feat: монорепо миграция, Discover/SearxNG улучшения

- Миграция на монорепозиторий (apps/frontend, apps/chat-service, etc.)
- Discover: проверка SearxNG, понятное empty state при ненастроенном поиске
- searxng.ts: валидация URL, проверка JSON-ответа, авто-добавление http://
- docker/searxng-config: настройки для JSON API SearxNG

Co-authored-by: Cursor <cursoragent@cursor.com>

.gitignore

@@ -34,8 +34,10 @@ logs/
 .DS_Store
 Thumbs.db
 
-# Db
+# Db & data
 db.sqlite
+apps/frontend/data/*
+!apps/frontend/data/.gitignore
 /searxng
 
 certificates

Dockerfile.slim

@@ -1,35 +0,0 @@
-FROM node:24.5.0-slim AS builder
-
-RUN apt-get update && apt-get install -y python3 python3-pip sqlite3 && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /home/gooseek
-
-COPY package.json yarn.lock ./
-RUN yarn install --frozen-lockfile --network-timeout 600000
-
-COPY tsconfig.json next.config.mjs next-env.d.ts postcss.config.js drizzle.config.ts tailwind.config.ts ./
-COPY src ./src
-COPY public ./public
-COPY drizzle ./drizzle
-
-RUN mkdir -p /home/gooseek/data
-RUN yarn build
-
-FROM node:24.5.0-slim
-
-RUN apt-get update && apt-get install -y python3 python3-pip sqlite3 && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /home/gooseek
-
-COPY --from=builder /home/gooseek/public ./public
-COPY --from=builder /home/gooseek/.next/static ./public/_next/static
-
-COPY --from=builder /home/gooseek/.next/standalone ./
-COPY --from=builder /home/gooseek/data ./data
-COPY drizzle ./drizzle
-
-RUN mkdir /home/gooseek/uploads
-
-EXPOSE 3000
-
-CMD ["node", "server.js"]

README.md

@@ -121,10 +121,12 @@ If you prefer to build from source or need more control:
 4. Build and run using Docker:
 
    ```bash
-   docker build -t gooseek .
+   docker build -f docker/Dockerfile -t gooseek .
    docker run -d -p 3000:3000 -v gooseek-data:/home/gooseek/data --name gooseek gooseek
    ```
 
+   Or use compose: `docker compose -f docker/docker-compose.yaml up -d`
+
 5. Access GooSeek at http://localhost:3000 and configure your settings in the setup screen.
 
 **Note**: After the containers are built, you can start GooSeek directly from Docker without having to open a terminal.

apps/auth-mcs/.env.example

@@ -0,0 +1,22 @@
+# Обязательные
+BETTER_AUTH_SECRET=        # openssl rand -base64 32
+BETTER_AUTH_URL=http://localhost:3001
+
+# База данных (опционально, по умолчанию data/auth.db)
+# DATABASE_URL=file:./data/auth.db
+
+# LDAP (опционально — без этих переменных LDAP отключён)
+# LDAP_URL=ldap://ldap.example.com:389
+# LDAP_BIND_DN=cn=admin,dc=example,dc=com
+# LDAP_PASSWORD=admin_password
+# LDAP_BASE_DN=ou=users,dc=example,dc=com
+# LDAP_USERNAME_ATTR=uid
+
+# Показать вкладку LDAP на форме входа
+# NEXT_PUBLIC_LDAP_ENABLED=true
+
+# Trusted OAuth clients (JSON, опционально)
+# TRUSTED_CLIENTS=[{"clientId":"app1","clientSecret":"secret","name":"My App","type":"web","redirectUrls":["http://localhost:3000/callback"],"skipConsent":true}]
+
+# Trusted origins для CORS
+# TRUSTED_ORIGINS=http://app1.local,http://app2.local

apps/auth-mcs/.gitignore

@@ -0,0 +1,6 @@
+node_modules
+.next
+data/
+.env
+.env.local
+*.log

apps/auth-mcs/Dockerfile

@@ -0,0 +1,34 @@
+FROM node:20-alpine AS base
+
+FROM base AS deps
+WORKDIR /app
+COPY package.json package-lock.json* ./
+RUN npm ci
+
+FROM base AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+
+# Сборка без env check для статики
+ENV NEXT_TELEMETRY_DISABLED=1
+RUN npm run build
+
+FROM base AS runner
+WORKDIR /app
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+COPY --from=builder /app/public ./public
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+EXPOSE 3001
+ENV PORT=3001
+ENV HOSTNAME="0.0.0.0"
+
+CMD ["node", "server.js"]

