libremfg · MattDodsonEnglish · Dec 2, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025
diff --git a/archetypes/releases.md b/archetypes/releases.md
@@ -15,23 +15,18 @@ _Release date:_
 
 The following sections document the changes this release brings to each service.
 
-### Admin
-
-### BPMN engine
-
-### Schema
 
-### BAAS
-
-### Core
+### Admin
 
 ### Agent
 
-### Audit
+### BaaS
+
+### ISA-95
 
-### Keycloak Theme
+### Typescript host service
 
-### Router
+### Workflow
 
 ## Compatibility
 

diff --git a/content/_index.md b/content/_index.md
@@ -1,10 +1,9 @@
 ---
-title: ##Leave only home page without title
 description: User guides, deploy docs, references, and deep dives about the
   Rhize manufacturing data hub.
+type: "docs"
 cascade:
-  type: docs
-  v: "3.2.1"
+  v: "4.2.0"
 ---
 
 <!-- define h1 for all other pages in Title in frontmatter -->

diff --git a/content/deploy/cluster-sizing.md b/content/deploy/cluster-sizing.md
@@ -16,19 +16,18 @@
 
 For high availability,  Rhize recommends a **minimum of three nodes** with the following specifications.
 
-
 | Property              | Value             |
 |-----------------------|-------------------|
 | Number of nodes       | 3                 |
 | CPU Speed (GHz)       | 3.3               |
 | vCPU per Node         | 16                |
 | Memory per node (GiB) | 32 (64 is better) |
-| Persisted volumes     | 12                |
+| Persisted Volumes     | 16                |
 | Persisted Volume IOPS | 5000              |
 | PV Throughput (MBps)  | 500               |
 | Total Disk Space (TB) | 3                 |
 | Disk IOPS             | 5000              |
-| Disk MBps             | 500MBps           |
+| Disk MBps             | 500               |
 
 ### Rhize agent
 
@@ -40,31 +39,29 @@
 | CPU Speed (GHz)       | 2.8   |
 | vCPU per Node         | 2     |
 | Memory per node (GiB) | 1     |
-| Persisted volumes     | 1     |
+| Persisted Volumes     | 1     |
 
 ## Service-level recommendations
 
 The following table lists the **minimum** recommended specifications for the main services.
 Services with stateful PV have a persistent volume per pod.
 
+>![Warn]
+> Avoid NFS or SMB filesystems. These are known to lead to file corruption in BaaS and do not work at all with various other services.
 
 | Service                | Pods for HA (replica count) | vCPU per Pod | Memory Per Pod | Stateful PV | DiskSize (GiB) | Comments                                                             |
 |------------------------|-----------------------------|--------------|----------------|-------------|----------------|----------------------------------------------------------------------|
 | `baas-alpha`           | 3                           | 8            | 16 (at least)  | Yes         | 750            | High throughput and IOPS                                             |
-| `baas-zero`            | 3                           | 2            | 2              | Yes         | 350            | High throughput and IOPS                                             |
-| `libre-core`           | 3                           | 1            | 2              | No          | N/A            | HA requires 2 pods, but 3 is to avoid hotkey issues and balance load |
-| `bpmn-engine`          | 3                           | 1            | 2              | No          | N/A            | HA requires 2 pods, but 3 is to avoid hotkey issues and balance load |
-| `nats`                 | 3                           | 1            | 2              | Yes         | 100            | High IOPS                                                            |
-| `nats-box`             | 1                           | 0.25         | 0.25           | No          | N/A            |                                                                      |
-| `libre-audit`          | 2                           | 1            | 1              | No          | N/A            |                                                                      |
-| `libre-audit-postgres` | 2                           | 1            | 2              | Yes         | 250            | Runs in pod with `libre-audit`                                       |
-| `libre-ui`             | 3                           | 0.25         | 0.25           | No          | N/A            |                                                                      |
-| `keycloak`             | 2                           | 1            | 2              | No          | N/A            |                                                                      |
+| `baas-zero`            | 3                           | 2            | 2              | Yes         | 300            | High throughput and IOPS                                             |
+| `workflow`             | 3                           | 1            | 2              | No          | N/A            | HA requires 2 pods, but 3 is to avoid hotkey issues and balance load |
+| `isa95`                | 1*                          | 1            | 1              | No          | N/A            | *ISA-95 does not support HA                                          |
 | `keycloak-postgres`    | 2                           | 1            | 2              | No          | 200            | Runs in pod with `keycloak`                                          |
-| `router`               | 2                           | 1            | 2              | Yes         | <1             | Requires volume to compose supergraph                                |
-| `grafana`*             | 3                           | 0.5          | 2              | No          | 20-50          | Storage can be in host or in object bucket.                          |
-
- * May run [in separate cluster](#monitoring-stack)
+| `keycloak`             | 2                           | 1            | 2              | No          | N/A            |                                                                      |
+| `libre-ui`             | 3                           | 0.25         | 0.25           | No          | N/A            |                                                                      |
+| `quest-db`             | 1                           | 4            | 8              | Yes         | 250            | High Throughput and IPOS                                             |
+| `redpanda`             | 3                           |              |                | Yes         | 100            | High IOPS                                                            |
+| `restate`              | 3                           |              |                | Yes         | 50             | High Throughput and IPOS                                             |
+| `appsmith`             | 3                           | 4            |                | Yes         | 50             | High Throughput and IPOS                                             |
 
