npm - orbitchat - Versions diffs - 2.14.1 → 3.1.0 - Mend

orbitchat 2.14.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (183) hide show

package/bin/orbitchat.js CHANGED Viewed

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
 /**
  * ORBIT Chat CLI
- *
+ *
  * Serves the chat-app as a standalone application with runtime configuration.
- * Configuration can be provided via CLI arguments, config file, or environment variables.
- *
+ * Configuration is read from orbitchat.yaml (CWD by default, overridable via --config).
+ * Secrets (adapter API keys) come from VITE_ADAPTERS / ORBIT_ADAPTERS env var.
+ *
  * The server acts as a proxy to hide API keys from the client by mapping
  * adapter names to actual API keys.
  */
@@ -12,34 +13,101 @@
 import express from 'express';
 import fs from 'fs';
 import path from 'path';
-import { homedir } from 'os';
 import { execSync } from 'child_process';
 import { fileURLToPath } from 'url';
 import { dirname } from 'path';
 import { createProxyMiddleware } from 'http-proxy-middleware';
+import yaml from 'js-yaml';
+import rateLimit from 'express-rate-limit';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
-// Default configuration matching env.example
-// Note: GitHub stats/owner/repo are hardcoded and only configurable via build-time env vars
-const DEFAULT_CONFIG = {
+// ---- Minimal .env loader (CLI mode) ----
+function parseDotEnvValue(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) return '';
+  if (
+    (trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+    (trimmed.startsWith("'") && trimmed.endsWith("'"))
+  ) {
+    return trimmed.slice(1, -1);
+  }
+  return trimmed;
+}
+function loadDotEnvFromFile(filePath) {
+  if (!fs.existsSync(filePath)) return;
+  const content = fs.readFileSync(filePath, 'utf8');
+  const lines = content.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const trimmed = lines[i].trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const equalsIndex = trimmed.indexOf('=');
+    if (equalsIndex <= 0) continue;
+    const key = trimmed.slice(0, equalsIndex).trim();
+    if (!key) continue;
+    if (process.env[key] !== undefined) continue;
+    let valueRaw = trimmed.slice(equalsIndex + 1);
+    const startsWithDouble = valueRaw.startsWith('"');
+    const startsWithSingle = valueRaw.startsWith("'");
+    // Support simple multiline quoted values, useful for formatted JSON values.
+    if (
+      (startsWithDouble && !valueRaw.endsWith('"')) ||
+      (startsWithSingle && !valueRaw.endsWith("'"))
+    ) {
+      const quote = startsWithDouble ? '"' : "'";
+      while (i + 1 < lines.length) {
+        i += 1;
+        valueRaw += `\n${lines[i]}`;
+        if (lines[i].trim().endsWith(quote)) {
+          break;
+        }
+      }
+    }
+    const value = parseDotEnvValue(valueRaw);
+    process.env[key] = value;
+  }
+}
+function loadDotEnv(baseDir) {
+  // Same precedence idea as Vite: .env then .env.local; do not override exported vars.
+  loadDotEnvFromFile(path.join(baseDir, '.env'));
+  loadDotEnvFromFile(path.join(baseDir, '.env.local'));
+}
+// ---- Defaults (must match DEFAULTS in src/utils/runtimeConfig.ts) ----
+const DEFAULTS = {
   apiUrl: 'http://localhost:3000',
   defaultKey: 'default-key',
   applicationName: 'ORBIT Chat',
   applicationDescription: "Explore ideas with ORBIT's AI copilots, share context, and build together.",
   defaultInputPlaceholder: 'Message ORBIT...',
-  useLocalApi: false,
-  localApiPath: undefined,
   consoleDebug: false,
+  locale: 'en-US',
   enableUploadButton: false,
   enableAudioOutput: false,
   enableAudioInput: false,
   enableFeedbackButtons: false,
+  enableConversationThreads: true,
   enableAutocomplete: false,
   voiceSilenceTimeoutMs: 4000,
   voiceRecognitionLanguage: '',
+  showGitHubStats: true,
   outOfServiceMessage: null,
+  githubOwner: 'schmitech',
+  githubRepo: 'orbit',
   maxFilesPerConversation: 5,
   maxFileSizeMB: 50,
   maxTotalFiles: 100,
@@ -48,14 +116,157 @@ const DEFAULT_CONFIG = {
   maxMessagesPerThread: 1000,
   maxTotalMessages: 10000,
   maxMessageLength: 1000,
+  guestMaxConversations: 1,
+  guestMaxMessagesPerConversation: 10,
+  guestMaxTotalMessages: 10,
+  guestMaxMessagesPerThread: 10,
+  guestMaxFilesPerConversation: 1,
+  guestMaxTotalFiles: 2,
+  guestMaxMessageLength: 500,
+  guestMaxFileSizeMB: 10,
   settingsAboutMsg: 'ORBIT Chat',
+  enableAuth: false,
+  authDomain: '',
+  authClientId: '',
+  authAudience: '',
+  enableHeader: false,
+  headerLogoUrl: '',
+  headerBrandName: '',
+  headerBgColor: '',
+  headerTextColor: '',
+  headerNavLinks: [],
+  enableFooter: false,
+  footerText: '',
+  footerBgColor: '',
+  footerTextColor: '',
+  footerNavLinks: [],
 };
-function parseAdaptersListFromEnv() {
-  const envValue = process.env.ORBIT_ADAPTERS || process.env.VITE_ADAPTERS;
-  if (!envValue) {
-    return [];
+// ---- YAML config loading ----
+function flattenYamlConfig(y) {
+  const f = {};
+  if (y.application) {
+    const a = y.application;
+    if (a.name !== undefined) f.applicationName = a.name;
