
# E.D.D.I โ Multi-Agent Orchestration Middleware for Conversational AI
[](https://www.bestpractices.dev/projects/12355) [](https://securityscorecards.dev/viewer/?uri=github.com/labsai/EDDI) [](https://app.codacy.com/organizations/gh/labsai/dashboard?utm_source=github.com&utm_medium=referral&utm_content=labsai/EDDI&utm_campaign=Badge_Grade)
[](https://github.com/labsai/EDDI/actions/workflows/ci.yml) [](https://github.com/labsai/EDDI/actions/workflows/codeql.yml)  
[](https://hub.docker.com/r/labsai/eddi) [](https://github.com/labsai/EDDI/releases) [](AGENTS.md)
**E.D.D.I** (Enhanced Dialog Driven Interface) is a production-grade, **config-driven multi-agent orchestration middleware** for conversational AI. It coordinates users, AI agents, and business systems through **intelligent routing, persistent memory, and API orchestration** โ without writing code.
Built with **Java 25** and **Quarkus**. Ships as a **Red Hat-certified Docker image**. Selected as a **UNIDO Trusted Partner** for Industrial AI. Native support for **MCP** (Model Context Protocol), **A2A** (Agent-to-Agent), **Slack**, **OpenAPI**, and **OAuth 2.0**.
[Website](https://eddi.labs.ai/) ยท [Documentation](https://docs.labs.ai/) ยท License: Apache 2.0
---
## ๐ Table of Contents
- [๐ Quick Start](#-quick-start)
- [๐ก Why EDDI?](#-why-eddi)
- [๐ธ See It In Action](#-see-it-in-action)
- [โจ Features](#-features)
- [๐ Documentation](#-documentation)
- [๐ Compliance & Privacy](#-compliance--privacy)
- [๐๏ธ Development](#๏ธ-development)
- [Prerequisites](#prerequisites)
- [Quarkus Dev Mode](#quarkus-dev-mode)
- [Maven Command Reference](#maven-command-reference)
- [Build & Docker](#build--docker)
- [Kubernetes](#๏ธ-kubernetes)
- [๐ค Contributing](#-contributing)
- [๐ Security](#-security)
- [๐ Code of Conduct](#-code-of-conduct)
---
## ๐ Quick Start
The fastest way to get EDDI running is the **one-command installer**. It sets up EDDI + your choice of database via Docker Compose, deploys the [Agent Father](docs/agent-father-deep-dive.md) starter agent, and walks you through creating your first AI agent.
**Linux / macOS / WSL2:**
```bash
curl -fsSL https://raw.githubusercontent.com/labsai/EDDI/main/install.sh | bash
```
**Windows (PowerShell):**
```powershell
Invoke-WebRequest -UseBasicParsing -Uri "https://raw.githubusercontent.com/labsai/EDDI/main/install.ps1" -OutFile "install.ps1"
Unblock-File .\install.ps1
.\install.ps1
```
Requires [Docker](https://docs.docker.com/get-docker/). The wizard auto-generates a unique vault encryption key for secret management.
๐ง Installer options
```bash
bash install.sh --defaults # All defaults, no prompts
bash install.sh --db=postgres --with-auth # PostgreSQL + Keycloak
bash install.sh --full # Everything enabled (DB + auth + monitoring)
bash install.sh --local # Build Docker image from local source
```
The `--local` flag is for contributors testing pre-release builds:
```bash
./mvnw package -DskipTests # Build the Java app
bash install.sh --local # Build Docker image + start containers
```
### ๐ Updating
The installer creates an `eddi` CLI wrapper that makes updating easy:
```bash
eddi update
```
This pulls the latest Docker image from the registry and restarts the containers. It works even when the same tag (e.g. `latest`) was re-published โ Docker always checks the remote digest for changes.