apps/auth-mcs/README.md

@@ -0,0 +1,135 @@
+# Auth Microservice — Identity Provider
+
+Отдельный микросервис аутентификации с поддержкой **SSO**, **LDAP** и **OIDC**. Выступает как единый Identity Provider для регистрации и входа во все приложения вашего ландшафта.
+
+## Возможности
+
+- **Email/пароль** — регистрация и вход
+- **LDAP / Active Directory** — вход через корпоративный каталог
+- **SSO** — вход через внешние IdP (Okta, Google, Azure AD, Keycloak и др.)
+- **OIDC Provider** — этот сервис выступает как IdP для других приложений (Perplexica и др.)
+
+## Быстрый старт
+
+### Локально
+
+```bash
+cd auth-microservice
+cp .env.example .env
+# Отредактируйте .env: BETTER_AUTH_SECRET, BETTER_AUTH_URL
+npm install
+npm run db:migrate   # Создание таблиц БД
+npm run dev
+```
+
+Сервис доступен по адресу: **http://localhost:3001**
+
+### Docker
+
+```bash
+docker compose up -d
+```
+
+## Конфигурация
+
+### Обязательные переменные
+
+| Переменная | Описание |
+|------------|----------|
+| `BETTER_AUTH_SECRET` | Секрет для шифрования (минимум 32 символа). Сгенерируйте: `openssl rand -base64 32` |
+| `BETTER_AUTH_URL` | Публичный URL сервиса (например `https://auth.example.com`) |
+
+### LDAP (опционально)
+
+Если заданы переменные LDAP, включается вход через Active Directory / OpenLDAP:
+
+| Переменная | Описание |
+|------------|----------|
+| `LDAP_URL` | URL LDAP-сервера (`ldap://` или `ldaps://`) |
+| `LDAP_BIND_DN` | DN для bind (admin) |
+| `LDAP_PASSWORD` | Пароль для bind |
+| `LDAP_BASE_DN` | Базовый DN для поиска пользователей |
+| `LDAP_USERNAME_ATTR` | Атрибут логина (по умолчанию `uid`) |
+| `NEXT_PUBLIC_LDAP_ENABLED` | `true` — показать вкладку LDAP на форме входа |
+
+### Trusted OAuth Clients
+
+Приложения, которые могут использовать этот IdP. Задаётся через `TRUSTED_CLIENTS` (JSON-массив) или `DEFAULT_CLIENT_ID` / `DEFAULT_CLIENT_SECRET`.
+
+## Интеграция приложений
+
+### OIDC Endpoints
+
+```
+Authorization: {BETTER_AUTH_URL}/api/auth/oauth2/authorize
+Token:         {BETTER_AUTH_URL}/api/auth/oauth2/token
+UserInfo:      {BETTER_AUTH_URL}/api/auth/oauth2/userinfo
+Discovery:     {BETTER_AUTH_URL}/api/auth/.well-known/openid-configuration
+```
+
+### Регистрация клиента
+
+Через API (требуется сессия администратора):
+
+```
+POST /api/auth/oauth2/register
+Content-Type: application/json
+
+{
+  "redirect_uris": ["https://myapp.com/callback"],
+  "client_name": "My Application",
+  "scope": "openid profile email"
+}
+```
+
+### Подключение Perplexica
+
+В Perplexica настройте Better Auth как OIDC провайдер:
+
+```ts
+// В Perplexica
+baseURL: "http://localhost:3001"
+// или URL вашего auth-microservice
+```
+
+И укажите redirect URL Perplexica в `TRUSTED_CLIENTS` auth-сервиса.
+
+## SSO (вход через внешние IdP)
+
+Чтобы пользователи могли входить через Okta, Google и т.п., зарегистрируйте SSO провайдера:
+
+```ts
+await authClient.sso.register({
+  providerId: "okta",
+  issuer: "https://your-tenant.okta.com",
+  domain: "company.com",
+  oidcConfig: {
+    clientId: "...",
+    clientSecret: "...",
+  }
+});
+```
+
+## Структура проекта
+
+```
+auth-microservice/
+├── src/
+│   ├── lib/
+│   │   ├── auth.ts        # Конфигурация Better Auth
+│   │   ├── auth-client.ts # Клиент для React
+│   │   └── db.ts          # SQLite
+│   └── app/
+│       ├── api/auth/      # API Better Auth
+│       ├── sign-in/       # Страница входа
+│       ├── sign-up/       # Регистрация
+│       └── dashboard/     # Личный кабинет
+├── data/                  # SQLite (создаётся автоматически)
+├── .env.example
+├── Dockerfile
+└── docker-compose.yaml
+```
+
+## Лицензия
+
+MIT

