Phase 3 wave 2 — entity synthesis at scale:
- scripts/synthesize/20_entity_summary.py: queries DB for entities with total_mentions ≥ threshold + top-K verbatim chunk snippets via entity_mentions JOIN, prompts Sonnet (Holmes-Watson voice, bilingual), writes narrative_summary EN+PT-BR + summary_status=synthesized. Ran on 187 candidates (mentions ≥ 20) → 158 OK · 1 err · 29 skipped (no snippets). Combined with anchor curation: 20 curated + 158 synthesized = 178 entities with real narrative (vs 0 a day ago).

Phase 4 — chat with typed artifacts + persistence:
- lib/chat/agui.ts: AG-UI v1 typed Artifact union (citation, crop_image, entity_card, evidence_card, hypothesis_card, case_card, navigation_offer) alongside the existing event types.
- lib/chat/tools.ts + openrouter.ts: hybrid_search emits up to 6 citation + crop_image artifacts per query. Provider collects them and returns in done.artifacts so the route can persist.
- api/sessions/[id]/messages: persist artifacts to messages.citations.
- components/chat-bubble.tsx: ArtifactCard renders inline cards (citation, crop_image, entity_card, navigation_offer) for streamed and persisted messages.

activeId now persisted in localStorage so navigation between pages keeps the same conversation. New sessions are lazy (only when user has zero). loadMessages hydrates tools + artifacts from server. CRUD UI: rename (✎) + archive (🗑) buttons per session in the list.

Home search:
- doc-list-filters: input now fires hybrid_search (rerank=0 for speed) in parallel with the local title filter; chunk hits render above the doc grid with snippet + score + classification.
- api/search/hybrid: accept ?rerank=0 to skip the cross-encoder (1.3s vs 60s).

Auth flow:
- infra: SMTP_HOST=mail.spacemail.com:587 + DMARC published; mail now lands in inbox. GOTRUE_MAILER_AUTOCONFIRM=false (real email verification).
- kong.yml: proxy /auth/callback on api.disclosure.top → web:3000 so PKCE email links don't 404 at the gateway.
- web/app/auth/callback: handle both ?code= (OAuth) and ?token=&type= (PKCE); redirect to the public site host before verifyOtp so the session cookie lands on the right domain.

Audit deliverables:
- .nirvana/outputs/disclosure-bureau/.../systems-atelier/: 5 docs (code analysis, tech debt, discovery brief, system arch, 5 ADRs) authored by sa-principal that produced this roadmap. Kept in-tree for traceability.
disclosure-stack — portable deployment
Single-folder deployment unit. Edit .env, run scripts, app deploys to the VPS.
When migrating to another VPS: change ONLY the VPS_ block in .env*, run ./scripts/gen-secrets.sh (regenerates per-VPS secrets), then ./scripts/deploy.sh. Done.
Layout
infra/disclosure-stack/
├── .env              ← active config (gitignored, secrets in here)
├── .env.example      ← template, safe to commit
├── docker-compose.yml ← TODO — supabase + next + meili + imgproxy
└── scripts/
    ├── _lib.sh        ← shared SSH/rsync helpers
    ├── ssh.sh         ← interactive SSH or one-shot remote command
    ├── status.sh      ← VPS + stack health report
    ├── gen-secrets.sh ← rotate per-VPS secrets (JWT, Postgres, etc.)
    ├── sync-data.sh   ← rsync wiki/processing/raw to VPS
    ├── deploy.sh      ← upload + docker compose up
    └── logs.sh        ← tail logs of a service
Pre-reqs on your laptop
brew install hudochenkov/sshpass/sshpass # for password SSH (testing VPS)
For real production, generate an SSH key, copy it to the VPS, and switch VPS_AUTH=key in .env.
Daily ops
# Open shell on VPS
./scripts/ssh.sh
# One-shot command
./scripts/ssh.sh "docker ps"
# Full health report
./scripts/status.sh
# Tail Postgres logs
./scripts/logs.sh postgres
# Push fresh wiki data (after running the local pipeline)
./scripts/sync-data.sh
# Deploy stack changes
./scripts/deploy.sh
Migrating to a different VPS
- Edit .env — change VPS_HOST, VPS_PASSWORD (or switch to VPS_AUTH=key), VPS_DEPLOY_ROOT if needed.
- Rotate secrets: ./scripts/gen-secrets.sh
  This regenerates POSTGRES_PASSWORD, JWT_SECRET, ANON_KEY, SERVICE_ROLE_KEY, DASHBOARD_PASSWORD, etc., and writes them back to .env. The old .env is backed up.
- Sync data: ./scripts/sync-data.sh
- Deploy: ./scripts/deploy.sh
That's it. The new VPS now hosts the full stack with fresh secrets, isolated from the old one.
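The rotation step above is where the old and new VPS get decoupled: every key that the stack's services trust has to be reissued under the new JWT_SECRET, or the copied ANON_KEY/SERVICE_ROLE_KEY will keep validating against the old one. The routine below is an added example, not the project's gen-secrets.sh; it assumes openssl on PATH and that ANON_KEY and SERVICE_ROLE_KEY are HS256 JWTs carrying a "role" claim signed by JWT_SECRET, which is how Supabase's GoTrue and PostgREST consume them.

```shell
#!/usr/bin/env sh
# Added example, not the project's gen-secrets.sh. Assumes openssl is on PATH and that
# ANON_KEY / SERVICE_ROLE_KEY are HS256 JWTs with a "role" claim signed by JWT_SECRET,
# which is how Supabase's GoTrue and PostgREST validate them.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Mint a HS256 JWT for role $2 (anon|service_role) signed with $1; expires in 10 years.
mint_jwt() {
  secret=$1; role=$2; now=$(date +%s); exp=$((now + 315360000))
  header=$(printf '{"alg":"HS256","typ":"JWT"}' | b64url)
  payload=$(printf '{"iss":"supabase","role":"%s","iat":%d,"exp":%d}' "$role" "$now" "$exp" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -hmac "$secret" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# Verify a JWT's signature against a secret (exit 0 = valid). Catches a stale .env
# whose keys were minted under a previous JWT_SECRET.
verify_jwt() {
  secret=$1; token=$2
  h=${token%%.*}; rest=${token#*.}; p=${rest%%.*}; s=${token##*.}
  expect=$(printf '%s.%s' "$h" "$p" | openssl dgst -sha256 -hmac "$secret" -binary | b64url)
  [ "$s" = "$expect" ]
}

# Set KEY=value in an env file, replacing an existing line or appending a new one.
# '|' is a safe sed delimiter: hex and base64url values never contain it.
set_kv() {
  if grep -q "^$2=" "$1"; then
    sed -i.tmp "s|^$2=.*|$2=$3|" "$1" && rm -f "$1.tmp"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# Rotate every per-VPS secret in the given .env, backing up the old file first.
# VPS_* and PORT_* lines are left untouched.
rotate_secrets() {
  env=$1
  cp "$env" "$env.bak.$(date +%Y%m%d%H%M%S)"
  jwt=$(openssl rand -hex 32)          # 64 hex chars = 256-bit HMAC key
  set_kv "$env" JWT_SECRET "$jwt"
  set_kv "$env" POSTGRES_PASSWORD "$(openssl rand -hex 24)"
  set_kv "$env" DASHBOARD_PASSWORD "$(openssl rand -hex 16)"
  set_kv "$env" ANON_KEY "$(mint_jwt "$jwt" anon)"
  set_kv "$env" SERVICE_ROLE_KEY "$(mint_jwt "$jwt" service_role)"
}
```

Running verify_jwt against the live .env after a migration is a cheap check that no key minted for the old VPS survived the rotation.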
What still needs to be built
The docker-compose.yml itself. Will include:
- Supabase Postgres + GoTrue + PostgREST + Storage + Kong + Studio + Realtime
- Next.js (built from this repo's /web dir)
- Meilisearch
- Imgproxy
- Caddy (TLS + reverse proxy on subdomains from .env)
- restic-cron for backups (if BACKUP_ENABLED=true)
I'll generate that next.
Coexistence with existing VPS projects
On the testing VPS, 8 other Supabase-based stacks are already running (unimed-*, irmed-*, v2irmed-*, top10-*, cf-*, nirvana-*, plegal-*). This stack:
- Uses unique container names (disclosure-* prefix)
- Uses unique host ports (PORT_* block in .env, all 18xxx)
- Mounts its own data volumes under /data/disclosure/
- Caddy on this stack only binds to PORT_KONG_HTTP/HTTPS and friends — does NOT take 80/443
When you move to the dedicated 4cpu/16GB VPS, you can:
- Keep ports as-is (works)
- OR remap PORT_KONG_HTTP=80, PORT_KONG_HTTPS=443 since nothing else uses them
The stack is portable in both directions.