{"id":51510288,"url":"https://github.com/man4ish/omnibioai-api-gateway","last_synced_at":"2026-07-08T05:01:59.742Z","repository":{"id":360805791,"uuid":"1238285076","full_name":"man4ish/omnibioai-api-gateway","owner":"man4ish","description":"Zero-trust API gateway for OmniBioAI — handles authentication (JWT verification), policy enforcement (RBAC/ABAC), request routing to downstream services, rate limiting, and secure service-to-service communication. All inbound traffic to the platform passes through this gateway; no service is directly addressable without authorization.","archived":false,"fork":false,"pushed_at":"2026-06-17T04:02:34.000Z","size":34,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-17T06:06:05.520Z","etag":null,"topics":["authentication","jwt","observability","omnibioai","policy-engine","python","zero-trust"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/man4ish.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-14T01:42:11.000Z","updated_at":"2026-06-17T04:02:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/man4ish/omnibioai-api-gateway","commit_stats":null,"previous_names":["man4ish/omnibioai-api-gateway"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/man4ish/omnibioai-api-gateway","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-api-gateway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-api-gateway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-api-gateway/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-api-gateway/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/man4ish","download_url":"https://codeload.github.com/man4ish/omnibioai-api-gateway/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/man4ish%2Fomnibioai-api-gateway/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35252324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-08T02:00:06.796Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","jwt","observability","omnibioai","policy-engine","python","zero-trust"],"created_at":"2026-07-08T05:01:57.401Z","updated_at":"2026-07-08T05:01:59.698Z","avatar_url":"https://github.com/man4ish.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# omnibioai-api-gateway\n\n**Zero-trust API gateway for the OmniBioAI platform.**\n\nSingle enforced entry point for all service traffic. Every request\nis authenticated, authorized, quota-checked, and audited before\nreaching any backend service.\n\n---\n\n## Architecture\n\n```\nInternet / Client / Studio\n\n↓\n\napi-gateway :8080        ← single entry point\n\n↓\n\nTraceMiddleware          ← generates X-Trace-Id UUID\n\n↓\n\nAuthMiddleware           ← JWT validation via IAM client + Redis cache\n\n↓\n\nPolicyMiddleware         ← RBAC/ABAC via policy-engine\n\n↓\n\nHPCMiddleware            ← GPU/CPU quota via hpc-policy-engine\n\n↓\n\nAuditMiddleware          ← async audit log via security-audit\n\n↓\n\ntarget service           ← workbench / tes / toolserver / rag / lims\n```\n\n**Failure policy:**\n\n| Layer | On failure |\n|-------|-----------|\n| Auth | FAIL CLOSED → HTTP 401 |\n| Policy | FAIL CLOSED → HTTP 403 |\n| HPC quota | FAIL CLOSED → HTTP 403 |\n| Audit | FAIL OPEN → ignored |\n\n---\n\n## Features\n\n- JWT authentication via IAM client (Redis-cached, sub-ms validation)\n- RBAC/ABAC policy enforcement on every request\n- GPU/CPU quota governance for compute requests\n- Async audit logging via Redis Streams (never blocks requests)\n- Service-to-service (S2S) token validation\n- Distributed trace ID propagation (X-Trace-Id header)\n- Redis pub/sub cache invalidation on logout\n- Rate limiting on auth endpoints (via nginx — 10 req/min, burst 5)\n\n---\n\n## Middleware Stack\n\nMiddleware is applied