Deployment
Deployment for this app is owned by the Jenkins pipeline defined in
Jenkinsfile at the repository root.
Pipeline
The Jenkinsfile is the source of truth for build, lint, type-check, test, dependency audit, image push, and ECS rolling-update stages, plus CloudFront cache invalidation post-deploy. The target AWS account is derived at runtime from the branch; ECR/ECS/CloudFront credentials are referenced by Jenkins credential IDs configured on the controller. No secrets are committed to this repository.
Branch policy
| Branch | Target environment | Promotion |
|---|---|---|
| dev | cwt-dev | Automatic on merge |
| main | cwt-prod | Manual approval gate |
Local workflows
Use the Makefile for local development. The most common targets are:
| Target | Purpose |
|---|---|
| dev | Start the Next.js dev server |
| build | Produce the Next.js standalone build |
| test | Run the Playwright suite (Chromium project) |
| lint | Run ESLint |
| type-check | Run tsc --noEmit strict type check |
| audit | Run dependency audits (npm audit, npm outdated) |
| cwt-* | ECR/ECS helpers (cwt-ecr-login, cwt-docker-build, cwt-docker-push, cwt-deploy) shared with the Jenkins job |
Production gating
The app loads app/src/instrumentation.ts on boot. When NODE_ENV=production
or APP_ENV=prod, the instrumentation hook fails fast if any of
STUDIO_API_URL, NEXT_PUBLIC_STUDIO_API_URL, or SESSION_SECRET is
missing or points at localhost. The same hook strips chatty session/auth
log lines that were only useful during local development.
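The fail-fast check described above, sketched as an added example (it is not the project's app/src/instrumentation.ts). The helper names, the loopback host list, and the SESSION_SECRET length check taken from the variables table are assumptions.

```typescript
// Added example: hypothetical helpers, not the project's instrumentation.ts.
type Env = Record<string, string | undefined>;

const REQUIRED = ["STUDIO_API_URL", "NEXT_PUBLIC_STUDIO_API_URL", "SESSION_SECRET"];
const URL_VARS = ["STUDIO_API_URL", "NEXT_PUBLIC_STUDIO_API_URL"];

// True for loopback/unspecified hosts (assumed list: localhost, 127/8, ::1, 0.0.0.0).
function isLocalHost(hostname: string): boolean {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  return /(^|\.)localhost$/.test(h) || h === "::1" || h === "0.0.0.0" ||
    /^127(\.\d{1,3}){3}$/.test(h);
}

// Returns the list of problems; an empty list means the process may boot.
function checkProductionEnv(env: Env): string[] {
  const gated = env["NODE_ENV"] === "production" || env["APP_ENV"] === "prod";
  if (!gated) return [];
  const problems: string[] = [];
  for (const name of REQUIRED) {
    const value = (env[name] ?? "").trim();
    if (value === "") { problems.push(`${name} is missing`); continue; }
    if (URL_VARS.indexOf(name) !== -1) {
      let host: string;
      try { host = new URL(value).hostname; }
      catch { problems.push(`${name} is not a valid URL`); continue; }
      if (isLocalHost(host)) problems.push(`${name} points at localhost`);
    } else if (value.length < 32) {
      // Assumption: enforce the "32+ chars" note from the variables table.
      problems.push(`${name} is shorter than 32 characters`);
    }
  }
  return problems;
}

// Fail fast: throw before the server accepts traffic. Messages name the
// variable only, never its value, so the secret cannot leak into logs.
function assertProductionEnv(env: Env): void {
  const problems = checkProductionEnv(env);
  if (problems.length > 0) {
    throw new Error(`Refusing to start: ${problems.join("; ")}`);
  }
}
```

In a Next.js instrumentation hook, a check like this would be called with process.env from the exported register() function.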
Image build
The repo’s root Dockerfile produces a standalone Next.js image based on
the next build --output=standalone artifact. The image is built and
pushed by the Jenkins pipeline against the runtime-resolved ECR registry,
with NEXT_PUBLIC_STUDIO_API_URL and NEXT_PUBLIC_ENABLE_MOCKS baked in
as build args and STUDIO_API_URL / SESSION_SECRET injected at ECS
task-definition runtime.
Environment variables
Build-time (NEXT_PUBLIC_* — baked into the image)
| Variable | Description |
|---|---|
| NEXT_PUBLIC_STUDIO_API_URL | Studio Backend URL used by the browser bundle |
| NEXT_PUBLIC_ENABLE_MOCKS | Mock-data toggle (false for real environments) |
Runtime (ECS task definition / Jenkins-provided)
| Variable | Description |
|---|---|
| STUDIO_API_URL | Studio Backend URL for server-side calls (server-only) |
| SESSION_SECRET | Cookie encryption key (32+ chars, AWS Secrets Manager) |
| NODE_ENV | production |
| PORT | Container port (3000) |
Domains
| Stage | Domain |
|---|---|
| Dev | sentinel-dev.centricitywealth.tech |
| Prod | sentinel.centricitywealth.tech |
Monitoring
CloudWatch log group /ecs/sentinel-frontend-dev captures container
output. ALB target health and ECS service status are surfaced in the AWS
console; the Jenkins post-deploy stage waits on services-stable before
marking the build green.