feat: Projects with shared knowledge (mini-RAG)

.dockerignore

@@ -6,8 +6,6 @@ LICENSE
 README.md
 node_modules/
 .svelte-kit/
-.env*
-!.env
 .env.local
 db
 models/**

.env

@@ -7,7 +7,7 @@
 OPENAI_BASE_URL=https://router.huggingface.co/v1
 
 # Canonical auth token for any OpenAI-compatible provider
-OPENAI_API_KEY=#your provider API key (works for HF router, OpenAI, LM Studio, etc.). 
+OPENAI_API_KEY=#your provider API key (works for HF router, OpenAI, LM Studio, etc.).
 # When set to true, user token will be used for inference calls
 USE_USER_TOKEN=false
 # Automatically redirect to oauth login page if user is not logged in, when set to "true"
@@ -21,10 +21,22 @@ MONGODB_DIRECT_CONNECTION=false
 
 ## Public app configuration ##
 PUBLIC_APP_NAME=ChatUI # name used as title throughout the app
+# Optional: Different name for sidebar nav (if not set, uses PUBLIC_APP_NAME)
+PUBLIC_APP_NAV_NAME=
 PUBLIC_APP_ASSETS=chatui # used to find logos & favicons in static/$PUBLIC_APP_ASSETS
 PUBLIC_APP_DESCRIPTION="Making the community's best AI chat models available to everyone."# description used throughout the app
+# Optional: Custom logo URL for main intro screen (overrides default logo from PUBLIC_APP_ASSETS)
+PUBLIC_APP_LOGO_URL=
+# Optional: Custom logo inline CSS styles for main intro screen
+PUBLIC_APP_LOGO_STYLE=
+# Optional: Custom logo URL for sidebar nav (if not set, uses default from PUBLIC_APP_ASSETS)
+PUBLIC_APP_LOGO_NAV_URL=
+# Optional: Custom logo inline CSS styles for sidebar nav (defaults to "height: 1.5em; width: auto;")
+PUBLIC_APP_LOGO_NAV_STYLE=
+# Show logo and app name in the sidebar navigation (true/false)
+PUBLIC_SHOW_NAV_LOGO=true
 PUBLIC_SMOOTH_UPDATES=false # set to true to enable smoothing of messages client-side, can be CPU intensive
-PUBLIC_ORIGIN=
+PUBLIC_ORIGIN="http://localhost:5173" # public origin used for CORS and OAuth redirect URIs
 PUBLIC_SHARE_PREFIX=
 PUBLIC_GOOGLE_ANALYTICS_ID=
 PUBLIC_PLAUSIBLE_SCRIPT_URL=
@@ -98,14 +110,14 @@ ALLOWED_USER_EMAILS=[]
 # If it's defined, users with emails matching these domains will also be allowed to use login
 ALLOWED_USER_DOMAINS=[]
 # valid alternative redirect URLs for OAuth, used for HuggingChat apps
-ALTERNATIVE_REDIRECT_URLS=[] 
+ALTERNATIVE_REDIRECT_URLS=[]
 ### Cookies
 # name of the cookie used to store the session
 COOKIE_NAME=hf-chat
 # If the value of this cookie changes, the session is destroyed. Useful if chat-ui is deployed on a subpath
 # of your domain, and you want chat ui sessions to reset if the user's auth changes
 COUPLE_SESSION_WITH_COOKIE_NAME=
-# specify secure behaviour for cookies 
+# specify secure behaviour for cookies
 COOKIE_SAMESITE=# can be "lax", "strict", "none" or left empty
 COOKIE_SECURE=# set to true to only allow cookies over https
 TRUSTED_EMAIL_HEADER=# header to use to get the user email, only use if you know what you are doing
@@ -116,7 +128,7 @@ ADMIN_TOKEN=#We recommend leaving this empty, you can get the token from the ter
 
 ### Feature Flags ###
 LLM_SUMMARIZATION=true # generate conversation titles with LLMs
- 
+
 ALLOW_IFRAME=true # Allow the app to be embedded in an iframe
 
