HASSAR.AI Platform Documentation

Standard Operating Procedures

Version 1.0
Date July 2026
Classification Operations Team Confidential
Audience Administrators & Support Staff
01

Overview

This document defines Standard Operating Procedures for HASSAR.AI — a B2B smart home intelligence platform. These procedures govern day-to-day operation, monitoring, incident response, and maintenance for system administrators and operations staff.

Scope

These SOPs apply to: Frontend application (Next.js 16, hosted on Cloudflare) · Backend API (FastAPI, hosted on Railway) · PostgreSQL database (Railway managed) · AI services (AGIM external, Ollama local)

02

System Architecture

ComponentTechnologyHosting
FrontendNext.js 16 + React 19 + Tailwind CSS 4Cloudflare
Backend APIFastAPI (Python)Railway
DatabasePostgreSQLRailway (managed)
Primary AIAGIM (Agentic Intelligence Manager)External service
Fallback AIOllamaLocal / self-hosted
AuthJWT (access 30 min + refresh 7 days)Backend
Blueprint EncryptionAES-256-GCM, PBKDF2-SHA256Client-side only
Authentication Flow
  1. User submits credentials to POST /auth/login
  2. Backend verifies credentials, issues JWT access token (30 min) + refresh token (7 days httpOnly cookie)
  3. Frontend stores access token in sessionStorage
  4. All API requests include Authorization: Bearer <token> header
  5. On 401, frontend calls POST /auth/refresh to get new access token
03

Deployment & Environment Setup

Backend Environment Variables
VariableDescription
DATABASE_URLPostgreSQL connection string
SECRET_KEYJWT signing secret (minimum 32 chars, random)
APP_ENVproduction, staging, or development

AGIM URL/Key and Ollama URL/Model are managed through System Admin → AI Config and stored in the database. No hardcoded environment variables needed for AI config.

Frontend Environment Variables
VariableDescription
NEXT_PUBLIC_API_URLBackend API base URL
Deploying a New Backend Version
  1. Merge feature branch into main via Pull Request.
  2. Railway auto-deploys on push to main.
  3. Verify deployment in Railway dashboard — check build logs.
  4. Smoke test: GET /health{"status": "ok"}; login with test credentials.
  5. Monitor error logs for 10 minutes post-deployment.
Rolling Back a Deployment

Backend: In Railway dashboard → Deployments tab → select previous successful deployment → Redeploy.

Frontend: In Cloudflare dashboard → select previous deployment → Promote to Production.

04

User Account Management

Creating an Admin Account
  1. Log in as an existing admin.
  2. Navigate to System Admin → Users.
  3. Find the target user account.
  4. Click Promote to Admin and confirm.

Emergency (database direct):

UPDATE users SET role = 'admin' WHERE email = 'user@example.com';
Deleting a User Account
WarningDeletion is permanent and cannot be undone.

Navigate to System Admin → Users, select the user, click Delete Account, and confirm.

Password Reset (Admin-Assisted)
  1. Generate a bcrypt hash for a temporary password:
    import bcrypt
    hash = bcrypt.hashpw(b"TempPassword123!", bcrypt.gensalt()).decode()
    print(hash)
  2. Update the database:
    UPDATE users SET password_hash = '<hash>' WHERE email = 'user@example.com';
  3. Communicate the temporary password via secure channel; instruct user to change it immediately.
Role Definitions
RoleCapabilities
userMy IoT Blueprint, Talk to Jim, own profile
adminAll user capabilities + System Admin panel (user management, logs, AI config)
05

Blueprint Operations

ImportantHASSAR.AI does not store any blueprint data on the server. Encryption and decryption happen entirely in the user's browser.
Blueprint Lifecycle
  1. Created — user completes 5-step wizard in Blueprint Hub
  2. Encrypted — user enters passphrase; AES-256-GCM encryption applied client-side
  3. Exported.hassar file downloaded to user's device
  4. Used — uploaded to Jim chat or Review Existing Blueprint for inspection
  5. Archived — user retains the file; no server-side storage
Supporting Users with Lost Passphrases
ImportantBlueprint passphrases are not stored anywhere. Recovery is not possible.
  1. Inform the user that recovery is not possible.
  2. Guide the user to recreate the blueprint using the 5-step wizard.
  3. Remind the user to store the new passphrase securely (e.g. password manager).
06

AI Service Management

TierServiceCondition
PrimaryAGIM (Agentic Intelligence Manager)Default for all production AI requests
FallbackOllama (local)Automatic fallback if AGIM is unavailable
Configuring AI Settings
  1. Navigate to System Admin → AI Config.
  2. Update: AGIM URL · AGIM API Key · Ollama URL · Ollama Model.
  3. Click Save. Changes apply immediately to new AI requests.
Ollama Maintenance
TaskCommand
Start Ollamaollama serve
Pull a modelollama pull llama3.2
List available modelsollama list
Check running modelsollama ps
Diagnosing AI Issues
  1. Check System Admin → Logs for AI-related errors.
  2. Verify AGIM service is reachable from the backend server.
  3. Verify Ollama is running: curl http://localhost:11434/api/tags
  4. Check AI Config — verify API keys and endpoints are correctly set.
  5. Test with a simple query through the chat interface.
  6. If unresolved, escalate to Level 2 (see Escalation Matrix).
07

System Monitoring & Logs

Health Check
GET /health
Response: {"status": "ok"}

Monitor every 60 seconds. Alert on non-200 responses or response time > 5 seconds.

