Merge pull request #90: Refactor compute architecture with workerized ONNX PDF/Whisper pipeline

- Monorepo Architecture: Separates processing into compute/core and compute/worker Fastify service.
- NATS JetStream: Migrates processing queues to NATS JetStream with lazy connection and 120s idle sleep for Railway.
- ONNX PDF Layout: Upgrades to PP-DocLayout-V3 with block overlay UI, force reparse, and block-level skip playback rules.
- ONNX Whisper Alignment: Replaces whisper.cpp with a pure JS ONNX alignment decoder.
- Onboarding Coordinator: Integrates OnboardingFlowContext to manage sequential modals (Privacy, Claim Guest Data, Dexie Cloud Migration).
- Database Schema: Adds documentSettings table and tracks parsing stages (parseState, parsedJsonKey) in the documents table.
- Error Contracts: Standardizes API endpoints on ServerAppError responses.

Author: richardr1126

.env.example

@@ -1,4 +1,10 @@
 
+# Logging
+# pretty (default): human-readable logs
+# json: structured logs for log platforms
+# LOG_FORMAT=pretty
+# LOG_LEVEL=info
+
 # Local / OpenAI TTS API Configuration (default)
 # Suggest using https://github.com/remsky/Kokoro-FastAPI
 #
@@ -77,22 +83,52 @@ RUN_FS_MIGRATIONS=
 IMPORT_LIBRARY_DIR=
 IMPORT_LIBRARY_DIRS=
 
-# (Required without Docker) Path to your local whisper.cpp CLI binary for STT timestamp generation
-WHISPER_CPP_BIN=/whisper.cpp/build/bin/whisper-cli
+# Compute
+# Embedded/local (default): leave COMPUTE_WORKER_URL empty.
+# External worker: set COMPUTE_WORKER_URL + COMPUTE_WORKER_TOKEN.
+# External worker split:
+# - App side (this root `.env`): set only routing/auth + shared timeout/stale overrides.
+# - Worker side (`compute/worker/.env*` or worker platform env): set NATS_*, S3_*, model base URLs, and worker tuning.
+# Details: docs/deploy/compute-worker
+# COMPUTE_WORKER_URL=http://localhost:8081
+# COMPUTE_WORKER_TOKEN=local-compute-token
+# Optional embedded startup controls:
+# EMBEDDED_COMPUTE_WORKER_PORT=8081
+# EMBEDDED_NATS_PORT=4222
+# EMBEDDED_NATS_MONITOR_PORT=8222
+# EMBEDDED_NATS_STORE_DIR=docstore/nats/jetstream
+# `NATS_URL` here is for embedded startup only. In external worker mode, set `NATS_URL` on the worker service env.
+# NATS_URL=nats://127.0.0.1:4222
+# Optional worker log level:
+# COMPUTE_LOG_LEVEL=info
+# Optional shared compute tuning:
+# COMPUTE_JOB_CONCURRENCY=1
+# COMPUTE_WHISPER_TIMEOUT_MS=30000
+# COMPUTE_PDF_TIMEOUT_MS=300000
+# COMPUTE_OP_STALE_MS=1800000
+
+# Optional Whisper ONNX base URL override (must contain all expected files)
+# Default expected Whisper variant is q4:
+# - onnx/encoder_model_q4.onnx
+# - onnx/decoder_model_merged_q4.onnx
+# - onnx/decoder_with_past_model_q4.onnx
+# WHISPER_MODEL_BASE_URL=https://huggingface.co/onnx-community/whisper-base_timestamped/resolve/main
+
+# Optional PDF layout ONNX base URL override (must contain all expected files)
+# PDF_LAYOUT_MODEL_BASE_URL=https://huggingface.co/Bei0001/PP-DocLayoutV3-ONNX/resolve/main
 