apps/auth-mcs/auth.config.ts

@@ -0,0 +1,5 @@
+/**
+ * Re-export для Better Auth CLI (db:migrate, db:generate)
+ */
+export { auth } from './src/lib/auth';
+export { db } from './src/lib/db';

apps/auth-mcs/docker-compose.yaml

@@ -0,0 +1,15 @@
+services:
+  auth:
+    build: .
+    ports:
+      - "3001:3001"
+    environment:
+      BETTER_AUTH_SECRET: "${BETTER_AUTH_SECRET:-change-me-generate-with-openssl-rand-base64-32}"
+      BETTER_AUTH_URL: "${BETTER_AUTH_URL:-http://localhost:3001}"
+      DATABASE_PATH: /app/data/auth.db
+    volumes:
+      - auth-data:/app/data
+    restart: unless-stopped
+
+volumes:
+  auth-data:

apps/auth-mcs/next-env.d.ts

@@ -0,0 +1,6 @@
+/// <reference types="next" />
+/// <reference types="next/image-types/global" />
+/// <reference path="./.next/types/routes.d.ts" />
+
+// NOTE: This file should not be edited
+// see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

apps/auth-mcs/next.config.js

@@ -0,0 +1,7 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  reactStrictMode: true,
+  output: 'standalone',
+};
+
+export default nextConfig;

apps/auth-mcs/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "auth-microservice",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "Standalone Identity Provider microservice with SSO, LDAP, and OIDC",
+  "license": "MIT",
+  "scripts": {
+    "dev": "next dev -p 3001",
+    "build": "next build",
+    "start": "next start -p 3001",
+    "lint": "next lint",
+    "db:generate": "npx @better-auth/cli generate",
+    "db:migrate": "npx @better-auth/cli migrate --yes"
+  },
+  "dependencies": {
+    "better-auth": "^1.4.0",
+    "@better-auth/sso": "^1.3.0",
+    "better-auth-credentials-plugin": "^0.4.0",
+    "ldap-authentication": "^3.3.6",
+    "better-sqlite3": "^11.9.1",
+    "next": "^15.0.0",
+    "react": "^18",
+    "react-dom": "^18",
+    "zod": "^3.23.0"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.12",
+    "@types/node": "^20",
+    "@types/react": "^18",
+    "@types/react-dom": "^18",
+    "typescript": "^5.0.0"
+  }
+}

apps/auth-mcs/src/app/api/auth/[...all]/route.ts

@@ -0,0 +1,4 @@
+import { auth } from '@/lib/auth';
+import { toNextJsHandler } from 'better-auth/next-js';
+
+export const { GET, POST } = toNextJsHandler(auth);

apps/auth-mcs/src/app/dashboard/SignOutButton.tsx

@@ -0,0 +1,31 @@
+'use client';
+
+import { authClient } from '@/lib/auth-client';
+import { useRouter } from 'next/navigation';
+
+export function SignOutButton() {
+  const router = useRouter();
+
+  const handleSignOut = async () => {
+    await authClient.signOut();
+    router.push('/sign-in');
+    router.refresh();
+  };
+
+  return (
+    <button
+      onClick={handleSignOut}
+      type="button"
+      style={{
+        padding: '8px 16px',
+        background: '#f1f5f9',
+        border: '1px solid #e2e8f0',
+        borderRadius: 8,
+        cursor: 'pointer',
+        fontWeight: 500,
+      }}
+    >
+      Выйти
+    </button>
+  );
+}

