d5e857dbf7
Implements the full E2E flow against the deployed docker stack and
documents it as a repeatable test playbook.
Surfaced and fixed three real issues while building the E2E:
1. JWT secret mismatch — docker-compose.override.yml backend was using
a NoteLett-only JWT_SECRET that platform-service did not share, so
every Authorization: Bearer call returned 'Invalid or expired token'.
Aligned the override to use platform-service's actual secret
(dev-ecosystem-secret-do-not-use-in-production).
2. CORS preflight missing PATCH/DELETE — @bytelyst/fastify-core registers
@fastify/cors with only { origin }, which leaves Access-Control-Allow-
Methods at the @fastify/cors default of 'GET,HEAD,POST'. Real browser
PATCH/DELETE preflights would fail. Added an onSend hook in
backend/src/server.ts that rewrites the header to
'GET,HEAD,POST,PATCH,PUT,DELETE,OPTIONS' on CORS preflight responses.
3. Product 'notelett' wasn't registered with platform-service — auth
register/login both error with 'Unknown or disabled product: notelett'.
The seed script now POSTs to /api/products idempotently.
Deliverables:
- scripts/e2e-docker-seed.sh — idempotent: registers the notelett product
and creates two test users (admin@notelett.app with role=admin who can
write, user@notelett.app with role=user who is read-only). Re-runs are
no-ops once seeded.
- scripts/e2e-docker-test.sh — 9-step E2E that drives the deployed stack
via HTTP only (no browser): login → CORS preflight for PATCH →
workspace create → note create → note read → note PATCH (status:
draft→active) → note list → note delete → workspace delete.
- docs/testing/E2E_DOCKER_TESTING.md — full playbook covering prereqs,
seed, automated E2E, manual UI smoke, stack architecture diagram,
troubleshooting (JWT mismatch, unknown product, role rejection,
CORS, port conflict, data loss), tear-down, CI wiring guidance.
- package.json — pnpm e2e:docker:seed and pnpm e2e:docker:test
shortcuts.
Verified live on this host's deployed stack:
$ bash scripts/e2e-docker-seed.sh
↷ product 'notelett' already exists
↷ admin user already registered + login works
✓ user created
🟢 Seed complete.
$ bash scripts/e2e-docker-test.sh
✓ user=usr_e094e0c2-... role=admin
✓ CORS allows PATCH
✓ workspace created
✓ note created
✓ note read matches
✓ note patched (status: draft → active)
✓ note list returned (1 item)
✓ note deleted (HTTP 204)
✓ workspace deleted (HTTP 204)
🟢 All 9 E2E steps passed.
Backend regression suite still green: 380/380.
|
||
|---|---|---|
| .gitea/workflows | ||
| .github | ||
| .husky | ||
| backend | ||
| docs | ||
| mobile | ||
| scripts | ||
| shared | ||
| web | ||
| .aider.conf.yml | ||
| .clinerules | ||
| .cursorrules | ||
| .dockerignore | ||
| .editorconfig | ||
| .gitignore | ||
| .npmrc | ||
| .npmrc.docker | ||
| .nvmrc | ||
| .pnpmfile.cjs | ||
| .windsurfrules | ||
| AGENTS.md | ||
| CLAUDE.md | ||
| docker-compose.override.yml | ||
| docker-compose.yml | ||
| package.json | ||
| pnpm-lock.yaml | ||
| pnpm-workspace.yaml | ||
| README.md | ||
NoteLett
Structured notes platform for humans and AI agents — part of the ByteLyst ecosystem.
Quick Start
Prerequisites:
- pnpm 10.6.5
- sibling common-platform checkout at
../learning_ai_common_plat(override withBYTELYST_COMMON_PLAT_ROOTif your layout differs) - optional local ByteLyst services from common platform:
platform-serviceon port 4003 for auth, flags, telemetry, diagnostics, billing, and blobextraction-serviceon port 4005 for URL/task extractionmcp-serveron port 4007 for agent tooling
# Install against the local common-platform workspace packages.
pnpm run install:common-plat --frozen-lockfile
# Registry fallback when explicitly needed.
source ~/.zshrc
pnpm run install:gitea --frozen-lockfile
# Backend in local memory mode (port 4016)
DB_PROVIDER=memory JWT_SECRET=dev-secret-do-not-use-in-prod \
pnpm --filter @notelett/backend run dev
# Web (port 3000)
pnpm --filter @notelett/web run dev
# Mobile
pnpm --filter @notelett/mobile run start
Auth is expected to come from platform-service. Local development can use the repo's dev/test helpers and memory datastore, but production must use real platform auth, Cosmos, and encryption configuration.
Docker path:
docker compose build
docker compose up -d
curl -sf http://localhost:4016/health
curl -sf http://localhost:4016/api/bootstrap
Local production-readiness smoke:
pnpm run smoke:local
# Use an already-running backend or skip shared service checks when isolating product behavior.
SMOKE_START_BACKEND=0 pnpm run smoke:local -- --no-start
pnpm run smoke:local -- --skip-platform
# Docker compose build/start/health smoke
pnpm run smoke:compose
Architecture
| Surface | Stack | Port |
|---|---|---|
| Backend | Fastify 5 + TypeScript ESM | 4016 |
| Web | Next.js 16 + React 19 | 3000 |
| Mobile | Expo + React Native | 8081 |
| Platform | platform-service (shared) | 4003 |
| Extraction | extraction-service (shared) | 4005 |
| MCP | mcp-server (shared) | 4007 |
Architecture Boundaries
NoteLett keeps product-local domain behavior in this repo: note/workspace CRUD, relationships, tasks, artifacts, agent action audit trails, saved views, prompt templates/runners, intake rules/jobs, note sharing/collaboration, version history, Palace memory/KG UX, and all NoteLett-specific web/mobile workflows.
