Implement AI configuration management and enhance document handling

- Introduced new API endpoints for managing AI configuration, allowing retrieval and secure storage of API keys.
- Updated the configuration structure to support encryption of AI keys, enhancing security.
- Refactored document listing to include throttled logging for processing counts, improving performance monitoring.
- Enhanced the UI components to support multiple file uploads and provide user feedback during uploads.
- Improved the onboarding experience with contextual messages for new users.

These changes aim to streamline AI integration and improve user experience in document management and configuration settings.

Author: rithulkamesh

demo/docker-compose-prod.yml

@@ -3,7 +3,9 @@
 # Run from demo/: docker compose -f docker-compose-prod.yml up -d
 # Web: http://localhost:3000  API: http://localhost:8080
 #
-# AI credentials: copy demo/.env.example to demo/.env and fill in.
+# AI config: set in the app via Settings (stored encrypted in DB). For CLI-only use, set
+# OPENAI_* / AZURE_* in .env; do not pass them to API/worker here (server uses DB).
+# Set DOCPROC_ENCRYPTION_KEY in .env (32 bytes or passphrase) so the API can encrypt stored keys.
 name: docproc-edu
 
 services:
@@ -66,12 +68,7 @@ services:
       S3_BUCKET: docproc-demo
       AWS_REGION: us-east-1
       MQ_URL: amqp://docproc:docproc@rabbitmq:5672/
-      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
-      OPENAI_MODEL: ${OPENAI_MODEL:-gpt-4o-mini}
-      AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY:-}
-      AZURE_OPENAI_ENDPOINT: ${AZURE_OPENAI_ENDPOINT:-}
-      AZURE_OPENAI_DEPLOYMENT: ${AZURE_OPENAI_DEPLOYMENT:-}
-      AZURE_OPENAI_EMBEDDING_DEPLOYMENT: ${AZURE_OPENAI_EMBEDDING_DEPLOYMENT:-}
+      DOCPROC_ENCRYPTION_KEY: ${DOCPROC_ENCRYPTION_KEY:-}
     depends_on:
       postgres: { condition: service_healthy }
       rabbitmq: { condition: service_healthy }
@@ -90,15 +87,6 @@ services:
       S3_BUCKET: docproc-demo
       AWS_REGION: us-east-1
       MQ_URL: amqp://docproc:docproc@rabbitmq:5672/
-      DOCPROC_PRIMARY_AI: ${DOCPROC_PRIMARY_AI:-azure}
-      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
-      OPENAI_MODEL: ${OPENAI_MODEL:-}
-      AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY:-}
-      AZURE_OPENAI_ENDPOINT: ${AZURE_OPENAI_ENDPOINT:-}
-      AZURE_OPENAI_DEPLOYMENT: ${AZURE_OPENAI_DEPLOYMENT:-gpt-4o}
-      AZURE_OPENAI_EMBEDDING_DEPLOYMENT: ${AZURE_OPENAI_EMBEDDING_DEPLOYMENT:-text-embedding-ada-002}
-      AZURE_VISION_ENDPOINT: ${AZURE_VISION_ENDPOINT:-}
-      AZURE_VISION_KEY: ${AZURE_VISION_KEY:-}
     depends_on:
       postgres: { condition: service_healthy }
       rabbitmq: { condition: service_healthy }

demo/go/internal/api/documents.go

@@ -7,13 +7,20 @@ import (
 	"net/http"
 	"path"
 	"strings"
+	"sync"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/rithulkamesh/docproc/demo/internal/blob"
 	"github.com/rithulkamesh/docproc/demo/internal/db"
 	"github.com/rithulkamesh/docproc/demo/internal/mq"
 )
 
