Plane AI for Commercial Edition (#219)

* Plane AI for Commercial Edition

* formatting fixes

* formatting fixes

Author: danciaclara

docs/.vitepress/config.mts

@@ -273,6 +273,12 @@ export default withMermaid(
               },
               { text: "DNS for Intake Email", link: "/self-hosting/govern/configure-dns-email-service" },
               { text: "OpenSearch for search", link: "/self-hosting/govern/advanced-search" },
+              {
+                text: "Plane AI",
+                link: "/self-hosting/govern/plane-ai",
+                collapsed: true,
+                items: [{ text: "AWS OpenSearch embedding", link: "/self-hosting/govern/aws-opensearch-embedding" }],
+              },
               { text: "External secrets", link: "/self-hosting/govern/external-secrets" },
               { text: "External reverse proxy", link: "/self-hosting/govern/reverse-proxy" },
               { text: "Private storage buckets", link: "/self-hosting/govern/private-bucket" },

docs/self-hosting/govern/aws-opensearch-embedding.md

@@ -0,0 +1,233 @@
+---
+title: AWS OpenSearch embedding
+description: Step-by-step guide to deploying a Cohere embedding model on AWS OpenSearch for use with Plane AI semantic search.
+keywords: aws opensearch, embedding model, cohere, plane ai, semantic search, ml commons, opensearch connector
+---
+
+# Deploy an embedding model on AWS OpenSearch
+
+This guide walks you through deploying a Cohere embedding model on AWS OpenSearch (managed) for Plane AI semantic search.
+
+For other connector blueprints and embedding model configurations, see the [OpenSearch ML Commons remote inference blueprints](https://github.com/opensearch-project/ml-commons/tree/2.x/docs/remote_inference_blueprints).
+
+## Before you begin
+
+Make sure you have:
+
+- An AWS OpenSearch domain with **fine-grained access control** enabled.
+- Admin access to OpenSearch Dashboards.
+- AWS CLI configured locally.
+- An IAM user with permissions to create roles, policies, and access Secrets Manager.
+- A Cohere API key.
+
+## Create an IAM policy
+
+1. Go to **IAM → Policies → Create Policy**.
+2. Select **JSON** and paste the following:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Sid": "PassRoleAccess",
+         "Effect": "Allow",
+         "Action": "iam:PassRole",
+         "Resource": "arn:aws:iam::<aws-account-number>:role/plane-opensearch-access-role"
+       },
+       {
+         "Sid": "SecretManagerAccess",
+         "Effect": "Allow",
+         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret", "secretsmanager:ListSecrets"],
+         "Resource": "*"
+       }
+     ]
+   }
+   ```
+
+3. Click **Next**, name the policy `plane-opensearch-access-policy`, and click **Create Policy**.
+
+## Create an IAM role
+
+Create an IAM role that OpenSearch can assume to access Secrets Manager.
+
+1. Go to **IAM → Roles → Create Role**.
+2. Name the role `plane-opensearch-access-role`.
+3. Set this **Trust Relationship**:
+
+   ```json
+   {
+     "Version": "2012-10-17",
+     "Statement": [
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "Service": "ec2.amazonaws.com"
+         },
+         "Action": "sts:AssumeRole"
+       },
+       {
+         "Effect": "Allow",
+         "Principal": {
+           "AWS": "arn:aws:iam::<aws-account-number>:user/<opensearch-user>"
+         },
+         "Action": "sts:AssumeRole"
+       }
+     ]
+   }
+   ```
+
+4. Attach the `plane-opensearch-access-policy` you created in Step 1.
+5. Click **Create Role** and note the role ARN.
+
+## Grant ML permissions to the IAM role
+
+1. Open **OpenSearch Dashboards**.
+2. Go to **Security → Roles → `ml_full_access`**.
+3. Open the **Mapped users** tab and click **Map users**.
+4. Under **Backend roles**, add the role ARN:
+
+   ```
+   arn:aws:iam::<aws-account-number>:role/plane-opensearch-access-role
+   ```
+
+## Assume the role locally
+
+Run this command to get temporary credentials:
+
+```bash
+aws sts assume-role \
+  --role-arn arn:aws:iam::<aws-account-number>:role/plane-opensearch-access-role \
+  --role-session-name session
+```
+
+Export the credentials from the response:
+
+```bash
