trycompai · Marfuen · Dec 4, 2025 · Dec 2, 2025 · Dec 3, 2025 · Dec 3, 2025
diff --git a/.env.example b/.env.example
@@ -3,11 +3,11 @@ AUTH_SECRET="" # openssl rand -base64 32
 DATABASE_URL="" # Format: "postgresql://postgres:pass@127.0.0.1:5432/comp"
 RESEND_DOMAIN="" # Domain configured in Resend, e.g. mail.trycomp.ai
 RESEND_API_KEY="" # API key from Resend for email authentication / invites
-RESEND_FROM_MARKETING="Lewis Carhart <lewis@mail.trycomp.ai>"
-RESEND_FROM_SYSTEM="Comp AI <mail@mail.trycomp.ai>"
-RESEND_FROM_DEFAULT="Comp AI <mail@mail.trycomp.ai>"
-RESEND_TO_TEST="mail@mail.trycomp.ai"
-RESEND_REPLY_TO_MARKETING="lewis@mail.trycomp.ai"
+RESEND_FROM_MARKETING=""
+RESEND_FROM_SYSTEM=""
+RESEND_FROM_DEFAULT=""
+RESEND_TO_TEST=""
+RESEND_REPLY_TO_MARKETING=""
 REVALIDATION_SECRET="" # openssl rand -base64 32
 NEXT_PUBLIC_PORTAL_URL="http://localhost:3002" # The employee portal uses port 3002 by default
 

diff --git a/.github/workflows/trigger-api-tasks-deploy-main.yml b/.github/workflows/trigger-api-tasks-deploy-main.yml
@@ -0,0 +1,42 @@
+name: Deploy API to Trigger.dev (dev)
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: warp-ubuntu-latest-arm64-4x
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22.x" # Updated to match Node.js w/ Vercel
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+      - name: Clear cache
+        run: rm -rf node_modules .bun
+      - name: Install dependencies
+        run: bun install --frozen-lockfile || bun install --frozen-lockfile --ignore-scripts
+      - name: Install DB package dependencies
+        working-directory: ./packages/db
+        run: bun install --frozen-lockfile --ignore-scripts
+      - name: Build DB package
+        working-directory: ./packages/db
+        run: bun run build
+      - name: Copy schema to api and generate client
+        working-directory: ./apps/api
+        run: |
+          mkdir -p prisma
+          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
+          bunx prisma generate
+      - name: 🚀 Deploy Trigger.dev
+        working-directory: ./apps/api
+        timeout-minutes: 20
+        env:
+          TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}
+        run: bunx trigger.dev@4.0.6 deploy --env staging --log-level debug
diff --git a/.github/workflows/trigger-api-tasks-deploy-release.yml b/.github/workflows/trigger-api-tasks-deploy-release.yml
@@ -0,0 +1,46 @@
+name: Deploy API to Trigger.dev (prod)
+
+on:
+  push:
+    branches:
+      - release
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: warp-ubuntu-latest-arm64-4x
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install dependencies
+        run: bun install --frozen-lockfile || bun install --frozen-lockfile --ignore-scripts
+      - name: Install DB package dependencies
+        working-directory: ./packages/db
+        run: bun install --frozen-lockfile --ignore-scripts
+
+      - name: Build DB package
+        working-directory: ./packages/db
+        run: bun run build
+
+      - name: Copy schema to api and generate client
+        working-directory: ./apps/api
+        run: |
+          mkdir -p prisma
+          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
+          bunx prisma generate
+
+      - name: 🚀 Deploy Trigger.dev
+        working-directory: ./apps/api
+        env:
+          TRIGGER_ACCESS_TOKEN: ${{ secrets.TRIGGER_ACCESS_TOKEN }}
+        run: bunx trigger.dev@4.0.6 deploy
diff --git a/SELF_HOSTING.md b/SELF_HOSTING.md
@@ -46,7 +46,7 @@ App (`apps/app`):
 - **APP_AWS_REGION**, **APP_AWS_ACCESS_KEY_ID**, **APP_AWS_SECRET_ACCESS_KEY**, **APP_AWS_BUCKET_NAME**: AWS S3 credentials for file storage (attachments, general uploads).
 - **APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET**: AWS S3 bucket name specifically for questionnaire file uploads. Required for the Security Questionnaire feature. If not set, users will see an error when trying to parse questionnaires.
 - **APP_AWS_KNOWLEDGE_BASE_BUCKET**: AWS S3 bucket name specifically for knowledge base documents. Required for the Knowledge Base feature in Security Questionnaire. If not set, users will see an error when trying to upload knowledge base documents.
-- **APP_AWS_ORG_ASSETS_BUCKET**: AWS S3 bucket name for organization static assets (e.g., company logos). Required for logo uploads in organization settings. If not set, logo upload will fail.
+- **APP_AWS_ORG_ASSETS_BUCKET**: AWS S3 bucket name for organization static assets (e.g., company logos, compliance certificates). Required for logo uploads in organization settings and Trust Portal compliance certificate uploads. If not set, these features will fail.
 - **OPENAI_API_KEY**: Enables AI features that call OpenAI models.
 - **UPSTASH_REDIS_REST_URL**, **UPSTASH_REDIS_REST_TOKEN**: Optional Redis (Upstash) used for rate limiting/queues/caching.
 - **NEXT_PUBLIC_POSTHOG_KEY**, **NEXT_PUBLIC_POSTHOG_HOST**: Client analytics via PostHog; leave unset to disable.
@@ -59,6 +59,17 @@ App (`apps/app`):
 - **GA4_API_SECRET**, **GA4_MEASUREMENT_ID**: Google Analytics 4 server/client tracking.
 - **NEXT_PUBLIC_API_URL**: Override client API base URL (defaults to same origin).
 
