# dd0c/drift — Dual-Mode Deployment Addendum

**Template:** Based on dd0c/route dual-mode pattern (`01-llm-cost-router/architecture/dual-mode-addendum.md`)

---

## Cloud → Self-Hosted Service Mapping

| Cloud Service | Self-Hosted Replacement | Notes |
|--------------|----------------------|-------|
| SQS FIFO | PostgreSQL pgmq | Agent pushes drift reports to pgmq instead of SQS |
| RDS PostgreSQL | PostgreSQL container | Same schema, same RLS |
| Cognito | Local JWT (HS256) | Same AuthProvider trait pattern |
| S3 (drift report archive) | MinIO or local FS | Configurable via ObjectStore trait |
| CloudWatch | Prometheus + Grafana | Bundled in compose |
| SES | SMTP relay | For email notifications |
| KMS | Local AES-256-GCM | Key file mounted as volume |

## Self-Hosted Compose Services

```yaml
services:
  agent-gateway:    # gRPC endpoint for agents (replaces SQS ingestion)
    image: ghcr.io/dd0c/drift-gateway:latest
  event-processor:  # Normalizes drift reports, scores severity
    image: ghcr.io/dd0c/drift-processor:latest
  api:              # Dashboard API
    image: ghcr.io/dd0c/drift-api:latest
  dashboard:        # React SPA
    image: ghcr.io/dd0c/drift-dashboard:latest
  postgres:         # Config + drift data (with RLS)
    image: postgres:16-alpine
  redis:            # mTLS cert cache, circuit breakers
    image: redis:7-alpine
  caddy:            # Reverse proxy + auto-TLS
    image: caddy:2-alpine
```

## Agent Changes

The Go agent already connects via gRPC — it just needs a configurable endpoint:

- Cloud: `grpcs://ingest.drift.dd0c.dev`
- Self-hosted: `grpc://localhost:50051` (or user's domain with Caddy TLS)

mTLS certs: self-hosted uses a local CA (generated during install) instead of ACM.
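One way the configurable endpoint could be validated before dialing, as an added example that is not the project's own agent code. `Endpoint` and `ParseEndpoint` are hypothetical names, and the default port 443 for `grpcs://` and the rule that plaintext `grpc://` is accepted only for loopback hosts are assumptions of this sketch, not stated requirements of dd0c/drift.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Endpoint is a hypothetical type for this example, not the agent's own.
type Endpoint struct {
	Addr string // host:port to dial
	TLS  bool   // true for grpcs://, false for grpc://
}

// ParseEndpoint maps the two URL forms above to a dial target.
// Assumed policy: plaintext grpc:// is accepted only for loopback hosts.
func ParseEndpoint(raw string) (Endpoint, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Endpoint{}, err
	}
	host, port := u.Hostname(), u.Port()
	if host == "" {
		return Endpoint{}, errors.New("endpoint needs scheme://host[:port]")
	}
	switch u.Scheme {
	case "grpcs":
		if port == "" {
			port = "443" // assumed default for the TLS endpoint
		}
		return Endpoint{Addr: net.JoinHostPort(host, port), TLS: true}, nil
	case "grpc":
		ip := net.ParseIP(host)
		if host != "localhost" && (ip == nil || !ip.IsLoopback()) {
			return Endpoint{}, fmt.Errorf("plaintext grpc:// refused for non-loopback host %q", host)
		}
		if port == "" {
			return Endpoint{}, errors.New("grpc:// endpoint needs an explicit port")
		}
		return Endpoint{Addr: net.JoinHostPort(host, port), TLS: false}, nil
	}
	return Endpoint{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
}

func main() {
	fmt.Println(ParseEndpoint("grpcs://ingest.drift.dd0c.dev"))
	fmt.Println(ParseEndpoint("grpc://localhost:50051"))
}
```

With this check, a self-hosted agent pointed at the user's own domain has to use `grpcs://`, which matches the Caddy TLS path in the list above.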

## Epic Impact

| Epic | Change | Effort |
|------|--------|--------|
| 1 (Agent) | Add configurable gRPC endpoint | 1 pt |
| 2 (Communication) | Local CA for mTLS, pgmq instead of SQS | 3 pts |
| 3 (Event Processor) | Already PostgreSQL — no change | 0 |
| 4 (Notifications) | SMTP fallback | 1 pt |
| 5 (Remediation) | No change — agent-side | 0 |
| 6 (Dashboard UI) | Local login form | 2 pts |
| 7 (Dashboard API) | LocalAuthProvider | 2 pts |
| 8 (Infrastructure) | docker-compose.yml + install.sh | 5 pts |
| 9 (Onboarding) | Local signup, remove Stripe req | 3 pts |
| 10 (TF Tenets) | No change | 0 |
| **Total** | | **17 pts** |