dac, access profiles, tool groups docs

[akshaydeo]

Summary

Briefly explain the purpose of this PR and the problem it solves.

Changes

• What was changed and why
• Any notable design decisions or trade-offs

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Describe the steps to validate this change. Include commands and expected outcomes.

# Core/Transports
go version
go test ./...

# UI
cd ui
pnpm i || npm i
pnpm test || npm test
pnpm build || npm run build

If adding new configs or environment variables, document them here.

Screenshots/Recordings

If UI changes, add before/after screenshots or short clips.

Breaking changes

• Yes
• No

If yes, describe impact and migration instructions.

Related issues

Link related issues and discussions. Example: Closes #123

Security considerations

Note any security implications (auth, secrets, PII, sandboxing, etc.).

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
bifrost	🟢 Ready	View Preview	May 25, 2026, 5:19 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9ad1a95f-3bad-4709-9535-c62cd0f28ec1

📥 Commits

Reviewing files that changed from the base of the PR and between 5e4bfb7 and 737bca5.

⛔ Files ignored due to path filters (12)

• docs/media/access-profiles/access-profile-mcp-config.png is excluded by !**/*.png
• docs/media/access-profiles/access-profile-provider-config.png is excluded by !**/*.png
• docs/media/access-profiles/access-profile-rbac.png is excluded by !**/*.png
• docs/media/access-profiles/access-profiles-duplicate.png is excluded by !**/*.png
• docs/media/access-profiles/access-profiles-home.png is excluded by !**/*.png
• docs/media/access-profiles/access-profiles-save-and-propagate.png is excluded by !**/*.png
• docs/media/access-profiles/new-access-profile.png is excluded by !**/*.png
• docs/media/dac/dac-set-visibility.png is excluded by !**/*.png
• docs/media/enterprise-audit-logs.png is excluded by !**/*.png
• docs/media/mcp/mcp-tool-group.png is excluded by !**/*.png
• docs/media/mcp/mcp-tool-groups-associations.png is excluded by !**/*.png
• docs/media/mcp/mcp-tool-groups-mcp-tool-association.png is excluded by !**/*.png

📒 Files selected for processing (28)

• docs/architecture/core/plugins.mdx
• docs/deployment-guides/config-json/plugins.mdx
• docs/docs.json
• docs/enterprise/access-profiles.mdx
• docs/enterprise/advanced-governance.mdx
• docs/enterprise/audit-logs.mdx
• docs/enterprise/custom-plugins.mdx
• docs/enterprise/data-access-control.mdx
• docs/enterprise/mcp-tool-groups.mdx
• docs/enterprise/mcp-with-fa.mdx
• docs/enterprise/moving-from-oss/cross-region.mdx
• docs/enterprise/moving-from-oss/overview.mdx
• docs/enterprise/moving-from-oss/security-hardening.mdx
• docs/enterprise/moving-from-oss/sizing.mdx
• docs/enterprise/moving-from-oss/versioning.mdx
• docs/enterprise/overview.mdx
• docs/openapi/openapi.json
• docs/openapi/openapi.yaml
• docs/openapi/paths/management/accessprofiles.yaml
• docs/openapi/paths/management/mcptoolgroups.yaml
• docs/openapi/paths/management/rbac.yaml
• docs/openapi/schemas/management/accessprofiles.yaml
• docs/openapi/schemas/management/mcptoolgroups.yaml
• docs/openapi/schemas/management/rbac.yaml
• docs/overview.mdx
• docs/plugins/getting-started.mdx
• docs/plugins/writing-wasm-plugin.mdx
• docs/providers/test-harness-coverage.mdx

---

📝 Walkthrough

Summary by CodeRabbit

• Documentation
  • Added comprehensive guides for Enterprise features: Access Profiles, Data Access Control, MCP Tool Groups, and migration from open-source to Enterprise.
  • Added new documentation for cross-region deployments, security hardening, and hardware sizing for Enterprise deployments.
  • Updated plugin documentation: WASM plugin development is now deprecated; Go plugins are recommended for new development.
  • Published Management API documentation for RBAC, Access Profile, and MCP Tool Group management endpoints.
  • Reorganized Enterprise overview with improved feature categorization and navigation.

