What it is (status: live)
NWZ ("No Wake Zone") is the cross-portfolio helpdesk and ticket system. Every SPS product routes its bug reports, feature requests, and customer questions through here. Surfaces include an admin UI for the SPS team, a magic-link-authenticated customer portal for external testers, a per-product docs hub, ops reports (volume, latency, by-product), an org chart of humans + AI personas + reporting lines, and an Android mobile companion app for ticket triage on the go.
The product was renamed from "Help Desk" / "nowakezone" during Phase 1; the public marketing site is at nowakezone.app, and the internal team surface is at nwz.sandpointstudios.ltd.
Hosting
| Component | Location |
|---|---|
| Backend code | /opt/nowakezone/ on vigil-server |
| API container | nwz-api (port 8005 internally; fronted by cloudflared) |
| Production DB | nwz database on shared vigil-postgres |
| Dev DB | nwz-postgres docker container at :5435 (dev-only) |
| Prod env file | /etc/nwz/env (root:root 0600) — NOT /opt/nowakezone/.env |
| Public hostname | nwz.sandpointstudios.ltd (via the multi-tenant cloudflared tunnel) |
| Customer portal | nwz.sandpointstudios.ltd/portal/ — magic-link auth (no CF Access; the portal is for external testers) |
| Admin UI | nwz.sandpointstudios.ltd/admin/ — CF Access + SPS team allowlist |
| Mobile companion source | c:\dev\nowakezone\mobile\ (Expo + RN) |
| Mobile APK distribution | dl.teaganwins.net/<token>/nwz-companion.apk |
The prod env file `/etc/nwz/env` is referenced by `/opt/nowakezone/docker-compose.yml` via `env_file`. The repo-local `.env.example` is documentation only. Any value not set in `/etc/nwz/env` falls through to the pydantic-settings defaults in `shared/config.py`, which include literal `dev-only-...` placeholders for the session secret, the mobile JWT secret, and the DB password, so a missing key does not fail startup; it silently runs with a placeholder. Audit this fall-through on every secret rotation. Rotated secrets are stored in BW SPS Service item 0b1d1bbf-e8d7-4da3-9c70-b4490113b863.
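The fall-through above is the failure mode worth guarding against: a key dropped from `/etc/nwz/env` during rotation leaves the API running on a `dev-only-...` literal. The following startup audit is an added example, not code from `shared/config.py`; it uses stdlib only so it runs anywhere, reproduces the env-over-default merge that pydantic-settings performs, and refuses to boot in production if any secret is missing, still a placeholder, or implausibly short. The setting names and the sample env file are hypothetical.

```python
"""Startup guard against dev-only placeholder secrets (added example).

Assumes three secret settings (hypothetical names below) that are read from
/etc/nwz/env and fall back to 'dev-only-...' literals when unset, as the
page describes for shared/config.py.
"""
import re

PLACEHOLDER_PREFIX = "dev-only-"
MIN_SECRET_LEN = 32

# Hypothetical setting names standing in for the session secret, mobile JWT
# secret and DB password; the defaults mirror the page's placeholder scheme.
DEV_DEFAULTS = {
    "NWZ_SESSION_SECRET": "dev-only-session-secret",
    "NWZ_MOBILE_JWT_SECRET": "dev-only-mobile-jwt-secret",
    "NWZ_DB_PASSWORD": "dev-only-db-password",
}

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env_file(text):
    """Parse KEY=VALUE lines like an env_file: skip blanks and comments,
    accept an optional 'export' prefix, strip one layer of matching quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        values[key] = val
    return values


def resolve_settings(env_values, defaults=DEV_DEFAULTS):
    """Mimic the pydantic-settings merge: the env value wins, else the default."""
    return {key: env_values.get(key, default) for key, default in defaults.items()}


def audit_secrets(settings, min_len=MIN_SECRET_LEN):
    """Return (key, problem) pairs for every secret unsafe for production."""
    findings = []
    for key in sorted(DEV_DEFAULTS):
        val = settings.get(key, "")
        if not val:
            findings.append((key, "missing"))
        elif val.startswith(PLACEHOLDER_PREFIX):
            findings.append((key, "dev-only placeholder"))
        elif len(val) < min_len:
            findings.append((key, "shorter than %d chars" % min_len))
    return findings


def check_production_safe(env_text, environment):
    """Run at process start: raise in production instead of booting on placeholders.
    In other environments the findings are returned so they can be logged."""
    findings = audit_secrets(resolve_settings(parse_env_file(env_text)))
    if environment == "production" and findings:
        detail = ", ".join("%s (%s)" % (key, problem) for key, problem in findings)
        raise RuntimeError("refusing to start with unsafe secrets: " + detail)
    return findings


# Constructed sample env file, not the real /etc/nwz/env: one good secret,
# one placeholder copied from .env.example, one too-short DB password.
SAMPLE_ENV = """\
# constructed sample
NWZ_SESSION_SECRET="4f9c1e2b7a6d3c8e0b5f2a9d1c7e4b6a3f8d0e2c5b9a7f1d"
NWZ_MOBILE_JWT_SECRET=dev-only-copied-from-example
export NWZ_DB_PASSWORD=short
"""

if __name__ == "__main__":
    for key, problem in check_production_safe(SAMPLE_ENV, "development"):
        print("%s: %s" % (key, problem))
```

Wiring this into the FastAPI startup hook (or a `model_validator` on the settings class) turns a silent misconfiguration into a failed deploy, which is the outcome you want when `NWZ_MOBILE_JWT_SECRET` goes missing during a rotation.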
System architecture
```mermaid
flowchart LR
    %% Node definitions for USR, CF, DEV, ACC (the "admin gated" node) and PHONE
    %% are not recoverable from this page; their ids appear unlabeled below.
    subgraph SRV[vigil-server]
        API[nwz-api<br/>FastAPI :8005]
        QD[Qdrant<br/>vector index]
        PG[(vigil-postgres<br/>nwz DB)]
        GT[GlitchTip<br/>error stream]
    end
    USR -->|magic link| CF
    DEV --> ACC
    PHONE -->|JWT auth| CF
    ACC --> CF
    CF --> API
    API --> PG
    API --> QD
    GT -.error events.-> API
    API -.AI triage.-> ANT[Anthropic API]
```
Surfaces
| Surface | Path | Audience | Auth |
|---|---|---|---|
| Admin UI | /admin/ | SPS team | CF Access + SPS allowlist |
| Customer portal | /portal/ | External testers | Magic-link email auth |
| Docs hub | /admin/docs | SPS team | CF Access |
| Reports | /admin/reports | SPS team | CF Access |
| Org chart | /admin/org | SPS team | CF Access |
| Health | /health | monitors | none |
| Marketing site | nowakezone.app | public | none |
Mobile companion
Android-only Expo + RN app at c:\dev\nowakezone\mobile\. Phases 1 and 2 shipped together as of 2026-05-10 — one APK build covers both ticket reading and action triggers (kick fix-bot, approve deploy). Backend Sessions 1-6 are locked and tested green (100/100 mobile tests across migrations 006-008, 4 router files, 4 service modules, 4 test files).
Authentication
- Google OAuth client (Android): `132304520090-9ks8fck3tiahse7uti1ea6j8b03ge6l4.apps.googleusercontent.com`
- Package: `app.nowakezone.companion`
- SHA-1: default Android debug keystore (stable across `expo prebuild --clean`; matches Right Bower + OneCut convention)
- GCloud project: "No Wake Zone" under personal twistedyeti@gmail.com (separate from Vigil Steward's project)
- Scopes: only openid/email/profile. External / published audience; no Google verification needed.
- Backend auth: mobile session JWTs minted by `mobile_session.py`; verified Google ID tokens via `google_id_token.py`; attachment tokens via `attachment_token.py`.
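The backend half of that flow, as an added example rather than NWZ's own `google_id_token.py` / `mobile_session.py`: after the Google ID token's RS256 signature has been checked against Google's published keys (the google-auth library does that; it is assumed done and not repeated here), the claims that still have to be enforced are issuer, audience against `NWZ_MOBILE_GOOGLE_CLIENT_IDS`, expiry and `email_verified`; only then is an HS256 session JWT minted with the mobile JWT secret. The allowlist is assumed to be comma-separated, the session issuer name and TTL are assumptions, and the claims and secret below are constructed sample input.

```python
"""Google ID token -> NWZ mobile session JWT exchange (added example).

Assumes NWZ_MOBILE_GOOGLE_CLIENT_IDS is a comma-separated allowlist of OAuth
client IDs, that the Google token's signature was already verified upstream,
and that session JWTs are HS256 over the mobile JWT secret from /etc/nwz/env.
"""
import base64
import hashlib
import hmac
import json

GOOGLE_ISSUERS = frozenset({"accounts.google.com", "https://accounts.google.com"})
SESSION_ISSUER = "nwz-api"  # assumed issuer claim for minted sessions


def parse_client_ids(env_value):
    """Split the comma-separated NWZ_MOBILE_GOOGLE_CLIENT_IDS value into a set."""
    return frozenset(c.strip() for c in env_value.split(",") if c.strip())


def validate_google_claims(claims, allowed_client_ids, now):
    """Post-signature checks on a Google ID token. Returns (ok, reason)."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") not in allowed_client_ids:
        return False, "aud is not an allowed mobile client id"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired"
    if not claims.get("sub"):
        return False, "missing subject"
    if claims.get("email_verified") is not True:
        return False, "email not verified by Google"
    return True, "ok"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret, signing_input):
    return _b64url(hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest())


def mint_session_jwt(secret, sub, email, now, ttl_seconds=3600):
    """Mint a short-lived HS256 session JWT bound to the Google subject."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": SESSION_ISSUER, "sub": sub, "email": email, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    return signing_input + "." + _sign(secret, signing_input)


def verify_session_jwt(secret, token, now):
    """Return the payload if the token is genuine and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm: no 'none', no RS/HS confusion
        return None
    signing_input = parts[0] + "." + parts[1]
    if not hmac.compare_digest(_sign(secret, signing_input), parts[2]):
        return None
    payload = json.loads(_b64url_decode(parts[1]))  # authentic at this point
    if payload.get("iss") != SESSION_ISSUER or payload.get("exp", 0) <= now:
        return None
    return payload


def exchange_google_token(claims, allowed_client_ids, session_secret, now):
    """The sign-in endpoint's core: validate Google's claims, then mint a session."""
    ok, reason = validate_google_claims(claims, allowed_client_ids, now)
    if not ok:
        raise PermissionError(reason)
    return mint_session_jwt(session_secret, claims["sub"], claims["email"], now)


# Constructed sample input: decoded claims of a Google ID token for the
# Android client listed on this page, and a made-up session secret.
ALLOWED = parse_client_ids("132304520090-9ks8fck3tiahse7uti1ea6j8b03ge6l4.apps.googleusercontent.com")
SAMPLE_SECRET = "constructed-example-secret-do-not-use"
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "132304520090-9ks8fck3tiahse7uti1ea6j8b03ge6l4.apps.googleusercontent.com",
    "sub": "1234567890",
    "email": "tester@example.com",
    "email_verified": True,
    "exp": 1_800_000_600,
}

if __name__ == "__main__":
    now = 1_800_000_000
    token = exchange_google_token(SAMPLE_CLAIMS, ALLOWED, SAMPLE_SECRET, now)
    print(verify_session_jwt(SAMPLE_SECRET, token, now)["sub"])
```

Two points a reviewer would look for: the audience check is what makes the `NWZ_MOBILE_GOOGLE_CLIENT_IDS` env write a hard dependency (an ID token issued to any other Google client is rejected), and the session verifier pins `alg` to HS256 so a token with `alg: none` or a key-confusion header never reaches the signature comparison.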
Build + distribution
Local gradle build, debug-keystore-signed. tool/publish.sh mirrors the Right Bower pattern — bumps versionCode, runs expo prebuild --clean, runs gradle assembleRelease, scp's to vigil-server:/srv/dl/<token>/nwz-companion.apk, prints share URL. JDK 17 + Android SDK from scoop.
app.json sets `extra.apiBaseUrl = https://nwz.sandpointstudios.ltd`. The hostname is reserved in DNS, but the cloudflared tunnel ingress rule for nwz-api:8005 at that hostname is not yet wired, and nwz-api also needs `NWZ_MOBILE_GOOGLE_CLIENT_IDS` in its env. Until both land, mobile sign-in returns 5xx. Tracked in architecture-tickets.md §14.
Data
| Store | Purpose |
|---|---|
| Postgres nwz DB | Tickets, threads, customer accounts, magic-link tokens, mobile sessions, docs metadata, deploy_approvals |
| Qdrant vector index | Embeddings for the docs hub's AI search |
| Object storage (file attachments) | Signed-URL tokens issued by attachment_token.py for thread attachments |
Migrations of note
- 006 — mobile companion tables (sessions, bins, action jobs).
- 007 — seed default bins.
- 008 — `products.deploy_strategy` + `approver_config` columns (used by the approve-deploy flow).
Dependencies
- vigil-postgres — production DB lives here as the `nwz` database.
- GlitchTip at glitchtip.sandpointstudios.ltd — error events from every other product feed NWZ tickets.
- Anthropic API — used directly for AI triage classification (not routed through Iris yet; see roadmap).
- Mailcow — magic-link delivery to external testers; reply-handling for ticket comments.
- Cloudflare Access — admin gating for the team UI.
- Cloudflare tunnel — exposes nwz-api to nwz.sandpointstudios.ltd.
- dl.teaganwins.net — APK distribution.
- Google OAuth — mobile sign-in identity provider.
Roadmap
- Owed now: public deploy of `nwz-api` at nwz.sandpointstudios.ltd. Two writes: cloudflared ingress rule + `NWZ_MOBILE_GOOGLE_CLIENT_IDS` in `/etc/nwz/env`. Unblocks mobile sign-in.
- Phase 3: push notifications to the mobile app for ticket assignments + approval requests.
- Phase 3: webhooks fire on approve-deploy (currently only recorded in `deploy_approvals` + thread message). Per-product webhook config.
- Phase 4: Play Store internal track (decision pending on the $25 dev account).
- Vigil bot integration: NWZ's AI triage layer was the source of the help@ bot hallucination problem. The Iris-as-reviewer + tool-grounded action redesign (documented under Vigil Steward roadmap) eventually replaces NWZ's local triage with calls to Iris for review-before-send.
- Mobile UI gaps: full-screen attachment viewer, promote-to-ticket flow, markdown rendering in thread, app icon + splash (currently Expo defaults).
Related
- Vigil Steward / Iris — will replace the local AI triage in NWZ once the tool-grounded reviewer pattern is built.
- Shared infrastructure — Mailcow (magic-link delivery), vigil-postgres, cloudflared tunnel, GlitchTip.