+var (
+	listLogMu   sync.Mutex
+	listLogState = map[string]struct{ lastLogUnix int64; lastCount int }{}
+)
+
 // Document routes: upload, list, get, delete, reindex
 func (h *Handler) documents(w http.ResponseWriter, r *http.Request) {
 	path := strings.TrimPrefix(r.URL.Path, "/documents")
@@ -143,7 +150,18 @@ func (h *Handler) listDocuments(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 	if processingCount > 0 {
-		log.Printf("[documents] list: project_id=%s total=%d processing=%d", projectID, len(list), processingCount)
+		now := time.Now().UnixNano()
+		throttleNanos := int64(30 * time.Second)
+		listLogMu.Lock()
+		state, ok := listLogState[projectID]
+		shouldLog := !ok || state.lastCount != processingCount || (now-state.lastLogUnix) > throttleNanos
+		if shouldLog {
+			listLogState[projectID] = struct{ lastLogUnix int64; lastCount int }{lastLogUnix: now, lastCount: processingCount}
+		}
+		listLogMu.Unlock()
+		if shouldLog {
+			log.Printf("[documents] list: project_id=%s total=%d processing=%d", projectID, len(list), processingCount)
+		}
 	}
 	docs := make([]any, len(list))
 	for i, d := range list {

demo/go/internal/api/handler.go

@@ -49,6 +49,10 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.queryStream(w, r)
 	case path == "/models" && r.Method == http.MethodGet:
 		h.models(w, r)
+	case path == "/ai-config" && r.Method == http.MethodGet:
+		h.getAIConfig(w, r)
+	case path == "/ai-config" && r.Method == http.MethodPut:
+		h.putAIConfig(w, r)
 	case path == "/documents" || path == "/documents/" || strings.HasPrefix(path, "/documents/"):
 		h.documents(w, r)
 	case path == "/projects" || path == "/projects/" || strings.HasPrefix(path, "/projects/"):
@@ -67,22 +71,107 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) status(w http.ResponseWriter, r *http.Request) {
+	// Expose only non-secret server AI config (from .env). API keys are never sent to the client.
+	embedDep := h.cfg.DefaultEmbeddingDeployment()
+	var embedDepVal any = nil
+	if embedDep != "" {
+		embedDepVal = embedDep
+	}
 	writeJSON(w, map[string]any{
-		"ok":                    true,
-		"rag_backend":           "embedding",
-		"rag_configured":        h.rag != nil,
-		"database_provider":     "pgvector",
+		"ok":                   true,
+		"rag_backend":          "embedding",
+		"rag_configured":       h.rag != nil,
+		"database_provider":    "pgvector",
 		"primary_ai":           h.cfg.PrimaryAI(),
-		"namespace":             "default",
-		"default_rag_model":     h.cfg.DefaultRAGModel(),
-		"embedding_deployment":  nil,
+		"namespace":            "default",
+		"default_rag_model":    h.cfg.DefaultRAGModel(),
+		"embedding_deployment": embedDepVal,
 	})
 }
 
 func (h *Handler) embedCheck(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, map[string]any{"ok": h.cfg.HasAI()})
 }
 
