feat: Implement secure Authentication system with JWT and AuthScreen UI

app/api/auth_router.py

@@ -0,0 +1,66 @@
+from fastapi import APIRouter, HTTPException, status, Depends
+from pydantic import BaseModel, field_validator
+import re
+
+from app.auth.auth import hash_password, verify_password, create_token, get_current_user
+from app.db.session import create_user, get_user
+
+router = APIRouter(prefix="/auth", tags=["auth"])
+
+
+class AuthRequest(BaseModel):
+    username: str
+    password: str
+
+    @field_validator("username")
+    @classmethod
+    def validate_username(cls, v: str) -> str:
+        v = v.strip()
+        if not 3 <= len(v) <= 30:
+            raise ValueError("Username must be 3–30 characters")
+        if not re.match(r"^[a-zA-Z0-9_]+$", v):
+            raise ValueError("Username can only contain letters, numbers, and underscores")
+        return v
+
+    @field_validator("password")
+    @classmethod
+    def validate_password(cls, v: str) -> str:
+        if len(v) < 6:
+            raise ValueError("Password must be at least 6 characters")
+        return v
+
+
+class TokenResponse(BaseModel):
+    access_token: str
+    token_type: str = "bearer"
+    username: str
+
+
+@router.post("/register", response_model=TokenResponse)
+async def register(req: AuthRequest):
+    hashed = hash_password(req.password)
+    created = create_user(req.username, hashed)
+    if not created:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail="Username already taken"
+        )
+    token = create_token(req.username)
+    return TokenResponse(access_token=token, username=req.username)
+
+
+@router.post("/login", response_model=TokenResponse)
+async def login(req: AuthRequest):
+    row = get_user(req.username)
+    if not row or not verify_password(req.password, row[1]):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password"
+        )
+    token = create_token(req.username)
+    return TokenResponse(access_token=token, username=req.username)
+
+
+@router.get("/me")
+async def me(current_user: str = Depends(get_current_user)):
+    return {"username": current_user}

app/api/endpoints.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, HTTPException, Response
+from fastapi import APIRouter, HTTPException, Depends
 from fastapi.responses import StreamingResponse
 import json
 import asyncio
@@ -11,33 +11,32 @@ from app.services.hippocampus import consolidate_memory
 from app.services.neocortex import extract_and_store_knowledge
 from app.services.sleep_cycle import run_sleep_cycle
 from app.db.neo4j_driver import neo4j_db
-
 from app.services.vitals import get_brain_vitals
+from app.auth.auth import get_current_user
 
 router = APIRouter()
 
+
+# ── Brain Vitals ─────────────────────────────────────────────────
+
 @router.get("/brain/vitals")
-async def fetch_brain_vitals(user_id: str = "default_user"):
-    """Return metrics for Sensory, Semantic, and Working Memory layers."""
-    return get_brain_vitals(user_id)
+async def fetch_brain_vitals(current_user: str = Depends(get_current_user)):
+    return get_brain_vitals(current_user)
+
 
 @router.get("/brain/sparks")
-async def fetch_neural_sparks(user_id: str = "default_user", limit: int = 5):
-    """Retrieve the latest spontaneous background insights."""
-    return get_recent_sparks(user_id=user_id, limit=limit)
+async def fetch_neural_sparks(limit: int = 5, current_user: str = Depends(get_current_user)):
+    return get_recent_sparks(user_id=current_user, limit=limit)
 
 
-# ── Knowledge Graph Endpoints ────────────────────────────────────
+# ── Knowledge Graph ───────────────────────────────────────────────
 
 @router.get("/graph")
-async def get_knowledge_graph(user_id: str = "default_user"):
-    """Return all nodes and edges from the Knowledge Graph for visualization."""
+async def get_knowledge_graph(current_user: str = Depends(get_current_user)):
     if not neo4j_db.driver:
         return {"nodes": [], "edges": [], "status": "offline"}
 
     try:
-        # Fetch all nodes with their connection counts
-        # Include legacy nodes (no user_id) alongside user-specific ones
         node_query = """
         MATCH (n:Entity)
         WHERE n.user_id = $user_id OR n.user_id IS NULL
@@ -45,25 +44,18 @@ async def get_knowledge_graph(user_id: str = "default_user"):
         RETURN n.name AS id, count(r) AS connections
         ORDER BY connections DESC
         """
-        node_results = neo4j_db.query(node_query, {"user_id": user_id}) or []
+        node_results = neo4j_db.query(node_query, {"user_id": current_user}) or []
 
