Release Notes: Feb 6-13, 2026
~63 commits | Project inception — from forked template to standalone hospital search system
This was Week 0/1 — laying the foundation for everything that followed. The codebase was forked from s4u-rag and fully consolidated into zol-rag, replacing all external library dependencies with inline implementations. Two rounds of security hardening locked down the API surface. The RAG pipeline gained enrichment capabilities (canonical questions, BM25), graph ingestion was restructured around SOURCED_FROM relationships, and the frontend received full Dutch internationalization plus an animated pipeline visualization.
Project Bootstrap
The project started as a fork of the generic s4u-rag template and was consolidated into a standalone, self-contained codebase with zero proprietary library dependencies.
What changed:
- s4u-rag to zol-rag: Full rename across the entire codebase — imports, configs, Docker labels, environment variables
- s4u-observability replaced: Swapped the shared observability library for direct Logfire integration
- s4u-llm-client replaced: Replaced the shared LLM client with an inline OpenAI SDK wrapper
- s4u-llm-eval replaced: Replaced the shared evaluation framework with an inline DeepEval evaluator
- s4u-audit-compliance replaced: Replaced the shared audit models with inline equivalents
- Dockerfile cleanup: Removed repository bloat, unused dependencies, and dead configuration files
Security Hardening
Two back-to-back security phases addressed critical vulnerabilities before any external deployment.
What changed:
- Phase 1 (SEC-001 through SEC-010): Emergency security fixes covering authentication bypass vectors, input validation, rate limiting, and error information leakage
- Phase 2: Critical bug fixes and safety hardening — tightened the medical safety layer, added response filtering, and hardened the query pipeline against prompt injection
RAG Pipeline Foundation
The retrieval pipeline was extended beyond basic vector search with enrichment and hybrid retrieval capabilities.
What changed:
- ADR-007: Defined the RAG pipeline enrichment strategy — canonical questions generated per chunk, BM25 keyword index alongside vector similarity
- BM25 OR-logic: Natural language queries are tokenized and matched with OR semantics, improving recall for multi-term Dutch medical queries
- Concurrent session fix: Resolved a race condition where parallel search requests could corrupt shared pipeline state
Graph and Ingestion
The knowledge graph structure was redesigned and the document ingestion pipeline was extended to handle PDFs.
What changed:
- SOURCED_FROM relationships: Replaced the
source_page_idsarray field with explicit graph relationships linking entities to their source documents - PDF ingestion: Added PDF document processing with
doc_typetracking to distinguish brochures from web pages - Crawl improvements: Domain normalization, safe deletion of stale pages, and image URL filtering to avoid ingesting non-text resources
- Database health remediation: Fixed compatibility issues between pgvector and Neo4j connection pooling
Frontend
The frontend received internationalization support and a rich pipeline visualization to make the RAG process transparent.
What changed:
- Complete i18n: All UI components internationalized with Dutch as the primary language
- Pipeline animation: Real-time visualization of the RAG pipeline stages — retrieval, reranking, generation — with expandable chunk previews and source citations
- Think Harder visualization: BGE cross-encoder reranking pipeline rendered as a distinct visual stage
- LLM diagnostics: Entity validation results, contextual retrieval metadata, and database health status exposed in the developer tools panel
Architecture Foundations
Core architectural patterns were established that would carry through the entire project lifecycle.
What changed:
- 5-tier LLM routing (ADR-0014): Queries routed to different model tiers based on complexity, with per-request cost tracking
- RBAC viewer role: Read-only role added to the permission model for stakeholder access
- Frozen taxonomy: Hospital taxonomy locked to prevent accidental mutations during development
- Multi-site preparation: Initial abstractions for hospital-agnostic configuration, anticipating multi-tenant deployment
System State at End of Sprint
| Component | Value |
|---|---|
| Codebase | Fully consolidated, zero external s4u dependencies |
| Security | SEC-001 through SEC-010 resolved |
| RAG pipeline | Vector + BM25 hybrid retrieval |
| Graph | SOURCED_FROM relationship model |
| Frontend | Full i18n + pipeline animation |
| LLM routing | 5-tier with cost tracking |
| Medical advice incidents | ZERO |