feat(BUY-8819): NL query preprocessor in search endpoint

.github/workflows/deploy-api-production.yml

@@ -51,6 +51,13 @@ jobs:
           docker build -t "$FULL_IMAGE" ./api
           docker push "$FULL_IMAGE"
 
+      - name: Generate Artifact Registry auth token
+        id: gar_token
+        run: |
+          TOKEN=$(gcloud auth print-access-token)
+          echo "::add-mask::${TOKEN}"
+          echo "token=${TOKEN}" >> $GITHUB_OUTPUT
+
       - name: Set up SSH
         run: |
           mkdir -p ~/.ssh
@@ -65,13 +72,17 @@ jobs:
           SSH_HOST: ${{ secrets.PRODUCTION_DEPLOY_HOST }}
           SSH_USER: ${{ secrets.PRODUCTION_DEPLOY_USER }}
           APP_DIR: ${{ secrets.PRODUCTION_APP_DIR || '/opt/buywhere' }}
+          GAR_TOKEN: ${{ steps.gar_token.outputs.token }}
         run: |
           ssh -i ~/.ssh/id_ed25519 "${SSH_USER}@${SSH_HOST}" \
-            env FULL_IMAGE="${FULL_IMAGE}" IMAGE_TAG="${IMAGE_TAG}" APP_DIR="${APP_DIR}" \
+            env FULL_IMAGE="${FULL_IMAGE}" IMAGE_TAG="${IMAGE_TAG}" APP_DIR="${APP_DIR}" GAR_TOKEN="${GAR_TOKEN}" \
             bash -s <<'REMOTE'
           set -euo pipefail
           echo "api-deploy: image=${FULL_IMAGE} tag=${IMAGE_TAG}"
 
+          # Authenticate Docker to Artifact Registry using CI-generated token
+          echo "${GAR_TOKEN}" | docker login -u oauth2accesstoken --password-stdin asia-southeast1-docker.pkg.dev
+
           # Pull the new image
           docker pull "${FULL_IMAGE}"
 
@@ -80,17 +91,62 @@ jobs:
           # Tag as latest for docker-compose
           docker tag "${FULL_IMAGE}" buywhere-api:latest
 
+          # Fix: if the default compose network exists without proper labels (pre-compose
+          # creation), docker compose up will fail. Detect and fix by doing a full restart.
+          PROJ=$(basename "${APP_DIR}")
+          NET="${PROJ}_default"
+          if docker network inspect "${NET}" >/dev/null 2>&1; then
+            NETLABEL=$(docker network inspect "${NET}" --format '{{index .Labels "com.docker.compose.network"}}' 2>/dev/null || true)
+            if [ -z "${NETLABEL}" ]; then
+              echo "Network ${NET} missing compose labels — performing full stack restart to fix"
+              docker compose down --remove-orphans 2>/dev/null || true
+              # Force-remove any containers that may still be running (orphans not in compose file)
+              docker ps -a --filter "name=${PROJ}-" --format "{{.Names}}" | xargs -r docker rm -f 2>/dev/null || true
+              # Also free any container holding port 8000 (may have a different name)
+              docker ps -q --filter "publish=8000" | xargs -r docker rm -f 2>/dev/null || true
+              docker network rm "${NET}" 2>/dev/null || true
+              docker compose up -d
+              echo "Full stack restarted — skipping targeted api restart"
+              # Jump straight to health check
+              echo "API container restarted — waiting for health check..."
+              sleep 15
+              HTTP="000"
+              for i in 1 2 3 4 5 6; do
+                HTTP=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 http://localhost:8000/health 2>/dev/null || echo "000")
+                echo "GET /health (attempt ${i}) → HTTP ${HTTP}"
+                if [[ "$HTTP" == "200" ]]; then break; fi
+                sleep 5
+              done
+              if [[ "$HTTP" != "200" ]]; then
+                echo "ERROR: API health check failed after retries (last HTTP ${HTTP})"
+                docker logs buywhere-api-1 --tail 50 2>/dev/null || true
+                exit 1
+              fi
+              echo "API healthy (${IMAGE_TAG})"
+              exit 0
+            fi
+          fi
+
+          # Free port 8000 if occupied by a stale/mismatched container
+          docker ps -q --filter "publish=8000" | xargs -r docker rm -f 2>/dev/null || true
+
           # Restart only the api service (zero-downtime: compose will replace container)
           docker compose up -d --no-deps api
 
           echo "API container restarted — waiting for health check..."
-          sleep 5
-
-          # Verify health
-          HTTP=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:8000/health)
-          echo "GET /health → HTTP ${HTTP}"
+          sleep 10
+
+          # Verify health with retry (API may take time to initialize DB/Redis connections)
+          HTTP="000"
+          for i in 1 2 3 4 5 6; do
+            HTTP=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 http://localhost:8000/health 2>/dev/null || echo "000")
+            echo "GET /health (attempt ${i}) → HTTP ${HTTP}"
+            if [[ "$HTTP" == "200" ]]; then break; fi
+            sleep 5
+          done
           if [[ "$HTTP" != "200" ]]; then
-            echo "ERROR: API health check failed with ${HTTP}"
+            echo "ERROR: API health check failed after retries (last HTTP ${HTTP})"
+            docker logs buywhere-api-1 --tail 50 2>/dev/null || true
             exit 1
           fi
           echo "API healthy (${IMAGE_TAG})"

.github/workflows/deploy-python-api-vm.yml

@@ -0,0 +1,123 @@
+name: Deploy Python API to Production VM
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to deploy'
+        required: false
+        default: 'release'
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  APP_DIR: /srv/buywhere-api
+
+jobs:
+  deploy:
+    name: Deploy to Production VM
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - name: Set up SSH agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.PRODUCTION_DEPLOY_SSH_KEY }}
+
+      - name: Trust production host
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan -p "${{ secrets.PRODUCTION_DEPLOY_PORT || 22 }}" -H "${{ secrets.PRODUCTION_DEPLOY_HOST }}" >> ~/.ssh/known_hosts
+
+      - name: Pull, migrate, restart
+        env:
+          DEPLOY_HOST: ${{ secrets.PRODUCTION_DEPLOY_HOST }}
+          DEPLOY_PORT: ${{ secrets.PRODUCTION_DEPLOY_PORT || 22 }}
+          DEPLOY_USER: ${{ secrets.PRODUCTION_DEPLOY_USER }}
+          BRANCH: ${{ inputs.branch || 'release' }}
+        run: |
+          ssh -p "$DEPLOY_PORT" "$DEPLOY_USER@$DEPLOY_HOST" "BRANCH=$BRANCH bash -s" << 'ENDSSH'
+            set -euo pipefail
+            echo "=== BuyWhere Python API deploy starting ==="
+
+            # Find the app directory
+            APP_DIR=""
+            for candidate in /srv/buywhere-api /srv/buywhere /opt/buywhere-api /opt/buywhere /home/ubuntu/buywhere /home/buywhere; do
+              if [ -f "$candidate/app/main.py" ]; then
+                APP_DIR="$candidate"
+                break
+              fi
+            done
+
+            if [ -z "$APP_DIR" ]; then
+              echo "ERROR: Could not find app/main.py in any candidate directory"
+              exit 1
+            fi
+            echo "App directory: $APP_DIR"
+
+            cd "$APP_DIR"
+
+            # Pull latest code
+            echo "=== git pull origin $BRANCH ==="
+            git fetch origin
+            git checkout "$BRANCH"
+            git pull origin "$BRANCH"
+            echo "HEAD: $(git log --oneline -1)"
+
+            # Run any pending Alembic migrations
+            echo "=== alembic upgrade head ==="
+            if command -v alembic &>/dev/null; then
+              alembic upgrade head
+            elif [ -f ".venv/bin/alembic" ]; then
+              .venv/bin/alembic upgrade head
+            elif [ -f "venv/bin/alembic" ]; then
+              venv/bin/alembic upgrade head
+            else
+              echo "WARNING: alembic not found in PATH or venv — skipping migration"
+            fi
+
+            # Restart service
+            echo "=== restarting service ==="
+            if systemctl list-unit-files 2>/dev/null | grep -qE 'buywhere-api|buywhere\.service'; then
+              SERVICE=$(systemctl list-units --type=service --all 2>/dev/null | grep -iE 'buywhere-api|buywhere' | awk '{print $1}' | head -1)
+              echo "Restarting systemd service: $SERVICE"
+              systemctl restart "$SERVICE"
+              sleep 3
+              systemctl is-active "$SERVICE" && echo "Service is active" || echo "WARNING: service may not be running"
+            elif command -v supervisorctl &>/dev/null && supervisorctl status 2>/dev/null | grep -qiE 'buywhere|uvicorn'; then
+              PROC=$(supervisorctl status | grep -iE 'buywhere|uvicorn' | awk '{print $1}' | head -1)
+              echo "Restarting supervisor process: $PROC"
+              supervisorctl restart "$PROC"
+            elif command -v pm2 &>/dev/null && pm2 list 2>/dev/null | grep -qiE 'buywhere|api'; then
+              PROC=$(pm2 list | grep -iE 'buywhere|api' | awk '{print $2}' | head -1)
+              echo "Restarting PM2 process: $PROC"
+              pm2 restart "$PROC"
+            else
+              echo "WARNING: Could not detect service manager — service must be restarted manually"
+            fi
+
+            echo "=== Deploy complete ==="
+          ENDSSH
+
+      - name: Health check
+        env:
+          DEPLOY_HOST: ${{ secrets.PRODUCTION_DEPLOY_HOST }}
+          DEPLOY_PORT: ${{ secrets.PRODUCTION_DEPLOY_PORT || 22 }}
+          DEPLOY_USER: ${{ secrets.PRODUCTION_DEPLOY_USER }}
+        run: |
+          echo "Waiting 10s for service to come up..."
+          sleep 10
+          # Check health endpoint
+          for i in 1 2 3 4 5; do
+            HTTP=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 https://api.buywhere.ai/health || echo "000")
+            if [ "$HTTP" = "200" ]; then
+              echo "Health check passed (attempt $i) — HTTP $HTTP"
+              exit 0
+            fi
+            echo "Health check attempt $i: HTTP $HTTP"
+            sleep 5
+          done
+          echo "WARNING: Health check did not return 200 — check service manually"
+          exit 1