-        # Fetch all edges
         edge_query = """
         MATCH (s:Entity)-[r]->(t:Entity)
         WHERE (s.user_id = $user_id OR s.user_id IS NULL)
           AND (t.user_id = $user_id OR t.user_id IS NULL)
         RETURN s.name AS source, type(r) AS label, t.name AS target
         """
-        edge_results = neo4j_db.query(edge_query, {"user_id": user_id}) or []
+        edge_results = neo4j_db.query(edge_query, {"user_id": current_user}) or []
 
-        nodes = [
-            {"id": r["id"], "label": r["id"], "connections": r["connections"]}
-            for r in node_results
-        ]
-        edges = [
-            {"source": r["source"], "target": r["target"], "label": r["label"]}
-            for r in edge_results
-        ]
+        nodes = [{"id": r["id"], "label": r["id"], "connections": r["connections"]} for r in node_results]
+        edges = [{"source": r["source"], "target": r["target"], "label": r["label"]} for r in edge_results]
 
         return {"nodes": nodes, "edges": edges, "status": "online"}
     except Exception as e:
@@ -71,8 +63,7 @@ async def get_knowledge_graph(user_id: str = "default_user"):
 
 
 @router.get("/graph/stats")
-async def get_graph_stats(user_id: str = "default_user"):
-    """Return aggregate stats about the Knowledge Graph."""
+async def get_graph_stats(current_user: str = Depends(get_current_user)):
     if not neo4j_db.driver:
         return {"node_count": 0, "edge_count": 0, "top_entities": [], "status": "offline"}
 
@@ -83,7 +74,7 @@ async def get_graph_stats(user_id: str = "default_user"):
         OPTIONAL MATCH (n)-[r]->()
         RETURN count(DISTINCT n) AS nodes, count(DISTINCT r) AS edges
         """
-        counts = neo4j_db.query(count_query, {"user_id": user_id})
+        counts = neo4j_db.query(count_query, {"user_id": current_user})
         node_count = counts[0]["nodes"] if counts else 0
         edge_count = counts[0]["edges"] if counts else 0
 
@@ -94,21 +85,18 @@ async def get_graph_stats(user_id: str = "default_user"):
         ORDER BY connections DESC
         LIMIT 5
         """
-        top_results = neo4j_db.query(top_query, {"user_id": user_id}) or []
+        top_results = neo4j_db.query(top_query, {"user_id": current_user}) or []
         top_entities = [{"entity": r["entity"], "connections": r["connections"]} for r in top_results]
 
-        return {
-            "node_count": node_count,
-            "edge_count": edge_count,
-            "top_entities": top_entities,
-            "status": "online"
-        }
+        return {"node_count": node_count, "edge_count": edge_count, "top_entities": top_entities, "status": "online"}
     except Exception as e:
         return {"node_count": 0, "edge_count": 0, "top_entities": [], "status": "error", "detail": str(e)}
 
+
+# ── Request / Response Models ─────────────────────────────────────
+
 class QueryRequest(BaseModel):
     text: str
-    user_id: str = "default_user"
 
 class QueryResponse(BaseModel):
     response: str
@@ -117,47 +105,49 @@ class QueryResponse(BaseModel):
 class IngestRequest(BaseModel):
     text: str
     metadata: Optional[Dict] = None
-    user_id: str = "default_user"
 
 class IngestResponse(BaseModel):
     message: str
     chunks: int
 
 class ConsolidateRequest(BaseModel):
-    user_id: str
+    pass  # user_id now comes from token
+
+
+# ── Consolidate ───────────────────────────────────────────────────
 
 @router.post("/consolidate", response_model=IngestResponse)
-async def process_consolidation(request: ConsolidateRequest):
+async def process_consolidation(current_user: str = Depends(get_current_user)):
     try:
-        chunks, msg = consolidate_memory(request.user_id)
-        # Assuming consolidate_memory returns chunks > 0 if there was memory
+        chunks, msg = consolidate_memory(current_user)
         if chunks > 0:
-            history = get_recent_messages(request.user_id, exchanges=50)
+            history = get_recent_messages(current_user, exchanges=50)
             doc = "\n".join([f"{m['role']}: {m['content']}" for m in history])
-            triples = extract_and_store_knowledge(doc, request.user_id)
+            triples = extract_and_store_knowledge(doc, current_user)
             msg += f" Extracted {triples} graph relations."
-            
-        return IngestResponse(
-            message=msg,
-            chunks=chunks
-        )
+        return IngestResponse(message=msg, chunks=chunks)
     except Exception as e:
         raise HTTPException(status_code=500, detail=str(e))
 
