feat: Enhance admin rules with file upload, drag-and-drop, chunk processing, and improved UI

RULES_EXAMPLES.md

@@ -0,0 +1,266 @@
+# Admin Rules Examples for IntegraChat
+
+This document provides examples of rules you can use with the IntegraChat admin rules system.
+
+## Quick Start
+
+1. **Simple Rules** - Copy from `example_rules.txt` and paste into Gradio UI
+2. **Detailed Rules** - Use `example_rules_detailed.json` for rules with patterns and severity
+3. **API** - Use the `/admin/rules` or `/admin/rules/bulk` endpoints
+
+## Rule Categories
+
+### 🔴 Critical Severity Rules
+
+These rules block the most sensitive information:
+
+```
+Block password disclosure requests
+Prevent sharing of API keys or tokens
+No sharing of credit card information
+Block requests for bank account details
+Prevent sharing of health information
+No disclosure of children's personal information
+```
+
+### 🟠 High Severity Rules
+
+Important security and compliance rules:
+
+```
+Block social security number requests
+Prevent disclosure of proprietary information
+No unauthorized access to financial records
+Block requests to delete system logs
+Prevent unauthorized system configuration changes
+No sharing of infrastructure credentials
+```
+
+### 🟡 Medium Severity Rules
+
+Operational and compliance rules:
+
+```
+Block requests for employee personal information
+Prevent sharing of customer data without authorization
+Block requests for confidential business strategies
+Prevent disclosure of personal data of EU citizens
+Block requests for generating harmful content
+Prevent creation of misleading information
+```
+
+### 🟢 Low Severity Rules
+
+General business rules:
+
+```
+Block requests for competitor pricing information
+Prevent sharing of upcoming product launch details
+No disclosure of vendor contract terms
+Block requests for customer churn analysis data
+```
+
+## Using Rules with Patterns
+
+For more precise matching, you can specify regex patterns:
+
+### Example 1: Password Detection
+```json
+{
+  "rule": "Block password disclosure requests",
+  "pattern": ".*(password|pwd|passcode|credential|login).*",
+  "severity": "high",
+  "description": "Prevents users from requesting or sharing passwords"
+}
+```
+
+### Example 2: API Key Detection
+```json
+{
+  "rule": "Prevent sharing of API keys or tokens",
+  "pattern": ".*(api.?key|token|secret|access.?key|auth.?token).*",
+  "severity": "critical",
+  "description": "Blocks requests to share API keys or tokens"
+}
+```
+
+### Example 3: Credit Card Detection
+```json
+{
+  "rule": "No sharing of credit card information",
+  "pattern": ".*(credit.?card|card.?number|cvv|cvc|expiration).*",
+  "severity": "critical",
+  "description": "Blocks credit card information sharing"
+}
+```
+
+## Adding Rules
+
+### Method 1: Via Gradio UI (Easiest)
+
+1. Open the IntegraChat Gradio interface
+2. Go to "Admin Rules & Compliance" tab
+3. Enter your tenant ID
+4. Paste rules from `example_rules.txt` (one per line)
+5. Click "Upload / Append Rules"
+
+### Method 2: Via API (Programmatic)
+
+**Single Rule:**
+```bash
+curl -X POST http://localhost:8000/admin/rules \
+  -H "Content-Type: application/json" \
+  -H "x-tenant-id: your_tenant_id" \
+  -d '{
+    "rule": "Block password disclosure requests",
+    "pattern": ".*(password|pwd|passcode).*",
+    "severity": "high",
+    "description": "Prevents password sharing"
+  }'
+```
+
+**Bulk Rules:**
+```bash
+curl -X POST http://localhost:8000/admin/rules/bulk \
+  -H "Content-Type: application/json" \
+  -H "x-tenant-id: your_tenant_id" \
+  -d '{
+    "rules": [
+      "Block password disclosure requests",
+      "Prevent sharing of API keys",
+      "No sharing of credit card information"
+    ]
+  }'
+```
+
+### Method 3: Using Python
+
+```python
+import requests
+
+BASE_URL = "http://localhost:8000"
+TENANT_ID = "your_tenant_id"
+
+# Add single rule
+response = requests.post(
+    f"{BASE_URL}/admin/rules",
+    json={
+        "rule": "Block password disclosure requests",
+        "pattern": ".*(password|pwd).*",
+        "severity": "high"
+    },
+    headers={"x-tenant-id": TENANT_ID}
+)
+
+# Add bulk rules
+response = requests.post(
+    f"{BASE_URL}/admin/rules/bulk",
+    json={
+        "rules": [
+            "Block password disclosure requests",
+            "Prevent sharing of API keys"
+        ]
+    },
+    headers={"x-tenant-id": TENANT_ID}
+)
+```
+
+## Rule Enhancement
+
+When you add rules, the LLM will automatically:
+- ✅ Identify edge cases (e.g., "password" → also catches "pwd", "passcode")
+- ✅ Improve regex patterns for better matching
+- ✅ Suggest appropriate severity levels
+- ✅ Write clear descriptions
+
+**Example:**
+- **Input:** `Block password queries`
+- **Enhanced:** 
+  - Pattern: `.*password.*|.*pwd.*|.*passcode.*`
+  - Severity: `high`
+  - Edge cases: ["pwd", "passcode", "login credentials"]
+
+## Testing Rules
+
+After adding rules, test them by asking questions that should be blocked:
+
+```
+❌ "What is the admin password?"
+❌ "Can you share the API key?"
+❌ "Show me credit card numbers"
+❌ "What's the SSN for user 123?"
+
+✅ "How do I reset my password?" (if rule allows)
+✅ "What is password hashing?" (educational, not disclosure)
+```
+
+## Best Practices
+
+1. **Start Simple** - Begin with basic rules, then add patterns
+2. **Test Thoroughly** - Test rules with various phrasings
+3. **Review Edge Cases** - Check if rules block legitimate queries
+4. **Use Appropriate Severity** - Match severity to risk level
+5. **Regular Updates** - Review and update rules periodically
+6. **Document Patterns** - Add descriptions explaining what each rule blocks
+
+## Common Patterns
+
+### Password Detection
+```
+.*(password|pwd|passcode|credential|login|auth).*
+```
+
+### Financial Information
+```
+.*(credit.?card|card.?number|cvv|bank.?account|routing).*
+```
+
+### Personal Information
+```
+.*(ssn|social.?security|tax.?id|personal.?data|pii).*
+```
+
+### API/Security
+```
+.*(api.?key|token|secret|access.?key|auth.?token).*
+```
+
+### Health Information
+```
+.*(health|medical|patient|hipaa|diagnosis).*
+```
+
+## Viewing Rules
+
+```bash
+# Get all rules
+curl http://localhost:8000/admin/rules \
+  -H "x-tenant-id: your_tenant_id"
+
+# Get detailed rules with patterns
+curl "http://localhost:8000/admin/rules?detailed=true" \
+  -H "x-tenant-id: your_tenant_id"
+```
+
+## Deleting Rules
+
+```bash
+curl -X DELETE http://localhost:8000/admin/rules/Block%20password%20disclosure%20requests \
+  -H "x-tenant-id: your_tenant_id"
+```
+
+## Monitoring Violations
+
+```bash
+# Get recent violations
+curl http://localhost:8000/admin/violations \
+  -H "x-tenant-id: your_tenant_id"
+```
+
+## Need Help?
+
+- Check `example_rules.txt` for simple rule examples
+- See `example_rules_detailed.json` for advanced patterns
+- Review the API documentation in `README.md`
+- Test rules in the Gradio UI before deploying
+

SUPABASE_SETUP.md

@@ -0,0 +1,122 @@
+# Supabase Setup for Admin Rules
+
+This guide will help you set up Supabase to store admin rules instead of SQLite.
+
+## Step 1: Create the Table in Supabase
+
+1. **Go to your Supabase Dashboard**
+   - Navigate to: https://app.supabase.com
+   - Select your project
+
+2. **Open SQL Editor**
+   - Click on "SQL Editor" in the left sidebar
+   - Click "New query"
+
+3. **Run the SQL Script**
+   - Copy the contents of `supabase_admin_rules_table.sql`
+   - Paste it into the SQL Editor
+   - Click "Run" to execute
+
+   This will create:
+   - `admin_rules` table with all necessary columns
+   - Indexes for performance
+   - Row Level Security (RLS) policies
+   - Automatic timestamp updates
+
+## Step 2: Configure Environment Variables
+
+Make sure your `.env` file has Supabase credentials:
+
+```env
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_SERVICE_KEY=your_service_role_key_here
+```
+
+**Important:** Use the **Service Role Key** (not the anon key) for full access.
+
+To find your keys:
+1. Go to Supabase Dashboard → Settings → API
+2. Copy the "Project URL" → `SUPABASE_URL`
+3. Copy the "service_role" key → `SUPABASE_SERVICE_KEY`
+
+## Step 3: Verify Setup
+
+The `RulesStore` will automatically use Supabase if:
+- `SUPABASE_URL` is set
+- `SUPABASE_SERVICE_KEY` is set
+- Supabase Python client is installed (`pip install supabase`)
+
+If Supabase is not configured, it will fall back to SQLite automatically.
+
+## Step 4: Test the Integration
+
+You can test if rules are being saved to Supabase:
+
+```python
+from backend.api.storage.rules_store import RulesStore
+
+store = RulesStore()
+print(f"Using Supabase: {store.use_supabase}")
+
+# Add a test rule
+store.add_rule("test_tenant", "Test rule", severity="high")
+print("Rule added!")
+
+# Get rules
+rules = store.get_rules("test_tenant")
+print(f"Rules: {rules}")
+```
+
+## Step 5: View Rules in Supabase
+
+1. Go to Supabase Dashboard → Table Editor
+2. Select the `admin_rules` table
+3. You should see all your rules with tenant isolation
+
+## Migration from SQLite
+
+If you have existing rules in SQLite and want to migrate:
+
+1. Export from SQLite:
+   ```python
+   import sqlite3
+   conn = sqlite3.connect('data/admin_rules.db')
+   cursor = conn.execute("SELECT * FROM admin_rules")
+   rules = cursor.fetchall()
+   ```
+
+2. Import to Supabase:
+   ```python
+   from backend.api.storage.rules_store import RulesStore
+   store = RulesStore(use_supabase=True)
+   for rule in rules:
+       store.add_rule(rule['tenant_id'], rule['rule'], 
+                     pattern=rule.get('pattern'),
+                     severity=rule.get('severity', 'medium'))
+   ```
+
+## Troubleshooting
+
+### Rules not appearing in Supabase
+- Check that RLS policies allow your service role to read/write
+- Verify environment variables are set correctly
+- Check Supabase logs for errors
+
+### Fallback to SQLite
+- If Supabase credentials are missing, it automatically uses SQLite
+- Check your `.env` file has correct values
+- Restart your FastAPI server after changing `.env`
+
+### Permission Errors
+- Make sure you're using the **service_role** key (not anon key)
+- Check RLS policies in Supabase allow service role access
+
+## Benefits of Using Supabase
+
+✅ **Scalability** - Handle millions of rules  
+✅ **Multi-region** - Global availability  
+✅ **Backups** - Automatic backups  
+✅ **Real-time** - Can subscribe to changes  
+✅ **Security** - Row Level Security built-in  
+✅ **Analytics** - Built-in query performance monitoring  
+

app.py

@@ -19,28 +19,34 @@ BACKEND_BASE_URL = os.getenv("BACKEND_BASE_URL", "http://localhost:8000")
 def chat_with_agent(message, tenant_id, history):
     """
     Send a message to the backend MCP agent and return the response.
+    Uses streaming for real-time word-by-word updates.
     
     Args:
         message: User's message text
         tenant_id: Tenant ID for multi-tenant isolation
         history: Chat history (Gradio messages format)
     
-    Returns:
-        Updated chat history with agent response
+    Yields:
+        Updated chat history with agent response (streaming)
     """
     if not message or not message.strip():
-        return history
+        yield history
+        return
     
     if not tenant_id or not tenant_id.strip():
         error_msg = "Please enter a Tenant ID before sending a message."
         history.append({"role": "user", "content": message})
         history.append({"role": "assistant", "content": error_msg})
-        return history
+        yield history
+        return
     
-    # Backend API endpoint
-    backend_url = f"{BACKEND_BASE_URL}/agent/message"
+    # Add user message to history
+    history.append({"role": "user", "content": message})
     
-    # Prepare request payload (matching backend API format)
+    # Backend streaming endpoint
+    backend_url = f"{BACKEND_BASE_URL}/agent/message/stream"
+    
+    # Prepare request payload
     payload = {
         "tenant_id": tenant_id.strip(),
         "message": message,
@@ -49,55 +55,91 @@ def chat_with_agent(message, tenant_id, history):
         "temperature": 0.0
     }
     
-    # Prepare headers
-    headers = {
-        "Content-Type": "application/json"
-    }
-    
     try:
-        # Send POST request to backend
-        # Increased timeout to 120 seconds for complex agent operations
-        # (RAG search, web search, LLM calls can take time)
+        # Make streaming request
         response = requests.post(
             backend_url,
             json=payload,
-            headers=headers,
+            headers={"Content-Type": "application/json"},
+            stream=True,
             timeout=120
         )
         
-        # Check if request was successful
         if response.status_code == 200:
-            response_data = response.json()
-            # Backend returns response in "text" field
-            agent_response = response_data.get("text", "No response received from agent.")
-            history.append({"role": "user", "content": message})
-            history.append({"role": "assistant", "content": agent_response})
+            # Initialize assistant message
+            assistant_message = ""
+            history.append({"role": "assistant", "content": assistant_message})
+            yield history  # Yield initial empty message
+            
+            # Stream tokens - use iter_lines for SSE format
+            for line_bytes in response.iter_lines():
+                if line_bytes:
+                    try:
+                        line = line_bytes.decode('utf-8').strip()
+                        if not line:
+                            continue
+                            
+                        if line.startswith('data: '):
+                            data_str = line[6:]  # Remove 'data: ' prefix
+                            try:
+                                data = json.loads(data_str)
+                                
+                                # Handle status messages
+                                if 'status' in data:
+                                    status_msg = data.get('message', '')
+                                    if status_msg:
+                                        # Show status in the message temporarily
+                                        history[-1] = {"role": "assistant", "content": f"⏳ {status_msg}"}
+                                        yield history
+                                    continue
+                                
+                                # Handle tokens
+                                token = data.get('token', '')
+                                if token:
+                                    assistant_message += token
+                                    # Update the last message in history
+                                    history[-1] = {"role": "assistant", "content": assistant_message}
+                                    yield history  # Yield updated history immediately
+                                
+                                if data.get('done', False):
+                                    break
+                            except json.JSONDecodeError:
+                                continue
+                        elif line.startswith('error:'):
+                            try:
+                                error_data = json.loads(line[6:])
+                                error_msg = error_data.get('error', 'Unknown error')
+                                history[-1] = {"role": "assistant", "content": f"❌ Error: {error_msg}"}
+                                yield history
+                                break
+                            except:
+                                pass
+                    except UnicodeDecodeError:
+                        continue
         else:
             error_msg = f"Error {response.status_code}: {response.text}"
-            history.append({"role": "user", "content": message})
             history.append({"role": "assistant", "content": error_msg})
+            yield history
     
     except requests.exceptions.ConnectionError:
         error_msg = "❌ Connection Error: Could not connect to backend. Please ensure the FastAPI server is running at http://localhost:8000"
-        history.append({"role": "user", "content": message})
         history.append({"role": "assistant", "content": error_msg})
+        yield history
     
     except requests.exceptions.Timeout:
         error_msg = "⏱️ Request Timeout: The backend took longer than 2 minutes to respond. This may happen if:\n- The LLM is processing a complex query\n- Multiple tools (RAG, Web Search) are being used\n- The backend is under heavy load\n\nPlease try again with a simpler query, or check if the backend services (Ollama, MCP servers) are running properly."
-        history.append({"role": "user", "content": message})
         history.append({"role": "assistant", "content": error_msg})
+        yield history
     
     except requests.exceptions.RequestException as e:
         error_msg = f"❌ Request Error: {str(e)}"
-        history.append({"role": "user", "content": message})
         history.append({"role": "assistant", "content": error_msg})
+        yield history
     
     except Exception as e:
         error_msg = f"❌ Unexpected Error: {str(e)}"
-        history.append({"role": "user", "content": message})
         history.append({"role": "assistant", "content": error_msg})
-    
-    return history
+        yield history
 
 
 def ingest_document(
@@ -229,6 +271,70 @@ def fetch_admin_rules(tenant_id: str) -> tuple[str, list[list]]:
         return f"❌ Unexpected error: {exc}", []
 
