ltcai 0.1.2 → 0.1.4

package/README.md

@@ -10,6 +10,35 @@ LTCAI                      # → http://localhost:4825
 
 ---
 
+## v0.1.4 변경사항
+
+### Added
+- 세션 영속성 — 서버 재시작 후에도 로그인 유지
+- SSO 로그인 — Entra ID / Okta OIDC 지원 (`OIDC_DISCOVERY_URL`, `OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`)
+- 채팅 히스토리 검색 — 사이드바 검색창으로 대화 내용 키워드 검색
+- 대화 삭제 — 사이드바 각 대화에 삭제 버튼
+- MCP 서버 관리 UI — 사이드바 "MCP 관리" 버튼으로 설치/목록 모달
+- VS Code 인라인 Diff 뷰 — Edit Selection 결과를 diff로 먼저 확인 후 Apply/Discard
+- VS Code 현재 파일 첨부 — `Lattice AI: Attach Current File to Chat` 명령 추가
+
+---
+
+## v0.1.3 변경사항
+
+### Added
+- 프로필 수정 (`PATCH /account/profile`) — 이름·닉네임 변경
+- 회원가입 폼 — 비밀번호 확인 필드, 인라인 에러 메시지
+- 어드민 패널 초대 링크 섹션 — 원클릭 복사
+- 어드민 대시보드 메시지 활동 차트 (Chart.js, 최근 14일)
+- 웹 UI 한국어 / 영어 전환 (`🌐 Languages` 버튼, localStorage 저장)
+
+### Fixed
+- 로그아웃 시 `/logout` API 호출로 서버 세션 쿠키 정상 만료
+- 인증(`account.html`)과 채팅(`chat.html`) UI 분리 — 레거시 파일 제거
+- 채팅 헤더에서 언어 선택 드롭다운이 ops-strip을 가리는 문제 수정
+
+---
+
 ## 아키텍처
 
 ```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ltcai",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Lattice AI local MLX/cloud LLM workspace server",
   "bin": {
     "ltcai": "bin/ltcai.js",
@@ -32,8 +32,8 @@
     "telegram_bot.py",
     "tools.py",
     "codex_telegram_bot.py",
-    "static/index.html",
-    "static/indexd.html",
+    "static/account.html",
+    "static/chat.html",
     "static/admin.html",
     "requirements.txt",
     "README.md"

package/requirements.txt

@@ -9,3 +9,4 @@ openpyxl
 python-pptx
 python-multipart
 keyring
+authlib

package/server.py

@@ -175,6 +175,31 @@ PUBLIC_MODEL = env_value("LATTICEAI_PUBLIC_MODEL", env_value("LATTICEAI_DEFAULT_
 LOCAL_MODEL = env_value("LATTICEAI_LOCAL_MODEL", "mlx-community/gemma-4-26b-a4b-it-4bit")
 LOCAL_DRAFT_MODEL = env_value("LATTICEAI_LOCAL_DRAFT_MODEL", "")
 
+# ── SSO / OIDC config ─────────────────────────────────────────────────────────
+SSO_DISCOVERY_URL = env_value("OIDC_DISCOVERY_URL", "")
+SSO_CLIENT_ID = env_value("OIDC_CLIENT_ID", "")
+SSO_CLIENT_SECRET = env_value("OIDC_CLIENT_SECRET", "")
+SSO_REDIRECT_URI = env_value("OIDC_REDIRECT_URI", "http://localhost:4825/auth/sso/callback")
+SSO_PROVIDER_NAME = env_value("OIDC_PROVIDER_NAME", "SSO")
+_sso_discovery_cache: Optional[Dict] = None
+_sso_states: Dict[str, float] = {}  # state → timestamp (CSRF protection)
+
+async def _get_sso_discovery() -> Optional[Dict]:
+    global _sso_discovery_cache
+    if _sso_discovery_cache:
+        return _sso_discovery_cache
+    if not SSO_DISCOVERY_URL:
+        return None
+    try:
+        import httpx as _httpx
+        async with _httpx.AsyncClient() as c:
+            r = await c.get(SSO_DISCOVERY_URL, timeout=10)
+            _sso_discovery_cache = r.json()
+    except Exception as e:
+        logging.warning("SSO discovery failed: %s", e)
+        return None
+    return _sso_discovery_cache
+
 # ── Password hashing (stdlib scrypt, no extra deps) ────────────────────────────
 def hash_password(password: str) -> str:
     salt = secrets.token_hex(16)
@@ -199,27 +224,54 @@ def verify_and_migrate_password(email: str, plain: str, stored: str, users: Dict
         return True
     return False
 
-# ── Session store (in-memory, clears on restart) ──────────────────────────────
+# ── Session store (file-backed, survives restarts) ────────────────────────────
 _SESSION_TTL = 60 * 60 * 24 * 7  # 7 days
-_sessions: Dict[str, tuple] = {}  # token → (email, created_at)
+_sessions_lock = threading.Lock()
+
+def _sessions_file() -> Path:
+    return DATA_DIR / "sessions.json"
+
+def _load_sessions() -> Dict[str, tuple]:
+    try:
+        f = _sessions_file()
+        if f.exists():
+            raw = json.loads(f.read_text())
