Last Updated: 2026-02-07Audited From: Actual codebase in server/
Protocol Guide's backend serves the national EMS protocol library through a jurisdiction-aware RAG pipeline. Express + tRPC provides type-safe endpoints; the core pipeline normalizes EMS queries, resolves jurisdiction (county → LEMSA/agency), executes scoped vector search against 58,000+ protocol chunks, re-ranks results, and generates cited answers via Claude.
The backend's primary function is jurisdiction-scoped protocol retrieval. Every search flows through this pipeline:
User Query: "epi dose for cardiac arrest"
│
┌───────────────▼───────────────────┐
│ 1. EMS Query Normalizer │ server/_core/ems-query-normalizer.ts
│ • Expand abbreviations │ "epi" → "epinephrine"
│ (150+ EMS terms) │
│ • Classify intent │ → medication_dosing
│ • Detect emergent indicators │ → isEmergent = true
│ • Extract medications/conditions│
└───────────────┬───────────────────┘
│
┌───────────────▼───────────────────┐
│ 2. Jurisdiction Resolution │ server/routers/search.ts
│ • countyId → county_agency_ │ via county_agency_mapping table
│ mapping → agency_id │
│ • Resolves LEMSA/agency for │
│ scoped search │
└───────────────┬───────────────────┘
│
┌───────────────▼───────────────────┐
│ 3. Vector Search (Scoped) │ server/_core/embeddings/
│ • Generate query embedding │ Voyage AI voyage-large-2 (1536 dim)
│ • pgvector cosine similarity │ Supabase search_manus_protocols RPC
│ • WHERE agency_id = X │ Filtered to user's jurisdiction
│ • Optional: multi-query fusion │ For medication/safety queries
└───────────────┬───────────────────┘
│
┌───────────────▼───────────────────┐
│ 4. Re-ranking │ server/_core/rag/scoring.ts
│ • Term frequency (+20 max) │
│ • Synonym matching (+15 max) │
│ • Protocol number match (+50) │
│ • Title relevance (+8) │
│ • Context boost: same agency │ +15 points
│ (+15), same state (+5) │
└───────────────┬───────────────────┘
│
┌───────────────▼───────────────────┐
│ 5. Claude RAG Response │ server/_core/claude.ts
│ • Retrieval-only mode │ No training data generation
│ • Mandatory citations │ [Protocol #XXX]
│ • Model: Haiku (free/simple) │
│ or Sonnet (pro/complex) │
│ • 3-10 sentence limit │
└───────────────┬───────────────────┘
│
▼
"Epinephrine 1mg IV/IO q3-5min [Protocol 4.2 - Cardiac Arrest]"
Safety-Critical Query Detection Certain query types receive enhanced processing regardless of subscription tier:
Trigger
Enhanced Behavior
Medication dosing
Multi-query fusion (3 variations), threshold 0.38
Contraindication checks
Highest priority (100), enhanced accuracy
Emergent patterns (cardiac arrest, anaphylaxis, airway obstruction)
Always enhanced processing
Pediatric + medication
Weight-based dosing alerts, enhanced accuracy
File
Purpose
server/_core/ems-query-normalizer.ts150+ EMS abbreviation expansion, intent classification, emergent detection
server/_core/embeddings/search.tsJurisdiction-scoped vector search via Supabase pgvector
server/_core/rag/search-execution.tsOrchestrates search: cache check → threshold selection → search → re-rank → cache
server/_core/rag/scoring.tsAdvanced re-ranking with intent-specific signal weighting
server/_core/rag/multi-query.tsMulti-query fusion for medication/safety queries
server/_core/claude.tsClaude SDK with retrieval-only system prompt, model routing
server/_core/protocol-chunker.tsSemantic chunking (400-1800 chars) with content type classification
The server is a single Express application that:
Mounts security middleware (Helmet, CORS, CSP nonce)
Registers raw Express routes (webhooks, OAuth, health)
Mounts tRPC router at /api/trpc
Serves static files in production
# Development (with hot reload)# Production&& pnpm start
Platform: RailwayBuild: esbuild bundles to dist/index.jsStatic Assets: Served from dist/ after Expo web build
tRPC provides type-safe API calls. All routers are composed in server/routers.ts.