+func (h *Handler) getAIConfig(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	cfg, err := h.pool.GetAIConfig(ctx)
+	if err != nil {
+		writeError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if cfg == nil {
+		writeJSON(w, map[string]any{
+			"provider":            "openai",
+			"model":               "gpt-4o-mini",
+			"api_key_configured":  false,
+			"base_url":            "",
+			"endpoint":            "",
+			"deployment":          "",
+			"embedding_deployment": "",
+		})
+		return
+	}
+	writeJSON(w, map[string]any{
+		"provider":            cfg.Provider,
+		"model":               cfg.Model,
+		"api_key_configured":  cfg.APIKeyConfigured,
+		"base_url":            cfg.BaseURL,
+		"endpoint":            cfg.Endpoint,
+		"deployment":          cfg.Deployment,
+		"embedding_deployment": cfg.EmbeddingDeployment,
+	})
+}
+
+func (h *Handler) putAIConfig(w http.ResponseWriter, r *http.Request) {
+	if len(h.cfg.EncryptionKey) != 32 {
+		writeError(w, "DOCPROC_ENCRYPTION_KEY must be set (32 bytes or passphrase) to store API keys securely", http.StatusBadRequest)
+		return
+	}
+	var in db.AIConfigSaveInput
+	if err := json.NewDecoder(r.Body).Decode(&in); err != nil {
+		writeError(w, "invalid JSON", http.StatusBadRequest)
+		return
+	}
+	if in.Provider == "" {
+		in.Provider = "openai"
+	}
+	if in.Model == "" {
+		in.Model = "gpt-4o-mini"
+	}
+	if err := h.pool.SaveAIConfig(r.Context(), h.cfg.EncryptionKey, &in); err != nil {
+		writeError(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	h.getAIConfig(w, r)
+}
+
+// openaiClientFromDBConfig builds an OpenAI client from DB config (for query/stream when no key in body).
+func openaiClientFromDBConfig(cfg *db.AIConfigDecrypted) (*openai.Client, string) {
+	if cfg == nil || cfg.APIKey == "" {
+		return nil, ""
+	}
+	model := cfg.Model
+	if model == "" {
+		model = "gpt-4o-mini"
+	}
+	switch cfg.Provider {
+	case "azure":
+		endpoint := cfg.Endpoint
+		if endpoint == "" {
+			return nil, ""
+		}
+		clientConfig := openai.DefaultAzureConfig(cfg.APIKey, endpoint)
+		return openai.NewClientWithConfig(clientConfig), model
+	default:
+		clientConfig := openai.DefaultConfig(cfg.APIKey)
+		if cfg.BaseURL != "" {
+			clientConfig.BaseURL = cfg.BaseURL
+		}
+		return openai.NewClientWithConfig(clientConfig), model
+	}
+}
+
 func (h *Handler) query(w http.ResponseWriter, r *http.Request) {
 	var body struct {
 		Query    string `json:"query"`
@@ -103,15 +192,23 @@ func (h *Handler) query(w http.ResponseWriter, r *http.Request) {
 		writeError(w, "missing query or prompt", http.StatusBadRequest)
 		return
 	}
-	// RAG is required for embeddings and retrieval; api_key/model in body override chat only
+	// RAG is required for embeddings and retrieval; api_key/model in body override; else use DB-stored config.
 	if h.rag == nil {
-		writeJSON(w, map[string]any{"answer": "RAG not configured. Set OPENAI_API_KEY or AZURE_OPENAI_* in .env.", "sources": []any{}})
+		writeJSON(w, map[string]any{"answer": "RAG not configured. Configure AI in Settings or set OPENAI_API_KEY / AZURE_OPENAI_* in .env.", "sources": []any{}})
 		return
 	}
 	var chatClient *openai.Client
 	model := strings.TrimSpace(body.Model)
 	if body.APIKey != "" {
 		chatClient = openai.NewClient(strings.TrimSpace(body.APIKey))
+	} else if len(h.cfg.EncryptionKey) == 32 {
+		dbCfg, _ := h.pool.GetAIConfigDecrypted(r.Context(), h.cfg.EncryptionKey)
+		if dbCfg != nil && dbCfg.APIKey != "" {
+			chatClient, model = openaiClientFromDBConfig(dbCfg)
+			if model == "" {
+				model = dbCfg.Model
+			}
+		}
 	}
 	answer, sources, err := h.rag.QueryWithClient(r.Context(), q, chatClient, model)
 	if err != nil {
@@ -189,6 +286,14 @@ func (h *Handler) queryStream(w http.ResponseWriter, r *http.Request) {
 	model := strings.TrimSpace(body.Model)
 	if body.APIKey != "" {
 		streamClient = openai.NewClient(strings.TrimSpace(body.APIKey))
+	} else if len(h.cfg.EncryptionKey) == 32 {
+		dbCfg, _ := h.pool.GetAIConfigDecrypted(ctx, h.cfg.EncryptionKey)
+		if dbCfg != nil && dbCfg.APIKey != "" {
+			streamClient, model = openaiClientFromDBConfig(dbCfg)
+			if model == "" {
+				model = dbCfg.Model
+			}
+		}
 	}
 	if err := h.rag.StreamCompletionWithClient(ctx, prompt, w, streamClient, model); err != nil {
 		return

demo/go/internal/config/config.go

@@ -3,6 +3,7 @@ package config
 import (
 	"os"
 
