universal-chatbot-saas 1.0.0

package/server/index.js

@@ -0,0 +1,2331 @@
+const express = require("express");
+const cors = require("cors");
+const fs = require("fs");
+const path = require("path");
+const dotenv = require("dotenv");
+const sql = require("mssql");
+const crypto = require("crypto");
+
+dotenv.config();
+
+const app = express();
+const port = Number(process.env.PORT || 8787);
+const defaultSystemPrompt = process.env.DEFAULT_SYSTEM_PROMPT || "You are a helpful assistant.";
+const defaultProvider = (process.env.DEFAULT_PROVIDER || "claude").toLowerCase();
+const enforceOriginLock = String(process.env.ENFORCE_ORIGIN_LOCK || "true").toLowerCase() === "true";
+const rateLimitWindowMs = Math.max(Number(process.env.RATE_LIMIT_WINDOW_MS || 60000), 1000);
+const rateLimitMaxRequests = Math.max(Number(process.env.RATE_LIMIT_MAX_REQUESTS || 20), 1);
+const knowledgeSnippetLimit = Math.max(Number(process.env.KNOWLEDGE_SNIPPET_LIMIT || 4), 1);
+const knowledgeContextCharLimit = Math.max(Number(process.env.KNOWLEDGE_CONTEXT_CHAR_LIMIT || 2400), 400);
+const groqGuardModel = String(process.env.GROQ_GUARD_MODEL || "meta-llama/llama-prompt-guard-2-86m").trim();
+const enableGroqPromptGuard = String(process.env.ENABLE_GROQ_PROMPT_GUARD || "true").toLowerCase() === "true";
+const adminPortalUsername = String(process.env.ADMIN_PORTAL_USERNAME || "admin").trim() || "admin";
+const adminPortalPassword = String(process.env.ADMIN_PORTAL_PASSWORD || "").trim();
+const portalSessionTtlMs = Math.max(Number(process.env.PORTAL_SESSION_TTL_MS || 8 * 60 * 60 * 1000), 5 * 60 * 1000);
+const enableChatHistoryStorage = String(process.env.ENABLE_CHAT_HISTORY_STORAGE || "true").toLowerCase() !== "false";
+const mssqlEnabled = String(process.env.MSSQL_ENABLED || "false").toLowerCase() === "true";
+const mssqlInstanceName = String(process.env.MSSQL_INSTANCE || "").trim();
+const mssqlPortValue = String(process.env.MSSQL_PORT || "").trim();
+const mssqlConfig = {
+  server: String(process.env.MSSQL_SERVER || "").trim(),
+  ...(mssqlPortValue ? { port: Number(mssqlPortValue) } : {}),
+  user: String(process.env.MSSQL_USER || "").trim(),
+  password: String(process.env.MSSQL_PASSWORD || "").trim(),
+  database: String(process.env.MSSQL_DATABASE || "").trim(),
+  options: {
+    encrypt: String(process.env.MSSQL_ENCRYPT || "true").toLowerCase() === "true",
+    trustServerCertificate: String(process.env.MSSQL_TRUST_SERVER_CERT || "true").toLowerCase() === "true",
+    ...(mssqlInstanceName ? { instanceName: mssqlInstanceName } : {})
+  },
+  pool: {
+    max: Math.max(Number(process.env.MSSQL_POOL_MAX || 10), 1),
+    min: 0,
+    idleTimeoutMillis: 30000
+  }
+};
+
+let mssqlPoolPromise = null;
+let mssqlReadyPromise = null;
+const portalSessions = new Map();
+
+function hashPassword(password) {
+  return crypto.createHash("sha256").update(String(password || "")).digest("hex");
+}
+
+function parseCookies(req) {
+  const raw = String(req.headers?.cookie || "");
+  const out = {};
+  raw.split(";").forEach((part) => {
+    const index = part.indexOf("=");
+    if (index <= 0) {
+      return;
+    }
+    const key = part.slice(0, index).trim();
+    const value = part.slice(index + 1).trim();
+    if (!key) {
+      return;
+    }
+    out[key] = decodeURIComponent(value);
+  });
+  return out;
+}
+
+function createPortalSession(user) {
+  const token = crypto.randomBytes(32).toString("hex");
+  portalSessions.set(token, {
+    userId: user.id,
+    username: user.username,
+    expiresAt: Date.now() + portalSessionTtlMs
+  });
+  return token;
+}
+
+function getPortalSession(req) {
+  const cookies = parseCookies(req);
+  const token = String(cookies.portal_auth || "").trim();
+  if (!token) {
+    return null;
+  }
+  const session = portalSessions.get(token);
+  if (!session) {
+    return null;
+  }
+  if (session.expiresAt <= Date.now()) {
+    portalSessions.delete(token);
+    return null;
+  }
+  return { token, ...session };
+}
+
+function clearPortalSession(res, token) {
+  if (token) {
+    portalSessions.delete(token);
+  }
+  res.setHeader("Set-Cookie", "portal_auth=; HttpOnly; Path=/; SameSite=Lax; Max-Age=0");
+}
+
+async function ensurePortalUserTables() {
+  if (!isMssqlConfigured()) {
+    return;
+  }
+  await ensureMssqlTables();
+  const pool = await getMssqlPool();
+  if (!pool) {
+    return;
+  }
+
+  await pool.request().query(`
+    IF OBJECT_ID('dbo.tblUsers', 'U') IS NULL
+    BEGIN
+      CREATE TABLE dbo.tblUsers (
+        id INT IDENTITY(1,1) PRIMARY KEY,
+        username NVARCHAR(120) NOT NULL UNIQUE,
+        password_hash NVARCHAR(255) NOT NULL,
+        is_active BIT NOT NULL CONSTRAINT DF_tblUsers_is_active DEFAULT(1),
+        created_at DATETIME2 NOT NULL CONSTRAINT DF_tblUsers_created_at DEFAULT(SYSUTCDATETIME()),
+        updated_at DATETIME2 NOT NULL CONSTRAINT DF_tblUsers_updated_at DEFAULT(SYSUTCDATETIME())
+      );
+    END
+
+    IF OBJECT_ID('dbo.tblBotUsers', 'U') IS NULL
+    BEGIN
+      CREATE TABLE dbo.tblBotUsers (
+        bot_id NVARCHAR(120) NOT NULL,
+        user_id INT NOT NULL,
+        created_at DATETIME2 NOT NULL CONSTRAINT DF_tblBotUsers_created_at DEFAULT(SYSUTCDATETIME()),
+        CONSTRAINT PK_tblBotUsers PRIMARY KEY (bot_id, user_id),
+        CONSTRAINT FK_tblBotUsers_bot FOREIGN KEY (bot_id) REFERENCES dbo.tblBots(id) ON DELETE CASCADE,
+        CONSTRAINT FK_tblBotUsers_user FOREIGN KEY (user_id) REFERENCES dbo.tblUsers(id) ON DELETE CASCADE
+      );
+      CREATE INDEX IX_tblBotUsers_user_id ON dbo.tblBotUsers(user_id);
+    END
+  `);
+
+  if (adminPortalUsername && adminPortalPassword) {
+    const passwordHash = hashPassword(adminPortalPassword);
+    await pool.request()
+      .input("username", sql.NVarChar(120), adminPortalUsername)
+      .input("passwordHash", sql.NVarChar(255), passwordHash)
+      .query(`
+        MERGE dbo.tblUsers AS target
+        USING (SELECT @username AS username) AS source
+        ON target.username = source.username
+        WHEN MATCHED THEN
+          UPDATE SET password_hash = @passwordHash,
+                     is_active = 1,
+                     updated_at = SYSUTCDATETIME()
+        WHEN NOT MATCHED THEN
+          INSERT (username, password_hash, is_active, created_at, updated_at)
+          VALUES (@username, @passwordHash, 1, SYSUTCDATETIME(), SYSUTCDATETIME());
+      `);
+
+    await pool.request()
+      .input("username", sql.NVarChar(120), adminPortalUsername)
+      .query(`
+        INSERT INTO dbo.tblBotUsers (bot_id, user_id)
+        SELECT b.id, u.id
+        FROM dbo.tblBots b
+        CROSS JOIN dbo.tblUsers u
+        WHERE u.username = @username
+          AND NOT EXISTS (
+            SELECT 1
+            FROM dbo.tblBotUsers bu
+            WHERE bu.bot_id = b.id AND bu.user_id = u.id
+          );
+      `);
+  }
+}
+
+async function findPortalUserByCredentials(username, password) {
+  if (!isMssqlConfigured()) {
+    return null;
+  }
+  await ensurePortalUserTables();
+  const pool = await getMssqlPool();
+  if (!pool) {
+    return null;
+  }
+  const result = await pool.request()
+    .input("username", sql.NVarChar(120), String(username || "").trim())
+    .input("passwordHash", sql.NVarChar(255), hashPassword(password))
+    .query(`
+      SELECT TOP 1 id, username, is_active
+      FROM dbo.tblUsers
+      WHERE username = @username
+        AND password_hash = @passwordHash
+    `);
+  const user = result.recordset?.[0];
+  if (!user || !(Number(user.is_active) === 1 || user.is_active === true)) {
+    return null;
+  }
+  return {
+    id: Number(user.id),
+    username: String(user.username || "").trim()
+  };
+}
+
+async function canPortalUserAccessBot(userId, botId) {
+  if (!isMssqlConfigured()) {
+    return false;
+  }
+  await ensurePortalUserTables();
+  const pool = await getMssqlPool();
+  if (!pool) {
+    return false;
+  }
+  const result = await pool.request()
+    .input("userId", sql.Int, Number(userId))
+    .input("botId", sql.NVarChar(120), String(botId || "").trim())
+    .query(`
+      SELECT TOP 1 1 AS ok
+      FROM dbo.tblBotUsers bu
+      INNER JOIN dbo.tblBots b ON b.id = bu.bot_id
+      WHERE bu.user_id = @userId
+        AND bu.bot_id = @botId
+        AND b.is_active = 1
+    `);
+  return Boolean(result.recordset?.length);
+}
+
+function safeParseJson(value, fallback) {
+  if (!value) {
+    return fallback;
+  }
+  try {
+    return JSON.parse(value);
+  } catch {
+    return fallback;
+  }
+}
+
+function resolveFilePath(filePath) {
+  if (!filePath) {
+    return "";
+  }
+
