Go to file

saravanakumardb1 91b859746b fix(docker): bake NEXT_PUBLIC_* values at build time, drop hardcoded api.bytelyst.com Root cause: docker-compose.yml hardcoded NEXT_PUBLIC_NOTES_API_URL to https://api.bytelyst.com/notelett — a production URL that doesn't exist on this network — as the build arg for the web image. The docker-compose.override.yml correctly set localhost:4016/api but only on the runtime environment, which has no effect because NEXT_PUBLIC_* values are baked into the Next.js bundle at build time (pnpm run build inside the Dockerfile), not read at runtime. Symptom: every authenticated client-side fetch from the deployed web container went to https://api.bytelyst.com/notelett/... which the corporate proxy intercepted with a blockpage. The saved-views client in particular fired on every (app)/ layout mount, surfacing a 'Failed to fetch' toast on dashboard load. 4 release-flows.spec tests failed because page.route('/api/') couldn't match the api.bytelyst.com URLs at all. Discovery: inspected the deployed bundle inside the running container. 'grep -oE "api.bytelyst.com" /app/web/web/.next/static/chunks/.js' returned multiple hits across the (app)/ layout, (auth)/ pages, and share page. The string was absent from the source tree, which proved it had been injected at build time via the broken arg default. Discovery debug pattern (kept for future use): page.on('requestfailed', r => console.log(r.method(), r.url())); page.route('/api/', route => route.fulfill({status:200,body:'{}'})); await page.goto('/dashboard'); // FAILED REQUESTS will list any URL not under /api/* that the SPA // attempted, exposing baked-in production URLs immediately. Fix (three layers, defense in depth): 1. docker-compose.yml — replace hardcoded 'NEXT_PUBLIC_NOTES_API_URL: https://api.bytelyst.com/notelett' in the build.args block with '${NEXT_PUBLIC_NOTES_API_URL:-http://localhost:4016/api}'. Same treatment for the runtime environment block. Add build args for the four other NEXT_PUBLIC_* values (extraction, MCP, diagnostics, product name/id, telemetry transport) so a single env var on the host controls both build and runtime layers. 2. web/Dockerfile — declare ARG and ENV lines for all seven NEXT_PUBLIC_* values so the build args reach 'pnpm run build'. Previously only NOTES_API_URL and PLATFORM_SERVICE_URL were declared, which meant overriding extraction/MCP/diagnostics via docker compose silently had no effect on the bundle. 3. docker-compose.override.yml — add a build.args block mirroring the four URL overrides so the local-only override also reaches build time, not just runtime. Comment block explains the bake-time vs runtime distinction so future contributors don't repeat the bug. Verified end-to-end after the fix: - docker compose build --no-cache web + up -d → grep of bundle now shows 'localhost:4016/api', api.bytelyst.com fully gone. - Debug interception test: zero requestfailed events on /dashboard. - Playwright release-flows.spec.ts: 4 failed → 4 passed (after URL fix; no test code changed for these four tests). - Full Playwright suite (--ignore-snapshots): 43 passed. - scripts/e2e-docker-test.sh: 9/9 backend API lifecycle steps pass. - pnpm run verify: backend 380/380, web 96/96, mobile 97/97.		2026-05-23 10:04:36 -07:00
.gitea/workflows	ci: fix YAML formatting — normalize blank lines	2026-03-29 11:04:16 -07:00
.github	feat(web/ui8): remove legacy global classes + tighten audit regex + lock CI gate	2026-05-23 01:55:36 -07:00
.husky	chore: add Husky pre-commit hooks + secret-scan scripts	2026-03-27 23:07:30 -07:00
backend	test(e2e): docker compose E2E test + seed scripts + 9-step verification	2026-05-23 01:16:19 -07:00
docs	docs(roadmap): mark sprints 3-6 complete; record post-Sprint-B UI migration	2026-05-23 02:04:09 -07:00
mobile	test(mobile): verify platform lifecycle clients	2026-05-05 13:02:14 -07:00
scripts	feat(web/ui8): remove legacy global classes + tighten audit regex + lock CI gate	2026-05-23 01:55:36 -07:00
shared	fix: normalize product.json + replace --ml-* with --nl-* CSS namespace	2026-03-21 20:20:40 -07:00
web	fix(docker): bake NEXT_PUBLIC_* values at build time, drop hardcoded api.bytelyst.com	2026-05-23 10:04:36 -07:00
.aider.conf.yml	chore(docs): regenerate AI agent config files	2026-03-10 22:56:39 -07:00
.clinerules	chore(docs): regenerate AI agent config files	2026-03-10 22:56:39 -07:00
.cursorrules	chore(docs): regenerate AI agent config files	2026-03-10 22:56:39 -07:00
.dockerignore	feat(repo): migrate notelett workspace to pnpm	2026-03-22 15:50:54 -07:00
.editorconfig	chore(docs): regenerate AI agent config files	2026-03-10 22:56:39 -07:00
.gitignore	chore: gitignore .docker-deps/ directory	2026-04-13 14:36:43 -07:00
.npmrc	feat(ux): add UX testing setup guide and common platform integration	2026-05-09 22:09:43 +00:00
.npmrc.docker	fix: Update docker configuration for production deployment	2026-05-12 08:20:12 +00:00
.nvmrc	chore: add .nvmrc pinning Node 22	2026-03-29 10:48:30 -07:00
.pnpmfile.cjs	fix(workspace): canonicalize common-plat path to ../learning_ai_common_plat	2026-05-22 15:08:30 -07:00
.windsurfrules	chore(docs): regenerate AI agent config files	2026-03-10 22:56:39 -07:00
AGENTS.md	docs(cleanup): move historical roadmaps to docs/archive/ and update AGENTS.md	2026-05-22 23:23:50 -07:00
CLAUDE.md	feat(repo): migrate notelett workspace to pnpm	2026-03-22 15:50:54 -07:00
docker-compose.override.yml	fix(docker): bake NEXT_PUBLIC_* values at build time, drop hardcoded api.bytelyst.com	2026-05-23 10:04:36 -07:00
docker-compose.yml	fix(docker): bake NEXT_PUBLIC_* values at build time, drop hardcoded api.bytelyst.com	2026-05-23 10:04:36 -07:00
package.json	test(e2e): docker compose E2E test + seed scripts + 9-step verification	2026-05-23 01:16:19 -07:00
pnpm-lock.yaml	test(e2e): fix 4 pre-existing E2E failures and make port-conflict-proof	2026-05-23 00:50:29 -07:00
pnpm-workspace.yaml	fix(workspace): canonicalize common-plat path to ../learning_ai_common_plat	2026-05-22 15:08:30 -07:00
README.md	docs(sprint-a): record build restoration and refreshed sprint plan	2026-05-22 15:08:42 -07:00