Accessing System Logs

Navigate to System Admin → Logs. The log table shows timestamp, log level, and message for recent system events.

Log Levels and Actions
LevelMeaningAction Required
INFONormal operationNo action required
WARNINGUnusual but non-critical eventMonitor; investigate if recurring
ERROROperation failedInvestigate immediately
Key Metrics to Monitor
MetricTargetAlert Threshold
API response time (p95)< 500 ms> 2000 ms
Error rate< 1%> 5%
AI request success rate> 95%< 80%
Database connection pool< 80% used> 95% used
08

Incident Response

LevelDescriptionResponse Time
P1 CriticalPlatform completely unavailable15 minutes
P2 HighMajor feature broken (login, blueprints, AI)1 hour
P3 MediumMinor feature degraded4 hours
P4 LowCosmetic issues, minor bugsNext business day
P1 — Platform Outage Response
  1. Detect: Uptime monitor alerts or multiple user reports.
  2. Acknowledge: Assign incident owner within 15 minutes.
  3. Assess: Check Railway/Cloudflare dashboards. Check database status.
  4. Communicate: Post status update to stakeholders.
  5. Mitigate: Roll back most recent deployment if outage followed a deploy.
  6. Verify: Confirm /health returns 200 and core flows work.
  7. Post-mortem: Document root cause within 24 hours.
P2 — AI Service Failure
  1. Check system logs for AI error messages.
  2. Check AGIM service status.
  3. Verify Ollama fallback is working.
  4. If both failing, check AI Config for misconfiguration.
  5. Escalate to AGIM support if AGIM is confirmed down.
P2 — Authentication Failure
  1. Check system logs for AUTH event errors.
  2. Verify SECRET_KEY environment variable is set.
  3. Check database connectivity.
  4. If JWT secret was rotated, all sessions are invalidated — users must log in again.
09

Backup & Recovery

Database Backup

Railway automatic backups: Verify daily automated backups are enabled in Railway project settings.

Manual backup:

pg_dump $DATABASE_URL > backup_$(date +%Y%m%d).sql

Store backups off-platform (e.g. encrypted S3 bucket). Minimum retention: 30 days.

Database Restore
psql $DATABASE_URL < backup_YYYYMMDD.sql

Test restores quarterly in a non-production environment.

What Is NOT Backed Up

Blueprint files (stored locally by users) · Chat history (stored in user browsers) · Blueprint passphrases (never stored anywhere).

Disaster Recovery
  1. Provision new Railway project with PostgreSQL.
  2. Restore database from latest backup.
  3. Set all environment variables (see Section 3).
  4. Deploy backend and frontend from main branch.
  5. Verify all services operational.

RTO: 4 hours  ·  RPO: 24 hours

10

Security Procedures

Secret Rotation

JWT Secret Key

  1. Generate new secret: openssl rand -hex 32
  2. Update SECRET_KEY in Railway environment variables.
  3. Redeploy backend. All existing sessions will be invalidated.

AGIM API Key

  1. Rotate key in AGIM dashboard.
  2. Update in System Admin → AI Config.
Security Incident Response
  1. Immediately rotate all secrets (JWT, AGIM API key, database password).
  2. Invalidate all sessions (JWT secret rotation achieves this).
  3. Review system logs for AUTH events to identify affected accounts.
  4. Notify affected users.
  5. Preserve logs for forensic investigation.
Access Control Review (Quarterly)
  1. Navigate to System Admin → Users.
  2. Filter by Role = admin.
  3. Remove admin privileges from accounts that no longer require them.
11

Maintenance Schedules

CadenceTasks
DailyVerify uptime · Review ERROR-level logs · Check Railway dashboard
WeeklyReview WARNING-level logs · Check AI request success rates · Verify DB backup completed
MonthlyReview AGIM API usage · Check Ollama model version
QuarterlyDB restore test · Rotate JWT secret · Review admin account list · DR walkthrough
AnnuallyFull security audit · Dependency and platform version review · SOP review
12

Escalation Matrix

L1
Operations / Support
First response, standard procedures
L2
System Administrator
Advanced troubleshooting, config changes, deployments
L3
Backend Developer
Code-level issues, database schema, API bugs
L4
External Vendor
AGIM service issues, Railway platform issues
TriggerIf L1 cannot resolve within the P-level response time, escalate to L2. If L2 cannot resolve within double the response time, escalate to L3.