Brand chat as Sovereign and implement admin panel, quotas, schedules, network management, and cryptographic compliance audits

README.md

@@ -1,24 +1,26 @@
-# OpenClaw WebUI
+# Sovereign Chat
 
-A modern, OpenWebUI-compatible chat interface for OpenClaw with LDAP SSO support.
+A secure, enterprise-grade, OpenWebUI-compatible chat interface designed for the **Sovereign** AI appliance by Theta42.
 
 ## Features
 
-- **Modern Chat Interface** - Clean, responsive UI inspired by OpenWebUI
-- **Multi-file Upload** - Attach files with content included in context
-- **Code Canvas** - Side panel for code editing and viewing
-- **Chat History** - Persistent conversation storage
-- **Streaming Responses** - Real-time token streaming
-- **LDAP SSO** - Enterprise authentication via LDAP
-- **Model Selection** - Switch between OpenClaw agents
-- **Dark Theme** - Easy on the eyes
+- **Sovereign Chat Interface** - Fully branded premium dark slate theme with fluid transitions and Outfit typography.
+- **LDAP Single Sign-On (SSO)** - Enterprise user authentication and group-based role checking (admins vs. standard users).
+- **Administration Panel** - Dedicated administrative dashboard containing:
+  - **Model Management**: Downloader for Theta42 pre-approved models (e.g. `SmolLM2-135M` & `SmolLM2-360M`), custom GGUF model upload drag-and-drop, and dynamic active model reload.
+  - **Quotas & Scheduling**: Daily token quota configuration per user and operational hours (scheduling access window).
+  - **Live Auditing & Compliance**: Real-time user session activity logs, plus a compliance download manager for cryptographically signed audit archives (`.tar.gz` and `.sig` signatures) aggregated by `cryptographic-audit-logger` on `/tank/audit`.
+  - **Network Configuration**: View and configure the appliance exposed bridge interfaces (e.g. `vmbr0`) and static IP parameters.
+- **RAG & Document Management** - Multi-file upload parsing and retrieval-augmented generation.
+- **Strict Compliance Log Aggregator** - Chat completion requests log SOX-compliant query metadata to `/tank/audit/chat-audit.log` while strictly redacting the prompt text to protect privacy.
+- **Streaming Responses** - Real-time token streaming.
 
 ## Quick Start
 
 ```bash
 # Clone
-git clone https://git.theta42.com/nova/openclaw-webui.git
-cd openclaw-webui
+git clone https://git.theta42.com/theta42/sovereign-chat.git
+cd sovereign-chat
 
 # Install
 npm install
@@ -56,13 +58,13 @@ Files merge in order: `base.json` → `[environment].json` → `secrets.json`
 ```json
 {
   "server": { "port": 8089 },
-  "gateway": { "url": "http://127.0.0.1:18789" },
+  "gateway": { "url": "http://192.168.100.201:8000" },
   "auth": {
     "disabled": false,
     "ldap": {
       "enabled": true,
-      "url": "ldap://10.1.0.55:389",
-      "baseDN": "dc=example,dc=com",
+      "url": "ldap://ldap.internal.theta42.com:389",
+      "baseDN": "dc=theta42,dc=com",
       "searchFilter": "(uid={{username}})"
     }
   }
@@ -76,8 +78,8 @@ Files merge in order: `base.json` → `[environment].json` → `secrets.json`
   "session": { "secret": "random-session-secret" },
   "auth": {
     "ldap": {
-      "bindDN": "cn=service,ou=people,dc=example,dc=com",
-      "bindPassword": "ldap-password"
+      "bindDN": "cn=ldapclient service,ou=People,dc=theta42,dc=com",
+      "bindPassword": "1lovebyte"
     }
   }
 }
@@ -88,7 +90,7 @@ Files merge in order: `base.json` → `[environment].json` → `secrets.json`
 Can override config at runtime:
 