+  if (path.isAbsolute(filePath)) {
+    return filePath;
+  }
+
+  return path.resolve(process.cwd(), filePath);
+}
+
+function readJsonFile(filePath, fallback) {
+  const resolvedPath = resolveFilePath(filePath);
+  if (!resolvedPath || !fs.existsSync(resolvedPath)) {
+    return fallback;
+  }
+
+  try {
+    const raw = fs.readFileSync(resolvedPath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    return fallback;
+  }
+}
+
+function isMssqlConfigured() {
+  return Boolean(mssqlEnabled && mssqlConfig.server && mssqlConfig.user && mssqlConfig.database);
+}
+
+async function getMssqlPool() {
+  if (!isMssqlConfigured()) {
+    return null;
+  }
+
+  if (!mssqlPoolPromise) {
+    mssqlPoolPromise = new sql.ConnectionPool(mssqlConfig)
+      .connect()
+      .catch((error) => {
+        mssqlPoolPromise = null;
+        throw error;
+      });
+  }
+
+  return mssqlPoolPromise;
+}
+
+async function ensureMssqlTables() {
+  if (!isMssqlConfigured()) {
+    return false;
+  }
+
+  if (!mssqlReadyPromise) {
+    mssqlReadyPromise = (async () => {
+      const pool = await getMssqlPool();
+      if (!pool) {
+        return false;
+      }
+
+      // Migration: Drop old table names if they exist
+      try {
+        await pool.request().query(`
+          IF OBJECT_ID('dbo.chatbot_knowledge', 'U') IS NOT NULL
+          BEGIN
+            DROP TABLE dbo.chatbot_knowledge;
+          END
+          
+          IF OBJECT_ID('dbo.chatbot_bots', 'U') IS NOT NULL
+          BEGIN
+            DROP TABLE dbo.chatbot_bots;
+          END
+        `);
+      } catch (err) {
+        // Ignore migration errors if old tables don't exist
+      }
+
+      await pool.request().query(`
+        IF OBJECT_ID('dbo.tblBots', 'U') IS NULL
+        BEGIN
+          CREATE TABLE dbo.tblBots (
+            id NVARCHAR(120) PRIMARY KEY,
+            api_key NVARCHAR(255) NOT NULL,
+            name NVARCHAR(255) NOT NULL,
+            description NVARCHAR(MAX) NULL,
+            provider NVARCHAR(64) NOT NULL,
+            model NVARCHAR(255) NULL,
+            guard_model NVARCHAR(255) NULL,
+            enable_guard BIT NOT NULL CONSTRAINT DF_tblBots_enable_guard DEFAULT(1),
+            is_active BIT NOT NULL CONSTRAINT DF_tblBots_is_active DEFAULT(1),
+            system_prompt NVARCHAR(MAX) NULL,
+            created_at DATETIME2 NOT NULL CONSTRAINT DF_tblBots_created_at DEFAULT(SYSUTCDATETIME()),
+            updated_at DATETIME2 NOT NULL CONSTRAINT DF_tblBots_updated_at DEFAULT(SYSUTCDATETIME())
+          );
+        END
+
+        IF COL_LENGTH('dbo.tblBots', 'is_active') IS NULL
+        BEGIN
+          ALTER TABLE dbo.tblBots
+          ADD is_active BIT NOT NULL CONSTRAINT DF_tblBots_is_active DEFAULT(1) WITH VALUES;
+        END
+
+        IF OBJECT_ID('dbo.tblKnowledge', 'U') IS NULL
+        BEGIN
+          CREATE TABLE dbo.tblKnowledge (
+            id INT IDENTITY(1,1) PRIMARY KEY,
+            bot_id NVARCHAR(120) NOT NULL,
+            keyword NVARCHAR(255) NULL,
+            title NVARCHAR(255) NULL,
+            content NVARCHAR(MAX) NOT NULL,
+            tags_json NVARCHAR(MAX) NULL,
+            source NVARCHAR(80) NULL,
+            is_active BIT NOT NULL CONSTRAINT DF_tblKnowledge_is_active DEFAULT(1),
+            created_at DATETIME2 NOT NULL CONSTRAINT DF_tblKnowledge_created_at DEFAULT(SYSUTCDATETIME()),
+            updated_at DATETIME2 NOT NULL CONSTRAINT DF_tblKnowledge_updated_at DEFAULT(SYSUTCDATETIME()),
+            CONSTRAINT FK_tblKnowledge_bot FOREIGN KEY (bot_id) REFERENCES dbo.tblBots(id) ON DELETE CASCADE
+          );
+
+          CREATE INDEX IX_tblKnowledge_bot_id ON dbo.tblKnowledge (bot_id);
+        END
+
+        IF OBJECT_ID('dbo.tblChatHistory', 'U') IS NULL
+        BEGIN
+          CREATE TABLE dbo.tblChatHistory (
+            id BIGINT IDENTITY(1,1) PRIMARY KEY,
+            request_id NVARCHAR(64) NOT NULL UNIQUE,
+            session_id NVARCHAR(160) NULL,
+            bot_id NVARCHAR(120) NOT NULL,
+            website_id NVARCHAR(255) NULL,
+            site_key NVARCHAR(255) NULL,
+            site_name NVARCHAR(255) NULL,
+            site_url NVARCHAR(2048) NULL,
+            page_url NVARCHAR(MAX) NULL,
+            page_origin NVARCHAR(255) NULL,
+            referrer NVARCHAR(MAX) NULL,
+            provider NVARCHAR(64) NULL,
+            model NVARCHAR(255) NULL,
+            user_handle NVARCHAR(120) NULL,
+            tenant_id NVARCHAR(120) NULL,
+            widget_user_id NVARCHAR(120) NULL,
+            client_ip NVARCHAR(128) NULL,
+            user_agent NVARCHAR(512) NULL,
+            request_messages_json NVARCHAR(MAX) NOT NULL,
+            latest_user_message NVARCHAR(MAX) NULL,
+            knowledge_context NVARCHAR(MAX) NULL,
+            system_prompt NVARCHAR(MAX) NULL,
+            assistant_response NVARCHAR(MAX) NULL,
+            response_status NVARCHAR(40) NOT NULL CONSTRAINT DF_tblChatHistory_response_status DEFAULT('started'),
+            error_message NVARCHAR(MAX) NULL,
+            started_at DATETIME2 NOT NULL CONSTRAINT DF_tblChatHistory_started_at DEFAULT(SYSUTCDATETIME()),
+            completed_at DATETIME2 NULL,
+            duration_ms INT NULL,
+            CONSTRAINT FK_tblChatHistory_bot FOREIGN KEY (bot_id) REFERENCES dbo.tblBots(id) ON DELETE CASCADE
+          );
+
+          CREATE INDEX IX_tblChatHistory_bot_started ON dbo.tblChatHistory (bot_id, started_at DESC);
+          CREATE INDEX IX_tblChatHistory_session_started ON dbo.tblChatHistory (session_id, started_at DESC);
+          CREATE INDEX IX_tblChatHistory_website_started ON dbo.tblChatHistory (website_id, started_at DESC);
+        END
+      `);
+
+      return true;
+    })().catch((error) => {
+      mssqlReadyPromise = null;
+      throw error;
+    });
+  }
+
+  return mssqlReadyPromise;
+}
+
+async function ensureMssqlKnowledgeTable() {
+  return ensureMssqlTables();
+}
+
+function normalizeTags(tags) {
+  if (Array.isArray(tags)) {
+    return tags.map((tag) => String(tag || "").trim()).filter(Boolean);
+  }
+  if (typeof tags === "string" && tags.trim()) {
+    return tags.split(",").map((tag) => tag.trim()).filter(Boolean);
+  }
+  return [];
+}
+
+function mapDbKnowledgeRow(row) {
+  const tags = safeParseJson(row.tags_json, normalizeTags(row.tags_json));
+  return {
+    id: row.id,
+    botId: String(row.bot_id || "").trim(),
+    keyword: String(row.keyword || row.title || "Knowledge").trim() || "Knowledge",
+    title: String(row.title || row.keyword || "Knowledge").trim() || "Knowledge",
+    content: String(row.content || "").trim(),
+    answer: String(row.content || "").trim(),
+    tags: Array.isArray(tags) ? tags : [],
+    source: String(row.source || "mssql").trim() || "mssql",
+    updatedAt: row.updated_at
+  };
+}
+
+async function getKnowledgeFromMssql(filters) {
+  if (!isMssqlConfigured()) {
+    return [];
+  }
+
+  await ensureMssqlKnowledgeTable();
+  const pool = await getMssqlPool();
+  if (!pool) {
+    return [];
+  }
+
+  const request = pool.request();
+  const where = ["is_active = 1"];
+  const botId = String(filters?.botId || "").trim();
+
+  if (botId) {
+    where.push("bot_id = @botId");
+    request.input("botId", sql.NVarChar(120), botId);
+  }
+
+  const result = await request.query(`
+    SELECT id, bot_id, keyword, title, content, tags_json, source, is_active, created_at, updated_at
+    FROM dbo.tblKnowledge
+    WHERE ${where.join(" AND ")}
+    ORDER BY updated_at DESC, id DESC
+  `);
+
+  return (result.recordset || []).map(mapDbKnowledgeRow);
+}
+
+
+
+function toNormalizedString(value) {
+  return String(value || "").trim().toLowerCase();
+}
+
+
+
+function truncateText(value, maxLength) {
+  const text = String(value || "").trim();
+  if (text.length <= maxLength) {
+    return text;
+  }
+
+  return `${text.slice(0, Math.max(maxLength - 1, 1)).trimEnd()}…`;
+}
+
+
+
+
+
+// ============================================================================
+// BOT MANAGEMENT: Per-bot configuration, API keys, and settings
+// ============================================================================
+
+
+
+function mapDbBotRow(row) {
+  return {
+    id: String(row.id || "").trim(),
+    apiKey: String(row.api_key || "").trim(),
+    name: String(row.name || row.id || "Unnamed").trim(),
+    description: String(row.description || "").trim(),
+    provider: String(row.provider || defaultProvider).toLowerCase().trim(),
+    model: String(row.model || "").trim(),
+    guardModel: String(row.guard_model || groqGuardModel).trim(),