+
+# ── Sleep ─────────────────────────────────────────────────────────
+
 @router.post("/sleep")
-async def process_sleep_cycle():
-    """Trigger one full Sleep Cycle — summarize, store, and prune."""
+async def process_sleep_cycle(current_user: str = Depends(get_current_user)):
     try:
         report = run_sleep_cycle(keep_recent=10)
         return report
     except Exception as e:
         raise HTTPException(status_code=500, detail=str(e))
 
+
+# ── Ingest ────────────────────────────────────────────────────────
+
 @router.post("/ingest", response_model=IngestResponse)
-async def process_ingest(request: IngestRequest):
+async def process_ingest(request: IngestRequest, current_user: str = Depends(get_current_user)):
     try:
-        num_chunks = ingest_text(request.text, request.metadata, request.user_id)
-        triples = extract_and_store_knowledge(request.text, request.user_id)
+        num_chunks = ingest_text(request.text, request.metadata, current_user)
+        triples = extract_and_store_knowledge(request.text, current_user)
         return IngestResponse(
             message=f"Sensory data ingested. Extracted {triples} graph relations.",
             chunks=num_chunks
@@ -165,18 +155,17 @@ async def process_ingest(request: IngestRequest):
     except Exception as e:
         raise HTTPException(status_code=500, detail=str(e))
 
+
+# ── Stream Query ──────────────────────────────────────────────────
+
 @router.post("/query/stream")
-async def process_query_stream(request: QueryRequest):
-    """
-    Stream the cognitive process and finally the response as Server-Sent Events.
-    """
+async def process_query_stream(request: QueryRequest, current_user: str = Depends(get_current_user)):
     async def event_generator():
         try:
-            # Step 1: Initial State
-            history = get_recent_messages(request.user_id, exchanges=5)
+            history = get_recent_messages(current_user, exchanges=5)
             state_input = {
                 "input": request.text,
-                "user_id": request.user_id,
+                "user_id": current_user,
                 "chat_history": history,
                 "context": [],
                 "graph_context": [],
@@ -184,44 +173,35 @@ async def process_query_stream(request: QueryRequest):
                 "response": ""
             }
 
-            # Send Initial Perception Trace
             perception_msg = f"Processing query: {request.text[:50]}..."
             yield f"event: trace\ndata: {json.dumps({'phase': 'perception', 'message': perception_msg})}\n\n"
             await asyncio.sleep(0.1)
 
-            # Step 2: Stream LangGraph Execution
-            # orchestrator.stream is a sync iterator, so we use it in a thread or just run it if it's fast enough
-            # For simplicity in this demo, we use the stream directly
             for output in orchestrator.stream(state_input):
                 for node_name, node_output in output.items():
                     if node_name == "reflect":
-                        # Send Internal Reflection Trace
                         reflection = node_output.get("reflection", "")
                         yield f"event: reflection\ndata: {json.dumps({'message': reflection})}\n\n"
-                        await asyncio.sleep(0.3)  # Give user time to read the 'thought'
-                    
+                        await asyncio.sleep(0.3)
+
                     elif node_name == "retrieve":
-                        # Send Recall & Association Trace
                         trace_data = node_output.get("trace_data", {})
                         recall_msg = f"Found {trace_data.get('sensory_count')} sensory memories."
                         assoc_msg = f"Extracted {trace_data.get('graph_count')} graph relations."
-                        
                         yield f"event: trace\ndata: {json.dumps({'phase': 'recall', 'message': recall_msg, 'data': node_output.get('context')})}\n\n"
                         await asyncio.sleep(0.2)
                         yield f"event: trace\ndata: {json.dumps({'phase': 'association', 'message': assoc_msg, 'data': node_output.get('graph_context'), 'touched': trace_data.get('touched')})}\n\n"
                         await asyncio.sleep(0.2)
-                    
+
                     elif node_name == "call_model":
-                        # Send Reasoning & Final Trace
                         reason_msg = "Synthesizing final response via Cortex Node..."
                         yield f"event: trace\ndata: {json.dumps({'phase': 'reasoning', 'message': reason_msg})}\n\n"
                         await asyncio.sleep(0.1)
-                        
+
                         final_response = node_output.get("response", "")
-                        # Save to Working Memory
-                        add_message(request.user_id, "user", request.text)
-                        add_message(request.user_id, "assistant", final_response)
-                        
+                        add_message(current_user, "user", request.text)
+                        add_message(current_user, "assistant", final_response)
+
                         yield f"event: final_result\ndata: {json.dumps({'response': final_response})}\n\n"
 
         except Exception as e:
@@ -229,43 +209,13 @@ async def process_query_stream(request: QueryRequest):
 
     return StreamingResponse(event_generator(), media_type="text/event-stream")
 