+    if (a.description !== undefined) f.applicationDescription = a.description;
+    if (a.inputPlaceholder !== undefined) f.defaultInputPlaceholder = a.inputPlaceholder;
+    if (a.settingsAboutMsg !== undefined) f.settingsAboutMsg = a.settingsAboutMsg;
+    if (a.locale !== undefined) f.locale = a.locale;
+  }
+  if (y.api) {
+    if (y.api.url !== undefined) f.apiUrl = y.api.url;
+    if (y.api.defaultAdapter !== undefined) f.defaultKey = y.api.defaultAdapter;
+  }
+  if (y.debug) {
+    if (y.debug.consoleDebug !== undefined) f.consoleDebug = y.debug.consoleDebug;
+  }
+  if (y.features) {
+    const fe = y.features;
+    if (fe.enableUpload !== undefined) f.enableUploadButton = fe.enableUpload;
+    if (fe.enableAudioOutput !== undefined) f.enableAudioOutput = fe.enableAudioOutput;
+    if (fe.enableAudioInput !== undefined) f.enableAudioInput = fe.enableAudioInput;
+    if (fe.enableFeedbackButtons !== undefined) f.enableFeedbackButtons = fe.enableFeedbackButtons;
+    if (fe.enableConversationThreads !== undefined) f.enableConversationThreads = fe.enableConversationThreads;
+    if (fe.enableAutocomplete !== undefined) f.enableAutocomplete = fe.enableAutocomplete;
+  }
+  if (y.voice) {
+    if (y.voice.silenceTimeoutMs !== undefined) f.voiceSilenceTimeoutMs = y.voice.silenceTimeoutMs;
+    if (y.voice.recognitionLanguage !== undefined) f.voiceRecognitionLanguage = y.voice.recognitionLanguage;
+  }
+  if (y.github) {
+    if (y.github.showStats !== undefined) f.showGitHubStats = y.github.showStats;
+    if (y.github.owner !== undefined) f.githubOwner = y.github.owner;
+    if (y.github.repo !== undefined) f.githubRepo = y.github.repo;
   }
+  if (y.outOfServiceMessage !== undefined) f.outOfServiceMessage = y.outOfServiceMessage;
+  if (y.limits) {
+    const l = y.limits;
+    if (l.files) {
+      if (l.files.perConversation !== undefined) f.maxFilesPerConversation = l.files.perConversation;
+      if (l.files.maxSizeMB !== undefined) f.maxFileSizeMB = l.files.maxSizeMB;
+      if (l.files.totalFiles !== undefined) f.maxTotalFiles = l.files.totalFiles;
+    }
+    if (l.conversations) {
+      if (l.conversations.maxConversations !== undefined) f.maxConversations = l.conversations.maxConversations;
+      if (l.conversations.messagesPerConversation !== undefined) f.maxMessagesPerConversation = l.conversations.messagesPerConversation;
+      if (l.conversations.messagesPerThread !== undefined) f.maxMessagesPerThread = l.conversations.messagesPerThread;
+      if (l.conversations.totalMessages !== undefined) f.maxTotalMessages = l.conversations.totalMessages;
+    }
+    if (l.messages) {
+      if (l.messages.maxLength !== undefined) f.maxMessageLength = l.messages.maxLength;
+    }
+  }
+  if (y.guestLimits) {
+    const g = y.guestLimits;
+    if (g.files) {
+      if (g.files.perConversation !== undefined) f.guestMaxFilesPerConversation = g.files.perConversation;
+      if (g.files.maxSizeMB !== undefined) f.guestMaxFileSizeMB = g.files.maxSizeMB;
+      if (g.files.totalFiles !== undefined) f.guestMaxTotalFiles = g.files.totalFiles;
+    }
+    if (g.conversations) {
+      if (g.conversations.maxConversations !== undefined) f.guestMaxConversations = g.conversations.maxConversations;
+      if (g.conversations.messagesPerConversation !== undefined) f.guestMaxMessagesPerConversation = g.conversations.messagesPerConversation;
+      if (g.conversations.messagesPerThread !== undefined) f.guestMaxMessagesPerThread = g.conversations.messagesPerThread;
+      if (g.conversations.totalMessages !== undefined) f.guestMaxTotalMessages = g.conversations.totalMessages;
+    }
+    if (g.messages) {
+      if (g.messages.maxLength !== undefined) f.guestMaxMessageLength = g.messages.maxLength;
+    }
+  }
+  if (y.auth) {
+    if (y.auth.enabled !== undefined) f.enableAuth = y.auth.enabled;
+  }
+  if (y.header) {
+    const h = y.header;
+    if (h.enabled !== undefined) f.enableHeader = h.enabled;
+    if (h.logoUrl !== undefined) f.headerLogoUrl = h.logoUrl;
+    if (h.brandName !== undefined) f.headerBrandName = h.brandName;
+    if (h.bgColor !== undefined) f.headerBgColor = h.bgColor;
+    if (h.textColor !== undefined) f.headerTextColor = h.textColor;
+    if (h.navLinks !== undefined) f.headerNavLinks = h.navLinks;
+  }
+  if (y.footer) {
+    const ft = y.footer;
+    if (ft.enabled !== undefined) f.enableFooter = ft.enabled;
+    if (ft.text !== undefined) f.footerText = ft.text;
+    if (ft.bgColor !== undefined) f.footerBgColor = ft.bgColor;
+    if (ft.textColor !== undefined) f.footerTextColor = ft.textColor;
+    if (ft.navLinks !== undefined) f.footerNavLinks = ft.navLinks;
+  }
+  // Adapters from YAML: include metadata (name, description, notes, apiUrl) but NOT apiKey
+  if (y.adapters !== undefined) {
+    f.adapters = y.adapters.map(a => ({
+      name: a.name,
+      ...(a.apiUrl ? { apiUrl: a.apiUrl } : {}),
+      ...(a.description ? { description: a.description } : {}),
+      ...(a.notes ? { notes: a.notes } : {}),
+    }));
+  }
+  return f;
+}
+function loadYamlConfig(configPath) {
+  try {
+    if (fs.existsSync(configPath)) {
+      const content = fs.readFileSync(configPath, 'utf8');
+      const parsed = yaml.load(content);
+      if (parsed && typeof parsed === 'object') {
+        return parsed;
+      }
+    }
+  } catch (error) {
+    console.error(`Error: Failed to parse ${configPath}: ${error.message}`);
+    process.exit(1);
+  }
+  return null;
+}
+// ---- Adapter loading (env secrets + YAML metadata) ----
+function parseAdaptersFromEnv() {
+  const envValue = process.env.ORBIT_ADAPTERS || process.env.VITE_ADAPTERS;
+  if (!envValue) return [];
   try {
     const parsed = JSON.parse(envValue);
@@ -63,46 +274,28 @@ function parseAdaptersListFromEnv() {
       console.warn('Warning: ORBIT_ADAPTERS/VITE_ADAPTERS must be a JSON array');
       return [];
     }
-    const adapters = [];
-    for (const adapter of parsed) {
-      if (!adapter.name) {
-        console.warn('Warning: Each adapter must have a "name" property');
-        continue;
-      }
-      adapters.push({
-        name: adapter.name,
-        apiKey: adapter.apiKey || DEFAULT_CONFIG.defaultKey,
-        apiUrl: adapter.apiUrl || DEFAULT_CONFIG.apiUrl,
-        description: adapter.description || adapter.summary,
-        notes: adapter.notes,
-      });
-    }
-    return adapters;
+    return parsed.filter(a => a.name).map(a => ({
+      name: a.name,
+      apiKey: a.apiKey || DEFAULTS.defaultKey,
+      apiUrl: a.apiUrl || DEFAULTS.apiUrl,
+      description: a.description || a.summary,
+      notes: a.notes,
+    }));
   } catch (error) {
     console.warn('Warning: Could not parse ORBIT_ADAPTERS/VITE_ADAPTERS:', error.message);
     return [];
   }
 }
-/**
- * Load adapter mappings from environment variable
- * Format: JSON array of adapter objects
- * Example: ORBIT_ADAPTERS='[{"name":"Simple Chat","apiKey":"key1","apiUrl":"https://api.example.com"}]'
- * @returns {object|null} - Adapters object or null if not found/invalid
- */
 function loadAdaptersConfig() {
-  const adapterList = parseAdaptersListFromEnv();
-  if (adapterList.length === 0) {
-    return null;
-  }
+  const adapterList = parseAdaptersFromEnv();
+  if (adapterList.length === 0) return null;
   const adapters = {};
   for (const adapter of adapterList) {
     adapters[adapter.name] = {
-      apiKey: adapter.apiKey || DEFAULT_CONFIG.defaultKey,
-      apiUrl: adapter.apiUrl || DEFAULT_CONFIG.apiUrl,
+      apiKey: adapter.apiKey || DEFAULTS.defaultKey,
+      apiUrl: adapter.apiUrl || DEFAULTS.apiUrl,
       description: adapter.description,
       notes: adapter.notes,
     };
@@ -112,113 +305,26 @@ function loadAdaptersConfig() {
 }
 function getDefaultAdapterFromEnv() {
-  const adapterList = parseAdaptersListFromEnv();
+  const adapterList = parseAdaptersFromEnv();
   return adapterList.length > 0 ? adapterList[0].name : null;
 }
-/**
- * Parse command-line arguments
- */
+// ---- CLI arg parsing (server flags only) ----
 function parseArgs() {
   const args = process.argv.slice(2);
-  const config = { ...DEFAULT_CONFIG };
   const serverConfig = {
     port: 5173,
     host: 'localhost',
     open: false,
     configFile: null,
     apiOnly: false,
+    corsOrigin: undefined,
   };
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
     switch (arg) {
-      case '--api-url':
-        config.apiUrl = args[++i];
-        break;
-      case '--api-key':
-        config.defaultKey = args[++i];
-        break;
-      case '--default-adapter':
-        config.defaultKey = args[++i];
-        break;
-      case '--default-key':
-        console.warn('Warning: --default-key is deprecated. Use --default-adapter instead.');
-        config.defaultKey = args[++i];
-        break;
-      case '--application-name':
-        config.applicationName = args[++i];
-        break;
-      case '--application-description':
-        config.applicationDescription = args[++i];
-        break;
-      case '--default-input-placeholder':
-        config.defaultInputPlaceholder = args[++i];
-        break;
-      case '--use-local-api':
-        config.useLocalApi = true;
-        break;
-      case '--local-api-path':
-        config.localApiPath = args[++i];
-        break;
-      case '--console-debug':
-        config.consoleDebug = true;
-        break;
-      case '--enable-upload':
-        config.enableUploadButton = true;
-        break;
-      case '--enable-audio':
-        config.enableAudioOutput = true;
-        break;
-      case '--enable-audio-input':
-        config.enableAudioInput = true;
-        break;
-      case '--enable-feedback':
-        config.enableFeedbackButtons = true;
-        break;
-      case '--enable-autocomplete':
-        config.enableAutocomplete = true;
-        break;
-      case '--voice-silence-timeout-ms':
-        config.voiceSilenceTimeoutMs = parseInt(args[++i], 10);
-        break;
-      case '--voice-recognition-lang':
-        config.voiceRecognitionLanguage = args[++i];
-        break;
-      case '--enable-api-middleware':
-        // Ignored — middleware mode is now always enabled
-        break;
-      case '--out-of-service-message':
