System Administration Documentation¶
Welcome to the SYNDI system administration documentation. This guide serves system administrators, DevOps engineers, and developers responsible for deploying, configuring, and maintaining CLAIRE, PAUL, and SAM systems.
📚 Complete Documentation Index¶
Getting Started
System Architecture
Authentication & RBAC
Monitoring & Maintenance
🏗️ Infrastructure Overview¶
SYNDI supports multiple deployment architectures:
Local Development¶
Backend: FastAPI server with hot reload (
localhost:8000)Frontend: Vite development server (
localhost:3000)Storage: Local filesystem simulating S3 (
.local/s3/)Authentication: Mock authentication for development
Command:
make start-dev ENV=dev ORG=myorg
AWS Cloud (Production)¶
Backend: Lambda function with API Gateway
Frontend: S3 + CloudFront CDN
Storage: S3 buckets with encryption and versioning
Authentication: AWS Cognito with role-based access control
Command:
ORG=myorg ENV=prod make rs-deploy
Multi-Organization Support¶
Isolation: Separate Cognito User Pools per organization
Resources: Separate Lambda functions and S3 buckets per organization
Data: Complete data and user isolation between organizations
Scaling: Independent scaling and monitoring per organization
🔧 Key Concepts¶
Configuration Hierarchy¶
SYNDI uses a three-tier configuration system:
CloudFormation Outputs → Lambda environment variables (infrastructure values)
Base JSON configs → Application behavior settings
Org-specific overrides → Organization-specific customizations
Read more: Configuration System Architecture
Deployment Parameters¶
All deployments use four key parameters:
ENV: Environment (dev,test,stage,prod)ORG: Organization identifier (required, no default)ENABLE_AUTH: Enable Cognito authentication (true/false)CREATE_BUCKETS: Create S3 buckets (truefor first deploy,falsefor updates)
Read more: Makefile Deployment Guide
Resource Naming Convention¶
All AWS resources follow this pattern:
Lambda:
rawscribe-{env}-{org}-backendAPI Gateway:
rawscribe-{env}-{org}-apiS3 Buckets:
rawscribe-{service}-{env}-{org}-{accountid}Cognito:
rawscribe-{env}-{org}-userpool
Read more: AWS Resources Reference
📋 Common Tasks Quick Reference¶
Initial Setup¶
# First-time organization deployment
ENABLE_AUTH=true CREATE_BUCKETS=true \
ADMIN_USERNAME=admin@myorg.com ADMIN_PASSWORD=SecurePass! \
ORG=myorg ENV=stage make rs-deploy
# Sync configuration files
make sync-configs ENV=stage ORG=myorg
Daily Development¶
# Start local development servers
make setup-local ENV=dev ORG=myorg
make start-dev ENV=dev ORG=myorg
# Run tests
make test-all ORG=myorg
Deployment Updates¶
# Quick code-only update (30 seconds)
ORG=myorg ENV=stage make rs-deploy-function
# Configuration changes (2 minutes)
ORG=myorg ENV=stage make rs-deploy-only
# Full rebuild (5 minutes)
ORG=myorg ENV=stage make rs-deploy
Monitoring¶
# Check deployment status
ORG=myorg ENV=stage make check-rs
# View Lambda logs
ORG=myorg ENV=stage make rs-watch-log
# Test authentication
ORG=myorg ENV=stage make test-jwt-aws
⚠️ Important Security Notes¶
No Default Organization: ORG parameter is required for all commands (prevents accidental deployments)
Environment Isolation: Each ENV/ORG combination is completely isolated
Credentials: Never hardcode credentials; use environment variables or AWS Secrets Manager
Config Files:
infra/.config/directory is NOT in version controlProduction Deployments: Always use
ENABLE_AUTH=truefor production
🆘 Getting Help¶
Deployment Issues: See Deployment Troubleshooting
Configuration Problems: See Configuration System
Authentication Issues: See Testing Authentication
General Troubleshooting: See Monitoring