atlas-chat 0.1.0__py3-none-any.whl

atlas/tests/test_websocket_auth_header.py

@@ -0,0 +1,168 @@
+"""
+Tests for WebSocket authentication using the configured authentication header.
+
+These tests validate that the backend correctly extracts the user email from the
+configured authentication header (default: X-User-Email) for WebSocket connections,
+which is critical for the production authentication flow where the reverse proxy
+sets this header. The tests also ensure that fallback mechanisms (query parameter,
+test user from config) work as expected, and that the header takes precedence when
+both are present.
+"""
+
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+from fastapi.testclient import TestClient
+from main import app
+
+
+@pytest.fixture
+def mock_app_factory():
+    """Mock app factory to avoid initializing full application."""
+    with patch('main.app_factory') as mock_factory:
+        # Mock config manager
+        mock_config = MagicMock()
+        mock_config.app_settings.test_user = 'test@test.com'
+        mock_config.app_settings.debug_mode = False
+        mock_config.app_settings.auth_user_header = 'X-User-Email'
+        mock_config.app_settings.feature_proxy_secret_enabled = False
+        mock_factory.get_config_manager.return_value = mock_config
+
+        # Mock chat service
+        mock_chat_service = MagicMock()
+        mock_chat_service.handle_chat_message = AsyncMock(return_value={})
+        mock_chat_service.handle_attach_file = AsyncMock(return_value={'type': 'file_attach', 'success': True})
+        mock_chat_service.end_session = MagicMock()
+        mock_factory.create_chat_service.return_value = mock_chat_service
+
+        yield mock_factory
+
+
+def test_websocket_uses_x_user_email_header(mock_app_factory):
+    """Test that WebSocket connection uses X-User-Email header for authentication."""
+    client = TestClient(app)
+
+    # Connect with X-User-Email header
+    with client.websocket_connect("/ws", headers={"X-User-Email": "alice@example.com"}) as websocket:
+        # Send a test message
+        websocket.send_json({"type": "attach_file", "s3_key": "users/alice@example.com/test.txt"})
+
+        # Verify that the connection was created with the correct user from header
+        # The user_email should be extracted from X-User-Email header
+        call_args = mock_app_factory.create_chat_service.call_args
+        connection_adapter = call_args[0][0]  # First positional argument
+
+        # The connection adapter should have been created with alice@example.com
+        assert connection_adapter.user_email == "alice@example.com"
+
+
+def test_websocket_rejects_unauthenticated_in_production(mock_app_factory):
+    """Test that WebSocket rejects connections without auth header in production mode."""
+    from starlette.websockets import WebSocketDisconnect
+
+    # Ensure debug_mode is False (production)
+    mock_app_factory.get_config_manager.return_value.app_settings.debug_mode = False
+
+    client = TestClient(app)
+
+    # Connect without header - should be rejected with 1008 (Policy Violation)
+    with pytest.raises(WebSocketDisconnect) as exc_info:
+        with client.websocket_connect("/ws"):
+            pass
+
+    assert exc_info.value.code == 1008
+    assert "Authentication required" in exc_info.value.reason
+
+
+def test_websocket_rejects_query_param_in_production(mock_app_factory):
+    """Test that WebSocket ignores query param auth in production mode."""
+    from starlette.websockets import WebSocketDisconnect
+
+    # Ensure debug_mode is False (production)
+    mock_app_factory.get_config_manager.return_value.app_settings.debug_mode = False
+
+    client = TestClient(app)
+
+    # Connect with query param but no header - should be rejected in production
+    with pytest.raises(WebSocketDisconnect) as exc_info:
+        with client.websocket_connect("/ws?user=bob@example.com"):
+            pass
+
+    assert exc_info.value.code == 1008
+    assert "Authentication required" in exc_info.value.reason
+
+
+@pytest.fixture
+def mock_app_factory_debug_mode():
+    """Mock app factory with debug mode enabled."""
+    with patch('main.app_factory') as mock_factory:
+        # Mock config manager with debug_mode=True
+        mock_config = MagicMock()
+        mock_config.app_settings.test_user = 'test@test.com'
+        mock_config.app_settings.debug_mode = True  # Debug mode enabled
+        mock_config.app_settings.auth_user_header = 'X-User-Email'
+        mock_config.app_settings.feature_proxy_secret_enabled = False
+        mock_factory.get_config_manager.return_value = mock_config
+
+        # Mock chat service
+        mock_chat_service = MagicMock()
+        mock_chat_service.handle_chat_message = AsyncMock(return_value={})
+        mock_chat_service.handle_attach_file = AsyncMock(return_value={'type': 'file_attach', 'success': True})
+        mock_chat_service.end_session = MagicMock()
+        mock_factory.create_chat_service.return_value = mock_chat_service
+
+        yield mock_factory
+
+
+def test_websocket_fallback_to_query_param_debug_mode(mock_app_factory_debug_mode):
+    """Test that WebSocket falls back to query param in debug mode only."""
+    client = TestClient(app)
+
+    # Connect without header but with query param - should work in debug mode
+    with client.websocket_connect("/ws?user=bob@example.com") as websocket:
+        # Send a test message
+        websocket.send_json({"type": "attach_file", "s3_key": "users/bob@example.com/test.txt"})
+
+        # Get the chat service instance
+        call_args = mock_app_factory_debug_mode.create_chat_service.call_args
+        connection_adapter = call_args[0][0]
+
+        # Should use query param in debug mode
+        assert connection_adapter.user_email == "bob@example.com"
+
+
+def test_websocket_fallback_to_test_user_debug_mode(mock_app_factory_debug_mode):
+    """Test that WebSocket falls back to test user in debug mode only."""
+    client = TestClient(app)
+
+    # Connect without header or query param - should work in debug mode
+    with client.websocket_connect("/ws") as websocket:
+        # Send a test message
+        websocket.send_json({"type": "attach_file", "s3_key": "users/test@test.com/test.txt"})
+
+        # Get the chat service instance
+        call_args = mock_app_factory_debug_mode.create_chat_service.call_args
+        connection_adapter = call_args[0][0]
+
+        # Should use test user from config in debug mode
+        assert connection_adapter.user_email == "test@test.com"
+
+
+def test_websocket_header_takes_precedence_over_query_param(mock_app_factory):
+    """Test that X-User-Email header takes precedence over query parameter."""
+    client = TestClient(app)
+
+    # Connect with both header and query param (header should win)
+    with client.websocket_connect(
+        "/ws?user=wrong@example.com",
+        headers={"X-User-Email": "correct@example.com"}
+    ) as websocket:
+        # Send a test message
+        websocket.send_json({"type": "attach_file", "s3_key": "users/correct@example.com/test.txt"})
+
+        # Get the chat service instance
+        call_args = mock_app_factory.create_chat_service.call_args
+        connection_adapter = call_args[0][0]
+
+        # Should use header, not query param
+        assert connection_adapter.user_email == "correct@example.com"

