https://docs.nocfoundry.dev/dev/Recent content on NOCFoundry DocsHugoenhttps://docs.nocfoundry.dev/dev/getting-started/local-quickstart/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/getting-started/local-quickstart/<h1 id="local-quickstart">Local Quickstart</h1> <p>This quickstart gets a local NOCFoundry instance running with the validation demo and UI.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Go 1.25 or later</li> <li>Docker if you want the local Keycloak flow</li> <li>a shell with access to this repository</li> </ul> <h2 id="optional-start-the-local-sr-linux-topology">Optional: start the local SR Linux topology</h2> <p>If you want to test against a realistic network fabric instead of static examples, use the containerlab topology in <code>examples/containerlab/</code>.</p> <p>Install containerlab only when you need it:</p>https://docs.nocfoundry.dev/dev/getting-started/mcp-client-quickstart/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/getting-started/mcp-client-quickstart/<h1 id="mcp-client-quickstart">MCP Client Quickstart</h1> <p>NOCFoundry exposes the Model Context Protocol at:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">http://127.0.0.1:5000/mcp </span></span></code></pre></div><p>With the protected validation example, <code>/mcp</code> is protected by OIDC endpoint auth.</p> <h2 id="what-clients-need">What clients need</h2> <ul> <li>the MCP endpoint URL</li> <li>an access token whose <code>aud</code> matches the configured <code>/mcp</code> audience</li> <li>support for bearer tokens on HTTP-based MCP transports</li> </ul> <p>The protected resource metadata is served from:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">/.well-known/oauth-protected-resource/mcp </span></span></code></pre></div><h2 id="minimal-connection-model">Minimal connection model</h2> <ol> <li>Start NOCFoundry with <code>examples/tools-configs/keycloak-protected-validation.yaml</code> and <code>examples/server-configs/protected-api-mcp-ui.yaml</code>.</li> <li>Obtain an access token from Keycloak.</li> <li>Configure your MCP client to connect to <code>http://127.0.0.1:5000/mcp</code>.</li> <li>Supply <code>Authorization: Bearer &lt;token&gt;</code> on every HTTP request.</li> </ol> <h2 id="audience-reminder">Audience reminder</h2> <p>The access token must match the <code>/mcp</code> audience configured in:</p>https://docs.nocfoundry.dev/dev/configuration/tool-catalogs/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/configuration/tool-catalogs/<h1 id="tool-catalogs">Tool Catalogs</h1> <p>Tool catalogs define the operational resources NOCFoundry loads at startup.</p> <h2 id="supported-catalog-flags">Supported catalog flags</h2> <ul> <li><code>--tools-file</code></li> <li><code>--tools-files</code></li> <li><code>--tools-folder</code></li> <li><code>--prebuilt</code></li> </ul> <p>These are mutually exclusive where appropriate:</p> <ul> <li><code>--tools-file</code>, <code>--tools-files</code>, and <code>--tools-folder</code> cannot be combined</li> <li><code>--prebuilt</code> can be combined with custom tool catalogs when you want bundled capabilities plus your own configs</li> </ul> <h2 id="what-a-catalog-can-contain">What a catalog can contain</h2> <p>Tool catalogs can define:</p> <ul> <li>sources</li> <li>device groups</li> <li>auth services</li> <li>tools</li> <li>toolsets</li> <li>prompts</li> <li>promptsets</li> <li>embedding models</li> </ul> <h2 id="prebuilt-catalogs">Prebuilt catalogs</h2> <p><code>--prebuilt</code> takes a bundled catalog name, not an individual tool name.</p>https://docs.nocfoundry.dev/dev/configuration/server-config/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/configuration/server-config/<h1 id="server-config">Server Config</h1> <p><code>--server-config</code> carries server-wide runtime policy that should not be owned by individual tool catalog files.</p> <h2 id="current-focus">Current focus</h2> <p>Today, the most important server config capabilities are:</p> <ul> <li>endpoint auth for <code>/api</code></li> <li>endpoint auth for <code>/mcp</code></li> <li>browser UI auth configuration for PKCE login</li> </ul> <h2 id="example">Example</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">auth</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">endpointAuth</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">api</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authServices</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;noc-keycloak&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audience</span><span class="p">:</span><span class="w"> </span><span class="l">${NOCFOUNDRY_BASE_URL:http://127.0.0.1:5000}/api</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">mcp</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authServices</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;noc-keycloak&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">audience</span><span