 
+def extract_rules_from_file(file_path) -> str:
+    """
+    Extract rules from uploaded file (TXT, PDF, DOC, DOCX).
+    Returns the extracted text content.
+    """
+    if file_path is None:
+        return ""
+    
+    try:
+        # Gradio File component returns file path as string
+        if isinstance(file_path, str):
+            file_path = Path(file_path)
+        else:
+            # Sometimes it's a file object with .name attribute
+            file_path = Path(file_path.name if hasattr(file_path, 'name') else file_path)
+        
+        if not file_path.exists():
+            return f"❌ File not found: {file_path}"
+        
+        file_ext = file_path.suffix.lower()
+        
+        # Read file based on type
+        if file_ext == '.txt' or file_ext == '.md':
+            # Plain text files
+            with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
+                content = f.read()
+            return content
+        
+        elif file_ext == '.pdf':
+            # PDF files - use PyPDF2
+            try:
+                import PyPDF2
+                with open(file_path, 'rb') as f:
+                    pdf_reader = PyPDF2.PdfReader(f)
+                    content = []
+                    for page in pdf_reader.pages:
+                        content.append(page.extract_text())
+                    return '\n'.join(content)
+            except ImportError:
+                return "❌ PDF extraction requires PyPDF2. Install with: pip install PyPDF2"
+            except Exception as e:
+                return f"❌ Failed to extract text from PDF: {str(e)}"
+        
+        elif file_ext in ['.doc', '.docx']:
+            # DOC/DOCX files - use python-docx
+            try:
+                from docx import Document
+                doc = Document(file_path)
+                content = []
+                for paragraph in doc.paragraphs:
+                    content.append(paragraph.text)
+                return '\n'.join(content)
+            except ImportError:
+                return "❌ DOCX extraction requires python-docx. Install with: pip install python-docx"
+            except Exception as e:
+                return f"❌ Failed to extract text from DOCX: {str(e)}"
+        
+        else:
+            return f"❌ Unsupported file type: {file_ext}. Supported: .txt, .pdf, .doc, .docx"
+    
+    except Exception as e:
+        return f"❌ Error reading file: {str(e)}"
+
+
 def add_admin_rules(tenant_id: str, rules_text: str) -> str:
     if not tenant_id or not tenant_id.strip():
         return "❗ Tenant ID is required."
@@ -236,32 +342,88 @@ def add_admin_rules(tenant_id: str, rules_text: str) -> str:
         return "❗ Provide at least one rule to upload."
 
     tenant_id = tenant_id.strip()
-    rules = [rule.strip() for rule in rules_text.splitlines() if rule.strip()]
+    # Filter out comment lines (starting with #) and empty lines
+    rules = [
+        rule.strip() 
+        for rule in rules_text.splitlines() 
+        if rule.strip() and not rule.strip().startswith("#")
+    ]
     if not rules:
-        return "❗ No valid rules detected."
+        return "❗ No valid rules detected. (Comment lines starting with # are ignored)"
 
     added = []
+    enhanced = []
     errors = []
-    for rule in rules:
+    
+    # Process rules in chunks to avoid timeout
+    CHUNK_SIZE = 5  # Process 5 rules at a time
+    total_rules = len(rules)
+    
+    if total_rules == 1:
+        # Single rule - use regular endpoint
         try:
             resp = requests.post(
                 f"{BACKEND_BASE_URL}/admin/rules",
-                params={"rule": rule},
+                params={"rule": rules[0], "enhance": "true"},
                 headers={"x-tenant-id": tenant_id},
-                timeout=15
+                timeout=30
             )
             if resp.status_code == 200:
-                added.append(rule)
+                data = resp.json()
+                added.append(data.get("added_rule", rules[0]))
+                if data.get("enhanced"):
+                    edge_cases = data.get("edge_cases", [])
+                    improvements = data.get("improvements", [])
+                    if edge_cases or improvements:
+                        enhanced.append(f"**{data.get('added_rule', rules[0])}**:")
+                        if improvements:
+                            enhanced.append(f"  • Improvements: {', '.join(improvements[:3])}")
+                        if edge_cases:
+                            enhanced.append(f"  • Edge cases identified: {len(edge_cases)}")
             else:
-                errors.append(f"{rule} -> {resp.status_code}: {resp.text}")
+                errors.append(f"{rules[0]} -> {resp.status_code}: {resp.text}")
         except Exception as exc:
-            errors.append(f"{rule} -> {exc}")
+            errors.append(f"{rules[0]} -> {exc}")
+    else:
+        # Multiple rules - process in chunks
+        for i in range(0, total_rules, CHUNK_SIZE):
+            chunk = rules[i:i + CHUNK_SIZE]
+            chunk_num = (i // CHUNK_SIZE) + 1
+            total_chunks = (total_rules + CHUNK_SIZE - 1) // CHUNK_SIZE
+            
+            try:
+                resp = requests.post(
+                    f"{BACKEND_BASE_URL}/admin/rules/bulk",
+                    json={"rules": chunk},
+                    headers={"x-tenant-id": tenant_id},
+                    params={"enhance": "true"},
+                    timeout=45  # Timeout per chunk (5 rules)
+                )
+                if resp.status_code == 200:
+                    data = resp.json()
+                    chunk_added = data.get("added_rules", [])
+                    added.extend(chunk_added)
+                    if data.get("enhanced"):
+                        chunk_enhanced = data.get("enhancement_summary", [])
+                        enhanced.extend([f"[Chunk {chunk_num}/{total_chunks}] {e}" for e in chunk_enhanced])
+                else:
+                    errors.append(f"Chunk {chunk_num}/{total_chunks} failed: {resp.status_code}: {resp.text}")
+            except requests.exceptions.Timeout:
+                errors.append(f"Chunk {chunk_num}/{total_chunks} timed out after 45s")
+            except Exception as exc:
+                errors.append(f"Chunk {chunk_num}/{total_chunks} error: {exc}")
 
     summary = []
     if added:
-        summary.append(f"✅ Added {len(added)} rule(s):\n" + "\n".join([f"- {r}" for r in added]))
+        summary.append(f"✅ Added {len(added)}/{total_rules} rule(s):\n" + "\n".join([f"- {r}" for r in added[:10]]))
+        if len(added) > 10:
+            summary.append(f"... and {len(added) - 10} more")
+    if enhanced:
+        summary.append(f"\n🤖 LLM Enhancement Applied:\n" + "\n".join(enhanced[:5]))
+        if len(enhanced) > 5:
+            summary.append(f"... and {len(enhanced) - 5} more enhancements")
     if errors:
-        summary.append("⚠️ Errors:\n" + "\n".join(errors))
+        summary.append("\n⚠️ Errors:\n" + "\n".join(errors))
 
     return "\n\n".join(summary) if summary else "No rules were added."
 
@@ -292,6 +454,34 @@ def delete_admin_rule(tenant_id: str, rule: str) -> str:
         return f"❌ Unexpected error: {exc}"
 
 
+def add_rules_from_file(tenant_id: str, file_path):
+    """
+    Extract rules from uploaded file and add them.
+    """
+    if not tenant_id or not tenant_id.strip():
+        return "❗ Tenant ID is required.", "👉 Click **Refresh Rules** to see existing entries.", []
+    
+    if file_path is None:
+        return "❗ Please select a file to upload.", "👉 Click **Refresh Rules** to see existing entries.", []
+    
+    # Extract text from file
+    extracted_text = extract_rules_from_file(file_path)
+    
+    if extracted_text.startswith("❌"):
+        # Error occurred during extraction
+        summary, rows = fetch_admin_rules(tenant_id)
+        return extracted_text, summary, rows
+    
+    if not extracted_text or not extracted_text.strip():
+        summary, rows = fetch_admin_rules(tenant_id)
+        return "❗ No text could be extracted from the file.", summary, rows
+    
+    # Add rules from extracted text
+    status = add_admin_rules(tenant_id, extracted_text)
+    summary, rows = fetch_admin_rules(tenant_id)
+    return status, summary, rows
+
+
 def add_rules_and_refresh(tenant_id: str, rules_text: str):
     status = add_admin_rules(tenant_id, rules_text)
     summary, rows = fetch_admin_rules(tenant_id)
@@ -951,10 +1141,20 @@ with gr.Blocks(
                         """
                     )
             
-            # Event handlers for chat tab
+            # Event handlers for chat tab with streaming
             def send_message(message, tenant_id, history):
-                updated_history = chat_with_agent(message, tenant_id, history)
-                return updated_history, ""  # Clear message input after sending
+                # Clear message input immediately
+                message_input_value = ""
+                # Use streaming function which yields updates
+                # Gradio will automatically handle the generator and update UI in real-time
+                try:
+                    for updated_history in chat_with_agent(message, tenant_id, history):
+                        yield updated_history, message_input_value
+                except Exception as e:
+                    # Fallback if streaming fails
+                    error_msg = f"Streaming error: {str(e)}"
+                    history.append({"role": "assistant", "content": error_msg})
+                    yield history, message_input_value
             
             send_button.click(
                 fn=send_message,
@@ -1414,9 +1614,15 @@ with gr.Blocks(
                 ### 🛡️ Admin Rules & Regulations
                 Upload or manage tenant-specific governance rules (red-flag patterns, compliance policies, etc.).
                 
-                - Enter one rule per line to upload multiple at once.
-                - Use the delete box to remove an exact rule.
-                - Refresh anytime to view the latest rule set.
+                **Upload Methods:**
+                - **Text Input:** Enter one rule per line in the text box
+                - **File Upload:** Upload rules from TXT, PDF, DOC, or DOCX files
+                
+                **Features:**
+                - Rules are automatically enhanced by LLM (identifies edge cases, improves patterns)
+                - Comment lines (starting with #) are automatically ignored
+                - Use the delete box to remove an exact rule
+                - Refresh anytime to view the latest rule set
                 """
             )
             
@@ -1433,12 +1639,23 @@ with gr.Blocks(
                 refresh_rules_button = gr.Button("Refresh Rules", variant="secondary")
                 gr.Markdown("")
             
-            rules_input = gr.Textbox(
-                label="Rules / Regulations",
-                placeholder="Enter one rule per line...",
-                lines=6
-            )
-            upload_rules_button = gr.Button("Upload / Append Rules", variant="primary")
+            with gr.Row():
+                with gr.Column(scale=1):
+                    rules_input = gr.Textbox(
+                        label="Rules / Regulations (Text Input)",
+                        placeholder="Enter one rule per line...",
+                        lines=6
+                    )
+                    upload_rules_button = gr.Button("Upload / Append Rules", variant="primary")
+                
+                with gr.Column(scale=1):
+                    gr.Markdown("**OR**")
+                    rules_file_upload = gr.File(
+                        label="Upload Rules File",
+                        file_types=[".txt", ".pdf", ".doc", ".docx"],
+                        type="filepath"
+                    )
+                    upload_file_button = gr.Button("Upload Rules from File", variant="primary")
             
             delete_rule_input = gr.Textbox(
                 label="Delete Rule",
@@ -1458,6 +1675,12 @@ with gr.Blocks(
                 outputs=[rules_status, rules_summary, rules_table]
             )
             
+            upload_file_button.click(
+                fn=add_rules_from_file,
+                inputs=[tenant_id_input, rules_file_upload],
+                outputs=[rules_status, rules_summary, rules_table]
+            )
+            
             delete_rule_button.click(
                 fn=delete_rule_and_refresh,
                 inputs=[tenant_id_input, delete_rule_input],

backend/api/routes/admin.py

@@ -1,15 +1,19 @@
-from fastapi import APIRouter, Header, HTTPException, Query
+from fastapi import APIRouter, Header, HTTPException, Query, UploadFile, File
 from pydantic import BaseModel
 from typing import List, Optional, Dict, Any
 from datetime import datetime, timedelta
 
 from backend.api.storage.rules_store import RulesStore
 from backend.api.storage.analytics_store import AnalyticsStore
+from backend.api.services.rule_enhancer import RuleEnhancer
+from backend.api.services.document_ingestion import extract_text_from_file_bytes
 
 router = APIRouter()
 
-rules_store = RulesStore()
+# Initialize stores (table creation disabled by default to avoid blocking startup)
+rules_store = RulesStore(auto_create_table=False)
 analytics_store = AnalyticsStore()
+rule_enhancer = RuleEnhancer()
 
 
 class RulePayload(BaseModel):
@@ -61,10 +65,17 @@ async def get_redflag_rules(
 async def add_redflag_rule(
     payload: Optional[RulePayload] = None,
     rule: Optional[str] = None,
-    x_tenant_id: str = Header(None)
+    x_tenant_id: str = Header(None),
+    enhance: bool = Query(True, description="Use LLM to enhance the rule before saving")
 ):
     """
-    Adds a new red-flag rule to this tenant with optional regex pattern and severity.
+    Adds a new red-flag rule to this tenant.
+    
+    Flow:
+    1. Fetch existing rules for context
+    2. Use LLM to analyze and enhance the rule (identify edge cases, improve pattern)
+    3. Save enhanced rule to database
+    
     Accepts either JSON body or query parameter ?rule=...
     JSON body supports: rule, pattern (regex), severity (low/medium/high/critical), description, enabled
     """
@@ -80,32 +91,76 @@ async def add_redflag_rule(
     if not rule_value:
         raise HTTPException(status_code=400, detail="Rule cannot be empty")
 
-    # Extract optional parameters if payload provided
-    pattern = payload.pattern if payload else None
-    severity = payload.severity if payload else "medium"
-    description = payload.description if payload else None
-    enabled = payload.enabled if payload else True
+    # Step 1: Get existing rules for context
+    existing_rules = rules_store.get_rules(x_tenant_id)
+    
+    # Step 2: Enhance rule using LLM (if enhance=True and LLM available)
+    enhanced_data = None
+    if enhance:
+        try:
+            enhanced_data = await rule_enhancer.enhance_rule(
+                rule_value,
+                existing_rules=existing_rules if existing_rules else None,
+                context=payload.description if payload and payload.description else None
+            )
+        except Exception as e:
+            # If enhancement fails, continue with original rule
+            print(f"Rule enhancement failed: {e}, using original rule")
+            enhanced_data = None
+    
+    # Step 3: Use enhanced data if available, otherwise use provided values
+    if enhanced_data:
+        final_rule = enhanced_data["rule"]
+        final_pattern = enhanced_data["pattern"]
+        final_severity = enhanced_data["severity"]
+        final_description = enhanced_data["description"]
+        edge_cases = enhanced_data.get("edge_cases", [])
+        improvements = enhanced_data.get("improvements", [])
+    else:
+        # Use provided values or defaults
+        final_rule = rule_value
+        final_pattern = payload.pattern if payload else None
+        final_severity = payload.severity if payload else "medium"
+        final_description = payload.description if payload else None
+        edge_cases = []
+        improvements = []
+    
+    # Override with explicit values if provided (user has final say)
+    if payload:
+        if payload.pattern:
+            final_pattern = payload.pattern
+        if payload.severity:
+            final_severity = payload.severity
+        if payload.description:
+            final_description = payload.description
     
     # Validate severity
-    if severity not in ["low", "medium", "high", "critical"]:
-        severity = "medium"
+    if final_severity not in ["low", "medium", "high", "critical"]:
+        final_severity = "medium"
+    
+    enabled = payload.enabled if payload else True
 
+    # Step 4: Save to database
     rules_store.add_rule(
         x_tenant_id,
-        rule_value,
-        pattern=pattern,
-        severity=severity,
-        description=description,
+        final_rule,
+        pattern=final_pattern,
+        severity=final_severity,
+        description=final_description,
         enabled=enabled
     )
     rules = get_rules_for_tenant(x_tenant_id)
 
     return {
         "tenant_id": x_tenant_id,
-        "added_rule": rule_value,
-        "pattern": pattern or rule_value,
-        "severity": severity,
-        "description": description or rule_value,
+        "original_rule": rule_value,
+        "added_rule": final_rule,
+        "pattern": final_pattern or final_rule,
+        "severity": final_severity,
+        "description": final_description or final_rule,
+        "enhanced": enhanced_data is not None,
+        "edge_cases": edge_cases,
+        "improvements": improvements,
         "rules": rules
     }
 
@@ -113,10 +168,16 @@ async def add_redflag_rule(
 @router.post("/rules/bulk")
 async def add_redflag_rules_bulk(
     payload: BulkRulePayload,
-    x_tenant_id: str = Header(None)
+    x_tenant_id: str = Header(None),
+    enhance: bool = Query(True, description="Use LLM to enhance rules before saving")
 ):
     """
     Adds multiple rules in one call.
+    
+    Flow:
+    1. Fetch existing rules for context
+    2. Use LLM to enhance each rule (identify edge cases, improve patterns)
+    3. Save enhanced rules to database
     """
     if not x_tenant_id:
         raise HTTPException(status_code=400, detail="Missing tenant ID")
@@ -124,13 +185,85 @@ async def add_redflag_rules_bulk(
     if not payload.rules:
         raise HTTPException(status_code=400, detail="No rules provided")
 
