Deployment

ProcureIQ runs as a multi-service deployment spanning frontend apps, the API, AI services, workers, and supporting data stores.

Core deployment units

  • web app
  • admin app
  • API server
  • AI agent
  • crawler
  • image processing service

Environment checklist

  • Postgres, Redis, and Mongo connectivity
  • payment provider secrets
  • AI provider credentials
  • S3 and CDN configuration
  • webhook signing secrets

Automation outbound network policy

The API task must already run under workload-level egress controls before AUTOMATION_EGRESS_POLICY_ENFORCED=true is set. Permit DNS and HTTPS only to the destinations represented by AUTOMATION_HTTP_ALLOWED_HOSTS; deny loopback, link-local, RFC 1918, VPC metadata, database, Redis, and internal service address ranges. The application independently revalidates the HTTPS scheme, allowlisted hostnames, DNS answers, headers, and every redirect hop, but the network policy is the final DNS-rebinding boundary: an answer that changes between the application's check and the connect must still be blocked at the network layer.

Credential-bearing automation headers must store a {{secret:NAME}} reference, never a literal credential. Inject the corresponding AUTOMATION_SECRET_NAME value from the platform secret manager into the API task at runtime, so the credential exists only in the running task's environment and never in the stored automation definition.
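The two application-side checks described above, as an added illustration rather than ProcureIQ's own code: an egress validator that enforces the HTTPS scheme, the hostname allowlist, and the denied address ranges on every DNS answer (to be re-run on each redirect hop), plus resolution of `{{secret:NAME}}` header references from an injected secret store. The allowlist, the resolver callback and the secret dictionary are assumptions standing in for AUTOMATION_HTTP_ALLOWED_HOSTS, the real resolver and the platform secret manager.

```python
import ipaddress
import re
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Ranges the network policy must deny; the application re-checks them per DNS answer.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local, incl. VPC metadata
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "fc00::/7",                                        # IPv6 unique local
    "0.0.0.0/8", "::/128",                             # unspecified
)]


class EgressDenied(Exception):
    pass


def validate_egress(url: str, allowed_hosts: Iterable[str],
                    resolve: Callable[[str], List[str]]) -> Tuple[str, str]:
    """Return (hostname, pinned_ip) for a URL an automation may contact.

    The caller must connect to the pinned IP (with SNI/Host set to hostname)
    instead of resolving again, and must call this for every redirect hop,
    so a DNS answer that changes after the check is never used."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise EgressDenied(f"scheme not https: {parts.scheme!r}")
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in {h.lower().rstrip(".") for h in allowed_hosts}:
        raise EgressDenied(f"host not allowlisted: {host!r}")
    answers = resolve(host)  # assumed resolver: returns every A/AAAA answer
    if not answers:
        raise EgressDenied(f"no DNS answer for {host!r}")
    for a in answers:
        ip = ipaddress.ip_address(a)
        if ip.version == 6 and ip.ipv4_mapped:  # ::ffff:10.0.0.5 is really 10.0.0.5
            ip = ip.ipv4_mapped
        if any(ip in net for net in DENIED_NETWORKS) or ip.is_multicast or ip.is_reserved:
            raise EgressDenied(f"{host!r} resolves to denied address {a}")
    return host, answers[0]


_SECRET_REF = re.compile(r"^\{\{secret:([A-Z0-9_]+)\}\}$")


def render_header(value: str, secrets: Dict[str, str]) -> str:
    """Resolve a {{secret:NAME}} reference from the injected secret store
    (assumed dict); any other header value is passed through unchanged."""
    m = _SECRET_REF.match(value)
    return secrets[m.group(1)] if m else value
```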

Admin production promotion uses the environment-protected Deploy Admin Production workflow. It requires approval, re-runs the staging Admin security journey, verifies Prisma migration state, scans the immutable image, and waits for ECS service stability.