![EDDI Banner Image](/screenshots/EDDI-Readme-banner-image.webp) # E.D.D.I โ€” Multi-Agent Orchestration Middleware for Conversational AI [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12355/badge?v=2)](https://www.bestpractices.dev/projects/12355) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/labsai/EDDI/badge)](https://securityscorecards.dev/viewer/?uri=github.com/labsai/EDDI) [![Codacy Badge](https://app.codacy.com/project/badge/Grade/2c5d183d4bd24dbaa77427cfbf5d4074)](https://app.codacy.com/organizations/gh/labsai/dashboard?utm_source=github.com&utm_medium=referral&utm_content=labsai/EDDI&utm_campaign=Badge_Grade) [![CI](https://github.com/labsai/EDDI/actions/workflows/ci.yml/badge.svg)](https://github.com/labsai/EDDI/actions/workflows/ci.yml) [![CodeQL](https://github.com/labsai/EDDI/actions/workflows/codeql.yml/badge.svg)](https://github.com/labsai/EDDI/actions/workflows/codeql.yml) ![Tests](https://img.shields.io/badge/tests-9%2C000%2B-brightgreen) ![Coverage](https://img.shields.io/badge/coverage-%3E90%25-brightgreen) [![Docker Pulls](https://img.shields.io/docker/pulls/labsai/eddi)](https://hub.docker.com/r/labsai/eddi) [![Latest Release](https://img.shields.io/github/v/release/labsai/EDDI?label=latest&color=blue)](https://github.com/labsai/EDDI/releases) [![Repository: AI Ready](https://img.shields.io/badge/Repository-AI_Ready-blueviolet?logo=robot)](AGENTS.md) **E.D.D.I** (Enhanced Dialog Driven Interface) is a production-grade, **config-driven multi-agent orchestration middleware** for conversational AI. It coordinates users, AI agents, and business systems through **intelligent routing, persistent memory, and API orchestration** โ€” without writing code. Built with **Java 25** and **Quarkus**. Ships as a **Red Hat-certified Docker image**. Selected as a **UNIDO Trusted Partner** for Industrial AI. Native support for **MCP** (Model Context Protocol), **A2A** (Agent-to-Agent), **Slack**, **OpenAPI**, and **OAuth 2.0**. [Website](https://eddi.labs.ai/) ยท [Documentation](https://docs.labs.ai/) ยท License: Apache 2.0 --- ## ๐Ÿ“‘ Table of Contents - [๐Ÿ Quick Start](#-quick-start) - [๐Ÿ’ก Why EDDI?](#-why-eddi) - [๐Ÿ“ธ See It In Action](#-see-it-in-action) - [โœจ Features](#-features) - [๐Ÿ“– Documentation](#-documentation) - [๐Ÿ“‹ Compliance & Privacy](#-compliance--privacy) - [๐Ÿ—๏ธ Development](#๏ธ-development) - [Prerequisites](#prerequisites) - [Quarkus Dev Mode](#quarkus-dev-mode) - [Maven Command Reference](#maven-command-reference) - [Build & Docker](#build--docker) - [Kubernetes](#๏ธ-kubernetes) - [๐Ÿค Contributing](#-contributing) - [๐Ÿ”’ Security](#-security) - [๐Ÿ“œ Code of Conduct](#-code-of-conduct) --- ## ๐Ÿ Quick Start The fastest way to get EDDI running is the **one-command installer**. It sets up EDDI + your choice of database via Docker Compose, deploys the [Agent Father](docs/agent-father-deep-dive.md) starter agent, and walks you through creating your first AI agent. **Linux / macOS / WSL2:** ```bash curl -fsSL https://raw.githubusercontent.com/labsai/EDDI/main/install.sh | bash ``` **Windows (PowerShell):** ```powershell Invoke-WebRequest -UseBasicParsing -Uri "https://raw.githubusercontent.com/labsai/EDDI/main/install.ps1" -OutFile "install.ps1" Unblock-File .\install.ps1 .\install.ps1 ``` Requires [Docker](https://docs.docker.com/get-docker/). The wizard auto-generates a unique vault encryption key for secret management.
๐Ÿ”ง Installer options ```bash bash install.sh --defaults # All defaults, no prompts bash install.sh --db=postgres --with-auth # PostgreSQL + Keycloak bash install.sh --full # Everything enabled (DB + auth + monitoring) bash install.sh --local # Build Docker image from local source ``` The `--local` flag is for contributors testing pre-release builds: ```bash ./mvnw package -DskipTests # Build the Java app bash install.sh --local # Build Docker image + start containers ```
### ๐Ÿ”„ Updating The installer creates an `eddi` CLI wrapper that makes updating easy: ```bash eddi update ``` This pulls the latest Docker image from the registry and restarts the containers. It works even when the same tag (e.g. `latest`) was re-published โ€” Docker always checks the remote digest for changes. > **`eddi` command not found?** The CLI lives at `~/.eddi/eddi` (Linux/macOS) or `~/.eddi/eddi.cmd` (Windows). Either restart your terminal so the PATH takes effect, or use the full path: > > ```bash > # Linux / macOS > ~/.eddi/eddi update > > # Windows (PowerShell) > & "$HOME\.eddi\eddi.cmd" update > ```
Manual update (without the CLI) If the `eddi` CLI isn't available, run the equivalent docker commands from your install directory (`~/.eddi` by default): ```bash cd ~/.eddi docker compose --env-file .env -f docker-compose.yml pull docker compose --env-file .env -f docker-compose.yml up -d ``` Adjust the `-f` flags to match your setup (e.g. add `-f docker-compose.auth.yml` if using Keycloak).
### ๐Ÿณ Docker Compose (Manual) If you prefer manual control over Docker Compose: ```bash # Default (EDDI + MongoDB) docker compose up # PostgreSQL instead of MongoDB EDDI_DATASTORE_TYPE=postgres docker compose -f docker-compose.yml -f docker-compose.postgres.yml up # With Keycloak authentication docker compose -f docker-compose.yml -f docker-compose.auth.yml up # With Prometheus + Grafana monitoring docker compose -f docker-compose.yml -f docker-compose.monitoring.yml up # Full stack (all overlays) docker compose -f docker-compose.yml -f docker-compose.auth.yml \ -f docker-compose.monitoring.yml -f docker-compose.nats.yml up ``` Available compose overlays: `docker-compose.auth.yml` (Keycloak), `docker-compose.monitoring.yml` (Prometheus+Grafana), `docker-compose.nats.yml` (NATS JetStream), `docker-compose.postgres.yml` / `docker-compose.postgres-only.yml`, `docker-compose.local.yml` (build from source). ```bash docker pull labsai/eddi # Pull latest from Docker Hub ``` โ†’ [hub.docker.com/r/labsai/eddi](https://hub.docker.com/r/labsai/eddi) --- ## ๐Ÿ’ก Why EDDI? Most multi-agent frameworks (LangGraph, CrewAI, AutoGen) are Python/Node libraries โ€” great for prototyping, hard to govern in production. EDDI approaches from the opposite direction: **a deterministic engine built to safely govern non-deterministic AI.** | Dimension | Typical Python/Node Frameworks | EDDI | | ------------------ | ---------------------------------------- | --------------------------------------------------------------------------- | | **Concurrency** | GIL or single-threaded event loop | Java 25 Virtual Threads โ€” true OS-level parallelism | | **Agent Logic** | Embedded in application code | Versioned JSON configurations โ€” update behavior without redeployment | | **Security Model** | Often relies on sandboxed code execution | No dynamic code execution at all; envelope-encrypted vault, SSRF protection | | **Compliance** | Requires custom implementation | GDPR, HIPAA, EU AI Act infrastructure built-in | | **Audit Trail** | Application-level logging | HMAC-SHA256 immutable ledger with cryptographic agent signing | | **Deployment** | pip/npm + manual infrastructure | One-command Docker install, Kubernetes/OpenShift-ready | > _"The engine is strict so the AI can be creative."_ โ€” [Project Philosophy](docs/project-philosophy.md) --- ## ๐Ÿ“ธ See It In Action

๐Ÿ“Š Dashboard

EDDI Dashboard

Platform overview with active agents, workflows, quick actions, and recent conversations

๐Ÿค– Agent Fleet

Agents List

All deployed agents at a glance with status, descriptions, and one-click chat

๐Ÿ’ฌ Live Conversation

Conversation View

Real-time conversation with visible actions, step timing, and tool calls

๐Ÿ—ฃ๏ธ Multi-Agent Debate

Group Conversations

Peer Review with phased discussion: Opinion โ†’ Critique โ†’ Revision โ†’ Synthesis

๐Ÿ›ก๏ธ Secrets Vault

Secrets Vault

Envelope-encrypted secrets with rotation tracking, checksums, and per-agent access control

๐Ÿ’ฐ Tenant Quotas

Tenant Quotas

Rate limits, cost budgets, and live usage monitoring per tenant

More screenshots: LLM Config, Logs, User Memory, Schedules, Agent Detail

โšก LLM Task Configuration

LLM Configuration

System prompt, model parameters, cascading, RAG, context window, and budget settings

๐Ÿ“‹ Real-Time Logs

Logs

Live log stream with per-call cost tracking, token counts, warnings, and errors

๐Ÿง  Persistent User Memory

User Data

Cross-session memory with categorized entries, visibility scoping, and conflict detection

โฐ Scheduled Execution

Schedules

Cron jobs and heartbeats with fire history, retry logic, and dead-letter tracking

๐Ÿ”ง Agent Detail

Agent Detail

Full agent config: environments, workflows, A2A, security, capabilities, and memory policy

--- ## โœจ Features ### ๐Ÿค– Multi-Agent Orchestration - ๐Ÿ”€ **Intelligent Routing** โ€” Direct conversations to different agents based on context, rules, and intent - ๐Ÿ—ฃ๏ธ **Group Conversations** โ€” Multi-agent debates with 6 built-in discussion styles: Round Table, Peer Review, Devil's Advocate, Delphi, Debate, and Task Force - ๐Ÿ’ฌ **Slack Integration** โ€” Deploy agents to Slack channels and run multi-agent debates directly in threads - ๐Ÿช† **Nested Groups** โ€” Compose groups of groups for tournament brackets, red-team vs blue-team, and panel reviews - ๐Ÿค– **Dynamic Agents** โ€” Create, recruit, and delegate to new agents at runtime during group discussions with configurable guardrails - ๐Ÿ‘ฅ **Managed Conversations** โ€” Intent-based auto-routing with one conversation per user per intent - ๐ŸŽฏ **Capability Matching** โ€” Discover and route to agents by skill, confidence score, and custom attributes - ๐Ÿง™ **Agent Father** โ€” Meta-agent that creates other agents through conversation (ships out of the box) ### ๐Ÿง  LLM Provider Support (12 Providers) | Category | Providers | | -------------------- | --------------------------------------------------------------------- | | **Cloud APIs** | OpenAI ยท Anthropic Claude ยท Google Gemini ยท Mistral AI | | **Enterprise Cloud** | Azure OpenAI ยท Amazon Bedrock ยท Oracle GenAI ยท Google Vertex AI | | **Self-Hosted** | Ollama ยท Jlama ยท Hugging Face | | **Compatible** | Any OpenAI-compatible endpoint (DeepSeek, Cohere, etc.) via `baseUrl` | ### ๐Ÿ”— Standards & Interoperability EDDI implements open standards โ€” not proprietary APIs: | Standard | Role | What It Enables | | -------------------------------------------------------------------- | ------------------------------- | -------------------------------------------------------------------------------------------------------- | | **[MCP](https://modelcontextprotocol.io/)** (Model Context Protocol) | Server (60+ tools) + Client | Control EDDI from Antigravity, Claude Desktop, Cursor, Windsurf, or any MCP client โ€” [setup guide](docs/mcp-server.md#client-configuration). Connect agents to external MCP tool servers | | **[A2A](https://google.github.io/A2A/)** (Agent-to-Agent Protocol) | Full implementation | Cross-platform agent communication, Agent Cards, and skill discovery | | **[OpenAPI](https://www.openapis.org/)** 3.1 | Native generation + consumption | Auto-generated spec. Paste any OpenAPI spec โ†’ get a fully deployed API-calling agent | | **OAuth 2.0 / OIDC** | Keycloak integration | Authentication, authorization, and multi-tenant isolation | | **SSE** (Server-Sent Events) | Streaming transport | Real-time chat responses, group discussion feeds, and live log streaming | ### ๐Ÿ’ญ Memory & Context Management - ๐Ÿ’พ **Persistent User Memory** โ€” Agents remember facts, preferences, and context across conversations via structured key-value entries with visibility scoping (`global`, `agent`, `group`) - ๐Ÿง  **LLM Memory Tools** โ€” Built-in tools agents can call to read, write, and search their own persistent memory - ๐Ÿ’ค **Dream Consolidation** โ€” Background memory maintenance: stale entry pruning, contradiction detection, and fact summarization (inspired by [Anthropic's](https://www.anthropic.com/research) research on background memory consolidation) - ๐ŸชŸ **Token-Aware Windowing** โ€” Intelligent context packing with model-specific tokenizer support and anchored opening steps - ๐Ÿ“ **Rolling Summary** โ€” Incremental LLM-powered summarization of older turns with a **Conversation Recall Tool** for drill-back into compressed history - ๐Ÿ”ง **Property Extraction** โ€” Config-driven slot-filling with `longTerm` / `conversation` / `step` scoping โ€” EDDI's importance extraction mechanism - ๐Ÿ›ก๏ธ **Memory Policy (Commit Flags)** โ€” Strict write discipline marks failed task output as uncommitted (hidden from LLM context) and injects concise error digests for graceful degradation - ๐Ÿ”„ **Conversation State** โ€” Full history with undo/redo support ### ๐Ÿ“š RAG (Retrieval-Augmented Generation) - ๐Ÿ“ฆ **7 Embedding Providers** โ€” OpenAI, Ollama, Azure OpenAI, Mistral, Bedrock, Cohere, Vertex AI - ๐Ÿ—„๏ธ **5 Vector Stores** โ€” pgvector, In-Memory, MongoDB Atlas, Elasticsearch, Qdrant - ๐ŸŒ **httpCall RAG** โ€” Zero-infrastructure RAG via any search API (BM25, Elasticsearch, custom) - ๐Ÿ“ฅ **REST Ingestion API** โ€” Async document ingestion with status tracking ### ๐Ÿ› ๏ธ Built-In AI Agent Tools | Tool | Description | | ---------------------------------------------- | ----------------------------------------------------------------------------- | | ๐Ÿ” **Web Search** | DuckDuckGo or Google Custom Search | | ๐Ÿงฎ **Calculator** | Sandboxed recursive-descent math parser (no `eval()`, no code injection) | | ๐ŸŒ **Web Scraper** | SSRF-protected content extraction from web pages | | ๐Ÿ“„ **PDF Reader** | SSRF-protected document extraction | | โ˜๏ธ **Weather** ยท ๐Ÿ• **DateTime** | Real-time data tools | | ๐Ÿ“Š **Data Formatter** ยท ๐Ÿ“ **Text Summarizer** | Data transformation tools | | ๐Ÿ”Œ **HTTP Calls as Tools** | Expose your own REST APIs as LLM-callable tools with full security sandboxing | | ๐Ÿง  **User Memory** | Read/write/search persistent user memory | | ๐Ÿ”™ **Conversation Recall** | Drill back into summarized conversation history | | ๐Ÿ“Ž **Multimodal Attachments** | Image, PDF, audio, and video input with MIME-based routing | ### โฐ Scheduled Execution & Heartbeats - ๐Ÿซ€ **Heartbeat Triggers** โ€” Periodic agent wake-ups at configurable intervals for proactive behavior (inspired by [OpenClaw's](https://openclaw.ai) heartbeat architecture) - โฒ๏ธ **Cron Scheduling** โ€” Standard cron expressions for timed agent execution - ๐Ÿ”„ **Conversation Strategies** โ€” `persistent` (reuse same conversation across fires) or `new` (fresh context each time) - ๐Ÿ“Š **Fire Logging** โ€” Complete execution history with status, duration, cost tracking, and retry logic - ๐ŸŒ™ **Dream Cycles** โ€” Scheduled background memory consolidation with cost ceilings per run ### ๐Ÿ“ˆ Smart Model Cascading - ๐Ÿ“‰ **Cost Optimization** โ€” Try cheap/fast models first, escalate to powerful models only when confidence is low - ๐Ÿ“Š **4 Confidence Strategies** โ€” Structured output, heuristic, judge model, or none - ๐Ÿ’ฐ **Per-Conversation Budgets** โ€” Automatic cost tracking with budget caps and eviction - ๐Ÿข **Tenant Cost Ceilings** โ€” Monthly cost budgets per tenant with automatic enforcement ### ๐Ÿ” Enterprise Security & Compliance
Security Architecture - ๐Ÿฆ **Secrets Vault** โ€” Envelope encryption (PBKDF2 + AES-256) with tenant-scoped DEK/KEK rotation. Never plaintext in DB - ๐Ÿ›ก๏ธ **SSRF Protection** โ€” All tools validate URLs against private IPs, internal hostnames, and non-HTTP schemes before any request - ๐Ÿ”’ **Sandboxed Evaluation** โ€” Recursive-descent math parser only. No `eval()`, no script engines, no reflection-based execution - ๐Ÿ”‘ **OAuth 2.0 / Keycloak** โ€” Multi-tenant authentication, authorization, and role-based access control - โœ๏ธ **Agent Signing** โ€” Ed25519 cryptographic identity per agent; audit entries signed with agent private keys - ๐Ÿšซ **No Dynamic Code Execution** โ€” Custom logic runs in external MCP servers, outside the EDDI security perimeter
Regulatory Compliance | Regulation | EDDI Support | | ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- | | **[EU AI Act](https://artificialintelligenceact.eu/)** | Immutable HMAC-SHA256 audit ledger, decision traceability, risk classification guidance | | **[GDPR](https://gdpr.eu/)** | Cascading data erasure (Art. 17), data portability (Art. 15/20), restriction of processing (Art. 18), per-category retention, pseudonymization | | **[CCPA](https://oag.ca.gov/privacy/ccpa)** | Right to delete, right to know, data portability | | **[HIPAA](https://www.hhs.gov/hipaa/)** | Deployment guide, BAA template, LLM provider BAA matrix, session timeout guidance | | **International** | PIPEDA ๐Ÿ‡จ๐Ÿ‡ฆ ยท LGPD ๐Ÿ‡ง๐Ÿ‡ท ยท APPI ๐Ÿ‡ฏ๐Ÿ‡ต ยท POPIA ๐Ÿ‡ฟ๐Ÿ‡ฆ ยท PDPA ๐Ÿ‡ธ๐Ÿ‡ฌ๐Ÿ‡น๐Ÿ‡ญ๐Ÿ‡ฒ๐Ÿ‡พ ยท PIPL ๐Ÿ‡จ๐Ÿ‡ณ compatibility documented | - ๐Ÿ“œ **Audit Ledger** โ€” Every agent decision recorded in a write-once, HMAC-secured, append-only ledger - ๐Ÿ” **Compliance Startup Checks** โ€” Advisory warnings on boot for TLS and database encryption gaps - ๐Ÿ—‘๏ธ **GDPR Orchestration** โ€” One-call cascading erasure across 6 stores + audit trail pseudonymization - ๐Ÿ“ค **Data Portability** โ€” Complete user data export (memories, conversations, audit entries) via REST and MCP
