Unconfirmed — Requires Google Drive/Confluence Audit

The Equa platform was previously deployed on AWS. Evidence of AWS services that remain active in the codebase:
AWS S3 — File storage via aws-sdk/clients/s3 in equa-server/modules/file-storage/src/s3.d.ts
AWS SES — Email sending via equa-server/modules/notifications/src/nodemailer/email-notifier.ts
The full AWS deployment architecture (compute service, database, networking, and migration details) is documented in Google Drive and Confluence but has not yet been audited or exported locally. This section will be completed after that audit.

Items to confirm:
The GCP-era public deployment still exists in repository automation. equa-server/cloudbuild.yaml deploys equa-backend to Cloud Run in us-central1 on port 3000, which remains relevant for cost wind-down and legacy endpoint investigations. It is no longer the authoritative browser-routing story for the SPA host.
Source: equa-server/cloudbuild.yaml, Lines: 13-46
The current committed interim routing story lives in equa-web/nginx.conf: equa.cc and www.equa.cc return 301 to https://app.equa.cc$request_uri, the default server block accepts the active SPA host, and /api/ proxies to https://equa-server-so-production.up.railway.app/. The container defaults PORT=8080 and exposes 8080, so Railway target-port parity remains the first check if the edge regresses to 502.
Sources:
Spec 040 still targets equa.cc as the canonical marketing + app hostname with app.equa.cc eventually redirecting back to apex. Treat that as target-state planning, not as a claim about the live edge today.
Source: command-center-so/specs/040-equa-cc-landing-rebuild/spec.md, Section: 3.1
As committed today, equa-web defines two nginx server blocks. One block catches equa.cc and www.equa.cc and issues a 301 to https://app.equa.cc$request_uri; the other block serves the SPA, proxies /api/ to https://equa-server-so-production.up.railway.app/, and inherits ${PORT} from the runtime environment. This is the authoritative routing story for documentation until the repo changes.
Sources:
The live edge must be treated as a separate measurement layer. The following snapshot was captured at 2026-05-03T16:09:41Z against equa-web commit 3131f1699ae9df3dcf3655611bc8fb247afbb33e; re-run it before any DNS, OAuth, or cutover decision.
| Probe | Observed result | Why it matters |
| --- | --- | --- |
| https://equa.cc/ | HTTP/2 301 to https://app.equa.cc:443/, then HTTP/2 200 with server: railway-edge | Apex live behavior now follows the committed interim redirect intent and reaches the app host. |
| dig equa.cc @8.8.8.8 | A 136.110.187.76 | Apex DNS still resolves to the legacy Google-era address before redirecting to the Railway-backed app host. |
| https://www.equa.cc/ | HTTP/2 301 to https://app.equa.cc:443/, then HTTP/2 200 with server: railway-edge | www now resolves and follows the same redirect path as apex. |
| dig www.equa.cc @8.8.8.8 | A 136.110.187.76 | www is no longer NXDOMAIN, but still uses the legacy Google-era A record before redirect. |
| https://app.equa.cc/ | HTTP/2 200 with server: railway-edge and Fastly cache headers | The app host reaches Railway and serves the SPA shell. |
| dig app.equa.cc @8.8.8.8 | CNAME ry6le6wy.up.railway.app. → 151.101.2.15 | app.equa.cc is the Railway-backed live host today. |
| https://app.equa.cc/api/v1/user/current | HTTP 200, body {} | Same-origin API traffic reaches the Railway-backed API route; this validates the browser path shape, not authenticated application semantics. |
| https://api.equa.cc/ | HTTP/2 404 with via: 1.1 google | The direct API host remains legacy/unverified; browser documentation should prefer same-origin https://app.equa.cc/api/v1. |
Use this table to distinguish live behavior from committed intent. The runbook explains how to refresh each row and how to prepend captured_at plus equa_web_commit headers when pasting evidence into a PR or ticket.
Source: equa-web/specs/037-docs-deploy-truth/VALIDATION-RUNBOOK.md, Sections: 1-5
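The following script is an added example, not code from the Equa repositories or the Spec 037 runbook. It shows how to turn a captured snapshot like the table above into a mechanical "live behavior vs. committed intent" check: each probe record (constructed here to mirror the 2026-05-03 rows) is compared against the interim nginx.conf intent, findings are tagged as drift (contradicts intent), legacy (works but still rides pre-cutover infrastructure) or info (passes with a caveat), and the captured_at / equa_web_commit evidence header is emitted for pasting into a PR or ticket. The Hop/Probe types, the severity rules and the SNAPSHOT literal are this example's own assumptions.

```python
"""Live-edge drift check: committed routing intent vs. an observed snapshot.

Added example, not code from the Equa repositories. The probe records are
constructed to mirror the page's 2026-05-03 baseline table, the intent
constants restate the interim nginx.conf story, and the severity rules are
this example's own.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Hop:
    status: int
    headers: dict  # lowercase header name -> value


@dataclass
class Probe:
    url: str
    hops: list     # observed redirect chain, first response to last
    dns: str = ""  # constructed `dig @8.8.8.8` summary for the URL's host


# Committed interim intent, as described for equa-web/nginx.conf.
APP_HOST = "app.equa.cc"
REDIRECT_HOSTS = {"equa.cc", "www.equa.cc"}
EXPECTED_EDGE = "railway-edge"
LEGACY_API_HOST = "api.equa.cc"  # absent from the committed routing story

# Constructed snapshot mirroring the page's baseline table.
SNAPSHOT = {
    "captured_at": "2026-05-03T16:09:41Z",
    "equa_web_commit": "3131f1699ae9df3dcf3655611bc8fb247afbb33e",
    "probes": [
        Probe("https://equa.cc/", [Hop(301, {"location": "https://app.equa.cc:443/"}),
                                   Hop(200, {"server": "railway-edge"})], "A 136.110.187.76"),
        Probe("https://www.equa.cc/", [Hop(301, {"location": "https://app.equa.cc:443/"}),
                                       Hop(200, {"server": "railway-edge"})], "A 136.110.187.76"),
        Probe("https://app.equa.cc/", [Hop(200, {"server": "railway-edge"})],
              "CNAME ry6le6wy.up.railway.app. -> 151.101.2.15"),
        Probe("https://app.equa.cc/api/v1/user/current", [Hop(200, {"content-type": "application/json"})]),
        Probe("https://api.equa.cc/", [Hop(404, {"via": "1.1 google"})]),
    ],
}


def check_probe(p):
    """Return (severity, message) pairs for one probe.

    drift  = live edge contradicts committed intent (blocks a cutover decision)
    legacy = works today but still depends on pre-cutover infrastructure
    info   = passes, with a caveat on what the probe does not prove
    """
    parts = urlsplit(p.url)
    host, path = parts.hostname, parts.path or "/"
    first, last = p.hops[0], p.hops[-1]
    out = []
    if host in REDIRECT_HOSTS:
        target = urlsplit(first.headers.get("location", "")).hostname
        if first.status != 301 or target != APP_HOST:
            out.append(("drift", f"{host}: expected 301 to {APP_HOST}, observed {first.status} -> {target}"))
        elif last.status != 200 or last.headers.get("server") != EXPECTED_EDGE:
            out.append(("drift", f"{host}: redirect lands on {last.status}, server={last.headers.get('server')}"))
        if "railway" not in p.dns:
            out.append(("legacy", f"{host}: DNS still points at a non-Railway address ({p.dns}); the 301 is served there"))
    elif host == APP_HOST:
        if last.status != 200:
            out.append(("drift", f"{host}{path}: expected 200, observed {last.status}"))
        elif path == "/" and last.headers.get("server") != EXPECTED_EDGE:
            out.append(("drift", f"{host}/: server header is not {EXPECTED_EDGE}"))
        elif path.startswith("/api/"):
            out.append(("info", f"{host}{path}: 200 proves the same-origin path shape only, not auth semantics"))
    elif host == LEGACY_API_HOST:
        if last.status != 200 or "google" in last.headers.get("via", ""):
            out.append(("legacy", f"{host}: direct API host unverified ({last.status}, via={last.headers.get('via')}); "
                                  f"document https://{APP_HOST}/api/v1 instead"))
    return out


def evidence_header(snapshot):
    """Lines to prepend when pasting probe output into a PR or ticket."""
    return [f"captured_at: {snapshot['captured_at']}",
            f"equa_web_commit: {snapshot['equa_web_commit']}"]


def run(snapshot):
    """Evaluate every probe; any 'drift' finding means the cutover is not ready."""
    findings = [f for p in snapshot["probes"] for f in check_probe(p)]
    return {"header": evidence_header(snapshot), "findings": findings}


if __name__ == "__main__":
    result = run(SNAPSHOT)
    print("\n".join(result["header"]))
    for severity, message in result["findings"]:
        print(f"[{severity}] {message}")
```

Against the constructed snapshot the check reports no drift, three legacy findings (both redirect hosts still resolve to the Google-era A record, and api.equa.cc answers 404 via Google) and one info finding for the same-origin /api/ probe, which matches the reading the table gives. Feed it a fresh capture (re-run per the runbook before any DNS, OAuth or cutover decision) and any drift line is the thing to fix before the documentation is changed.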
The repository still contains the previous Cloud Run deploy path for equa-backend. Keep that material for cost, rollback, and historical architecture context only. Do not describe Cloud Run as the sole current browser/API path unless a direct endpoint is re-verified and explicitly labeled as an alternate endpoint.
Source: equa-server/cloudbuild.yaml, Lines: 13-46
Spec 040 is still the cutover target: the marketing site and authenticated SPA converge on canonical equa.cc, and app.equa.cc becomes the redirect. That plan remains separate from the interim nginx story and separate from the live-edge baseline above.
Source: command-center-so/specs/040-equa-cc-landing-rebuild/spec.md, Section: 3.1
For operator captures, use the read-only validation runbook in equa-web rather than copying shell snippets out of this page. GitHub permalink: Spec 037 validation runbook
NODE_OPTIONS=--openssl-legacy-provider (required for older webpack/SSL compatibility)
API_URL=/api/v1 (baked into the build)
Webpack runs via npx webpack --mode production (changed from direct node_modules/.bin/webpack in PR #501)
A post-install verification step checks for the webpack binary and fails fast with a clear error if missing
Required environment variables for build:

| Variable | Purpose | Source |
| --- | --- | --- |
| GH_PATTERNLIB_TOKEN | GitHub token for fetching equa-patternlib private dependency | PR #501 |
| API_URL | Backend API base URL (default: /api/v1) | webpack.config.js |
The build requires GH_PATTERNLIB_TOKEN to be set as a Railway service variable. Without it, yarn install silently fails to fetch equa-patternlib (SSH clone fails on Alpine), leaving node_modules corrupt. PR #501 added a verification step that catches this early.
Nginx configuration (equa-web/nginx.conf):

| Feature | Configuration |
| --- | --- |
| Listen port | ${PORT} (templated via envsubst at container startup; Dockerfile ENV PORT=8080 provides the fallback) |
| Apex redirect | equa.cc and www.equa.cc return 301 to https://app.equa.cc$request_uri when this config is the active edge |
| Static assets | /usr/share/nginx/html with 1-year cache (Cache-Control: public, immutable) |
| SPA fallback | All routes serve index.html |
| Gzip | Enabled for text, CSS, JSON, JS, XML |
| Health check | GET /health returns 200 OK |
Dynamic PORT (PR #516): Prior to 2026-04-02, nginx.conf hard-coded listen 8080. Railway injects a $PORT env var per service instance and the hard-coded value worked only because it happened to match the Dockerfile EXPOSE. PR #516 changed the config to listen ${PORT} and runs envsubst on the template before nginx starts, so the container honours whatever port Railway assigns. Local docker run still defaults to 8080 via the Dockerfile ENV PORT=8080.
Source: equa-web/Dockerfile (full file), equa-web/nginx.conf (full file), PR #516 (2026-04-02).
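An added example (not code from equa-web) covering two checks this section and the interim-routing note above call for: rendering the ${PORT} template with the Dockerfile fallback, and the Railway target-port parity check that is the first thing to rule out when the edge returns 502. TEMPLATE is a constructed nginx.conf fragment in the shape the page describes, not the real file. render() emulates `envsubst '${PORT}'`, i.e. substitution restricted to that one variable; render_unrestricted() shows why the restriction matters, because plain envsubst with no variable list also rewrites nginx's own $request_uri and $scheme to empty strings and silently breaks the 301 and the proxy headers. The helper names are this example's own.

```python
"""Render the PORT-templated nginx.conf and check Railway target-port parity.

Added example, not code from equa-web. TEMPLATE is a constructed fragment in
the shape the page describes for nginx.conf; render() emulates
`envsubst '${PORT}'` (substitute only ${PORT}) so that nginx's own variables
such as $request_uri survive; the parity helpers are this example's own.
"""
import re

FALLBACK_PORT = "8080"  # Dockerfile ENV PORT=8080, per the page

# Constructed fragment; the real equa-web/nginx.conf may differ in detail.
TEMPLATE = """\
server {
    listen ${PORT};
    server_name equa.cc www.equa.cc;
    return 301 https://app.equa.cc$request_uri;
}
server {
    listen ${PORT} default_server;
    location /api/ {
        proxy_pass https://equa-server-so-production.up.railway.app/;
        proxy_set_header Host equa-server-so-production.up.railway.app;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
"""


def render(template, env):
    """Substitute only ${PORT} / $PORT, as `envsubst '${PORT}'` would.

    Falls back to 8080 when PORT is unset or empty, mirroring the Dockerfile
    default for a local `docker run`.
    """
    port = env.get("PORT") or FALLBACK_PORT
    if not port.isdigit():
        raise ValueError(f"PORT must be numeric, got {port!r}")
    return re.sub(r"\$\{PORT\}|\$PORT\b", port, template)


def render_unrestricted(template, env):
    """What plain `envsubst` (no variable list) does: every $NAME and ${NAME}
    is replaced, and names missing from the environment become empty strings.
    Included only to make that failure mode visible."""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: env.get(m.group(1) or m.group(2), ""), template)


def listen_ports(conf):
    """All ports named by `listen` directives in a rendered config."""
    return sorted({int(p) for p in re.findall(r"^\s*listen\s+(\d+)", conf, re.M)})


def check_port_parity(conf, assigned_port):
    """True when every listen directive matches the port Railway routes to.

    A mismatch here is the first thing to rule out when the edge returns 502.
    """
    return listen_ports(conf) == [int(assigned_port)]


def nginx_vars_intact(conf):
    """True when the redirect and proxy still reference nginx's own variables."""
    return "$request_uri" in conf and "$scheme" in conf


if __name__ == "__main__":
    import os
    conf = render(TEMPLATE, os.environ)
    print(conf)
    print("listen ports:", listen_ports(conf),
          "| nginx vars intact:", nginx_vars_intact(conf))
```

Run it with PORT unset to see the 8080 fallback, and with `PORT=9000` to see both server blocks follow the assigned port. check_port_parity() is the programmatic form of the "Railway target-port parity" check: compare the rendered listen port with the port Railway actually routes to before looking anywhere else for a 502.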
www.equa.cc was intentionally a soft check in the automated smoke workflow while DNS was missing. As of the 2026-05-03T16:09:41Z capture, it resolves and redirects successfully; keep the soft-check behavior until the cutover contract is explicitly tightened.Source: equa-web/.github/workflows/equa-cc-domain-smoke.yml, Lines: 31-46
Headers set on the backend hop: Host (equa-server-so-production.up.railway.app), X-Real-IP, X-Forwarded-For, X-Forwarded-Proto.
Source: equa-web/nginx.conf, Lines: 4-29
The notifications module uses AWS SES as the primary email transport with SMTP as fallback.
Source: equa-server/modules/notifications/src/nodemailer/email-notifier.ts
Unconfirmed: SES region, verified sender domains/emails, and sending limits.
All modules use persistence helpers, not direct TypeORM calls.
Source: equa-server/README.md, line 106
Connection environment variables:
```shell
DATABASE_TYPE=postgres
DATABASE_HOST=localhost
DATABASE_USERNAME=postgres
DATABASE_PASSWORD=password
DATABASE_NAME=equa
DATABASE_LOGS=query,error # optional
DATABASE_SCHEMA= # optional
DATABASE_SYNC= # auto-sync in development
```
Unconfirmed — Requires GCP Console Access

The production database is likely a managed PostgreSQL service, with Cloud SQL as the leading historical candidate, based on:
stacks-ranking-priorities/runbooks/EQUA_CC_COST_CHECK.md identifies Cloud SQL as the #1 cost driver
The wind-down runbook at equabot/threads/wind-down-equa-cc-public-instance/WIND-DOWN-RUNBOOK.md explicitly marks the database type as unknown (“Cloud SQL? Firestore? both?”)
Items to confirm:
Managed database provider, instance name, tier, and PostgreSQL version
Connection method (provider proxy, direct IP, Unix socket, or equivalent)
Partially Verified

Public TLS termination is currently split by host. The 2026-05-03 baseline saw equa.cc reply through Google-managed infrastructure while app.equa.cc replied with Railway headers, so certificate ownership and edge termination must be re-verified per host before treating any DNS/HTTP prose as authoritative.
The equa-server supports optional SSL termination at the application level:

| Env Var | Purpose |
| --- | --- |
| API_SSL | Enable HTTPS server |
| SSL_PRIVATE_KEY_PATH | Path to private key file |
| SSL_PUBLIC_KEY_PATH | Path to public certificate file |
When enabled, Express starts an HTTPS server instead of HTTP. This is typically not needed when running behind Cloud Run or a reverse proxy that handles TLS termination.
Source: equa-server/modules/api/src/server.ts, lines 53-80
The following items cannot be verified from source code alone and require access to external systems. Use the Phase 1 Audit Runbook for step-by-step instructions to complete these audits and then update this document.