+    enableGuard: Number(row.enable_guard) === 1 || row.enable_guard === true,
+    isActive: Number(row.is_active) === 1 || row.is_active === true,
+    systemPrompt: String(row.system_prompt || defaultSystemPrompt).trim(),
+    knowledge: [],
+    createdAt: String(row.created_at || new Date().toISOString()).trim(),
+    updatedAt: String(row.updated_at || new Date().toISOString()).trim()
+  };
+}
+
+async function loadBotsFromMssql() {
+  if (!isMssqlConfigured()) {
+    return [];
+  }
+
+  await ensureMssqlTables();
+  const pool = await getMssqlPool();
+  if (!pool) {
+    return [];
+  }
+
+  const result = await pool.request().query(`
+    SELECT id, api_key, name, description, provider, model, guard_model, enable_guard, is_active, system_prompt, created_at, updated_at
+    FROM dbo.tblBots
+    ORDER BY updated_at DESC, id ASC
+  `);
+
+  return (result.recordset || []).map(mapDbBotRow).filter((bot) => bot.id && bot.apiKey);
+}
+
+async function upsertBotInMssql(bot) {
+  if (!isMssqlConfigured()) {
+    return;
+  }
+
+  await ensureMssqlTables();
+  const pool = await getMssqlPool();
+  if (!pool) {
+    return;
+  }
+
+  await pool.request()
+    .input("id", sql.NVarChar(120), bot.id)
+    .input("apiKey", sql.NVarChar(255), bot.apiKey)
+    .input("name", sql.NVarChar(255), bot.name)
+    .input("description", sql.NVarChar(sql.MAX), bot.description || null)
+    .input("provider", sql.NVarChar(64), bot.provider)
+    .input("model", sql.NVarChar(255), bot.model || null)
+    .input("guardModel", sql.NVarChar(255), bot.guardModel || null)
+    .input("enableGuard", sql.Bit, bot.enableGuard !== false)
+    .input("isActive", sql.Bit, bot.isActive !== false)
+    .input("systemPrompt", sql.NVarChar(sql.MAX), bot.systemPrompt || defaultSystemPrompt)
+    .query(`
+      MERGE dbo.tblBots AS target
+      USING (SELECT @id AS id) AS source
+      ON target.id = source.id
+      WHEN MATCHED THEN
+        UPDATE SET api_key = @apiKey,
+                   name = @name,
+                   description = @description,
+                   provider = @provider,
+                   model = @model,
+                   guard_model = @guardModel,
+                   enable_guard = @enableGuard,
+                   is_active = @isActive,
+                   system_prompt = @systemPrompt,
+                   updated_at = SYSUTCDATETIME()
+      WHEN NOT MATCHED THEN
+        INSERT (id, api_key, name, description, provider, model, guard_model, enable_guard, is_active, system_prompt, created_at, updated_at)
+        VALUES (@id, @apiKey, @name, @description, @provider, @model, @guardModel, @enableGuard, @isActive, @systemPrompt, SYSUTCDATETIME(), SYSUTCDATETIME());
+    `);
+}
+
+async function deleteBotInMssql(botId) {
+  if (!isMssqlConfigured()) {
+    return;
+  }
+
+  await ensureMssqlTables();
+  const pool = await getMssqlPool();
+  if (!pool) {
+    return;
+  }
+
+  await pool.request()
+    .input("id", sql.NVarChar(120), botId)
+    .query("DELETE FROM dbo.tblBots WHERE id = @id");
+}
+
+async function initializeBotsRegistry() {
+  if (!isMssqlConfigured()) {
+    throw new Error("MSSQL is required. Enable MSSQL_ENABLED=true in .env");
+  }
+  const dbBots = await loadBotsFromMssql();
+  botsRegistry = dbBots;
+}
+
+let botsRegistry = [];
+
+function getBotById(botId) {
+  return botsRegistry.find((bot) => bot.id === botId);
+}
+
+function validateBotApiKey(botId, apiKey) {
+  const bot = getBotById(botId);
+  if (!bot) {
+    return { valid: false, error: "Bot not found" };
+  }
+  if (bot.isActive === false) {
+    return { valid: false, error: "Bot is inactive" };
+  }
+  if (bot.apiKey !== apiKey) {
+    return { valid: false, error: "Invalid API key for bot" };
+  }
+  return { valid: true, bot };
+}
+
+function extractBotIdAndApiKey(req) {
+  // Check query params first
+  let botId = req.query?.botId || req.query?.bot_id;
+  let apiKey = req.query?.apiKey || req.query?.api_key;
+
+  // Fall back to request body
+  if (!botId) botId = req.body?.botId || req.body?.bot_id;
+  if (!apiKey) apiKey = req.body?.apiKey || req.body?.api_key;
+
+  // Fall back to headers
+  if (!apiKey) {
+    apiKey = req.headers["x-bot-api-key"];
+  }
+
+  return { botId: String(botId || "").trim(), apiKey: String(apiKey || "").trim() };
+}
+
+function getLatestUserMessage(messages) {
+  for (let index = messages.length - 1; index >= 0; index -= 1) {
+    const message = messages[index];
+    if (message && message.role === "user" && typeof message.content === "string") {
+      return message.content.trim();
+    }
+  }
+
+  return "";
+}
+
+function scoreKnowledgeEntry(entry, query) {
+  const queryTokens = new Set(toNormalizedString(query).split(/[^a-z0-9]+/).filter((token) => token.length > 2));
+  if (!queryTokens.size) {
+    return 1;
+  }
+
+  const searchableText = [
+    entry.title,
+    entry.content,
+    entry.answer,
+    entry.keyword,
+    entry.source,
+    ...(entry.tags || [])
+  ]
+    .join(" ")
+    .toLowerCase();
+
+  let score = 0;
+  for (const token of queryTokens) {
+    if (searchableText.includes(token)) {
+      score += 1;
+    }
+  }
+
+  return score;
+}
+
+function formatKnowledgeEntry(entry) {
+  const lines = [];
+
+  if (entry.title || entry.keyword) {
+    lines.push(`Title: ${entry.title || entry.keyword}`);
+  }
+
+  if (entry.content || entry.answer) {
+    lines.push(`Content: ${truncateText(entry.content || entry.answer, 600)}`);
+  }
+
+  if (entry.source) {
+    lines.push(`Source: ${entry.source}`);
+  }
+
+  return lines.join("\n");
+}
+
+function buildKnowledgeContext(knowledge, latestUserMessage) {
+  const entries = Array.isArray(knowledge) ? [...knowledge] : [];
+  if (!entries.length) {
+    return "";
+  }
+
+  const rankedEntries = entries
+    .map((entry) => ({ entry, score: scoreKnowledgeEntry(entry, latestUserMessage) }))
+    .filter((item) => item.score > 0)
+    .sort((left, right) => right.score - left.score)
+    .slice(0, knowledgeSnippetLimit)
+    .map((item) => item.entry);
+
+  if (!rankedEntries.length) {
+    return "";
+  }
+
+  const snippets = [];
+  for (const entry of rankedEntries) {
+    snippets.push(formatKnowledgeEntry(entry));
+  }
+
+  return truncateText(snippets.join("\n\n"), knowledgeContextCharLimit);
+}
+
+
+
+
+
+function buildSystemPrompt(basePrompt, knowledgeContext) {
+  const sections = [];
+
+  sections.push(basePrompt || defaultSystemPrompt);
+  sections.push(
+    [
+      "Understand natural-language questions, including short, informal, or mixed-language requests.",
+      "Infer the user's intent from context and answer clearly, directly, and in plain language.",
+      "When information comes from the knowledge base, prefer it over guessing."
+    ].join(" ")
+  );
+
+  if (knowledgeContext) {
+    sections.push(`Relevant knowledge snippets:\n${knowledgeContext}`);
+  }
+
+  return sections.filter(Boolean).join("\n\n");
+}
+
+const providerConfigs = {
+  claude: {
+    apiKey: process.env.ANTHROPIC_API_KEY,
+    model: process.env.CLAUDE_MODEL || "claude-sonnet-4-20250514"
+  },
+  openai: {
+    apiKey: process.env.OPENAI_API_KEY,
+    model: process.env.OPENAI_MODEL || "gpt-4o-mini",
+    baseUrl: process.env.OPENAI_BASE_URL || "https://api.openai.com/v1"
+  },
+  groq: {
+    apiKey: process.env.GROQ_API_KEY,
+    model: process.env.GROQ_MODEL || "llama-3.1-8b-instant",
+    baseUrl: process.env.GROQ_BASE_URL || "https://api.groq.com/openai/v1"
+  },
+  mistral: {
+    apiKey: process.env.MISTRAL_API_KEY,
+    model: process.env.MISTRAL_MODEL || "mistral-small-latest",
+    baseUrl: process.env.MISTRAL_BASE_URL || "https://api.mistral.ai/v1"
+  }
+};
+
+const userHandleConfig = {}; // Placeholder - user policies no longer used
+
+const rateLimitBuckets = new Map();
+
+const allowedOrigins = (process.env.ALLOWED_ORIGINS || "*")
+  .split(",")
+  .map((value) => value.trim())
+  .filter(Boolean);
+
+const allowAnyOrigin = allowedOrigins.includes("*");
+
+app.use(
+  cors({
+    origin(origin, callback) {
+      if (!origin || allowedOrigins.includes("*") || allowedOrigins.includes(origin)) {
+        callback(null, true);
+        return;
+      }
+      callback(new Error("Not allowed by CORS"));
+    }
+  })
+);
+
+app.use(express.json({ limit: "1mb" }));
+
+function enforceAdminLogin(req, res, next) {
+  const normalizedPath = String(req.path || "");
+
+  // Public endpoint used by embedded widgets to pull knowledge.
+  if (normalizedPath.startsWith("/api/export/knowledge")) {
+    next();
+    return;
+  }
+
+  // If no password is configured, admin auth is disabled.
