openalicelabs · semantic index

Search

One paraphrase-friendly query across every @feature block, repo summary, manifest goal, museum achievement, knowledge note, and lab digest. Ask in plain language — BAAI/bge-m3 ranks the closest matches by cosine similarity across all six domains at once.

0 hits

972ms · BGE-M3 1024d cosine
  • feature
    71%
    auth.oauth.youtube_start
    openalice-platform · auth/oauth · crates/identity/src/handlers/oauth.rs:113

    Begin a YouTube (Google) OAuth flow — generates a state nonce, persists it server-side, returns the Google authorize URL the client should redirect to. The callback will create a `chat_sources` row with the user's refresh + access tokens.

  • feature
    60%
    auth.token.refresh
    openalice-platform · auth/tokens · crates/identity/src/handlers/session.rs:29

    Exchange a refresh token for a fresh access+refresh JWT pair (rotation).

  • feature
    56%
    auth.user.login
    openalice-platform · auth/users · crates/identity/src/handlers/login.rs:74

    Verify email+password and issue access+refresh JWT pair.

  • feature
    54%
    auth.sessions.revoke
    openalice-platform · auth/sessions · crates/identity/src/handlers/session.rs:230

    Revoke a specific refresh-token session by id. Marks the row revoked and blacklists its current jti so the next /auth/refresh from that device fails. Existing access tokens on that device survive until natural expiry (≤1h).

  • feature
    54%
    auth.mfa.setup
    openalice-platform · auth/mfa · crates/identity/src/handlers/mfa.rs:21

    Begin MFA enrollment — generates a fresh TOTP secret, stores it ENCRYPTED at rest (AES-256-GCM, mfa_secret_encrypted; the legacy plaintext mfa_secret column is no longer written and is NULLed), NOT yet enabled, and returns the secret + otpauth URL so the client can render a QR. Re-running before /auth/mfa/verify rotates the secret. Idempotent against an already-enabled user — returns 409 so the client tells the user to disable first.

  • feature
    53%
    auth.sessions.list
    openalice-platform · auth/sessions · crates/identity/src/handlers/session.rs:188

    List the authenticated user's active refresh-token sessions (one per browser/device login). Each row carries user_agent, created_at, last_used_at, and a `current` flag marking the device this request came from.

  • repo
    53%
    openalice-ml-gateway

    ML Gateway — API key auth, rate limiting, and usage tracking in front of embed/rerank/NER backends.

  • knowledge
    53%
    Streaming product modularization wave — overnight blitz 2026-05-23
    learnings/2026-05-23-streaming-product-modularization-wave · 2026-05-23

    13 refactor waves + 1 ecosystem fix landed in a single overnight session (~6h wall clock). Roughly **22,000 LOC** of monolithic Rust/TypeScript reshaped into **~90 focused submodules** across **13 rep

  • feature
    52%
    auth.user.register
    openalice-platform · auth/users · crates/identity/src/handlers/register.rs:24

    Register a new user with email + username + password (Argon2id), returns access+refresh JWT pair.

  • feature
    52%
    auth.broadcast_config.put
    openalice-platform · auth/broadcast · crates/identity/src/handlers/config.rs:288

    Upsert the user's studio broadcast config. Validates preset_id against the @openalicelabs/presets allowlist; rejects unknown ids with 400. Returns the persisted row so the client can mirror updated_at.

  • feature
    52%
    auth.realtime.chat_event
    openalice-platform · auth/realtime · crates/identity/src/handlers/admin.rs:91

    Service-to-service entry — POST a normalized chat message from any platform connector (openalice-chat-bridge for YouTube/Twitch/Kick/TikTok) and the broadcast owner's connected agent receives it as a `chat_message` event over /auth/ws. Bypasses the notification cooldown (chat is a stream). Authenticated by X-Internal-Secret.

  • knowledge
    52%
    OpenAlice Embed — Optimizations & Basics Backlog
    research/openalice-embed-roadmap-backlog-2026-05-29 · 2026-05-29

    Captured 2026-05-29 (Alex + NAO brainstorm, post-design-handoff). Feeds Tycho **after** MVP (Action 1-3) works end-to-end — except §0 which are MVP-blocking basics.

  • feature
    52%
    dashboard.shell.root-layout
    openalice-platform · dashboard/shell · apps/dashboard/src/app/layout.tsx:2

    Root layout — mounts AuthProvider (JWT lifecycle) + ToastProvider around the entire app. Binds the SDK client to NEXT_PUBLIC_API_URL (default api.blal.pro). Sets Open Graph metadata and forces `robots: noindex` (internal tool).

  • feature
    52%
    auth.user.me
    openalice-platform · auth/users · crates/identity/src/handlers/profile.rs:22

    Return current authenticated user's profile (id, email, username, status). Side effect — bumps users.last_seen so the user surfaces in the online-users feed.

  • feature
    51%
    auth.password.reset
    openalice-platform · auth/password · crates/identity/src/handlers/email.rs:374

    Consume a password-reset token (looked up by SHA-256 hash) and rewrite the user's password. Marks the token used and revokes ALL outstanding refresh tokens for the user (forces re-login on every device).

  • achievement
    51%
    Backend security hardening wave — RS256, RLS, CI gates across 7 repos
    infra · 2026-06-15 · breakthrough · openalice-tenants

    A coordinated security wave landed across the backend fleet: openalice-auth deployed RS256 + validate_aud=true across all services (closing the HS256 mint-anywhere gap); openalice-tenants enforced team roles (owner/admin/member/viewer) in all /me/* handlers, activated set_tenant_context + FORCE ROW LEVEL SECURITY, and moved the app off the superuser platform role to NOSUPERUSER/NOBYPASSRLS; openalice-rag added GDPR Art.17 purge of vector chunks on tenant erasure; recurring billing money-flow fixed end-to-end; distributed tracing (Tempo) enabled for auth + tenants + agent-lite; and CI security gates (cargo-deny + audit + clippy) went live across all 7 backend repos.

  • feature
    51%
    auth.internal.mfa.activate
    openalice-platform · auth/internal · crates/identity/src/handlers/account.rs:260

    Internal X-Internal-Secret-gated sibling for the embed dashboard's MFA activate (openalice-tenants POST /me/account/mfa/activate). Verifies a TOTP code (±1 step skew, constant-time) against the pending encrypted secret, then flips mfa_enabled=true so subsequent logins require a second factor. Replay-aware: persists the matched TOTP step to mfa_last_step so the activate code can't be replayed at the login verify challenge. 400 if no setup is pending.

  • feature
    50%
    auth.broadcast_config.get
    openalice-platform · auth/broadcast · crates/identity/src/handlers/config.rs:250

    Read the user's current studio broadcast config (preset_id + per-stream overrides). Defaults to {preset_id="qa-host", overrides={}} when no row has been saved yet — first-time streamers don't have to click anything before going live.

  • feature
    50%
    dashboard.auth.login
    openalice-platform · dashboard/auth · apps/dashboard/src/app/login/page.tsx:2

    Login page — email + password form using useLoginAction from @openalicelabs/ui. Auto-redirects authenticated users to /. Displays inline Banner on auth failure. Entry point for the entire dashboard; all protected pages redirect here on 401.

  • achievement
    50%
    Landing audit fix wave — 15 viewport fixes + infinite hero chat
    product · 2026-06-12 · medium · openalice-landing

    openalice-landing audit-and-fix wave: 15 viewport fixes, added delights, and an infinite hero-chat surface — part of the brand wave that moved the landing visuals to living surfaces.

  • feature
    50%
    auth.devices.pair_start
    openalice-platform · auth/devices · crates/identity/src/devices.rs:75

    Generate a short-lived pairing code (8 chars, 10 min TTL) the user types into openalice-stream-host. Code is single-use; claiming it issues a 90-day device-scoped JWT.

  • feature
    50%
    auth.internal.api_keys.create
    openalice-platform · auth/internal · crates/identity/src/handlers/account.rs:42

    Internal X-Internal-Secret-gated sibling for the embed dashboard's "create API key" flow (openalice-tenants POST /me/account/api-keys). Mints a fresh key, persists ONLY its SHA-256 hash + non-secret prefix + scopes (never the plaintext), and returns the PLAINTEXT key exactly once so the UI can show "copy now — it won't be shown again". Owner is the path {user_id}; IDOR-safe.

  • feature
    50%
    auth.realtime.broadcast
    openalice-platform · auth/realtime · crates/identity/src/handlers/admin.rs:40

    Service-to-service entry point — POST a notification (optionally targeted at a specific user) and the auth WS hub fans it out to every connected client. Authenticated by a shared secret in the `X-Internal-Secret` header (env `INTERNAL_BROADCAST_SECRET`). Producers: social-api on DM, persona on session events, billing on plan changes.

  • knowledge
    50%
    💰 20 клиентов = €5k MRR = default-alive
    roadmaps/embed

    Источник исполнения: `marketing/campaigns/openalice-embed-launch/EMBED-LAUNCH-IRON-PLAN-2026-07-01.md` (война-комната `alex-x-tycho`; волны Тихо W1-W5 ≈ 2-3 недели до пилота). Золотая тропа помечена `

  • feature
    50%
    landing.api.waitlist
    openalice-platform · landing/api · apps/landing/src/test/waitlist-route.test.ts:2

    Tests for POST /api/waitlist — the real lead-capture endpoint. Contract under test: 1. A valid {email, product} appends one JSONL line and returns { ok:true, status:"added" } (email lowercased + trimmed in the record). 2. A re-submit of the same (email, product) returns status:"already" without a second append. 3. Invalid email → 400 { error:{ code:"invalid_email" } }. 4. Unknown product → 400 { error:{ code:"invalid_product" } }. 5. Malformed JSON → 400 { error:{ code:"bad_json" } }. 6. Over the per-IP rate limit → 429 { error:{ code:"rate_limited" } }. 7. De-dupe survives a "restart": a fresh module load whose readFile returns a persisted lead reads that lead back as "already" with no second append (the boot-replay hydration of the seen-set, W1.2). fs is mocked so the test never touches disk; we assert the appended payload.

  • feature
    50%
    auth.user.login_mfa
    openalice-platform · auth/users · crates/identity/src/handlers/login.rs:322

    Exchange a pre-MFA token + TOTP code for a full session. Issued only when /auth/login responds with mfa_required=true. Pre-MFA token is audience-restricted so it can't be used against any downstream service if leaked.

  • feature
    50%
    auth.portal
    openalice-platform · auth/portal · crates/identity/src/handlers/portal.rs:5

    The dashboard's data API, carved onto openalice-auth so the

  • feature
    49%
    axum-common.crate.shared-http-plumbing
    openalice-platform · axum-common/crate · crates/oa-framework/src/lib.rs:1

    Shared Axum HTTP plumbing crate consumed by every OpenAlice backend service. Centralises JWT auth, SSO cookies, CORS, health, Prometheus metrics, per-tenant rate limiting, circuit breaking, and cluster-wide audit logging so security fixes and ecosystem-wide changes land in one place. Consumers: openalice-auth, social-api, voice, persona, atlas-api, rt, a2a.

  • feature
    49%
    auth.internal.mfa.setup
    openalice-platform · auth/internal · crates/identity/src/handlers/account.rs:188

    Internal X-Internal-Secret-gated sibling for the embed dashboard's MFA setup (openalice-tenants POST /me/account/mfa/setup). Mints a fresh TOTP secret stored ENCRYPTED (AES-256-GCM), plus backup codes stored HASHED, in the `pending` state (NOT enabled). Returns secret + otpauth_uri (for QR) + plaintext backup codes ONCE. 409 if MFA is already enabled — disable first.

  • knowledge
    49%
    OpenAlice Embed — Visitor Identity & Memory Spec (§0.1)
    research/openalice-embed-visitor-identity-memory-spec-2026-05-29 · 2026-05-29

    > **For Tycho (engineering) + Norbert (persona/memory model).** > Resolves the §0.1 spec conflict flagged in `openalice-embed-roadmap-backlog-2026-05-29.md`. > Status: **proposed** (NAO greenlit writi