From 3c3831076f3ad883b7ff6dcff0475036e6edad14 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 20:05:39 +0000 Subject: [PATCH 01/17] Remove MinIO volumes from version control and add to .gitignore --- .../.minio.sys/buckets/.bloomcycle.bin/xl.meta | Bin 741 -> 0 bytes .../buckets/.usage-cache.bin.bkp/xl.meta | Bin 626 -> 0 bytes .../.minio.sys/buckets/.usage-cache.bin/xl.meta | Bin 626 -> 0 bytes .../.minio.sys/buckets/.usage.json/xl.meta | Bin 1496 -> 0 bytes .../buckets/chatui/.metadata.bin/xl.meta | Bin 1189 -> 0 bytes .../buckets/chatui/.usage-cache.bin.bkp/xl.meta | Bin 615 -> 0 bytes .../buckets/chatui/.usage-cache.bin/xl.meta | Bin 615 -> 0 bytes minio-data/.minio.sys/config/config.json/xl.meta | Bin 9811 -> 0 bytes .../.minio.sys/config/iam/format.json/xl.meta | Bin 434 -> 0 bytes minio-data/.minio.sys/format.json | 1 - minio-data/.minio.sys/pool.bin/xl.meta | Bin 479 -> 0 bytes .../xl.meta.bkp | Bin 626 -> 0 bytes .../xl.meta.bkp | Bin 626 -> 0 bytes .../xl.meta.bkp | Bin 615 -> 0 bytes .../xl.meta.bkp | Bin 1496 -> 0 bytes .../xl.meta.bkp | Bin 615 -> 0 bytes .../xl.meta.bkp | Bin 741 -> 0 bytes .../tmp/83c734b7-1c56-4592-b548-07ac6cfac4a0 | Bin 2049 -> 0 bytes .../xl.meta | Bin 1762 -> 0 bytes .../xl.meta | Bin 1753 -> 0 bytes 20 files changed, 1 deletion(-) delete mode 100644 minio-data/.minio.sys/buckets/.bloomcycle.bin/xl.meta delete mode 100644 minio-data/.minio.sys/buckets/.usage-cache.bin.bkp/xl.meta delete mode 100644 minio-data/.minio.sys/buckets/.usage-cache.bin/xl.meta delete mode 100644 minio-data/.minio.sys/buckets/.usage.json/xl.meta delete mode 100644 minio-data/.minio.sys/buckets/chatui/.metadata.bin/xl.meta delete mode 100644 minio-data/.minio.sys/buckets/chatui/.usage-cache.bin.bkp/xl.meta delete mode 100644 minio-data/.minio.sys/buckets/chatui/.usage-cache.bin/xl.meta delete mode 100644 minio-data/.minio.sys/config/config.json/xl.meta delete mode 100644 minio-data/.minio.sys/config/iam/format.json/xl.meta delete mode 100644 minio-data/.minio.sys/format.json delete mode 100644 minio-data/.minio.sys/pool.bin/xl.meta delete mode 100644 minio-data/.minio.sys/tmp/.trash/11283f9a-eee7-4afe-9672-b402348bd728/xl.meta.bkp delete mode 100644 minio-data/.minio.sys/tmp/.trash/2ef9d3f0-0b8c-4aff-822a-782bcdc424e4/xl.meta.bkp delete mode 100644 minio-data/.minio.sys/tmp/.trash/3a6a0107-c784-43ce-8139-97fe06353af9/xl.meta.bkp delete mode 100644 minio-data/.minio.sys/tmp/.trash/9c57986f-c4c5-405d-862b-472401559738/xl.meta.bkp delete mode 100644 minio-data/.minio.sys/tmp/.trash/af87666d-963d-4716-a312-09d970eb9822/xl.meta.bkp delete mode 100644 minio-data/.minio.sys/tmp/.trash/fe52956f-faa2-47ce-80e5-17b1c18ab882/xl.meta.bkp delete mode 100644 minio-data/.minio.sys/tmp/83c734b7-1c56-4592-b548-07ac6cfac4a0 delete mode 100644 minio-data/chatui/users/test@test.com/generated/1761192788_3c82e86a_presentation.html/xl.meta delete mode 100644 minio-data/chatui/users/test@test.com/generated/1761192856_9014354a_presentation.html/xl.meta diff --git a/minio-data/.minio.sys/buckets/.bloomcycle.bin/xl.meta b/minio-data/.minio.sys/buckets/.bloomcycle.bin/xl.meta deleted file mode 100644 index b94e2efec86bcab09fa925ec71f40f65cdc9c438..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 741 zcma#>F;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHylz>?tbcM_9H7ES|y0#=v-#(W`k$ zNM%7P#Y41$Y1T`;vSadF8kIwJ7Y{^_aPm3|Uy_x6n64p->BR@YOpyNKi5D3SSAirP;oK!47EpMpZ%AftD%>~AeN#&kgDZ<0_f+WS zX69w)>t^Paq!#5R<^UNvnR%(YDTyVCM_5XVN>jmVLyL==mH_pn-&8P2O*Kq4PBBb1 zNi|CZQWmC3#>p0z#%6|wiDo9r7Hg98foA2E=#~J(Xh&i}K~83JVo7Fxo_>CENot91 zaY<2XV(!ASa~XTri=Ml=%k2hZzJQ;zenf>dPuagtF<>ifDb zxiUE?)j2=6ASV?ldxt>)uE1`FmXE?o1ow(+)W2tNuDyW9^+{(CTpv|CCw2t4LsjL9 z7J_?3)g*Htoa?}#>Ja0D;M%CWZF5F&E7aIeBFS!1jchxPko};V^iT)Rb<|OI`e}qoa-c`*1JLl03mh*`Tzg` diff --git a/minio-data/.minio.sys/buckets/.usage-cache.bin.bkp/xl.meta b/minio-data/.minio.sys/buckets/.usage-cache.bin.bkp/xl.meta deleted file mode 100644 index 6082f6987145127434315f8d01444a88208b5cc7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 626 zcma#>F;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHylzY3bPY*NFFpWfg7g+PnU|`Yl30>>gr%gYG!?8iw795g2~bb^O@-u?#H6Iu6w_2A zLkrV1%hc3lqvRyBv_xZbv$T{%gQPXd`9QPsN_0zrVYDN$pdcqRIk6-&KTkhDxg@nj zx45JzH8FQ#*}06p>qXCTi~86yHZI94&B-}(f6FybC3dFcGk@wT{IZeNlcf%c8PkhQ%qlK%%&+cs2tIJY6g*%a{)3ElfVNP#>goBGeS10SrLR ZAhkd_7GQjGNbX8&U@mdwin(Ss696)CF;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHylzY*x**BP@(c4<|6PF)$uw^lDxb zQdyA7xHQbjKPl@TgWw`h7fh{7TwF4XjtIoCRZYDu=C0cJX8(;CWu@oKT$3Gh((@S? zyC(aB2tS79uE|cpnN_Km7=YFTIi7hbsTGVsbuO93B@-D}I0u*Jg0-v&NGvMxE6pvQ z$hZ>3bPY*NFFpWfg7g+PnU|`Yl30>>gr%gYG!?8iw795g2~bb^O@-u?#H6Iu6w_2A zLkrV1%hc3lqvRyBv_xZbv$T{%gQPXd`9QPsN_0zrVYDN$pdcqRIk6-&KTkhDxg@nj zx45JzH8FQ#*}06p>qXDmR8DSXY+RC8nv-+n{+4T=O6*L>Xa3Yx_-%K^^3dBUyM%XS z-4(grZy0RHZzsf|u~q*s3qvm}g9=yE63@J}{FWttiMgo@^;i0(R+KnbCg-GvukuMO zE(t9FdLZ>U4=X4>GyXWqsQ!vJSRI_5S>TbH2=rk3p{34=$r-6l%aSt^OG-047A0p) zSX5kfiGkr+`=b0}mPKX742x58fkbgt@oWYbc)D0rmN6a5TbO)kp*~3GM5rl10~mms ZL27|=EWr5WkldBlz+B?U6?4sOCIE@}HV{5VzH+D`fzI0I7IDAQG^hI7zc5joU^fZksp-u~;wmOX}9KQ`@Opq7E(U zj5?JCBp{*Xqrk)hMIfaeE1&~{fdwXn#6Q5m^GDo#6d~SVy?4L+-Tm%-cP&j1;#eQH zi(z=BuMcmYTW=0vU1$Hq+@1Z|+fNEjUz2J4#QQOP2T$Cr^NSUTH>T+E!pv9f=>1f( zms(FIWxYA@?$+Ru-IvL&#+TZ9<>G4XAuGm}l7>HE#fLR|$4x+t;=0}?Pn(`V{cX#3_3eWi{#rO$&52$K<# zjKD%MSfFS?4@pcBh{Y%q3`UC4&{I)Eu~ai)q8_~fm5L&Zz?3!h@{FOW_vZJex1S%| zd-aR`gfG|Cs-o=p(j)J`&;34md~_wt{@6bA?9}Sn=;_J+H!J5S?`}yKM!wYu1sG<& zf>c2wM$jb91Sm2RW*rN$WP2e-9Qpr z7Sc~hP=O}Q0DTrgt|KzLOkOjAV)c%QF+(K9ct93<^`z9IM#QWN{6wKD&O$FC|g)@ diff --git a/minio-data/.minio.sys/buckets/chatui/.metadata.bin/xl.meta b/minio-data/.minio.sys/buckets/chatui/.metadata.bin/xl.meta deleted file mode 100644 index 9322155613c8b67fa3fac9eff99ebd32a106f373..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1189 zcmZ{iPfQa*6vk(4H8Jr3CPs-dAs)CjmSWp99!zO_0NVm?Atc7bFr6+V+u6E1Yg%vU z#eGEAxmNRuzB<5_s!1tzU`0u znjvt34*eVty-mIV@p-Z6 zU}=(vf{Rj}7vV%iGO|_4L^slS(#YyX_|z(6DJ1L5)zZ@I#q}fGlh#IfZ&|V`(H>2t zXqN1`8BY+7q=G)Yl=oyQqpF88PBexTQ7DuVPa1J#y18bMD%-1TcS=GdZ#H`~!BB{h z;6;DyK&UMc@F5)Z`_sNaFysrhwzW=SRh-4Rhl?4_qg+m*7;&ny3o7P>dvvZ5lzn__ zZSc+XsWr*Hat;ocn4u`Eu10Tp=cKnh^!MBE%-D?Q(MHdoa(?#8MoaO>wd(pv~1 z*aA(ZB+8O8JczhK$0Oo6PSPJw9JR6=+?l+8{@=>wXK@t|#TXh;Nc!DOw<<1Ch^Q<> z)xD5l%&I4 z%&AhTY~N$YtH1g}y){R$-j@?Nx6i5*HEVP4#JoN*4<~Y=J_;vrzAj!TZt>vn;e;+7 Q5`q)E*?b6WCFUgf4+5CYF;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHylzto#Y41$Y1T`;vSadF8kIwBA&{UY!et3&M~xy0Q&B_^gXb4_;4NzZ3o z?3(NgBK#PZyCypYXI7#uQa!K zBI8OB(={Y9z4!o_3DRFY@gl>PRUipRIClw%1r%QD8>;Y{icGcrKw@Exp|6(Nt%JFS)!qVg^{s|fw7rI zT56)9k$Kv}vU3@G*NdLpU)H^jv2jUWX->|OE8j{^HVQJG`nY>_ESr4AioHFZDn+aI zYu|OK&OYCpa!ZLrW2^pO76wyRhASLROFZ+^@>`bpCFZ6sOU_6vDa~Bzms(NcT$!Ac z8otUWvA86(0O*U<<2JkIPv-U;##Vm`;iWwHCF;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHylz%qg-0M_A7C&-Z3zV_-bW=+(R= zq_QBDacP*5e^S;x2Ej$1E|^-ExVU5%9T9l2;78)BbFRkgrhH5{R=nl9%r)6DCq18W zv1_s~i11@r?wafroLQB6i2-OmkmH$`l3KwCROgaeTr!byg>!IeE?CQofW)E_ztY^| ziHs{jOxKXa^x^|xCP;tr#ET4DR)HiO;oK!47EpMpZ%AftD%>~AeN#&kgDZ<0_f+WS zX69w)>t^Paq!#5R<^UNvnR%(YDTyVCM_5XVN>jmVLyL==mH_pn-&8QQG&M{%H&3xJ zNi#4tOEfgFFfukVFgCMDOHDL1GEZBRoDVcBuSB;57)Co13kq^FlM_oa^YirclS@)d zbc;)hQWJ9*mYvJkyI%C1Zq^Go#>ORir8zlAu6!#w*(k_#>f`R!v25}cEB5wusuZo- zuYK2{I{SQY$}J@hjjj5BSr|-N8Ln_NE%D4t%WqlYmzbNnEIA{wq%?D-Uus2(b7gW) zYWOOj#Nv|B0-!HakMppCA~oZWlZ;A#WA*Cb?92j>)I^{!(+@3mPE5{7ZCayWTAW%` z+_5M*W5S~1s!I$E&)OH|7qcuXD`r@nk_#k?tBPkcurM$zD$AI@F!?Y@J-XWKjIyGLM;AQwD2VR*b6OVlDvEc#`64qr`$hg#P0x%&bLT_feeqg->hZN}QlC8ezTZBx-TUB6AOHFr|JwWM z>`$Nm{w{ky3{>}fyKK+>d%1IWm%VUZ-V%T4z~kY|i!m36UBF$F#@^}P`^@z;%BI}= z9M$&aG%|O(KX4y+Z_vQ}BKzp(n>)XM`tA?i!1LwTWA_PuetqwTj6`{wyL-aY>vQw! z&kt848B4V)V=Ht_L--KNSgdkt>B$pTry|3C-smqM!<^uq6}Gjtv$M6eIUKOde0yie zhr-}I-hcX6-|oM;`|kE9KJ~Z1*uVe!t55xdfApVU`_bF?Z++*RuYKbKzgyqC-J^-@ zUA^5Sy{lik-J6Pe?`ltrSt^V*B%+7Ces7zt_B2rcmt7&W!rESy7g9(}tf)2?nRXUB(lE!MuEP`oKiispz z!XE4#;c04B3mOhj4wRk>ZP0|_1{MQe-QhzWG|ah#r(`FTPHl}y3^kU9f}}~PC^v+K zg2rh=GJ^u0piN!Ig7IgG!$fL);=vXMa}f#<`+~KH5t0v=hK^uQic2j(&S%DfK=nZt zqv7C|Oo$rYg!x#oYCJ|Dt&}B{F=0FmUdPO1M#Mfiga`4K$sgnFnCycdLFgEJWiZ&> z+#YOfUfvmQZEp{EHnw|5uN?JzH09EgDIHH~)i*@!1b`0i@7tgG}5YKOK8wg z6Oz=pND<-HtB`~m14hZ4ACavR2{xgzG}tYYkb>u7_mv=Q7(gcA#Lx$6#p^C^ttdrUpF;lP?(4HLQJ@~jnx#$__un^2rK@7xeG=6Er{nb!l z*9e5I;XsTgN=?sc4{T|6O+pUd&t4z)S}53cT!nS>+?ay2$zF2*zs?W)mi<)RVc_~OdNG&XcBRt3cN zvu`{k>41GOAQ=+{!LveUmIUl^Ms{LPIa!Ky8U>lcL5#~A=Ug^tJR)X#p154! zDhP21l&+eX*6g9}uZ1e;uQ9XVUvvDfzh6c@YUO0g=qt&2$bwV_=@NmWEabAl3Nlc0Un7 z!8{qrOf+^*LQa$V!797~?FE7cBrrlb_mfW^s4_~yP2VA&IM=l;D`xo+qpd?tTahCUk zPJsi0tSzjK&gPRNX-lurZf(C}&YJ9;@b+w1T3c7V5ptx-?@Hu#jN5y>|8wNVTCV(~rH3e5K?f{{HL1vqRKhh9WY&5^bP!2tSb`51- z2x(18FV{NuFkGJz#p9b)>6oaKM0M2VG!B9+i+ zwmkj&(Wuo&#i1+a1Dw;4>`q5B_J>RzK_Dwz83#2AQ>rGSF|;I=SG@U~qOyX<%3`xD5jp1NO3F~YujT-#u)zZxs>I4ALRp7{XLHfg zVMXOS386FW6JwV{3oDIg)}GU0^X@GQC&(QaG<_TWrS!(dzBW@hd|}y5g-GC11>#{- zSIrZhD;u+x&{E_QZMT{Wmh0TiPK)C5Hfc#De4v2G4b-(zf5t(J1}X^(Dd%C2RVvAK zFZ~O)m~pF2o^!L($_ASjB&%l+L$({<@=- z*TY6l7X$JR9AvZFwRUSg($XYCt3BebQ=Tn}yR{l1&1aF;JynaK;X0;Pu{fw<6f$=0 zLe3<@t22wcIAmLrL%XsHL*wvT2HXlj^$j7h>BWMq)l_QCLyuL+Yj2cz7tv7Y(w1I{ zODmP@O|&Zpok?67=fuQFTf3O4NvqszA>FfFSu6q#0vfpYMBx2{B8V1OLcmaBXdqWO a4_tS`wU)n|@*(ibQF}k4-YRF;ZY;U}iYRz`&Tr%*=R1ZTb-b1~hP4qL3jt{b-%%5te1F8{`?;7#NQ-+B7c- zsVqokTpDKNpOkfvL2!|$3#Qg3E-slxM+CNZEq-=M+QV?xx~unM-;{+fb4_;4NzZ3o z?3(NgBK#PZyCypYXI7#uQa!K zBI8OB(={Y9z4!o_3DRFYk#`kH*b&NE0-|}B`i5lYro#QP+&8r(F}Sk0aZiPAZf0I) zzHVk-NorAEVh)gzlbM&Qo03?Pc!Z^-s5BLF;ZY;U}iYRz`$6<%*=R1ZTb-b1~hP4qL3jt?dI#NM_Bj`I(r$}7#NQ-x->5d zsVqokTpDKNpOkfvL2!|$3#Qg3E-slxM+AJ`1t*;0^*pu2>3Yrk>p^zQT$3Gh((@S? zyC(aB2tS79uE|cpnN_Km7=YFTIi7hbsTGVsbuO93B@-D}I0u*Jg0-v&NGvMxE6pvQ z$hZ>3bPY*NFFpWfg7gF;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHyl^$^&I?M_9Nv+pS?_V_-bW=+(R= zq_QBDacP*5e^S;x2Ej$1E|^-ExVU5%9T8~T6B)c{m+!mTCfo8ku9d_rb4_;4NzZ3o z?3(NgBK#PZyCypYXI7#uQa!K zBI8OB(={Y9z4!o_3DRFY@gl?iRUipRIClw%1r%QD8)WqC{W#=;Xt`|MGHQE0SW8;#%(wv+l_aFQ(Kb0nOUTSZK=5mhd9FD4*>^GdE zFS!?9vOoIp>(5XQjjj5BSr~d*8C1BMmU!l+<+m*HOUzAOsK3%LwW7qiGC3zTbd^tH zaY<+a&;zN*d00X5neoSQi7M;myQ_n9Fn`z8kkEQxi&J)Uj_haS?4?e diff --git a/minio-data/.minio.sys/tmp/.trash/2ef9d3f0-0b8c-4aff-822a-782bcdc424e4/xl.meta.bkp b/minio-data/.minio.sys/tmp/.trash/2ef9d3f0-0b8c-4aff-822a-782bcdc424e4/xl.meta.bkp deleted file mode 100644 index db6e088873ca78fc6274caec81f71fad3966be33..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 626 zcma#>F;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHyl^%IZeFBP?sKySp&5F)$uw^lDxb zQdyA7xHQbjKPl@TgWw`h7fh{7TwF4XjtE5CXqRoPb-uEW>yTbb?b%DqT$3Gh((@S? zyC(aB2tS79uE|cpnN_Km7=YFTIi7hbsTGVsbuO93B@-D}I0u*Jg0-v&NGvMxE6pvQ z$hZ>3bPY*NFFpWfg7g+PnU|`Yl30>>gr%gYG!?8iw795g2~bb^O@&l5lT?G$L<_@2 z3yY+*R70aQQ;XyzGowUv3kyp#L*q5c`9QPsN_0zrVYDN$pdcqRIk6-&KTkhDxg@nj zx45JzH8FQ#*}06p>qXCf%Uh|**tjIGG$-fC{RjWcPo;^Rm)e`5xtwDaX-mttfG>OwLISUFDNl zToPIU^g!xy9#&9%X8dtnqRM*t?&{#|%mR}n(3nYrGif1#hz|+N|vW)3a-ooTV3-v)dCqhjD8o&V5 a3{ne}V*$n|hvcrb2Idk+u8j=ymjM6(`{rc; diff --git a/minio-data/.minio.sys/tmp/.trash/3a6a0107-c784-43ce-8139-97fe06353af9/xl.meta.bkp b/minio-data/.minio.sys/tmp/.trash/3a6a0107-c784-43ce-8139-97fe06353af9/xl.meta.bkp deleted file mode 100644 index 22dee3fbf64c48c86ee7b073c0c4e4d15e6253c7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 615 zcmZXRKWI}y9LMiyBE>&Y1)&Z?i#2q4hQykfr4W;VX`3jd5pnW*xx9D!{=|3pLXxSC z#db6x1St+pUYn*C6sa_Wio|H?QZROLad2=E#iffVdM`r{6F6Rr zNB_6l(I_>=_|(^@?xkeC)t-IO_*t&3#&B4b4Ooxigj15B5yO{Kv_!fG)aYJ=k1#F2V<`?Ipw5vPXk zH83Y!V%#K1v&Cll;}9mk5Y7gJ!4L@{N0-gkQG4!L5bb% eelR<5@%xF>jnB&b&Y7%dhtYe(QMgsAuKfl3zv=V< diff --git a/minio-data/.minio.sys/tmp/.trash/9c57986f-c4c5-405d-862b-472401559738/xl.meta.bkp b/minio-data/.minio.sys/tmp/.trash/9c57986f-c4c5-405d-862b-472401559738/xl.meta.bkp deleted file mode 100644 index 9e7d03414fcdebf99f7f88c8d9f467e501c5f3fa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1496 zcmb7D&1=(O7*A*skMkhx=E%W|t-eW{t_^r-*Vq-?Y_#bddI)cmw_Ub0sYyEa!IUY2 z2M_Kbo)kYiH)Wt6L?#M?ouG%|2MiS4pWwlZpcmhyY1fa5_#VRhKELPpJiq73^Gs%# zA(HSBZwZ2|`g~;L=*`9e(Q`fzp1<{c!M8l$@c%frn;;Jmo7h+Lgu#){Ls z#G!lXWIwf@OsZyMU~=I0yY!31@6D-$=!Wua@BuH!wX#9p=jE*P5r{QjPUO`E^ohXf z@guD(XpY2wN!7Af$n}wYt>RMF$DwHpwTiVuK6I|U2+P)M_v-Mim5=_wBL|4LpLOSk z&8t~at)O-_YguH&{JgdNaxPd=b=3%}x{XX7YWSk5ItnV#h7G@M){yI4u*^$!%qf2v z8ZL%PpcIKHvEfJALC#{zZigPLmP{o=&gW3t{ zwxM9bGHN<5Qt}kEYbwPpQr13^$C0k6dbuM(hlo98r=Y4KCe^IfxbL_ z9(&#On&wX3C>~m)Y{H6DXMz{c@Vp?=fC(q0xR8`+DVuQrNGBvUu}D}t-3wxOmxnQj zi2KkcGSL>u(o7%P!f4P7F>D0qaicm!CuK+2rl~_~2j&WNp=OLOqN}jUbCtPZD#yn~ zJ|~HzaY5>knc?&KrqOAQFsBhF-z6zPlIFEZP{f zqnWCxLtkIgrWORLwBR44zFO)~uy%2AaBx#x+^l-9LkGR#$M<*l`TmaY-Q{d}2m%jy z2LP;lJkSYDIX>{u`gr8Vwm=(X6Nu|YlhMkg4h5H@ zjJM%jvS6w^mbr__;CWMJZP;^Vx`-t9W=Fby*8Tt%=iP(EZfmF_vpK?1 zVVq68tOr%9Q9VdCP7DnxLMT)t!7}2=@p8i?J8X#=Okpvf75dx zPS~2MD9+Yv`~20D_)2v1$8c{gSbDbT|1%mlf7*e4Ck`w>_*Uy5ejeKPg42CqtG{Vy zw2I!c^GGFKEF*5xUY^u>avUq9G@nI`m#QKKS=-;|eyaQ{VIQBAq$h>zw0e#pky2Xe zBoUTLb0K6hVz5aI%l9nS*aYC~T}x+PtH!`gSrvsf*hAn2z^chp)A+4Rwgm|UC1$Vm dgIm5c-wz#~{UW#4k5vNejNb95;8J61?k{Z9=qdmJ diff --git a/minio-data/.minio.sys/tmp/.trash/fe52956f-faa2-47ce-80e5-17b1c18ab882/xl.meta.bkp b/minio-data/.minio.sys/tmp/.trash/fe52956f-faa2-47ce-80e5-17b1c18ab882/xl.meta.bkp deleted file mode 100644 index bcc7841110843d4ea36cd9ddf63ed1be1f3c63bd..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 741 zcma#>F;ZY;U}iYRz`$6+%*=R1ZTb-b1~hP4qHyl^D$ZY9j#uQa!K zBI8OB(={Y9z4!o_3DRFY@gk$)Dv*RDoVx_X0tzqn4av++h5Kf?Z)!q>mgp9j6s0ESE&-aHepA8R$UMo|EIBnbIngl9)FQqXDK+&NE*v2jUWX->{j#=tw1>wRKbcj=cJbT4k7w=~pZsZ@U? zPgbSmnM1cXEAOohgGNuw^5oK@BA{CsmgJ>Yl!PrWE&+NwHRU)DD@aAgAIBvsp#kUD zC08crq&ny47UZM?W$!Quz!lgjs2Z!uBe*fD)iD+b?hGv-g_8*G71gMJ&){5p0gdaE z&LFrxs&-E72yTa}$`vgH_lT-V<~}&rfkD+F#s|T*QFq(sjNn$Nv7bbe-J%-Vb{rx5 fK{e^24xH<#qgwgwHiDa>y4r9eg1bbur}``aUdsJB diff --git a/minio-data/.minio.sys/tmp/83c734b7-1c56-4592-b548-07ac6cfac4a0 b/minio-data/.minio.sys/tmp/83c734b7-1c56-4592-b548-07ac6cfac4a0 deleted file mode 100644 index e36ee44665fb70c4cacbf2be6feee8abc1e3a467..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2049 dcmZQz7zLvtFd71*Aut*OqaiRF0wXO1v;YVz04o3h diff --git a/minio-data/chatui/users/test@test.com/generated/1761192788_3c82e86a_presentation.html/xl.meta b/minio-data/chatui/users/test@test.com/generated/1761192788_3c82e86a_presentation.html/xl.meta deleted file mode 100644 index 170bae18b98fc817fe2d88ff21e7918795423b18..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1762 zcmah}OKclO81^bDLPbJF0*T|`3PhxAZ0BJdXKj=wj#@!dqa>)kAkFTK?IE)}%gn4F z1rD^FI8@4o2)OV_X#z!v#}N<*7apK(h4n$jTaCZg zQdcY9sdaXN-cCV!*qjLnZChZs%#_}?_LkNo-?;2mvD9mkuePoIcv;!Nb@i=T#{O#i z*7&a<#TSc%?QXn+<14Eh%%_8DuC7vz*E{OsS8dy80TVV0G?fA7u;479Ho+Qq$F+>; zmm?;g^t#9HU)uTOrirturWrK@p#ZYWxci=M4VqgW>x;2c=(^-=G(vP%ia$^pa1EF($f#Fy!+;X zJb2*NwTauWIFBu#UD`Nbt)Mtn`M4ARAdZ82DNTcPd_XZNA4l*wJ|IC}14~79DZRO| zVi&;T@G8b%N;es8g+l5y>hV!Zw;0il5}{4zQQK@L5iqV9aIHMdX(>0A?T6A#b6T#7 z7L`>2lA!7kBTgo{PO>W90aLS%QMiJ1(95U>GT1fjGu|npMF~kJk-~wp6_u>EfP5@L zi6Y7_pb!%Rq7;GMu)Tm>>}}Phhyr4Jf(uzhCu?)@yMSIDWSLT&5ej(@t&6DDV45C= zj>91wX)%;y)}-)pJ7J)R3fUy7XxplRiD&^NGz*S-_{h48pUh60cPcjl*n}ih+7c5M zDR7SQhPX~`S5mxX;~MmC5n zDJT7^Y*%P4`~g=9p1~ntRsxtoCue5o3&b5%KJd$#a*q-TOq;3c3zuNY87yWB8$B$! zsr)_a>U&2V0*oqab6SHsX8t=hX9MQ}S_5DNEc1bKV?2;?HjyzFwhwhCIU-Dj977Yj zTzFf39uoq4-El-!Q2!n^29fVl30Xs-U}yyNE_Q+JC~i3|!Xiqjm5FFcFZYFhs#fp{ zAmWhFxuG;prZ+@RCYf|6o}%7V6V^l?$4Zsbrs;blY9{{Zot>aem)FgB7%Q6!wzvqh8t`ka}ZqQ2{CIpV)3)$2JOaq85?VQXCWzm)Y6zdYaiCcV;%W zi+U(B2G|oaFMtK0T;?45)wBqAdujI5N~H~CyFcBmF@X??|t9< z-g{nueim7Ysl-=_gmrgn${L)yJ~);*^n8Ef($uvpzgBhz(^ubm^0xI5*jm?L>oAAf({(0cewQp9un~P+gd%}8ekt|1F zD~atz^6Vp>JGv>R9TP&{td5t!TN}z@GZjEF*ul z_3iWz??)H&<841$!SRjd2J`7So9$()@oG=K`gzy(S-^zN0!?LrIV?B}sO@5n2h&=H z^wS9wBFW&vN8UX8*c}sRP0819uiNwfWjhLMFELI7?9)%$k}4W#teFT>E$#C@TzmIW zrdi15&K8>_SHQ%{xR?}aKA+1MW=Zi(wn;uD0@wuF)}Zn&O}jcBd4CjRK++xyybqKJ zC7~591b=69xAn!xkM90md!k@n?FS*}cc=e)`_j+Vqd!^?2Y(#jeR=6b;X%c` zT>SI1^_})l=hn)P*DfqHUaT*oD0=lsIr>2y2VNyfgJg6-v0FWY;3@k+9g!B6it0*o zt+8Ym!D9a^O1P5TWVF*3QYX4{lxCXK zYF%`wtP3a!svnTBoQ|(!RHb`hYSs}8N4P!o3TlFKb`$%I_eyA90>}(fI8e5tk~Qa$ zk0pp#LYX<##;yxGme6db-JL@YCL5jEr0?>ECmAs8km^ophKD0 z(j@@p?kFqU5n2m>tX0fsdfm)b;g;G{jw(A!$N}6rqM@*i@9VC7c+&e zA(w3G^nLOgd50VVOjg$BvJLnEMfu>)dXj85b??fDNMLbaG>;af^dN@SobUf+hXo`kY?XpcoI995XG)+GoQ8V#}@9damvbt) Date: Sat, 25 Oct 2025 20:06:03 +0000 Subject: [PATCH 02/17] Update .gitignore with MinIO volume exclusions --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 1f64780..f18bc00 100644 --- a/.gitignore +++ b/.gitignore @@ -78,6 +78,7 @@ test-results/ # MinIO Data (persistent storage) data/minio/ +minio-data/ # Legacy S3 Mock Storage (deprecated) -mocks/s3-mock/s3-mock-storage/ \ No newline at end of file +mocks/s3-mock/s3-mock-storage/ From 87f5d81f5a69fe3754e52060ff70dce6f5509b01 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 20:41:12 +0000 Subject: [PATCH 03/17] feat(chat): add file attachment functionality to chat sessions - Implement handle_attach_file method in ChatService to attach user files to sessions via S3 key - Update WebSocket connection adapter to authenticate user from query params or config fallback - Handle "attach_file" message type in WebSocket endpoint, calling handle_attach_file with authenticated user - Ensures file ownership verification and adds file to session context securely --- backend/application/chat/service.py | 76 ++++ .../transport/websocket_connection_adapter.py | 9 +- backend/main.py | 26 +- backend/routes/files_routes.py | 50 ++- backend/tests/test_file_library.py | 107 +++++ docs/file_library_implementation.md | 215 +++++++++ frontend/src/components/AllFilesView.jsx | 416 ++++++++++++++++++ frontend/src/components/FileManager.jsx | 134 +----- frontend/src/components/FileManagerPanel.jsx | 105 +++-- frontend/src/components/SessionFilesView.jsx | 133 ++++++ 10 files changed, 1084 insertions(+), 187 deletions(-) create mode 100644 backend/tests/test_file_library.py create mode 100644 docs/file_library_implementation.md create mode 100644 frontend/src/components/AllFilesView.jsx create mode 100644 frontend/src/components/SessionFilesView.jsx diff --git a/backend/application/chat/service.py b/backend/application/chat/service.py index cde9d74..4e02a22 100644 --- a/backend/application/chat/service.py +++ b/backend/application/chat/service.py @@ -321,6 +321,82 @@ async def handle_reset_session( "message": "New session created" } + async def handle_attach_file( + self, + session_id: UUID, + s3_key: str, + user_email: Optional[str] = None, + update_callback: Optional[UpdateCallback] = None + ) -> Dict[str, Any]: + """Attach a file from library to the current session.""" + session = self.sessions.get(session_id) + if not session: + session = await self.create_session(session_id, user_email) + + # Verify the file exists and belongs to the user + if not self.file_manager or not user_email: + return { + "type": "file_attach", + "s3_key": s3_key, + "success": False, + "error": "File manager not available or no user email" + } + + try: + # Get file metadata + file_result = await self.file_manager.get_file(user_email, s3_key) + if not file_result: + return { + "type": "file_attach", + "s3_key": s3_key, + "success": False, + "error": "File not found" + } + + filename = file_result.get("filename") + if not filename: + return { + "type": "file_attach", + "s3_key": s3_key, + "success": False, + "error": "Invalid file metadata" + } + + # Add file to session context + session.context = await file_utils.handle_session_files( + session_context=session.context, + user_email=user_email, + files_map={ + filename: { + "key": s3_key, + "content_type": file_result.get("content_type"), + "size": file_result.get("size"), + "filename": filename + } + }, + file_manager=self.file_manager, + update_callback=update_callback + ) + + logger.info(f"Attached file {filename} ({s3_key}) to session {session_id}") + + return { + "type": "file_attach", + "s3_key": s3_key, + "filename": filename, + "success": True, + "message": f"File {filename} attached to session" + } + + except Exception as e: + logger.error(f"Failed to attach file {s3_key} to session {session_id}: {e}") + return { + "type": "file_attach", + "s3_key": s3_key, + "success": False, + "error": str(e) + } + async def _handle_plain_mode( self, session: Session, diff --git a/backend/infrastructure/transport/websocket_connection_adapter.py b/backend/infrastructure/transport/websocket_connection_adapter.py index cb0a735..4b2ba7a 100644 --- a/backend/infrastructure/transport/websocket_connection_adapter.py +++ b/backend/infrastructure/transport/websocket_connection_adapter.py @@ -1,6 +1,6 @@ """WebSocket connection adapter implementing ChatConnectionProtocol.""" -from typing import Any, Dict +from typing import Any, Dict, Optional from fastapi import WebSocket @@ -12,10 +12,11 @@ class WebSocketConnectionAdapter: Adapter that wraps FastAPI WebSocket to implement ChatConnectionProtocol. This isolates the application layer from FastAPI-specific types. """ - - def __init__(self, websocket: WebSocket): - """Initialize with FastAPI WebSocket.""" + + def __init__(self, websocket: WebSocket, user_email: Optional[str] = None): + """Initialize with FastAPI WebSocket and associated user.""" self.websocket = websocket + self.user_email = user_email async def send_json(self, data: Dict[str, Any]) -> None: """Send JSON data to the client.""" diff --git a/backend/main.py b/backend/main.py index 1838c3f..140dd70 100644 --- a/backend/main.py +++ b/backend/main.py @@ -176,10 +176,18 @@ async def websocket_endpoint(websocket: WebSocket): Main chat WebSocket endpoint using new architecture. """ await websocket.accept() + + # Basic auth: derive user from query parameters or use test user + user_email = websocket.query_params.get('user') + if not user_email: + # Fallback to test user or require auth + config_manager = app_factory.get_config_manager() + user_email = config_manager.app_settings.test_user or 'test@test.com' + session_id = uuid4() - - # Create connection adapter and chat service - connection_adapter = WebSocketConnectionAdapter(websocket) + + # Create connection adapter with authenticated user and chat service + connection_adapter = WebSocketConnectionAdapter(websocket, user_email) chat_service = app_factory.create_chat_service(connection_adapter) logger.info(f"WebSocket connection established for session {session_id}") @@ -237,7 +245,17 @@ async def websocket_endpoint(websocket: WebSocket): user_email=data.get("user") ) await websocket.send_json(response) - + + elif message_type == "attach_file": + # Handle file attachment to session (use authenticated user, not client-sent) + response = await chat_service.handle_attach_file( + session_id=session_id, + s3_key=data.get("s3_key"), + user_email=user_email, # Use authenticated user from connection + update_callback=lambda message: websocket_update_callback(websocket, message) + ) + await websocket.send_json(response) + else: logger.warning(f"Unknown message type: {message_type}") await websocket.send_json({ diff --git a/backend/routes/files_routes.py b/backend/routes/files_routes.py index 3f1e0d7..69b9083 100644 --- a/backend/routes/files_routes.py +++ b/backend/routes/files_routes.py @@ -11,7 +11,7 @@ from fastapi import APIRouter, Depends, HTTPException, Request, Response from fastapi import Query import base64 -from pydantic import BaseModel +from pydantic import BaseModel, Field from core.utils import get_current_user from infrastructure.app_factory import app_factory @@ -26,7 +26,7 @@ class FileUploadRequest(BaseModel): filename: str content_base64: str content_type: Optional[str] = "application/octet-stream" - tags: Optional[Dict[str, str]] = {} + tags: Optional[Dict[str, str]] = Field(default_factory=dict) class FileResponse(BaseModel): @@ -57,6 +57,15 @@ async def upload_file( current_user: str = Depends(get_current_user) ) -> FileResponse: """Upload a file to S3 storage.""" + # Validate base64 content size (configurable limit to prevent abuse) + try: + content_size = len(request.content_base64) * 3 // 4 # approximate decoded size + max_size = 50 * 1024 * 1024 # 50MB default (configurable) + if content_size > max_size: + raise HTTPException(status_code=413, detail=f"File too large. Maximum size is {max_size // (1024*1024)}MB") + except Exception: + raise HTTPException(status_code=400, detail="Invalid base64 content") + try: s3_client = app_factory.get_file_storage() result = await s3_client.upload_file( @@ -75,21 +84,6 @@ async def upload_file( raise HTTPException(status_code=500, detail=f"Upload failed: {str(e)}") -# Place health endpoint before dynamic /files/{file_key} routes to avoid capture -@router.get("/files/healthz") -async def files_health_check(): - """Health check for files service.""" - s3_client = app_factory.get_file_storage() - return { - "status": "healthy", - "service": "files-api", - "s3_config": { - "endpoint": s3_client.endpoint_url if hasattr(s3_client, 'endpoint_url') else "unknown", - "bucket": s3_client.bucket_name if hasattr(s3_client, 'bucket_name') else "unknown" - } - } - - @router.get("/files/{file_key}", response_model=FileContentResponse) async def get_file( file_key: str, @@ -128,9 +122,25 @@ async def list_files( file_type=file_type, limit=limit ) - - return [FileResponse(**file_data) for file_data in result] - + + # Convert any datetime objects to ISO format strings for pydantic validation + processed_files = [] + for file_data in result: + processed_file = file_data.copy() + if isinstance(processed_file.get('last_modified'), str): + # If already a string, keep it + pass + else: + # Convert datetime to ISO format string + try: + processed_file['last_modified'] = processed_file['last_modified'].isoformat() + except AttributeError: + # If it's not a datetime object, convert to string + processed_file['last_modified'] = str(processed_file['last_modified']) + processed_files.append(processed_file) + + return [FileResponse(**file_data) for file_data in processed_files] + except Exception as e: logger.error(f"Error listing files: {str(e)}") raise HTTPException(status_code=500, detail=f"Failed to list files: {str(e)}") diff --git a/backend/tests/test_file_library.py b/backend/tests/test_file_library.py new file mode 100644 index 0000000..0cbed69 --- /dev/null +++ b/backend/tests/test_file_library.py @@ -0,0 +1,107 @@ +#!/usr/bin/env python3 +""" +Unit tests for File Library implementation. +Tests the new file library feature including: +- AllFilesView component functionality +- SessionFilesView component +- FileManagerPanel tab switching +- Backend attach_file endpoint +- WebSocket attach_file message handling +""" + + + +# Test the backend attach_file functionality +class TestAttachFileBackend: + def test_handle_attach_file_success(self): + """Test successful file attachment to session""" + # This would be a full integration test when backend is running + pass + + def test_handle_attach_file_file_not_found(self): + """Test handling of file not found error""" + pass + + def test_handle_attach_file_unauthorized(self): + """Test handling of unauthorized access""" + pass + +# Frontend component tests would go here +# These would typically use a testing framework like Jest or Vitest + +class TestAllFilesView: + def test_fetch_all_files(self): + """Test fetching all user files""" + pass + + def test_search_filter(self): + """Test file search functionality""" + pass + + def test_sort_functionality(self): + """Test file sorting by different criteria""" + pass + + def test_type_filter(self): + """Test filtering by file type (uploaded vs generated)""" + pass + + def test_load_to_session(self): + """Test loading file to current session""" + pass + + def test_download_file(self): + """Test file download functionality""" + pass + + def test_delete_file(self): + """Test file deletion""" + pass + +class TestSessionFilesView: + def test_display_session_files(self): + """Test displaying files in current session""" + pass + + def test_file_actions(self): + """Test download, delete, and tagging actions""" + pass + +class TestFileManagerPanel: + def test_tab_switching(self): + """Test switching between Session Files and File Library tabs""" + pass + + def test_initial_tab_state(self): + """Test that panel opens on Session Files tab by default""" + pass + +# Integration test scenarios +class TestFileLibraryIntegration: + def test_end_to_end_workflow(self): + """ + Test end-to-end workflow: + 1. Upload file in session A + 2. Start new session B + 3. Open File Library tab + 4. Search for and find file from session A + 5. Load file into session B + 6. Verify file appears in Session Files + """ + pass + +if __name__ == "__main__": + print("File Library unit tests") + print("Note: Most testing should be done manually through the UI") + print("because the functionality primarily involves user interaction.") + print("") + print("Manual testing checklist:") + print("- Open File Manager panel") + print("- Switch between 'Session Files' and 'File Library' tabs") + print("- Verify files are displayed correctly in each tab") + print("- Search, filter, and sort files in File Library") + print("- Download files from File Library") + print("- Delete files from File Library") + print("- Load files from File Library to current session") + print("- Verify loaded files appear in Session Files tab") + print("- Test error handling for failed operations") diff --git a/docs/file_library_implementation.md b/docs/file_library_implementation.md new file mode 100644 index 0000000..42eb2e6 --- /dev/null +++ b/docs/file_library_implementation.md @@ -0,0 +1,215 @@ +# File Library Implementation Plan + +## Overview + +Add a "File Library" feature to show all user files across all sessions (not just current session files), with download, delete, and load-to-session capabilities. + +## Current State + +### Already Implemented (Backend) + +All core backend functionality exists: + +- `GET /api/files` - List all user files (files_routes.py:117) +- `GET /api/files/download/{file_key}` - Download file (files_routes.py:197) +- `DELETE /api/files/{file_key}` - Delete file (files_routes.py:139) +- `GET /api/users/{user_email}/files/stats` - User stats (files_routes.py:163) +- S3Client with full CRUD operations (modules/file_storage/s3_client.py) +- Authorization and auth checks already integrated + +### Current Frontend + +- `FileManager.jsx` - Shows session files only +- `FileManagerPanel.jsx` - Modal wrapper for file manager +- Download/delete actions work for session files + +## Implementation Plan + +### Phase 1: Frontend Tab UI (1 day) + +**Add tab switcher to FileManagerPanel:** + +1. Add state for active tab: `useState('session' | 'library')` +2. Add tab buttons in header +3. Conditionally render SessionFilesView or AllFilesView + +**Create new components:** + +``` +frontend/src/components/ +├── AllFilesView.jsx - New component (similar to FileManager) +└── SessionFilesView.jsx - Rename/refactor existing FileManager +``` + +**AllFilesView features:** +- Fetch from `GET /api/files?limit=1000` +- Display file list with same UI as FileManager +- Add search/filter (client-side) +- Show file metadata: name, size, type, date, source +- Actions: Download, Delete, "Load to Session" + +### Phase 2: Load to Session Feature (0.5 days) + +**Backend:** + +Add new endpoint or WebSocket message type: + +```python +# Option A: REST endpoint +POST /api/sessions/current/files +Body: { "s3_key": "users/..." } + +# Option B: WebSocket message +{ "type": "attach_file", "s3_key": "users/..." } +``` + +Implementation: +- Fetch file metadata from S3 +- Add to session context files dictionary +- Emit files_update to frontend +- Return success/error + +**Frontend:** +- Add "Load to Session" button in AllFilesView +- Call new endpoint/send WS message +- Show success notification +- Refresh session files view + +### Phase 3: Polish (0.5 days) + +**UX improvements:** +- Add loading states +- Add confirmation modal for delete +- Show which files are already in current session +- Add sort by (name, date, size, type) +- Add filter by type (code, image, document, data, other) +- Display storage stats + +**Error handling:** +- Handle failed downloads +- Handle delete errors +- Handle network errors + +## Implementation Details + +### Tab UI Structure + +```jsx +// FileManagerPanel.jsx +const [activeTab, setActiveTab] = useState('session') + +
+ + +
+ +{activeTab === 'session' ? ( + +) : ( + +)} +``` + +### AllFilesView API Integration + +```javascript +// AllFilesView.jsx +useEffect(() => { + fetch('/api/files?limit=1000', { + headers: { 'Authorization': `Bearer ${token}` } + }) + .then(res => res.json()) + .then(files => { + // Convert to organized format + const organized = organizeFiles(files) + setAllFiles(organized) + }) +}, []) +``` + +### Load to Session Logic + +```javascript +const handleLoadToSession = async (file) => { + try { + const response = await fetch('/api/sessions/current/files', { + method: 'POST', + headers: { 'Content-Type': 'application/json' }, + body: JSON.stringify({ s3_key: file.key }) + }) + + if (response.ok) { + showNotification('File loaded to session') + // Session files will update via WebSocket + } + } catch (error) { + showError('Failed to load file') + } +} +``` + +## File Organization + +``` +frontend/src/components/ +├── FileManagerPanel.jsx - Modal container with tabs (MODIFY) +├── SessionFilesView.jsx - Current session files (RENAME from FileManager.jsx) +└── AllFilesView.jsx - All user files (NEW) + +backend/routes/ +└── files_routes.py - Add attach endpoint (MODIFY) + +backend/application/chat/ +└── service.py - Add attach_file method (MODIFY) +``` + +## Testing + +**Backend:** +- Test attach file to session +- Test authorization (can't attach other user's files) +- Test session context updates + +**Frontend:** +- Test tab switching +- Test file list rendering +- Test download/delete actions +- Test load to session flow +- Test search/filter + +**E2E:** +1. Upload file in session A +2. Start new session B +3. Open File Library +4. Find file from session A +5. Load into session B +6. Verify file appears in session B files + +## Success Criteria + +- Users can view all their files across all sessions +- Users can download any file +- Users can delete any file +- Users can load old files into current session +- UI is responsive and intuitive +- No regressions to existing session file functionality + +## Estimated Time + +- Phase 1 (Frontend tabs): 1 day +- Phase 2 (Load to session): 0.5 days +- Phase 3 (Polish): 0.5 days +- **Total: 2 days** + +## Future Enhancements + +- Pagination for large file lists +- Bulk delete +- File preview modal +- User-defined tags/labels +- Storage quota display +- Auto-cleanup of old files diff --git a/frontend/src/components/AllFilesView.jsx b/frontend/src/components/AllFilesView.jsx new file mode 100644 index 0000000..15191df --- /dev/null +++ b/frontend/src/components/AllFilesView.jsx @@ -0,0 +1,416 @@ +import { useState, useEffect } from 'react' +import { + File, + Image, + Database, + FileText, + Code, + Download, + Trash2, + ArrowUpToLine, + Search, + SortAsc, + SortDesc, + Filter, + Loader +} from 'lucide-react' +import { useChat } from '../contexts/ChatContext' +import { useWS } from '../contexts/WSContext' + +const AllFilesView = () => { + const { token, user: userEmail } = useChat() + const { sendMessage } = useWS() + const [allFiles, setAllFiles] = useState([]) + const [filteredFiles, setFilteredFiles] = useState([]) + const [loading, setLoading] = useState(true) + const [error, setError] = useState(null) + const [notification, setNotification] = useState(null) + const [searchQuery, setSearchQuery] = useState('') + const [sortBy, setSortBy] = useState('last_modified') + const [sortOrder, setSortOrder] = useState('desc') + const [typeFilter, setTypeFilter] = useState('all') + + useEffect(() => { + fetchAllFiles() + }, []) + + useEffect(() => { + applyFiltersAndSort() + }, [allFiles, searchQuery, sortBy, sortOrder, typeFilter]) + + const fetchAllFiles = async () => { + try { + setLoading(true) + const response = await fetch('/api/files?limit=1000', { + headers: { + 'Authorization': `Bearer ${token}` + } + }) + + if (!response.ok) { + throw new Error(`Failed to fetch files: ${response.statusText}`) + } + + const files = await response.json() + setAllFiles(files) + } catch (err) { + setError(err.message) + console.error('Error fetching all files:', err) + } finally { + setLoading(false) + } + } + + const applyFiltersAndSort = () => { + let filtered = [...allFiles] + + // Apply search filter + if (searchQuery) { + filtered = filtered.filter(file => + file.filename.toLowerCase().includes(searchQuery.toLowerCase()) + ) + } + + // Apply type filter + if (typeFilter !== 'all') { + filtered = filtered.filter(file => file.tags?.source === typeFilter) + } + + // Apply sorting + filtered.sort((a, b) => { + let aVal, bVal + + switch (sortBy) { + case 'name': + aVal = a.filename.toLowerCase() + bVal = b.filename.toLowerCase() + break + case 'size': + aVal = a.size + bVal = b.size + break + case 'last_modified': + aVal = new Date(a.last_modified) + bVal = new Date(b.last_modified) + break + default: + return 0 + } + + if (aVal < bVal) return sortOrder === 'asc' ? -1 : 1 + if (aVal > bVal) return sortOrder === 'asc' ? 1 : -1 + return 0 + }) + + setFilteredFiles(filtered) + } + + const getFileIcon = (file) => { + const extension = file.filename.split('.').pop()?.toLowerCase() + switch (extension) { + case 'js': + case 'jsx': + case 'ts': + case 'tsx': + case 'py': + case 'java': + case 'cpp': + case 'c': + case 'go': + case 'rs': + return + case 'jpg': + case 'jpeg': + case 'png': + case 'gif': + case 'svg': + case 'webp': + return + case 'json': + case 'csv': + case 'xlsx': + case 'xls': + return + case 'pdf': + case 'doc': + case 'docx': + case 'txt': + case 'md': + return + default: + return + } + } + + const formatFileSize = (bytes) => { + if (bytes === 0) return '0 B' + const k = 1024 + const sizes = ['B', 'KB', 'MB', 'GB'] + const i = Math.floor(Math.log(bytes) / Math.log(k)) + return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i] + } + + const formatDate = (dateString) => { + const date = new Date(dateString) + return date.toLocaleDateString() + ' ' + date.toLocaleTimeString([], { hour: '2-digit', minute: '2-digit' }) + } + + const showNotification = (message, type = 'success', duration = 3000) => { + setNotification({ message, type }) + setTimeout(() => setNotification(null), duration) + } + + const handleDownloadFile = async (file) => { + try { + const response = await fetch(`/api/files/download/${encodeURIComponent(file.key)}`, { + headers: { + 'Authorization': `Bearer ${token}` + } + }) + + if (!response.ok) { + throw new Error('Download failed') + } + + const blob = await response.blob() + const url = window.URL.createObjectURL(blob) + const a = document.createElement('a') + a.href = url + a.download = file.filename + a.click() + window.URL.revokeObjectURL(url) + } catch (err) { + console.error('Error downloading file:', err) + showNotification('Failed to download file', 'error') + } + } + + const handleDeleteFile = async (file) => { + const confirmed = window.confirm(`Are you sure you want to delete "${file.filename}"? This action cannot be undone.`) + if (!confirmed) { + return + } + + try { + const response = await fetch(`/api/files/${encodeURIComponent(file.key)}`, { + method: 'DELETE', + headers: { + 'Authorization': `Bearer ${token}` + } + }) + + if (!response.ok) { + throw new Error('Delete failed') + } + + // Refresh the file list + fetchAllFiles() + showNotification('File deleted successfully', 'success') + } catch (err) { + console.error('Error deleting file:', err) + showNotification('Failed to delete file', 'error') + } + } + + const handleLoadToSession = async (file) => { + try { + sendMessage({ + type: 'attach_file', + s3_key: file.key, + user: userEmail + }) + showNotification(`File "${file.filename}" loaded to current session`, 'success') + } catch (error) { + console.error('Error loading file to session:', error) + showNotification('Failed to load file to session', 'error') + } + } + + const toggleSort = (field) => { + if (sortBy === field) { + setSortOrder(sortOrder === 'asc' ? 'desc' : 'asc') + } else { + setSortBy(field) + setSortOrder('desc') + } + } + + if (loading) { + return ( +
+ +

Loading files...

+
+ ) + } + + if (error) { + return ( +
+
Error loading files
+

{error}

+
+ ) + } + + return ( +
+ {/* Notification */} + {notification && ( +
+ {notification.message} +
+ )} + + {/* Section Header */} +
+

+ All Files ({filteredFiles.length}) +

+

+ All files across all your sessions +

+
+ + {/* Search and Filters */} +
+
+ {/* Search */} +
+ + setSearchQuery(e.target.value)} + className="w-full pl-10 pr-4 py-2 bg-gray-700 border border-gray-600 rounded-lg text-white placeholder-gray-400 focus:outline-none focus:border-blue-500" + /> +
+ + {/* Type Filter */} + +
+ + {/* Sort Options */} +
+ Sort by: + {[ + { key: 'last_modified', label: 'Date' }, + { key: 'name', label: 'Name' }, + { key: 'size', label: 'Size' } + ].map(({ key, label }) => ( + + ))} +
+
+ + {/* Files List */} + {filteredFiles.length === 0 ? ( +
+ +
+ {searchQuery || typeFilter !== 'all' ? 'No files match your filters' : 'No files found'} +
+

+ {searchQuery || typeFilter !== 'all' + ? 'Try adjusting your search or filter criteria' + : 'Files from all sessions will appear here' + } +

+
+ ) : ( +
+ {filteredFiles.map((file, index) => ( +
+
+ {/* File Icon */} +
+ {getFileIcon(file)} +
+ + {/* File Content */} +
+
+

+ {file.filename} +

+
+ + {file.tags?.source === 'user' ? 'Uploaded' : 'Generated'} + + + {formatDate(file.last_modified)} + +
+
+
+ {formatFileSize(file.size)} + + {file.filename.split('.').pop()} +
+
+ + {/* Action Buttons */} +
+ + + + + +
+
+
+ ))} +
+ )} +
+ ) +} + +export default AllFilesView diff --git a/frontend/src/components/FileManager.jsx b/frontend/src/components/FileManager.jsx index 2a2f8c6..e0a510c 100644 --- a/frontend/src/components/FileManager.jsx +++ b/frontend/src/components/FileManager.jsx @@ -1,133 +1 @@ -import { useState, useEffect } from 'react' -import { - File, - Image, - Database, - FileText, - Code, - Download, - Trash2, - Tag -} from 'lucide-react' - -const FileManager = ({ files, onDownloadFile, onDeleteFile, taggedFiles, onToggleFileTag }) => { - - - const getFileIcon = (file) => { - switch (file.type) { - case 'code': - return - case 'image': - return - case 'data': - return - case 'document': - return - default: - return - } - } - - - const formatFileSize = (bytes) => { - if (bytes === 0) return '0 B' - const k = 1024 - const sizes = ['B', 'KB', 'MB', 'GB'] - const i = Math.floor(Math.log(bytes) / Math.log(k)) - return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i] - } - - if (!files || files.total_files === 0) { - return ( -
- -
No files in this session
-

- Upload files or use tools that generate files to see them here -

-
- ) - } - - return ( -
- {/* Section Header */} -
-

- Session Files ({files.total_files}) -

-

- All files from your current chat session -

-
- -
- {files.files.map((file, index) => ( -
-
- {/* File Icon */} -
- {getFileIcon(file)} -
- - {/* File Content */} -
-
-

- {file.filename} -

- {taggedFiles?.has(file.filename) && ( - - Tagged - - )} -
-
- {formatFileSize(file.size)} - - {file.extension} -
-
- - {/* Action Buttons */} -
- - - - - -
-
-
- ))} -
-
- ) -} - -export default FileManager \ No newline at end of file +export { default } from './SessionFilesView' diff --git a/frontend/src/components/FileManagerPanel.jsx b/frontend/src/components/FileManagerPanel.jsx index 56c2b42..f28fd35 100644 --- a/frontend/src/components/FileManagerPanel.jsx +++ b/frontend/src/components/FileManagerPanel.jsx @@ -1,9 +1,12 @@ +import { useState } from 'react' import { X, FolderOpen, Download } from 'lucide-react' import { useChat } from '../contexts/ChatContext' -import FileManager from './FileManager' +import SessionFilesView from './SessionFilesView' +import AllFilesView from './AllFilesView' const FileManagerPanel = ({ isOpen, onClose }) => { const { sessionFiles, downloadFile, deleteFile, taggedFiles, toggleFileTag } = useChat() + const [activeTab, setActiveTab] = useState('session') const downloadAllFiles = () => { if (sessionFiles.total_files === 0) { @@ -59,38 +62,88 @@ const FileManagerPanel = ({ isOpen, onClose }) => { + {/* Tabs */} +
+ + +
+ {/* Content */}
- - + {activeTab === 'session' ? ( + + ) : ( + + )} + {/* Info Section */} -
-

About Session Files

-
-

- This panel shows all files in your current chat session, including: -

-
    -
  • Files you've uploaded
    • -
  • Files generated by tools
    • -
  • Data exports and reports
    • -
  • Code snippets and plots
    • -
-

- Files are automatically organized by type and persist throughout your session. -

+ {activeTab === 'session' && ( +
+

About Session Files

+
+

+ This panel shows all files in your current chat session, including: +

+
    +
  • Files you've uploaded
    • +
  • Files generated by tools
    • +
  • Data exports and reports
    • +
  • Code snippets and plots
    • +
+

+ Files are automatically organized by type and persist throughout your session. +

+
-
+ )} + + {activeTab === 'library' && ( +
+

About File Library

+
+

+ This shows all files across all your sessions, including: +

+
    +
  • Files from previous sessions
    • +
  • Historical uploads and generated files
    • +
  • Search and filter capabilities
    • +
  • Load files into current session
    • +
+

+ Use the search and filters above to find specific files. +

+
+
+ )}
) } -export default FileManagerPanel \ No newline at end of file +export default FileManagerPanel diff --git a/frontend/src/components/SessionFilesView.jsx b/frontend/src/components/SessionFilesView.jsx new file mode 100644 index 0000000..1afee51 --- /dev/null +++ b/frontend/src/components/SessionFilesView.jsx @@ -0,0 +1,133 @@ +import { useState, useEffect } from 'react' +import { + File, + Image, + Database, + FileText, + Code, + Download, + Trash2, + Tag +} from 'lucide-react' + +const SessionFilesView = ({ files, onDownloadFile, onDeleteFile, taggedFiles, onToggleFileTag }) => { + + + const getFileIcon = (file) => { + switch (file.type) { + case 'code': + return + case 'image': + return + case 'data': + return + case 'document': + return + default: + return + } + } + + + const formatFileSize = (bytes) => { + if (bytes === 0) return '0 B' + const k = 1024 + const sizes = ['B', 'KB', 'MB', 'GB'] + const i = Math.floor(Math.log(bytes) / Math.log(k)) + return parseFloat((bytes / Math.pow(k, i)).toFixed(2)) + ' ' + sizes[i] + } + + if (!files || files.total_files === 0) { + return ( +
+ +
No files in this session
+

+ Upload files or use tools that generate files to see them here +

+
+ ) + } + + return ( +
+ {/* Section Header */} +
+

+ Session Files ({files.total_files}) +

+

+ All files from your current chat session +

+
+ +
+ {files.files.map((file, index) => ( +
+
+ {/* File Icon */} +
+ {getFileIcon(file)} +
+ + {/* File Content */} +
+
+