 ### Monitoring stack
 
@@ -90,3 +87,9 @@
 | `tempo-distributor`     | 1                           | 0.25               | 0.5            | 0.25           |
 | `tempo-query-frontend`  | 1                           | 0.25               | 0.5            | 0.25           |
 | `temp-memcache`         | 1                           | 0.25               | 0.1            | 0.25           |
+
+## Back up
+
+You can [back up Rhize to S3](/deploy/backup/binary/) .
+Consider including an S3 bucket as part of your deployment.
+
diff --git a/content/deploy/get-keycloak-token.md b/content/deploy/get-keycloak-token.md
@@ -38,9 +38,11 @@ The `access_token` property has the token value.
 ```json
 {
   "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldU...",
-  "expires_in": 300,
+  "expires_in": 28800,
+  "refresh_expires_in": 0,
   "token_type": "Bearer",
-  "scope": "email profile"
+  "not-before-policy": 0,
+  "scope": "profile email"
 }
 ```
 
diff --git a/content/deploy/install/keycloak.md b/content/deploy/install/keycloak.md
@@ -49,7 +49,7 @@
 1. In the side menu, select **Realm Settings**.
 1. Enter the following values:
   | Field        | value                 |
-  |--------------|-----------------------|
+  | ------------ | --------------------- |
   | Frontend URL | Keycloak frontend URL |
   | Require SSL  | External requests     |
 
@@ -141,9 +141,9 @@
 
 1. Configure the **Access Settings**:
 
-   - **Root URL**: `<UI_SUBDOMAIN>.<YOUR_DOMAIN>` without trailing slashes
-   - **Home URL**: `<UI_SUBDOMAIN>.<YOUR_DOMAIN>` without trailing slashes
-   - **Web Origins**: `<UI_SUBDOMAIN>.<YOUR_DOMAIN>` without trailing slashes
+   - **Root URL**: `<UI_URL>` without trailing slashes
+   - **Home URL**: `<UI_URL>` without trailing slashes
+   - **Web Origins**: `<UI_URL>` without trailing slashes
 
 1. Select **Next**, then **Save**.
 
@@ -168,8 +168,8 @@
 
 1. Configure the **Access Settings**:
 
-   - **Root URL**: `<DASHBOARD_SUBDOMAIN>.<YOUR_DOMAIN>` without trailing slashes
-   - **Home URL**: `<DASHBOARD_SUBDOMAIN>.<YOUR_DOMAIN>` without trailing slashes
+   - **Root URL**: `<DASHBOARD_URL>` without trailing slashes
+   - **Home URL**: `<DASHBOARD_URL>` without trailing slashes
    - **Valid redirect URIs**: `<DASHBOARD_URL>/login/generic_oauth` without trailing slashes
    - **Valid post logout redirect URIs**: `+` without trailing slashes
    - **Web origins**: `<DASHBOARD_SUBDOMAIN>.<YOUR_DOMAIN>` without trailing slashes
@@ -181,22 +181,26 @@
 The other services do not need authorization but do need client authentication.
 By default you need to add only the client ID.
 
-For example, to create the BPMN engine client:
+For example, to create the Workflow client:
 1. In the side menu, select **Clients > create client**.
-1. For **Client ID**, enter `{{< param application_name >}}Bpmn`
+1. For **Client ID**, enter `{{< param application_name >}}Workflow`
+1. **Name**: `{{< param brand_name >}} Workflow Engine`
+1. **Description**: `{{< param brand_name >}} Workflow Engine`
 1. Configure the **Capability config**:
     - **Client Authentication**: On
 1. Select **Next**, then **Save**.
 
-**Repeat this process for each of the following services:**
+Repeat the preceding process for each of the following services with the corresponding values in the table.
 