Walkthrough

This PR substantially expands Bifrost Enterprise documentation by introducing three core governance feature pages (Access Profiles, MCP Tool Groups, Data Access Control), adding comprehensive migration guides from OSS to Enterprise, defining OpenAPI contracts for all new governance APIs, reorganizing enterprise marketing messaging with numbered feature sections, and marking WASM plugins as deprecated in favor of Go plugins. Navigation is consolidated in docs.json with new redirects for deprecated pages.

Changes

Enterprise Documentation Restructuring and API Contracts

Layer / File(s)	Summary
Enterprise governance and access control feature pages docs/enterprise/access-profiles.mdx, docs/enterprise/mcp-tool-groups.mdx, docs/enterprise/data-access-control.mdx, docs/enterprise/audit-logs.mdx	New documentation for Access Profiles, MCP Tool Groups, and Data Access Control with configuration walkthrough, behavior matrices, and real-world patterns. Audit Logs rewritten as dashboard-focused overview. Removed pages for advanced-governance, custom-plugins, and mcp-with-fa.
Moving from OSS to Enterprise migration guides docs/enterprise/moving-from-oss/overview.mdx, docs/enterprise/moving-from-oss/cross-region.mdx, docs/enterprise/moving-from-oss/security-hardening.mdx, docs/enterprise/moving-from-oss/sizing.mdx, docs/enterprise/moving-from-oss/versioning.mdx	Complete migration guide set covering SQLite-to-PostgreSQL transition via pgloader, cross-region deployment topologies, mandatory security hardening controls (SCIM, virtual-key auth, CORS, headers), hardware sizing for gateway pods and PostgreSQL, and OSS/Enterprise version relationship.
OpenAPI schemas and path definitions for governance APIs docs/openapi/openapi.yaml, docs/openapi/paths/management/accessprofiles.yaml, docs/openapi/paths/management/mcptoolgroups.yaml, docs/openapi/paths/management/rbac.yaml, docs/openapi/schemas/management/accessprofiles.yaml, docs/openapi/schemas/management/mcptoolgroups.yaml, docs/openapi/schemas/management/rbac.yaml	OpenAPI contract definitions for Access Profile lifecycle (CRUD, activate/deactivate, clone, propagate, role binding, versioning, audit logs), MCP Tool Group management (CRUD), and RBAC operations (role/resource/operation/permission management, user role assignment). Request/response schemas for all endpoints.
Enterprise feature overview and marketing presentation docs/enterprise/overview.mdx, docs/overview.mdx	Reorganized enterprise overview into numbered sections (1. Observe & audit, 2. Identity, 3. Safety, 4. Policy, 5. Access, 6. Deploy at scale, 7. Extend); updated main overview card grid replacing MCP with Federated Auth and Custom Plugin Development with In-VPC Deployments, Audit Logs, Datadog Connector, and Log Exports.
Navigation structure and routing in docs.json docs/docs.json	Restructured Enterprise tab navigation adding "Getting Started" group with moving-from-oss pages, compacted pages arrays across tabs, and added redirects: /enterprise/custom-plugins → /plugins/writing-go-plugin, /enterprise/advanced-governance and /enterprise/governance → /enterprise/user-provisioning, /enterprise/mcp-with-fa → /mcp/overview, /enterprise/getting-started → /enterprise/overview.
Plugin documentation updates and WASM deprecation docs/architecture/core/plugins.mdx, docs/deployment-guides/config-json/plugins.mdx, docs/plugins/getting-started.mdx, docs/plugins/writing-wasm-plugin.mdx	Updated internal links from enterprise/custom-plugins to plugins/getting-started and writing-go-plugin; marked WASM plugins as deprecated with notice recommending native Go plugins and mentioning webhook-based plugins as next extension path.
Minor documentation updates and cleanup docs/providers/test-harness-coverage.mdx	Reordered table rows in test harness coverage matrix sections without content changes.

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly Related PRs

• maximhq/bifrost#3684: Updates enterprise changelog navigation in docs/docs.json alongside this PR's broader documentation restructuring.