+            return {k: tuple(v) for k, v in raw.items()}
+    except Exception:
+        pass
+    return {}
+
+def _persist_sessions(sessions: Dict[str, tuple]) -> None:
+    try:
+        _sessions_file().write_text(json.dumps({k: list(v) for k, v in sessions.items()}, ensure_ascii=False))
+    except Exception:
+        pass
+
+_sessions: Dict[str, tuple] = _load_sessions()
 
 def create_session(email: str) -> str:
     token = secrets.token_urlsafe(32)
-    _sessions[token] = (email, time.time())
+    with _sessions_lock:
+        _sessions[token] = (email, time.time())
+        _persist_sessions(_sessions)
     return token
 
 def get_session_email(token: str) -> Optional[str]:
-    entry = _sessions.get(token)
-    if entry is None:
-        return None
-    email, created_at = entry
-    if time.time() - created_at > _SESSION_TTL:
-        _sessions.pop(token, None)
-        return None
-    return email
+    with _sessions_lock:
+        entry = _sessions.get(token)
+        if entry is None:
+            return None
+        email, created_at = entry
+        if time.time() - created_at > _SESSION_TTL:
+            _sessions.pop(token, None)
+            _persist_sessions(_sessions)
+            return None
+        return email
 
 def invalidate_session(token: str) -> None:
-    _sessions.pop(token, None)
+    with _sessions_lock:
+        _sessions.pop(token, None)
+        _persist_sessions(_sessions)
 
 # ── User Management Logic ──────────────────────────────────────────────────
 BASE_DIR = Path(__file__).resolve().parent
@@ -1232,6 +1284,79 @@ async def login(req: UserLogin):
     response.set_cookie(key="session_token", value=token, httponly=True, samesite="lax", max_age=60 * 60 * 24 * 7)
     return response
 
+@app.get("/auth/sso/config")
+async def sso_config():
+    enabled = bool(SSO_DISCOVERY_URL and SSO_CLIENT_ID and SSO_CLIENT_SECRET)
+    return {"enabled": enabled, "provider_name": SSO_PROVIDER_NAME if enabled else ""}
+
+@app.get("/auth/sso/login")
+async def sso_login():
+    from urllib.parse import urlencode
+    from fastapi.responses import RedirectResponse as _Redirect
+    discovery = await _get_sso_discovery()
+    if not discovery:
+        raise HTTPException(status_code=503, detail="SSO가 설정되지 않았습니다.")
+    state = secrets.token_urlsafe(16)
+    _sso_states[state] = time.time()
+    params = urlencode({
+        "client_id": SSO_CLIENT_ID,
+        "response_type": "code",
+        "redirect_uri": SSO_REDIRECT_URI,
+        "scope": "openid email profile",
+        "state": state,
+    })
+    return _Redirect(f"{discovery['authorization_endpoint']}?{params}")
+
+@app.get("/auth/sso/callback")
+async def sso_callback(code: str = "", state: str = "", error: str = ""):
+    from fastapi.responses import RedirectResponse as _Redirect
+    import base64 as _b64
+    if error:
+        return _Redirect(f"/?sso_error={error}")
+    ts = _sso_states.pop(state, None)
+    if ts is None or time.time() - ts > 300:
+        raise HTTPException(status_code=400, detail="유효하지 않은 SSO 상태입니다.")
+    discovery = await _get_sso_discovery()
+    if not discovery:
+        raise HTTPException(status_code=503, detail="SSO 설정 오류입니다.")
+    import httpx as _httpx
+    async with _httpx.AsyncClient() as c:
+        r = await c.post(discovery["token_endpoint"], data={
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": SSO_REDIRECT_URI,
+            "client_id": SSO_CLIENT_ID,
+            "client_secret": SSO_CLIENT_SECRET,
+        }, headers={"Accept": "application/json"}, timeout=15)
+        tokens = r.json()
+    id_token = tokens.get("id_token")
+    if not id_token:
+        raise HTTPException(status_code=400, detail="ID 토큰을 받지 못했습니다.")
