2026-06-11 15:55:12 +02:00
3 changed files with 1017 additions and 1063 deletions
--- a/README.md
+++ b/README.md
@ -11,11 +11,11 @@
 <a href="https://trendshift.io/repositories/17291" target="_blank"><img src="https://trendshift.io/api/badge/repositories/17291" alt="trustgraph-ai%2Ftrustgraph | Trendshift" style="width: 250px; height: 55px;" width="250" height="55"/></a>
-# The semantic deployment platform
+# The agent runtime platform
 </div>
-TrustGraph is a comprehensive semantic infrastructure for agents built around context graphs — structured, queryable representations of your domain knowledge that ground every agent query in verified, explainable facts in private deployments with sovereign control. The platform is the full stack for agentic systems: context graphs, memory, retrieval, orchestration, and inference for deterministic agent workloads.
+TrustGraph is an agent runtime platform built around context graphs — structured, queryable representations of your domain knowledge that ground every agent query in verified, explainable facts in private deployments with sovereign control. The platform is the full stack for agentic systems: context graphs, memory, retrieval, orchestration, and inference for precision-critical agent workloads.
 The platform:
 - [x] Multi-model and multimodal database system
@ -99,21 +99,23 @@ For a browser based configuration, try the [Configuration Terminal](https://conf
 - [**Developer APIs and CLI**](https://docs.trustgraph.ai/reference)
 - [**Deployment Guides**](https://docs.trustgraph.ai/deployment)
-## Context Graph UI
+## Workbench
-<img width="1389" height="961" alt="Image" src="https://github.com/user-attachments/assets/35c9250d-0f01-40cb-9294-1ee8fd9a1b56" />
+The **Workbench** provides tools for all major features of TrustGraph. The **Workbench** is on port `8888` by default.
-The UI provides tools for all major features of TrustGraph. The UI deploys on port `8888` by default.
+- **Vector Search**: Search the installed knowledge bases
-
+- **Agentic, GraphRAG and LLM Chat**: Chat interface for agents, GraphRAG queries, or direct to LLMs
- **Agent Console** — Query your agents directly with streaming responses and live explainability event tracking, so you can watch reasoning unfold in real time
+- **Relationships**: Analyze deep relationships in the installed knowledge bases
- **GraphRAG View** — Interactive graph RAG queries with a visual explainability DAG and inline provenance display, making it easy to see exactly where answers came from
+- **Graph Visualizer**: 3D GraphViz of the installed knowledge bases
- **Context Explorer** — An interactive 3D context graph explorer with dynamic graph loading, BFS neighborhood extraction, edge pulse animation, and multiple navigation views
+- **Library**: Staging area for installing knowledge bases
- **Document Ingestion** — A complete upload and submission workflow with page and chunk inspection and document structure browsing
+- **Flow Classes**: Workflow preset configurations
- **Ontology Workbench** — A full ontology editor with class and property trees, OWL/XML and Turtle import/export with round-trip fidelity, circular dependency detection, and safe-delete confirmation dialogs
+- **Flows**: Create custom workflows and adjust LLM parameters during runtime
- **Schema Workbench** — Interactive schema management with list, create, edit, and delete operations including field and index management
+- **Knowledge Cores**: Manage resuable knowledge bases
- **Flow Management** — Flow creation and detail views with configurable parameters, temperature controls, and grouped storage layout
+- **Prompts**: Manage and adjust prompts during runtime
- **Workspace UX** — Workspace selection and management surfaced directly in the interface
+- **Schemas**: Define custom schemas for structured data knowledge bases
- **Prompt Editor** — A dedicated prompt editing workflow
+- **Ontologies**: Define custom ontologies for unstructured data knowledge bases
 - **Agent Tools**: Define tools with collections, knowledge cores, MCP connections, and tool groups
 - **MCP Tools**: Connect to MCP servers
 ## TypeScript Library for UIs
--- a/trustgraph-mcp/trustgraph/mcp_server/mcp.py
+++ b/trustgraph-mcp/trustgraph/mcp_server/mcp.py
--- a/trustgraph-mcp/trustgraph/mcp_server/tg_socket.py
+++ b/trustgraph-mcp/trustgraph/mcp_server/tg_socket.py
@ -1,110 +1,49 @@
 from dataclasses import dataclass
 from websockets.asyncio.client import connect
 from urllib.parse import urlencode, urlparse, urlunparse, parse_qs
 import asyncio
 import logging
 import json
 import uuid
-import hashlib
+import time
 logger = logging.getLogger(__name__)
 def _token_key(token):
    """Derive a dict key from a token without storing the raw secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]
 class WebSocketManager:
    """Manages an authenticated WebSocket connection to the TrustGraph
    gateway on behalf of a single caller.
-    Each caller token gets its own WebSocketManager so that gateway-side
+    def __init__(self, url, token=None):
    identity, workspace, and capability scoping are preserved end-to-end.
    """
    def __init__(self, url, token):
        self.url = url
        # ── Security boundary: token storage ──
        # This is the MCP caller's Bearer token, forwarded verbatim to
        # the gateway.  It MUST NOT be logged, persisted, or shared
        # across callers.  It is held only for the lifetime of this
        # connection so that re-auth (e.g. after a reconnect) is
        # possible.
        self.token = token
        self.socket = None
-        self.identity = None
+
-        self.last_used = None
+    # FIXME: authentication is broken. The /api/v1/socket endpoint uses
    # in-band auth (first-frame protocol via the Mux dispatcher), not
    # query-parameter tokens. This query-string token is silently ignored.
    # Fix: after connect(), send an auth frame with the bearer token as
    # the first message, matching the gateway's in-band auth protocol.
    def _build_url(self):
        if not self.token:
            return self.url
        parsed = urlparse(self.url)
        params = parse_qs(parsed.query)
        params["token"] = [self.token]
        new_query = urlencode(params, doseq=True)
        return urlunparse(parsed._replace(query=new_query))
    async def start(self):
-        """Connect and authenticate via the gateway's in-band auth
+        self.socket = await connect(self._build_url())
        protocol.  Raises on auth failure."""