+ {file.filename} +

+ {taggedFiles?.has(file.filename) && ( + + Tagged + + )} +
+
+ {formatFileSize(file.size)} + + {file.extension} +
+
+ + {/* Action Buttons */} +
+ + + + + +
+
+
+ ))} +
+
+ ) +} + +export default SessionFilesView From fee54a4e67f8edeae64039066833788110ec490e Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 20:53:01 +0000 Subject: [PATCH 04/17] addressed bot identified issues --- backend/main.py | 8 ++++---- backend/routes/files_routes.py | 14 ++++++-------- frontend/src/components/SessionFilesView.jsx | 1 - 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/backend/main.py b/backend/main.py index 140dd70..cba2d5a 100644 --- a/backend/main.py +++ b/backend/main.py @@ -177,12 +177,12 @@ async def websocket_endpoint(websocket: WebSocket): """ await websocket.accept() - # Basic auth: derive user from query parameters or use test user + # Basic auth: derive user from query parameters - reject if not provided user_email = websocket.query_params.get('user') if not user_email: - # Fallback to test user or require auth - config_manager = app_factory.get_config_manager() - user_email = config_manager.app_settings.test_user or 'test@test.com' + # Reject connection if user is not provided or authentication fails + await websocket.close(code=4401, reason="Unauthorized: user authentication required") + return session_id = uuid4() diff --git a/backend/routes/files_routes.py b/backend/routes/files_routes.py index 69b9083..00e39ec 100644 --- a/backend/routes/files_routes.py +++ b/backend/routes/files_routes.py @@ -60,12 +60,13 @@ async def upload_file( # Validate base64 content size (configurable limit to prevent abuse) try: content_size = len(request.content_base64) * 3 // 4 # approximate decoded size - max_size = 50 * 1024 * 1024 # 50MB default (configurable) - if content_size > max_size: - raise HTTPException(status_code=413, detail=f"File too large. Maximum size is {max_size // (1024*1024)}MB") except Exception: raise HTTPException(status_code=400, detail="Invalid base64 content") + max_size = 250 * 1024 * 1024 # 250MB default (configurable) + if content_size > max_size: + raise HTTPException(status_code=413, detail=f"File too large. Maximum size is {max_size // (1024*1024)}MB") + try: s3_client = app_factory.get_file_storage() result = await s3_client.upload_file( @@ -127,11 +128,8 @@ async def list_files( processed_files = [] for file_data in result: processed_file = file_data.copy() - if isinstance(processed_file.get('last_modified'), str): - # If already a string, keep it - pass - else: - # Convert datetime to ISO format string + if not isinstance(processed_file.get('last_modified'), str): + # Convert datetime to ISO format string if it's not already a string try: processed_file['last_modified'] = processed_file['last_modified'].isoformat() except AttributeError: diff --git a/frontend/src/components/SessionFilesView.jsx b/frontend/src/components/SessionFilesView.jsx index 1afee51..0a9261d 100644 --- a/frontend/src/components/SessionFilesView.jsx +++ b/frontend/src/components/SessionFilesView.jsx @@ -1,4 +1,3 @@ -import { useState, useEffect } from 'react' import { File, Image, From 5dd900c7507c55ece17bac39e1811ea1ec3f2480 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 21:15:02 +0000 Subject: [PATCH 05/17] feat(websocket): implement secure user authentication via reverse proxy Update websocket endpoint to authenticate users primarily through X-Authenticated-User header set by authenticated reverse proxy in production, falling back to insecure query parameter for local development. Add comprehensive security documentation explaining the authentication flow, production requirements, and risks of direct access. This ensures secure connections in production while maintaining development flexibility. --- backend/main.py | 35 +++- docs/security_architecture.md | 319 ++++++++++++++++++++++++++++++++++ 2 files changed, 352 insertions(+), 2 deletions(-) create mode 100644 docs/security_architecture.md diff --git a/backend/main.py b/backend/main.py index cba2d5a..a45eb31 100644 --- a/backend/main.py +++ b/backend/main.py @@ -174,11 +174,42 @@ async def logo_png(): async def websocket_endpoint(websocket: WebSocket): """ Main chat WebSocket endpoint using new architecture. + + SECURITY NOTE - Production Architecture: + ========================================== + This endpoint appears to lack authentication when viewed in isolation, + but in production it sits behind a reverse proxy with a separate + authentication service. The authentication flow is: + + 1. Client connects to WebSocket endpoint + 2. Reverse proxy intercepts WebSocket handshake (HTTP Upgrade request) + 3. Reverse proxy delegates to authentication service + 4. Auth service validates JWT/session from cookies or headers + 5. If valid: Auth service returns X-Authenticated-User header + 6. Reverse proxy forwards connection to this app with X-Authenticated-User header + 7. This app trusts the header (already validated by auth service) + + SECURITY REQUIREMENTS: + - This app MUST ONLY be accessible via reverse proxy + - Direct public access to this app bypasses authentication + - Use network isolation to prevent direct access + - The /login endpoint lives in the separate auth service + + DEVELOPMENT vs PRODUCTION: + - Production: Extracts user from X-Authenticated-User header (set by reverse proxy) + - Development: Falls back to 'user' query parameter (INSECURE, local only) + + See docs/security_architecture.md for complete architecture details. """ await websocket.accept() - # Basic auth: derive user from query parameters - reject if not provided - user_email = websocket.query_params.get('user') + # Production: get user from reverse proxy-set header after auth validation + user_email = websocket.headers.get('X-Authenticated-User') + + # Development fallback: query parameter (insecure, only for local dev without reverse proxy) + if not user_email: + user_email = websocket.query_params.get('user') + if not user_email: # Reject connection if user is not provided or authentication fails await websocket.close(code=4401, reason="Unauthorized: user authentication required") diff --git a/docs/security_architecture.md b/docs/security_architecture.md new file mode 100644 index 0000000..a6e292c --- /dev/null +++ b/docs/security_architecture.md @@ -0,0 +1,319 @@ +# Security Architecture + +## Overview + +This application is designed to operate as part of a multi-service architecture with defense-in-depth security. Authentication and authorization are handled by external components, not within this application itself. + +## Production Architecture + +### Component Separation + +This application consists of multiple isolated services: + +- **Authentication Service**: Handles user authentication, session management, and authorization +- **Main Application**: This codebase (chat UI backend and API) +- **Reverse Proxy**: Edge layer handling TLS termination, routing, and authentication delegation + +### Network Topology + +``` +Internet → Reverse Proxy → Authentication Service + → Main Application (this repo) +``` + +**Critical Security Requirement:** +- Main application MUST NOT be directly accessible from the internet +- All traffic MUST flow through the reverse proxy +- Use network isolation (Docker networks, VPCs, firewalls) to enforce this + +## Authentication Flow + +### HTTP API Requests + +``` +1. Client → Reverse Proxy (with credentials) +2. Reverse Proxy → Auth Service (validates credentials) +3. If invalid → Redirect to /login +4. If valid → Auth Service returns user identity +5. Reverse Proxy → Main App (with authenticated user header) +6. Main App processes request for authenticated user +``` + +### WebSocket Connections + +``` +1. Client → Reverse Proxy (WebSocket handshake with credentials) +2. Reverse Proxy → Auth Service (validates during handshake) +3. If invalid → Connection rejected (HTTP 401) +4. If valid → Auth Service returns user identity header +5. Reverse Proxy → Main App (with X-Authenticated-User header) +6. Main App accepts WebSocket connection +7. All subsequent messages occur over established connection +``` + +**Important Differences from HTTP:** +- Authentication occurs ONCE during initial handshake +- WebSocket cannot redirect to /login (not HTTP) +- Client must handle rejection and redirect to login page +- Token expiration requires WebSocket reconnection + +## Trust Model + +### Header-Based Trust + +The main application trusts the `X-Authenticated-User` header because: + +1. **Network Isolation**: Main app is not publicly accessible +2. **Single Entry Point**: Only reverse proxy can reach main app +3. **Upstream Validation**: Auth service validates before header is set +4. **No Client Control**: Clients cannot set headers directly on main app + +### Why This Looks Insecure + +When examining this codebase in isolation, the WebSocket endpoint appears to lack authentication: + +```python +user_email = websocket.headers.get('X-Authenticated-User') +``` + +This is **intentional by design**. The security controls exist in the infrastructure layer, not the application layer. + +**This design is secure IF AND ONLY IF:** +- Main app has no direct public access +- Reverse proxy is properly configured +- Network isolation is enforced +- Auth service validates correctly + +## Development vs Production + +### Development Environment + +For local development without the full infrastructure: + +```python +# Falls back to query parameter +user_email = websocket.query_params.get('user') +``` + +**This is INSECURE** and only suitable for local development. + +### Production Environment + +Production deployments MUST: + +1. Deploy reverse proxy with auth delegation +2. Deploy separate authentication service +3. Isolate main app from public access +4. Configure reverse proxy to set X-Authenticated-User header +5. Never expose main app ports publicly + +### Example Network Configuration + +```yaml +services: + reverse-proxy: + ports: + - "443:443" # Only component with public port + networks: + - frontend + + auth-service: + expose: + - "8001" # Exposed to internal network only + networks: + - frontend + + main-app: + expose: + - "8000" # Exposed to internal network only + networks: + - frontend +``` + +## Authentication Service Requirements + +The external authentication service must: + +1. **Validate credentials** (JWT, session cookies, API keys, etc.) +2. **Extract user identity** from valid credentials +3. **Return user information** in response header +4. **Reject invalid requests** with appropriate HTTP status + +### Expected Interface + +**Request from Reverse Proxy:** +```http +GET /auth/validate HTTP/1.1 +Cookie: session_token=xyz +Authorization: Bearer jwt_token_here +``` + +**Response if Valid:** +```http +HTTP/1.1 200 OK +X-User-Email: user@example.com +``` + +**Response if Invalid:** +```http +HTTP/1.1 401 Unauthorized +``` + +## Custom Authorization Logic + +### backend/core/auth.py + +This file contains **mock authorization logic** that must be replaced with your organization's custom business logic before production deployment. + +**Current Implementation:** + +The file provides: +- `is_user_in_group(user_id, group_id)` - Mock group membership checks +- `get_user_from_header(x_email_header)` - Header parsing utility + +**Mock Data (Development Only):** + +```python +mock_groups = { + "test@test.com": ["users", "mcp_basic", "admin"], + "user@example.com": ["users", "mcp_basic"], + "admin@example.com": ["admin", "users", "mcp_basic", "mcp_advanced"] +} +``` + +**Production Requirements:** + +Replace mock implementation with integration to your authorization system: + +- LDAP/Active Directory group lookups +- Database-backed role management +- External authorization service (OAuth scopes, RBAC, ABAC) +- Custom business logic (department-based, hierarchy-based, etc.) + +**Example Integration:** + +```python +def is_user_in_group(user_id: str, group_id: str) -> bool: + """Production implementation example.""" + # Option 1: Query your authorization database + # return db.query_user_groups(user_id).contains(group_id) + + # Option 2: Call external auth service + # return auth_service.check_permission(user_id, group_id) + + # Option 3: LDAP/AD lookup + # return ldap_client.is_member(user_id, f"cn={group_id},ou=groups") +``` + +**Where It's Used:** + +This authorization logic controls access to: +- MCP server groups (group-based tool access control) +- Admin endpoints +- Feature flags and capabilities + +**Important:** This is **authorization** (what a user can do), separate from **authentication** (who the user is). Authentication is handled by the external auth service, while authorization logic in this file determines permissions for authenticated users. + +## Security Considerations + +### Token Expiration + +Since WebSocket authentication happens only at handshake: + +- Long-lived connections won't detect expired tokens +- Implement periodic reconnection or heartbeat +- Client should reconnect before token expiration +- Server can close connections after max lifetime + +### Header Injection Prevention + +**Risk:** If main app is publicly accessible, attackers can inject headers + +**Mitigation:** +- Network isolation (main app not reachable publicly) +- Reverse proxy strips client-provided headers +- Only reverse proxy can set X-Authenticated-User + +### Defense in Depth + +Additional security layers: + +- TLS/SSL for all external connections +- Rate limiting at reverse proxy +- CORS restrictions +- Content Security Policy headers +- Regular security audits +- Monitoring and alerting + +## Deployment Checklist + +Before deploying to production: + +- [ ] Main application is NOT publicly accessible +- [ ] Reverse proxy is configured with auth delegation +- [ ] Authentication service is deployed and tested +- [ ] Network isolation is enforced (firewall rules, VPC, etc.) +- [ ] TLS certificates are valid and renewed +- [ ] WebSocket upgrade is properly proxied +- [ ] X-Authenticated-User header is set by reverse proxy +- [ ] Client-provided headers are stripped +- [ ] Logging and monitoring are configured +- [ ] Token expiration and refresh are tested + +## Testing Authentication + +### Manual Testing + +1. **Test without credentials:** + ```bash + curl -i --no-buffer \ + -H "Connection: Upgrade" \ + -H "Upgrade: websocket" \ + http://proxy-url/ws + # Should return 401 + ``` + +2. **Test with invalid credentials:** + ```bash + curl -i --no-buffer \ + -H "Connection: Upgrade" \ + -H "Upgrade: websocket" \ + -H "Cookie: invalid_token" \ + http://proxy-url/ws + # Should return 401 + ``` + +3. **Test direct access (should fail):** + ```bash + curl -i --no-buffer \ + -H "Connection: Upgrade" \ + -H "Upgrade: websocket" \ + -H "X-Authenticated-User: attacker@example.com" \ + http://main-app:8000/ws + # Should NOT be reachable from outside network + ``` + +### Automated Testing + +Include in CI/CD pipeline: +- Infrastructure validation tests +- Network isolation tests +- Authentication flow tests +- Header injection tests + +## References + +- OAuth 2.0 and JWT best practices +- WebSocket security considerations +- Reverse proxy security patterns +- Zero-trust architecture principles + +## Incident Response + +If this application is found to be directly accessible: + +1. Immediately block public access via firewall +2. Review access logs for unauthorized access +3. Rotate all tokens and sessions +4. Audit infrastructure configuration +5. Update deployment procedures From 829377c93994696f4be3c0f4c0acb6d8b408f871 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 21:24:44 +0000 Subject: [PATCH 06/17] reverted changes that were breaking the websocket setup --- backend/main.py | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/backend/main.py b/backend/main.py index a45eb31..44de853 100644 --- a/backend/main.py +++ b/backend/main.py @@ -203,17 +203,12 @@ async def websocket_endpoint(websocket: WebSocket): """ await websocket.accept() - # Production: get user from reverse proxy-set header after auth validation - user_email = websocket.headers.get('X-Authenticated-User') - - # Development fallback: query parameter (insecure, only for local dev without reverse proxy) - if not user_email: - user_email = websocket.query_params.get('user') - + # Basic auth: derive user from query parameters or use test user + user_email = websocket.query_params.get('user') if not user_email: - # Reject connection if user is not provided or authentication fails - await websocket.close(code=4401, reason="Unauthorized: user authentication required") - return + # Fallback to test user or require auth + config_manager = app_factory.get_config_manager() + user_email = config_manager.app_settings.test_user or 'test@test.com' session_id = uuid4() From db126407faa6c8a1291a0ca9fb2c60a88a59c793 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 21:34:37 +0000 Subject: [PATCH 07/17] feat: Move files health check endpoint before dynamic route Relocated the /files/healthz endpoint to appear before the /files/{file_key:path} route in files_routes.py to avoid path capture conflicts in the router. The endpoint now includes an explanatory note in its docstring for clarity. --- backend/routes/files_routes.py | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/backend/routes/files_routes.py b/backend/routes/files_routes.py index 00e39ec..d89ee39 100644 --- a/backend/routes/files_routes.py +++ b/backend/routes/files_routes.py @@ -51,6 +51,23 @@ class FileContentResponse(BaseModel): tags: Dict[str, str] +@router.get("/files/healthz") +async def files_health_check(): + """Health check for files service. + + Note: Declared before the dynamic /files/{file_key} route to avoid path capture. + """ + s3_client = app_factory.get_file_storage() + return { + "status": "healthy", + "service": "files-api", + "s3_config": { + "endpoint": s3_client.endpoint_url if hasattr(s3_client, 'endpoint_url') else "unknown", + "bucket": s3_client.bucket_name if hasattr(s3_client, 'bucket_name') else "unknown" + } + } + + @router.post("/files", response_model=FileResponse) async def upload_file( request: FileUploadRequest, @@ -188,20 +205,6 @@ async def get_user_file_stats( raise HTTPException(status_code=500, detail=f"Failed to get stats: {str(e)}") -@router.get("/files/healthz") -async def files_health_check(): - """Health check for files service.""" - s3_client = app_factory.get_file_storage() - return { - "status": "healthy", - "service": "files-api", - "s3_config": { - "endpoint": s3_client.endpoint_url if hasattr(s3_client, 'endpoint_url') else "unknown", - "bucket": s3_client.bucket_name if hasattr(s3_client, 'bucket_name') else "unknown" - } - } - - @router.get("/files/download/{file_key:path}") async def download_file( file_key: str, From 332073f9177911bed9b22e44d52dbb0cf7b9bd37 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 21:40:18 +0000 Subject: [PATCH 08/17] ci: fix SHA tagging for branches and PRs to avoid invalid prefix Prevent leading '-' in tags by conditionally enabling SHA types: use branch prefix for branches and 'pr-' for pull requests. --- .github/workflows/ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9567243..76ebe24 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,9 @@ jobs: tags: | type=ref,event=branch type=ref,event=pr - type=sha,prefix={{branch}}- + # Add SHA tags safely for both branches and PRs without generating an invalid leading '-' + type=sha,enable={{is_branch}},prefix={{branch}}- + type=sha,enable={{is_pr}},prefix=pr- type=raw,value=latest,enable={{is_default_branch}} - name: Build test Docker image From 09582107f681f0f528c20fc53eb0b567bcded9f5 Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 21:47:33 +0000 Subject: [PATCH 09/17] feat(ci): update Docker image tagging to use GitHub ref variables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Replace template variables with ${{ github.ref_name }}, ${{ github.event_name }}, and ${{ github.ref }} for safer and more accurate branch/PR tagging - Simplify enabling conditions for SHA tags on branches and PRs - Set 'latest' tag only on main branch push - Remove trailing newline_clip económicallyselectedocument at the end of the file. --- .github/workflows/ci.yml | 7 +- mocks/s3-mock/README.md | 91 -------- mocks/s3-mock/main.py | 453 --------------------------------------- 3 files changed, 3 insertions(+), 548 deletions(-) delete mode 100644 mocks/s3-mock/README.md delete mode 100644 mocks/s3-mock/main.py diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 76ebe24..7e61f2e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,9 +35,9 @@ jobs: type=ref,event=branch type=ref,event=pr # Add SHA tags safely for both branches and PRs without generating an invalid leading '-' - type=sha,enable={{is_branch}},prefix={{branch}}- - type=sha,enable={{is_pr}},prefix=pr- - type=raw,value=latest,enable={{is_default_branch}} + type=sha,enable=true,prefix=${{ github.ref_name }}- + type=sha,enable=${{ github.event_name == 'pull_request' }},prefix=pr- + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - name: Build test Docker image uses: docker/build-push-action@v6 @@ -74,4 +74,3 @@ jobs: VITE_APP_NAME=Chat UI tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - diff --git a/mocks/s3-mock/README.md b/mocks/s3-mock/README.md deleted file mode 100644 index 5faf7f4..0000000 --- a/mocks/s3-mock/README.md +++ /dev/null @@ -1,91 +0,0 @@ -# S3 Mock Service - -A lightweight mock S3 storage service for development and testing purposes. - -## Features - -- In-memory file storage -- User-based file isolation -- S3-compatible API endpoints -- Base64 content handling -- File tagging support -- Authorization via Bearer tokens - -## API Endpoints - -### Upload File -``` -POST /files -Authorization: Bearer -Content-Type: application/json - -{ - "filename": "example.txt", - "content_base64": "SGVsbG8gV29ybGQ=", - "content_type": "text/plain", - "tags": { - "source": "user" - } -} -``` - -### Get File -``` -GET /files/{file_key} -Authorization: Bearer -``` - -### List Files -``` -GET /files?file_type=user&limit=50 -Authorization: Bearer -``` - -### Delete File -``` -DELETE /files/{file_key} -Authorization: Bearer -``` - -### Get File Statistics -``` -GET /users/{user_email}/files/stats -Authorization: Bearer -``` - -### Health Check -``` -GET /health -``` - -## File Organization - -Files are stored with keys following this pattern: -- User uploads: `users/{email}/uploads/{timestamp}_{uuid}_{filename}` -- Tool generated: `users/{email}/generated/{timestamp}_{uuid}_{filename}` - -## Running the Service - -```bash -cd mocks/s3-mock -python main.py -``` - -The service will start on `http://127.0.0.1:8003` by default. - -## Environment Variables - -- `HOST`: Service host (default: 127.0.0.1) -- `PORT`: Service port (default: 8003) - -## Authorization - -For the mock service, the Bearer token is used directly as the user email. In production, this would be replaced with proper JWT validation. - -## File Types - -The service supports tagging files with different types: -- `user`: User-uploaded files -- `tool`: Tool-generated files - -This allows for proper categorization and different handling of files based on their source. \ No newline at end of file diff --git a/mocks/s3-mock/main.py b/mocks/s3-mock/main.py deleted file mode 100644 index 0447481..0000000 --- a/mocks/s3-mock/main.py +++ /dev/null @@ -1,453 +0,0 @@ -""" -Mock S3 Storage Service - -This mock provides a persistent S3-compatible storage service for development and testing. -It supports basic S3 operations like PUT, GET, DELETE, and LIST with user-based file isolation. -Files are persisted to disk and survive service restarts. -""" - -import base64 -import hashlib -import json -import logging -import os -import shutil -import time -import uuid -from typing import Dict, List, Optional, Any -from pathlib import Path -from contextlib import asynccontextmanager - -from fastapi import FastAPI, HTTPException, Depends, Request -from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials -from pydantic import BaseModel -from datetime import datetime - -# Configure logging -logging.basicConfig(level=logging.INFO) -logger = logging.getLogger(__name__) - -@asynccontextmanager -async def lifespan(app: FastAPI): - """Lifespan context to handle startup and shutdown tasks. - - Replaces deprecated on_event handlers for startup/shutdown. - """ - # Startup - logger.info("Initializing S3 Mock Storage (lifespan startup)...") - initialize_storage() - logger.info(f"S3 Mock Storage initialized with {len(file_storage)} existing files") - try: - yield - finally: - # Shutdown - logger.info("Shutting down S3 Mock Storage (lifespan shutdown)...") - save_metadata() - logger.info("Metadata saved successfully") - - -app = FastAPI(title="S3 Mock Service", version="1.0.0", lifespan=lifespan) -security = HTTPBearer(auto_error=False) # Make auth optional for single-user scenario - -# Storage configuration -STORAGE_ROOT = Path("./s3-mock-storage") -METADATA_FILE = STORAGE_ROOT / "metadata.json" - -# In-memory cache of metadata (loaded from disk on startup) -file_storage: Dict[str, Dict[str, Any]] = {} # key -> file_data -user_files: Dict[str, List[str]] = {} # user_email -> list of file keys - - -class FileUploadRequest(BaseModel): - filename: str - content_base64: str - content_type: Optional[str] = "application/octet-stream" - tags: Optional[Dict[str, str]] = {} - - -class FileResponse(BaseModel): - key: str - filename: str - size: int - content_type: str - last_modified: datetime - etag: str - tags: Dict[str, str] - user_email: str - - -class FileContentResponse(BaseModel): - key: str - filename: str - content_base64: str - content_type: str - size: int - last_modified: datetime - etag: str - tags: Dict[str, str] - - -def initialize_storage(): - """Initialize storage directory and load existing metadata.""" - global file_storage, user_files - - # Create storage directory if it doesn't exist - STORAGE_ROOT.mkdir(exist_ok=True) - - # Load metadata if it exists - if METADATA_FILE.exists(): - try: - with open(METADATA_FILE, 'r') as f: - data = json.load(f) - file_storage = data.get('file_storage', {}) - user_files = data.get('user_files', {}) - - # Convert datetime strings back to datetime objects - for file_data in file_storage.values(): - if 'last_modified' in file_data: - file_data['last_modified'] = datetime.fromisoformat(file_data['last_modified']) - - logger.info(f"Loaded {len(file_storage)} files from metadata") - except Exception as e: - logger.error(f"Error loading metadata: {e}") - file_storage = {} - user_files = {} - else: - logger.info("No