atlas/version.py

@@ -0,0 +1,6 @@
+"""Application version constant.
+
+Single source of truth for the application version number.
+"""
+
+VERSION = "0.1.0"

atlas_chat-0.1.0.data/data/.env.example

@@ -0,0 +1,253 @@
+#############################################
+# Core / Development
+#############################################
+# Development mode - skip authentication when true
+DEBUG_MODE=true
+
+#############################################
+# RAG Configuration
+# Enable RAG (Retrieval-Augmented Generation) feature
+# Configure RAG sources in config/overrides/rag-sources.json
+# See docs/admin/external-rag-api.md for configuration details
+#############################################
+FEATURE_RAG_ENABLED=false
+
+# RAG source secrets (referenced in rag-sources.json via ${ENV_VAR} syntax)
+# ATLAS_RAG_URL=https://your-atlas-rag-api.example.com
+# ATLAS_RAG_BEARER_TOKEN=your-api-key-here
+
+# Server configuration
+PORT=8000
+APP_NAME=ATLAS
+
+# Network binding configuration
+# ATLAS_HOST controls which network interface the server binds to
+# Default: 127.0.0.1 (localhost only, secure)
+# Set to 0.0.0.0 for production deployments that need external access
+# ATLAS_HOST=127.0.0.1
+
+# Authentication configuration
+# Header name to extract authenticated username from reverse proxy
+# Different reverse proxy setups use different header names (e.g., X-User-Email, X-Authenticated-User, X-Remote-User)
+# Default: X-User-Email
+# AUTH_USER_HEADER=X-User-Email
+
+# Proxy secret authentication (optional security layer)
+# When enabled, the reverse proxy must include a secret header to authenticate itself
+# This ensures the application only accepts requests from the trusted reverse proxy
+# FEATURE_PROXY_SECRET_ENABLED=false
+# PROXY_SECRET_HEADER=X-Proxy-Secret
+# PROXY_SECRET=your-secure-random-secret-here
+# AUTH_REDIRECT_URL=/a
+# API Keys for LLM services
+OPENAI_API_KEY=sk-pro
+ANTHROPIC_API_KEY=your_anthropic_api_key_here
+GOOGLE_API_KEY=your_google_api_key_here
+OPENROUTER_API_KEY=sk-or
+CEREBRAS_API_KEY=your_cerebras_api_key_here
+GROQ_API_KEY=your-groq_api_key_here
+
+
+# Banner system configuration
+BANNER_ENABLED=true
+
+
+# Example .env configuration for OpenTelemetry logging
+
+# Environment mode (development or production)
+ENVIRONMENT=development
+
+#############################################
+# UI / Frontend
+#############################################
+
+# Frontend build-time app name (Vite will inject this into index.html)
+VITE_APP_NAME=ATLAS
+
+# Frontend build-time flag to show the "Powered By Sandia ATLAS" badge
+# on the welcome screen. Other deployments can set this to false
+# to hide the badge while still customizing the main logo.
+VITE_FEATURE_POWERED_BY_ATLAS=false
+
+# OpenTelemetry configuration (optional - for future use)
+# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
+# OTEL_SERVICE_NAME=atlas-ui-3-backend
+# OTEL_SERVICE_VERSION=1.0.0
+
+# Log level configuration (DEBUG, INFO, WARNING, ERROR, CRITICAL)
+# Controls verbosity of application logs and sensitive data logging
+# - DEBUG: Verbose logging including user input/output content (for development/testing only)
+# - INFO: Standard logging with metrics and counts, but no sensitive content (recommended for production)
+# - WARNING/ERROR/CRITICAL: Minimal logging, errors and warnings only
+LOG_LEVEL=INFO
+
+# Metrics logging configuration
+# Enable tracking of user activities without capturing sensitive data
+# When enabled, logs contain only metadata (counts, sizes, types)
+# Excludes prompts, tool arguments, file names, and error details
+FEATURE_METRICS_LOGGING_ENABLED=false
+
+# Suppress LiteLLM verbose logging (independent of LOG_LEVEL)
+# When true, sets LITELLM_LOG=ERROR to silence LiteLLM's noisy stdout/debug output
+# When false, LiteLLM uses its default logging behavior
+FEATURE_SUPPRESS_LITELLM_LOGGING=true
+
+USE_NEW_FRONTEND=true
+
+#############################################
+# Feature Flags (rollout controls)
+# Toggle advanced capabilities without changing code.
+# Set to true to enable in UI + API; false hides & suppresses data.
+# These are initialized to reflect your current enabled features.
+#############################################
+# Workspace selector (none configured yet)
+FEATURE_WORKSPACES_ENABLED=false
+# Note: RAG is controlled by RAG_PROVIDER setting (see above)
+# MCP / tools panel
+FEATURE_TOOLS_ENABLED=true
+# Marketplace browsing (disabled)
+FEATURE_MARKETPLACE_ENABLED=true
+# Uploaded/session files panel
+FEATURE_FILES_PANEL_ENABLED=true
+# Previous chat history list
+FEATURE_CHAT_HISTORY_ENABLED=false
+# Compliance level filtering for MCP servers and data sources
+FEATURE_COMPLIANCE_LEVELS_ENABLED=false
+# Startup splash screen for displaying policies and information
+FEATURE_SPLASH_SCREEN_ENABLED=false
+# Restrict access to whitelisted email domains (config/defaults/domain-whitelist.json)
+FEATURE_DOMAIN_WHITELIST_ENABLED=false
+# Enable automatic reconnection to failed MCP servers with exponential backoff
+FEATURE_MCP_AUTO_RECONNECT_ENABLED=false
+# Enable automatic file content extraction for uploaded PDFs/images
+# Requires running the file extractor mock service: python mocks/file-extractor-mock/main.py
+FEATURE_FILE_CONTENT_EXTRACTION_ENABLED=false
+
+#############################################
+# File Content Extraction Service Configuration
+# These are optional - only needed when using external extraction services
+# The mock extractor service works without these credentials
+#############################################
+# PDF extractor service credentials (optional for mock service)
+# PDF_EXTRACTOR_API_KEY=your_pdf_extractor_api_key_here
+# PDF_EXTRACTOR_CLIENT_ID=your_pdf_extractor_client_id_here
+# Image vision extractor service credentials (optional for mock service)
+# IMAGE_EXTRACTOR_API_KEY=your_image_extractor_api_key_here
+# OCR extractor service credentials (optional for mock service)
+# OCR_EXTRACTOR_API_KEY=your_ocr_extractor_api_key_here
+
+# (Adjust above to stage rollouts. For a bare-bones chat set them all to false.)
+
+#############################################
+# MCP Auto-Reconnect Settings
+# These settings control the automatic reconnection behavior for failed MCP servers.
+# Only active when FEATURE_MCP_AUTO_RECONNECT_ENABLED=true
+#############################################
+# Base interval in seconds between reconnect attempts (default: 60)
+# MCP_RECONNECT_INTERVAL=60
+# Maximum interval in seconds (caps exponential backoff, default: 300)
+# MCP_RECONNECT_MAX_INTERVAL=300
+# Multiplier for exponential backoff (default: 2.0)
+# MCP_RECONNECT_BACKOFF_MULTIPLIER=2.0
+
+#############################################
+# MCP Timeouts
+# Timeout in seconds for MCP discovery calls - list_tools, list_prompts (default: 30)
+MCP_DISCOVERY_TIMEOUT=30
+# Timeout in seconds for MCP tool calls (default: 120)
+MCP_CALL_TIMEOUT=120
+#############################################
+
+#############################################
+# MCP Per-User Token Storage
+# Encryption key for storing user API keys/tokens for MCP servers
+# If not set, an ephemeral key is generated and tokens won't persist across restarts
+#############################################
+# MCP_TOKEN_ENCRYPTION_KEY=your-random-string-at-least-32-chars