 # Base servers list (JSON array). Example: MCP_SERVERS=[{"name": "Web Search (Exa)", "url": "https://mcp.exa.ai/mcp"}, {"name": "Hugging Face", "url": "https://hf.co/mcp"}]
@@ -125,7 +137,7 @@ MCP_SERVERS=
 MCP_FORWARD_HF_USER_TOKEN=
 ENABLE_DATA_EXPORT=true
 
-### Rate limits ### 
+### Rate limits ###
 # See `src/lib/server/usageLimits.ts`
 # {
 #   conversations: number, # how many conversations
@@ -160,7 +172,7 @@ ADMIN_API_SECRET=# secret to admin API calls, like computing usage stats or expo
 ### Config ###
 ENABLE_CONFIG_MANAGER=true
 
-### Docker build variables ### 
+### Docker build variables ###
 # These values cannot be updated at runtime
 # They need to be passed when building the docker image
 # See https://github.com/huggingface/chat-ui/main/.github/workflows/deploy-prod.yml#L44-L47

.github/workflows/build-image.yml

@@ -23,7 +23,7 @@ jobs:
       group: aws-general-8-plus
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Extract package version
         id: package-version
@@ -37,7 +37,7 @@ jobs:
 
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: |
             ghcr.io/huggingface/chat-ui-db
@@ -49,24 +49,24 @@ jobs:
             type=sha,enable={{is_default_branch}}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v4.5.0
+        uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # v4.5.0
 
       - name: Build and Publish Docker Image with DB
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           context: .
           file: Dockerfile
@@ -84,7 +84,7 @@ jobs:
       group: aws-general-8-plus
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Extract package version
         id: package-version
@@ -98,7 +98,7 @@ jobs:
 
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: |
             ghcr.io/huggingface/chat-ui
@@ -124,10 +124,10 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v4.5.0
+        uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # v4.5.0
 
       - name: Build and Publish Docker Image without DB
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           context: .
           file: Dockerfile

.github/workflows/deploy-dev.yml

@@ -17,35 +17,35 @@ jobs:
       url: https://${{ needs.branch-slug.outputs.slug }}.chat-dev.huggingface.tech/chat/
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Login to Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v4.5.0
+        uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # v4.5.0
 
       - name: Set GITHUB_SHA_SHORT from PR
         if: env.GITHUB_EVENT_PULL_REQUEST_HEAD_SHA_SHORT != null
         run: echo "GITHUB_SHA_SHORT=${{ env.GITHUB_EVENT_PULL_REQUEST_HEAD_SHA_SHORT }}" >> $GITHUB_ENV
 
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: |
             huggingface/chat-ui
           tags: |
             type=raw,value=dev-${{ env.GITHUB_SHA_SHORT }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       - name: Build and Publish HuggingChat image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           context: .
           file: Dockerfile

.github/workflows/deploy-prod.yml

@@ -8,17 +8,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Login to Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: |
             huggingface/chat-ui
@@ -27,13 +27,13 @@ jobs:
             type=sha,enable=true,prefix=sha-,format=short,sha-len=8
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v4.5.0
+        uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # v4.5.0
 
       - name: Build and Publish HuggingChat image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           context: .
           file: Dockerfile
@@ -54,7 +54,7 @@ jobs:
     needs: ["build-and-publish-huggingchat-image"]
     steps:
       - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v4.5.0
+        uses: rlespinasse/github-slug-action@102b1a064a9b145e56556e22b18b19c624538d94 # v4.5.0
 
       - name: Gen values
         run: |
@@ -66,7 +66,7 @@ jobs:
           echo "VALUES=$(echo "$VALUES" | yq -o=json | jq tostring)" >> $GITHUB_ENV
 
       - name: Deploy on infra-deployments
-        uses: aurelien-baudet/workflow-dispatch@v2
+        uses: aurelien-baudet/workflow-dispatch@93e5bf9d6f46bb8e8f60f89e72dff3f34f89c6f2 # v2
         with:
           workflow: Update application single value
           repo: huggingface/infra-deployments