+  if (!adminPortalPassword) {
+    next();
+    return;
+  }
+
+  const authHeader = String(req.headers.authorization || "");
+  if (authHeader.toLowerCase().startsWith("basic ")) {
+    const encoded = authHeader.slice(6).trim();
+    try {
+      const decoded = Buffer.from(encoded, "base64").toString("utf8");
+      const delimiter = decoded.indexOf(":");
+      if (delimiter >= 0) {
+        const username = decoded.slice(0, delimiter);
+        const password = decoded.slice(delimiter + 1);
+        if (username === adminPortalUsername && password === adminPortalPassword) {
+          next();
+          return;
+        }
+      }
+    } catch {
+      // Fall through to auth challenge below.
+    }
+  }
+
+  res.set("WWW-Authenticate", 'Basic realm="Chatbot Admin"');
+  res.status(401).send("Authentication required");
+}
+
+async function enforcePortalLogin(req, res, next) {
+  const normalizedPath = String(req.path || "");
+
+  // Allow static portal assets to load without botId in query string.
+  if (/\.(js|css|png|jpg|jpeg|gif|svg|ico|webp|map)$/i.test(normalizedPath)) {
+    next();
+    return;
+  }
+
+  // Keep widget sync endpoint public.
+  if (normalizedPath.startsWith("/api/export/knowledge")) {
+    next();
+    return;
+  }
+
+  // Allow login assets/endpoints.
+  if (
+    normalizedPath === "/login.html" ||
+    normalizedPath.startsWith("/api/auth/") ||
+    normalizedPath.endsWith("portal-login.js")
+  ) {
+    next();
+    return;
+  }
+
+  const botId = String(req.query?.botId || req.body?.botId || "").trim();
+  if (!botId) {
+    res.status(400).send("botId query parameter is required");
+    return;
+  }
+
+  const session = getPortalSession(req);
+  if (!session) {
+    const loginRedirect = `/portal/login.html?botId=${encodeURIComponent(botId)}`;
+    if (normalizedPath.startsWith("/api/")) {
+      res.status(401).json({ error: "Login required" });
+      return;
+    }
+    res.redirect(loginRedirect);
+    return;
+  }
+
+  const canAccess = await canPortalUserAccessBot(session.userId, botId);
+  if (!canAccess) {
+    if (normalizedPath.startsWith("/api/")) {
+      res.status(403).json({ error: "Access denied for this bot" });
+      return;
+    }
+    res.status(403).send("Access denied for this bot");
+    return;
+  }
+
+  next();
+}
+
+app.use("/embed", express.static(path.join(__dirname, "..", "public")));
+app.use("/admin", enforceAdminLogin);
+
+app.get("/portal/admin-bots.html", enforceAdminLogin, (req, res) => {
+  res.sendFile(path.join(__dirname, "..", "public", "portal", "admin-bots.html"));
+});
+
+app.get("/portal/admin-bots.js", enforceAdminLogin, (req, res) => {
+  res.sendFile(path.join(__dirname, "..", "public", "portal", "admin-bots.js"));
+});
+
+app.get("/portal/admin-users.html", enforceAdminLogin, (req, res) => {
+  res.sendFile(path.join(__dirname, "..", "public", "portal", "admin-users.html"));
+});
+
+app.get("/portal/admin-users.js", enforceAdminLogin, (req, res) => {
+  res.sendFile(path.join(__dirname, "..", "public", "portal", "admin-users.js"));
+});
+
+app.use("/portal", enforcePortalLogin, express.static(path.join(__dirname, "..", "public", "portal")));
+
+app.post("/portal/api/auth/login", express.json(), async (req, res) => {
+  try {
+    const username = String(req.body?.username || "").trim();
+    const password = String(req.body?.password || "").trim();
+    const botId = String(req.body?.botId || "").trim();
+
+    if (!username || !password || !botId) {
+      res.status(400).json({ error: "username, password and botId are required" });
+      return;
+    }
+
+    const user = await findPortalUserByCredentials(username, password);
+    if (!user) {
+      res.status(401).json({ error: "Invalid credentials" });
+      return;
+    }
+
+    const canAccess = await canPortalUserAccessBot(user.id, botId);
+    if (!canAccess) {
+      res.status(403).json({ error: "User does not have access to this bot" });
+      return;
+    }
+
+    const token = createPortalSession(user);
+    res.setHeader("Set-Cookie", `portal_auth=${encodeURIComponent(token)}; HttpOnly; Path=/; SameSite=Lax; Max-Age=${Math.floor(portalSessionTtlMs / 1000)}`);
+    res.json({ ok: true, username: user.username, botId });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Login failed" });
+  }
+});
+
+app.post("/portal/api/auth/logout", (req, res) => {
+  const session = getPortalSession(req);
+  clearPortalSession(res, session?.token);
+  res.json({ ok: true });
+});
+
+app.get("/portal/api/auth/me", async (req, res) => {
+  try {
+    const session = getPortalSession(req);
+    if (!session) {
+      res.status(401).json({ error: "Not logged in" });
+      return;
+    }
+
+    const botId = String(req.query?.botId || "").trim();
+    if (!botId) {
+      res.status(400).json({ error: "botId is required" });
+      return;
+    }
+
+    const canAccess = await canPortalUserAccessBot(session.userId, botId);
+    if (!canAccess) {
+      res.status(403).json({ error: "Access denied for this bot" });
+      return;
+    }
+
+    res.json({ ok: true, user: { id: session.userId, username: session.username }, botId });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to fetch session" });
+  }
+});
+
+function getClientIp(req) {
+  return (
+    req.headers["x-forwarded-for"]?.toString().split(",")[0].trim() ||
+    req.socket.remoteAddress ||
+    "unknown"
+  );
+}
+
+function sendSseError(res, message) {
+  res.write(`event: error\ndata: ${JSON.stringify({ error: message })}\n\n`);
+  res.write("event: done\ndata: {}\n\n");
+  res.end();
+}
+
+function extractAiApiKeyFromRequest(req) {
+  const headerValue = req.headers.authorization || "";
+  if (typeof headerValue === "string" && headerValue.toLowerCase().startsWith("bearer ")) {
+    const token = headerValue.slice(7).trim();
+    if (token) {
+      return token;
+    }
+  }
+
+  const tokenHeader = req.headers["x-chatbot-token"];
+  if (typeof tokenHeader === "string" && tokenHeader.trim()) {
+    return tokenHeader.trim();
+  }
+
+  return String(req.body?.aiApiKey || req.body?.ai_apikey || "").trim();
+}
+
+function enforceRequestOrigin(req, res) {
+  if (!enforceOriginLock || allowAnyOrigin) {
+    return true;
+  }
+
+  const origin = req.headers.origin;
+  if (!origin || !allowedOrigins.includes(origin)) {
+    res.status(403).json({ error: "Origin blocked" });
+    return false;
+  }
+
+  return true;
+}
+
+function enforceRateLimit(req, res) {
+  const now = Date.now();
+  const key = getClientIp(req);
+  const bucket = rateLimitBuckets.get(key) || { count: 0, resetAt: now + rateLimitWindowMs };
+
+  if (now > bucket.resetAt) {
+    bucket.count = 0;
+    bucket.resetAt = now + rateLimitWindowMs;
+  }
+
+  bucket.count += 1;
+  rateLimitBuckets.set(key, bucket);
+
+  const remaining = Math.max(rateLimitMaxRequests - bucket.count, 0);
+  res.setHeader("X-RateLimit-Limit", String(rateLimitMaxRequests));
+  res.setHeader("X-RateLimit-Remaining", String(remaining));
+  res.setHeader("X-RateLimit-Reset", String(Math.ceil(bucket.resetAt / 1000)));
+
+  if (bucket.count > rateLimitMaxRequests) {
+    res.status(429).json({ error: "Rate limit exceeded" });
+    return false;
+  }
+
+  return true;
+}
+
+
+
+async function streamClaudeResponse({ config, model, systemPrompt, messages, onToken, onError }) {
+  const response = await fetch("https://api.anthropic.com/v1/messages", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "x-api-key": config.apiKey,
+      "anthropic-version": "2023-06-01"
+    },
+    body: JSON.stringify({
+      model,
+      max_tokens: 1024,
+      system: systemPrompt,
+      stream: true,
+      messages
+    })
+  });
+
+  if (!response.ok || !response.body) {
+    throw new Error(await response.text() || "Anthropic API error");
+  }
+
+  const decoder = new TextDecoder();
+  let buffer = "";
+
+  for await (const chunk of response.body) {
+    buffer += decoder.decode(chunk, { stream: true });
+    const events = buffer.split("\n\n");
+    buffer = events.pop() || "";
+
+    for (const eventBlock of events) {
+      const lines = eventBlock.split("\n");
+      const eventTypeLine = lines.find((line) => line.startsWith("event:"));
+      const dataLine = lines.find((line) => line.startsWith("data:"));
+      if (!dataLine) {
+        continue;
+      }
+
+      const eventType = eventTypeLine ? eventTypeLine.replace("event:", "").trim() : "message";
+      const dataRaw = dataLine.replace("data:", "").trim();
+      if (dataRaw === "[DONE]") {
+        continue;
+      }
+
+      let parsed;
+      try {
+        parsed = JSON.parse(dataRaw);
+      } catch {
+        continue;
+      }
+
+      if (eventType === "content_block_delta") {
+        const token = parsed?.delta?.text;
+        if (token) {
+          onToken(token);
+        }
+      }
+
+      if (eventType === "error") {
+        onError(parsed?.error?.message || "Anthropic stream error");
+      }
+    }
+  }
+}
+
+async function streamOpenAiCompatibleResponse({ config, model, systemPrompt, messages, onToken }) {
+  const response = await fetch(`${config.baseUrl.replace(/\/$/, "")}/chat/completions`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${config.apiKey}`
+    },
+    body: JSON.stringify({
+      model,
+      stream: true,
+      messages: [{ role: "system", content: systemPrompt }, ...messages]
+    })
+  });
+
+  if (!response.ok || !response.body) {
+    throw new Error(await response.text() || "Upstream API error");
+  }
+
+  const decoder = new TextDecoder();
+  let buffer = "";
+
+  for await (const chunk of response.body) {
+    buffer += decoder.decode(chunk, { stream: true });
+    const lines = buffer.split("\n");
+    buffer = lines.pop() || "";
+
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed.startsWith("data:")) {
+        continue;
+      }
+
+      const payload = trimmed.slice(5).trim();
+      if (payload === "[DONE]") {
+        continue;
+      }
+
+      let parsed;
+      try {
+        parsed = JSON.parse(payload);
+      } catch {
+        continue;
+      }
+
+      const token = parsed?.choices?.[0]?.delta?.content;
+      if (typeof token === "string" && token) {
+        onToken(token);
+      }
+    }
+  }
+}
+
+function parseGuardLabel(text) {
+  const raw = String(text || "").trim();
+  if (!raw) {
+    return "unknown";
+  }
+
+  try {
+    const parsed = JSON.parse(raw);
+    const label = String(parsed?.label || "").trim().toLowerCase();
+    if (label === "safe" || label === "unsafe") {
+      return label;
+    }
+  } catch {
+    // Fallback to keyword matching.
