys by changing ownership
to UID 10001 and permissions to 0600. Apply this in
tests/integration-e2e/docker-compose.yaml lines 57-59,
tests/integration-e2e/docker-compose.sqlserver.yaml lines 56-58, and
tests/integration-e2e/docker-compose.sqlite.yaml lines 17-19.

---

Outside diff comments:
In `@tests/integration-e2e/docker-compose.yaml`:
- Around line 52-59: Make every certificate-generation init container fail
closed by enabling strict shell error handling or chaining the OpenSSL
generation and chmod commands. Update the certificate-generation blocks in
tests/integration-e2e/docker-compose.yaml lines 52-59,
tests/integration-e2e/docker-compose.sqlserver.yaml lines 51-58, and
tests/integration-e2e/docker-compose.sqlite.yaml lines 12-19 so a failed openssl
req propagates a nonzero exit status and cannot be masked by chmod.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b88f8f34-471b-4c7b-9241-f50ecd01fb45

📥 Commits

Reviewing files that changed from the base of the PR and between aa7f162 and 6f032dc.

📒 Files selected for processing (13)
  • platform-api/README.md
  • platform-api/config/config.go
  • platform-api/config/config.toml
  • platform-api/internal/server/server.go
  • portals/ai-workspace/README.md
  • portals/ai-workspace/bff/internal/server/composite_handlers.go
  • portals/ai-workspace/bff/internal/server/composite_handlers_test.go
  • portals/ai-workspace/configs/config-platform-api.toml
  • portals/ai-workspace/configs/config-template.toml
  • portals/ai-workspace/cypress/e2e/002-mcp-proxies/004-mcp-secret-management-update.cy.js
  • tests/integration-e2e/docker-compose.sqlite.yaml
  • tests/integration-e2e/docker-compose.sqlserver.yaml
  • tests/integration-e2e/docker-compose.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • platform-api/internal/server/server.go

Comment thread portals/ai-workspace/bff/internal/server/composite_handlers.go
Comment thread portals/ai-workspace/README.md Outdated
Comment thread tests/integration-e2e/docker-compose.yaml Outdated
- Enhanced README.md to clarify the use of `--force-recreate` when restarting the Docker stack to ensure new certificates are loaded.
- Modified `docker-compose` files for SQLite, SQL Server, and general integration tests to improve TLS certificate permissions by changing ownership and restricting access to the private key.
- Added error handling with `set -e` to ensure the script exits on failure during certificate generation.
@Thushani-Jayasekera

Copy link
Copy Markdown
Contributor Author

@CodeRabbit approve

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.

@Thushani-Jayasekera

Copy link
Copy Markdown
Contributor Author

@CodeRabbit review

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@Thushani-Jayasekera

Copy link
Copy Markdown
Contributor Author

@CodeRabbit approve

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Comments resolved and changes approved.

@Thushani-Jayasekera
Thushani-Jayasekera merged commit dcc0d77 into wso2:main Jul 15, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants