Secure gateway for automation engine access — ABAC policies, human-in-the-loop approvals, immutable audit, and SDK wrappers for MCP, n8n, Zapier, and custom engines.
| | |
|---|---|
| Language | Python 3.14 |
| Framework | FastAPI + Uvicorn |
| Services | 15 backend microservices + Service Console |
| Status | Alpha — active development |
SAG sits between users/automation clients and automation engines. Every request passes through authentication, policy evaluation, optional approval workflows, and execution-context isolation before an adapter runs the action. All decisions are logged for compliance (SOC2 / ISO 27001 ready).
Core capabilities
- Zero-trust entry — API Gateway validates, rate-limits, and proxies to backends
- ABAC — Attribute-based access control via Open Policy Agent (OPA)
- Approvals — Multi-level workflow engine with escalation and delegation
- Execution isolation — Permission-set impersonation, credential vaulting, sandboxed runs
- Audit & SIEM — Tamper-evident logs, CEF output, real-time event streaming
- Operations — Service Console (topology + secrets UI), monitoring, policy admin
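
One common way to make an audit trail tamper-evident is a hash chain whose head hash is stored outside the log. The sketch below is an added example, not SAG's own code, and the README does not say which mechanism the audit-service uses; the event fields and function names are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def entry_hash(seq, prev, event):
    """Hash the entry's position, its predecessor's hash, and its canonical JSON body."""
    payload = json.dumps({"seq": seq, "prev": prev, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log, event):
    """Append an event and return the new head hash (to be stored outside the log)."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"seq": seq, "prev": prev, "event": event,
                "hash": entry_hash(seq, prev, event)})
    return log[-1]["hash"]


def verify(log, expected_head=None):
    """Return the index of the first bad entry, len(log) if the chain is
    self-consistent but does not end at expected_head, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        good = entry_hash(i, prev, entry["event"])
        if entry["seq"] != i or entry["prev"] != prev or \
                not hmac.compare_digest(entry["hash"], good):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # truncated, or rewritten and re-hashed from scratch
    return None


def build_sample():
    """Constructed sample events; field names are hypothetical."""
    log, head = [], GENESIS
    for event in (
        {"actor": "alice", "action": "n8n.workflow.run", "decision": "allow"},
        {"actor": "bob", "action": "mcp.tool.call", "decision": "deny"},
        {"actor": "alice", "action": "zapier.zap.trigger", "decision": "allow"},
    ):
        head = append(log, event)
    return log, head
```

Without `expected_head`, anyone who can rewrite the whole log can also recompute every hash, so the head has to be anchored somewhere the log writer cannot modify.
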
```
Clients / SDKs
      │
      ▼
┌─────────────┐     ┌──────────────────────────────────────────┐
│ API Gateway │────▶│ Security: Auth · Identity · Policy (PDP) │
│    :8004    │     └──────────────────────────────────────────┘
└─────────────┘                          │
      │                                  ▼
      │              ┌─────────────────────────────┐
      └─────────────▶│ Orchestrator · Workflow ·   │
                     │ Notification · Execution    │
                     └─────────────────────────────┘
                                    │
                      ┌─────────────┴─────────────┐
                      ▼                           ▼
              Adapter Framework       Audit · SIEM · Monitoring
                      │
                      ▼
          MCP · n8n · Zapier · Custom
```
Full diagrams (context, sequence, entity-relationship): see ARCHITECTURE.md
Why we chose this stack: see ADR.md
| Service | Port | Role |
|---|---|---|
| auth-service | 8001 | Login, tokens, MFA, pluggable IdP |
| adapter-framework | 8002 | MCP / n8n / Zapier adapters |
| audit-service | 8003 | Immutable audit trail |
| api-gateway | 8004 | Entry point, proxy /v1/<service>/* |
| execution-context | 8005 | Sandboxed execution, vaulting |
| identity-service | 8006 | Users, attributes, permission-sets |
| monitoring-service | 8007 | Metrics, alerts, dashboards |
| notification-service | 8008 | Email / webhook / in-app alerts |
| orchestrator-service | 8009 | Request state machine, risk scoring |
| policy-service | 8010 | ABAC policy evaluation (PDP) |
| policy-admin-service | 8011 | Policy lifecycle, testing, deploy |
| security-hardening | 8012 | Hardening checks & controls |
| admin-console | 8013 | Admin UI API |
| siem-integration | 8014 | CEF events, SIEM forwarding |
| workflow-service | 8015 | Approval workflows |
| console-service | 8020 | Service topology & secrets UI |
Canonical endpoint list: ENDPOINTS_INVENTORY.md
Gateway routes: /v1/auth/*, /v1/identity/*, /v1/policy/*, etc. — same path forwarded to backend with service token.
- Docker & Docker Compose
- Python 3.11+ (3.14 recommended)
- PostgreSQL 15+ and Redis 7+ (provided by compose)
```bash
# Clone and enter repo
cd project-arb
# Copy env template — fill secrets locally (never commit .env)
cp env.example .env
# Start all services
docker-compose up -d
# Service Console (topology + secrets)
open http://localhost:8020
# API Gateway
open http://localhost:8004/docs
```

Production has no hardcoded users. Bootstrap once:

```bash
curl -X POST http://localhost:8001/auth/setup \
  -H "Content-Type: application/json" \
  -d '{"setup_token": "<SETUP_TOKEN>", "username": "admin", "password": "<strong-password>"}'
```

```bash
python -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt
pytest tests/ -v
```

CI runs the full suite on Python 3.11 and 3.14 with Postgres and Redis.
```
project-arb/
├── sag/                  # Core application
│   ├── core/             # Auth, audit, policy, security primitives
│   ├── models/           # Pydantic domain models
│   ├── services/         # One FastAPI app per microservice
│   └── config/           # Settings (env-driven)
├── console/              # Service Console (static UI + secrets API)
├── tests/                # Unit, integration, security, compliance
├── docs/                 # Runbooks, requirements, security guides
├── gitops/               # Helm charts, ArgoCD app-of-apps
├── k8s/                  # Kubernetes manifests
├── Dockerfile.*          # Per-service container builds
├── docker-compose.yml    # Local dev stack
└── .github/workflows/    # CI (test, lint, scan) + release
```
| Control | Implementation |
|---|---|
| CORS | ALLOWED_ORIGINS env — no wildcard * in production |
| Rate limiting | Fail-secure — deny when Redis unavailable |
| Secrets | No hardcoded keys; Vault / K8s secrets in prod |
| Headers | SecurityHeadersMiddleware (CSP, HSTS optional) |
| Errors | Sanitized 5xx in production |
| Containers | no-new-privileges, read-only root, tmpfs (prod compose) |
| CI | gitleaks, pip-audit, bandit, black, flake8 |
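
The fail-secure rate-limiting row above, shown as an added example rather than the project's code: a fixed-window limiter that denies requests when its counter store is unreachable, with the fail-open behaviour alongside for contrast. `InMemoryStore` stands in for Redis; the class names and the 503 status are assumptions.

```python
import time
from dataclasses import dataclass


class StoreUnavailable(Exception):
    """Raised when the counter store cannot be reached (stand-in for a Redis outage)."""


class InMemoryStore:
    """Constructed stand-in for Redis INCR; set `up = False` to simulate an outage."""

    def __init__(self):
        self.up = True
        self._counts = {}

    def incr(self, key):
        if not self.up:
            raise StoreUnavailable(key)
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key]


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str


class RateLimiter:
    def __init__(self, store, limit, window_s=60, fail_secure=True, clock=time.time):
        self.store, self.limit, self.window_s = store, limit, window_s
        self.fail_secure, self.clock = fail_secure, clock

    def check(self, client_id):
        # One counter per client per fixed window.
        key = f"rl:{client_id}:{int(self.clock() // self.window_s)}"
        try:
            count = self.store.incr(key)
        except StoreUnavailable:
            if self.fail_secure:
                # Fail closed: with no counter, the limit cannot be enforced, so deny.
                return Decision(False, 503, "rate-limit store unavailable")
            # Fail open (the weak setting): an outage silently disables the limit.
            return Decision(True, 200, "store unavailable, limit not enforced")
        if count > self.limit:
            return Decision(False, 429, "limit exceeded")
        return Decision(True, 200, "ok")
```
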
Known issues & fixes: .memory/cards.md
| Document | Purpose |
|---|---|
| ARCHITECTURE.md | System design, diagrams, data model |
| ADR.md | Architecture decision records |
| arch.md | Original architecture draft (superseded by ARCHITECTURE.md) |
| PROJECT_SUMMARY.md | Stack & rules reference |
| journal.md | Development history & session log |
| ENDPOINTS_INVENTORY.md | All API endpoints |
| docs/operational-runbook.md | Production operations |
| docs/SECRETS_MANAGEMENT.md | Secret storage patterns |
| docs/SECURITY_TESTING.md | Security test cadence |
- REST only — services integrate endpoint-to-endpoint; no shared in-process coupling
- Independent deploy — each service has its own Dockerfile and CI matrix entry
- Plan before code — new modules need a reviewed requirement block
- No hardcoded secrets — use env, Vault, or K8s secrets
- Track issues — update .memory/cards.md when resolving bugs
MIT — see project metadata in pyproject.toml.