-@router.post("/query", response_model=QueryResponse)
-async def process_query(request: QueryRequest):
-    try:
-        # Step 3: Working Memory - Load the last 5 exchanges
-        history = get_recent_messages(request.user_id, exchanges=5)
-        
-        # Step 2: Sensory Memory Logic - invoke the retrieval-augmented graph
-        state_input = {
-            "input": request.text,
-            "user_id": request.user_id,
-            "chat_history": history,
-            "context": [],
-            "graph_context": [],
-            "response": ""
-        }
-        
-        # Run the graph
-        result = orchestrator.invoke(state_input)
-        final_response = result.get("response", "No response generated.")
-        
-        # Step 3 (cont): Save the new exchange to Working Memory
-        add_message(request.user_id, "user", request.text)
-        add_message(request.user_id, "assistant", final_response)
-        
-        return QueryResponse(
-            response=final_response,
-            sources=["Step 2: Sensory Memory (ChromaDB)", "Step 3: Working Memory (SQLite)"]
-        )
-    except Exception as e:
-        raise HTTPException(status_code=500, detail=str(e))
+
+# ── History ───────────────────────────────────────────────────────
 
 @router.get("/history")
-async def fetch_chat_history(user_id: str = "default_user"):
-    """Fetch the recent SQLite conversation when switching personas."""
+async def fetch_chat_history(current_user: str = Depends(get_current_user)):
     try:
-        history = get_recent_messages(user_id, exchanges=20)
+        history = get_recent_messages(current_user, exchanges=20)
         return {"messages": history}
     except Exception as e:
         raise HTTPException(status_code=500, detail=str(e))
-

app/auth/auth.py

@@ -0,0 +1,56 @@
+from datetime import datetime, timedelta
+from typing import Optional
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from jose import JWTError, jwt
+from passlib.context import CryptContext
+
+from app.core.config import settings
+
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+bearer_scheme = HTTPBearer()
+
+
+# ── Password helpers ──────────────────────────────────────────────
+
+def hash_password(plain: str) -> str:
+    return pwd_context.hash(plain)
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return pwd_context.verify(plain, hashed)
+
+
+# ── JWT helpers ───────────────────────────────────────────────────
+
+def create_token(username: str) -> str:
+    expire = datetime.utcnow() + timedelta(days=settings.JWT_EXPIRE_DAYS)
+    payload = {"sub": username, "exp": expire}
+    return jwt.encode(payload, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
+
+
+def decode_token(token: str) -> Optional[str]:
+    """Return username from a valid token, or None."""
+    try:
+        payload = jwt.decode(token, settings.JWT_SECRET_KEY, algorithms=[settings.JWT_ALGORITHM])
+        return payload.get("sub")
+    except JWTError:
+        return None
+
+
+# ── FastAPI dependency ────────────────────────────────────────────
+
+def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(bearer_scheme)) -> str:
+    """
+    Validates the Bearer token and returns the username (used as user_id).
+    Raises 401 if the token is missing, expired, or invalid.
+    """
+    username = decode_token(credentials.credentials)
+    if not username:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or expired token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    return username

app/core/config.py

@@ -32,6 +32,11 @@ class Settings(BaseSettings):
     # SQLite Path
     SQLITE_DB_PATH: str = os.getenv("SQLITE_DB_PATH", os.path.join(os.getcwd(), "data", "soma_sessions.db"))
 
+    # Auth
+    JWT_SECRET_KEY: str = os.getenv("JWT_SECRET_KEY", "change-this-in-production-please")
+    JWT_ALGORITHM: str = "HS256"
+    JWT_EXPIRE_DAYS: int = 30
+
     model_config = SettingsConfigDict(case_sensitive=True)
 
 @lru_cache()

app/db/session.py

@@ -5,6 +5,14 @@ DB_PATH = settings.SQLITE_DB_PATH
 
 def init_session_db():
     with sqlite3.connect(DB_PATH) as db:
+        db.execute('''
+            CREATE TABLE IF NOT EXISTS users (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                username TEXT UNIQUE NOT NULL,
+                hashed_password TEXT NOT NULL,
+                created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+            )
+        ''')
         db.execute('''
             CREATE TABLE IF NOT EXISTS messages (
                 id INTEGER PRIMARY KEY AUTOINCREMENT,
@@ -23,13 +31,37 @@ def init_session_db():
                 timestamp DATETIME DEFAULT CURRENT_TIMESTAMP
             )
         ''')
-        # Migration: add user_id to existing databses gracefully
+        # Migration: add user_id to existing databases gracefully
         try:
             db.execute("ALTER TABLE neural_sparks ADD COLUMN user_id TEXT DEFAULT 'default_user'")
         except sqlite3.OperationalError:
             pass
         db.commit()
 
