feat: add multi-tenancy and teams support

.dockerignore

@@ -82,4 +82,14 @@ coverage/
 *.tmp
 *.temp
 .cache/
-
+# ============================================================================
+# Storybook
+# ============================================================================
+# Development-only UI component documentation
+.storybook/
+services/platform/.storybook/
+**/*.stories.tsx
+**/*.stories.ts
+**/*.stories.jsx
+**/*.stories.js
+storybook-static/

README.md

@@ -119,13 +119,15 @@ TRUSTED_HEADERS_ENABLED=true
 TRUSTED_EMAIL_HEADER=X-Auth-Email      # optional, default shown
 TRUSTED_NAME_HEADER=X-Auth-Name        # optional, default shown
 TRUSTED_ROLE_HEADER=X-Auth-Role        # optional, default shown
+TRUSTED_TEAMS_HEADER=X-Auth-Teams      # optional, default shown
 ```
 
 Your proxy must send these headers with every request:
 
 - `X-Auth-Email`: User's email address
 - `X-Auth-Name`: User's display name
 - `X-Auth-Role`: One of `admin`, `developer`, `editor`, or `member`
+- `X-Auth-Teams` (optional): Comma-separated list of teams in `id:name` format (e.g., `abc123:Engineering, def456:Design`). The external IdP is the single source of truth - team IDs are passed through directly without any internal database lookup. Omit the header to leave teams unchanged, send empty to remove from all teams.
 
 ⚠️ **Security**: Only enable this when Tale is behind a trusted proxy that strips these headers from external requests.
 

compose.blue.yml

@@ -85,7 +85,7 @@ services:
     environment:
       - RAG_CHUNK_SIZE=512
       - RAG_CHUNK_OVERLAP=50
-      # Disable cognee multi-user access control mode (required for kuzu-remote)
+      # Disable cognee multi-user access control mode
       - ENABLE_BACKEND_ACCESS_CONTROL=false
 
     restart: unless-stopped

compose.green.yml

@@ -85,7 +85,7 @@ services:
     environment:
       - RAG_CHUNK_SIZE=512
       - RAG_CHUNK_OVERLAP=50
-      # Disable cognee multi-user access control mode (required for kuzu-remote)
+      # Disable cognee multi-user access control mode
       - ENABLE_BACKEND_ACCESS_CONTROL=false
 
     restart: unless-stopped

compose.yml

@@ -90,45 +90,53 @@ services:
       - internal
 
   # ============================================================================
-  # Tale Graph DB (Kuzu)
+  # Tale Crawler (Crawl4AI)
   # ============================================================================
-  # Stateful service - Kuzu requires exclusive file lock, cannot run two instances
-  graph-db:
+  # Stateless service - no container_name for blue-green deployment
+  crawler:
     # Image from GHCR (used when PULL_POLICY=always)
-    image: ghcr.io/tale-project/tale/tale-graph-db:${VERSION:-latest}
+    image: ghcr.io/tale-project/tale/tale-crawler:${VERSION:-latest}
     # Pull policy: 'build' for local dev, 'always' for production
     pull_policy: ${PULL_POLICY:-build}
-    # Build from local Dockerfile (used when PULL_POLICY=build)
+    # Build configuration (used when PULL_POLICY=build)
     build:
-      context: ./services/graph-db
-      dockerfile: Dockerfile
+      context: .
+      dockerfile: services/crawler/Dockerfile
       args:
         VERSION: ${VERSION:-dev}
 
-    # Container name - stateful service like db
-    container_name: tale-graph-db
-
-    # No port mapping needed - only accessed by other services (rag)
-    # internally via http://graph-db:8000
+    # Port mapping: host:container (for development)
+    # Access Crawler API at localhost:8002
+    ports:
+      - '8002:8002'
 
-    # Volume mounts
-    # Persist graph database data
-    volumes:
-      - graph-db-data:/data
+    # Environment file
+    # Create a .env file in the project root with your configuration
+    env_file:
+      - .env
 
     # Restart policy
     # Automatically restart the container if it crashes
     restart: unless-stopped
 
     # Health check - optimized for faster blue-green deployment
     # Docker will check if the service is healthy
-    # Note: Using Python since curl is not available in python:3.11-slim
     healthcheck:
-      test: ['CMD', 'python', '-c', 'import urllib.request; urllib.request.urlopen("http://localhost:8000/health")']
+      test: ['CMD', 'curl', '-f', 'http://localhost:8002/health']
       interval: 5s
       timeout: 3s
