Max Mayfield
eb953cdea5
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 43s
CI — P2 Drift (Go + Node) / saas (push) Failing after 5s
CI — P3 Alert / test (push) Failing after 4s
CI — P4 Portal / test (push) Failing after 4s
CI — P5 Cost / test (push) Failing after 4s
CI — P6 Run / saas (push) Failing after 5s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 7s
CI — P3 Alert / build-push (push) Has been skipped
CI — P4 Portal / build-push (push) Has been skipped
CI — P5 Cost / build-push (push) Has been skipped
CI — P6 Run / build-push (push) Failing after 5s
Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path
Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'
Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue
Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build
All 6 projects compile clean (tsc --noEmit).
dd0c — DevOps Developer Tools
Six products. One platform. Built for teams that ship.
Products
| Product | Port | Description | Stack |
|---|---|---|---|
| route | 3001 | LLM Cost Router & Dashboard | Rust (proxy + API), React |
| drift | 3002 | IaC Drift Detection | Go (agent), TypeScript/Fastify |
| alert | 3003 | Alert Intelligence | TypeScript/Fastify |
| portal | 3004 | Lightweight Service Catalog | TypeScript/Fastify, Meilisearch |
| cost | 3007 | AWS Cost Anomaly Detection | TypeScript/Fastify |
| run | 3006 | Runbook Automation | Rust (agent), TypeScript/Fastify |
Quick Start
cd products/
# 1. Start shared infra (Postgres, Redis, Meilisearch, Registry)
docker compose up -d postgres redis meilisearch registry
# 2. Build and push all images to local registry
./build-push.sh
# 3. Pull and start all services
docker compose pull && docker compose up -d
Continuous Deployment (NAS)
Replace the old watch command with the smart watch loop:
watch -n300 'cd ~/services/dd0c/products && ./watch-loop.sh'
It detects which products changed, rebuilds only those, pushes to localhost:5000, and redeploys.
Manual rebuild (single service)
./build-push.sh drift # Build + push just drift
docker compose pull drift && docker compose up -d drift
Testing
# Smoke tests (health + auth + basic API)
./smoke-test.sh --base-url 192.168.86.11 --skip-rust
# Integration tests (CRUD flows, webhooks, executions, API keys)
./integration-test.sh
Architecture
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Cloudflare │ │ Fly.io │ │ Fly.io │
│ Pages │ │ (proxy) │ │ (APIs) │
│ React UIs │ │ P1 route │ │ P3-P6 SaaS │
└──────┬───────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
└────────────┬────┘────────────────┘
│
┌─────┴─────┐
│ Neon PG │ ← RLS per tenant
│ + Upstash │ ← Redis cache
└────────────┘
Auth
All products share the same auth pattern:
- JWT (Bearer token) for browser/API access
- API Key (
dd0c_prefix + 32 hex) for agents/CLI - HMAC for webhook endpoints (per-provider secrets)
- RBAC: owner > admin > member > viewer
Shared Patterns
- RLS tenant isolation:
withTenant()wrapper on every DB call - Zod config validation: Environment variables validated at startup
- Fastify: All Node services use Fastify with cors + helmet
- Pino: Structured JSON logging everywhere
- Gitea Actions CI: Test + typecheck + lint on every push
Local Development
Each product can run standalone:
cd products/03-alert-intelligence
npm install
npm run dev # tsx watch mode
Or run the full stack via Docker Compose (see Quick Start).
Deployment
V1 Target: Fly.io (~$5/mo total)
- Each product has a
fly.tomlwith scale-to-zero - Shared Neon Postgres (free tier) + Upstash Redis (free tier)
- Cloudflare Pages for React dashboards
- Caddy for self-hosted TLS (optional)
Scale Target: AWS (ECS Fargate + RDS + ElastiCache)
- Same Docker images, only env vars change
- Migration path documented in each product's
INFRASTRUCTURE.md
CI/CD
All products use Gitea Actions with self-hosted runners:
.gitea/workflows/ci.yml— test, typecheck, lint.gitea/workflows/deploy.yml— build + push to Fly.io (where applicable)
License
Proprietary. © dd0c 2026.