> **`eddi` command not found?** The CLI lives at `~/.eddi/eddi` (Linux/macOS) or `~/.eddi/eddi.cmd` (Windows). Either restart your terminal so the PATH takes effect, or use the full path:
>
> ```bash
> # Linux / macOS
> ~/.eddi/eddi update
>
> # Windows (PowerShell)
> & "$HOME\.eddi\eddi.cmd" update
> ```
Manual update (without the CLI)
If the `eddi` CLI isn't available, run the equivalent docker commands from your install directory (`~/.eddi` by default):
```bash
cd ~/.eddi
docker compose --env-file .env -f docker-compose.yml pull
docker compose --env-file .env -f docker-compose.yml up -d
```
Adjust the `-f` flags to match your setup (e.g. add `-f docker-compose.auth.yml` if using Keycloak).
### ๐ณ Docker Compose (Manual)
If you prefer manual control over Docker Compose:
```bash
# Default (EDDI + MongoDB)
docker compose up
# PostgreSQL instead of MongoDB
EDDI_DATASTORE_TYPE=postgres docker compose -f docker-compose.yml -f docker-compose.postgres.yml up
# With Keycloak authentication
docker compose -f docker-compose.yml -f docker-compose.auth.yml up
# With Prometheus + Grafana monitoring
docker compose -f docker-compose.yml -f docker-compose.monitoring.yml up
# Full stack (all overlays)
docker compose -f docker-compose.yml -f docker-compose.auth.yml \
-f docker-compose.monitoring.yml -f docker-compose.nats.yml up
```
Available compose overlays: `docker-compose.auth.yml` (Keycloak), `docker-compose.monitoring.yml` (Prometheus+Grafana), `docker-compose.nats.yml` (NATS JetStream), `docker-compose.postgres.yml` / `docker-compose.postgres-only.yml`, `docker-compose.local.yml` (build from source).
```bash
docker pull labsai/eddi # Pull latest from Docker Hub
```
โ [hub.docker.com/r/labsai/eddi](https://hub.docker.com/r/labsai/eddi)
---
## ๐ก Why EDDI?
Most multi-agent frameworks (LangGraph, CrewAI, AutoGen) are Python/Node libraries โ great for prototyping, hard to govern in production. EDDI approaches from the opposite direction: **a deterministic engine built to safely govern non-deterministic AI.**
| Dimension | Typical Python/Node Frameworks | EDDI |
| ------------------ | ---------------------------------------- | --------------------------------------------------------------------------- |
| **Concurrency** | GIL or single-threaded event loop | Java 25 Virtual Threads โ true OS-level parallelism |
| **Agent Logic** | Embedded in application code | Versioned JSON configurations โ update behavior without redeployment |
| **Security Model** | Often relies on sandboxed code execution | No dynamic code execution at all; envelope-encrypted vault, SSRF protection |
| **Compliance** | Requires custom implementation | GDPR, HIPAA, EU AI Act infrastructure built-in |
| **Audit Trail** | Application-level logging | HMAC-SHA256 immutable ledger with cryptographic agent signing |
| **Deployment** | pip/npm + manual infrastructure | One-command Docker install, Kubernetes/OpenShift-ready |
> _"The engine is strict so the AI can be creative."_ โ [Project Philosophy](docs/project-philosophy.md)
---
## ๐ธ See It In Action
|
๐ Dashboard
Platform overview with active agents, workflows, quick actions, and recent conversations
|
๐ค Agent Fleet
All deployed agents at a glance with status, descriptions, and one-click chat
|
|
๐ฌ Live Conversation
Real-time conversation with visible actions, step timing, and tool calls
|
๐ฃ๏ธ Multi-Agent Debate
Peer Review with phased discussion: Opinion โ Critique โ Revision โ Synthesis
|
|
๐ก๏ธ Secrets Vault
Envelope-encrypted secrets with rotation tracking, checksums, and per-agent access control
|
๐ฐ Tenant Quotas
Rate limits, cost budgets, and live usage monitoring per tenant
|
More screenshots: LLM Config, Logs, User Memory, Schedules, Agent Detail
