Enterprise-ready AI agent template with multi-tenant architecture
Features β’ Quick Start β’ Architecture β’ Tech Stack β’ Documentation
Real-time streaming chat with AI agents β’ Semantic memory with automatic extraction
πΊ Watch the full demo video
π¦ Minimal Edition
Due to the high cost of RAM, this is a minimal version of the original template designed to reduce the compute footprint. External services like Langfuse (LLM observability), Infisical (secrets management), and OpenSearch (log aggregation) have been replaced with built-in alternatives:
- Secrets β Encrypted PostgreSQL storage (Fernet/AES-128-CBC)
- Audit Logs β PostgreSQL tables + JSON file backup
- LLM Tracing β Removed (agents work without it)
This reduces memory usage from ~8GB to ~2GB while maintaining all core functionality.
A production-ready full-stack AI agent template built for teams and enterprises. Features real-time streaming chat with LangGraph agents, MCP (Model Context Protocol) tool integration, semantic memory with pgvector, hierarchical multi-tenancy (Organizations β Teams β Users), and enterprise integrations for secrets management, audit logging, and LLM observability.
- Multi-Tenant by Design: Built from the ground up with proper data isolation between organizations and teams
- MCP Tool Integration: Connect external tools via Model Context Protocol with human-in-the-loop approval
- Semantic Memory: Persistent user memory with embedding-based search and deduplication
- Real-Time AI Streaming: SSE-powered chat with graceful cancellation and state persistence
- Multi-Provider LLM Support: Switch between Anthropic, OpenAI, and Google at the org or team level
- Enterprise Security: JWT auth, RBAC, audit logging, secrets management, and compliance-ready architecture
- Developer Experience: One-command setup, hot reload, auto-generated API docs, type-safe modular API client
- LangGraph ReAct Agent β Graph-based agent with PostgreSQL state checkpointing
- Multi-Provider LLM β Anthropic Claude Haiku 4.5, OpenAI GPT-4o, Google Gemini 2.0 Flash
- SSE Streaming β Real-time token streaming with browser-native cancellation
- Hierarchical Prompts β System prompts at org, team, and user levels (auto-concatenated)
- Semantic Memory β Persistent user context with pgvector embeddings and deduplication
- MCP Tool Integration β Connect external HTTP/SSE tools with approval workflow
- Audit Logging β PostgreSQL-based audit logging with frontend viewer
- Multi-Scope Servers β Configure at organization, team, or user level
- Transport Support β HTTP, SSE, and Streamable HTTP protocols
- Auth Options β None, Bearer token, or API key authentication
- Human-in-the-Loop β Configurable tool approval before execution
- Tool Management β Enable/disable servers and individual tools per hierarchy level
- Connection Testing β Verify server connectivity before use
- Organizations β Top-level tenant boundaries with roles (Owner, Admin, Member)
- Teams β Sub-groups within organizations with granular permissions
- Hierarchical Settings β Chat, memory, and MCP settings cascade org β team β user
- Invitations β Email-based invites with secure token validation
- Per-Team API Keys β Store LLM credentials per team (encrypted in database)
- RBAC β 22 org permissions + 17 team permissions with role-based mappings
- Audit Logging β PostgreSQL-based with configurable retention (90 days default)
- Secrets Management β Encrypted database storage using Fernet (AES-128-CBC)
- Rate Limiting β Configurable limits per endpoint category
- Security Headers β CORS, CSP, HSTS, XSS protection
- Auto-Generated Docs β OpenAPI/Swagger at
/v1/docs - Modular API Client β Domain-specific TypeScript modules with full type safety
- Hot Reload β Both backend and frontend with instant updates
- Setup Scripts β One-command infrastructure + migrations
- Docker & Docker Compose
- Python 3.11+ with uv
- Node.js 20+
