@hiai-gg/hiai-docs 0.0.1

package/CONTRIBUTING.md

@@ -0,0 +1,77 @@
+# Contributing to hiai-docs
+
+Thanks for your interest in contributing!
+
+## Getting Started
+
+1. Fork the repository
+2. Clone your fork
+3. Create a feature branch: `git checkout -b feature/my-change`
+4. Make your changes
+5. Run checks: `bun run lint && bun run typecheck`
+6. Commit with a clear message
+7. Push and open a Pull Request
+
+## Branch Naming
+
+- `feature/description` — new features
+- `fix/description` — bug fixes
+- `refactor/description` — code refactoring
+- `docs/description` — documentation changes
+
+## Commit Messages
+
+Use [Conventional Commits](https://www.conventionalcommits.org/):
+
+```
+feat: add document version diff view
+fix: resolve search pagination off-by-one
+refactor: extract folder tree into separate component
+docs: update API reference for share endpoints
+```
+
+## Code Style
+
+- **Runtime**: Bun only (no npm/yarn)
+- **Modules**: ESM only (`import`/`export`, no `require`)
+- **TypeScript**: strict mode, no `any` types
+- **Language**: English only — code, comments, docs, commit messages
+- **Validation**: Zod for all API inputs
+- **No Playwright**: use agent-browser for E2E tests
+
+## Project Structure
+
+```
+hiai-docs/
+├── backend/          # Elysia API (Bun)
+├── frontend/         # SvelteKit (Svelte 5 + Tailwind v4)
+├── packages/db/      # Drizzle ORM schema + migrations
+├── docker-compose.yml
+└── .env.example
+```
+
+## Testing
+
+```bash
+# Backend unit tests
+cd backend && bun test
+
+# Frontend tests
+cd frontend && bun run test
+
+# Type check everything
+bun run typecheck
+```
+
+## Pull Request Checklist
+
+- [ ] Code compiles without errors (`bun run typecheck`)
+- [ ] Linting passes (`bun run lint`)
+- [ ] Tests pass (`bun test`)
+- [ ] No hardcoded secrets or paths
+- [ ] Commit messages follow Conventional Commits
+- [ ] Changes are focused — one feature/fix per PR
+
+## Questions?
+
+Open an issue or start a discussion on GitHub.

package/Caddyfile

@@ -0,0 +1,50 @@
+# hiai-docs Caddyfile
+
+:80 {
+	# For local development / Docker internal
+	reverse_proxy /api/* api:50700
+	reverse_proxy web:50701
+
+	encode gzip
+	log
+
+	header {
+		# Restrictive CSP — allows same-origin + dev WebSocket
+		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' http://localhost:50700 ws://localhost:50700; font-src 'self' data:; frame-ancestors 'none'; form-action 'self'"
+		# HSTS — harmless on plain HTTP, enforced once TLS is provisioned
+		Strict-Transport-Security "max-age=31536000; includeSubDomains"
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "DENY"
+		Referrer-Policy "strict-origin-when-cross-origin"
+	}
+}
+
+docs.{$DOMAIN:localhost} {
+	# For production — Caddy auto-provisions TLS
+	reverse_proxy /api/* api:50700
+	reverse_proxy web:50701
+
+	encode gzip
+	log
+
+	rate_limit {
+		zone dynamic {
+			key {remote_host}
+			events 100
+			window 1m
+		}
+	}
+
+	header {
+		# Restrictive CSP — SvelteKit requires 'unsafe-inline' in style-src
+		# because it injects styles at runtime and cannot use nonces.
+		# This is an accepted trade-off for SvelteKit SPAs.
+		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self' wss:// https://; font-src 'self' data:; frame-ancestors 'none'; form-action 'self'"
+		# HSTS — 1 year, include subdomains, preload-ready
+		Strict-Transport-Security "max-age=31536000; includeSubDomains"
+		X-Content-Type-Options "nosniff"
+		X-Frame-Options "DENY"
+		Referrer-Policy "strict-origin-when-cross-origin"
+	}
+}
+

package/Dockerfile.backend

@@ -0,0 +1,60 @@
+FROM oven/bun:1.3.14-alpine AS base
+WORKDIR /app
+
+# --- Install dependencies ---
+# A root install creates /app/node_modules with hoisted deps. Then per-workspace
+# installs populate each package's local node_modules. This is required because
+# bun's resolver, when run from a workspace package, only looks in that
+# package's own node_modules (not the parent's) — and the build runs from
+# /app/backend/, so it needs backend/node_modules with workspace symlinks.
+FROM base AS deps
+COPY package.json bun.lock* ./
+COPY backend/package.json ./backend/
+COPY frontend/package.json ./frontend/
+COPY packages/db/package.json ./packages/db/
+COPY .packages/hiai-ui /packages/hiai-ui
+ENV BUN_INSTALL_CONCURRENCY=1
+RUN bun install --no-verify
+RUN bun install --cwd backend --no-verify
+RUN bun install --cwd packages/db --no-verify
+
+# --- Build ---
+# Carry node_modules (workspace symlinks) from the deps stage, then layer
+# backend source and the workspace package source (packages/db) on top. We
+# pull packages/db from the build context because the deps stage only has
+# its package.json (just enough for `bun install` to discover it).
+FROM base AS build
+COPY --from=deps /app/node_modules ./node_modules
+COPY --from=deps /app/backend/node_modules ./backend/node_modules
+COPY --from=deps /app/packages/db/node_modules ./packages/db/node_modules
+COPY --from=deps /packages/hiai-ui /packages/hiai-ui
+COPY packages/db/ ./packages/db/
+COPY backend/src ./backend/src
+COPY backend/tsconfig.json ./backend/
+COPY backend/package.json ./backend/
+RUN cd backend && bun run build
+
+# --- Runtime ---
+# Slim image: only the compiled dist + the node_modules needed at runtime.
+FROM base AS runtime
+COPY --from=deps /app/node_modules ./node_modules
+COPY --from=build /app/backend/dist ./backend/dist
+COPY backend/package.json ./backend/
+
+ENV NODE_ENV=production
+ENV API_PORT=50700
+WORKDIR /app/backend
+
+# Create non-root user and give it ownership of the app directory.
+# Files copied above are owned by root, so we chown to make them readable/writable
+# by the unprivileged `app` user that runs the runtime stage.
+RUN addgroup -S app && adduser -S app -G app \
+    && chown -R app:app /app/backend /app/node_modules  # COPY files are root-owned by default; chown is required for non-root USER
+
+USER app
+
+HEALTHCHECK --interval=30s CMD wget -qO- http://localhost:50700/api/health || exit 1
+
+EXPOSE 50700
+
+CMD ["bun", "run", "dist/index.js"]

