Status
Every subproject, wired up.
Architecture diagrams baked at build time from each subproject's self-emitted slot in data/diagrams/. Live-state strip shows version, last build, and a status pill. The pill is color and icon both — color-blind safe.
AWS cloud-base for every Quantapix surface. Four CloudFront-fronted static sites, one t4g.small EC2 fronting two FastAPI apps, GitHub OIDC for CI, KMS-CMK-backed SecureStrings.
S3
Five buckets total: four site buckets (one per apex domain) + one shared qagents-artifacts. Site buckets are versioned with a 30-day noncurrent lifecycle; artifacts is SSE-KMS encrypted with the account CMK. ~$0.50/mo combined.
CloudFront
One distribution per site. PriceClass_100, OAC origin access, HTTP/2 + HTTP/3, custom 403/404 → /404.html. Cache by content type (HTML short, assets immutable). ~$1–2/mo combined at current traffic.
CF Functions
Single shared viewer-request function astro-rewrite-index, attached to all four distributions. Rewrites /route → /route/index.html for Astro static-build directory-index resolution. Free under the CloudFront free tier.
ACM
One TLS certificate per CloudFront distribution, all issued in us-east-1 (CloudFront's only allowed cert region). DNS-validated against the matching Route 53 hosted zone. Auto-renewed; free.
Route 53
Two hosted zones live today: quantapix.com + femfas.net. Two more arrive at Qnarre + Qresev launch. Each zone hosts apex ALIAS to CloudFront + the relevant API A-record to the EIP. ~$1/mo combined.
IAM
Three principals (qagents-deploy, qagents-deploy-ci, qagents-app-role) + the GitHub OIDC identity provider. All managed by CDK's IdentityStack; permission boundary qagents-deploy-boundary caps deploy permissions. Free.
EC2
Single Graviton t4g.small (2 vCPU, 2 GB RAM). Termination protection on, IMDSv2 required, EBS-encrypted with the account CMK. Hosts both Qnarre + Qresev FastAPI apps + Caddy + the lake build process. ~$11/mo on-demand, ~$7/mo with a 1-year savings-plan commit.
Elastic IP
One IPv4 EIP associated with the EC2 instance. Stable across stop/start so DNS A-records do not chase. $0/mo while attached.
Default VPC
The account default VPC, public subnet only. No NAT Gateway (saves ~$32/mo). EC2 reaches public package mirrors over its own EIP; at v0.1 there are no internal-private workloads that need NAT.
Security Group
Single SG attached to the EC2 instance. Inbound: TCP/443 from 0.0.0.0/0 only. SSM Session Manager works without an inbound rule (uses outbound to the SSM service). No SSH (TCP/22) — explicitly omitted.
SSM Session Mgr
Shell access path. aws-vault exec qagents -- aws ssm start-session --target i-xxxx opens an authenticated, audited, MFA-gated shell to the instance over the AWS data plane. Replaces SSH entirely.
SSM Param Store
SecureString parameters under /qagents/*: Anthropic, Perplexity, Alpaca, Caddy admin tokens. KMS-encrypted with the account CMK. Read by the EC2 app role; rotated manually via SSM CLI. Free for standard parameters.
KMS
One customer-managed symmetric key, alias alias/qagents-cmk. Encrypts EBS volumes, SSM SecureStrings, SSE-KMS S3 artifacts, CloudTrail logs, CloudWatch log groups. ~$1/mo + per-API-call charges (negligible at v0.1 traffic).
CloudWatch Logs
One log group per app (/aws/qagents/qnarre, /aws/qagents/qresev) + Caddy + lake build. KMS-encrypted, 7-day retention by default. ~$0.50/mo at current volume.
CW Alarms + SNS
Three alarms wired to a single SNS topic with email subscription: EC2 CPU > 80% for 15 min, EBS disk-usage > 85%, AWS Budgets actual cost > 80% / 100% / 120% of $50/mo. Free under the CloudWatch + SNS free tiers.
AWS Budgets
One monthly cost budget, threshold $50. Three alert tiers (80% forecast, 100% actual, 120% actual) all routed through the SNS topic. Free for the first two budgets per account.
GuardDuty
Account-wide threat detection. Watches CloudTrail, VPC DNS logs, S3 data-events, EKS audit logs (no EKS yet). Findings route to the SNS topic via an EventBridge rule. ~$3–5/mo at v0.1 telemetry volume.
Cost Explorer
Cost-monitoring dashboard. Used to ground-truth the budget alerts and spot drift early. Free.
ALB
Deferred. Adds ~$16/mo + LCU charges. Only justified at horizontal scale (≥2 EC2 instances) or when the API surface needs path-based routing across services. Not at v0.1.
Auto Scaling Group
Deferred. The first scaling lever is vertical (t4g.small → t4g.medium); horizontal-scale via ASG comes after that. Free in itself but requires ALB + adapted state management.
AWS Backup
Deferred. EBS snapshots cover the disaster-recovery story at v0.1; AWS Backup adds policy-managed retention + cross-region copy. Revisit when there is real user data on the instance worth retaining.
AWS WAF
Deferred. CloudFront security-headers + Caddy bot-detection cover the v0.1 threat model. WAF adds ~$5/mo + per-rule + per-request charges; revisit if the Qnarre/Qresev APIs see scraping.
AWS Config
Deferred. CDK-as-source-of-truth + CloudTrail + GuardDuty cover compliance posture at v0.1 scale. Config recorder + rules add ~$10–15/mo; revisit at audit-readiness.
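An added example, not Quantapix's own code: an offline check that flags drift from the posture stated in the EC2 and Security Group entries above (inbound TCP/443 only, no SSH, IMDSv2 required, EBS encrypted). It reads JSON in the shape returned by aws ec2 describe-security-groups, describe-instances and describe-volumes; the sample data and resource IDs are constructed, and the check confirms that volumes are encrypted without verifying which key is used.

```python
# Offline drift check for the EC2 and Security Group posture (added example).
# Inputs use the JSON shape of the aws ec2 describe-* calls; samples are constructed.
ALLOWED_INBOUND = {("tcp", 443, 443)}  # stated posture: TCP/443 is the only inbound rule

def sg_findings(sg):
    """Return one finding per inbound rule that is not TCP/443."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if (proto, lo, hi) in ALLOWED_INBOUND:
            continue
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
        # IpProtocol "-1" means every protocol and port; such rules carry no port fields.
        ports = "all" if proto == "-1" else f"{lo}-{hi}"
        ssh = proto == "-1" or (proto == "tcp" and lo is not None and lo <= 22 <= hi)
        findings.append({"sg": sg["GroupId"], "proto": proto, "ports": ports,
                         "sources": sources, "exposes_ssh": ssh})
    return findings

def instance_findings(instance, volumes):
    """Check IMDSv2 enforcement and encryption of the instance's attached EBS volumes."""
    findings = []
    if instance.get("MetadataOptions", {}).get("HttpTokens") != "required":
        findings.append("IMDSv2 not required (HttpTokens != required)")
    attached = {m["Ebs"]["VolumeId"]
                for m in instance.get("BlockDeviceMappings", []) if "Ebs" in m}
    for vol in volumes:
        if vol["VolumeId"] in attached and not vol.get("Encrypted", False):
            findings.append(f"volume {vol['VolumeId']} is not encrypted")
    return findings

# Constructed samples: one group matching the stated posture, one that has drifted.
GOOD_SG = {"GroupId": "sg-good", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DRIFTED_SG = {"GroupId": "sg-drift", "IpPermissions": GOOD_SG["IpPermissions"] + [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-other"}]}]}
DRIFTED_INSTANCE = {"InstanceId": "i-example", "MetadataOptions": {"HttpTokens": "optional"},
                    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-a"}}]}
VOLUMES = [{"VolumeId": "vol-a", "Encrypted": False}, {"VolumeId": "vol-b", "Encrypted": False}]

if __name__ == "__main__":
    for finding in sg_findings(GOOD_SG) + sg_findings(DRIFTED_SG):
        print(finding)
    for finding in instance_findings(DRIFTED_INSTANCE, VOLUMES):
        print(finding)
```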
Lean4 axiomatic kernel for the legal domain. RICO + Title VI + §§ 1981/1983/1985(3). Predicates return ⟨bool, evidence, citation⟩; the kernel does no I/O.
Financial-domain Lean4 kernel parallel to proving/. TREND, MOMENTUM, OPTIONS-RISK, SECTOR, DRAWDOWN. Defined-risk options only — strictly enforced at the kernel level.
Axiomatic verifier for legal complaints. Astro + React-island shell fronted by FastAPI; SSE streams predicate events from the proving/ Lean kernel. Early-beta 6/1/2026.
Axiomatic evaluator for stocks and portfolios. Same shape as Qnarre, different OHLCV. Defined-risk options only — six-strategy allow-list enforced at both the UI and the kernel. Early-beta 6/1/2026.
VSCode extension. DuckDB+Parquet OHLCV store, lightweight-charts v5, yfinance/Stooq ingest, Alpaca IEX live feed. Symbols / Sectors / Portfolios trees feed the chart + aggregate panels.
Three competing PMs (aggressive / moderate / conservative) on Alpaca paper. Holding periods are days to months — not day-trading. Defined-risk options only; non-allow-listed strategies hard-refused.
Lean4 expert-track study + open-source contribution roadmap. 10 ranked focus areas in studying/focus-areas.md; toolchain-aligned to whatever proving/ + accounting/ pin.
5 topics × 10 subjects video-explainer arc. Janet narrates animated cards + D3.js / Cytoscape.js graphics. Scripts only here; rendering is a separate voice/lipsync pipeline.
femfas.net v2 — Astro + React islands fronted by S3 + CloudFront. Public dockets, redacted filings, the long-form record.
quantapix.com — Astro + React islands, S3 + CloudFront. The site you are reading. Status page rides this same pipeline.