ltcai 0.1.31 → 0.2.0

package/latticeai/api/admin.py

@@ -0,0 +1,187 @@
+"""Admin API router: dashboard, users, VPC, SSO, audit, permissions."""
+
+import logging
+from collections import defaultdict
+from typing import Any, Callable, Dict, List, Optional
+
+from fastapi import APIRouter, HTTPException, Request
+from pydantic import BaseModel
+
+
+class AdminUserUpdate(BaseModel):
+    role: Optional[str] = None
+    disabled: Optional[bool] = None
+
+
+class VpcConfigUpdate(BaseModel):
+    provider: Optional[str] = None
+    region: Optional[str] = None
+    cidr_block: Optional[str] = None
+    private_subnets: Optional[List[str]] = None
+    endpoint: Optional[str] = None
+    vpn_status: Optional[str] = None
+    peering_status: Optional[str] = None
+    notes: Optional[str] = None
+
+
+class SsoConfigUpdate(BaseModel):
+    enabled: Optional[bool] = None
+    provider_name: Optional[str] = None
+    discovery_url: Optional[str] = None
+    client_id: Optional[str] = None
+    client_secret: Optional[str] = None
+    redirect_uri: Optional[str] = None
+    scopes: Optional[str] = None
+
+
+def create_admin_router(
+    *,
+    require_admin: Callable,
+    require_user: Callable,
+    load_users: Callable,
+    save_users: Callable,
+    get_user_role: Callable,
+    get_history: Callable,
+    public_user: Callable,
+    load_vpc_config: Callable,
+    save_vpc_config: Callable,
+    build_admin_audit_report: Callable,
+    build_sensitivity_report: Callable,
+    append_audit_event: Callable,
+    public_sso_config: Callable,
+    save_sso_config: Callable,
+    get_graph_stats: Callable,
+    enable_graph: bool,
+    invite_code: str,
+    invite_gate_enabled: bool,
+    default_port: int,
+) -> APIRouter:
+    router = APIRouter()
+
+    @router.get("/admin/summary")
+    async def admin_summary(request: Request):
+        _, users = require_admin(request)
+        history = get_history()
+        user_msgs = [i for i in history if i.get("role") == "user"]
+        asst_msgs = [i for i in history if i.get("role") == "assistant"]
+        return {
+            "total_users": len(users),
+            "active_users": sum(1 for u in users.values() if not u.get("disabled")),
+            "admin_users": sum(1 for e in users if get_user_role(e, users) == "admin"),
+            "total_messages": len(history),
+            "user_messages": len(user_msgs),
+            "assistant_messages": len(asst_msgs),
+            "last_message_at": history[-1].get("timestamp") if history else None,
+        }
+
+    @router.get("/admin/stats")
+    async def admin_stats(request: Request):
+        require_admin(request)
+        history = get_history()
+        daily: dict = defaultdict(lambda: {"user": 0, "assistant": 0})
+        for item in history:
+            ts = item.get("timestamp", "")
+            day = ts[:10] if ts else "unknown"
+            role = item.get("role", "")
+            if role in ("user", "assistant"):
+                daily[day][role] += 1
+        sorted_days = sorted(daily.keys())[-14:]
+        return {"daily": [{"date": d, "user": daily[d]["user"], "assistant": daily[d]["assistant"]} for d in sorted_days]}
+
+    @router.get("/admin/users")
+    async def admin_users(request: Request):
+        _, users = require_admin(request)
+        return [public_user(email, user, users) for email, user in users.items()]
+
+    @router.get("/admin/sensitivity")
+    async def admin_sensitivity(request: Request):
+        require_admin(request)
+        return build_sensitivity_report(get_history())
+
+    @router.get("/admin/audit")
+    async def admin_audit(request: Request):
+        _, users = require_admin(request)
+        report = build_admin_audit_report(users)
+        try:
+            report["graph"] = get_graph_stats() if enable_graph else {"disabled": True}
+        except Exception as e:
+            logging.warning("knowledge graph stats for audit failed: %s", e)
+            report["graph"] = {"error": str(e)}
+        return report
+
+    @router.get("/vpc/status")
+    async def vpc_status(request: Request):
+        require_user(request)
+        return load_vpc_config()
+
+    @router.patch("/admin/vpc")
+    async def admin_update_vpc(req: VpcConfigUpdate, request: Request):
+        require_admin(request)
+        config = load_vpc_config()
+        update = req.dict(exclude_unset=True)
+        if "private_subnets" in update and update["private_subnets"] is not None:
+            update["private_subnets"] = [s.strip() for s in update["private_subnets"] if s.strip()]
+        config.update(update)
+        save_vpc_config(config)
+        return config
+
+    @router.patch("/admin/users/{email:path}")
+    async def admin_update_user(email: str, req: AdminUserUpdate, request: Request):
+        admin_email, users = require_admin(request)
+        if email not in users:
+            raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
+        before = public_user(email, users[email], users)
+        if req.role is not None:
+            if req.role not in {"admin", "user"}:
+                raise HTTPException(status_code=400, detail="role은 admin 또는 user만 가능합니다.")
+            users[email]["role"] = req.role
+        if req.disabled is not None:
+            if email == admin_email and req.disabled:
+                raise HTTPException(status_code=400, detail="자기 자신은 비활성화할 수 없습니다.")
+            users[email]["disabled"] = req.disabled
+        save_users(users)
+        after = public_user(email, users[email], users)
+        append_audit_event("user_update", user_email=admin_email, target_email=email, before=before, after=after)
+        return after
+
+    @router.delete("/admin/users/{email:path}")
+    async def admin_delete_user(email: str, request: Request):
+        admin_email, users = require_admin(request)
+        if email == admin_email:
+            raise HTTPException(status_code=400, detail="자기 자신은 삭제할 수 없습니다.")
+        if email not in users:
+            raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
+        deleted = public_user(email, users[email], users)
+        append_audit_event("user_delete", user_email=admin_email, target_email=email, deleted_user=deleted)
+        del users[email]
+        save_users(users)
+        return {"status": "ok", "deleted": deleted}
+
+    @router.get("/admin/invite-link")
+    async def admin_invite_link(request: Request):
+        require_admin(request)
+        host = request.headers.get("host", f"localhost:{default_port}")
+        scheme = "https" if request.headers.get("x-forwarded-proto") == "https" else "http"
+        url = f"{scheme}://{host}/?code={invite_code}" if invite_gate_enabled else f"{scheme}://{host}/"
+        return {"invite_url": url, "invite_code": invite_code, "gate_enabled": invite_gate_enabled}
+
+    @router.get("/admin/sso")
+    async def admin_sso(request: Request):
+        require_admin(request)
+        return public_sso_config()
+
+    @router.patch("/admin/sso")
+    async def admin_update_sso(req: SsoConfigUpdate, request: Request):
+        admin_email, _ = require_admin(request)
+        update = req.dict(exclude_unset=True)
+        saved = save_sso_config(update)
+        append_audit_event(
+            "sso_config_update",
+            user_email=admin_email,
+            provider_name=saved.get("provider_name"),
+            discovery_url=saved.get("discovery_url"),
+            enabled=bool(saved.get("enabled")),
+        )
+        return public_sso_config(saved)
+
+    return router

package/latticeai/api/auth.py

@@ -0,0 +1,233 @@
+"""Authentication API router: register, login, logout, SSO, profile."""
+
+import base64
+import json
+import logging
+import secrets
+import time
+from typing import Any, Callable, Dict, Optional
+from urllib.parse import urlencode
+
+from fastapi import APIRouter, HTTPException, Request
+from fastapi.responses import JSONResponse, RedirectResponse
+from pydantic import BaseModel
+
+
+class UserRegister(BaseModel):
+    email: str
+    password: str
+    name: str
+    nickname: str
+
+
+class UserLogin(BaseModel):
+    email: str
+    password: str
+
+
+class ChangePasswordRequest(BaseModel):
+    current_password: str
+    new_password: str
+
+
+class UpdateProfileRequest(BaseModel):
+    name: Optional[str] = None
+    nickname: Optional[str] = None
+
+
+_sso_states: Dict[str, float] = {}
+
+
+def create_auth_router(
+    *,
+    load_users: Callable[[], Dict],
+    save_users: Callable[[Dict], None],
+    hash_password: Callable[[str], str],
+    verify_and_migrate: Callable[[str, str, str, Dict], bool],
+    create_session: Callable[[str], str],
+    get_session_email: Callable[[str], Optional[str]],
+    invalidate_session: Callable[[str], None],
+    extract_bearer_token: Callable[[Request], Optional[str]],
+    get_user_role: Callable[[str, Optional[Dict]], str],
+    require_user: Callable[[Request], str],
+    check_ip_rate_limit: Callable[..., None],
+    client_ip: Callable[[Request], str],
+    get_sso_settings: Callable[[], Dict],
+    get_sso_discovery: Callable[[], Any],
+    public_sso_config: Callable[..., Dict],
+    open_registration: bool,
+    session_ttl: int,
+) -> APIRouter:
+    router = APIRouter()
+
+    @router.post("/register")
+    async def register(req: UserRegister, request: Request):
+        check_ip_rate_limit(client_ip(request), "register", max_calls=5, window_secs=3600)
+        if not open_registration:
+            raise HTTPException(status_code=403, detail="회원가입이 비활성화되어 있습니다. 관리자에게 문의하세요.")
+        users = load_users()
+        if req.email in users:
+            raise HTTPException(status_code=400, detail="이미 존재하는 이메일입니다.")
+        role = "admin" if not users else "user"
+        users[req.email] = {
+            "password": hash_password(req.password),
+            "name": req.name,
+            "nickname": req.nickname,
+            "role": role,
+            "disabled": False,
+        }
+        save_users(users)
+        msg = "회원가입 성공! 첫 번째 사용자로 관리자 권한이 부여되었습니다." if role == "admin" else "회원가입 성공!"
+        return {"status": "ok", "message": msg, "role": role}
+
+    @router.post("/login")
+    async def login(req: UserLogin, request: Request):
+        check_ip_rate_limit(client_ip(request), "login", max_calls=10, window_secs=300)
+        users = load_users()
+        user = users.get(req.email)
+        if not user or not verify_and_migrate(req.email, req.password, user.get("password", ""), users):
+            raise HTTPException(status_code=401, detail="이메일 또는 비밀번호가 틀렸습니다.")
+        if user.get("disabled"):
+            raise HTTPException(status_code=403, detail="비활성화된 계정입니다.")
+        role = get_user_role(req.email, users)
+        token = create_session(req.email)
+        response = JSONResponse(content={
+            "status": "ok",
+            "nickname": user["nickname"],
+            "name": user["name"],
+            "email": req.email,
+            "role": role,
+            "is_admin": role == "admin",
+        })
+        response.set_cookie(key="session_token", value=token, httponly=True, samesite="lax", max_age=session_ttl)
+        return response
+
+    @router.get("/auth/sso/config")
+    async def sso_config_endpoint():
+        return public_sso_config()
+
+    @router.get("/auth/sso/login")
+    async def sso_login():
+        settings = get_sso_settings()
+        discovery = await get_sso_discovery()
+        if not settings.get("enabled") or not discovery:
+            raise HTTPException(status_code=503, detail="SSO가 설정되지 않았습니다.")
+        state = secrets.token_urlsafe(16)
+        _sso_states[state] = time.time()
+        params = urlencode({
+            "client_id": settings["client_id"],
+            "response_type": "code",
+            "redirect_uri": settings["redirect_uri"],
+            "scope": settings.get("scopes") or "openid email profile",
+            "state": state,
+        })
+        return RedirectResponse(f"{discovery['authorization_endpoint']}?{params}")
+
+    @router.get("/auth/sso/callback")
+    async def sso_callback(code: str = "", state: str = "", error: str = ""):
+        if error:
+            return RedirectResponse(f"/?sso_error={error}")
+        ts = _sso_states.pop(state, None)
+        if ts is None or time.time() - ts > 300:
+            raise HTTPException(status_code=400, detail="유효하지 않은 SSO 상태입니다.")