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 hiai-gg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,284 @@
+# hiai-docs
+
+**The lightest AI-native self-hosted knowledge vault.**
+
+[![MIT License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+[![Release](https://img.shields.io/github/v/release/hiai-gg/hiai-docs?sort=semver)](https://github.com/hiai-gg/hiai-docs/releases)
+[![Stars](https://img.shields.io/github/stars/hiai-gg/hiai-docs)](https://github.com/hiai-gg/hiai-docs/stargazers)
+[![CI](https://github.com/hiai-gg/hiai-docs/actions/workflows/ci.yml/badge.svg)](https://github.com/hiai-gg/hiai-docs/actions/workflows/ci.yml)
+[![Bun](https://img.shields.io/badge/Runtime-Bun_1.3-black?logo=bun&logoColor=white)](https://bun.sh)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5.x-3178C6?logo=typescript&logoColor=white)](https://www.typescriptlang.org)
+[![Svelte](https://img.shields.io/badge/Svelte-5.x-FF3E00?logo=svelte&logoColor=white)](https://svelte.dev)
+[![Elysia](https://img.shields.io/badge/Elysia-1.4-lightgrey?logo=elysia&logoColor=white)](https://elysiajs.com)
+[![Tailwind_CSS](https://img.shields.io/badge/Tailwind_CSS-v4-06B6D4?logo=tailwindcss&logoColor=white)](https://tailwindcss.com)
+[![Drizzle_ORM](https://img.shields.io/badge/Drizzle_ORM-0.45-C5F74F?logo=drizzle&logoColor=black)](https://orm.drizzle.team)
+[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](CONTRIBUTING.md)
+
+hiai-docs is a lightweight **self-hosted knowledge base** built for users who want speed, full data ownership, and strong AI capabilities without heavy enterprise overhead. 
+
+If you are looking for a **local LLM knowledge base** or a **lightweight Outline alternative** / **Docmost alternative** that runs fully offline with **Ollama self-hosted** embeddings, hiai-docs offers an elegant, **RAG-ready knowledge vault** that automatically generates vector embeddings on every save (via Ollama), supports hybrid semantic search, and provides a clean REST API for AI agent integration.
+
+---
+
+## Table of Contents
+
+- [Features](#features)
+- [Screenshots](#screenshots)
+- [Quick Start](#quick-start)
+- [Stack](#stack)
+- [Comparison](#comparison)
+- [Project Structure](#project-structure)
+- [Configuration](#configuration)
+- [API Documentation](#api-documentation)
+- [Contributing](#contributing)
+- [License](#license)
+- [Related Projects](#related-projects)
+
+---
+
+## Features
+
+- **Rich WYSIWYG editor** — powerful visual editing with TipTap v3 + svelte-tiptap
+- **AI-native** — automatic chunking + vector embeddings (Ollama) on every save
+- **Semantic search** — hybrid full-text + pgvector search
+- **Folder hierarchy** — nested folders to organize your documents
+- **Sharing** — token-protected links with password, expiration, and guest access
+- **Import / Export** — support for Markdown (.md) files
+- **Agent-ready** — clean REST API for AI agents (Mastra compatible and others)
+- **Self-hosted** — full data ownership with minimal resource usage
+
+## Screenshots
+
+<!--
+  TODO: Add screenshots of the dashboard, editor, search, and dark mode.
+  Use 1200x675 (16:9) PNGs.
+  <img src="docs/screenshots/dashboard.png" width="100%" alt="hiai-docs dashboard with document grid" />
+-->
+
+---
+
+## Quick Start
+
+### Docker (Production-style)
+
+```bash
+git clone https://github.com/hiai-gg/hiai-docs.git
+cd hiai-docs
+cp .env.example .env
+# Edit .env with your settings
+
+docker compose up -d
+```
+
+Open http://localhost:50701
+
+## Agentic Quickstart (AI-Powered Setup)
+
+Don't want to run setup commands manually? Copy-paste this unified prompt into your AI assistant (OpenCode, Claude Code, Cursor, Copilot, etc.) and let it do the work:
+
+```text
+Set up and launch the hiai-docs project on my local system:
+1. Clone the repository at https://github.com/hiai-gg/hiai-docs (if not already cloned)
+2. Copy .env.example to .env
+3. Generate a secure random auth secret using openssl or a secure generator, and set it as BETTER_AUTH_SECRET in .env
+4. Install all dependencies with "bun install"
+5. Boot up the developer Docker container dependencies (Postgres, Redis, Ollama, MinIO) by running:
+   bun run docker:dev
+6. Generate and apply database migrations to setup schemas by running:
+   bun run db:push
+7. Spin up the application services (Elysia API and SvelteKit web) in development/watch mode:
+   bun run dev
+8. Verify health status by checking:
+   - SvelteKit Web UI: http://localhost:50701
+   - Elysia API Health: http://localhost:50700/api/health
+```
+
+### Local Development (Recommended for hacking)
+
+Two equivalent workflows — pick one. Both give you live-reload at http://localhost:50701.
+
+#### Option A — Hybrid (infra in Docker, api+web on host)
+
+This is the fastest dev loop. `bun run dev` runs `vite dev` (port 50701) and `bun --watch` for the api in parallel; both auto-reload on file changes.
+
+```bash
+# 1. Install JS deps once
+bun install
+
+# 2. Start infrastructure in Docker
+bun run docker:dev          # brings up postgres, redis, ollama, minio
+
+# 3. Push DB schema (one-time, or after schema changes)
+bun run db:push
+
+# 4. Start api + web on the host, with live reload
+bun run dev
+# vite dev → http://localhost:50701
+# api      → http://localhost:50700
+```
+
+Stop the infra when done: `bun run stop`
+
+#### Option B — Full Docker with live-reload bind mounts
+
+`docker-compose.dev.yml` mounts the source into the api/web containers, so editing a file on the host is picked up inside the container (vite HMR + bun --watch). Useful when you want everything isolated in Docker.
+
+```bash
+bun run docker:dev
+# Open http://localhost:50701
+```
+
+> The `web` and `api` services in `docker-compose.dev.yml` bind `./:/app`, so any edit on the host is reflected inside the container without rebuilding.
+
+### Why is port 50701 special?
+
+The frontend dev server is pinned to port 50701 in `frontend/vite.config.ts` with `strictPort: true`. That last flag is important: if 50701 is already taken (e.g. a stale container from a previous run), vite will **fail loudly** instead of silently falling back to 5173 — which would leave you staring at an old build at http://localhost:50701. If you see "port 50701 in use", run `docker compose down` (or `bun run stop`) and retry.
+
+### Troubleshooting
+
+- **Port 50701 already in use** — `docker compose down` to stop stale containers, then retry `bun run dev` or `bun run docker:dev`.
+- **Changes not showing up** — `bun run dev` already wires HMR. If running via Docker, confirm the bind mount is in `docker-compose.dev.yml` (not the prod `docker-compose.yml`, which builds an immutable image).
+- **`bun install` complains about the lockfile** — ensure `bun.lock` is in sync: `bun install`.
+- **Docker `web` build works without paraglide patches** — As of `@inlang/paraglide-js@2.x`, the `@inlang/sdk@2.x` rewrite no longer emits the `data:` URLs that triggered Bun's `NameTooLong` error. The old `sed` patch on `frontend/Dockerfile` was removed. i18n is now driven by `@inlang/paraglide-js@2.x` directly (the SvelteKit adapter is deprecated) via `paraglideVitePlugin` in `vite.config.ts` and `paraglideMiddleware` in `src/hooks.server.ts`.
+
+---
+
+## Stack
+
+| Layer | Technology |
+|-------|-----------|
+| Runtime | [Bun](https://bun.sh) 1.3.14+ |
+| Backend | [Elysia](https://elysiajs.com) 1.4.28+ |
+| ORM | [Drizzle ORM](https://orm.drizzle.team) 0.45.2+ |
+| Database | [PostgreSQL](https://postgresql.org) 18 + [pgvector](https://github.com/pgvector/pgvector) |
+| Cache | [Redis](https://redis.io) 8.6+ |
+| Auth | [Better Auth](https://better-auth.com) |
+| Frontend | [SvelteKit](https://kit.svelte.dev) 2.60+ |
+| UI | [shadcn-svelte](https://shadcn-svelte.com) (new-york style) |
+| Editor | [svelte-tiptap](https://github.com/sibiraj-s/svelte-tiptap) + [TipTap v3](https://tiptap.dev) |
+| Embeddings | [Ollama](https://ollama.ai) (configurable) |
+| Storage | [MinIO](https://min.io) (S3-compatible) |
+
+---
+
+## Comparison with other self-hosted solutions
+
+| Project            | Best For                              | hiai-docs vs them                              | License / Limitations                          |
+|--------------------|---------------------------------------|------------------------------------------------|------------------------------------------------|
+| **La Suite Docs**  | Government & teams, strong block editor | Much lighter and faster                        | MIT (fully unrestricted)                       |
+| **Outline**        | Teams with integrations               | Lighter + built-in RAG out of the box          | BSL 1.1 – free for self-hosting, restrictions on offering as hosted service |
+| **Docmost**        | Confluence / Notion replacement       | Simpler, faster, lower resource usage          | AGPL-3.0 (Community) – fully open, Enterprise features extra |
+| **Wiki.js**        | Markdown + Git sync                   | Better AI & semantic search                    | AGPL-3.0                                       |
+| **hiai-docs**      | **Lightweight AI-first vault**        | —                                              | MIT (fully unrestricted)                       |
+| **AFFiNE**         | Notion + whiteboard experience        | Much lighter, far lower overhead               | MIT (frontend) + restrictive EE license (backend) – production limits (10 users / 100 GB on free tier) |
+| **Trilium Notes**  | Personal knowledge + scripting        | Better sharing & semantic search               | AGPL-3.0                                       |
+| **SilverBullet**   | Extensible Markdown notes             | Better AI integration & sharing                | MIT                                            |
+
+**hiai-docs** sits in the **lightweight AI-first** niche — ideal when you want built-in embeddings, fast performance, and minimal resource consumption rather than heavy collaboration features or enterprise complexity.
+
+---
+
+## Project Structure
+
+```
+hiai-docs/
+├── backend/              # Elysia REST API
+│   ├── src/
+│   │   ├── api/          # Routes + middleware
+│   │   ├── lib/          # Shared utilities
+│   │   ├── embedding/    # Embedding pipeline
+│   │   └── index.ts      # Entry point
+│   ├── package.json
+│   └── tsconfig.json
+├── frontend/             # SvelteKit web UI
+│   ├── src/
+│   │   ├── routes/       # Pages
+│   │   ├── lib/          # Components + utils
+│   │   └── app.css       # Tailwind + theme
+│   ├── package.json
+│   └── svelte.config.js
+├── packages/db/          # Drizzle schema + migrations
+│   ├── src/
+│   │   ├── schema.ts     # Table definitions
+│   │   ├── migrations/   # SQL migrations
+│   │   └── index.ts      # DB client
+│   └── package.json
+├── docker-compose.yml    # Production Docker setup
+├── .env.example          # Environment template
+├── AGENTS.md             # Agent instructions
+├── README.md             # This file
+├── LICENSE               # MIT
+└── todo.md               # Development roadmap
+```
+
+---
+
+## Configuration
+
+All configuration via environment variables. Copy `.env.example` to `.env` and configure:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `DB_USER` | aiuser | PostgreSQL username |
+| `DB_PASSWORD` | changeme | PostgreSQL password |
+| `BETTER_AUTH_SECRET` | — | Auth secret (generate random) |
+| `BETTER_AUTH_URL` | http://localhost:50700 | Auth base URL |
+| `MINIO_ACCESS_KEY` | minioadmin | MinIO access key |
+| `MINIO_SECRET_KEY` | minioadmin | MinIO secret key |
+| `EMBEDDING_PROVIDER` | ollama | Embedding provider (ollama/openrouter/voyage) |
+| `EMBEDDING_MODEL` | nomic-embed-text | Embedding model name |
+| `OPENROUTER_API_KEY` | — | OpenRouter API key (fallback) |
+
+See `.env.example` for full list.
+
+---
+
+## API Documentation
+
+REST API available at `http://localhost:50700/api/`.
+
+Key endpoints:
+- `POST /api/documents` — Create document
+- `GET /api/documents/:id` — Get document with tags
+- `GET /api/search?q=query` — Hybrid full-text + semantic search
+- `POST /api/share` — Create share link
+- `GET /api/share/:token` — Access shared content (public)
+- `POST /api/documents/:id/attachments` — Upload image
+- `WS /ws/collab/:documentId` — Real-time collaborative editing
+
+Full API documentation available in [docs/API.md](docs/API.md).
+
+---
+
+## Contributing
+
+1. Fork the repository
+2. Create a feature branch (`git checkout -b feature/amazing`)
+3. Commit changes (`git commit -m 'feat: add amazing feature'`)
+4. Push to branch (`git push origin feature/amazing`)
+5. Open a Pull Request
+
+### Development Rules
+
+- **Bun only** — no npm/yarn
+- **ESM only** — no CommonJS
+- **TypeScript strict** — no `any`
+- **English only** — code, comments, docs, commits
+- **No Playwright** — use agent-browser for E2E
+
+---
+
+## License
+
+[MIT](LICENSE)
+
+---
+
+## Related Projects
+
+Part of the [HiAi](https://hiai.gg) open-source ecosystem:
+
+| Project | Description |
+|---------|-------------|
+| [hiai-opencode](https://github.com/hiai-gg/hiai-opencode) | AI coding agent |
+| [hiai-observe](https://github.com/hiai-gg/hiai-observe) | Observability platform |

