lightspeed-core
diff --git a/‎docker-compose-library.yaml‎
100644100755
Lines changed: 2 additions & 2 deletions b/‎docker-compose-library.yaml‎
100644100755
Lines changed: 2 additions & 2 deletions
diff --git a/‎docker-compose.yaml‎
100644100755
Lines changed: 6 additions & 3 deletions b/‎docker-compose.yaml‎
100644100755
Lines changed: 6 additions & 3 deletions
diff --git a/‎src/llama_stack_configuration.py‎
Lines changed: 56 additions & 6 deletions b/‎src/llama_stack_configuration.py‎
Lines changed: 56 additions & 6 deletions
diff --git a/‎tests/e2e/features/authorized_noop.feature‎
Lines changed: 4 additions & 5 deletions b/‎tests/e2e/features/authorized_noop.feature‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎tests/e2e/features/authorized_noop_token.feature‎
Lines changed: 5 additions & 52 deletions b/‎tests/e2e/features/authorized_noop_token.feature‎
Lines changed: 5 additions & 52 deletions
diff --git a/‎tests/e2e/features/authorized_rh_identity.feature‎
Lines changed: 4 additions & 20 deletions b/‎tests/e2e/features/authorized_rh_identity.feature‎
Lines changed: 4 additions & 20 deletions
@@ -38,8 +38,8 @@ services:
       - ./run.yaml:/app-root/run.yaml:Z
       - ${GCP_KEYS_PATH:-./tmp/.gcp-keys-dummy}:/opt/app-root/.gcp-keys:ro
       - ./tests/e2e/rag:/opt/app-root/src/.llama/storage/rag:Z
-      - ./tests/e2e/secrets/mcp-token:/tmp/mcp-token:ro
-      - ./tests/e2e/secrets/invalid-mcp-token:/tmp/invalid-mcp-token:ro
+      - ./tests/e2e/secrets/mcp-token:/tmp/mcp-token:ro,z
+      - ./tests/e2e/secrets/invalid-mcp-token:/tmp/invalid-mcp-token:ro,z
     environment:
       # LLM Provider API Keys
       - BRAVE_SEARCH_API_KEY=${BRAVE_SEARCH_API_KEY:-}
 
@@ -30,8 +30,11 @@ services:
         condition: service_healthy
     volumes:
       - ./run.yaml:/opt/app-root/run.yaml:z
+      # Host copies so `docker compose up` picks up script changes without rebuilding llama-stack
+      - ./scripts/llama-stack-entrypoint.sh:/opt/app-root/enrich-entrypoint.sh:ro,z
+      - ./src/llama_stack_configuration.py:/opt/app-root/llama_stack_configuration.py:ro,z
       - ${GCP_KEYS_PATH:-./tmp/.gcp-keys-dummy}:/opt/app-root/.gcp-keys:ro
-      - ./lightspeed-stack.yaml:/opt/app-root/lightspeed-stack.yaml:ro
+      - ./lightspeed-stack.yaml:/opt/app-root/lightspeed-stack.yaml:ro,z
       - llama-storage:/opt/app-root/src/.llama/storage
       - ./tests/e2e/rag:/opt/app-root/src/.llama/storage/rag:z
       - mock-tls-certs:/certs:ro
@@ -90,8 +93,8 @@ services:
       - "8080:8080"
     volumes:
       - ./lightspeed-stack.yaml:/app-root/lightspeed-stack.yaml:z
-      - ./tests/e2e/secrets/mcp-token:/tmp/mcp-token:ro
-      - ./tests/e2e/secrets/invalid-mcp-token:/tmp/invalid-mcp-token:ro
+      - ./tests/e2e/secrets/mcp-token:/tmp/mcp-token:ro,z
+      - ./tests/e2e/secrets/invalid-mcp-token:/tmp/invalid-mcp-token:ro,z
     environment:
       - OPENAI_API_KEY=${OPENAI_API_KEY}
       # Azure Entra ID credentials (AZURE_API_KEY is obtained dynamically)
 
