306 lines
9.2 KiB
Markdown
306 lines
9.2 KiB
Markdown
|
|
# GlyphOS Infrastructure Plan
|
||
|
|
|
||
|
|
## Executive Summary
|
||
|
|
|
||
|
|
Proposing a production-grade infrastructure for the 600-glyph monument system. Current prototype (Rust/Axum + JSON files) needs database, auth, observability, and deployment pipeline.
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 1. Data Layer
|
||
|
|
|
||
|
|
### Current State
|
||
|
|
- JSON files in `glyphs/*.json`
|
||
|
|
- Meta-glyph archive: `glyph-complete-600.json` (not yet present)
|
||
|
|
- In-memory `HashMap` with RwLock
|
||
|
|
|
||
|
|
### Proposed Infrastructure
|
||
|
|
|
||
|
|
```
|
||
|
|
┌─────────────────────────────────────────────────────────┐
|
||
|
|
│ Data Layer │
|
||
|
|
├─────────────────────────────────────────────────────────┤
|
||
|
|
│ Primary DB: PostgreSQL 16 │
|
||
|
|
│ - glyphs table (600 rows, canonical + semantic) │
|
||
|
|
│ - meta_glyphs table (600 rows, full JSONB archive) │
|
||
|
|
│ - lineage table (60 lineages, 6 super-families) │
|
||
|
|
│ - hash_index table (FNV-1a → glyph_id mapping) │
|
||
|
|
│ │
|
||
|
|
│ Cache: Redis │
|
||
|
|
│ - LRU cache for hot glyphs (TTL: 5min) │
|
||
|
|
│ - Search index cache (TTL: 1min) │
|
||
|
|
│ - Session/rate-limit counters │
|
||
|
|
│ │
|
||
|
|
│ Search: Meilisearch (or Elasticsearch) │
|
||
|
|
│ - Full-text search across name, meaning, tags │
|
||
|
|
│ - Fuzzy matching, typo tolerance │
|
||
|
|
│ - Lineage/band/period filtering │
|
||
|
|
└─────────────────────────────────────────────────────────┘
|
||
|
|
```
|
||
|
|
|
||
|
|
**Why PostgreSQL?**
|
||
|
|
- JSONB for meta-glyph archive (flexible schema)
|
||
|
|
- ACID compliance for glyph uploads
|
||
|
|
- Row-level locking (better than RwLock contention)
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 2. API Layer Enhancements
|
||
|
|
|
||
|
|
### Current Endpoints (12 total)
|
||
|
|
- Health, sample, list, get-by-id, search, reload, stats, upload
|
||
|
|
- Meta-glyph: list, get, search, project
|
||
|
|
|
||
|
|
### Proposed Additions
|
||
|
|
|
||
|
|
| Endpoint | Method | Purpose |
|
||
|
|
|----------|--------|---------|
|
||
|
|
| `/glyph/{id}/resonance` | GET | Compute resonance with other glyphs |
|
||
|
|
| `/glyph/batch` | POST | Bulk upload (10-100 glyphs) |
|
||
|
|
| `/lineage/{id}` | GET | Get all glyphs in lineage |
|
||
|
|
| `/lineage/{id}/activate` | POST | Activate entire lineage cluster |
|
||
|
|
| `/meta-glyph/{id}/diff` | GET | Compare meta vs projected |
|
||
|
|
| `/admin/backup` | POST | Trigger DB backup |
|
||
|
|
| `/admin/restore` | POST | Restore from backup |
|
||
|
|
|
||
|
|
### Authentication Middleware
|
||
|
|
```rust
|
||
|
|
// Proposed auth flow
|
||
|
|
1. API key in `X-API-Key` header
|
||
|
|
2. Rate limiting: 100 req/min per key
|
||
|
|
3. Upload endpoints require admin scope
|
||
|
|
4. JWT for user sessions (optional)
|
||
|
|
```
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 3. Infrastructure Diagram
|
||
|
|
|
||
|
|
```
|
||
|
|
┌───────────────┐
|
||
|
|
│ Cloudflare │
|
||
|
|
│ (CDN + SSL) │
|
||
|
|
└───────┬───────┘
|
||
|
|
│
|
||
|
|
┌───────▼───────┐
|
||
|
|
│ Kong/API │
|
||
|
|
│ Gateway │
|
||
|
|
│ (Auth + RL) │
|
||
|
|
└───────┬───────┘
|
||
|
|
│
|
||
|
|
┌───────────────┼───────────────┐
|
||
|
|
│ │ │
|
||
|
|
┌───────▼───────┐ ┌────▼─────┐ ┌──────▼──────┐
|
||
|
|
│ Glyph API │ │ Monitor │ │ Backup │
|
||
|
|
│ (Rust/Axum) │ │ Service │ │ Service │
|
||
|
|
│ Port 3000 │ │ (Prometheus)│ │ (Scheduled) │
|
||
|
|
└───────┬───────┘ └───────────┘ └──────────────┘
|
||
|
|
│
|
||
|
|
┌───────┴───────┐
|
||
|
|
│ PostgreSQL │
|
||
|
|
│ + Redis │
|
||
|
|
│ + Meilisearch│
|
||
|
|
└───────────────┘
|
||
|
|
```
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 4. Deployment Architecture
|
||
|
|
|
||
|
|
### Containerization
|
||
|
|
```dockerfile
|
||
|
|
# Multi-stage build
|
||
|
|
FROM rust:1.80 AS builder
|
||
|
|
WORKDIR /app
|
||
|
|
COPY . .