 # (Optional) Override ffmpeg binary path used for audiobook processing
 FFMPEG_BIN=
 
 # (Optional) Client feature flags — seeded into the admin-managed runtime
 # config on first boot, then ignored. Edit values from Settings → Admin →
 # Site features instead of redeploying. SSR-injected so they take effect
-# without rebuilding (unlike the old NEXT_PUBLIC_* build-time pattern).
-# NEXT_PUBLIC_ENABLE_DOCX_CONVERSION=true
-# NEXT_PUBLIC_ENABLE_DESTRUCTIVE_DELETE_ACTIONS=true
-# NEXT_PUBLIC_ENABLE_TTS_PROVIDERS_TAB=true
-# NEXT_PUBLIC_ENABLE_USER_SIGNUPS=true
-# NEXT_PUBLIC_RESTRICT_USER_API_KEYS=true
-# NEXT_PUBLIC_DEFAULT_TTS_PROVIDER=custom-openai
-# NEXT_PUBLIC_CHANGELOG_FEED_URL=https://docs.openreader.richardr.dev/changelog/manifest.json
-# NEXT_PUBLIC_ENABLE_AUDIOBOOK_EXPORT=true
-# NEXT_PUBLIC_ENABLE_WORD_HIGHLIGHT=true
+# without rebuilding (unlike the old build-time public-env pattern).
+# RUNTIME_SEED_ENABLE_DOCX_CONVERSION=true
+# RUNTIME_SEED_ENABLE_DESTRUCTIVE_DELETE_ACTIONS=true
+# RUNTIME_SEED_ENABLE_TTS_PROVIDERS_TAB=true
+# RUNTIME_SEED_ENABLE_USER_SIGNUPS=true
+# RUNTIME_SEED_RESTRICT_USER_API_KEYS=true
+# RUNTIME_SEED_DEFAULT_TTS_PROVIDER=custom-openai
+# RUNTIME_SEED_CHANGELOG_FEED_URL=https://docs.openreader.richardr.dev/changelog/manifest.json
+# RUNTIME_SEED_ENABLE_AUDIOBOOK_EXPORT=true

.github/workflows/docker-publish.yml

@@ -22,30 +22,17 @@ jobs:
   prepare:
     runs-on: ubuntu-24.04
     outputs:
-      image_name: ${{ steps.image-name.outputs.image_name }}
-      legacy_image_name: ${{ steps.image-name.outputs.legacy_image_name }}
-      tags: ${{ steps.meta.outputs.tags }}
-      labels: ${{ steps.meta.outputs.labels }}
+      web_image_name: ${{ steps.image-name.outputs.web_image_name }}
+      web_legacy_image_name: ${{ steps.image-name.outputs.web_legacy_image_name }}
+      compute_worker_image_name: ${{ steps.image-name.outputs.compute_worker_image_name }}
     steps:
       - name: Compute Docker image names
         id: image-name
         run: |
           owner="${GITHUB_REPOSITORY_OWNER,,}"
-          echo "image_name=${owner}/openreader" >> "$GITHUB_OUTPUT"
-          echo "legacy_image_name=${owner}/openreader-webui" >> "$GITHUB_OUTPUT"
-
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@v6
-        with:
-          images: |
-            ${{ env.REGISTRY }}/${{ steps.image-name.outputs.image_name }}
-            ${{ env.REGISTRY }}/${{ steps.image-name.outputs.legacy_image_name }}
-          tags: |
-            type=raw,value=latest,enable=${{ (github.event_name == 'push' && !contains(github.ref, '-pre')) || (github.event_name == 'workflow_dispatch' && inputs.use_latest_tag == true) }},priority=1000
-            type=semver,pattern={{version}}
-            type=ref,event=tag
-            type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' && inputs.use_latest_tag != true }}
+          echo "web_image_name=${owner}/openreader" >> "$GITHUB_OUTPUT"
+          echo "web_legacy_image_name=${owner}/openreader-webui" >> "$GITHUB_OUTPUT"
+          echo "compute_worker_image_name=${owner}/openreader-compute-worker" >> "$GITHUB_OUTPUT"
 
