v0.237.001

application/single_app/config.py

@@ -88,7 +88,7 @@
 EXECUTOR_TYPE = 'thread'
 EXECUTOR_MAX_WORKERS = 30
 SESSION_TYPE = 'filesystem'
-VERSION = "0.236.012"
+VERSION = "0.237.001"
 
 
 SECRET_KEY = os.getenv('SECRET_KEY', 'dev-secret-key-change-in-production')

docs/explanation/features/v0.237.001/CONTROL_CENTER_APPLICATION_ROLES.md

@@ -0,0 +1,154 @@
+# Control Center Application Roles
+
+## Overview
+
+Added two new application roles for finer-grained access control to the Control Center, enabling organizations to delegate administrative functions while maintaining security boundaries.
+
+**Version Implemented:** v0.237.001
+
+## New Roles
+
+### Control Center Admin
+
+| Property | Value |
+|----------|-------|
+| **Role Name** | Control Center Admin |
+| **Description** | Full administrative access to Control Center functionality |
+| **Access Level** | Full read/write access to all Control Center features |
+
+**Permissions:**
+- View all Control Center dashboards and metrics
+- Manage user access and permissions
+- Execute administrative operations (take ownership, transfer, delete)
+- Approve/reject workflow requests
+- Configure Control Center settings
+
+### Control Center Dashboard Reader
+
+| Property | Value |
+|----------|-------|
+| **Role Name** | Control Center Dashboard Reader |
+| **Description** | Read-only access to Control Center dashboards |
+| **Access Level** | View-only access to dashboards and metrics |
+
+**Permissions:**
+- View Control Center dashboard
+- View activity trends and metrics
+- View user statistics
+- View group and workspace information
+- **Cannot** perform administrative actions
+- **Cannot** modify settings or configurations
+
+## Use Cases
+
+### Scenario 1: IT Operations Team
+- **Need**: Monitor system health and usage without admin capabilities
+- **Solution**: Assign "Control Center Dashboard Reader" role
+- **Benefit**: Visibility into metrics without risk of accidental changes
+
+### Scenario 2: Delegated Administration
+- **Need**: Department leads manage their users' access
+- **Solution**: Assign "Control Center Admin" role to specific individuals
+- **Benefit**: Distributed administration without full application admin access
+
+### Scenario 3: Compliance Auditors
+- **Need**: Review activity logs and usage patterns
+- **Solution**: Assign "Control Center Dashboard Reader" role
+- **Benefit**: Audit capability without modification access
+
+## Configuration
+
+### Adding Roles to Entra ID Enterprise Application
+
+1. Navigate to Azure Portal → Entra ID → Enterprise Applications
+2. Find your SimpleChat application registration
+3. Go to **App roles** 
+4. Add the new roles from `appRegistrationRoles.json`
+
+### Role Assignment
+
+```json
+{
+  "roles": [
+    {
+      "allowedMemberTypes": ["User"],
+      "description": "Full administrative access to Control Center",
+      "displayName": "Control Center Admin",
+      "isEnabled": true,
+      "value": "ControlCenterAdmin"
+    },
+    {
+      "allowedMemberTypes": ["User"],
+      "description": "Read-only access to Control Center dashboards",
+      "displayName": "Control Center Dashboard Reader",
+      "isEnabled": true,
+      "value": "ControlCenterDashboardReader"
+    }
+  ]
+}
+```
+
+### Assigning Roles to Users
+
+1. Navigate to Enterprise Application → Users and groups
+2. Click **Add user/group**
+3. Select user(s) to assign
+4. Select the appropriate role
+5. Click **Assign**
+
+## Role Hierarchy
+
+```
+┌─────────────────────────────────────┐
+│              Admin                   │  ← Full application admin
+│  (All permissions)                   │
+└─────────────────┬───────────────────┘
+                  │
+┌─────────────────▼───────────────────┐
+│       Control Center Admin           │  ← Control Center admin only
+│  (Full CC access, no app settings)   │
+└─────────────────┬───────────────────┘
+                  │
+┌─────────────────▼───────────────────┐
+│  Control Center Dashboard Reader     │  ← View-only access
+│  (Read-only dashboard access)        │
+└─────────────────────────────────────┘
+```
+
+## Integration with Existing Roles
+
+| Existing Role | Control Center Access |
+|---------------|----------------------|
+| Admin | Full access (includes all CC permissions) |
+| User | No Control Center access by default |
+| Owner | Group-level access only |
+| DocumentManager | No Control Center access |
+
+| New Role | Control Center Access |
+|----------|----------------------|
+| ControlCenterAdmin | Full CC admin access |
+| ControlCenterDashboardReader | Read-only CC dashboard access |
+
+## Security Considerations
+
+1. **Principle of Least Privilege**: Assign Dashboard Reader by default, escalate to Admin only when needed
+2. **Audit Trail**: All Control Center actions are logged regardless of role
+3. **Role Separation**: Dashboard Reader cannot perform any destructive operations
+4. **Admin Oversight**: Full Admin role retains visibility into all role assignments
+
+## Files Modified
+
+- `appRegistrationRoles.json` - Added new role definitions
+
+## Related Features
+
+- [Control Center](../v0.235.001/control_center.md) - Main Control Center functionality
+- [Approval Workflow System](../v0.235.001/APPROVAL_WORKFLOW_SYSTEM.md) - Protected operations requiring approval
+- [Enhanced User Management](../v0.235.001/ENHANCED_USER_MANAGEMENT.md) - User metrics and management
+
+## Migration Notes
+
+Existing deployments should:
+1. Update the Entra ID app registration with new roles
+2. Assign appropriate roles to users who need Control Center access
+3. Review existing Admin role assignments for potential role refinement