 - `PORT` - Server port
-- `OPENCLAW_GATEWAY` - Gateway URL
+- `OPENCLAW_GATEWAY` - Gateway URL (points to AI-Core runtime)
 - `OPENCLAW_TOKEN` - Gateway auth token
 - `SESSION_SECRET` - Session signing secret
 - `LDAP_ENABLED` - Enable LDAP auth
@@ -104,28 +106,30 @@ Supports standard LDAP servers (OpenLDAP, Active Directory):
 **Search Filter:**
 Use `{{username}}` as placeholder:
 ```
-(&(memberof=cn=app_access,ou=groups,dc=example,dc=com)(uid={{username}}))
+(&(memberof=cn=app_sovereign_admin,ou=groups,dc=theta42,dc=com)(uid={{username}}))
 ```
 
 ## Architecture
 
 ```
 ┌─────────────────────────────────────────────────────────┐
-│                     OpenClaw WebUI                       │
+│                    Sovereign Chat                       │
 ├─────────────────────────────────────────────────────────┤
 │  Frontend (Vanilla JS + Vite)                           │
-│  ├── Chat Interface                                      │
+│  ├── Chat Interface (SSO / LDAP login)                  │
 │  ├── File Upload (content included)                      │
 │  ├── Code Canvas                                         │
-│  └── History Sidebar                                     │
+│  └── Administration Dashboard (Models, Quotas, Logs)     │
 ├─────────────────────────────────────────────────────────┤
 │  Backend (Express.js)                                    │
-│  ├── LDAP SSO Authentication                             │
+│  ├── LDAP SSO Authentication & Group-based RBAC          │
 │  ├── Session Management                                  │
 │  ├── Chat History Persistence                            │
-│  └── /v1/chat/completions Proxy                          │
+│  ├── Append-only HIPAA/SOX Metadata Logger               │
+│  └── Admin APIs (/api/admin/*)                           │
 ├─────────────────────────────────────────────────────────┤
-│  OpenClaw Gateway (port 18789)                           │
+│  AI-Core Engine (port 8000)                             │
+│  └── vLLM Server + Dynamic Model provisioner reload      │
 └─────────────────────────────────────────────────────────┘
 ```
 
@@ -144,36 +148,33 @@ Use `{{username}}` as placeholder:
 - `GET /api/conversations/:id/messages` - Get messages
 
 ### OpenAI-Compatible
-- `POST /v1/chat/completions` - Chat (proxied to OpenClaw)
+- `POST /v1/chat/completions` - Chat completion requests (audited for token quotas and scheduling window)
 - `GET /v1/models` - List models
 
+### Admin Management Panel
+- `GET /api/admin/status` - Fetch exposed network interfaces, active model, and stats
+- `POST /api/admin/network` - Update static IP configuration (writes to `/etc/theta42/network.json`)
+- `GET /api/admin/audit-logs` - Fetch cryptographically signed compliance log archives from `/tank/audit`
+- `GET /api/admin/preapproved` - Fetch preapproved model list from manifest
+- `POST /api/admin/models/download` - Trigger background download of a model to `/tank/staging`
+- `POST /api/admin/models/upload` - Upload a custom model file to `/tank/staging`
+- `POST /api/admin/settings` - Update daily token quotas and active operating hours schedule
+- `POST /api/admin/models/active` - Update active model and trigger dynamic engine reload
+- `GET /api/admin/monitoring` - View real-time active user query metadata statistics
+
 ## Production Deployment
 
 **Systemd Service:**
 ```bash
 # Create service file
-mkdir -p ~/.config/systemd/user
-cp openclaw-webui.service ~/.config/systemd/user/
+cp sovereign-chat.service /etc/systemd/system/
 
 # Enable and start
-systemctl --user enable openclaw-webui
-systemctl --user start openclaw-webui
+systemctl enable sovereign-chat
+systemctl start sovereign-chat
 
 # View logs
-journalctl --user -u openclaw-webui -f
-```
-
-**Requirements:**
-- OpenClaw Gateway running on port 18789
-- Enable HTTP chat completions in gateway config:
-```json
-{
-  "gateway": {
-    "http": {
-      "endpoints": { "chatCompletions": { "enabled": true } }
-    }
-  }
-}
+journalctl -u sovereign-chat -f
 ```
 
 ## Development