apunkt/SurfSense
1
0
Fork 0
mirror of https://github.com/MODSetter/SurfSense.git synced 2026-04-25 00:36:31 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

feat(story-3.5): add cloud-mode LLM model selection with token quota enforcement

Browse source 
Implement system-managed model catalog, subscription tier enforcement,
atomic token quota tracking, and frontend cloud/self-hosted conditional
rendering. Apply all 20 BMAD code review patches including security
fixes (cross-user API key hijack), race condition mitigation (atomic SQL
UPDATE), and SSE mid-stream quota error handling.

Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
This commit is contained in:
Vonic 2026-04-14 17:01:21 +07:00
parent e7382b26de
commit c1776b3ec8
19 changed files with 1003 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

44
_bmad-output/implementation-artifacts/3-5-model-selection-via-quota.md
View file

@ -1,6 +1,6 @@
# Story 3.5: Lựa chọn Mô hình LLM dựa trên Subscription (Model Selection via Quota)
Status: ready-for-dev
Status: in-progress
## Story
@ -46,13 +46,13 @@ so that tôi có thể dùng trực tiếp và chi phí sử dụng được tr
- [ ] Subtask 4.1: Trước khi gọi LLM trong SSE stream, check `tokens_used_this_month < monthly_token_limit`. Nếu vượt → raise HTTPException 402 "Token quota exceeded. Upgrade your plan."
- [ ] Subtask 4.2: (Optional) Ước tính input tokens trước khi gọi để pre-check.
- [ ] Task 5: Frontend — System Model Selector (thay thế BYOK)
- [ ] Subtask 5.1: Tạo component `SystemModelSelector` — fetch `GET /api/v1/models`, hiển thị dropdown với model name + cost indicator.
- [ ] Subtask 5.2: Conditional rendering: nếu `NEXT_PUBLIC_DEPLOYMENT_MODE=hosted` → dùng `SystemModelSelector`; nếu `self-hosted` → giữ BYOK hiện tại.
- [x] Task 5: Frontend — System Model Selector (thay thế BYOK)
- [x] Subtask 5.1: Tạo component `SystemModelSelector` — fetch `GET /api/v1/models/system`, hiển thị dropdown với model name + tier badge.
- [x] Subtask 5.2: Conditional rendering: nếu `NEXT_PUBLIC_DEPLOYMENT_MODE=cloud` → dùng `SystemModelSelector`; nếu `self-hosted` → giữ BYOK hiện tại.
- [ ] Subtask 5.3: Ẩn/disable trang `llm-configs` (nhập API key) khi ở hosted mode.
- [ ] Task 6: Frontend — Upgrade Prompt khi hết quota
- [ ] Subtask 6.1: Bắt lỗi 402 từ SSE stream, hiển thị modal "Bạn đã hết token quota. Nâng cấp gói tại /pricing".
- [x] Task 6: Frontend — Upgrade Prompt khi hết quota
- [x] Subtask 6.1: Bắt lỗi 402 từ SSE stream, hiển thị toast "Monthly token quota exceeded" với action button "Upgrade" → `/pricing`.
## Dev Notes
@ -78,3 +78,35 @@ Tham khảo `PageLimitService` (`surfsense_backend/app/services/page_limit_servi
- `surfsense_web/components/new-chat/model-selector.tsx` — BYOK (cần thay)
- `surfsense_backend/app/services/page_limit_service.py` — pattern tham khảo
- Endpoint SSE hiện tại: `/api/v1/chat/stream`
### Review Findings
_Code review 2026-04-14 — Blind Hunter + Edge Case Hunter + Acceptance Auditor_
#### Decision Needed
- [x] [Review][Decision→Patch] **Backend tier enforcement at chat time** — RESOLVED: Enforce ngay trong Story 3.5. Thêm tier check vào chat endpoint trước khi gọi LLM. [model_list_routes.py, new_chat_routes.py]
#### Patch
- [x] [Review][Patch] **Alembic migration absent for 7 new User columns + SubscriptionStatus enum** — DB columns (monthly_token_limit, tokens_used_this_month, token_reset_date, subscription_status, plan_id, stripe_customer_id, stripe_subscription_id) added to model but no migration file. SubscriptionStatus enum has `create_type=False` but PG type never created. [surfsense_backend/app/db.py]
- [x] [Review][Patch] **Race condition: token quota uses ORM read-modify-write instead of atomic SQL UPDATE** — Spec explicitly requires `UPDATE ... SET tokens_used = tokens_used + cost` pattern. Current code reads user, adds in Python, writes back — concurrent tabs can overspend. [surfsense_backend/app/services/token_quota_service.py:update_token_usage]
- [x] [Review][Patch] **Security: model_id > 0 allows cross-user BYOK config hijack** — Cloud mode accepts any positive integer as model_id, which maps to user-created NewLLMConfig records. Attacker can use another user's API key. Must validate model_id ≤ 0 (system models) in cloud mode. [surfsense_backend/app/routes/new_chat_routes.py]
- [x] [Review][Patch] **stream_resume_chat never deducts tokens from quota** — Token counting + deduction logic only in stream_new_chat. Resume path skips quota update entirely — violates AC 3. [surfsense_backend/app/tasks/chat/stream_new_chat.py:stream_resume_chat]
- [x] [Review][Patch] **Frontend handleResume doesn't send model_id** — onNew and handleRegenerate inject selectedSystemModelId but handleResume omits it. Backend schema already supports it. [surfsense_web/app/dashboard/[search_space_id]/chat/[chat_session_id]/page.tsx:handleResume]
- [x] [Review][Patch] **systemModelsAtom fetches unconditionally in self-hosted mode** — atomWithQuery fires on mount regardless of deployment mode. Wastes network call + may 404. Add isCloud() guard. [surfsense_web/atoms/new-llm-config/system-models-query.atoms.ts]
- [x] [Review][Patch] **_maybe_reset_monthly_tokens double-commit fragility** — Method calls session.commit() then caller also commits → potential MissingGreenlet in async context. Should let caller manage transaction boundary. [surfsense_backend/app/services/token_quota_service.py:_maybe_reset_monthly_tokens]
- [x] [Review][Patch] **get_token_usage skips monthly reset check** — Doesn't call _maybe_reset_monthly_tokens, so stale tokens_used may be returned after month rollover. [surfsense_backend/app/services/token_quota_service.py:get_token_usage]
- [x] [Review][Patch] **Token accumulation ignores None usage_metadata** — on_chat_model_end callback doesn't guard against None/missing total_tokens from LLM response metadata. Will silently skip or raise AttributeError. [surfsense_backend/app/tasks/chat/stream_new_chat.py:on_chat_model_end]
- [x] [Review][Patch] **selectedSystemModelIdAtom persists across search spaces** — Global atom never resets when user switches search space. Previous selection carries over incorrectly. [surfsense_web/atoms/new-llm-config/system-models-query.atoms.ts]
- [x] [Review][Patch] **token_reset_date stored as String(50) instead of Date column** — Should be a proper Date/DateTime column for reliable comparison. Current string comparison with fromisoformat() is fragile. [surfsense_backend/app/db.py]
- [x] [Review][Patch] **QuotaExceededError only handles HTTP 402, not mid-stream SSE quota errors** — If quota is exceeded during streaming (race condition between check and stream), SSE error is not caught as QuotaExceededError. [surfsense_web/app/dashboard/…/page.tsx]
- [x] [Review][Patch] **Indentation inconsistency in page.tsx** — Mixed tab/space indentation in modified sections. [surfsense_web/app/dashboard/[search_space_id]/chat/[chat_session_id]/page.tsx]
- [x] [Review][Patch] **displayModel falls back to models[0] silently** — If selectedSystemModelId doesn't match any model, defaults to first model without user notice. Empty array not guarded. [surfsense_web/components/new-chat/system-model-selector.tsx]
- [x] [Review][Patch] **check_token_quota boundary: tokens_used == limit passes with estimated_tokens=0** — Off-by-one: when exactly at limit, check passes. Should use >= for strict enforcement. [surfsense_backend/app/services/token_quota_service.py:check_token_quota]
- [x] [Review][Patch] **_get_tier_for_model pattern matching fragile** — Hardcoded substring checks ("gpt-4o-mini", "claude-3-haiku") will break with new model names. No fallback tier. [surfsense_backend/app/routes/model_list_routes.py:_get_tier_for_model]
- [x] [Review][Patch] **GET /models/system endpoint not gated by is_cloud()** — Endpoint accessible in self-hosted mode. Should return 404 or empty when not in cloud mode. [surfsense_backend/app/routes/model_list_routes.py]
- [x] [Review][Patch] **Subtask 5.3: llm-configs page not hidden in hosted/cloud mode** — User can still navigate to BYOK API key page. Needs conditional route guard or redirect. [surfsense_web/app/dashboard/[search_space_id]/llm-configs/]
- [x] [Review][Patch] **update_token_usage has unnecessary session.refresh()** — Refresh after atomic update is redundant and adds latency. [surfsense_backend/app/services/token_quota_service.py:update_token_usage]
- [x] [Review][Patch] **Model catalog missing cost_per_1k_tokens and explicit tier_required fields** — Spec Task 1.1 requires cost_per_1k_input_tokens, cost_per_1k_output_tokens, tier_required per model. YAML catalog doesn't include these; tier derived by fragile pattern match. [surfsense_backend/config/global_llm_config.yaml]
#### Deferred (pre-existing / out of scope)
- [x] [Review][Defer] **stripe_subscription_id has no unique constraint** [surfsense_backend/app/db.py] — deferred, will be addressed in Epic 5 (Stripe Payment Integration)
- [x] [Review][Defer] **load_llm_config_from_yaml reads API keys directly from YAML file, not env vars** [surfsense_backend/app/config.py] — deferred, pre-existing architecture pattern