+        settings = get_sso_settings()
+        discovery = await get_sso_discovery()
+        if not settings.get("enabled") or not discovery:
+            raise HTTPException(status_code=503, detail="SSO 설정 오류입니다.")
+        import httpx as _httpx
+        async with _httpx.AsyncClient() as c:
+            r = await c.post(discovery["token_endpoint"], data={
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": settings["redirect_uri"],
+                "client_id": settings["client_id"],
+                "client_secret": settings["client_secret"],
+            }, headers={"Accept": "application/json"}, timeout=15)
+            tokens = r.json()
+        id_token = tokens.get("id_token")
+        if not id_token:
+            raise HTTPException(status_code=400, detail="ID 토큰을 받지 못했습니다.")
+        padded = id_token.split(".")[1] + "=="
+        payload = json.loads(base64.urlsafe_b64decode(padded))
+        email = payload.get("email") or payload.get("preferred_username") or payload.get("upn") or ""
+        if not email:
+            raise HTTPException(status_code=400, detail="이메일을 확인할 수 없습니다.")
+        users = load_users()
+        if email not in users:
+            is_first = len(users) == 0
+            users[email] = {
+                "password": "",
+                "name": payload.get("name", email.split("@")[0]),
+                "nickname": payload.get("given_name", email.split("@")[0]),
+                "role": "admin" if is_first else "user",
+                "disabled": False,
+                "sso": True,
+            }
+            save_users(users)
+        if users[email].get("disabled"):
+            raise HTTPException(status_code=403, detail="비활성화된 계정입니다.")
+        token = create_session(email)
+        resp = RedirectResponse("/chat", status_code=302)
+        resp.set_cookie("session_token", token, httponly=True, samesite="lax", max_age=session_ttl)
+        return resp
+
+    @router.post("/logout")
+    async def logout(request: Request):
+        token = extract_bearer_token(request)
+        if token:
+            invalidate_session(token)
+        response = JSONResponse(content={"status": "ok"})
+        response.delete_cookie("session_token")
+        return response
+
+    @router.post("/account/change-password")
+    async def change_password(req: ChangePasswordRequest, request: Request):
+        email = require_user(request)
+        if not email:
+            raise HTTPException(status_code=401, detail="인증이 필요합니다.")
+        if len(req.new_password) < 4:
+            raise HTTPException(status_code=400, detail="새 비밀번호는 4자 이상이어야 합니다.")
+        users = load_users()
+        user = users.get(email)
+        if not user:
+            raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
+        if not verify_and_migrate(email, req.current_password, user.get("password", ""), users):
+            raise HTTPException(status_code=401, detail="현재 비밀번호가 틀렸습니다.")
+        users[email]["password"] = hash_password(req.new_password)
+        save_users(users)
+        return {"status": "ok", "message": "비밀번호가 변경되었습니다."}
+
+    @router.patch("/account/profile")
+    async def update_profile(req: UpdateProfileRequest, request: Request):
+        email = require_user(request)
+        if not email:
+            raise HTTPException(status_code=401, detail="인증이 필요합니다.")
+        if req.name is not None and not req.name.strip():
+            raise HTTPException(status_code=400, detail="이름을 입력해주세요.")
+        if req.nickname is not None and not req.nickname.strip():
+            raise HTTPException(status_code=400, detail="닉네임을 입력해주세요.")
+        users = load_users()
+        user = users.get(email)
+        if not user:
+            raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
+        if req.name is not None:
+            users[email]["name"] = req.name.strip()
+        if req.nickname is not None:
+            users[email]["nickname"] = req.nickname.strip()
+        save_users(users)
+        return {"status": "ok", "name": users[email]["name"], "nickname": users[email]["nickname"]}
+
+    @router.get("/account/profile")
+    async def get_profile(request: Request):
+        email = require_user(request)
+        if not email:
+            raise HTTPException(status_code=401, detail="인증이 필요합니다.")