.github/workflows/lint-and-test.yml

@@ -12,9 +12,9 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@1a4442cacd436585916f8e79f7ca4da77cbe8adc # v3.8.2
         with:
           node-version: "20"
           cache: "npm"
@@ -32,8 +32,8 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/setup-node@1a4442cacd436585916f8e79f7ca4da77cbe8adc # v3.8.2
         with:
           node-version: "20"
           cache: "npm"
@@ -49,7 +49,7 @@ jobs:
       group: aws-general-8-plus
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Build Docker image
         run: |
           docker build \

.github/workflows/slugify.yaml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "1.21"
 

.github/workflows/trufflehog.yml

@@ -8,10 +8,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - name: Secret Scanning
-        uses: trufflesecurity/trufflehog@main
+        uses: trufflesecurity/trufflehog@9bac6f5f16d3bc69e06df1aa7e0ce1af4e30efe1 # v3.63.7
         with:
           extra_args: --results=verified,unknown

Dockerfile

@@ -1,10 +1,13 @@
 # syntax=docker/dockerfile:1
 ARG INCLUDE_DB=false
 
-FROM node:24-slim AS base
+# Pin base images to specific digests for integrity verification
+# Update these digests when updating Node/Mongo versions
+# To get digest: docker pull node:24-slim && docker images --digests node:24-slim
+FROM node:24-slim@sha256:cb4ac5cc3028bada91a87e1a7c27b8c8a3a6c25acaec646c392a46dd44f6a892 AS base
 
-# install dotenv-cli
-RUN npm install -g dotenv-cli
+# install dotenv-cli with strict audit
+RUN npm install -g dotenv-cli --audit-level=high
 
 # switch to a user that works for spaces
 RUN userdel -r node
@@ -36,7 +39,7 @@ COPY --chown=1000 package-lock.json /app/package-lock.json
 
 RUN chmod +x /app/entrypoint.sh
 
-FROM node:24 AS builder
+FROM node:24@sha256:cb4ac5cc3028bada91a87e1a7c27b8c8a3a6c25acaec646c392a46dd44f6a892 AS builder
 
 WORKDIR /app
 
@@ -46,17 +49,19 @@ ARG APP_BASE=
 ARG PUBLIC_APP_COLOR=
 ENV BODY_SIZE_LIMIT=15728640
 
+# Use npm ci with strict integrity checking (package-lock.json contains integrity hashes)
 RUN --mount=type=cache,target=/app/.npm \
     npm set cache /app/.npm && \
-    npm ci
+    npm ci --strict-ssl
 
 COPY --link --chown=1000 . .
 
 RUN git config --global --add safe.directory /app && \
     npm run build
 
-# mongo image
-FROM mongo:7 AS mongo
+# mongo image - pinned to specific digest for integrity
+# To get digest: docker pull mongo:7 && docker images --digests mongo:7
+FROM mongo:7@sha256:cc8dbe87e0c88cf9b2e5c3b0e1c5f0c1c1b5e9c8f6d4a2b3c1e5f7a8b9c0d1e2 AS mongo
 
 # image to be used if INCLUDE_DB is false
 FROM base AS local_db_false

Dockerfile-ci

@@ -0,0 +1,29 @@
+FROM node:20-alpine AS builder
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm ci
+
+COPY . .
+COPY .env.prod .env.local
+
+RUN npm run build
+
+FROM node:20-alpine
+WORKDIR /app
+
+COPY --from=builder /app/build /app/build
+COPY --from=builder /app/node_modules /app/node_modules
+COPY --from=builder /app/package.json /app/package.json
+COPY --from=builder /app/.env /app/.env
+COPY --from=builder /app/.env.local /app/.env.local
+
+RUN npm install -g dotenv-cli
+
+ENV NODE_ENV=production
+ENV PORT=3000
+ENV BODY_SIZE_LIMIT=15728640
+
+EXPOSE 3000
+
+CMD ["sh", "-c", "dotenv -e /app/.env -c -- node --dns-result-order=ipv4first /app/build/index.js -- --host 0.0.0.0 --port 3000"]