class="p">:</span><span class="w"> </span><span class="l">${NOCFOUNDRY_BASE_URL:http://127.0.0.1:5000}/mcp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ui</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">authService</span><span class="p">:</span><span class="w"> </span><span class="l">noc-keycloak</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">clientId</span><span class="p">:</span><span class="w"> </span><span class="l">${KEYCLOAK_UI_CLIENT_ID:noc-foundry-ui}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scopes</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;openid&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;profile&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;email&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">redirectPath</span><span class="p">:</span><span class="w"> </span><span class="l">/ui/auth/callback</span><span class="w"> </span></span></span></code></pre></div><h2 id="rules-to-remember">Rules to remember</h2> <ul> <li>endpoint auth policy is global to the server, not per tool catalog</li> <li>auth services are still defined in tool catalogs and referenced here by name</li> <li>UI login depends on API endpoint auth being enabled</li> </ul> <h2 id="start-command">Start command</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./nocfoundry <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --tools-file examples/tools-configs/keycloak-protected-validation.yaml <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --server-config examples/server-configs/protected-api-mcp-ui.yaml <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --validation-config examples/validation-runtime-configs/durable-validation-sqlite.yaml <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> --ui </span></span></code></pre></div>https://docs.nocfoundry.dev/dev/configuration/validation-runtime/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/configuration/validation-runtime/<h1 id="validation-runtime">Validation Runtime</h1> <p><code>--validation-config</code> controls how validation runs are executed and stored.</p> <h2 id="key-runtime-settings">Key runtime settings</h2> <ul> <li><code>executionBackend</code></li> <li><code>storeBackend</code></li> <li><code>sqlitePath</code></li> <li><code>durableTaskSQLitePath</code></li> <li><code>maxConcurrentRuns</code></li> <li><code>maxConcurrentSteps</code></li> <li><code>resultRetention</code></li> <li><code>eventRetention</code></li> </ul> <h2 id="example">Example</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">executionBackend</span><span class="p">:</span><span class="w"> </span><span class="l">durabletask</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">storeBackend</span><span class="p">:</span><span class="w"> </span><span class="l">sqlite</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">sqlitePath</span><span class="p">:</span><span class="w"> </span><span class="l">/var/lib/nocfoundry/noc-foundry-validation-runs.sqlite</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">durableTaskSQLitePath</span><span class="p">:</span><span class="w"> </span><span class="l">/var/lib/nocfoundry/noc-foundry-validation-taskhub.sqlite</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">maxConcurrentRuns</span><span class="p">:</span><span class="w"> </span><span class="m">4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">maxConcurrentSteps</span><span class="p">:</span><span class="w"> </span><span class="m">4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">resultRetention</span><span class="p">:</span><span class="w"> </span><span class="l">24h</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">eventRetention</span><span class="p">:</span><span class="w"> </span><span class="l">24h</span><span class="w"> </span></span></span></code></pre></div><h2 id="backend-choices">Backend choices</h2> <ul> <li><code>local</code> is simpler and good for lightweight execution</li> <li><code>durabletask</code> is better for long-running validations that should survive interruption</li> </ul> <h2 id="store-choices">Store choices</h2> <ul> <li><code>memory</code> is ephemeral</li> <li><code>sqlite</code> provides persistence for status, results, and events</li> </ul> <h2 id="recommended-local-lab-setup">Recommended local lab setup</h2> <p>For the protected validation example, use:</p>https://docs.nocfoundry.dev/dev/auth/oidc-endpoint-auth/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/auth/oidc-endpoint-auth/<h1 id="oidc-endpoint-auth">OIDC Endpoint Auth</h1> <p>NOCFoundry can protect the HTTP surfaces themselves, not just individual tool calls.