Owner Abhi

Arivu on Keystone, S3, and CloudFront

Keystone handles identity and the zip download API. The built Arivu UI is static files in S3, delivered through CloudFront. Product routing and repo layout are in Web → How we built Arivu. Build, CI, cache, and URL rewrites are in Backend → DevOps → Arivu deploy and static hosting.

Astro and payload size

The UI is Astro with output: "static". Markdown under knowledge_docs/ is compiled to HTML at build time. There is no Node server in production: the browser loads HTML, CSS, and JS from the CDN only.

That choice keeps hosting simple (object storage plus a CDN) and the shipped tree small. A typical npm run build produces a dist/ folder whose files sum to on the order of 150 KB uncompressed (the exact size grows slightly as docs and client JS change). Transfer sizes are lower when CloudFront serves compressed responses.

What S3 and CloudFront do

The dist/ output is uploaded to an environment bucket. CloudFront terminates TLS and caches objects. The public hostname (e.g. arivu-staging.cybosapiens.com) points at that distribution. No application process runs on page view.

SSO and session

Arivu uses Keystone av1 auth with application=arivu.

  • OAuth completes at Keystone; the client stores tokens in cookies on the Arivu origin.
  • GET /av1/auth/me (Bearer and cookies as implemented in the client) validates the session.
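  • @asymmetriclabs.ai email domain: the Arivu web UI enforces this restriction on the client, using the email returned by /auth/me (Keystone may enforce additional rules). A client-side check gates only what the UI shows; on its own it does not restrict direct API calls, so any hard restriction has to come from Keystone.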

CORS and OAuth redirect allowlists must include the real Arivu origin (https://arivu-staging.cybosapiens.com and local dev origins as needed).

Packaged markdown zip (presigned GET)

Endpoint: GET /av1/arivu/knowledge-docs/download-url

Auth: Valid Arivu session (same JWT / cookies as the rest of av1 for this app).

Response: JSON with a presigned S3 GET URL and expires_in (seconds).

The zip is not generated from the live static tree on each request. It is a separate object in S3, updated by a job or manual upload, for example:

s3://<AWS_S3_BUCKET_NAME>/arivu/private/knowledge_docs_latest.zip
  • Bucket: AWS_S3_BUCKET_NAME for that env (e.g. asymai-keystone-service-staging).
  • Key: ARIVU_KNOWLEDGE_DOCS_ZIP_S3_KEY, default arivu/private/knowledge_docs_latest.zip.
  • URL lifetime: ARIVU_KNOWLEDGE_DOCS_PRESIGNED_URL_TTL_SECONDS (default 300 / five minutes in app config; override per env).

Keystone signs the URL with the normal S3 client. No long-lived secret is returned to the browser.
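
What the browser receives, as an added example (not Keystone's code): it builds a SigV4 presigned GET URL with the Python standard library in place of the S3 client so it runs offline, then reads the object key and expiry back off the URL. The region (us-east-1), the timestamp, and the credentials (AWS's documentation placeholders) are assumptions; the bucket, key, and 300-second TTL are the page's examples and defaults.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(bucket, key, region, access_key_id, secret_key, ttl, now, host=None):
    """Build a SigV4 query-string presigned GET URL for one S3 object."""
    host = host or f"{bucket}.s3.{region}.amazonaws.com"
    day, stamp = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{day}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",  # key id only, never the secret
        "X-Amz-Date": stamp,
        "X-Amz-Expires": str(ttl),  # S3 rejects the URL after stamp + ttl seconds
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    path = "/" + quote(key, safe="/")
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host",
                           "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", stamp, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # The signing key is derived from the secret and scoped to day/region/service.
    k = _hmac(("AWS4" + secret_key).encode(), day)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def inspect_presigned(url):
    """Return (object key, expiry time) as a reviewer would read them off the URL."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=timezone.utc)
    return unquote(parts.path.lstrip("/")), issued + timedelta(seconds=int(q["X-Amz-Expires"]))

# Constructed sample values; the credentials are AWS's documentation placeholders.
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
URL = presign_get("asymai-keystone-service-staging",
                  "arivu/private/knowledge_docs_latest.zip",
                  "us-east-1", "AKIAIOSFODNN7EXAMPLE", SECRET, 300, NOW)
KEY, EXPIRES = inspect_presigned(URL)
```

The URL is a bearer credential for that one object until EXPIRES, so it should be kept out of logs and analytics for the duration of the TTL.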

When things break (API and zip)

  1. Login loop: check CORS, PUBLIC_API_BASE_URL in the web build (the Keystone API base), cookie settings, and the Keystone redirect URLs for Arivu.
  2. Zip fails: check the IAM GetObject permission on that key, and confirm the object exists in the bucket named by AWS_S3_BUCKET_NAME.

Stale HTML, CloudFront invalidation, and pretty URLs (/login vs login/index.html) are covered in the deploy and static hosting note.