       retries: 2
-      start_period: 10s
+      start_period: 40s
+
+    # Resource limits (optional, adjust based on your needs)
+    # deploy:
+    #   resources:
+    #     limits:
+    #       cpus: '2'
+    #       memory: 4G
+    #     reservations:
+    #       cpus: '1'
+    #       memory: 2G
 
     # Logging configuration
     logging:
@@ -142,53 +150,52 @@ services:
       - internal
 
   # ============================================================================
-  # Tale Crawler (Crawl4AI)
+  # Tale Graph DB (FalkorDB)
   # ============================================================================
-  # Stateless service - no container_name for blue-green deployment
-  crawler:
+  # Redis-based graph database optimized for GraphRAG
+  # - Native multi-tenant support (10K+ graphs per instance)
+  # - Low latency (~140ms p99)
+  # - Client-server architecture (no file-level locking issues)
+  # - Combined graph and vector storage via hybrid adapter
+  # Replaces embedded Kuzu (archived) and LanceDB
+  graph-db:
     # Image from GHCR (used when PULL_POLICY=always)
-    image: ghcr.io/tale-project/tale/tale-crawler:${VERSION:-latest}
+    image: ghcr.io/tale-project/tale/tale-graph-db:${VERSION:-latest}
     # Pull policy: 'build' for local dev, 'always' for production
     pull_policy: ${PULL_POLICY:-build}
     # Build configuration (used when PULL_POLICY=build)
     build:
       context: .
-      dockerfile: services/crawler/Dockerfile
+      dockerfile: services/graph-db/Dockerfile
       args:
         VERSION: ${VERSION:-dev}
 
-    # Port mapping: host:container (for development)
-    # Access Crawler API at localhost:8002
+    # Port mapping: host:container
+    # Access FalkorDB at localhost:6379 (Redis protocol)
+    # Access FalkorDB Browser UI at localhost:6380 (mapped from internal 3000)
     ports:
-      - '8002:8002'
+      - '6379:6379'
+      - '6380:3000'
+
+    # Volume mounts
+    # Persist graph and vector data
+    # FalkorDB stores data in /var/lib/falkordb/data (not /data)
+    volumes:
+      - graph-db-data:/var/lib/falkordb/data
 
     # Environment file
-    # Create a .env file in the project root with your configuration
     env_file:
       - .env
 
     # Restart policy
-    # Automatically restart the container if it crashes
     restart: unless-stopped
 
-    # Health check - optimized for faster blue-green deployment
-    # Docker will check if the service is healthy
+    # Health check
     healthcheck:
-      test: ['CMD', 'curl', '-f', 'http://localhost:8002/health']
-      interval: 5s
-      timeout: 3s
-      retries: 2
-      start_period: 40s
-
-    # Resource limits (optional, adjust based on your needs)
-    # deploy:
-    #   resources:
-    #     limits:
-    #       cpus: '2'
-    #       memory: 4G
-    #     reservations:
-    #       cpus: '1'
-    #       memory: 2G
+      test: ['CMD', 'redis-cli', 'ping']
+      interval: 10s
+      timeout: 5s
+      retries: 3
 
     # Logging configuration
     logging:
@@ -239,8 +246,6 @@ services:
       # Smaller chunks (512) reduce LLM output size for knowledge graph extraction
       - RAG_CHUNK_SIZE=512
       - RAG_CHUNK_OVERLAP=50
-      # Disable cognee multi-user access control mode (required for kuzu-remote)
-      - ENABLE_BACKEND_ACCESS_CONTROL=false
 
     # Restart policy
     # Automatically restart the container if it crashes
@@ -256,7 +261,7 @@ services:
       start_period: 40s
 
     # Dependencies
-    # Wait for database and graph DB to be ready
+    # Wait for database and graph-db (FalkorDB) to be ready
     depends_on:
       - db
       - graph-db
@@ -342,7 +347,6 @@ services:
     # Wait for backend services to be ready
     depends_on:
       - db
-      - graph-db
       - rag
       - crawler
       - search
@@ -539,12 +543,12 @@ volumes:
   db-backup:
     driver: local
 
-  # Persistent storage for graph database data (Kuzu)
-  graph-db-data:
+  # Persistent storage for RAG service data (temp files, document processing)
+  rag-data:
     driver: local
 
-  # Persistent storage for RAG service data
-  rag-data:
+  # Persistent storage for graph-db (FalkorDB graph + vector data)
+  graph-db-data:
     driver: local
 
   # Persistent storage for Platform Convex local backend