diff --git a/.cleanignore b/.cleanignore new file mode 100644 index 0000000..4f007b0 --- /dev/null +++ b/.cleanignore @@ -0,0 +1,36 @@ +# Paths to exclude from the clean branch +# One path per line. Directories end with / +# Lines starting with # are comments + +# Claude Code artifacts (everywhere in the repo) +.claude/ +**/.claude/ + +# Management workspace — not part of the product +features/ + +# Marketing and presentations +presentation.html + +# Not shipping in 0.10 — zero readiness +services/calendar-service/ + +# Not shipping in 0.10 — not properly tested +services/telegram-bot/ + +# Dashboard development artifacts +services/dashboard/agent-flow.js +services/dashboard/agent-inspect.js +services/dashboard/auth-validate.js +services/dashboard/auth-validate2.js +services/dashboard/auth-validate3.js +services/dashboard/auth-validate-final.js +services/dashboard/check-pages.js +services/dashboard/deliver-validate.js +services/dashboard/deliver-validate.ts +services/dashboard/feature-validate.js +services/dashboard/test-agent-panel.mjs +services/dashboard/docs/screenshots/ + +# Orphaned docs +docs/tests/ diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..9d05b6a --- /dev/null +++ b/.dockerignore @@ -0,0 +1,4 @@ +hub/ +.git/ +**/__pycache__/ +**/*.pyc diff --git a/.env b/.env new file mode 100644 index 0000000..d0f8ca6 --- /dev/null +++ b/.env @@ -0,0 +1,117 @@ +# --------------------------------------------------------------------------- +# Base de données externe (Supabase) +# Project Settings → Database → Connection string +# --------------------------------------------------------------------------- +DB_HOST=aws-0-eu-west-1.pooler.supabase.com +DB_PORT=5432 +DB_NAME=postgres +DB_USER=postgres.ogjzkmbvorbcdbfltiib +DB_PASSWORD=o2FeWHSz04kgVRL4 +DB_SSL_MODE=require + +# --------------------------------------------------------------------------- +# Secrets (générer chacun avec : openssl rand -hex 32) +# --------------------------------------------------------------------------- + +# Token pour les endpoints /admin/* de admin-api (header X-Admin-API-Key) +ADMIN_API_TOKEN=3209a9a3af263757e2803625ff7c5931c7f2d61c37aaf9629cd888fd172b553d68 +ADMIN_TOKEN=5622b7e0de1a38e613ba8442231120fb3b94e49ec427abaacf629ad8ac440a81 +# Secret partagé entre admin-api et api-gateway pour /internal/validate +# DOIT être identique dans les deux services +INTERNAL_API_SECRET=a499796b63273356f599a5d592a1c4d0af8009ecd1f6d1729235331197639ffa + +# Token partagé entre meeting-api et runtime-api +RUNTIME_API_TOKEN=408fdf4e7e80f015f6ceb2da182a70d9439e1504c613dd9044ec8eba2cfd4bc2 + +# Token read-only pour les endpoints analytics (optionnel) +# ANALYTICS_API_TOKEN= + +# --------------------------------------------------------------------------- +# Bot +# --------------------------------------------------------------------------- +# En prod (image publique) : +BOT_IMAGE_NAME=vexaai/vexa-bot:latest + +# URL callback baked dans la config des bots spawned +# En local (réseau interne Docker) : +MEETING_API_URL=http://meeting-api:8080 +# En prod : +# MEETING_API_URL=https://cr-meet.ashia.sn + +# --------------------------------------------------------------------------- +# Services optionnels +# La gateway démarre avec ces URLs fictives si les services ne sont pas déployés. +# Les endpoints /transcripts et /mcp retourneront des erreurs à l'usage. +# --------------------------------------------------------------------------- + TRANSCRIPTION_COLLECTOR_URL=http://meeting-api:8080 + TRANSCRIPTION_SERVICE_URL=http://transcription:8083/v1/audio/transcriptions + +# --------------------------------------------------------------------------- +# Divers +# --------------------------------------------------------------------------- +LOG_LEVEL=INFO +CORS_ORIGINS=* +BOT_STOP_DELAY_SECONDS=90 +VEXA_ENV=development # désactive /docs et /openapi.json sur admin-api + +# --------------------------------------------------------------------------- +# Divers +# --------------------------------------------------------------------------- +# Model configuration +MODEL_SIZE=medium + +# Available models (all multilingual): +# - tiny, base, small, medium, large-v2, large-v3, large-v3-turbo +# +# Recommended: large-v3-turbo + INT8 +# - GPU VRAM: ~2.1 GB (validated) +# - Quality: Excellent (95-98% accuracy) +# - Speed: Very fast (>10x real-time) +# - Multilingual: 99+ languages + +# Device configuration +# DEVICE=cuda # For GPU (default) + DEVICE=cpu # For CPU-only + +# Compute type (optimization) + COMPUTE_TYPE=int8 # Default: 50-60% VRAM reduction, 2-4x CPU speedup, minimal accuracy loss +# COMPUTE_TYPE=float16 # GPU only: Maximum speed, higher VRAM usage (~6-8 GB) + +# CPU optimization (only used when DEVICE=cpu) +# CPU_THREADS=4 # Set to number of physical CPU cores (0 = auto-detect) + +# Load management / backpressure +# These control how the service behaves under load. +# Recommended for WhisperLive streaming: FAIL_FAST_WHEN_BUSY=true +MAX_CONCURRENT_TRANSCRIPTIONS=2 # Max concurrent model calls per worker +MAX_QUEUE_SIZE=10 # Max requests waiting (ignored when FAIL_FAST_WHEN_BUSY=true) +FAIL_FAST_WHEN_BUSY=true # Return 503 immediately when busy (lets WhisperLive keep buffering/coalescing) +BUSY_RETRY_AFTER_S=1 # Retry-After header value (seconds) for busy/overload responses + +# Quality parameters (derived from WhisperLive best practices) +# These parameters improve transcription quality and accuracy +BEAM_SIZE=5 # Beam size: 1 = greedy (fast), 5 = beam search (better quality, slower) +BEST_OF=5 # Number of candidates when sampling with non-zero temperature +COMPRESSION_RATIO_THRESHOLD=1.8 # If gzip compression ratio > this, treat as failed (hallucination detection) - lowered to catch repetitions +LOG_PROB_THRESHOLD=-1.0 # If avg log probability < this, treat as failed +NO_SPEECH_THRESHOLD=0.6 # If no_speech_prob > this AND log_prob < threshold, consider silent +CONDITION_ON_PREVIOUS_TEXT=false # Use previous output as prompt for next window - DISABLED to prevent repetition loops +PROMPT_RESET_ON_TEMPERATURE=0.3 # Reset prompt if temperature > this (prevents stuck loops) - lowered for more aggressive reset +REPETITION_PENALTY=1.1 # Penalize repeated tokens (>1.0 = penalize). Prevents "they are saying they are saying..." +NO_REPEAT_NGRAM_SIZE=3 # Hard-block any 3-word phrase from repeating + +# VAD (Voice Activity Detection) parameters +VAD_FILTER=true # Enable VAD to filter out non-speech audio +VAD_FILTER_THRESHOLD=0.5 # VAD onset threshold (0-1): higher = less sensitive to noise +VAD_MIN_SILENCE_DURATION_MS=160 # Minimum silence duration in milliseconds + +# Temperature fallback chain (for quality improvement) +# Uses multiple temperatures and falls back if compression_ratio or log_prob thresholds are exceeded +USE_TEMPERATURE_FALLBACK=true # Enable temperature fallback chain [0.0, 0.2, 0.4, 0.6, 0.8, 1.0] + +# API Token for securing the service +# This token must match TRANSCRIPTION_SERVICE_API_TOKEN in the gateway +# If not set, service will accept all requests (not recommended for production) + +API_TOKEN=271f1e185abcebdf7f610b95d388d7ce3fe7a3a7c28c565cc88ad51a165198c6 + diff --git a/.gitguardian.yml b/.gitguardian.yml new file mode 100644 index 0000000..1788689 --- /dev/null +++ b/.gitguardian.yml @@ -0,0 +1,88 @@ +# GitGuardian configuration +# See: https://docs.gitguardian.com/ggshield-docs/reference/gitguardian-yaml + +secret: + # Paths that contain test fixtures, example files, and dev configs — not real secrets + ignored-paths: + - "**/tests/**" + - "**/test_*" + - "**/conftest.py" + - "**/*.test.*" + - "**/testdata/**" + - "deploy/env-example" + - "features/**/tests/**" + - "tests2/**" + - "tests3/**" + # Backup env files (deleted from tree, exist only in git history) + - ".env.backup" + - "deploy/compose/.env.bak" + # Notebook test fixtures with test API keys + - "packages/vexa-client/tests.ipynb" + - "packages/vexa-client/tests/tutorial.ipynb" + # Example/template files with placeholder credentials + - "**/.pypirc.example" + # Dashboard validation scripts with test tokens + - "services/dashboard/agent-inspect.js" + - "services/dashboard/agent-flow.js" + - "services/dashboard/auth-validate*.js" + - "services/dashboard/feature-validate.js" + + # Known test/dev patterns that are not real secrets + ignored-matches: + # Test admin tokens (hardcoded in test fixtures) + - name: "test-admin-token" + match: "test-admin-token*" + - name: "changeme-default" + match: "changeme" + + # Test API key prefixes (fake tokens in unit tests) + - name: "test-vxa-bot-tokens" + match: "vxa_bot_abc*" + - name: "test-vxa-bot-testkey" + match: "vxa_bot_testkey*" + - name: "test-vxa-user-tokens" + match: "vxa_user_*" + + # Chrome password-store flag (not a secret) + - name: "chrome-password-store" + match: "password-store=basic" + + # Helm chart template placeholders + - name: "helm-changeme" + match: "CHANGE_ME" + + # vexa-internal-secret default (used in dev only) + - name: "internal-secret-default" + match: "vexa-internal-secret" + + # staging admin token (dev-only, not production) + - name: "staging-admin-token" + match: "staging-admin-token" + + # test-admin-token-t3 (tests3 test cluster) + - name: "test-cluster-token" + match: "test-admin-token-t3" + + # Dev-only default database password (postgres:postgres for local dev) + - name: "dev-postgres-password" + match: "POSTGRES_PASSWORD=postgres" + - name: "dev-db-password" + match: "DB_PASSWORD=postgres" + - name: "dev-db-password-value" + match: "password: \"postgres\"" + - name: "dev-db-url-password" + match: "postgres:postgres@" + + # Dev-only MinIO defaults (non-production) + - name: "dev-minio-access-key" + match: "vexa-access-key" + - name: "dev-minio-secret-key" + match: "vexa-secret-key" + + # Dev-only JWT secret + - name: "dev-jwt-secret" + match: "vexa-dev-jwt-secret" + + # PyPI example placeholder + - name: "pypi-placeholder" + match: "your-pypi-api-token-here" diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..581bf00 --- /dev/null +++ b/.gitignore @@ -0,0 +1,173 @@ +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +!packages/transcript-rendering/dist/ +downloads/ +eggs/ +.eggs/ +lib/ +!services/dashboard/src/lib/ +!tests3/lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +.hypothesis/ +.pytest_cache/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +.python-version + +# celery beat schedule file +celerybeat-schedule + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +!deploy/env-example +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# IDE specific files +.idea/ +.vscode/ +*.swp +*.swo + +# Project specific +model_weights/ +*.pt +*.pth + +# Node +node_modules/ + +# Docker +.docker/ +docker-volumes/ +.last-tag + + +hub/ + +*.mp3 + +# Service directories that should not be tracked +services/vexa-bot-zoom-sdk/ + +# Image files +*.png + +# WhisperLive optimization outputs +data/ +results/ +test_data/ +*.wav +!tests/testdata/test-speech-en.wav +*.webm +*.mp4 +*.txt +!**/requirements.txt +manifest.csv +docker-compose.override.yml +.env.test +hub +test.log +.worktrees/ +secrets/ + +# tests3: per-deployment state (VM IPs, tokens, kubeconfigs, per-run reports). +# Credentials live here. Never commit. +tests3/.state +tests3/.state-lite +tests3/.state-compose +tests3/.state-helm + +tests3/.current-stage \ No newline at end of file