|
โก LLM Task Configuration
System prompt, model parameters, cascading, RAG, context window, and budget settings
|
๐ Real-Time Logs
Live log stream with per-call cost tracking, token counts, warnings, and errors
|
|
๐ง Persistent User Memory
Cross-session memory with categorized entries, visibility scoping, and conflict detection
|
โฐ Scheduled Execution
Cron jobs and heartbeats with fire history, retry logic, and dead-letter tracking
|
|
๐ง Agent Detail
Full agent config: environments, workflows, A2A, security, capabilities, and memory policy
|
|
---
## โจ Features
### ๐ค Multi-Agent Orchestration
- ๐ **Intelligent Routing** โ Direct conversations to different agents based on context, rules, and intent
- ๐ฃ๏ธ **Group Conversations** โ Multi-agent debates with 6 built-in discussion styles: Round Table, Peer Review, Devil's Advocate, Delphi, Debate, and Task Force
- ๐ฌ **Slack Integration** โ Deploy agents to Slack channels and run multi-agent debates directly in threads
- ๐ช **Nested Groups** โ Compose groups of groups for tournament brackets, red-team vs blue-team, and panel reviews
- ๐ค **Dynamic Agents** โ Create, recruit, and delegate to new agents at runtime during group discussions with configurable guardrails
- ๐ฅ **Managed Conversations** โ Intent-based auto-routing with one conversation per user per intent
- ๐ฏ **Capability Matching** โ Discover and route to agents by skill, confidence score, and custom attributes
- ๐ง **Agent Father** โ Meta-agent that creates other agents through conversation (ships out of the box)
### ๐ง LLM Provider Support (12 Providers)
| Category | Providers |
| -------------------- | --------------------------------------------------------------------- |
| **Cloud APIs** | OpenAI ยท Anthropic Claude ยท Google Gemini ยท Mistral AI |
| **Enterprise Cloud** | Azure OpenAI ยท Amazon Bedrock ยท Oracle GenAI ยท Google Vertex AI |
| **Self-Hosted** | Ollama ยท Jlama ยท Hugging Face |
| **Compatible** | Any OpenAI-compatible endpoint (DeepSeek, Cohere, etc.) via `baseUrl` |
### ๐ Standards & Interoperability
EDDI implements open standards โ not proprietary APIs:
| Standard | Role | What It Enables |
| -------------------------------------------------------------------- | ------------------------------- | -------------------------------------------------------------------------------------------------------- |
| **[MCP](https://modelcontextprotocol.io/)** (Model Context Protocol) | Server (60+ tools) + Client | Control EDDI from Antigravity, Claude Desktop, Cursor, Windsurf, or any MCP client โ [setup guide](docs/mcp-server.md#client-configuration). Connect agents to external MCP tool servers |
| **[A2A](https://google.github.io/A2A/)** (Agent-to-Agent Protocol) | Full implementation | Cross-platform agent communication, Agent Cards, and skill discovery |
| **[OpenAPI](https://www.openapis.org/)** 3.1 | Native generation + consumption | Auto-generated spec. Paste any OpenAPI spec โ get a fully deployed API-calling agent |
| **OAuth 2.0 / OIDC** | Keycloak integration | Authentication, authorization, and multi-tenant isolation |
| **SSE** (Server-Sent Events) | Streaming transport | Real-time chat responses, group discussion feeds, and live log streaming |
### ๐ญ Memory & Context Management
- ๐พ **Persistent User Memory** โ Agents remember facts, preferences, and context across conversations via structured key-value entries with visibility scoping (`global`, `agent`, `group`)
- ๐ง **LLM Memory Tools** โ Built-in tools agents can call to read, write, and search their own persistent memory
