FastReAct 当前主线是 fastreact-nano:一个面向 PSKA 和其他上层系统的
多租户 headless agentic service。它的核心形态不是 Web 应用,而是通过
HTTP/SSE 提供 agent loop、工具编排、MCP 调用、审批、run/trace/task
管理、事件流和 workspace/profile 管理。
当前后端版本:fastreact-nano 2.4.2。
给其他开发者先看这一段:
- 当前产品入口是 HTTP/SSE daemon,
fastreact.adapters.gateway已废弃。 - HTTP daemon 默认以
Agent(multitenant=True)启动;不要把测试里的Agent(config)当作服务入口行为。 - 身份来源是外部认证层:
service_token、trusted_headers或jwt。 FastReAct 不做用户名密码登录、不保存密码、不维护组织后台。 - 多租户路径固定为
{workspaces_root}/tenants/{tenant_key}/users/{safe_user_id}/,默认根目录是~/FastReAct_workspaces。 - native file/exec tools 在有
UserContext时会被锁进当前用户 workspace。 这是应用层隔离,不是 OS/container 沙箱。 - MCP 调用会透传
tenant_key/user_key。PSKA 自己负责知识 ACL,FastReAct 不替 PSKA 判断知识是否可见。 - 各项目运行独立:FastReAct 的
./start.sh只启动 FastReAct,不启动 AuthNode 或 PSKA;容器部署时也是各自镜像、各自入口。
推荐从仓库根目录启动完整本地服务:
cd $FASTREACT_REPO
./start.sh首次运行时如果还没有配置,脚本会自动创建
.fastreact/config.json。FastReAct 的启动脚本只启动 FastReAct 本身,
不会跨仓库启动 AuthNode 或 PSKA。
默认地址:
Service console: http://127.0.0.1:3000/service
HTTP daemon: http://127.0.0.1:18741
如果配置使用 AuthNode JWT(auth.mode=jwt 且 auth.jwt_issuer=authnode.local),
请在 AuthNode、FastReAct、PSKA 各自仓库分别运行自己的 ./start.sh。
本地或容器部署时通过同一个 JWT secret、issuer/audience、反向代理或
AuthNode proxy 把它们接起来;FastReAct 不读取 AuthNode 项目目录。
FastReAct 配置可通过环境变量接收部署层注入的共享 secret:
{
"auth": {
"mode": "jwt",
"jwt_secret_env": "AUTHNODE_JWT_SECRET",
"jwt_issuer": "authnode.local",
"jwt_audience": "fastreact",
"jwt_tenant_claims": ["tenant_key", "tenant_id", "tenant", "org_id"],
"jwt_user_claim": "sub"
}
}指定配置运行:
cd $FASTREACT_REPO
./start.sh ~/.fastreact/config.json完整文档入口:
- FastReAct Nano README
- 5-minute quick start
- HTTP/SSE service manual
- Multi-tenant guide
- Security notes
- Documentation index
FastReAct 使用 tenant_key + user_key 作为运行态身份边界。
user_key 建议使用 {provider}:{subject} 格式,例如:
sso:alice
pska:user_primary
local:dev
tenant_key 来自 AuthNode/JWT/header/metadata。缺失时会从 user_key 冒号前缀
推断,以兼容旧调用;正式多租户调用应显式传入 tenant_key。
默认 workspace 布局:
~/FastReAct_workspaces/
└── tenants/
└── tenant_default/
└── users/
└── pska_user_primary/
├── config.json
├── memory.json
└── skills/
配置项:
{
"paths": {
"workspaces_root": "~/FastReAct_workspaces",
"gateway_workspace": "~/FastReAct_workspaces/single/default"
}
}paths.gateway_workspace 只保留为 legacy/single-workspace profile 兼容项;
新运行态数据应放在 workspaces_root 下。
FastReAct 的认证边界是“验证外部身份声明”,不是“提供登录系统”。
支持模式:
service_token:本地开发或后端服务调用。调用方必须提供user_key, 需要隔离时也要提供metadata.tenant_key。trusted_headers:平台网关或 AuthNode proxy 注入X-FastReAct-User-Key、X-FastReAct-Tenant-Key等可信 header。jwt:验证外部 IdP/AuthNode 签发的 Bearer JWT,推荐生产和 SSO 集成使用。
JWT 配置推荐通过部署层 secret 注入:
{
"auth": {
"mode": "jwt",
"jwt_secret_env": "AUTHNODE_JWT_SECRET",
"jwt_issuer": "authnode.local",
"jwt_audience": "fastreact",
"jwt_tenant_claims": ["tenant_key", "tenant_id", "tenant", "org_id"],
"jwt_user_claim": "sub"
}
}开发和部署约定:
- 客户已有平台/SSO:平台登录,FastReAct 验证平台 JWT 或可信 header。
- 客户没有统一平台:外置 AuthNode/Identity Broker,FastReAct 只验证它签发的身份。
- 不要让 FastReAct 读取 AuthNode 或 PSKA 的本地配置文件;用环境变量、secret、 URL、反向代理把服务接起来。
/ready会暴露auth.mode、multitenant.enabled和multitenant.workspaces_root, 可用于部署排查。
Primary endpoint:
POST /v1/chat/completionsCommon service endpoints:
GET /healthGET /readyGET /v1/setupGET /v1/metricsPOST /v1/chat/completionsPOST /v1/runsGET /v1/runsGET /v1/tracesGET /v1/tasksGET /v1/approvalsGET /v1/policyGET /v1/toolsGET /v1/skillsGET /v1/workspace/profile
If service.service_token is configured, protected endpoints require either:
X-FastReAct-Service-Token: replace-with-local-service-tokenor:
Authorization: Bearer replace-with-local-service-tokenUser-facing POST /v1/chat/completions and POST /v1/runs will bind the run
to the verified identity. In service_token mode, the caller-provided
user_key and metadata.tenant_key become that identity. In trusted_headers
or jwt mode, request-body identity fields are overridden by verified claims.