### โš™๏ธ Configuration-Driven Architecture - ๐Ÿ“„ **JSON Configs, Not Code** โ€” Agent behavior defined in versioned, diffable JSON documents - ๐Ÿ”ง **Lifecycle Pipeline** โ€” Pluggable task pipeline: Input โ†’ Parse โ†’ Rules โ†’ API/LLM โ†’ Output - ๐Ÿ“ฆ **Composable Agents** โ€” Agents assembled from reusable, version-controlled workflows and extensions - ๐Ÿงช **Behavior Rules** โ€” IF-THEN logic engine for routing, orchestration, and business logic - ๐Ÿ“ค **Import / Export** โ€” Agents portable as ZIP files with automatic secret scrubbing on export - ๐Ÿ”„ **Agent Sync** โ€” Live instance-to-instance sync with structural matching, content diffing, and selective resource picking โ€” no ZIP intermediary needed - ๐Ÿ“ **Prompt Snippets** โ€” Reusable, versioned system prompt building blocks available as `{{snippets.safety_rules}}` - ๐Ÿ“Ž **Content Type Routing** โ€” MIME-based behavior rule conditions for multimodal attachment routing ### ๐Ÿš€ Cloud-Native & Observable - ๐Ÿณ **One-Command Install** โ€” Interactive wizard sets up EDDI + database + starter agent via Docker - โ˜ธ๏ธ **Kubernetes / OpenShift** โ€” Kustomize overlays, Helm charts, HPA, PDB, NetworkPolicy - ๐Ÿ“Š **Prometheus & Grafana** โ€” 50+ Micrometer metrics at `/q/metrics` (tools, vault, memory, scheduling, conversations). Pre-built [Grafana dashboard](docs/monitoring/eddi-grafana-dashboard.json) included - ๐Ÿ”ญ **OpenTelemetry Tracing** โ€” Per-task distributed traces via OTLP (Jaeger, Tempo, Datadog). Every pipeline task emits spans with `task.id`, `task.type`, `conversation.id`, and `agent.id` - ๐Ÿฉบ **Health Checks** โ€” Liveness & readiness probes at `/q/health/live` and `/q/health/ready` - ๐Ÿ”„ **NATS JetStream** โ€” Async event bus for distributed processing - โšก **Virtual Threads** โ€” Java 25 virtual threads for true OS-level concurrency (no Python GIL or Node.js event loop bottleneck) - ๐Ÿ—ƒ๏ธ **DB-Agnostic** โ€” Choose MongoDB or PostgreSQL; switch with one env var. Single Docker image for both - ๐Ÿ—๏ธ **Red Hat Certified** โ€” Container certification with automated preflight checks in CI/CD > **๐Ÿ“– Monitoring Guide:** See [docs/monitoring/monitoring-guide.md](docs/monitoring/monitoring-guide.md) for architecture overview, metrics reference, alerting rules, and a production checklist. ### ๐Ÿ–ฅ๏ธ Manager Dashboard & Chat UI - ๐ŸŽจ **React 19 Manager** โ€” Modern admin dashboard for agent building, testing, deployment, and monitoring - ๐Ÿ’ฌ **Chat Widget** โ€” Embeddable React chat UI with SSE streaming and Keycloak auth - ๐Ÿ” **Audit Trail Viewer** โ€” Timeline-based compliance and debugging UI - ๐Ÿ“‹ **Logs Panel** โ€” Live SSE log streaming + searchable history - ๐Ÿ”‘ **Secrets Manager** โ€” Write-only vault UI with copy-reference support - ๐ŸŒ **11 Languages** โ€” English, German, Spanish, French, Portuguese, Chinese, Japanese, Korean, Arabic (RTL), Hindi, Thai --- ## ๐Ÿ“– Documentation | Guide | Description | | ------------------------------------------------------------ | -------------------------------------------------- | | **[Getting Started](docs/getting-started.md)** | Setup and first steps | | **[Developer Quickstart](docs/developer-quickstart.md)** | Build your first agent in 5 minutes | | **[Architecture](docs/architecture.md)** | Deep dive into EDDI's design and pipeline | | **[LLM Configuration](docs/langchain.md)** | Connecting to 12 LLM providers | | **[Behavior Rules](docs/behavior-rules.md)** | Configuring agent routing logic | | **[HTTP Calls](docs/httpcalls.md)** | External API integration | | **[RAG](docs/rag.md)** | Knowledge base retrieval setup | | **[MCP Server](docs/mcp-server.md)** | 60+ tools for AI-assisted agent management | | **[A2A Protocol](docs/a2a-protocol.md)** | Agent-to-Agent peer communication | | **[Slack Integration](docs/slack-integration.md)** | Deploy agents to Slack and run group discussions | | **[Group Conversations](docs/group-conversations.md)** | Multi-agent debate orchestration | | **[User Memory](docs/user-memory.md)** | Cross-conversation fact retention | | **[Memory Policy](docs/memory-policy.md)** | Commit flags and strict write discipline | | **[Model Cascading](docs/model-cascade.md)** | Cost-optimized multi-model routing | | **[Scheduling & Heartbeats](docs/scheduling.md)** | Cron schedules, heartbeats, dream consolidation | | **[Agent Sync](docs/agent-sync-guide.md)** | Live