- ๐ค **Dream Consolidation** โ Background memory maintenance: stale entry pruning, contradiction detection, and fact summarization (inspired by [Anthropic's](https://www.anthropic.com/research) research on background memory consolidation)
- ๐ช **Token-Aware Windowing** โ Intelligent context packing with model-specific tokenizer support and anchored opening steps
- ๐ **Rolling Summary** โ Incremental LLM-powered summarization of older turns with a **Conversation Recall Tool** for drill-back into compressed history
- ๐ง **Property Extraction** โ Config-driven slot-filling with `longTerm` / `conversation` / `step` scoping โ EDDI's importance extraction mechanism
- ๐ก๏ธ **Memory Policy (Commit Flags)** โ Strict write discipline marks failed task output as uncommitted (hidden from LLM context) and injects concise error digests for graceful degradation
- ๐ **Conversation State** โ Full history with undo/redo support
### ๐ RAG (Retrieval-Augmented Generation)
- ๐ฆ **7 Embedding Providers** โ OpenAI, Ollama, Azure OpenAI, Mistral, Bedrock, Cohere, Vertex AI
- ๐๏ธ **5 Vector Stores** โ pgvector, In-Memory, MongoDB Atlas, Elasticsearch, Qdrant
- ๐ **httpCall RAG** โ Zero-infrastructure RAG via any search API (BM25, Elasticsearch, custom)
- ๐ฅ **REST Ingestion API** โ Async document ingestion with status tracking
### ๐ ๏ธ Built-In AI Agent Tools
| Tool | Description |
| ---------------------------------------------- | ----------------------------------------------------------------------------- |
| ๐ **Web Search** | DuckDuckGo or Google Custom Search |
| ๐งฎ **Calculator** | Sandboxed recursive-descent math parser (no `eval()`, no code injection) |
| ๐ **Web Scraper** | SSRF-protected content extraction from web pages |
| ๐ **PDF Reader** | SSRF-protected document extraction |
| โ๏ธ **Weather** ยท ๐ **DateTime** | Real-time data tools |
| ๐ **Data Formatter** ยท ๐ **Text Summarizer** | Data transformation tools |
| ๐ **HTTP Calls as Tools** | Expose your own REST APIs as LLM-callable tools with full security sandboxing |
| ๐ง **User Memory** | Read/write/search persistent user memory |
| ๐ **Conversation Recall** | Drill back into summarized conversation history |
| ๐ **Multimodal Attachments** | Image, PDF, audio, and video input with MIME-based routing |
### โฐ Scheduled Execution & Heartbeats
- ๐ซ **Heartbeat Triggers** โ Periodic agent wake-ups at configurable intervals for proactive behavior (inspired by [OpenClaw's](https://openclaw.ai) heartbeat architecture)
- โฒ๏ธ **Cron Scheduling** โ Standard cron expressions for timed agent execution
- ๐ **Conversation Strategies** โ `persistent` (reuse same conversation across fires) or `new` (fresh context each time)
- ๐ **Fire Logging** โ Complete execution history with status, duration, cost tracking, and retry logic
- ๐ **Dream Cycles** โ Scheduled background memory consolidation with cost ceilings per run
### ๐ Smart Model Cascading
- ๐ **Cost Optimization** โ Try cheap/fast models first, escalate to powerful models only when confidence is low
- ๐ **4 Confidence Strategies** โ Structured output, heuristic, judge model, or none
- ๐ฐ **Per-Conversation Budgets** โ Automatic cost tracking with budget caps and eviction
- ๐ข **Tenant Cost Ceilings** โ Monthly cost budgets per tenant with automatic enforcement
### ๐ Enterprise Security & Compliance
Security Architecture
- ๐ฆ **Secrets Vault** โ Envelope encryption (PBKDF2 + AES-256) with tenant-scoped DEK/KEK rotation. Never plaintext in DB
- ๐ก๏ธ **SSRF Protection** โ All tools validate URLs against private IPs, internal hostnames, and non-HTTP schemes before any request
- ๐ **Sandboxed Evaluation** โ Recursive-descent math parser only. No `eval()`, no script engines, no reflection-based execution
- ๐ **OAuth 2.0 / Keycloak** โ Multi-tenant authentication, authorization, and role-based access control