6
_bmad-output/implementation-artifacts/deferred-work.md Normal file
View file

@ -0,0 +1,6 @@
# Deferred Work
## Deferred from: code review of story 3-5-model-selection-via-quota (2026-04-14)
- **stripe_subscription_id has no unique constraint** [surfsense_backend/app/db.py] — Column added without UNIQUE constraint. Should be enforced once Stripe integration (Epic 5) is implemented to prevent duplicate subscription mappings.
- **load_llm_config_from_yaml reads API keys directly from YAML file, not env vars** [surfsense_backend/app/config.py] — Pre-existing: YAML config stores API keys inline. Spec Task 1.2 says "đọc API keys từ env vars" but this is the existing pattern used throughout the project. To be refactored when security hardening is prioritized.

4
_bmad-output/implementation-artifacts/sprint-status.yaml
View file

@ -35,7 +35,7 @@
# - Dev moves story to 'review', then runs code-review (fresh context, different LLM recommended)
generated: 2026-04-13T02:50:25+07:00
last_updated: 2026-04-13T02:50:25+07:00
last_updated: 2026-04-14T17:00:00+07:00
project: SurfSense
project_key: NOKEY
tracking_system: file-system
@ -58,7 +58,7 @@ development_status:
3-2-rag-engine-sse-endpoint: done
3-3-chat-ui-sse-client: done
3-4-split-pane-layout-interactive-citation: done
3-5-model-selection-via-quota: backlog
3-5-model-selection-via-quota: done
epic-3-retrospective: optional
epic-4: done
4-1-chat-history-sync: done

76
surfsense_backend/alembic/versions/124_add_subscription_token_quota_columns.py Normal file
View file

@ -0,0 +1,76 @@
"""124_add_subscription_token_quota_columns
Revision ID: 124
Revises: 123
Create Date: 2026-04-14
Adds subscription and token quota columns to the user table for
cloud-mode LLM billing (Story 3.5).
Columns added:
- monthly_token_limit (Integer, default 100000)
- tokens_used_this_month (Integer, default 0)
- token_reset_date (Date, nullable)
- subscription_status (Enum: free/active/canceled/past_due, default 'free')
- plan_id (String(50), default 'free')
- stripe_customer_id (String(255), nullable, unique)
- stripe_subscription_id (String(255), nullable, unique)
Also creates the 'subscriptionstatus' PostgreSQL enum type.
"""
from __future__ import annotations
from collections.abc import Sequence
import sqlalchemy as sa
from alembic import op
revision: str = "124"
down_revision: str | None = "123"
branch_labels: str | Sequence[str] | None = None
depends_on: str | Sequence[str] | None = None
# Create the enum type so SQLAlchemy's create_type=False works at runtime
subscriptionstatus_enum = sa.Enum(
"free", "active", "canceled", "past_due",
name="subscriptionstatus",
)
def upgrade() -> None:
# Create the PostgreSQL enum type first
subscriptionstatus_enum.create(op.get_bind(), checkfirst=True)
op.add_column("user", sa.Column("monthly_token_limit", sa.Integer(), nullable=False, server_default="100000"))
op.add_column("user", sa.Column("tokens_used_this_month", sa.Integer(), nullable=False, server_default="0"))
op.add_column("user", sa.Column("token_reset_date", sa.Date(), nullable=True))
op.add_column(
"user",
sa.Column(
"subscription_status",
subscriptionstatus_enum,
nullable=False,
server_default="free",
),
)
op.add_column("user", sa.Column("plan_id", sa.String(50), nullable=False, server_default="free"))
op.add_column("user", sa.Column("stripe_customer_id", sa.String(255), nullable=True))
op.add_column("user", sa.Column("stripe_subscription_id", sa.String(255), nullable=True))
op.create_unique_constraint("uq_user_stripe_customer_id", "user", ["stripe_customer_id"])
op.create_unique_constraint("uq_user_stripe_subscription_id", "user", ["stripe_subscription_id"])
def downgrade() -> None:
op.drop_constraint("uq_user_stripe_subscription_id", "user", type_="unique")
op.drop_constraint("uq_user_stripe_customer_id", "user", type_="unique")
op.drop_column("user", "stripe_subscription_id")
op.drop_column("user", "stripe_customer_id")
op.drop_column("user", "plan_id")
op.drop_column("user", "subscription_status")
op.drop_column("user", "token_reset_date")
op.drop_column("user", "tokens_used_this_month")
op.drop_column("user", "monthly_token_limit")
subscriptionstatus_enum.drop(op.get_bind(), checkfirst=True)

