Initial SFERA platform baseline

2026-05-16 19:03:49 +03:00
commit 3b845c8fce
282 changed files with 55045 additions and 0 deletions
@@ -0,0 +1,282 @@
+# SFERA Stand Runbook
+
+## Network API
+
+- API: `http://192.168.200.60:8000`
+- Swagger: `http://192.168.200.60:8000/docs`
+- Health: `GET /health`
+- Summary: `GET /admin/summary`
+
+## Docker
+
+This OS runs inside a VM. Do not install or use a local Docker Engine here.
+
+Use the shared Docker host for Docker/integration stands:
+
+```bash
+docker -H ssh://test-docker ps
+```
+
+Shared host:
+
+- SSH alias: `test-docker` / `docker-test`
+- Host: `docker-test.cin.su`
+- User: `test`
+
+Integrated SFERA testing must be deployed on `docker-test`, including both backend/server
+services and the frontend service. Do not fall back to local Docker Engine for project testing.
+
+## Neo4j
+
+Neo4j runs on `docker-test` as container `sfera-neo4j`.
+
+- Browser: `http://docker-test.cin.su:17474`
+- Bolt: `bolt://docker-test.cin.su:17687`
+- User: `neo4j`
+- Password: `password`
+
+API uses:
+
+```text
+NEO4J_URI=bolt://docker-test.cin.su:17687
+NEO4J_USER=neo4j
+NEO4J_PASSWORD=password
+```
+
+## Rust BSL Parser
+
+Build the parser locally:
+
+```bash
+cd rust
+cargo build -p bsl-parser
+```
+
+API indexing consumes the Rust JSON contract automatically when the built parser is found at
+`rust\target\debug\bsl-parser.exe`. To force a specific parser binary, set:
+
+```text
+SFERA_BSL_PARSER=rust\target\debug\bsl-parser.exe
+```
+
+If no parser binary is configured or auto-discovered, `semantic-kernel` uses the built-in Python parser fallback.
+
+## Runtime Adapter / 1C Access
+
+`sfera-runtime-adapter` is a separate container/service. It must stay separate from `sfera-api`.
+
+Modes:
+
+```text
+RUNTIME_ADAPTER_MODE=mock
+RUNTIME_ADAPTER_MODE=local_1c
+RUNTIME_ADAPTER_MODE=remote_worker
+```
+
+`mock` is the default Docker mode and does not require a 1C platform inside Linux containers. `local_1c` can normalize EDT/XML/file-tree sources without executing Designer. For `.cf`, `.cfe`, archive, and live infobase sources it first returns a safe `designer_dump_planned` response unless execution is explicitly enabled on a trusted worker.
+
+Platform discovery:
+
+- Set `ONEC_DESIGNER_PATH` when the worker has a known Designer CLI path.
+- If it is empty, runtime-adapter tries common install roots such as `C:\Program Files\1cv8\*\bin\1cv8.exe`.
+- Set `ONEC_DISABLE_AUTO_DISCOVERY=true` to turn discovery off in tests.
+- Check `GET /runtime/platform` for `platform_found`, `designer_path`, `discovered_paths`, capabilities, and diagnostics.
+
+Credentials rule:
+
+- Do not store live 1C credentials in repository files, compose files, docs, fixtures, or logs.
+- Use `credentials_ref` such as `runtime://prompt/live-upo` or a real vault reference.
+- Runtime dump plans redact password-like keys in connection strings before returning diagnostics.
+
+Useful local checks, without storing secrets:
+
+```powershell
+Test-Path "C:\EDT\projects\iFCM-UPO"
+Invoke-WebRequest -UseBasicParsing -Uri "http://192.168.200.95/upo/ru_RU/" -TimeoutSec 10
+Get-ChildItem "C:\Program Files\1cv8","C:\Program Files (x86)\1cv8" -Recurse -Filter 1cv8.exe -ErrorAction SilentlyContinue
+```
+
+## Smoke Flow
+
+```bash
+POST /projects/demo/index
+POST /projects/{project_id}/incremental/file
+POST /projects/demo/graph/neo4j/project
+GET  /projects/demo/graph/neo4j/callees/Проведение
+GET  /projects/demo/graph/neo4j/writes/Проведение
+GET  /projects/{project_id}/objects/impact/{object_name}
+GET  /projects/{project_id}/objects/attributes/{object_name}
+GET  /projects/{project_id}/objects/schema/{object_name}
+GET  /projects/{project_id}/objects/tabular-sections/{object_name}
+GET  /projects/{project_id}/objects/tabular-sections/{object_name}/columns
+GET  /projects/{project_id}/objects/ui/{object_name}
+GET  /projects/{project_id}/graph/neo4j/objects/attributes/{object_name}
+GET  /projects/{project_id}/graph/neo4j/objects/schema/{object_name}
+GET  /projects/{project_id}/graph/neo4j/objects/tabular-sections/{object_name}
+GET  /projects/{project_id}/graph/neo4j/objects/tabular-sections/{object_name}/columns
+GET  /projects/{project_id}/graph/neo4j/objects/impact/{object_name}
+GET  /projects/{project_id}/graph/neo4j/objects/ui/{object_name}
+GET  /projects/{project_id}/access/objects/{object_name}/roles
+GET  /projects/{project_id}/access/roles/{role_name}/objects
+GET  /projects/{project_id}/jobs/scheduled
+GET  /projects/{project_id}/integrations
+GET  /projects/{project_id}/graph/neo4j/integrations
+GET  /projects/{project_id}/graph/neo4j/integrations/{integration_name}/modules
+GET  /projects/{project_id}/graph/neo4j/access/objects/{object_name}/roles
+GET  /projects/{project_id}/graph/neo4j/access/roles/{role_name}/objects
+POST /knowledge/packs
+GET  /knowledge/packs
+GET  /projects/{project_id}/knowledge/schema-coverage
+GET  /projects/{project_id}/patterns
+POST /projects/{project_id}/comments
+GET  /projects/{project_id}/comments
+GET  /projects/{project_id}/comments/{target_id}
+POST /projects/{project_id}/ownership
+GET  /projects/{project_id}/ownership
+GET  /projects/{project_id}/objects/ownership/{object_name}
+POST /projects/{project_id}/privacy/markers
+GET  /projects/{project_id}/privacy/markers
+GET  /projects/{project_id}/objects/privacy/{object_name}
+POST /ai/usage
+GET  /ai/usage
+GET  /ai/usage/summary
+GET  /ai/policy
+POST /projects/{project_id}/ai/answer-policy
+GET  /projects/{project_id}/review
+GET  /projects/{project_id}/report
+GET  /graph/neo4j/status
+```
+
+## Frontend
+
+Frontend app:
+
+```text
+Z:\codex\SFERA\frontend\sfera-web
+```
+
+Use the mapped `Z:` drive. It points to `\\nas\MST` and avoids Windows tooling issues with UNC current directories:
+
+```bat
+cd /d Z:\codex\SFERA\frontend\sfera-web
+npm run dev
+```
+
+Always run frontend `npm` commands from the mapped `Z:` drive. Do not use `\\nas\MST\...` as the current directory: Windows `cmd.exe` does not support UNC current directories and falls back to `C:\Windows`, which makes npm scripts fail with missing `package.json`.
+
+Default URL:
+
+```text
+http://192.168.200.60:3000
+```
+
+Editor direct links:
+
+```text
+http://192.168.200.60:3000/editor?project=demo&mode=module
+http://192.168.200.60:3000/editor?project=demo&mode=form
+http://192.168.200.60:3000/editor?project=demo&mode=events
+http://192.168.200.60:3000/editor?project=demo&mode=learning
+```
+
+Lightweight frontend smoke check against the running stand:
+
+```bat
+cd /d Z:\codex\SFERA\frontend\sfera-web
+npm run smoke:editor
+```
+
+Browser runtime smoke check against the running stand:
+
+```bat
+cd /d Z:\codex\SFERA\frontend\sfera-web
+npm run smoke:editor:runtime
+```
+
+Project Setup / Import Center runtime smoke check against the running stand:
+
+```bat
+cd /d Z:\codex\SFERA\frontend\sfera-web
+npm run smoke:project-setup
+```
+
+Full editor smoke check:
+
+```bat
+cd /d Z:\codex\SFERA\frontend\sfera-web
+npm run smoke:editor:all
+```
+
+Override the checked frontend URL when needed:
+
+```bat
+set SFERA_WEB_URL=http://docker-test.cin.su:3000
+npm run smoke:editor:all
+```
+
+`smoke:editor` checks server-rendered HTML for the overview and editor modes and retries briefly while a freshly started stand settles. `smoke:editor:runtime` launches the installed Chrome/Edge through `playwright-core`, catches browser runtime errors, verifies Monaco in module mode, opens the Versions tab, clicks a version row, checks full version payload details, and exercises metadata draft preview/apply through the API. `smoke:project-setup` prepares the `default` project through the web API proxy, verifies the new Project Setup / IDE Shell route, and saves a metadata draft to workspace history. Set `SFERA_BROWSER_PATH` if Chrome/Edge is installed in a non-standard location.
+
+Docker health smoke can include the Project Setup browser smoke:
+
+```powershell
+.\scripts\smoke-test-docker.ps1 `
+  -ApiUrl http://docker-test.cin.su:8000 `
+  -WebUrl http://docker-test.cin.su:3000 `
+  -Neo4jUrl http://docker-test.cin.su:7474 `
+  -QdrantUrl http://docker-test.cin.su:6333 `
+  -ObjectStorageUrl http://docker-test.cin.su:9000 `
+  -IncludeProjectSetupSmoke
+```
+
+The frontend resolves the API endpoint in this order:
+
+1. `SFERA_API_URL`
+2. `NEXT_PUBLIC_SFERA_API_URL`
+3. the current panel host with API port `8000`
+
+Examples:
+
+```text
+http://192.168.200.60:3000       -> http://192.168.200.60:8000
+http://docker-test.cin.su:3000   -> http://docker-test.cin.su:8000
+http://127.0.0.1:3001            -> http://localhost:8000
+```
+
+If the API moves to another address or port, set:
+
+```text
+SFERA_API_URL=http://api-host:8080
+```
+
+If only the derived API port changes, set:
+
+```text
+SFERA_API_PORT=8080
+```
+
+Do not use `127.0.0.1:8000` as the panel default, because browsers are normally opened from another computer in the LAN. Full Docker stands should run on `docker-test`; local mode is only for the current API + Next.js development loop without a local Docker Engine.
+
+Browser-side editor actions call the API directly, so API CORS must allow the panel origin. By default the API allows localhost, LAN `192.168.*.*` origins, and `docker-test.cin.su`. Override with `SFERA_CORS_ORIGIN_REGEX` only when the stand moves to a different trusted host pattern.
+
+Expected demo projection:
+
+```text
+nodes: 5
+edges: 6
+```
+
+After a project has been projected once to Neo4j, `POST /projects/{project_id}/incremental/file` automatically applies the SIR delta to that project's Neo4j graph. Check `neo4j_projected` / `neo4j_error` in the response.
+
+Object impact includes 1C role access when XML contains role rights, for example `Role -> Right object="Документ.ЗаказПокупателя"`.
+
+Knowledge packs are stored in `knowledge_packs`; importing a BSP/vendor pack also persists enriched `knowledge` records with `pack:{pack_id}` and `vendor:{vendor}` tags for search and coverage.
+
+Pattern mining is available via `GET /projects/{project_id}/patterns?min_support=2` and reports repeated table reads/writes and repeated routine read/write shapes.
+
+Ownership is stored in `collaboration_ownership` and is scoped by project + target lineage. Project review reports `Missing 1C object owner` for root 1C objects without an assigned owner; project report includes ownership and unowned-object counters.
+
+Privacy markers are stored in `privacy_markers` and are scoped by project + target lineage. Review reports `Unclassified sensitive 1C field` for likely sensitive 1C attributes such as ИНН, паспорт, телефон, email, адрес when no privacy classification exists.
+
+AI usage records are stored in `ai_usage`. Use `GET /ai/usage/summary?project_id=...` for dashboard counters and `GET /ai/policy?user_id=...` before AI actions to show token limits and remaining allowance.
+
+AI answer policy is available via `POST /projects/{project_id}/ai/answer-policy`. It does not generate an answer; it returns `allowed`, blocking reasons, warnings, matching knowledge records, privacy markers, and remaining token budget.