refactor: harden security, optimize deployment, and project-wide cleanup

- Initialized app.py for deployment tool compatibility
- Secured auth_utils by removing unsafe JWT fallbacks and implementing strict secret validation
- Cleaned up redundant routes and static mounts in main.py
- Aligned Dockerfile to Python 3.11 for dependency stability (PaddleOCR fix)
- Rewrote render.yaml to include managed Redis and dedicated Celery worker services
- Sanitized .gitignore and updated .env.example with missing critical secrets

.gitignore

@@ -1,5 +1,4 @@
 .env
-D:\Work\replacements.txt
 __pycache__/
 *.pyc
 *.pyo
@@ -16,4 +15,4 @@ intent_feedback.jsonl
 note_to_me.txt
 *.pkl
 
-.dual-graph/
+.dual-graph/

ARCHITECTURE.md

@@ -1,15 +1,17 @@
-# Nexus — Architecture Guide
+# Morpheus — Architecture Guide
+
+> Ask anything. Your documents answer.
 
 > Read this when starting a new session, onboarding someone, or after a long break.
 > Everything the system does, how the pieces connect, and why decisions were made the way they were.
 
 ---
 
-## What Is Nexus?
+## What Is Morpheus?
 
-Nexus is a **multi-tenant RAG (Retrieval-Augmented Generation) platform**.
+Morpheus is a **multi-tenant RAG (Retrieval-Augmented Generation) platform**.
 
-Users upload PDF documents. They ask questions in natural language. Nexus finds the most relevant passages and uses an AI to generate accurate, streamed answers with source citations.
+Users upload PDF documents. They ask questions in natural language. Morpheus finds the most relevant passages and uses an AI to generate accurate, streamed answers with source citations.
 
 **What makes it non-trivial:**
 - Each user sees only their own documents, enforced at the database level (RLS)
@@ -26,7 +28,7 @@ Users upload PDF documents. They ask questions in natural language. Nexus finds
 ## Project Structure
 
 ```
-nexus/
+morpheus/
 ├── backend/
 │   ├── main.py                  FastAPI app, CORS, rate limiter, Celery lifespan
 │   ├── api/
@@ -363,7 +365,7 @@ After classification, the winning category's centroid is updated with this docum
 
 ## The Three Self-Improvement Loops
 
-Nexus has three feedback loops that make it more accurate over time:
+Morpheus has three feedback loops that make it more accurate over time:
 
 **Loop 1 — Intent classifier (every 25 queries)**
 User queries logged to `intent_feedback`. Every 25 new rows, the model retrains automatically and saves to disk. Learns the specific query patterns of your users.

Dockerfile

@@ -1,16 +1,16 @@
 # 1. Use an official lightweight Python image
-FROM python:3.10-slim
+FROM python:3.11-slim
 
 # 2. Install system dependencies required for 'unstructured' PDF OCR
 RUN apt-get update && apt-get install -y \
-    tesseract-ocr \
-    poppler-utils \
-    libmagic-dev \
-    libgl1 \
-    libglib2.0-0 \
-    libgomp1 \
-    libgthread-2.0-0 \
-    && rm -rf /var/lib/apt/lists/*
+  tesseract-ocr \
+  poppler-utils \
+  libmagic-dev \
+  libgl1 \
+  libglib2.0-0 \
+  libgomp1 \
+  libgthread-2.0-0 \
+  && rm -rf /var/lib/apt/lists/*
 
 # 3. Create a non-root user (Required by Hugging Face for security)
 RUN useradd -m -u 1000 user
@@ -31,10 +31,10 @@ COPY --chown=user:user . .
 ARG PREBUILD_ML_ASSETS=1
 ARG NEXUS_BUILD_ASSETS_MODE=light
 RUN if [ "$PREBUILD_ML_ASSETS" = "1" ]; then \
-      NEXUS_BUILD_ASSETS_MODE=$NEXUS_BUILD_ASSETS_MODE python -m backend.core.build_ml_assets ; \
-    else \
-      echo "Skipping ML asset pre-build"; \
-    fi
+  NEXUS_BUILD_ASSETS_MODE=$NEXUS_BUILD_ASSETS_MODE python -m backend.core.build_ml_assets ; \
+  else \
+  echo "Skipping ML asset pre-build"; \
+  fi
 
 # 8. Start FastAPI (7860 is the HF standard, but Railway uses $PORT)
 ENV PORT=7860

README.md

@@ -1,5 +1,5 @@
 ---
-title: Nexus RAG
+title: Morpheus RAG
 emoji: 🧠
 colorFrom: green
 colorTo: blue
@@ -8,7 +8,9 @@ app_port: 7860
 pinned: false
 ---
 
-# Nexus — Multimodal RAG Engine
+# Morpheus
+
+> Ask anything. Your documents answer.
 
 A multi-tenant Retrieval-Augmented Generation platform. Upload PDFs, ask questions in natural language, get accurate answers with source citations — streamed token by token, scoped strictly to your documents.
 
@@ -26,7 +28,7 @@ A multi-tenant Retrieval-Augmented Generation platform. Upload PDFs, ask questio
 ## Project Structure
 
