n-lawOS — the build, end to end

Strict TS everywhere ("strict": true, noUncheckedIndexedAccess). Shared contracts as zod schemas in packages/shared so the web app and the Python services agree on shapes (generate JSON Schema for the Python side). Engine prompts: git init a second private repo.

App Router; one route group (app) with a route per surface (see §B tree). Tenant data is client-rendered against the local sync store (P0.4), not SSR'd off-instance, so nothing renders server-side outside the tenant. A thin server layer only sets the RLS request context (P0.5) and proxies to the redactor/relay/MCP. Layout = left surface nav + top bar + content (the windows you saw in v2).

Postgres 16 + CREATE EXTENSION vector. Drizzle schema in packages/db; migrations in infra/migrations. RLS enabled on every table in the first migration — never "add security later". Each request opens a transaction and sets the actor:

Tables per §A. audit_log: revoke UPDATE/DELETE; add a trigger raising on modify. Edge case: background jobs (no human) run as a service role with its own narrow policies.

ElectricSQL syncs Postgres ↔ a local store in the browser (offline-first, realtime). Define "shapes" (filtered subscriptions) per surface, e.g. matters where owner or member = me. Writes queue locally and replicate on reconnect; conflicts surface to a resolve UI (keep-mine / use-theirs / merge). Replaces Firebase/Firestore — Google-hosted, can't run in-tenant, forbidden.

Auth.js with an OIDC provider = the firm's Microsoft Entra (or Google; Keycloak self-hosted for big firms). On each request, map the session → identity.role → SET LOCAL app.user_id/app.role (the RLS bridge from P0.3). No Firebase auth. Edge cases: leaver = IdP revokes → session dies; role change propagates on next token refresh.

One .env per tenant (§C). Healthchecks + restart policies; nightly pg_dump → encrypted to R2. Single VM (e.g. Hetzner CCX) to start; Kubernetes only at scale. This single-tenant in-tenant deploy is the control behind D6.

Python FastAPI sidecar wrapping Presidio AnalyzerEngine (spaCy en_core_web_lg NER) + custom recognizers (P1.2), ensembled. Stateless HTTP; the only caller is the web server, never the model.

Recall > precision (β=2). Treat vanilla Presidio as a baseline — it misses PII; tuning + custom recognizers lift it materially. Evaluate with presidio-research on representative transcripts; record recall per type.

Validators (checksums/format) raise confidence so true hits clear threshold and noise stays low. Store recognizer configs in services/redactor/recognizers/; version them; re-run eval on every change.

Persist the map in redaction_token (scope = job or matter), readable only by the tenant role; never selected into audit_log/usage_event. Deny-by-default: spans with score < threshold are masked and queued (lowConfidence) for a human to confirm/relabel before the relay call proceeds. Structured fields (DOB, NINO columns) masked by rule, not just ML. Re-hydration (P3.2) reads this table firm-side only.

Plus Gitleaks (secrets) and a runtime assertion in the relay client that rejects input not tagged {masked:true}. Build fails otherwise. This is the machine form of "redactor-before-engine".

LiteLLM proxy runs in-tenant; holds an n-law-issued, scoped, short-lived key (rotated via heartbeat); per-tenant spend caps. Customers can't bring their own key; the key is never loose in app code. The success callback writes usage_event (tokens, tier, job kind — no content).

Live: Azure OpenAI UK South (DataZone EU, ZDR on approved access) for junior/paralegal; Anthropic ZDR for associate. Dev/synthetic only: OpenRouter (never live). Tier is chosen by the job (P3). Confirm ZDR eligibility + region pinning on the actual accounts before go-live.

Each surface exposes an MCP server (packages/mcp) with typed tools, e.g. matter.read, note.draft, time.log, conflict.check. Subagents act only through MCP — never raw DB. A thin askModel(tier, messages) interface makes the provider a one-line config switch.

Worker pulls from pg-boss → calls askModel via the relay on maskedText → validates output against the zod schema (retry on mismatch) → writes job_run + a draft note/time_entry (placeholders still in). Bounded jobs (not chat) keep the AI inside back-office support.

State machine draft → review → signed. Edit-distance is captured per job kind (D10.4) — the running quality + honesty check on the time-equivalent. One write = provenance + audit + bill line.

LiveKit (self-hosted WebRTC SFU) + egress recording → object store; a webhook fires recording.ended {uri, matterHint}. A pg-boss job runs faster-whisper (in-tenant, batch) → transcript. Audio never leaves the tenant. Legacy phone lines: ingest existing call-recording files (bridge), or managed SIP via Twilio if a number is needed. Edge cases: diarisation for who-said-what; partials discarded; failed transcribe → retry then flag.

Microsoft Graph: a /subscriptions webhook on the mailbox (delta query for new mail) + Teams call recordings; validate the webhook token; emails skip transcription. Each door normalises to {text, source, matterId?, participants, ts}. Matter-matching: rules first (caller number → party → matter; email sender/thread-id → matter), then a small MCP subagent for fuzzy cases; the matter list comes from the firm's practice-management system (Clio/LEAP) via API. Unmatched → an intake queue.

• Time-ledger — query over time_entry grouped by actor/tier/day; the billing source.
• Matter timeline — projection over audit_log + events for one matter (event-sourced view).
• Inbox — Graph mirror; each message matched to a matter + an AI action chip.
• Tasks/workflow — board schema (status flow + approval gates); MCP tool task.create/move.
• Knowledge — embeddings in memory.embedding; ORDER BY embedding <=> query (pgvector) for semantic search of precedents.
• Dashboards — materialised views refreshed on a schedule (matters active, time logged, needs-you).

Canvas/co-edit on tldraw + Yjs. Every surface exposes an MCP interface so subagents act on it.

Tokens stay internal cost + spend-cap; the firm's statement shows hours by tier. Stripe metered/invoice-items; monthly cron rollup.

• Conflicts — embed the new party, ORDER BY embedding <=> new over party; threshold → clear/near/conflict; near → human.
• Key-dates — rules engine producing flags (never advice); writes reminders to tasks.
• Intake + engagement — form → create matter + run an engagement_letter job.
• AML/ID — call a checks provider (e.g. Onfido/ComplyAdvantage) API; store the result, not the raw documents beyond retention.
• Precedents — template store in memory (scope=firm), pgvector search.

Jest (unit) + Playwright E2E (call → transcript → redact → draft → sign → audit); a dedicated test asserts the relay received only masked text (the invariant, behaviourally). GlitchTip/Sentry for errors with a PII scrubber; OpenTelemetry counts only. Backups: pg_dump + object-store snapshot, encrypted to R2, restore-tested. Retention: nightly cron deletes where retention_until < now().

Cyber Essentials (self-assessment, ~£300–500, early). Cosign/Sigstore sign every image in CI; Watchtower applies only signed images (controlled promote). Deploy: docker compose pull && up -d on the firm's VM with their .env (§C). ISO 27001 deferred to P9.

Add a tenant_id to every table + a tenant RLS policy layered under the existing role/matter policies; per-tenant LiteLLM keys/quotas; per-tenant config/branding. Do not build before an LOI. Swap pg-boss → BullMQ/Valkey if throughput demands.