@@ -117,6 +117,38 @@ def setup_azure_entra_id_token(
 # =============================================================================
 
 
+def _dedupe_vector_io_list(entries: list[Any]) -> list[dict[str, Any]]:
+    """Keep the first dict per stripped ``provider_id``; keep entries without an id."""
+    seen: set[str] = set()
+    out: list[dict[str, Any]] = []
+    for item in entries:
+        if not isinstance(item, dict):
+            continue
+        raw_pid = item.get("provider_id")
+        if raw_pid is None:
+            out.append(item)
+            continue
+        key = str(raw_pid).strip()
+        if not key:
+            out.append(item)
+            continue
+        if key in seen:
+            continue
+        seen.add(key)
+        out.append(item)
+    return out
+
+
+def dedupe_providers_vector_io(ls_config: dict[str, Any]) -> None:
+    """Collapse ``providers.vector_io`` to one entry per ``provider_id``."""
+    if "providers" not in ls_config or "vector_io" not in ls_config["providers"]:
+        return
+    raw = ls_config["providers"]["vector_io"]
+    if not isinstance(raw, list):
+        return
+    ls_config["providers"]["vector_io"] = _dedupe_vector_io_list(raw)
+
+
 def construct_storage_backends_section(
     ls_config: dict[str, Any], byok_rag: list[dict[str, Any]]
 ) -> dict[str, Any]:
@@ -312,19 +344,32 @@ def construct_vector_io_providers_section(
         `provider_type` set from the RAG item, and a `config` with `persistence`
         referencing the corresponding backend.
     """
-    output = []
+    output: list[dict[str, Any]] = []
 
-    # fill-in existing vector_io entries
     if "providers" in ls_config and "vector_io" in ls_config["providers"]:
-        output = ls_config["providers"]["vector_io"].copy()
+        raw = ls_config["providers"]["vector_io"]
+        if isinstance(raw, list):
+            output = _dedupe_vector_io_list(raw)
+        else:
+            output = []
+
+    existing_ids = {
+        str(p["provider_id"]).strip()
+        for p in output
+        if p.get("provider_id") is not None and str(p["provider_id"]).strip()
+    }
 
-    # append new vector_io entries
+    added = 0
     for brag in byok_rag:
         if not brag.get("rag_id"):
             raise ValueError(f"BYOK RAG entry is missing required 'rag_id': {brag}")
-        rag_id = brag["rag_id"]
+        rag_id = str(brag["rag_id"]).strip()
         backend_name = f"byok_{rag_id}_storage"
         provider_id = f"byok_{rag_id}"
+        if provider_id in existing_ids:
+            continue
+        existing_ids.add(provider_id)
+        added += 1
         output.append(
             {
                 "provider_id": provider_id,
@@ -339,7 +384,7 @@ def construct_vector_io_providers_section(
         )
     logger.info(
         "Added %s items into providers/vector_io section, total items %s",
-        len(byok_rag),
+        added,
         len(output),
     )
     return output
@@ -354,6 +399,7 @@ def enrich_byok_rag(ls_config: dict[str, Any], byok_rag: list[dict[str, Any]]) -
     """
     if len(byok_rag) == 0:
         logger.info("BYOK RAG is not configured: skipping")
+        dedupe_providers_vector_io(ls_config)
         return
 
     logger.info("Enriching Llama Stack config with BYOK RAG")
@@ -567,6 +613,8 @@ def generate_configuration(
     with open(input_file, "r", encoding="utf-8") as file:
         ls_config = yaml.safe_load(file)
 
+    dedupe_providers_vector_io(ls_config)
+
     # Enrichment: Azure Entra ID token
     setup_azure_entra_id_token(config.get("azure_entra_id"), env_file)
 
@@ -576,6 +624,8 @@ def generate_configuration(
     # Enrichment: Solr - enabled when "okp" appears in either inline or tool list
     enrich_solr(ls_config, config.get("rag", {}), config.get("okp", {}))
 