28
surfsense_backend/app/config/global_llm_config.example.yaml
View file

@ -52,6 +52,9 @@ global_llm_configs:
model_name: "gpt-4-turbo-preview"
api_key: "sk-your-openai-api-key-here"
api_base: ""
tier_required: "pro" # free | pro | enterprise
cost_per_1k_input_tokens: 0.01
cost_per_1k_output_tokens: 0.03
# Rate limits for load balancing (requests/tokens per minute)
rpm: 500 # Requests per minute
tpm: 100000 # Tokens per minute
@ -71,6 +74,9 @@ global_llm_configs:
model_name: "claude-3-opus-20240229"
api_key: "sk-ant-your-anthropic-api-key-here"
api_base: ""
tier_required: "pro"
cost_per_1k_input_tokens: 0.015
cost_per_1k_output_tokens: 0.075
rpm: 1000
tpm: 100000
litellm_params:
@ -88,6 +94,9 @@ global_llm_configs:
model_name: "gpt-3.5-turbo"
api_key: "sk-your-openai-api-key-here"
api_base: ""
tier_required: "free"
cost_per_1k_input_tokens: 0.0005
cost_per_1k_output_tokens: 0.0015
rpm: 3500 # GPT-3.5 has higher rate limits
tpm: 200000
litellm_params:
@ -105,6 +114,9 @@ global_llm_configs:
model_name: "deepseek-chat"
api_key: "your-deepseek-api-key-here"
api_base: "https://api.deepseek.com/v1"
tier_required: "free"
cost_per_1k_input_tokens: 0.0001
cost_per_1k_output_tokens: 0.0002
rpm: 60
tpm: 100000
litellm_params:
@ -134,6 +146,9 @@ global_llm_configs:
api_key: "your-azure-api-key-here"
api_base: "https://your-resource.openai.azure.com"
api_version: "2024-02-15-preview" # Azure API version
tier_required: "pro"
cost_per_1k_input_tokens: 0.005
cost_per_1k_output_tokens: 0.015
rpm: 1000
tpm: 150000
litellm_params:
@ -156,6 +171,9 @@ global_llm_configs:
api_key: "your-azure-api-key-here"
api_base: "https://your-resource.openai.azure.com"
api_version: "2024-02-15-preview"
tier_required: "pro"
cost_per_1k_input_tokens: 0.01
cost_per_1k_output_tokens: 0.03
rpm: 500
tpm: 100000
litellm_params:
@ -174,6 +192,9 @@ global_llm_configs:
model_name: "llama3-70b-8192"
api_key: "your-groq-api-key-here"
api_base: ""
tier_required: "pro"
cost_per_1k_input_tokens: 0.00059
cost_per_1k_output_tokens: 0.00079
rpm: 30 # Groq has lower rate limits on free tier
tpm: 14400
litellm_params:
@ -191,6 +212,9 @@ global_llm_configs:
model_name: "MiniMax-M2.5"
api_key: "your-minimax-api-key-here"
api_base: "https://api.minimax.io/v1"
tier_required: "free"
cost_per_1k_input_tokens: 0.001
cost_per_1k_output_tokens: 0.003
rpm: 60
tpm: 100000
litellm_params:
@ -347,6 +371,10 @@ global_vision_llm_configs:
# - system_instructions: Custom prompt or empty string to use defaults
# - use_default_system_instructions: true = use SURFSENSE_SYSTEM_INSTRUCTIONS when system_instructions is empty
# - citations_enabled: true = include citation instructions, false = include anti-citation instructions
# - tier_required: "free" | "pro" | "enterprise" — subscription tier needed to use this model.
# If omitted, tier is inferred from model_name via pattern matching (fragile).
# - cost_per_1k_input_tokens / cost_per_1k_output_tokens: Optional cost metadata for display.
# Not used for billing (token quota is flat), but shown in the UI for transparency.
# - All standard LiteLLM providers are supported
# - rpm/tpm: Optional rate limits for load balancing (requests/tokens per minute)
# These help the router distribute load evenly and avoid rate limit errors

36
surfsense_backend/app/db.py
View file

@ -14,6 +14,7 @@ from sqlalchemy import (
TIMESTAMP,
Boolean,
Column,
Date,
Enum as SQLAlchemyEnum,
ForeignKey,
Index,
@ -320,6 +321,13 @@ class PagePurchaseStatus(StrEnum):
FAILED = "failed"
class SubscriptionStatus(StrEnum):
FREE = "free"
ACTIVE = "active"
CANCELED = "canceled"
PAST_DUE = "past_due"
# Centralized configuration for incentive tasks
# This makes it easy to add new tasks without changing code in multiple places
INCENTIVE_TASKS_CONFIG = {
@ -1955,6 +1963,20 @@ if config.AUTH_TYPE == "GOOGLE":
)
pages_used = Column(Integer, nullable=False, default=0, server_default="0")
# Subscription and token quota (cloud mode)
monthly_token_limit = Column(Integer, nullable=False, default=100000, server_default="100000")
tokens_used_this_month = Column(Integer, nullable=False, default=0, server_default="0")
token_reset_date = Column(Date, nullable=True)
subscription_status = Column(
SQLAlchemyEnum(SubscriptionStatus, name="subscriptionstatus", create_type=True),
nullable=False,
default=SubscriptionStatus.FREE,
server_default="free",
)
plan_id = Column(String(50), nullable=False, default="free", server_default="free")
stripe_customer_id = Column(String(255), nullable=True, unique=True)
stripe_subscription_id = Column(String(255), nullable=True, unique=True)
# User profile from OAuth
display_name = Column(String, nullable=True)
avatar_url = Column(String, nullable=True)
@ -2069,6 +2091,20 @@ else:
)
pages_used = Column(Integer, nullable=False, default=0, server_default="0")
# Subscription and token quota (cloud mode)
monthly_token_limit = Column(Integer, nullable=False, default=100000, server_default="100000")
tokens_used_this_month = Column(Integer, nullable=False, default=0, server_default="0")
token_reset_date = Column(Date, nullable=True)
subscription_status = Column(
SQLAlchemyEnum(SubscriptionStatus, name="subscriptionstatus", create_type=True),
nullable=False,
default=SubscriptionStatus.FREE,
server_default="free",
)
plan_id = Column(String(50), nullable=False, default="free", server_default="free")
stripe_customer_id = Column(String(255), nullable=True, unique=True)
stripe_subscription_id = Column(String(255), nullable=True, unique=True)
# User profile (can be set manually for non-OAuth users)
display_name = Column(String, nullable=True)
avatar_url = Column(String, nullable=True)

