Humaniti — Deployment

Current tasks

Tracking the 6-step deployment flow from the project's Miro mapping board.

✅1. Fork repo
All 6 source repos cloned to a working dir, on a fresh humaniti branch off each repo's existing default. No upstream remote pointing to Aseel — repos are operationally standalone.
- ASEEL-APP/humaniti_medusa_admin — React/Vite admin SPA
- ASEEL-APP/humaniti_Backend — Medusa 1.20 server
- ASEEL-APP/humaniti_StoreFront — Next.js 14 SSR storefront
- ASEEL-APP/Humaniti_HumanitiOS_Frontend — React/Vite SPA
- ASEEL-APP/Humaniti_AidOS_Widgets — Next 16 (currently OpenNext / Cloudflare Workers; needs port to AWS)
- ASEEL-APP/Humaniti_StaticAssets_CDN — precompiled static JS
Notes
Fine-grained GitHub PAT scoped to only these 6 repos, Contents R/W, expires 2026-06-05. Stored at ~/.config/humaniti/github-pat, mode 600.
⬜2. Empty (remove all Aseel data)

Code still contains Aseel-specific integrations and copy: Hesabpay payments, Mailchimp lists, Apple Sign-In config, Recombee ML, Aseel branding strings, asset URLs. Deferred until after first successful deploy — the principle is "deploy as-is, then rebrand one repo at a time" so we have a known-working baseline to compare against.

Notes
Aseel-specifics inventory comes naturally from a grep pass once the system is running. No work here yet.
🟡3. Get a new Amazon server up with a new user humaniti@aseelapp.com
The original plan was a separate AWS account (Organizations member, root email humaniti+staging@aseelapp.com). The org's management account 267897643464 turned out to be inaccessible in this session, so account creation from a child account is blocked by AWS.

Pivot: single-account isolation. Humaniti lives inside account 805102729295 (the same account that hosts GoodSmith) but is fenced off by:
- Naming prefix humaniti-{staging|prod}-* on every resource
- Tags Project=Humaniti, Env=staging|prod, ManagedBy=terraform
- Separate VPCs per environment (10.10.0.0/16 staging, 10.20.0.0/16 prod)
- Always passing --profile on AWS CLI calls — never running unscoped commands
Notes
To upgrade to true multi-account later, the management-account holder runs aws organizations create-account for humaniti+staging@aseelapp.com and humaniti+prod@aseelapp.com; the existing Terraform modules can be re-pointed via profile/role assumption with no resource recreation.
✅4. Figure out the domain and get access

Using humaniti.nasratkhalid.com for now (registrar Name.com, owned by the team). The smith DigitalOcean droplet at smith.nasratkhalid.com is untouched.

Subdomain delegation set up: 4 NS records added at Name.com for host humaniti, pointing to AWS Route 53 hosted zone Z06723031XBY2LQL2JD8Q. Verified resolving end-to-end from Google DNS and AWS authoritative nameservers.

From this point on, Name.com is never touched again — every record under humaniti.nasratkhalid.com is managed by Terraform in the shared environment.

Notes
When the real Humaniti production domain arrives, it's a single aws_route53_zone swap in environments/shared/main.tf — all sub-records port over.
⬜5. Get Ferri customized + live
"Ferri" is the Backend (Medusa server). Live = reachable behind an ALB at a stable URL, with DB migrations run, talking to a Postgres in RDS, a Redis in ElastiCache, and a MeiliSearch on Fargate.

Foundation is in place (VPCs, subnets, NAT, state buckets, hosted zone). Compute layer is the next phase:
1. ECR repos + push first container image
2. RDS Postgres + ElastiCache Redis (~15 min provisioning wait for RDS)
3. MeiliSearch Fargate task with EBS
4. ECS cluster + ALB + Backend API + Backend worker services
5. Run migrations, hit the API, verify HTTP 200
Notes
Order matters: we should boot the Backend locally first via its docker-compose.yml to inventory the ~100 env vars before populating Secrets Manager. Catches missing config in seconds vs. 5 min per failed ECS task retry.
🟦6. Page design

The page you're looking at right now is the start of this. Static site hosted on AWS (S3 + CloudFront + ACM cert), HTTPS via the ACM cert in us-east-1, served at humaniti.nasratkhalid.com. No backend yet — pure static, vanilla HTML/CSS, no frameworks.

This page is also itself the deployment-status dashboard. As the rest of the system comes online, more buttons in the top nav will activate (Repos, Deploys, Services, Runbook).

Notes
Replace this scaffold once branding is finalized. Currently neutral — no Humaniti logos or colors locked in.

What's live in AWS right now

Account 805102729295, region us-east-1. All resources tagged Project=Humaniti.

Networking

Staging VPC vpc-0a2bb148366347393 — 10.10.0.0/16, 6 subnets (3 tiers × 2 AZs), 1 NAT gateway
Prod VPC vpc-0d4e17bb27e1d88c3 — 10.20.0.0/16, 6 subnets, 2 NAT gateways (per-AZ HA)

State + locking

S3 humaniti-staging-tfstate-805102729295
S3 humaniti-prod-tfstate-805102729295
DynamoDB humaniti-staging-tflock
DynamoDB humaniti-prod-tflock

DNS

Route 53 hosted zone Z06723031XBY2LQL2JD8Q for humaniti.nasratkhalid.com
Delegated from Name.com via 4 NS records (one-time, never touched again)

This page

S3 bucket humaniti-status-site-805102729295 (private, OAC-only)
CloudFront distribution + ACM cert for humaniti.nasratkhalid.com

Not yet built

ECR repositories (one per service)
Secrets Manager namespace (per env)
RDS Postgres (staging + prod)
ElastiCache Redis (staging + prod)
MeiliSearch on Fargate + EBS
ECS cluster + ALB
Backend API service + Backend worker service
StoreFront SSR service
Admin SPA + HumanitiOS SPA + StaticAssets CDN (S3 + CloudFront)
GitHub Actions OIDC trust → AWS for CI/CD
Aseel-data removal pass (after first green deploy)
AidOS Widgets port from Cloudflare Workers
Real Humaniti production domain swap