- โ๏ธ **Agent Signing** โ Ed25519 cryptographic identity per agent; audit entries signed with agent private keys
- ๐ซ **No Dynamic Code Execution** โ Custom logic runs in external MCP servers, outside the EDDI security perimeter
Regulatory Compliance
| Regulation | EDDI Support |
| ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| **[EU AI Act](https://artificialintelligenceact.eu/)** | Immutable HMAC-SHA256 audit ledger, decision traceability, risk classification guidance |
| **[GDPR](https://gdpr.eu/)** | Cascading data erasure (Art. 17), data portability (Art. 15/20), restriction of processing (Art. 18), per-category retention, pseudonymization |
| **[CCPA](https://oag.ca.gov/privacy/ccpa)** | Right to delete, right to know, data portability |
| **[HIPAA](https://www.hhs.gov/hipaa/)** | Deployment guide, BAA template, LLM provider BAA matrix, session timeout guidance |
| **International** | PIPEDA ๐จ๐ฆ ยท LGPD ๐ง๐ท ยท APPI ๐ฏ๐ต ยท POPIA ๐ฟ๐ฆ ยท PDPA ๐ธ๐ฌ๐น๐ญ๐ฒ๐พ ยท PIPL ๐จ๐ณ compatibility documented |
- ๐ **Audit Ledger** โ Every agent decision recorded in a write-once, HMAC-secured, append-only ledger
- ๐ **Compliance Startup Checks** โ Advisory warnings on boot for TLS and database encryption gaps
- ๐๏ธ **GDPR Orchestration** โ One-call cascading erasure across 6 stores + audit trail pseudonymization
- ๐ค **Data Portability** โ Complete user data export (memories, conversations, audit entries) via REST and MCP
### โ๏ธ Configuration-Driven Architecture
- ๐ **JSON Configs, Not Code** โ Agent behavior defined in versioned, diffable JSON documents
- ๐ง **Lifecycle Pipeline** โ Pluggable task pipeline: Input โ Parse โ Rules โ API/LLM โ Output
- ๐ฆ **Composable Agents** โ Agents assembled from reusable, version-controlled workflows and extensions
- ๐งช **Behavior Rules** โ IF-THEN logic engine for routing, orchestration, and business logic
- ๐ค **Import / Export** โ Agents portable as ZIP files with automatic secret scrubbing on export
- ๐ **Agent Sync** โ Live instance-to-instance sync with structural matching, content diffing, and selective resource picking โ no ZIP intermediary needed
- ๐ **Prompt Snippets** โ Reusable, versioned system prompt building blocks available as `{{snippets.safety_rules}}`
- ๐ **Content Type Routing** โ MIME-based behavior rule conditions for multimodal attachment routing
### ๐ Cloud-Native & Observable
- ๐ณ **One-Command Install** โ Interactive wizard sets up EDDI + database + starter agent via Docker
- โธ๏ธ **Kubernetes / OpenShift** โ Kustomize overlays, Helm charts, HPA, PDB, NetworkPolicy
- ๐ **Prometheus & Grafana** โ 50+ Micrometer metrics at `/q/metrics` (tools, vault, memory, scheduling, conversations). Pre-built [Grafana dashboard](docs/monitoring/eddi-grafana-dashboard.json) included
- ๐ญ **OpenTelemetry Tracing** โ Per-task distributed traces via OTLP (Jaeger, Tempo, Datadog). Every pipeline task emits spans with `task.id`, `task.type`, `conversation.id`, and `agent.id`
- ๐ฉบ **Health Checks** โ Liveness & readiness probes at `/q/health/live` and `/q/health/ready`
- ๐ **NATS JetStream** โ Async event bus for distributed processing
- โก **Virtual Threads** โ Java 25 virtual threads for true OS-level concurrency (no Python GIL or Node.js event loop bottleneck)
- ๐๏ธ **DB-Agnostic** โ Choose MongoDB or PostgreSQL; switch with one env var. Single Docker image for both
- ๐๏ธ **Red Hat Certified** โ Container certification with automated preflight checks in CI/CD
> **๐ Monitoring Guide:** See [docs/monitoring/monitoring-guide.md](docs/monitoring/monitoring-guide.md) for architecture overview, metrics reference, alerting rules, and a production checklist.