+    dedupe_providers_vector_io(ls_config)
+
     logger.info("Writing Llama Stack configuration into file %s", output_file)
 
     with open(output_file, "w", encoding="utf-8") as file:
 
@@ -2,10 +2,13 @@ Feature: Authorized endpoint API tests for the noop authentication module
 
   Background:
     Given The service is started locally
+      And The system is in default state
       And REST API service prefix is /v1
+      And the Lightspeed stack configuration directory is "tests/e2e/configuration"
+      And The service uses the lightspeed-stack.yaml configuration
+      And The service is restarted
 
   Scenario: Check if the authorized endpoint works fine when user_id and auth header are not provided 
-    Given The system is in default state
      When I access endpoint "authorized" using HTTP POST method
      """
      {"placeholder":"abc"}
@@ -17,7 +20,6 @@ Feature: Authorized endpoint API tests for the noop authentication module
           """
 
   Scenario: Check if the authorized endpoint works when auth token is not provided 
-    Given The system is in default state
      When I access endpoint "authorized" using HTTP POST method with user_id "test_user"
      Then The status code of the response is 200
       And The body of the response is the following
@@ -26,7 +28,6 @@ Feature: Authorized endpoint API tests for the noop authentication module
           """
 
   Scenario: Check if the authorized endpoint works when user_id is not provided 
-    Given The system is in default state
     And I set the Authorization header to Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
      When I access endpoint "authorized" using HTTP POST method without user_id
      Then The status code of the response is 200
@@ -36,7 +37,6 @@ Feature: Authorized endpoint API tests for the noop authentication module
           """
 
   Scenario: Check if the authorized endpoint rejects empty user_id
-    Given The system is in default state
     And I set the Authorization header to Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
      When I access endpoint "authorized" using HTTP POST method with user_id ""
      Then The status code of the response is 400
@@ -46,7 +46,6 @@ Feature: Authorized endpoint API tests for the noop authentication module
           """
 
   Scenario: Check if the authorized endpoint works when providing proper user_id
-    Given The system is in default state
     And I set the Authorization header to Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
      When I access endpoint "authorized" using HTTP POST method with user_id "test_user"
      Then The status code of the response is 200
 
@@ -3,28 +3,14 @@ Feature: Authorized endpoint API tests for the noop-with-token authentication mo
 
   Background:
     Given The service is started locally
+      And The system is in default state
+      And I set the Authorization header to Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
       And REST API service prefix is /v1
-
-  Scenario: Check if the authorized endpoint fails when user_id and auth header are not provided 
-    Given The system is in default state
-     When I access endpoint "authorized" using HTTP POST method
-     """
-     {"placeholder":"abc"}
-     """
-     Then The status code of the response is 401
-      And The body of the response is the following
-          """
-          {
-            "detail": {
-                        "response": "Missing or invalid credentials provided by client",
-                        "cause": "No Authorization header found"
-                    }
-          }
-          """
+      And the Lightspeed stack configuration directory is "tests/e2e/configuration"
+      And The service uses the lightspeed-stack-auth-noop-token.yaml configuration
+      And The service is restarted
 
   Scenario: Check if the authorized endpoint works when user_id is not provided 
-    Given The system is in default state
-    And I set the Authorization header to Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
      When I access endpoint "authorized" using HTTP POST method without user_id
      Then The status code of the response is 200
       And The body of the response is the following
@@ -33,8 +19,6 @@ Feature: Authorized endpoint API tests for the noop-with-token authentication mo
           """
 
   Scenario: Check if the authorized endpoint rejects empty user_id
-    Given The system is in default state
-    And I set the Authorization header to Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
      When I access endpoint "authorized" using HTTP POST method with user_id ""
      Then The status code of the response is 400
       And The body of the response is the following
@@ -43,40 +27,9 @@ Feature: Authorized endpoint API tests for the noop-with-token authentication mo
           """
 
