[dev] [tofikwest] tofik/move-logic-from-SSA-to-API (#1853)

* refactor(api): move logic from SSE to API

* chore(api): add knowledge base document management endpoints and refactor document actions

* refactor(soa): moved SOA feature to  API

* feat(trust-portal): add compliance resource management endpoints and update documentation

* refactor(questionnaire): remove unused actions for answering questions

* refactor(questionnaire): clear questionnaire module

* refactor(soa): enhance SOA service with new utility methods and improve answer processing

* refactor(knowledge-base): clear components

* refactor(vector-store-sync): restructure sync logic for policies, contexts, and knowledge base documents

* refactor(knowledge-base): remove unused components and update document formats

* refactor(api): remove duplicate DevicesModule import

* refactor(api): rename compliance framework and update related logic

* refactor(ci): remove Vercel credentials from deployment workflows

* refactor(api): update compliance framework references to use TrustFramework

* refactor(api): enhance SSE handling and add sanitization utilities

* refactor(api): update SSE utilities to enhance security and sanitization

---------

Co-authored-by: Tofik Hasanov <[email protected]>
Co-authored-by: Mariano Fuentes <[email protected]>

Author: 3 people

.env.example

@@ -3,11 +3,11 @@ AUTH_SECRET="" # openssl rand -base64 32
 DATABASE_URL="" # Format: "postgresql://postgres:[email protected]:5432/comp"
 RESEND_DOMAIN="" # Domain configured in Resend, e.g. mail.trycomp.ai
 RESEND_API_KEY="" # API key from Resend for email authentication / invites
-RESEND_FROM_MARKETING="Lewis Carhart <[email protected]>"
-RESEND_FROM_SYSTEM="Comp AI <[email protected]>"
-RESEND_FROM_DEFAULT="Comp AI <[email protected]>"
-RESEND_TO_TEST="[email protected]"
-RESEND_REPLY_TO_MARKETING="[email protected]"
+RESEND_FROM_MARKETING=""
+RESEND_FROM_SYSTEM=""
+RESEND_FROM_DEFAULT=""
+RESEND_TO_TEST=""
+RESEND_REPLY_TO_MARKETING=""
 REVALIDATION_SECRET="" # openssl rand -base64 32
 NEXT_PUBLIC_PORTAL_URL="http://localhost:3002" # The employee portal uses port 3002 by default
 

.github/workflows/trigger-api-tasks-deploy-main.yml

@@ -0,0 +1,42 @@
+name: Deploy API to Trigger.dev (dev)
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: warp-ubuntu-latest-arm64-4x
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22.x" # Updated to match Node.js w/ Vercel
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+      - name: Clear cache
+        run: rm -rf node_modules .bun
+      - name: Install dependencies
+        run: bun install --frozen-lockfile || bun install --frozen-lockfile --ignore-scripts
+      - name: Install DB package dependencies
+        working-directory: ./packages/db
+        run: bun install --frozen-lockfile --ignore-scripts
+      - name: Build DB package
+        working-directory: ./packages/db
+        run: bun run build
+      - name: Copy schema to api and generate client
+        working-directory: ./apps/api
+        run: |
+          mkdir -p prisma
+          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
+          bunx prisma generate
+      - name: 🚀 Deploy Trigger.dev
+        working-directory: ./apps/api
+        timeout-minutes: 20
+        env:
+          TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}
+        run: bunx [email protected] deploy --env staging --log-level debug

.github/workflows/trigger-api-tasks-deploy-release.yml

@@ -0,0 +1,46 @@
+name: Deploy API to Trigger.dev (prod)
+
+on:
+  push:
+    branches:
+      - release
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: warp-ubuntu-latest-arm64-4x
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile || bun install --frozen-lockfile --ignore-scripts
+      - name: Install DB package dependencies
+        working-directory: ./packages/db
+        run: bun install --frozen-lockfile --ignore-scripts
+
+      - name: Build DB package
+        working-directory: ./packages/db
+        run: bun run build
+
+      - name: Copy schema to api and generate client
+        working-directory: ./apps/api
+        run: |
+          mkdir -p prisma
+          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
+          bunx prisma generate
+
+      - name: 🚀 Deploy Trigger.dev
+        working-directory: ./apps/api
+        env:
+          TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}
+        run: bunx [email protected] deploy