   build:
     needs: prepare
@@ -58,12 +45,30 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - arch: amd64
+          - image_target: web
+            arch: amd64
             platform: linux/amd64
             runner: ubuntu-24.04
-          - arch: arm64
+            context: .
+            dockerfile: ./Dockerfile
+          - image_target: web
+            arch: arm64
             platform: linux/arm64
             runner: ubuntu-24.04-arm
+            context: .
+            dockerfile: ./Dockerfile
+          - image_target: compute-worker
+            arch: amd64
+            platform: linux/amd64
+            runner: ubuntu-24.04
+            context: .
+            dockerfile: ./compute/worker/Dockerfile
+          - image_target: compute-worker
+            arch: arm64
+            platform: linux/arm64
+            runner: ubuntu-24.04-arm
+            context: .
+            dockerfile: ./compute/worker/Dockerfile
 
     steps:
       - name: Checkout repository
@@ -82,46 +87,63 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push Docker image (${{ matrix.arch }})
+      - name: Select image name
+        id: image
+        run: |
+          if [ "${{ matrix.image_target }}" = "web" ]; then
+            echo "image_name=${{ needs.prepare.outputs.web_image_name }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "image_name=${{ needs.prepare.outputs.compute_worker_image_name }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Build and push Docker image (${{ matrix.image_target }} / ${{ matrix.arch }})
         id: build
         uses: docker/build-push-action@v7
         with:
-          context: .
+          context: ${{ matrix.context }}
+          file: ${{ matrix.dockerfile }}
           platforms: ${{ matrix.platform }}
-          labels: ${{ needs.prepare.outputs.labels }}
-          cache-from: type=gha,scope=${{ matrix.arch }}
-          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
+          cache-from: type=gha,scope=${{ matrix.image_target }}-${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=${{ matrix.image_target }}-${{ matrix.arch }}
           provenance: false
-          outputs: type=image,name=${{ env.REGISTRY }}/${{ needs.prepare.outputs.image_name }},push-by-digest=true,name-canonical=true,push=true
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ steps.image.outputs.image_name }},push-by-digest=true,name-canonical=true,push=true
 
       - name: Export digest
         run: |
-          mkdir -p /tmp/digests
+          mkdir -p /tmp/digests/${{ matrix.image_target }}
           digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
+          touch "/tmp/digests/${{ matrix.image_target }}/${digest#sha256:}"
 
       - name: Upload digest
         uses: actions/upload-artifact@v7
         with:
-          name: digests-${{ matrix.arch }}
-          path: /tmp/digests
+          name: digests-${{ matrix.image_target }}-${{ matrix.arch }}
+          path: /tmp/digests/${{ matrix.image_target }}
           if-no-files-found: error
           retention-days: 1
 
   merge:
     needs: [prepare, build]
-    runs-on: ubuntu-24.04
+    runs-on: ${{ matrix.runner }}
     permissions:
       actions: read
       contents: read
       packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - image_target: web
+            runner: ubuntu-24.04
+          - image_target: compute-worker
+            runner: ubuntu-24.04
 
     steps:
       - name: Download digests
         uses: actions/download-artifact@v8
         with:
-          path: /tmp/digests
-          pattern: digests-*
+          path: /tmp/digests/${{ matrix.image_target }}
+          pattern: digests-${{ matrix.image_target }}-*
           merge-multiple: true
 
