Deployment
ProcureIQ runs as a multi-service deployment spanning frontend apps, the API, AI services, workers, and supporting data stores.
Core deployment units
- web app
- admin app
- API server
- AI agent
- crawler
- image processing service
Environment checklist
- Postgres, Redis, and Mongo connectivity
- payment provider secrets
- AI provider credentials
- S3 and CDN configuration
- webhook signing secrets
Automation outbound network policy
The API task must run with workload-level egress controls before
AUTOMATION_EGRESS_POLICY_ENFORCED=true is configured. Permit DNS and HTTPS only
to the destinations represented by AUTOMATION_HTTP_ALLOWED_HOSTS; deny
loopback, link-local, RFC1918, VPC metadata, database, Redis, and internal
service address ranges. The application independently revalidates HTTPS,
allowlisted hostnames, DNS answers, headers, and redirects, but the network
policy is the final DNS-rebinding boundary.
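The application-side revalidation described above, sketched as an added example (not ProcureIQ's own code): it checks the scheme, the hostname allowlist, and every DNS answer against the denied ranges. The function names, the array form of AUTOMATION_HTTP_ALLOWED_HOSTS, and the sample addresses are assumptions; DNS answers are passed in so it runs offline.

```javascript
// Added example. All names except AUTOMATION_HTTP_ALLOWED_HOSTS are hypothetical.
const DENIED_V4 = [        // [network, prefix length]
  ['0.0.0.0', 8],          // "this network"
  ['10.0.0.0', 8],         // RFC1918
  ['127.0.0.0', 8],        // loopback
  ['169.254.0.0', 16],     // link-local, includes instance metadata endpoints
  ['172.16.0.0', 12],      // RFC1918
  ['192.168.0.0', 16],     // RFC1918
];

function v4ToInt(addr) {
  const parts = addr.split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isDeniedAddress(addr) {
  let a = addr.toLowerCase();
  if (a.includes(':')) {
    if (a.startsWith('::ffff:')) {
      a = a.slice(7);      // IPv4-mapped: judge the embedded IPv4 address
    } else {               // unspecified, loopback, fe80::/10, fc00::/7
      return a === '::' || a === '::1' || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a);
    }
  }
  const n = v4ToInt(a);
  if (n === null) return true;   // unparseable answer: fail closed
  return DENIED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// resolvedAddresses: every A/AAAA answer returned for the hostname.
function checkAutomationTarget(rawUrl, resolvedAddresses, allowedHosts) {
  let url;
  try { url = new URL(rawUrl); } catch { return { allowed: false, reason: 'invalid-url' }; }
  if (url.protocol !== 'https:') return { allowed: false, reason: 'not-https' };
  const host = url.hostname.replace(/\.$/, '').toLowerCase();
  if (!allowedHosts.includes(host)) return { allowed: false, reason: 'host-not-allowlisted' };
  if (resolvedAddresses.length === 0) return { allowed: false, reason: 'no-dns-answer' };
  // One denied answer rejects the request, even if other answers are public.
  const bad = resolvedAddresses.find(isDeniedAddress);
  if (bad !== undefined) return { allowed: false, reason: `denied-address:${bad}` };
  return { allowed: true, reason: 'ok' };
}
```

Each redirect hop needs the same check before it is followed, and the connection should go to the address that was validated rather than to a fresh lookup.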
Credential-bearing automation headers must store {{secret:NAME}}, never a
literal credential. Inject the corresponding AUTOMATION_SECRET_NAME value
from the platform secret manager into the API task at runtime.
Admin production promotion uses the environment-protected Deploy Admin Production workflow. It requires approval, re-runs the staging Admin security
journey, verifies Prisma migration state, scans the immutable image, and waits
for ECS service stability.