 ```
-nexus/
+morpheus/
 ├── backend/
 │   ├── main.py                  FastAPI entry point, rate limiter, Celery lifespan
 │   ├── api/
@@ -87,8 +89,8 @@ nexus/
 ### 2. Clone and install
 
 ```bash
-git clone https://github.com/your-username/nexus.git
-cd nexus
+git clone https://github.com/your-username/morpheus.git
+cd morpheus
 python -m venv .venv
 source .venv/bin/activate  # Windows: .venv\Scripts\activate
 pip install -r requirements.txt
@@ -146,10 +148,10 @@ Create a user account via Supabase Auth (Auth → Users → Invite), then sign i
 
 ```bash
 # Downloads embedding model, trains intent classifier
-NEXUS_BUILD_ASSETS_MODE=full python -m backend.core.build_ml_assets
+Morpheus_BUILD_ASSETS_MODE=full python -m backend.core.build_ml_assets
 
 # Downloads embedding model only (faster, recommended for first run)
-NEXUS_BUILD_ASSETS_MODE=light python -m backend.core.build_ml_assets
+Morpheus_BUILD_ASSETS_MODE=light python -m backend.core.build_ml_assets
 ```
 
 ### 8. Seed the document classifier (after your first ingestion)
@@ -166,8 +168,8 @@ curl -X POST http://localhost:8000/api/v1/admin/warmup \
 Build and run the full stack as a single container:
 