</p> <h2 id="protected-surfaces">Protected surfaces</h2> <ul> <li><code>/api</code></li> <li><code>/mcp</code></li> </ul> <p>These surfaces are configured separately in <code>--server-config</code> and can require different audiences.</p> <h2 id="auth-service-model">Auth service model</h2> <ul> <li>OIDC providers are defined as <code>authServices</code> in tool catalog files</li> <li>the server config references those services by name</li> <li>only auth services selected by server policy can satisfy a protected surface</li> </ul> <h2 id="metadata-and-rfc-9728">Metadata and RFC 9728</h2> <p>NOCFoundry serves protected resource metadata for:</p>https://docs.nocfoundry.dev/dev/auth/ui-login-keycloak/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/auth/ui-login-keycloak/<h1 id="ui-login-with-keycloak">UI Login with Keycloak</h1> <p>NOCFoundry’s browser UI acts as an OIDC public client and uses Authorization Code + PKCE to access the protected <code>/api</code> surface.</p> <h2 id="local-demo-flow">Local demo flow</h2> <ol> <li>Start Keycloak:</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker compose -f examples/keycloak/docker-compose.keycloak.yaml up -d </span></span></code></pre></div><ol start="2"> <li>Bootstrap the demo realm and clients:</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./examples/keycloak/keycloak-setup.sh </span></span></code></pre></div><ol start="3"> <li>Start NOCFoundry with:</li> </ol> <ul> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/tools-configs/keycloak-protected-validation.yaml"><code>examples/tools-configs/keycloak-protected-validation.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/server-configs/protected-api-mcp-ui.yaml"><code>examples/server-configs/protected-api-mcp-ui.yaml</code></a></li> </ul> <h2 id="important-client-details">Important client details</h2> <p>The setup script creates:</p> <ul> <li><code>noc-foundry</code> for the resource-side auth service</li> <li><code>noc-foundry-ui</code> for the browser PKCE client</li> </ul> <p>The UI client must:</p>https://docs.nocfoundry.dev/dev/workflows/validation-runs/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/workflows/validation-runs/<h1 id="validation-runs">Validation Runs</h1> <p>Validation runs provide a long-running execution model for multi-step network validation workflows.</p> <p>Typical lifecycle:</p> <ol> <li>start a run</li> <li>poll status</li> <li>fetch final result</li> <li>cancel if needed</li> </ol> <p>Use the protected validation example tools for this workflow:</p> <ul> <li><code>start_validation_run</code></li> <li><code>validation_run_status</code></li> <li><code>validation_run_result</code></li> <li><code>cancel_validation_run</code></li> </ul>https://docs.nocfoundry.dev/dev/workflows/skills/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/workflows/skills/<h1 id="skills">Skills</h1> <p>NOCFoundry can generate agent-facing workflow bundles with <code>skills-generate</code>.</p> <p>The current model emphasizes:</p> <ul> <li>one skill per explicit toolset</li> <li>workflow-oriented docs</li> <li>optional prompt guidance</li> <li>direct <code>nocfoundry invoke ...</code> examples instead of generated runtime wrappers</li> </ul>https://docs.nocfoundry.dev/dev/resources/sources/ssh/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/resources/sources/ssh/<h1 id="ssh-source">SSH Source</h1> <p>Use the SSH source for CLI-oriented collection and command execution. In NOCFoundry, SSH timeouts are normalized as full operation timeouts per attempt.</p>https://docs.nocfoundry.dev/dev/resources/sources/netconf/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/resources/sources/netconf/<h1 id="netconf-source">NETCONF Source</h1> <p>Use the NETCONF source for structured operational retrieval and config reads, with operation-scoped timeout behavior and retry-aware collection.</p>https://docs.nocfoundry.dev/dev/resources/sources/gnmi/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/resources/sources/gnmi/<h1 id="gnmi-source">gNMI Source</h1> <p>Use the gNMI source for structured operational state retrieval with source-level timeout control and audience-safe tool workflows.</p>https://docs.nocfoundry.dev/dev/resources/sources/http/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/resources/sources/http/<h1 id="http-source">HTTP Source</h1> <p>Use the HTTP source for adjacent operational systems and service APIs that need to participate in workflows alongside device-facing tools.