existing metadata found, starting fresh") - - -def save_metadata(): - """Save metadata to disk.""" - try: - # Convert datetime objects to strings for JSON serialization - serializable_storage = {} - for key, file_data in file_storage.items(): - serialized_data = file_data.copy() - if 'last_modified' in serialized_data: - serialized_data['last_modified'] = serialized_data['last_modified'].isoformat() - serializable_storage[key] = serialized_data - - data = { - 'file_storage': serializable_storage, - 'user_files': user_files - } - - with open(METADATA_FILE, 'w') as f: - json.dump(data, f, indent=2) - - except Exception as e: - logger.error(f"Error saving metadata: {e}") - - -def get_file_path(s3_key: str) -> Path: - """Get the file system path for an S3 key.""" - # Replace path separators and create safe filename - safe_key = s3_key.replace('/', '_').replace('\\', '_') - return STORAGE_ROOT / safe_key - - -def get_user_from_token(credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)) -> str: - """Extract user email from the authorization token (simplified for mock).""" - # For single-user scenarios, allow requests without auth and default to a user - if not credentials or not credentials.credentials: - return "default@atlas-ui-3.local" # Default user for single-user scenarios - - # In a real implementation, this would validate the JWT and extract user info - # For mock purposes, we'll just use the token as the user email - return credentials.credentials # Using token as user email for simplicity - - -def generate_s3_key(user_email: str, filename: str, file_type: str = "user") -> str: - """Generate an S3-style key with user isolation.""" - timestamp = int(time.time()) - unique_id = str(uuid.uuid4())[:8] - safe_filename = filename.replace(" ", "_").replace("/", "_") - - if file_type == "tool": - # Tool-generated files go in a special directory - return f"users/{user_email}/generated/{timestamp}_{unique_id}_{safe_filename}" - else: - # User-uploaded files - return f"users/{user_email}/uploads/{timestamp}_{unique_id}_{safe_filename}" - - -def calculate_etag(content: str) -> str: - """Calculate ETag for file content.""" - return hashlib.md5(content.encode()).hexdigest() - - -@app.post("/files", response_model=FileResponse) -async def upload_file( - request: FileUploadRequest, - user_email: str = Depends(get_user_from_token) -) -> FileResponse: - """Upload a file to S3 mock storage.""" - try: - # Decode base64 content to validate it - content_bytes = base64.b64decode(request.content_base64) - - # Generate S3 key - file_type = request.tags.get("source", "user") if request.tags else "user" - s3_key = generate_s3_key(user_email, request.filename, file_type) - - # Calculate metadata - etag = calculate_etag(request.content_base64) - now = datetime.utcnow() - - # Store file data - file_data = { - "key": s3_key, - "filename": request.filename, - "content_base64": request.content_base64, - "content_type": request.content_type, - "size": len(content_bytes), - "last_modified": now, - "etag": etag, - "tags": request.tags or {}, - "user_email": user_email - } - - # Save file to disk - file_path = get_file_path(s3_key) - try: - with open(file_path, 'wb') as f: - f.write(content_bytes) - logger.info(f"File saved to disk: {file_path}") - except Exception as e: - logger.error(f"Error saving file to disk: {e}") - raise HTTPException(status_code=500, detail=f"Failed to save file: {str(e)}") - - # Store metadata (without content_base64 to save memory) - file_data_meta = file_data.copy() - del file_data_meta["content_base64"] # Don't store content in metadata - file_storage[s3_key] = file_data_meta - - # Update user's file list - if user_email not in user_files: - user_files[user_email] = [] - user_files[user_email].append(s3_key) - - # Save metadata to disk - save_metadata() - - logger.info(f"File uploaded: {s3_key} by user {user_email}") - - return FileResponse(**file_data_meta) - - except Exception as e: - logger.error(f"Error uploading file: {str(e)}") - raise HTTPException(status_code=500, detail=f"Upload failed: {str(e)}") - - -@app.get("/files/{file_key:path}", response_model=FileContentResponse) -async def get_file( - file_key: str, - user_email: str = Depends(get_user_from_token) -) -> FileContentResponse: - """Get a file from S3 mock storage.""" - if file_key not in file_storage: - raise HTTPException(status_code=404, detail="File not found") - - file_data = file_storage[file_key] - - # Check authorization - user can only access their own files - if file_data["user_email"] != user_email: - raise HTTPException(status_code=403, detail="Access denied") - - # Read file content from disk - file_path = get_file_path(file_key) - try: - with open(file_path, 'rb') as f: - content_bytes = f.read() - content_base64 = base64.b64encode(content_bytes).decode() - except Exception as e: - logger.error(f"Error reading file from disk: {e}") - raise HTTPException(status_code=500, detail="Failed to read file") - - # Return file data with content - response_data = file_data.copy() - response_data["content_base64"] = content_base64 - - return FileContentResponse(**response_data) - - -@app.get("/files", response_model=List[FileResponse]) -async def list_files( - user_email: str = Depends(get_user_from_token), - file_type: Optional[str] = None, - limit: int = 100 -) -> List[FileResponse]: - """List files for the authenticated user.""" - if user_email not in user_files: - return [] - - user_file_keys = user_files[user_email] - result = [] - - for key in user_file_keys: - if key in file_storage: - file_data = file_storage[key] - - # Filter by file type if specified - if file_type and file_data.get("tags", {}).get("source") != file_type: - continue - - result.append(FileResponse(**file_data)) - - if len(result) >= limit: - break - - # Sort by last modified, newest first - result.sort(key=lambda f: f.last_modified, reverse=True) - - return result - - -@app.delete("/files/{file_key:path}") -async def delete_file( - file_key: str, - user_email: str = Depends(get_user_from_token) -) -> Dict[str, str]: - """Delete a file from S3 mock storage.""" - if file_key not in file_storage: - raise HTTPException(status_code=404, detail="File not found") - - file_data = file_storage[file_key] - - # Check authorization - if file_data["user_email"] != user_email: - raise HTTPException(status_code=403, detail="Access denied") - - # Delete file from disk - file_path = get_file_path(file_key) - try: - if file_path.exists(): - file_path.unlink() - logger.info(f"File deleted from disk: {file_path}") - except Exception as e: - logger.error(f"Error deleting file from disk: {e}") - # Continue with metadata cleanup even if file deletion fails - - # Remove from storage - del file_storage[file_key] - - # Remove from user's file list - if user_email in user_files and file_key in user_files[user_email]: - user_files[user_email].remove(file_key) - - # Save updated metadata - save_metadata() - - logger.info(f"File deleted: {file_key} by user {user_email}") - - return {"message": "File deleted successfully", "key": file_key} - - -@app.get("/users/{user_email}/files/stats") -async def get_user_file_stats( - user_email: str, - current_user: str = Depends(get_user_from_token) -) -> Dict[str, Any]: - """Get file statistics for a user.""" - # Users can only see their own stats - if current_user != user_email: - raise HTTPException(status_code=403, detail="Access denied") - - if user_email not in user_files: - return { - "total_files": 0, - "total_size": 0, - "upload_count": 0, - "generated_count": 0 - } - - user_file_keys = user_files[user_email] - total_size = 0 - upload_count = 0 - generated_count = 0 - - for key in user_file_keys: - if key in file_storage: - file_data = file_storage[key] - total_size += file_data["size"] - - if file_data.get("tags", {}).get("source") == "tool": - generated_count += 1 - else: - upload_count += 1 - - return { - "total_files": len(user_file_keys), - "total_size": total_size, - "upload_count": upload_count, - "generated_count": generated_count - } - - -@app.get("/health") -async def health_check(): - """Health check endpoint.""" - storage_size = 0 - file_count = 0 - - # Calculate storage statistics - try: - if STORAGE_ROOT.exists(): - for file_path in STORAGE_ROOT.iterdir(): - if file_path.is_file() and file_path.name != "metadata.json": - storage_size += file_path.stat().st_size - file_count += 1 - except Exception as e: - logger.warning(f"Error calculating storage size: {e}") - - return { - "status": "healthy", - "service": "s3-mock", - "timestamp": datetime.utcnow(), - "storage": { - "root": str(STORAGE_ROOT.absolute()), - "persistent": True, - "total_files": len(file_storage), - "disk_files": file_count, - "disk_size_bytes": storage_size, - "metadata_exists": METADATA_FILE.exists() - }, - "users": { - "total_users": len(user_files), - "single_user_mode": True - } - } - - -## Removed deprecated on_event handlers; functionality handled in lifespan above. - - -@app.get("/") -async def root(): - """Root endpoint with service info.""" - return { - "service": "S3 Mock Storage", - "version": "1.0.0", - "description": "Persistent mock S3 service for development and testing", - "storage_root": str(STORAGE_ROOT.absolute()), - "persistent": True, - "single_user_mode": True, - "endpoints": { - "upload": "POST /files", - "get": "GET /files/{key}", - "list": "GET /files", - "delete": "DELETE /files/{key}", - "stats": "GET /users/{email}/files/stats", - "health": "GET /health" - } - } - - -if __name__ == "__main__": - import uvicorn - - port = int(os.environ.get("PORT", 8003)) - host = os.environ.get("HOST", "127.0.0.1") - - logger.info(f"Starting S3 Mock Service on {host}:{port}") - uvicorn.run(app, host=host, port=port) \ No newline at end of file From 4a6f56ac17c7cfd2a2d3ef6aa3c70932c588257a Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 21:54:45 +0000 Subject: [PATCH 10/17] refactor: simplify logging messages and remove unused code - In chat service, reduced verbosity in log messages by removing server/prompt_name and filename details to streamline output. - Removed unused response variable assignment in websocket endpoint. - Eliminated unused Filter icon import from frontend component. --- backend/application/chat/service.py | 6 ++---- backend/main.py | 2 +- frontend/src/components/AllFilesView.jsx | 1 - 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/backend/application/chat/service.py b/backend/application/chat/service.py index 4e02a22..97a6d74 100644 --- a/backend/application/chat/service.py +++ b/backend/application/chat/service.py @@ -219,9 +219,7 @@ async def handle_chat_message( # Prepend as system message override messages = [{"role": "system", "content": prompt_text}] + messages logger.info( - "Applied MCP system prompt override from %s:%s (len=%d)", - server, - prompt_name, + "Applied MCP system prompt override (len=%d)", len(prompt_text), ) break # apply only one @@ -378,7 +376,7 @@ async def handle_attach_file( update_callback=update_callback ) - logger.info(f"Attached file {filename} ({s3_key}) to session {session_id}") + logger.info(f"Attached file ({s3_key}) to session {session_id}") return { "type": "file_attach", diff --git a/backend/main.py b/backend/main.py index 44de853..5b082c6 100644 --- a/backend/main.py +++ b/backend/main.py @@ -226,7 +226,7 @@ async def websocket_endpoint(websocket: WebSocket): if message_type == "chat": # Handle chat message with streaming updates try: - response = await chat_service.handle_chat_message( + await chat_service.handle_chat_message( session_id=session_id, content=data.get("content", ""), model=data.get("model", ""), diff --git a/frontend/src/components/AllFilesView.jsx b/frontend/src/components/AllFilesView.jsx index 15191df..da0df53 100644 --- a/frontend/src/components/AllFilesView.jsx +++ b/frontend/src/components/AllFilesView.jsx @@ -11,7 +11,6 @@ import { Search, SortAsc, SortDesc, - Filter, Loader } from 'lucide-react' import { useChat } from '../contexts/ChatContext' From edddee1d61fa1274f70622d566a3543ca4c1772c Mon Sep 17 00:00:00 2001 From: Anthony Garland Bot 7 Date: Sat, 25 Oct 2025 15:58:45 -0600 Subject: [PATCH 11/17] Potential fix for code scanning alert no. 275: Log Injection Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- backend/application/chat/service.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/backend/application/chat/service.py b/backend/application/chat/service.py index 97a6d74..477a224 100644 --- a/backend/application/chat/service.py +++ b/backend/application/chat/service.py @@ -376,7 +376,8 @@ async def handle_attach_file( update_callback=update_callback ) - logger.info(f"Attached file ({s3_key}) to session {session_id}") + sanitized_s3_key = s3_key.replace('\r', '').replace('\n', '') + logger.info(f"Attached file ({sanitized_s3_key}) to session {session_id}") return { "type": "file_attach", From 058abd812efe32e63548e0bef42b61987719a8eb Mon Sep 17 00:00:00 2001 From: Anthony Date: Sat, 25 Oct 2025 22:04:27 +0000 Subject: [PATCH 12/17] fix(chat): sanitize log message by removing newlines from s3_key and error Previously, the error log for failed file attachments included raw s3_key and exception details, potentially introducing multi-line entries or injection risks. This update strips '\n' and '\r' characters from both to ensure clean, single-line log output for better readability and security. --- backend/application/chat/service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/application/chat/service.py b/backend/application/chat/service.py index 97a6d74..dba58da 100644 --- a/backend/application/chat/service.py +++ b/backend/application/chat/service.py @@ -387,7 +387,7 @@ async def handle_attach_file( } except Exception as e: - logger.error(f"Failed to attach file {s3_key} to session {session_id}: {e}") + logger.error(f"Failed to attach file {s3_key.replace('\n', '').replace('\r', '')} to session {session_id}: {str(e).replace('\n', '').replace('\r', '')}") return { "type": "file_attach", "s3_key": s3_key, From 7153a449e9071877aa3255555d3559bbe8fe76d9 Mon Sep 17 00:00:00 2001 From: Anthony Date: Tue, 28 Oct 2025 01:09:45 +0000 Subject: [PATCH 13/17] use can select agent --- .env.example | 2 + backend/application/chat/agent/__init__.py | 1 + backend/application/chat/agent/factory.py | 131 +++++++++++++++++++++ backend/application/chat/service.py | 64 +++++----- backend/main.py | 1 + backend/modules/config/manager.py | 2 +- backend/modules/file_storage/s3_client.py | 8 ++ config/overrides/messages.txt | 1 + frontend/src/components/SettingsPanel.jsx | 31 ++++- frontend/src/contexts/ChatContext.jsx | 1 + frontend/src/hooks/useSettings.js | 3 +- 11 files changed, 213 insertions(+), 32 deletions(-) create mode 100644 backend/application/chat/agent/factory.py diff --git a/.env.example b/.env.example index 1b11e21..c5bf0bc 100644 --- a/.env.example +++ b/.env.example @@ -73,6 +73,8 @@ AGENT_MAX_STEPS=30 AGENT_DEFAULT_ENABLED=true # Agent mode availability (renamed to align with other FEATURE_* flags) FEATURE_AGENT_MODE_AVAILABLE=true +# Agent loop strategy: react (structured reasoning) or think-act (faster, concise) +AGENT_LOOP_STRATEGY=think-act # (Adjust above to stage rollouts. For a bare-bones chat set them all to false.) APP_LOG_DIR=/workspaces/atlas-ui-3-11/logs diff --git a/backend/application/chat/agent/__init__.py b/backend/application/chat/agent/__init__.py index 688cac1..042fd11 100644 --- a/backend/application/chat/agent/__init__.py +++ b/backend/application/chat/agent/__init__.py @@ -3,3 +3,4 @@ from .protocols import AgentLoopProtocol, AgentContext, AgentEvent, AgentResult, AgentEventHandler from .react_loop import ReActAgentLoop from .think_act_loop import ThinkActAgentLoop +from .factory import AgentLoopFactory diff --git a/backend/application/chat/agent/factory.py b/backend/application/chat/agent/factory.py new file mode 100644 index 0000000..c26dc9c --- /dev/null +++ b/backend/application/chat/agent/factory.py @@ -0,0 +1,131 @@ +"""Factory for creating agent loop instances based on strategy.""" + +import logging +from typing import Any, Optional + +from interfaces.llm import LLMProtocol +from interfaces.tools import ToolManagerProtocol +from interfaces.transport import ChatConnectionProtocol +from modules.prompts.prompt_provider import PromptProvider + +from .protocols import AgentLoopProtocol +from .react_loop import ReActAgentLoop +from .think_act_loop import ThinkActAgentLoop + +logger = logging.getLogger(__name__) + + +class AgentLoopFactory: + """ + Factory for creating agent loop instances. + + This factory pattern allows for easy addition of new agent loop strategies + without modifying existing code. Simply add a new strategy to the registry. + """ + + def __init__( + self, + llm: LLMProtocol, + tool_manager: Optional[ToolManagerProtocol] = None, + prompt_provider: Optional[PromptProvider] = None, + connection: Optional[ChatConnectionProtocol] = None, + ): + """ + Initialize factory with shared dependencies. + + Args: + llm: LLM protocol implementation + tool_manager: Optional tool manager + prompt_provider: Optional prompt provider + connection: Optional connection for sending updates + """ + self.llm = llm + self.tool_manager = tool_manager + self.prompt_provider = prompt_provider + self.connection = connection + + # Registry of available strategies + self._strategy_registry = { + "react": ReActAgentLoop, + "think-act": ThinkActAgentLoop, + "think_act": ThinkActAgentLoop, + "thinkact": ThinkActAgentLoop, + } + + # Cache of instantiated loops for performance + self._loop_cache: dict[str, AgentLoopProtocol] = {} + + def create(self, strategy: str = "think-act") -> AgentLoopProtocol: + """ + Create an agent loop instance for the given strategy. + + Args: + strategy: Strategy name (react, think-act, etc.) + + Returns: + AgentLoopProtocol instance + + Raises: + ValueError: If strategy is not recognized + """ + strategy_normalized = strategy.lower().strip() + + # Check cache first + if strategy_normalized in self._loop_cache: + logger.info(f"Using agent loop strategy: {strategy_normalized}") + return self._loop_cache[strategy_normalized] + + # Look up strategy in registry + loop_class = self._strategy_registry.get(strategy_normalized) + + if loop_class is None: + logger.warning( + f"Unknown agent loop strategy '{strategy}', falling back to 'react'" + ) + loop_class = self._strategy_registry["react"] + strategy_normalized = "react" + + # Instantiate the loop + loop_instance = loop_class( + llm=self.llm, + tool_manager=self.tool_manager, + prompt_provider=self.prompt_provider, + connection=self.connection, + ) + + # Cache for future use + self._loop_cache[strategy_normalized] = loop_instance + + logger.info(f"Created and using agent loop strategy: {strategy_normalized}") + return loop_instance + + def get_available_strategies(self) -> list[str]: + """ + Get list of available strategy names. + + Returns: + List of strategy identifiers + """ + # Return unique strategy names (deduplicated) + unique_strategies = set() + for strategy in self._strategy_registry.keys(): + # Normalize to primary name + if strategy in ("react",): + unique_strategies.add("react") + elif strategy in ("think-act", "think_act", "thinkact"): + unique_strategies.add("think-act") + return sorted(unique_strategies) + + def register_strategy(self, name: str, loop_class: type[AgentLoopProtocol]) -> None: + """ + Register a new agent loop strategy. + + This allows for dynamic extension of available strategies. + + Args: + name: Strategy identifier + loop_class: Agent loop class to instantiate + """ + name_normalized = name.lower().strip() + self._strategy_registry[name_normalized] = loop_class + logger.info(f"Registered new agent loop strategy: {name_normalized}") diff --git a/backend/application/chat/service.py b/backend/application/chat/service.py index 54cca5a..f3f3e58 100644 --- a/backend/application/chat/service.py +++ b/backend/application/chat/service.py @@ -24,7 +24,7 @@ # Import utilities from .utilities import tool_utils, file_utils, notification_utils, error_utils -from .agent import AgentLoopProtocol, ReActAgentLoop, ThinkActAgentLoop +from .agent import AgentLoopProtocol, AgentLoopFactory from .agent.protocols import AgentContext, AgentEvent from core.prompt_risk import calculate_prompt_injection_risk, log_high_risk_event from core.auth_utils import create_authorization_manager @@ -48,17 +48,18 @@ def __init__( connection: Optional[ChatConnectionProtocol] = None, config_manager: Optional[ConfigManager] = None, file_manager: Optional[Any] = None, - agent_loop: Optional[AgentLoopProtocol] = None, + agent_loop_factory: Optional[AgentLoopFactory] = None, ): """ Initialize chat service with dependencies. - + Args: llm: LLM protocol implementation tool_manager: Optional tool manager connection: Optional connection for sending updates config_manager: Configuration manager file_manager: File manager for S3 operations + agent_loop_factory: Factory for creating agent loops (optional) """ self.llm = llm self.tool_manager = tool_manager @@ -69,31 +70,27 @@ def __init__( PromptProvider(self.config_manager) if self.config_manager else None ) self.file_manager = file_manager - # Agent loop DI (default to ReActAgentLoop). Allow override via config/env. - if agent_loop is not None: - self.agent_loop = agent_loop + + # Agent loop factory - create if not provided + if agent_loop_factory is not None: + self.agent_loop_factory = agent_loop_factory else: - strategy = None - try: - if self.config_manager: - strategy = self.config_manager.app_settings.agent_loop_strategy - except Exception: - strategy = None - strategy = (strategy or "react").lower() - if strategy in ("think-act", "think_act", "thinkact"): - self.agent_loop = ThinkActAgentLoop( - llm=self.llm, - tool_manager=self.tool_manager, - prompt_provider=self.prompt_provider, - connection=self.connection, - ) - else: - self.agent_loop = ReActAgentLoop( - llm=self.llm, - tool_manager=self.tool_manager, - prompt_provider=self.prompt_provider, - connection=self.connection, - ) + self.agent_loop_factory = AgentLoopFactory( + llm=self.llm, + tool_manager=self.tool_manager, + prompt_provider=self.prompt_provider, + connection=self.connection, + ) + + # Get default strategy from config + self.default_agent_strategy = "think-act" + try: + if self.config_manager: + config_strategy = self.config_manager.app_settings.agent_loop_strategy + if config_strategy: + self.default_agent_strategy = config_strategy.lower() + except Exception: + pass async def create_session( self, @@ -243,6 +240,7 @@ async def handle_chat_message( max_steps=kwargs.get("agent_max_steps", 30), update_callback=update_callback, temperature=temperature, + agent_loop_strategy=kwargs.get("agent_loop_strategy"), ) elif selected_tools and not only_rag: # Enforce MCP tool ACLs: filter tools to authorized servers only @@ -663,12 +661,20 @@ async def _handle_agent_mode_via_loop( max_steps: int, update_callback: Optional[UpdateCallback] = None, temperature: float = 0.7, + agent_loop_strategy: Optional[str] = None, ) -> Dict[str, Any]: - """Handle agent mode using the injected AgentLoopProtocol with event streaming. + """Handle agent mode using the factory-created AgentLoopProtocol with event streaming. Translates AgentEvents to UI notifications and persists artifacts; appends final assistant message to history and returns a chat response. + + Args: + agent_loop_strategy: Strategy name (react, think-act). Falls back to config default. """ + # Get agent loop from factory based on strategy + strategy = agent_loop_strategy or self.default_agent_strategy + agent_loop = self.agent_loop_factory.create(strategy) + # Build agent context agent_context = AgentContext( session_id=session.id, @@ -713,7 +719,7 @@ async def handle_event(evt: AgentEvent) -> None: await notification_utils.notify_agent_update(update_type="agent_error", connection=self.connection, message=p.get("message")) # Run the loop - result = await self.agent_loop.run( + result = await agent_loop.run( model=model, messages=messages, context=agent_context, diff --git a/backend/main.py b/backend/main.py index 5b082c6..7d21446 100644 --- a/backend/main.py +++ b/backend/main.py @@ -239,6 +239,7 @@ async def websocket_endpoint(websocket: WebSocket): agent_mode=data.get("agent_mode", False), agent_max_steps=data.get("agent_max_steps", 10), temperature=data.get("temperature", 0.7), + agent_loop_strategy=data.get("agent_loop_strategy"), update_callback=lambda message: websocket_update_callback(websocket, message), files=data.get("files") ) diff --git a/backend/modules/config/manager.py b/backend/modules/config/manager.py index 6a74ce3..75bc164 100644 --- a/backend/modules/config/manager.py +++ b/backend/modules/config/manager.py @@ -103,7 +103,7 @@ class AppSettings(BaseSettings): ) # Accept both old and new env var names agent_max_steps: int = 10 agent_loop_strategy: str = Field( - default="react", + default="think-act", description="Agent loop strategy selector (react, think-act)", validation_alias=AliasChoices("AGENT_LOOP_STRATEGY"), ) diff --git a/backend/modules/file_storage/s3_client.py b/backend/modules/file_storage/s3_client.py index 8fd45d5..eed4fc8 100644 --- a/backend/modules/file_storage/s3_client.py +++ b/backend/modules/file_storage/s3_client.py @@ -20,6 +20,14 @@ logger = logging.getLogger(__name__) +def _sanitize_for_logging(value: str) -> str: + """Sanitize user-controlled values for safe logging to prevent log injection attacks.""" + if isinstance(value, str): + # Escape or remove control characters that could enable log injection + return value.replace('\n', '\\n').replace('\r', '\\r').replace('\t', '\\t') + return str(value) + + class S3StorageClient: """Client for interacting with S3-compatible storage (MinIO/AWS S3).""" diff --git a/config/overrides/messages.txt b/config/overrides/messages.txt index e69de29..be4076a 100644 --- a/config/overrides/messages.txt +++ b/config/overrides/messages.txt @@ -0,0 +1 @@ +This is a test message. diff --git a/frontend/src/components/SettingsPanel.jsx b/frontend/src/components/SettingsPanel.jsx index 5491581..f41bb7e 100644 --- a/frontend/src/components/SettingsPanel.jsx +++ b/frontend/src/components/SettingsPanel.jsx @@ -5,7 +5,8 @@ const SettingsPanel = ({ isOpen, onClose }) => { // Default settings const defaultSettings = { llmTemperature: 0.7, - maxIterations: 10 + maxIterations: 10, + agentLoopStrategy: 'think-act' } // State for settings @@ -149,6 +150,34 @@ const SettingsPanel = ({ isOpen, onClose }) => { + {/* Agent Loop Strategy Setting */} +
+
+ + + {settings.agentLoopStrategy === 'react' ? 'ReAct' : 'Think-Act'} + +
+
+ +