-        config.outOfServiceMessage = args[++i];
-        break;
-      case '--max-files-per-conversation':
-        config.maxFilesPerConversation = parseInt(args[++i], 10);
-        break;
-      case '--max-file-size-mb':
-        config.maxFileSizeMB = parseInt(args[++i], 10);
-        break;
-      case '--max-total-files':
-        config.maxTotalFiles = parseInt(args[++i], 10);
-        break;
-      case '--max-conversations':
-        config.maxConversations = parseInt(args[++i], 10);
-        break;
-      case '--max-messages-per-conversation':
-        config.maxMessagesPerConversation = parseInt(args[++i], 10);
-        break;
-      case '--max-messages-per-thread':
-        config.maxMessagesPerThread = parseInt(args[++i], 10);
-        break;
-      case '--max-total-messages':
-        config.maxTotalMessages = parseInt(args[++i], 10);
-        break;
-      case '--max-message-length':
-        config.maxMessageLength = parseInt(args[++i], 10);
-        break;
-      case '--settings-about-msg':
-        config.settingsAboutMsg = args[++i];
-        break;
       case '--port':
         serverConfig.port = parseInt(args[++i], 10);
         break;
@@ -228,22 +334,19 @@ function parseArgs() {
       case '--open':
         serverConfig.open = true;
         break;
+      case '--config':
+        serverConfig.configFile = args[++i];
+        break;
       case '--api-only':
         serverConfig.apiOnly = true;
         break;
       case '--cors-origin':
         serverConfig.corsOrigin = args[++i];
         break;
-      case '--config':
-        serverConfig.configFile = args[++i];
-        break;
       case '--help':
       case '-h':
-        // Handled in main() function
-        break;
       case '--version':
       case '-v':
-        // Handled in main() function
         break;
       default:
         if (arg.startsWith('--')) {
@@ -254,126 +357,15 @@ function parseArgs() {
     }
   }
-  return { config, serverConfig };
+  return serverConfig;
 }
-/**
- * Load configuration from file
- */
-function loadConfigFile(filePath) {
-  try {
-    if (fs.existsSync(filePath)) {
-      const content = fs.readFileSync(filePath, 'utf8');
-      return JSON.parse(content);
-    }
-  } catch (error) {
-    console.warn(`Warning: Could not load config file ${filePath}:`, error.message);
-  }
-  return null;
-}
+// ---- HTML injection ----
-/**
- * Load configuration from environment variables
- */
-function loadConfigFromEnv() {
-  const envConfig = {};
-  // Map VITE_* environment variables to config keys
-  const envMap = {
-    VITE_API_URL: 'apiUrl',
-    VITE_DEFAULT_KEY: 'defaultKey',
-    VITE_APPLICATION_NAME: 'applicationName',
-    VITE_APPLICATION_DESCRIPTION: 'applicationDescription',
-    VITE_DEFAULT_INPUT_PLACEHOLDER: 'defaultInputPlaceholder',
-    VITE_USE_LOCAL_API: 'useLocalApi',
-    VITE_LOCAL_API_PATH: 'localApiPath',
-    VITE_CONSOLE_DEBUG: 'consoleDebug',
-    VITE_ENABLE_UPLOAD: 'enableUploadButton',
-    VITE_ENABLE_AUDIO_OUTPUT: 'enableAudioOutput',
-    VITE_ENABLE_AUDIO_INPUT: 'enableAudioInput',
-    VITE_ENABLE_FEEDBACK: 'enableFeedbackButtons',
-    VITE_ENABLE_AUTOCOMPLETE: 'enableAutocomplete',
-    VITE_VOICE_SILENCE_TIMEOUT_MS: 'voiceSilenceTimeoutMs',
-    VITE_VOICE_RECOGNITION_LANG: 'voiceRecognitionLanguage',
-    VITE_OUT_OF_SERVICE_MESSAGE: 'outOfServiceMessage',
-    VITE_MAX_FILES_PER_CONVERSATION: 'maxFilesPerConversation',
-    VITE_MAX_FILE_SIZE_MB: 'maxFileSizeMB',
-    VITE_MAX_TOTAL_FILES: 'maxTotalFiles',
-    VITE_MAX_CONVERSATIONS: 'maxConversations',
-    VITE_MAX_MESSAGES_PER_CONVERSATION: 'maxMessagesPerConversation',
-    VITE_MAX_MESSAGES_PER_THREAD: 'maxMessagesPerThread',
-    VITE_MAX_TOTAL_MESSAGES: 'maxTotalMessages',
-    VITE_MAX_MESSAGE_LENGTH: 'maxMessageLength',
-    VITE_SETTINGS_ABOUT_MSG: 'settingsAboutMsg',
-  };
-  for (const [envKey, configKey] of Object.entries(envMap)) {
-    const value = process.env[envKey];
-      if (value !== undefined) {
-        if (configKey === 'useLocalApi' || configKey === 'consoleDebug' ||
-          configKey === 'enableUploadButton' || configKey === 'enableAudioOutput' ||
-          configKey === 'enableAudioInput' || configKey === 'enableFeedbackButtons' || configKey === 'enableAutocomplete') {
-        envConfig[configKey] = value === 'true';
-      } else if (configKey === 'voiceSilenceTimeoutMs') {
-        const parsed = parseInt(value, 10);
-        if (!isNaN(parsed)) {
-          envConfig[configKey] = parsed;
-        }
-      } else if (configKey.includes('max') && configKey !== 'maxFileSizeMB') {
-        const parsed = parseInt(value, 10);
-        if (!isNaN(parsed)) {
-          envConfig[configKey] = parsed;
-        }
-      } else {
-        envConfig[configKey] = value;
-      }
-    }
-  }
-  return envConfig;
-}
-/**
- * Merge configurations in priority order: CLI args > config file > env vars > defaults
- * Note: GitHub stats/owner/repo are not included in runtime config - they're hardcoded
- * and only configurable via build-time env vars for developers who fork.