### ๐ฅ๏ธ Manager Dashboard & Chat UI
- ๐จ **React 19 Manager** โ Modern admin dashboard for agent building, testing, deployment, and monitoring
- ๐ฌ **Chat Widget** โ Embeddable React chat UI with SSE streaming and Keycloak auth
- ๐ **Audit Trail Viewer** โ Timeline-based compliance and debugging UI
- ๐ **Logs Panel** โ Live SSE log streaming + searchable history
- ๐ **Secrets Manager** โ Write-only vault UI with copy-reference support
- ๐ **11 Languages** โ English, German, Spanish, French, Portuguese, Chinese, Japanese, Korean, Arabic (RTL), Hindi, Thai
---
## ๐ Documentation
| Guide | Description |
| ------------------------------------------------------------ | -------------------------------------------------- |
| **[Getting Started](docs/getting-started.md)** | Setup and first steps |
| **[Developer Quickstart](docs/developer-quickstart.md)** | Build your first agent in 5 minutes |
| **[Architecture](docs/architecture.md)** | Deep dive into EDDI's design and pipeline |
| **[LLM Configuration](docs/langchain.md)** | Connecting to 12 LLM providers |
| **[Behavior Rules](docs/behavior-rules.md)** | Configuring agent routing logic |
| **[HTTP Calls](docs/httpcalls.md)** | External API integration |
| **[RAG](docs/rag.md)** | Knowledge base retrieval setup |
| **[MCP Server](docs/mcp-server.md)** | 60+ tools for AI-assisted agent management |
| **[A2A Protocol](docs/a2a-protocol.md)** | Agent-to-Agent peer communication |
| **[Slack Integration](docs/slack-integration.md)** | Deploy agents to Slack and run group discussions |
| **[Group Conversations](docs/group-conversations.md)** | Multi-agent debate orchestration |
| **[User Memory](docs/user-memory.md)** | Cross-conversation fact retention |
| **[Memory Policy](docs/memory-policy.md)** | Commit flags and strict write discipline |
| **[Model Cascading](docs/model-cascade.md)** | Cost-optimized multi-model routing |
| **[Scheduling & Heartbeats](docs/scheduling.md)** | Cron schedules, heartbeats, dream consolidation |
| **[Agent Sync](docs/agent-sync-guide.md)** | Live instance-to-instance sync and upgrade imports |
| **[Import / Export](docs/import-export-an-agent.md)** | ZIP-based agent portability and merge |
| **[Prompt Snippets](docs/prompt-snippets-guide.md)** | Reusable system prompt building blocks |
| **[Attachments](docs/attachments-guide.md)** | Multimodal attachment pipeline |
| **[Capability Matching](docs/capability-match-guide.md)** | A2A skill discovery and routing |
| **[Security](docs/security.md)** | SSRF protection, sandboxing, and hardening |
| **[Secrets Vault](docs/secrets-vault.md)** | Envelope encryption and auto-vaulting |
| **[Audit Ledger](docs/audit-ledger.md)** | EU AI Act-compliant audit trail |
| **[Kubernetes](docs/kubernetes.md)** | Deploy with Kustomize or Helm |
| **[Monitoring & Tracing](docs/monitoring/monitoring-guide.md)** | Prometheus, Grafana, OpenTelemetry, alerting |