+# ── User account helpers ──────────────────────────────────────────
+
+def create_user(username: str, hashed_password: str) -> bool:
+    """Insert a new user. Returns False if username already taken."""
+    try:
+        with sqlite3.connect(DB_PATH) as db:
+            db.execute(
+                'INSERT INTO users (username, hashed_password) VALUES (?, ?)',
+                (username, hashed_password)
+            )
+            db.commit()
+        return True
+    except sqlite3.IntegrityError:
+        return False
+
+def get_user(username: str):
+    """Return (username, hashed_password) row or None."""
+    with sqlite3.connect(DB_PATH) as db:
+        cursor = db.execute(
+            'SELECT username, hashed_password FROM users WHERE username = ?',
+            (username,)
+        )
+        return cursor.fetchone()
+
 def add_message(session_id: str, role: str, content: str):
     """Save a single message to the Working Memory."""
     with sqlite3.connect(DB_PATH) as db:

app/main.py

@@ -2,6 +2,7 @@ from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 from app.core.config import settings
 from app.api.endpoints import router as api_router
+from app.api.auth_router import router as auth_router
 from app.db.session import init_session_db
 from app.services.dreaming import idle_brain_cycle
 import asyncio
@@ -27,7 +28,8 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
-# Include the API router
+# Include routers
+app.include_router(auth_router, prefix=settings.API_V1_STR)
 app.include_router(api_router, prefix=settings.API_V1_STR)
 
 # Serve React frontend if built

frontend/src/App.jsx

@@ -4,11 +4,14 @@ import BrainProcess from './components/BrainProcess'
 import KnowledgeGraph from './components/KnowledgeGraph'
 import DreamSequence from './components/DreamSequence'
 import Onboarding from './components/Onboarding'
+import AuthScreen from './components/AuthScreen'
+import { apiFetch } from './api'
 import './App.css'
 
 function App() {
-  const [messages, setMessages]     = useState([])
-  const [brainState, setBrainState] = useState({
+  const [currentUser,     setCurrentUser]     = useState(() => localStorage.getItem('soma_username') || null)
+  const [messages,        setMessages]        = useState([])
+  const [brainState,      setBrainState]      = useState({
     sensoryDocuments: 0,
     graphRelations:   0,
     workingMemory:    0,
@@ -20,17 +23,16 @@ function App() {
     cognitiveState:   'IDLE',
     traces:           []
   })
-  const [rightPanel,      setRightPanel]      = useState('graph')
-  const [currentPersona,  setCurrentPersona]  = useState('User_Alpha')
-  const [showOnboarding,  setShowOnboarding]  = useState(false)
-  const [theme,           setTheme]           = useState(() => localStorage.getItem('soma_theme') || 'dark')
-  const [graphRefreshTick, setGraphRefreshTick] = useState(0)   // increments → graph re-fetches
-  const [sleepModal,      setSleepModal]      = useState(null)  // null | { pruned, relations }
+  const [rightPanel,       setRightPanel]       = useState('graph')
+  const [showOnboarding,   setShowOnboarding]   = useState(false)
+  const [theme,            setTheme]            = useState(() => localStorage.getItem('soma_theme') || 'dark')
+  const [graphRefreshTick, setGraphRefreshTick] = useState(0)
+  const [sleepModal,       setSleepModal]       = useState(null)
 
   // ── Resizable columns ──
   const [colWidths, setColWidths] = useState([30, 32, 38])
-  const dragRef   = useRef(null)
-  const layoutRef = useRef(null)
+  const dragRef    = useRef(null)
+  const layoutRef  = useRef(null)
 
   const startDrag = useCallback((dividerIndex, e) => {
     e.preventDefault()
@@ -68,19 +70,22 @@ function App() {
     localStorage.setItem('soma_theme', theme)
   }, [theme])
 
-  // ── First visit ──
+  // ── First visit onboarding ──
   useEffect(() => {
-    if (!localStorage.getItem('soma_visited')) {
+    if (currentUser && !localStorage.getItem('soma_visited')) {
       setShowOnboarding(true)
       localStorage.setItem('soma_visited', 'true')
     }
-  }, [])
+  }, [currentUser])
 