 ```bash
-docker build -t nexus-rag .
-docker run -p 8000:7860 --env-file .env nexus-rag
+docker build -t morpheus-rag .
+docker run -p 8000:7860 --env-file .env morpheus-rag
 ```
 
 > The Dockerfile is configured for HuggingFace Spaces (port 7860, non-root user). For local use, the container maps 8000 → 7860.
@@ -183,14 +185,14 @@ docker run -p 8000:7860 --env-file .env nexus-rag
 3. Render reads `render.yaml` automatically
 4. In the Render dashboard → Environment tab, add all your `.env` values
 5. Add a Redis service: Render → New → Redis (free tier) → copy the internal URL to `REDIS_URL`
-6. Deploy — copy your Render URL (e.g. `https://nexus-api.onrender.com`)
+6. Deploy — copy your Render URL (e.g. `https://morpheus-api.onrender.com`)
 
 ### Frontend → Vercel
 
 1. Update `API_URL` in `frontend/js/config.js` to your Render URL
 2. [vercel.com](https://vercel.com) → New Project → connect your repo
 3. Vercel reads `vercel.json` automatically
-4. Deploy — copy your Vercel URL (e.g. `https://nexus.vercel.app`)
+4. Deploy — copy your Vercel URL (e.g. `https://morpheus.vercel.app`)
 
 ### After both are deployed
 

app.py

@@ -1 +1,4 @@
-from backend.main import app
+# Entry point for deployments that expect app.py at the project root.
+# All app logic lives in backend/main.py — this just re-exports the app object
+# so tools like gunicorn can target either `app:app` or `backend.main:app`.
+from backend.main import app  # noqa: F401

backend/core/auth_utils.py

@@ -19,6 +19,7 @@ from fastapi import Header, HTTPException, status
 
 # ── Low-level JWT helpers ─────────────────────────────────────────────────────
 
+
 def extract_jwt_sub(access_token: str) -> str:
     """
     Extract the Supabase user id (JWT `sub`) while strictly verifying the signature.
@@ -31,28 +32,29 @@ def extract_jwt_sub(access_token: str) -> str:
     import jwt
 
     if not config.SUPABASE_JWT_SECRET:
-        # Fallback to insecure decoding ONLY if secret is missing 
-        # (e.g., local testing without full env)
-        import logging
-        logging.getLogger("nexus.auth").warning("SUPABASE_JWT_SECRET missing! Decoding JWT unsafely.")
-        payload = jwt.decode(access_token, options={"verify_signature": False})
-    else:
-        try:
-            payload = jwt.decode(
-                access_token,
-                key=config.SUPABASE_JWT_SECRET,
-                algorithms=["HS256"],
-                audience="authenticated",
-            )
-        except jwt.ExpiredSignatureError:
-            raise ValueError("JWT has expired")
-        except jwt.InvalidTokenError as e:
-            raise ValueError(f"Invalid JWT signature or payload: {e}")
+        raise RuntimeError(
+            "SUPABASE_JWT_SECRET is not configured. "
+            "Set it in your .env (Supabase → Settings → API → JWT Settings)."
+        )
+
+    try:
+        payload = jwt.decode(
+            access_token,
+            key=config.SUPABASE_JWT_SECRET,
+            algorithms=["HS256"],
+            audience="authenticated",
+        )
+    except jwt.ExpiredSignatureError:
+        raise ValueError("JWT has expired")
+    except jwt.InvalidTokenError as e:
+        raise ValueError(f"Invalid JWT signature or payload: {e}")
 
     # Supabase uses `sub` for the user UUID.
     sub = payload.get("sub") or payload.get("user_id") or payload.get("uid")
     if not sub:
-        raise ValueError("JWT does not contain a user id claim (`sub` / `uid` / `user_id`).")
+        raise ValueError(
+            "JWT does not contain a user id claim (`sub` / `uid` / `user_id`)."
+        )
 
     return str(sub)
 
@@ -63,12 +65,14 @@ def safe_extract_jwt_sub(access_token: Optional[str]) -> Optional[str]:
         return extract_jwt_sub(access_token) if access_token else None
     except Exception as e:
         import logging
-        logging.getLogger("nexus.auth").debug("JWT extraction failed: %s", e)
+
+        logging.getLogger("morpheus.auth").debug("JWT extraction failed: %s", e)
         return None
 
 