-| Client ID                              | Description           |
-|----------------------------------------|-----------------------|
-| `{{< param application_name >}}Audit`  | The audit log service |
-| `{{< param application_name >}}Core`   | The edge agent        |
-| `{{< param application_name >}}Router` | API router            |
+| Client ID                               | Name                                    | Description                 |
+| --------------------------------------- | --------------------------------------- | --------------------------- |
+| `{{< param application_name >}}Agent`   | {{< param brand_name >}} Agent          | The agent data service      |
+| `{{< param application_name >}}Audit`*  | {{< param brand_name >}} Audit Log      | The audit log service       |
+| `{{< param application_name >}}ISA95`   | {{< param brand_name >}} ISA-95 Model   | The ISA-95 model service    |
+| `{{< param application_name >}}KPI`*    | {{< param brand_name >}} KPI Calculator | The ISO22400 KPI calculator |
+| `{{< param application_name >}}Router`* | {{< param brand_name >}} API Router     | The API router              |
 
-Based on your architecture, repeat for any Libre Edge Agents, `{{< param application_name >}}Agent`.
+*- Optional based on your architecture.
 
 ### Scope services
 
@@ -216,31 +220,28 @@
     - **Display on consent screen**: `On`
     - **Include in token scope**: `On`
 1. **Create**.
-1. Select the **Mappers** tab, then **Configure new mapper**. Add an audience mapper for the DB client:
-    - **Mapper Type**: `Audience`
-    - **Name**: `{{< param db >}}AudienceMapper`
-    - **Include Client Audience**: `{{< param db >}}`
-    - **Add to ID Token**: `On`
-    - **Add to access token**: `On`
-1. Repeat the preceding step for a mapper for the UI client:
-    - **Mapper Type**: `Audience`
-    - **Name**: `{{< param application_name >}}UIAudienceMapper`
-    - **Include Client Audience**: `{{< param application_name >}}UI`
-    - **Add to ID Token**: `On`
-    - **Add to access token**: `Off`
-1. Repeat the preceding step for a mapper for the BPMN client:
-    - **Mapper Type**: `Audience`
-    - **Name**: `{{< param application_name >}}BpmnAudienceMapper`
-    - **Include Client Audience**: `{{< param application_name >}}Bpmn`
-    - **Add to ID Token**: `On`
-    - **Add to access token**: `On`
-1. If using the Rhize Audit microservice, repeat the preceding step for an Audit scope and audience mapper:
-    - **Mapper Type**: `Audience`
-    - **Name**: `{{< param application_name >}}AuditAudienceMapper`
-    - **Include Client Audience**:
-    - **Included Custom Audience**: `audit`
-    - **Add to ID Token**: `On`
-    - **Add to access token**: `On`
+
+#### Create audience mappers
+Select the **Mappers** tab, then **Configure new mapper**. Add an audience mapper for the DB client:
+   - **Mapper Type**: `Audience`
+   - **Name**: `{{< param db >}}AudienceMapper`
+   - **Include Client Audience**: `{{< param db >}}`
+   - **Add to ID Token**: `On`
+   - **Add to access token**: `On`
+
+Repeat the preceding process for each of the following services with the corresponding values in the table.
+
+| Name                                                   | Include Client Audience                  | ID Token | Access Token |
+| ------------------------------------------------------ | ---------------------------------------- | :------: | :----------: |
+| `{{< param application_name >}}AuditAudienceMapper`*   | `audit`**                                |   `On`   |     `On`     |
+| `{{< param application_name >}}AgentAudienceMapper`    | `{{< param application_name >}}Agent`    |   `On`   |     `On`     |
+| `{{< param application_name >}}ISA95AudienceMapper`    | `{{< param application_name >}}ISA95`    |   `On`   |     `On`     |
+| `{{< param application_name >}}KPIAudienceMapper`*     | `{{< param application_name >}}KPI`      |   `On`   |     `On`     |
+| `{{< param application_name >}}UIAudienceMapper`       | `{{< param application_name >}}UI`       |   `On`   |    `Off`     |
+| `{{< param application_name >}}WorkflowAudienceMapper` | `{{< param application_name >}}Workflow` |   `On`   |     `On`     |
+
+*- Optional based on your architecture.<br />
+**- Included as a Custom Audience.
 
 #### Add services to the scope
 
@@ -250,14 +251,24 @@
 1. Select `{{< param application_name >}}ClientScope` from the list.
 1. **Add > Default**.
 
-Repeat this process for the `dashboard`, `{{< param application_name >}}UI`, `{{< param application_name >}}Bpmn`, `{{< param application_name >}}Core`, `{{< param application_name >}}Router`, `{{< param application_name >}}Audit` (if applicable). Based on your architecture repeat for any Libre Edge Agent clients.
+Repeat the preceding process above for each of the following services:
+
+- `dashboard`
+- `{{< param application_name >}}Audit`*
+- `{{< param application_name >}}Agent`
+- `{{< param application_name >}}ISA95`
+- `{{< param application_name >}}KPI`*
+- `{{< param application_name >}}Router`*
+- `{{< param application_name >}}UI`
+- `{{< param application_name >}}Workflow`
+
+*- Optional based on your architecture.
 