apps/auth-mcs/src/app/dashboard/page.tsx

@@ -0,0 +1,101 @@
+import { redirect } from 'next/navigation';
+import { headers } from 'next/headers';
+import { auth } from '@/lib/auth';
+import { SignOutButton } from './SignOutButton';
+
+export default async function DashboardPage() {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session) {
+    redirect('/sign-in');
+  }
+
+  const discoveryUrl = `${process.env.BETTER_AUTH_URL || 'http://localhost:3001'}/api/auth/.well-known/openid-configuration`;
+
+  return (
+    <div
+      style={{
+        minHeight: '100vh',
+        padding: 32,
+        background: '#f8fafc',
+      }}
+    >
+      <div style={{ maxWidth: 800, margin: '0 auto' }}>
+        <div
+          style={{
+            display: 'flex',
+            justifyContent: 'space-between',
+            alignItems: 'center',
+            marginBottom: 32,
+          }}
+        >
+          <h1 style={{ margin: 0, fontSize: 28, fontWeight: 700 }}>
+            Auth Service — Identity Provider
+          </h1>
+          <SignOutButton />
+        </div>
+
+        <div
+          style={{
+            background: '#fff',
+            padding: 24,
+            borderRadius: 12,
+            boxShadow: '0 1px 3px rgba(0,0,0,0.1)',
+            marginBottom: 24,
+          }}
+        >
+          <h2 style={{ margin: '0 0 16px', fontSize: 18 }}>Ваш профиль</h2>
+          <p style={{ margin: 0, color: '#64748b' }}>
+            <strong>Email:</strong> {session.user.email}
+          </p>
+          <p style={{ margin: '8px 0 0', color: '#64748b' }}>
+            <strong>Имя:</strong> {session.user.name || '—'}
+          </p>
+        </div>
+
+        <div
+          style={{
+            background: '#fff',
+            padding: 24,
+            borderRadius: 12,
+            boxShadow: '0 1px 3px rgba(0,0,0,0.1)',
+          }}
+        >
+          <h2 style={{ margin: '0 0 16px', fontSize: 18 }}>
+            Интеграция с приложениями
+          </h2>
+          <p style={{ margin: '0 0 16px', color: '#64748b', fontSize: 14 }}>
+            Этот сервис выступает как OIDC Identity Provider. Подключите ваши
+            приложения, указав следующие параметры:
+          </p>
+          <pre
+            style={{
+              padding: 16,
+              background: '#1e293b',
+              color: '#e2e8f0',
+              borderRadius: 8,
+              overflow: 'auto',
+              fontSize: 13,
+            }}
+          >
+            {`Authorization URL: ${process.env.BETTER_AUTH_URL || 'http://localhost:3001'}/api/auth/oauth2/authorize
+Token URL: ${process.env.BETTER_AUTH_URL || 'http://localhost:3001'}/api/auth/oauth2/token
+UserInfo URL: ${process.env.BETTER_AUTH_URL || 'http://localhost:3001'}/api/auth/oauth2/userinfo
+Discovery: ${discoveryUrl}
+
+Scopes: openid profile email`}
+          </pre>
+          <p style={{ margin: '16px 0 0', color: '#64748b', fontSize: 14 }}>
+            Зарегистрируйте клиента через API{' '}
+            <code style={{ background: '#f1f5f9', padding: '2px 6px', borderRadius: 4 }}>
+              POST /api/auth/oauth2/register
+            </code>{' '}
+            или настройте trusted clients в конфигурации сервиса.
+          </p>
+        </div>
+      </div>
+    </div>
+  );
+}

apps/auth-mcs/src/app/layout.tsx

@@ -0,0 +1,18 @@
+import type { Metadata } from 'next';
+
+export const metadata: Metadata = {
+  title: 'Auth Service — Identity Provider',
+  description: 'Централизованный сервис аутентификации с SSO, LDAP и OIDC',
+};
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return (
+    <html lang="ru">
+      <body style={{ margin: 0, fontFamily: 'system-ui, sans-serif' }}>{children}</body>
+    </html>
+  );
+}

apps/auth-mcs/src/app/page.tsx

@@ -0,0 +1,13 @@
+import { redirect } from 'next/navigation';
+import { headers } from 'next/headers';
+import { auth } from '@/lib/auth';
+
+export default async function HomePage() {
+  const session = await auth.api.getSession({ headers: await headers() });
+
+  if (session) {
+    redirect('/dashboard');
+  }
+
+  redirect('/sign-in');
+}

