Deployment & Auth
Deploy Sentra with clear demo/production boundaries, Cognito groups, AWS services, and required environment values.
Sentra uses one codebase for demo and production, but the environment configuration changes the dependency boundary.
Demo/local mode
Local demo mode may use:
- Mock login.
- Mock OpenAI-compatible LLM service.
- Local file storage fallback.
- In-memory queues.
- Inline ingest/training workers.
Run locally:
cp .env.example .env
make dev
make seed
Investor-style seed:
make seed-investor
Local URLs:
| Service | URL |
|---|---|
| Console | http://localhost:3000 |
| API | http://localhost:8000 |
| LLM mock | http://localhost:9001 |
| MinIO | http://localhost:9002 |
Mock tokens:
- Analyst: local-analyst
- Admin: local-admin
Production mode
Production mode should use:
- Cognito Hosted UI.
- FastAPI JWT verification.
- Cognito groups: Analyst, Admin.
- AWS S3 buckets.
- AWS SQS queues.
- Aurora Postgres.
- Redis.
- CloudWatch logs/metrics/alarms.
- Self-hosted Qwen2.5-7B-Instruct on vLLM if AI enrichment is enabled.
Production mode must not depend on mock auth, mock LLM, local file storage, or in-memory queues.
Roles
| Role | Permissions |
|---|---|
| Analyst | Score transactions, view cases, update cases, submit feedback, view transactions and entities. |
| Admin | Analyst permissions plus config, model activation, ingest, training, data contract, and LLM trigger. |
Console environment
NEXT_PUBLIC_API_PROXY_BASE=https://your-sentra-api.example.com
NEXT_PUBLIC_AUTH_MODE=cognito
NEXT_PUBLIC_COGNITO_DOMAIN=your-domain.auth.us-east-1.amazoncognito.com
NEXT_PUBLIC_COGNITO_CLIENT_ID=...
NEXT_PUBLIC_COGNITO_REDIRECT_URI=https://your-console.example.com/api/auth/callback
NEXT_PUBLIC_COGNITO_LOGOUT_URI=https://your-console.example.com/login
API environment
APP_ENV=production
SENTRA_POSTGRES_DSN=postgresql+psycopg://...
SENTRA_REDIS_URL=redis://...
SENTRA_LLM_BASE_URL=http://sentra-llm.internal:8000
SENTRA_RAW_BUCKET=sentra-raw-data
SENTRA_PROCESSED_BUCKET=sentra-processed-data
SENTRA_MODEL_BUCKET=sentra-model-registry
SENTRA_KYC_BUCKET=sentra-kyc-docs
SENTRA_INGEST_QUEUE_NAME=sentra-ingest-jobs
SENTRA_TRAIN_QUEUE_NAME=sentra-train-jobs
SENTRA_LLM_QUEUE_NAME=sentra-llm-jobs
SENTRA_AUTH_MODE=cognito
COGNITO_REGION=us-east-1
COGNITO_USER_POOL_ID=...
COGNITO_APP_CLIENT_ID=...
COGNITO_ISSUER=...
SENTRA_MODEL_REGISTRY_MODE=s3_pointer
SENTRA_ACTIVE_MODEL_KEY=models/active-model.json
AWS storage
| Bucket | Purpose |
|---|---|
| sentra-raw-data | Partner uploads and raw ingest files. |
| sentra-processed-data | Processed snapshots and ingest quality output. |
| sentra-model-registry | Model artifacts, metrics, feature schema, and active model pointer. |
| sentra-kyc-docs | KYC/KYB documents or parsed text references. |
Readiness checklist
Before production:
- /healthz returns {"status":"ok"}.
- /v1/risk/score works with Cognito auth.
- Active model pointer is present in S3.
- Console can access API through NEXT_PUBLIC_API_PROXY_BASE.
- Analyst and Admin users exist.
- Data contract has been accepted by the payment team.
- Private dataset validates locally.
- KYC/KYB retention and masking policy is approved.
- Demo-only fallbacks are disabled.