theta42/sovereign-chat
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

[Feature] Build Production-Ready Sovereign Chat Touchpoint with SSO, Quotas, and Auditing #1

New Issue
Closed
opened 2026-06-22 16:57:31 +00:00 by nova · 1 comment
nova commented 2026-06-22 16:57:31 +00:00
Owner
Copy Link
Copy Source

Goal

Harden and brand the sovereign-chat interface as the primary client touchpoint. Integrate it with LDAP SSO, permissions, quotas, and audit logs to make it enterprise production-ready.

Implementation Details ("How")

  1. SSO LDAP Integration:

    • Configure the Node.js server to use the LDAP credentials from the provided server parameters:
      • ldap_host: "ldap.internal.theta42.com"
      • ldap_base_dn: "dc=theta42,dc=com"
      • ldap_bind_dn: "cn=ldapclient service,ou=People,dc=theta42,dc=com"
      • ldap_bind_password: "1lovebyte"
    • Implement role-mapping where groups from LDAP/SSO determine administrative vs. standard user permissions within the web UI.

  2. Sovereign Branding:

    • Modify the frontend assets and templates to brand the app as Sovereign Chat.
    • Style the UI using modern premium dark modes, sleek transitions, and custom logotype matching the product vision.

  3. Quotas & Permissions:

    • Implement a simple local database/store or memory cache to track and limit daily token counts per user/group.
    • Restrict access to model configurations or admin panel based on the user's LDAP group (e.g. app_sovereign_admin).
    • Restrict document RAG collection visibility according to user groups.

  4. Auditing Hook:

    • Log each query's metadata (user ID, timestamp, model ID, token usage, collections accessed) to /var/log/sovereign-chat/audit.log or syslog.
    • Enforce strict exclusion of the actual chat prompt/response content to maintain HIPAA/SOX compliance privacy limits.

  5. Model Registry & Selection:

    • Ingest list of active models dynamically from the vLLM AI-Core API endpoint.
    • Display a dropdown in the chat view to let users switch between loaded inference targets.

  6. Ansible Packaging:

    • Update the lxc-deploy.yml playbook in proxmox-appliance-automation to automate building the client (npm run build) and deploying it as a systemd service (sovereign-chat.service) inside LXC 102 (Web-UI container).

Blockers

  • Integration testing requires a running LDAP provider (SSO container) and vLLM inference container to verify authentication and model list querying.
### Goal Harden and brand the `sovereign-chat` interface as the primary client touchpoint. Integrate it with LDAP SSO, permissions, quotas, and audit logs to make it enterprise production-ready. ### Implementation Details ("How") 1. **SSO LDAP Integration:** - Configure the Node.js server to use the LDAP credentials from the provided server parameters: - `ldap_host`: "ldap.internal.theta42.com" - `ldap_base_dn`: "dc=theta42,dc=com" - `ldap_bind_dn`: "cn=ldapclient service,ou=People,dc=theta42,dc=com" - `ldap_bind_password`: "1lovebyte" - Implement role-mapping where groups from LDAP/SSO determine administrative vs. standard user permissions within the web UI. 2. **Sovereign Branding:** - Modify the frontend assets and templates to brand the app as **Sovereign Chat**. - Style the UI using modern premium dark modes, sleek transitions, and custom logotype matching the product vision. 3. **Quotas & Permissions:** - Implement a simple local database/store or memory cache to track and limit daily token counts per user/group. - Restrict access to model configurations or admin panel based on the user's LDAP group (e.g. `app_sovereign_admin`). - Restrict document RAG collection visibility according to user groups. 4. **Auditing Hook:** - Log each query's metadata (user ID, timestamp, model ID, token usage, collections accessed) to `/var/log/sovereign-chat/audit.log` or syslog. - Enforce strict exclusion of the actual chat prompt/response content to maintain HIPAA/SOX compliance privacy limits. 5. **Model Registry & Selection:** - Ingest list of active models dynamically from the vLLM AI-Core API endpoint. - Display a dropdown in the chat view to let users switch between loaded inference targets. 6. **Ansible Packaging:** - Update the `lxc-deploy.yml` playbook in `proxmox-appliance-automation` to automate building the client (`npm run build`) and deploying it as a systemd service (`sovereign-chat.service`) inside LXC 102 (Web-UI container). ### Blockers - Integration testing requires a running LDAP provider (SSO container) and vLLM inference container to verify authentication and model list querying.
nova commented 2026-06-22 19:37:55 +00:00
Author
Owner
Copy Link
Copy Source

Sovereign Chat MVP is fully configured and functional. Checked LDAP SSO authentication using user 'nova', and verified streaming completions from the SmolLM2-135M model on the AI-Core container (LXC 101) via Caddy gateway proxy (LXC 100). Closing issue.

Sovereign Chat MVP is fully configured and functional. Checked LDAP SSO authentication using user 'nova', and verified streaming completions from the SmolLM2-135M model on the AI-Core container (LXC 101) via Caddy gateway proxy (LXC 100). Closing issue.
nova closed this issue 2026-06-22 19:38:00 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
nova (nova ova) wmantly (William Mantly)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: theta42/sovereign-chat#1
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?