Infrastructure
Cora runs on AWS ECS (Fargate) and is deployed via SST (Serverless Stack Toolkit). The CI/CD pipeline uses GitHub Actions.
Deployment Architecture
CI/CD Pipeline (GitHub Actions)
Two workflows exist in .github/workflows/:
ci.yml — Pull Request Checks
Runs on every PR and push to main:
- pnpm lint:ws — workspace health (sherif)
- pnpm format — Biome formatting check
- pnpm typecheck — TypeScript across all packages
Concurrency: in-progress PR checks are cancelled when a new commit is pushed.
sst-deploy.yml — Production Deploy
Runs on push to main or manual workflow_dispatch:
- Checkout + setup pnpm/Node
- Configure AWS credentials via OIDC (no stored access keys)
- Install SST providers
- pnpm sst deploy --stage <stage>
The deploy reuses existing VPC and ECS cluster resources (SST_USE_EXISTING_INFRA=true) — SST only updates task definitions and container images.
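Because the deploy role is assumed through OIDC rather than stored keys, the role's IAM trust policy is what decides which workflows can deploy. The following is an added example, not part of Cora's repository: a small audit that checks a trust policy pins the `aud` and `sub` claims to the deploy branch. The repository name `example-org/cora`, the account ID and both sample policies are constructed placeholders.

```python
# Added example: audit an IAM role trust policy used for GitHub Actions OIDC.
GITHUB_OIDC = "token.actions.githubusercontent.com"

def _claim_values(cond, claim):
    """Return (operator, value) pairs that constrain one OIDC claim."""
    key, out = f"{GITHUB_OIDC}:{claim}", []
    for op in ("StringEquals", "StringLike"):
        for k, v in cond.get(op, {}).items():
            if k.lower() == key:  # IAM condition keys are case-insensitive
                out += [(op, x) for x in ([v] if isinstance(v, str) else v)]
    return out

def audit_trust_policy(policy, repo, branch="main"):
    """List weaknesses in every statement that trusts the GitHub OIDC provider."""
    expected = f"repo:{repo}:ref:refs/heads/{branch}"
    findings = []
    stmts = policy.get("Statement", [])
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        principal = stmt.get("Principal")
        fed = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC not in str(fed):
            continue
        cond = stmt.get("Condition", {})
        if [v for _, v in _claim_values(cond, "aud")] != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        subs = _claim_values(cond, "sub")
        if not subs:
            findings.append("no sub condition: any GitHub repository can assume the role")
        for op, value in subs:
            if op == "StringLike" and any(c in value for c in "*?"):
                findings.append(f"wildcard sub {value!r} admits more than {expected}")
            elif value != expected:
                findings.append(f"sub {value!r} is not the deploy ref {expected}")
    return findings

def _policy(condition):
    """Build a constructed sample trust policy (placeholder account ID)."""
    arn = f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Federated": arn},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": condition}]}

AUD = {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}
LOOSE = _policy({"StringEquals": AUD,
                 "StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"}})
TIGHT = _policy({"StringEquals": {**AUD,
                 f"{GITHUB_OIDC}:sub": "repo:example-org/cora:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, pol in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, audit_trust_policy(pol, "example-org/cora") or "ok")
```

A policy that passes this check only admits tokens issued for the main branch, so a manual workflow_dispatch run from another branch would be refused by AWS.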
Required Repository Variables
AWS_REGION=us-east-1
SST_EXISTING_VPC_ID
SST_EXISTING_CLUSTER_ID
SST_EXISTING_APP_SERVICE_NAME
SST_EXISTING_WORKER_SERVICE_NAME
Docker Build
Multi-stage Dockerfile at /docker/Dockerfile:
| Stage | Purpose |
|---|---|
| base | Node 20-alpine + pnpm |
| builder | Turbo prune — trims monorepo to only the target service |
| installer | Install deps + pnpm build |
| runner | Minimal production image, non-root user |
Build args per service:
| Variable | app | worker | cloudwatch |
|---|---|---|---|
| SERVICE_NAME | @ce-sdr/app | @ce-sdr/worker | @ce-sdr/cloudwatch |
| SERVICE_PATH | app | worker | cloudwatch |
| SERVICE_PORT | 3000 | 3007 | 3003 |
Environment & Secrets
All environment variables are stored in AWS Secrets Manager and injected at ECS task startup via SST. Variable groups:
| Prefix | Purpose |
|---|---|
| GATEWAY.* | API Gateway config (auth secret, DB URL, CORS, API keys) |
| LIB.* | External service credentials (Gmail, Twilio, Chargebee, OpenAI, Redis, S3, Kafka) |
| AUTH.* | Service-to-service URLs (worker, cloudwatch) |
| CLOUDWATCH.* | AWS credentials for CloudWatch Logs |
| GOOGLE_OAUTH.* | Google OAuth client credentials |
Health Checks
| Service | Endpoint | Port |
|---|---|---|
| app | GET /health | 3000 |
| worker | GET /health | 3007 |
| cloudwatch | GET /health | 3003 |
ECS performs health checks every 30 seconds. Unhealthy tasks are replaced automatically.
Observability
- AWS CloudWatch Logs — All structured logs from app and worker flow through cloudwatch:3003 and are written to CloudWatch Logs with log groups per service.
- Bull Board — Queue monitoring UI accessible at /bull on the app service (password protected).
- Metrics types — HTTP requests, auth events, security events, database operations, business events (campaign sends, lead enrichments).