+  }
+
+  const lower = raw.toLowerCase();
+  if (/\bunsafe\b/.test(lower)) {
+    return "unsafe";
+  }
+  if (/\bsafe\b/.test(lower)) {
+    return "safe";
+  }
+  return "unknown";
+}
+
+async function runGroqPromptGuard({ config, latestUserMessage }) {
+  if (!enableGroqPromptGuard || !latestUserMessage) {
+    return { allowed: true, reason: "" };
+  }
+
+  const response = await fetch(`${config.baseUrl.replace(/\/$/, "")}/chat/completions`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${config.apiKey}`
+    },
+    body: JSON.stringify({
+      model: groqGuardModel,
+      stream: false,
+      temperature: 0,
+      max_tokens: 32,
+      messages: [
+        {
+          role: "user",
+          content: [
+            "Classify the following user input for policy risk.",
+            "Reply with strict JSON only: {\"label\":\"safe\"} or {\"label\":\"unsafe\"}.",
+            "User input:",
+            latestUserMessage
+          ].join("\n")
+        }
+      ]
+    })
+  });
+
+  if (!response.ok) {
+    throw new Error(await response.text() || "Prompt guard request failed");
+  }
+
+  const payload = await response.json();
+  const content = payload?.choices?.[0]?.message?.content || "";
+  const label = parseGuardLabel(content);
+  if (label === "unsafe") {
+    return {
+      allowed: false,
+      reason: "Your request was blocked by safety policy. Please rephrase your question."
+    };
+  }
+
+  return { allowed: true, reason: "" };
+}
+
+function normalizeMessages(messages) {
+  if (!Array.isArray(messages)) {
+    return [];
+  }
+
+  return messages
+    .filter((message) => message && typeof message.content === "string")
+    .map((message) => ({
+      role: message.role === "assistant" ? "assistant" : "user",
+      content: message.content
+    }))
+    .slice(-40);
+}
+
+function toNullableText(value, maxLength) {
+  const text = String(value || "").trim();
+  if (!text) {
+    return null;
+  }
+  if (!maxLength || text.length <= maxLength) {
+    return text;
+  }
+  return text.slice(0, maxLength);
+}
+
+function getRequestClientIp(req) {
+  const forwarded = String(req.headers["x-forwarded-for"] || "").split(",")[0].trim();
+  if (forwarded) {
+    return forwarded;
+  }
+  return toNullableText(req.socket?.remoteAddress || "", 128);
+}
+
+function generateHistoryRequestId() {
+  return `req_${Date.now()}_${crypto.randomBytes(8).toString("hex")}`;
+}
+
+async function createChatHistoryEntry(payload) {
+  if (!enableChatHistoryStorage || !isMssqlConfigured()) {
+    return null;
+  }
+
+  try {
+    await ensureMssqlTables();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      return null;
+    }
+
+    const requestId = generateHistoryRequestId();
+    const siteConfig = payload.siteConfig || {};
+    const requestMessagesJson = JSON.stringify(Array.isArray(payload.messages) ? payload.messages : []);
+
+    await pool.request()
+      .input("requestId", sql.NVarChar(64), requestId)
+      .input("sessionId", sql.NVarChar(160), toNullableText(payload.sessionId, 160))
+      .input("botId", sql.NVarChar(120), String(payload.botId || "").trim())
+      .input("websiteId", sql.NVarChar(255), toNullableText(siteConfig.siteId, 255))
+      .input("siteKey", sql.NVarChar(255), toNullableText(siteConfig.siteKey, 255))
+      .input("siteName", sql.NVarChar(255), toNullableText(siteConfig.siteName, 255))
+      .input("siteUrl", sql.NVarChar(2048), toNullableText(siteConfig.siteUrl, 2048))
+      .input("pageUrl", sql.NVarChar(sql.MAX), toNullableText(siteConfig.pageUrl, 0))
+      .input("pageOrigin", sql.NVarChar(255), toNullableText(siteConfig.pageOrigin, 255))
+      .input("referrer", sql.NVarChar(sql.MAX), toNullableText(siteConfig.referrer, 0))
+      .input("provider", sql.NVarChar(64), toNullableText(payload.provider, 64))
+      .input("model", sql.NVarChar(255), toNullableText(payload.model, 255))
+      .input("userHandle", sql.NVarChar(120), toNullableText(siteConfig.userHandle, 120))
+      .input("tenantId", sql.NVarChar(120), toNullableText(siteConfig.tenantId, 120))
+      .input("widgetUserId", sql.NVarChar(120), toNullableText(siteConfig.userId, 120))
+      .input("clientIp", sql.NVarChar(128), toNullableText(payload.clientIp, 128))
+      .input("userAgent", sql.NVarChar(512), toNullableText(payload.userAgent, 512))
+      .input("requestMessagesJson", sql.NVarChar(sql.MAX), requestMessagesJson)
+      .input("latestUserMessage", sql.NVarChar(sql.MAX), toNullableText(payload.latestUserMessage, 0))
+      .input("knowledgeContext", sql.NVarChar(sql.MAX), toNullableText(payload.knowledgeContext, 0))
+      .input("systemPrompt", sql.NVarChar(sql.MAX), toNullableText(payload.systemPrompt, 0))
+      .input("responseStatus", sql.NVarChar(40), toNullableText(payload.responseStatus || "started", 40) || "started")
+      .input("startedAt", sql.DateTime2, payload.startedAt || new Date())
+      .query(`
+        INSERT INTO dbo.tblChatHistory (
+          request_id, session_id, bot_id, website_id, site_key, site_name, site_url,
+          page_url, page_origin, referrer, provider, model, user_handle, tenant_id,
+          widget_user_id, client_ip, user_agent, request_messages_json, latest_user_message,
+          knowledge_context, system_prompt, response_status, started_at
+        )
+        VALUES (
+          @requestId, @sessionId, @botId, @websiteId, @siteKey, @siteName, @siteUrl,
+          @pageUrl, @pageOrigin, @referrer, @provider, @model, @userHandle, @tenantId,
+          @widgetUserId, @clientIp, @userAgent, @requestMessagesJson, @latestUserMessage,
+          @knowledgeContext, @systemPrompt, @responseStatus, @startedAt
+        )
+      `);
+
+    return requestId;
+  } catch (error) {
+    console.warn("Failed to insert chat history:", error?.message || error);
+    return null;
+  }
+}
+
+async function finalizeChatHistoryEntry(requestId, payload) {
+  if (!requestId || !enableChatHistoryStorage || !isMssqlConfigured()) {
+    return;
+  }
+
+  try {
+    const pool = await getMssqlPool();
+    if (!pool) {
+      return;
+    }
+
+    const completedAt = payload.completedAt || new Date();
+
+    await pool.request()
+      .input("requestId", sql.NVarChar(64), requestId)
+      .input("assistantResponse", sql.NVarChar(sql.MAX), toNullableText(payload.assistantResponse, 0))
+      .input("responseStatus", sql.NVarChar(40), toNullableText(payload.responseStatus || "completed", 40) || "completed")
+      .input("errorMessage", sql.NVarChar(sql.MAX), toNullableText(payload.errorMessage, 0))
+      .input("knowledgeContext", sql.NVarChar(sql.MAX), toNullableText(payload.knowledgeContext, 0))
+      .input("systemPrompt", sql.NVarChar(sql.MAX), toNullableText(payload.systemPrompt, 0))
+      .input("completedAt", sql.DateTime2, completedAt)
+      .query(`
+        UPDATE dbo.tblChatHistory
+        SET assistant_response = @assistantResponse,
+            response_status = @responseStatus,
+            error_message = @errorMessage,
+            knowledge_context = COALESCE(@knowledgeContext, knowledge_context),
+            system_prompt = COALESCE(@systemPrompt, system_prompt),
+            completed_at = @completedAt,
+            duration_ms = DATEDIFF(MILLISECOND, started_at, @completedAt)
+        WHERE request_id = @requestId
+      `);
+  } catch (error) {
+    console.warn("Failed to finalize chat history:", error?.message || error);
+  }
+}
+
+app.get("/health", (_req, res) => {
+  res.json({ ok: true });
+});
+
+// ============================================================================
+// ADMIN ENDPOINTS: Bot management (create, read, update, delete)
+// ============================================================================
+
+app.get("/admin/bots", (req, res) => {
+  // Return all bots without API keys for security
+  res.json(botsRegistry.map((bot) => ({
+    id: bot.id,
+    name: bot.name,
+    description: bot.description,
+    provider: bot.provider,
+    model: bot.model,
+    guard_model: bot.guardModel,
+    system_prompt: bot.systemPrompt,
+    enable_guard: bot.enableGuard,
+    is_active: bot.isActive !== false,
+    created_at: bot.createdAt,
+    updated_at: bot.updatedAt
+  })));
+});
+
+app.get("/admin/bots/:botId", (req, res) => {
+  const bot = getBotById(req.params.botId);
+  if (!bot) {
+    res.status(404).json({ error: "Bot not found" });
+    return;
+  }
+
+  // Return bot without API key
+  res.json({
+    id: bot.id,
+    name: bot.name,
+    description: bot.description,
+    provider: bot.provider,
+    model: bot.model,
+    guard_model: bot.guardModel,
+    system_prompt: bot.systemPrompt,
+    enable_guard: bot.enableGuard,
+    is_active: bot.isActive !== false,
+    created_at: bot.createdAt,
+    updated_at: bot.updatedAt
+  });
+});
+
+app.post("/admin/bots", express.json(), async (req, res) => {
+  try {
+    const { id, name, description, provider, model, apiKey } = req.body;
+    const guardModel = req.body?.guardModel ?? req.body?.guard_model;
+    const enableGuard = req.body?.enableGuard ?? req.body?.enable_guard;
+    const isActive = req.body?.isActive ?? req.body?.is_active;
+    const systemPrompt = req.body?.systemPrompt ?? req.body?.system_prompt;
+
+    // Validate required fields
+    if (!id || typeof id !== "string" || !id.trim()) {
+      res.status(400).json({ error: "Bot id is required and must be a non-empty string" });
+      return;
+    }
+
+    if (getBotById(id)) {
+      res.status(409).json({ error: "Bot with this id already exists" });