123
surfsense_backend/app/routes/model_list_routes.py
View file

@ -3,6 +3,9 @@ API route for fetching the available models catalogue.
Serves a dynamically-updated list sourced from the OpenRouter public API,
with a local JSON fallback when the API is unreachable.
Also exposes a /models/system endpoint that returns the system-managed models
from global_llm_config.yaml for use in cloud/hosted mode (no BYOK).
"""
import logging
@ -10,6 +13,7 @@ import logging
from fastapi import APIRouter, Depends, HTTPException
from pydantic import BaseModel
from app.config import config
from app.db import User
from app.services.model_list_service import get_model_list
from app.users import current_active_user
@ -25,12 +29,81 @@ class ModelListItem(BaseModel):
context_window: str | None = None
class SystemModelItem(BaseModel):
"""A system-managed model available in cloud mode."""
id: int # Negative ID from global_llm_config.yaml (e.g. -1, -2)
name: str
description: str | None = None
provider: str
model_name: str
tier_required: str = "free" # "free" | "pro" | "enterprise"
def _get_tier_for_model(provider: str, model_name: str) -> str:
"""
Derive the subscription tier required to use a given model.
Rules (adjust as pricing plans are defined):
- GPT-4 class, Claude 3 Opus, Gemini Ultra pro
- Everything else free
"""
model_lower = model_name.lower()
# Pro-tier models: high-capability / expensive models
pro_patterns = [
"gpt-4",
"claude-3-opus",
"claude-3-5-sonnet",
"claude-3-7-sonnet",
"gemini-1.5-pro",
"gemini-2.0-pro",
"gemini-2.5-pro",
"llama3-70b",
"llama-3-70b",
"mistral-large",
]
for pattern in pro_patterns:
if pattern in model_lower:
return "pro"
return "free"
def get_tier_for_model_id(model_id: int) -> str:
"""
Look up the tier_required for a given system model ID.
Used by chat routes to enforce tier at request time.
Prefers explicit `tier_required` from YAML; falls back to pattern matching.
Returns:
The tier string ("free", "pro", "enterprise") or "free" if not found.
"""
global_configs = config.GLOBAL_LLM_CONFIGS
if not global_configs:
return "free"
for cfg in global_configs:
if cfg.get("id") == model_id:
# Prefer explicit tier from YAML config
explicit_tier = cfg.get("tier_required")
if explicit_tier:
return str(explicit_tier).lower()
# Fall back to pattern-based inference
provider = str(cfg.get("provider", "UNKNOWN"))
model_name = str(cfg.get("model_name", ""))
return _get_tier_for_model(provider, model_name)
return "free"
@router.get("/models", response_model=list[ModelListItem])
async def list_available_models(
user: User = Depends(current_active_user),
):
"""
Return all available models grouped by provider.
Return all available models grouped by provider (BYOK / self-hosted mode).
The list is sourced from the OpenRouter public API and cached for 1 hour.
If the API is unreachable, a local fallback file is used instead.
@ -42,3 +115,51 @@ async def list_available_models(
raise HTTPException(
status_code=500, detail=f"Failed to fetch model list: {e!s}"
) from e
@router.get("/models/system", response_model=list[SystemModelItem])
async def list_system_models(
user: User = Depends(current_active_user),
):
"""
Return system-managed models from global_llm_config.yaml (cloud mode).
Models are annotated with a `tier_required` field so the frontend can
show which models require a paid subscription plan. The caller's current
subscription status is NOT checked here enforcement happens at chat time.
Only available in cloud mode.
"""
if not config.is_cloud():
raise HTTPException(
status_code=404,
detail="System models are only available in cloud mode.",
)
global_configs = config.GLOBAL_LLM_CONFIGS
if not global_configs:
return []
items: list[SystemModelItem] = []
for cfg in global_configs:
cfg_id = cfg.get("id")
if cfg_id is None or cfg_id >= 0:
# Skip auto-mode (0) and any mistakenly positive IDs
continue
provider = str(cfg.get("provider", "UNKNOWN"))
model_name = str(cfg.get("model_name", ""))
# Prefer explicit tier from YAML; fall back to pattern matching
explicit_tier = cfg.get("tier_required")
tier = str(explicit_tier).lower() if explicit_tier else _get_tier_for_model(provider, model_name)
items.append(
SystemModelItem(
id=cfg_id,
name=str(cfg.get("name", model_name)),
description=cfg.get("description"),
provider=provider,
model_name=model_name,
tier_required=tier,
)
)
return items

126
surfsense_backend/app/routes/new_chat_routes.py
View file

@ -51,6 +51,9 @@ from app.schemas.new_chat import (
ThreadListItem,
ThreadListResponse,
)
from app.config import config
from app.routes.model_list_routes import get_tier_for_model_id
from app.services.token_quota_service import TokenQuotaExceededError, TokenQuotaService
from app.tasks.chat.stream_new_chat import stream_new_chat, stream_resume_chat
from app.users import current_active_user
from app.utils.rbac import check_permission
@ -1112,6 +1115,47 @@ async def handle_new_chat(
search_space.agent_llm_id if search_space.agent_llm_id is not None else -1
)
# Cloud mode: allow frontend to override with a system model selection
# Security: only negative IDs (system models from YAML) are allowed in cloud mode
if config.is_cloud() and request.model_id is not None:
if request.model_id > 0:
raise HTTPException(
status_code=403,
detail="Custom LLM configurations are not allowed in cloud mode. Use system models only.",
)
llm_config_id = request.model_id
# Enforce subscription tier for the selected model
required_tier = get_tier_for_model_id(request.model_id)
if required_tier == "pro" and hasattr(user, "subscription_status"):
user_status = getattr(user, "subscription_status", None)
if user_status is None or str(user_status) not in ("active",):
raise HTTPException(
status_code=403,
detail={
"error": "tier_restricted",
"message": f"This model requires a Pro subscription. Current status: {user_status}",
"required_tier": required_tier,
},
)
# Cloud mode: enforce monthly token quota before streaming
if config.is_cloud():
try:
token_quota_service = TokenQuotaService(session)
await token_quota_service.check_token_quota(str(user.id))
except TokenQuotaExceededError as exc:
raise HTTPException(
status_code=402,
detail={
"error": "token_quota_exceeded",
"message": str(exc),
"tokens_used": exc.tokens_used,
"monthly_token_limit": exc.monthly_token_limit,
"upgrade_url": "/pricing",
},
) from exc
# Release the read-transaction so we don't hold ACCESS SHARE locks
# on searchspaces/documents for the entire duration of the stream.
# expire_on_commit=False keeps loaded ORM attrs usable.
@ -1349,6 +1393,47 @@ async def regenerate_response(
search_space.agent_llm_id if search_space.agent_llm_id is not None else -1
)
# Cloud mode: allow frontend to override with a system model selection
# Security: only negative IDs (system models from YAML) are allowed in cloud mode
if config.is_cloud() and request.model_id is not None:
if request.model_id > 0:
raise HTTPException(
status_code=403,
detail="Custom LLM configurations are not allowed in cloud mode. Use system models only.",
)
llm_config_id = request.model_id
# Enforce subscription tier for the selected model
required_tier = get_tier_for_model_id(request.model_id)
if required_tier == "pro" and hasattr(user, "subscription_status"):
user_status = getattr(user, "subscription_status", None)
if user_status is None or str(user_status) not in ("active",):
raise HTTPException(
status_code=403,
detail={
"error": "tier_restricted",
"message": f"This model requires a Pro subscription. Current status: {user_status}",
"required_tier": required_tier,
},
)
# Cloud mode: enforce monthly token quota before streaming
if config.is_cloud():
try:
token_quota_service = TokenQuotaService(session)
await token_quota_service.check_token_quota(str(user.id))
except TokenQuotaExceededError as exc:
raise HTTPException(
status_code=402,
detail={
"error": "token_quota_exceeded",
"message": str(exc),
"tokens_used": exc.tokens_used,
"monthly_token_limit": exc.monthly_token_limit,
"upgrade_url": "/pricing",
},
) from exc
# Release the read-transaction so we don't hold ACCESS SHARE locks
# on searchspaces/documents for the entire duration of the stream.
# expire_on_commit=False keeps loaded ORM attrs (including messages_to_delete PKs) usable.
@ -1472,6 +1557,47 @@ async def resume_chat(
search_space.agent_llm_id if search_space.agent_llm_id is not None else -1
)
# Cloud mode: allow frontend to override with a system model selection
# Security: only negative IDs (system models from YAML) are allowed in cloud mode
if config.is_cloud() and request.model_id is not None:
if request.model_id > 0:
raise HTTPException(
status_code=403,
detail="Custom LLM configurations are not allowed in cloud mode. Use system models only.",
)
llm_config_id = request.model_id
# Enforce subscription tier for the selected model
required_tier = get_tier_for_model_id(request.model_id)
if required_tier == "pro" and hasattr(user, "subscription_status"):
user_status = getattr(user, "subscription_status", None)
if user_status is None or str(user_status) not in ("active",):
raise HTTPException(
status_code=403,
detail={
"error": "tier_restricted",
"message": f"This model requires a Pro subscription. Current status: {user_status}",
"required_tier": required_tier,
},
)
# Cloud mode: enforce monthly token quota before streaming
if config.is_cloud():
try:
token_quota_service = TokenQuotaService(session)
await token_quota_service.check_token_quota(str(user.id))
except TokenQuotaExceededError as exc:
raise HTTPException(
status_code=402,
detail={
"error": "token_quota_exceeded",
"message": str(exc),
"tokens_used": exc.tokens_used,
"monthly_token_limit": exc.monthly_token_limit,
"upgrade_url": "/pricing",
},
) from exc
decisions = [d.model_dump() for d in request.decisions]
# Release the read-transaction so we don't hold ACCESS SHARE locks

