Chat Services

Canonical current state of Phenom chat (chat.thephenom.app): Matrix/Synapse over a Cloudflare-proxied, mTLS-locked AWS ALB, with Cognito auth enforced at the origin. Single source of truth, validated live 2026-05-27.

The detailed reference sub-pages (architecture, deployment, API, admin) are being reconciled to this page; where they disagree, this page wins. Superseded decisions live in Chat: Decisions & History.

Current state (2026-05-27)

chat.thephenom.app is a Matrix/Synapse chat service. The earlier dual-implementation A/B design is gone: Implementation B (Hasura Lite chat) is excised and chat is Matrix/Synapse only. Path: Cloudflare proxy (orange-cloud) to an mTLS-locked AWS ALB (phenom-prod-alb) fronting Synapse 1.105 + Hasura on ECS Fargate (phenom-prod-cluster). The dev-nest and nest web SPAs share this production data layer.

Architecture

```mermaid
flowchart LR
  subgraph Clients
    MOB["PhenomApp (mobile)<br/>Matrix JWT login"]
    SPA["nest / dev-nest SPA<br/>Cognito bearer"]
  end
  MOB --> CF
  SPA --> CF
  CF["Cloudflare edge (orange-cloud)<br/>SSL Full, WAF (COUNT), rate-limit"] -->|"AOP client cert (clientAuth EKU)"| ALB
  ALB[("phenom-prod-alb :443<br/>mTLS mutual_authentication=verify")] -->|"mTLS verified"| ORI["ECS Fargate (phenom-prod-cluster)<br/>Synapse 1.105 (Matrix) + Hasura<br/>origin enforces Cognito"]
  RAW(["raw ALB direct / :80"]) -.->|"rejected / 301"| ALB
```

Edge and transport security

Origin is locked; the raw-ALB bypass is closed.

  • SSL = Full (per-hostname rule): Cloudflare to origin is encrypted.
  • Origin mTLS lock: ALB :443 mutual_authentication=verify, trust store b7481113, AOP (Authenticated Origin Pulls) leaf cert with the clientAuth EKU. A direct request to the raw origin (no client cert) is rejected; :80 returns a 301 redirect, so the plaintext bypass is closed.
  • Rate limiting: Cloudflare rule on login + register, 15 requests / 10s per IP.
  • WAF phenom-prod-chat-protect attached in COUNT mode (matches are logged, not blocked; defense-in-depth).
  • The edge-auth Worker was dropped: chat is a plain Cloudflare proxy and the origin enforces Cognito.
  • Public root closed (2026-05-28): chat.thephenom.app root and any non-client path now 302-redirect to https://try.thephenom.app (random visitors are sent to the app download). The Synapse-Admin login UI is no longer publicly served (/_synapse/admin returns 404). Client paths (/_matrix, /_synapse client routes, /v1, /mcp) are unaffected. Verified live 2026-05-28.

Full security state, runbook, and incident history: Chat: Decisions & History.

Authentication

  • Cognito prod pool us-east-1_knEL7cqS3, client 5vlgjrab90897c45ls9jkf9s2p.
  • Login flows: org.matrix.login.jwt (Cognito ID token) and m.login.sso. After login the client uses its Matrix access token.
  • Data plane: Hasura /v1/graphql is gated on a Cognito bearer. Unauthenticated requests get no_queries_available (zero data).
  • Access model: only valid prod-Cognito clients (NEST web + Phenom mobile) can authenticate. Registration is disabled. Random or unauthenticated visitors are redirected (root to try.thephenom.app) or receive 401.
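A posture check for the claims in the Edge and Authentication sections above (an added example, not code from phenom-infra): collect() issues the three public requests and evaluate() scores them, so drift (the root no longer redirecting, the admin UI reappearing, Hasura answering anonymous queries) shows up as a FAIL. The host, redirect target, paths and no_queries_available are from this page; the introspection query body and the check names are assumptions.

```python
import urllib.error
import urllib.request

HOST = "chat.thephenom.app"
DOWNLOAD_URL = "https://try.thephenom.app"  # root redirect target stated on the page
# Query-root introspection: a role with no permissions sees only no_queries_available
INTROSPECT = b'{"query":"{ __schema { queryType { fields { name } } } }"}'

class _KeepRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow 3xx: the redirect itself is under test

def fetch(url, data=None, headers=None):
    """One request, redirects not followed. Returns (status, lowercase headers, body)."""
    opener = urllib.request.build_opener(_KeepRedirect)
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with opener.open(req, timeout=10) as resp:
            hdrs, body, status = resp.headers, resp.read(), resp.status
    except urllib.error.HTTPError as err:  # unfollowed 3xx, 4xx and 5xx land here
        hdrs, body, status = err.headers, err.read(), err.code
    return status, {k.lower(): v for k, v in hdrs.items()}, body.decode(errors="replace")

def collect(host=HOST):
    """Gather the observations that evaluate() scores (needs network)."""
    base = f"https://{host}"
    return {
        "root": fetch(base + "/"),
        "admin_ui": fetch(base + "/_synapse/admin"),
        "graphql_unauth": fetch(base + "/v1/graphql", data=INTROSPECT,
                                headers={"Content-Type": "application/json"}),
    }

def evaluate(obs):
    """Score each claim True/False; any False means the edge has drifted."""
    root_status, root_headers, _ = obs["root"]
    admin_status, _, _ = obs["admin_ui"]
    _, _, gql_body = obs["graphql_unauth"]
    return {
        "root_302_to_download": root_status == 302
        and root_headers.get("location", "").startswith(DOWNLOAD_URL),
        "admin_ui_404": admin_status == 404,
        "graphql_unauth_zero_data": "no_queries_available" in gql_body,
    }

if __name__ == "__main__":
    for name, ok in evaluate(collect()).items():
        print(("PASS " if ok else "FAIL ") + name)
```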

Rooms

Chat uses four rooms. The legacy aliases do not match the room names (alias drift); use the room IDs as the stable identifier.

| Room name | Room ID | Legacy alias (does NOT match name) | Notes |
| --- | --- | --- | --- |
| The Red Room | !jFXGFANpXTXXgNkdNi | #the-red-room | Mobile default. Rendered as plain “chat”, no title. New/mobile users auto-join. |
| Staff | !WXBotwMKlVifIuEeBL | #internal (legacy) | Team/admins |
| Analysts | !NvNAXrFhqFBZXUtEkU | #partners (legacy) | Analysts |
| Experiencers | !dhlPzWDEjiJBhrqORG | #community (legacy) | Community |

The aliases #internal, #partners, #community are legacy and do not correspond to the Staff / Analysts / Experiencers room names. Do not infer a room from its alias.

Roles and membership

  • Staff (room admins, power level 100, can add users): Aaron Silverman, Irena Logan, logan@ (Logan), matt@ (M), Jonathan.
  • Analyst: Mark Waldman (mark@), in the Analysts room.
  • New / mobile users: auto-join The Red Room.

Provisioning

The Cognito PostConfirmation trigger invokes the chat-user-provisioner lambda, which creates the Matrix user and auto-joins it to The Red Room, reaching Synapse via Cloud Map at synapse.phenom-prod.local:8008. Admin actions use the bot @phenom-provisioner-bot (token in Secrets Manager key phenom-prod-synapse-admin-token). Working as of 2026-05-27.
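A minimal version of the provisioning handler described above (an added example, not the chat-user-provisioner lambda in phenom-infra). The Cloud Map address, bot, secret name and Red Room ID are from this page; SERVER_NAME, the sub-to-localpart mapping and reading the admin token from an environment variable are assumptions. plan() is kept pure so the calls it would make can be checked without Synapse.

```python
import json
import os
import urllib.parse
import urllib.request

SYNAPSE = "http://synapse.phenom-prod.local:8008"  # Cloud Map address from the page
SERVER_NAME = "example.invalid"                    # placeholder: server_name is not on the page
RED_ROOM = "!jFXGFANpXTXXgNkdNi"                   # room ID, never the drifted alias
# The real lambda reads Secrets Manager key phenom-prod-synapse-admin-token (bot
# @phenom-provisioner-bot); here the token comes from the environment (assumption).
ADMIN_TOKEN = os.environ.get("SYNAPSE_ADMIN_TOKEN", "")


def matrix_user_id(sub):
    """Assumed mapping: the Cognito sub (a UUID, valid localpart characters) is the localpart."""
    return f"@{sub.lower()}:{SERVER_NAME}"


def plan(event):
    """Pure: the admin calls to make for one PostConfirmation event, in order."""
    # Cognito also fires PostConfirmation for password resets; only sign-ups get a Matrix user.
    if event.get("triggerSource") != "PostConfirmation_ConfirmSignUp":
        return []
    attrs = event["request"]["userAttributes"]
    user_id = matrix_user_id(attrs["sub"])
    return [
        # PUT is create-or-update, so a retried invocation is harmless; never grant admin.
        ("PUT", "/_synapse/admin/v2/users/" + urllib.parse.quote(user_id, safe=""),
         {"displayname": attrs.get("name", attrs.get("email", "")), "admin": False}),
        # Admin join API: the bot must itself be a member of The Red Room with invite rights.
        ("POST", "/_synapse/admin/v1/join/" + urllib.parse.quote(RED_ROOM, safe=""),
         {"user_id": user_id}),
    ]


def call(method, path, body):
    req = urllib.request.Request(
        SYNAPSE + path, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {ADMIN_TOKEN}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def handler(event, context):
    """Lambda entry point. Cognito requires the event back unchanged on success."""
    for method, path, body in plan(event):
        call(method, path, body)
    return event
```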

Mobile

PhenomApp build 20 (Q): a single Red Room, no title, membership-driven, JWT login.

Pending (not yet done)

These are gated and must not be treated as live:

  • WAF HasuraAdminPaths COUNT to BLOCK (CI-gated)
  • CI reroute (off the public admin path)
  • CF-Access-gated admin path: the Synapse-Admin UI is internal-only after the 2026-05-28 public-exposure closure; a gated admin path is the follow-up
  • Synapse Phase 3 hardening: rotate registration_shared_secret, native rate limits, URL-preview SSRF (registration itself is already disabled)
  • Terraform codification of the mTLS / AOP / trust store / WAF / IAM
  • Cleanup (retire unused worker cert + grey records) and branch merges

Repository

Phenom-earth/phenom-infra. Chat modules under modules/chat-*.

Reference and history

Mobile App Integration

Wiring Phenom Chat into the PhenomApp React Native app: Matrix/Synapse only, Cognito JWT login, and the membership-driven multi-room model (single Red Room to room switcher) that needs no app update.

Chat Architecture

Deep dive into the Phenom Chat system architecture, including component design, database schema, sequence diagrams, and security model.

Chat API Reference

Complete API documentation for the Phenom Chat system, covering Hasura Lite GraphQL, MCP tools, and Matrix/Synapse endpoints.

Admin & Operations

Day-to-day administration, moderation, monitoring, troubleshooting, and emergency procedures for the Phenom Chat system.

Deployment Guide

Terraform deployment procedures, Docker image builds, DNS configuration, and post-deployment setup for the Phenom Chat system.