-    cleaned = [rule.strip() for rule in payload.rules if rule.strip()]
-    added = rules_store.add_rules_bulk(x_tenant_id, cleaned)
+    # Filter out comment lines (starting with #) and empty lines
+    cleaned = [
+        rule.strip() 
+        for rule in payload.rules 
+        if rule.strip() and not rule.strip().startswith("#")
+    ]
+    
+    # Step 1: Get existing rules for context
+    existing_rules = rules_store.get_rules(x_tenant_id)
+    
+    # Step 2: Enhance rules using LLM (with chunk protection)
+    enhanced_rules_data = []
+    if enhance:
+        try:
+            # Process rules in chunks to avoid timeout
+            # Frontend already chunks to 5, but backend adds extra safety
+            CHUNK_SIZE = 5
+            for i in range(0, len(cleaned), CHUNK_SIZE):
+                chunk = cleaned[i:i + CHUNK_SIZE]
+                try:
+                    chunk_enhanced = await rule_enhancer.enhance_rules_bulk(
+                        chunk,
+                        existing_rules=existing_rules if existing_rules else None
+                    )
+                    enhanced_rules_data.extend(chunk_enhanced)
+                except Exception as e:
+                    print(f"Chunk {i//CHUNK_SIZE + 1} enhancement failed: {e}")
+                    # Add fallback rules for this chunk
+                    for rule in chunk:
+                        enhanced_rules_data.append({
+                            "rule": rule,
+                            "pattern": rule,
+                            "description": rule,
+                            "severity": "medium",
+                            "edge_cases": [],
+                            "improvements": ["Enhancement failed for this chunk"],
+                            "keywords": []
+                        })
+        except Exception as e:
+            print(f"Bulk rule enhancement failed: {e}, using original rules")
+            enhanced_rules_data = []
+    
+    # Step 3: Save enhanced rules to database
+    added = []
+    enhancement_summary = []
+    
+    for i, rule in enumerate(cleaned):
+        try:
+            if enhanced_rules_data and i < len(enhanced_rules_data):
+                enhanced = enhanced_rules_data[i]
+                success = rules_store.add_rule(
+                    x_tenant_id,
+                    enhanced["rule"],
+                    pattern=enhanced["pattern"],
+                    severity=enhanced["severity"],
+                    description=enhanced["description"],
+                    enabled=True
+                )
+                if success:
+                    added.append(enhanced["rule"])
+                    if enhanced.get("improvements") and "failed" not in str(enhanced.get("improvements", [])).lower():
+                        enhancement_summary.append(f"{enhanced['rule']}: {', '.join(enhanced['improvements'][:2])}")
+            else:
+                # Fallback to original rule
+                success = rules_store.add_rule(x_tenant_id, rule)
+                if success:
+                    added.append(rule)
+        except Exception as e:
+            print(f"Error saving rule {i+1}: {e}")
+            # Continue with next rule
+            continue
+    
     rules = get_rules_for_tenant(x_tenant_id)
 
     return {
         "tenant_id": x_tenant_id,
         "added_rules": added,
+        "enhanced": len(enhanced_rules_data) > 0,
+        "enhancement_summary": enhancement_summary,
         "rules": rules
     }
 
@@ -220,6 +353,165 @@ async def get_tool_logs(
     }
 
 
+@router.post("/rules/upload-file")
+async def upload_rules_from_file(
+    file: UploadFile = File(...),
+    x_tenant_id: str = Header(None),
+    enhance: bool = Query(True, description="Use LLM to enhance rules before saving")
+):
+    """
+    Upload rules from a file (TXT, PDF, DOC, DOCX).
+    Extracts text from the file and processes rules.
+    """
+    if not x_tenant_id:
+        raise HTTPException(status_code=400, detail="Missing tenant ID")
+    
+    if not file.filename:
+        raise HTTPException(status_code=400, detail="No file provided")
+    
+    file_ext = file.filename.split('.')[-1].lower() if '.' in file.filename else ''
+    if file_ext not in ['txt', 'pdf', 'doc', 'docx', 'md']:
+        raise HTTPException(
+            status_code=400, 
+            detail=f"Unsupported file type: {file_ext}. Supported: TXT, PDF, DOC, DOCX, MD"
+        )
+    
+    try:
+        # Read file bytes
+        file_bytes = await file.read()
+        if not file_bytes:
+            raise HTTPException(status_code=400, detail="File is empty")
+        
+        # Extract text from file
+        try:
+            extracted_text = extract_text_from_file_bytes(file_bytes, file.filename)
+        except ValueError as e:
+            raise HTTPException(status_code=400, detail=str(e))
+        
+        if not extracted_text or not extracted_text.strip():
+            raise HTTPException(status_code=400, detail="No text could be extracted from file")
+        
+        # Parse rules (filter comments and empty lines)
+        rules = [
+            rule.strip() 
+            for rule in extracted_text.splitlines() 
+            if rule.strip() and not rule.strip().startswith("#")
+        ]
+        
+        if not rules:
+            raise HTTPException(status_code=400, detail="No valid rules found in file (after filtering comments)")
+        
+        # Get existing rules for context
+        existing_rules = rules_store.get_rules(x_tenant_id)
+        
+        # Enhance rules using LLM
+        enhanced_rules_data = []
+        if enhance:
+            try:
+                CHUNK_SIZE = 5
+                for i in range(0, len(rules), CHUNK_SIZE):
+                    chunk = rules[i:i + CHUNK_SIZE]
+                    try:
+                        chunk_enhanced = await rule_enhancer.enhance_rules_bulk(
+                            chunk,
+                            existing_rules=existing_rules if existing_rules else None
+                        )
+                        enhanced_rules_data.extend(chunk_enhanced)
+                    except Exception as e:
+                        print(f"Chunk {i//CHUNK_SIZE + 1} enhancement failed: {e}")
+                        for rule in chunk:
+                            enhanced_rules_data.append({
+                                "rule": rule,
+                                "pattern": rule,
+                                "description": rule,
+                                "severity": "medium",
+                                "edge_cases": [],
+                                "improvements": ["Enhancement failed for this chunk"],
+                                "keywords": []
+                            })
+            except Exception as e:
+                print(f"Bulk rule enhancement failed: {e}, using original rules")
+                enhanced_rules_data = []
+        
+        # Save rules to database
+        added = []
+        enhancement_summary = []
+        
+        for i, rule in enumerate(rules):
+            try:
+                if enhanced_rules_data and i < len(enhanced_rules_data):
+                    enhanced = enhanced_rules_data[i]
+                    success = rules_store.add_rule(
+                        x_tenant_id,
+                        enhanced["rule"],
+                        pattern=enhanced["pattern"],
+                        severity=enhanced["severity"],
+                        description=enhanced["description"],
+                        enabled=True
+                    )
+                    if success:
+                        added.append(enhanced["rule"])
+                        if enhanced.get("improvements") and "failed" not in str(enhanced.get("improvements", [])).lower():
+                            enhancement_summary.append(f"{enhanced['rule']}: {', '.join(enhanced['improvements'][:2])}")
+                else:
+                    success = rules_store.add_rule(x_tenant_id, rule)
+                    if success:
+                        added.append(rule)
+            except Exception as e:
+                print(f"Error saving rule {i+1}: {e}")
+                continue
+        
+        rules_list = get_rules_for_tenant(x_tenant_id)
+        
+        return {
+            "tenant_id": x_tenant_id,
+            "filename": file.filename,
+            "added_rules": added,
+            "total_extracted": len(rules),
+            "enhanced": len(enhanced_rules_data) > 0,
+            "enhancement_summary": enhancement_summary,
+            "rules": rules_list
+        }
+    
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=f"Error processing file: {str(e)}")
+
+
+@router.post("/setup/table")
+async def create_supabase_table(x_tenant_id: str = Header(None)):
+    """
+    Create the admin_rules table in Supabase if it doesn't exist.
+    This endpoint can be called after startup to set up the table.
+    """
+    try:
+        if rules_store.use_supabase:
+            success = rules_store.create_table_if_needed()
+            if success:
+                return {
+                    "status": "success",
+                    "message": "Table created successfully",
+                    "table": "admin_rules"
+                }
+            else:
+                return {
+                    "status": "manual_required",
+                    "message": "Automatic table creation failed. Please run SQL manually.",
+                    "instructions": "Go to Supabase Dashboard → SQL Editor → Run supabase_admin_rules_table.sql"
+                }
+        else:
+            return {
+                "status": "not_applicable",
+                "message": "Using SQLite, not Supabase. Table creation not needed."
+            }
+    except Exception as e:
+        return {
+            "status": "error",
+            "message": str(e)
+        }
+
+
 @router.get("/tenants")
 async def list_tenants():
     """

backend/api/routes/agent.py

@@ -3,10 +3,13 @@
 # =============================================================
 
 from fastapi import APIRouter
+from fastapi.responses import StreamingResponse
 from pydantic import BaseModel
 import os
 import sys
+import json
 from pathlib import Path
+from typing import AsyncGenerator
 
 # Add backend to path for imports
 backend_dir = Path(__file__).parent.parent.parent
@@ -47,6 +50,160 @@ async def agent_chat(req: ChatRequest):
     return await orchestrator.handle(agent_req)
 
 
+@router.post("/message/stream")
+async def agent_chat_stream(req: ChatRequest):
+    """Stream agent response word by word using Server-Sent Events."""
+    agent_req = AgentRequest(
+        tenant_id=req.tenant_id,
+        user_id=req.user_id,
+        message=req.message,
+        conversation_history=req.conversation_history,
+        temperature=req.temperature
+    )
+    
+    async def generate_stream() -> AsyncGenerator[str, None]:
+        """Generate streaming response."""
+        try:
+            # FIRST: Check admin rules - if any rule matches, respond according to rule
+            yield f"data: {json.dumps({'status': 'processing', 'message': 'Checking rules...'})}\n\n"
+            matches = await orchestrator.redflag.check(agent_req.tenant_id, agent_req.message)
+            
+            if matches:
+                # Categorize rules: brief response rules vs blocking rules
+                brief_response_rules = []
+                blocking_rules = []
+                
+                for match in matches:
+                    rule_text = (match.description or match.pattern or "").lower()
+                    is_brief_rule = (
+                        match.severity == "low" and (
+                            "greeting" in rule_text or 
+                            "brief" in rule_text or 
+                            "simple response" in rule_text or
+                            "keep.*response.*brief" in rule_text or
+                            "do not.*verbose" in rule_text or
+                            "respond.*briefly" in rule_text
+                        )
+                    )
+                    
+                    if is_brief_rule:
+                        brief_response_rules.append(match)
+                    else:
+                        blocking_rules.append(match)
+                
+                # Handle brief response rules (greetings, etc.) - return immediately
+                if brief_response_rules and not blocking_rules:
+                    brief_responses = [
+                        "Hello! How can I help you today?",
+                        "Hi there! What can I assist you with?",
+                        "Hello! I'm here to help. What do you need?",
+                        "Hi! How can I assist you?"
+                    ]
+                    import random
+                    brief_response = random.choice(brief_responses)
+                    
+                    # Stream the brief response word by word
+                    yield f"data: {json.dumps({'status': 'streaming', 'message': ''})}\n\n"
+                    words = brief_response.split()
+                    for word in words:
+                        yield f"data: {json.dumps({'token': word + ' ', 'done': False})}\n\n"
+                    yield f"data: {json.dumps({'token': '', 'done': True})}\n\n"
+                    return
+                
+                # Handle blocking rules (security, compliance, etc.)
+                if blocking_rules:
+                    matches = blocking_rules
+            
+            if matches:
+                # For red flags, generate streaming response via LLM
+                violations_details = []
+                for i, m in enumerate(matches, 1):
+                    rule_name = m.description or m.pattern or "Policy violation"
+                    detail = f"{i}. **{rule_name}** (Severity: {m.severity})"
+                    if m.matched_text:
+                        detail += f"\n   - Detected phrase: \"{m.matched_text}\""
+                    violations_details.append(detail)
+                
+                llm_prompt = f"""A user made the following request: "{agent_req.message}"
+
+However, this request violates company policies. The following policy violations were detected:
+
+{chr(10).join(violations_details)}
+
+Your task: Write a clear, professional, and empathetic response to inform the user that:
+1. Their request cannot be processed due to policy violations
+2. Which specific policy was violated (mention it naturally)
+3. The incident has been logged for security review
+4. They should contact an administrator if they need assistance or believe this is an error
+
+Write a natural, conversational response (2-4 sentences) that feels helpful rather than robotic. Be professional but understanding.
+
+Response:"""
+                
+                async for token in orchestrator.llm.stream_call(llm_prompt, agent_req.temperature):
+                    yield f"data: {json.dumps({'token': token, 'done': False})}\n\n"
+                
+                yield f"data: {json.dumps({'token': '', 'done': True})}\n\n"
+                return
+            
+            # STEP 2: ONLY IF NO RULES MATCHED - Proceed with normal flow
+            yield f"data: {json.dumps({'status': 'classifying', 'message': 'Understanding your question...'})}\n\n"
+            intent = await orchestrator.intent.classify(agent_req.message)
+            
+            # Pre-fetch RAG if needed
+            rag_results = []
+            if intent == "rag" or "rag" in intent.lower():
+                yield f"data: {json.dumps({'status': 'searching', 'message': 'Searching knowledge base...'})}\n\n"
+                try:
+                    rag_prefetch = await orchestrator.mcp.call_rag(agent_req.tenant_id, agent_req.message)
+                    if isinstance(rag_prefetch, dict):
+                        rag_results = rag_prefetch.get("results") or rag_prefetch.get("hits") or []
+                except Exception:
+                    pass
+            
+            # Build prompt with context
+            if rag_results:
+                context = "\n\n".join([r.get("text", "")[:500] for r in rag_results[:3]])
+                prompt = f"""Based on the following context, answer the user's question:
+
+Context:
+{context}
+
+User's question: {agent_req.message}
+
+Answer:"""
+            else:
+                prompt = agent_req.message
+            
+            # Signal that streaming is starting
+            yield f"data: {json.dumps({'status': 'streaming', 'message': ''})}\n\n"
+            
+            # Stream LLM response - flush each token immediately
+            # Import asyncio for potential delays if needed
+            import asyncio
+            async for token in orchestrator.llm.stream_call(prompt, agent_req.temperature):
+                if token:  # Only send non-empty tokens
+                    yield f"data: {json.dumps({'token': token, 'done': False})}\n\n"
+                    # Small delay to ensure proper flushing (optional, can remove if not needed)
+                    await asyncio.sleep(0)  # Yield control to event loop
+            
+            yield f"data: {json.dumps({'token': '', 'done': True})}\n\n"
+            
+        except Exception as e:
+            error_msg = json.dumps({'error': str(e), 'done': True})
+            yield f"data: {error_msg}\n\n"
+    
+    return StreamingResponse(
+        generate_stream(),
+        media_type="text/event-stream",
+        headers={
+            "Cache-Control": "no-cache",
+            "Connection": "keep-alive",
+            "X-Accel-Buffering": "no"
+        }
+    )
+
+
 @router.post("/debug")
 async def agent_debug(req: ChatRequest):
     """

backend/api/services/agent_orchestrator.py

@@ -54,50 +54,110 @@ class AgentOrchestrator:
             "message_preview": req.message[:120]
         })
 
-        # 1) Red-flag check (async)
+        # 1) FIRST: Check admin rules - if any rule matches, respond according to rule
         matches: List[RedFlagMatch] = await self.redflag.check(req.tenant_id, req.message)
         reasoning_trace.append({
-            "step": "redflag_check",
+            "step": "admin_rules_check",
             "match_count": len(matches),
             "matches": [m.__dict__ for m in matches]
         })
 
-        # Log red-flag violations
-        for match in matches:
-            self.analytics.log_redflag_violation(
-                tenant_id=req.tenant_id,
-                rule_id=match.rule_id,
-                rule_pattern=match.pattern,
-                severity=match.severity,
-                matched_text=match.matched_text,
-                confidence=match.confidence,
-                message_preview=req.message[:200],
-                user_id=req.user_id
-            )
-
         if matches:
-            # Notify admin asynchronously (do not await blocking the response path if you prefer)
-            # we await here to ensure admin receives the alert before responding
-            try:
-                await self.redflag.notify_admin(req.tenant_id, matches, source_payload={"message": req.message, "user_id": req.user_id})
-            except Exception:
-                pass
-
-            decision = AgentDecision(
-                action="block",
-                tool="admin",
-                tool_input={"violations": [m.__dict__ for m in matches]},
-                reason="redflag_triggered"
-            )
+            # Log all rule matches
+            for match in matches:
+                self.analytics.log_redflag_violation(
+                    tenant_id=req.tenant_id,
+                    rule_id=match.rule_id,
+                    rule_pattern=match.pattern,
+                    severity=match.severity,
+                    matched_text=match.matched_text,
+                    confidence=match.confidence,
+                    message_preview=req.message[:200],
+                    user_id=req.user_id
+                )
             