instance-to-instance sync and upgrade imports | | **[Import / Export](docs/import-export-an-agent.md)** | ZIP-based agent portability and merge | | **[Prompt Snippets](docs/prompt-snippets-guide.md)** | Reusable system prompt building blocks | | **[Attachments](docs/attachments-guide.md)** | Multimodal attachment pipeline | | **[Capability Matching](docs/capability-match-guide.md)** | A2A skill discovery and routing | | **[Security](docs/security.md)** | SSRF protection, sandboxing, and hardening | | **[Secrets Vault](docs/secrets-vault.md)** | Envelope encryption and auto-vaulting | | **[Audit Ledger](docs/audit-ledger.md)** | EU AI Act-compliant audit trail | | **[Kubernetes](docs/kubernetes.md)** | Deploy with Kustomize or Helm | | **[Monitoring & Tracing](docs/monitoring/monitoring-guide.md)** | Prometheus, Grafana, OpenTelemetry, alerting | | **[Red Hat & OpenShift](docs/redhat-openshift.md)** | RHEL support, certified container, automated release | | **[Agent Father Deep Dive](docs/agent-father-deep-dive.md)** | How the meta-agent works | | **[Full Documentation](https://docs.labs.ai/)** | Complete documentation site | --- ## ๐Ÿ“‹ Compliance & Privacy EDDI provides built-in infrastructure for regulatory compliance: | Guide | Covers | | -------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | | **[GDPR / CCPA](docs/gdpr-compliance.md)** | Data erasure, export, Art. 18 restriction of processing, per-category retention, and consent guidance | | **[HIPAA](docs/hipaa-compliance.md)** | Healthcare deployment guide โ€” encryption, BAAs, LLM provider matrix, session management | | **[EU AI Act](docs/eu-ai-act-compliance.md)** | AI risk classification, decision traceability, immutable audit ledger | | **[Privacy & Data Processing](PRIVACY.md)** | Data flows, LLM provider matrix, international regulations (PIPEDA, LGPD, APPI, POPIA, PDPA, PIPL) | | **[Compliance Data Flow](docs/compliance-data-flow.md)** | Single-page data flow diagram for auditors | | **[Incident Response](docs/incident-response.md)** | Breach response runbook (GDPR 72h, CCPA 45 days, HIPAA 60 days) | --- ## ๐Ÿ—๏ธ Development ### Prerequisites | Tool | Version | Notes | | -------------- | ------- | ----------------------------------------------------------------- | | **Java (JDK)** | 25 | [Eclipse Temurin](https://adoptium.net/) recommended | | **Maven** | 3.9+ | Bundled via `mvnw` / `mvnw.cmd` wrapper โ€” no install needed | | **MongoDB** | 6.0+ | Local instance or Docker (`docker run -d -p 27017:27017 mongo:7`) | | **Docker** | Latest | For integration tests and container builds | > **Windows users:** Replace `./mvnw` with `.\mvnw.cmd` in all commands below. ### Quarkus Dev Mode Dev mode starts the application with **live reload** โ€” code changes are picked up automatically without restarting: ```bash # Linux / macOS ./mvnw compile quarkus:dev # Windows (PowerShell) .\mvnw.cmd compile quarkus:dev ``` Then open [http://localhost:7070](http://localhost:7070). The Quarkus Dev UI is available at [http://localhost:7070/q/dev](http://localhost:7070/q/dev). Dev mode also enables: - **Continuous testing** โ€” press `r` in the terminal to re-run tests on changes - **Dev UI** โ€” browse endpoints, CDI beans, configuration, and health checks - **Live reload** โ€” Java and resource changes apply instantly > **๐Ÿ’ก Secrets Vault:** To use the secrets vault (storing API keys encrypted), set the master key before starting: > > ```bash > # Linux/macOS > export EDDI_VAULT_MASTER_KEY=my-dev-passphrase > > # Windows (PowerShell) > $env:EDDI_VAULT_MASTER_KEY = "my-dev-passphrase" > > # Or in a .env file (already in .gitignore) > echo "EDDI_VAULT_MASTER_KEY=my-dev-passphrase" > .env > ``` > > Without this, the vault is disabled and secret management returns HTTP 503. Any passphrase works for local development. See [Secrets Vault](docs/secrets-vault.md) for production setup. ### Maven Command Reference | Command | What It Does | | ------------------------------------------------------------- | --------------------------------------------------------------------------- | | `./mvnw compile quarkus:dev` | **Start dev mode** with live reload (port 7070) | | `./mvnw compile` | Compile sources only (fast feedback) | | `./mvnw clean compile` | Clean build โ€” delete `target/` and