+# Directory to store encrypted tokens (default: config/secure/)
+# MCP_TOKEN_STORAGE_DIR=config/secure
+
+#############################################
+# Configuration File Names
+# Override the default names for configuration files.
+# Useful for testing or managing multiple configurations.
+#############################################
+# Splash screen configuration file name
+# SPLASH_CONFIG_FILE=splash-config.json
+# MCP servers configuration file name
+# MCP_CONFIG_FILE=mcp.json
+# LLM models configuration file name
+# LLM_CONFIG_FILE=llmconfig.yml
+# Help page configuration file name
+# HELP_CONFIG_FILE=help-config.json
+
+
+# ths might be need for mcp serves to know where to download the files.
+# CHATUI_BACKEND_BASE_URL=http://127.0.0.1:8000
+
+#############################################
+# File Access for Remote MCP Servers
+#############################################
+# Public URL of the backend API for file downloads by remote MCP servers
+# This should be the publicly accessible URL (including protocol and port if non-standard)
+# Examples:
+#   - Production: https://atlas-ui.example.com
+#   - Development: http://localhost:8000
+#   - With non-standard port: https://atlas-ui.example.com:8443
+# If not set, relative URLs will be used (only works for local/stdio servers on the same machine)
+# BACKEND_PUBLIC_URL=https://atlas-ui.example.com
+
+# Whether to include base64 encoded file content as fallback in tool arguments
+# This allows MCP servers to access files even if they cannot reach the backend URL
+# WARNING: Enabling this can significantly increase message sizes for large files
+# Default: false (recommended - use URL-based access instead)
+# INCLUDE_FILE_CONTENT_BASE64=false
+
+
+# Agent mode configuration
+AGENT_MAX_STEPS=30
+AGENT_DEFAULT_ENABLED=true
+# Agent mode availability (renamed to align with other FEATURE_* flags)
+FEATURE_AGENT_MODE_AVAILABLE=true
+# Agent loop strategy: react (structured reasoning) or think-act (faster, concise)
+AGENT_LOOP_STRATEGY=think-act
+
+# Tool approval configuration
+# Require approval by default for all tools (can be overridden per-tool in mcp.json)
+REQUIRE_TOOL_APPROVAL_BY_DEFAULT=false
+# Force approval for all tools (admin-enforced) regardless of per-tool or default settings
+# Set to true to require approval for every tool call
+FORCE_TOOL_APPROVAL_GLOBALLY=false
+
+# APP_LOG_DIR defaults to <project_root>/logs when unset
+# APP_LOG_DIR=/path/to/logs
+
+CAPABILITY_TOKEN_SECRET=blablah
+
+#############################################
+# S3/MinIO Storage Configuration
+#############################################
+# Choose ONE option below (comment out the other)
+
+# --- Option 1: Mock S3 (Default - No Docker required) ---
+USE_MOCK_S3=true
+
+# --- Option 2: MinIO (Requires Docker) ---
+# Uncomment below and set USE_MOCK_S3=false to use MinIO
+# USE_MOCK_S3=false
+# S3_ENDPOINT=http://localhost:9000
+# # Must match bucket created in docker-compose.yml
+# S3_BUCKET_NAME=atlas-files
+# S3_ACCESS_KEY=minioadmin
+# S3_SECRET_KEY=minioadmin
+# S3_REGION=us-east-1
+# S3_TIMEOUT=30
+# S3_USE_SSL=false
+
+
+# Content Security Policy (CSP) configuration
+# IMPORTANT: To allow external URLs in iframes (for MCP tools that use iframe display),
+# add the URLs to the frame-src directive. Example:
+# SECURITY_CSP_VALUE="... frame-src 'self' blob: data: https://example.com https://dashboard.example.com; ..."
+# HERE the www.sandia.gov is added as an allowed iframe source.
+SECURITY_CSP_VALUE="default-src 'self'; img-src 'self' data: blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-src 'self' blob: data: https://www.sandia.gov; frame-ancestors 'self'"

