
Production: TypeScript


git clone https://github.com/AEEF-AI/aeef-production.git

The Production tier for TypeScript deploys a fully Dockerized Next.js application with comprehensive CI workflows, drift detection, incident response automation, and monitoring integration. This guide walks through every component.

Full Platform Walkthrough

Application Architecture

The Production tier upgrades the application from a development-focused setup to a production-ready deployment:

production-typescript/
  src/
    app/          # Next.js App Router pages
    lib/          # Business logic and utilities
    middleware/   # Request validation, auth, logging
    monitoring/   # Health checks, metrics exporters
  tests/
    unit/         # Jest unit tests
    integration/  # API contract tests
    e2e/          # Playwright end-to-end tests
    load/         # k6 load test scripts
  docker/
    Dockerfile      # Multi-stage production build
    Dockerfile.dev  # Development with hot reload
  .github/
    workflows/
      ci.yml        # Full 10-stage CI pipeline
      drift.yml     # Scheduled drift detection
      incident.yml  # Incident response automation

Dockerized Deployment

The multi-stage Dockerfile produces a minimal production image:

# Build stage
FROM node:22-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --production=false
COPY . .
RUN npm run build

# Production stage
FROM node:22-alpine AS runner
WORKDIR /app
RUN addgroup --system aeef && adduser --system --ingroup aeef app
COPY --from=builder --chown=app:aeef /app/.next/standalone ./
COPY --from=builder --chown=app:aeef /app/.next/static ./.next/static
COPY --from=builder --chown=app:aeef /app/public ./public
USER app
EXPOSE 3000
CMD ["node", "server.js"]

All CI Workflows Explained

Primary CI Pipeline (ci.yml)

The Production tier extends the Transformation pipeline to 10 stages:

lint --> typecheck --> unit-test --> mutation --> integration-test -->
SAST --> SCA+license --> SBOM --> schema-validate --> provenance

New stages beyond Transformation:

Integration Tests:

- name: Integration Tests
  run: npm run test:integration
  env:
    DATABASE_URL: ${{ secrets.TEST_DATABASE_URL }}

SBOM Generation:

- name: Generate SBOM
  run: |
    npx @cyclonedx/cyclonedx-npm --output-format json --output-file sbom.json
    npx cosign attest --predicate sbom.json --type cyclonedx

Provenance with Attestation:

- name: Generate Provenance
  run: |
    node scripts/generate-provenance.js --output provenance/
    npx cosign attest --predicate provenance/latest.json --type custom

Drift Detection Pipeline (drift.yml)

Runs on a schedule (every 6 hours) to detect configuration drift:

name: Drift Detection
on:
  schedule:
    - cron: '0 */6 * * *'

jobs:
  detect:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check ESLint Config Drift
        run: |
          node scripts/drift-detect.js --category linting \
            --baseline .aeef/baselines/eslint.json \
            --current eslint.config.mjs
      - name: Check CI Pipeline Drift
        run: |
          node scripts/drift-detect.js --category ci \
            --baseline .aeef/baselines/ci-stages.json \
            --current .github/workflows/ci.yml
      - name: Check Security Policy Drift
        run: |
          node scripts/drift-detect.js --category security \
            --baseline .aeef/baselines/semgrep-rules.json \
            --current .semgrep/
      - name: Alert on Drift
        if: failure()
        run: |
          node scripts/alert-drift.js --channel slack \
            --webhook ${{ secrets.SLACK_WEBHOOK }}

Incident Response Pipeline (incident.yml)

Triggered by monitoring alerts or manual dispatch:

name: Incident Response
on:
  workflow_dispatch:
    inputs:
      severity:
        description: 'Incident severity (P1-P4)'
        required: true
        type: choice
        options: [P1, P2, P3, P4]
      description:
        description: 'Incident description'
        required: true

jobs:
  triage:
    runs-on: ubuntu-latest
    # Free-text inputs are passed through environment variables instead of being
    # interpolated into run scripts, so a crafted description cannot inject shell commands.
    env:
      SEVERITY: ${{ inputs.severity }}
      DESCRIPTION: ${{ inputs.description }}
    steps:
      - uses: actions/checkout@v4
      - name: Automated Triage
        run: node scripts/triage.js --severity "$SEVERITY"
      - name: Rollback if P1
        if: inputs.severity == 'P1'
        run: node scripts/rollback.js --to-last-known-good
      - name: Create Incident Record
        run: |
          node scripts/create-incident.js \
            --severity "$SEVERITY" \
            --description "$DESCRIPTION" \
            --output incidents/

Drift Detection Pipeline

The drift detection system compares the current state of governance configurations against declared baselines:

  1. Baselines are snapshots stored in .aeef/baselines/ capturing the approved state of each configuration category.
  2. Detection runs scripts that compare current files against baselines and flag any differences.
  3. Alerting sends notifications via Slack, PagerDuty, or email when drift is detected.
  4. Remediation can be automated (auto-fix and PR) or manual (alert with diff).
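As an added illustration of steps 1 and 2 for the ci category (example code written for this page, not the project's scripts/drift-detect.js), the check below compares a baseline against the step names found in a workflow; it assumes a baseline file of the shape { "stages": [...] } and extracts step names with a regex rather than a YAML parser.

```typescript
// Added example of the baseline-vs-current comparison for the "ci" category.
// Not the project's scripts/drift-detect.js: the baseline shape { "stages": [...] }
// and the regex-based step-name extraction are assumptions made here.
import { readFileSync } from "node:fs";

interface DriftReport {
  missing: string[];  // approved stages that the workflow no longer runs
  added: string[];    // stages the workflow runs that were never approved
  reordered: boolean; // same stages, but in a different order
}

// Collect "- name: ..." entries from a workflow. A regex stands in for a YAML
// parser so the example has no dependencies; "- uses:" steps are ignored.
function extractStageNames(workflowYaml: string): string[] {
  const names: string[] = [];
  for (const line of workflowYaml.split("\n")) {
    const m = /^\s*-\s*name:\s*["']?(.+?)["']?\s*$/.exec(line);
    if (m) names.push(m[1]);
  }
  return names;
}

function detectDrift(baselineStages: string[], currentStages: string[]): DriftReport {
  const baseline = new Set(baselineStages);
  const current = new Set(currentStages);
  const missing = baselineStages.filter((s) => !current.has(s));
  const added = currentStages.filter((s) => !baseline.has(s));
  const reordered = missing.length === 0 && added.length === 0 &&
    baselineStages.some((s, i) => currentStages[i] !== s);
  return { missing, added, reordered };
}

// Reads the files the drift.yml step points at (--baseline / --current).
function checkFiles(baselinePath: string, currentPath: string): DriftReport {
  const baseline = JSON.parse(readFileSync(baselinePath, "utf8")) as { stages: string[] };
  return detectDrift(baseline.stages, extractStageNames(readFileSync(currentPath, "utf8")));
}
// Constructed sample inputs, not the repository's real baseline or workflow.
const SAMPLE_BASELINE = { stages: ["Lint", "Typecheck", "Unit Tests", "SAST", "SBOM"] };
const SAMPLE_WORKFLOW = `
      - name: Lint
      - name: Typecheck
      - name: Unit Tests
      - name: SBOM
`;
// Expected: SAST is reported as missing; drift.yml should then fail the step and alert.
function run(): DriftReport {
  return detectDrift(SAMPLE_BASELINE.stages, extractStageNames(SAMPLE_WORKFLOW));
}
```

A CLI wrapper would call checkFiles with the two paths and set process.exitCode to 1 whenever the report is non-empty, so the workflow's `if: failure()` alert step fires.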

Incident Response Automation

See Incident Response Automation for the full guide, including:

  • Automated triage scripts that classify incidents by type and severity
  • Rollback automation that reverts to the last known good deployment
  • Alert routing configuration for different severity levels
  • Incident record schema for post-incident analysis

Next Steps