CI runs typecheck + tests on every push and builds signed images for the three apps on every push to the release branch. On the host, a single deploy script pulls the new images from a private container registry, runs schema migrations, and brings the compose stack up. An automated-TLS edge proxy is the only publicly reachable surface; the api, worker, database and queue all live on a private internal network, isolated from the open internet. The same recipe is reused for the other studio projects on the same footprint, with no app aware of the others.
- CI pipeline: typecheck + tests on push, signed images on release.
- Private container registry; no public image distribution.
- Single deploy script: pull → migrate → up.
- Edge proxy is the only public surface; api / worker / db / queue stay private.
- Same recipe reused across studio projects, without cross-tenancy.
- Deep dive · 01
Three-app monorepo
web · api · worker, plus one shared zod-contracts package. Postgres 16 + Redis 7 underneath. npm workspaces, no Turborepo.
- Deep dive · 02
Credit ledger booking model
Every booking action emits a typed ledger entry with a deterministic key. Reschedule preserves the hold; cancel inside the window writes a release; complete writes release + use.
- Deep dive · 03
Encryption at rest
AES-256-GCM via a single EncryptionService, shared across messages, therapist notes, and Daily-room join payloads. Round-trip + tamper-detection unit tests.
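A service of the shape described above, as an added example rather than the studio's EncryptionService: AES-256-GCM from node:crypto, a versioned envelope so keys can be rotated later, and an AAD label that binds each ciphertext to the column it belongs to. The AAD binding is this example's addition (the page only says the service is shared across three payload types); the envelope format, the context labels and the helper names (flipCiphertextBit, rejects) are assumptions.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example, not the studio's EncryptionService: AES-256-GCM with a versioned
// envelope and an AAD "context" string that ties a ciphertext to the column it came
// from. The AAD binding is this example's addition; the page only says the service
// is shared across messages, notes and join payloads.

const ALG = "aes-256-gcm";
const IV_BYTES = 12;  // 96-bit nonce, the GCM default
const TAG_BYTES = 16; // full 128-bit tag; never truncate it

export class EncryptionService {
  constructor(private readonly key: Buffer) {
    if (key.length !== 32) throw new Error("AES-256-GCM requires a 32-byte key");
  }

  // Produces "v1.<iv>.<tag>.<ciphertext>" in base64url. The version prefix is what
  // lets a later key or algorithm change still decrypt rows written today.
  encrypt(plaintext: string, context: string): string {
    const iv = randomBytes(IV_BYTES);
    const cipher = createCipheriv(ALG, this.key, iv, { authTagLength: TAG_BYTES });
    cipher.setAAD(Buffer.from(context, "utf8"));
    const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
    const tag = cipher.getAuthTag();
    return ["v1", iv.toString("base64url"), tag.toString("base64url"), ct.toString("base64url")].join(".");
  }

  decrypt(envelope: string, context: string): string {
    const parts = envelope.split(".");
    if (parts.length !== 4 || parts[0] !== "v1") throw new Error("unrecognised envelope");
    const [, ivB64, tagB64, ctB64] = parts;
    const iv = Buffer.from(ivB64, "base64url");
    const tag = Buffer.from(tagB64, "base64url");
    if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) throw new Error("malformed envelope");
    const decipher = createDecipheriv(ALG, this.key, iv, { authTagLength: TAG_BYTES });
    decipher.setAAD(Buffer.from(context, "utf8"));
    decipher.setAuthTag(tag);
    try {
      return Buffer.concat([decipher.update(Buffer.from(ctB64, "base64url")), decipher.final()]).toString("utf8");
    } catch {
      // GCM reports one failure for all three causes: wrong key, wrong context, modified bytes.
      throw new Error("authentication failed");
    }
  }
}

// Test helper: flip one bit in the ciphertext segment of an envelope.
export function flipCiphertextBit(envelope: string): string {
  const parts = envelope.split(".");
  const ct = Buffer.from(parts[3], "base64url");
  if (ct.length === 0) throw new Error("nothing to flip");
  ct[0] ^= 0x01;
  parts[3] = ct.toString("base64url");
  return parts.join(".");
}

// Test helper: true if the callback throws.
export function rejects(fn: () => unknown): boolean {
  try {
    fn();
    return false;
  } catch {
    return true;
  }
}
```

Two caveats a reviewer would raise on a shared service like this. Random 96-bit nonces are fine for a single key only up to the order of 2^32 encryptions (NIST SP 800-38D's bound for random IVs), so the version prefix should be paired with a real rotation plan, and the key itself belongs in an environment secret or KMS, never in the image. Second, without the AAD context a ciphertext from the messages table decrypts just as happily when copied into the therapist-notes column; the context string is what turns that into an authentication failure.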
- Deep dive · 04
Stripe webhook + payment ledger
Adapter pattern with a Mock twin for local development. Signature-verified raw-body Nest route. Payment.eventId is unique, so a redelivered event is recorded once. The renewal pipeline gates credits on payment evidence for the exact period being renewed.
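The three checks in that card, as an added example that is not the studio's adapter or route. It hand-rolls the verification that stripe-node's `stripe.webhooks.constructEvent` performs, following Stripe's documented scheme (a `t=<unix seconds>,v1=<hex>` header whose v1 value is HMAC-SHA256 over `${t}.${rawBody}` with the endpoint secret, accepted within a 300-second window), so the raw-body and replay points are visible in code; in a Nest route you would call the SDK instead. The reduced invoice shape, the PaymentLedger class and the outcome names are this example's assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example, not the studio's adapter or Nest route. Verification follows Stripe's
// documented signature scheme but is written out here instead of calling the SDK.
// Assumed: the PaymentLedger class, the outcome names, the reduced invoice shape.

const DEFAULT_TOLERANCE_SEC = 300; // Stripe's documented default replay window

// Header: "t=<unix seconds>,v1=<hex HMAC-SHA256 of `${t}.${rawBody}`>" (several v1 allowed).
export function verifyStripeSignature(
  header: string, rawBody: string, secret: string, nowSec: number, toleranceSec = DEFAULT_TOLERANCE_SEC,
): boolean {
  let ts: string | undefined;
  const sigs: Buffer[] = [];
  for (const part of header.split(",")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const k = part.slice(0, i).trim();
    const v = part.slice(i + 1).trim();
    if (k === "t") ts = v;
    else if (k === "v1") sigs.push(Buffer.from(v, "hex"));
  }
  if (!ts || sigs.length === 0) return false;
  if (Math.abs(nowSec - Number(ts)) > toleranceSec) return false; // replayed or badly skewed
  const expected = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest();
  return sigs.some((s) => s.length === expected.length && timingSafeEqual(s, expected));
}

// Sender side, used only to build a valid header for the constructed sample event.
export function signStripeStyle(rawBody: string, secret: string, ts: number): string {
  const mac = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  return `t=${ts},v1=${mac}`;
}

export interface PaymentRecord {
  eventId: string;        // unique: the same Stripe event is recorded at most once
  subscriptionId: string;
  periodStart: number;
  periodEnd: number;
}

export class PaymentLedger {
  private readonly byEventId = new Map<string, PaymentRecord>();

  // Stands in for a UNIQUE index on Payment.eventId plus ON CONFLICT DO NOTHING.
  record(p: PaymentRecord): "stored" | "duplicate" {
    if (this.byEventId.has(p.eventId)) return "duplicate";
    this.byEventId.set(p.eventId, p);
    return "stored";
  }

  // Renewal gate: credits are granted only against evidence for exactly this period.
  // "Some payment recently" would let an early or late invoice count for two periods.
  hasPaymentForPeriod(subscriptionId: string, periodStart: number, periodEnd: number): boolean {
    for (const p of this.byEventId.values()) {
      if (p.subscriptionId === subscriptionId && p.periodStart === periodStart && p.periodEnd === periodEnd) return true;
    }
    return false;
  }
}

export type WebhookOutcome = "rejected" | "ignored" | "stored" | "duplicate";

// The route must receive the raw bytes; JSON.parse runs only after the MAC checks out.
export function handleWebhook(
  sigHeader: string, rawBody: string, secret: string, nowSec: number, ledger: PaymentLedger,
): WebhookOutcome {
  if (!verifyStripeSignature(sigHeader, rawBody, secret, nowSec)) return "rejected";
  const event = JSON.parse(rawBody);
  if (event.type !== "invoice.paid") return "ignored";
  const inv = event.data.object; // reduced shape assumed: subscription, period_start, period_end
  return ledger.record({
    eventId: event.id,
    subscriptionId: inv.subscription,
    periodStart: inv.period_start,
    periodEnd: inv.period_end,
  });
}
```

The raw-body requirement is not cosmetic: if the framework's JSON parser runs first and the handler re-serialises the object, whitespace and key order change and every signature fails, which tempts people to turn the check off. In Nest that means enabling the raw-body option on the application and reading the unparsed buffer in this one route. The unique eventId does the same job under concurrency that the Map does here: two deliveries racing into the table collide on the index, and the loser is treated as a duplicate rather than a second payment.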
- Deep dive · 05
Tick-loop worker
One tsx loop runs four jobs per tick — reminder scan, renewal scan, no-show sweep, notification dispatch. NotificationEvent rows carry unique dedupeKeys for safe retries.
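The loop shape described above, as an added example rather than the studio's worker: one tick runs its jobs in order, a failing job is recorded and skipped instead of ending the tick, the next tick is scheduled only after the current one finishes, and the reminder scan writes through a table keyed by dedupeKey so a repeated scan cannot produce a second send. Job, NotificationStore, runTick, startLoop, reminderScan and notificationDispatch are this example's names; only the reminder and dispatch jobs are written out.

```typescript
// Added example, not the studio's worker. Assumed names throughout; only two of the
// four jobs from the page (reminder scan, notification dispatch) are implemented.

export interface NotificationEvent {
  dedupeKey: string;      // unique in the table; this is the retry guard
  bookingId: string;
  kind: "reminder";
  sentAt: number | null;
}

export class NotificationStore {
  private readonly rows = new Map<string, NotificationEvent>();

  // Mirrors INSERT ... ON CONFLICT (dedupe_key) DO NOTHING: false means "already there".
  insert(e: NotificationEvent): boolean {
    if (this.rows.has(e.dedupeKey)) return false;
    this.rows.set(e.dedupeKey, { ...e });
    return true;
  }

  pending(): NotificationEvent[] {
    return [...this.rows.values()].filter((r) => r.sentAt === null);
  }

  markSent(dedupeKey: string, at: number): void {
    const row = this.rows.get(dedupeKey);
    if (row) row.sentAt = at;
  }

  count(): number {
    return this.rows.size;
  }
}

export interface Job {
  name: string;
  run(now: number): Promise<void>;
}

export interface TickReport {
  ran: string[];
  failed: { name: string; error: string }[];
}

// One tick. A throwing job is recorded and skipped; the jobs after it still run.
export async function runTick(jobs: Job[], now: number): Promise<TickReport> {
  const report: TickReport = { ran: [], failed: [] };
  for (const job of jobs) {
    try {
      await job.run(now);
      report.ran.push(job.name);
    } catch (err) {
      report.failed.push({ name: job.name, error: err instanceof Error ? err.message : String(err) });
    }
  }
  return report;
}

// The next tick is scheduled only after the current one resolves, so a slow tick
// delays its successor instead of running alongside it. Returns a stop function.
export function startLoop(jobs: Job[], intervalMs: number): () => void {
  let stopped = false;
  let timer: ReturnType<typeof setTimeout> | undefined;
  const tick = async (): Promise<void> => {
    if (stopped) return;
    await runTick(jobs, Date.now());
    if (!stopped) timer = setTimeout(tick, intervalMs);
  };
  timer = setTimeout(tick, 0);
  return () => {
    stopped = true;
    if (timer) clearTimeout(timer);
  };
}

// Reminder scan: each upcoming booking inside the lead window gets exactly one row.
export function reminderScan(bookings: { id: string; sessionAt: number }[], store: NotificationStore, leadMs: number): Job {
  return {
    name: "reminder-scan",
    async run(now) {
      for (const b of bookings) {
        if (b.sessionAt > now && b.sessionAt - now <= leadMs) {
          store.insert({ dedupeKey: `reminder:${b.id}`, bookingId: b.id, kind: "reminder", sentAt: null });
        }
      }
    },
  };
}

// Dispatch: send every pending row, then mark it. A crash between send and mark leaves
// the row pending and it is sent again on retry (at-least-once); the dedupeKey is what
// stops the scan from ever creating a second row for the same booking.
export function notificationDispatch(store: NotificationStore, send: (e: NotificationEvent) => Promise<void>): Job {
  return {
    name: "notification-dispatch",
    async run(now) {
      for (const e of store.pending()) {
        await send(e);
        store.markSent(e.dedupeKey, now);
      }
    },
  };
}
```

Two properties are worth checking on any loop of this shape: a job that throws on every tick must not starve the jobs after it (here it is caught per job, so it shows up in the report and nothing else changes), and restarting the process mid-tick must not double the reminders (here the second scan collides on the dedupeKey and inserts nothing).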
Got something this size?
Big ambitions, we match the energy. Drop a brief — reply within one working day.