Router
Path
Description
systemsystem.*Health checks, admin notifications
authauth.*Login/logout, session management (Supabase OAuth)
countiescounties.*U.S. county listing (2,713 counties across 53 states/territories)
useruser.*User profile, county/agency jurisdiction selection, disclaimer acknowledgment
searchsearch.*Core pipeline : jurisdiction-scoped semantic search (county→agency→vector search)
queryquery.*Core pipeline : protocol RAG queries (normalizer→search→Claude response)
voicevoice.*Voice transcription with EMS terminology recognition
feedbackfeedback.*User feedback on protocol accuracy
contactcontact.*Public contact form, waitlist
subscriptionsubscription.*Stripe checkout/portal (free/pro/enterprise)
adminadmin.*Admin-only operations
agencyAdminagencyAdmin.*B2B agency management — protocol upload, team management, analytics
integrationintegration.*ePCR partner tracking (ImageTrend, ESOS, Zoll, EMSCloud)
referralreferral.*Referral/viral growth system
jobsjobs.*Cron job triggers
Procedure
Type
Auth
Description
healthquery
public
Health check
notifyOwnermutation
admin
Send notification to owner
Procedure
Type
Auth
Description
mequery
public (rate limited)
Get current user
logoutmutation
CSRF
Clear session, revoke token
logoutAllDevicesmutation
protected
Revoke all tokens
changePasswordmutation
protected
Change password (verifies current)
updateEmailmutation
protected
Update email address
securityStatusquery
protected
Check token revocation status
Procedure
Type
Auth
Description
listquery
public (rate limited)
List all counties grouped by state
getquery
public (rate limited)
Get county by ID
Procedure
Type
Auth
Description
usagequery
protected
Get daily query usage
acknowledgeDisclaimermutation
protected
Record disclaimer acceptance
hasAcknowledgedDisclaimerquery
protected
Check disclaimer status
selectCountymutation
protected
Set user's selected county
queriesquery
protected
Get query history
savedCountiesquery
protected
Get saved counties (tier-limited)
addCountymutation
protected
Add county to saved list
removeCountymutation
protected
Remove county from saved list
setPrimaryCountymutation
protected
Set primary county
primaryCountyquery
protected
Get primary county
savePushTokenmutation
protected
Save push notification token
Procedure
Type
Auth
Description
semanticquery
public (rate limited)
Semantic search with Voyage AI
getProtocolquery
public (rate limited)
Get protocol by ID
statsquery
public (rate limited)
Protocol statistics
coverageByStatequery
public (rate limited)
Protocol coverage by state
totalStatsquery
public (rate limited)
Total protocol counts
agenciesByStatequery
public (rate limited)
Agencies in a state
agenciesWithProtocolsquery
public (rate limited)
All agencies with protocols
searchByAgencyquery
public (rate limited)
Search within specific agency
summarizequery
public (rate limited)
Summarize protocol content
Procedure
Type
Auth
Description
submitmutation
protected
Submit RAG query to Claude
historyquery
protected
Get query history
searchHistoryquery
protected
Get search history (Pro)
syncHistorymutation
protected (Pro)
Sync local history to cloud
clearHistorymutation
protected
Clear search history
deleteHistoryEntrymutation
protected
Delete single history entry
Procedure
Type
Auth
Description
transcribemutation
rate limited
Transcribe audio (Whisper)
uploadAudiomutation
rate limited
Upload audio for transcription
Procedure
Type
Auth
Description
submitmutation
protected
Submit feedback
myFeedbackquery
protected
Get user's feedback
Procedure
Type
Auth
Description
submitmutation
strict public rate limited
Submit contact form
subscribeWaitlistmutation
strict public rate limited
Join waitlist
Procedure
Type
Auth
Description
createCheckoutmutation
protected
Create Stripe checkout session
createPortalmutation
protected
Create Stripe portal session
statusquery
protected
Get subscription status
createDepartmentCheckoutmutation
protected
Create agency checkout
Procedure
Type
Auth
Description
listFeedbackquery
admin
List all feedback
updateFeedbackmutation
admin
Update feedback status
listUsersquery
admin
List all users
updateUserRolemutation
admin
Change user role
listContactSubmissionsquery
admin
List contact forms
updateContactStatusmutation
admin
Update contact status
getAuditLogsquery
admin
Get audit logs
Procedure
Type
Auth
Description
myAgenciesquery
protected
Get user's agencies
getAgencyquery
protected
Get agency details
updateAgencymutation
protected
Update agency
listMembersquery
protected
List agency members
inviteMembermutation
protected
Invite member
updateMemberRolemutation
protected
Change member role