docs/explanation/features/v0.237.001/CONVERSATION_DEEP_LINKING.md

@@ -0,0 +1,141 @@
+# Conversation Deep Linking
+
+## Overview
+
+SimpleChat now supports conversation deep linking through URL query parameters. Users can share direct links to specific conversations, and the application will automatically navigate to and load the referenced conversation when the link is accessed.
+
+**Version Implemented:** v0.237.001
+
+## Key Features
+
+- **Direct Conversation Links**: Share URLs that open a specific conversation
+- **URL Parameter Support**: Supports both `conversationId` and `conversation_id` parameters
+- **Automatic URL Updates**: Current conversation ID is automatically added to the URL
+- **Browser History Integration**: Uses `replaceState` to update URLs without creating new history entries
+- **Error Handling**: Graceful handling of invalid or inaccessible conversation IDs
+
+## How It Works
+
+### URL Format
+
+Conversations can be linked using either parameter format:
+
+```
+https://your-simplechat.com/?conversationId=<conversation-uuid>
+https://your-simplechat.com/?conversation_id=<conversation-uuid>
+```
+
+### Automatic URL Updates
+
+When users select a conversation in the sidebar, the URL is automatically updated to include the conversation ID:
+
+```javascript
+function updateConversationUrl(conversationId) {
+  if (!conversationId) return;
+
+  try {
+    const url = new URL(window.location.href);
+    url.searchParams.set('conversationId', conversationId);
+    window.history.replaceState({}, '', url.toString());
+  } catch (error) {
+    console.warn('Failed to update conversation URL:', error);
+  }
+}
+```
+
+### Deep Link Loading
+
+On page load, the application checks for a `conversationId` parameter and loads that conversation:
+
+```javascript
+// Deep-link: conversationId query param
+const conversationId = getUrlParameter("conversationId") || getUrlParameter("conversation_id");
+if (conversationId) {
+    try {
+        await ensureConversationPresent(conversationId);
+        await selectConversation(conversationId);
+    } catch (err) {
+        console.error('Failed to load conversation from URL param:', err);
+        showToast('Could not open that conversation.', 'danger');
+    }
+}
+```
+
+## User Experience
+
+### Sharing Conversations
+
+1. Navigate to any conversation
+2. Copy the URL from the browser address bar
+3. Share the URL with colleagues
+4. Recipients with access can open the link to view the conversation
+
+### Receiving Shared Links
+
+1. Click or paste a shared conversation link
+2. The application loads and displays the referenced conversation
+3. If the conversation doesn't exist or isn't accessible, an error toast is shown
+
+### Error Handling
+
+When a deep link fails to load:
+- A toast notification appears: "Could not open that conversation."
+- The user remains on the default view
+- Console logging captures the error details for debugging
+
+## Technical Architecture
+
+### Frontend Components
+
+| File | Purpose |
+|------|---------|
+| [chat-onload.js](../../../../application/single_app/static/js/chat/chat-onload.js) | Handles deep link loading on page initialization |
+| [chat-conversations.js](../../../../application/single_app/static/js/chat/chat-conversations.js) | `updateConversationUrl()` function for URL management |
+
+### Functions Involved
+
+| Function | Purpose |
+|----------|---------|
+| `getUrlParameter(name)` | Retrieves query parameter value from current URL |
+| `ensureConversationPresent(id)` | Ensures conversation exists in the local list |
+| `selectConversation(id)` | Loads and displays the specified conversation |
+| `updateConversationUrl(id)` | Updates URL with current conversation ID |
+
+## Use Cases
+
+### Team Collaboration
+- Share conversation links in chat or email for review
+- Direct colleagues to specific AI interactions for discussion
+
+### Support and Troubleshooting
+- Users can share conversation links with support staff
+- Administrators can reference specific conversations in reports
+
+### Documentation
+- Bookmark important conversations for future reference
+- Create documentation links to example interactions
+
+## Security Considerations
+
+1. **Access Control**: Deep links respect existing conversation access permissions
+2. **User Ownership**: Only accessible if the user has rights to the conversation
+3. **No Authentication Bypass**: Users must still be logged in to access conversations
+4. **Workspace Boundaries**: Workspace permissions still apply
+
+## Browser Compatibility
+
+- Uses standard `URL` and `URLSearchParams` APIs
+- `history.replaceState()` for seamless URL updates
+- Compatible with all modern browsers
+
+## Known Limitations
+
+- Deep links only work for conversations the current user has access to
+- Links to deleted conversations will show an error
+- Group/public workspace conversations require appropriate membership
+
+## Related Features
+
+- Conversation management and history
+- Sidebar conversation navigation
+- Chat workspace functionality