recompile from scratch | | `./mvnw test` | Run **unit tests** (excludes `*IT.java` integration tests) | | `./mvnw verify -DskipITs` | Compile + unit tests + package (no integration tests) | | `./mvnw verify` | **Full build** โ€” compile + unit tests + integration tests (requires Docker) | | `./mvnw validate` | Run **Checkstyle** code style checks | | `./mvnw formatter:format` | **Auto-format** Java sources using the project Eclipse formatter | | `./mvnw package -DskipTests` | Build the JAR without running tests (for `install.sh --local`) | | `./mvnw clean package '-Dquarkus.container-image.build=true'` | Build the app **+ Docker image** | | `./mvnw package -Plicense-gen -DskipTests` | Generate **third-party licenses** (Red Hat certification) | | `./mvnw quarkus:dev -Dsuspend` | Start dev mode and **wait for debugger** on port 5005 | | `./mvnw quarkus:dev -Ddebug=false` | Start dev mode **without** the debug agent |
Code coverage JaCoCo is configured to run automatically during `./mvnw test`. After tests complete, find the coverage report at: ``` target/site/jacoco/index.html ```
Useful system properties | Property | Default | Description | | ------------------------------------------- | --------------------------- | ---------------------------------------------- | | `-Dquarkus.http.port=` | `7070` | Override the HTTP port | | `-Dquarkus.mongodb.connection-string=` | `mongodb://localhost:27017` | MongoDB connection | | `-Dquarkus.profile=` | `dev` | Active Quarkus profile (`dev`, `test`, `prod`) | | `-DskipTests` | `false` | Skip all tests | | `-DskipITs` | `true` | Skip integration tests only |
### Build & Docker ```bash # Build app + Docker image ./mvnw clean package '-Dquarkus.container-image.build=true' # Build without container (for install.sh --local) ./mvnw package -DskipTests # Generate third-party licenses (Red Hat certification) ./mvnw package -Plicense-gen -DskipTests ``` ### โ˜ธ๏ธ Kubernetes ```bash # Quickstart (one-file deployment) kubectl apply -f https://raw.githubusercontent.com/labsai/EDDI/main/k8s/quickstart.yaml # Kustomize overlays kubectl apply -k k8s/overlays/mongodb/ # MongoDB backend kubectl apply -k k8s/overlays/postgres/ # PostgreSQL backend # Helm helm install eddi ./helm/eddi --namespace eddi --create-namespace ``` Includes overlays for auth (Keycloak), monitoring (Prometheus/Grafana), NATS messaging, Ingress, and production hardening (HPA, PDB, NetworkPolicy). See the [Kubernetes Guide](docs/kubernetes.md) for details. --- ## ๐Ÿค Contributing We welcome contributions! Please read our [Contributing Guide](CONTRIBUTING.md) for details on setting up your development environment, code style, commit conventions, and the pull request process. Every PR is automatically checked by CI (build + tests), CodeQL (security), dependency review, and AI-powered code review. ## ๐Ÿ”’ Security EDDI ships with security-by-default for production deployments: - **Authentication enforced** โ€” `AuthStartupGuard` fails startup if OIDC is disabled in production without explicit opt-out - **Secrets encrypted at rest** โ€” Envelope encryption (PBKDF2 โ†’ AES-256-GCM) with per-deployment salt. Never plaintext in DB - **SSRF protection** โ€” All LLM tool HTTP calls go through `SafeHttpClient` with private IP blocking, redirect validation, and scheme enforcement - **Security headers** โ€” `X-Content-Type-Options`, `X-Frame-Options`, `Content-Security-Policy` configured out of the box - **CI/CD security gates** โ€” Every push/PR is scanned by: - **CodeQL** โ€” Semantic SAST analysis with `security-extended` queries - **Trivy** โ€” CVE scanning for both filesystem dependencies and Docker images (blocking on CRITICAL/HIGH) - **Gitleaks** โ€” Git history scanning to prevent secret/credential leakage - **ZAP** โ€” DAST API scanning against the live Docker image (report-only) - **CycloneDX** โ€” SBOM generation for supply chain transparency - **Jazzer** โ€” Coverage-guided fuzz testing for security-critical parsers (PathNavigator, MatchingUtilities) - All actions SHA-pinned to prevent supply-chain attacks For vulnerability reports, see our [Security Policy](SECURITY.md). For architecture details, see [Security Architecture](docs/security.md). ## ๐Ÿ“œ Code of Conduct This project follows the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md).