+      return;
+    }
+
+    // Generate API key if not provided
+    const generatedApiKey = apiKey || `sk_${Math.random().toString(36).slice(2, 32)}`;
+
+    const newBot = {
+    id: String(id).trim(),
+    apiKey: String(generatedApiKey).trim(),
+    name: String(name || id).trim(),
+    description: String(description || "").trim(),
+    provider: String(provider || defaultProvider).toLowerCase().trim(),
+    model: String(model || "").trim(),
+    guardModel: String(guardModel || groqGuardModel).trim(),
+    enableGuard: !(enableGuard === false || enableGuard === 0 || String(enableGuard || "").toLowerCase() === "false" || String(enableGuard || "") === "0"),
+    isActive: !(isActive === false || isActive === 0 || String(isActive || "").toLowerCase() === "false" || String(isActive || "") === "0"),
+    systemPrompt: String(systemPrompt || defaultSystemPrompt).trim(),
+    knowledge: [],
+    createdAt: new Date().toISOString(),
+    updatedAt: new Date().toISOString()
+    };
+
+    botsRegistry.push(newBot);
+    if (isMssqlConfigured()) {
+      await upsertBotInMssql(newBot);
+    }
+
+    res.status(201).json({
+      id: newBot.id,
+      apiKey: newBot.apiKey,
+      api_key: newBot.apiKey,
+      name: newBot.name,
+      description: newBot.description,
+      provider: newBot.provider,
+      model: newBot.model,
+      is_active: newBot.isActive,
+      createdAt: newBot.createdAt
+    });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to create bot" });
+  }
+});
+
+app.put("/admin/bots/:botId", express.json(), async (req, res) => {
+  try {
+    const bot = getBotById(req.params.botId);
+    if (!bot) {
+      res.status(404).json({ error: "Bot not found" });
+      return;
+    }
+
+    const { name, description, provider, model } = req.body;
+    const guardModel = req.body?.guardModel ?? req.body?.guard_model;
+    const enableGuard = req.body?.enableGuard ?? req.body?.enable_guard;
+    const isActive = req.body?.isActive ?? req.body?.is_active;
+    const systemPrompt = req.body?.systemPrompt ?? req.body?.system_prompt;
+
+    if (name !== undefined) bot.name = String(name).trim();
+    if (description !== undefined) bot.description = String(description).trim();
+    if (provider !== undefined) bot.provider = String(provider).toLowerCase().trim();
+    if (model !== undefined) bot.model = String(model).trim();
+    if (guardModel !== undefined) bot.guardModel = String(guardModel).trim();
+    if (enableGuard !== undefined) bot.enableGuard = !(enableGuard === false || enableGuard === 0 || String(enableGuard || "").toLowerCase() === "false" || String(enableGuard || "") === "0");
+    if (isActive !== undefined) bot.isActive = !(isActive === false || isActive === 0 || String(isActive || "").toLowerCase() === "false" || String(isActive || "") === "0");
+    if (systemPrompt !== undefined) bot.systemPrompt = String(systemPrompt).trim();
+
+    bot.updatedAt = new Date().toISOString();
+
+    if (isMssqlConfigured()) {
+      await upsertBotInMssql(bot);
+    }
+
+    res.json({
+      id: bot.id,
+      name: bot.name,
+      description: bot.description,
+      provider: bot.provider,
+      model: bot.model,
+      is_active: bot.isActive !== false,
+      updatedAt: bot.updatedAt
+    });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to update bot" });
+  }
+});
+
+app.delete("/admin/bots/:botId", async (req, res) => {
+  try {
+    const index = botsRegistry.findIndex((bot) => bot.id === req.params.botId);
+    if (index === -1) {
+      res.status(404).json({ error: "Bot not found" });
+      return;
+    }
+
+    const deletedBot = botsRegistry.splice(index, 1)[0];
+    if (isMssqlConfigured()) {
+      await deleteBotInMssql(deletedBot.id);
+    }
+
+    res.json({
+      message: "Bot deleted successfully",
+      id: deletedBot.id
+    });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to delete bot" });
+  }
+});
+
+function normalizeAdminBotIds(value) {
+  if (!Array.isArray(value)) {
+    return [];
+  }
+  const unique = new Set();
+  for (const item of value) {
+    const id = String(item || "").trim();
+    if (id) {
+      unique.add(id);
+    }
+  }
+  return Array.from(unique);
+}
+
+app.get("/admin/users", async (_req, res) => {
+  if (!isMssqlConfigured()) {
+    res.status(400).json({ error: "MSSQL is not configured" });
+    return;
+  }
+
+  try {
+    await ensurePortalUserTables();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL pool unavailable" });
+      return;
+    }
+
+    const usersResult = await pool.request().query(`
+      SELECT id, username, is_active, created_at, updated_at
+      FROM dbo.tblUsers
+      ORDER BY username ASC
+    `);
+
+    const mapResult = await pool.request().query(`
+      SELECT user_id, bot_id
+      FROM dbo.tblBotUsers
+    `);
+
+    const botIdsByUser = new Map();
+    for (const row of mapResult.recordset || []) {
+      const userId = Number(row.user_id);
+      const botId = String(row.bot_id || "").trim();
+      if (!userId || !botId) {
+        continue;
+      }
+      if (!botIdsByUser.has(userId)) {
+        botIdsByUser.set(userId, []);
+      }
+      botIdsByUser.get(userId).push(botId);
+    }
+
+    const users = (usersResult.recordset || []).map((user) => ({
+      id: Number(user.id),
+      username: String(user.username || "").trim(),
+      is_active: Number(user.is_active) === 1 || user.is_active === true,
+      bot_ids: botIdsByUser.get(Number(user.id)) || [],
+      created_at: user.created_at,
+      updated_at: user.updated_at
+    }));
+
+    res.json(users);
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to fetch users" });
+  }
+});
+
+app.post("/admin/users", express.json(), async (req, res) => {
+  if (!isMssqlConfigured()) {
+    res.status(400).json({ error: "MSSQL is not configured" });
+    return;
+  }
+
+  const username = String(req.body?.username || "").trim();
+  const password = String(req.body?.password || "").trim();
+  const isActive = !(req.body?.is_active === false || req.body?.is_active === 0 || String(req.body?.is_active || "").toLowerCase() === "false" || String(req.body?.is_active || "") === "0");
+  const botIds = normalizeAdminBotIds(req.body?.bot_ids);
+
+  if (!username) {
+    res.status(400).json({ error: "username is required" });
+    return;
+  }
+  if (!password) {
+    res.status(400).json({ error: "password is required" });
+    return;
+  }
+
+  const unknownBotIds = botIds.filter((id) => !getBotById(id));
+  if (unknownBotIds.length) {
+    res.status(400).json({ error: `Unknown bot id(s): ${unknownBotIds.join(", ")}` });
+    return;
+  }
+
+  try {
+    await ensurePortalUserTables();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL pool unavailable" });
+      return;
+    }
+
+    const existing = await pool.request()
+      .input("username", sql.NVarChar(120), username)
+      .query("SELECT TOP 1 id FROM dbo.tblUsers WHERE username = @username");
+    if (existing.recordset?.length) {
+      res.status(409).json({ error: "Username already exists" });
+      return;
+    }
+
+    const tx = new sql.Transaction(pool);
+    await tx.begin();
+    try {
+      const insertResult = await new sql.Request(tx)
+        .input("username", sql.NVarChar(120), username)
+        .input("passwordHash", sql.NVarChar(255), hashPassword(password))
+        .input("isActive", sql.Bit, isActive ? 1 : 0)
+        .query(`
+          INSERT INTO dbo.tblUsers (username, password_hash, is_active, created_at, updated_at)
+          OUTPUT INSERTED.id
+          VALUES (@username, @passwordHash, @isActive, SYSUTCDATETIME(), SYSUTCDATETIME())
+        `);
+
+      const userId = Number(insertResult.recordset?.[0]?.id);
+
+      for (const botId of botIds) {
+        await new sql.Request(tx)
+          .input("userId", sql.Int, userId)
+          .input("botId", sql.NVarChar(120), botId)
+          .query("INSERT INTO dbo.tblBotUsers (bot_id, user_id) VALUES (@botId, @userId)");
+      }
+
+      await tx.commit();
+
+      res.status(201).json({
+        id: userId,
+        username,
+        is_active: isActive,
+        bot_ids: botIds
+      });
+    } catch (innerError) {
+      await tx.rollback();
+      throw innerError;
+    }
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to create user" });
+  }
+});
+
+app.put("/admin/users/:userId", express.json(), async (req, res) => {
+  if (!isMssqlConfigured()) {
+    res.status(400).json({ error: "MSSQL is not configured" });
+    return;
+  }
+
+  const userId = Number(req.params.userId);
+  if (!Number.isInteger(userId) || userId <= 0) {
+    res.status(400).json({ error: "Invalid userId" });
+    return;
+  }
+
+  const username = req.body?.username === undefined ? undefined : String(req.body.username || "").trim();
+  const password = req.body?.password === undefined ? undefined : String(req.body.password || "").trim();
+  const hasIsActive = req.body?.is_active !== undefined;
+  const isActive = !(req.body?.is_active === false || req.body?.is_active === 0 || String(req.body?.is_active || "").toLowerCase() === "false" || String(req.body?.is_active || "") === "0");
+  const hasBotIds = Array.isArray(req.body?.bot_ids);
+  const botIds = hasBotIds ? normalizeAdminBotIds(req.body?.bot_ids) : [];
+
+  if (username !== undefined && !username) {
+    res.status(400).json({ error: "username cannot be empty" });
+    return;
+  }
+  if (password !== undefined && !password) {
+    res.status(400).json({ error: "password cannot be empty" });
+    return;
+  }
+
