# Dealspace

M&A deal management platform for investment banks, sellers, and buyers.

## What is Dealspace?

A workflow platform where M&A deals are managed through a structured request-and-answer system. Investment banks issue request lists, sellers provide answers with supporting documents, and buyers access a data room with vetted information.

**Not** a document repository with features bolted on. Designed from first principles around the core primitive: the **Request**.

## Architecture

```
       Internet
           │
           ▼
      ┌─────────┐
      │  Caddy  │  (TLS termination, reverse proxy)
      └────┬────┘
           │ :8080
           ▼
    ┌─────────────┐
    │  Dealspace  │  (Go binary, single process)
    │             │
    │  ┌───────┐  │
    │  │SQLite │  │  (FTS5, encrypted at rest)
    │  │ + WAL │  │
    │  └───────┘  │
    │  ┌───────┐  │
    │  │ Store │  │  (Encrypted object storage)
    │  └───────┘  │
    └─────────────┘
```

**Key decisions:**

- SQLite with FTS5 for full-text search
- All sensitive data encrypted with AES-256-GCM
- Blind indexes (HMAC-SHA256) for searchable encrypted fields
- Per-request watermarking on document downloads
- Zero external database dependencies

## Quick Start

### Development

```bash
# Clone
git clone git@zurich.inou.com:dealspace.git
cd dealspace

# Build
make build

# Run locally
make run
```

### Production Deployment

```bash
# First time: install service on Shannon
ssh root@82.24.174.112
cd /tmp
scp -r yourhost:/path/to/dealspace/deploy .
cd deploy
./install.sh

# Deploy updates (from dev machine)
make deploy

# View logs
make logs
```

## Environment Variables

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `MASTER_KEY` | **Yes** | — | 32-byte hex key for encryption. **Never change after data exists.** |
| `DB_PATH` | No | `./dealspace.db` | SQLite database path |
| `STORE_PATH` | No | `./store` | Object storage directory |
| `PORT` | No | `8080` | HTTP listen port |
| `ENV` | No | `development` | `development` or `production` |
| `SESSION_TTL_HOURS` | No | `1` | Session token TTL |
| `REFRESH_TTL_DAYS` | No | `7` | Refresh token TTL |
| `SMTP_HOST` | No | — | SMTP server for email |
| `SMTP_PORT` | No | `587` | SMTP port |
| `SMTP_USER` | No | — | SMTP username |
| `SMTP_PASS` | No | — | SMTP password |
| `SMTP_FROM` | No | — | From address for emails |
| `FIREWORKS_API_KEY` | No | — | Fireworks AI API key for embeddings |
| `NTFY_URL` | No | — | ntfy URL for alerts |
| `NTFY_TOKEN` | No | — | ntfy auth token |

See `deploy/env.template` for a complete example.

## Development

### Prerequisites

- Go 1.22+
- SQLite3 with FTS5 support
- CGO enabled (required for SQLite)

### Building

```bash
# Development build
make build

# Linux production build (cross-compile)
make build-linux

# Run tests
make test

# Clean build artifacts
make clean
```

### Testing

```bash
# Run all tests
make test

# Run with verbose output
CGO_ENABLED=1 go test -tags fts5 ./... -v
```

### Project Structure

```
dealspace/
├── cmd/server/     # Entry point, config loading
├── lib/            # Core business logic
│   ├── types.go    # All shared types
│   ├── dbcore.go   # EntryRead/Write/Delete (the single throat)
│   ├── rbac.go     # Access control
│   ├── crypto.go   # Encryption, blind indexes
│   ├── store.go    # Object storage
│   └── ...
├── api/            # HTTP handlers (thin layer)
├── portal/         # HTML templates, static assets
├── mcp/            # MCP server for AI tools
├── migrations/     # SQL migration files
├── deploy/         # Deployment scripts
└── website/        # Public marketing site
```

## Operations

### Backup

Daily backups run automatically at 3 AM via cron. Backups are:

- Hot SQLite backups (safe with WAL)
- Compressed with gzip
- Retained for 30 days
- Stored in `/opt/dealspace/backups/`

Manual backup:

```bash
/opt/dealspace/backup.sh
```

### Monitoring

Health checks run every 5 minutes. If the service is down, an alert is sent to ntfy.

Check health manually:

```bash
curl http://localhost:8080/health
# or externally:
curl https://muskepo.com/health
```

### Logs

```bash
# Follow live logs
journalctl -u dealspace -f

# Last 100 lines
journalctl -u dealspace -n 100

# Since specific time
journalctl -u dealspace --since "1 hour ago"
```

### Service Management

```bash
systemctl status dealspace
systemctl start dealspace
systemctl stop dealspace
systemctl restart dealspace
```

## Security

- All content encrypted with AES-256-GCM (BoringCrypto for FIPS 140-3)
- Blind indexes for searchable encrypted fields
- MFA required for IB admin/member roles
- Dynamic watermarking on all document downloads
- Comprehensive audit logging
- Session management with single active session per user

## License

Proprietary. All rights reserved.