README.md

NoteLett

Structured notes platform for humans and AI agents — part of the ByteLyst ecosystem.

Quick Start

Prerequisites:

pnpm 10.6.5
sibling common-platform checkout at ../learning_ai_common_plat (override with BYTELYST_COMMON_PLAT_ROOT if your layout differs)
optional local ByteLyst services from common platform:
- platform-service on port 4003 for auth, flags, telemetry, diagnostics, billing, and blob
- extraction-service on port 4005 for URL/task extraction
- mcp-server on port 4007 for agent tooling

# Install against the local common-platform workspace packages.
pnpm run install:common-plat --frozen-lockfile

# Registry fallback when explicitly needed.
source ~/.zshrc
pnpm run install:gitea --frozen-lockfile

# Backend in local memory mode (port 4016)
DB_PROVIDER=memory JWT_SECRET=dev-secret-do-not-use-in-prod \
pnpm --filter @notelett/backend run dev

# Web (port 3000)
pnpm --filter @notelett/web run dev

# Mobile
pnpm --filter @notelett/mobile run start

Auth is expected to come from platform-service. Local development can use the repo's dev/test helpers and memory datastore, but production must use real platform auth, Cosmos, and encryption configuration.

Docker path:

docker compose build
docker compose up -d
curl -sf http://localhost:4016/health
curl -sf http://localhost:4016/api/bootstrap

Local production-readiness smoke:

pnpm run smoke:local

# Use an already-running backend or skip shared service checks when isolating product behavior.
SMOKE_START_BACKEND=0 pnpm run smoke:local -- --no-start
pnpm run smoke:local -- --skip-platform

# Docker compose build/start/health smoke
pnpm run smoke:compose

Architecture

Surface	Stack	Port
Backend	Fastify 5 + TypeScript ESM	4016
Web	Next.js 16 + React 19	3000
Mobile	Expo + React Native	8081
Platform	platform-service (shared)	4003
Extraction	extraction-service (shared)	4005
MCP	mcp-server (shared)	4007

Architecture Boundaries

NoteLett keeps product-local domain behavior in this repo: note/workspace CRUD, relationships, tasks, artifacts, agent action audit trails, saved views, prompt templates/runners, intake rules/jobs, note sharing/collaboration, version history, Palace memory/KG UX, and all NoteLett-specific web/mobile workflows.

Common-platform responsibilities come from ../learning_ai/learning_ai_common_plat: auth/session primitives, API clients, datastore/Cosmos abstractions, shared error/config/logging conventions, telemetry, diagnostics, feature flags, kill switch, blob access, extraction-service clients, design tokens, shared UI primitives where appropriate, MCP server integration, webhook dispatch, encryption helpers, and cross-repo automation scripts.

Package resolution defaults to local common-platform packages through .pnpmfile.cjs (BYTELYST_PACKAGE_SOURCE=common-plat). Use pnpm run install:common-plat for local development and pnpm run install:gitea only when you intentionally want registry versions. Override the local checkout with BYTELYST_COMMON_PLAT_ROOT=/path/to/learning_ai_common_plat.