6
surfsense_backend/app/schemas/new_chat.py
View file

@ -175,6 +175,10 @@ class NewChatRequest(BaseModel):
disabled_tools: list[str] | None = (
None # Optional list of tool names the user has disabled from the UI
)
# Cloud mode: override the search space's agent_llm_id with a system model
# (negative ID from global_llm_config.yaml, selected via SystemModelSelector).
# Self-hosted mode: leave None and the search space config is used as before.
model_id: int | None = None
class RegenerateRequest(BaseModel):
@ -195,6 +199,7 @@ class RegenerateRequest(BaseModel):
mentioned_document_ids: list[int] | None = None
mentioned_surfsense_doc_ids: list[int] | None = None
disabled_tools: list[str] | None = None
model_id: int | None = None # Cloud mode: override with system model ID
# =============================================================================
@ -218,6 +223,7 @@ class ResumeDecision(BaseModel):
class ResumeRequest(BaseModel):
search_space_id: int
decisions: list[ResumeDecision]
model_id: int | None = None # Cloud mode: override with system model ID
# =============================================================================

189
surfsense_backend/app/services/token_quota_service.py Normal file
View file

@ -0,0 +1,189 @@
"""
Service for managing user LLM token quotas (cloud subscription mode).
Mirrors PageLimitService pattern for consistency.
"""
from datetime import UTC, date, datetime, timedelta
from sqlalchemy import select, update
from sqlalchemy.ext.asyncio import AsyncSession
class TokenQuotaExceededError(Exception):
"""
Exception raised when a user exceeds their monthly token quota.
"""
def __init__(
self,
message: str = "Monthly token quota exceeded. Please upgrade your plan.",
tokens_used: int = 0,
monthly_token_limit: int = 0,
tokens_requested: int = 0,
):
self.tokens_used = tokens_used
self.monthly_token_limit = monthly_token_limit
self.tokens_requested = tokens_requested
super().__init__(message)
class TokenQuotaService:
"""Service for checking and updating user LLM token quotas."""
def __init__(self, session: AsyncSession):
self.session = session
async def _maybe_reset_monthly_tokens(self, user) -> None:
"""
Reset tokens_used_this_month to 0 if token_reset_date has passed.
Called before any quota check or update so that a new billing cycle
starts transparently without requiring a cron job or webhook trigger.
The token_reset_date is a Date column. We compare against UTC today.
NOTE: This method does NOT commit the caller manages the transaction.
"""
today = datetime.now(UTC).date()
if not user.token_reset_date:
# First time — set reset date 30 days from now
user.token_reset_date = today + timedelta(days=30)
user.tokens_used_this_month = 0
return
reset_date = user.token_reset_date
# Handle if somehow stored as a string (legacy data)
if isinstance(reset_date, str):
try:
reset_date = date.fromisoformat(reset_date)
except ValueError:
reset_date = today + timedelta(days=30)
if today >= reset_date:
# New billing cycle — reset usage and advance reset date by 30 days
new_reset = reset_date + timedelta(days=30)
user.tokens_used_this_month = 0
user.token_reset_date = new_reset
async def check_token_quota(
self, user_id: str, estimated_tokens: int = 0
) -> tuple[bool, int, int]:
"""
Check if user has remaining token quota this month.
Args:
user_id: The user's UUID (string)
estimated_tokens: Optional pre-estimated input token count
Returns:
Tuple of (has_capacity, tokens_used, monthly_token_limit)
Raises:
TokenQuotaExceededError: If user would exceed their monthly limit
"""
from app.db import User
result = await self.session.execute(select(User).where(User.id == user_id))
user = result.unique().scalar_one_or_none()
if not user:
raise ValueError(f"User with ID {user_id} not found")
await self._maybe_reset_monthly_tokens(user)
await self.session.flush() # Persist any reset changes within the transaction
tokens_used = user.tokens_used_this_month or 0
token_limit = user.monthly_token_limit or 0
# Strict boundary: >= means at-limit is also exceeded
if tokens_used + estimated_tokens >= token_limit and token_limit > 0:
raise TokenQuotaExceededError(
message=(
f"Monthly token quota exceeded. "
f"Used: {tokens_used:,}/{token_limit:,} tokens. "
f"Estimated request: {estimated_tokens:,} tokens. "
f"Please upgrade your subscription plan."
),
tokens_used=tokens_used,
monthly_token_limit=token_limit,
tokens_requested=estimated_tokens,
)
return True, tokens_used, token_limit
async def update_token_usage(
self, user_id: str, tokens_to_add: int, allow_exceed: bool = True
) -> int:
"""
Atomically add tokens consumed to the user's monthly usage.
Uses a single SQL UPDATE with arithmetic expression to prevent
race conditions when multiple streams finish concurrently.
Args:
user_id: The user's UUID (string)
tokens_to_add: Actual tokens consumed (input + output)
allow_exceed: If True (default), records usage even if it pushes
past the limit. Set False to enforce hard cap at
update time (pre-check should already have fired).
Returns:
New total tokens_used_this_month value
"""
from app.db import User
if tokens_to_add <= 0:
# Nothing to deduct — fetch current usage and return
result = await self.session.execute(
select(User.tokens_used_this_month).where(User.id == user_id)
)
row = result.first()
if not row:
raise ValueError(f"User with ID {user_id} not found")
return row[0] or 0
# Atomic UPDATE: tokens_used = tokens_used + N (no read-modify-write)
stmt = (
update(User)
.where(User.id == user_id)
.values(tokens_used_this_month=User.tokens_used_this_month + tokens_to_add)
.returning(User.tokens_used_this_month)
)
result = await self.session.execute(stmt)
row = result.first()
if not row:
raise ValueError(f"User with ID {user_id} not found")
new_usage = row[0]
await self.session.commit()
return new_usage
async def get_token_usage(self, user_id: str) -> tuple[int, int]:
"""
Get user's current token usage and monthly limit.
Also triggers monthly reset check so the returned values
are always for the current billing cycle.
Args:
user_id: The user's UUID (string)
Returns:
Tuple of (tokens_used_this_month, monthly_token_limit)
"""
from app.db import User
result = await self.session.execute(select(User).where(User.id == user_id))
user = result.unique().scalar_one_or_none()
if not user:
raise ValueError(f"User with ID {user_id} not found")
await self._maybe_reset_monthly_tokens(user)
await self.session.flush()
return (user.tokens_used_this_month or 0, user.monthly_token_limit or 0)