 ### Create roles and groups
 
 In Keycloak, _roles_ identify a category or type of user.
 _Groups_ are a common set of attributes for a set of users.
 
-
 #### Add the Admin Group
 
 1. In the left hand menu, select **Groups > Create group**.
@@ -305,7 +316,7 @@
 1. Select the **Client scopes** tab.
 1. **Add client scope**.
 1. Select `groups`.
-1. **Add > Default**.
+1. **Add Default**.
 
 ### Add Client Policy
 
@@ -314,7 +325,7 @@
 
 1. In the left hand menu, select **Clients**, and then `{{< param db >}}`.
 1. Select the **Authorization** tab.
-1. Select the **Policies** sub-tab.
+1. Select the **Policies** subtab.
 1. Select **Create Policy > Group**.
 1. Name the policy `{{< param application_name >}}AdminGroupPolicy`.
 1. Select **Add Groups**.
@@ -342,43 +353,18 @@
 1. For **Temporary**, choose `Off`.
 1. **Save**.
 
-Repeat this process for the following accounts:
-
-- Audit:
-    - **Username**: `{{< param application_name >}}Audit@{{< param domain_name >}}`
-    - **Email**: `{{< param application_name >}}Audit@{{< param domain_name >}}`
-    - **Email Verified**: `On`
-    - **First name**: `Audit`
-    - **Last name**: `{{< param brand_name >}}`
-    - **Join Groups**: `{{< param application_name >}}AdminGroup`
-- Core:
-    - **Username**: `{{< param application_name >}}Core@{{< param domain_name >}}`
-    - **Email**: `{{< param application_name >}}Core@{{< param domain_name >}}`
-    - **Email Verified**: `On`
-    - **First name**: `Core`
-    - **Last name**: `{{< param brand_name >}}`
-    - **Join Groups**: `{{< param application_name >}}AdminGroup`
--  BPMN
-     - **Username**: `{{< param application_name >}}Bpmn@{{< param domain_name >}}`
-     - **Email**: `{{< param application_name >}}Bpmn@{{< param domain_name >}}`
-     - **Email Verified**: `On`
-     - **First name**: `Bpmn`
-     - **Last name**: `{{< param brand_name >}}`
-     - **Join Groups**: `{{< param application_name >}}AdminGroup`
-- Router
-    - **Username**: `{{< param application_name >}}Router@{{< param domain_name >}}`
-    - **Email**: `{{< param application_name >}}Router@{{< param domain_name >}}`
-    - **Email Verified**: `On`
-    - **First name**: `Router`
-    - **Last name**: `{{< param brand_name >}}`
-    - **Join Groups**: `{{< param application_name >}}AdminGroup`
-- Agent
-    - **Username**: `{{< param application_name >}}Agent@{{< param domain_name >}}`
-    - **Email**: `{{< param application_name >}}Agent@{{< param domain_name >}}`
-    - **Email Verified**: `On`
-    - **First name**: `Agent`
-    - **Last name**: `{{< param brand_name >}}`
-    - **Join Groups**: `{{< param application_name >}}AdminGroup`
+Repeat the preceding process for each of the following services with the corresponding values in the table.
+
+| Username                                                           | First name |
+| ------------------------------------------------------------------ | ---------- |
+| `{{< param application_name >}}Audit@{{< param domain_name >}}`*   | Audit      |
+| `{{< param application_name >}}Agent@{{< param domain_name >}}`    | Agent      |
+| `{{< param application_name >}}ISA95@{{< param domain_name >}}`    | ISA95      |
+| `{{< param application_name >}}KPI@{{< param domain_name >}}`*     | KPI        |
+| `{{< param application_name >}}Router@{{< param domain_name >}}`*  | Router     |
+| `{{< param application_name >}}Workflow@{{< param domain_name >}}` | Workflow   |
+
+*- Optional based on your architecture.
 
 {{% /steps %}}
 

diff --git a/content/deploy/install/row-level-access-control.md b/content/deploy/install/row-level-access-control.md
@@ -23,7 +23,7 @@ Consider the following scenario: Acme Inc. contracts part of its supply chain to
 
 1. Create an OIDC Role: Define a role called `cmoAccess` in your OIDC provider (e.g., Keycloak).
 2. Define a Hierarchy Scope. Create a hierarchy scope in Rhize called `CMO`. This scope is applied to objects or nodes in the graph that relate to the CMO.
-3. Add a Rule to the Scope Map: Define a rule in the `scopemap.json` file as follows:
+3. Add a Rule to the Scope Map. Define a rule in the `scopemap.scopemap.json` file as follows:
 
 ```json
 {