-            # Build detailed prompt for LLM to generate natural red flag response
-            violations_details = []
-            for i, m in enumerate(matches, 1):
-                rule_name = m.description or m.pattern or "Policy violation"
-                detail = f"{i}. **{rule_name}** (Severity: {m.severity})"
-                if m.matched_text:
-                    detail += f"\n   - Detected phrase: \"{m.matched_text}\""
-                violations_details.append(detail)
+            # Categorize rules: brief response rules vs blocking rules
+            brief_response_rules = []
+            blocking_rules = []
+            
+            for match in matches:
+                rule_text = (match.description or match.pattern or "").lower()
+                is_brief_rule = (
+                    match.severity == "low" and (
+                        "greeting" in rule_text or 
+                        "brief" in rule_text or 
+                        "simple response" in rule_text or
+                        "keep.*response.*brief" in rule_text or
+                        "do not.*verbose" in rule_text or
+                        "respond.*briefly" in rule_text
+                    )
+                )
+                
+                if is_brief_rule:
+                    brief_response_rules.append(match)
+                else:
+                    blocking_rules.append(match)
+            
+            # Handle brief response rules (greetings, etc.) - return immediately
+            if brief_response_rules and not blocking_rules:
+                # Return brief response without proceeding to normal flow
+                brief_responses = [
+                    "Hello! How can I help you today?",
+                    "Hi there! What can I assist you with?",
+                    "Hello! I'm here to help. What do you need?",
+                    "Hi! How can I assist you?"
+                ]
+                import random
+                brief_response = random.choice(brief_responses)
+                
+                reasoning_trace.append({
+                    "step": "brief_response_rule_matched",
+                    "action": "brief_response",
+                    "matched_rules": [m.rule_id for m in brief_response_rules],
+                    "message": "Brief response rule matched, returning brief response (skipping normal flow)"
+                })
+                
+                total_latency_ms = int((time.time() - start_time) * 1000)
+                self.analytics.log_agent_query(
+                    tenant_id=req.tenant_id,
+                    message_preview=req.message[:200],
+                    intent="greeting",
+                    tools_used=[],
+                    total_tokens=len(brief_response) // 4,
+                    total_latency_ms=total_latency_ms,
+                    success=True,
+                    user_id=req.user_id
+                )
+                
+                return AgentResponse(
+                    text=brief_response,
+                    decision=AgentDecision(action="respond", tool=None, tool_input=None, reason="brief_response_rule"),
+                    reasoning_trace=reasoning_trace
+                )
+            
+            # Handle blocking rules (security, compliance, etc.) - block and return immediately
+            if blocking_rules:
+                # Notify admin asynchronously
+                try:
+                    await self.redflag.notify_admin(req.tenant_id, blocking_rules, source_payload={"message": req.message, "user_id": req.user_id})
+                except Exception:
+                    pass
+
+                decision = AgentDecision(
+                    action="block",
+                    tool="admin",
+                    tool_input={"violations": [m.__dict__ for m in blocking_rules]},
+                    reason="admin_rule_violation"
+                )
+                
+                # Build detailed prompt for LLM to generate natural red flag response
+                violations_details = []
+                for i, m in enumerate(blocking_rules, 1):
+                    rule_name = m.description or m.pattern or "Policy violation"
+                    detail = f"{i}. **{rule_name}** (Severity: {m.severity})"
+                    if m.matched_text:
+                        detail += f"\n   - Detected phrase: \"{m.matched_text}\""
+                    violations_details.append(detail)
             
             llm_prompt = f"""A user made the following request: "{req.message}"
 
@@ -157,11 +217,11 @@ Response:"""
             return AgentResponse(
                 text=llm_response,
                 decision=decision,
-                tool_traces=[{"redflags": [m.__dict__ for m in matches]}],
+                tool_traces=[{"redflags": [m.__dict__ for m in blocking_rules]}],
                 reasoning_trace=reasoning_trace
             )
-
-        # 2) Intent classification
+        
+        # 2) ONLY IF NO RULES MATCHED: Proceed with normal flow (intent classification, RAG, etc.)
         intent = await self.intent.classify(req.message)
         reasoning_trace.append({
             "step": "intent_detection",

backend/api/services/llm_client.py

@@ -1,5 +1,6 @@
 import os, json
 import httpx
+from typing import AsyncGenerator
 
 
 class LLMClient:
@@ -51,3 +52,46 @@ class LLMClient:
             except Exception as e:
                 raise RuntimeError(f"LLM call failed: {str(e)}")
         raise RuntimeError("Unsupported backend")
+
+    async def stream_call(self, prompt: str, temperature: float = 0.0) -> AsyncGenerator[str, None]:
+        """Stream LLM response token by token."""
+        if self.backend == "ollama":
+            if not self.url or not self.model:
+                raise RuntimeError(f"LLM not configured: url={self.url}, model={self.model}")
+            
+            try:
+                async with httpx.AsyncClient(timeout=300.0) as client:
+                    async with client.stream(
+                        "POST",
+                        f"{self.url}/api/generate",
+                        json={
+                            "model": self.model,
+                            "prompt": prompt,
+                            "stream": True,
+                            "options": {"temperature": temperature}
+                        }
+                    ) as response:
+                        response.raise_for_status()
+                        async for line in response.aiter_lines():
+                            if line:
+                                try:
+                                    data = json.loads(line)
+                                    token = data.get("response", "")
+                                    if token:
+                                        yield token
+                                    # Check if done
+                                    if data.get("done", False):
+                                        break
+                                except json.JSONDecodeError:
+                                    continue
+                            # Yield empty string to keep connection alive if needed
+                            # This helps with buffering issues
+            except httpx.ConnectError:
+                raise RuntimeError(
+                    f"Cannot connect to Ollama at {self.url}. "
+                    f"Is Ollama running? Start it with: ollama serve"
+                )
+            except Exception as e:
+                raise RuntimeError(f"LLM streaming failed: {str(e)}")
+        else:
+            raise RuntimeError("Streaming not supported for this backend")

backend/api/services/rule_enhancer.py

@@ -0,0 +1,184 @@
+"""
+Rule Enhancement Service using LLM
+Analyzes rules for edge cases and improves them before saving to database.
+"""
+
+import os
+from typing import List, Dict, Any, Optional
+from ..services.llm_client import LLMClient
+
+
+class RuleEnhancer:
+    """
+    Uses LLM to analyze and enhance admin rules.
+    Identifies edge cases, improves patterns, and suggests better descriptions.
+    """
+    
+    def __init__(self, llm_client: Optional[LLMClient] = None):
+        self.llm = llm_client or LLMClient(
+            backend=os.getenv("LLM_BACKEND", "ollama"),
+            url=os.getenv("OLLAMA_URL"),
+            api_key=os.getenv("GROQ_API_KEY"),
+            model=os.getenv("OLLAMA_MODEL", "llama3.1:latest")
+        )
+    
+    async def enhance_rule(
+        self,
+        rule_text: str,
+        existing_rules: Optional[List[str]] = None,
+        context: Optional[str] = None
+    ) -> Dict[str, Any]:
+        """
+        Enhance a single rule using LLM analysis.
+        
+        Args:
+            rule_text: The original rule text
+            existing_rules: List of existing rules for context
+            context: Additional context about the rule
+        
+        Returns:
+            Dictionary with enhanced rule data:
+            - rule: Enhanced rule text
+            - pattern: Improved regex pattern
+            - description: Better description
+            - severity: Suggested severity
+            - edge_cases: List of identified edge cases
+            - improvements: List of suggested improvements
+        """
+        existing_context = ""
+        if existing_rules:
+            existing_context = "\n".join([f"- {r}" for r in existing_rules[:10]])  # Limit to 10 rules
+        
+        context_text = f"\nAdditional context: {context}" if context else ""
+        
+        prompt = f"""You are an expert in policy rule analysis and pattern matching. Analyze the following rule and enhance it.
+
+Original Rule: "{rule_text}"
+
+Existing Rules (for context):
+{existing_context if existing_context else "None"}
+{context_text}
+
+Your task:
+1. Analyze the rule for potential edge cases and improvements
+2. Generate an improved regex pattern that catches more variations
+3. Write a clear, comprehensive description
+4. Suggest an appropriate severity level (low/medium/high/critical)
+5. Identify edge cases that might be missed
+6. Suggest improvements
+
+Respond in JSON format with the following structure:
+{{
+    "rule": "Enhanced rule text (improved version of original)",
+    "pattern": "Improved regex pattern (e.g., '.*password.*|.*pwd.*|.*passcode.*')",
+    "description": "Clear description of what this rule detects",
+    "severity": "low|medium|high|critical",
+    "edge_cases": ["Edge case 1", "Edge case 2", ...],
+    "improvements": ["Improvement 1", "Improvement 2", ...],
+    "keywords": ["keyword1", "keyword2", ...]
+}}
+
+Only return valid JSON, no additional text:"""
+        
+        try:
+            # Add timeout protection - LLM calls can be slow
+            import asyncio
+            response = await asyncio.wait_for(
+                self.llm.simple_call(prompt, temperature=0.3),
+                timeout=30.0  # 30 second timeout per rule
+            )
+            
+            # Clean up response - remove markdown code blocks if present
+            response = response.strip()
+            if response.startswith("```json"):
+                response = response[7:]
+            if response.startswith("```"):
+                response = response[3:]
+            if response.endswith("```"):
+                response = response[:-3]
+            response = response.strip()
+            
+            import json
+            enhanced_data = json.loads(response)
+            
+            # Ensure all required fields exist
+            result = {
+                "rule": enhanced_data.get("rule", rule_text),
+                "pattern": enhanced_data.get("pattern", rule_text),
+                "description": enhanced_data.get("description", rule_text),
+                "severity": enhanced_data.get("severity", "medium"),
+                "edge_cases": enhanced_data.get("edge_cases", []),
+                "improvements": enhanced_data.get("improvements", []),
+                "keywords": enhanced_data.get("keywords", [])
+            }
+            
+            # Validate severity
+            if result["severity"] not in ["low", "medium", "high", "critical"]:
+                result["severity"] = "medium"
+            
+            return result
+            
+        except asyncio.TimeoutError:
+            # Timeout - return original rule
+            print(f"LLM enhancement timeout for rule: {rule_text[:50]}...")
+            return {
+                "rule": rule_text,
+                "pattern": rule_text,
+                "description": rule_text,
+                "severity": "medium",
+                "edge_cases": [],
+                "improvements": ["Enhancement timed out - using original rule"],
+                "keywords": []
+            }
+        except Exception as e:
+            # Fallback to original rule if LLM fails
+            print(f"LLM enhancement error: {e}")
+            return {
+                "rule": rule_text,
+                "pattern": rule_text,
+                "description": rule_text,
+                "severity": "medium",
+                "edge_cases": [],
+                "improvements": [f"Enhancement failed: {str(e)[:50]}"],
+                "keywords": []
+            }
+    
+    async def enhance_rules_bulk(
+        self,
+        rules: List[str],
+        existing_rules: Optional[List[str]] = None
+    ) -> List[Dict[str, Any]]:
+        """
+        Enhance multiple rules at once.
+        Processes rules sequentially with error handling to avoid timeout.
+        
+        Args:
+            rules: List of rule texts to enhance
+            existing_rules: List of existing rules for context
+        
+        Returns:
+            List of enhanced rule dictionaries
+        """
+        enhanced_rules = []
+        
+        for i, rule in enumerate(rules):
+            try:
+                # Enhance each rule individually with timeout protection
+                enhanced = await self.enhance_rule(rule, existing_rules)
+                enhanced_rules.append(enhanced)
+            except Exception as e:
+                # If enhancement fails for one rule, use original rule
+                # This ensures other rules can still be processed
+                print(f"Warning: Rule {i+1}/{len(rules)} enhancement failed: {e}")
+                enhanced_rules.append({
+                    "rule": rule,
+                    "pattern": rule,
+                    "description": rule,
+                    "severity": "medium",
+                    "edge_cases": [],
+                    "improvements": [f"Enhancement skipped due to error"],
+                    "keywords": []
+                })
+        
+        return enhanced_rules
+

backend/api/storage/create_supabase_table.py

@@ -0,0 +1,212 @@
+"""
+Script to create admin_rules table in Supabase programmatically.
+Run this script to set up the table in your Supabase project.
+"""
+
+import os
+import sys
+from pathlib import Path
+
+# Add backend to path
+backend_dir = Path(__file__).resolve().parents[2]
+sys.path.insert(0, str(backend_dir))
+
+try:
+    from supabase import create_client, Client
+except ImportError:
+    print("❌ Supabase client not installed. Run: pip install supabase")
+    sys.exit(1)
+
+
+def create_admin_rules_table():
+    """
+    Create the admin_rules table in Supabase with all necessary columns,
+    indexes, RLS policies, and triggers.
+    """
+    supabase_url = os.getenv("SUPABASE_URL")
+    supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+    
+    if not supabase_url or not supabase_key:
+        print("❌ Supabase credentials missing!")
+        print("   Set SUPABASE_URL and SUPABASE_SERVICE_KEY in your .env file")
+        return False
+    
+    try:
+        client = create_client(supabase_url, supabase_key)
+        
+        print("🔗 Connecting to Supabase...")
+        print(f"   URL: {supabase_url}")
+        
+        # SQL script to create the table
+        sql_script = """
+-- Create admin_rules table
+CREATE TABLE IF NOT EXISTS admin_rules (
+    id BIGSERIAL PRIMARY KEY,
+    tenant_id TEXT NOT NULL,
+    rule TEXT NOT NULL,
+    pattern TEXT,
+    severity TEXT DEFAULT 'medium' CHECK (severity IN ('low', 'medium', 'high', 'critical')),
+    description TEXT,
+    enabled BOOLEAN DEFAULT true,
+    created_at TIMESTAMPTZ DEFAULT NOW(),
+    updated_at TIMESTAMPTZ DEFAULT NOW(),
+    UNIQUE(tenant_id, rule)
+);
+
+-- Create indexes for faster queries
+CREATE INDEX IF NOT EXISTS idx_admin_rules_tenant_id ON admin_rules(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_admin_rules_enabled ON admin_rules(enabled);
+CREATE INDEX IF NOT EXISTS idx_admin_rules_tenant_enabled ON admin_rules(tenant_id, enabled);
+
+-- Enable Row Level Security
+ALTER TABLE admin_rules ENABLE ROW LEVEL SECURITY;
+
+-- Drop existing policy if it exists (to avoid conflicts)
+DROP POLICY IF EXISTS "Service role can manage all admin rules" ON admin_rules;
+
+-- Create policy to allow service role to access all rows
+CREATE POLICY "Service role can manage all admin rules"
+    ON admin_rules
+    FOR ALL
+    USING (true)
+    WITH CHECK (true);
+
+-- Create function to automatically update updated_at timestamp
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = NOW();
+    RETURN NEW;
+END;
+$$ language 'plpgsql';
+
+-- Drop existing trigger if it exists
+DROP TRIGGER IF EXISTS update_admin_rules_updated_at ON admin_rules;
+
+-- Create trigger to automatically update updated_at
+CREATE TRIGGER update_admin_rules_updated_at
+    BEFORE UPDATE ON admin_rules
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at_column();
+"""
+        
+        print("\n📝 Executing SQL to create admin_rules table...")
+        
+        # Execute SQL using Supabase REST API
+        # Note: Supabase Python client doesn't have direct SQL execution
+        # We need to use the REST API or rpc function
+        
+        # Alternative: Use the REST API to execute SQL
+        import httpx
+        import json
+        
+        response = httpx.post(
+            f"{supabase_url}/rest/v1/rpc/exec_sql",
+            headers={
+                "apikey": supabase_key,
+                "Authorization": f"Bearer {supabase_key}",
+                "Content-Type": "application/json"
+            },
+            json={"query": sql_script},
+            timeout=30
+        )
+        
+        if response.status_code in [200, 201, 204]:
+            print("✅ Table created successfully!")
+            print("\n📊 Verifying table exists...")
+            
+            # Try to query the table to verify it exists
+            try:
+                result = client.table("admin_rules").select("id").limit(1).execute()
+                print("✅ Table verified - admin_rules table exists and is accessible")
+                return True
+            except Exception as e:
+                # Table might exist but be empty, which is fine
+                if "relation" in str(e).lower() or "does not exist" in str(e).lower():
+                    print("⚠️  Table might not have been created. Check Supabase dashboard.")
+                    return False
+                else:
+                    print("✅ Table exists (empty table)")
+                    return True
+        else:
+            # If rpc doesn't work, try direct SQL execution via PostgREST
+            # Some Supabase setups allow direct SQL execution
+            print("⚠️  RPC method not available, trying alternative method...")
+            print("   You may need to run the SQL manually in Supabase SQL Editor")
+            print(f"   See: supabase_admin_rules_table.sql")
+            return False
+            
+    except Exception as e:
+        print(f"❌ Error creating table: {e}")
+        print("\n💡 Alternative: Run the SQL manually in Supabase SQL Editor")
+        print("   1. Go to Supabase Dashboard → SQL Editor")
+        print("   2. Copy contents of supabase_admin_rules_table.sql")
+        print("   3. Paste and run in SQL Editor")
+        return False
+
+
+def verify_table_structure():
+    """Verify the table structure by checking columns."""
+    supabase_url = os.getenv("SUPABASE_URL")
+    supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+    
+    if not supabase_url or not supabase_key:
+        return False
+    
+    try:
+        client = create_client(supabase_url, supabase_key)
+        
+        # Try to get table info by querying with limit 0
+        result = client.table("admin_rules").select("*").limit(0).execute()
+        
+        print("\n📋 Table Structure Verified:")
+        print("   ✅ admin_rules table exists")
+        print("   ✅ Table is accessible")
+        return True
+    except Exception as e:
+        if "relation" in str(e).lower() or "does not exist" in str(e).lower():
+            print("❌ Table does not exist yet")
+            return False
+        else:
+            print(f"⚠️  Could not verify: {e}")
+            return False
+
+
+if __name__ == "__main__":
+    print("=" * 60)
+    print("Supabase Admin Rules Table Creator")
+    print("=" * 60)
+    print()
+    
+    # Load environment variables
+    from dotenv import load_dotenv
+    load_dotenv()
+    
+    # Check if table already exists
+    print("🔍 Checking if table already exists...")
+    if verify_table_structure():
+        print("\n✅ Table already exists! No need to create it.")
+        response = input("\nDo you want to recreate it? (y/N): ")
+        if response.lower() != 'y':
+            print("Exiting...")
+            sys.exit(0)
+    
+    # Create the table
+    success = create_admin_rules_table()
+    
+    if success:
+        print("\n" + "=" * 60)
+        print("✅ Setup Complete!")
+        print("=" * 60)
+        print("\nYou can now use the RulesStore with Supabase.")
+        print("Rules will be automatically saved to Supabase instead of SQLite.")
+    else:
+        print("\n" + "=" * 60)
+        print("⚠️  Automatic setup failed")
+        print("=" * 60)
+        print("\nPlease run the SQL manually:")
+        print("1. Go to Supabase Dashboard → SQL Editor")
+        print("2. Open: supabase_admin_rules_table.sql")
+        print("3. Copy and paste the SQL into the editor")
+        print("4. Click 'Run' to execute")
+

backend/api/storage/rules_store.py

@@ -1,21 +1,210 @@
 import sqlite3
 import time
+import os
 from pathlib import Path
 from typing import List, Optional, Dict, Any
 