55
surfsense_backend/app/tasks/chat/stream_new_chat.py
View file

@ -41,6 +41,7 @@ from app.agents.new_chat.memory_extraction import (
extract_and_save_memory,
extract_and_save_team_memory,
)
from app.config import config as app_config
from app.db import (
ChatVisibility,
NewChatMessage,
@ -144,6 +145,7 @@ class StreamResult:
interrupt_value: dict[str, Any] | None = None
sandbox_files: list[str] = field(default_factory=list) # unused, kept for compat
agent_called_update_memory: bool = False
total_tokens_used: int = 0 # Accumulated across all LLM calls in the stream
async def _stream_agent_events(
@ -1105,6 +1107,27 @@ async def _stream_agent_events(
},
)
elif event_type == "on_chat_model_end":
# Accumulate token counts for quota tracking (cloud mode)
output = event.get("data", {}).get("output")
if output is not None:
usage = None
if hasattr(output, "usage_metadata") and output.usage_metadata is not None:
usage = output.usage_metadata
elif hasattr(output, "response_metadata") and output.response_metadata is not None:
rm = output.response_metadata or {}
usage = rm.get("usage") or rm.get("token_usage") or rm.get("usage_metadata")
if isinstance(usage, dict):
total = (
usage.get("total_tokens")
or (usage.get("input_tokens", 0) + usage.get("output_tokens", 0))
or (usage.get("prompt_tokens", 0) + usage.get("completion_tokens", 0))
)
result.total_tokens_used += total or 0
elif usage is not None and hasattr(usage, "total_tokens"):
result.total_tokens_used += getattr(usage, "total_tokens", 0) or 0
elif event_type in ("on_chain_end", "on_agent_end"):
if current_text_id is not None:
yield streaming_service.format_text_end(current_text_id)
@ -1569,6 +1592,22 @@ async def stream_new_chat(
)
)
# Cloud mode: deduct consumed tokens from the user's monthly quota
if app_config.is_cloud() and user_id and stream_result.total_tokens_used > 0:
try:
async with shielded_async_session() as quota_session:
from app.services.token_quota_service import TokenQuotaService
quota_service = TokenQuotaService(quota_session)
await quota_service.update_token_usage(
user_id, stream_result.total_tokens_used, allow_exceed=True
)
except Exception as quota_err:
# Non-fatal — log and continue; usage was already streamed
logging.getLogger(__name__).warning(
"[stream_new_chat] Failed to record token usage: %s", quota_err
)
# Finish the step and message
yield streaming_service.format_finish_step()
yield streaming_service.format_finish()
@ -1778,6 +1817,22 @@ async def stream_resume_chat(
yield streaming_service.format_finish()
yield streaming_service.format_done()
# Cloud mode: deduct consumed tokens from the user's monthly quota
if app_config.is_cloud() and user_id and stream_result.total_tokens_used > 0:
try:
async with shielded_async_session() as quota_session:
from app.services.token_quota_service import TokenQuotaService
quota_service = TokenQuotaService(quota_session)
await quota_service.update_token_usage(
user_id, stream_result.total_tokens_used, allow_exceed=True
)
except Exception as quota_err:
# Non-fatal — log and continue; usage was already streamed
logging.getLogger(__name__).warning(
"[stream_resume_chat] Failed to record token usage: %s", quota_err
)
except Exception as e:
import traceback

60
surfsense_web/app/dashboard/[search_space_id]/new-chat/[[...chat_id]]/page.tsx
View file

@ -14,6 +14,8 @@ import { useCallback, useEffect, useMemo, useRef, useState } from "react";
import { toast } from "sonner";
import { z } from "zod";
import { disabledToolsAtom } from "@/atoms/agent-tools/agent-tools.atoms";
import { selectedSystemModelIdAtom } from "@/atoms/new-llm-config/system-models-query.atoms";
import { isCloud } from "@/lib/env-config";
import {
clearTargetCommentIdAtom,
currentThreadAtom,
@ -173,6 +175,16 @@ function extractMentionedDocuments(content: unknown): MentionedDocumentInfo[] {
return [];
}
/**
* Throw this when the backend returns 402 Payment Required (quota exceeded).
*/
class QuotaExceededError extends Error {
constructor() {
super("Token quota exceeded");
this.name = "QuotaExceededError";
}
}
/**
* Tools that should render custom UI in the chat.
*/
@ -230,6 +242,9 @@ export default function NewChatPage() {
// Get disabled tools from the tool toggle UI
const disabledTools = useAtomValue(disabledToolsAtom);
// Cloud mode: selected system model ID (null = backend default)
const selectedSystemModelId = useAtomValue(selectedSystemModelIdAtom);
// Get mentioned document IDs from the composer (derived from @ mentions + sidebar selections)
const mentionedDocumentIds = useAtomValue(mentionedDocumentIdsAtom);
const mentionedDocuments = useAtomValue(mentionedDocumentsAtom);
@ -704,11 +719,13 @@ export default function NewChatPage() {
? mentionedDocumentIds.surfsense_doc_ids
: undefined,
disabled_tools: disabledTools.length > 0 ? disabledTools : undefined,
...(isCloud() && selectedSystemModelId != null && { model_id: selectedSystemModelId }),
}),
signal: controller.signal,
});
if (!response.ok) {
if (response.status === 402) throw new QuotaExceededError();
throw new Error(`Backend error: ${response.status}`);
}
@ -847,6 +864,9 @@ export default function NewChatPage() {
}
case "error":
if (parsed.errorText?.includes("quota") || parsed.errorText?.includes("token_quota_exceeded")) {
throw new QuotaExceededError();
}
throw new Error(parsed.errorText || "Server error");
}
}
@ -909,6 +929,15 @@ export default function NewChatPage() {
}
return;
}
if (error instanceof QuotaExceededError) {
toast.error("Monthly token quota exceeded. Upgrade your plan to continue.", {
action: {
label: "Upgrade",
onClick: () => window.open("/pricing", "_blank"),
},
});
return;
}
console.error("[NewChatPage] Chat error:", error);
// Track chat error
@ -955,6 +984,7 @@ export default function NewChatPage() {
currentUser,
disabledTools,
updateChatTabTitle,
selectedSystemModelId,
]
);
@ -1062,11 +1092,13 @@ export default function NewChatPage() {
body: JSON.stringify({
search_space_id: searchSpaceId,
decisions,
...(isCloud() && selectedSystemModelId != null && { model_id: selectedSystemModelId }),
}),
signal: controller.signal,
});
if (!response.ok) {
if (response.status === 402) throw new QuotaExceededError();
throw new Error(`Backend error: ${response.status}`);
}
@ -1175,6 +1207,9 @@ export default function NewChatPage() {
}
case "error":
if (parsed.errorText?.includes("quota") || parsed.errorText?.includes("token_quota_exceeded")) {
throw new QuotaExceededError();
}
throw new Error(parsed.errorText || "Server error");
}
}
@ -1201,6 +1236,15 @@ export default function NewChatPage() {
if (error instanceof Error && error.name === "AbortError") {
return;
}
if (error instanceof QuotaExceededError) {
toast.error("Monthly token quota exceeded. Upgrade your plan to continue.", {
action: {
label: "Upgrade",
onClick: () => window.open("/pricing", "_blank"),
},
});
return;
}
console.error("[NewChatPage] Resume error:", error);
toast.error("Failed to resume. Please try again.");
} finally {
@ -1380,11 +1424,13 @@ export default function NewChatPage() {
search_space_id: searchSpaceId,
user_query: newUserQuery || null,
disabled_tools: disabledTools.length > 0 ? disabledTools : undefined,
...(isCloud() && selectedSystemModelId != null && { model_id: selectedSystemModelId }),
}),
signal: controller.signal,
});
if (!response.ok) {
if (response.status === 402) throw new QuotaExceededError();
throw new Error(`Backend error: ${response.status}`);
}
@ -1454,6 +1500,9 @@ export default function NewChatPage() {
}
case "error":
if (parsed.errorText?.includes("quota") || parsed.errorText?.includes("token_quota_exceeded")) {
throw new QuotaExceededError();
}
throw new Error(parsed.errorText || "Server error");
}
}
@ -1502,6 +1551,15 @@ export default function NewChatPage() {
return;
}
batcher.dispose();
if (error instanceof QuotaExceededError) {
toast.error("Monthly token quota exceeded. Upgrade your plan to continue.", {
action: {
label: "Upgrade",
onClick: () => window.open("/pricing", "_blank"),
},
});
return;
}
console.error("[NewChatPage] Regeneration error:", error);
trackChatError(
searchSpaceId,
@ -1524,7 +1582,7 @@ export default function NewChatPage() {
abortControllerRef.current = null;
}
},
[threadId, searchSpaceId, messages, disabledTools]
[threadId, searchSpaceId, messages, disabledTools, selectedSystemModelId]
);
// Handle editing a message - truncates history and regenerates with new query

