# Core Concepts This page covers Adapterly's core concepts in depth. ## Systems A system represents an external service that Adapterly connects to. The hierarchy is: ``` System └── Interface (API endpoint) └── Resource (data entity) └── Action (operation) ``` **Example:** ``` My System └── REST API └── projects ├── list ├── get └── create ``` ### Interface An interface defines the API basics: - **Base URL** - API root address - **Authentication** - How to authenticate - **Rate limit** - Request limits ### Resource A resource is an API data entity, such as `projects`, `users`, or `orders`. ### Action An action is an operation on a resource: - `list` - List all - `get` - Get single - `create` - Create new - `update` - Update - `delete` - Delete Each action with `is_mcp_enabled = true` becomes an MCP tool. --- ## Projects and Project Integrations ### Projects A **Project** is a scoped workspace that controls which systems and tools are available to AI agents. - Projects belong to an Account - Each project has a name, slug, and optional description - API keys can be bound to a specific project ### Project Integrations A **ProjectIntegration** links a system to a project: - Controls which systems are accessible within a project - Each integration references a specific System - AI agents with a project-scoped API key can only access systems linked via ProjectIntegration **Example:** ``` "My Project" ├── ProjectIntegration → System A ├── ProjectIntegration → System B └── ProjectIntegration → Google Sheets ``` --- ## API Keys and Modes ### API Keys MCP API keys authenticate AI agents. Key format: `ak_live_xxx` (production) or `ak_test_xxx` (test). Each key has: - **Mode** - Safe (read-only) or Power (read/write) - **Project** (optional) - Restricts access to a specific project's systems - **Agent Profile** (optional) - Applies a reusable permission profile - **is_admin** - Can switch projects via header ### Modes | Mode | Description | |------|-------------| | **Safe** (default) | Only read actions (list, get) are allowed | | **Power** | All actions allowed (list, get, create, update, delete) | --- ## Permissions and Access Control ### Permission Layers Access is controlled at multiple levels, intersected together: ``` Effective permissions = Agent policies ∩ Project policies ∩ User policies ``` ### Tool Categories Tools are organized into categories (e.g., `construction.read`, `logistics.write`). Categories are mapped to tools via fnmatch patterns in `ToolCategoryMapping`. ### Agent Profiles Reusable permission profiles that can be attached to API keys: - **allowed_categories** - Which tool categories are permitted - **include_tools** - Explicitly included tools (override categories) - **exclude_tools** - Explicitly excluded tools - **mode** - Safe or Power ### User Roles | Role | Permissions | |------|-------------| | **Admin** | Full access: systems, projects, API keys, user management | | **User** | View projects and systems assigned to them | --- ## Audit Logging ### What is Logged Every MCP tool call is recorded in the audit log with: - Timestamp - API key used - Tool name and parameters - Response status and data - Duration - Account and project context ### Viewing Logs - **UI**: MCP Gateway → Audit Log - **API**: `GET /api/mcp/audit-logs/` --- ## Gateway Architecture Adapterly supports two deployment modes: ### Monolith (Default) Everything runs on a single server: - Django handles UI and REST API - FastAPI handles MCP protocol (Streamable HTTP) - PostgreSQL stores all data ### Control Plane + Gateway For distributed or on-premise deployments: **Control Plane** (Django at adapterly.ai): - Manages accounts, systems, adapter definitions - Provides Gateway Sync API for gateways to pull configuration **Gateway** (standalone FastAPI + SQLite): - Runs independently (e.g., on-premise, Docker) - Syncs adapter specs and API keys from control plane - Credentials stay on the gateway (never sent to control plane) - Provides MCP endpoint for AI agents The `gateway_core` shared package contains executor, crypto, models, auth, and diagnostics code used by both deployment modes.