       - name: Set up Docker Buildx
@@ -134,20 +156,46 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Select image names
+        id: image
+        run: |
+          if [ "${{ matrix.image_target }}" = "web" ]; then
+            echo "image_name=${{ needs.prepare.outputs.web_image_name }}" >> "$GITHUB_OUTPUT"
+            echo "metadata_images<<EOF" >> "$GITHUB_OUTPUT"
+            echo "${{ env.REGISTRY }}/${{ needs.prepare.outputs.web_image_name }}" >> "$GITHUB_OUTPUT"
+            echo "${{ env.REGISTRY }}/${{ needs.prepare.outputs.web_legacy_image_name }}" >> "$GITHUB_OUTPUT"
+            echo "EOF" >> "$GITHUB_OUTPUT"
+          else
+            echo "image_name=${{ needs.prepare.outputs.compute_worker_image_name }}" >> "$GITHUB_OUTPUT"
+            echo "metadata_images=${{ env.REGISTRY }}/${{ needs.prepare.outputs.compute_worker_image_name }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ steps.image.outputs.metadata_images }}
+          tags: |
+            type=raw,value=latest,enable=${{ (github.event_name == 'push' && !contains(github.ref, '-pre')) || (github.event_name == 'workflow_dispatch' && inputs.use_latest_tag == true) }},priority=1000
+            type=semver,pattern={{version}}
+            type=ref,event=tag
+            type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' && inputs.use_latest_tag != true }}
+
       - name: Create manifest list and push
-        working-directory: /tmp/digests
+        working-directory: /tmp/digests/${{ matrix.image_target }}
         run: |
           docker buildx imagetools create \
             $(echo "$TAGS" | xargs -I {} echo -t {}) \
-            $(printf '${{ env.REGISTRY }}/${{ needs.prepare.outputs.image_name }}@sha256:%s ' *)
+            $(printf '${{ env.REGISTRY }}/${{ steps.image.outputs.image_name }}@sha256:%s ' *)
         env:
-          TAGS: ${{ needs.prepare.outputs.tags }}
+          TAGS: ${{ steps.meta.outputs.tags }}
 
       - name: Output build information
         run: |
-          echo "✅ Docker images built and pushed successfully!"
+          echo "✅ Docker image built and pushed successfully!"
+          echo "🐋 Target: ${{ matrix.image_target }}"
           echo "🐋 Images:"
-          echo '${{ needs.prepare.outputs.tags }}' | sed 's/^/  - /'
+          echo '${{ steps.meta.outputs.tags }}' | sed 's/^/  - /'
           echo "📝 Event: ${{ github.event_name }}"
           if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
             echo "📝 Triggered by manual workflow dispatch on branch: ${{ github.ref_name }}"

.github/workflows/playwright.yml

@@ -34,8 +34,19 @@ jobs:
         sudo install -m 0755 ./weed /usr/local/bin/weed
         rm -f ./weed
         weed version
+    - name: Install NATS server binary
+      run: |
+        curl -fsSL -o /tmp/nats-server.tar.gz \
+          https://github.com/nats-io/nats-server/releases/download/v2.12.1/nats-server-v2.12.1-linux-amd64.tar.gz
+        tar -xzf /tmp/nats-server.tar.gz -C /tmp
+        sudo install -m 0755 /tmp/nats-server-v2.12.1-linux-amd64/nats-server /usr/local/bin/nats-server
+        nats-server -v
     - name: Install dependencies
       run: pnpm install --frozen-lockfile
+    - name: Build app and enforce bundle guard
+      run: |
+        pnpm build
+        pnpm build:bundle-guard
     - name: Verify ffprobe
       run: ffprobe -version
     - name: Install Playwright Browsers

