Afunana
Afunana Documentation

Administration Guide

Collections, users, tags, builds, configuration, logs, and projects.

← All docs

This guide covers day-to-day administration of Afunana through the Admin panel.


Admin Panel Overview

The Admin panel is accessible at /admin by users with the admin role. It contains the following sections:

Section Purpose
Collections Manage source collections and builds (extract / import / build / build-changes)
Connections Source-platform endpoints (IBM i / Oracle / z/OS)
Users Manage user accounts and roles
Tags Manage classification tags
Project Epics, tasks, and Kanban board
Settings Configuration, AI Config (One AI Hub), Check Settings
Logs App, Security/Audit, Plan, Chat, Build, Deploy
Deploy Application version / update controls
Compliance Audit readiness, hash-chain verify, exports
Operations System operations and IBM i components (Setup Guide)

A collection's platform is derived from the connection it binds to — there is no separate platform field on the collection.

In-Context Field Help

Every admin and settings screen carries per-field help. Each field exposes a short who / what / where / when / why explanation inline, and each page has an Explain modal that describes the screen and its fields in plain language. This lets an administrator understand what a setting does — and when to change it — without leaving the page or consulting this guide.


Managing Collections

A collection represents a set of source from a single system or application. Collections are the primary organizational unit in Afunana. Each collection binds to a connection (Admin > Connections), and it inherits its platform — IBM i, Oracle, or z/OS — from that connection. The source-scope fields differ by platform (an IBM i library vs an Oracle schema), but everything downstream — analysis, docs, checks, chat — is identical.

Creating a Collection

  1. Navigate to Admin > Collections.
  2. Click Create Collection.
  3. Fill in the required fields:
Field Constraint Description
Name 10 chars max Unique identifier for the collection
Description Free text Human-readable description
Language en / he Primary language for generated content
Type Select Collection type
  1. Click Save.

Configuring a Collection

Each collection has additional settings for source extraction. The example below is for an IBM i collection; an Oracle collection instead scopes by schema/owner (and object types).

Field Description Example
Connection The source endpoint this collection extracts from PROD-IBMI
Source Library IBM i library containing source physical files CBLNINJA
Root Program Entry-point program for call tree OVDIM
Call Depth How deep to trace the call hierarchy 9
Max Programs Maximum programs to extract and analyze 99
Library List IBM i libraries for name resolution CBLNINJA QGPL

Assigning Users

Only assigned users (and admins) can view and interact with a collection's content and chat.

  1. Open the collection's edit page.
  2. In the Assigned Users section, add or remove users.
  3. Save changes.

Collection Actions

From a collection you can run these actions; each streams a live log and status on the Collections page:

Action What it does
Extract Pull fresh source and metadata from the bound connection (IBM i SBMJOB + FTP, or Oracle data-dictionary read).
Import Load extracted TT* data into the collection (parse + normalize). Extraction and import can run as one step.
Build Run the full 5-stage analysis pipeline: program docs, file/SQL docs, collection artifacts, embeddings/index, auto-tagging.
Build changes Incremental REFRESH: MD5-hash each member, rebuild only changed programs, surgically update the vector and BM25 indices.

Collection Status

Status Meaning
ready Build completed successfully
building Build is currently in progress
error Last build failed

Managing Connections

Admin > Connections manages the source-platform endpoints collections extract from. Each connection has a type — IBM i (AS/400), Oracle, or z/OS — plus identity fields (name, host, port, username, password, SSL) and platform-specific settings. Passwords are stored encrypted and shown masked.

Type Notable settings Status
IBM i (AS/400) JDBC port 8471, FTP port, SBMJOB user/queue Production
Oracle Service name, default schema (python-oracledb thin mode, port 1521) Supported
z/OS (none yet) Connection type defined; analysis on the roadmap

The editor's left side holds the fixed identity fields; the right side shows the per-type settings (fetched from the connection schema). Admins can also add custom key/value fields per connection. For the full per-platform reference, authorities, and the IBM i component install, see Source Platform Integration.


Managing Users

Creating a User

  1. Navigate to Admin > Users.
  2. Click Add User.
  3. Fill in the fields:
Field Required Description
username Yes Login name (unique)
email Yes Email address
full_name Yes Display name
role Yes admin, qa, user, or viewer
password Yes Initial password
is_active Yes Enable or disable the account

Roles

Role Permissions
admin Full access to Admin panel, all collections, all features
qa Access to assigned collections with QA views, project management
user Access to assigned collections, chat, and documentation
viewer Read-only access to assigned collections and their documentation; no chat or editing

SSO Users

When SSO is configured, users are auto-provisioned on their first login. No manual account creation is needed. SSO users appear in the Users list with their SSO-provided attributes.

