Merge remote-tracking branch 'origin/main' into copilot/fix-access-denied-error

Author: garland3

.env.example

@@ -10,6 +10,12 @@ MOCK_RAG=true
 PORT=8000
 APP_NAME=Chat UI 13
 
+# Authentication configuration
+# Header name to extract authenticated username from reverse proxy
+# Different reverse proxy setups use different header names (e.g., X-User-Email, X-Authenticated-User, X-Remote-User)
+# Default: X-User-Email
+# AUTH_USER_HEADER=X-User-Email
+
 # Agent mode configuration
 AGENT_MAX_STEPS=10
 AGENT_DEFAULT_ENABLED=true
@@ -56,9 +62,9 @@ USE_NEW_FRONTEND=true
 #############################################
 FEATURE_WORKSPACES_ENABLED=false    # Workspace selector (none configured yet)
 FEATURE_RAG_ENABLED=false            # RAG sources (MOCK_RAG currently true)
-FEATURE_TOOLS_ENABLED=false          # MCP / tools panel
-FEATURE_MARKETPLACE_ENABLED=false   # Marketplace browsing (disabled)
-FEATURE_FILES_PANEL_ENABLED=false    # Uploaded/session files panel
+FEATURE_TOOLS_ENABLED=true          # MCP / tools panel
+FEATURE_MARKETPLACE_ENABLED=true   # Marketplace browsing (disabled)
+FEATURE_FILES_PANEL_ENABLED=true    # Uploaded/session files panel
 FEATURE_CHAT_HISTORY_ENABLED=false   # Previous chat history list
 FEATURE_COMPLIANCE_LEVELS_ENABLED=false  # Compliance level filtering for MCP servers and data sources
 

.github/copilot-instructions.md

@@ -34,7 +34,7 @@ frontend/ React 19 + Vite + Tailwind; state via contexts (Chat/WS/Marketplace)
 - Feature flags (AppSettings): FEATURE_TOOLS_ENABLED, FEATURE_RAG_MCP_ENABLED, FEATURE_COMPLIANCE_LEVELS_ENABLED, FEATURE_AGENT_MODE_AVAILABLE.
 
 ## MCP + RAG conventions
-- MCP servers live in mcp.json (tools/prompts) and mcp-rag.json (RAG-only inventory). Fields: groups, is_exclusive, transport|type, url|command/cwd, compliance_level.
+- MCP servers live in mcp.json (tools/prompts) and mcp-rag.json (RAG-only inventory). Fields: groups, transport|type, url|command/cwd, compliance_level.
 - Transport detection order: explicit transport → command (stdio) → URL protocol (http/sse) → type fallback.
 - Tool names exposed to LLM are fully-qualified: server_toolName. “canvas_canvas” is a pseudo-tool always available.
 - RAG over MCP tools expected: rag_discover_resources, rag_get_raw_results, optional rag_get_synthesized_results. RAG resources and servers may include complianceLevel.
@@ -68,4 +68,8 @@ frontend/ React 19 + Vite + Tailwind; state via contexts (Chat/WS/Marketplace)
 - Add a RAG provider: edit config/overrides/mcp-rag.json; ensure it exposes rag_* tools; UI consumes /api/config.rag_servers.
 - Change agent loop: set AGENT_LOOP_STRATEGY to react | think-act | act; ChatService uses app_settings.agent_loop_strategy.
 
-Common pitfalls: “uv not found” → install uv; frontend not loading → npm run build; missing tools → check MCP transport/URL and server logs; empty lists → check auth groups and compliance filtering.
+Common pitfalls: “uv not found” → install uv; frontend not loading → npm run build; missing tools → check MCP transport/URL and server logs; empty lists → check auth groups and compliance filtering.
+
+# Style
+
+No emojis please

.github/workflows/build-artifacts.yml

@@ -21,7 +21,7 @@ jobs:
     - name: Set up Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: '18'
+        node-version: '22.12'
         cache: 'npm'
         cache-dependency-path: frontend/package-lock.json
 

.github/workflows/ci.yml

@@ -73,4 +73,4 @@ jobs:
         build-args: |
           VITE_APP_NAME=Chat UI
         tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
+        labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -7,8 +7,13 @@ WORKDIR /app
 # Create non-root user
 RUN groupadd -r appuser && useradd -r -g appuser appuser
 
-# Install system dependencies including Python and Node.js
-RUN dnf update -y && dnf install -y     python3     python3-pip     python3-virtualenv     nodejs     npm     curl     hostname     sudo     && dnf clean all
+# Install system dependencies including Python
+RUN dnf update -y && dnf install -y     python3     python3-pip     python3-virtualenv     curl     hostname     sudo     && dnf clean all
+
+# Install Node.js 20.x from NodeSource
+RUN curl -fsSL https://rpm.nodesource.com/setup_20.x | bash - && \
+    dnf install -y nodejs && \
+    dnf clean all
 
 # Install uv for better Python dependency management
 RUN curl -LsSf https://astral.sh/uv/install.sh | sh && \

Dockerfile-test

@@ -7,20 +7,23 @@ WORKDIR /app
 # Create non-root user
 RUN groupadd -r appuser && useradd -r -g appuser appuser
 