+ Think-Act: Concise, unified reasoning approach. + Faster iterations with fewer LLM calls. Better for most workflows and quick tasks. +

+

+ ReAct: Structured reasoning with Reason-Act-Observe phases. + Better for complex tasks requiring multiple tools and detailed planning. Slower but more thorough. +

+
+
+ {/* Future Settings Placeholder */}

Coming Soon

diff --git a/frontend/src/contexts/ChatContext.jsx b/frontend/src/contexts/ChatContext.jsx index e529ab1..6a7ef27 100644 --- a/frontend/src/contexts/ChatContext.jsx +++ b/frontend/src/contexts/ChatContext.jsx @@ -104,6 +104,7 @@ export const ChatProvider = ({ children }) => { agent_mode: agent.agentModeEnabled, agent_max_steps: settings.maxIterations || agent.agentMaxSteps, temperature: settings.llmTemperature || 0.7, + agent_loop_strategy: settings.agentLoopStrategy || 'think-act', }) }, [addMessage, currentModel, selectedTools, selectedPrompts, selectedDataSources, config, selections.toolChoiceRequired, selections, agent, files, isWelcomeVisible, sendMessage, settings]) diff --git a/frontend/src/hooks/useSettings.js b/frontend/src/hooks/useSettings.js index 69ee663..a3acde0 100644 --- a/frontend/src/hooks/useSettings.js +++ b/frontend/src/hooks/useSettings.js @@ -2,7 +2,8 @@ import { useState, useEffect } from 'react' const DEFAULT_SETTINGS = { llmTemperature: 0.7, - maxIterations: 10 + maxIterations: 10, + agentLoopStrategy: 'think-act' } export function useSettings() { From a16e23ad21e112009ac10947f5746766c08dca55 Mon Sep 17 00:00:00 2001 From: Anthony Date: Tue, 28 Oct 2025 01:24:48 +0000 Subject: [PATCH 14/17] feat: Add custom output filename parameter to json_to_pptx tool - Introduced new `output_filename` parameter with default "presentation" - Added `_sanitize_filename` helper to clean filenames (remove non-alphanumeric/underscore/dash, truncate to 50 chars) - Updated output paths for PPTX/HTML to use sanitized custom names instead of hardcoded ones - Reflected changes in artifacts, metadata, and display primary file references - Improves file identification for generated presentations and exports when used across multiple instances --- backend/mcp/pptx_generator/main.py | 52 +++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 16 deletions(-) diff --git a/backend/mcp/pptx_generator/main.py b/backend/mcp/pptx_generator/main.py index 3c407bb..e7ef930 100644 --- a/backend/mcp/pptx_generator/main.py +++ b/backend/mcp/pptx_generator/main.py @@ -65,6 +65,16 @@ mcp = FastMCP("pptx_generator") +def _sanitize_filename(filename: str, max_length: int = 50) -> str: + """Sanitize filename by removing bad characters and truncating.""" + import re + # Remove bad characters (anything not alphanumeric, underscore, or dash) + sanitized = re.sub(r'[^\w\-]', '', filename) + # Remove newlines and extra spaces + sanitized = re.sub(r'\s+', '', sanitized) + # Truncate to max length + return sanitized[:max_length] if sanitized else "presentation" + def _is_backend_download_path(s: str) -> bool: """Detect backend-relative download paths like /api/files/download/....""" return isinstance(s, str) and s.startswith("/api/files/download/") @@ -166,6 +176,7 @@ def _add_image_to_slide(slide_obj, image_bytes: bytes, left: Inches = Inches(1), @mcp.tool def json_to_pptx( input_data: Annotated[str, "JSON string containing slide data in this format: {\"slides\": [{\"title\": \"Slide 1\", \"content\": \"- Item 1\\n- Item 2\\n- Item 3\"}, {\"title\": \"Slide 2\", \"content\": \"- Item A\\n- Item B\"}]}"], + output_filename: Annotated[str, "Base name for output files (without extension)"] = "presentation", image_filename: Annotated[str, "Optional image filename to integrate into the presentation"] = "", image_data_base64: Annotated[str, "Framework may supply Base64 image content as fallback"] = "" ) -> Dict[str, Any]: @@ -239,6 +250,7 @@ def json_to_pptx( Args: input_data: JSON string with slide definitions (title and content pairs with bullet points) + output_filename: Base name for output files (without extension, default: "presentation") image_filename: Optional image file to embed in presentation (supports various formats) image_data_base64: Alternative Base64-encoded image content (automatically provided by framework) @@ -252,6 +264,9 @@ def json_to_pptx( """ print("Starting json_to_pptx execution...") try: + # Sanitize the output filename + output_filename = _sanitize_filename(output_filename) + import json data = json.loads(input_data) @@ -330,13 +345,13 @@ def json_to_pptx( # Write outputs to a temporary directory and clean up after encoding with tempfile.TemporaryDirectory() as tmpdir: # Save presentation - pptx_output_path = os.path.join(tmpdir, "output_presentation.pptx") + pptx_output_path = os.path.join(tmpdir, f"output_{output_filename}.pptx") prs.save(pptx_output_path) if VERBOSE: logger.info(f"Saved PowerPoint presentation to {pptx_output_path}") # Create HTML file instead of PDF - html_output_path = os.path.join(tmpdir, "output_presentation.html") + html_output_path = os.path.join(tmpdir, f"output_{output_filename}.html") if VERBOSE: logger.info(f"Starting HTML creation to {html_output_path}") @@ -440,7 +455,7 @@ def json_to_pptx( # Prepare artifacts artifacts = [ { - "name": "presentation.pptx", + "name": f"{output_filename}.pptx", "b64": pptx_b64, "mime": "application/vnd.openxmlformats-officedocument.presentationml.presentation", } @@ -449,7 +464,7 @@ def json_to_pptx( # Add HTML if creation was successful if html_b64: artifacts.append({ - "name": "presentation.html", + "name": f"{output_filename}.html", "b64": html_b64, "mime": "text/html", }) @@ -469,14 +484,14 @@ def json_to_pptx( "artifacts": artifacts, "display": { "open_canvas": True, - "primary_file": "presentation.pptx", + "primary_file": f"{output_filename}.pptx", "mode": "replace", "viewer_hint": "powerpoint", }, "meta_data": { "generated_slides": len(slides), - "output_files": [f"presentation.pptx", "presentation.html"] if html_b64 else ["presentation.pptx"], - "output_file_paths": ["temp:output_presentation.pptx", "temp:output_presentation.html"] if html_b64 else ["temp:output_presentation.pptx"], + "output_files": [f"{output_filename}.pptx", f"{output_filename}.html"] if html_b64 else [f"{output_filename}.pptx"], + "output_file_paths": [f"temp:output_{output_filename}.pptx", f"temp:output_{output_filename}.html"] if html_b64 else [f"temp:output_{output_filename}.pptx"], }, } except Exception as e: @@ -488,17 +503,19 @@ def json_to_pptx( @mcp.tool def markdown_to_pptx( markdown_content: Annotated[str, "Markdown content with headers (# or ##) as slide titles and content below each header"], + output_filename: Annotated[str, "Base name for output files (without extension)"] = "presentation", image_filename: Annotated[str, "Optional image filename to integrate into the presentation"] = "", image_data_base64: Annotated[str, "Framework may supply Base64 image content as fallback"] = "" ) -> Dict[str, Any]: """ Converts markdown content to PowerPoint presentation with support for bullet point lists and optional image integration - + Args: markdown_content: Markdown content where headers (# or ##) become slide titles and content below becomes slide content + output_filename: Base name for output files (without extension, default: "presentation") image_filename: Optional image filename to integrate into the presentation image_data_base64: Framework may supply Base64 image content as fallback - + Returns: Dictionary with 'results' and 'artifacts' keys: - 'results': Success message or error message @@ -507,6 +524,9 @@ def markdown_to_pptx( if VERBOSE: logger.info("Starting markdown_to_pptx execution...") try: + # Sanitize the output filename + output_filename = _sanitize_filename(output_filename) + # Parse markdown into slides slides = _parse_markdown_slides(markdown_content) if VERBOSE: @@ -588,13 +608,13 @@ def markdown_to_pptx( # Write outputs to a temporary directory and clean up after encoding with tempfile.TemporaryDirectory() as tmpdir: # Save presentation - pptx_output_path = os.path.join(tmpdir, "output_presentation.pptx") + pptx_output_path = os.path.join(tmpdir, f"output_{output_filename}.pptx") prs.save(pptx_output_path) if VERBOSE: logger.info(f"Saved PowerPoint presentation to {pptx_output_path}") # Create HTML file instead of PDF - html_output_path = os.path.join(tmpdir, "output_presentation.html") + html_output_path = os.path.join(tmpdir, f"output_{output_filename}.html") if VERBOSE: logger.info(f"Starting HTML creation to {html_output_path}") @@ -711,7 +731,7 @@ def markdown_to_pptx( # Prepare artifacts artifacts = [ { - "name": "presentation.pptx", + "name": f"{output_filename}.pptx", "b64": pptx_b64, "mime": "application/vnd.openxmlformats-officedocument.presentationml.presentation", } @@ -720,7 +740,7 @@ def markdown_to_pptx( # Add HTML if creation was successful if html_b64: artifacts.append({ - "name": "presentation.html", + "name": f"{output_filename}.html", "b64": html_b64, "mime": "text/html", }) @@ -740,14 +760,14 @@ def markdown_to_pptx( "artifacts": artifacts, "display": { "open_canvas": True, - "primary_file": "presentation.pptx", + "primary_file": f"{output_filename}.pptx", "mode": "replace", "viewer_hint": "powerpoint", }, "meta_data": { "generated_slides": len(slides), - "output_files": [f"presentation.pptx", "presentation.html"] if html_b64 else ["presentation.pptx"], - "output_file_paths": ["temp:output_presentation.pptx", "temp:output_presentation.html"] if html_b64 else ["temp:output_presentation.pptx"], + "output_files": [f"{output_filename}.pptx", f"{output_filename}.html"] if html_b64 else [f"{output_filename}.pptx"], + "output_file_paths": [f"temp:output_{output_filename}.pptx", f"temp:output_{output_filename}.html"] if html_b64 else [f"temp:output_{output_filename}.pptx"], }, } except Exception as e: From dbc1735882268ba2b9327d6425113068ad5cb177 Mon Sep 17 00:00:00 2001 From: Anthony Date: Tue, 28 Oct 2025 01:29:18 +0000 Subject: [PATCH 15/17] feat: make pptx tool parameters optional for improved flexibility Update json_to_pptx and markdown_to_pptx function signatures to accept Annotated[Optional[str], ...] instead of Annotated[str, ...] for output_filename, image_filename, and image_data_base64 parameters. Add None-handling logic in function bodies to use default values ("presentation" for output_filename, empty strings otherwise), preventing potential errors from None inputs and enhancing API robustness and usability. --- backend/mcp/pptx_generator/main.py | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/backend/mcp/pptx_generator/main.py b/backend/mcp/pptx_generator/main.py index e7ef930..88ed1c6 100644 --- a/backend/mcp/pptx_generator/main.py +++ b/backend/mcp/pptx_generator/main.py @@ -176,9 +176,9 @@ def _add_image_to_slide(slide_obj, image_bytes: bytes, left: Inches = Inches(1), @mcp.tool def json_to_pptx( input_data: Annotated[str, "JSON string containing slide data in this format: {\"slides\": [{\"title\": \"Slide 1\", \"content\": \"- Item 1\\n- Item 2\\n- Item 3\"}, {\"title\": \"Slide 2\", \"content\": \"- Item A\\n- Item B\"}]}"], - output_filename: Annotated[str, "Base name for output files (without extension)"] = "presentation", - image_filename: Annotated[str, "Optional image filename to integrate into the presentation"] = "", - image_data_base64: Annotated[str, "Framework may supply Base64 image content as fallback"] = "" + output_filename: Annotated[Optional[str], "Base name for output files (without extension)"] = "presentation", + image_filename: Annotated[Optional[str], "Optional image filename to integrate into the presentation"] = "", + image_data_base64: Annotated[Optional[str], "Framework may supply Base64 image content as fallback"] = "" ) -> Dict[str, Any]: """ Create professional PowerPoint presentations from structured JSON data with advanced formatting and multimedia support. @@ -264,8 +264,10 @@ def json_to_pptx( """ print("Starting json_to_pptx execution...") try: - # Sanitize the output filename - output_filename = _sanitize_filename(output_filename) + # Handle None values and sanitize the output filename + image_filename = image_filename or "" + image_data_base64 = image_data_base64 or "" + output_filename = _sanitize_filename(output_filename or "presentation") import json data = json.loads(input_data) @@ -503,9 +505,9 @@ def json_to_pptx( @mcp.tool def markdown_to_pptx( markdown_content: Annotated[str, "Markdown content with headers (# or ##) as slide titles and content below each header"], - output_filename: Annotated[str, "Base name for output files (without extension)"] = "presentation", - image_filename: Annotated[str, "Optional image filename to integrate into the presentation"] = "", - image_data_base64: Annotated[str, "Framework may supply Base64 image content as fallback"] = "" + output_filename: Annotated[Optional[str], "Base name for output files (without extension)"] = "presentation", + image_filename: Annotated[Optional[str], "Optional image filename to integrate into the presentation"] = "", + image_data_base64: Annotated[Optional[str], "Framework may supply Base64 image content as fallback"] = "" ) -> Dict[str, Any]: """ Converts markdown content to PowerPoint presentation with support for bullet point lists and optional image integration @@ -524,8 +526,10 @@ def markdown_to_pptx( if VERBOSE: logger.info("Starting markdown_to_pptx execution...") try: - # Sanitize the output filename - output_filename = _sanitize_filename(output_filename) + # Handle None values and sanitize the output filename + image_filename = image_filename or "" + image_data_base64 = image_data_base64 or "" + output_filename = _sanitize_filename(output_filename or "presentation") # Parse markdown into slides slides = _parse_markdown_slides(markdown_content) From ff84b40e6cf61f48cdddca412cfe0ad76d581b88 Mon Sep 17 00:00:00 2001 From: Anthony Date: Wed, 29 Oct 2025 01:17:22 +0000 Subject: [PATCH 16/17] feat(agent): introduce act loop strategy with pure action execution - Add ActAgentLoop for fast, minimal-overhead tasks without reasoning steps - Update AgentLoopFactory to register "act" strategy - Document new strategy in CLAUDE.md alongside existing ReAct and Think-Act loops - Add file naming guidelines and emoji policy to CLAUDE.md - Mark agent start events with strategy type for better traceability --- CLAUDE.md | 18 +- backend/application/chat/agent/act_loop.py | 173 ++++++++++++ backend/application/chat/agent/factory.py | 4 + backend/application/chat/agent/react_loop.py | 6 +- .../application/chat/agent/think_act_loop.py | 108 ++++---- backend/application/chat/service.py | 2 +- backend/modules/llm/litellm_caller.py | 6 +- config/overrides/llmconfig.yml | 4 +- docs/service-refactor-plan.md | 256 ++++++++++++++++++ frontend/src/components/SettingsPanel.jsx | 7 +- .../src/handlers/chat/websocketHandlers.js | 2 +- 11 files changed, 513 insertions(+), 73 deletions(-) create mode 100644 backend/application/chat/agent/act_loop.py create mode 100644 docs/service-refactor-plan.md diff --git a/CLAUDE.md b/CLAUDE.md index f6a66df..ab86e49 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -14,7 +14,9 @@ Atlas UI 3 is a full-stack LLM chat interface with Model Context Protocol (MCP) # Style note -No Emojis should ever be added in this repo. If you find one, then remove it. +No Emojis should ever be added in this repo. If you find one, then remove it. + +**File Naming**: Do not use generic names like `main.py`, `cli.py`, `utils.py`, or `helpers.py`. Use descriptive names that reflect the file's purpose (e.g., `chat_service.py`, `mcp_tool_manager.py`, `websocket_handler.py`). Exception: top-level entry points like `backend/main.py` are acceptable. # Tests @@ -166,9 +168,10 @@ backend/ 1. **Protocol-Based Dependency Injection**: Uses Python `Protocol` (structural subtyping) instead of ABC inheritance for loose coupling -2. **Agent Loop Strategy Pattern**: Two implementations selectable via `APP_AGENT_LOOP_STRATEGY`: - - `ReActAgentLoop`: Reasoning-Act (faster, better for tools) - - `ThinkActAgentLoop`: Extended thinking (slower, complex reasoning) +2. **Agent Loop Strategy Pattern**: Three implementations selectable via `APP_AGENT_LOOP_STRATEGY`: + - `react`: Reason-Act-Observe cycle (structured reasoning) + - `think-act`: Extended thinking (slower, complex reasoning) + - `act`: Pure action loop (fastest, minimal overhead) 3. **MCP Transport Auto-Detection**: Automatically detects stdio, HTTP, or SSE based on config @@ -232,9 +235,10 @@ MCP servers defined in `config/defaults/mcp.json`. The backend: 4. Supports group-based access control ### Agent Modes -Two agent loop strategies implement different reasoning patterns: -- **ReAct** (`backend/application/chat/agent/react_agent_loop.py`): Fast iteration, good for tool-heavy tasks -- **Think-Act** (`backend/application/chat/agent/think_act_agent_loop.py`): Deep reasoning, slower but more thoughtful +Three agent loop strategies implement different reasoning patterns: +- **ReAct** (`backend/application/chat/agent/react_loop.py`): Reason-Act-Observe cycle, good for tool-heavy tasks with structured reasoning +- **Think-Act** (`backend/application/chat/agent/think_act_loop.py`): Deep reasoning with explicit thinking steps, slower but more thoughtful +- **Act** (`backend/application/chat/agent/act_loop.py`): Pure action loop without explicit reasoning steps, fastest with minimal overhead. LLM calls tools directly and signals completion via the "finished" tool ### File Storage S3-compatible storage via `backend/modules/file_storage/s3_client.py`: diff --git a/backend/application/chat/agent/act_loop.py b/backend/application/chat/agent/act_loop.py new file mode 100644 index 0000000..4b7169d --- /dev/null +++ b/backend/application/chat/agent/act_loop.py @@ -0,0 +1,173 @@ +from __future__ import annotations + +import json +from typing import Any, Dict, List, Optional + +from interfaces.llm import LLMProtocol +from interfaces.tools import ToolManagerProtocol +from modules.prompts.prompt_provider import PromptProvider + +from .protocols import AgentContext, AgentEvent, AgentEventHandler, AgentLoopProtocol, AgentResult +from ..utilities import error_utils, tool_utils + + +class ActAgentLoop(AgentLoopProtocol): + """Pure action agent loop - just execute tools in a loop until done. + + No explicit reasoning or observation steps. The LLM directly decides which + tools to call and when to finish. Fastest strategy with minimal overhead. + + Exit conditions: + - LLM calls the "finished" tool with a final_answer + - No tool calls returned (LLM provides text response) + - Max steps reached + """ + + def __init__( + self, + *, + llm: LLMProtocol, + tool_manager: Optional[ToolManagerProtocol], + prompt_provider: Optional[PromptProvider], + connection: Any = None, + ) -> None: + self.llm = llm + self.tool_manager = tool_manager + self.prompt_provider = prompt_provider + self.connection = connection + + def _extract_finished_args(self, tool_calls: List[Dict[str, Any]]) -> Optional[str]: + """Extract final_answer from finished tool call if present.""" + try: + for tc in tool_calls: + f = tc.get("function") if isinstance(tc, dict) else None + if f and f.get("name") == "finished": + raw_args = f.get("arguments") + if isinstance(raw_args, str): + try: + args = json.loads(raw_args) + return args.get("final_answer") + except Exception: + return None + if isinstance(raw_args, dict): + return raw_args.get("final_answer") + return None + except Exception: + return None + + async def run( + self, + *, + model: str, + messages: List[Dict[str, Any]], + context: AgentContext, + selected_tools: Optional[List[str]], + data_sources: Optional[List[str]], + max_steps: int, + temperature: float, + event_handler: AgentEventHandler, + ) -> AgentResult: + await event_handler(AgentEvent(type="agent_start", payload={"max_steps": max_steps, "strategy": "act"})) + + steps = 0 + final_answer: Optional[str] = None + + # Define the "finished" control tool + finished_tool_schema = { + "type": "function", + "function": { + "name": "finished", + "description": "Call this when you have completed the task and are ready to provide a final answer to the user.", + "parameters": { + "type": "object", + "properties": { + "final_answer": { + "type": "string", + "description": "The final response to provide to the user", + }, + }, + "required": ["final_answer"], + "additionalProperties": False, + }, + }, + } + + while steps < max_steps and final_answer is None: + steps += 1 + await event_handler(AgentEvent(type="agent_turn_start", payload={"step": steps})) + + # Build tools schema: user tools + finished tool + tools_schema: List[Dict[str, Any]] = [finished_tool_schema] + if selected_tools and self.tool_manager: + user_tools = await error_utils.safe_get_tools_schema(self.tool_manager, selected_tools) + tools_schema.extend(user_tools) + + # Call LLM with tools + if data_sources and context.user_email: + llm_response = await self.llm.call_with_rag_and_tools( + model, messages, data_sources, tools_schema, context.user_email, "required", temperature=temperature + ) + else: + llm_response = await self.llm.call_with_tools( + model, messages, tools_schema, "required", temperature=temperature + ) + + # Process response + if llm_response.has_tool_calls(): + tool_calls = llm_response.tool_calls or [] + + # Check if finished tool was called + final_answer = self._extract_finished_args(tool_calls) + if final_answer: + break + + # Execute first non-finished tool call + first_call = None + for tc in tool_calls: + f = tc.get("function") if isinstance(tc, dict) else None + if f and f.get("name") != "finished": + first_call = tc + break + + if first_call is None: + # Only finished tool or no valid tools + final_answer = llm_response.content or "Task completed." + break + + # Execute the tool + messages.append({ + "role": "assistant", + "content": llm_response.content, + "tool_calls": [first_call], + }) + + result = await tool_utils.execute_single_tool( + tool_call=first_call, + session_context={ + "session_id": context.session_id, + "user_email": context.user_email, + "files": context.files, + }, + tool_manager=self.tool_manager, + update_callback=(self.connection.send_json if self.connection else None), + ) + + messages.append({ + "role": "tool", + "content": result.content, + "tool_call_id": result.tool_call_id, + }) + + # Emit tool results for artifact ingestion + await event_handler(AgentEvent(type="agent_tool_results", payload={"results": [result]})) + else: + # No tool calls - treat content as final answer + final_answer = llm_response.content or "Task completed." + break + + # Fallback if no final answer after max steps + if not final_answer: + final_answer = await self.llm.call_plain(model, messages, temperature=temperature) + + await event_handler(AgentEvent(type="agent_completion", payload={"steps": steps})) + return AgentResult(final_answer=final_answer, steps=steps, metadata={"agent_mode": True, "strategy": "act"}) diff --git a/backend/application/chat/agent/factory.py b/backend/application/chat/agent/factory.py index c26dc9c..9ea90d6 100644 --- a/backend/application/chat/agent/factory.py +++ b/backend/application/chat/agent/factory.py @@ -11,6 +11,7 @@ from .protocols import AgentLoopProtocol from .react_loop import