+export AWS_ACCESS_KEY_ID=<AccessKeyId>
+export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
+export AWS_SESSION_TOKEN=<SessionToken>
+```
+
+## Store the Cohere API key in Secrets Manager
+
+1. Go to **Secrets Manager → Store a new secret**.
+2. Select **Other type of secret**.
+3. Set the key to `azure_ai_foundry_key_cohere` and the value to your Cohere API key.
+4. Click **Next**, name the secret `plane-ai/cohere`, and click **Store**.
+5. Note the **Secret ARN** — you'll need it in the next step.
+
+## Create a Cohere connector in OpenSearch
+
+Using the temporary credentials from Step 4, send a `POST` request to your OpenSearch cluster.
+
+**Endpoint:** `POST https://<opensearch-domain>/_plugins/_ml/connectors/_create`
+
+**Request body:**
+
+```json
+{
+  "name": "Cohere",
+  "description": "Cohere embedding connector",
+  "version": "1",
+  "protocol": "http",
+  "parameters": {
+    "endpoint": "https://azureaitrials-resource.services.ai.azure.com/models",
+    "model": "embed-v-4-0",
+    "api_version": "2024-05-01-preview",
+    "input_type": "search_document",
+    "truncate": "END"
+  },
+  "credential": {
+    "secretArn": "<cohere-secret-arn>",
+    "roleArn": "arn:aws:iam::<aws-account-number>:role/plane-opensearch-access-role"
+  },
+  "actions": [
+    {
+      "action_type": "predict",
+      "method": "POST",
+      "url": "${parameters.endpoint}/embeddings?api-version=${parameters.api_version}",
+      "headers": {
+        "api-key": "${credential.secretArn.azure_ai_foundry_key_cohere}",
+        "x-ms-model-mesh-model-name": "embed-v-4-0"
+      },
+      "request_body": "{ \"texts\": ${parameters.texts}, \"truncate\": \"${parameters.truncate}\", \"model\": \"${parameters.model}\", \"input_type\": \"${parameters.input_type}\" }",
+      "pre_process_function": "connector.pre_process.cohere.embedding",
+      "post_process_function": "connector.post_process.cohere.embedding"
+    }
+  ]
+}
+```
+
+Save the `connector_id` from the response.
+
+## Configure the OpenSearch cluster
+
+Run these commands in **Dev Tools** in OpenSearch Dashboards.
+
+### Allow the connector's external endpoints
+
+```json
+PUT /_cluster/settings
+{
+  "persistent": {
+    "plugins.ml_commons.trusted_connector_endpoints_regex": [
+      "^https://api\\.cohere\\.ai(/.*)?$",
+      "^https://azureaitrials-resource\\.services\\.ai\\.azure\\.com(/.*)?$"
+    ]
+  }
+}
+```
+
+### Register the embedding model
+
+```json
+POST /_plugins/_ml/models/_register
+{
+  "name": "cohere_4_0_embed",
+  "function_name": "remote",
+  "connector_id": "<connector-id>",
+  "description": "Cohere Embedding Model"
+}
+```
+
+Save the `model_id` from the response.
+
+### Deploy the model
+
+```
+POST /_plugins/_ml/models/<model_id>/_deploy
+```
+
+### Verify deployment status
+
+```
+GET /_plugins/_ml/models/<model_id>
+```
+
+Wait until the response shows:
+
+```json
+"model_state": "DEPLOYED"
+```
+
+### Test inference (optional)
+
+```json
+POST /_plugins/_ml/models/<model_id>/_predict
+{
+  "parameters": {
+    "inputs": ["hello world"]
+  }
+}
+```
+
+## Configure Plane
+
+Add the deployed model ID to `/opt/plane/plane.env`:
+
+```bash
+EMBEDDING_MODEL_ID=<model_id>
+```
+
+Restart Plane and complete the remaining steps in [Enable Plane AI](/self-hosting/govern/plane-ai#configure-an-embedding-model).

docs/self-hosting/govern/environment-variables.md

@@ -152,6 +152,62 @@ This is where you'll make all configuration changes. Remember to restart the ins
 | `OPENSEARCH_PASSWORD`     | Authentication password                                     | `your-secure-password`                 |
 | `OPENSEARCH_INDEX_PREFIX` | Prefix for all index names (useful for multi-tenant setups) | (empty)                                |
 
+### Plane AI
+
+#### Plane AI replicas
+
+To start Plane AI services, set each replica count to `1`:
+
+| Variable               | Description                        | Required |
+| ---------------------- | ---------------------------------- | -------- |
+| `PI_API_REPLICAS`      | Plane AI API replica count         | Yes      |
+| `PI_BEAT_REPLICAS`     | Plane AI Beat Worker replica count | Yes      |