+# Try to import Supabase client
+try:
+    from supabase import create_client, Client
+    SUPABASE_AVAILABLE = True
+except ImportError:
+    SUPABASE_AVAILABLE = False
+    Client = None
+
 
 class RulesStore:
     """
-    Lightweight SQLite-backed store for admin rules.
-    Ensures data persists across restarts without requiring external DB setup.
+    Store for admin rules with support for both Supabase and SQLite.
+    Uses Supabase if configured, otherwise falls back to SQLite.
     """
 
-    def __init__(self):
-        root_dir = Path(__file__).resolve().parents[3]  # points to project root
-        data_dir = root_dir / "data"
-        data_dir.mkdir(parents=True, exist_ok=True)
-        self.db_path = data_dir / "admin_rules.db"
-        self._init_db()
+    def __init__(self, use_supabase: Optional[bool] = None, auto_create_table: bool = False):
+        """
+        Initialize RulesStore.
+        
+        Args:
+            use_supabase: If True, use Supabase; if False, use SQLite.
+                          If None, auto-detect based on environment variables.
+            auto_create_table: If True, attempt to create Supabase table if it doesn't exist.
+                              Default False to avoid blocking startup. Use create_table() method separately.
+        """
+        self.use_supabase = use_supabase
+        self._table_verified = False
+        
+        # Auto-detect if Supabase should be used
+        if self.use_supabase is None:
+            supabase_url = os.getenv("SUPABASE_URL")
+            supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+            self.use_supabase = bool(supabase_url and supabase_key and SUPABASE_AVAILABLE)
+        
+        if self.use_supabase:
+            # Initialize Supabase client
+            supabase_url = os.getenv("SUPABASE_URL")
+            supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+            if not supabase_url or not supabase_key:
+                # Don't raise error, fall back to SQLite instead
+                print("⚠️  Supabase credentials missing. Falling back to SQLite.")
+                self.use_supabase = False
+            else:
+                try:
+                    self.supabase_client = create_client(supabase_url, supabase_key)
+                    self.table_name = "admin_rules"
+                    # Only verify table existence, don't create during init
+                    if auto_create_table:
+                        self._ensure_supabase_table()
+                    else:
+                        # Quick check without blocking
+                        self._quick_table_check()
+                except Exception as e:
+                    print(f"⚠️  Failed to initialize Supabase client: {e}. Falling back to SQLite.")
+                    self.use_supabase = False
+        
+        if not self.use_supabase:
+            # Initialize SQLite
+            root_dir = Path(__file__).resolve().parents[3]  # points to project root
+            data_dir = root_dir / "data"
+            data_dir.mkdir(parents=True, exist_ok=True)
+            self.db_path = data_dir / "admin_rules.db"
+            self._init_db()
+    
+    def _quick_table_check(self):
+        """Quick non-blocking check if table exists."""
+        try:
+            self.supabase_client.table(self.table_name).select("id").limit(1).execute()
+            self._table_verified = True
+        except Exception:
+            # Table might not exist, but don't block startup
+            self._table_verified = False
+    
+    def _ensure_supabase_table(self):
+        """Ensure the Supabase table exists, create it if needed."""
+        try:
+            # Try to query the table to see if it exists
+            self.supabase_client.table(self.table_name).select("id").limit(1).execute()
+            # If we get here, table exists
+            self._table_verified = True
+            return True
+        except Exception as e:
+            error_str = str(e).lower()
+            if "relation" in error_str or "does not exist" in error_str or "not found" in error_str:
+                # Table doesn't exist, try to create it (non-blocking)
+                print(f"⚠️  Table '{self.table_name}' does not exist in Supabase.")
+                print("   Run 'python create_supabase_table.py' to create it, or create manually in Supabase SQL Editor.")
+                # Don't block startup - just log the issue
+                return False
+            else:
+                # Other error, assume table exists
+                self._table_verified = True
+                return True
+    
+    def create_table_if_needed(self):
+        """Public method to create table if needed. Can be called after startup."""
+        if not self.use_supabase:
+            return False
+        if self._table_verified:
+            return True
+        return self._create_supabase_table()
+    
+    def _create_supabase_table(self) -> bool:
+        """Create the admin_rules table in Supabase programmatically."""
+        try:
+            # Read SQL file
+            sql_file = Path(__file__).resolve().parents[3] / "supabase_admin_rules_table.sql"
+            if not sql_file.exists():
+                print(f"   ⚠️  SQL file not found: {sql_file}")
+                self._show_manual_instructions()
+                return False
+            
+            with open(sql_file, "r", encoding="utf-8") as f:
+                sql_content = f.read()
+            
+            # Method 1: Try using psql if POSTGRESQL_URL is available (non-blocking with timeout)
+            postgres_url = os.getenv("POSTGRESQL_URL")
+            if postgres_url:
+                try:
+                    import subprocess
+                    print("   🔧 Attempting to create table via psql...")
+                    
+                    # Execute SQL using psql with timeout
+                    result = subprocess.run(
+                        ["psql", postgres_url, "-c", sql_content],
+                        capture_output=True,
+                        text=True,
+                        timeout=10  # Shorter timeout to avoid blocking
+                    )
+                    
+                    if result.returncode == 0:
+                        print("   ✅ Table created successfully via psql!")
+                        self._table_verified = True
+                        return True
+                    else:
+                        print(f"   ⚠️  psql returned error: {result.stderr[:200]}")
+                except FileNotFoundError:
+                    print("   ⚠️  psql not found in PATH")
+                except subprocess.TimeoutExpired:
+                    print("   ⚠️  psql timed out (table creation may still be in progress)")
+                except Exception as e:
+                    print(f"   ⚠️  psql method failed: {e}")
+            
+            # Method 2: Try using Supabase REST API (if custom function exists)
+            try:
+                import httpx
+                
+                # Try different possible RPC endpoints
+                endpoints = [
+                    "/rest/v1/rpc/exec_sql",
+                    "/rest/v1/rpc/execute_sql",
+                    "/rest/v1/rpc/run_sql"
+                ]
+                
+                for endpoint in endpoints:
+                    try:
+                        response = httpx.post(
+                            f"{os.getenv('SUPABASE_URL')}{endpoint}",
+                            headers={
+                                "apikey": os.getenv("SUPABASE_SERVICE_KEY"),
+                                "Authorization": f"Bearer {os.getenv('SUPABASE_SERVICE_KEY')}",
+                                "Content-Type": "application/json",
+                                "Prefer": "return=representation"
+                            },
+                            json={"query": sql_content, "sql": sql_content},
+                            timeout=10  # Shorter timeout
+                        )
+                        
+                        if response.status_code in [200, 201, 204]:
+                            print("   ✅ Table created successfully via API!")
+                            self._table_verified = True
+                            return True
+                    except Exception:
+                        continue
+            except ImportError:
+                pass
+            except Exception as e:
+                print(f"   ⚠️  API method failed: {e}")
+            
+            # Method 3: Show manual instructions (don't block)
+            self._show_manual_instructions()
+            return False
+            
+        except Exception as e:
+            print(f"   ❌ Error: {e}")
+            self._show_manual_instructions()
+            return False
+    
+    def _show_manual_instructions(self):
+        """Show instructions for manual table creation."""
+        sql_file = Path(__file__).resolve().parents[3] / "supabase_admin_rules_table.sql"
+        print("\n   📝 Manual Setup Required:")
+        print("   1. Go to: https://app.supabase.com → Your Project → SQL Editor")
+        print("   2. Click 'New query'")
+        if sql_file.exists():
+            print(f"   3. Open file: {sql_file.name}")
+            print("   4. Copy all SQL and paste into SQL Editor")
+        else:
+            print("   3. Copy the SQL from supabase_admin_rules_table.sql")
+        print("   5. Click 'Run' to execute")
+        print("\n   💡 After creating the table, restart your application.")
 
     def _init_db(self):
         with sqlite3.connect(self.db_path) as conn:
@@ -60,24 +249,63 @@ class RulesStore:
 
     def get_rules(self, tenant_id: str) -> List[str]:
         """Get all rules as a list of rule text strings (backward compatibility)."""
-        with sqlite3.connect(self.db_path) as conn:
-            cursor = conn.execute(
-                "SELECT rule FROM admin_rules WHERE tenant_id = ? AND enabled = 1 ORDER BY id ASC",
-                (tenant_id,),
-            )
-            return [row[0] for row in cursor.fetchall()]
+        if self.use_supabase:
+            try:
+                response = self.supabase_client.table(self.table_name)\
+                    .select("rule")\
+                    .eq("tenant_id", tenant_id)\
+                    .eq("enabled", True)\
+                    .order("id")\
+                    .execute()
+                return [row["rule"] for row in response.data]
+            except Exception as e:
+                print(f"Error fetching rules from Supabase: {e}")
+                return []
+        else:
+            with sqlite3.connect(self.db_path) as conn:
+                cursor = conn.execute(
+                    "SELECT rule FROM admin_rules WHERE tenant_id = ? AND enabled = 1 ORDER BY id ASC",
+                    (tenant_id,),
+                )
+                return [row[0] for row in cursor.fetchall()]
     
     def get_rules_detailed(self, tenant_id: str) -> List[Dict[str, Any]]:
         """Get all rules with full metadata including pattern, severity, etc."""
-        with sqlite3.connect(self.db_path) as conn:
-            conn.row_factory = sqlite3.Row
-            cursor = conn.execute(
-                """SELECT id, tenant_id, rule, pattern, severity, description, enabled, created_at 
-                FROM admin_rules WHERE tenant_id = ? AND enabled = 1 ORDER BY id ASC""",
-                (tenant_id,),
-            )
-            rows = cursor.fetchall()
-            return [dict(row) for row in rows]
+        if self.use_supabase:
+            try:
+                response = self.supabase_client.table(self.table_name)\
+                    .select("*")\
+                    .eq("tenant_id", tenant_id)\
+                    .eq("enabled", True)\
+                    .order("id")\
+                    .execute()
+                # Convert to list of dicts and ensure created_at is a timestamp
+                rules = []
+                for row in response.data:
+                    rule_dict = dict(row)
+                    # Convert created_at to Unix timestamp if it's a string
+                    if "created_at" in rule_dict and isinstance(rule_dict["created_at"], str):
+                        try:
+                            from datetime import datetime
+                            dt = datetime.fromisoformat(rule_dict["created_at"].replace("Z", "+00:00"))
+                            rule_dict["created_at"] = int(dt.timestamp())
+                        except:
+                            rule_dict["created_at"] = int(time.time())
+                    rules.append(rule_dict)
+                return rules
+            except Exception as e:
+                print(f"Error fetching detailed rules from Supabase: {e}")
+                return []
+        else:
+            with sqlite3.connect(self.db_path) as conn:
+                conn.row_factory = sqlite3.Row
+                cursor = conn.execute(
+                    """SELECT id, tenant_id, rule, pattern, severity, description, enabled, created_at 
+                    FROM admin_rules WHERE tenant_id = ? AND enabled = 1 ORDER BY id ASC""",
+                    (tenant_id,),
+                )
+                rows = cursor.fetchall()
+                return [dict(row) for row in rows]
 
     def add_rule(
         self,
@@ -92,44 +320,103 @@ class RulesStore:
         Add a rule with optional regex pattern and severity.
         If pattern is None, the rule text itself is used as the pattern.
         """
-        try:
-            with sqlite3.connect(self.db_path) as conn:
-                # If pattern not provided, use rule text as pattern
-                pattern_value = pattern or rule
-                description_value = description or rule
-                
-                conn.execute(
-                    """INSERT OR IGNORE INTO admin_rules 
-                    (tenant_id, rule, pattern, severity, description, enabled, created_at) 
-                    VALUES (?, ?, ?, ?, ?, ?, ?)""",
-                    (tenant_id, rule, pattern_value, severity, description_value, 1 if enabled else 0, int(time.time())),
-                )
-                conn.commit()
-            return True
-        except sqlite3.Error:
-            return False
+        # If pattern not provided, use rule text as pattern
+        pattern_value = pattern or rule
+        description_value = description or rule
+        
+        if self.use_supabase:
+            try:
+                # Use upsert to handle unique constraint
+                data = {
+                    "tenant_id": tenant_id,
+                    "rule": rule,
+                    "pattern": pattern_value,
+                    "severity": severity,
+                    "description": description_value,
+                    "enabled": enabled
+                }
+                # Supabase upsert - will insert or update based on unique constraint
+                response = self.supabase_client.table(self.table_name)\
+                    .upsert(data)\
+                    .execute()
+                return True
+            except Exception as e:
+                print(f"Error adding rule to Supabase: {e}")
+                return False
+        else:
+            try:
+                with sqlite3.connect(self.db_path) as conn:
+                    conn.execute(
+                        """INSERT OR IGNORE INTO admin_rules 
+                        (tenant_id, rule, pattern, severity, description, enabled, created_at) 
+                        VALUES (?, ?, ?, ?, ?, ?, ?)""",
+                        (tenant_id, rule, pattern_value, severity, description_value, 1 if enabled else 0, int(time.time())),
+                    )
+                    conn.commit()
+                return True
+            except sqlite3.Error:
+                return False
 
     def add_rules_bulk(self, tenant_id: str, rules: List[str]) -> List[str]:
         added = []
-        with sqlite3.connect(self.db_path) as conn:
-            for rule in rules:
-                try:
-                    conn.execute(
-                        "INSERT OR IGNORE INTO admin_rules (tenant_id, rule) VALUES (?, ?)",
-                        (tenant_id, rule),
-                    )
-                    added.append(rule)
-                except sqlite3.Error:
-                    continue
-            conn.commit()
+        if self.use_supabase:
+            try:
+                # Prepare bulk data
+                bulk_data = [
+                    {
+                        "tenant_id": tenant_id,
+                        "rule": rule,
+                        "pattern": rule,  # Use rule text as pattern
+                        "severity": "medium",
+                        "description": rule,
+                        "enabled": True
+                    }
+                    for rule in rules
+                ]
+                # Upsert all rules at once
+                response = self.supabase_client.table(self.table_name)\
+                    .upsert(bulk_data)\
+                    .execute()
+                added = rules  # All rules were attempted
+            except Exception as e:
+                print(f"Error adding bulk rules to Supabase: {e}")
+                # Fallback: try one by one
+                for rule in rules:
+                    if self.add_rule(tenant_id, rule):
+                        added.append(rule)
+        else:
+            with sqlite3.connect(self.db_path) as conn:
+                for rule in rules:
+                    try:
+                        conn.execute(
+                            "INSERT OR IGNORE INTO admin_rules (tenant_id, rule) VALUES (?, ?)",
+                            (tenant_id, rule),
+                        )
+                        added.append(rule)
+                    except sqlite3.Error:
+                        continue
+                conn.commit()
         return added
 
     def delete_rule(self, tenant_id: str, rule: str) -> bool:
-        with sqlite3.connect(self.db_path) as conn:
-            cursor = conn.execute(
-                "DELETE FROM admin_rules WHERE tenant_id = ? AND rule = ?",
-                (tenant_id, rule),
-            )
-            conn.commit()
-            return cursor.rowcount > 0
+        if self.use_supabase:
+            try:
+                response = self.supabase_client.table(self.table_name)\
+                    .delete()\
+                    .eq("tenant_id", tenant_id)\
+                    .eq("rule", rule)\
+                    .execute()
+                # Check if any rows were deleted
+                return len(response.data) > 0 if response.data else False
+            except Exception as e:
+                print(f"Error deleting rule from Supabase: {e}")
+                return False
+        else:
+            with sqlite3.connect(self.db_path) as conn:
+                cursor = conn.execute(
+                    "DELETE FROM admin_rules WHERE tenant_id = ? AND rule = ?",
+                    (tenant_id, rule),
+                )
+                conn.commit()
+                return cursor.rowcount > 0
 

check_rules_db.py

@@ -0,0 +1,43 @@
+"""
+Quick script to check if admin rules are saved in the database
+"""
+import sqlite3
+from pathlib import Path
+
+db_path = Path("data/admin_rules.db")
+
+if db_path.exists():
+    print(f"✅ Database found at: {db_path}")
+    print("\n" + "="*60)
+    
+    conn = sqlite3.connect(db_path)
+    conn.row_factory = sqlite3.Row
+    cursor = conn.cursor()
+    
+    # Get all rules
+    cursor.execute("SELECT * FROM admin_rules ORDER BY created_at DESC")
+    rules = cursor.fetchall()
+    
+    if rules:
+        print(f"📋 Found {len(rules)} rule(s) in database:\n")
+        for rule in rules:
+            print(f"Tenant: {rule['tenant_id']}")
+            print(f"Rule: {rule['rule']}")
+            print(f"Pattern: {rule['pattern'] or 'N/A'}")
+            print(f"Severity: {rule['severity']}")
+            print(f"Enabled: {rule['enabled']}")
+            print(f"Created: {rule['created_at']}")
+            print("-" * 60)
+    else:
+        print("⚠️ No rules found in database.")
+        print("   Add rules via the Gradio UI or API to populate the database.")
+    
+    conn.close()
+else:
+    print(f"❌ Database not found at: {db_path}")
+    print("   The database will be created automatically when you add your first rule.")
+    print("\n💡 To add rules:")
+    print("   1. Open Gradio UI (python app.py)")
+    print("   2. Go to 'Admin Rules & Compliance' tab")
+    print("   3. Add rules in the text box and click 'Upload / Append Rules'")
+

