docs(architecture): extend internal-only policy to shared infra

root 2026-03-31 06:52:59 +00:00
parent 4aba0a83cc
commit d4d8c48a4c
2 changed files with 11 additions and 0 deletions

View File

@ -49,6 +49,16 @@ dig +short admin.bytelyst.com # must return VM IP
dig +short tracker.bytelyst.com # must return VM IP
```
### Internal-only services policy
Keep these classes of services on the VM in Docker and treat them as internal-only:
- admin and operator dashboards
- monitoring and observability tools such as Grafana, Loki, Prometheus, and Alertmanager
- future cache and datastore services such as Valkey and PostgreSQL + pgvector
Do not expose raw service ports publicly. If browser access is required, front the service through Caddy with authentication and preferably IP allowlisting, VPN, or SSO.
---
## A1: Caddy Gateway — Replace Traefik with Caddy
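Review bot: the "Do not expose raw service ports publicly" rule needs to say how that is achieved in Docker, because on a VM a `ports:` mapping in Compose publishes on every interface and Docker's own iptables rules bypass host firewall rules such as ufw, so a dashboard or datastore can end up reachable from the internet even when the operator believes the host firewall blocks it. Suggest adding a concrete line under the policy, e.g. "Internal-only containers get no `ports:` entry; they sit on an internal Docker network that Caddy also joins, and any port needed for local debugging is bound as `127.0.0.1:PORT:PORT`." The sentence "front the service through Caddy with authentication and preferably IP allowlisting, VPN, or SSO" also reads ambiguously about what is mandatory; consider "with authentication (SSO preferred) and, where feasible, IP allowlisting or VPN-only reachability" so that authentication is clearly the non-negotiable part. Minor: a blank line after the closing ``` fence and before the `###` heading keeps the rendered Markdown consistent with the rest of the file.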

View File

@ -7,6 +7,7 @@ Architecture decision after this handoff:
- The VM should host self-hosted infrastructure, backend APIs, and internal web tools in Docker
- `api.bytelyst.com`, `gitea.bytelyst.com`, `admin.bytelyst.com`, and `tracker.bytelyst.com` should point to the VM
- Monitoring and observability stacks such as Grafana and Loki should stay on the VM as internal-only tools
- Future shared infrastructure such as Valkey and PostgreSQL + pgvector should also be treated as VM-hosted internal services
- Only clearly public-facing sites should be considered for Vercel later
## What Was Completed
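Review bot: the new bullet classes Valkey and PostgreSQL + pgvector as "VM-hosted internal services", but the only enforcement guidance elsewhere in this commit is the Caddy-fronting rule, which applies to browser-facing tools and not to these datastores, since neither speaks HTTP. Suggest the bullet (or the policy it refers to) states explicitly that these services live on an internal Docker network with no published ports and are reached only by containers on that network, and that they still run with authentication enabled (Valkey `requirepass`/ACLs, PostgreSQL `pg_hba.conf` restricted to the Docker network with password or certificate auth) so that a misconfigured network does not turn into an unauthenticated datastore. A cross-reference to the "Internal-only services policy" section added in the other file would keep the two documents from drifting apart.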