+    # Decode JWT payload (no signature verification — trust IdP redirect)
+    padded = id_token.split(".")[1] + "=="
+    payload = json.loads(_b64.urlsafe_b64decode(padded))
+    email = payload.get("email") or payload.get("preferred_username") or payload.get("upn") or ""
+    if not email:
+        raise HTTPException(status_code=400, detail="이메일을 확인할 수 없습니다.")
+    users = load_users()
+    if email not in users:
+        is_first = len(users) == 0
+        users[email] = {
+            "password": "",
+            "name": payload.get("name", email.split("@")[0]),
+            "nickname": payload.get("given_name", email.split("@")[0]),
+            "role": "admin" if is_first else "user",
+            "disabled": False,
+            "sso": True,
+        }
+        save_users(users)
+    if users[email].get("disabled"):
+        raise HTTPException(status_code=403, detail="비활성화된 계정입니다.")
+    token = create_session(email)
+    resp = _Redirect("/chat", status_code=302)
+    resp.set_cookie("session_token", token, httponly=True, samesite="lax", max_age=_SESSION_TTL)
+    return resp
+
 @app.post("/logout")
 async def logout(request: Request):
     token = _extract_bearer_token(request)
@@ -1295,7 +1420,9 @@ async def get_profile(request: Request):
     user = users.get(email)
     if not user:
         raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
-    return {"email": email, "name": user.get("name", ""), "nickname": user.get("nickname", "")}
+    role = get_user_role(email, users)
+    return {"email": email, "name": user.get("name", ""), "nickname": user.get("nickname", ""),
+            "role": role, "is_admin": role == "admin"}
 
 @app.get("/admin/summary")
 async def admin_summary(request: Request):
@@ -1402,20 +1529,20 @@ INVITE_GATE_ENABLED = env_bool("LATTICEAI_INVITE_GATE_ENABLED", default=False)
 
 @app.get("/")
 async def root(request: Request, code: Optional[str] = None, authorized: Optional[str] = Cookie(None)):
-    """기본은 즉시 진입. 필요 시 초대 링크 게이트를 env로 활성화할 수 있습니다."""
+    """로그인/회원가입 페이지. 초대 게이트 활성화 시 코드 검증 후 진입."""
     if not INVITE_GATE_ENABLED:
-        return FileResponse(STATIC_DIR / "indexd.html")
+        return FileResponse(STATIC_DIR / "account.html")
 
     # 1. 이미 쿠키로 인증된 경우
     if authorized == "true":
-        return FileResponse(STATIC_DIR / "indexd.html")
+        return FileResponse(STATIC_DIR / "account.html")
 
     # 2. 초대 코드가 일치하는 경우 (최초 진입)
     if code == INVITE_CODE:
-        response = FileResponse(STATIC_DIR / "indexd.html")
+        response = FileResponse(STATIC_DIR / "account.html")
         response.set_cookie(key="authorized", value="true", httponly=True, samesite="lax", max_age=60*60*24*7)
         return response
-    
+
     # 3. 인증 실패 시 차단 화면
     return HTMLResponse(content=f"""
         <body style="background:#0f1115; color:white; display:flex; flex-direction:column; align-items:center; justify-content:center; height:100vh; font-family:sans-serif;">
@@ -1429,6 +1556,11 @@ async def root(request: Request, code: Optional[str] = None, authorized: Optiona
     """, status_code=403)
 
 
+@app.get("/chat")
+async def chat_page(request: Request):
+    return FileResponse(STATIC_DIR / "chat.html")
+
+
 @app.get("/admin")
 async def admin_page():
     admin_path = STATIC_DIR / "admin.html"
@@ -2398,6 +2530,23 @@ async def delete_history(request: Request, keep_last: int = 0):
     require_user(request)
     return clear_history(keep_last)
 
+@app.get("/history/search")
+async def search_history(q: str, request: Request):
+    """키워드로 채팅 히스토리를 검색합니다."""
+    require_user(request)
+    if not q or not q.strip():
+        return {"results": [], "query": q}
+    q_lower = q.strip().lower()
+    history = get_history()
+    matches = [item for item in history if q_lower in (item.get("content") or "").lower()]
+    grouped: Dict[str, Dict] = {}
+    for item in matches:
+        cid = item.get("conversation_id") or "legacy"
+        if cid not in grouped:
+            grouped[cid] = {"conversation_id": cid, "title": conversation_title(item), "messages": []}
+        grouped[cid]["messages"].append(item)
+    return {"results": list(grouped.values())[-30:], "query": q}
+
 
 async def _stream_chat(req: ChatRequest, context: str = "", image_data: str = None) -> AsyncIterator[str]:
     full_response = ""