SELF_HOSTING.md

@@ -46,7 +46,7 @@ App (`apps/app`):
 - **APP_AWS_REGION**, **APP_AWS_ACCESS_KEY_ID**, **APP_AWS_SECRET_ACCESS_KEY**, **APP_AWS_BUCKET_NAME**: AWS S3 credentials for file storage (attachments, general uploads).
 - **APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET**: AWS S3 bucket name specifically for questionnaire file uploads. Required for the Security Questionnaire feature. If not set, users will see an error when trying to parse questionnaires.
 - **APP_AWS_KNOWLEDGE_BASE_BUCKET**: AWS S3 bucket name specifically for knowledge base documents. Required for the Knowledge Base feature in Security Questionnaire. If not set, users will see an error when trying to upload knowledge base documents.
-- **APP_AWS_ORG_ASSETS_BUCKET**: AWS S3 bucket name for organization static assets (e.g., company logos). Required for logo uploads in organization settings. If not set, logo upload will fail.
+- **APP_AWS_ORG_ASSETS_BUCKET**: AWS S3 bucket name for organization static assets (e.g., company logos, compliance certificates). Required for logo uploads in organization settings and Trust Portal compliance certificate uploads. If not set, these features will fail.
 - **OPENAI_API_KEY**: Enables AI features that call OpenAI models.
 - **UPSTASH_REDIS_REST_URL**, **UPSTASH_REDIS_REST_TOKEN**: Optional Redis (Upstash) used for rate limiting/queues/caching.
 - **NEXT_PUBLIC_POSTHOG_KEY**, **NEXT_PUBLIC_POSTHOG_HOST**: Client analytics via PostHog; leave unset to disable.
@@ -59,6 +59,17 @@ App (`apps/app`):
 - **GA4_API_SECRET**, **GA4_MEASUREMENT_ID**: Google Analytics 4 server/client tracking.
 - **NEXT_PUBLIC_API_URL**: Override client API base URL (defaults to same origin).
 
+API (`apps/api`):
+
+- **APP_AWS_REGION**, **APP_AWS_ACCESS_KEY_ID**, **APP_AWS_SECRET_ACCESS_KEY**, **APP_AWS_BUCKET_NAME**: AWS S3 credentials for file storage (attachments, general uploads).
+- **APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET**: AWS S3 bucket name specifically for questionnaire file uploads. Required for the Security Questionnaire feature.
+- **APP_AWS_KNOWLEDGE_BASE_BUCKET**: AWS S3 bucket name specifically for knowledge base documents. Required for the Knowledge Base feature in Security Questionnaire.
+- **APP_AWS_ORG_ASSETS_BUCKET**: AWS S3 bucket name for organization static assets (e.g., company logos, compliance certificates). Required for Trust Portal compliance certificate uploads and organization logo uploads. If not set, these features will fail.
+- **OPENAI_API_KEY**: Enables AI features that call OpenAI models.
+- **UPSTASH_VECTOR_REST_URL**, **UPSTASH_VECTOR_REST_TOKEN**: Required for vector database operations (questionnaire auto-answer, SOA auto-fill, knowledge base search).
+- **BETTER_AUTH_URL**: URL of the Better Auth instance (usually the same as the app URL).
+- **DATABASE_URL**: PostgreSQL database connection string.
+
 Portal (`apps/portal`):
 
 - **NEXT_PUBLIC_POSTHOG_KEY**, **NEXT_PUBLIC_POSTHOG_HOST**: Client analytics via PostHog for portal.

apps/api/.env.example

@@ -0,0 +1,26 @@
+BASE_URL="http://localhost:3333"
+BETTER_AUTH_URL="http://localhost:3000"
+PORT="3333"
+
+APP_AWS_BUCKET_NAME=
+APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET=
+APP_AWS_KNOWLEDGE_BASE_BUCKET=
+APP_AWS_REGION=
+APP_AWS_ACCESS_KEY_ID=
+APP_AWS_SECRET_ACCESS_KEY=
+APP_AWS_ORG_ASSETS_BUCKET=
+
+DATABASE_URL=
+
+
+# Upstash
+UPSTASH_REDIS_REST_URL=
+UPSTASH_REDIS_REST_TOKEN=
+
+UPSTASH_VECTOR_REST_URL=
+UPSTASH_VECTOR_REST_TOKEN=
+
+# Trigger
+TRIGGER_SECRET_KEY=
+
+OPENAI_API_KEY=