Disabling a User

Set is_active to false on the user's edit page. Disabled users cannot log in. Their data and history are preserved for audit purposes.

Force Logout

Revoke all active sessions for a user without deactivating the account. The user must log in again on their next visit.


Tags & Classification

Tags classify programs and files for filtering and organization.

Creating Tags

  1. Navigate to Admin > Tags.
  2. Click Add Tag.
  3. Enter the tag key (internal identifier), display labels, color, and entity type (program or file).

Auto-Tagging

During the build pipeline, the AI automatically assigns tags to programs based on their business function. Tags can be manually overridden after the build completes.

Tag Filtering

Users see tag pills on the Programs and Files pages. Clicking a tag filters the list to matching items.


Build Management

Builds analyze source code and generate documentation, embeddings, and metadata for a collection.

Starting a Build

  1. Navigate to Admin > Collections.
  2. Select a collection.
  3. Click Build.
  4. Choose a build mode.

Build Modes

Choose full, continue, programs_only, files_only, system_only, or changes (incremental delta). Each mode and the five build stages are described in Build Process.

Monitoring a Build

Active builds stream their log output in real time on the Collections page. The log shows each step: source extraction, LLM analysis, embedding generation, and indexing.

Builds can be paused, resumed, or cancelled. Cancelling a build preserves any programs that were already processed.

Note: If a build process is killed or interrupted abruptly (e.g. the container is restarted mid-build), the collection can be left showing a stale error status even though nothing is wrong. Start a new build (or a continue build) to clear it.

Build History

Every build is recorded with:

View build history from the collection's detail page or from Logs > Build History.


Configuration

Navigate to Admin > Settings > Configuration to view and edit application configuration.

Settings are grouped by category: API Keys, AS/400, LLM, Builder, Chat, Organization, Security, Audit, Email, Timeouts. Secret values (API keys, passwords) are masked in the UI — edit them to set a new value; the existing value is never revealed.

For the full list of configuration keys, the two precedence chains (bootstrap keys vs. everything else), and the admin/dev/hidden visibility levels, see the Environment Configuration reference.


AI Config — One AI Hub

Navigate to Admin > Settings > AI Config. Every LLM call in Afunana routes through one governed gateway — the One AI Hub — so the organization controls cost, access, and data, and can switch providers or models with no rebuild.

Providers

Four providers are supported:

Provider provider: prefix Notes
Anthropic anthropic: Claude models
OpenAI openai: GPT models
Azure OpenAI / AI Foundry azure: First-class; model component is the deployment name; endpoint/key/version from AZURE_API_BASE / AZURE_API_KEY / AZURE_API_VERSION
Ollama ollama: Local inference for offline / air-gapped installs; no data leaves the box

Roles and Fallback Chains

Work is routed across 11 specialized roles (program docs / builder, file docs, SQL docs, system overview, chat planner, chat answer, chat answer simple, chat classifier, code developer, spec doc, attachment OCR). Each role takes a comma-separated provider:model fallback chain — the router tries each in order until one succeeds:

Per-call token telemetry is captured, so cost is measurable per role. Changing a model takes effect live (no restart); changing a provider API key requires a restart (the UI notes this).

Presets

Presets are named per-role model bundles stored in the database — e.g. Anthropic+OpenAI, Anthropic-only, OpenAI-only, Azure-only, Local/Ollama. Applying a preset snapshots the current config first, so it is reversible.

Model Advisor

The model advisor calls each provider's live Models API with your own key (not an LLM call — it can't hallucinate model names), classifies the returned models into tiers, maps tiers to roles, and diffs against your current configuration to flag when a newer model is worth adopting. It is read-only; applying its recommendation is a separate, explicit step.

For the role catalog and the shipped per-role defaults, see AI & Analysis Pipeline.


Check Settings

Admin > Settings > Check Settings controls Afunana's deterministic (no-LLM) quality checks — the silent-failure layer that catches defects producing no error message. Each check has a severity you set per customer:

Severity Effect
error Finding is shown and flags the program as review-needed
note Finding is shown but does not gate the program's verdict
off Check is not run

Each check ships a catalog default; the UI groups checks by language and family.

COBOL Checks

Family Check Default
interface param_count_mismatch error
interface byte_size_mismatch error
interface linkage_proc_count_mismatch error
interface linkage_proc_name_mismatch error
data move_size_loss error
data unreferenced_field off
control_flow scope_terminator_mismatch off
control_flow read_without_status_handler off
control_flow unreachable_after_goback off
control_flow goto_into_section off

The parameter/interface mismatch checks (count + byte-size/structure, from a real data-division parser) are the strongest, headline COBOL checks.

PL/SQL Checks (14 rules)

Default error: plsql_swallow_exception, plsql_dml_no_where, plsql_dynamic_sql_injection, plsql_ddl_dynamic, plsql_null_comparison, plsql_hardcoded_credentials, plsql_commit_in_loop.

