Initial OSS release: EVC Team Relay v1.8.7

Self-hosted collaborative editing infrastructure for Obsidian.

Features:
- Real-time CRDT synchronization (y-sweet)
- Document and folder sharing with permissions
- Web publishing with custom domains
- OAuth/OIDC integration
- Webhooks, audit logs, metrics

License: Apache 2.0

Author: venturecrew

.env.example

@@ -0,0 +1,48 @@
+DOMAIN_BASE=example.com
+ACME_EMAIL=ops@example.com
+POSTGRES_PASSWORD=change-me
+MINIO_ROOT_USER=relay
+MINIO_ROOT_PASSWORD=change-this-too
+JWT_SECRET=replace-me
+BOOTSTRAP_ADMIN_EMAIL=admin@example.com
+BOOTSTRAP_ADMIN_PASSWORD=super-secret-pass
+RELAY_PUBLIC_URL=wss://relay.${DOMAIN_BASE}
+
+# Server identity (for multi-server plugin support)
+SERVER_NAME=My Relay Server
+# SERVER_ID=my-server-id  # Optional, defaults to relay_key_id
+
+# Logging configuration
+LOG_LEVEL=INFO           # DEBUG, INFO, WARNING, ERROR
+LOG_FORMAT=json          # json or text
+
+# PostgreSQL backup configuration
+BACKUP_RETENTION=7                    # Days to keep local backups
+BACKUP_HOUR=2                         # Hour to run daily backup (0-23, UTC)
+BACKUP_RUN_ON_STARTUP=true            # Run backup on container startup
+# BACKUP_S3_ENABLED=false             # Enable S3/MinIO upload
+# BACKUP_S3_BUCKET=relay-backups      # S3 bucket name
+
+# Grafana configuration
+GRAFANA_ADMIN_USER=admin
+GRAFANA_ADMIN_PASSWORD=change-me-please
+
+# Email configuration (for notifications)
+EMAIL_ENABLED=false                   # Enable email sending
+SMTP_HOST=                            # SMTP server hostname
+SMTP_PORT=587                         # SMTP port (587 for TLS, 465 for SSL)
+SMTP_USER=                            # SMTP username
+SMTP_PASSWORD=                        # SMTP password
+SMTP_USE_TLS=true                     # Use STARTTLS
+EMAIL_FROM=noreply@example.com        # From address
+EMAIL_REPLY_TO=                       # Reply-to address (optional)
+
+# Background worker configuration
+WEBHOOK_WORKER_INTERVAL=30            # Webhook worker poll interval (seconds)
+WEBHOOK_WORKER_BATCH_SIZE=50          # Max webhooks to process per cycle
+EMAIL_WORKER_INTERVAL=60              # Email worker poll interval (seconds)
+EMAIL_WORKER_BATCH_SIZE=100           # Max emails to process per cycle
+
+# Web Publishing configuration (v1.7)
+WEB_PUBLISH_DOMAIN=                   # Web publishing domain (e.g., docs.example.com)
+                                       # Leave empty to disable web publishing

.github/workflows/agent-bootstrap.yml

@@ -0,0 +1,66 @@
+name: Agent Bootstrap (Cursor)
+
+on:
+  workflow_dispatch:
+    inputs:
+      prompt_file:
+        description: "Prompt file path"
+        required: true
+        default: "PROMPTS/epic-control-plane-v0.md"
+        type: choice
+        options:
+          - "PROMPTS/bootstrap.md"
+          - "PROMPTS/epic-control-plane-v0.md"
+      model:
+        description: "Cursor model"
+        required: true
+        default: "gpt-5.1-codex"
+        type: choice
+        options:
+          - "auto"
+          - "gpt-5.1-codex"
+          - "gpt-5.2"
+          - "gpt-5.1"
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bootstrap:
+    runs-on: ubuntu-latest
+    environment: staging
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Cursor CLI
+        run: |
+          curl https://cursor.com/install -fsS | bash
+          echo "$HOME/.cursor/bin" >> $GITHUB_PATH
+      - name: Run Cursor Agent
+        env:
+          CURSOR_API_KEY: ${{ secrets.CURSOR_API_KEY }}
+        run: |
+          cursor-agent -p "$(cat '${{ inputs.prompt_file }}')" --model "${{ inputs.model }}"
+      - name: Configure git identity
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Create PR with changes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -e
+          if git diff --quiet; then
+            echo "No changes from agent."
+            exit 0
+          fi
+          BR="bootstrap/${{ github.run_id }}"
+          git checkout -b "$BR"
+          git add -A
+          git commit -m "bootstrap: scaffold relay-onprem stack"
+          git push origin "$BR"
+          gh pr create --title "bootstrap: scaffold stack" --body "Generated by Cursor agent" --base main --head "$BR"

.github/workflows/ci.yml

@@ -0,0 +1,78 @@
+name: CI
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+    paths:
+      - 'apps/**'
+      - 'infra/**'
+      - '.github/workflows/ci.yml'
+
+jobs:
+  lint-python:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Lint with Ruff
+        working-directory: apps/control-plane
+        run: |
+          uv sync --extra dev --extra test
+          uv run ruff check app/ tests/
+          uv run ruff format --check app/ tests/
+
+  test-python:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          version: "latest"
+
+      - name: Set up Python
+        run: uv python install 3.12
+
+      - name: Run tests
+        working-directory: apps/control-plane
+        run: |
+          uv sync --extra dev --extra test
+          uv run pytest -v --tb=short
+
+  build-docker:
+    runs-on: ubuntu-latest
+    needs: [lint-python, test-python]
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build control-plane
+        uses: docker/build-push-action@v6
+        with:
+          context: apps/control-plane
+          push: false
+          tags: evc-team-relay/control-plane:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Build web-publish
+        uses: docker/build-push-action@v6
+        with:
+          context: apps/web-publish
+          push: false
+          tags: evc-team-relay/web-publish:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/deploy.yml

@@ -0,0 +1,175 @@
+name: Deploy (staging)
+
+on:
+  push:
+    branches: ["main"]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: staging
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup SSH
+        run: |
+          mkdir -p ~/.ssh
+          chmod 700 ~/.ssh
+          echo "${{ secrets.DEPLOY_SSH_KEY_B64 }}" | base64 -d > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keygen -y -f ~/.ssh/id_ed25519 >/dev/null
+          ssh-keyscan -H "${{ secrets.DEPLOY_HOST }}" >> ~/.ssh/known_hosts
+                  
+      - name: Generate infra/.env from secrets
+        run: |
+          cat > infra/.env <<EOF
+          DOMAIN_BASE=${{ secrets.DOMAIN_BASE }}
+          ACME_EMAIL=${{ secrets.ACME_EMAIL }}
+
+          # Postgres (control-plane)
+          POSTGRES_USER=relaycp
+          POSTGRES_DB=relaycp
+          POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
+          DATABASE_URL=postgresql+psycopg://relaycp:${{ secrets.POSTGRES_PASSWORD }}@postgres:5432/relaycp
+
+          # MinIO
+          MINIO_ROOT_USER=${{ secrets.MINIO_ROOT_USER }}
+          MINIO_ROOT_PASSWORD=${{ secrets.MINIO_ROOT_PASSWORD }}
+
+          # Control-plane auth/bootstrap
+          JWT_SECRET=${{ secrets.JWT_SECRET }}
+          BOOTSTRAP_ADMIN_EMAIL=${{ secrets.BOOTSTRAP_ADMIN_EMAIL }}
+          BOOTSTRAP_ADMIN_PASSWORD=${{ secrets.BOOTSTRAP_ADMIN_PASSWORD }}
+
+          # Relay public URL (for clients)
+          RELAY_PUBLIC_URL=wss://relay.${{ secrets.DOMAIN_BASE }}
+
+          # Relay token signing (Ed25519)
+          RELAY_PRIVATE_KEY=$(echo "${{ secrets.RELAY_PRIVATE_KEY }}" | base64 -w 0)
+          RELAY_KEY_ID=${{ secrets.RELAY_KEY_ID }}
+
+          # OAuth/OIDC Configuration
+          OAUTH_ENABLED=${{ secrets.OAUTH_ENABLED }}
+          OAUTH_PROVIDER_NAME=${{ secrets.OAUTH_PROVIDER_NAME }}
+          OAUTH_ISSUER_URL=${{ secrets.OAUTH_ISSUER_URL }}
+          OAUTH_CLIENT_ID=${{ secrets.OAUTH_CLIENT_ID }}
+          OAUTH_CLIENT_SECRET=${{ secrets.OAUTH_CLIENT_SECRET }}
+          OAUTH_AUTO_REGISTER=${{ secrets.OAUTH_AUTO_REGISTER }}
+
+          # Web Publishing (optional)
+          WEB_PUBLISH_DOMAIN=${{ secrets.WEB_PUBLISH_DOMAIN }}
+          EOF
+
+      - name: Extract relay public key from private key
+        run: |
+          cat > extract_pubkey.py <<'PYTHON'
+          import base64
+          import os
+          from cryptography.hazmat.primitives import serialization
+
+          private_pem = os.environ['RELAY_PRIVATE_KEY']
+          private_key = serialization.load_pem_private_key(
+              private_pem.encode('utf-8'),
+              password=None
+          )
+          public_bytes = private_key.public_key().public_bytes(
+              encoding=serialization.Encoding.Raw,
+              format=serialization.PublicFormat.Raw
+          )
+          public_base64 = base64.b64encode(public_bytes).decode('utf-8')
+          print(public_base64)
+          PYTHON
+
+          pip install cryptography
+          export RELAY_PUBLIC_KEY=$(python extract_pubkey.py)
+          echo "RELAY_PUBLIC_KEY=$RELAY_PUBLIC_KEY" >> $GITHUB_ENV
+        env:
+          RELAY_PRIVATE_KEY: ${{ secrets.RELAY_PRIVATE_KEY }}
+
+      - name: Generate relay.toml from secrets
+        run: |
+          mkdir -p infra/relay
+          cat > infra/relay/relay.toml <<EOF
+          [server]
+          url = "https://relay.${{ secrets.DOMAIN_BASE }}"
+          host = "0.0.0.0"
+          port = 8080
+
+          [metrics]
+          port = 9090
+
+          [logging]
+          level = "info"
+          format = "pretty"
+
+          # Control-plane authentication
+          [[auth]]
+          key_id = "${{ secrets.RELAY_KEY_ID }}"
+          public_key = "${{ env.RELAY_PUBLIC_KEY }}"
+
+          [store]
+          type = "minio"
+          bucket = "relay"
+          endpoint = "http://minio:9000"
+          access_key = "${{ secrets.MINIO_ROOT_USER }}"
+          secret_key = "${{ secrets.MINIO_ROOT_PASSWORD }}"
+          prefix = ""
+          EOF
+
+      - name: Sync repo to VPS (exclude runtime data)
+        run: |
+          rsync -az --delete \
+            --exclude ".git/" \
+            --exclude "infra/data/" \
+            ./ "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}:~/relay-onprem/"
+
+      - name: Compose up + smoke checks
+        run: |
+          ssh "${{ secrets.DEPLOY_USER }}@${{ secrets.DEPLOY_HOST }}" <<'SSH'
+          set -euo pipefail
+          cd ~/relay-onprem/infra
+
+          docker compose up -d --build || {
+            echo "compose up failed — dumping logs"
+            docker compose ps -a || true
+            docker compose logs --tail=200 postgres control-plane-migrate control-plane caddy || true
+            exit 1
+          }
+          docker compose ps
+
+          retries=10
+          delay=6
+
+          check_cp() {
+            docker compose exec -T control-plane python -c 'import sys,urllib.request; r=urllib.request.urlopen("http://control-plane:8000/health",timeout=5); sys.exit(0 if r.status==200 else 1)'
+          }
+
+          check_relay() {
+            docker compose exec -T control-plane python -c 'import sys,urllib.request; r=urllib.request.urlopen("http://relay-server:9090/metrics",timeout=5); r.read(200); sys.exit(0 if r.status==200 else 1)'
+          }
+
+          n=0
+          until check_cp; do
+            n=$((n+1))
+            if [ "$n" -ge "$retries" ]; then
+              echo "control-plane health failed after $n attempts"
+              docker compose ps
+              docker compose logs --tail=200 caddy control-plane
+              exit 1
+            fi
+            sleep "$delay"
+          done
+
+          n=0
+          until check_relay; do
+            n=$((n+1))
+            if [ "$n" -ge "$retries" ]; then
+              echo "relay-server health failed after $n attempts"
+              docker compose ps
+              docker compose logs --tail=200 caddy relay-server
+              exit 1
+            fi
+            sleep "$delay"
+          done
+          SSH