Infrastructure And Dependency Management Policy

Purpose & Scope

This policy covers the runtime environments, dependency lockfiles, build pipeline, configuration management and infrastructure-as-code that underpin Ekosistem App.

Architecture Snapshot

Ekosistem App runs on the following components:

• API: Hono on Node.js 20, deployed to Railway; Socket.io shares the same HTTP server.
• Web: Next.js 14 App Router on Vercel with locale-aware routing via next-intl.
• Persistence: Supabase-managed PostgreSQL accessed via Drizzle ORM; Redis (Upstash) for ephemeral state.
• Object storage: Cloudflare R2 (private bucket) accessed via signed URLs.
• Email: AWS SES for transactional and marketing email with per-brand From: addresses.
• Real-time media: LiveKit for video and voice rooms.

Build & Deployment

Builds and deployments follow these rules:

• pnpm with a committed lockfile pins every direct and transitive dependency.
• Production deploys are triggered by main-branch pushes; preview environments are not exposed publicly.
• TypeScript compilation must pass with strict and noUncheckedIndexedAccess before release.
• Environment variables are validated at boot via a Zod schema; missing or malformed values fail fast.
• Secrets are stored only in provider-native secret stores; never in source control.

Dependency Lifecycle

Open-source dependencies are managed across their lifecycle:

• New dependencies require a justification — preference for well-maintained, widely-used packages with clear licensing.
• pnpm audit is reviewed weekly and after every notable upstream advisory.
• Major version upgrades pass through a feature branch with explicit verification.
• Unused or replaced dependencies are removed promptly to reduce attack surface.
• Build-time and runtime dependencies are separated to keep production minimal.

Review & Contact

Infrastructure and dependency posture is reviewed quarterly. To raise an infrastructure or dependency concern, email developer@plademy.com.