Blast Radius
Instances Affected: 3
Hosts at Risk: 2
Affected Infrastructure
infra-warden-control-01 (159.203.84.204)
infra-edge-proxy-01 (165.227.223.182)
Cluster Info
Name: Infrastructure Services
Slug: infrastructure
Type: platform
Tier: P1
Description: Edge proxies, fleet dashboard, control plane services
Member Instances (3)
production
| Instance | System | Domain | Env | Role | Primary | Host |
|---|---|---|---|---|---|---|
| INST-007 (Fleet Dashboard - Warden) | Fleet Dashboard | fleet.threadsync.io | production | fleet-dashboard | ● | infra-warden-control-01 |
| INST-018 (Edge Proxy Production) | Edge Proxy | edge.threadsync.io | production | edge-proxy | ○ | infra-edge-proxy-01 |
| INST-012 (Excavate API (Warden)) | Excavate | excavate.threadsync.io | production | edgeproxy | ○ | infra-warden-control-01 |
Cluster Rules (14)

coding
- Request Correlation IDs: Every request must get a unique request_id logged with all related log entries
- Strict npm ci in Dockerfile: Dockerfile must use npm ci --only=production without fallback to npm install
- API Version in All Responses: All JSON API responses should include api_version field

deployment
- Backup Before Major Changes: Create a timestamped backup to /opt/backups/ before any significant changes
- Local Edit then Deploy Workflow: Edit files in /home/runner/workspace/ first, then deploy via scp to Warden
- Rebuild Container After Code Changes: After deploying new server.js or Dockerfile, always run: docker compose down && docker compose up -d --build

forbidden
- Never Expose Database Credentials: DATABASE_URL and other credentials must never appear in logs, error messages, or API responses
- Never Run as Root in Container: Container must always run as non-root user (appuser:1001)

operational
- Read-Only Database Role: Dashboard uses fleet_dashboard_ro role - only SELECT plus limited INSERT on operations_log and instance_context
- Log Operations After Significant Work: After completing significant work, POST to /api/operations to create audit trail

security
- Environment File Protection: .env file must NEVER be copied to local workspace or included in backups/tarballs
- Input Validation with Allow-lists: All filter parameters (env, tier, conformance_status, lifecycle_status) must be validated against allow-lists
- No Internal Errors in Responses: Health endpoint and error responses must NOT expose internal error messages or stack traces
- XSS Protection Required: All user-facing data must be escaped with escapeHtml() before rendering in HTML templates