> ## Documentation Index
> Fetch the complete documentation index at: https://docs.emergence.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# CRAFT Platform Overview

> The shared platform layer providing governance, asset management, and utilities with built-in identity, authorization, and secrets management.

# Platform Overview

The platform layer gives your solutions shared infrastructure for identity, authorization, resource management, and a unified UI shell. It includes three core services (Governance, Assets, Utilities), a shared common library, and auto-generated SDKs.

<Info>
  The platform is the foundation that every solution depends on. Solutions never implement their own authentication, authorization, or resource management -- they delegate to the platform via SDKs.
</Info>

## Authentication Flow

Authentication uses **Keycloak** with a multi-realm architecture where each organization is a separate realm:

<Steps>
  <Step title="User Authentication">
    The user authenticates via OIDC/PKCE flow against their organization's Keycloak realm. The browser receives a JWT token.
  </Step>

  <Step title="Token Forwarding">
    All API requests include the JWT in the `Authorization` header. The `X-Project-ID` header specifies the active project context.
  </Step>

  <Step title="Governance Validation">
    The Governance service validates the JWT, extracts `org_id` from the realm, and checks OpenFGA for the requested permission.
  </Step>

  <Step title="Permission Result">
    If authorized, the request proceeds. If not, a 403 response is returned. Assets and Utils delegate all permission checks to Governance via SDK calls.
  </Step>
</Steps>

## Authorization Model

Authorization uses **OpenFGA** for Relationship-Based Access Control (ReBAC):

| Concept                  | Description                                                                |
| ------------------------ | -------------------------------------------------------------------------- |
| **Roles**                | `owner`, `admin`, `member`, `developer`, `operator`, `viewer`              |
| **Computed permissions** | `can_read`, `can_write`, `can_delete`, `can_execute`, `can_manage_secrets` |
| **Inheritance**          | Projects inherit from organizations; resources inherit from projects       |
| **Schema**               | Defined in `openfga-schema.fga` (DSL) and `openfga-schema.json` (runtime)  |

<Warning>
  When modifying the OpenFGA schema, always update both the `.fga` DSL file and regenerate the `.json` runtime file. The Governance service reads only the JSON file at startup. Adding new permissions is safe; renaming or removing is a breaking change.
</Warning>

## Next Steps

<CardGroup cols={2}>
  <Card title="Organizations" icon="building" href="/platform/organizations">
    Learn how organizations provide multi-tenant isolation.
  </Card>

  <Card title="Agent Registry" icon="robot" href="/platform/agents">
    Explore the unified registry for A2A agents, MCP servers, and skills.
  </Card>

  <Card title="Authentication" icon="key" href="/platform/authentication">
    Deep dive into Keycloak multi-realm authentication.
  </Card>

  <Card title="Authorization" icon="lock" href="/platform/authorization">
    Understand OpenFGA and the ReBAC permission model.
  </Card>

  <Card title="Build a solution" icon="compass" href="/guides/solution-dev/overview">
    Build a new solution on top of these services — start with the 30-minute quickstart.
  </Card>
</CardGroup>