Do not move NoteLett-specific notes logic into common platform unless another product has a concrete reuse need. Do not create repo-local substitutes for platform concerns already covered by @bytelyst/* packages or platform services.

Key Features

Backend modules: notes, workspaces, relationships, tasks, artifacts, agent actions, saved views, Smart Actions, intake, collaborators, shares, versions, Palace, and ecosystem import routes
8 MCP tools: list, get, search, create_draft, update, link_notes, extract_tasks, attach_artifact
Smart Actions: 20 built-in prompt templates, copilot text transforms, scheduler, webhooks, URL extraction
Intake and Palace: URL/text intake jobs, intake rules, MemPalace memory/search/KG/wake-up routes
Agent audit trail: every write tool records agent action history
Datastore abstraction: Cosmos DB in production, in-memory for tests
Platform integrations: auth (JWT), telemetry, diagnostics, feature flags, kill-switch, blob storage
LLM integration: @bytelyst/llm with retry, timeout, and fallback heuristics

Environment

Copy backend/.env.example to backend/.env and web/.env.example to web/.env.local as needed.

Local memory mode:

NODE_ENV=development
DB_PROVIDER=memory
JWT_SECRET=dev-secret-do-not-use-in-prod
LLM_PROVIDER=mock
shared service URLs can point at local common-platform ports or remain disabled for isolated backend tests

Production requirements:

NODE_ENV=production
strong JWT_SECRET shared with platform-service or the production auth verification mechanism
DB_PROVIDER=cosmos
COSMOS_ENDPOINT, COSMOS_KEY, and COSMOS_DATABASE
FIELD_ENCRYPT_ENABLED=true with FIELD_ENCRYPT_KEY_PROVIDER=akv or a managed key provider and required key material
PLATFORM_SERVICE_URL, EXTRACTION_SERVICE_URL, and MCP_SERVER_URL
NEXT_PUBLIC_MCP_SERVER_URL=http://localhost:4007/api for local web settings/agent guidance
TELEMETRY_ENABLED=true and FEATURE_FLAGS_ENABLED=true when platform services are available
LLM_PROVIDER plus provider credentials (OPENAI_API_KEY or Azure OpenAI settings) for non-mock AI behavior

The May 5 production-readiness pass hardened production config to fail closed on unsafe defaults; see docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md.

Tests

pnpm --filter @notelett/backend run typecheck
pnpm --filter @notelett/backend run test
pnpm --filter @notelett/backend run lint
pnpm --filter @notelett/web run typecheck
pnpm --filter @notelett/web run test
pnpm --filter @notelett/web run lint
pnpm --filter @notelett/web run test:e2e
pnpm --filter @notelett/mobile run typecheck
pnpm --filter @notelett/mobile run test
pnpm --filter @notelett/mobile run lint
pnpm run verify

Current May 5 production-readiness status:

pnpm run verify passes backend/web/mobile typecheck and tests, plus backend/web production builds.
backend, web, and mobile lint commands exit 0 with tracked advisory warnings.
web Playwright release flows pass.
release-guard audits pass common-platform secret scan, hardcoded color/token checks, and active product/API drift checks.
Docker compose smoke and live shared-service smoke are explicit environment deferrals on this host because Docker is unavailable and platform-service/extraction-service/mcp-server are not running with Cosmos credentials.

See docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md Phase P10 for exact commands, commit hashes, warnings, and deferral notes.

Docs

AGENTS.md — AI agent onboarding guide
docs/PRD.md — Product requirements
docs/ROADMAP.md — Master execution tracker
docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md — Active production-readiness checklist
docs/PLATFORM_SMOKE_CHECKS.md — Shared platform and NoteLett smoke commands
docs/MOBILE_PRODUCTION_BUILD_AND_SMOKE.md — Expo build notes and iOS/Android smoke checklist
docs/RELEASE_CHECKLIST.md — Release notes template, deploy checklist, rollback, migrations, and monitoring placeholders
docs/COSMOS_DATA_OPERATIONS.md — Cosmos containers, indexes, retention, and backup/restore approach
docs/SEED_BOOTSTRAP_STRATEGY.md — Built-in prompt, intake rule, onboarding workspace, and feature-flag bootstrap strategy
docs/DATA_MIGRATION_AND_BACKFILL_PLAN.md — Encrypted-field, schema-change, and backfill migration plan
docs/TELEMETRY_AND_DIAGNOSTICS_TAXONOMY.md — Event taxonomy and diagnostic breadcrumb contract
docs/OPERATOR_RUNBOOK.md — Incident triage and recovery steps for dependencies, scheduler/webhooks, blob, LLM/extraction, reviews, and MCP
docs/UI_UX_PLATFORM_CORE_ROADMAP.md — UI/UX migration plan for moving reusable components into common-platform core UI while keeping a thin NoteLett adapter