-# Install system dependencies including Node.js
+# Install system dependencies
 RUN dnf update -y && dnf install -y \
     python3 \
     python3-pip \
     python3-virtualenv \
-    nodejs \
-    npm \
     curl \
     hostname \
     wget \
     ca-certificates \
     dos2unix \
     && dnf clean all
 
+# Install Node.js 20.x from NodeSource
+RUN curl -fsSL https://rpm.nodesource.com/setup_20.x | bash - && \
+    dnf install -y nodejs && \
+    dnf clean all
+
 # Install uv for better Python dependency management
 RUN curl -LsSf https://astral.sh/uv/install.sh | sh && \
     mkdir -p /root/.local/bin

backend/core/auth.py

@@ -61,7 +61,7 @@ async def is_user_in_group(user_id: str, group_id: str) -> bool:
 
 
 def get_user_from_header(x_email_header: Optional[str]) -> Optional[str]:
-    """Extract user email from X-User-Email header."""
+    """Extract user email from authentication header value."""
     if not x_email_header:
         return None
     return x_email_header.strip()

backend/core/middleware.py

@@ -17,9 +17,10 @@
 class AuthMiddleware(BaseHTTPMiddleware):
     """Middleware to handle authentication and logging."""
 
-    def __init__(self, app, debug_mode: bool = False):
+    def __init__(self, app, debug_mode: bool = False, auth_header_name: str = "X-User-Email"):
         super().__init__(app)
         self.debug_mode = debug_mode
+        self.auth_header_name = auth_header_name
 
     async def dispatch(self, request: Request, call_next) -> Response:
         # Log request
@@ -50,11 +51,11 @@ async def dispatch(self, request: Request, call_next) -> Response:
                 else:
                     logger.warning("Invalid capability token provided")
 
-        # Check authentication via X-User-Email header
+        # Check authentication via configured header (default: X-User-Email)
         user_email = None
         if self.debug_mode:
-            # In debug mode, honor X-User-Email header if provided, otherwise use config test user
-            x_email_header = request.headers.get('X-User-Email')
+            # In debug mode, honor auth header if provided, otherwise use config test user
+            x_email_header = request.headers.get(self.auth_header_name)
             if x_email_header:
                 user_email = get_user_from_header(x_email_header)
             else:
@@ -63,7 +64,7 @@ async def dispatch(self, request: Request, call_next) -> Response:
                 user_email = config_manager.app_settings.test_user
             # logger.info(f"Debug mode: using user {user_email}")
         else:
-            x_email_header = request.headers.get('X-User-Email')
+            x_email_header = request.headers.get(self.auth_header_name)
             user_email = get_user_from_header(x_email_header)
 
             if not user_email:
@@ -72,7 +73,7 @@ async def dispatch(self, request: Request, call_next) -> Response:
                     logger.warning(f"Missing authentication for API endpoint: {request.url.path}")
                     raise HTTPException(status_code=401, detail="Unauthorized")
                 else:
-                    logger.warning("Missing X-User-Email, redirecting to auth")
+                    logger.warning(f"Missing {self.auth_header_name}, redirecting to auth")
                     return RedirectResponse(url="/auth", status_code=302)
 
         # Add user to request state

backend/main.py

@@ -124,7 +124,11 @@ async def lifespan(app: FastAPI):
 """
 app.add_middleware(SecurityHeadersMiddleware)
 app.add_middleware(RateLimitMiddleware)
-app.add_middleware(AuthMiddleware, debug_mode=config.app_settings.debug_mode)
+app.add_middleware(
+    AuthMiddleware, 
+    debug_mode=config.app_settings.debug_mode,
+    auth_header_name=config.app_settings.auth_user_header
+)
 
 # Include essential routes (add files API)
 app.include_router(config_router)
@@ -187,9 +191,12 @@ async def websocket_endpoint(websocket: WebSocket):
     2. Reverse proxy intercepts WebSocket handshake (HTTP Upgrade request)
     3. Reverse proxy delegates to authentication service
     4. Auth service validates JWT/session from cookies or headers
-    5. If valid: Auth service returns X-User-Email header
-    6. Reverse proxy forwards connection to this app with X-User-Email header
+    5. If valid: Auth service returns authenticated user header
+    6. Reverse proxy forwards connection to this app with authenticated user header
     7. This app trusts the header (already validated by auth service)
+    
+    The header name is configurable via AUTH_USER_HEADER environment variable
+    (default: X-User-Email). This allows flexibility for different reverse proxy setups.
 
     SECURITY REQUIREMENTS:
     - This app MUST ONLY be accessible via reverse proxy
@@ -200,7 +207,7 @@ async def websocket_endpoint(websocket: WebSocket):
       (otherwise attackers can inject headers: X-User-Email: [email protected])
 
     DEVELOPMENT vs PRODUCTION:
-    - Production: Extracts user from X-User-Email header (set by reverse proxy)
+    - Production: Extracts user from configured auth header (set by reverse proxy)
     - Development: Falls back to 'user' query parameter (INSECURE, local only)
 
     See docs/security_architecture.md for complete architecture details.

backend/modules/config/cli.py

@@ -85,8 +85,6 @@ def list_servers(args) -> None:
             print(f"   URL: {server.url}")
         if server.groups:
             print(f"   Groups: {', '.join(server.groups)}")
-        if server.is_exclusive:
-            print("   Exclusive: ⚠️  Yes")
         print()