# Document Note Service · Deployment notes · Batch 13

**Scope:** internal/team deployment candidate. NOT internet-facing.

## Environment variables

| Var | Default | Effect |
|-----|---------|--------|
| `DNS_HOST` | `127.0.0.1` | bind host |
| `DNS_PORT` | `8091` | bind port |
| `DNS_STORE_PATH` | `./notes_store.json` | file-backed persistence |
| `DNS_REQUIRE_SESSION` | `false` | when `true`, mutation endpoints require a valid DAS session cookie |
| `DNS_DAS_BASE` | `http://127.0.0.1:8090` | Document Access Service base URL used for session validation |
| `DNS_ALLOW_ORIGINS` | `*` | CORS allow-origins; comma-separated |
| `DNS_LOG_LEVEL` | `INFO` | log level |

## Team-usable quick start

```bash
# Assume document-access-service is already running on :8090 with team secret
export DNS_REQUIRE_SESSION=true
export DNS_DAS_BASE="http://127.0.0.1:8090"
export DNS_ALLOW_ORIGINS="https://console.pattayatogether.com"

bash run.sh
```

When `DNS_REQUIRE_SESSION=true`, mutation endpoints (`POST /api/notes/create`,
`PATCH /api/notes/{id}`, `DELETE /api/notes/{id}`) call
`DAS_BASE/api/access/me` with the forwarded cookies. Only authenticated
sessions may write. Read endpoints (`GET /list`, `/aggregate`, `/by-doc`)
remain open for internal observability.

## Endpoints

Unchanged from Batch 11 · see `notes_contract.json`.

## Known limits

- **Single-writer assumption.** One uvicorn worker only. Running multiple
  workers WILL lose updates on concurrent mutations.
- **Session check is advisory.** `_require_session` forwards cookies to
  the access service; if the access service is down, mutations fail with
  503. Read endpoints always open.
- **No per-note ACL.** A signed-in teammate can edit / delete any note in
  the store. Per-note ownership + audit trail are deferred.
- **No websocket / SSE.** Clients must poll.
- **File persistence** via atomic rewrite (temp-file + `os.replace`). Fine
  for dev-sized backlog; use SQLite or Postgres for a real team scale.