-  // ── Poll vitals & sparks ──
+  // ── Poll vitals & sparks (only when logged in) ──
   useEffect(() => {
+    if (!currentUser) return
+
     const fetchVitals = async () => {
       try {
-        const res  = await fetch(`/api/v1/brain/vitals?user_id=${currentPersona}`)
+        const res  = await apiFetch(`/api/v1/brain/vitals`)
+        if (!res.ok) return
         const data = await res.json()
         setBrainState(prev => ({
           ...prev,
@@ -91,35 +96,40 @@ function App() {
         }))
       } catch { /* backend offline */ }
     }
+
     const fetchSparks = async () => {
       try {
-        const res  = await fetch(`/api/v1/brain/sparks?user_id=${currentPersona}`)
+        const res  = await apiFetch(`/api/v1/brain/sparks`)
+        if (!res.ok) return
         const data = await res.json()
         setBrainState(prev => ({ ...prev, sparks: data }))
       } catch { /* silent */ }
     }
+
     fetchVitals(); fetchSparks()
     const id = setInterval(() => { fetchVitals(); fetchSparks() }, 20000)
     return () => clearInterval(id)
-  }, [currentPersona])
+  }, [currentUser])
 
-  // ── Chat history on persona change ──
+  // ── Chat history on login ──
   useEffect(() => {
+    if (!currentUser) return
     const load = async () => {
       try {
-        const res  = await fetch(`/api/v1/history?user_id=${currentPersona}`)
+        const res  = await apiFetch(`/api/v1/history`)
+        if (!res.ok) return
         const data = await res.json()
         setMessages(data.messages || [])
       } catch { /* silent */ }
     }
     load()
-  }, [currentPersona])
+  }, [currentUser])
 
   // ── Sleep ──
   const handleSleep = async () => {
     setBrainState(prev => ({ ...prev, isLoading: true, cognitiveState: 'SLEEPING' }))
     try {
-      const res  = await fetch('/api/v1/sleep', { method: 'POST' })
+      const res  = await apiFetch('/api/v1/sleep', { method: 'POST' })
       const data = await res.json()
       setBrainState(prev => ({ ...prev, isLoading: false, cognitiveState: 'IDLE', statusMessage: 'Memory consolidated.' }))
       setSleepModal({ pruned: data.messages_pruned ?? 0, relations: data.graph_relations_extracted ?? 0 })
@@ -128,11 +138,34 @@ function App() {
     }
   }
 
-  // ── Called by ChatPanel after each AI response ──
+  // ── Graph refresh after chat ──
   const handleChatComplete = useCallback(() => {
     setGraphRefreshTick(t => t + 1)
   }, [])
 
+  // ── Auth ──
+  const handleAuth = (username) => {
+    setCurrentUser(username)
+    setMessages([])
+  }
+
+  const handleLogout = () => {
+    localStorage.removeItem('soma_token')
+    localStorage.removeItem('soma_username')
+    setCurrentUser(null)
+    setMessages([])
+    setBrainState(prev => ({ ...prev, sensoryDocuments: 0, graphRelations: 0, workingMemory: 0, sparks: [] }))
+  }
+
+  // ── Show auth screen if not logged in ──
+  if (!currentUser) {
+    return (
+      <div data-theme={theme}>
+        <AuthScreen onAuth={handleAuth} />
+      </div>
+    )
+  }
+
   return (
     <div className={`app-root state-${brainState.cognitiveState.toLowerCase()}`}>
 
@@ -188,11 +221,11 @@ function App() {
             Sleep
           </button>
 
-          <select className="persona-select t-label" value={currentPersona} onChange={e => setCurrentPersona(e.target.value)}>
-            <option value="User_Alpha">Alpha</option>
-            <option value="User_Beta">Beta</option>
-            <option value="System_Admin">Admin</option>
-          </select>
+          {/* Logged-in user + logout */}
+          <div className="user-chip">
+            <span className="user-chip-name t-label">{currentUser}</span>
+            <button className="user-logout-btn t-label" onClick={handleLogout} title="Sign out">↩</button>
+          </div>
 
           <button className="theme-toggle" onClick={() => setTheme(t => t === 'dark' ? 'light' : 'dark')} title="Toggle theme">
             {theme === 'dark' ? (
@@ -224,7 +257,7 @@ function App() {
             brainState={brainState}
             setBrainState={setBrainState}
             isLoading={brainState.isLoading}
-            currentPersona={currentPersona}
+            currentUser={currentUser}
             onChatComplete={handleChatComplete}
           />
         </div>
@@ -244,7 +277,7 @@ function App() {
           {rightPanel === 'graph'
             ? <KnowledgeGraph
                 highlightedNodes={brainState.highlightedNodes}
-                currentPersona={currentPersona}
+                currentUser={currentUser}
                 refreshTick={graphRefreshTick}
               />
             : <DreamSequence sparks={brainState.sparks} />

