Workspaces

echo/.devcontainer/devcontainer.json

@@ -1,7 +1,7 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/universal
 {
-  "name": "dembrane/echo",
+  "name": "dembrane",
   // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
   // "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
   "dockerComposeFile": "docker-compose.yml",
@@ -49,8 +49,8 @@
     "5432": {
       "label": "postgres"
     },
-    "9001": {
-      "label": "minio-ui"
+    "2222": {
+      "label": "ssh"
     }
   },
   // Configure tool-specific properties.

echo/.devcontainer/docker-compose.yml

@@ -21,22 +21,6 @@ services:
     networks:
       - dembrane-network
 
-  neo4j:
-    image: neo4j:5.26.16-community
-    restart: unless-stopped
-    volumes:
-      - ./neo4j_data/logs:/logs
-      - ./neo4j_data/config:/config
-      - ./neo4j_data/data:/data
-      - ./neo4j_data/plugins:/plugins
-    ports:
-      - 7474:7474 # Neo4j Browser
-      - 7687:7687 # Neo4j Bolt protocol
-    environment:
-      - NEO4J_AUTH=neo4j/admin@dembrane
-    networks:
-      - dembrane-network
-
   directus:
     build:
       context: ../directus
@@ -104,6 +88,7 @@ services:
       - 8000:8000
       - 5173:5173
       - 5174:5174
+      - 2222:22
     environment:
       - DIRECTUS_SECRET=secret
       - DIRECTUS_TOKEN=admin
@@ -120,9 +105,6 @@ services:
       - STORAGE_S3_SECRET=dembrane
       - STORAGE_S3_BUCKET=dembrane
       - STORAGE_S3_ENDPOINT=http://minio:9000
-      - NEO4J_URI=bolt://neo4j:7687
-      - NEO4J_USERNAME=neo4j
-      - NEO4J_PASSWORD=admin@dembrane
 
     volumes:
       - ../..:/workspaces:cached
@@ -134,7 +116,6 @@ services:
     depends_on:
       - postgres
       - redis
-      - neo4j
 
 networks:
   dembrane-network:

echo/.devcontainer/setup.sh

@@ -247,6 +247,66 @@ install_server_deps() {
     fi
 }
 
+install_ssh_server() {
+    if command_exists sshd && [ -f /etc/ssh/sshd_config ]; then
+        log_info "openssh-server already installed"
+    else
+        ensure_apt_packages openssh-server
+        log_info "openssh-server installed"
+    fi
+
+    # Generate host keys if missing
+    if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+        log_info "Generating SSH host keys..."
+        ssh-keygen -A
+    fi
+
+    # Ensure /var/run/sshd exists (required for sshd to start)
+    mkdir -p /var/run/sshd
+
+    # Configure sshd: allow root login (dev container runs as root),
+    # enable password auth for first-time setup, permit public key auth.
+    local sshd_config="/etc/ssh/sshd_config.d/99-devcontainer.conf"
+    cat > "$sshd_config" <<'CONF'
+# Devcontainer SSH config
+Port 22
+PermitRootLogin yes
+PasswordAuthentication yes
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+PermitEmptyPasswords no
+X11Forwarding yes
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+PrintMotd no
+UsePAM yes
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+CONF
+
+    # Set a default root password so initial SSH works
+    # (override in your own setup with ssh-copy-id to switch to key auth)
+    if ! passwd -S root 2>/dev/null | grep -q "^root P "; then
+        log_info "Setting default root password (change after first login)"
+        echo 'root:dembrane' | chpasswd
+    fi
+
+    # Ensure .ssh dir exists for authorized_keys
+    mkdir -p /root/.ssh
+    chmod 700 /root/.ssh
+    touch /root/.ssh/authorized_keys
+    chmod 600 /root/.ssh/authorized_keys
+
+    # Start sshd (not systemd-managed in container — run directly)
+    if pgrep -x sshd > /dev/null; then
+        log_info "sshd already running"
+    else
+        log_info "Starting sshd..."
+        /usr/sbin/sshd
+    fi
+    log_info "SSH server ready on port 22 (user: root, password: dembrane)"
+}
+
 install_postgresql_client() {
     if command_exists psql && psql --version | grep -q "psql (PostgreSQL) 16"; then
         log_info "PostgreSQL client 16 already installed: $(psql --version)"
@@ -289,6 +349,7 @@ Options:
   --skip-server       Skip server dependency installation
   --skip-python       Skip managed Python setup for uv
   --skip-postgres     Skip PostgreSQL client installation
+  --skip-ssh          Skip SSH server installation
 
 Environment overrides:
   NODE_VERSION (default: ${NODE_VERSION})
@@ -305,6 +366,7 @@ parse_args() {
     SKIP_SERVER="false"
     SKIP_PYTHON="false"
     SKIP_POSTGRES="false"
+    SKIP_SSH="false"
 
     while [[ $# -gt 0 ]]; do
         case "$1" in
@@ -340,6 +402,10 @@ parse_args() {
                 SKIP_POSTGRES="true"
                 shift
                 ;;
+            --skip-ssh)
+                SKIP_SSH="true"
+                shift
+                ;;
             *)
                 log_error "Unknown option: $1"
                 show_help
@@ -412,6 +478,12 @@ main() {
         log_info "Skipping PostgreSQL client installation"
     fi
 
+    if [ "$SKIP_SSH" = "false" ]; then
+        install_ssh_server
+    else
+        log_info "Skipping SSH server installation"
+    fi
+
     if [ "$SKIP_FRONTEND" = "false" ]; then
         install_frontend_deps
     else

echo/.gitignore

@@ -32,4 +32,4 @@ echo-gitops/
 
 cypress/reports/
 
-cookies.txt
+cookies.txtscripts/__pycache__/

echo/.vscode/sessions.json

@@ -1,7 +1,7 @@
 {
     "$schema": "https://cdn.statically.io/gh/nguyenngoclongdev/cdn/main/schema/v11/terminal-keeper.json",
     "active": "default",
-    "keepExistingTerminals": false,
+    "keepExistingTerminals": true,
     "sessions": {
         "default": [
             {