+  const unknownBotIds = botIds.filter((id) => !getBotById(id));
+  if (unknownBotIds.length) {
+    res.status(400).json({ error: `Unknown bot id(s): ${unknownBotIds.join(", ")}` });
+    return;
+  }
+
+  try {
+    await ensurePortalUserTables();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL pool unavailable" });
+      return;
+    }
+
+    const existsResult = await pool.request()
+      .input("userId", sql.Int, userId)
+      .query("SELECT TOP 1 id FROM dbo.tblUsers WHERE id = @userId");
+    if (!existsResult.recordset?.length) {
+      res.status(404).json({ error: "User not found" });
+      return;
+    }
+
+    if (username !== undefined) {
+      const duplicate = await pool.request()
+        .input("username", sql.NVarChar(120), username)
+        .input("userId", sql.Int, userId)
+        .query("SELECT TOP 1 id FROM dbo.tblUsers WHERE username = @username AND id <> @userId");
+      if (duplicate.recordset?.length) {
+        res.status(409).json({ error: "Username already exists" });
+        return;
+      }
+    }
+
+    const tx = new sql.Transaction(pool);
+    await tx.begin();
+    try {
+      const updates = [];
+      const updateReq = new sql.Request(tx).input("userId", sql.Int, userId);
+
+      if (username !== undefined) {
+        updates.push("username = @username");
+        updateReq.input("username", sql.NVarChar(120), username);
+      }
+      if (password !== undefined) {
+        updates.push("password_hash = @passwordHash");
+        updateReq.input("passwordHash", sql.NVarChar(255), hashPassword(password));
+      }
+      if (hasIsActive) {
+        updates.push("is_active = @isActive");
+        updateReq.input("isActive", sql.Bit, isActive ? 1 : 0);
+      }
+
+      updates.push("updated_at = SYSUTCDATETIME()");
+
+      await updateReq.query(`
+        UPDATE dbo.tblUsers
+        SET ${updates.join(", ")}
+        WHERE id = @userId
+      `);
+
+      if (hasBotIds) {
+        await new sql.Request(tx)
+          .input("userId", sql.Int, userId)
+          .query("DELETE FROM dbo.tblBotUsers WHERE user_id = @userId");
+
+        for (const botId of botIds) {
+          await new sql.Request(tx)
+            .input("userId", sql.Int, userId)
+            .input("botId", sql.NVarChar(120), botId)
+            .query("INSERT INTO dbo.tblBotUsers (bot_id, user_id) VALUES (@botId, @userId)");
+        }
+      }
+
+      await tx.commit();
+    } catch (innerError) {
+      await tx.rollback();
+      throw innerError;
+    }
+
+    const mapResult = await pool.request()
+      .input("userId", sql.Int, userId)
+      .query("SELECT bot_id FROM dbo.tblBotUsers WHERE user_id = @userId ORDER BY bot_id ASC");
+
+    const userResult = await pool.request()
+      .input("userId", sql.Int, userId)
+      .query("SELECT id, username, is_active FROM dbo.tblUsers WHERE id = @userId");
+    const user = userResult.recordset?.[0];
+
+    res.json({
+      id: Number(user.id),
+      username: String(user.username || "").trim(),
+      is_active: Number(user.is_active) === 1 || user.is_active === true,
+      bot_ids: (mapResult.recordset || []).map((row) => String(row.bot_id || "").trim()).filter(Boolean)
+    });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to update user" });
+  }
+});
+
+app.delete("/admin/users/:userId", async (req, res) => {
+  if (!isMssqlConfigured()) {
+    res.status(400).json({ error: "MSSQL is not configured" });
+    return;
+  }
+
+  const userId = Number(req.params.userId);
+  if (!Number.isInteger(userId) || userId <= 0) {
+    res.status(400).json({ error: "Invalid userId" });
+    return;
+  }
+
+  try {
+    await ensurePortalUserTables();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL pool unavailable" });
+      return;
+    }
+
+    const existing = await pool.request()
+      .input("userId", sql.Int, userId)
+      .query("SELECT TOP 1 id, username FROM dbo.tblUsers WHERE id = @userId");
+    if (!existing.recordset?.length) {
+      res.status(404).json({ error: "User not found" });
+      return;
+    }
+
+    await pool.request()
+      .input("userId", sql.Int, userId)
+      .query("DELETE FROM dbo.tblUsers WHERE id = @userId");
+
+    res.json({
+      ok: true,
+      id: userId
+    });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to delete user" });
+  }
+});
+
+app.get("/portal/api/health", async (_req, res) => {
+  if (!isMssqlConfigured()) {
+    res.status(400).json({
+      ok: false,
+      error: "MSSQL is not configured. Set MSSQL_ENABLED=true and MSSQL_* env vars."
+    });
+    return;
+  }
+
+  try {
+    await ensureMssqlKnowledgeTable();
+    res.json({ ok: true, storage: "mssql" });
+  } catch (error) {
+    res.status(500).json({ ok: false, error: error?.message || "MSSQL connection failed" });
+  }
+});
+
+app.get("/portal/api/knowledge", async (req, res) => {
+  try {
+    const records = await getKnowledgeFromMssql({
+      botId: req.query?.botId || ""
+    });
+    res.json({ items: records });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to fetch knowledge from MSSQL" });
+  }
+});
+
+app.post("/portal/api/knowledge", async (req, res) => {
+  const botId = String(req.body?.botId || "").trim();
+  const content = String(req.body?.content || req.body?.answer || "").trim();
+
+  if (!botId) {
+    res.status(400).json({ error: "botId is required" });
+    return;
+  }
+  if (!content) {
+    res.status(400).json({ error: "content is required" });
+    return;
+  }
+
+  try {
+    await ensureMssqlKnowledgeTable();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL is not configured" });
+      return;
+    }
+
+    const tags = normalizeTags(req.body?.tags);
+    const faqQuestion = String(req.body?.question || req.body?.keyword || req.body?.title || "").trim();
+    const insertResult = await pool.request()
+      .input("botId", sql.NVarChar(120), botId)
+      .input("keyword", sql.NVarChar(255), faqQuestion || null)
+      .input("title", sql.NVarChar(255), faqQuestion || null)
+      .input("content", sql.NVarChar(sql.MAX), content)
+      .input("tagsJson", sql.NVarChar(sql.MAX), JSON.stringify(tags))
+      .input("source", sql.NVarChar(80), String(req.body?.source || "portal").trim() || "portal")
+      .query(`
+        INSERT INTO dbo.tblKnowledge (bot_id, keyword, title, content, tags_json, source, is_active, updated_at)
+        OUTPUT INSERTED.*
+        VALUES (@botId, @keyword, @title, @content, @tagsJson, @source, 1, SYSUTCDATETIME())
+      `);
+
+    const created = mapDbKnowledgeRow(insertResult.recordset[0]);
+    res.status(201).json(created);
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to create knowledge record" });
+  }
+});
+
+app.post("/portal/api/knowledge/import", async (req, res) => {
+  const botId = String(req.body?.botId || "").trim();
+  const source = String(req.body?.source || "portal-upload").trim() || "portal-upload";
+  const items = Array.isArray(req.body?.items) ? req.body.items : [];
+
+  if (!botId) {
+    res.status(400).json({ error: "botId is required" });
+    return;
+  }
+
+  if (!items.length) {
+    res.status(400).json({ error: "items[] is required for import" });
+    return;
+  }
+
+  try {
+    await ensureMssqlKnowledgeTable();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL is not configured" });
+      return;
+    }
+
+    const inserted = [];
+    let skipped = 0;
+
+    for (const item of items) {
+      const faqQuestion = String(item?.question || item?.keyword || item?.title || "").trim();
+      const answer = String(item?.answer || item?.content || "").trim();
+      const tags = normalizeTags(item?.tags);
+
+      if (!answer) {
+        skipped += 1;
+        continue;
+      }
+
+      const result = await pool.request()
+        .input("botId", sql.NVarChar(120), botId)
+        .input("keyword", sql.NVarChar(255), faqQuestion || null)
+        .input("title", sql.NVarChar(255), faqQuestion || null)
+        .input("content", sql.NVarChar(sql.MAX), answer)
+        .input("tagsJson", sql.NVarChar(sql.MAX), JSON.stringify(tags))
+        .input("source", sql.NVarChar(80), source)
+        .query(`
+          INSERT INTO dbo.tblKnowledge (bot_id, keyword, title, content, tags_json, source, is_active, updated_at)
+          OUTPUT INSERTED.*
+          VALUES (@botId, @keyword, @title, @content, @tagsJson, @source, 1, SYSUTCDATETIME())
+        `);
+
+      if (result.recordset.length) {
+        inserted.push(mapDbKnowledgeRow(result.recordset[0]));
+      }
+    }
+
+    res.status(201).json({
+      ok: true,
+      importedCount: inserted.length,
+      skippedCount: skipped,
+      items: inserted
+    });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to import knowledge records" });
+  }
+});
+
+app.put("/portal/api/knowledge/:id", async (req, res) => {
+  const id = Number(req.params.id);
+  if (!Number.isFinite(id) || id <= 0) {
+    res.status(400).json({ error: "Invalid knowledge id" });
+    return;
+  }
+
+  try {
+    await ensureMssqlKnowledgeTable();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL is not configured" });
+      return;
+    }
+
+    const content = String(req.body?.content || req.body?.answer || "").trim();
+    if (!content) {
+      res.status(400).json({ error: "content is required" });
+      return;
+    }
+
+    const tags = normalizeTags(req.body?.tags);
+    const faqQuestion = String(req.body?.question || req.body?.keyword || req.body?.title || "").trim();
+    const result = await pool.request()
+      .input("id", sql.Int, id)