fastreact-nano separates framework instructions from workspace/persona
instructions at prompt assembly time:
core_framework
-> safety/tool policy note
-> workspace AGENTS.md / .fastreact/AGENT.md
-> persona SOUL.md / .fastreact/SOUL.md
-> tools and skills
-> task context
Rules for developers:
- Core framework and safety policy cannot be overridden by workspace or persona text.
AGENTS.mdis for project/framework instructions.SOUL.mdis for voice, tone, expression density, and interaction style only.- Prompt files are still text inputs, so treat them as untrusted and keep policy checks in code, not in prompt conventions.
Native tools:
read_file,write_file, andedit_fileresolve relative paths inside the current user workspace whenUserContextexists.- absolute paths are accepted only if they remain inside that workspace.
execruns with the current user workspace as cwd in multi-tenant mode.
MCP:
- FastReAct passes
user_keyandtenant_keyto HTTP MCP tool calls. - PSKA MCP should treat FastReAct identity as caller context, then enforce PSKA's
own ACLs. Do not trust LLM-supplied
tenant_id/user_idover FastReAct-supplied context.
Policy and approval:
- Policy actions are
allow,caution,require_approval, anddeny. - Evaluation order is built-in forbidden exec patterns, then configured
user_rules,tenant_rules,tool_rules,tool:*,default_action, and finally built-in safety classification. - Approval requests are persisted and must be resolved through HTTP in headless use.
Before changing multi-tenant behavior:
- Verify normal daemon startup, not only direct
Agent(...)tests. - Keep
tenant_keyexplicit in HTTP/JWT/header/MCP contracts. - Add tests for both positive isolation and negative cross-tenant access.
- Do not add cross-repo startup coupling.
./start.shmust only start this repo. - Do not bring back
fastreact.adapters.gatewaycompatibility shims. - Prefer adding small contract tests under
fastreact-nano/tests/contracts/.
Useful checks:
PYTHONPATH=fastreact-nano/src pytest fastreact-nano/tests -q
git diff --checkFastReAct/
├── README.md # Repository entry point
├── start.sh # Starts daemon and optional service console from one JSON config
├── docs/ # Pointer only; current docs live under fastreact-nano/docs
├── docs_archive/ # Pre-nano, v1, migration, and historical project docs
├── fastreact-nano/ # Current Python service implementation
├── fastreact-nano/docs/ # Current maintained documentation
├── fastreact-nano/docs_archive/ # Nano-era historical reports and implementation notes
└── fastreact-nano-web/ # Optional Next.js service console
Runtime/test generated text such as fastreact-nano/MagicMock/..., workspaces/default/HISTORY.md, and workspaces/default/MEMORY.md is not part of the maintained documentation set.
./start.sh resolves config in this order:
- Explicit path passed to
./start.sh /path/to/config.json .fastreact/config.json~/.fastreact/config.jsonfastreact-nano/.fastreact/config.jsonfastreact-nano/config.json
The backend Config.load() also supports --config, then falls back to ~/.fastreact/config.json, ./.fastreact/config.json, and ./config.json relative to the backend working directory.
See configuration file locations for details.
FastReAct and PSKA integrate through service and tool protocols, not direct imports.
PSKA owns knowledge storage, ACLs, review/jobs, citations, and PSKA MCP tools. FastReAct owns agent planning, LLM calls, tool orchestration, session/runtime control, approvals, runs, traces, and event streaming.
Protocol details live in PSKA_FASTREACT_PROTOCOL.md.
Current docs belong in fastreact-nano/docs/. Short-lived implementation notes, sprint summaries, and historical audits belong in the appropriate archive. Before adding a new document, check DOCS_INDEX.md and update an existing page when possible.