LIFO — last added runs first for requests:\n\n| Order | Middleware | Responsibility |\n|-------|-----------|----------------|\n| 1 | TraceMiddleware | Generate X-Trace-Id, attach to request state |\n| 2 | AuthMiddleware | Validate JWT via IAM client |\n| 3 | PolicyMiddleware | RBAC/ABAC authorization decision |\n| 4 | HPCMiddleware | GPU/CPU quota check (compute paths only) |\n| 5 | AuditMiddleware | Fire async audit event to Redis Streams |\n\n---\n\n## API Endpoints\n\n| Endpoint | Method | Auth | Description |\n|----------|--------|------|-------------|\n| `/health` | GET | — | Gateway health check |\n| `/auth/verify` | GET | JWT | Verify token (used by nginx auth_request) |\n| `/api/*` | ALL | JWT | Proxy to target service |\n\n### Health check\n```bash\ncurl http://localhost:8080/health\n# {\"status\": \"ok\"}\n```\n\n### All other requests require JWT\n```bash\ncurl -H \"Authorization: Bearer \u003ctoken\u003e\" \\\n  http://localhost:8080/api/tools\n```\n\n---\n\n## Service Routing\n\n| Path prefix | Target service |\n|-------------|----------------|\n| `/api/workbench/*` | workbench :8000 |\n| `/api/tes/*` | tes :8081 |\n| `/api/tools/*` | toolserver :9090 |\n| `/api/models/*` | model-registry :8095 |\n| `/api/rag/*` | rag :8096 |\n| `/api/lims/*` | lims :7000 |\n\n---\n\n## Internal Headers Propagated\n\n| Header | Description |\n|--------|-------------|\n| `X-Trace-Id` | UUID per request for distributed tracing |\n| `X-User-Id` | Authenticated user ID |\n| `X-Internal-Service` | Marks request as internal (gateway-verified) |\n\n---\n\n## Running\n\n### Via OmniBioAI Studio (recommended)\n\n```bash\ncd ~/Desktop/machine/omnibioai-studio\ndocker compose up -d api-gateway\n```\n\nAccess: `http://localhost:8080`\n\n### Environment variables\n\nSet in `omnibioai-studio/.env`:\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `IAM_URL` | `http://omnibioai-auth:8000` | Auth service URL |\n| `POLICY_URL` | `http://omnibioai-policy-engine:8001` | Policy engine URL |\n| `HPC_URL` | `http://omnibioai-hpc-policy-engine:8002` | HPC policy URL |\n| `REDIS_URL` | `redis://redis:6379` | Redis for token cache + pub/sub |\n| `JWT_SECRET` | — | JWT signing secret (auto-generated) |\n| `ROUTE_TIMEOUT` | `15` | Upstream request timeout (seconds) |\n\n---\n\n## Testing\n\n```bash\ncd ~/Desktop/machine/omnibioai-api-gateway\npytest tests/ -v --cov=app\n\n# 33 tests passing\n# 74% coverage\n# Covers: auth middleware, policy middleware, HPC middleware,\n#         trace middleware, config, gateway router\n```\n\n---\n\n## Tech Stack\n\n| Layer | Technology |\n|-------|-----------|\n| Framework | FastAPI + Uvicorn |\n| Auth | IAM client (httpx async + Redis cache) |\n| Cache invalidation | Redis pub/sub |\n| Tracing | UUID trace IDs via middleware |\n| Proxying | httpx reverse proxy |\n\n---\n\n## Related Services\n\n| Service | Role |\n|---------|------|\n| `omnibioai-auth` | JWT issuance and validation |\n| `omnibioai-iam-client` | Async IAM client with Redis cache |\n| `omnibioai-policy-engine` | RBAC/ABAC authorization decisions |\n| `omnibioai-hpc-policy-engine` | GPU/CPU quota governance |\n| `omnibioai-security-audit` | Async audit event consumer |\n| `omnibioai-security-sdk` | SDK wrapping the full security stack |\n| `omnibioai-studio` | Manages gateway container lifecycle |\n\n---\n\n## License\n\nApache 2.0\n\n---\n\n*Part of the [OmniBioAI](https://github.com/man4ish/omnibioai-studio) platform.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-api-gateway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fman4ish%2Fomnibioai-api-gateway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fman4ish%2Fomnibioai-api-gateway/lists"}