create_supabase_table.py

@@ -0,0 +1,185 @@
+"""
+Create admin_rules table in Supabase programmatically.
+This script uses the Supabase Python client to set up the table.
+"""
+
+import os
+import sys
+from pathlib import Path
+from dotenv import load_dotenv
+
+load_dotenv()
+
+def create_table_using_supabase_client():
+    """
+    Create the admin_rules table using Supabase client.
+    Since Supabase doesn't allow direct SQL execution via REST API,
+    we'll use a workaround or provide clear instructions.
+    """
+    supabase_url = os.getenv("SUPABASE_URL")
+    supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
+    
+    if not supabase_url or not supabase_key:
+        print("❌ Missing Supabase credentials!")
+        print("   Set SUPABASE_URL and SUPABASE_SERVICE_KEY in .env file")
+        return False
+    
+    try:
+        from supabase import create_client
+        import httpx
+        
+        print("🔗 Connecting to Supabase...")
+        client = create_client(supabase_url, supabase_key)
+        
+        # Read SQL from file
+        sql_file = Path(__file__).parent / "supabase_admin_rules_table.sql"
+        if not sql_file.exists():
+            print(f"❌ SQL file not found: {sql_file}")
+            return False
+        
+        with open(sql_file, "r", encoding="utf-8") as f:
+            sql_content = f.read()
+        
+        print("📝 Attempting to create table via Supabase API...")
+        
+        # Method 1: Try using Supabase Management API (if available)
+        # This requires the project to have pg_net extension enabled
+        try:
+            # Use the REST API to execute SQL via a custom function
+            # First, check if we can use the SQL execution endpoint
+            response = httpx.post(
+                f"{supabase_url}/rest/v1/rpc/exec_sql",
+                headers={
+                    "apikey": supabase_key,
+                    "Authorization": f"Bearer {supabase_key}",
+                    "Content-Type": "application/json",
+                    "Prefer": "return=representation"
+                },
+                json={"query": sql_content},
+                timeout=30
+            )
+            
+            if response.status_code in [200, 201, 204]:
+                print("✅ Table created successfully via API!")
+                return True
+            else:
+                print(f"⚠️  API method returned: {response.status_code}")
+                print(f"   Response: {response.text[:200]}")
+        except Exception as e:
+            print(f"⚠️  API method failed: {e}")
+        
+        # Method 2: Try using Supabase Python client's table operations
+        # This won't work for DDL, but we can verify if table exists
+        print("\n🔍 Checking if table already exists...")
+        try:
+            result = client.table("admin_rules").select("id").limit(1).execute()
+            print("✅ Table 'admin_rules' already exists!")
+            return True
+        except Exception as e:
+            error_str = str(e).lower()
+            if "relation" in error_str or "does not exist" in error_str:
+                print("⚠️  Table does not exist yet.")
+            else:
+                print(f"⚠️  Error checking table: {e}")
+        
+        # Method 3: Since direct SQL execution isn't supported, show instructions
+        print("\n" + "=" * 70)
+        print("📋 MANUAL SETUP REQUIRED")
+        print("=" * 70)
+        print("\nSupabase doesn't allow programmatic SQL execution for security.")
+        print("Please run the SQL manually in Supabase Dashboard:\n")
+        print("1. Go to: https://app.supabase.com")
+        print("2. Select your project")
+        print("3. Click 'SQL Editor' (left sidebar)")
+        print("4. Click 'New query'")
+        print("5. Copy the SQL below and paste it:")
+        print("\n" + "-" * 70)
+        print(sql_content)
+        print("-" * 70)
+        print("\n6. Click 'Run' button (or press Ctrl+Enter)")
+        print("7. Wait for success confirmation")
+        print("\n✅ After running, the table will be created automatically!")
+        
+        return False
+        
+    except ImportError:
+        print("❌ Supabase client not installed")
+        print("   Run: pip install supabase")
+        return False
+    except Exception as e:
+        print(f"❌ Error: {e}")
+        import traceback
+        traceback.print_exc()
+        return False
+
+
+def create_table_via_psql():
+    """
+    Alternative: Use psql (PostgreSQL client) to execute SQL directly.
+    This requires POSTGRESQL_URL to be set.
+    """
+    postgres_url = os.getenv("POSTGRESQL_URL")
+    if not postgres_url:
+        print("⚠️  POSTGRESQL_URL not set, skipping psql method")
+        return False
+    
+    sql_file = Path(__file__).parent / "supabase_admin_rules_table.sql"
+    if not sql_file.exists():
+        return False
+    
+    try:
+        import subprocess
+        print("📝 Attempting to create table via psql...")
+        
+        # Execute SQL using psql
+        result = subprocess.run(
+            ["psql", postgres_url, "-f", str(sql_file)],
+            capture_output=True,
+            text=True,
+            timeout=30
+        )
+        
+        if result.returncode == 0:
+            print("✅ Table created successfully via psql!")
+            return True
+        else:
+            print(f"⚠️  psql failed: {result.stderr}")
+            return False
+    except FileNotFoundError:
+        print("⚠️  psql not found in PATH")
+        return False
+    except Exception as e:
+        print(f"⚠️  psql method failed: {e}")
+        return False
+
+
+if __name__ == "__main__":
+    print("=" * 70)
+    print("Supabase Admin Rules Table Creator")
+    print("=" * 70)
+    print()
+    
+    # Try Method 1: Supabase client
+    success = create_table_using_supabase_client()
+    
+    if not success:
+        # Try Method 2: psql (if available)
+        print("\n" + "=" * 70)
+        print("Trying alternative method: psql")
+        print("=" * 70)
+        success = create_table_via_psql()
+    
+    if success:
+        print("\n" + "=" * 70)
+        print("✅ SUCCESS!")
+        print("=" * 70)
+        print("\nThe admin_rules table has been created in Supabase.")
+        print("RulesStore will now use Supabase instead of SQLite.")
+    else:
+        print("\n" + "=" * 70)
+        print("📝 Manual Setup Required")
+        print("=" * 70)
+        print("\nPlease run the SQL manually in Supabase SQL Editor.")
+        print("The SQL script is ready in: supabase_admin_rules_table.sql")
+        print("\nAfter creating the table, RulesStore will automatically use Supabase.")
+

create_supabase_table_simple.py

@@ -0,0 +1,70 @@
+"""
+Simple script to create admin_rules table in Supabase.
+This uses the Supabase Management API or direct SQL execution.
+"""
+
+import os
+from dotenv import load_dotenv
+import httpx
+import json
+
+load_dotenv()
+
+SUPABASE_URL = os.getenv("SUPABASE_URL")
+SUPABASE_SERVICE_KEY = os.getenv("SUPABASE_SERVICE_KEY")
+
+if not SUPABASE_URL or not SUPABASE_SERVICE_KEY:
+    print("❌ Missing Supabase credentials!")
+    print("   Set SUPABASE_URL and SUPABASE_SERVICE_KEY in .env file")
+    exit(1)
+
+# Read the SQL file
+sql_file = Path("supabase_admin_rules_table.sql")
+if not sql_file.exists():
+    print(f"❌ SQL file not found: {sql_file}")
+    exit(1)
+
+with open(sql_file, "r") as f:
+    sql_content = f.read()
+
+print("🔗 Connecting to Supabase...")
+print(f"   URL: {SUPABASE_URL[:50]}...")
+
+# Method 1: Try using Supabase REST API with SQL execution
+# Note: This requires the pg_net extension or a custom function
+# Most Supabase projects don't allow direct SQL execution via REST API
+
+# Method 2: Use Supabase Python client to execute via RPC
+try:
+    from supabase import create_client
+    
+    client = create_client(SUPABASE_URL, SUPABASE_SERVICE_KEY)
+    
+    # Split SQL into individual statements
+    statements = [s.strip() for s in sql_content.split(";") if s.strip() and not s.strip().startswith("--")]
+    
+    print(f"\n📝 Executing {len(statements)} SQL statements...")
+    
+    # Execute each statement
+    # Note: Supabase Python client doesn't support direct SQL execution
+    # We'll need to use a workaround or manual execution
+    
+    print("\n⚠️  Direct SQL execution via Python client is not supported.")
+    print("   Supabase requires SQL to be executed via the SQL Editor.")
+    print("\n📋 Please follow these steps:")
+    print("   1. Go to: https://app.supabase.com")
+    print("   2. Select your project")
+    print("   3. Click 'SQL Editor' in the left sidebar")
+    print("   4. Click 'New query'")
+    print("   5. Copy the contents of: supabase_admin_rules_table.sql")
+    print("   6. Paste into the SQL Editor")
+    print("   7. Click 'Run' (or press Ctrl+Enter)")
+    print("\n✅ After running the SQL, the table will be created!")
+    
+except ImportError:
+    print("❌ Supabase client not installed")
+    print("   Run: pip install supabase")
+except Exception as e:
+    print(f"❌ Error: {e}")
+    print("\n💡 Manual setup required - see instructions above")
+

example_rules.txt

@@ -0,0 +1,133 @@
+# Admin Rules Examples for IntegraChat
+# Copy and paste these rules into the Admin Rules & Compliance tab in Gradio UI
+
+# ============================================================
+# HIGH PRIORITY SECURITY RULES
+# ============================================================
+
+Block password disclosure requests
+Prevent sharing of authentication credentials
+No sharing of API keys or tokens
+Block requests for user account passwords
+Prevent disclosure of security credentials
+Block social security number requests
+No sharing of credit card information
+Prevent disclosure of personal identification numbers
+Block requests for bank account details
+No sharing of confidential access codes
+
+# ============================================================
+# MEDIUM PRIORITY COMPLIANCE RULES
+# ============================================================
+
+Block requests for employee personal information
+Prevent sharing of customer data without authorization
+No unauthorized access to financial records
+Block requests for confidential business strategies
+Prevent disclosure of proprietary information
+No sharing of trade secrets
+Block requests for competitor analysis data
+Prevent unauthorized data export
+No sharing of internal process documentation
+Block requests for customer contact lists
+
+# ============================================================
+# DATA PRIVACY RULES
+# ============================================================
+
+Block requests for personal data of EU citizens
+Prevent sharing of health information
+No disclosure of medical records
+Block requests for biometric data
+Prevent sharing of location tracking information
+No disclosure of children's personal information
+Block requests for genetic information
+Prevent sharing of religious or political affiliations
+No disclosure of sexual orientation data
+Block requests for financial transaction history
+
+# ============================================================
+# OPERATIONAL RULES
+# ============================================================
+
+Block requests to delete system logs
+Prevent unauthorized system configuration changes
+No sharing of infrastructure credentials
+Block requests for production database access
+Prevent disclosure of deployment procedures
+No sharing of monitoring tool credentials
+Block requests for backup restoration procedures
+Prevent unauthorized access to cloud resources
+No sharing of encryption keys
+Block requests for system administrator privileges
+
+# ============================================================
+# CONTENT MODERATION RULES
+# ============================================================
+
+Block requests for generating harmful content
+Prevent creation of offensive material
+No sharing of inappropriate content
+Block requests for generating misleading information
+Prevent creation of fake news content
+No sharing of defamatory statements
+Block requests for generating hate speech
+Prevent creation of discriminatory content
+No sharing of violent content
+Block requests for generating illegal content
+
+# ============================================================
+# SPECIFIC KEYWORD-BASED RULES
+# ============================================================
+
+Block queries containing "password" and "reset"
+Prevent requests with "API key" and "generate"
+No queries containing "SSN" or "social security"
+Block requests with "credit card" and "number"
+Prevent queries containing "bank account" and "details"
+No requests with "admin" and "access"
+Block queries containing "delete" and "all data"
+Prevent requests with "export" and "customer list"
+No queries containing "encryption key" and "show"
+Block requests with "root password" and "share"
+
+# ============================================================
+# REGULATORY COMPLIANCE RULES
+# ============================================================
+
+Block requests violating GDPR regulations
+Prevent sharing of data without consent
+No disclosure of information to unauthorized parties
+Block requests for data subject to HIPAA
+Prevent sharing of protected health information
+No disclosure of financial data subject to PCI-DSS
+Block requests violating SOX compliance
+Prevent sharing of audit trail information
+No disclosure of information subject to FERPA
+Block requests violating industry-specific regulations
+
+# ============================================================
+# RESPONSE BEHAVIOR RULES
+# ============================================================
+
+Keep greeting responses brief and simple
+Do not provide verbose responses to simple greetings
+Respond to hello and hi with short friendly greetings only
+Avoid mentioning RAG or documentation sources in greeting responses
+Keep casual conversation responses concise
+
+# ============================================================
+# CUSTOM BUSINESS RULES (Examples)
+# ============================================================
+
+Block requests for competitor pricing information
+Prevent sharing of upcoming product launch details
+No disclosure of merger and acquisition information
+Block requests for employee salary information
+Prevent sharing of vendor contract terms
+No disclosure of strategic partnership details
+Block requests for customer churn analysis data
+Prevent sharing of marketing campaign strategies
+No disclosure of research and development projects
+Block requests for intellectual property information
+

example_rules_detailed.json

@@ -0,0 +1,131 @@
+{
+  "rules": [
+    {
+      "rule": "Block password disclosure requests",
+      "pattern": ".*(password|pwd|passcode|credential|login).*",
+      "severity": "high",
+      "description": "Prevents users from requesting or sharing passwords, credentials, or authentication information"
+    },
+    {
+      "rule": "Prevent sharing of API keys or tokens",
+      "pattern": ".*(api.?key|token|secret|access.?key|auth.?token).*",
+      "severity": "critical",
+      "description": "Blocks requests to share, generate, or disclose API keys, tokens, or authentication secrets"
+    },
+    {
+      "rule": "Block social security number requests",
+      "pattern": ".*(ssn|social.?security|tax.?id|ein).*",
+      "severity": "high",
+      "description": "Prevents disclosure of social security numbers or tax identification numbers"
+    },
+    {
+      "rule": "No sharing of credit card information",
+      "pattern": ".*(credit.?card|card.?number|cvv|cvc|expiration).*",
+      "severity": "critical",
+      "description": "Blocks requests to share or store credit card numbers, CVV codes, or payment card information"
+    },
+    {
+      "rule": "Block requests for bank account details",
+      "pattern": ".*(bank.?account|routing.?number|account.?number|swift|iban).*",
+      "severity": "high",
+      "description": "Prevents disclosure of bank account numbers, routing numbers, or financial account information"
+    },
+    {
+      "rule": "Prevent sharing of employee personal information",
+      "pattern": ".*(employee.?data|staff.?info|personnel.?record|hr.?data).*",
+      "severity": "medium",
+      "description": "Blocks requests to access or share employee personal information without authorization"
+    },
+    {
+      "rule": "No unauthorized access to financial records",
+      "pattern": ".*(financial.?record|accounting|bookkeeping|financial.?data).*",
+      "severity": "high",
+      "description": "Prevents unauthorized access to financial records, accounting data, or bookkeeping information"
+    },
+    {
+      "rule": "Block requests for confidential business strategies",
+      "pattern": ".*(business.?strategy|strategic.?plan|confidential.?plan|roadmap).*",
+      "severity": "medium",
+      "description": "Prevents disclosure of confidential business strategies, plans, or roadmaps"
+    },
+    {
+      "rule": "Prevent disclosure of proprietary information",
+      "pattern": ".*(proprietary|trade.?secret|intellectual.?property|ip).*",
+      "severity": "high",
+      "description": "Blocks requests to share proprietary information, trade secrets, or intellectual property"
+    },
+    {
+      "rule": "Block requests for personal data of EU citizens",
+      "pattern": ".*(gdpr|eu.?citizen|personal.?data|data.?subject).*",
+      "severity": "critical",
+      "description": "Prevents unauthorized access to personal data of EU citizens, violating GDPR regulations"
+    },
+    {
+      "rule": "Prevent sharing of health information",
+      "pattern": ".*(health.?info|medical.?record|patient.?data|hipaa).*",
+      "severity": "critical",
+      "description": "Blocks requests to share health information or medical records, protecting HIPAA compliance"
+    },
+    {
+      "rule": "No disclosure of children's personal information",
+      "pattern": ".*(child|minor|under.?18|coppa).*",
+      "severity": "critical",
+      "description": "Prevents disclosure of personal information of children under 18, ensuring COPPA compliance"
+    },
+    {
+      "rule": "Block requests to delete system logs",
+      "pattern": ".*(delete.?log|remove.?log|clear.?log|purge.?log).*",
+      "severity": "high",
+      "description": "Prevents deletion or modification of system logs, which are critical for security and compliance"
+    },
+    {
+      "rule": "Prevent unauthorized system configuration changes",
+      "pattern": ".*(system.?config|change.?setting|modify.?config|update.?config).*",
+      "severity": "high",
+      "description": "Blocks unauthorized changes to system configuration that could compromise security"
+    },
+    {
+      "rule": "No sharing of infrastructure credentials",
+      "pattern": ".*(infrastructure|server.?credential|deployment.?key|cloud.?access).*",
+      "severity": "critical",
+      "description": "Prevents sharing of infrastructure credentials, server access, or cloud deployment keys"
+    },
+    {
+      "rule": "Block requests for generating harmful content",
+      "pattern": ".*(harmful|violent|hate.?speech|offensive|illegal).*",
+      "severity": "medium",
+      "description": "Prevents generation of harmful, violent, hateful, or illegal content"
+    },
+    {
+      "rule": "Prevent creation of misleading information",
+      "pattern": ".*(misleading|fake.?news|false.?info|disinformation).*",
+      "severity": "medium",
+      "description": "Blocks creation of misleading information, fake news, or disinformation"
+    },
+    {
+      "rule": "No sharing of defamatory statements",
+      "pattern": ".*(defamatory|libel|slander|defame).*",
+      "severity": "medium",
+      "description": "Prevents creation or sharing of defamatory statements that could cause legal issues"
+    },
+    {
+      "rule": "Block requests for competitor pricing information",
+      "pattern": ".*(competitor|pricing|competitive.?intelligence).*",
+      "severity": "low",
+      "description": "Prevents sharing of competitor pricing information or competitive intelligence"
+    },
+    {
+      "rule": "Prevent sharing of upcoming product launch details",
+      "pattern": ".*(product.?launch|upcoming.?release|new.?product).*",
+      "severity": "medium",
+      "description": "Blocks disclosure of upcoming product launches or new product information"
+    }
+  ],
+  "usage_instructions": {
+    "simple": "Copy rules from example_rules.txt and paste into Gradio UI",
+    "detailed": "Use the JSON format with patterns and severity levels for more control",
+    "bulk_upload": "Use the /admin/rules/bulk endpoint with the rules array",
+    "individual": "Add rules one by one using the /admin/rules endpoint with JSON payload"
+  }
+}
+

frontend/app/admin-rules/page.tsx

@@ -1,6 +1,6 @@
 "use client";
 