.github/workflows/deploy-site-production.yml

@@ -21,37 +21,53 @@ concurrency:
 
 permissions:
   contents: read
-  packages: write
+  id-token: write
 
 env:
-  REGISTRY: ghcr.io
   GCP_PROJECT_ID: gaia-calendar-488606
   GCP_REGION: asia-southeast1
   CLOUD_RUN_SERVICE: buywhere-site-production
+  AR_REPO: buywhere
+  AR_IMAGE: asia-southeast1-docker.pkg.dev/gaia-calendar-488606/buywhere/site
 
 jobs:
   build:
-    name: Build Site Docker Image
+    name: Build and Push Site Image
     runs-on: ubuntu-latest
+    environment: production
     outputs:
       image_tag: ${{ steps.image_meta.outputs.image_tag }}
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set lowercase image name and tag
-        id: image_meta
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY_PROD || secrets.GCP_SA_KEY }}
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@v2
+
+      - name: Configure Docker for Artifact Registry
+        run: gcloud auth configure-docker ${{ env.GCP_REGION }}-docker.pkg.dev --quiet
+
+      - name: Ensure Artifact Registry repository exists
         run: |
-          REPO_LOWER="${GITHUB_REPOSITORY,,}"
-          echo "image_name=ghcr.io/${REPO_LOWER}-site" >> "$GITHUB_OUTPUT"
-          echo "image_tag=ghcr.io/${REPO_LOWER}-site:sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+          gcloud artifacts repositories describe ${{ env.AR_REPO }} \
+            --location=${{ env.GCP_REGION }} \
+            --project=${{ env.GCP_PROJECT_ID }} \
+            --format="value(name)" 2>/dev/null || \
+          gcloud artifacts repositories create ${{ env.AR_REPO }} \
+            --repository-format=docker \
+            --location=${{ env.GCP_REGION }} \
+            --project=${{ env.GCP_PROJECT_ID }} \
+            --description="BuyWhere container images"
 
-      - uses: docker/setup-buildx-action@v3
+      - name: Set image tag
+        id: image_meta
+        run: echo "image_tag=${{ env.AR_IMAGE }}:sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
 
-      - uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/setup-buildx-action@v3
 
       - name: Build and push site image
         uses: docker/build-push-action@v5
@@ -110,3 +126,6 @@ jobs:
           HTTP=$(curl -sf -o /dev/null -w "%{http_code}" \
             "${{ steps.deploy.outputs.url }}" --max-time 15 || echo "000")
           echo "Cloud Run site health: HTTP ${HTTP}"
+          if [[ "$HTTP" != "200" ]]; then
+            echo "WARN: Cloud Run returned ${HTTP} — check service logs"
+          fi