SanMarcSoft SOP Runbook
Internal operational runbook for all SanMarcSoft infrastructure, services, deployments, and compliance procedures.
Access: This site is restricted to authorized SanMarcSoft personnel via Cloudflare Access (GitHub OAuth).
Quick Links
Infrastructure
- Cloudflare DNS Management – Adding and modifying DNS records
- Cloudflare Workers – Deploying and managing Workers
- Scaleway Containers – Serverless Container deployment via Pulumi
- AWS App Runner – Phenom Drop App Runner deployment
- Docker Builds – Building images on ai.matthewstevens.org
- Nix Builds – Sovereign Architecture Nix builds
Services
- Verifieddit Deployment – Full verifieddit.com deployment pipeline
- Stripe Backend – Stripe billing backend service
- Badges Worker – Cloudflare badges worker
- Badge Signer – C2PA signing service
- Phenom Drop – Media intake and consent pipeline
- TTS Server – Percy TTS server (Qwen3-TTS)
- Clerk Authentication – Clerk auth configuration and management
Operations
- Cache Purge – Cloudflare cache purge procedures
- Secret Rotation – Credential management and rotation
- AI Detection – Sightengine AI detection integration
- User Migration – Migrating users between Clerk instances
- Database Operations – D1 database management
- Monitoring – Health checks and monitoring
Compliance
- GDPR Procedures – Data subject request handling
- Data Breach Response – Breach notification and response
- Legal Pages – Legal page maintenance
Troubleshooting
- Common Issues – Frequently encountered problems and fixes
Setup
- Cloudflare Access – Access control configuration for this site
Governing Principles
All SanMarcSoft operations are governed by the Sovereign Architecture SOP (effective 2026-03-13):
- The Nix Law – Zero Dockerfiles for production builds. All images built with nix build + pkgs.dockerTools.buildLayeredImage.
- The Cross-Compile Law – Development on Apple Silicon (aarch64-darwin), all images target x86_64-linux.
- The Sovereign Registry Law – Production images go to Scaleway Container Registry (rg.fr-par.scw.cloud/sanmarcsoft/), EU data sovereign.
- The IaC Law – All infrastructure via Pulumi TypeScript. State backend on Scaleway Object Storage (fr-par).
What stays on Cloudflare (not migrated)
- DNS + CDN (all domains)
- Zero Trust Access
- Workers (badges, URL shortener, waitlist)
- KV + D1 databases
Infrastructure
Standard operating procedures for SanMarcSoft infrastructure management
6 procedures
Services
Standard operating procedures for SanMarcSoft service deployment and management
7 procedures
Operations
Standard operating procedures for day-to-day SanMarcSoft operations
6 procedures
Compliance
GDPR compliance, data breach response, and legal page maintenance procedures
3 procedures
Troubleshooting
Common issues, root cause analysis, and resolution steps
1 procedure
Setup
Setup and configuration procedures for SanMarcSoft infrastructure
1 procedure