Impulse AI Docs
Internal documentation

Infrastructure Audit — March/April 2026

First comprehensive infrastructure audit covering all services, deployments, monitoring, and security.

Period: 2026-03-29 to 2026-04-01

11 areas verified across the entire stack:

| # | Area | Components |
|---|------|------------|
| 1 | Supabase | STG + PRD projects, RLS, auth, migrations |
| 2 | Railway | API deploys, health checks, env vars, logging |
| 3 | Sentry | API + iOS error monitoring, console integration |
| 4 | TelemetryDeck | iOS analytics, 18 signals, SDK verification |
| 5 | Console | Auth (4 layers), monitoring dashboard, admin API |
| 6 | Docs | Starlight deploy, password gate, custom domain |
| 7 | Vercel | 3 apps (console, landing, docs), SSL, security headers |
| 8 | iOS | Fastlane, TestFlight, Match signing, Apple secret rotation |
| 9 | GitHub | Branch protection, secrets, 6 CI/CD workflows |
| 10 | Logging | Pino structured logging, log levels per environment |
| 11 | Hardening | Security improvements, design fixes, cleanup |

All 11 areas verified and passing.

Supabase

  • 20 tables with RLS enabled, 52 policies
  • Admin users created for console (STG + PRD)
  • Apple OAuth active, secret expires 2026-09-20 (172 days)
  • Email provider enabled for console auth
  • All 17 migrations applied to both environments

Railway

  • Health checks responding (STG + PRD)
  • API key enforcement active (403 without X-API-Key)
  • NODE_ENV=production confirmed
  • HEALTH_SECRET matches railway.toml path
  • Restart policy: on_failure, max 3 retries
  • Structured JSON logging (pino-pretty only in dev)
  • LOG_LEVEL: STG=info, PRD=warn

Sentry

  • API: @sentry/node v10.45, PII scrubbing, 100% error capture
  • iOS: sentry-cocoa v8+, crash + ANR detection, non-DEBUG only
  • Console: personal token with project:read + event:read scopes
  • dSYM upload: Xcode build phase + SENTRY_AUTH_TOKEN in Doppler
  • 3 tokens correctly configured (ingest DSN, CLI upload, console API)

TelemetryDeck

  • SDK v2.11.0 initialized and sending signals
  • 18 signals all wired up (conversion, monetization, engagement, errors, navigation)
  • Test mode active in DEBUG builds, filtered in dashboard
  • Free tier: 100K signals/month
  • Unused API project identified for deletion

Console

  • 4-layer auth: Supabase email/pwd + is_console_admin + email allowlist + bearer token
  • Admin users: console-admin-stg@impulseai.app (STG), console-admin@impulseai.app (PRD)
  • Quick Links section (12 external service links)
  • Anthropic balance tracking (manual entry + burn rate chart)
  • Settings migrated from DB to Doppler env vars
  • Security headers: nosniff, DENY frame, noindex, XSS protection, HSTS
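
The layered console login described above, as an added example that is not the project's own code. It models the first three layers as a pure function over assumed inputs: the Supabase session user (null when email/password auth fails), a profile row carrying is_console_admin, and the raw CONSOLE_ALLOWED_EMAILS value as stored in Doppler (assumed comma-separated). The fourth layer, the bearer token on API calls, is enforced by the API rather than at login and is not modelled here. The point worth checking in such a gate is that an empty or missing allowlist denies rather than allows everyone.

```javascript
// Added example (not the project's code): console login gate, layers 1-3.
// Assumed shapes: sessionUser = { email } or null; profile = { is_console_admin };
// allowedEmailsRaw = the CONSOLE_ALLOWED_EMAILS string, comma-separated.

// Parse the allowlist once: trim, lowercase, drop empty entries. An unset or
// empty variable yields an empty set, so the check below fails closed.
function parseAllowedEmails(raw) {
  return new Set(
    String(raw || '')
      .split(',')
      .map((e) => e.trim().toLowerCase())
      .filter((e) => e.length > 0),
  );
}

// Returns { allowed: true } or { allowed: false, layer, reason }. Every layer
// must pass; the first failure wins. The layer number is for server-side
// logging; the login UI should show a single generic message regardless.
function evaluateConsoleLogin({ sessionUser, profile, allowedEmailsRaw }) {
  // Layer 1: Supabase email/password auth produced a session with an email.
  if (!sessionUser || typeof sessionUser.email !== 'string') {
    return { allowed: false, layer: 1, reason: 'no authenticated session' };
  }
  // Layer 2: the user's profile row has is_console_admin = true (strict check,
  // so a missing column or a truthy string does not pass).
  if (!profile || profile.is_console_admin !== true) {
    return { allowed: false, layer: 2, reason: 'not a console admin' };
  }
  // Layer 3: the email is on the allowlist, compared case-insensitively since
  // the identity provider may store a different casing than the env var.
  const allowed = parseAllowedEmails(allowedEmailsRaw);
  if (!allowed.has(sessionUser.email.trim().toLowerCase())) {
    return { allowed: false, layer: 3, reason: 'email not allowlisted' };
  }
  return { allowed: true };
}

// Constructed sample run: the STG admin from the audit, plus a second entry
// with stray whitespace and casing to exercise the parser.
const SAMPLE_ALLOWLIST = ' console-admin-stg@impulseai.app , Ops@Example.test ,,';
console.log(evaluateConsoleLogin({
  sessionUser: { email: 'Console-Admin-STG@impulseai.app' },
  profile: { is_console_admin: true },
  allowedEmailsRaw: SAMPLE_ALLOWLIST,
}));
```

Keeping the allowlist check after the is_console_admin check means a compromised admin flag in the database is still not enough on its own, which is the defense-in-depth the hardening table below refers to.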

Vercel Deployments

  • Console (console.impulseai.app): live, SSL valid (Let’s Encrypt)
  • Landing (impulseai.app): live, SSL valid (GoDaddy)
  • Docs (docs.impulseai.app): live, SSL valid, password gate active

iOS Deployments

  • Fastlane doctor: Xcode 26.3, Gradle OK
  • TestFlight deploys working via fastlane ios beta
  • Match certificates valid (private im-certificates repo)
  • Apple auth secret: 172 days remaining
  • Environment auto-detection: Simulator=DEV, USB=STG, TestFlight=STG, AppStore=PRD

GitHub

  • 2 branches: main + production (no stale branches)
  • CI Gate required on main, force push blocked
  • DOPPLER_TOKEN_STG + DOPPLER_TOKEN_PRD in repository secrets
  • 6 workflows: ci, deploy-production, db-deploy, ios-release, apple-secret-check, rotate-apple-secret
  • Apple secret check: runs weekly (Mondays), last run successful

Logging

  • Pino structured JSON in production
  • pino-pretty gated by !isDev (never in production)
  • No console.log in production code (only JSDoc comments + 1 sentry startup log)
  • iOS: AppLogger with WARN+ in release, INFO+ in debug

Changes Implemented


Security Hardening

| Change | Impact |
|--------|--------|
| Console email allowlist (CONSOLE_ALLOWED_EMAILS) | Defense-in-depth for admin login |
| /admin/* exempt from API key middleware | Console uses bearer token, not mobile API key |
| Settings endpoints removed | No writable config via API (moved to Doppler) |
| Login placeholder removed | No email hints in login UI |
| Sentry token upgraded | Personal token with correct scopes (was org token with org:ci only) |

Architecture Fixes

| Change | Impact |
|--------|--------|
| Cross-env health check removed | Each console checks its own API via localhost |
| CONSOLE_API_PRODUCTION_URL etc. deleted | No cross-environment dependencies in Doppler |
| maybeSingle() for empty tables | Prevents PostgREST 406 on empty anthropic_balance_entries |
| Server Action for balance entry | Avoids CORS issues (server-side fetch) |
| DELETE Content-Type fix | Empty body DELETE no longer rejected by Fastify |

New Features (Console)

| Feature | Description |
|---------|-------------|
| Quick Links | 12 external service links on Monitoring page |
| Anthropic Balance Log | Manual entry form + history table + burn rate chart (recharts) |
| Console auth docs | Full architecture documented in Starlight docs |

Doppler Configuration


New variables added:

| Variable | Config | Purpose |
|----------|--------|---------|
| CONSOLE_ALLOWED_EMAILS | stg, prd | Email allowlist for console login |
| CONSOLE_SENTRY_API_TOKEN | stg, prd | Personal token for Sentry issue reads |
| CONSOLE_SENTRY_ORG | stg, prd | digiteers-as |
| CONSOLE_SENTRY_PROJECT | stg, prd | im-api |
| SENTRY_AUTH_TOKEN | prd | dSYM upload for CI builds |

Variables removed:

| Variable | Reason |
|----------|--------|
| CONSOLE_API_PRODUCTION_URL | Cross-env dependency removed |
| CONSOLE_API_PRODUCTION_HEALTH_SECRET | Uses localhost + existing HEALTH_SECRET |
| CONSOLE_API_STAGING_URL | Cross-env dependency removed |
| CONSOLE_API_STAGING_HEALTH_SECRET | Cross-env dependency removed |

Client Authorization Matrix

| Client | Client Auth | User Auth | Scope |
|--------|-------------|-----------|-------|
| iOS/Android | X-API-Key header | Supabase JWT | Own data (RLS) |
| Console | Bearer CONSOLE_ADMIN_TOKEN | Supabase session cookie | All data (admin) |
| Webhooks | Platform signature | None | Write (events) |
| Health check | Secret URL path | None | Status only |

Sentry Token Inventory

| Token | Name | Type | Scopes | Used By |
|-------|------|------|--------|---------|
| SENTRY_DSN | N/A | Ingest URL | N/A | API error capture |
| SENTRY_AUTH_TOKEN | im-ios-dsym-upload | Org | org:ci | dSYM upload (Xcode + CI) |
| CONSOLE_SENTRY_API_TOKEN | im-console-monitoring | Personal | project:read, event:read | Console error dashboard |

Outstanding Items (Low Priority)

| Item | Type | Notes |
|------|------|-------|
| Sentry KMP migration | Spec ready | docs/specs/sentry-kmp-migration.md |
| Workflow failure notifications | Nice-to-have | GitHub notification settings |
| TelemetryDeck: onboarding.skipped + trial.expired | Wired up | Verification with real user flow pending |