removeMembermutation
protected
Remove member
listProtocolsquery
protected
List agency protocols
uploadProtocolmutation
protected
Upload protocol
getUploadStatusquery
protected
Check upload progress
updateProtocolStatusmutation
protected
Change protocol status
publishProtocolmutation
protected
Publish protocol
archiveProtocolmutation
protected
Archive protocol
listVersionsquery
protected
List protocol versions
createVersionmutation
protected
Create new version
getSearchAnalyticsquery
protected
Search analytics
getProtocolAnalyticsquery
protected
Protocol analytics
getUserAnalyticsquery
protected
User analytics
getErrorAnalyticsquery
protected
Error analytics
exportAnalyticsmutation
protected
Export analytics
Procedure
Type
Auth
Description
logAccessmutation
strict public rate limited
Log partner access
getStatsquery
admin
Integration statistics
getRecentLogsquery
admin
Recent integration logs
getDailyUsagequery
admin
Daily usage charts
Procedure
Type
Auth
Description
getMyReferralCodequery
protected
Get user's referral code
getMyStatsquery
protected
Get referral statistics
getMyReferralsquery
protected
List referrals
validateCodequery
protected
Validate referral code
redeemCodemutation
protected
Redeem referral code
getShareTemplatesquery
protected
Get share templates
getLeaderboardquery
protected
Referral leaderboard
trackViralEventmutation
protected
Track viral event
Procedure
Type
Auth
Description
runDripEmailsmutation
CRON_SECRET
Trigger drip email job
These are raw Express routes outside of tRPC:
Endpoint
Method
Description
/api/healthGET
Basic health check
/api/readyGET
Kubernetes readiness probe
/api/liveGET
Kubernetes liveness probe
/api/resilienceGET
Circuit breaker status
Endpoint
Method
Description
/api/auth/supabase/callbackGET
Supabase OAuth callback
Endpoint
Method
Description
/api/stripe/webhookPOST
Stripe webhook handler
Endpoint
Method
Description
/api/imagetrend/launchGET
ImageTrend deep link
/api/imagetrend/healthGET
ImageTrend integration health
/api/imagetrend/suggestPOST
AI protocol suggestions (mock)
/api/imagetrend/exportPOST
Export to ePCR (mock)
Endpoint
Method
Description
/api/summarizePOST
Protocol summarization (Claude)
/api/client-errorPOST
Client error reporting (Sentry)
Supabase Auth + Custom DB
Login/Signup: Client uses Supabase Auth (email/password or OAuth)Token Exchange: Client receives Supabase JWTAPI Calls: Client sends Authorization: Bearer <jwt>Context Creation: Server validates JWT via Supabase Admin SDKUser Lookup: Server finds/creates user in MySQL by supabase_idToken Blacklist: Check if user's tokens have been revoked
Context Creation (server/_core/context.ts) export async function createContext ( opts ) : Promise < TrpcContext > {
// 1. Extract Bearer token
const token = authHeader ?. replace ( "Bearer " , "" ) ;
// 2. Verify with Supabase
const { data : { user : supabaseUser } } = await supabaseAdmin . auth . getUser ( token ) ;
// 3. Find/create in our DB
user = await db . findOrCreateUserBySupabaseId ( supabaseUser . id , { ...} ) ;
// 4. Check token blacklist
if ( await isTokenRevoked ( user . id ) ) user = null ;
return { req, res, user, trace } ;
}
Pattern: Double-submit cookieCookie: csrf_token (httpOnly: false so JS can read)Header: x-csrf-tokenValidation: Constant-time comparison (prevents timing attacks)Scope: All mutations (queries are exempt)
Order matters. Here's the actual order from server/_core/index.ts:
CSP Nonce Generation - Per-request nonce for inline scriptsHelmet - Security headers (CSP, HSTS, X-Frame-Options, etc.)Timeout - 30s request timeoutHTTP Logger - Pino structured loggingCORS - Whitelist-based origin validationStripe Webhook - Raw body handler (before JSON parsing)JSON Parser - 10MB limitCookie Middleware - Parse cookies, set CSRF tokenOAuth Routes - Supabase callbackHealth Endpoints - With rate limitingAI Endpoint - /api/summarize with AI rate limiterImageTrend Routes - Integration endpointstRPC Middleware - Main API at /api/trpcStatic Files - Production onlySentry Error Handler - Last, catches all errors
Security Headers (Helmet)
contentSecurityPolicy: {
defaultSrc : [ "'self'" ] ,
scriptSrc : [ "'self'" , ( req , res ) => `'nonce-${ res . locals . cspNonce } ] ,
imgSrc : [ "'self'" , "data:" , "blob:" , "https://*.supabase.co" ] ,
connectSrc : [ "'self'" , "https://*.supabase.co" , /* whitelisted domains */ ] ,
}
hsts: { maxAge : 31536000 , preload : true }
frameguard: "deny"
Service
Purpose
Env Variable
Supabase Auth, vector storage (pgvector)
SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY
MySQL Primary database (users, queries, etc.)
