Phenom Drop

Phenom Drop: Docker build, App Runner deployment, backend Python server, email/consent flow

Overview

Phenom Drop is the media intake system for the Phenom app ecosystem. It handles user media submissions with consent tracking, email collection, and C2PA credential signing. The backend runs on AWS App Runner.

Repository: thephenom-app/phenom-drop

Architecture

phenom-drop/
  backend/
    server.py          -- Python HTTP server
    requirements.txt   -- Python dependencies
  docker-compose.yml   -- Local development
  Dockerfile           -- Docker build (legacy, pre-Sovereign Architecture)

Components

Backend Server (Python)

The Python server handles:

  • Media file uploads (images, video)
  • Consent form processing
  • Email collection (submitterEmail)
  • Firestore payload storage
  • S3 media storage
  • C2PA signing integration

Email/Consent Flow

  1. User submits media via the Phenom app drop interface
  2. Backend collects submitterEmail from the consent form
  3. Media files are uploaded to S3
  4. Drop payload (including submitterEmail) is stored in Firestore
  5. C2PA credentials are generated for the submitted media

Firestore Payload Structure

{
  "dropId": "unique-drop-id",
  "submitterEmail": "user@example.com",
  "mediaFiles": [
    {
      "filename": "photo.jpg",
      "s3Key": "drops/<drop-id>/photo.jpg",
      "contentType": "image/jpeg",
      "size": 2048576
    }
  ],
  "consent": {
    "agreed": true,
    "timestamp": "2026-03-21T12:00:00Z"
  },
  "createdAt": "2026-03-21T12:00:00Z"
}
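
A validation pass the backend could run on a drop payload before step 4 of the flow writes it to Firestore, shown as an added example that is not Phenom Drop's own code. The function names, the character sets allowed for dropId and filename, and the rule that s3Key must equal drops/<dropId>/<filename> are assumptions made for this example.

```python
import re
from datetime import datetime

# Assumed rules for this example; none are taken from the Phenom Drop code base.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")                  # dropId charset
NAME_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}")  # flat name: no "/", no leading "."
MEDIA_PREFIXES = ("image/", "video/")                        # the page lists images and video


def matches(pattern, value):
    return isinstance(value, str) and pattern.fullmatch(value) is not None


def has_offset_timestamp(value):
    """True for ISO 8601 strings that carry a UTC offset, e.g. 2026-03-21T12:00:00Z."""
    if not isinstance(value, str):
        return False
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False


def validate_drop_payload(payload):
    """Return the names of fields that fail; an empty list means the drop may be stored."""
    drop_id = payload.get("dropId")
    consent = payload.get("consent") if isinstance(payload.get("consent"), dict) else {}
    files = payload.get("mediaFiles") if isinstance(payload.get("mediaFiles"), list) else []
    checks = [
        ("dropId", matches(ID_RE, drop_id)),
        ("submitterEmail", matches(EMAIL_RE, payload.get("submitterEmail"))),
        ("consent.agreed", consent.get("agreed") is True),  # "true" or 1 is not consent
        ("consent.timestamp", has_offset_timestamp(consent.get("timestamp"))),
        ("createdAt", has_offset_timestamp(payload.get("createdAt"))),
        ("mediaFiles", len(files) > 0),
    ]
    for i, item in enumerate(files):
        item = item if isinstance(item, dict) else {}
        name, size, field = item.get("filename"), item.get("size"), f"mediaFiles[{i}]."
        checks += [
            (field + "filename", matches(NAME_RE, name)),
            # The key must sit under this drop's own prefix, not another drop's.
            (field + "s3Key", item.get("s3Key") == f"drops/{drop_id}/{name}"),
            (field + "contentType", str(item.get("contentType")).startswith(MEDIA_PREFIXES)),
            (field + "size", type(size) is int and size > 0),
        ]
    return [label for label, ok in checks if not ok]
```

A caller would write the document to Firestore only when the returned list is empty and reject the request otherwise.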

Deployment

Build

Phenom Drop uses Docker builds (legacy pattern). Build on ai.matthewstevens.org:

ssh ai
export PATH=/usr/local/bin:/opt/homebrew/bin:$HOME/.orbstack/bin:$PATH

cd /path/to/phenom-drop
docker buildx build --platform linux/amd64 --builder multiarch -t phenom-drop-backend .

Push to ECR

AWS_ACCOUNT_ID=$(pass aws/account-id)
AWS_REGION="us-east-1"
ECR_REPO="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/phenom-drop-backend"

aws ecr get-login-password --region ${AWS_REGION} | \
  docker login --username AWS --password-stdin ${ECR_REPO}

docker tag phenom-drop-backend:latest ${ECR_REPO}:latest
docker push ${ECR_REPO}:latest

App Runner Deployment

App Runner automatically deploys when a new image is pushed to ECR. Manual trigger:

SERVICE_ARN=$(pass aws/phenom-drop/apprunner-arn)
aws apprunner start-deployment --service-arn ${SERVICE_ARN}

See AWS App Runner SOP for full details.

NAS Deployment (Testing)

For NAS-based testing:

ssh a1

# Ensure containers are on the same Docker network
docker network create phenom-net 2>/dev/null || true

# Run the backend
docker run -d \
  --name phenom-drop-backend \
  --network phenom-net \
  --restart unless-stopped \
  -p 8085:8080 \
  -e S3_BUCKET=phenom-drop-media \
  applepublicdotcom/phenom-drop-backend:testing

Docker Network Requirements

The phenom-drop backend must be on the same Docker network as related services (e.g., drop-hash-log). If containers are on different networks, DNS resolution fails and you get 502 errors.

# Connect existing container to network
docker network connect phenom-net drop-hash-log

S3 Configuration

  • Bucket: phenom-drop-media
  • Region: us-east-1
  • CORS: Configured for the Phenom app domain
  • Access: Via AWS credentials (not public)

Known Issues

  • Large file C2PA error: Files over 100MB may fail C2PA signing due to memory constraints. Increase App Runner memory if needed.
  • Docker network isolation: Containers must be on the same Docker network for inter-service communication on the NAS.
  • S3 CORS: If uploads fail with CORS errors, verify the S3 bucket CORS configuration includes the app domain.