Suggested Reviewers

• danpiths

---

🐰 The docs now tell a story so grand,
With profiles and tools and governance planned,
From OSS we migrate with PostgreSQL's might,
While WASM fades into the night. 🌙

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 05-25-dac_access_profiles_tool_groups_docs

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[akshaydeo]

• dac, access profiles, tool groups docs #3738 👈 (View in Graphite)
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

[akshaydeo]

Merge activity

• May 26, 7:28 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• May 26, 7:28 PM UTC: @akshaydeo merged this pull request with Graphite.

[greptile-apps]

Confidence Score: 4/5

Safe to merge; all changes are documentation and OpenAPI spec additions with no runtime code affected.

The two stale alt-text strings and the 200/201 status-code inconsistency on createRole are the only issues; neither prevents the docs from rendering correctly, but the status-code mismatch could trip up SDK generators.

docs/openapi/paths/management/rbac.yaml (createRole response code) and docs/enterprise/access-profiles.mdx (two incorrect alt-text strings).

Important Files Changed

Filename	Overview
docs/enterprise/access-profiles.mdx	New page documenting Access Profiles feature; two images carry incorrect alt text copied from the list-page image.
docs/enterprise/data-access-control.mdx	New DAC documentation page covering row-level scoping; content is clear and internally consistent.
docs/enterprise/mcp-tool-groups.mdx	New MCP Tool Groups documentation page; well-structured with mermaid diagram and usage patterns.
docs/openapi/paths/management/rbac.yaml	New RBAC paths spec; createRole POST returns 200 instead of 201 used by the other two new create endpoints.
docs/openapi/paths/management/accessprofiles.yaml	New Access Profiles paths spec; create returns 201, activate/deactivate/propagate endpoints are well-documented.
docs/openapi/paths/management/mcptoolgroups.yaml	New MCP Tool Groups paths spec; create returns 201 and CRUD operations are consistent.
docs/docs.json	Navigation updated: new pages added, deleted files redirected via the redirects array; no broken references detected.
docs/enterprise/audit-logs.mdx	Significantly simplified to focus on accurate, operational content; removed speculative/unimplemented sections.
docs/enterprise/overview.mdx	Restructured enterprise overview with new sections for Policy and Access covering the newly documented features.
docs/openapi/openapi.json	Large generated file adding 5700+ lines for RBAC, Access Profiles, and MCP Tool Groups endpoints; mirrors the YAML sources.

_{Reviews (1): Last reviewed commit: "dac, access profiles, tool groups docs" | Re-trigger Greptile}

[greptile-apps]

The alt text for the "new access profile" form image was copied from the list-page image and no longer describes what the screenshot actually shows. This hurts screen-reader accessibility and image SEO.

Suggested change

	<img
	src="/media/access-profiles/new-access-profile.png"
	alt="Access Profiles list page with table columns and create button"
	/>
	<img
	src="/media/access-profiles/new-access-profile.png"
	alt="New Access Profile creation form showing name and description fields"
	/>

[greptile-apps]

Same stale alt text issue: this image shows the provider configuration accordion, not the list page.

Suggested change

	<img
	src="/media/access-profiles/access-profile-provider-config.png"
	alt="Access Profiles list page with table columns and create button"
	/>
	<img
	src="/media/access-profiles/access-profile-provider-config.png"
	alt="Access Profile provider configuration showing allowed models, budget, and rate limit settings"
	/>

[greptile-apps]

The createRole POST responds with 200 while both createAccessProfile and createMCPToolGroup — added in the same PR — respond with 201. REST convention reserves 201 Created for successful resource creation; using 200 here is inconsistent and may confuse SDK generators or clients that check for 201 after a POST.

Suggested change

	responses:
	'200':
	description: Role created
	content:
	application/json:
	schema:
	$ref: '../../schemas/management/rbac.yaml#/RoleResponse'
	'400':
	$ref: '../../openapi.yaml#/components/responses/BadRequest'
	'500':
	$ref: '../../openapi.yaml#/components/responses/InternalError'
	roles-by-id:
	responses:
	'201':
	description: Role created
	content:
	application/json:
	schema:
	$ref: '../../schemas/management/rbac.yaml#/RoleResponse'
	'400':
	$ref: '../../openapi.yaml#/components/responses/BadRequest'
	'500':
	$ref: '../../openapi.yaml#/components/responses/InternalError'
	roles-by-id: