
Commit 4a01875

Address PR #4142 review comments
- Fix wildcard (*) rendering bug in JWT permissions table
- Clarify ENVIRONMENTS_MANAGEMENT_SECRET_KEY description
- Simplify filesystem storage IMPORTANT admonition
- Un-collapse PostgreSQL compose file for consistency
- Promote MySQL version pinning to WARNING admonition
- Align Redis description with overview diagram label
1 parent 87be074 commit 4a01875

3 files changed

Lines changed: 6 additions & 9 deletions


modules/ROOT/pages/tinymceai-on-premises-database.adoc

Lines changed: 3 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
This page covers the *data layer*: the SQL database, Redis, and file storage. These components must be running and accessible before the AI service container can start — the service connects to them on boot and will not proceed without them.
77

88
* *SQL database*: stores persistent data such as configurations, conversations, files, and documents.
9-
* *Redis*: handles temporary data and inter-instance communication for scaling. When multiple application instances are running, Redis ensures that data is shared correctly across all of them.
9+
* *Redis*: caching and coordination (SSE delivery, rate limits, pub/sub). Enables the AI service to remain stateless.
1010
* *File storage*: stores uploaded files and documents.
1111
1212
Configure the data layer first, then proceed to xref:tinymceai-on-premises-providers.adoc[LLM providers] and xref:tinymceai-on-premises-jwt.adoc[JWT authentication]. For container runtimes, reverse proxies, Transport Layer Security (TLS), Kubernetes, and ECS deployment, see the xref:tinymceai-on-premises-production.adoc[Production deployment guide].
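Review bot: The rewritten Redis bullet drops the one operational fact the old wording carried, namely that Redis is what keeps multiple application instances consistent, and "Enables the AI service to remain stateless" does not say that on its own. Since this page's closing paragraph sends readers on to Kubernetes and ECS deployment, keep a clause tying the two together, for example: `* *Redis*: caching and coordination (SSE delivery, rate limits, pub/sub) shared by every application instance, which is what lets the AI service stay stateless.` The intro sentence above already says the service will not start without Redis, so the bullet need not repeat that, but it should make clear the coordination state (rate limits included) lives in Redis, not in the instance.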
@@ -85,7 +85,7 @@ TIP: Pin specific major versions for all data layer images (`mysql:8.0`, `postgr
8585
[[mysql-version-pinning]]
8686
=== MySQL
8787

88-
Do *not* use `mysql:8`. That tag now floats to the latest MySQL, which removes the `default-authentication-plugin=mysql_native_password` startup flag the AI service relies on. The container crashloops with:
88+
WARNING: Do *not* use `mysql:8`. That tag now floats to the latest MySQL, which removes the `default-authentication-plugin=mysql_native_password` startup flag the AI service relies on. The container crashloops with:
8989

9090
....
9191
[ERROR] [MY-000067] [Server] unknown variable 'default-authentication-plugin=mysql_native_password'.
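Review bot: The new WARNING says which tag not to use but not which one to use; that information only exists in the TIP in this hunk's context (`mysql:8.0`). Because `[[mysql-version-pinning]]` is a link target, readers will arrive at the admonition directly and miss the TIP, so repeat the fix inside it, e.g. append "Pin `mysql:8.0` instead." right after "Do *not* use `mysql:8`." before the sentence that introduces the crashloop output. The explanation of why the floating tag breaks (the `default-authentication-plugin=mysql_native_password` startup flag is gone in newer servers) matches the quoted `unknown variable` error, so the rest of the admonition is consistent.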
@@ -206,8 +206,6 @@ volumes:
206206
----
207207

208208
.PostgreSQL compose file
209-
[%collapsible]
210-
====
211209
[source,yaml]
212210
----
213211
services:
@@ -240,7 +238,6 @@ services:
240238
volumes:
241239
pg_data:
242240
----
243-
====
244241

245242
If using PostgreSQL and not using `DATABASE_SCHEMA=public`, after `docker compose up -d`, create the schema:
246243

@@ -620,7 +617,7 @@ STORAGE_DRIVER=filesystem
620617
STORAGE_LOCATION=/tmp/ai-storage
621618
----
622619

623-
IMPORTANT: The container runs as a non-root user and cannot write under `/var`. Mount a writable volume and point `STORAGE_LOCATION` at the mount point: `-v ./ai-storage:/tmp/ai-storage`.
620+
IMPORTANT: The AI service container runs as a non-root user. Mount a writable volume and point `STORAGE_LOCATION` at the mount path (for example, `-v ./ai-storage:/tmp/ai-storage`).
624621

625622
=== Database
626623
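Review bot: The simplified IMPORTANT admonition now states that the container runs as a non-root user but no longer connects that fact to the instruction that follows, and it omits the step that actually bites people with `-v ./ai-storage:/tmp/ai-storage`: a bind-mounted host directory is created with the host user's (or, if Docker creates it, root's) ownership, so an unprivileged UID inside the container cannot write to it by default and the service fails with permission denied even though the volume is mounted. Either name the UID/GID the image runs as and show the matching `chown` on the host directory, or restore the dropped "cannot write ..." explanation so the reader understands the mount must be writable by that user, not merely present. The default `STORAGE_LOCATION=/tmp/ai-storage` in the context lines also deserves one clause saying that without the mount, uploaded files live in the container's ephemeral filesystem and are lost on restart.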

modules/ROOT/pages/tinymceai-on-premises-jwt.adoc

Lines changed: 2 additions & 2 deletions
@@ -52,7 +52,7 @@ The API Secret is generated when creating an access key inside an environment, i
5252
|===
5353
|Credential |Purpose |Used by
5454
|*API Secret* |Signs user-facing JWTs presented to the AI runtime endpoints. Created per access key inside an environment. |The application token endpoint. Never appears in any management call.
55-
|*`ENVIRONMENTS_MANAGEMENT_SECRET_KEY`* |Signs Management Panel logins. Set as an environment variable on the AI service container. |The Management Panel UI.
55+
|*`ENVIRONMENTS_MANAGEMENT_SECRET_KEY`* |Password to log in to the Management Panel. Set as an environment variable on the AI service container. |The Management Panel UI.
5656
|===
5757

5858
These two credentials are unrelated. Using one in place of the other produces `invalid-jwt-signature`.
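Review bot: Changing the Purpose cell to "Password to log in to the Management Panel" leaves the unchanged sentence two lines below inconsistent: "Using one in place of the other produces `invalid-jwt-signature`" now only holds in one direction. Signing a user JWT with the Management Panel password will produce `invalid-jwt-signature`, but pasting the API Secret into the Management Panel login is presumably a rejected login, not a JWT error. Rewrite that sentence to give the failure per direction. Also, since the variable is named `ENVIRONMENTS_MANAGEMENT_SECRET_KEY`, a reader will still assume it is a signing key; add a short clause saying it is used only as a login credential and signs nothing, so the table and the name stop contradicting each other.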
@@ -70,7 +70,7 @@ Every token MUST contain the following claims.
7070
|`iat` |number |Issued-at, seconds since epoch (UTC).
7171
|`exp` |number |Expiry, seconds since epoch (UTC). Recommend `iat {plus} 3600` for demos, `iat {plus} 900` for production. The server applies 60 seconds of clock-skew leeway; tokens up to 60 seconds past `exp` still verify.
7272
|`sub` |string |Unique, stable user identifier. Conversation history is isolated per-`sub`; do not reuse one `sub` across users or conversations will leak between them.
73-
|`auth.ai.permissions` |`string[]` |Array of feature permission strings. See the permissions reference below. Wildcards (`*`) are accepted only in the documented positions; the bare string `"*"` is rejected.
73+
|`auth.ai.permissions` |`string[]` |Array of feature permission strings. See the permissions reference below. Wildcards (pass:[*]) are accepted only in the documented positions; the bare string `"*"` is rejected.
7474
|===
7575

7676
== Optional claims
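Review bot: `pass:[*]` stops the asterisk from being read as bold markup, but it also drops the monospace formatting that every other literal in this table uses, including `"*"` later in the same cell, so the wildcard now renders as plain text. Use the literal monospace form `+*+` wrapped in backticks (Asciidoctor's documented way to show a lone `*` as code), or put `pass:[*]` inside a backtick span; either keeps the cell visually consistent with the surrounding claim names and values.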

modules/ROOT/pages/tinymceai-on-premises.adoc

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ The infrastructure consists of three layers:
1515
* The *application layer* runs the AI service container and communicates with LLM providers to process AI requests. It may consist of one or more instances behind a load balancer (round-robin recommended). Each instance runs the same stateless container image.
1616
* The *data layer* consists of a SQL database, a Redis instance, and file storage:
1717
** *SQL database*: stores persistent data: configurations, conversations, files, and documents.
18-
** *Redis*: handles temporary data and inter-instance communication for scaling. When multiple instances are running, Redis ensures data is shared correctly across all of them.
18+
** *Redis*: caching and coordination (SSE delivery, rate limits, pub/sub). Enables the AI service to remain stateless.
1919
** *File storage*: stores uploaded files and documents (S3, Azure Blob, filesystem, or the database itself).
2020

2121
[.text-center]
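Review bot: This overview is the first page a reader sees, so the parenthetical "(SSE delivery, rate limits, pub/sub)" is their first encounter with the abbreviation SSE; expand it as Server-Sent Events (SSE) here, the same way the database page spells out Transport Layer Security (TLS) on first use, and then the identical bullet on the database page can keep the short form. Otherwise the alignment is good: "remain stateless" now matches "stateless container image" in the application-layer bullet above it.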
