Owner Abhi

Arivu on Keystone, S3, and CloudFront

Keystone handles identity and the zip download API. S3 and CloudFront serve the Astro build. This note is the infra side; the product overview is under Web → How we built Arivu.

Static site (DevOps)

  • Build: npm run build in the Arivu repo; output in dist/.
  • Host: Upload that tree to an S3 bucket for the environment (e.g. staging).
  • CDN: A CloudFront distribution in front of that bucket, HTTPS to clients.
  • DNS: Staging hostname arivu-staging.cybosapiens.com points at the distribution (CNAME or alias).

HTML, JS, and CSS are served as public objects at the edge. Page loads do not hit a Node server.

SSO and session

Arivu uses Keystone av1 auth with application=arivu.

  • OAuth completes at Keystone; the SPA stores tokens in cookies on the Arivu origin.
  • GET /av1/auth/me (Bearer / cookies as implemented in the client) validates the session.
  • Email-domain restriction (@asymmetriclabs.ai): the Arivu web UI enforces it on the client using the email returned by /auth/me (Keystone can add its own server-side rules separately).

CORS and OAuth redirect allowlists must include the real Arivu origin (https://arivu-staging.cybosapiens.com and local dev origins as needed).

Packaged markdown zip (presigned GET)

Endpoint: GET /av1/arivu/knowledge-docs/download-url

Auth: Valid Arivu session (same JWT / cookies as the rest of av1 for this app).

Response: JSON with a presigned S3 GET URL and expires_in (seconds).

The zip is not generated from the live static tree on each request. It is a separate object in S3, updated by a job or manual upload, for example:

s3://<AWS_S3_BUCKET_NAME>/arivu/private/knowledge_docs_latest.zip

  • Bucket: AWS_S3_BUCKET_NAME for that env (e.g. asymai-keystone-service-staging).
  • Key: ARIVU_KNOWLEDGE_DOCS_ZIP_S3_KEY, default arivu/private/knowledge_docs_latest.zip.
  • URL lifetime: ARIVU_KNOWLEDGE_DOCS_PRESIGNED_URL_TTL_SECONDS (default 60 in app config; override per env).

Keystone signs the URL with the normal S3 client. No long-lived secret is returned to the browser.
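Added example, not Keystone's code: Keystone presigns with the normal S3 client, but doing the SigV4 query-string signing by hand with only the standard library shows exactly what ends up in the URL the browser receives (credential scope, timestamp, expiry, and a signature derived from the secret) and what does not (the secret key itself). The config names are the ones above; the fallback bucket name, the region argument and the response shape are assumptions.

```python
"""Presigned S3 GET URL (SigV4 query auth) built with only the standard library."""
import datetime as dt
import hashlib
import hmac
import os
from urllib.parse import quote

# Config names are the page's; the fallback bucket name is a constructed placeholder.
BUCKET = os.environ.get("AWS_S3_BUCKET_NAME", "example-bucket")
KEY = os.environ.get("ARIVU_KNOWLEDGE_DOCS_ZIP_S3_KEY", "arivu/private/knowledge_docs_latest.zip")
TTL = int(os.environ.get("ARIVU_KNOWLEDGE_DOCS_PRESIGNED_URL_TTL_SECONDS", "60"))


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, access_key, secret_key, region, expires, now):
    """Return (url, expires_in). Only the derived signature enters the URL, never secret_key."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # identifies the key pair; not a secret
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # S3 rejects the URL once this window has passed
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical request: method, URI, sorted+encoded query, signed headers, unsigned payload.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    uri = "/" + quote(key, safe="/")
    canonical = "\n".join(["GET", uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    # Signing key: HMAC chain from the secret, scoped to one date/region/service.
    k = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}", expires


def download_url_response(access_key, secret_key, region, now=None):
    """Assumed body of GET /av1/arivu/knowledge-docs/download-url after session validation."""
    now = now or dt.datetime.now(dt.timezone.utc)
    url, expires_in = presign_get(BUCKET, KEY, access_key, secret_key, region, TTL, now)
    return {"url": url, "expires_in": expires_in}
```

Anyone holding the URL can fetch the object until X-Amz-Expires elapses, which is why the TTL stays short and the endpoint itself sits behind the session check.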

When things break

  1. Wrong or old UI: run a CloudFront invalidation, check the cache headers, and confirm CI actually wrote the new dist/ objects to the bucket.
  2. Login loop: check CORS, PUBLIC_API_BASE_URL (Keystone API; keystone-web: VITE_BASE_URL), cookie settings, and the Keystone redirect URLs registered for Arivu.
  3. Zip fails: check IAM GetObject on that key, and confirm the object exists in the bucket named by AWS_S3_BUCKET_NAME.