DATABASE_URL
Anthropic (Claude) RAG responses
ANTHROPIC_API_KEY
Voyage AI Embedding generation
VOYAGE_API_KEY
Stripe Payments
STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET
Service
Purpose
Env Variable
Redis/Upstash Distributed rate limiting, caching
UPSTASH_REDIS_REST_URL, UPSTASH_REDIS_REST_TOKEN
Resend Transactional emails
RESEND_API_KEY
Sentry Error tracking
SENTRY_DSN
OpenAI Voice transcription (Whisper)
OPENAI_API_KEY
Forge Storage File uploads
BUILT_IN_FORGE_API_URL, BUILT_IN_FORGE_API_KEY
Tier
Query Type
Model
Cost
Free
All queries
Claude Haiku 4.5
~$0.0003-0.0005/query
Pro
Simple queries
Claude Haiku 4.5
~$0.0003-0.0005/query
Pro
Complex queries
Claude Sonnet 4.6
~$0.002-0.004/query
Complex query indicators: "multiple", "compare", "differential", "pediatric", "pregnancy", "mechanism"
Custom Error Types (server/_core/errors.ts) // Base class
class ProtocolGuideError extends Error {
code : string ;
userMessage : string ;
statusCode : number ;
retryable : boolean ;
requestId ?: string ;
}
// Claude errors
ClaudeRateLimitError // 429 - retryable
ClaudeAuthError // 500 - not retryable
ClaudeServerError // 503 - retryable
ClaudeOverloadedError // 503 - retryable
ClaudeTimeoutError // 504 - retryable
// Voyage errors
VoyageRateLimitError
VoyageAuthError
VoyageServerError
VoyageTimeoutError Claude API calls use exponential backoff:
Max retries: 3
Initial delay: 1000ms
Max delay: 10000ms
Backoff multiplier: 2x
Jitter: 10-20% random variation
All tRPC errors include:
{
"code" : " UNAUTHORIZED" "message" : " User-friendly message" "data" : {
"requestId" : " uuid-for-support" "timestamp" : " ISO-8601"
Procedure Type
Limit
Notes
publicProcedureNone
Open access
publicRateLimitedProcedure10 req/15min per IP
Public endpoints
strictPublicRateLimitedProcedure5 req/15min per IP
Sensitive public endpoints
rateLimitedProcedureTier-based daily limits
Authenticated endpoints
Daily Query Limits (tRPC)
Tier
Daily Queries
Free
10/day
Pro
100/day
Enterprise
Unlimited
Express Rate Limiters (Redis-based)
Limiter
Endpoint
Limit
publicLimiterMost endpoints
Tier-aware, IP-based
searchLimiterSearch endpoints
Free: 30/min, Pro: 100/min
aiLimiter/api/summarizeFree: 10/min, Pro: 50/min
Rate Limit Headers
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1706054400
X-RateLimit-Daily-Limit: 10
X-RateLimit-Daily-Remaining: 8
X-RateLimit-Daily-Reset: 1706140800
Retry-After: 300
Dual Database Architecture
MySQL (Drizzle ORM) - Primary database
Users, queries, feedback, agencies
Connection pooling with resilience wrapper
Supabase (PostgreSQL + pgvector) - Vector storage
Protocol embeddings
Semantic search via search_protocols_semantic RPC
Database Modules (server/db/)
Module
Purpose
connection.tsConnection management, pooling
users.tsUser CRUD
users-auth.tsOAuth, auth operations
users-usage.tsUsage tracking, tier management
counties.tsCounty operations
protocols.tsProtocol CRUD
protocols-search.tsSemantic search
queries.tsQuery history
feedback.tsFeedback, contact forms
admin.tsAdmin ops, audit logs
agencies.tsAgency management
protocol-versions.tsVersion control
Circuit Breaker: Prevents cascade failuresFallback Cache: In-memory cache when Redis unavailableSlow Query Monitoring: Logs queries >500ms as warning, >2000ms as error
