Access Protection for SecurityV0 Environments
Cloudflare Zero Trust Access configuration for non-prod SecurityV0 environments. Prod is gated by WorkOS hosted login only.
Migrate documentation site from MkDocs Material to Docusaurus 3
Adopt Terraform + hybrid repo structure (new sv0-infrastructure for cross-cutting, existing in-repo modules stay) + Terraform Cloud free tier for state and runners. Design modules so each customer tenant can be stamped out as an independent stack for dedicated-deployment clients.
Lock the Azure compute landing zone for sv0-platform: westeurope, IaaS primitives only, Cloudflare Tunnel ingress (no public IPs / no Azure LB), HA prod fleet across two zones, ephemeral per-PR VMs, OIDC-federated TF auth, and a cloud-portability rule set that keeps the design migratable to AWS/GCP.
Operationalises ADR-022 §3 (Phase 3f) for the dev tier: the stable demo VM at dev-azure.securityv0.com deploys on every main CI success via Azure Run Command using a new tightly-scoped Entra app + OIDC federation from GitHub Actions. No SSH key in the deploy path. Hetzner stays warm as fallback during cutover (no behavior change on the Hetzner side). PR-preview ephemeral VMs are explicitly out of scope; the design for that surface is banked in [docs/infrastructure/azure-ephemeral-pr-previews-design.md](../../infrastructure/azure-ephemeral-pr-previews-design.md) for re-activation when triggered.
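The deploy path described above, as an added illustration rather than sv0-platform's own deploy workflow: a GitHub Actions job that runs only after a green CI run on main, exchanges its OIDC token for an Azure token through azure/login (no stored client secret), and pushes the release onto the VM with Azure Run Command instead of SSH. The workflow name "CI", the GitHub Environment `dev-azure`, the resource group, VM name, secret names and the `/opt/sv0/deploy.sh` script are assumptions.

```yaml
# Added example (not the project's own deploy.yml): deploy to the stable dev VM
# via Azure Run Command after a successful CI run on main. Resource group, VM
# name, environment, secret names and the deploy script path are assumptions.
name: deploy-dev-azure

on:
  workflow_run:
    workflows: ["CI"]          # assumed name of the ci.yml workflow
    types: [completed]
    branches: [main]

permissions:
  id-token: write              # lets the job mint the GitHub OIDC token
  contents: read

jobs:
  deploy:
    # workflow_run also fires for failed CI runs; only act on a green one
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    environment: dev-azure     # assumed GitHub Environment holding the IDs below
    concurrency:
      group: deploy-dev-azure
      cancel-in-progress: false   # never interrupt a deploy mid-Run Command
    steps:
      - uses: azure/login@v2
        with:
          # Client, tenant and subscription IDs are identifiers, not secrets.
          # The Entra app carries a federated credential whose subject is
          # repo:securityv0/sv0-platform:environment:dev-azure, so only this
          # environment in this repo can exchange its OIDC token for an Azure token.
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Deploy via Run Command
        env:
          IMAGE_TAG: ${{ github.event.workflow_run.head_sha }}
        run: |
          # Run Command executes the script as root on the VM through the Azure
          # control plane: no SSH key, no inbound port. Keep the script short
          # and parameter-driven; whatever is passed in --scripts is visible in
          # the subscription activity log, so never inline secrets here.
          az vm run-command invoke \
            --resource-group rg-sv0-dev \
            --name vm-sv0-dev \
            --command-id RunShellScript \
            --scripts "sudo -u deploy /opt/sv0/deploy.sh ${IMAGE_TAG}" \
            --query 'value[0].message' -o tsv
```

The "tightly-scoped" part lives on the Azure side: assign the Entra app a custom role containing only `Microsoft.Compute/virtualMachines/runCommand/action`, scoped to that single VM resource rather than the resource group, so a compromised CI token can run scripts on the dev VM and nothing else. Because the federated credential subject pins the GitHub Environment, the deploy job should require that environment and branch protection on main should keep untrusted PRs from reaching it.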
Controls GitHub Actions minute consumption by cutting per-run cost, not PR count. The org's 50k included-minute pool is effectively a single-repo pool that follows active development; in May 2026 sv0-platform's ci.yml alone was ~80% of it (~36k measured minutes), dominated by a tail of multi-arch (amd64+arm64-via-QEMU) image builds that hung for hours on PR pushes (67 runs over 300 min, worst 18h). Decision: amd64-only image builds on PRs (multi-arch stays on main/release tags), cancel superseded PR runs, path-gate the non-required image build, and cap heavy jobs with timeout-minutes. Keeps the PR-per-change workflow intact. Shipped in sv0-platform#1301 (issue #1300); timeout follow-up pending.
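The four controls from that decision, shown together in one workflow as an added example (this is not sv0-platform's actual ci.yml): ref-scoped concurrency that cancels superseded runs on PRs only, a `platforms` expression that drops arm64/QEMU on pull requests, a path filter that skips the non-required UI image build when its inputs did not change, and `timeout-minutes` caps on the heavy jobs. Job names, image names, Dockerfile names and the `ui/**` path filter are assumptions; the registry login step is omitted.

```yaml
# Added example (not sv0-platform's own ci.yml): the four minute-cost controls.
# Job names, image names, Dockerfiles and path filters are assumptions.
name: CI

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

permissions:
  contents: read
  pull-requests: read   # paths-filter lists changed files via the API on PRs
  packages: write       # pushes on main/tags (docker/login-action step omitted)

# One in-flight run per ref. On PRs a newer push cancels the older run, so a
# hung build cannot keep burning minutes after it is superseded; on main and
# tags every run is allowed to finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  changes:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    outputs:
      ui: ${{ steps.filter.outputs.ui }}
    steps:
      - uses: actions/checkout@v4
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            ui:
              - 'ui/**'
              - 'ui.Dockerfile'

  api-image:                      # the required image build: always runs
    runs-on: ubuntu-latest
    timeout-minutes: 45           # default is 360, so a hung QEMU build otherwise burns 6h
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3
        if: github.event_name != 'pull_request'   # QEMU only when arm64 is built
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
        with:
          context: .
          file: api.Dockerfile
          # amd64 only on PRs; multi-arch on main pushes and release tags
          platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/securityv0/sv0-api:${{ github.sha }}

  ui-image:                       # not a required check: path-gated on PRs
    needs: changes
    if: github.event_name != 'pull_request' || needs.changes.outputs.ui == 'true'
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
        with:
          context: .
          file: ui.Dockerfile
          platforms: linux/amd64   # assumed: the UI image is amd64-only everywhere
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/securityv0/sv0-ui:${{ github.sha }}
```

Two checks worth making after adopting this shape. The path gate uses a job-level `if:` rather than an `on.pull_request.paths` filter on purpose: a workflow that does not trigger at all never reports its status, which would leave any required check from that workflow pending forever, whereas a job skipped by `if:` still reports. And because PR images are amd64-only, an arm64-specific build break now surfaces on the main push after merge rather than on the PR, so the main build needs an alert path (the Slack alerting plan elsewhere on this page) rather than relying on PR authors to notice.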
Unified strategy for moving SecurityV0 from manual scans to autonomous operations with built-in cross-validation, observability, and an Azure VM hosting lane — ahead of the MediaPro pilot.
AWS Organization structure, account inventory, and Terraform conventions for SecurityV0
Deferred design for ephemeral Azure PR-preview VMs with a cap-of-3 hard-fail policy, deployment-stacks lifecycle, drift sweeper, and composite RBAC. NOT active infrastructure — the implementation work was cut from ADR-024 (2026-05-14) on the grounds that (a) Hetzner already runs PR previews and (b) no concrete trigger demands the move. This document preserves the design so it can be lifted into an active ADR when a trigger materialises (Hetzner OOM pattern, partner with concurrent-review load, regulatory data-residency requirement, etc.). Lives in docs/infrastructure/ alongside operational infra docs but is distinguishable by the `-design` filename suffix and `status: deferred` frontmatter.
Implementation plan for ADR-022: current Hetzner inventory, target Azure topology, five-phase migration sequencing, secrets delivery via Key Vault + Managed Identity, and the executable break-glass procedure for the case where TFC is unreachable.
GitHub Actions workflows across the SecurityV0 workspace. All repos live under the securityv0 GitHub organization.
How to add a Service Auth policy to a Cloudflare Access application so bots can access protected sites programmatically
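The bot side of that setup, as an added example that is not part of the doc itself: a GitHub Actions job that reaches a Cloudflare Access-protected non-prod site by presenting an Access Service Token in the two request headers Cloudflare checks, and that distinguishes a policy failure from an application failure. The workflow name, secret names and the `staging.securityv0.com/healthz` URL are assumptions; the `CF-Access-Client-Id` and `CF-Access-Client-Secret` header names are Cloudflare's.

```yaml
# Added example (not the page's own doc): reach an Access-protected staging site
# from CI with a Service Token. Job, secret names and URL are assumptions.
name: smoke-staging

on:
  workflow_dispatch:

jobs:
  smoke:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Probe through Cloudflare Access
        env:
          # Service Token created under Zero Trust > Access > Service Auth and
          # referenced by a Service Auth policy on the staging Access application.
          CF_ACCESS_CLIENT_ID: ${{ secrets.CF_ACCESS_CLIENT_ID }}
          CF_ACCESS_CLIENT_SECRET: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
          TARGET: https://staging.securityv0.com/healthz   # assumed endpoint
        run: |
          set -euo pipefail
          # Access validates the two headers at the edge before the request
          # reaches the origin. A missing or expired token is not a 401: Access
          # answers with a redirect to its login page, so do not follow
          # redirects, and treat anything other than 200 as a failure to
          # investigate on the Access side before blaming the app.
          code=$(curl -sS -o /tmp/body -w '%{http_code}' \
            -H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
            -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}" \
            "$TARGET")
          if [ "$code" != "200" ]; then
            echo "Access or app failure: HTTP $code" >&2
            head -c 300 /tmp/body >&2
            exit 1
          fi
```

Two caveats a practitioner should keep in mind. The Service Token is a bearer credential for every application whose Service Auth policy includes it, so create one token per bot and include only that token in the policy for the sites that bot needs, rather than reusing one token across all non-prod apps. And Service Tokens expire on the duration chosen at creation; the failure mode is the redirect handled above, so the probe should alert rather than silently pass on a redirected body.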
How connectors actually run inside the SecurityV0 platform — VM topology, credential delivery chain (1Password → Key Vault → Managed Identity → VM env → broker → subprocess), scheduler/driver path, tenant isolation invariants, and failure topology. Complements 05-connectors.md (interface contract) with the runtime/infra view.
One-page operations index — every SecurityV0 environment and the links to its dashboards, logs, uptime monitors, and infra consoles.
Canonical inventory of every GitHub Environment / repo secret used by sv0 deploys, CI, and tooling. One row per secret: name, repo, scope, exact workflow files that consume it, purpose, status. Includes a VM ↔ secret mapping for migration planning.
Step-by-step plan to create a Hetzner Cloud instance and deploy sv0-platform (API + UI + MongoDB) from local machine
Phased rollout of Infrastructure-as-Code per ADR-019. Four phases, each 1-3 days. Phase 1 is urgent (Cloudflare baseline with health-probe Bypass app); Phases 2-4 queue behind pilot-readiness work.
Infrastructure automation for SecurityV0 — dev environment provisioning, cloud identity setup, and source system configuration
Operational resiliency plan — error capture, Grafana Cloud log aggregation, external probing, Slack alerting. Middle ground: shared visibility without overengineering.
Registry of recurring automations and scheduled routines across SecurityV0 — what runs unattended, when, where, who owns it, and how to pause it
Implementation plan for hardening the multi-perspective review process with visual UI capture, structured orchestration, and recurring acceptance measurement.
SecurityV0 infrastructure strategy: AWS credits, connector automation, AWS Organization account structure, budget protection, demo lab environments, and phased migration plan from Hetzner.
Plan for isolated self-hosted GitHub Actions runner on Mac mini to eliminate Actions minutes billing limit
How the SecurityV0 team coordinates work across research, implementation, and infrastructure
Manual one-time config to brand the WorkOS AuthKit hosted-login page with the SecurityV0 [S] mark — field-by-field panel values, logo asset, and verification, repeated per WorkOS environment (Staging + Production).
Operational truth for the prod WorkOS environment — orgs, DNS, Google OAuth client, auth methods, cookie config, and cutover gotchas. Single source to check before touching any auth-adjacent record.