Answer quality: confidence threshold + low-confidence fallback to contact page
DevBelow a configurable confidence threshold → safe fallback, no guessing; point the resident to a configurable contact page.
Product Roadmap
Where the GovChat chatbot and the Knowledge Management product are headed across their repos
Done & launched 🚀
Below a configurable confidence threshold → safe fallback, no guessing; point the resident to a configurable contact page.
Chatbot (and search AI Overview) replies are rendered as escaped plain text — only \n→<br> and [N] citation links are handled (public/js/chatbot.js renderAnswer(), public/js/ai-overview.js).…
Emergency-intent detection must interrupt the RAG flow and surface emergency contacts (911 / relevant hotline) instead of attempting an answer.
Two related requests for the AI Overview (search) and chatbot citations.
"Spend boldness in one place: the open/collapse." The launcher pill should morph into the panel — panel grows from the launcher's corner on one shared easing curve with continuous header color,…
Track 1 — building the demo spine
I started editing the wrap prompt but I realized I didn't know if it really has good access to the dates of content.
Parent epic for the Track 1 demo spine (spec ) — build to show a friendly agency soon, on a real corpus (MMA site), private demo, no cost/abuse hardening.
Lighter admin that leans on WP editorial workflow.
Every substantive claim cites source(s) with clickable deep links (heading anchor or text fragment), not raw URLs.
Bake in the metadata that makes citations clickable later: chunk content at heading boundaries and store permalink + title + heading anchor on every chunk.
Themeable per agency: launcher label, assistant name, accent color, seal/wordmark. Builds on the existing association/municipal theme switch.
Part of #11 (Demo Spine). Spec Track 1 step 3: turn search into chat.
Emit an audit event on every state transition (actor, from-state, to-state, timestamp, tenant) into the viv-chatbot append-only audit stream (#4) — see PRD. Support a "provenance view": given a…
Consent-time UX integrity: at approval, show the resident exactly what would be published, remind them declining has no effect on getting their answer, and keep no dark patterns — decline as easy…
Enforce the two mandatory gates as hard invariants in the transition layer: redactionpending → consentpending requires a reviewer action, and consentpending → approved requires affirmative…
Parent epic. Be honest, up front, that the system cannot guarantee privacy, and steer sensitive matters to traditional channels.
Parent epic. The first-class subsystem that ensures nothing entering a municipal knowledge base contains personally identifying or sensitive information, and that a human always confirms it before…
Parent epic. Build the explicit, auditable state machine that carries a resident question from chat escalation all the way to a published (or deliberately-not-published) knowledge-base article.
Mandatory human review gate UI: reviewer sees all flagged spans and the proposed redaction, and can accept, add/remove redactions, rewrite the generalized answer, or reject + send back. Also makes…
Handle the non-happy-path exits: resident decline, consent timeout, sensitive-matter diversion, and explicit withdrawal — routing to closednopublish or withdrawn per PRD. A ticket reaching…
PII detection pass over the full resolved Q&A: deterministic detectors (emails, phones, structured account/case/permit/parcel IDs) plus an LLM pass via viv-chatbot's provider interface for…
Redaction proposal generator: produce a redacted draft that generalizes specifics into a reusable answer (e.g. "123 Elm St" → "a residential address") rather than censoring a transcript, presented…
Sensitive-matter off-ramp + emergency interrupt: when a resident indicates (or the system detects) a sensitive/personal matter, offer the traditional-channel route instead of pushing them through…
Model the ticket entity and its states (proposed, open, assigned, awaitingresident, awaitingagent, resolved, redactionpending, consentpending, approved, published, closednopublish, withdrawn) and…
Up-front privacy warning before chat/ticket: persistent, plain-language, WCAG-compliant notice — automated public assistant, can't always ensure privacy, avoid personal details, use traditional…
Track 2 — productionizing after the yes
Parent epic for the real admin console (spec ) — the strategic control layer that the demo only glimpses.
Parent epic for observability (spec /) — the audit trail and the analytics it feeds.
Parent epic for production-grade indexing + retrieval quality (spec, ) — the backend side of ingestion and answer quality, beyond the demo-spine slice.
Parent epic for the productionization foundation (spec /) — everything that must exist before a second agency can be served and before a public endpoint is exposed.