| **[Red Hat & OpenShift](docs/redhat-openshift.md)** | RHEL support, certified container, automated release |
| **[Agent Father Deep Dive](docs/agent-father-deep-dive.md)** | How the meta-agent works |
| **[Full Documentation](https://docs.labs.ai/)** | Complete documentation site |
---
## ๐ Compliance & Privacy
EDDI provides built-in infrastructure for regulatory compliance:
| Guide | Covers |
| -------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- |
| **[GDPR / CCPA](docs/gdpr-compliance.md)** | Data erasure, export, Art. 18 restriction of processing, per-category retention, and consent guidance |
| **[HIPAA](docs/hipaa-compliance.md)** | Healthcare deployment guide โ encryption, BAAs, LLM provider matrix, session management |
| **[EU AI Act](docs/eu-ai-act-compliance.md)** | AI risk classification, decision traceability, immutable audit ledger |
| **[Privacy & Data Processing](PRIVACY.md)** | Data flows, LLM provider matrix, international regulations (PIPEDA, LGPD, APPI, POPIA, PDPA, PIPL) |
| **[Compliance Data Flow](docs/compliance-data-flow.md)** | Single-page data flow diagram for auditors |
| **[Incident Response](docs/incident-response.md)** | Breach response runbook (GDPR 72h, CCPA 45 days, HIPAA 60 days) |
---
## ๐๏ธ Development
### Prerequisites
| Tool | Version | Notes |
| -------------- | ------- | ----------------------------------------------------------------- |
| **Java (JDK)** | 25 | [Eclipse Temurin](https://adoptium.net/) recommended |
| **Maven** | 3.9+ | Bundled via `mvnw` / `mvnw.cmd` wrapper โ no install needed |
| **MongoDB** | 6.0+ | Local instance or Docker (`docker run -d -p 27017:27017 mongo:7`) |
| **Docker** | Latest | For integration tests and container builds |
> **Windows users:** Replace `./mvnw` with `.\mvnw.cmd` in all commands below.
### Quarkus Dev Mode
Dev mode starts the application with **live reload** โ code changes are picked up automatically without restarting:
```bash
# Linux / macOS
./mvnw compile quarkus:dev
# Windows (PowerShell)
.\mvnw.cmd compile quarkus:dev
```
Then open [http://localhost:7070](http://localhost:7070). The Quarkus Dev UI is available at [http://localhost:7070/q/dev](http://localhost:7070/q/dev).
Dev mode also enables:
- **Continuous testing** โ press `r` in the terminal to re-run tests on changes
- **Dev UI** โ browse endpoints, CDI beans, configuration, and health checks
- **Live reload** โ Java and resource changes apply instantly
> **๐ก Secrets Vault:** To use the secrets vault (storing API keys encrypted), set the master key before starting:
>
> ```bash
> # Linux/macOS
> export EDDI_VAULT_MASTER_KEY=my-dev-passphrase
>
> # Windows (PowerShell)
> $env:EDDI_VAULT_MASTER_KEY = "my-dev-passphrase"
>
> # Or in a .env file (already in .gitignore)
> echo "EDDI_VAULT_MASTER_KEY=my-dev-passphrase" > .env
> ```
>
> Without this, the vault is disabled and secret management returns HTTP 503. Any passphrase works for local development. See [Secrets Vault](docs/secrets-vault.md) for production setup.