.gitignore

@@ -33,7 +33,9 @@ yarn-error.log*
 
 # env files (can opt-in for committing if needed)
 .env
+.env.prod
 .dockerignore
+*.creds
 
 # vercel
 .vercel

Dockerfile

@@ -1,24 +1,14 @@
-# Stage 1: build whisper.cpp (no model download – the app handles that)
-FROM alpine:3.23 AS whisper-builder
-
-RUN apk add --no-cache git cmake build-base
-
-WORKDIR /opt
-
-ARG TARGETARCH
-
-RUN git clone --depth 1 https://github.com/ggml-org/whisper.cpp.git && \
-    cd whisper.cpp && \
-    cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DGGML_NATIVE=OFF $( [ "$TARGETARCH" = "arm64" ] && echo "-DGGML_CPU_ARM_ARCH=armv8-a" || true ) && \
-    cmake --build build -j
-
-# Stage 1b: extract seaweedfs weed binary (for optional embedded weed mini)
+# Stage 1: extract seaweedfs weed binary (for optional embedded weed mini)
 # Pin to 4.18 because CI observed upload regressions on 4.19.
 FROM chrislusf/seaweedfs:4.18 AS seaweedfs-builder
 RUN cp "$(command -v weed)" /tmp/weed && \
     (wget -qO /tmp/SeaweedFS-LICENSE.txt "https://raw.githubusercontent.com/seaweedfs/seaweedfs/master/LICENSE" || \
      wget -qO /tmp/SeaweedFS-LICENSE.txt "https://raw.githubusercontent.com/seaweedfs/seaweedfs/main/LICENSE")
 
+# Stage 1b: extract nats-server binary for embedded single-container worker mode.
+FROM nats:2.11-alpine AS nats-builder
+RUN cp "$(command -v nats-server)" /tmp/nats-server
+
 
 # Stage 2: build the Next.js app
 FROM node:lts-alpine AS app-builder
@@ -29,8 +19,10 @@ RUN npm install -g pnpm@11.1.2
 # Create app directory
 WORKDIR /app
 
-# Copy package files
+# Copy workspace manifests needed for dependency installation
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY compute/core/package.json ./compute/core/package.json
+COPY compute/worker/package.json ./compute/worker/package.json
 
 # Install dependencies
 RUN pnpm install --frozen-lockfile
@@ -59,29 +51,30 @@ FROM node:lts-alpine AS runner
 # ffmpeg is provided by ffmpeg-static from node_modules.
 RUN apk add --no-cache ca-certificates libreoffice-writer
 
-# Install pnpm globally for running the app
-RUN npm install -g pnpm@11.1.2
+# Install pnpm for runtime process commands.
+RUN npm install -g pnpm@10.33.4
 
 # App runtime directory
 WORKDIR /app
 
-# Copy built app and dependencies from the builder stage
+# Copy built app and runtime files from the builder stage (non-standalone runtime).
 COPY --from=app-builder /app ./
 # Include third-party license report and copied license texts at a stable path in the image.
 COPY --from=app-builder /app/THIRD_PARTY_LICENSES /licenses
 # Include SeaweedFS license text for the copied weed binary.
 COPY --from=seaweedfs-builder /tmp/SeaweedFS-LICENSE.txt /licenses/SeaweedFS-LICENSE.txt
+# Include static model notices for runtime-downloaded assets.
+COPY --from=app-builder /app/compute/core/src/pdf/assets/LICENSE.txt /licenses/pp-doclayoutv3-LICENSE.txt
 
-# Copy the compiled whisper.cpp build output into the runtime image
-# (includes whisper-cli and its shared libraries, e.g. libwhisper.so, libggml.so)
-COPY --from=whisper-builder /opt/whisper.cpp/build /opt/whisper.cpp/build
 # Copy seaweedfs weed binary for optional embedded local S3.
 COPY --from=seaweedfs-builder /tmp/weed /usr/local/bin/weed
 RUN chmod +x /usr/local/bin/weed
+# Copy nats-server binary for embedded local JetStream.
+COPY --from=nats-builder /tmp/nats-server /usr/local/bin/nats-server
+RUN chmod +x /usr/local/bin/nats-server
 
-# Point the app at the compiled whisper-cli binary and ensure its libs are discoverable
-ENV WHISPER_CPP_BIN=/opt/whisper.cpp/build/bin/whisper-cli
-ENV LD_LIBRARY_PATH=/opt/whisper.cpp/build
+# Include OpenAI Whisper license text for runtime-downloaded ONNX artifacts.
+COPY --from=app-builder /app/compute/core/src/whisper/assets/LICENSE.txt /licenses/openai-whisper-LICENSE.txt
 
 # Expose the port the app runs on
 EXPOSE 3003