- */
-function mergeConfig(cliConfig, serverConfig) {
-  // Start with defaults
-  let config = { ...DEFAULT_CONFIG };
-  // Load from environment variables (excluding GitHub config)
-  const envConfig = loadConfigFromEnv();
-  config = { ...config, ...envConfig };
-  // Load from config file (excluding GitHub config)
-  const configDir = path.join(homedir(), '.orbit-chat-app');
-  const defaultConfigFile = path.join(configDir, 'config.json');
-  const configFile = serverConfig.configFile || defaultConfigFile;
-  const fileConfig = loadConfigFile(configFile);
-  if (fileConfig) {
-    // Remove GitHub config from file config if present
-    const { showGitHubStats, githubOwner, githubRepo, ...fileConfigWithoutGitHub } = fileConfig;
-    config = { ...config, ...fileConfigWithoutGitHub };
-  }
-  // CLI arguments override everything (excluding GitHub config)
-  const { showGitHubStats, githubOwner, githubRepo, ...cliConfigWithoutGitHub } = cliConfig;
-  config = { ...config, ...cliConfigWithoutGitHub };
-  return config;
-}
-/**
- * Inject configuration into HTML
- * The config script MUST be placed in <head> BEFORE the main JS module loads,
- * otherwise window.ORBIT_CHAT_CONFIG won't be available when the app initializes.
- */
 function injectConfig(html, config) {
   const configScript = `<script>window.ORBIT_CHAT_CONFIG = ${JSON.stringify(config)};</script>`;
-  // Remove the placeholder script tag (it's in body, too late)
+  // Remove the placeholder script tag
   html = html.replace(
     /<script id="orbit-chat-config" type="application\/json">[\s\S]*?<\/script>/,
     '<!-- Config injected in head -->'
@@ -385,34 +377,86 @@ function injectConfig(html, config) {
       /<title>.*?<\/title>/i,
       `<title>${config.applicationName}</title>`
     );
-    // Also update apple-mobile-web-app-title meta tag
     html = html.replace(
       /<meta name="apple-mobile-web-app-title" content="[^"]*" \/>/i,
       `<meta name="apple-mobile-web-app-title" content="${config.applicationName}" />`
     );
   }
-  // Inject the config script at the START of <head>, before any other scripts
-  // This ensures window.ORBIT_CHAT_CONFIG is available when the main JS bundle loads
+  // Inject the config script at the START of <head>
   return html.replace(
     /<head>/i,
     '<head>\n    ' + configScript
   );
 }
-/**
- * Create Express server
- *
- * @param {string|null} distPath - Path to built UI assets (null in api-only mode)
- * @param {object} config - Merged application config
- * @param {object} serverConfig - Server config (port, host, apiOnly, etc.)
- */
+// ---- Rate limiting ----
+function createRateLimiters(rateLimitConfig) {
+  if (!rateLimitConfig || rateLimitConfig.enabled === false) return null;
+  const windowMs = rateLimitConfig.windowMs || 60000;
+  const maxRequests = rateLimitConfig.maxRequests || 30;
+  const chatWindowMs = rateLimitConfig.chat?.windowMs || 60000;
+  const chatMaxRequests = rateLimitConfig.chat?.maxRequests || 10;
+  const keyGenerator = (req) =>
+    req.ip || req.headers['x-forwarded-for'] || 'unknown';
+  const api = rateLimit({
+    windowMs,
+    max: maxRequests,
+    keyGenerator,
+    standardHeaders: 'draft-7',
+    legacyHeaders: false,
+    validate: { default: true, keyGeneratorIpFallback: false },
+    skip: (req) => req.method === 'OPTIONS' || req.path === '/adapters',
+    handler: (req, res) => {
+      const retryAfterMs = res.getHeader('RateLimit-Reset')
+        ? Number(res.getHeader('RateLimit-Reset')) * 1000
+        : windowMs;
+      res.status(429).json({
+        error: 'Too many requests',
+        message: `Rate limit exceeded. Try again in ${Math.ceil(retryAfterMs / 1000)} seconds.`,
+        retryAfterMs,
+      });
+    },
+  });
+  const chat = rateLimit({
+    windowMs: chatWindowMs,
+    max: chatMaxRequests,
+    keyGenerator,
+    standardHeaders: 'draft-7',
+    legacyHeaders: false,
+    validate: { default: true, keyGeneratorIpFallback: false },
+    handler: (req, res) => {
+      const retryAfterMs = res.getHeader('RateLimit-Reset')
+        ? Number(res.getHeader('RateLimit-Reset')) * 1000
+        : chatWindowMs;
+      res.status(429).json({
+        error: 'Too many requests',
+        message: `Chat rate limit exceeded. Try again in ${Math.ceil(retryAfterMs / 1000)} seconds.`,
+        retryAfterMs,
+      });
+    },
+  });
+  return { api, chat };
+}
+// ---- Express server ----
 function createServer(distPath, config, serverConfig = {}) {
   const app = express();
   const adapters = loadAdaptersConfig();
   const apiOnly = serverConfig.apiOnly || false;
+  const yamlAdapterMetadata = new Map(
+    Array.isArray(config.adapters)
+      ? config.adapters.filter(a => a && a.name).map(a => [a.name, a])
+      : []
+  );
-  // In api-only mode, add CORS middleware so external UIs on other origins can call the API
   if (apiOnly) {
     const allowedOrigin = serverConfig.corsOrigin || '*';
     app.use((req, res, next) => {
@@ -427,10 +471,39 @@ function createServer(distPath, config, serverConfig = {}) {
     });
   }
+  // Guest rate limiting — after CORS, before proxy. Skips authenticated requests.
+  const limiters = createRateLimiters(serverConfig.rateLimit);
+  if (limiters) {
+    app.use('/api', (req, res, next) => {
+      if (req.headers.authorization) return next();
+      limiters.api(req, res, next);
+    });
+    app.use('/api', (req, res, next) => {
+      if (req.headers.authorization) return next();
+      if (req.method === 'POST' && (/\/chat/i.test(req.path) || /\/stream/i.test(req.path))) {
+        return limiters.chat(req, res, next);
+      }
+      next();
+    });
+  }
   // API proxy endpoints - MUST be before body parsers
   if (adapters) {
-    // Pre-create proxy instances for each adapter to avoid memory leaks
-    // Creating proxies on every request adds event listeners that accumulate
+    // Merge adapter metadata from YAML so UI labels/notes are consistent with dev mode.