</p>https://docs.nocfoundry.dev/dev/resources/tools/nokia-validate/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/resources/tools/nokia-validate/<h1 id="nokia-validate"><code>nokia-validate</code></h1> <p><code>nokia-validate</code> is a read-only validation tool for Nokia devices and blast-radius checks. It collects evidence from one or more devices, evaluates configured assertions, and returns structured pass/fail results for a selected phase such as <code>pre</code>, <code>during</code>, or <code>post</code>.</p> <p>This tool is intentionally not a change engine. Agents and operators should use it as a deterministic validation primitive inside a larger maintenance workflow.</p> <h2 id="what-it-is-good-for">What it is good for</h2> <ul> <li>pre-change readiness validation</li> <li>post-change verification</li> <li>blast-radius checks across multiple devices</li> <li>structured result collection for async validation runs</li> </ul> <h2 id="key-behavior">Key behavior</h2> <ul> <li>supports either a single <code>source</code> or a fleet-oriented <code>sourceSelector</code></li> <li>runs ordered phases made up of <code>collect</code> and <code>assert</code> steps</li> <li>uses protocol-aware transport selection for network retrieval</li> <li>returns structured evidence, step status, and overall validation outcomes</li> <li>integrates with durable validation runs through the <code>validation_run_*</code> lifecycle tools</li> </ul> <h2 id="runtime-parameters">Runtime parameters</h2> <ul> <li><code>phase</code>: required when more than one phase is defined</li> <li><code>device</code>: optional when <code>sourceSelector</code> is used and you want to narrow execution</li> </ul> <h2 id="example-operator-flow">Example operator flow</h2> <ol> <li>run the <code>pre</code> phase before maintenance</li> <li>perform the network change outside the tool</li> <li>run the <code>post</code> phase</li> <li>compare results and decide whether rollback is required</li> </ol> <h2 id="example-configuration">Example configuration</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">tools</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">maintenance_validation</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l">nokia-validate</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">authRequired</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">noc-keycloak</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">sourceSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">validation_demo</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;true&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">phases</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">pre</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">collect_control_version</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">collect</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">into</span><span class="p">:</span><span class="w"> </span><span class="l">control_versions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">targets</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;control_plane&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">operation</span><span class="p">:</span><span class="w"> </span><span class="l">get_system_version</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">assert_versions</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">assert</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">expected_version</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">from</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;control_versions&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">scope</span><span class="p">:</span><span class="w"> </span><span class="l">per_record</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">expr</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;.payload.software_version == &#34;23.10.R1&#34;&#39;</span><span class="w"> </span></span></span></code></pre></div><h2 id="related-examples">Related examples</h2> <ul> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/tools-configs/keycloak-protected-validation.yaml"><code>examples/tools-configs/keycloak-protected-validation.yaml</code></a></li> <li><a href="https://docs.nocfoundry.dev/dev/workflows/validation-runs/">Validation runs</a></li> </ul>https://docs.nocfoundry.dev/dev/reference/cli/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/reference/cli/<h1 id="cli-reference">CLI Reference</h1> <p>The root command is:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nocfoundry </span></span></code></pre></div><p>Core entry points include:</p> <ul> <li><code>nocfoundry invoke</code></li> <li><code>nocfoundry skills-generate</code></li> <li><code>nocfoundry --ui</code></li> </ul> <h2 id="prebuilt-catalogs">Prebuilt catalogs</h2> <p>The <code>--prebuilt</code> flag loads a bundled tool catalog by name.