|
||
|
|
RUN cargo build --release
|
||
|
|
|
||
|
|
FROM debian:12-slim
|
||
|
|
RUN apt-get update && apt-get install -y ca-certificates
|
||
|
|
COPY --from=builder /app/target/release/glyph_backend /usr/local/bin
|
||
|
|
EXPOSE 3000
|
||
|
|
CMD ["glyph_backend"]
|
||
|
|
```
|
||
|
|
|
||
|
|
### Orchestration (Kubernetes)
|
||
|
|
```yaml
|
||
|
|
# Deployment
|
||
|
|
replicas: 3
|
||
|
|
resources:
|
||
|
|
requests: { cpu: "500m", memory: "512Mi" }
|
||
|
|
limits: { cpu: "2", memory: "2Gi" }
|
||
|
|
|
||
|
|
# HPA (Horizontal Pod Autoscaler)
|
||
|
|
minReplicas: 3
|
||
|
|
maxReplicas: 10
|
||
|
|
targetCPUUtilization: 70%
|
||
|
|
|
||
|
|
# Pod Disruption Budget
|
||
|
|
minAvailable: 2
|
||
|
|
```
|
||
|
|
|
||
|
|
### CI/CD Pipeline
|
||
|
|
```
|
||
|
|
GitHub → Actions → Build → Test → Docker → Deploy
|
||
|
|
├─ cargo test
|
||
|
|
├─ cargo clippy
|
||
|
|
├─ cargo fmt --check
|
||
|
|
├─ Integration tests (glyph upload/search)
|
||
|
|
└─ Security scan (cargo audit)
|
||
|
|
```
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 5. Observability Stack
|
||
|
|
|
||
|
|
### Metrics (Prometheus + Grafana)
|
||
|
|
- Request rate per endpoint
|
||
|
|
- Response latency (p50, p95, p99)
|
||
|
|
- Glyph cache hit rate
|
||
|
|
- DB connection pool usage
|
||
|
|
- Error rate by endpoint
|
||
|
|
|
||
|
|
### Logging (Loki or ELK)
|
||
|
|
- Structured JSON logs
|
||
|
|
- Correlation IDs per request
|
||
|
|
- Glyph upload/change audit trail
|
||
|
|
|
||
|
|
### Tracing (OpenTelemetry)
|
||
|
|
- Request flow: Gateway → API → DB → Cache
|
||
|
|
- Slow query detection
|
||
|
|
- Cross-service latency breakdown
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 6. Backup & Recovery
|
||
|
|
|
||
|
|
### Strategy
|
||
|
|
| Type | Frequency | Retention | Storage |
|
||
|
|
|------|-----------|-----------|---------|
|
||
|
|
| DB Snapshot | Hourly | 7 days | S3/GCS |
|
||
|
|
| DB Backup | Daily | 30 days | S3 + Glacier |
|
||
|
|
| Glyph JSON Export | Weekly | 90 days | S3 |
|
||
|
|
| Meta-glyph Archive | On-change | Permanent | S3 + Versioning |
|
||
|
|
|
||
|
|
### Recovery RTO/RPO
|
||
|
|
- **RTO (Recovery Time Objective):** < 1 hour
|
||
|
|
- **RPO (Recovery Point Objective):** < 5 minutes
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 7. Security Hardening
|
||
|
|
|
||
|
|
### Input Validation
|
||
|
|
- Glyph JSON schema validation (serde validator)
|
||
|
|
- Max payload size: 1MB per glyph
|
||
|
|
- Rate limiting: 100 req/min per API key
|
||
|
|
|
||
|
|
### Network Security
|
||
|
|
- TLS 1.3 only (Cloudflare)
|
||
|
|
- API Gateway (Kong) for auth/rate-limiting
|
||
|
|
- Private DB network (no public access)
|
||
|
|
|
||
|
|
### Audit Logging
|
||
|
|
- All `/glyph/upload` requests logged
|
||
|
|
- User/IP/timestamp in audit table
|
||
|
|
- Immutable log storage (WORM)
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 8. Scaling Strategy
|
||
|
|
|
||
|
|
### Horizontal Scaling
|
||
|
|
- Stateless API pods (scale to 10 replicas)
|
||
|
|
- DB read replicas for search queries
|
||
|
|
- Redis cluster for cache
|
||
|
|
|
||
|
|
### Vertical Scaling
|
||
|
|
- Current: 2 CPU / 2GiB per pod