        # ── Security boundary: MCP server → gateway ──
        # The WebSocket connects to the gateway and authenticates using
        # the caller's Bearer token via the in-band first-frame auth
        # protocol.  The token belongs to the MCP client — we forward
        # it as-is and never interpret its contents.
        self.socket = await connect(self.url)
        self.pending_requests = {}
        self.running = True
        await self._authenticate()
        self.reader_task = asyncio.create_task(self.reader())
    async def _authenticate(self):
        """Send in-band auth frame and wait for auth-ok / auth-failed.
        The gateway expects ``{"type": "auth", "token": "..."}`` as the
        first frame on a new WebSocket.  Any service frame sent before
        auth-ok is rejected.
        """
        await self.socket.send(json.dumps({
            "type": "auth",
            "token": self.token,
        }))
        response_text = await asyncio.wait_for(self.socket.recv(), 10)
        response = json.loads(response_text)
        if response.get("type") == "auth-ok":
            logger.info(
                "WebSocket authenticated, default workspace: %s",
                response.get("workspace"),
            )
            return
        # Auth failed — close immediately, do not leave an
        # unauthenticated socket open.
        await self.socket.close()
        self.socket = None
        if response.get("type") == "auth-failed":
            raise RuntimeError(
                "Gateway rejected the authentication token"
            )
        raise RuntimeError(
            f"Unexpected auth response type: {response.get('type')}"
        )
    async def whoami(self):
        """Verify the token by calling the gateway's whoami endpoint.
        Returns the identity dict and caches it on ``self.identity``.
        """
        gen = self.request("iam", {"operation": "whoami"}, flow_id=None)
        async for response in gen:
            self.identity = response
            return response
    async def stop(self):
        self.running = False
-        if hasattr(self, "reader_task"):
+        await self.reader_task
            await self.reader_task
    async def reader(self):
-        """Background task: read WebSocket frames and route them to the
+        """
-        correct pending-request queue by ``id``."""
+        Background task to read websocket responses and route to correct
        request
        """
        while self.running:
            try:
@ -120,21 +59,23 @@ class WebSocketManager:
                request_id = response.get("id")
                if request_id and request_id in self.pending_requests:
                    # Put the response in the queue
                    queue = self.pending_requests[request_id]
                    await queue.put(response)
                else:
-                    logger.warning(
+                    logging.warning(
-                        "Response for unknown request ID: %s", request_id
+                        f"Response for unknown request ID: {request_id}"
                    )
            except Exception as e:
-                logger.error("Error in websocket reader: %s", e)
+                logging.error(f"Error in websocket reader: {e}")
                # Put error in all pending queues
                for queue in self.pending_requests.values():
                    try:
                        await queue.put({"error": str(e)})
-                    except Exception:
+                    except:
                        pass
                self.pending_requests.clear()
@ -145,29 +86,25 @@ class WebSocketManager:
    async def request(
            self, service, request_data, flow_id="default",
            workspace=None,
    ):
-        """Send a request via WebSocket and yield responses.
+        """
-
+        Send a request via websocket and handle single or streaming responses
        Args:
            service: Gateway service name (e.g. "graph-rag", "config").
            request_data: Inner request payload.
            flow_id: Optional flow identifier.  ``None`` omits the field
                (workspace-level services don't use flows).
            workspace: Optional workspace override.  When ``None`` the
                gateway uses the caller's default workspace.
        """
-        import time
+        # Generate unique request ID
        self.last_used = time.monotonic()
        request_id = f"{uuid.uuid4()}"
        # Determine if this service streams responses
        streaming_services = {"agent"}
        is_streaming = service in streaming_services
        # Create a queue for all responses (streaming and single)
        response_queue = asyncio.Queue()
        self.pending_requests[request_id] = response_queue
        try:
            # Build request message
            message = {
                "id": request_id,
                "service": service,
@ -177,16 +114,7 @@ class WebSocketManager:
            if flow_id is not None:
                message["flow"] = flow_id
-            # ── Security boundary: workspace scoping ──
+            # Send request
            # When the caller supplies a workspace, we set it on the
            # message envelope.  The gateway's enforce_workspace()
            # validates that the authenticated identity is permitted
            # to access the target workspace — we MUST NOT skip or
            # override that check.  When workspace is None, the
            # gateway default-fills from the identity's bound workspace.
            if workspace is not None:
                message["workspace"] = workspace
            await self.socket.send(json.dumps(message))
            while self.running:
@ -199,17 +127,19 @@ class WebSocketManager:
                    continue
                if "error" in response:
-                    if isinstance(response["error"], dict):
+                    if "message" in response["error"]:
-                        raise RuntimeError(
+                        raise RuntimeError(response["error"]["text"])
                            response["error"].get("message", str(response["error"]))
                        )
                    else:
                        raise RuntimeError(str(response["error"]))
                yield response["response"]
-                if response.get("complete"):
+                if "complete" in response:
-                    break
+                    if response["complete"]:
                        break
-        finally:
+        except Exception as e:
            # Clean up on error
            self.pending_requests.pop(request_id, None)
            raise e