</p> <p>Current bundled prebuilt:</p> <ul> <li><code>validation-runs</code></li> </ul> <p>Example:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./nocfoundry --prebuilt validation-runs </span></span></code></pre></div><p><code>--prebuilt</code> is not a boolean flag, and it does not take an individual tool name. This is invalid:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./nocfoundry --prebuilt start_validation_run </span></span></code></pre></div><p>because <code>start_validation_run</code> is a tool inside the <code>validation-runs</code> catalog, not the catalog name itself.</p>https://docs.nocfoundry.dev/dev/reference/faq/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/reference/faq/<h1 id="faq">FAQ</h1> <h2 id="does-nocfoundry-execute-prompts-itself">Does NOCFoundry execute prompts itself?</h2> <p>No. Prompt resources are exposed for clients and agents to consume. NOCFoundry does not execute prompts against an LLM.</p> <h2 id="why-is-api-returning-401">Why is <code>/api</code> returning 401?</h2> <p>If endpoint auth is enabled, callers must present a bearer token that matches the configured <code>/api</code> audience.</p> <h2 id="does-the-ui-require-login">Does the UI require login?</h2> <p>The UI shell can remain public while its backing <code>/api</code> calls are protected. When UI auth is enabled, the browser signs in through OIDC + PKCE.</p>https://docs.nocfoundry.dev/dev/examples/local-lab-with-keycloak/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/examples/local-lab-with-keycloak/<h1 id="local-lab-with-keycloak">Local Lab with Keycloak</h1> <p>Use this protected local lab stack when you want to test:</p> <ul> <li>Keycloak-backed OIDC auth services</li> <li>endpoint auth on <code>/api</code> and <code>/mcp</code></li> <li>browser PKCE login for the UI</li> <li>durable validation runs</li> </ul> <p>Main files:</p> <ul> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/tools-configs/keycloak-protected-validation.yaml"><code>examples/tools-configs/keycloak-protected-validation.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/server-configs/protected-api-mcp-ui.yaml"><code>examples/server-configs/protected-api-mcp-ui.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/validation-runtime-configs/durable-validation-sqlite.yaml"><code>examples/validation-runtime-configs/durable-validation-sqlite.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/keycloak/docker-compose.keycloak.yaml"><code>examples/keycloak/docker-compose.keycloak.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/keycloak/keycloak-setup.sh"><code>examples/keycloak/keycloak-setup.sh</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/containerlab/noc-foundry-lab.clab.yaml"><code>examples/containerlab/noc-foundry-lab.clab.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/containerlab/install-containerlab.sh"><code>examples/containerlab/install-containerlab.sh</code></a></li> </ul> <p>For contributors who want a realistic local network instead of static sample targets, pair this protected stack with the SR Linux containerlab fabric.</p> <ul> <li>install containerlab on demand with <code>./examples/containerlab/install-containerlab.sh</code></li> <li>deploy the lab with <code>sudo containerlab deploy -t examples/containerlab/noc-foundry-lab.clab.yaml</code></li> <li>destroy it with <code>sudo containerlab destroy -t examples/containerlab/noc-foundry-lab.clab.yaml</code></li> </ul> <h2 id="start-keycloak">Start Keycloak</h2> <p>Start the local Keycloak example:</p>https://docs.nocfoundry.dev/dev/examples/containerlab-srlinux-lab/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/examples/containerlab-srlinux-lab/<h1 id="containerlab-sr-linux-lab">Containerlab SR Linux Lab</h1> <p>Use this example when you want a realistic local network topology for NOCFoundry development and validation testing.</p> <p>Main files:</p> <ul> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/containerlab/noc-foundry-lab.clab.yaml"><code>examples/containerlab/noc-foundry-lab.clab.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/containerlab/install-containerlab.sh"><code>examples/containerlab/install-containerlab.sh</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/tree/main/examples/containerlab/configs/noc-foundry-lab"><code>examples/containerlab/configs/noc-foundry-lab/</code></a></li> </ul> <h2 id="topology">Topology</h2> <p>This lab deploys:</p> <ul> <li>2 SR Linux spines: <code>srl-b</code>, <code>srl-c</code></li> <li>3 SR Linux leaves: <code>srl-a</code>, <code>srl-d</code>, <code>srl-e</code></li> </ul> <p>Each node is configured with:</p> <ul> <li>ISIS on the underlay links</li> <li>a loopback address on <code>system0</code></li> <li>NETCONF enabled on the management plane</li> <li>native SR Linux gNMI enabled on the management plane</li> </ul> <p>The lab also uses a dedicated management network:</p>