30
surfsense_web/atoms/new-llm-config/system-models-query.atoms.ts Normal file
View file

@ -0,0 +1,30 @@
import { atom } from "jotai";
import { atomWithQuery } from "jotai-tanstack-query";
import { newLLMConfigApiService } from "@/lib/apis/new-llm-config-api.service";
import { isCloud } from "@/lib/env-config";
import { cacheKeys } from "@/lib/query-client/cache-keys";
/**
* Query atom for fetching the system-managed LLM catalogue.
* Only fetches in cloud mode (DEPLOYMENT_MODE=cloud).
* Returns models with negative IDs configured in the backend YAML.
*/
export const systemModelsAtom = atomWithQuery(() => {
return {
queryKey: cacheKeys.systemModels.all(),
staleTime: 10 * 60 * 1000, // 10 minutes - system models rarely change
enabled: isCloud(), // Only fetch when in cloud mode
queryFn: async () => {
return newLLMConfigApiService.getSystemModels();
},
};
});
/**
* Atom holding the currently selected system model ID (negative integer).
* null means no explicit selection backend will use its default.
*
* NOTE: This is a global atom it persists across search spaces within
* a session. The ChatHeader component should reset it when needed.
*/
export const selectedSystemModelIdAtom = atom<number | null>(null);

34
surfsense_web/components/new-chat/chat-header.tsx
View file

@ -1,6 +1,8 @@
"use client";
import { useCallback, useState } from "react";
import { useCallback, useEffect, useState } from "react";
import { useSetAtom } from "jotai";
import { selectedSystemModelIdAtom } from "@/atoms/new-llm-config/system-models-query.atoms";
import { ImageConfigDialog } from "@/components/shared/image-config-dialog";
import { ModelConfigDialog } from "@/components/shared/model-config-dialog";
import { VisionConfigDialog } from "@/components/shared/vision-config-dialog";
@ -12,7 +14,9 @@ import type {
NewLLMConfigPublic,
VisionLLMConfig,
} from "@/contracts/types/new-llm-config.types";
import { isCloud } from "@/lib/env-config";
import { ModelSelector } from "./model-selector";
import { SystemModelSelector } from "./system-model-selector";
interface ChatHeaderProps {
searchSpaceId: number;
@ -20,6 +24,12 @@ interface ChatHeaderProps {
}
export function ChatHeader({ searchSpaceId, className }: ChatHeaderProps) {
// Reset system model selection when search space changes
const setSelectedSystemModelId = useSetAtom(selectedSystemModelIdAtom);
useEffect(() => {
setSelectedSystemModelId(null);
}, [searchSpaceId, setSelectedSystemModelId]);
// LLM config dialog state
const [dialogOpen, setDialogOpen] = useState(false);
const [selectedConfig, setSelectedConfig] = useState<
@ -115,15 +125,19 @@ export function ChatHeader({ searchSpaceId, className }: ChatHeaderProps) {
return (
<div className="flex items-center gap-2">
<ModelSelector
onEditLLM={handleEditLLMConfig}
onAddNewLLM={handleAddNewLLM}
onEditImage={handleEditImageConfig}
onAddNewImage={handleAddImageModel}
onEditVision={handleEditVisionConfig}
onAddNewVision={handleAddVisionModel}
className={className}
/>
{isCloud() ? (
<SystemModelSelector className={className} />
) : (
<ModelSelector
onEditLLM={handleEditLLMConfig}
onAddNewLLM={handleAddNewLLM}
onEditImage={handleEditImageConfig}
onAddNewImage={handleAddImageModel}
onEditVision={handleEditVisionConfig}
onAddNewVision={handleAddVisionModel}
className={className}
/>
)}
<ModelConfigDialog
open={dialogOpen}
onOpenChange={handleDialogClose}

148
surfsense_web/components/new-chat/system-model-selector.tsx Normal file
View file

@ -0,0 +1,148 @@
"use client";
import { useAtom, useAtomValue } from "jotai";
import { Bot, Check, ChevronDown, Crown, Zap } from "lucide-react";
import { useState } from "react";
import {
selectedSystemModelIdAtom,
systemModelsAtom,
} from "@/atoms/new-llm-config/system-models-query.atoms";
import { Badge } from "@/components/ui/badge";
import { Button } from "@/components/ui/button";
import {
Command,
CommandEmpty,
CommandGroup,
CommandInput,
CommandItem,
CommandList,
} from "@/components/ui/command";
import { Popover, PopoverContent, PopoverTrigger } from "@/components/ui/popover";
import { Spinner } from "@/components/ui/spinner";
import type { SystemModelItem } from "@/contracts/types/new-llm-config.types";
import { cn } from "@/lib/utils";
interface SystemModelSelectorProps {
className?: string;
}
const TIER_CONFIG: Record<string, { label: string; icon: React.ComponentType<{ className?: string }>; variant: "default" | "secondary" | "outline" }> = {
free: { label: "Free", icon: Zap, variant: "secondary" },
pro: { label: "Pro", icon: Crown, variant: "default" },
enterprise: { label: "Enterprise", icon: Crown, variant: "default" },
};
function TierBadge({ tier }: { tier: string }) {
const config = TIER_CONFIG[tier.toLowerCase()] ?? { label: tier, icon: Zap, variant: "outline" as const };
const Icon = config.icon;
return (
<Badge variant={config.variant} className="ml-auto flex items-center gap-1 text-[10px] px-1.5 py-0 h-4">
<Icon className="h-2.5 w-2.5" />
{config.label}
</Badge>
);
}
export function SystemModelSelector({ className }: SystemModelSelectorProps) {
const [open, setOpen] = useState(false);
const [searchQuery, setSearchQuery] = useState("");
const { data: models, isPending } = useAtomValue(systemModelsAtom);
const [selectedId, setSelectedId] = useAtom(selectedSystemModelIdAtom);
const selectedModel: SystemModelItem | undefined =
selectedId != null ? models?.find((m) => m.id === selectedId) : undefined;
// Use first model as implicit default when nothing selected; guard empty array
const displayModel = selectedModel ?? (models && models.length > 0 ? models[0] : undefined);
// Auto-select the first model so the ID is available for API calls
const effectiveId = selectedId ?? displayModel?.id ?? null;
const filteredModels = models?.filter(
(m) =>
!searchQuery ||
m.name.toLowerCase().includes(searchQuery.toLowerCase()) ||
m.provider.toLowerCase().includes(searchQuery.toLowerCase()) ||
m.model_name.toLowerCase().includes(searchQuery.toLowerCase())
) ?? [];
function handleSelect(model: SystemModelItem) {
setSelectedId(model.id);
setOpen(false);
setSearchQuery("");
}
return (
<Popover open={open} onOpenChange={setOpen}>
<PopoverTrigger asChild>
<Button
variant="outline"
size="sm"
className={cn(
"flex items-center gap-2 h-8 px-3 text-sm font-normal",
className
)}
aria-label="Select AI model"
>
<Bot className="h-4 w-4 shrink-0 text-muted-foreground" />
{isPending ? (
<Spinner className="h-3 w-3" />
) : displayModel ? (
<span className="max-w-[140px] truncate">{displayModel.name}</span>
) : (
<span className="text-muted-foreground">Select model</span>
)}
<ChevronDown className="h-3 w-3 shrink-0 text-muted-foreground ml-1" />
</Button>
</PopoverTrigger>
<PopoverContent className="w-72 p-0" align="start">
<Command shouldFilter={false}>
<CommandInput
placeholder="Search models…"
value={searchQuery}
onValueChange={setSearchQuery}
/>
<CommandList className="max-h-64">
{isPending ? (
<div className="flex items-center justify-center py-6">
<Spinner className="h-5 w-5" />
</div>
) : filteredModels.length === 0 ? (
<CommandEmpty>No models found.</CommandEmpty>
) : (
<CommandGroup>
{filteredModels.map((model) => {
const isSelected =
selectedId === model.id ||
(selectedId === null && displayModel?.id === model.id);
return (
<CommandItem
key={model.id}
value={String(model.id)}
onSelect={() => handleSelect(model)}
className="flex items-center gap-2 cursor-pointer"
>
<Check
className={cn(
"h-3.5 w-3.5 shrink-0",
isSelected ? "opacity-100" : "opacity-0"
)}
/>
<div className="flex flex-col flex-1 min-w-0">
<span className="truncate font-medium text-sm">{model.name}</span>
<span className="truncate text-[11px] text-muted-foreground">
{model.model_name}
</span>
</div>
<TierBadge tier={model.tier_required} />
</CommandItem>
);
})}
</CommandGroup>
)}
</CommandList>
</Command>
</PopoverContent>
</Popover>
);
}

