Welcome, esteemed developer, to the manual of commencement for this most sophisticated AI-First system. To ensure a seamless entry into our modular world, we have streamlined the setup process to be as elegant and straightforward as possible.
In keeping with our philosophy of efficiency, the entire system is designed to be brought to life through a single, authoritative command. This ensures that all components—from our NestJS API and FastAPI intellect to our high-performance Rust modules—awaken in perfect harmony.
To launch every service within the monolithic monorepo simultaneously, one simply needs to execute the following command from the root of the repository:
# Bring the entire system to life
docker-compose up -dThis command orchestrates the creation of all necessary containers, networks, and volumes, leaving the system in a state of ready poise.
Containers are based on alpine linux.
Should you wish only to awaken specific domains for focused development or testing, you may do so by appending the names of the desired services to the command. For example, to launch only the API and the AI inference engine:
# Awaken only the chosen services
docker-compose up -d api aiThis selective approach allows for a more prudent use of system resources during targeted endeavours.
Before one can issue these commands, it is essential that the local environment be prepared with the necessary .env files. Please refer to our Environments Guide for detailed instructions on the required variables and their preferred configurations.
This section maps every external credential used by the repo to its source.
These are created by you and stored in env files:
JWT_SECRET: generate your own random secret, for example withopenssl rand -hex 32AI_INTERNAL_API_KEY: generate your own shared secret betweenapiandaiINTERNAL_API_KEY: same value asAI_INTERNAL_API_KEYfor theaiserviceWHITELIST_ENVIRONMENTS: your own env list, not a provider keyEMAIL_VERIFICATION_BASE_URL: your own URL, not a provider keySTRIPE_SUCCESS_URL: your own frontend/backend success URLSTRIPE_CANCEL_URL: your own frontend/backend cancel URLGRAFANA_ADMIN_USER,GRAFANA_ADMIN_PASSWORD: local Grafana credentials you chooseMINIO_ROOT_USER,MINIO_ROOT_PASSWORD,MINIO_ACCESS_KEY,MINIO_SECRET_KEY: local MinIO credentials you choosePOSTGRES_USER,POSTGRES_PASSWORD,POSTGRES_DB,DATABASE_URL: local or infrastructure database credentials you chooseNATS_URL,AI_SERVICE_URL: internal service URLs, not vendor secrets
Variables:
GOOGLE_CLIENT_IDGOOGLE_CLIENT_SECRETGOOGLE_CALLBACK_URL
Official references:
Where to get them:
- Open Google Cloud Console.
- Go to
Google Auth platformorAPIs & Services -> Credentials. - Create an
OAuth client ID. - Choose
Web application. - Add your redirect URI:
- local example:
http://localhost:3000/api/v1/auth/google/callback - production example:
https://api.yourdomain.com/api/v1/auth/google/callback
- local example:
- Copy the generated
Client IDandClient Secret.
Put them into env:
GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
GOOGLE_CALLBACK_URL=http://localhost:3000/api/v1/auth/google/callbackVariables:
STRIPE_SECRET_KEYSTRIPE_WEBHOOK_SECRETSTRIPE_SUCCESS_URLSTRIPE_CANCEL_URL
Official references:
Where to get them:
- Open the Stripe Dashboard.
- In
Developers -> API keys, copy your secret key:- test starts with
sk_test_ - live starts with
sk_live_
- test starts with
- In
Developers -> Webhooks, create or open your webhook endpoint. - Reveal the endpoint signing secret:
- it usually starts with
whsec_
- it usually starts with
- Decide where Stripe should redirect the browser after checkout:
STRIPE_SUCCESS_URLSTRIPE_CANCEL_URL
Put them into env:
STRIPE_SECRET_KEY=sk_test_...
STRIPE_WEBHOOK_SECRET=whsec_...
STRIPE_SUCCESS_URL=http://localhost:3000/payments/success
STRIPE_CANCEL_URL=http://localhost:3000/payments/cancelImportant:
- this backend uses only the server-side secret key
- if you later add frontend Stripe Elements or client-side flows, you will also need Stripe publishable keys, but the current repo does not use them
Variables:
REVENUECAT_API_KEYREVENUECAT_WEBHOOK_SECRETREVENUECAT_AVAILABLE_PRODUCTS
Official references:
Where to get them:
- Open the RevenueCat dashboard.
- Open your project.
- Go to
Project settings -> API keys. - Create or copy a
Secret API keyfor backend use. - Go to
Integrations -> Webhooks. - Add your webhook endpoint URL:
- local tunnel example:
https://your-ngrok-url/api/v1/payments/revenuecat/webhook - production example:
https://api.yourdomain.com/api/v1/payments/revenuecat/webhook
- local tunnel example:
- Set an authorisation header value in RevenueCat for webhook calls and reuse that value as
REVENUECAT_WEBHOOK_SECRET. - Add your product identifiers to
REVENUECAT_AVAILABLE_PRODUCTS, comma-separated.
Put them into env:
REVENUECAT_API_KEY=rcb_...or_your_secret_key
REVENUECAT_WEBHOOK_SECRET=your-shared-webhook-secret
REVENUECAT_AVAILABLE_PRODUCTS=pro_monthly,pro_yearlyImportant:
- use a RevenueCat secret server key on the backend
- do not expose secret keys in the app or browser
- RevenueCat also has public SDK keys for mobile/web clients, but this repo currently reads only the backend secret key
Variables:
OPENAI_API_KEY
Official references:
Where to get it:
- Open the OpenAI platform dashboard.
- Create an API key on the API keys page.
- Copy it once and store it securely.
Put it into env:
OPENAI_API_KEY=sk-...Variables:
GEMINI_API_KEY
Official references:
Where to get it:
- Open Google AI Studio.
- Open
Projectsif needed and select or import a Google Cloud project. - Open
API Keys. - Create a Gemini API key.
Put it into env:
GEMINI_API_KEY=your-gemini-keyNotes:
- the project supports multiple Gemini keys separated by commas for rotation
- example:
GEMINI_API_KEY=key1,key2,key3
Variables:
OPENROUTER_API_KEY
Official references:
Where to get it:
- Open the OpenRouter dashboard.
- Create an API key.
- Optionally set a credit limit on the key.
Put it into env:
OPENROUTER_API_KEY=sk-or-v1-...Notes:
- the project supports multiple OpenRouter keys separated by commas
Variables:
ONESIGNAL_APP_IDONESIGNAL_REST_API_KEY
Official references:
Where to get them:
- Create or open your app in OneSignal.
- Configure the target platform.
- In the OneSignal dashboard, open app settings and copy:
App IDREST API Key
Variables:
MANDRILL_API_KEYMANDRILL_FROM_EMAILMANDRILL_FROM_NAME
Official references:
- Mailchimp Transactional quick start
- Mailchimp Transactional API reference
- Mailchimp email authentication
Where to get them:
- Open Mailchimp Transactional.
- Go to settings and create a new API key.
- Verify the sender e-mail or sending domain you want to use.
- Set
MANDRILL_FROM_EMAILto that verified sender.
Variables:
MINIO_ROOT_USERMINIO_ROOT_PASSWORDMINIO_ACCESS_KEYMINIO_SECRET_KEYMINIO_BUCKET
Where to get them:
- for local Docker setup, you choose them yourself
- if you later switch from local MinIO to a managed S3-compatible storage, those credentials will come from that provider instead
If you want the shortest possible checklist, these are the keys most teams actually need to collect from vendor dashboards:
- Google:
GOOGLE_CLIENT_ID,GOOGLE_CLIENT_SECRET - Stripe:
STRIPE_SECRET_KEY,STRIPE_WEBHOOK_SECRET - RevenueCat:
REVENUECAT_API_KEY,REVENUECAT_WEBHOOK_SECRET - OpenAI:
OPENAI_API_KEY - Gemini:
GEMINI_API_KEY - OpenRouter:
OPENROUTER_API_KEY - OneSignal:
ONESIGNAL_APP_ID,ONESIGNAL_REST_API_KEY - Mandrill:
MANDRILL_API_KEY
The api service now includes:
GET /api/v1/notifications/onesignal/auth-hash- event-driven notification processing for:
auth.email_verificationauth.loginauth.registration_completepayment.subscription_purchased
Current behaviour:
- on registration: sends email verification email
- on login: sends push + e-mail notification
- on successful email verification: sends push + e-mail welcome notification
- on
payment.subscription_purchased: sends push + e-mail payment confirmation
Add these values to root .env and, if you run NestJS directly, to api/.env:
ONESIGNAL_APP_ID=
ONESIGNAL_REST_API_KEY=
MANDRILL_API_KEY=
MANDRILL_FROM_EMAIL=hello@example.com
MANDRILL_FROM_NAME=The Project
EMAIL_VERIFICATION_BASE_URL=http://localhost:3000/api/v1/auth/verify_emailWhat this backend uses from OneSignal:
ONESIGNAL_APP_IDONESIGNAL_REST_API_KEY
Official references:
Where to get them:
- Create or open your app in OneSignal.
- Configure the platform you actually need:
- Web Push for browser notifications
- iOS for APNS
- Android for FCM
- In the OneSignal dashboard open your app settings and copy:
App IDREST API Key
- Put them into
.envas:
ONESIGNAL_APP_ID=your-app-id
ONESIGNAL_REST_API_KEY=your-rest-api-keyBackend usage:
- the server sends push notifications through OneSignal REST API
- the server targets users by
external_id = user.id - the protected endpoint
GET /api/v1/notifications/onesignal/auth-hashreturns:app_idexternal_idhash
Example response:
{
"app_id": "01234567-89ab-cdef-0123-456789abcdef",
"external_id": "2d1f8f6b-4e41-4e59-b2ff-63b8f6188de2",
"hash": "7d4f2f7e6f8d70b6f0db7e8f3d4ce5ad0d7747f1309a2e5f5f9b1cb3361a8a12"
}Frontend integration example:
const token = '<JWT_TOKEN>';
const authRes = await fetch('http://localhost:3000/api/v1/notifications/onesignal/auth-hash', {
headers: {
Authorization: `Bearer ${token}`,
},
});
const auth = await authRes.json();
await OneSignal.init({
appId: auth.app_id,
});
await OneSignal.login(auth.external_id);Important:
- this project follows the contract from
docs/NOTIFICATIONS.mdand exposes theauth-hashendpoint - the latest OneSignal identity-verification flow may use JWT-based verification on the client/platform side, but the current project contract remains HMAC hash based
- if you use web push, you must also finish the site setup inside OneSignal and install their SDK in the frontend app
What this backend uses from Mandrill:
MANDRILL_API_KEYMANDRILL_FROM_EMAILMANDRILL_FROM_NAME
Official references:
- Mailchimp Transactional API quick start
- Mailchimp Transactional API reference
- Mailchimp email domain authentication
Where to get them:
- Open Mailchimp Transactional / Mandrill.
- Create an API key.
- Verify the sender identity or domain you want to send from.
- Put the values into
.env:
MANDRILL_API_KEY=your-api-key
MANDRILL_FROM_EMAIL=hello@yourdomain.com
MANDRILL_FROM_NAME=Your Product NameBackend usage:
- the server sends email via
https://mandrillapp.com/api/1.0/messages/send - verification emails use
EMAIL_VERIFICATION_BASE_URL
Example:
EMAIL_VERIFICATION_BASE_URL=https://api.yourdomain.com/api/v1/auth/verify_emailIf your frontend has a dedicated verify-email page, point this variable there instead, for example:
EMAIL_VERIFICATION_BASE_URL=https://app.yourdomain.com/verify-emailThen make that page forward the token to the backend endpoint.
- Fill the notification env variables.
- Start the stack with
docker-compose up -d. - Register a new user through Swagger or the API.
- Confirm that:
- a Mandrill email send attempt happens on
auth.email_verification GET /api/v1/notifications/onesignal/auth-hashreturns data for an authorised user
- a Mandrill email send attempt happens on
- Login with the same user.
- Confirm that login triggers:
- OneSignal push send attempt
- Mandrill e-mail send attempt
- Trigger RevenueCat webhook with
SUBSCRIPTION_PURCHASEDand confirm the purchase notification path.
Start everything:
cd docker
docker-compose up -dStart only API + AI:
cd docker
docker-compose up -d api aiRun API e2e tests through Docker profile:
cd docker
docker-compose -f docker-compose.test.yml up --build --abort-on-container-exit e2e-testsReset local artefacts:
./scripts/resetShould the system require a complete reset or a "pruning of the hedges," our scripts/reset utility is at your disposal for clearing temporary directories and build artifacts. For more persistent issues, pray, consult our Support Documentation.
May your deployment be swift and your system remain ever splendid.