apps/auth-mcs/src/app/sign-in/page.tsx

@@ -0,0 +1,244 @@
+'use client';
+
+import { useState } from 'react';
+import { useRouter } from 'next/navigation';
+import { authClient } from '@/lib/auth-client';
+import Link from 'next/link';
+
+type Tab = 'password' | 'ldap';
+
+export default function SignInPage() {
+  const router = useRouter();
+  const [tab, setTab] = useState<Tab>('password');
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [credential, setCredential] = useState('');
+  const [error, setError] = useState('');
+  const [loading, setLoading] = useState(false);
+
+  const ldapEnabled = process.env.NEXT_PUBLIC_LDAP_ENABLED === 'true';
+
+  const handleEmailSignIn = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setError('');
+    setLoading(true);
+    try {
+      const { error } = await authClient.signIn.email({ email, password });
+      if (error) throw new Error(error.message);
+      router.push('/dashboard');
+      router.refresh();
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : 'Ошибка входа');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleLdapSignIn = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setError('');
+    setLoading(true);
+    try {
+      const res = await fetch('/api/auth/sign-in/ldap', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ credential, password, callbackURL: '/dashboard' }),
+        credentials: 'include',
+      });
+      const data = await res.json();
+      if (!res.ok || data?.error) throw new Error(data?.message || data?.error?.message || 'Ошибка входа');
+      router.push('/dashboard');
+      router.refresh();
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : 'Ошибка LDAP входа');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <div
+      style={{
+        minHeight: '100vh',
+        display: 'flex',
+        alignItems: 'center',
+        justifyContent: 'center',
+        background: 'linear-gradient(135deg, #1a1a2e 0%, #16213e 100%)',
+      }}
+    >
+      <div
+        style={{
+          width: '100%',
+          maxWidth: 400,
+          padding: 32,
+          background: '#fff',
+          borderRadius: 12,
+          boxShadow: '0 8px 32px rgba(0,0,0,0.2)',
+        }}
+      >
+        <h1 style={{ margin: '0 0 24px', fontSize: 24, fontWeight: 600 }}>
+          Вход в систему
+        </h1>
+
+        {ldapEnabled && (
+          <div style={{ marginBottom: 16, display: 'flex', gap: 8 }}>
+            <button
+              type="button"
+              onClick={() => setTab('password')}
+              style={{
+                flex: 1,
+                padding: '10px 16px',
+                border: tab === 'password' ? '2px solid #6366f1' : '1px solid #ddd',
+                borderRadius: 8,
+                background: tab === 'password' ? '#eef2ff' : '#fff',
+                cursor: 'pointer',
+                fontWeight: 500,
+              }}
+            >
+              Email
+            </button>
+            <button
+              type="button"
+              onClick={() => setTab('ldap')}
+              style={{
+                flex: 1,
+                padding: '10px 16px',
+                border: tab === 'ldap' ? '2px solid #6366f1' : '1px solid #ddd',
+                borderRadius: 8,
+                background: tab === 'ldap' ? '#eef2ff' : '#fff',
+                cursor: 'pointer',
+                fontWeight: 500,
+              }}
+            >
+              LDAP / AD
+            </button>
+          </div>
+        )}
+
+        {error && (
+          <div
+            style={{
+              padding: 12,
+              marginBottom: 16,
+              background: '#fef2f2',
+              color: '#dc2626',
+              borderRadius: 8,
+              fontSize: 14,
+            }}
+          >
+            {error}
+          </div>
+        )}
+
+        {tab === 'password' ? (
+          <form onSubmit={handleEmailSignIn}>
+            <input
+              type="email"
+              placeholder="Email"
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              required
+              style={{
+                width: '100%',
+                padding: 12,
+                marginBottom: 12,
+                border: '1px solid #ddd',
+                borderRadius: 8,
+                boxSizing: 'border-box',
+              }}
+            />
+            <input
+              type="password"
+              placeholder="Пароль"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              required
+              style={{
+                width: '100%',
+                padding: 12,
+                marginBottom: 16,
+                border: '1px solid #ddd',
+                borderRadius: 8,
+                boxSizing: 'border-box',
+              }}
+            />
+            <button
+              type="submit"
+              disabled={loading}
+              style={{
+                width: '100%',
+                padding: 12,
+                background: '#6366f1',
+                color: '#fff',
+                border: 'none',
+                borderRadius: 8,
+                fontSize: 16,
+                fontWeight: 600,
+                cursor: loading ? 'not-allowed' : 'pointer',
+              }}
+            >
+              {loading ? 'Вход...' : 'Войти'}
+            </button>
+          </form>
+        ) : (
+          <form onSubmit={handleLdapSignIn}>
+            <input
+              type="text"
+              placeholder="Логин или DN"
+              value={credential}
+              onChange={(e) => setCredential(e.target.value)}
+              required
+              style={{
+                width: '100%',
+                padding: 12,
+                marginBottom: 12,
+                border: '1px solid #ddd',
+                borderRadius: 8,
+                boxSizing: 'border-box',
+              }}
+            />
+            <input
+              type="password"
+              placeholder="Пароль"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              required
+              style={{
+                width: '100%',
+                padding: 12,
+                marginBottom: 16,
+                border: '1px solid #ddd',
+                borderRadius: 8,
+                boxSizing: 'border-box',
+              }}
+            />
+            <button
+              type="submit"
+              disabled={loading}
+              style={{
+                width: '100%',
+                padding: 12,
+                background: '#6366f1',
+                color: '#fff',
+                border: 'none',
+                borderRadius: 8,
+                fontSize: 16,
+                fontWeight: 600,
+                cursor: loading ? 'not-allowed' : 'pointer',
+              }}
+            >
+              {loading ? 'Вход...' : 'Войти через LDAP'}
+            </button>
+          </form>
+        )}
+
+        <p style={{ marginTop: 24, textAlign: 'center', fontSize: 14, color: '#666' }}>
+          Нет аккаунта?{' '}
+          <Link href="/sign-up" style={{ color: '#6366f1', textDecoration: 'none' }}>
+            Регистрация
+          </Link>
+        </p>
+      </div>
+    </div>
+  );
+}