-import { useCallback, useMemo, useState } from "react";
+import { useCallback, useMemo, useState, useRef, useEffect } from "react";
 import Link from "next/link";
 
 import { AdminRulesPanel } from "@/components/admin-rules-panel";
@@ -19,6 +19,14 @@ export default function AdminRulesPage() {
   const [rules, setRules] = useState<string[]>([]);
   const [loading, setLoading] = useState(false);
   const [status, setStatus] = useState<StatusState>(null);
+  const [isDragging, setIsDragging] = useState(false);
+  const [lastUpdated, setLastUpdated] = useState<string>("");
+  const fileInputRef = useRef<HTMLInputElement>(null);
+
+  // Set initial time only on client side to avoid hydration mismatch
+  useEffect(() => {
+    setLastUpdated(new Date().toLocaleTimeString());
+  }, []);
 
   const headers = useMemo(() => {
     if (!tenantId.trim()) return undefined;
@@ -50,6 +58,7 @@ export default function AdminRulesPage() {
       }
       const data = await response.json();
       setRules(data.rules ?? []);
+      setLastUpdated(new Date().toLocaleTimeString());
       setStatus({ tone: "success", message: "Rules synced." });
     } catch (error: any) {
       setStatus({ tone: "error", message: error.message || "Failed to fetch rules" });
@@ -63,17 +72,17 @@ export default function AdminRulesPage() {
     const lines = rulesInput
       .split("\n")
       .map((line) => line.trim())
-      .filter(Boolean);
+      .filter((line) => line && !line.startsWith("#")); // Filter out comments and empty lines
 
     if (!lines.length) {
-      setStatus({ tone: "error", message: "Add at least one rule to upload." });
+      setStatus({ tone: "error", message: "Add at least one rule to upload. (Comment lines starting with # are ignored)" });
       return;
     }
 
     try {
       setLoading(true);
-      setStatus({ tone: "info", message: "Uploading rules..." });
-      const response = await fetch(`${BACKEND_BASE_URL}/admin/rules/bulk`, {
+      setStatus({ tone: "info", message: `Uploading ${lines.length} rule(s)...` });
+      const response = await fetch(`${BACKEND_BASE_URL}/admin/rules/bulk?enhance=true`, {
         method: "POST",
         headers,
         body: JSON.stringify({ rules: lines }),
@@ -82,9 +91,11 @@ export default function AdminRulesPage() {
         const details = await response.text();
         throw new Error(details || `Backend error ${response.status}`);
       }
+      const data = await response.json();
       await handleRefresh();
       setRulesInput("");
-      setStatus({ tone: "success", message: "Rules uploaded successfully." });
+      const enhancedMsg = data.enhanced ? " (enhanced by LLM)" : "";
+      setStatus({ tone: "success", message: `Uploaded ${data.added_rules?.length || lines.length} rule(s)${enhancedMsg}.` });
     } catch (error: any) {
       setStatus({ tone: "error", message: error.message || "Failed to upload rules" });
     } finally {
@@ -92,6 +103,123 @@ export default function AdminRulesPage() {
     }
   }, [handleRefresh, headers, requireTenant, rulesInput]);
 
+  const processFile = useCallback(async (file: File) => {
+    if (!requireTenant()) return;
+
+    const fileExt = file.name.split('.').pop()?.toLowerCase();
+    if (!fileExt || !['txt', 'pdf', 'doc', 'docx', 'md'].includes(fileExt)) {
+      setStatus({ tone: "error", message: "Unsupported file type. Supported: TXT, PDF, DOC, DOCX, MD" });
+      return;
+    }
+
+    try {
+      setLoading(true);
+      setStatus({ tone: "info", message: `Uploading and processing ${file.name}...` });
+
+      // For TXT files, read client-side for faster processing
+      if (fileExt === 'txt' || fileExt === 'md') {
+        const fileContent = await file.text();
+        const lines = fileContent
+          .split("\n")
+          .map((line) => line.trim())
+          .filter((line) => line && !line.startsWith("#"));
+
+        if (!lines.length) {
+          setStatus({ tone: "error", message: "No valid rules found in file (after filtering comments)." });
+          setLoading(false);
+          return;
+        }
+
+        // Upload rules via bulk endpoint
+        setStatus({ tone: "info", message: `Uploading ${lines.length} rule(s)...` });
+        const response = await fetch(`${BACKEND_BASE_URL}/admin/rules/bulk?enhance=true`, {
+          method: "POST",
+          headers,
+          body: JSON.stringify({ rules: lines }),
+        });
+
+        if (!response.ok) {
+          const details = await response.text();
+          throw new Error(details || `Backend error ${response.status}`);
+        }
+
+        const data = await response.json();
+        await handleRefresh();
+        const enhancedMsg = data.enhanced ? " (enhanced by LLM)" : "";
+        setStatus({ tone: "success", message: `Uploaded ${data.added_rules?.length || lines.length} rule(s) from ${file.name}${enhancedMsg}.` });
+        return;
+      }
+
+      // For PDF, DOC, DOCX - use backend file upload endpoint
+      const formData = new FormData();
+      formData.append('file', file);
+
+      setStatus({ tone: "info", message: `Extracting text from ${file.name}...` });
+      const response = await fetch(`${BACKEND_BASE_URL}/admin/rules/upload-file?enhance=true`, {
+        method: "POST",
+        headers: {
+          "x-tenant-id": tenantId.trim(),
+        },
+        body: formData,
+      });
+
+      if (!response.ok) {
+        const details = await response.text();
+        throw new Error(details || `Backend error ${response.status}`);
+      }
+
+      const data = await response.json();
+      await handleRefresh();
+      const enhancedMsg = data.enhanced ? " (enhanced by LLM)" : "";
+      setStatus({ 
+        tone: "success", 
+        message: `Uploaded ${data.added_rules?.length || data.total_extracted || 0} rule(s) from ${file.name}${enhancedMsg}.` 
+      });
+    } catch (error: any) {
+      setStatus({ tone: "error", message: error.message || "Failed to upload rules from file" });
+    } finally {
+      setLoading(false);
+    }
+  }, [handleRefresh, headers, requireTenant, tenantId]);
+
+  const handleFileUpload = useCallback(async (event: React.ChangeEvent<HTMLInputElement>) => {
+    const file = event.target.files?.[0];
+    if (!file) return;
+    await processFile(file);
+    if (fileInputRef.current) {
+      fileInputRef.current.value = "";
+    }
+  }, [processFile]);
+
+  const handleDragOver = useCallback((e: React.DragEvent) => {
+    e.preventDefault();
+    e.stopPropagation();
+    setIsDragging(true);
+  }, []);
+
+  const handleDragLeave = useCallback((e: React.DragEvent) => {
+    e.preventDefault();
+    e.stopPropagation();
+    setIsDragging(false);
+  }, []);
+
+  const handleDrop = useCallback(async (e: React.DragEvent) => {
+    e.preventDefault();
+    e.stopPropagation();
+    setIsDragging(false);
+
+    const file = e.dataTransfer.files?.[0];
+    if (!file) return;
+
+    const fileExt = file.name.split('.').pop()?.toLowerCase();
+    if (!fileExt || !['txt', 'pdf', 'doc', 'docx', 'md'].includes(fileExt)) {
+      setStatus({ tone: "error", message: "Unsupported file type. Supported: TXT, PDF, DOC, DOCX, MD" });
+      return;
+    }
+
+    await processFile(file);
+  }, [processFile]);
+
   const handleDelete = useCallback(async () => {
     if (!requireTenant()) return;
     if (!deleteInput.trim()) {
@@ -140,105 +268,258 @@ export default function AdminRulesPage() {
             </Link>
           </div>
         </div>
-        <p className="text-sm text-slate-300">
-          Push governance policies, compliance workflows, and red-flag patterns to the backend&apos;s persistent rules
-          store using the MCP admin services.
-        </p>
+        <div className="space-y-2">
+          <p className="text-sm text-slate-300">
+            Upload governance policies, compliance workflows, and red-flag patterns. Rules are automatically enhanced by LLM and stored in the backend.
+          </p>
+          <div className="flex flex-wrap gap-2 text-xs text-slate-400">
+            <span className="flex items-center gap-1 rounded-full bg-white/5 px-3 py-1">
+              <span>✨</span>
+              <span>LLM Enhanced</span>
+            </span>
+            <span className="flex items-center gap-1 rounded-full bg-white/5 px-3 py-1">
+              <span>📄</span>
+              <span>File Upload</span>
+            </span>
+            <span className="flex items-center gap-1 rounded-full bg-white/5 px-3 py-1">
+              <span>🔄</span>
+              <span>Chunk Processing</span>
+            </span>
+          </div>
+        </div>
       </header>
 
       <AdminRulesPanel />
 
       <section className="rounded-3xl border border-white/10 bg-white/5 p-6 shadow-2xl shadow-slate-950/40">
         <div className="flex flex-col gap-6">
-          <div className="flex items-center justify-end gap-3">
+          <div className="flex items-center justify-between gap-3">
+            {lastUpdated && (
+              <div className="flex items-center gap-2 text-sm text-slate-400">
+                <span>🔄</span>
+                <span>Last updated: {lastUpdated}</span>
+              </div>
+            )}
+            {!lastUpdated && <div></div>}
             <button
               onClick={handleRefresh}
               disabled={loading}
-              className="flex-1 rounded-full bg-gradient-to-r from-cyan-400 to-blue-500 px-6 py-3 text-sm font-semibold text-slate-950 shadow-lg shadow-cyan-500/30 disabled:opacity-60"
+              className="flex items-center gap-2 rounded-xl bg-gradient-to-r from-cyan-400 to-blue-500 px-6 py-3 text-sm font-semibold text-slate-950 shadow-lg shadow-cyan-500/30 transition hover:shadow-cyan-500/50 disabled:opacity-50 disabled:cursor-not-allowed"
             >
-              Refresh Rules
+              {loading ? (
+                <>
+                  <span className="animate-spin">⏳</span>
+                  <span>Refreshing...</span>
+                </>
+              ) : (
+                <>
+                  <span>🔄</span>
+                  <span>Refresh Rules</span>
+                </>
+              )}
             </button>
           </div>
 
-          <div className="grid gap-4 lg:grid-cols-2">
-            <label className="flex flex-col gap-2 text-sm font-semibold text-slate-200">
-              Bulk Upload Rules (one per line)
-              <textarea
-                value={rulesInput}
-                onChange={(e) => setRulesInput(e.target.value)}
-                placeholder="Disallow sharing salaries\nBlock deleting production data"
-                rows={6}
-                className="rounded-2xl border border-white/10 bg-slate-900/50 px-4 py-3 text-base text-white outline-none ring-0 focus:border-cyan-400"
-              />
-            </label>
-            <label className="flex flex-col gap-2 text-sm font-semibold text-slate-200">
-              Delete Rule (exact text match)
-              <textarea
-                value={deleteInput}
-                onChange={(e) => setDeleteInput(e.target.value)}
-                placeholder="Enter the exact rule text to remove..."
-                rows={6}
-                className="rounded-2xl border border-white/10 bg-slate-900/50 px-4 py-3 text-base text-white outline-none ring-0 focus:border-cyan-400"
-              />
-            </label>
-          </div>
+          <div className="grid gap-6 lg:grid-cols-2">
+            {/* Left Column: Upload Rules */}
+            <div className="flex flex-col gap-4 rounded-2xl border border-white/10 bg-slate-900/30 p-6">
+              <div className="flex items-center gap-2">
+                <span className="text-lg">📝</span>
+                <h3 className="text-lg font-semibold text-slate-200">Add Rules</h3>
+              </div>
+              
+              <label className="flex flex-col gap-2 text-sm font-semibold text-slate-200">
+                <span>Bulk Upload Rules (one per line)</span>
+                <textarea
+                  value={rulesInput}
+                  onChange={(e) => setRulesInput(e.target.value)}
+                  placeholder="Block password disclosure requests\nPrevent sharing of API keys\nNo sharing of credit card information"
+                  rows={8}
+                  className="rounded-xl border border-white/10 bg-slate-900/50 px-4 py-3 text-sm text-white placeholder:text-slate-500 outline-none ring-0 transition focus:border-cyan-400 focus:ring-2 focus:ring-cyan-400/20"
+                />
+                <span className="text-xs text-slate-400">
+                  💡 Tip: Comment lines (starting with #) are automatically ignored
+                </span>
+              </label>
+              
+              <button
+                onClick={handleUpload}
+                disabled={loading || !rulesInput.trim()}
+                className="rounded-xl bg-gradient-to-r from-emerald-400 to-lime-400 px-6 py-3 text-sm font-semibold text-slate-900 shadow-lg shadow-emerald-500/30 transition hover:shadow-emerald-500/50 disabled:opacity-50 disabled:cursor-not-allowed"
+              >
+                {loading ? "⏳ Uploading..." : "✅ Upload / Append Rules"}
+              </button>
+              
+              <div className="flex items-center gap-3 py-2">
+                <span className="h-px flex-1 bg-white/10"></span>
+                <span className="text-xs font-semibold uppercase tracking-wider text-slate-400">OR</span>
+                <span className="h-px flex-1 bg-white/10"></span>
+              </div>
+              
+              <label className="flex flex-col gap-2 text-sm font-semibold text-slate-200">
+                <span>📄 Upload Rules from File</span>
+                <div
+                  onDragOver={handleDragOver}
+                  onDragLeave={handleDragLeave}
+                  onDrop={handleDrop}
+                  className={`relative rounded-xl border-2 border-dashed transition-all ${
+                    isDragging
+                      ? "border-cyan-400 bg-cyan-500/10 scale-[1.02]"
+                      : "border-white/20 bg-slate-900/50 hover:border-cyan-400/50 hover:bg-slate-900/70"
+                  }`}
+                >
+                  <input
+                    ref={fileInputRef}
+                    type="file"
+                    accept=".txt,.pdf,.doc,.docx,.md"
+                    onChange={handleFileUpload}
+                    disabled={loading}
+                    className="hidden"
+                    id="file-upload-input"
+                  />
+                  <label
+                    htmlFor="file-upload-input"
+                    className="flex flex-col items-center justify-center gap-3 p-8 cursor-pointer"
+                  >
+                    {isDragging ? (
+                      <>
+                        <span className="text-4xl animate-bounce">📥</span>
+                        <span className="text-sm font-semibold text-cyan-300">Drop file here</span>
+                      </>
+                    ) : (
+                      <>
+                        <span className="text-4xl">📄</span>
+                        <div className="text-center">
+                          <span className="text-sm font-semibold text-slate-200">
+                            Drag & drop file here
+                          </span>
+                          <span className="text-xs text-slate-400 block mt-1">or click to browse</span>
+                        </div>
+                        <button
+                          type="button"
+                          disabled={loading}
+                          className="mt-2 rounded-lg bg-gradient-to-r from-cyan-500 to-blue-500 px-4 py-2 text-xs font-semibold text-slate-900 transition hover:from-cyan-400 hover:to-blue-400 disabled:opacity-50"
+                        >
+                          Choose File
+                        </button>
+                      </>
+                    )}
+                  </label>
+                </div>
+                <span className="text-xs text-slate-400">
+                  Supported: TXT, PDF, DOC, DOCX, MD • Files processed server-side with LLM enhancement
+                </span>
+              </label>
+            </div>
 
