# Deal Room **Secure Investment Banking Document Sharing Platform** Deal Room is a secure, invite-only document sharing platform designed for Investment Banking deal teams. Built with Go, it provides role-based access control, encrypted file storage, AI-powered document analysis, and comprehensive audit trails for sensitive financial transactions. ## Features - 🔐 **Security First**: End-to-end encryption, RBAC, audit logging - 📊 **AI-Enhanced**: Document analysis and semantic search via K2.5 - 🚀 **Production Ready**: Single binary deployment, zero dependencies - 📱 **Modern UI**: HTMX + Tailwind CSS for responsive interface - 👥 **Collaboration**: Threaded discussions, activity feeds, @mentions - 📈 **Deal Tracking**: Pipeline management and stage tracking ## Tech Stack - **Backend**: Go 1.22+ with SQLite (encrypted) - **Frontend**: HTMX + Tailwind CSS (zero build process) - **Templates**: templ (type-safe Go HTML templates) - **Storage**: AES-256-GCM encrypted files with zstd compression - **AI**: K2.5 integration for document analysis and embeddings ## Quick Start ### Prerequisites - Go 1.22 or later - Make (optional, but recommended) ### Development Setup 1. **Clone and setup**: ```bash git clone cd dealroom make setup ``` 2. **Install dependencies**: ```bash make install ``` 3. **Run in development mode**: ```bash make dev ``` 4. **Access the application**: - Open http://localhost:8080 - Default admin user will be created on first run ### Production Deployment 1. **Build the binary**: ```bash make build ``` 2. **Configure environment variables**: ```bash export DB_KEY="your-32-byte-encryption-key" export SESSION_SECRET="your-session-secret" export BASE_URL="https://dealroom.yourcompany.com" # See Configuration section for all variables ``` 3. **Run the application**: ```bash ./bin/dealroom ``` ### Docker Deployment 1. **Build and run with Docker**: ```bash make docker-run ``` 2. **Or use Docker Compose** (see `docker-compose.yml`): ```bash docker-compose up -d ``` ## Configuration Configure the application using environment variables: ### Required Settings ```bash DB_KEY=your-32-byte-encryption-key # Database encryption key SESSION_SECRET=your-session-secret # Session cookie encryption BASE_URL=https://dealroom.company.com # Public URL for magic links ``` ### Database & Storage ```bash DB_PATH=/data/db/dealroom.db # SQLite database path FILES_PATH=/data/files # Encrypted file storage BACKUP_PATH=/data/backups # Backup directory ``` ### AI Integration ```bash K25_API_URL=http://k2.5:8080 # K2.5 API endpoint K25_API_KEY=your-k2.5-api-key # K2.5 API key ``` ### Email (Magic Links) ```bash SMTP_HOST=smtp.company.com # SMTP server SMTP_USER=dealroom@company.com # SMTP username SMTP_PASS=your-smtp-password # SMTP password ``` ### Server ```bash PORT=8080 # HTTP port (default: 8080) ``` ## Architecture Deal Room follows the **inou pattern** for data-centric design: - **Unified Data Model**: All content types (deal rooms, documents, notes) stored as typed JSON in the `entries` table - **RBAC Engine**: Bitmask permissions (read=1, write=2, delete=4, manage=8) with inheritance - **Encrypted Storage**: Files encrypted with AES-256-GCM and compressed with zstd - **AI Pipeline**: Document analysis and embeddings for semantic search ### Database Schema ```sql -- Users and authentication users (id, email, name, role, created_at, ...) -- Unified content storage entries (id, deal_room_id, entry_type, title, content, file_path, ...) -- Role-based access control access (id, entry_id, user_id, permissions, granted_by, ...) -- Session management sessions (token, user_id, expires_at, ...) -- Audit trail audit_log (id, user_id, entry_id, action, details, ...) ``` ### File Storage ``` data/ ├── db/dealroom.db # Encrypted SQLite database ├── files/ # Encrypted file storage │ ├── 2024/01/ # Date-based partitioning │ │ ├── entry1.enc # AES-256-GCM + zstd │ │ └── entry2.enc │ └── temp/ # Temporary upload staging └── backups/ # Automated backups ``` ## API Reference ### Authentication - `POST /auth/login` - Magic link login - `GET /auth/verify/{token}` - Verify login token - `POST /auth/logout` - End session ### Deal Rooms - `GET /api/deal-rooms` - List accessible deal rooms - `POST /api/deal-rooms` - Create new deal room - `GET /api/deal-rooms/{id}` - Get deal room details - `PUT /api/deal-rooms/{id}` - Update deal room ### Documents & Content - `GET /api/entries` - List entries with permissions - `POST /api/entries` - Create entry (document/note) - `GET /api/entries/{id}` - Get entry details - `GET /api/entries/{id}/file` - Download file ### Access Control - `GET /api/entries/{id}/access` - List permissions - `POST /api/entries/{id}/access` - Grant access - `DELETE /api/entries/{id}/access/{user}` - Revoke access ### Search & AI - `GET /api/search?q={query}` - Semantic search - `POST /api/analyze/{id}` - Trigger AI analysis ## Development ### Project Structure ``` dealroom/ ├── cmd/dealroom/ # Application entry point │ └── main.go ├── internal/ # Internal packages │ ├── db/ # Database layer & migrations │ ├── model/ # Data models │ ├── rbac/ # Role-based access control │ ├── store/ # Encrypted file storage │ ├── handler/ # HTTP handlers │ └── ai/ # K2.5 integration ├── templates/ # templ templates │ ├── layout.templ │ ├── dashboard.templ │ └── ... ├── static/ # Static assets ├── migrations/ # Database migrations ├── Dockerfile ├── Makefile └── README.md ``` ### Available Commands ```bash make build # Build the application make dev # Run in development mode make test # Run tests make lint # Run linter make docker # Build Docker image make migrate # Run database migrations make clean # Clean build artifacts make setup # Setup development environment ``` ### Running Tests ```bash # Run all tests make test # Run with coverage make test-coverage # Run benchmarks make bench ``` ### Code Quality ```bash # Format code make fmt # Run linter make lint # Security scan make security ``` ## Security Deal Room implements defense-in-depth security: ### Data Protection - **Encryption at Rest**: AES-256-GCM for files, encrypted SQLite - **Encryption in Transit**: HTTPS only, HSTS headers - **Key Management**: Configurable encryption keys - **File Access**: No direct file serving, all through API ### Access Control - **RBAC**: Entry-level permissions with inheritance - **Least Privilege**: Users see only what they have access to - **Magic Links**: Passwordless email-based authentication - **Session Management**: Secure HTTP-only cookies ### Audit & Compliance - **Audit Trail**: All actions logged with user attribution - **Activity Feeds**: Real-time activity monitoring - **Access Reviews**: Permission management interface - **Data Retention**: Configurable retention policies ## Production Considerations ### Performance - **Concurrent Users**: ~100-200 with SQLite - **File Storage**: Limited by disk space - **Database Size**: Efficient up to ~100GB - **Response Times**: <200ms for page loads ### Scalability For higher scale requirements: - **Database**: Migrate to PostgreSQL - **File Storage**: Use S3-compatible object storage - **Search**: Dedicated vector database (Pinecone, Weaviate) - **Caching**: Add Redis for sessions and queries ### Monitoring - Health checks at `/health` - Metrics endpoint at `/metrics` (when enabled) - Structured logging with levels - Audit trail for compliance ## Contributing 1. Fork the repository 2. Create a feature branch 3. Make your changes 4. Add tests for new functionality 5. Run the test suite: `make test` 6. Submit a pull request ### Code Style - Follow standard Go formatting (`make fmt`) - Use meaningful variable names - Add comments for public functions - Keep functions focused and small ## License This project is proprietary software owned by Misha Muskepo and licensed for use by authorized parties only. ## Support For support or questions: - **Owner**: Misha Muskepo (michael@muskepo.com) - **Tech Lead**: James - **Documentation**: See `SPEC.md` for detailed architecture --- **Deal Room** - Secure, AI-Enhanced Investment Banking Platform