Fly.io deploy config and /review service endpoint for AM Collective backend
adamwolfe2 ships a Dockerfile, fly.toml, and a new `POST /review` route that lets a sibling service call the backend for Claude-Haiku-powered document analysis without going through Supabase auth. The infrastructure setup is named for AmCollective, but the `/review` endpoint and its auth middleware are portable.
The Dockerfile is Node 22-slim with LibreOffice installed via apt, matching what upstream's nixpacks.toml produces. fly.toml targets shared-cpu-1x at 512MB in the iad region -- the comment notes that 256MB OOMs during LibreOffice DOCX-to-PDF conversion, which is consistent with reports from other forks running the same stack.
The /review route (backend/src/routes/review.ts, 171 lines) accepts a POST with a doc_url, fetches and extracts text using the same pdfjs/mammoth pipeline as chatTools.ts, then calls Claude Haiku and returns { summary, key_clauses, risks, recommendation } JSON. It's stateless: no database writes, no file uploads. Auth is handled by a new requireServiceAuth middleware that does a timing-safe Bearer token comparison against MIKE_SERVICE_TOKEN. The intended caller is a sibling service called Hermes, which exposes this as a legal.review MCP tool.
The middleware implementation is correct: it uses timingSafeEqual from Node's crypto module, pads to equal length before comparing to avoid leaking length via timing, and returns 401 with a generic message on failure. It's reusable without modification if you want a service-to-service auth pattern in your own fork -- just rename the env var.
One thing to flag: review.ts re-implements PDF and DOCX text extraction rather than calling a shared helper. If you pull this endpoint in, the duplication with chatTools.ts will need to be watched. Any future change to the extraction logic (new pdfjs version, changed DOCX handling) will need to be applied in two places.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?