Default note: plsql_when_others_no_reraise, plsql_high_complexity, plsql_dead_private, plsql_select_star, plsql_insert_no_columns, plsql_goto, plsql_dbms_output.

Severities persist in the CHECK_SETTINGS config key as JSON — edit them here rather than by hand.


Logs & Monitoring

App Log

Logs > App Log shows the live application log stream. Filter by log level (DEBUG, INFO, WARNING, ERROR) and search by keyword.

Security Audit Log

Logs > Audit Log displays security-relevant events: logins, failed login attempts, configuration changes, user management actions, and data exports.

Each audit entry is part of a hash chain. The system verifies chain integrity and flags any gaps or tampering.

Filtering options: event type, actor, severity, date range. Export as CSV or JSON.

Chat Log

Logs > Chat Log shows chat session transcripts. Filter by user, collection, and date range. Each session shows the full conversation with timestamps and token counts.

Plan Log

Logs > Plan Log records change plans generated in Plan mode — the structured, validated modification plans (title, summary, steps) grounded in the live codebase. Each entry shows the plan, its status (pending_approval / approved / rejected), and, where execution is enabled, the outcome of applying it.

Build History

Logs > Build History lists all builds across all collections with status, duration, program count, and error count.

Deploy History

Logs > Deploy History tracks application version changes with version numbers and timestamps.

SQL Trace

Logs > SQL Trace captures database queries for debugging. This is a developer tool and is disabled by default.


Deploy

Admin > Deploy shows the running application version and whether a newer version is available (checked hourly against latest-version.json, non-blocking). For customers, updating means pulling a new image and restarting — see Deployment & Updates. Versions use the zero-padded XX.XX.XX format (e.g. 00.18.57). The developer-side deploy pipeline (GitHub Actions → Docker Hub) is separate and never touches customer servers.


Compliance

The Compliance section provides an overview of audit readiness and exposes the evidence surfaces auditors ask for.

Surface Description
Integrity verification Walks the audit hash chain and reports whether it is intact
Hash chain health Number of verified entries and any detected breaks
Retention policy Current audit-log retention and storage usage
SIEM status Syslog / webhook forwarding status and last transmission
Audit query & export Query and export audit events (CSV / JSON)
Session revocation Revoke a user's active sessions
Data export / portability Export a user's or collection's data

Afunana's controls are mapped to OWASP Top 10 (2021), ISO/IEC 27001:2022, and SOC 2 — a documented control mapping, not a third-party certification (formal certification is in progress). The compliance status flags assert configuration (e.g. TLS, DB encryption) rather than actively probing your transport, so treat them as configuration attestations, not live proof.


Project Management

The Project tab provides lightweight project management for tracking documentation and migration work.

Epics

Group related work into high-level initiatives. Each epic contains a set of tasks and shows aggregate progress.

Tasks

Create, assign, and track individual work items. Each task has a title, description, assignee, priority, and status.

Kanban Board

Visualize tasks across workflow stages: To Do, In Progress, Done. Drag tasks between columns to update their status.

Project management is accessible to users with admin or qa roles.


Specification Documents

Formal specification documents (Business Specification, Systems Analysis, Program Specification) can be generated on demand from the Programs page (per-program) or the System Overview page (collection-wide), and exported as DOCX or PDF. See Program Documentation for the three levels and their contents.


Prompt Management

Admin > Prompts allows editing the system prompts that control AI behavior.

Prompt Group Purpose
Build -- Program Docs Prompts for program analysis and documentation
Build -- File Docs Prompts for file/field documentation
Build -- System Overview Prompts for system architecture analysis
Chat -- Classifier Prompts for intent classification
Chat -- Planner Prompts for query planning
Chat -- Tools Prompts for tool-use and code generation

Changes take effect on the next build or chat query.


Report a Bug

Afunana includes an in-app Report a Bug page so users can send a problem report — a description plus the context of what they were doing — to the support mailbox without leaving the application. The feature is gated by configuration: the page appears only when BUG_REPORT_ENABLED is on, and submitted reports are emailed to the address set in BUG_REPORT_EMAIL. If no destination address is configured, reports are stored rather than emailed. Both keys are covered in Environment Configuration.


Operations & Setup Guide

Admin > Operations hosts system operations and the IBM i Components installer (pre-flight, install, and update of the TTDOC library — see Source Platform Integration).

The Setup Guide is an in-app operations checklist that walks a new administrator through first-run configuration in order: create a source connection, install the IBM i component (if applicable), set at least one LLM provider key and per-role models, set the organization name and public URL, configure SMTP and SSO if wanted, and run the first build. It mirrors the steps in Installation so an admin can complete setup without leaving the app.