 # ── FastAPI dependency ────────────────────────────────────────────────────────
 
+
 async def require_auth_token(
     x_auth_token: Optional[str] = Header(default=None, alias="X-Auth-Token"),
 ) -> str:
@@ -100,4 +104,4 @@ async def require_auth_token(
             headers={"WWW-Authenticate": "Bearer"},
         )
 
-    return user_id
+    return user_id

backend/core/cache_manager.py

@@ -21,7 +21,7 @@ import os
 import time
 from typing import Any, Dict, List, Optional
 
-log = logging.getLogger("nexus.cache")
+log = logging.getLogger("morpheus.cache")
 
 # ── Config ────────────────────────────────────────────────────────────────────
 TTL_BY_DOCTYPE = {
@@ -45,8 +45,8 @@ SHAREABLE_TYPES = {
     "reference_chart",
 }
 
-PREFIX_CACHE = "nexus:qcache"
-PREFIX_VERSION = "nexus:kb_version"
+PREFIX_CACHE = "morpheus:qcache"
+PREFIX_VERSION = "morpheus:kb_version"
 
 
 def _get_redis():

backend/main.py

@@ -4,6 +4,7 @@ backend/main.py — FastAPI entry point.
 Local:       uvicorn backend.main:app --reload --port 8000
 Production:  gunicorn -w 1 -k uvicorn.workers.UvicornWorker backend.main:app --bind 0.0.0.0:$PORT --timeout 120
 """
+
 import os
 import sys
 from slowapi import Limiter, _rate_limit_exceeded_handler
@@ -31,13 +32,12 @@ from dotenv import load_dotenv  # noqa: E402
 
 load_dotenv()
 
-from backend.api import auth, corpus, ingest, query, admin,frontend_config  # noqa: E402
+from backend.api import auth, corpus, ingest, query, admin, frontend_config  # noqa: E402
 from backend.core.intent_classifier import get_intent_classifier_status  # noqa: E402
 
 log = logging.getLogger("morpheus.main")
 
 
-
 @asynccontextmanager
 async def lifespan(app: FastAPI):
     log.info("MORPHEUS API starting")
@@ -47,13 +47,18 @@ async def lifespan(app: FastAPI):
     celery_process = None
     if os.getenv("AUTO_START_CELERY", "true").lower() == "true":
         try:
-            celery_process = subprocess.Popen([
-                sys.executable, "-m", "celery",
-                "-A", "backend.core.tasks",
-                "worker",
-                "--pool=solo",
-                "--loglevel=info",
-            ])
+            celery_process = subprocess.Popen(
+                [
+                    sys.executable,
+                    "-m",
+                    "celery",
+                    "-A",
+                    "backend.core.tasks",
+                    "worker",
+                    "--pool=solo",
+                    "--loglevel=info",
+                ]
+            )
             log.info("Celery worker auto-started (PID %s)", celery_process.pid)
         except Exception as exc:
             log.warning("Could not auto-start Celery worker: %s", exc)
@@ -73,26 +78,36 @@ async def lifespan(app: FastAPI):
 
 
 app = FastAPI(
-    title="Morpheus RAG API", version="1.0.0", lifespan=lifespan,
-    docs_url  = "/docs"  if os.getenv("DOCS_ENABLED", "true").lower() == "true" else None,
-    redoc_url = "/redoc" if os.getenv("DOCS_ENABLED", "true").lower() == "true" else None,
+    title="Morpheus RAG API",
+    version="1.0.0",
+    lifespan=lifespan,
+    docs_url="/docs" if os.getenv("DOCS_ENABLED", "true").lower() == "true" else None,
+    redoc_url="/redoc" if os.getenv("DOCS_ENABLED", "true").lower() == "true" else None,
 )
 
 # ── Rate limiting ─────────────────────────────────────────────────────────────
 app.state.limiter = limiter
 app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
 
-_origins = [o.strip() for o in os.getenv("ALLOWED_ORIGINS", "*").split(",") if o.strip()]
-app.add_middleware(CORSMiddleware, allow_origins=_origins,
-                   allow_credentials=True, allow_methods=["*"], allow_headers=["*"])
+_origins = [
+    o.strip() for o in os.getenv("ALLOWED_ORIGINS", "*").split(",") if o.strip()
+]
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=_origins,
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
 
-app.include_router(auth.router,   prefix="/api/v1/auth",   tags=["auth"])
+app.include_router(auth.router, prefix="/api/v1/auth", tags=["auth"])