Common-platform responsibilities come from ../learning_ai/learning_ai_common_plat: auth/session primitives, API clients, datastore/Cosmos abstractions, shared error/config/logging conventions, telemetry, diagnostics, feature flags, kill switch, blob access, extraction-service clients, design tokens, shared UI primitives where appropriate, MCP server integration, webhook dispatch, encryption helpers, and cross-repo automation scripts.
Package resolution defaults to local common-platform packages through .pnpmfile.cjs (BYTELYST_PACKAGE_SOURCE=common-plat). Use pnpm run install:common-plat for local development and pnpm run install:gitea only when you intentionally want registry versions. Override the local checkout with BYTELYST_COMMON_PLAT_ROOT=/path/to/learning_ai_common_plat.
Do not move NoteLett-specific notes logic into common platform unless another product has a concrete reuse need. Do not create repo-local substitutes for platform concerns already covered by @bytelyst/* packages or platform services.
Key Features
- Backend modules: notes, workspaces, relationships, tasks, artifacts, agent actions, saved views, Smart Actions, intake, collaborators, shares, versions, Palace, and ecosystem import routes
- 8 MCP tools: list, get, search, create_draft, update, link_notes, extract_tasks, attach_artifact
- Smart Actions: 20 built-in prompt templates, copilot text transforms, scheduler, webhooks, URL extraction
- Intake and Palace: URL/text intake jobs, intake rules, MemPalace memory/search/KG/wake-up routes
- Agent audit trail: every write tool records agent action history
- Datastore abstraction: Cosmos DB in production, in-memory for tests
- Platform integrations: auth (JWT), telemetry, diagnostics, feature flags, kill-switch, blob storage
- LLM integration:
@bytelyst/llmwith retry, timeout, and fallback heuristics
Environment
Copy backend/.env.example to backend/.env and web/.env.example to web/.env.local as needed.
Local memory mode:
NODE_ENV=developmentDB_PROVIDER=memoryJWT_SECRET=dev-secret-do-not-use-in-prodLLM_PROVIDER=mock- shared service URLs can point at local common-platform ports or remain disabled for isolated backend tests
Production requirements:
NODE_ENV=production- strong
JWT_SECRETshared with platform-service or the production auth verification mechanism DB_PROVIDER=cosmosCOSMOS_ENDPOINT,COSMOS_KEY, andCOSMOS_DATABASEFIELD_ENCRYPT_ENABLED=truewithFIELD_ENCRYPT_KEY_PROVIDER=akvor a managed key provider and required key materialPLATFORM_SERVICE_URL,EXTRACTION_SERVICE_URL, andMCP_SERVER_URLNEXT_PUBLIC_MCP_SERVER_URL=http://localhost:4007/apifor local web settings/agent guidanceTELEMETRY_ENABLED=trueandFEATURE_FLAGS_ENABLED=truewhen platform services are availableLLM_PROVIDERplus provider credentials (OPENAI_API_KEYor Azure OpenAI settings) for non-mock AI behavior
The May 5 production-readiness pass hardened production config to fail closed on unsafe defaults; see docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md.
Tests
pnpm --filter @notelett/backend run typecheck
pnpm --filter @notelett/backend run test
pnpm --filter @notelett/backend run lint
pnpm --filter @notelett/web run typecheck
pnpm --filter @notelett/web run test
pnpm --filter @notelett/web run lint
pnpm --filter @notelett/web run test:e2e
pnpm --filter @notelett/mobile run typecheck
pnpm --filter @notelett/mobile run test
pnpm --filter @notelett/mobile run lint
pnpm run verify
Current May 5 production-readiness status:
pnpm run verifypasses backend/web/mobile typecheck and tests, plus backend/web production builds.- backend, web, and mobile lint commands exit 0 with tracked advisory warnings.
- web Playwright release flows pass.
- release-guard audits pass common-platform secret scan, hardcoded color/token checks, and active product/API drift checks.
- Docker compose smoke and live shared-service smoke are explicit environment deferrals on this host because Docker is unavailable and platform-service/extraction-service/mcp-server are not running with Cosmos credentials.
See docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md Phase P10 for exact commands, commit hashes, warnings, and deferral notes.
Docs
AGENTS.md— AI agent onboarding guidedocs/PRD.md— Product requirementsdocs/ROADMAP.md— Master execution trackerdocs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md— Active production-readiness checklistdocs/PLATFORM_SMOKE_CHECKS.md— Shared platform and NoteLett smoke commandsdocs/MOBILE_PRODUCTION_BUILD_AND_SMOKE.md— Expo build notes and iOS/Android smoke checklistdocs/RELEASE_CHECKLIST.md— Release notes template, deploy checklist, rollback, migrations, and monitoring placeholdersdocs/COSMOS_DATA_OPERATIONS.md— Cosmos containers, indexes, retention, and backup/restore approachdocs/SEED_BOOTSTRAP_STRATEGY.md— Built-in prompt, intake rule, onboarding workspace, and feature-flag bootstrap strategydocs/DATA_MIGRATION_AND_BACKFILL_PLAN.md— Encrypted-field, schema-change, and backfill migration plandocs/TELEMETRY_AND_DIAGNOSTICS_TAXONOMY.md— Event taxonomy and diagnostic breadcrumb contractdocs/OPERATOR_RUNBOOK.md— Incident triage and recovery steps for dependencies, scheduler/webhooks, blob, LLM/extraction, reviews, and MCPdocs/UI_UX_PLATFORM_CORE_ROADMAP.md— UI/UX migration plan for moving reusable components into common-platform core UI while keeping a thin NoteLett adapter