atlas_chat-0.1.0.data/data/config/defaults/compliance-levels.json

@@ -0,0 +1,44 @@
+{
+  "version": "2.0",
+  "description": "Defines compliance level types and their allowed combinations",
+  "levels": [
+    {
+      "name": "Public",
+      "description": "Publicly accessible data, no restrictions",
+      "aliases": [],
+      "allowed_with": ["Public"]
+    },
+    {
+      "name": "External",
+      "description": "External services with basic enterprise security",
+      "aliases": [],
+      "allowed_with": ["External"]
+    },
+    {
+      "name": "Internal",
+      "description": "Internal systems, can handle company IP information",
+      "aliases": [],
+      "allowed_with": ["Internal"]
+    },
+    {
+      "name": "SOC2",
+      "description": "SOC 2 Type II compliant systems",
+      "aliases": ["SOC-2", "SOC 2"],
+      "allowed_with": ["SOC2"]
+    },
+    {
+      "name": "HIPAA",
+      "description": "HIPAA compliant systems for healthcare data",
+      "aliases": ["HIPAA-Compliant"],
+      "allowed_with": ["HIPAA", "SOC2"]
+    },
+    {
+      "name": "FedRAMP",
+      "description": "FedRAMP authorized systems for government data",
+      "aliases": ["FedRAMP-Moderate", "FedRAMP-High"],
+      "allowed_with": ["FedRAMP", "SOC2"]
+    }
+  ],
+  "mode": "explicit_allowlist",
+  "mode_description": "Each compliance level explicitly defines which other levels can be used in the same session. For example, HIPAA can use HIPAA and SOC2 resources, but not Public or External to prevent data leakage."
+}