+    for (const [adapterName, adapter] of Object.entries(adapters)) {
+      const metadata = yamlAdapterMetadata.get(adapterName);
+      if (!metadata) continue;
+      if (!adapter.description && metadata.description) {
+        adapter.description = metadata.description;
+      }
+      if (!adapter.notes && metadata.notes) {
+        adapter.notes = metadata.notes;
+      }
+      if (!adapter.apiUrl && metadata.apiUrl) {
+        adapter.apiUrl = metadata.apiUrl;
+      }
+    }
     const proxyInstances = {};
     for (const [adapterName, adapter] of Object.entries(adapters)) {
       if (!adapter.apiKey || !adapter.apiUrl) {
@@ -440,33 +513,26 @@ function createServer(distPath, config, serverConfig = {}) {
       proxyInstances[adapterName] = createProxyMiddleware({
         target: adapter.apiUrl,
         changeOrigin: true,
-        // Restore /api prefix for backend paths that need it (files, threads)
         pathRewrite: (path) => {
           if (path.startsWith('/files') || path.startsWith('/threads')) {
             return '/api' + path;
           }
           return path;
         },
-        // Set headers directly - this is more reliable than onProxyReq for some cases
         headers: {
           'X-API-Key': adapter.apiKey,
         },
-        // Critical for SSE streaming - disable response buffering
         selfHandleResponse: false,
         onProxyReq: (proxyReq, req) => {
-          // Remove adapter name header
           proxyReq.removeHeader('x-adapter-name');
-          // Ensure API key is set (backup to headers option above)
           proxyReq.setHeader('X-API-Key', adapter.apiKey);
-          // Preserve important headers
-          const headersToPreserve = ['content-type', 'x-session-id', 'x-thread-id', 'accept', 'content-length'];
+          const headersToPreserve = ['content-type', 'x-session-id', 'x-thread-id', 'accept', 'content-length', 'authorization'];
           headersToPreserve.forEach(header => {
             const value = req.headers[header];
             if (value) {
               proxyReq.setHeader(header, value);
             }
           });
-          // Copy all other headers
           Object.keys(req.headers).forEach(key => {
             const lowerKey = key.toLowerCase();
             if (!['x-adapter-name', 'host', 'connection', 'transfer-encoding'].includes(lowerKey)) {
@@ -478,18 +544,14 @@ function createServer(distPath, config, serverConfig = {}) {
           });
         },
         onProxyRes: (proxyRes, req, res) => {
-          // Handle CORS if needed
           proxyRes.headers['access-control-allow-origin'] = '*';
           proxyRes.headers['access-control-allow-methods'] = 'GET, POST, PUT, DELETE, OPTIONS';
           proxyRes.headers['access-control-allow-headers'] = 'Content-Type, X-API-Key, X-Session-ID, X-Thread-ID, X-Adapter-Name';
-          // Critical for SSE streaming - disable buffering
           const contentType = proxyRes.headers['content-type'] || '';
           if (contentType.includes('text/event-stream')) {
-            // Disable caching and buffering for SSE
             proxyRes.headers['cache-control'] = 'no-cache';
             proxyRes.headers['x-accel-buffering'] = 'no';
-            // Flush response immediately
             if (res.flushHeaders) {
               res.flushHeaders();
             }
@@ -501,12 +563,11 @@ function createServer(distPath, config, serverConfig = {}) {
             res.status(500).json({ error: 'Proxy error', message: err.message });
           }
         },
-        ws: false, // Disable WebSocket proxying
-        logLevel: 'silent', // Reduce logging
+        ws: false,
+        logLevel: 'silent',
       });
     }
-    // Endpoint to list available adapters (only expose names, not URLs or keys)
     app.get('/api/adapters', (req, res) => {
       const adapterList = Object.keys(adapters).map(name => ({
         name,
@@ -516,10 +577,7 @@ function createServer(distPath, config, serverConfig = {}) {
       res.json({ adapters: adapterList });
     });
-    // Proxy middleware for API requests - must be before body parsers to preserve request stream
-    // Note: Uses /api path instead of /api/proxy for security (hides proxy nature)
     app.use('/api', (req, res, next) => {
-      // Skip the /api/adapters route - it's handled separately above
       if (req.path === '/adapters') {
         return next('route');
       }
@@ -539,14 +597,10 @@ function createServer(distPath, config, serverConfig = {}) {
     });
   }
-  // Middleware for parsing JSON - after proxy routes to preserve request body stream
   app.use(express.json());
   app.use(express.urlencoded({ extended: true }));
-  // --- UI serving (skipped in api-only mode) ---
   if (!apiOnly && distPath) {
-    // IMPORTANT: Handle index.html BEFORE express.static to inject runtime config
-    // express.static would serve the file without config injection otherwise
     app.get(['/', '/index.html'], (req, res) => {
       try {
         const indexPath = path.join(distPath, 'index.html');
@@ -560,24 +614,15 @@ function createServer(distPath, config, serverConfig = {}) {
       }
     });
-    // Serve static files (JS, CSS, images, etc.) - index.html is handled above
-    app.use(express.static(distPath, {
-      index: false, // Don't serve index.html automatically - we handle it above
-    }));
+    app.use(express.static(distPath, { index: false }));
-    // SPA fallback - serve index.html for all non-file routes (client-side routing)
     app.get('/{*splat}', (req, res, next) => {
-      // Skip API routes
       if (req.path.startsWith('/api/')) {
         return next();
       }