apps/auth-mcs/src/app/sign-up/page.tsx

@@ -0,0 +1,150 @@
+'use client';
+
+import { useState } from 'react';
+import { useRouter } from 'next/navigation';
+import { authClient } from '@/lib/auth-client';
+import Link from 'next/link';
+
+export default function SignUpPage() {
+  const router = useRouter();
+  const [name, setName] = useState('');
+  const [email, setEmail] = useState('');
+  const [password, setPassword] = useState('');
+  const [error, setError] = useState('');
+  const [loading, setLoading] = useState(false);
+
+  const handleSignUp = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setError('');
+    setLoading(true);
+    try {
+      const { error } = await authClient.signUp.email({
+        name,
+        email,
+        password,
+      });
+      if (error) throw new Error(error.message);
+      router.push('/dashboard');
+      router.refresh();
+    } catch (err: unknown) {
+      setError(err instanceof Error ? err.message : 'Ошибка регистрации');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <div
+      style={{
+        minHeight: '100vh',
+        display: 'flex',
+        alignItems: 'center',
+        justifyContent: 'center',
+        background: 'linear-gradient(135deg, #1a1a2e 0%, #16213e 100%)',
+      }}
+    >
+      <div
+        style={{
+          width: '100%',
+          maxWidth: 400,
+          padding: 32,
+          background: '#fff',
+          borderRadius: 12,
+          boxShadow: '0 8px 32px rgba(0,0,0,0.2)',
+        }}
+      >
+        <h1 style={{ margin: '0 0 24px', fontSize: 24, fontWeight: 600 }}>
+          Регистрация
+        </h1>
+
+        {error && (
+          <div
+            style={{
+              padding: 12,
+              marginBottom: 16,
+              background: '#fef2f2',
+              color: '#dc2626',
+              borderRadius: 8,
+              fontSize: 14,
+            }}
+          >
+            {error}
+          </div>
+        )}
+
+        <form onSubmit={handleSignUp}>
+          <input
+            type="text"
+            placeholder="Имя"
+            value={name}
+            onChange={(e) => setName(e.target.value)}
+            required
+            style={{
+              width: '100%',
+              padding: 12,
+              marginBottom: 12,
+              border: '1px solid #ddd',
+              borderRadius: 8,
+              boxSizing: 'border-box',
+            }}
+          />
+          <input
+            type="email"
+            placeholder="Email"
+            value={email}
+            onChange={(e) => setEmail(e.target.value)}
+            required
+            style={{
+              width: '100%',
+              padding: 12,
+              marginBottom: 12,
+              border: '1px solid #ddd',
+              borderRadius: 8,
+              boxSizing: 'border-box',
+            }}
+          />
+          <input
+            type="password"
+            placeholder="Пароль"
+            value={password}
+            onChange={(e) => setPassword(e.target.value)}
+            required
+            minLength={8}
+            style={{
+              width: '100%',
+              padding: 12,
+              marginBottom: 16,
+              border: '1px solid #ddd',
+              borderRadius: 8,
+              boxSizing: 'border-box',
+            }}
+          />
+          <button
+            type="submit"
+            disabled={loading}
+            style={{
+              width: '100%',
+              padding: 12,
+              background: '#6366f1',
+              color: '#fff',
+              border: 'none',
+              borderRadius: 8,
+              fontSize: 16,
+              fontWeight: 600,
+              cursor: loading ? 'not-allowed' : 'pointer',
+            }}
+          >
+            {loading ? 'Регистрация...' : 'Зарегистрироваться'}
+          </button>
+        </form>
+
+        <p style={{ marginTop: 24, textAlign: 'center', fontSize: 14, color: '#666' }}>
+          Уже есть аккаунт?{' '}
+          <Link href="/sign-in" style={{ color: '#6366f1', textDecoration: 'none' }}>
+            Войти
+          </Link>
+        </p>
+      </div>
+    </div>
+  );
+}

apps/auth-mcs/src/lib/auth-client.ts

@@ -0,0 +1,11 @@
+'use client';
+
+import { createAuthClient } from 'better-auth/react';
+import { ssoClient } from '@better-auth/sso/client';
+import { oidcClient } from 'better-auth/client/plugins';
+
+export const authClient = createAuthClient({
+  baseURL:
+    typeof window !== 'undefined' ? window.location.origin : process.env.NEXT_PUBLIC_AUTH_URL,
+  plugins: [ssoClient(), oidcClient()],
+});