# Clone the repository
git clone https://github.com/davidgaribay-dev/agentic-ai-template.git
cd agentic-ai-template
# Run setup (starts infrastructure, runs migrations)
./setup-local.sh
# Start dev servers in separate terminals
cd backend && uv run uvicorn backend.main:app --reload # Terminal 1: API on :8000
cd frontend && npm run dev # Terminal 2: UI on :5173# Start infrastructure services
docker compose -f docker-compose-local.yml up -d
# Backend setup
cd backend
uv sync
uv run alembic upgrade head
uv run uvicorn backend.main:app --reload
# Frontend setup (new terminal)
cd frontend
npm install
npm run dev| Service | URL | Description |
|---|---|---|
| Frontend | http://localhost:5173 | React application |
| API | http://localhost:8000 | FastAPI backend |
| API Docs | http://localhost:8000/v1/docs | Swagger/OpenAPI |
- Superuser:
admin@example.com/changethis
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Frontend (React 19) β
β ββββββββββββ βββββββββββββββββ βββββββββββββ βββββββββββββββββ β
β β TanStack β β SSE Chat β β Zustand β β shadcn/ui β β
β β Router β β Streaming β β Store β β Components β β
β ββββββββββββ βββββββββββββββββ βββββββββββββ βββββββββββββββββ β
βββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β /api/* proxy
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Backend (FastAPI) β
β ββββββββββββ βββββββββββββββββ βββββββββββββ βββββββββββββββββ β
β β REST β β LangGraph β β MCP β β Memory β β
β β API β β Agent β β Tools β β Store β β
β ββββββββββββ βββββββββββββββββ βββββββββββββ βββββββββββββββββ β
ββββββββββ¬ββββββββββββββββ¬ββββββββββββββββββ¬βββββββββββββββ¬ββββββββββββ
β β β β
βΌ βΌ βΌ βΌ
βββββββββββββββββββββββββββββββββββββββββββββββ βββββββββββββ
β PostgreSQL + pgvector β β SeaweedFS β
β (Data + Audit Logs + Encrypted Secrets) β β (S3) β
βββββββββββββββββββββββββββββββββββββββββββββββ βββββββββββββ
Organization (tenant boundary)
βββ OrganizationMember
β βββ role: OWNER | ADMIN | MEMBER
βββ Team (sub-group)
β βββ TeamMember
β βββ role: ADMIN | MEMBER | VIEWER
βββ Conversation (scoped to org + team)
βββ Prompt (hierarchical: org β team β user)
βββ MCP Servers (hierarchical: org β team β user)
βββ Chat Settings (hierarchical: org β team β user)
βββ Memory (scoped to org + team + user)
βββ API Keys (encrypted in database)
βββ setup.sh # Full setup (CI/first-time)
βββ setup-local.sh # Local dev setup
βββ docker-compose.yml # Full stack containers
βββ docker-compose-local.yml # Infrastructure only
βββ tests/ # Playwright E2E tests
β βββ tests/
β β βββ api/ # API tests (no browser)
β β βββ auth/ # Auth UI tests
β β βββ teams/ # Team management tests
β β βββ invitations/ # Invitation flow tests
β βββ pages/ # Page objects
β βββ utils/ # Test utilities
β βββ playwright.config.ts
β
βββ backend/
β βββ src/backend/
β β βββ agents/ # LangGraph agent, tools, LLM providers
β β βββ mcp/ # MCP server registry, client, tool loading
β β βββ memory/ # Semantic memory store with pgvector
β β βββ api/routes/ # REST endpoints (/v1 prefix)
β β βββ auth/ # JWT, user model, dependencies
β β βββ rbac/ # Permissions, role mappings
β β βββ organizations/ # Org + member management
β β βββ teams/ # Team + member management
β β βββ conversations/ # Chat history (soft delete)
β β βββ prompts/ # System prompts (org/team/user)
β β βββ settings/ # Chat settings hierarchy
β β βββ audit/ # PostgreSQL audit logging
β β βββ core/ # Config, DB, security, encrypted secrets
β βββ tests/ # Unit + integration tests (pytest)
β βββ scripts/ # Setup automation
β βββ alembic/ # Database migrations
β
βββ frontend/
βββ src/
βββ routes/ # File-based routing (auto-gen)
βββ components/
β βββ ui/ # shadcn/ui components
β βββ chat/ # Chat UI, markdown, code blocks
β βββ settings/ # Settings panels
βββ hooks/ # useChat, useAuth, useWorkspace
βββ lib/
βββ api/ # Modular API client
β βββ agent.ts
β βββ auth.ts
β βββ conversations.ts
β βββ mcp-servers.ts
β βββ memory.ts
β βββ chat-settings.ts
β βββ ...