atlas_chat-0.1.0.data/data/config/defaults/domain-whitelist.json

@@ -0,0 +1,123 @@
+{
+  "version": "1.0",
+  "description": "Email domain whitelist for user access control. Enable/disable via FEATURE_DOMAIN_WHITELIST_ENABLED environment variable. When enabled, only users with email addresses from whitelisted domains can access the application.",
+  "domains": [
+    {
+      "domain": "doe.gov",
+      "description": "Department of Energy",
+      "category": "Government - DOE HQ"
+    },
+    {
+      "domain": "nnsa.doe.gov",
+      "description": "National Nuclear Security Administration",
+      "category": "Government - DOE HQ"
+    },
+    {
+      "domain": "hq.doe.gov",
+      "description": "DOE Headquarters",
+      "category": "Government - DOE HQ"
+    },
+    {
+      "domain": "anl.gov",
+      "description": "Argonne National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "bnl.gov",
+      "description": "Brookhaven National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "fnal.gov",
+      "description": "Fermi National Accelerator Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "inl.gov",
+      "description": "Idaho National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "lbl.gov",
+      "description": "Lawrence Berkeley National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "lanl.gov",
+      "description": "Los Alamos National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "llnl.gov",
+      "description": "Lawrence Livermore National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "ornl.gov",
+      "description": "Oak Ridge National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "pnnl.gov",
+      "description": "Pacific Northwest National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "sandia.gov",
+      "description": "Sandia National Laboratories",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "srnl.doe.gov",
+      "description": "Savannah River National Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "ameslab.gov",
+      "description": "Ames Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "jlab.org",
+      "description": "Thomas Jefferson National Accelerator Facility",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "princeton.edu",
+      "description": "Princeton University (PPPL host institution)",
+      "category": "University"
+    },
+    {
+      "domain": "pppl.gov",
+      "description": "Princeton Plasma Physics Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "slac.stanford.edu",
+      "description": "SLAC National Accelerator Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "pppl.gov",
+      "description": "Princeton Plasma Physics Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "nrel.gov",
+      "description": "National Renewable Energy Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "netl.doe.gov",
+      "description": "National Energy Technology Laboratory",
+      "category": "National Laboratory"
+    },
+    {
+      "domain": "stanford.edu",
+      "description": "Stanford University (SLAC host institution)",
+      "category": "University"
+    }
+  ],
+  "subdomain_matching": true,
+  "subdomain_matching_description": "When true, subdomains are automatically allowed (e.g., mail.sandia.gov matches sandia.gov)"
+}

atlas_chat-0.1.0.data/data/config/defaults/file-extractors.json

@@ -0,0 +1,74 @@
+{
+  "enabled": true,
+  "default_behavior": "extract",
+
+  "extractors": {
+    "pdf-text": {
+      "url": "http://localhost:8011/extract",
+      "method": "POST",
+      "timeout_seconds": 30,
+      "max_file_size_mb": 50,
+      "preview_chars": 2000,
+      "request_format": "multipart",
+      "form_field_name": "file",
+      "response_field": "text",
+      "enabled": true
+    },
+    "image-vision": {
+      "url": "http://localhost:8010/analyze",
+      "method": "POST",
+      "timeout_seconds": 60,
+      "max_file_size_mb": 20,
+      "preview_chars": 1000,
+      "request_format": "base64",
+      "response_field": "description",
+      "enabled": false,
+      "api_key": "${IMAGE_EXTRACTOR_API_KEY}"
+    },
+    "ocr": {
+      "url": "http://localhost:8010/ocr",
+      "method": "POST",
+      "timeout_seconds": 45,
+      "max_file_size_mb": 20,
+      "preview_chars": 2000,
+      "request_format": "base64",
+      "response_field": "text",
+      "enabled": false,
+      "api_key": "${OCR_EXTRACTOR_API_KEY}"
+    },
+    "pptx-text": {
+      "url": "http://localhost:8011/extract-pptx",
+      "method": "POST",
+      "timeout_seconds": 120,
+      "max_file_size_mb": 100,
+      "preview_chars": 2000,
+      "request_format": "base64",
+      "response_field": "text",
+      "enabled": false
+    }
+  },
+
+  "extension_mapping": {
+    ".pdf": "pdf-text",
+    ".png": "image-vision",
+    ".jpg": "image-vision",
+    ".jpeg": "image-vision",
+    ".gif": "image-vision",
+    ".webp": "image-vision",
+    ".tiff": "ocr",
+    ".tif": "ocr",
+    ".bmp": "ocr",
+    ".pptx": "pptx-text"
+  },
+
+  "mime_mapping": {
+    "application/pdf": "pdf-text",
+    "image/png": "image-vision",
+    "image/jpeg": "image-vision",
+    "image/gif": "image-vision",
+    "image/webp": "image-vision",
+    "image/tiff": "ocr",
+    "image/bmp": "ocr",
+    "application/vnd.openxmlformats-officedocument.presentationml.presentation": "pptx-text"
+  }
+}