frontend/src/api.js

@@ -0,0 +1,16 @@
+/**
+ * Authenticated fetch wrapper.
+ * Reads the JWT from localStorage and attaches it as a Bearer token
+ * on every request. Drop-in replacement for fetch().
+ */
+export function apiFetch(url, options = {}) {
+  const token = localStorage.getItem('soma_token');
+  return fetch(url, {
+    ...options,
+    headers: {
+      'Content-Type': 'application/json',
+      ...(token ? { Authorization: `Bearer ${token}` } : {}),
+      ...options.headers,
+    },
+  });
+}

frontend/src/components/AuthScreen.css

@@ -0,0 +1,184 @@
+.auth-overlay {
+  position: fixed;
+  inset: 0;
+  background: var(--bg-0);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  z-index: 1000;
+  padding: 24px;
+}
+
+.auth-card {
+  width: 100%;
+  max-width: 380px;
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 20px;
+  animation: soma-rise 0.4s cubic-bezier(0.22, 1, 0.36, 1) both;
+}
+
+/* ── Logo ── */
+.auth-logo {
+  display: flex;
+  align-items: center;
+  gap: 14px;
+}
+
+.auth-orb {
+  width: 36px;
+  height: 36px;
+  position: relative;
+  transform-style: preserve-3d;
+  animation: orb-spin 10s linear infinite;
+}
+
+@keyframes orb-spin {
+  from { transform: perspective(80px) rotateY(0deg)   rotateX(15deg); }
+  to   { transform: perspective(80px) rotateY(360deg) rotateX(15deg); }
+}
+
+.auth-orb-ring {
+  position: absolute;
+  inset: 2px;
+  border-radius: 50%;
+  border: 1.5px solid var(--pulse);
+  opacity: 0.6;
+}
+.auth-orb-ring.r2 { transform: rotateX(60deg); }
+.auth-orb-ring.r3 { transform: rotateX(-60deg); }
+
+.auth-orb-core {
+  position: absolute;
+  inset: 11px;
+  background: var(--pulse);
+  border-radius: 50%;
+  opacity: 0.75;
+  filter: blur(1px);
+  box-shadow: 0 0 10px var(--pulse);
+}
+
+.auth-logo-name {
+  font-family: var(--font-mono);
+  font-size: 1.4rem;
+  font-weight: 700;
+  letter-spacing: 0.45em;
+  color: var(--text-0);
+}
+
+/* ── Headings ── */
+.auth-title {
+  font-family: var(--font-display);
+  font-style: italic;
+  font-size: 1.5rem;
+  font-weight: 400;
+  color: var(--text-0);
+  margin: 0;
+  text-align: center;
+}
+
+.auth-sub {
+  font-size: 0.78rem;
+  color: var(--text-2);
+  text-align: center;
+  line-height: 1.7;
+  max-width: 300px;
+  margin: -8px 0 0;
+}
+
+/* ── Form ── */
+.auth-form {
+  width: 100%;
+  display: flex;
+  flex-direction: column;
+  gap: 14px;
+  background: var(--bg-2);
+  border: 1px solid var(--border-1);
+  border-radius: 16px;
+  padding: 24px;
+}
+
+.auth-field {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.auth-label {
+  font-family: var(--font-mono);
+  font-size: 0.52rem;
+  letter-spacing: 0.18em;
+  text-transform: uppercase;
+  color: var(--text-2);
+}
+
+.auth-input {
+  background: var(--bg-1);
+  border: 1px solid var(--border-0);
+  border-radius: 8px;
+  padding: 10px 14px;
+  color: var(--text-0);
+  font-family: var(--font-body);
+  font-size: 0.9rem;
+  outline: none;
+  transition: border-color 0.2s ease;
+}
+
+.auth-input:focus {
+  border-color: var(--pulse);
+  box-shadow: 0 0 0 2px var(--border-0);
+}
+
+.auth-input::placeholder { color: var(--text-2); }
+
+/* ── Error ── */
+.auth-error {
+  font-size: 0.75rem;
+  color: var(--error, #e05252);
+  background: rgba(224, 82, 82, 0.08);
+  border: 1px solid rgba(224, 82, 82, 0.2);
+  border-radius: 6px;
+  padding: 8px 12px;
+  margin: 0;
+}
+
+/* ── Submit ── */
+.auth-submit {
+  padding: 11px;
+  border-radius: 9px;
+  background: var(--pulse);
+  color: var(--bg-0);
+  border: none;
+  font-family: var(--font-mono);
+  font-size: 0.7rem;
+  font-weight: 700;
+  letter-spacing: 0.12em;
+  text-transform: uppercase;
+  cursor: pointer;
+  transition: opacity 0.2s ease;
+  margin-top: 4px;
+}
+
+.auth-submit:hover:not(:disabled) { opacity: 0.88; }
+.auth-submit:disabled { opacity: 0.4; cursor: not-allowed; }
+
+/* ── Toggle ── */
+.auth-toggle {
+  font-size: 0.75rem;
+  color: var(--text-2);
+  margin: 0;
+}
+
+.auth-toggle-btn {
+  background: none;
+  border: none;
+  color: var(--pulse);
+  font-size: 0.75rem;
+  cursor: pointer;
+  padding: 0;
+  text-decoration: underline;
+  text-underline-offset: 2px;
+}
+
+.auth-toggle-btn:hover { opacity: 0.8; }