|
||
|
|
- Max: 4 CPU / 8GiB per pod (before horizontal)
|
||
|
|
|
||
|
|
### Glyph Count Scaling
|
||
|
|
- 600 glyphs: Current architecture fine
|
||
|
|
- 6,000 glyphs: Add read replicas, increase cache
|
||
|
|
- 60,000 glyphs: Sharding by lineage ID
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 9. Cost Estimate (Monthly)
|
||
|
|
|
||
|
|
| Component | Provider | Cost |
|
||
|
|
|-----------|----------|------|
|
||
|
|
| Compute (3 pods) | AWS EKS | $150 |
|
||
|
|
| PostgreSQL (managed) | AWS RDS | $100 |
|
||
|
|
| Redis (managed) | AWS ElastiCache | $50 |
|
||
|
|
| Search (Meilisearch) | Self-hosted | $0 |
|
||
|
|
| Storage (S3) | AWS S3 | $20 |
|
||
|
|
| CDN + SSL | Cloudflare | $0 (free tier) |
|
||
|
|
| **Total** | | **~$320/mo** |
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## 10. Implementation Phases
|
||
|
|
|
||
|
|
### Phase 1: Foundation (Week 1-2)
|
||
|
|
- [ ] PostgreSQL schema design + migration
|
||
|
|
- [ ] Replace JSON loader with DB loader
|
||
|
|
- [ ] Add Redis cache layer
|
||
|
|
- [ ] Basic auth middleware
|
||
|
|
|
||
|
|
### Phase 2: Observability (Week 3)
|
||
|
|
- [ ] Prometheus metrics export
|
||
|
|
- [ ] Structured logging
|
||
|
|
- [ ] Grafana dashboards
|
||
|
|
|
||
|
|
### Phase 3: Hardening (Week 4)
|
||
|
|
- [ ] Rate limiting
|
||
|
|
- [ ] Input validation
|
||
|
|
- [ ] Audit logging
|
||
|
|
- [ ] Backup automation
|
||
|
|
|
||
|
|
### Phase 4: Deployment (Week 5)
|
||
|
|
- [ ] Docker containerization
|
||
|
|
- [ ] Kubernetes manifests
|
||
|
|
- [ ] CI/CD pipeline
|
||
|
|
- [ ] Load testing
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## Tradeoffs & Questions
|
||
|
|
|
||
|
|
### Tradeoffs
|
||
|
|
1. **PostgreSQL vs SQLite** - PostgreSQL adds complexity but scales better. SQLite simpler for <10k glyphs.
|
||
|
|
2. **Meilisearch vs Postgres FTS** - Meilisearch better UX, but adds infra. Postgres FTS sufficient for 600 glyphs.
|
||
|
|
3. **Kubernetes vs Docker Compose** - K8s overkill for single server. Compose simpler for MVP.
|
||
|
|
|
||
|
|
### Questions for You
|
||
|
|
1. **Expected glyph count growth?** (600 → 6,000 or stay at 600?)
|
||
|
|
2. **Concurrent user load?** (10 users or 10,000?)
|
||
|
|
3. **Budget constraints?** (Self-hosted vs managed services)
|
||
|
|
4. **Deployment preference?** (Single server, K8s, or serverless?)
|
||
|
|
5. **Auth requirements?** (API keys, OAuth, or open?)
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
## Recommendation for MVP
|
||
|
|
|
||
|
|
For 600 glyphs with moderate traffic:
|
||
|
|
|
||
|
|
```
|
||
|
|
┌─────────────────────┐
|
||
|
|
│ Single EC2/Docker │
|
||
|
|
│ - Rust API │
|
||
|
|
│ - PostgreSQL │
|
||
|
|
│ - Redis (optional) │
|
||
|
|
│ - Daily S3 backup │
|
||
|
|
└─────────────────────┘
|
||
|
|
Cost: ~$50/mo
|
||
|
|
```
|
||
|
|
|
||
|
|
Scale to full infrastructure when:
|
||
|
|
- Glyph count > 5,000
|
||
|
|
- Concurrent users > 100
|
||
|
|
- Upload frequency > 10/day
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
**Ready to proceed with implementation?** I can start with Phase 1 (DB schema + migration) once you confirm the direction.
|