-      // Skip requests for files with extensions (let them 404)
       if (path.extname(req.path)) {
         return res.status(404).send('Not Found');
       }
-      // Serve index.html for SPA routes
       try {
         const indexPath = path.join(distPath, 'index.html');
         let content = fs.readFileSync(indexPath, 'utf8');
@@ -594,173 +639,104 @@ function createServer(distPath, config, serverConfig = {}) {
   return app;
 }
-/**
- * Get MIME type for file extension
- */
-function getMimeType(filePath) {
-  const ext = path.extname(filePath).toLowerCase();
-  const mimeTypes = {
-    '.html': 'text/html',
-    '.js': 'application/javascript',
-    '.mjs': 'application/javascript',
-    '.json': 'application/json',
-    '.css': 'text/css',
-    '.png': 'image/png',
-    '.jpg': 'image/jpeg',
-    '.jpeg': 'image/jpeg',
-    '.gif': 'image/gif',
-    '.svg': 'image/svg+xml',
-    '.ico': 'image/x-icon',
-    '.woff': 'font/woff',
-    '.woff2': 'font/woff2',
-    '.ttf': 'font/ttf',
-    '.eot': 'application/vnd.ms-fontobject',
-  };
-  return mimeTypes[ext] || 'application/octet-stream';
-}
+// ---- Utilities ----
-/**
- * Open browser
- */
 function openBrowser(url) {
   const platform = process.platform;
   let command;
-  if (platform === 'darwin') {
-    command = `open "${url}"`;
-  } else if (platform === 'linux') {
-    command = `xdg-open "${url}"`;
-  } else if (platform === 'win32') {
-    command = `start "${url}"`;
-  } else {
-    return;
-  }
+  if (platform === 'darwin') command = `open "${url}"`;
+  else if (platform === 'linux') command = `xdg-open "${url}"`;
+  else if (platform === 'win32') command = `start "${url}"`;
+  else return;
-  try {
-    execSync(command, { stdio: 'ignore' });
-  } catch (error) {
-    // Ignore errors
-  }
+  try { execSync(command, { stdio: 'ignore' }); } catch { /* ignore */ }
 }
-/**
- * Get version from package.json
- */
 function getVersion() {
   try {
     const packagePath = path.join(__dirname, '..', 'package.json');
     const packageContent = fs.readFileSync(packagePath, 'utf8');
-    const packageJson = JSON.parse(packageContent);
-    return packageJson.version || 'unknown';
-  } catch (error) {
-    return 'unknown';
-  }
-}
-/**
- * Print version
- */
-function printVersion() {
-  console.log(getVersion());
+    return JSON.parse(packageContent).version || 'unknown';
+  } catch { return 'unknown'; }
 }
-/**
- * Print help message
- */
 function printHelp() {
   console.log(`
 ORBIT Chat CLI
 Usage: orbitchat [options]
+All application settings are configured in orbitchat.yaml (see orbitchat.yaml.example).
+Secrets (adapter API keys) go in VITE_ADAPTERS / ORBIT_ADAPTERS env var.
 Options:
-  --api-url URL                    API URL (default: http://localhost:3000)
-  --default-adapter NAME           Default adapter to preselect (middleware mode)
-  --api-key KEY                    Default API key (default: default-key)
-  --application-name NAME          Application name shown in browser tab (default: ORBIT Chat)
-  --application-description TEXT   Subtitle shown under the welcome heading
-  --default-input-placeholder TEXT Message input placeholder text (default: Message ORBIT...)
-  --use-local-api                  Use local API build (default: false)
-  --local-api-path PATH            Path to local API
-  --console-debug                  Enable console debug (default: false)
-  --enable-upload                  Enable upload button (default: false)
-  --enable-audio                   Enable audio output button (default: false)
-  --enable-audio-input             Enable microphone input button (default: false)
-  --enable-feedback                Enable feedback buttons (default: false)
-  --enable-autocomplete            Enable autocomplete suggestions (default: false)
-  --voice-silence-timeout-ms N     Auto-stop voice capture after N ms of silence (default: 4000)
-  --voice-recognition-lang LANG    BCP-47 language code for speech recognition (default: browser locale)
-  --enable-api-middleware          Ignored (middleware mode is always enabled)
-  --out-of-service-message TEXT    Show maintenance screen blocking access
-  --max-files-per-conversation N   Max files per conversation (default: 5)
-  --max-file-size-mb N             Max file size in MB (default: 50)
-  --max-total-files N              Max total files (default: 100, 0 = unlimited)
-  --max-conversations N            Max conversations (default: 10, 0 = unlimited)
-  --max-messages-per-conversation N Max messages per conversation (default: 1000, 0 = unlimited)
-  --max-messages-per-thread N      Max messages per thread (default: 1000, 0 = unlimited)
-  --max-total-messages N           Max total messages (default: 10000, 0 = unlimited)
-  --max-message-length N           Max message length (default: 1000)
-  --settings-about-msg TEXT        About message in settings page (default: ORBIT Chat)
-  --port PORT                      Server port (default: 5173)
-  --host HOST                      Server host (default: localhost)
-  --open                           Open browser automatically
-  --api-only                       Run API proxy only (no UI serving, no build required)
-  --cors-origin ORIGIN             Allowed CORS origin in api-only mode (default: *)
-  --config PATH                    Path to config file (default: ~/.orbit-chat-app/config.json)
-  --help, -h                       Show this help message
-  --version, -v                    Show version number
-Configuration Priority:
-  1. CLI arguments
-  2. Config file (~/.orbit-chat-app/config.json)
-  3. Environment variables (VITE_*)
-  4. Default values
-Environment Variables for Middleware Mode:
-  ORBIT_ADAPTERS or VITE_ADAPTERS   JSON array of adapter configurations
-                                    Example: '[{"name":"Chat","apiKey":"key1","apiUrl":"https://api.example.com"}]'
+  --port PORT        Server port (default: 5173)
+  --host HOST        Server host (default: localhost)
+  --open             Open browser automatically
+  --config PATH      Path to orbitchat.yaml (default: ./orbitchat.yaml)
+  --api-only         Run API proxy only (no UI serving)
+  --cors-origin URL  Allowed CORS origin in api-only mode (default: *)
+  --help, -h         Show this help message
+  --version, -v      Show version number
+Environment Variables:
+  ORBIT_ADAPTERS or VITE_ADAPTERS   JSON array of adapter configurations (secrets)
+    Example: '[{"name":"Chat","apiKey":"key1","apiUrl":"https://api.example.com"}]'
 Examples:
-  orbitchat --api-url http://localhost:3000 --port 8080
-  orbitchat --api-key my-key --open
-  orbitchat --enable-audio --enable-audio-input --enable-upload --console-debug
-  orbitchat --config /path/to/config.json
-  ORBIT_ADAPTERS='[{"name":"Chat","apiKey":"mykey","apiUrl":"https://api.example.com"}]' orbitchat
-  orbitchat --api-only --port 5174
+  orbitchat --port 8080
+  orbitchat --config /path/to/orbitchat.yaml --open
   orbitchat --api-only --cors-origin http://localhost:3001
 `);
 }
-/**
- * Main function
- */
+// ---- Main ----
 function main() {
-  // Check for version flag first
   if (process.argv.includes('--version') || process.argv.includes('-v')) {
-    printVersion();
+    console.log(getVersion());
     return;
   }
-  // Check for help flag
   if (process.argv.includes('--help') || process.argv.includes('-h')) {
     printHelp();
     return;
   }
-  const { config: cliConfig, serverConfig } = parseArgs();
-  const config = mergeConfig(cliConfig, serverConfig);
+  const serverConfig = parseArgs();
+  loadDotEnv(process.cwd());
+  // Load YAML config
+  const yamlPath = serverConfig.configFile || path.join(process.cwd(), 'orbitchat.yaml');
+  const yamlObj = loadYamlConfig(yamlPath);
+  const yamlFlat = yamlObj ? flattenYamlConfig(yamlObj) : {};
+  if (yamlObj) {
+    console.debug(`Loaded config from ${yamlPath}`);
+  }
+  // Merge: DEFAULTS < YAML config < auth secrets from env
+  const config = { ...DEFAULTS, ...yamlFlat };
+  // Auth secrets from env
+  if (process.env.VITE_AUTH_DOMAIN) config.authDomain = process.env.VITE_AUTH_DOMAIN;
+  if (process.env.VITE_AUTH_CLIENT_ID) config.authClientId = process.env.VITE_AUTH_CLIENT_ID;
+  if (process.env.VITE_AUTH_AUDIENCE) config.authAudience = process.env.VITE_AUTH_AUDIENCE;
+  // Default adapter fallback
   const trimmedDefaultKey = (config.defaultKey || '').trim();
-  if (!trimmedDefaultKey || trimmedDefaultKey === DEFAULT_CONFIG.defaultKey) {
+  if (!trimmedDefaultKey || trimmedDefaultKey === DEFAULTS.defaultKey) {
     const fallbackAdapter = getDefaultAdapterFromEnv();
     if (fallbackAdapter) {
       config.defaultKey = fallbackAdapter;
-      console.debug(`ℹ️ Using '${fallbackAdapter}' as the default adapter (first entry from VITE_ADAPTERS).`);
     }
   }
-  // Find dist directory (not required in api-only mode)
+  // Guest rate limiting (server-only, never sent to browser)
+  if (yamlObj && yamlObj.guestLimits?.rateLimit) {
+    serverConfig.rateLimit = yamlObj.guestLimits.rateLimit;
+  }
+  // Find dist directory
   const distPath = path.join(__dirname, '..', 'dist');
   if (!serverConfig.apiOnly && !fs.existsSync(distPath)) {
@@ -768,7 +744,6 @@ function main() {
     process.exit(1);
   }
-  // Create and start server
   const app = createServer(
     serverConfig.apiOnly ? null : distPath,
     config,
@@ -785,9 +760,15 @@ function main() {
     console.debug('Configuration:');
     console.debug(`  Mode: ${serverConfig.apiOnly ? 'API-only (no UI)' : 'Full (API + UI)'}`);
     console.debug(`  API URL: ${config.apiUrl}`);
-    console.debug(`  Default Key/Adapter: ${config.defaultKey || '(not set)'}`);
+    console.debug(`  Default Adapter: ${config.defaultKey || '(not set)'}`);
     console.debug(`  Port: ${serverConfig.port}`);
     console.debug(`  Host: ${serverConfig.host}`);
+    if (yamlObj) {
+      console.debug(`  Config: ${yamlPath}`);
+    }
+    if (serverConfig.rateLimit && serverConfig.rateLimit.enabled !== false) {
+      console.debug(`  Guest Rate Limiting: enabled (${serverConfig.rateLimit.maxRequests || 30} req/${(serverConfig.rateLimit.windowMs || 60000) / 1000}s, chat: ${serverConfig.rateLimit.chat?.maxRequests || 10} req/${(serverConfig.rateLimit.chat?.windowMs || 60000) / 1000}s)`);
+    }
     const startupAdapters = loadAdaptersConfig();
     if (startupAdapters) {
       console.debug(`  Available Adapters: ${Object.keys(startupAdapters).join(', ')}`);
@@ -795,21 +776,19 @@ function main() {
       console.debug(`  Warning: No adapters configured. Set ORBIT_ADAPTERS or VITE_ADAPTERS environment variable.`);
     }
     console.debug('');
     if (serverConfig.open) {
       openBrowser(url);
     }
   });
-  // Handle graceful shutdown
   process.on('SIGINT', () => {
     console.debug('\n\nShutting down server...');
     process.exit(0);
   });
 }
-// Run if called directly (ES module equivalent of require.main === module)
-// For ES modules, we check if this file is being executed directly
+// Run if called directly
 const isMainModule = process.argv[1] && (
   import.meta.url === `file://${process.argv[1]}` ||
   import.meta.url.endsWith(process.argv[1].replace(/\\/g, '/')) ||
@@ -821,4 +800,4 @@ if (isMainModule) {
   main();
 }
-export { main, parseArgs, mergeConfig, createServer, loadAdaptersConfig };
+export { main, createServer, loadAdaptersConfig };