echo/CLAUDE.md

@@ -0,0 +1,117 @@
+# CLAUDE.md
+
+Rules and conventions for working on the ECHO codebase. Follow these precisely.
+
+## Directus Rules (Critical)
+
+**Never hand-write Directus sync/snapshot JSON files.** To create or modify Directus collections:
+
+1. Write a Python script (e.g., `scripts/create_schema.py`) that uses the Directus REST API (`POST /collections`, `POST /fields`, `POST /relations`) with the admin token
+2. Make scripts idempotent (check `collection_exists()` / `field_exists()` before creating)
+3. Run the script step-by-step to verify each change
+4. After all changes, pull the schema: `cd directus && bash sync.sh -u http://directus:8055 -e admin@dembrane.com -p admin pull`
+5. Commit the sync output (the JSON files in `directus/sync/snapshot/`)
+
+See `scripts/create_schema.py` for the established pattern (Session 2 workspaces schema).
+
+### Python DirectusClient
+
+- `create_item` / `update_item` return `{"data": {...}}` — **MUST** unwrap with `["data"]`
+- `get_items` / `get_item` return data directly (no wrapper)
+- `get_items` requires `{"query": {filter, fields, sort, ...}}` wrapper
+- `search()` silently returns `{"error": "..."}` on failure — always validate return is a list before iterating
+
+```python
+# CORRECT
+new = client.create_item("collection", {...})["data"]
+items = client.get_items("collection", {"query": {"filter": {...}}})
+if not isinstance(items, list):
+    items = []
+
+# WRONG — missing ["data"] unwrap
+new = client.create_item("collection", {...})
+# WRONG — missing "query" wrapper
+items = client.get_items("collection", {"filter": {...}})
+```
+
+### TypeScript Directus SDK
+
+- Auto-unwraps everything — no `["data"]` needed
+- If there's a type error with `<relationship>.count`, add it to `typesDirectus.d.ts` and use `count("<relationship>")` in fields
+
+See `memory/directus-rules.md` for comprehensive patterns.
+
+## Brand & UI Copy
+
+Follow `brand/STYLE_GUIDE.md` for all user-facing text:
+
+- **Never say "AI"** — use "language model" or just describe the action ("Generating your report..." not "Generating report with AI...")
+- **Never say "successfully"** — just state what happened ("Saved" not "Successfully saved")
+- **"dembrane" always lowercase**, even at sentence start
+- **Never use bold for emphasis** — use Royal Blue (#4169e1) or italics
+- Say "participants/hosts" not "users"
+- Dutch translations: use informal "je/jij" form, keep English terms when they sound better (Dashboard, Upload, Chat)
+
+## UI Rules
+
+- **Never stack multiple Alert components** — show either the error alert or the info alert, not both
+- **Don't use `@mantine/charts`** — use better charting libraries
+- **Loading spinners**: always use `alwaysDembrane` prop on `DembraneLoadingSpinner` for whitelabel safety; never `animate-spin` on custom logos
+- **Show emails only on hover** — don't display them by default in lists
+- **Conversations come from QR codes or uploads** — never add "new conversation" buttons in the UI
+- **Prefer text buttons over icon-only buttons** for important actions (e.g., "Go full screen" should be a text button)
+
+## Architecture Preferences
+
+- **BFF pattern**: move frontend Directus SDK calls to backend `/bff/` routes. Frontend should call aggregated API endpoints, not make multiple Directus queries
+- **URL-driven state**: use URL search params (not React state) so state is shareable and persistent
+- **SSE for progress**: use Server-Sent Events + Redis pub/sub for real-time progress (report generation, health streams)
+- **No asyncio in Dramatiq actors**: use gevent pools + dramatiq groups instead. Report generation is fully synchronous
+- **gevent.pool.Pool only in `network` queue** (uses `dramatiq-gevent`). CPU queue runs standard dramatiq
+- **Use `gevent.sleep()` not `time.sleep()`** in network-queue actors
+
+## LLM Model Groups
+
+- `MULTI_MODAL_PRO` (Gemini 2.5 Pro) — chat, report generation, transcript correction. **Do not downgrade chat to Flash.**
+- `MULTI_MODAL_FAST` (Gemini 2.5 Flash) — suggestions, verification, stateless endpoints, lightweight tasks
+- `TEXT_FAST` (Azure GPT-4.1) — being deprecated, migrating to Gemini
+- Report prompt templates are written IN the target language (not just instructing the LLM to write in that language)
+
+## Translations
+
+```bash
+cd frontend
+pnpm messages:extract    # Extract new strings to .po files
+# Edit .po files in src/locales/ (en-US, nl-NL, de-DE, fr-FR, es-ES, it-IT)
+pnpm messages:compile    # Compile for production
+```
+
+Use `<Trans>` component or `` t` `` template literal from Lingui.
+
+## Branching Strategy & Deployment
+
+See [docs/branching_and_releases.md](docs/branching_and_releases.md) for the full guide.
+
+Quick reference:
+- **Feature flow**: branch off `main` → (optional) merge to `testing` for testing → PR to `main` → auto-deploys to Echo Next
+- **Releases**: tagged from `main` every ~2 weeks → auto-deploys to production
+- **Hotfixes**: branch off release tag → fix → new release → cherry-pick into main
+- Always check for Directus data migrations before deploying (see `docs/database_migrations.md`)
+
+## Transcription
+
+- AssemblyAI `universal-3-pro` supports: en, es, pt, fr, de, it
+- Dutch ("nl") requires `universal-2` fallback — `universal-3-pro` does NOT support it
+- Production uses webhook mode (`ASSEMBLYAI_WEBHOOK_URL`), polling is only a fallback
+
+## Dramatiq Tasks
+
+- Restart workers after changing task signatures (positional args are serialized)
+- `SkipRetryOnUnrecoverableError` middleware skips retries for TypeError, SyntaxError, AttributeError, ImportError, NotImplementedError
+- When invoking async code from Dramatiq actors, use `run_async_in_new_loop` from `dembrane.async_helpers`
+
+## Project Management
+
+- Linear for issue tracking — tickets are `ECHO-xxx`
+- Two-week cycles/sprints
+- GitOps repo: `dembrane/echo-gitops` (separate repo)

echo/directus/.env.sample

@@ -13,4 +13,9 @@ EMAIL_SMTP_PORT=587
 EMAIL_SMTP_USER=""
 EMAIL_SMTP_PASSWORD=""
 EMAIL_SMTP_SECURE=false
-EMAIL_SMTP_IGNORE_TLS=false
+EMAIL_SMTP_IGNORE_TLS=false
+# URL allow lists (Directus 11 requires these for auth redirect flows).
+# Comma-separated. Add production + staging + local dev URLs.
+PASSWORD_RESET_URL_ALLOW_LIST="https://dashboard.dembrane.com/password-reset"
+USER_REGISTER_URL_ALLOW_LIST="https://dashboard.dembrane.com/verify-email"
+USER_INVITE_URL_ALLOW_LIST="https://dashboard.dembrane.com/accept-invite"