+API (`apps/api`):
+
+- **APP_AWS_REGION**, **APP_AWS_ACCESS_KEY_ID**, **APP_AWS_SECRET_ACCESS_KEY**, **APP_AWS_BUCKET_NAME**: AWS S3 credentials for file storage (attachments, general uploads).
+- **APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET**: AWS S3 bucket name specifically for questionnaire file uploads. Required for the Security Questionnaire feature.
+- **APP_AWS_KNOWLEDGE_BASE_BUCKET**: AWS S3 bucket name specifically for knowledge base documents. Required for the Knowledge Base feature in Security Questionnaire.
+- **APP_AWS_ORG_ASSETS_BUCKET**: AWS S3 bucket name for organization static assets (e.g., company logos, compliance certificates). Required for Trust Portal compliance certificate uploads and organization logo uploads. If not set, these features will fail.
+- **OPENAI_API_KEY**: Enables AI features that call OpenAI models.
+- **UPSTASH_VECTOR_REST_URL**, **UPSTASH_VECTOR_REST_TOKEN**: Required for vector database operations (questionnaire auto-answer, SOA auto-fill, knowledge base search).
+- **BETTER_AUTH_URL**: URL of the Better Auth instance (usually the same as the app URL).
+- **DATABASE_URL**: PostgreSQL database connection string.
+
 Portal (`apps/portal`):
 
 - **NEXT_PUBLIC_POSTHOG_KEY**, **NEXT_PUBLIC_POSTHOG_HOST**: Client analytics via PostHog for portal.

diff --git a/apps/api/.env.example b/apps/api/.env.example
@@ -0,0 +1,26 @@
+BASE_URL="http://localhost:3333"
+BETTER_AUTH_URL="http://localhost:3000"
+PORT="3333"
+
+APP_AWS_BUCKET_NAME=
+APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET=
+APP_AWS_KNOWLEDGE_BASE_BUCKET=
+APP_AWS_REGION=
+APP_AWS_ACCESS_KEY_ID=
+APP_AWS_SECRET_ACCESS_KEY=
+APP_AWS_ORG_ASSETS_BUCKET=
+
+DATABASE_URL=
+
+
+# Upstash
+UPSTASH_REDIS_REST_URL=
+UPSTASH_REDIS_REST_TOKEN=
+
+UPSTASH_VECTOR_REST_URL=
+UPSTASH_VECTOR_REST_TOKEN=
+
+# Trigger
+TRIGGER_SECRET_KEY=
+
+OPENAI_API_KEY=