Teams, Admin Roles and Infrastructure (current state)
Snapshot date: 2026-05-28. Items are grouped by deployment status: Live now, Landed (apply pending), and In progress. For the access gate (who can reach N.E.S.T. at all) see Nest-access gate; this page covers admin roles, teams, and the supporting infrastructure.
Live now
1. Prod chat images run from AWS ECR by digest
Prod chat images (Synapse + the MCP service) are stored in AWS ECR in us-east-1, and prod ECS pulls them from ECR by digest rather than by tag. The Sanmarcsoft Sovereign SOP (EU data residency, Scaleway, no US registries) does not apply to Phenom LLC: Phenom runs on AWS us-east-1, near where the site is served.
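As an added example (not the project's own tooling), the following check audits an ECS task definition for the two properties item 1 relies on: every container image comes from an ECR registry in us-east-1, and every image is pinned by a sha256 digest rather than a mutable tag. The account id, repository names and the sample task definition are constructed placeholders; the ECR host pattern and the `@sha256:` digest form are the standard ones.

```javascript
// Added example: audit image references in an ECS task definition.
// Assumed: us-east-1 is the only permitted ECR region (matches item 1 above).
const EXPECTED_REGION = "us-east-1";

// ECR registry host: <12-digit account>.dkr.ecr.<region>.amazonaws.com
const ECR_HOST = /^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$/;
// A digest-pinned reference ends in @sha256:<64 hex chars> (a tag may precede it).
const DIGEST = /@sha256:[0-9a-f]{64}$/;

// Returns a list of problems for one image reference; empty list means OK.
function checkImageRef(image) {
  const problems = [];
  const host = image.split("/")[0];
  const m = ECR_HOST.exec(host);
  if (!m) {
    problems.push(`registry "${host}" is not an ECR host`);
  } else if (m[2] !== EXPECTED_REGION) {
    problems.push(`ECR region ${m[2]} is not ${EXPECTED_REGION}`);
  }
  if (!DIGEST.test(image)) {
    problems.push("not pinned by sha256 digest (tag or floating reference)");
  }
  return problems;
}

// Returns { containerName: [problems] } for every non-compliant container.
// An empty object means every image in the task definition passes.
function auditTaskDefinition(taskDef) {
  const report = {};
  for (const c of taskDef.containerDefinitions || []) {
    const problems = checkImageRef(c.image || "");
    if (problems.length > 0) report[c.name] = problems;
  }
  return report;
}

// Constructed sample task definition (placeholder account id and digests).
const SAMPLE_TASK_DEF = {
  family: "example-chat",
  containerDefinitions: [
    { name: "synapse",
      image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/synapse@sha256:" + "a".repeat(64) },
    { name: "mcp",
      image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/mcp:latest" },
    { name: "sidecar",
      image: "docker.io/library/nginx@sha256:" + "b".repeat(64) },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditTaskDefinition(SAMPLE_TASK_DEF), null, 2));
}
```

Run against the constructed task definition, the digest-pinned ECR image passes, `mcp:latest` is flagged for the mutable tag, and the Docker Hub image is flagged for the non-ECR registry. A check like this belongs in the plan/apply pipeline of item 6 so a tag-based image reference never reaches prod.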
2. Admin roles via the nest-admin Cognito group
A Cognito group named nest-admin on the prod pool
(us-east-1_knEL7cqS3) grants the Hasura admin role through the
pre-token-generation Lambda. This is decoupled from chat_members.role
(the legacy chat-tier lookup) and is fail-closed: absence of the group means
no admin role.
Current admin roster (5 staff): Matt, Lenval, Irena, Jonathan, Aaron.
Mark Waldman is intentionally user-only (analyst, not admin). In chadmin, team
create and view work for admins.
This supersedes the older statement that the Hasura admin role derives from
chat_members.role: the admin role now comes from nest-admin Cognito-group
membership via the pre-token Lambda. (nest-access, the reach-N.E.S.T.-at-all
gate, remains separate.)
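To make the fail-closed rule in item 2 concrete, here is an added example of a Cognito pre-token-generation handler; it is not the project's Lambda. It derives the Hasura role solely from membership in the nest-admin group and never consults chat_members.role. The Cognito event fields (`request.groupConfiguration.groupsToOverride`, `request.userAttributes.sub`, `response.claimsOverrideDetails.claimsToAddOrOverride`) and the Hasura claim namespace `https://hasura.io/jwt/claims` are the real ones; the non-admin role name `user`, the allowed-roles list, and the choice to JSON-stringify the claims (Cognito only accepts string claim values, which Hasura reads with `claims_format: stringified_json`) are assumptions of this example.

```javascript
// Added example: Cognito pre-token-generation handler granting the Hasura
// admin role from nest-admin group membership, fail-closed.
const ADMIN_GROUP = "nest-admin";                  // group name from the page
const HASURA_CLAIMS = "https://hasura.io/jwt/claims"; // Hasura's claim namespace
const DEFAULT_ROLE = "user";                       // assumed non-admin role

// Fail-closed: only an array that contains the exact group name yields admin.
// Missing, malformed, or case-variant input all fall through to DEFAULT_ROLE.
function hasuraRoleFor(groups) {
  const isAdmin = Array.isArray(groups) && groups.includes(ADMIN_GROUP);
  return isAdmin ? "admin" : DEFAULT_ROLE;
}

// Build the Hasura claim set for one user.
function buildHasuraClaims(sub, groups) {
  const role = hasuraRoleFor(groups);
  return {
    "x-hasura-default-role": role,
    "x-hasura-allowed-roles": role === "admin" ? ["admin", DEFAULT_ROLE] : [DEFAULT_ROLE],
    "x-hasura-user-id": sub,
  };
}

// Synchronous core: reads groups and sub from the Cognito event and writes the
// stringified claims into the override block. Refuses to issue claims without
// a subject rather than issuing an anonymous token.
function applyClaimsOverride(event) {
  const groups = event && event.request && event.request.groupConfiguration
    ? event.request.groupConfiguration.groupsToOverride : undefined;
  const sub = event && event.request && event.request.userAttributes
    ? event.request.userAttributes.sub : undefined;
  if (!sub) throw new Error("pre-token: missing sub, refusing to issue claims");
  event.response = event.response || {};
  event.response.claimsOverrideDetails = {
    claimsToAddOrOverride: {
      [HASURA_CLAIMS]: JSON.stringify(buildHasuraClaims(sub, groups)),
    },
  };
  return event;
}

// Lambda entry point (async handler returning the mutated event).
async function handler(event) {
  return applyClaimsOverride(event);
}
```

Note that membership in other groups, such as the separate nest-access gate, does not influence the role: a user who can reach N.E.S.T. but is not in nest-admin gets `user`, which is exactly the decoupling item 2 describes.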
3. Teams schema live in prod Hasura
Live tables in prod Hasura: teams, team_members (role in
{member, lead}), user_presence, push_subscriptions.
Migration doctrine (important): prod Hasura migrations run internally,
behind the edge, via an in-VPC Fargate runner
(phenom-prod-hasura-migrate to graphql.phenom-prod.local:8080). They are
not applied through public GitHub Actions.
4. dev-nest authenticates against prod
dev-nest.thephenom.app authenticates against the prod Cognito pool
(us-east-1_knEL7cqS3) and prod Hasura (chat.thephenom.app). The default
nest-api Worker serves both nest and dev-nest with per-Host prod
overrides; nest-api-prod serves nest-prod.
5. Web push (Phase B)
VAPID keys and HASURA_ADMIN_SECRET are set on the nest-api Worker; a
per-minute presence-detector cron is live. The public VAPID key is wired into
the SPA as VITE_VAPID_PUBLIC_KEY.
6. CI: prod-infra-ci Tier 2 plan validates prod for real
The prod-infra-ci Tier 2 plan now genuinely validates prod (it was
previously silently failing-as-pass). Apply remains a manual
workflow_dispatch gated on a CONFIRM input.
7. Cloudflare edge protections restored
Full CF bot protections are restored; the temporary #327 CI-bypass rule was dropped (prod Hasura migrations now run internally, so the public-CI bypass is no longer needed).
Landed (apply pending)
Coordinated with the phenom-backend owner.
8. Avatars move to durable S3
Avatars move from ephemeral Synapse media to durable S3
(phenom-prod-media-storage, private / proxy-only). Per-user keys
avatars/users/{cognito-sub}, team keys avatars/teams/{team_id}, stored as a
bare key plus Content-Type. firebase-media remains for legacy event media
only.
9. Editable @username
The sync Lambda makes users.username insert-only; uniqueness is enforced
by a DB constraint.
In progress (phenom-backend)
Profile gains separate first_name and last_name fields plus a
username field (requires first_name / last_name columns);
teams.avatar_url and chat_color are being added.