+	"github.com/rithulkamesh/docproc/demo/internal/secure"
 	"github.com/sashabaranov/go-openai"
 )
 
@@ -14,16 +15,19 @@ type Config struct {
 	S3Region    string
 	MQURL       string // RabbitMQ AMQP URL
 	DocprocCLI  string // Path to docproc binary (default: docproc)
-	OpenAIKey   string // For embeddings + LLM (RAG)
-	OpenAIModel string
+	// EncryptionKey is 32 bytes for encrypting/decrypting AI API keys in DB. From DOCPROC_ENCRYPTION_KEY.
+	EncryptionKey []byte
+	OpenAIKey     string // For embeddings + LLM (RAG) — fallback when no DB config
+	OpenAIModel   string
 	// Azure OpenAI (used when OPENAI_API_KEY is not set)
-	AzureAPIKey               string
-	AzureEndpoint             string
-	AzureDeployment            string
-	AzureEmbeddingDeployment   string
+	AzureAPIKey             string
+	AzureEndpoint           string
+	AzureDeployment          string
+	AzureEmbeddingDeployment string
 }
 
 // Load reads config from environment. Uses OPENAI_API_KEY if set; otherwise AZURE_OPENAI_*.
+// DOCPROC_ENCRYPTION_KEY is used to encrypt AI keys stored in the DB (32 bytes or passphrase).
 func Load() (*Config, error) {
 	c := &Config{
 		DatabaseURL: getEnv("DATABASE_URL", "postgresql://docproc:docproc@localhost:5432/docproc?sslmode=disable"),
@@ -32,6 +36,7 @@ func Load() (*Config, error) {
 		S3Region:    getEnv("AWS_REGION", "us-east-1"),
 		MQURL:       getEnv("MQ_URL", "amqp://docproc:docproc@localhost:5672/"),
 		DocprocCLI:  getEnv("DOCPROC_CLI", "docproc"),
+		EncryptionKey: keyFromEnvOrNil(os.Getenv("DOCPROC_ENCRYPTION_KEY")),
 		OpenAIKey:   os.Getenv("OPENAI_API_KEY"),
 		OpenAIModel: getEnv("OPENAI_MODEL", "gpt-4o-mini"),
 		AzureAPIKey:             os.Getenv("AZURE_OPENAI_API_KEY"),
@@ -69,6 +74,15 @@ func (c *Config) DefaultRAGModel() string {
 	return c.OpenAIModel
 }
 
+// DefaultEmbeddingDeployment returns the Azure embedding deployment name when Azure is primary, else empty.
+// Used only for /status so the frontend can show server defaults; never exposes keys or endpoints.
+func (c *Config) DefaultEmbeddingDeployment() string {
+	if c.PrimaryAI() == "azure" && c.AzureEmbeddingDeployment != "" {
+		return c.AzureEmbeddingDeployment
+	}
+	return ""
+}
+
 // AIClient returns an OpenAI-compatible client and model names (chat, embedding) using the default provider:
 // OPENAI_API_KEY if set, else AZURE_OPENAI_* if set. Returns (nil, "", "") when neither is configured.
 func (c *Config) AIClient() (client *openai.Client, chatModel, embeddingModel string) {
@@ -88,3 +102,11 @@ func getEnv(key, defaultVal string) string {
 	}
 	return defaultVal
 }
+
+// keyFromEnvOrNil returns a 32-byte key derived from passphrase, or nil if passphrase is empty.
+func keyFromEnvOrNil(passphrase string) []byte {
+	if passphrase == "" {
+		return nil
+	}
+	return secure.KeyFromEnv(passphrase)
+}