-          <div className="flex flex-wrap gap-3">
-            <button
-              onClick={handleUpload}
-              disabled={loading}
-              className="rounded-full bg-gradient-to-r from-emerald-400 to-lime-400 px-6 py-3 text-sm font-semibold text-slate-900 shadow-lg shadow-emerald-500/30 disabled:opacity-60"
-            >
-              Upload / Append Rules
-            </button>
-            <button
-              onClick={handleDelete}
-              disabled={loading}
-              className="rounded-full border border-rose-500 px-6 py-3 text-sm font-semibold text-rose-300 transition hover:bg-rose-500/10 disabled:opacity-60"
-            >
-              Delete Rule
-            </button>
+            {/* Right Column: Delete Rules */}
+            <div className="flex flex-col gap-4 rounded-2xl border border-white/10 bg-slate-900/30 p-6">
+              <div className="flex items-center gap-2">
+                <span className="text-lg">🗑️</span>
+                <h3 className="text-lg font-semibold text-slate-200">Delete Rule</h3>
+              </div>
+              
+              <label className="flex flex-col gap-2 text-sm font-semibold text-slate-200">
+                <span>Enter exact rule text to remove</span>
+                <textarea
+                  value={deleteInput}
+                  onChange={(e) => setDeleteInput(e.target.value)}
+                  placeholder="Paste the exact rule text here to delete it..."
+                  rows={8}
+                  className="rounded-xl border border-white/10 bg-slate-900/50 px-4 py-3 text-sm text-white placeholder:text-slate-500 outline-none ring-0 transition focus:border-rose-400 focus:ring-2 focus:ring-rose-400/20"
+                />
+                <span className="text-xs text-slate-400">
+                  ⚠️ This action cannot be undone. Make sure the text matches exactly.
+                </span>
+              </label>
+              
+              <button
+                onClick={handleDelete}
+                disabled={loading || !deleteInput.trim()}
+                className="rounded-xl border-2 border-rose-500 bg-rose-500/10 px-6 py-3 text-sm font-semibold text-rose-300 transition hover:bg-rose-500/20 hover:border-rose-400 disabled:opacity-50 disabled:cursor-not-allowed"
+              >
+                {loading ? "⏳ Deleting..." : "🗑️ Delete Rule"}
+              </button>
+            </div>
           </div>
 
           {status && (
             <div
-              className={`rounded-2xl border px-4 py-3 text-sm ${
+              className={`rounded-xl border-2 px-5 py-4 text-sm font-medium shadow-lg ${
                 status.tone === "error"
-                  ? "border-rose-500/40 bg-rose-500/10 text-rose-200"
+                  ? "border-rose-500/50 bg-rose-500/10 text-rose-200 shadow-rose-500/20"
                   : status.tone === "success"
-                    ? "border-emerald-500/40 bg-emerald-500/10 text-emerald-200"
-                    : "border-cyan-500/40 bg-cyan-500/10 text-cyan-200"
+                    ? "border-emerald-500/50 bg-emerald-500/10 text-emerald-200 shadow-emerald-500/20"
+                    : "border-cyan-500/50 bg-cyan-500/10 text-cyan-200 shadow-cyan-500/20"
               }`}
             >
-              {status.message}
+              <div className="flex items-start gap-3">
+                <span className="text-lg">
+                  {status.tone === "error" ? "❌" : status.tone === "success" ? "✅" : "ℹ️"}
+                </span>
+                <span className="flex-1">{status.message}</span>
+              </div>
             </div>
           )}
 
-          <div className="rounded-2xl border border-white/10 bg-slate-950/40">
-            <div className="flex items-center justify-between border-b border-white/5 px-5 py-3 text-xs uppercase tracking-[0.3em] text-slate-400">
-              <span>Rule Set</span>
-              <span>{rules.length} entries</span>
+          <div className="rounded-2xl border border-white/10 bg-gradient-to-br from-slate-900/60 to-slate-950/60 shadow-xl">
+            <div className="flex items-center justify-between border-b border-white/10 bg-white/5 px-6 py-4">
+              <div className="flex items-center gap-3">
+                <span className="text-xl">📋</span>
+                <h3 className="text-base font-semibold uppercase tracking-[0.2em] text-slate-300">Rule Set</h3>
+              </div>
+              <div className="flex items-center gap-3">
+                <button
+                  onClick={handleRefresh}
+                  disabled={loading}
+                  className="flex items-center gap-2 rounded-lg border border-cyan-500/30 bg-cyan-500/10 px-4 py-2 text-xs font-semibold text-cyan-300 transition hover:bg-cyan-500/20 hover:border-cyan-400/50 disabled:opacity-50 disabled:cursor-not-allowed"
+                  title="Refresh rules from database"
+                >
+                  {loading ? (
+                    <>
+                      <span className="animate-spin">⏳</span>
+                      <span>Refreshing...</span>
+                    </>
+                  ) : (
+                    <>
+                      <span>🔄</span>
+                      <span>Refresh</span>
+                    </>
+                  )}
+                </button>
+                <div className="flex items-center gap-2 rounded-full bg-cyan-500/20 px-4 py-2">
+                  <span className="text-sm font-semibold text-cyan-300">{rules.length}</span>
+                  <span className="text-xs text-slate-400">entries</span>
+                </div>
+              </div>
             </div>
-            <div className="overflow-x-auto">
-              <table className="w-full text-left text-sm text-slate-200">
-                <thead className="bg-white/5 text-xs uppercase tracking-[0.2em] text-slate-400">
+            <div className="overflow-x-auto max-h-[500px] overflow-y-auto">
+              <table className="w-full text-left text-sm">
+                <thead className="sticky top-0 bg-slate-900/95 backdrop-blur-sm text-xs uppercase tracking-[0.2em] text-slate-400">
                   <tr>
-                    <th className="px-4 py-3">#</th>
-                    <th className="px-4 py-3">Rule</th>
+                    <th className="px-6 py-4 font-semibold">#</th>
+                    <th className="px-6 py-4 font-semibold">Rule</th>
                   </tr>
                 </thead>
                 <tbody>
                   {rules.length === 0 && (
                     <tr>
-                      <td colSpan={2} className="px-4 py-6 text-center text-slate-500">
-                        No rules loaded. Use the refresh button above.
+                      <td colSpan={2} className="px-6 py-12 text-center">
+                        <div className="flex flex-col items-center gap-3">
+                          <span className="text-4xl">📝</span>
+                          <p className="text-slate-400">No rules loaded</p>
+                          <p className="text-xs text-slate-500">Use the refresh button above to load rules</p>
+                        </div>
                       </td>
                     </tr>
                   )}
                   {rules.map((rule, idx) => (
-                    <tr key={`${rule}-${idx}`} className="border-t border-white/5">
-                      <td className="px-4 py-3 text-slate-400">{idx + 1}</td>
-                      <td className="px-4 py-3">{rule}</td>
+                    <tr 
+                      key={`${rule}-${idx}`} 
+                      className="border-t border-white/5 transition hover:bg-white/5"
+                    >
+                      <td className="px-6 py-4 text-slate-400 font-mono">{idx + 1}</td>
+                      <td className="px-6 py-4 text-slate-200">{rule}</td>
                     </tr>
                   ))}
                 </tbody>

frontend/components/admin-rules-panel.tsx

@@ -1,32 +1,36 @@
 export function AdminRulesPanel() {
   const highlights = [
     {
+      icon: "📝",
       title: "Bulk Upload",
-      description: "Paste multiple compliance rules at once and push them to the MCP backend.",
+      description: "Paste multiple rules or upload from files (TXT, PDF, DOC, DOCX).",
     },
     {
-      title: "Governance Timeline",
-      description: "Track when each rule was last updated for audit-readiness.",
+      icon: "🤖",
+      title: "LLM Enhancement",
+      description: "Rules are automatically enhanced with edge cases and improved patterns.",
     },
     {
-      title: "Rule Severity",
-      description: "Tag entries as advisory, warning, or block-listed for automated enforcement.",
+      icon: "⚡",
+      title: "Chunk Processing",
+      description: "Large rule sets processed in chunks to avoid timeouts.",
     },
     {
+      icon: "🔒",
       title: "Tenant Isolation",
       description: "Rules are scoped per tenant, ensuring zero data leakage.",
     },
   ];
 
   return (
-    <div className="rounded-3xl border border-slate-800/80 bg-slate-900/60 p-8 shadow-2xl shadow-slate-950/40">
-      <div className="flex flex-col gap-4">
+    <div className="rounded-3xl border border-white/10 bg-gradient-to-br from-slate-900/80 to-slate-950/80 p-8 shadow-2xl shadow-slate-950/40">
+      <div className="flex flex-col gap-6">
         <div>
-          <p className="text-sm font-semibold uppercase tracking-[0.3em] text-cyan-400">Admin Controls</p>
-          <h2 className="mt-3 text-3xl font-semibold text-white">Admin Rule Ingestion</h2>
-          <p className="mt-3 text-base text-slate-300">
-            Upload governance policies, red-flag keywords, and compliance workflows directly into the IntegraChat admin
-            service. Rules are stored in the backend&apos;s SQLite demo store and enforced across all MCP toolchains.
+          <p className="text-sm font-semibold uppercase tracking-[0.3em] text-cyan-400">🛡️ Admin Controls</p>
+          <h2 className="mt-3 text-3xl font-bold text-white">Admin Rule Management</h2>
+          <p className="mt-3 text-base leading-relaxed text-slate-300">
+            Upload governance policies, red-flag keywords, and compliance workflows. Rules are automatically enhanced by LLM,
+            stored in Supabase/SQLite, and enforced across all MCP toolchains with intelligent pattern matching.
           </p>
         </div>
 
@@ -34,22 +38,18 @@ export function AdminRulesPanel() {
           {highlights.map((item) => (
             <div
               key={item.title}
-              className="rounded-2xl border border-white/5 bg-white/5 p-4 text-slate-200 transition hover:border-cyan-400/40"
+              className="group rounded-xl border border-white/10 bg-white/5 p-5 text-slate-200 transition-all hover:border-cyan-400/40 hover:bg-white/10 hover:shadow-lg hover:shadow-cyan-500/10"
             >
-              <p className="text-sm font-semibold text-cyan-300">{item.title}</p>
-              <p className="mt-2 text-sm text-slate-300">{item.description}</p>
+              <div className="flex items-start gap-3">
+                <span className="text-2xl">{item.icon}</span>
+                <div>
+                  <p className="text-sm font-semibold text-cyan-300">{item.title}</p>
+                  <p className="mt-2 text-sm leading-relaxed text-slate-300">{item.description}</p>
+                </div>
+              </div>
             </div>
           ))}
         </div>
-
-        <div className="flex flex-wrap gap-3">
-          <button className="rounded-full bg-gradient-to-r from-cyan-400 to-blue-500 px-6 py-2 text-sm font-semibold text-slate-950 shadow-lg shadow-cyan-500/30">
-            Launch Admin Console
-          </button>
-          <button className="rounded-full border border-white/20 px-6 py-2 text-sm font-semibold text-white hover:border-cyan-400/60">
-            View Rule Templates
-          </button>
-        </div>
       </div>
     </div>
   );

setup_supabase_table.py

@@ -0,0 +1,121 @@
+"""
+Automated Supabase Table Setup
+Creates the admin_rules table in Supabase using the Management API.
+"""
+
+import os
+import sys
+from pathlib import Path
+from dotenv import load_dotenv
+
+# Load environment variables
+load_dotenv()
+
+SUPABASE_URL = os.getenv("SUPABASE_URL")
+SUPABASE_SERVICE_KEY = os.getenv("SUPABASE_SERVICE_KEY")
+
+if not SUPABASE_URL or not SUPABASE_SERVICE_KEY:
+    print("❌ Missing Supabase credentials!")
+    print("   Please set SUPABASE_URL and SUPABASE_SERVICE_KEY in your .env file")
+    sys.exit(1)
+
+def create_table_via_supabase():
+    """
+    Create table using Supabase client and direct table operations.
+    Since Supabase doesn't allow direct SQL execution via REST API,
+    we'll create the table structure using the Supabase client.
+    """
+    try:
+        from supabase import create_client
+        
+        print("🔗 Connecting to Supabase...")
+        client = create_client(SUPABASE_URL, SUPABASE_SERVICE_KEY)
+        
+        # Read SQL file
+        sql_file = Path(__file__).parent / "supabase_admin_rules_table.sql"
+        if not sql_file.exists():
+            print(f"❌ SQL file not found: {sql_file}")
+            return False
+        
+        with open(sql_file, "r", encoding="utf-8") as f:
+            sql_content = f.read()
+        
+        print("📝 SQL Script loaded from supabase_admin_rules_table.sql")
+        print("\n" + "=" * 60)
+        print("⚠️  IMPORTANT: Supabase Python client cannot execute raw SQL")
+        print("=" * 60)
+        print("\nYou need to run the SQL manually in Supabase Dashboard:")
+        print("\n📋 Steps:")
+        print("   1. Open: https://app.supabase.com")
+        print("   2. Select your project")
+        print("   3. Go to: SQL Editor (left sidebar)")
+        print("   4. Click: 'New query'")
+        print("   5. Copy the SQL below and paste it:")
+        print("\n" + "-" * 60)
+        print(sql_content)
+        print("-" * 60)
+        print("\n   6. Click 'Run' button (or press Ctrl+Enter)")
+        print("   7. Wait for success message")
+        print("\n✅ After running, the table will be created!")
+        
+        # Try to verify table exists (after user runs SQL)
+        print("\n🔍 Checking if table exists...")
+        try:
+            result = client.table("admin_rules").select("id").limit(1).execute()
+            print("✅ Table 'admin_rules' exists and is accessible!")
+            return True
+        except Exception as e:
+            if "relation" in str(e).lower() or "does not exist" in str(e).lower():
+                print("⚠️  Table does not exist yet.")
+                print("   Please run the SQL script in Supabase SQL Editor first.")
+                return False
+            else:
+                # Table might be empty, which is fine
+                print("✅ Table exists (might be empty)")
+                return True
+                
+    except ImportError:
+        print("❌ Supabase client not installed")
+        print("   Run: pip install supabase")
+        return False
+    except Exception as e:
+        print(f"❌ Error: {e}")
+        return False
+
+
+def create_table_via_http():
+    """
+    Alternative: Try to create table via HTTP POST to Supabase REST API.
+    This method uses the PostgREST API to create tables.
+    Note: This typically requires admin privileges and may not work.
+    """
+    import httpx
+    
+    # This approach won't work because Supabase doesn't allow DDL via REST API
+    # But we can try to use the pg_net extension if available
+    print("⚠️  Direct HTTP table creation is not supported by Supabase REST API")
+    print("   Supabase requires SQL execution via the SQL Editor for security reasons")
+    return False
+
+
+if __name__ == "__main__":
+    print("=" * 60)
+    print("Supabase Admin Rules Table Setup")
+    print("=" * 60)
+    print()
+    
+    # Method 1: Try via Supabase client (will show instructions)
+    success = create_table_via_supabase()
+    
+    if not success:
+        print("\n" + "=" * 60)
+        print("📝 Manual Setup Required")
+        print("=" * 60)
+        print("\nSince Supabase doesn't allow programmatic SQL execution")
+        print("for security reasons, you need to run the SQL manually.")
+        print("\nThe SQL script is ready in: supabase_admin_rules_table.sql")
+        print("\nAfter running the SQL in Supabase Dashboard:")
+        print("  - The table will be created")
+        print("  - RulesStore will automatically use Supabase")
+        print("  - All rules will be saved to Supabase instead of SQLite")
+

supabase_admin_rules_table.sql

@@ -0,0 +1,59 @@
+ -- =============================================================
+-- Supabase Table Schema for Admin Rules
+-- =============================================================
+-- Run this SQL in your Supabase SQL Editor to create the admin_rules table
+-- =============================================================
+
+CREATE TABLE IF NOT EXISTS admin_rules (
+    id BIGSERIAL PRIMARY KEY,
+    tenant_id TEXT NOT NULL,
+    rule TEXT NOT NULL,
+    pattern TEXT,
+    severity TEXT DEFAULT 'medium' CHECK (severity IN ('low', 'medium', 'high', 'critical')),
+    description TEXT,
+    enabled BOOLEAN DEFAULT true,
+    created_at TIMESTAMPTZ DEFAULT NOW(),
+    updated_at TIMESTAMPTZ DEFAULT NOW(),
+    UNIQUE(tenant_id, rule)
+);
+
+-- Create index for faster tenant-based queries
+CREATE INDEX IF NOT EXISTS idx_admin_rules_tenant_id ON admin_rules(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_admin_rules_enabled ON admin_rules(enabled);
+
+-- Create index for faster lookups by tenant and enabled status
+CREATE INDEX IF NOT EXISTS idx_admin_rules_tenant_enabled ON admin_rules(tenant_id, enabled);
+
+-- Enable Row Level Security (RLS) - optional, adjust based on your needs
+ALTER TABLE admin_rules ENABLE ROW LEVEL SECURITY;
+
+-- Create policy to allow service role to access all rows
+-- Adjust this policy based on your security requirements
+CREATE POLICY "Service role can manage all admin rules"
+    ON admin_rules
+    FOR ALL
+    USING (true)
+    WITH CHECK (true);
+
+-- Create a function to automatically update updated_at timestamp
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = NOW();
+    RETURN NEW;
+END;
+$$ language 'plpgsql';
+
+-- Create trigger to automatically update updated_at
+CREATE TRIGGER update_admin_rules_updated_at
+    BEFORE UPDATE ON admin_rules
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at_column();
+
+-- =============================================================
+-- Example queries to verify the table:
+-- =============================================================
+-- SELECT * FROM admin_rules WHERE tenant_id = 'your_tenant_id';
+-- SELECT * FROM admin_rules WHERE enabled = true;
+-- =============================================================
+