ReActAgentLoop from .think_act_loop import ThinkActAgentLoop +from .act_loop import ActAgentLoop logger = logging.getLogger(__name__) @@ -50,6 +51,7 @@ def __init__( "think-act": ThinkActAgentLoop, "think_act": ThinkActAgentLoop, "thinkact": ThinkActAgentLoop, + "act": ActAgentLoop, } # Cache of instantiated loops for performance @@ -114,6 +116,8 @@ def get_available_strategies(self) -> list[str]: unique_strategies.add("react") elif strategy in ("think-act", "think_act", "thinkact"): unique_strategies.add("think-act") + elif strategy in ("act",): + unique_strategies.add("act") return sorted(unique_strategies) def register_strategy(self, name: str, loop_class: type[AgentLoopProtocol]) -> None: diff --git a/backend/application/chat/agent/react_loop.py b/backend/application/chat/agent/react_loop.py index 4e04095..0c271cc 100644 --- a/backend/application/chat/agent/react_loop.py +++ b/backend/application/chat/agent/react_loop.py @@ -100,7 +100,7 @@ async def run( event_handler: AgentEventHandler, ) -> AgentResult: # Agent start - await event_handler(AgentEvent(type="agent_start", payload={"max_steps": max_steps})) + await event_handler(AgentEvent(type="agent_start", payload={"max_steps": max_steps, "strategy": "react"})) steps = 0 final_response: Optional[str] = None @@ -213,11 +213,11 @@ async def run( if tools_schema: if data_sources and context.user_email: llm_response = await self.llm.call_with_rag_and_tools( - model, messages, data_sources, tools_schema, context.user_email, "auto", temperature=temperature + model, messages, data_sources, tools_schema, context.user_email, "required", temperature=temperature ) else: llm_response = await self.llm.call_with_tools( - model, messages, tools_schema, "auto", temperature=temperature + model, messages, tools_schema, "required", temperature=temperature ) if llm_response.has_tool_calls(): diff --git a/backend/application/chat/agent/think_act_loop.py b/backend/application/chat/agent/think_act_loop.py index 7c254b5..41f8b0a 100644 --- a/backend/application/chat/agent/think_act_loop.py +++ b/backend/application/chat/agent/think_act_loop.py @@ -45,7 +45,7 @@ async def run( temperature: float, event_handler: AgentEventHandler, ) -> AgentResult: - await event_handler(AgentEvent(type="agent_start", payload={"max_steps": max_steps})) + await event_handler(AgentEvent(type="agent_start", payload={"max_steps": max_steps, "strategy": "think-act"})) steps = 0 final_answer: Optional[str] = None @@ -96,65 +96,67 @@ def parse_args(resp: LLMResponse) -> Dict[str, Any]: async def emit_think(text: str, step: int) -> None: await event_handler(AgentEvent(type="agent_reason", payload={"message": text, "step": step})) - # First think + # First think - ALWAYS happens before entering the loop steps += 1 await event_handler(AgentEvent(type="agent_turn_start", payload={"step": steps})) first_think = await self.llm.call_with_tools(model, messages, think_tools_schema, "required", temperature=temperature) think_args = parse_args(first_think) await emit_think(first_think.content or "", steps) + + # Check if we can finish immediately after first think if think_args.get("finish"): final_answer = think_args.get("final_answer") or first_think.content - else: - # Action loop - while steps < max_steps and final_answer is None: - # Act: single tool selection and execution - tools_schema: List[Dict[str, Any]] = [] - if selected_tools and self.tool_manager: - tools_schema = await error_utils.safe_get_tools_schema(self.tool_manager, selected_tools) - - if tools_schema: - if data_sources and context.user_email: - llm_response = await self.llm.call_with_rag_and_tools( - model, messages, data_sources, tools_schema, context.user_email, "auto", temperature=temperature - ) - else: - llm_response = await self.llm.call_with_tools( - model, messages, tools_schema, "auto", temperature=temperature - ) - - if llm_response.has_tool_calls(): - first_call = (llm_response.tool_calls or [None])[0] - if first_call is None: - final_answer = llm_response.content or "" - break - messages.append({"role": "assistant", "content": llm_response.content, "tool_calls": [first_call]}) - result = await tool_utils.execute_single_tool( - tool_call=first_call, - session_context={ - "session_id": context.session_id, - "user_email": context.user_email, - "files": context.files, - }, - tool_manager=self.tool_manager, - update_callback=(self.connection.send_json if self.connection else None), - ) - messages.append({"role": "tool", "content": result.content, "tool_call_id": result.tool_call_id}) - # Notify service to ingest artifacts - await event_handler(AgentEvent(type="agent_tool_results", payload={"results": [result]})) - else: - if llm_response.content: - final_answer = llm_response.content - break - - # Think after action - steps += 1 - await event_handler(AgentEvent(type="agent_turn_start", payload={"step": steps})) - think_resp = await self.llm.call_with_tools(model, messages, think_tools_schema, "required", temperature=temperature) - think_args = parse_args(think_resp) - await emit_think(think_resp.content or "", steps) - if think_args.get("finish"): - final_answer = think_args.get("final_answer") or think_resp.content - break + + # Action loop - entered after first think + while steps < max_steps and final_answer is None: + # Act: single tool selection and execution + tools_schema: List[Dict[str, Any]] = [] + if selected_tools and self.tool_manager: + tools_schema = await error_utils.safe_get_tools_schema(self.tool_manager, selected_tools) + + if tools_schema: + if data_sources and context.user_email: + llm_response = await self.llm.call_with_rag_and_tools( + model, messages, data_sources, tools_schema, context.user_email, "required", temperature=temperature + ) + else: + llm_response = await self.llm.call_with_tools( + model, messages, tools_schema, "required", temperature=temperature + ) + + if llm_response.has_tool_calls(): + first_call = (llm_response.tool_calls or [None])[0] + if first_call is None: + final_answer = llm_response.content or "" + break + messages.append({"role": "assistant", "content": llm_response.content, "tool_calls": [first_call]}) + result = await tool_utils.execute_single_tool( + tool_call=first_call, + session_context={ + "session_id": context.session_id, + "user_email": context.user_email, + "files": context.files, + }, + tool_manager=self.tool_manager, + update_callback=(self.connection.send_json if self.connection else None), + ) + messages.append({"role": "tool", "content": result.content, "tool_call_id": result.tool_call_id}) + # Notify service to ingest artifacts + await event_handler(AgentEvent(type="agent_tool_results", payload={"results": [result]})) + else: + if llm_response.content: + final_answer = llm_response.content + break + + # Think after action + steps += 1 + await event_handler(AgentEvent(type="agent_turn_start", payload={"step": steps})) + think_resp = await self.llm.call_with_tools(model, messages, think_tools_schema, "required", temperature=temperature) + think_args = parse_args(think_resp) + await emit_think(think_resp.content or "", steps) + if think_args.get("finish"): + final_answer = think_args.get("final_answer") or think_resp.content + break if not final_answer: final_answer = await self.llm.call_plain(model, messages, temperature=temperature) diff --git a/backend/application/chat/service.py b/backend/application/chat/service.py index f3f3e58..d1352ab 100644 --- a/backend/application/chat/service.py +++ b/backend/application/chat/service.py @@ -689,7 +689,7 @@ async def handle_event(evt: AgentEvent) -> None: p = evt.payload or {} # UI notifications (guard on connection) if et == "agent_start" and self.connection: - await notification_utils.notify_agent_update(update_type="agent_start", connection=self.connection, max_steps=p.get("max_steps")) + await notification_utils.notify_agent_update(update_type="agent_start", connection=self.connection, max_steps=p.get("max_steps"), strategy=p.get("strategy")) elif et == "agent_turn_start" and self.connection: await notification_utils.notify_agent_update(update_type="agent_turn_start", connection=self.connection, step=p.get("step")) elif et == "agent_reason" and self.connection: diff --git a/backend/modules/llm/litellm_caller.py b/backend/modules/llm/litellm_caller.py index 85fc3d3..8e4965a 100644 --- a/backend/modules/llm/litellm_caller.py +++ b/backend/modules/llm/litellm_caller.py @@ -191,12 +191,8 @@ async def call_with_tools( litellm_model = self._get_litellm_model_name(model_name) model_kwargs = self._get_model_kwargs(model_name, temperature) - # Handle tool_choice parameter - some providers don't support "required" + # Handle tool_choice parameter - try "required" first, fallback to "auto" if unsupported final_tool_choice = tool_choice - if tool_choice == "required": - # Try with "required" first, fallback to "auto" if unsupported - final_tool_choice = "auto" - logger.info(f"Using tool_choice='auto' instead of 'required' for better compatibility") try: total_chars = sum(len(str(msg.get('content', ''))) for msg in messages) diff --git a/config/overrides/llmconfig.yml b/config/overrides/llmconfig.yml index a94151c..31d4f69 100644 --- a/config/overrides/llmconfig.yml +++ b/config/overrides/llmconfig.yml @@ -10,9 +10,9 @@ models: openrouter-gpt-oss: model_url: "https://openrouter.ai/api/v1/chat/completions" - model_name: "openai/gpt-oss-20b" + model_name: "openai/gpt-oss-120b" api_key: "${OPENROUTER_API_KEY}" - description: "OpenRouter aggregated GPT-4o model" + description: "OpenRouter aggregated openai gpt-oss 120B model" extra_headers: HTTP-Referer: "${OPENROUTER_SITE_URL}" X-Title: "${OPENROUTER_SITE_NAME}" diff --git a/docs/service-refactor-plan.md b/docs/service-refactor-plan.md new file mode 100644 index 0000000..2443ad9 --- /dev/null +++ b/docs/service-refactor-plan.md @@ -0,0 +1,256 @@ +# Service Refactor Plan + +## Objective + +Make the backend—and especially `backend/application/chat/service.py`—clearer, more modular, and easier to test by separating concerns into well-defined layers and services, without changing behavior. + +--- + +## What’s off today + +From `backend/application/chat/service.py` and the current repo layout: + +- ChatService is doing too much: + - Session management (in-memory) + - Request orchestration and branching (plain, tools, RAG, agent) + - MCP prompt override injection + - Tool ACL filtering + - File ingestion and artifact persistence + - Agent-loop event translation to UI + - Streaming notifications + - Error wrapping +- Inconsistent message typing (`List[Dict[str, str]]` vs `List[Dict[str, Any]]`) and ad-hoc message shapes. +- Large handler `handle_chat_message` with many flags and deep branching logic. +- Inline authorization and inline prompt override hide important policies in orchestration code. +- Transport concerns (WebSocket streaming) are coupled into application logic via direct `connection` + `notification_utils` calls. +- Legacy remnants and duplication (commented-out older implementation blocks). + +Net effect: lower testability, higher change risk, and difficulty adding new modes/transports. + +--- + +## Target architecture (ports and adapters) + +- Domain (pure): entities/models, errors, value objects + - Existing: `domain/messages`, `domain/sessions`, `domain/errors` + - Add: typed DTOs where needed (LLMMessage, ChatRequest, ChatResponse) +- Application (use-cases/orchestration): + - ChatOrchestrator: single entrypoint that wires steps but delegates to strategies/services + - Mode runners/strategies: PlainMode, ToolsMode, RagMode, AgentMode + - Preprocessors: MessageBuilder (history + files manifest), PromptOverrideService (MCP), RiskCheck (optional) + - Policy services: ToolAuthorizationService (ACL filtering), ToolSelectionPolicy (required/auto) + - ArtifactIngestor: updates session context with tool artifacts and emits file/canvas updates + - SessionManager: get/create/update session (backed by repository) + - EventPublisher: abstraction for UI updates (no direct transport dependency) +- Interfaces (ports/contracts): + - LLMCaller (reuse `LLMProtocol`) + - ToolManager (existing interface), plus a PromptOverrideProvider port if helpful + - FileStorage (file_manager port) + - SessionRepository (in-memory now; replaceable later) + - EventPublisher (UI transport-agnostic) + - Authorization (tool ACL port) +- Infrastructure (adapters): + - WebSocketEventPublisher (wraps `notification_utils` and `connection.send_json`) + - MCP ToolManager adapter and MCP PromptProvider adapter + - S3/MinIO FileStorage adapter (existing) + - InMemorySessionRepository (drop-in for current dict) + - Config-backed AuthorizationManager adapter (wraps `create_authorization_manager()`) + +Outcome: ChatOrchestrator stays thin and stable; each part evolves independently with strong contracts. + +--- + +## Key design decisions + +- Strong DTOs + - ChatRequest: model, content, selected_tools, selected_prompts, selected_data_sources, flags, temperature, user_email + - ChatResponse: final text + metadata + - LLMMessage: type-safe shape used across runners (role, content, optional tool_calls) +- Strategies for modes + - PlainModeRunner: LLM plain + - ToolsModeRunner: tool schemas + LLM + tool workflow + final synthesis + - RagModeRunner: rag-aware call + - AgentModeRunner: bridges AgentLoopProtocol, delegates EventPublisher and ArtifactIngestor +- Preprocessing pipeline + - Build base messages (history + files manifest) + - Apply MCP prompt override (first valid only, as today) + - Optional risk scoring/logging (from `core.prompt_risk`) +- Policies extracted out of orchestrator + - ToolAuthorizationService handles ACL per user, including special cases (e.g., `canvas_canvas`) + - ToolSelectionPolicy enforces “required” vs “auto” +- Eventing decoupled + - EventPublisher abstracts all UI updates; mapping to `notification_utils` lives in infra + - Agent events translation moved to an AgentEventRelay using EventPublisher +- Session management separated + - SessionManager + SessionRepository port (keep in-memory impl initially) +- Cleanup + - Remove legacy commented code + - Normalize message typing and signatures (no more `Dict[str, Any]` everywhere) + +--- + +## Proposed file structure and new modules + +- `backend/application/chat/` + - `orchestrator.py` (ChatOrchestrator – replaces most of ChatService’s `handle_chat_message`) + - `service.py` (Thin façade delegating to Orchestrator; retains public API temporarily) + - `modes/` + - `plain.py` (PlainModeRunner) + - `tools.py` (ToolsModeRunner) + - `rag.py` (RagModeRunner) + - `agent.py` (AgentModeRunner; wraps AgentLoopFactory/Protocol and event relay) + - `preprocessors/` + - `message_builder.py` (history + files manifest) + - `prompt_override_service.py` (MCP prompt override extraction/injection) + - `risk_check.py` (optional prompt risk logger using `core.prompt_risk`) + - `policies/` + - `tool_authorization.py` (ACL filtering) + - `tool_selection.py` (required vs auto) + - `artifacts/` + - `ingestor.py` (wraps `file_utils.process_tool_artifacts` and session context updates) + - `events/` + - `publisher.py` (EventPublisher interface; could live under `interfaces/`) + - `agent_event_relay.py` (maps AgentEvents -> EventPublisher calls) + - `sessions/` + - `manager.py` (SessionManager orchestrates fetch/update) + - `repository.py` (SessionRepository port + InMemory implementation) +- `backend/interfaces/` + - `transport.py` (existing `ChatConnectionProtocol`; add `EventPublisher`) + - `tools.py` (existing `ToolManagerProtocol`; add prompt retrieval port if needed) + - `prompts.py` (PromptProvider / PromptOverrideProvider port) + - `storage.py` (FileStorage port if not already abstracted) + - `authorization.py` (AuthorizationManager port) + - `sessions.py` (SessionRepository port) +- `backend/infrastructure/` + - `events/websocket_publisher.py` (wraps `notification_utils` + connection) + - `prompts/mcp_prompt_provider.py` (bridge `tool_manager.get_prompt` to PromptOverrideProvider) + - `sessions/in_memory.py` (in-memory session repo) + - `authorization/manager_adapter.py` (wrap `create_authorization_manager()`) + +Note: keep existing utilities but progressively move their usage into the appropriate application/infrastructure modules. + +--- + +## Phased refactor roadmap (no behavior change per phase) + +Phase 0: Preparations +- Remove dead/commented blocks (old `_handle_tools_mode_with_utilities` copy). +- Introduce DTOs: ChatRequest, ChatResponse, LLMMessage. +- Normalize message typing in `ChatService` and internal methods. + +Phase 1: Extract policies and preprocessing (low-risk) +- Move Tool ACL filtering into `policies/tool_authorization.py`. +- Extract MCP prompt override logic into `preprocessors/prompt_override_service.py` with an adapter using current `tool_manager.get_prompt`. +- Extract message building (history + files manifest) into `preprocessors/message_builder.py`. +- Keep `ChatService` calling these new modules. + +Phase 2: EventPublisher and AgentEventRelay +- Create `events/publisher.py` interface and `infrastructure/events/websocket_publisher.py` implementation (wraps `notification_utils` and `connection.send_json`). +- Extract agent event mapping into `events/agent_event_relay.py`. +- Replace direct `notification_utils` calls in `ChatService` with EventPublisher calls through a thin wrapper, but keep `notification_utils` usage inside the infra publisher. + +Phase 3: Mode strategies +- Extract `_handle_plain_mode`, `_handle_tools_mode_with_utilities`, `_handle_rag_mode`, `_handle_agent_mode_via_loop` into separate classes under `modes/`. +- Keep `ChatService.handle_chat_message` delegating to the proper ModeRunner based on flags. +- Ensure tool workflow + artifact ingest path is preserved, but routed through `artifacts/ingestor.py`. + +Phase 4: Orchestrator + SessionManager +- Create `orchestrator.py` consolidating preprocessing, policy checks, mode dispatch, and event publisher wiring. +- `ChatService` becomes a thin façade: takes ChatRequest, delegates to Orchestrator. +- Introduce SessionManager + SessionRepository; replace internal `self.sessions` dict progressively. + +Phase 5: Cleanup and documentation +- Update docstrings and docs/architecture notes. +- Remove transport-level calls from application layer. +- Consolidate `error_utils` usage into well-defined error boundaries in orchestrator and runners. + +--- + +## Acceptance criteria + +- Behavior unchanged: + - Same inputs produce same UI updates and final assistant messages (including MCP prompt override behavior, tool ACL filtering, canvas/file events). + - Existing tests pass without modification. +- Type hygiene: + - No stray `Any` in new code paths; DTOs and protocols are typed. +- Clear separation: + - No transport-level imports or calls in application layer. + - Policies and preprocessing are not embedded in orchestrator code. +- Backwards compatibility: + - `ChatService` public method signatures preserved for at least one release cycle (wrapping Orchestrator). +- Observability: + - Logging remains at parity; sensitive fields still sanitized. + +--- + +## File-by-file highlights (first waves) + +- `backend/application/chat/service.py` + - Keep class but reduce responsibility: delegate to Orchestrator + - Remove inline tool ACL and prompt override; call services + - Remove commented legacy block + - Normalize messages typing via LLMMessage DTO +- `backend/application/chat/preprocessors/prompt_override_service.py` + - Move MCP prompt override injection logic; keep “first valid prompt” rule +- `backend/application/chat/policies/tool_authorization.py` + - Move ACL filtering logic, including `canvas_canvas` special-case and authorized server prefix check +- `backend/application/chat/modes/tools.py` + - Hold tool schema resolution, LLM call with tools, tool workflow execution, artifact ingest, final synthesis and event publishing via EventPublisher +- `backend/application/chat/modes/agent.py` + - Wrap AgentLoopFactory; use AgentEventRelay to publish updates and ingest artifacts +- `backend/application/chat/artifacts/ingestor.py` + - Wrap `file_utils.process_tool_artifacts` and session context updates +- `backend/infrastructure/events/websocket_publisher.py` + - All calls to `notification_utils.*` live here; application layer only publishes events + +--- + +## Testing and migration + +- Unit tests + - PromptOverrideService: parses and injects system message correctly from varying MCP prompt shapes + - ToolAuthorizationService: filters tools given user and servers, including underscore server names and the canvas special-case + - Mode runners: happy path + “no tool calls” path + failure path + - EventPublisher/WebSocketPublisher: calls the correct `notification_utils` functions +- Integration tests + - Full chat flow (plain, tools, rag, agent) using LLM/ToolManager fakes or existing mocks in `mocks/` + - Verify artifacts ingestion triggers file/canvas updates as before +- E2E + - Re-use `./test/run_tests.sh all` as-is (per project docs) +- Migration plan + - Phased PRs per phase above; each PR keeps tests green + - Introduce DTOs and strategies without changing routes or API payloads + - Keep `ChatService` API stable; wire new orchestrator under the hood +- Rollback plan + - Each phase is reversible by toggling orchestrator/strategy injection back to legacy code path for that mode + +--- + +## Risks and mitigations + +- Behavior drift in event ordering or content + - Mitigation: capture golden recordings of `notification_utils` calls in tests before refactor; assert on order and payloads +- Tool ACL discrepancies + - Mitigation: explicit tests with multiple server names (including underscores) and the canvas special-case +- Async/event coupling in Agent mode + - Mitigation: encapsulate AgentEventRelay; keep exact mapping semantics; add tests for sequence of events +- Message shape mismatches + - Mitigation: introduce LLMMessage early; add adapters where legacy dicts still exist +- MCP prompt variations + - Mitigation: preserve robust parsing with fallback to `str(prompt_obj)`; unit tests with multiple prompt shapes + +--- + +## Small adjacent improvements + +- Replace ad-hoc log sanitization calls with a `LogContext` helper used consistently. +- Cache tool schemas and MCP prompts per session to reduce repeated lookups. +- Standardize metadata keys in assistant messages, e.g., `{ "mode": "tools", "tools": [...], "data_sources": [...] }`. + +--- + +## Next steps + +- Start with Phase 1 (policies + preprocessors) — lowest risk, highest clarity gain. +- Scaffold modules and wire them into `ChatService` without changing behavior. +- Add focused unit tests for new modules and keep integration/E2E tests passing. diff --git a/frontend/src/components/SettingsPanel.jsx b/frontend/src/components/SettingsPanel.jsx index f41bb7e..6c8f841 100644 --- a/frontend/src/components/SettingsPanel.jsx +++ b/frontend/src/components/SettingsPanel.jsx @@ -155,7 +155,7 @@ const SettingsPanel = ({ isOpen, onClose }) => {
- {settings.agentLoopStrategy === 'react' ? 'ReAct' : 'Think-Act'} + {settings.agentLoopStrategy === 'react' ? 'ReAct' : settings.agentLoopStrategy === 'act' ? 'Act' : 'Think-Act'}
@@ -166,6 +166,7 @@ const SettingsPanel = ({ isOpen, onClose }) => { > +