+      .input("keyword", sql.NVarChar(255), faqQuestion || null)
+      .input("title", sql.NVarChar(255), faqQuestion || null)
+      .input("content", sql.NVarChar(sql.MAX), content)
+      .input("tagsJson", sql.NVarChar(sql.MAX), JSON.stringify(tags))
+      .input("source", sql.NVarChar(80), String(req.body?.source || "portal").trim() || "portal")
+      .query(`
+        UPDATE dbo.tblKnowledge
+        SET keyword = @keyword,
+            title = @title,
+            content = @content,
+            tags_json = @tagsJson,
+            source = @source,
+            updated_at = SYSUTCDATETIME()
+        OUTPUT INSERTED.*
+        WHERE id = @id
+      `);
+
+    if (!result.recordset.length) {
+      res.status(404).json({ error: "Knowledge record not found" });
+      return;
+    }
+
+    res.json(mapDbKnowledgeRow(result.recordset[0]));
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to update knowledge record" });
+  }
+});
+
+app.delete("/portal/api/knowledge/:id", async (req, res) => {
+  const id = Number(req.params.id);
+  if (!Number.isFinite(id) || id <= 0) {
+    res.status(400).json({ error: "Invalid knowledge id" });
+    return;
+  }
+
+  try {
+    await ensureMssqlKnowledgeTable();
+    const pool = await getMssqlPool();
+    if (!pool) {
+      res.status(500).json({ error: "MSSQL is not configured" });
+      return;
+    }
+
+    const result = await pool.request()
+      .input("id", sql.Int, id)
+      .query(`
+        UPDATE dbo.tblKnowledge
+        SET is_active = 0,
+            updated_at = SYSUTCDATETIME()
+        OUTPUT INSERTED.id
+        WHERE id = @id
+      `);
+
+    if (!result.recordset.length) {
+      res.status(404).json({ error: "Knowledge record not found" });
+      return;
+    }
+
+    res.json({ ok: true, id });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to delete knowledge record" });
+  }
+});
+
+app.get("/portal/api/export/knowledge", async (req, res) => {
+  try {
+    const records = await getKnowledgeFromMssql({
+      botId: req.query?.botId || ""
+    });
+
+    res.json({
+      knowledge: records.map((entry) => ({
+        question: entry.keyword,
+        keyword: entry.keyword,
+        answer: entry.answer,
+        tags: entry.tags,
+        botId: entry.botId,
+        source: entry.source,
+        updatedAt: entry.updatedAt
+      }))
+    });
+  } catch (error) {
+    res.status(500).json({ error: error?.message || "Unable to export knowledge" });
+  }
+});
+
+app.get("/knowledge.json", async (req, res) => {
+  const botId = String(req.query?.botId || "").trim();
+  if (!botId) {
+    res.json({ knowledge: [] });
+    return;
+  }
+
+  const bot = botId ? getBotById(botId) : null;
+  const botKnowledge = Array.isArray(bot?.knowledge) ? bot.knowledge : [];
+
+  let mssqlKnowledge = [];
+  try {
+    mssqlKnowledge = await getKnowledgeFromMssql({
+      botId
+    });
+  } catch (error) {
+    console.warn("MSSQL knowledge fetch failed:", error?.message || error);
+  }
+
+  const mergedKnowledge = [
+    ...botKnowledge,
+    ...mssqlKnowledge
+  ];
+
+  // Bot-only FAQ response shape for client sync.
+  res.json({
+    knowledge: mergedKnowledge.map((entry) => ({
+      question: String(entry.title || entry.question || entry.keyword || entry.label || "Knowledge").trim() || "Knowledge",
+      keyword: String(entry.title || entry.question || entry.label || "Knowledge").trim() || "Knowledge",
+      answer: String(entry.content || entry.answer || "").trim(),
+      tags: Array.isArray(entry.tags) ? entry.tags : []
+    }))
+  });
+});
+
+app.post("/api/chat/stream", async (req, res) => {
+  if (!enforceRequestOrigin(req, res)) {
+    return;
+  }
+
+  // Bot-based authentication (required)
+  const { botId, apiKey } = extractBotIdAndApiKey(req);
+  if (!botId || !apiKey) {
+    res.status(400).json({ error: "botId and apiKey are required" });
+    return;
+  }
+
+  const validation = validateBotApiKey(botId, apiKey);
+  if (!validation.valid) {
+    res.status(401).json({ error: validation.error });
+    return;
+  }
+
+  const botConfig = validation.bot;
+
+  // Rate limiting
+  if (!enforceRateLimit(req, res)) {
+    return;
+  }
+
+  const incomingMessages = normalizeMessages(req.body?.messages);
+  if (!incomingMessages.length) {
+    res.status(400).json({ error: "messages[] is required" });
+    return;
+  }
+
+  const latestUserMessage = getLatestUserMessage(incomingMessages);
+  const siteConfig = req.body?.siteConfig && typeof req.body.siteConfig === "object"
+    ? req.body.siteConfig
+    : {};
+  const sessionId = String(req.body?.sessionId || req.headers["x-chat-session-id"] || "").trim();
+  const requestStartedAt = new Date();
+  let historyRequestId = null;
+  let assistantResponseText = "";
+
+  const provider = botConfig.provider;
+  const providerConfigBase = providerConfigs[provider];
+  const preliminaryModel = botConfig.model || normalizeModelForProvider(provider, providerConfigBase?.model);
+
+  historyRequestId = await createChatHistoryEntry({
+    sessionId,
+    botId,
+    provider,
+    model: preliminaryModel,
+    siteConfig,
+    messages: incomingMessages,
+    latestUserMessage,
+    clientIp: getRequestClientIp(req),
+    userAgent: String(req.headers["user-agent"] || "").trim(),
+    startedAt: requestStartedAt,
+    responseStatus: "started"
+  });
+
+  const requestAiApiKey = extractAiApiKeyFromRequest(req);
+  const providerConfig = providerConfigBase
+    ? {
+      ...providerConfigBase,
+      apiKey: providerConfigBase.apiKey || requestAiApiKey
+    }
+    : null;
+
+  if (!providerConfig || !providerConfig.apiKey) {
+    await finalizeChatHistoryEntry(historyRequestId, {
+      responseStatus: "error",
+      errorMessage: `Missing API key for provider: ${provider}`
+    });
+    res.status(500).json({
+      error: `Missing API key for provider: ${provider}. Set ${provider.toUpperCase()}_API_KEY in .env or pass data-ai-apikey in embed script.`
+    });
+    return;
+  }
+
+  // Groq prompt guard
+  if (provider === "groq" && enableGroqPromptGuard) {
+    try {
+      const guardResult = await runGroqPromptGuard({
+        config: providerConfig,
+        latestUserMessage
+      });
+
+      if (!guardResult.allowed) {
+        await finalizeChatHistoryEntry(historyRequestId, {
+          responseStatus: "blocked",
+          assistantResponse: guardResult.reason,
+          errorMessage: guardResult.reason
+        });
+        res.status(400).json({ error: guardResult.reason });
+        return;
+      }
+    } catch (error) {
+      console.warn("Prompt guard request failed:", error?.message || error);
+    }
+  }
+
+  // Load bot knowledge from MSSQL
+  let botKnowledge = [];
+  try {
+    botKnowledge = await getKnowledgeFromMssql({ botId });
+  } catch (error) {
+    console.warn("Failed to load bot knowledge:", error?.message || error);
+  }
+
+  // Build knowledge context
+  const knowledgeContext = buildKnowledgeContext(botKnowledge, latestUserMessage);
+  const systemPrompt = buildSystemPrompt(botConfig.systemPrompt, knowledgeContext);
+
+  const requestedModel = botConfig.model || normalizeModelForProvider(provider, providerConfig.model);
+
+  res.setHeader("Content-Type", "text/event-stream");
+  res.setHeader("Cache-Control", "no-cache, no-transform");
+  res.setHeader("Connection", "keep-alive");
+  res.flushHeaders?.();
+
+  let closed = false;
+  req.on("close", () => {
+    closed = true;
+  });
+
+  try {
+    if (provider === "claude") {
+      await streamClaudeResponse({
+        config: providerConfig,
+        model: requestedModel,
+        systemPrompt,
+        messages: incomingMessages,
+        onToken(token) {
+          if (!closed) {
+            assistantResponseText += token;
+            res.write(`event: token\ndata: ${JSON.stringify({ token })}\n\n`);
+          }
+        },
+        onError(message) {
+          if (!closed) {
+            res.write(`event: error\ndata: ${JSON.stringify({ error: message })}\n\n`);
+          }
+        }
+      });
+    } else {
+      await streamOpenAiCompatibleResponse({
+        config: providerConfig,
+        model: requestedModel,
+        systemPrompt,
+        messages: incomingMessages,
+        onToken(token) {
+          if (!closed) {
+            assistantResponseText += token;
+            res.write(`event: token\ndata: ${JSON.stringify({ token })}\n\n`);
+          }
+        }
+      });
+    }
+
+    if (!closed) {
+      res.write("event: done\ndata: {}\n\n");
+      res.end();
+    }
+
+    await finalizeChatHistoryEntry(historyRequestId, {
+      assistantResponse: assistantResponseText,
+      responseStatus: "completed",
+      knowledgeContext,
+      systemPrompt
+    });
+  } catch (error) {
+    await finalizeChatHistoryEntry(historyRequestId, {
+      assistantResponse: assistantResponseText,
+      responseStatus: "error",
+      errorMessage: error?.message || "Unexpected proxy error",
+      knowledgeContext,
+      systemPrompt
+    });
+
+    if (!closed) {
+      sendSseError(res, error?.message || "Unexpected proxy error");
+    }
+  }
+});
+
+async function startServer() {
+  try {
+    await initializeBotsRegistry();
+    app.listen(port, () => {
+      console.log(`Chatbot proxy listening on http://localhost:${port}`);
+      console.log(`Embed URL: http://localhost:${port}/embed/chatbot.js`);
+    });
+  } catch (error) {
+    console.error("Failed to initialize server:", error?.message || error);
+    process.exit(1);
+  }
+}
+
+startServer();