typelets
diff --git a/‎.env.example‎
Lines changed: 27 additions & 29 deletions b/‎.env.example‎
Lines changed: 27 additions & 29 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 3 additions & 1 deletion b/‎Dockerfile‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎Dockerfile.alloy‎
Lines changed: 8 additions & 0 deletions b/‎Dockerfile.alloy‎
Lines changed: 8 additions & 0 deletions
@@ -56,7 +56,7 @@ API_URL=http://localhost:3000
 # SECURITY CONFIGURATION
 # ================================================================
 
-# WebSocket Message Authentication
+# Message Authentication Secret
 # Generate with: openssl rand -hex 32
 # CRITICAL: Use a strong random string (minimum 32 characters) in production
 MESSAGE_AUTH_SECRET=your-very-secure-random-string-here-min-32-chars
@@ -72,17 +72,9 @@ MESSAGE_AUTH_SECRET=your-very-secure-random-string-here-min-32-chars
 # HTTP_RATE_LIMIT_MAX_REQUESTS=1000   # Max requests per window per user/IP
 # HTTP_FILE_RATE_LIMIT_MAX=100        # Max file operations per window
 
-# WebSocket Rate Limiting
-WS_RATE_LIMIT_WINDOW_MS=60000# Time window: 1 minute (in milliseconds)
-WS_RATE_LIMIT_MAX_MESSAGES=300# Max messages per window per connection
-WS_MAX_CONNECTIONS_PER_USER=20# Max concurrent connections per user
-WS_AUTH_TIMEOUT_MS=30000# Authentication timeout: 30 seconds
-
 # Production Rate Limiting Recommendations:
 # - HTTP: 500-1000 requests per 15 minutes per user
-# - WebSocket: 100-300 messages per minute per connection
 # - File uploads: 50-100 operations per 15 minutes per user
-# - Connections: 10-20 per user depending on multi-device usage
 
 # ================================================================
 # FILE UPLOAD CONFIGURATION
@@ -98,15 +90,15 @@ MAX_FILE_SIZE_MB=50# Maximum size per file (default: 50MB)
 # Add new types in: src/lib/validation.ts
 
 # ================================================================
-# CODE EXECUTION CONFIGURATION (Judge0 API)
+# CODE EXECUTION CONFIGURATION (Self-hosted Piston)
 # ================================================================
 
-# Judge0 API Configuration (OPTIONAL - for code execution features)
-# Get your API key from: https://rapidapi.com/judge0-official/api/judge0-ce
-# JUDGE0_API_KEY=your_judge0_rapidapi_key_here
+# Piston API Configuration (OPTIONAL - for code execution features)
+# Self-hosted Piston: https://github.com/engineer-man/piston
+# Run with Docker: docker run -d --name piston -p 2000:2000 ghcr.io/engineer-man/piston
+# PISTON_API_URL=http://localhost:2000
 
 # Code execution rate limits
-# Adjust based on your Judge0 plan limits (defaults: development=200, production=50)
 # CODE_EXEC_RATE_LIMIT_MAX=50         # Max code executions per 15 minutes per user
 
 # ================================================================
@@ -132,24 +124,33 @@ FREE_TIER_NOTE_LIMIT=100# Note count limit for free users (default: 100)
 # 3. Copy the export commands provided (they will look like the examples below)
 # 4. Set the environment variables in your deployment
 
-# OpenTelemetry Configuration (use values from Grafana Cloud setup)
-# Copy the export commands from Grafana Cloud OpenTelemetry setup page
-# OTEL_EXPORTER_OTLP_ENDPOINT=https://otlp-gateway-prod-<region>.grafana.net/otlp
-# OTEL_EXPORTER_OTLP_HEADERS=Authorization=Basic%20<base64-encoded-token>
+# OpenTelemetry Configuration (via Grafana Alloy)
+# IMPORTANT: Logs/traces/metrics are sent to local Grafana Alloy, which forwards to Grafana Cloud
+# For local dev: docker-compose -f docker-compose.alloy.yml up -d
+# For production: Run Alloy as ECS sidecar container (see docker-compose.alloy.yml)
+
+# OTEL Configuration - Point to Alloy (localhost for both dev and prod sidecar)
+# OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4318
+# OTEL_EXPORTER_OTLP_PROTOCOL=http/protobuf
 # OTEL_TRACES_EXPORTER=otlp
 # OTEL_METRICS_EXPORTER=otlp
 # OTEL_LOGS_EXPORTER=otlp
 # OTEL_NODE_RESOURCE_DETECTORS=env,host,os
 # OTEL_SERVICE_NAME=typelets-api
-# OTEL_RESOURCE_ATTRIBUTES=service.name=typelets-api,deployment.environment=production
+# OTEL_RESOURCE_ATTRIBUTES=deployment.environment=production,service.name=typelets-api
+
+# Grafana Cloud Configuration (required for Alloy container, NOT in app)
+# Get these from Grafana Cloud: Connections > Add new connection > OpenTelemetry
+# GRAFANA_CLOUD_ENDPOINT=your_otlp_gateway_endpoint_here
+# GRAFANA_CLOUD_INSTANCE_ID=your_instance_id_here
+# GRAFANA_CLOUD_TOKEN=your_grafana_cloud_token_here
 
 # Application Logging
 # Structured JSON logs are automatically generated for:
 # - Authentication events
 # - Rate limiting violations
 # - Security events (failed auth, suspicious activity)
 # - Billing limit violations
-# - WebSocket connection events
 # - File upload events
 # - HTTP requests and responses
 # - Database queries
@@ -178,7 +179,6 @@ FREE_TIER_NOTE_LIMIT=100# Note count limit for free users (default: 100)
 
 # API Testing
 # Health check: GET http://localhost:3000/health
-# WebSocket status: GET http://localhost:3000/websocket/status
 # API documentation: https://github.com/typelets/typelets-api
 
 # ================================================================
@@ -188,7 +188,7 @@ FREE_TIER_NOTE_LIMIT=100# Note count limit for free users (default: 100)
 # 🔒 NEVER commit actual secrets to version control
 # 🔒 Use different secrets for development and production
 # 🔒 Rotate secrets regularly in production
-# 🔒 MESSAGE_AUTH_SECRET is critical for WebSocket security
+# 🔒 MESSAGE_AUTH_SECRET is critical for message authentication
 # 🔒 CLERK_SECRET_KEY controls all authentication
 # 🔒 DATABASE_URL contains database credentials
 
@@ -197,12 +197,11 @@ FREE_TIER_NOTE_LIMIT=100# Note count limit for free users (default: 100)
 # API Keys: Use your service provider's dashboard
 # Database passwords: Use password managers
 
-# Judge0 API Key Setup:
-# 1. Go to https://rapidapi.com/judge0-official/api/judge0-ce
-# 2. Sign up/login to RapidAPI
-# 3. Subscribe to Judge0 CE (free tier available)
-# 4. Copy your API key and uncomment JUDGE0_API_KEY above
-# 5. Code execution endpoints will be available: /api/code/*
+# Piston Setup (Self-hosted code execution):
+# 1. Run Piston with Docker: docker run -d --name piston -p 2000:2000 ghcr.io/engineer-man/piston
+# 2. Set PISTON_API_URL=http://localhost:2000
+# 3. Code execution endpoints will be available: /api/code/*
+# See: https://github.com/engineer-man/piston
 
 # ================================================================
 # PRODUCTION DEPLOYMENT NOTES
@@ -234,7 +233,6 @@ FREE_TIER_NOTE_LIMIT=100# Note count limit for free users (default: 100)
 # 2. "Authentication failed" → Verify CLERK_SECRET_KEY is correct
 # 3. "CORS error" → Add your frontend URL to CORS_ORIGINS
 # 4. "Too many requests" → Increase rate limits or check for loops
-# 5. "WebSocket connection failed" → Check authentication and rate limits
 
 # Useful Commands:
 # Check database connection: npx drizzle-kit studio
 
@@ -81,3 +81,7 @@ deploy.local.ps1
 *.local.bat
 *.local.ps1
 deployment-scripts/
+
+# ECS task definitions - contain secrets, DO NOT COMMIT
+ecs-task-definition*.json
+*task-definition*.json
@@ -38,7 +38,9 @@ RUN pnpm install --frozen-lockfile --prod
 
 # Copy built application from builder stage
 COPY --from=builder /app/dist ./dist
-# Application configuration complete
+
+# Copy instrumentation.js (needed for OTEL auto-instrumentation)
+COPY --from=builder /app/instrumentation.js ./instrumentation.js
 
 # Change ownership to non-root user
 RUN chown -R typelets:nodejs /app
 
@@ -0,0 +1,8 @@
+# Grafana Alloy with embedded configuration for ECS
+FROM grafana/alloy:latest
+
+# Copy the Alloy configuration into the image
+COPY alloy-config.alloy /etc/alloy/config.alloy
+
+# Default command (can be overridden in ECS task definition)
+CMD ["run", "/etc/alloy/config.alloy", "--server.http.listen-addr=0.0.0.0:12345"]