Internal-docs RAG · citations · ACL · gap report · injection defenses

Your company almanac, indexed and queryable.

The single most-listed AI project on Upwork right now reads "build us an AI assistant on our company docs." Almanac is the version that doesn't punt on the load-bearing parts — citations that stream inline, ACL propagated from the source, a content-gap report on what the system couldn't answer, and prompt-injection defenses on every retrieved chunk.

Open the live demo Why your RAG demo isn't production-ready Source on GitHub

Try it on the fixture corpus

The public demo runs against a fictional company's docs across Drive, Notion, and Slack — ~22 documents on PTO, deploy process, on-call, security escalation, contractor onboarding, and so on. Role toggle changes ACL (Engineer can see deploy docs, Contractor cannot). Injection-bait docs sit in the corpus — the defenses are demonstrably exercised.

What's different from a ChatGPT-with-file-uploads demo

Citations that stream inline

Inline <cite id="…"/> tokens translate into SSE event: citation frames emitted next to the supporting text span. Copy-with-citations produces a pre-rendered markdown block — the footnotes survive paste.

ACL is propagated, not faked

Drive file permissions, Notion page-share rules, Slack channel membership → doc_acls. Caller identity → principal set → ACL-aware retrieval using pgvector hnsw.iterative_scan = strict_order. Demo includes a role toggle so prospects watch the boundary hold.

The no-answer gap report

Queries Almanac couldn't answer land in unanswered_questions. A nightly clustering job groups them. The admin sees "23 people asked variants of 'PTO policy' — there's no doc on PTO." The signal nobody else captures because it requires owning the retrieval layer.

Prompt injection is a primary threat

Retrieved chunks wrapped in <retrieved_chunk> tags treated as data, not instructions. Structured-output schema validation per provider. Output filter rejects URLs outside source domains, image tags, hallucinated citations. Trips land in prompt_injection_signals visible in admin.

Re-index is observable and atomic

Manual reindex per source. Full reindex enters degraded mode; chat serves from a snapshot until alias-swap. No mixed stale/fresh results mid-flight. Per-source health on the admin: last sync, doc count, embed-queue depth, DLQ depth, last error with fix hint.

pgvector only, no managed sidecar

Per-workspace partial HNSW indexes. The 0.8.0 floor is load-bearing — earlier versions can't do the iterative-scan pre-filter without destroying recall. The "no managed vector DB dependency" line is the docs-site selling point for the regulated-buyer audience.

Stack

Laravel 13 + Filament 5
Chat API, admin, connector OAuth, ACL model. Per-workspace partial HNSW index lifecycle.
FastAPI (Python 3.12)
Embed + chunker + LLM-judge sidecar. supervisord-managed, numprocs=2 from day one.
PostgreSQL 16 + pgvector ≥ 0.8
Per-workspace partial HNSW + iterative-scan ACL pre-filter. No Pinecone, no Weaviate.
Next.js 16 + Scalar
Docs / marketing / live chat demo, OpenAPI-driven API reference.