Located in netlify/edge-functions/:
Function
Path
Purpose
cache-static.ts/api/static/*CDN caching for stats/coverage
geo-route.ts-
Geo-based routing
server/
├── _core/ # Core infrastructure
│ ├── index.ts # Express server entry
│ ├── trpc.ts # tRPC setup, procedures
│ ├── context.ts # Request context creation
│ ├── claude.ts # Claude AI integration
│ ├── errors.ts # Custom error types
│ ├── logger.ts # Pino logging
│ ├── rateLimit.ts # In-memory rate limiting
│ ├── rateLimitRedis.ts # Redis rate limiting
│ ├── redis.ts # Redis client
│ ├── sentry.ts # Sentry integration
│ ├── health.ts # Health check handlers
│ ├── oauth.ts # OAuth routes
│ ├── email.ts # Resend email service
│ ├── cookies.ts # Cookie utilities
│ ├── csrf.ts # CSRF (deprecated, use tRPC)
│ ├── tier-validation.ts # Subscription tier checks
│ ├── token-blacklist.ts # Token revocation
│ ├── timeout.ts # Request timeout
│ ├── tracing.ts # Distributed tracing
│ ├── env.ts # Environment validation
│ ├── embeddings/ # Voyage AI embeddings
│ ├── guardrails/ # Dose safety checks
│ ├── rag/ # RAG optimization
│ └── resilience/ # Circuit breakers, caches
│
├── api/ # Express route handlers
│ ├── imagetrend.ts # ImageTrend launch
│ ├── imagetrend-suggest.ts # AI suggestions
│ ├── summarize.ts # Protocol summarization
│ └── client-error.ts # Error reporting
│
├── routers/ # tRPC routers
│ ├── index.ts # Router exports
│ ├── auth.ts
│ ├── counties.ts
│ ├── user.ts
│ ├── search.ts
│ ├── query.ts
│ ├── voice.ts
│ ├── feedback.ts
│ ├── contact.ts
│ ├── subscription.ts
│ ├── admin.ts
│ ├── integration.ts
│ ├── jobs.ts
│ ├── agency-admin/ # Agency management
│ │ ├── agency.ts
│ │ ├── analytics.ts
│ │ ├── middleware.ts
│ │ ├── protocols.ts
│ │ ├── staff.ts
│ │ └── versions.ts
│ └── referral/ # Referral system
│ ├── analytics-procedures.ts
│ ├── code-procedures.ts
│ ├── constants.ts
│ └── user-procedures.ts
│
├── db/ # Database modules
│ ├── index.ts
│ ├── config.ts
│ ├── connection.ts
│ ├── users.ts
│ ├── users-auth.ts
│ ├── users-usage.ts
│ ├── counties.ts
│ ├── protocols.ts
│ ├── protocols-search.ts
│ ├── queries.ts
│ ├── feedback.ts
│ ├── admin.ts
│ ├── agencies.ts
│ └── protocol-versions.ts
│
├── webhooks/
│ └── stripe.ts # Stripe webhook handler
│
├── jobs/
│ ├── protocol-processor.ts
│ └── send-drip-emails.ts
│
├── emails/
│ └── templates/
│ └── index.ts # Email templates
│
├── lib/
│ ├── pricing.ts # Pricing configuration
│ └── state-codes.ts # State code utilities
│
├── routers.ts # Main router composition
├── db.ts # DB re-exports
├── storage.ts # File storage (Forge)
├── stripe.ts # Stripe client
└── subscription-access.ts # Subscription helpers
Adding a New tRPC Procedure
Create procedure in appropriate router (server/routers/*.ts)
Choose correct procedure type:
publicProcedure - No authpublicRateLimitedProcedure - No auth + rate limitprotectedProcedure - Auth + CSRFadminProcedure - Admin onlyrateLimitedProcedure - Auth + daily limits
Add to router export
Types auto-propagate to client via lib/trpc.ts
Adding a New Express Route
Add handler in server/api/*.ts
Register in server/_core/index.ts
Add appropriate rate limiter
Update CORS if needed
See docs/ENVIRONMENT.md for complete list. Critical ones:
# Required# Production