apps/auth-mcs/src/lib/auth.ts

@@ -0,0 +1,97 @@
+import { betterAuth } from 'better-auth';
+import { sso } from '@better-auth/sso';
+import { oidcProvider } from 'better-auth/plugins';
+import { credentials } from 'better-auth-credentials-plugin';
+import { authenticate } from 'ldap-authentication';
+import { z } from 'zod';
+import { db } from './db';
+
+const baseUrl = process.env.BETTER_AUTH_URL || 'http://localhost:3001';
+
+export const auth = betterAuth({
+  database: db,
+  basePath: '/api/auth',
+  baseURL: baseUrl,
+  trustedOrigins: [
+    baseUrl,
+    'http://localhost:3000',
+    'http://localhost:3001',
+    ...(process.env.TRUSTED_ORIGINS || '').split(',').filter(Boolean),
+  ],
+  emailAndPassword: {
+    enabled: true,
+  },
+  plugins: [
+    // SSO — вход через внешние IdP (Okta, Google, Azure AD)
+    sso(),
+
+    // OIDC Provider — этот сервис выступает как IdP для других приложений
+    oidcProvider({
+      loginPage: '/sign-in',
+      allowDynamicClientRegistration: true,
+      trustedClients: (() => {
+        try {
+          if (process.env.TRUSTED_CLIENTS) {
+            return JSON.parse(process.env.TRUSTED_CLIENTS);
+          }
+        } catch {
+          /* ignore */
+        }
+        return [
+            {
+              clientId: process.env.DEFAULT_CLIENT_ID || 'perplexica',
+              clientSecret: process.env.DEFAULT_CLIENT_SECRET || 'perplexica-secret-change-me',
+              name: 'Perplexica',
+              type: 'web',
+              redirectUrls: ['http://localhost:3000/api/auth/callback/better-auth'],
+              disabled: false,
+              skipConsent: true,
+            },
+          ];
+      })(),
+    }),
+
+    // LDAP — вход через Active Directory / OpenLDAP
+    ...(process.env.LDAP_URL
+      ? [
+          credentials({
+            autoSignUp: true,
+            linkAccountIfExisting: true,
+            providerId: 'ldap',
+            path: '/sign-in/ldap',
+            inputSchema: z.object({
+              credential: z.string().min(1, 'Username or DN required'),
+              password: z.string().min(1, 'Password required'),
+            }),
+            async callback(_ctx, parsed) {
+              const ldapResult = await authenticate({
+                ldapOpts: {
+                  url: process.env.LDAP_URL!,
+                  connectTimeout: 5000,
+                  ...(process.env.LDAP_URL!.startsWith('ldaps://')
+                    ? { tlsOptions: { minVersion: 'TLSv1.2' } }
+                    : {}),
+                },
+                adminDn: process.env.LDAP_BIND_DN || '',
+                adminPassword: process.env.LDAP_PASSWORD || '',
+                userSearchBase: process.env.LDAP_BASE_DN || '',
+                usernameAttribute: process.env.LDAP_USERNAME_ATTR || 'uid',
+                username: parsed.credential,
+                userPassword: parsed.password,
+              });
+
+              const uid = ldapResult[process.env.LDAP_USERNAME_ATTR || 'uid'];
+              const email =
+                (Array.isArray(ldapResult.mail) ? ldapResult.mail[0] : ldapResult.mail) ||
+                `${uid}@local`;
+
+              return {
+                email,
+                name: ldapResult.displayName || ldapResult.cn || String(uid),
+              };
+            },
+          }),
+        ]
+      : []),
+  ],
+});

apps/auth-mcs/src/lib/db.ts

@@ -0,0 +1,15 @@
+import Database from 'better-sqlite3';
+import path from 'node:path';
+import fs from 'node:fs';
+
+const defaultPath = path.join(process.cwd(), 'data', 'auth.db');
+const dbPath = process.env.DATABASE_URL?.startsWith('file:')
+  ? process.env.DATABASE_URL.replace(/^file:/, '')
+  : process.env.DATABASE_PATH || defaultPath;
+
+const dir = path.dirname(dbPath);
+if (!fs.existsSync(dir)) {
+  fs.mkdirSync(dir, { recursive: true });
+}
+
+export const db = new Database(dbPath);

apps/auth-mcs/tsconfig.json

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2017",
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [{ "name": "next" }],
+    "paths": { "@/*": ["./src/*"] }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}

apps/frontend/drizzle.config.ts

@@ -0,0 +1,15 @@
+import { defineConfig } from 'drizzle-kit';
+import path from 'path';
+
+const dataDir = process.env.DATA_DIR
+  ? path.join(path.resolve(process.cwd(), process.env.DATA_DIR), 'data')
+  : path.join(process.cwd(), 'data');
+
+export default defineConfig({
+  dialect: 'sqlite',
+  schema: './src/lib/db/schema.ts',
+  out: './drizzle',
+  dbCredentials: {
+    url: path.join(dataDir, 'db.sqlite'),
+  },
+});