+| `PI_WORKER_REPLICAS`   | Plane AI Worker replica count      | Yes      |
+| `PI_MIGRATOR_REPLICAS` | Plane AI Migrator replica count    | Yes      |
+
+#### LLM provider API keys
+
+Plane AI supports multiple LLM providers. Configure one or more by adding their API keys.
+
+| Variable                 | Description                                                     | Required |
+| ------------------------ | --------------------------------------------------------------- | -------- |
+| `OPENAI_API_KEY`         | API key for OpenAI models                                       | Optional |
+| `CLAUDE_API_KEY`         | API key for Anthropic models                                    | Optional |
+| `GROQ_API_KEY`           | API key for speech-to-text features                             | Optional |
+| `CUSTOM_LLM_ENABLED`     | Set to `true` to use a custom LLM with an OpenAI-compatible API | Optional |
+| `CUSTOM_LLM_MODEL_KEY`   | Identifier key for the custom model                             | Optional |
+| `CUSTOM_LLM_BASE_URL`    | Base URL of the custom model's OpenAI-compatible endpoint       | Optional |
+| `CUSTOM_LLM_API_KEY`     | API key for the custom endpoint                                 | Optional |
+| `CUSTOM_LLM_NAME`        | Display name for the custom model                               | Optional |
+| `CUSTOM_LLM_DESCRIPTION` | Description of the custom model                                 | Optional |
+| `CUSTOM_LLM_MAX_TOKENS`  | Maximum token limit for the custom model                        | Optional |
+
+#### Provider base URLs
+
+Use these when routing requests through self-hosted gateways, proxies, or compatible third-party endpoints.
+
+| Variable          | Description                                | Default   |
+| ----------------- | ------------------------------------------ | --------- |
+| `OPENAI_BASE_URL` | Custom base URL for OpenAI-compatible APIs | OpenAI    |
+| `CLAUDE_BASE_URL` | Custom base URL for Claude-compatible APIs | Anthropic |
+| `COHERE_BASE_URL` | Custom base URL for Cohere APIs            | Cohere    |
+| `GROQ_BASE_URL`   | Custom base URL for Groq APIs              | Groq      |
+
+#### Embedding model configuration
+
+These settings are required for semantic search and Plane AI Chat. Configure one of the following options.
+
+| Variable                   | Description                                                                                                                                                              | Required    |
+| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------- |
+| `EMBEDDING_MODEL_ID`       | ID of an existing embedding model deployed in OpenSearch (works with both self-hosted and AWS OpenSearch)                                                                | Conditional |
+| `EMBEDDING_MODEL`          | Embedding model to automatically deploy (e.g., `cohere/embed-v4.0`, `openai/text-embedding-3-small`, `bedrock/amazon.titan-embed-text-v1`). Self-hosted OpenSearch only. | Conditional |
+| `COHERE_API_KEY`           | API key for Cohere embedding models                                                                                                                                      | Conditional |
+| `BR_AWS_ACCESS_KEY_ID`     | AWS access key ID for Bedrock Titan embedding                                                                                                                            | Conditional |
+| `BR_AWS_SECRET_ACCESS_KEY` | AWS secret access key for Bedrock Titan embedding                                                                                                                        | Conditional |
+| `BR_AWS_REGION`            | AWS region for Bedrock Titan embedding                                                                                                                                   | Conditional |
+
+For setup instructions, supported models, and IAM permissions, see [Enable Plane AI](/self-hosting/govern/plane-ai).
+
 ### API settings
 
 | Variable               | Description                                                             | Default Value |