frontend/src/components/AuthScreen.jsx

@@ -0,0 +1,117 @@
+import { useState } from 'react';
+import './AuthScreen.css';
+
+function AuthScreen({ onAuth }) {
+  const [mode,     setMode]     = useState('login');  // 'login' | 'register'
+  const [username, setUsername] = useState('');
+  const [password, setPassword] = useState('');
+  const [error,    setError]    = useState('');
+  const [loading,  setLoading]  = useState(false);
+
+  const handleSubmit = async (e) => {
+    e.preventDefault();
+    setError('');
+    setLoading(true);
+
+    try {
+      const res  = await fetch(`/api/v1/auth/${mode}`, {
+        method:  'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body:    JSON.stringify({ username: username.trim(), password }),
+      });
+      const data = await res.json();
+
+      if (!res.ok) {
+        // FastAPI validation errors come back as { detail: [...] }
+        const msg = Array.isArray(data.detail)
+          ? data.detail[0]?.msg ?? 'Invalid input'
+          : data.detail ?? 'Something went wrong';
+        setError(msg);
+        return;
+      }
+
+      localStorage.setItem('soma_token',    data.access_token);
+      localStorage.setItem('soma_username', data.username);
+      onAuth(data.username);
+    } catch {
+      setError('Could not reach the server. Is it running?');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <div className="auth-overlay">
+      <div className="auth-card">
+
+        {/* Logo */}
+        <div className="auth-logo">
+          <div className="auth-orb">
+            <div className="auth-orb-ring r1" />
+            <div className="auth-orb-ring r2" />
+            <div className="auth-orb-ring r3" />
+            <div className="auth-orb-core" />
+          </div>
+          <span className="auth-logo-name">SOMA</span>
+        </div>
+
+        <h1 className="auth-title">
+          {mode === 'login' ? 'Welcome back' : 'Create your brain'}
+        </h1>
+        <p className="auth-sub">
+          {mode === 'login'
+            ? 'Sign in to access your personal neural space.'
+            : 'Your conversations, memories, and knowledge graph — private to you.'}
+        </p>
+
+        <form className="auth-form" onSubmit={handleSubmit}>
+          <div className="auth-field">
+            <label className="auth-label">Username</label>
+            <input
+              className="auth-input"
+              type="text"
+              value={username}
+              onChange={e => setUsername(e.target.value)}
+              placeholder="e.g. komal"
+              autoFocus
+              autoComplete="username"
+              required
+            />
+          </div>
+
+          <div className="auth-field">
+            <label className="auth-label">Password</label>
+            <input
+              className="auth-input"
+              type="password"
+              value={password}
+              onChange={e => setPassword(e.target.value)}
+              placeholder="Min. 6 characters"
+              autoComplete={mode === 'login' ? 'current-password' : 'new-password'}
+              required
+            />
+          </div>
+
+          {error && <p className="auth-error">{error}</p>}
+
+          <button className="auth-submit" type="submit" disabled={loading}>
+            {loading ? 'Please wait…' : mode === 'login' ? 'Sign In' : 'Create Account'}
+          </button>
+        </form>
+
+        <p className="auth-toggle">
+          {mode === 'login' ? "Don't have an account? " : 'Already have an account? '}
+          <button
+            className="auth-toggle-btn"
+            onClick={() => { setMode(m => m === 'login' ? 'register' : 'login'); setError(''); }}
+          >
+            {mode === 'login' ? 'Sign Up' : 'Sign In'}
+          </button>
+        </p>
+
+      </div>
+    </div>
+  );
+}
+
+export default AuthScreen;

requirements.txt

@@ -1,5 +1,7 @@
 fastapi
 uvicorn
+python-jose[cryptography]
+passlib[bcrypt]
 langgraph
 langchain
 langchain-groq