History

Luiz Gustavo 54a26f8db8 Some checks failed CI / Web — typecheck + lint + build (push) Failing after 46s Details CI / Scripts — Python smoke (push) Failing after 4s Details CI / Web — npm audit (push) Failing after 34s Details CI / Retrieval — golden set (Recall@5 + MRR) (push) Failing after 4s Details W3 followup: drop _FOR_WEB token, fix claude CLI args + writer guards, BIGSERIAL grants Token consolidation: - docker-compose web service now reads ${CLAUDE_CODE_OAUTH_TOKEN} directly, drop the W1-F8 CLAUDE_CODE_OAUTH_TOKEN_FOR_WEB indirection (user feedback: one var name, no _FOR_WEB suffix). investigator-runtime claude.ts: - --system-prompt silently dropped by CLI v2.1.150 for multi-KB prompts; inline the system content into the user prompt with a separator (mirrors scripts/reextract/run.py pattern). - Multi-line prompts via positional -- broke ("Input must be provided …"); pipe via stdin instead. - --allowedTools "" is rejected; when no tools wanted, omit it and explicitly --disallowedTools the writer/reader set so the model can't reach for any. investigator-runtime locard.ts: - Log the raw response (first 600 chars) to container stderr — saved hours of debugging when the writer rejected. - Grade fallback: when Locard omits `grade` but provides custody_steps, infer the highest grade that fits (≥3 → A, ≥2 → B, ≥1 → C). investigator-runtime write_evidence.ts: - Filter related_hypotheses entries with empty/null hypothesis_id silently (Locard sometimes emits [{}] when it knows no link yet) instead of failing the whole write. Migration 0006_investigator_serial_sequences.sql: - BIGSERIAL on the 7 investigation tables created auto-sequences (evidence_evidence_pk_seq etc) that 0004 forgot to GRANT to the investigator role. Without those grants every INSERT failed with "permission denied for sequence …". Grant USAGE/SELECT/UPDATE on each auto-seq. Verified live: Locard wrote E-0002 + E-0003 from real Sandia chunks (green fireball Feb 1949; cobalt particle analysis). Grade B, confidence high, custody chain of 3 steps with honest gaps. Cost $0.09 for both, ~70s wall. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-05-23 21:05:35 -03:00
..
scripts	baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack	2026-05-17 22:44:36 -03:00
.env.example	baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack	2026-05-17 22:44:36 -03:00
.gitignore	baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack	2026-05-17 22:44:36 -03:00
docker-compose.yml	W3 followup: drop _FOR_WEB token, fix claude CLI args + writer guards, BIGSERIAL grants	2026-05-23 21:05:35 -03:00
init-db.sql	baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack	2026-05-17 22:44:36 -03:00
kong.yml	ship: synthesize 158 entities, AG-UI artifacts, chat persistence, auth flow	2026-05-18 03:52:59 -03:00
README.md	baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack	2026-05-17 22:44:36 -03:00

README.md

disclosure-stack — portable deployment

Single-folder deployment unit. Edit .env, run scripts, app deploys to the VPS.

When migrating to another VPS: change ONLY the VPS_ block in .env*, run ./scripts/gen-secrets.sh (regenerates per-VPS secrets), then ./scripts/deploy.sh. Done.

Layout

infra/disclosure-stack/
├── .env                    ← active config (gitignored, secrets in here)
├── .env.example            ← template, safe to commit
├── docker-compose.yml      ← TODO — supabase + next + meili + imgproxy
└── scripts/
    ├── _lib.sh             ← shared SSH/rsync helpers
    ├── ssh.sh              ← interactive SSH or one-shot remote command
    ├── status.sh           ← VPS + stack health report
    ├── gen-secrets.sh      ← rotate per-VPS secrets (JWT, Postgres, etc.)
    ├── sync-data.sh        ← rsync wiki/processing/raw to VPS
    ├── deploy.sh           ← upload + docker compose up
    └── logs.sh             ← tail logs of a service

Pre-reqs on your laptop

brew install hudochenkov/sshpass/sshpass  # for password SSH (testing VPS)

For real production, generate an SSH key, copy it to the VPS, and switch VPS_AUTH=key in .env.

Daily ops

# Open shell on VPS
./scripts/ssh.sh

# One-shot command
./scripts/ssh.sh "docker ps"

# Full health report
./scripts/status.sh

# Tail Postgres logs
./scripts/logs.sh postgres

# Push fresh wiki data (after running the local pipeline)
./scripts/sync-data.sh

# Deploy stack changes
./scripts/deploy.sh

Migrating to a different VPS

Edit .env — change VPS_HOST, VPS_PASSWORD (or switch to VPS_AUTH=key), VPS_DEPLOY_ROOT if needed.
Rotate secrets:
```
./scripts/gen-secrets.sh
```
This regenerates POSTGRES_PASSWORD, JWT_SECRET, ANON_KEY, SERVICE_ROLE_KEY, DASHBOARD_PASSWORD, etc., and writes them back to .env. The old .env is backed up.
Sync data:
```
./scripts/sync-data.sh
```
Deploy:
```
./scripts/deploy.sh
```

That's it. The new VPS now hosts the full stack with fresh secrets, isolated from the old one.

What still needs to be built

The docker-compose.yml itself. Will include:

Supabase Postgres + GoTrue + PostgREST + Storage + Kong + Studio + Realtime
Next.js (built from this repo's /web dir)
Meilisearch
Imgproxy
Caddy (TLS + reverse proxy on subdomains from .env)
restic-cron for backups (if BACKUP_ENABLED=true)

I'll generate that next.

Coexistence with existing VPS projects

On the testing VPS, 8 other Supabase-based stacks are already running (unimed-, irmed-, v2irmed-, top10-, cf-, nirvana-, plegal-*). This stack:

Uses unique container names (disclosure-* prefix)
Uses unique host ports (PORT_* block in .env, all 18xxx)
Mounts its own data volumes under /data/disclosure/
Caddy on this stack only binds to PORT_KONG_HTTP/HTTPS and friends — does NOT take 80/443

When you move to the dedicated 4cpu/16GB VPS, you can:

Keep ports as-is (works)
OR remap PORT_KONG_HTTP=80, PORT_KONG_HTTPS=443 since nothing else uses them

The stack is portable in both directions.