Infrastructure
Hosting
Spectral’s runtime sits on three substrate layers: compute, edge, and data. Compute and data are region-co-located for sub-millisecond hot-path latency. Decision lineage in ADR-046; operational detail in docs/runbooks/hosting.md.
Substrate layers
- Compute. Four runtime services + cron jobs in a single workspace, region-co-located with the database for sub-millisecond hot-path latency.
- Edge. Zone management, TLS termination, static-site hosting, and blue/green CNAME-flip routing. The API hostname is DNS-only (not proxied) because SSE and large-upload patterns are incompatible with the proxied-edge constraints.
- Data. Postgres, auth (PKCE + JWKS), vector search, managed backups + point-in-time recovery posture (per ADR-040).
Subdomain layout
| Hostname | Audience | Edge posture |
|---|---|---|
| app.runspectral.com | Customer dashboard | Proxied edge |
| ops.runspectral.com | Staff Operations app | Proxied edge |
| api.runspectral.com | Programmatic | DNS-only (SSE / upload incompatibility) |
| docs.runspectral.com | Public docs | Proxied edge |
| codex.runspectral.com | Staff Codex (JWKS-gated) | Proxied edge + Pages Function |
Cookie scope: Domain=runspectral.com (the eTLD+1), so one session cookie is shared across all of the subdomains above.
Env-var classification
Two classes of runtime configuration, placed differently:
- Rotating key material — Supabase keys, provider API tokens, OAuth secrets — lives in shared environment groups (one per environment), read at startup.
- Code-coupled values — SPECTRAL_GENERATION, handler concurrency limits, drain parameters — live as per-service env vars set at deploy time, never in the shared groups. Their correctness depends on the running image, so the values must move with the image.
Backup isolation
Nightly database dumps are encrypted at rest and uploaded to a backup bucket distinct from any application-data bucket. Per ADR-040 D7, the backup bucket carries:
- Object versioning — overwrites don’t destroy prior backups.
- Retention lock — bucket-level policy prevents premature deletion, including by a compromised runtime credential.
- Distinct service account — the backup-write credential is isolated from any application runtime credential. Credential isolation is the structural guarantee that a compromised runtime cannot exfiltrate or destroy the backup tree.
Restoration drills exercise the read path with a separate drill-only credential.
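The D7 posture above can be checked mechanically. The following is an added, provider-agnostic example (not Spectral's own tooling): it models a bucket's configuration and reports any violation of versioning, retention lock, credential isolation, and the read-only drill path. Bucket and principal names are constructed.

```python
from dataclasses import dataclass

@dataclass
class BucketPosture:
    """Provider-agnostic description of one bucket (constructed model; the page
    does not name the storage provider, so no vendor API is assumed)."""
    name: str
    versioning: bool
    retention_lock_days: int           # 0 = no bucket-level retention lock
    writers: frozenset = frozenset()
    readers: frozenset = frozenset()

def check_backup_isolation(backup, app_buckets, runtime_principals, drill_principal):
    """Return the list of ADR-040 D7 posture violations; an empty list means compliant."""
    findings = []
    if not backup.versioning:
        findings.append("versioning disabled: an overwrite destroys the prior backup")
    if backup.retention_lock_days <= 0:
        findings.append("no retention lock: a delete-capable credential can purge the backup tree")
    if any(b.name == backup.name for b in app_buckets):
        findings.append("backup bucket doubles as an application-data bucket")
    # The structural guarantee: no runtime principal may read or write the backup tree.
    for p in sorted((backup.writers | backup.readers) & frozenset(runtime_principals)):
        findings.append(f"runtime credential {p!r} has access to the backup bucket")
    # Drills use a separate credential that exercises the read path only.
    if drill_principal in backup.writers:
        findings.append("drill credential can write; drills should only exercise the read path")
    if drill_principal not in backup.readers:
        findings.append("drill credential cannot read the backup bucket")
    return findings

# Constructed sample principals and buckets (hypothetical names).
RUNTIME = ["sa-api-runtime", "sa-worker-runtime"]
APP_DATA = [BucketPosture("app-uploads", True, 0, frozenset(RUNTIME), frozenset(RUNTIME))]

GOOD = BucketPosture("db-backups", versioning=True, retention_lock_days=30,
                     writers=frozenset({"sa-backup-writer"}),
                     readers=frozenset({"sa-backup-writer", "sa-restore-drill"}))

# The same bucket after a careless "simplification": runtime SA reused, lock removed.
BAD = BucketPosture("db-backups", versioning=True, retention_lock_days=0,
                    writers=frozenset({"sa-api-runtime"}),
                    readers=frozenset({"sa-api-runtime"}))

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_backup_isolation(cfg, APP_DATA, RUNTIME, "sa-restore-drill") or "compliant")
```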
Compute split triggers
Single shared compute substrate today. Documented split triggers:
- Workers’ memory consistently > 70% of allocated capacity → workers move to a dedicated tier first.
- Sustained noisy-neighbor effect on API latency → split immediately.
- Multi-region requirement → re-architect.
See also
- ADR-046 — hosting decision lineage
- ADR-049 — container strategy + image inventory
- Deployment topology — service inventory and generation stamping
- CD pipeline overview — deployment orchestration
- Frontend architecture — frontend topology + cookie scope
- Secrets management — environment-group placement
- docs/runbooks/hosting.md, docs/runbooks/edge.md — operational runbooks