+        users = load_users()
+        user = users.get(email)
+        if not user:
+            raise HTTPException(status_code=404, detail="사용자를 찾을 수 없습니다.")
+        role = get_user_role(email, users)
+        return {"email": email, "name": user.get("name", ""), "nickname": user.get("nickname", ""),
+                "role": role, "is_admin": role == "admin"}
+
+    return router

package/latticeai/core/__init__.py

@@ -0,0 +1 @@
+"""Core utilities: security, sessions, audit."""

package/latticeai/core/audit.py

@@ -0,0 +1,245 @@
+"""Audit logging, sensitivity analysis, and admin reporting."""
+
+import json
+import logging
+import os
+import re
+import threading
+from datetime import datetime
+from pathlib import Path
+from typing import Any, Callable, Dict, List, Optional
+
+_history_lock = threading.Lock()
+
+SENSITIVE_PATTERNS = [
+    {"key": "rrn", "label": "주민등록번호", "severity": "high", "pattern": r"\b\d{6}[- ]?[1-4]\d{6}\b"},
+    {"key": "card", "label": "카드번호", "severity": "high", "pattern": r"\b(?:\d[ -]?){13,19}\b"},
+    {"key": "account", "label": "계좌번호", "severity": "medium", "pattern": r"(?:계좌|account|bank).{0,12}\d[\d -]{8,24}"},
+    {"key": "password", "label": "비밀번호/인증정보", "severity": "high", "pattern": r"(?:password|passwd|비밀번호|암호|token|api[_ -]?key|secret)\s*[:=]\s*[^\s,;]{4,}"},
+    {"key": "email", "label": "이메일", "severity": "low", "pattern": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"},
+    {"key": "phone", "label": "전화번호", "severity": "medium", "pattern": r"\b(?:01[016789]|02|0[3-6][1-5])[- ]?\d{3,4}[- ]?\d{4}\b"},
+    {"key": "address", "label": "주소", "severity": "medium", "pattern": r"(?:[가-힣]+(?:시|도)\s*)?[가-힣]+(?:시|군|구)\s+[가-힣0-9\s-]+(?:로|길)\s*\d*"},
+    {"key": "health", "label": "건강/의료정보", "severity": "medium", "pattern": r"(?:진단|병명|처방|복용|수술|장애|임신|혈액형|알레르기|medical|diagnosis)"},
+]
+SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}
+AUDIT_DELETE_EVENTS = {"conversation_delete", "history_delete", "user_delete"}
+
+
+def get_audit_log(audit_file: Path) -> List[Dict]:
+    if not os.path.exists(audit_file):
+        return []
+    try:
+        with open(audit_file, "r", encoding="utf-8") as f:
+            data = json.load(f)
+        return data if isinstance(data, list) else []
+    except Exception as e:
+        logging.warning("get_audit_log failed: %s", e)
+        return []
+
+
+def append_audit_event(audit_file: Path, event_type: str, **payload) -> None:
+    try:
+        event = {
+            "event_type": event_type,
+            "timestamp": datetime.now().isoformat(),
+            **payload,
+        }
+        with _history_lock:
+            events = get_audit_log(audit_file)
+            events.append(event)
+            if len(events) > 5000:
+                events = events[-5000:]
+            tmp_path = str(audit_file) + ".tmp"
+            with open(tmp_path, "w", encoding="utf-8") as f:
+                json.dump(events, f, ensure_ascii=False, indent=2)
+            os.replace(tmp_path, audit_file)
+    except Exception as e:
+        logging.warning("append_audit_event failed: %s", e)
+
+
+def mask_sensitive_text(text: str, matches: List[Dict]) -> str:
+    masked = text
+    for item in sorted(matches, key=lambda m: m["start"], reverse=True):
+        value = masked[item["start"]:item["end"]]
+        if len(value) <= 4:
+            replacement = "*" * len(value)
+        else:
+            replacement = value[:2] + "*" * min(len(value) - 4, 12) + value[-2:]
+        masked = masked[:item["start"]] + replacement + masked[item["end"]:]
+    return masked
+
+
+def classify_sensitive_message(item: Dict, index: int) -> Dict:
+    content = str(item.get("content", ""))
+    found = []
+    seen: set = set()
+    for rule in SENSITIVE_PATTERNS:
+        for match in re.finditer(rule["pattern"], content, flags=re.IGNORECASE):
+            key = (rule["key"], match.start(), match.end())
+            if key in seen:
+                continue
+            seen.add(key)
+            found.append({
+                "type": rule["key"],
+                "label": rule["label"],
+                "severity": rule["severity"],
+                "start": match.start(),
+                "end": match.end(),
+            })
+    severity = "none"
+    if found:
+        severity = max(found, key=lambda m: SEVERITY_SCORE[m["severity"]])["severity"]
+    preview_text = content[:240]
+    preview_matches = [m for m in found if m["start"] < len(preview_text)]
+    return {
+        "index": index,
+        "role": item.get("role", ""),
+        "user_email": item.get("user_email"),
+        "user_nickname": item.get("user_nickname") or item.get("user_email") or "Unknown",
+        "timestamp": item.get("timestamp"),
+        "sensitivity": severity,
+        "labels": sorted({m["label"] for m in found}),
+        "risk_fields": found,
+        "compliance_fields": [] if found else ["민감정보 미검출"],
+        "preview": mask_sensitive_text(preview_text, preview_matches),
+    }
+
+
+def build_sensitivity_report(history: List[Dict]) -> Dict:
+    items = [classify_sensitive_message(item, i) for i, item in enumerate(history)]
+    risky = [x for x in items if x["risk_fields"]]
+    compliant = [x for x in items if not x["risk_fields"]]
+    field_counts: Dict[str, int] = {}
+    user_counts: Dict[str, int] = {}
+    severity_counts = {"high": 0, "medium": 0, "low": 0, "none": len(compliant)}
+    for item in risky:
+        severity_counts[item["sensitivity"]] += 1
+        user_key = item.get("user_email") or item.get("user_nickname") or "Unknown"
+        user_counts[user_key] = user_counts.get(user_key, 0) + 1
+        for field in item["risk_fields"]:
+            field_counts[field["label"]] = field_counts.get(field["label"], 0) + 1
+    return {
+        "summary": {
+            "total_messages": len(items),
+            "risky_messages": len(risky),
+            "compliant_messages": len(compliant),
+            "risk_rate": round((len(risky) / len(items)) * 100, 1) if items else 0,
+            "severity_counts": severity_counts,
+            "field_counts": field_counts,
+            "user_counts": user_counts,
+        },
+        "risk_fields": risky[-30:],
+        "compliance_fields": compliant[-30:],
+    }
+
+
+def build_admin_audit_report(
+    audit_file: Path,
+    users: Dict,
+    *,
+    get_user_role: Callable[[str, Optional[Dict]], str],
+    graph_stats: Optional[Dict] = None,
+) -> Dict:
+    events = get_audit_log(audit_file)
+
+    def _user_bucket(email: Optional[str], nickname: Optional[str] = None) -> Dict:
+        user = users.get(email or "", {})
+        return {
+            "email": email or "Unknown",
+            "nickname": nickname or user.get("nickname") or user.get("name") or email or "Unknown",
+            "role": get_user_role(email, users) if email else "unknown",
+            "disabled": bool(user.get("disabled")) if user else False,
+            "user_messages": 0, "assistant_messages": 0, "document_uploads": 0,
+            "clear_events": 0, "delete_events": 0, "sensitive_events": 0,
+            "high_sensitive_events": 0, "total_content_chars": 0, "last_activity_at": None,
+        }
+
+    per_user: Dict[str, Dict] = {}
+
+    def ensure(email: Optional[str], nickname: Optional[str] = None) -> Dict:
+        key = email or nickname or "Unknown"
+        if key not in per_user:
+            per_user[key] = _user_bucket(email, nickname)
+        elif nickname and per_user[key].get("nickname") in {"Unknown", email, None}:
+            per_user[key]["nickname"] = nickname
+        return per_user[key]
+
+    for email, user in users.items():
+        ensure(email, user.get("nickname") or user.get("name"))
+
+    summary: Dict[str, Any] = {
+        "total_events": len(events), "chat_events": 0, "user_messages": 0,
+        "assistant_messages": 0, "document_uploads": 0, "clear_events": 0,
+        "delete_events": 0, "sensitive_events": 0, "high_sensitive_events": 0,
+    }
+    sensitive_events: List[Dict] = []
+    deletion_events: List[Dict] = []
+
+    for event in events:
+        event_type = event.get("event_type")
+        email = event.get("user_email")
+        u = ensure(email, event.get("user_nickname"))
+        ts = event.get("timestamp")
+        if ts and (not u["last_activity_at"] or ts > u["last_activity_at"]):
+            u["last_activity_at"] = ts
+        u["total_content_chars"] += int(event.get("content_chars") or event.get("extracted_chars") or 0)
+        sensitivity = event.get("sensitivity") or "none"
+        labels = event.get("sensitive_labels") or []
+        is_sensitive = sensitivity != "none" or bool(labels)
+
+        if event_type == "chat_message":
+            summary["chat_events"] += 1
+            if event.get("role") == "user":
+                summary["user_messages"] += 1
+                u["user_messages"] += 1
+            elif event.get("role") == "assistant":
+                summary["assistant_messages"] += 1
+                u["assistant_messages"] += 1
+        elif event_type == "document_upload":
+            summary["document_uploads"] += 1
+            u["document_uploads"] += 1
+        elif event_type == "clear_command":
+            summary["clear_events"] += 1
+            u["clear_events"] += 1
+        elif event_type in AUDIT_DELETE_EVENTS:
+            summary["delete_events"] += 1
+            u["delete_events"] += 1
+            deletion_events.append(_public_audit_event(event))
+
+        if is_sensitive:
+            summary["sensitive_events"] += 1
+            u["sensitive_events"] += 1
+            if sensitivity == "high":
+                summary["high_sensitive_events"] += 1
+                u["high_sensitive_events"] += 1
+            sensitive_events.append(_public_audit_event(event))
+
+    allowed_keys = {
+        "event_type", "timestamp", "role", "user_email", "user_nickname", "source",
+        "conversation_id", "command", "scope", "target_email", "filename", "mime_type",
+        "ext", "bytes", "extracted_chars", "graph_node", "keep_last", "removed", "kept",
+        "started_at", "sensitivity", "sensitive_labels", "content_preview", "content_chars",
+    }
+    recent = [_public_audit_event(e) for e in events[-50:]]
+
+    result: Dict[str, Any] = {
+        "summary": summary,
+        "per_user": sorted(per_user.values(), key=lambda u: u.get("last_activity_at") or "", reverse=True),
+        "recent_events": list(reversed(recent)),
+        "sensitive_events": sensitive_events[-30:],
+        "deletion_events": deletion_events[-30:],
+    }
+    if graph_stats:
+        result["summary"]["graph_nodes"] = graph_stats.get("total_nodes", 0)
+        result["summary"]["graph_edges"] = graph_stats.get("total_edges", 0)
+    return result
+
+
+def _public_audit_event(event: Dict) -> Dict:
+    allowed = {
+        "event_type", "timestamp", "role", "user_email", "user_nickname", "source",
+        "conversation_id", "command", "scope", "target_email", "filename", "mime_type",
+        "ext", "bytes", "extracted_chars", "graph_node", "keep_last", "removed", "kept",
+        "started_at", "sensitivity", "sensitive_labels", "content_preview", "content_chars",
+    }
+    return {k: event.get(k) for k in allowed if k in event}