 app.include_router(corpus.router, prefix="/api/v1/corpus", tags=["corpus"])
 app.include_router(ingest.router, prefix="/api/v1/ingest", tags=["ingest"])
-app.include_router(query.router,  prefix="/api/v1/query",  tags=["query"])
-app.include_router(admin.router,  prefix="/api/v1/admin",  tags=["admin"])
+app.include_router(query.router, prefix="/api/v1/query", tags=["query"])
+app.include_router(admin.router, prefix="/api/v1/admin", tags=["admin"])
 app.include_router(frontend_config.router, prefix="/api/v1/config", tags=["config"])
 
+
 @app.get("/health")
 def health():
     return {"status": "healthy"}
@@ -105,10 +120,12 @@ def health_details():
         "intent_classifier": get_intent_classifier_status(),
     }
 
+
 @app.get("/api/status")
 def status():
     return {"status": "ok", "service": "Morpheus RAG API", "version": "1.0.0"}
 
+
 # ── Static Frontend ───────────────────────────────────────────────────────────
 # Mount the entire frontend folder at the root of the app so it serves the index.html.
 # This makes it a self-contained single-container app for deployment.
@@ -120,9 +137,8 @@ if os.path.isdir(frontend_path):
 else:
     log.warning("Frontend directory not found at %s. API-only mode.", frontend_path)
 
-app.mount("/css", StaticFiles(directory="frontend/css"), name="css")
-app.mount("/js",  StaticFiles(directory="frontend/js"),  name="js")
+# /css and /js are already served by the root StaticFiles mount above.
+# Separate mounts removed to avoid routing conflicts.
 
-@app.get("/")
-async def serve_index():
-    return FileResponse("frontend/index.html")
+# Note: StaticFiles(html=True) above already serves frontend/index.html for GET /
+# The explicit route below is intentionally removed to avoid a dead route.

render.yaml

@@ -1,24 +1,74 @@
 services:
   - type: web
-    name: nexus-api
+    name: morpheus-api
     runtime: python
-    buildCommand: pip install -r backend/requirements.txt
+    buildCommand: pip install -r requirements.txt
     startCommand: gunicorn -w 1 -k uvicorn.workers.UvicornWorker backend.main:app --bind 0.0.0.0:$PORT --timeout 120
     envVars:
       - key: OPENROUTER_API_KEY
-        sync: false          # set manually in Render dashboard
+        sync: false
       - key: SUPABASE_URL
         sync: false
       - key: SUPABASE_SERVICE_KEY
         sync: false
+      - key: SUPABASE_ANON_KEY
+        sync: false
+      - key: SUPABASE_JWT_SECRET
+        sync: false
+      - key: GROQ_API_KEY
+        sync: false
+      - key: GEMINI_API_KEY
+        sync: false
       - key: COHERE_API_KEY
         sync: false
       - key: MASTER_ADMIN_KEY
         sync: false
+      - key: REDIS_URL
+        fromService:
+          name: morpheus-redis
+          type: redis
+          property: connectionString
       - key: ALLOWED_ORIGINS
-        value: "https://your-nexus.vercel.app"   # ← update after Vercel deploy
+        value: "https://your-morpheus.vercel.app"
       - key: DOCS_ENABLED
         value: "false"
       - key: LOG_LEVEL
         value: "INFO"
+      - key: AUTO_START_CELERY
+        value: "false"
     healthCheckPath: /health
+
+  - type: worker
+    name: morpheus-celery
+    runtime: python
+    buildCommand: pip install -r requirements.txt
+    startCommand: python -m celery -A backend.core.tasks worker --pool=solo --loglevel=info
+    envVars:
+      - key: OPENROUTER_API_KEY
+        sync: false
+      - key: SUPABASE_URL
+        sync: false
+      - key: SUPABASE_SERVICE_KEY
+        sync: false
+      - key: SUPABASE_ANON_KEY
+        sync: false
+      - key: SUPABASE_JWT_SECRET
+        sync: false
+      - key: GROQ_API_KEY
+        sync: false
+      - key: GEMINI_API_KEY
+        sync: false
+      - key: COHERE_API_KEY
+        sync: false
+      - key: REDIS_URL
+        fromService:
+          name: morpheus-redis
+          type: redis
+          property: connectionString
+      - key: LOG_LEVEL
+        value: "INFO"
+
+databases:
+  - type: redis
+    name: morpheus-redis
+    plan: free