βββ auth.ts # Token management
βββ workspace.tsx # Org/team context
| Technology | Version | Purpose |
|---|---|---|
| FastAPI | 0.124+ | Async REST API with auto-docs |
| SQLModel | 0.0.27 | ORM (SQLAlchemy + Pydantic) |
| PostgreSQL | 17 | Primary database (with pgvector) |
| LangGraph | 0.6+ | Agent orchestration with state |
| LangChain | 0.3+ | LLM provider integrations |
| Alembic | 1.16+ | Database migrations |
| Cryptography | 41.0+ | Secrets encryption (Fernet) |
| Technology | Version | Purpose |
|---|---|---|
| React | 19.2 | UI framework (concurrent mode) |
| TypeScript | 5.9 | Type safety |
| Vite | 7.2 | Build tool |
| TanStack Router | 1.141 | File-based routing |
| TanStack Query | 5.90 | Server state management |
| Zustand | 5.0 | Client state |
| shadcn/ui | Latest | Component library |
| Tailwind CSS | 4.1 | Styling |
| Streamdown | 1.6 | Markdown streaming |
| Service | Port | Purpose |
|---|---|---|
| PostgreSQL | 5432 | Application database (pgvector) + audit logs + encrypted secrets |
| SeaweedFS | 8333 | S3-compatible storage |
# Backend (from backend/)
uv run uvicorn backend.main:app --reload # Dev server
uv run pytest # Run tests
uv run alembic revision --autogenerate -m "description" # Create migration
uv run alembic upgrade head # Apply migrations
# Frontend (from frontend/)
npm run dev # Dev server with HMR
npm run build # Production build
npm run lint # ESLint
npx shadcn@latest add <name> # Add UI component
# E2E Tests (from tests/)
npm run test # All E2E tests
npm run test:api-only # API tests only
npm run test:ui-only # UI tests only
npm run test:headed # Visible browser
npm run report # View HTML reportBackend (backend/.env):
# Database
POSTGRES_SERVER=localhost
POSTGRES_PORT=5432
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
POSTGRES_DB=app
# Security
SECRET_KEY=your-secret-key # Also used for secrets encryption
FRONTEND_URL=http://localhost:5173
# LLM Providers (optional - can be set via UI)
ANTHROPIC_API_KEY=sk-ant-...
OPENAI_API_KEY=sk-...
GOOGLE_API_KEY=...
# Audit logging
AUDIT_LOG_RETENTION_DAYS=90
APP_LOG_RETENTION_DAYS=30Frontend (frontend/.env):
VITE_API_URL=http://localhost:8000
VITE_PORT=5173| Task | Steps |
|---|---|
| New API Route | Create in backend/api/routes/, add to api/main.py |
| New Page | Add file to frontend/src/routes/ (auto-generates) |
| New DB Model | Add SQLModel class, import in alembic/env.py, run migrations |
| New Agent Tool | Add @tool function in backend/agents/tools.py |
| New MCP Server | Add via UI at org/team/user settings, or via API |
| New API Module | Add to frontend/src/lib/api/, export in index.ts |
# Login (OAuth2 form-encoded)
curl -X POST http://localhost:8000/v1/auth/login \
-d "username=admin@example.com&password=changethis"
# Use token
curl -H "Authorization: Bearer <token>" \
http://localhost:8000/v1/users/me| Endpoint | Description |
|---|---|
POST /v1/auth/login |
OAuth2 login (form-encoded) |
POST /v1/auth/signup |
Register + create org |
GET /v1/organizations |
List user's orgs |
GET /v1/conversations |
List conversations |
POST /v1/agent/chat |
SSE streaming chat |
GET /v1/prompts/* |
Manage system prompts |
GET /v1/mcp-servers/* |
Manage MCP servers |
GET /v1/memory/users/me/memories |
List user memories |
GET /v1/settings/effective |
Get computed settings |
Full documentation at http://localhost:8000/v1/docs
- Authentication: JWT tokens (30min access, 7-day refresh)
- Password Hashing: bcrypt with timing-safe comparison
- RBAC: Fine-grained org and team permissions (22 org + 17 team permissions)
- Secrets: Encrypted in database using Fernet (AES-128-CBC)
- MCP Auth: Bearer/API key secrets stored encrypted in PostgreSQL
- Audit Trail: All actions logged to PostgreSQL (90-day retention)
- Headers: CORS, CSP, HSTS, X-Frame-Options
- Rate Limiting: Per-endpoint configurable limits
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit changes (
git commit -m 'Add amazing feature') - Push to branch (
git push origin feature/amazing-feature) - Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.