package/RELEASE_CHECKLIST.md

@@ -0,0 +1,34 @@
+# Release Checklist - hiai-docs
+
+> Use this checklist for every release. Tick items as they are completed.
+
+## Pre-Release
+
+- [ ] **Bump version** — Update version in `package.json`, `backend/package.json`, `frontend/package.json`, `packages/db/package.json`
+- [ ] **Regenerate secrets** — Generate fresh values for `BETTER_AUTH_SECRET`, `CSRF_SECRET`, `WEBHOOK_SECRET`, `HIAI_DOCS_API_KEY`:
+      ```bash
+      openssl rand -hex 32   # repeat for each secret
+      ```
+- [ ] **Update `.env.example`** if any new env vars were added
+- [ ] **Run full typecheck** — `bun run typecheck` (0 errors)
+- [ ] **Run full test suite** — `bun test` (all passing)
+- [ ] **Run lint** — `bun run lint` in backend (0 errors)
+
+## Build
+
+- [ ] **Build Docker images** — `docker compose build` (both `api` and `web`)
+- [ ] **Verify Docker health** — `docker compose up -d && curl -fsS http://localhost:50700/api/health`
+- [ ] **Run DB migrations** — `docker compose exec api bun run db:migrate`
+
+## Release
+
+- [ ] **Commit and tag** — `git tag -a v<version> -m "v<version>"`
+- [ ] **Push** — `git push origin dev --tags`
+- [ ] **Create GitHub release** — Use the tag, include changelog summary
+- [ ] **Verify CI** — Confirm CI pipeline passes on GitHub Actions
+
+## Post-Release
+
+- [ ] **Deploy to staging** — Pull latest on staging host
+- [ ] **Smoke test** — Sign up, create doc, search, share, verify
+- [ ] **Deploy to production** — Pull latest on production host

package/SECURITY.md

@@ -0,0 +1,60 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in hiai-docs, please report it responsibly.
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Instead, please email: **hiai@webs.cool**
+
+### What to include
+
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+- Suggested fix (if any)
+
+### Response timeline
+
+- **Acknowledgment**: within 48 hours
+- **Initial assessment**: within 5 business days
+- **Fix or mitigation**: within 30 days for critical/high severity
+
+### Scope
+
+In-scope vulnerabilities include:
+
+- Authentication/authorization bypass
+- SQL injection or data leakage between users
+- Cross-site scripting (XSS) in rendered content
+- Remote code execution
+- Path traversal or file upload abuse
+- Rate limiting bypass on public endpoints
+- Exposure of secrets or credentials
+
+### Out of scope
+
+- Social engineering attacks
+- Denial of service (DoS)
+- Issues in third-party dependencies (report upstream)
+- Issues requiring physical access to the server
+
+## Security Architecture
+
+- **Data isolation**: All queries filter by `owner_id` — no cross-user data access
+- **Auth**: Better Auth with session cookies (7-day expiry) + optional API key (Bearer token)
+- **CSRF**: HMAC-signed double-submit cookie pattern on all unsafe methods
+- **Rate limiting**: Redis-based sliding window rate limiters on all public endpoints (search, documents, sharing, health)
+- **Sharing**: Token-based links with optional password + expiration
+- **Validation**: Zod schemas on all API inputs
+- **Secrets**: All configuration via environment variables, zero hardcoded secrets
+- **Encryption**: Passwords hashed with Bun.password (bcrypt)
+- **CSP**: Content Security Policy headers on all pages
+- **Webhook verification**: HMAC-SHA256 signature verification for MinIO webhooks

package/backend/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@hiai-docs/backend",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "license": "MIT",
+  "scripts": {
+    "dev": "bun run --watch src/index.ts",
+    "build": "bun build src/index.ts --outdir dist --target bun",
+    "start": "bun run dist/index.js",
+    "lint": "biome check src/",
+    "lint:fix": "biome check --fix src/",
+    "typecheck": "tsc --noEmit",
+    "test": "bun test --path-ignore-patterns='*node_modules*' src/ tests/"
+  },
+  "dependencies": {
+    "@elysiajs/cors": "^1.4.2",
+    "@elysiajs/swagger": "^1.3.1",
+    "@hiai-docs/db": "workspace:*",
+    "@tiptap/core": "^3.26.1",
+    "@tiptap/extension-highlight": "^3.26.1",
+    "@tiptap/extension-image": "^3.26.1",
+    "@tiptap/extension-link": "^3.26.1",
+    "@tiptap/html": "^3.26.1",
+    "@tiptap/starter-kit": "^3.26.1",
+    "better-auth": "^1.6.18",
+    "drizzle-orm": "^0.45.2",
+    "elysia": "^1.4.28",
+    "ioredis": "^5.11.1",
+    "marked": "^18.0.5",
+    "minio": "^8.0.7",
+    "nanoid": "^5.1.11",
+    "pino": "^10.3.1",
+    "postgres": "^3.4.9",
+    "yjs": "^13.6.31",
+    "zod": "^4.4.3"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.4.15",
+    "@types/bun": "^1.3.14",
+    "typescript": "^5.8.0"
+  }
+}