Think-Act: Concise, unified reasoning approach. @@ -175,6 +176,10 @@ const SettingsPanel = ({ isOpen, onClose }) => { ReAct: Structured reasoning with Reason-Act-Observe phases. Better for complex tasks requiring multiple tools and detailed planning. Slower but more thorough.

+

+ Act: Pure action loop without explicit reasoning steps. + Fastest strategy with minimal overhead. LLM calls tools directly and signals completion via the "finished" tool. +

diff --git a/frontend/src/handlers/chat/websocketHandlers.js b/frontend/src/handlers/chat/websocketHandlers.js index 3a52552..988c8b5 100644 --- a/frontend/src/handlers/chat/websocketHandlers.js +++ b/frontend/src/handlers/chat/websocketHandlers.js @@ -22,7 +22,7 @@ export function createWebSocketHandler(deps) { const kind = data.update_type || data.type switch (kind) { case 'agent_start': - addMessage({ role: 'system', content: `Agent Mode Started (max steps: ${data.max_steps ?? '?'})`, type: 'agent_status', timestamp: new Date().toISOString(), agent_mode: true }) + addMessage({ role: 'system', content: `Agent Mode Started (strategy: ${data.strategy ?? 'unknown'}, max steps: ${data.max_steps ?? '?'})`, type: 'agent_status', timestamp: new Date().toISOString(), agent_mode: true }) break case 'agent_turn_start': { const step = data.step || data.turn || 1 From 48f063492f5e26064add5742380c9e691da875c6 Mon Sep 17 00:00:00 2001 From: Anthony Date: Wed, 29 Oct 2025 01:27:50 +0000 Subject: [PATCH 17/17] fix: address PR code review comments - Remove unused imports (Any, AgentLoopProtocol) - Add explanatory comment to empty except clause - Remove redundant 're' import in pptx_generator - Fix factory.py docstring (falls back instead of raising ValueError) - Add comments explaining tool_choice='required' with fallback logic - Rename 'sanitized' variable to 'cleaned_filename' for clarity Generated with Claude Code Co-Authored-By: Claude --- backend/application/chat/agent/act_loop.py | 3 ++- backend/application/chat/agent/factory.py | 8 ++++---- backend/application/chat/agent/react_loop.py | 2 ++ backend/application/chat/agent/think_act_loop.py | 2 ++ backend/application/chat/service.py | 3 ++- backend/mcp/pptx_generator/main.py | 7 +++---- 6 files changed, 15 insertions(+), 10 deletions(-) diff --git a/backend/application/chat/agent/act_loop.py b/backend/application/chat/agent/act_loop.py index 4b7169d..f74c818 100644 --- a/backend/application/chat/agent/act_loop.py +++ b/backend/application/chat/agent/act_loop.py @@ -102,7 +102,8 @@ async def run( user_tools = await error_utils.safe_get_tools_schema(self.tool_manager, selected_tools) tools_schema.extend(user_tools) - # Call LLM with tools + # Call LLM with tools - using "required" to force tool calling during Act phase + # The LiteLLM caller has fallback logic to "auto" if "required" is not supported if data_sources and context.user_email: llm_response = await self.llm.call_with_rag_and_tools( model, messages, data_sources, tools_schema, context.user_email, "required", temperature=temperature diff --git a/backend/application/chat/agent/factory.py b/backend/application/chat/agent/factory.py index 9ea90d6..c7538a5 100644 --- a/backend/application/chat/agent/factory.py +++ b/backend/application/chat/agent/factory.py @@ -1,7 +1,7 @@ """Factory for creating agent loop instances based on strategy.""" import logging -from typing import Any, Optional +from typing import Optional from interfaces.llm import LLMProtocol from interfaces.tools import ToolManagerProtocol @@ -62,13 +62,13 @@ def create(self, strategy: str = "think-act") -> AgentLoopProtocol: Create an agent loop instance for the given strategy. Args: - strategy: Strategy name (react, think-act, etc.) + strategy: Strategy name (react, think-act, act, etc.) Returns: AgentLoopProtocol instance - Raises: - ValueError: If strategy is not recognized + Note: + If the strategy is not recognized, falls back to 'react' with a warning. """ strategy_normalized = strategy.lower().strip() diff --git a/backend/application/chat/agent/react_loop.py b/backend/application/chat/agent/react_loop.py index 0c271cc..016ee3f 100644 --- a/backend/application/chat/agent/react_loop.py +++ b/backend/application/chat/agent/react_loop.py @@ -210,6 +210,8 @@ async def run( tools_schema = await error_utils.safe_get_tools_schema(self.tool_manager, selected_tools) tool_results: List[ToolResult] = [] + # Use "required" to force tool calling during Act phase + # The LiteLLM caller has fallback logic to "auto" if "required" is not supported if tools_schema: if data_sources and context.user_email: llm_response = await self.llm.call_with_rag_and_tools( diff --git a/backend/application/chat/agent/think_act_loop.py b/backend/application/chat/agent/think_act_loop.py index 41f8b0a..3447dc3 100644 --- a/backend/application/chat/agent/think_act_loop.py +++ b/backend/application/chat/agent/think_act_loop.py @@ -114,6 +114,8 @@ async def emit_think(text: str, step: int) -> None: if selected_tools and self.tool_manager: tools_schema = await error_utils.safe_get_tools_schema(self.tool_manager, selected_tools) + # Use "required" to force tool calling during Act phase + # The LiteLLM caller has fallback logic to "auto" if "required" is not supported if tools_schema: if data_sources and context.user_email: llm_response = await self.llm.call_with_rag_and_tools( diff --git a/backend/application/chat/service.py b/backend/application/chat/service.py index d1352ab..299ae00 100644 --- a/backend/application/chat/service.py +++ b/backend/application/chat/service.py @@ -24,7 +24,7 @@ # Import utilities from .utilities import tool_utils, file_utils, notification_utils, error_utils -from .agent import AgentLoopProtocol, AgentLoopFactory +from .agent import AgentLoopFactory from .agent.protocols import AgentContext, AgentEvent from core.prompt_risk import calculate_prompt_injection_risk, log_high_risk_event from core.auth_utils import create_authorization_manager @@ -90,6 +90,7 @@ def __init__( if config_strategy: self.default_agent_strategy = config_strategy.lower() except Exception: + # Ignore config errors - fall back to default strategy pass async def create_session( diff --git a/backend/mcp/pptx_generator/main.py b/backend/mcp/pptx_generator/main.py index 88ed1c6..4e1e742 100644 --- a/backend/mcp/pptx_generator/main.py +++ b/backend/mcp/pptx_generator/main.py @@ -67,13 +67,12 @@ def _sanitize_filename(filename: str, max_length: int = 50) -> str: """Sanitize filename by removing bad characters and truncating.""" - import re # Remove bad characters (anything not alphanumeric, underscore, or dash) - sanitized = re.sub(r'[^\w\-]', '', filename) + cleaned_filename = re.sub(r'[^\w\-]', '', filename) # Remove newlines and extra spaces - sanitized = re.sub(r'\s+', '', sanitized) + cleaned_filename = re.sub(r'\s+', '', cleaned_filename) # Truncate to max length - return sanitized[:max_length] if sanitized else "presentation" + return cleaned_filename[:max_length] if cleaned_filename else "presentation" def _is_backend_download_path(s: str) -> bool: """Detect backend-relative download paths like /api/files/download/...."""