apps/frontend/next-env.d.ts

@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import './.next/dev/types/routes.d.ts';
+import "./.next/dev/types/routes.d.ts";
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

apps/frontend/package.json

@@ -0,0 +1,73 @@
+{
+  "name": "frontend",
+  "version": "1.12.1",
+  "private": true,
+  "scripts": {
+    "dev": "next dev --webpack",
+    "build": "next build --webpack",
+    "start": "next start",
+    "lint": "next lint"
+  },
+  "dependencies": {
+    "@google/genai": "^1.34.0",
+    "@headlessui/react": "^2.2.0",
+    "@headlessui/tailwindcss": "^0.2.2",
+    "@huggingface/transformers": "^3.8.1",
+    "@icons-pack/react-simple-icons": "^12.3.0",
+    "@phosphor-icons/react": "^2.1.10",
+    "@radix-ui/react-tooltip": "^1.2.8",
+    "@tailwindcss/typography": "^0.5.12",
+    "@toolsycc/json-repair": "^0.1.22",
+    "axios": "^1.8.3",
+    "better-sqlite3": "^11.9.1",
+    "clsx": "^2.1.0",
+    "drizzle-orm": "^0.40.1",
+    "js-tiktoken": "^1.0.21",
+    "jspdf": "^3.0.4",
+    "lightweight-charts": "^5.0.9",
+    "lucide-react": "^0.556.0",
+    "mammoth": "^1.9.1",
+    "markdown-to-jsx": "^7.7.2",
+    "mathjs": "^15.1.0",
+    "motion": "^12.23.26",
+    "next": "^16.0.7",
+    "next-themes": "^0.3.0",
+    "officeparser": "^5.2.2",
+    "ollama": "^0.6.3",
+    "openai": "^6.9.0",
+    "partial-json": "^0.1.7",
+    "pdf-parse": "^2.4.5",
+    "react": "^18",
+    "react-dom": "^18",
+    "react-syntax-highlighter": "^16.1.0",
+    "react-text-to-speech": "^0.14.5",
+    "react-textarea-autosize": "^8.5.3",
+    "rfc6902": "^5.1.2",
+    "sonner": "^1.4.41",
+    "tailwind-merge": "^2.2.2",
+    "turndown": "^7.2.2",
+    "yahoo-finance2": "^3.10.2",
+    "yet-another-react-lightbox": "^3.17.2",
+    "zod": "^4.1.12"
+  },
+  "devDependencies": {
+    "@types/better-sqlite3": "^7.6.12",
+    "@types/jspdf": "^2.0.0",
+    "@types/node": "^24.8.1",
+    "@types/pdf-parse": "^1.1.4",
+    "@types/react": "^18",
+    "@types/react-dom": "^18",
+    "@types/react-syntax-highlighter": "^15.5.13",
+    "@types/turndown": "^5.0.6",
+    "autoprefixer": "^10.0.1",
+    "drizzle-kit": "^0.30.5",
+    "eslint": "^8",
+    "eslint-config-next": "14.1.4",
+    "postcss": "^8",
+    "tailwindcss": "^3.3.0",
+    "typescript": "^5.9.3"
+  },
+  "optionalDependencies": {
+    "@napi-rs/canvas": "^0.1.87"
+  }
+}

apps/frontend/src/app/api/discover/route.ts

@@ -1,4 +1,5 @@
 import { searchSearxng } from '@/lib/searxng';
+import { getSearxngURL } from '@/lib/config/serverRegistry';
 
 const websitesForTopic = {
   tech: {
@@ -27,6 +28,17 @@ type Topic = keyof typeof websitesForTopic;
 
 export const GET = async (req: Request) => {
   try {
+    const searxngURL = getSearxngURL();
+    if (!searxngURL?.trim()) {
+      return Response.json(
+        {
+          message:
+            'SearxNG is not configured. Please set the SearxNG URL in Settings → Search.',
+        },
+        { status: 503 },
+      );
+    }
+
     const params = new URL(req.url).searchParams;
 
     const mode: 'normal' | 'preview' =
@@ -85,14 +97,17 @@ export const GET = async (req: Request) => {
       },
     );
   } catch (err) {
-    console.error(`An error occurred in discover route: ${err}`);
+    const message =
+      err instanceof Error ? err.message : 'An error has occurred';
+    console.error(`Discover route error:`, err);
     return Response.json(
       {
-        message: 'An error has occurred',
-      },
-      {
-        status: 500,
+        message:
+          message.includes('fetch') || message.includes('ECONNREFUSED')
+            ? 'Cannot connect to SearxNG. Check that it is running and the URL is correct in Settings.'
+            : message,
       },
+      { status: 500 },
     );
   }
 };