Per-tenant: volume, deflection, fallback rate, CSAT, usage/cost; content-gap list (questions with no confident answer) to guide editorial.
Append-only, per-tenant audit of every interaction: question, retrieved chunks, sources, answer, fallback/escalation outcome. No cross-tenant visibility. Feeds content-gap + analytics.
Per-tenant token/request metering (billing backbone); per-tenant spend ceiling with alerting + graceful 'service paused'; per-tenant and per-IP/session rate limits on the public widget endpoint;…
Collection-per-tenant in Typesense; tenantid on every relational row; tenant resolved server-side from the widget's site key, never client-supplied. Site-key issuance + per-tenant deletion…
Part of #13 (Indexing & Retrieval Quality). Spec — the production ingestion pipeline (backend side).
No OpenAI-specific format should leak past a single internal interface, so Azure OpenAI / Bedrock can be swapped via one adapter.
Connect site / issue site key; indexed post-types/fields/taxonomies; guardrails (out-of-scope, threshold, canned responses); escalation config; off-site allowlist + referral directory;…
Part of #13 (Indexing & Retrieval Quality). Spec — production-grade answer quality.
Agent reply composer: write a reply that goes out via the email round-trip (Epic: Email), move the ticket to awaitingresident, and mark a ticket resolved when the matter is answered — handing it…
Ticket queue/inbox for agents: list open/assigned tickets for the current tenant, with assignment (pick up / route), filtering, and the current state badge. Respects role (Agent/Reviewer/Admin)…
Article lifecycle vs. source content: handle re-review/expiry when underlying policy changes (reuse GovChat effective-date filtering, spec ), and decide version history on edit/re-approval for…
Consent record + revocation: store affirmative consent (who, exact version approved, when, channel) for the consent gate; support later revocation that moves a published article to withdrawn and…
Parent epic. Two required gates and the writer that puts an approved answer into the RAG corpus.
Parent epic. The interface a real government agent uses to pick up an escalated ticket, read the originating GovChat conversation, and reply to the resident.
Publish-to-KB writer: index the approved, redacted Q&A as a document in the tenant's existing Typesense collection (the same one GovChat searches), tagged sourcetype: "kmarticle" for…
Ticket detail view: render the originating GovChat conversation (from viv-typesense wpvivtsmessages / ?vts= token, referenced not copied), the captured contact info, retrieved sources, and the…
Consent over email: deliver the proposed redacted Q&A with clear approve/decline actions, and record the resident's decision as the consent gate input (PRD, ). Approval/decline is captured with…
Consume viv-chatbot #7 escalation payload as the ticket-creation input (conversation summary, captured contact, source citations), instead of a parallel capture path (PRD ). Map the payload onto…
Parent epic. Run the agent↔resident loop over email so residents don't have to stay in the chat. Outbound agent replies / consent requests carry a signed, opaque, per-ticket+tenant token; inbound…
Parent epic. Wire KM into the existing stack without duplicating it.
Inbound email ingestion: receive resident replies (provider webhook or mailbox poll — PRD Q1), verify sender/token binding, strip quoted history + signatures, sanitize HTML, enforce…
Outbound email: send agent replies and consent requests from a per-tenant sender identity. Each message embeds a signed, opaque, single-purpose, expiring token binding it to one ticket + tenant…
Tenant isolation + deletion guarantees for KM data: tenantid on every KM row; KM tickets/articles/KB documents never cross tenants; a published article for Town A is never retrievable by Town B;…
REST surface + provider routing: expose KM endpoints under a parallel viv-km/v1 namespace reusing viv-typesense/viv-chatbot auth + tenant-resolution conventions; route every KM LLM call (PII…
Post-launch enhancements
Parent epic for Phase-2 engagement & escalation (spec //) — the wow features built after the demo proves the concept and the foundation is in place.
Optional, off by default, ephemeral: last N page titles, in-memory, not stored as a profile; disclosed in the privacy notice when enabled.
Relates to vivwebsolutions/viv-typesense#15 (Ticketing system attached to chat). Bot summarizes the conversation into a structured payload and submits via a configurable webhook or email (generic…
Simple v1 referral directory ("for X, go to agency Y at URL Z") + an exit interstitial / external-link marker every time a resident is sent off-site.
Backend half of the chat share permalink feature. UI is tracked in vivwebsolutions/viv-typesense#34.