Sovereign Chat
A secure, enterprise-grade, OpenWebUI-compatible chat interface designed for the Sovereign AI appliance by Theta42.
Features
- Sovereign Chat Interface - Fully branded premium dark slate theme with fluid transitions and Outfit typography.
- LDAP Single Sign-On (SSO) - Enterprise user authentication and group-based role checking (admins vs. standard users).
- Administration Panel - Dedicated administrative dashboard containing:
  - Model Management: Downloader for Theta42 pre-approved models (e.g. SmolLM2-135M & SmolLM2-360M), custom GGUF model upload drag-and-drop, and dynamic active model reload.
  - Quotas & Scheduling: Daily token quota configuration per user and operational hours (scheduling access window).
  - Live Auditing & Compliance: Real-time user session activity logs, plus a compliance download manager for cryptographically signed audit archives (.tar.gz and .sig signatures) aggregated by cryptographic-audit-logger on /tank/audit.
  - Network Configuration: View and configure the appliance exposed bridge interfaces (e.g. vmbr0) and static IP parameters.
- RAG & Document Management - Multi-file upload parsing and retrieval-augmented generation.
- Strict Compliance Log Aggregator - Chat completion requests log SOX-compliant query metadata to /tank/audit/chat-audit.log while strictly redacting the prompt text to protect privacy.
- Streaming Responses - Real-time token streaming.
Quick Start
# Clone
git clone https://git.theta42.com/theta42/sovereign-chat.git
cd sovereign-chat
# Install
npm install
# Development (hot reload)
npm run dev
# Production build
npm run build
# Production server
NODE_ENV=production npm start
Configuration
Uses JSON config files in the conf/ directory:
conf/
├── base.json # Base config (all environments)
├── development.json # Dev overrides (auth disabled)
├── production.json # Production overrides
├── secrets.json # Secrets (gitignored!)
└── secrets.example.json # Template
Load Order
Files merge in order: base.json → [environment].json → secrets.json
Example Configs
conf/base.json:
{
"server": { "port": 8089 },
"gateway": { "url": "http://192.168.100.201:8000" },
"auth": {
"disabled": false,
"ldap": {
"enabled": true,
"url": "ldap://ldap.internal.theta42.com:389",
"baseDN": "dc=theta42,dc=com",
"searchFilter": "(uid={{username}})"
}
}
}
conf/secrets.json:
{
"gateway": { "token": "your-openclaw-token" },
"session": { "secret": "random-session-secret" },
"auth": {
"ldap": {
"bindDN": "cn=ldapclient service,ou=People,dc=theta42,dc=com",
"bindPassword": "1lovebyte"
}
}
}
Environment Variables
Environment variables can override config at runtime:
- PORT - Server port
- OPENCLAW_GATEWAY - Gateway URL (points to AI-Core runtime)
- OPENCLAW_TOKEN - Gateway auth token
- SESSION_SECRET - Session signing secret
- LDAP_ENABLED - Enable LDAP auth
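The load order and environment overrides above, sketched as an added example (not the project's own loader): a deep merge keeps auth.ldap.url from base.json when secrets.json adds auth.ldap.bindDN, and a startup guard rejects a production config that still has auth disabled. The mapping of variables to config keys, the guard, and the sample values are assumptions.

```javascript
// Added example, not project code. ENV_MAP (variable -> config path) is an assumption.
const ENV_MAP = {
  PORT: ['server', 'port'],
  OPENCLAW_GATEWAY: ['gateway', 'url'],
  OPENCLAW_TOKEN: ['gateway', 'token'],
  SESSION_SECRET: ['session', 'secret'],
  LDAP_ENABLED: ['auth', 'ldap', 'enabled'],
};
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Recursive merge: later layers win per key, nested objects are combined.
function deepMerge(target, source) {
  const out = { ...target };
  for (const [key, value] of Object.entries(source)) {
    // Skip keys that would rewrite the prototype chain of the merged object.
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    out[key] = isObject(value) && isObject(out[key]) ? deepMerge(out[key], value) : value;
  }
  return out;
}

// Overlay environment variables on top of the merged files.
function applyEnv(config, env) {
  let out = config;
  for (const [name, path] of Object.entries(ENV_MAP)) {
    if (env[name] === undefined || env[name] === '') continue;
    let value = env[name];
    if (name === 'PORT') value = Number(value);
    if (name === 'LDAP_ENABLED') value = value === 'true';
    // Build a nested patch such as { auth: { ldap: { enabled: true } } }.
    const patch = path.reduceRight((acc, key) => ({ [key]: acc }), value);
    out = deepMerge(out, patch);
  }
  return out;
}

// layers = [base, environment, secrets], already parsed from JSON.
function loadConfig(layers, env = {}) {
  const cfg = applyEnv(layers.reduce((acc, layer) => deepMerge(acc, layer), {}), env);
  if (env.NODE_ENV === 'production') {
    if (cfg.auth?.disabled === true) throw new Error('auth.disabled must be false in production');
    if (!cfg.session?.secret || cfg.session.secret === 'random-session-secret') {
      throw new Error('session.secret is missing or still the template value');
    }
  }
  return cfg;
}

// Constructed sample layers modelled on the configs above.
const base = { server: { port: 8089 }, auth: { disabled: false, ldap: { enabled: true, url: 'ldap://ldap.internal.theta42.com:389' } } };
const secrets = { session: { secret: 'constructed-sample-secret' }, auth: { ldap: { bindDN: 'cn=example,dc=example,dc=com' } } };
```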
LDAP Authentication
Supports standard LDAP servers (OpenLDAP, Active Directory):
- Service binds with bindDN + bindPassword
- Searches for user with searchFilter
- Binds as user to verify password
Search Filter:
Use {{username}} as placeholder:
(&(memberof=cn=app_sovereign_admin,ou=groups,dc=theta42,dc=com)(uid={{username}}))
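Because the username is substituted into the filter, it has to be escaped per RFC 4515 before the search, and an empty password has to be rejected before the user bind, since many LDAP servers treat a bind with an empty password as an unauthenticated bind that succeeds. The following is an added example, not the project's code; escapeFilterValue, buildSearchFilter, filterShape and checkCredentials are hypothetical helper names.

```javascript
// Added example, not project code. All function names here are hypothetical.

// Escape the characters RFC 4515 reserves inside a filter assertion value:
// backslash, asterisk, both parentheses and NUL become \XX hex escapes.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\u0000]/g, (ch) =>
    '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Reject input that must never reach the directory.
function checkCredentials(username, password) {
  if (typeof username !== 'string' || username.length === 0 || username.length > 256) {
    throw new Error('invalid username');
  }
  // An empty password would turn the user bind into an unauthenticated bind.
  if (typeof password !== 'string' || password.length === 0) {
    throw new Error('empty password');
  }
}

// Substitute the escaped username for every {{username}} placeholder.
function buildSearchFilter(template, username) {
  if (!template.includes('{{username}}')) {
    throw new Error('searchFilter has no {{username}} placeholder');
  }
  // split/join instead of String.replace so "$&"-style sequences in the
  // value are never interpreted as replacement patterns.
  return template.split('{{username}}').join(escapeFilterValue(username));
}

// Structural parentheses only; escaped ones (\28, \29) are not counted.
// A correctly built filter has the same shape as its template.
function filterShape(filter) {
  return filter.replace(/[^()]/g, '');
}

// The group-restricted filter shown above.
const ADMIN_FILTER =
  '(&(memberof=cn=app_sovereign_admin,ou=groups,dc=theta42,dc=com)(uid={{username}}))';
```

Comparing filterShape(buildSearchFilter(ADMIN_FILTER, input)) with filterShape(ADMIN_FILTER) makes a useful unit test: the two are equal for any input when the escaping is correct.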
Architecture
┌─────────────────────────────────────────────────────────┐
│ Sovereign Chat │
├─────────────────────────────────────────────────────────┤
│ Frontend (Vanilla JS + Vite) │
│ ├── Chat Interface (SSO / LDAP login) │
│ ├── File Upload (content included) │
│ ├── Code Canvas │
│ └── Administration Dashboard (Models, Quotas, Logs) │
├─────────────────────────────────────────────────────────┤
│ Backend (Express.js) │
│ ├── LDAP SSO Authentication & Group-based RBAC │
│ ├── Session Management │
│ ├── Chat History Persistence │
│ ├── Append-only HIPAA/SOX Metadata Logger │
│ └── Admin APIs (/api/admin/*) │
├─────────────────────────────────────────────────────────┤
│ AI-Core Engine (port 8000) │
│ └── vLLM Server + Dynamic Model provisioner reload │
└─────────────────────────────────────────────────────────┘
API Endpoints
Authentication
- GET /api/auth/status - Check auth status
- POST /api/auth/login - Login
- POST /api/auth/logout - Logout
Conversations
- GET /api/conversations - List conversations
- POST /api/conversations - Create conversation
- PUT /api/conversations/:id - Update conversation
- DELETE /api/conversations/:id - Delete conversation
- GET /api/conversations/:id/messages - Get messages
OpenAI-Compatible
- POST /v1/chat/completions - Chat completion requests (audited for token quotas and scheduling window)
- GET /v1/models - List models
Admin Management Panel
- GET /api/admin/status - Fetch exposed network interfaces, active model, and stats
- POST /api/admin/network - Update static IP configuration (writes to /etc/theta42/network.json)
- GET /api/admin/audit-logs - Fetch cryptographically signed compliance log archives from /tank/audit
- GET /api/admin/preapproved - Fetch preapproved model list from manifest
- POST /api/admin/models/download - Trigger background download of a model to /tank/staging
- POST /api/admin/models/upload - Upload a custom model file to /tank/staging
- POST /api/admin/settings - Update daily token quotas and active operating hours schedule
- POST /api/admin/models/active - Update active model and trigger dynamic engine reload
- GET /api/admin/monitoring - View real-time active user query metadata statistics
Production Deployment
Systemd Service:
# Create service file
cp sovereign-chat.service /etc/systemd/system/
# Enable and start
systemctl enable sovereign-chat
systemctl start sovereign-chat
# View logs
journalctl -u sovereign-chat -f
Development
npm run dev
# Frontend: http://localhost:5173 (Vite HMR)
# Backend: http://localhost:3000 (auto-restart)
License
MIT