SubstrateTheNetwork
Tech · Hetzner + Cloudflare + Coolify
CCX33 Nuremberg, 16 containers, Restic-to-R2 daily.
Canonical statement
Generated HTML, PDF, and mobile artifacts are not authoritative sources of identity. The master branch of the substrate repo is the stable public baseline; any rendered surface is a projection that may drift from substrate truth.
Substrate-grounded claims (6)
- MEMBERSHIP_SIGNING_KEY environment variable must be configured; membership services refuse to start without it (or the AUTH_SECRET fallback) to prevent insecure defaults. Fail-closed posture is structural — no insecure-default vouching is possible.
  (:Concept claim-membership-signing-key-required-2026-05-20)
- A single memberDisplayName() helper function must wrap all member-name rendering paths to prevent DID substrings from being returned when names are missing. The helper enforces the PII rule structurally — there is no fallback path that exposes did:privy:* identifiers.
  (:Concept claim-member-display-name-helper-2026-05-20)
- Server-side workspace packages must be added to serverExternalPackages in next.config. Missing entries cause server startup crashes that manifest as CORS errors, because the crashed API sends no response headers at all, masking the actual MODULE_NOT_FOUND root cause.
  (:Concept claim-server-external-packages-required-2026-05-20)
- Production runs on a Hetzner CCX33 (Nuremberg) orchestrated by Coolify v4.0.0-beta.474 across 16 Docker containers. Cloudflare provides DNS, CDN, Workers, R2 storage, and tunnel infrastructure. Restic backs up data to R2 daily at 02:00 UTC for offsite redundancy. SSH access uses Tailscale as primary with public-IP fallback.
  (:Concept claim-hetzner-cloudflare-coolify-trio-2026-05-20)
- Generated HTML, PDF, and mobile artifacts are not authoritative sources of identity. The master branch of the substrate repo is the stable public baseline; any rendered surface is a projection that may drift from substrate truth.
  (:Concept claim-master-branch-authoritative-2026-05-20)
- Docker-published Neo4j ports on public interfaces bypassed UFW default-deny firewall rules. Lesson: Docker port mappings can silently puncture host firewalls; bind to localhost or attach to an internal Docker network when firewall isolation matters. Container security must be designed with knowledge of the Docker-firewall interaction.
  (:Concept claim-docker-ufw-bypass-lesson-2026-05-20)
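The Docker/UFW interaction in the last claim, as an added example that is not code from the substrate repo: a POSIX shell audit that parses the Ports column of `docker ps` and reports every published port whose host-side bind is not loopback, run here against a constructed sample. The function names, container names and ports are assumptions.

```shell
# Added example, not code from the substrate repo. Docker installs its own
# iptables rules (the DOCKER chains) ahead of the rules UFW manages, so a
# port published on 0.0.0.0 or :: is reachable on the public interface even
# under UFW's default-deny policy. The host-side bind address on each
# mapping is therefore the control to audit.
#
# Input: lines of "<container><TAB><ports>" as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: one "<container> <host-bind>" line per published port that is not
# bound to a loopback address.
list_exposed_bindings() {
  printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name ports; do
    [ -n "$name" ] || continue
    # Mappings are comma-separated: "0.0.0.0:7474->7474/tcp, :::7474->7474/tcp"
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r mapping; do
      case "$mapping" in
        *'->'*) ;;
        *) continue ;;   # "7687/tcp" alone is only reachable on the Docker network
      esac
      host=${mapping%%->*}   # host side, e.g. "0.0.0.0:7474" or ":::7474"
      case "$host" in
        127.*|'[::1]':*) continue ;;   # loopback binds never leave the host
      esac
      printf '%s %s\n' "$name" "$host"
    done
  done
}

# Number of exposed bindings, for use as a CI or cron gate.
count_exposed_bindings() {
  list_exposed_bindings "$1" | wc -l | tr -d ' '
}

# Constructed sample (assumed names and ports): Neo4j HTTP published on all
# IPv4 and IPv6 interfaces, Bolt correctly on loopback, the API on loopback,
# and Redis with an exposed-but-unpublished port.
SAMPLE_DOCKER_PS="$(printf '%s\t%s\n' \
  neo4j '0.0.0.0:7474->7474/tcp, :::7474->7474/tcp, 127.0.0.1:7687->7687/tcp' \
  api   '127.0.0.1:3000->3000/tcp' \
  redis '6379/tcp')"

# Remediation is the host address on the compose ports entry, e.g.
#   ports: ["127.0.0.1:7474:7474", "127.0.0.1:7687:7687"]
# or daemon-wide via {"ip": "127.0.0.1"} in /etc/docker/daemon.json; services
# only other containers need should sit on an internal network and publish nothing.
list_exposed_bindings "$SAMPLE_DOCKER_PS"
```

Against live output, pipe `docker ps --format '{{.Names}}\t{{.Ports}}'` into a variable and pass it to count_exposed_bindings; a non-zero count is the finding.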