### Maven Command Reference
| Command | What It Does |
| ------------------------------------------------------------- | --------------------------------------------------------------------------- |
| `./mvnw compile quarkus:dev` | **Start dev mode** with live reload (port 7070) |
| `./mvnw compile` | Compile sources only (fast feedback) |
| `./mvnw clean compile` | Clean build โ delete `target/` and recompile from scratch |
| `./mvnw test` | Run **unit tests** (excludes `*IT.java` integration tests) |
| `./mvnw verify -DskipITs` | Compile + unit tests + package (no integration tests) |
| `./mvnw verify` | **Full build** โ compile + unit tests + integration tests (requires Docker) |
| `./mvnw validate` | Run **Checkstyle** code style checks |
| `./mvnw formatter:format` | **Auto-format** Java sources using the project Eclipse formatter |
| `./mvnw package -DskipTests` | Build the JAR without running tests (for `install.sh --local`) |
| `./mvnw clean package '-Dquarkus.container-image.build=true'` | Build the app **+ Docker image** |
| `./mvnw package -Plicense-gen -DskipTests` | Generate **third-party licenses** (Red Hat certification) |
| `./mvnw quarkus:dev -Dsuspend` | Start dev mode and **wait for debugger** on port 5005 |
| `./mvnw quarkus:dev -Ddebug=false` | Start dev mode **without** the debug agent |
Code coverage
JaCoCo is configured to run automatically during `./mvnw test`. After tests complete, find the coverage report at:
```
target/site/jacoco/index.html
```
Useful system properties
| Property | Default | Description |
| ------------------------------------------- | --------------------------- | ---------------------------------------------- |
| `-Dquarkus.http.port=` | `7070` | Override the HTTP port |
| `-Dquarkus.mongodb.connection-string=` | `mongodb://localhost:27017` | MongoDB connection |
| `-Dquarkus.profile=` | `dev` | Active Quarkus profile (`dev`, `test`, `prod`) |
| `-DskipTests` | `false` | Skip all tests |
| `-DskipITs` | `true` | Skip integration tests only |
### Build & Docker
```bash
# Build app + Docker image
./mvnw clean package '-Dquarkus.container-image.build=true'
# Build without container (for install.sh --local)
./mvnw package -DskipTests
# Generate third-party licenses (Red Hat certification)
./mvnw package -Plicense-gen -DskipTests
```
### โธ๏ธ Kubernetes
```bash
# Quickstart (one-file deployment)
kubectl apply -f https://raw.githubusercontent.com/labsai/EDDI/main/k8s/quickstart.yaml
# Kustomize overlays
kubectl apply -k k8s/overlays/mongodb/ # MongoDB backend
kubectl apply -k k8s/overlays/postgres/ # PostgreSQL backend
# Helm
helm install eddi ./helm/eddi --namespace eddi --create-namespace
```
Includes overlays for auth (Keycloak), monitoring (Prometheus/Grafana), NATS messaging, Ingress, and production hardening (HPA, PDB, NetworkPolicy).
See the [Kubernetes Guide](docs/kubernetes.md) for details.
---
## ๐ค Contributing
We welcome contributions! Please read our [Contributing Guide](CONTRIBUTING.md) for details on setting up your development environment, code style, commit conventions, and the pull request process.
Every PR is automatically checked by CI (build + tests), CodeQL (security), dependency review, and AI-powered code review.
## ๐ Security
EDDI ships with security-by-default for production deployments:
- **Authentication enforced** โ `AuthStartupGuard` fails startup if OIDC is disabled in production without explicit opt-out
- **Secrets encrypted at rest** โ Envelope encryption (PBKDF2 โ AES-256-GCM) with per-deployment salt. Never plaintext in DB
- **SSRF protection** โ All LLM tool HTTP calls go through `SafeHttpClient` with private IP blocking, redirect validation, and scheme enforcement
- **Security headers** โ `X-Content-Type-Options`, `X-Frame-Options`, `Content-Security-Policy` configured out of the box
- **CI/CD security gates** โ Every push/PR is scanned by:
- **CodeQL** โ Semantic SAST analysis with `security-extended` queries
- **Trivy** โ CVE scanning for both filesystem dependencies and Docker images (blocking on CRITICAL/HIGH)
- **Gitleaks** โ Git history scanning to prevent secret/credential leakage
- **ZAP** โ DAST API scanning against the live Docker image (report-only)
- **CycloneDX** โ SBOM generation for supply chain transparency
- **Jazzer** โ Coverage-guided fuzz testing for security-critical parsers (PathNavigator, MatchingUtilities)
- All actions SHA-pinned to prevent supply-chain attacks
For vulnerability reports, see our [Security Policy](SECURITY.md). For architecture details, see [Security Architecture](docs/security.md).
## ๐ Code of Conduct
This project follows the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md).