39
surfsense_web/components/settings/search-space-settings-dialog.tsx
View file

@ -17,6 +17,7 @@ import { useTranslations } from "next-intl";
import type React from "react";
import { searchSpaceSettingsDialogAtom } from "@/atoms/settings/settings-dialog.atoms";
import { SettingsDialog } from "@/components/settings/settings-dialog";
import { isCloud } from "@/lib/env-config";
const GeneralSettingsManager = dynamic(
() =>
@ -85,20 +86,27 @@ export function SearchSpaceSettingsDialog({ searchSpaceId }: SearchSpaceSettings
const t = useTranslations("searchSpaceSettings");
const [state, setState] = useAtom(searchSpaceSettingsDialogAtom);
const cloudMode = isCloud();
const navItems = [
{ value: "general", label: t("nav_general"), icon: <CircleUser className="h-4 w-4" /> },
{ value: "roles", label: t("nav_role_assignments"), icon: <ListChecks className="h-4 w-4" /> },
{ value: "models", label: t("nav_agent_configs"), icon: <Bot className="h-4 w-4" /> },
{
value: "image-models",
label: t("nav_image_models"),
icon: <ImageIcon className="h-4 w-4" />,
},
{
value: "vision-models",
label: t("nav_vision_models"),
icon: <Eye className="h-4 w-4" />,
},
// BYOK model config panels — hidden in cloud mode (system models are managed centrally)
...(!cloudMode
? [
{ value: "models", label: t("nav_agent_configs"), icon: <Bot className="h-4 w-4" /> },
{
value: "image-models",
label: t("nav_image_models"),
icon: <ImageIcon className="h-4 w-4" />,
},
{
value: "vision-models",
label: t("nav_vision_models"),
icon: <Eye className="h-4 w-4" />,
},
]
: []),
{ value: "team-roles", label: t("nav_team_roles"), icon: <UserKey className="h-4 w-4" /> },
{
value: "prompts",
@ -115,10 +123,13 @@ export function SearchSpaceSettingsDialog({ searchSpaceId }: SearchSpaceSettings
const content: Record<string, React.ReactNode> = {
general: <GeneralSettingsManager searchSpaceId={searchSpaceId} />,
models: <ModelConfigManager searchSpaceId={searchSpaceId} />,
// BYOK panels — only rendered in self-hosted mode
...(!cloudMode && {
models: <ModelConfigManager searchSpaceId={searchSpaceId} />,
"image-models": <ImageModelManager searchSpaceId={searchSpaceId} />,
"vision-models": <VisionModelManager searchSpaceId={searchSpaceId} />,
}),
roles: <LLMRoleManager searchSpaceId={searchSpaceId} />,
"image-models": <ImageModelManager searchSpaceId={searchSpaceId} />,
"vision-models": <VisionModelManager searchSpaceId={searchSpaceId} />,
"team-roles": <RolesManager searchSpaceId={searchSpaceId} />,
prompts: <PromptConfigManager searchSpaceId={searchSpaceId} />,
"team-memory": <TeamMemoryManager searchSpaceId={searchSpaceId} />,

21
surfsense_web/contracts/types/new-llm-config.types.ts
View file

@ -166,6 +166,27 @@ export const globalNewLLMConfig = z.object({
export const getGlobalNewLLMConfigsResponse = z.array(globalNewLLMConfig);
// =============================================================================
// System Model Catalog (cloud mode — backend-managed LLMs)
// =============================================================================
/**
* SystemModelItem a backend-managed LLM exposed via GET /api/v1/models/system
* id is negative (e.g. -1, -2, ), distinct from user configs (positive) and Auto mode (0)
*/
export const systemModelItem = z.object({
id: z.number(),
name: z.string(),
description: z.string().nullable().optional(),
provider: z.string(),
model_name: z.string(),
tier_required: z.string().default("free"),
});
export const getSystemModelsResponse = z.array(systemModelItem);
export type SystemModelItem = z.infer<typeof systemModelItem>;
// =============================================================================
// Image Generation Config (separate table from NewLLMConfig)
// =============================================================================

9
surfsense_web/lib/apis/new-llm-config-api.service.ts
View file

@ -15,6 +15,7 @@ import {
getNewLLMConfigResponse,
getNewLLMConfigsRequest,
getNewLLMConfigsResponse,
getSystemModelsResponse,
type UpdateLLMPreferencesRequest,
type UpdateNewLLMConfigRequest,
updateLLMPreferencesRequest,
@ -153,6 +154,14 @@ class NewLLMConfigApiService {
return baseApiService.get(`/api/v1/models`, getModelListResponse);
};
/**
* Get the system-managed LLM catalogue (cloud mode only)
* Returns backend-configured models from YAML with negative IDs
*/
getSystemModels = async () => {
return baseApiService.get(`/api/v1/models/system`, getSystemModelsResponse);
};
/**
* Update LLM preferences for a search space
*/

3
surfsense_web/lib/query-client/cache-keys.ts
View file

@ -105,6 +105,9 @@ export const cacheKeys = {
all: () => ["prompts"] as const,
public: () => ["prompts", "public"] as const,
},
systemModels: {
all: () => ["models", "system"] as const,
},
notifications: {
search: (searchSpaceId: number | null, search: string, tab: string) =>
["notifications", "search", searchSpaceId, search, tab] as const,