   Scenario: Check if the authorized endpoint works when providing proper user_id
-    Given The system is in default state
-    And I set the Authorization header to Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
      When I access endpoint "authorized" using HTTP POST method with user_id "test_user"
      Then The status code of the response is 200
       And The body of the response is the following
           """
             {"user_id": "test_user","username": "lightspeed-user","skip_userid_check": true}
           """
-
-   Scenario: Check if the authorized endpoint works with proper user_id but bearer token is not present
-    Given The system is in default state
-     When I access endpoint "authorized" using HTTP POST method with user_id "test_user"
-     Then The status code of the response is 401
-      And The body of the response is the following
-          """
-            {
-              "detail": {
-                "response": "Missing or invalid credentials provided by client",
-                "cause": "No Authorization header found"
-              }
-            }
-          """
-
-  Scenario: Check if the authorized endpoint works when auth token is malformed
-    Given The system is in default state
-    And I set the Authorization header to BearereyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva
-     When I access endpoint "authorized" using HTTP POST method with user_id "test_user"
-     Then The status code of the response is 401
-      And The body of the response is the following
-          """
-            {
-              "detail": {
-                "response": "Missing or invalid credentials provided by client",
-                "cause": "No token found in Authorization header"
-              }
-            }
-          """
@@ -3,22 +3,13 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
 
   Background:
     Given The service is started locally
+      And The system is in default state
       And REST API service prefix is /v1
-
-  Scenario: Request fails when x-rh-identity header is missing
-    Given The system is in default state
-     When I access endpoint "authorized" using HTTP POST method
-     """
-     {"placeholder":"abc"}
-     """
-     Then The status code of the response is 401
-      And The body of the response is the following
-          """
-            {"detail": "Missing x-rh-identity header"}
-          """
+      And the Lightspeed stack configuration directory is "tests/e2e/configuration"
+      And The service uses the lightspeed-stack-auth-rh-identity.yaml configuration
+      And The service is restarted
 
   Scenario: Request fails when identity field is missing
-    Given The system is in default state
       And I set the x-rh-identity header with JSON
       """
       {"entitlements": {"rhel": {"is_entitled": true}}}
@@ -31,7 +22,6 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
       And The body of the response contains Invalid identity data
 
   Scenario: Request succeeds with valid User identity and required entitlements
-    Given The system is in default state
       And I set the x-rh-identity header with valid User identity
           | field        | value               |
           | user_id      | test-user-123       |
@@ -49,7 +39,6 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
           """
 
   Scenario: Request succeeds with valid System identity and required entitlements
-    Given The system is in default state
       And I set the x-rh-identity header with valid System identity
           | field          | value                                |
           | cn             | c87dcb4c-8af1-40dd-878e-60c744edddd0 |
@@ -67,7 +56,6 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
           """
 
   Scenario: Request fails when required entitlement is missing
-    Given The system is in default state
       And I set the x-rh-identity header with valid User identity
           | field        | value               |
           | user_id      | test-user-123       |
@@ -82,7 +70,6 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
       And The body of the response contains Insufficient entitlements
 
   Scenario: Request fails when entitlement exists but is_entitled is false
-    Given The system is in default state
       And I set the x-rh-identity header with JSON
       """
       {
@@ -102,7 +89,6 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
       And The body of the response contains Insufficient entitlements
 
   Scenario: Request fails when User identity is missing user_id
-    Given The system is in default state
       And I set the x-rh-identity header with JSON
       """
       {
@@ -122,7 +108,6 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
       And The body of the response contains Invalid identity data
 
   Scenario: Request fails when User identity is missing username
-    Given The system is in default state
       And I set the x-rh-identity header with JSON
       """
       {
@@ -142,7 +127,6 @@ Feature: Authorized endpoint API tests for the rh-identity authentication module
       And The body of the response contains Invalid identity data
 
   Scenario: Request fails when System identity is missing cn
-    Given The system is in default state
       And I set the x-rh-identity header with JSON
       """
       {