Where the kingdom runs.
Deployment Topology
The JEXXXUS Kingdom runs across multiple platforms, each chosen for specific strengths. No single point of failure. No vendor lock-in.
┌─────────────────────────────────────────────────┐
│ INTERNET │
│ │ │
│ ┌───────────────┼───────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────┐ ┌──────────┐ ┌─────────┐ │
│ │Vercel│ │ Railway │ │ Supabase│ │
│ │(Edge)│ │(Container│ │ (DB + │ │
│ │ │ │ + API) │ │ Auth) │ │
│ └──┬───┘ └────┬─────┘ └────┬────┘ │
│ │ │ │ │
│ └──────────────┴───────────────┘ │
│ │ │
│ ┌─────┴─────┐ │
│ │ ChromaDB │ │
│ │ (Vectors) │ │
│ └───────────┘ │
└─────────────────────────────────────────────────┘
Platform Roles
| Platform | Role | Services Hosted |
|---|
| Vercel | Edge hosting, serverless functions, auto-deploy | VEIL, TV, Law, Docs, BLXCKBOOK landing, wing6, BLXCKCHAT, xdmin |
| Railway | Container hosting, backend APIs, long-running processes | jexxx.us landing, Chatterbox (where containerized) |
| Supabase | PostgreSQL database, Row Level Security, Edge Functions | MAMAbase (api schema), auth bridge |
| ChromaDB | Vector database, semantic search | DADAbase (embeddings, AI context) |
| Clerk | Authentication, session management | Cross-subdomain identity (modal pattern) |
| 1Password | Secrets management | API keys, tokens, credentials (never in public docs) |
MAMAbase (Supabase)
The relational backbone of the kingdom. PostgreSQL with Row Level Security (RLS) enforced on every table.
| Table | Schema | Purpose | RLS |
|---|
contacts | api | Relationship memory records (BLXCKBOOK) | ✅ Clerk-scoped |
content_embeddings | api | Vector-adjacent metadata for semantic search | ✅ |
| User prefs / journals | api | Per-user app data | ✅ |
Note: Legacy public.vessels migrations are deprecated. Live apps read/write api.contacts only.
Bulk import: Operators use JEXXXUS CLI with managed operator credentials and explicit --user ownership—not exposed to end users.
DADAbase (ChromaDB)
The semantic layer. ChromaDB stores vector embeddings for AI context retrieval and semantic search.
| Collection | Purpose |
|---|
blackbook_hitlist | Primary knowledge base for AI agents |
Observability: All vector operations are traced through Langfuse for performance monitoring and cost tracking.
Authentication Flow
User arrives at *.jexxx.us
│
▼
┌─────────────┐
│ Clerk │ ← Multi-subdomain SSO
│ Middleware │
└──────┬──────┘
│
┌─────┴─────┐
│ Verified │──▶ Service renders with user context
└─────┬─────┘
│
┌─────┴─────┐
│ Rejected │──▶ Redirect to sign-in
└───────────┘
Clerk handles authentication across all *.jexxx.us subdomains. A single sign-in grants access to BLXCKCHAT, wing6, BLXCKBOOK, and all other authenticated services.
Secrets Management
All secrets are managed through an external secret manager and injected at runtime. No plaintext credentials are committed to source code or checked into environment files.
# Example (sanitized): runtime secret injection
DATABASE_URL=${SECRET_DATABASE_URL}
AUTH_SECRET=${SECRET_AUTH_KEY}
AI_PROVIDER_KEY=${SECRET_AI_KEY}
Secret material is rotated and audited through controlled workflows. Pre-commit and CI checks scan for accidental credential exposure.
CI/CD Pipeline
| Trigger | Action | Platform |
|---|
Push to main | Auto-deploy production | Vercel / Railway |
| Pull request | Preview deployment | Vercel |
| Manual | vercel --prod or railway up | CLI |
| Autonomous | Luna Verde agent sweep | VPS |
Luna Verde Operational Automation
Luna Verde contributes to operational monitoring and runbook-driven remediation workflows where enabled. Public documentation describes behavior at a high level; internal control-plane details remain private.
Learn more about Divinities →
Monitoring & Observability
| Tool | Purpose |
|---|
| Langfuse | AI interaction tracing, cost tracking, model performance |
| Luna Verde | Service health monitoring, autonomous recovery |
| Vercel Analytics | Edge performance, Web Vitals |
| Railway Metrics | Container resource usage, deployment logs |
Security Layers
| Layer | Implementation |
|---|
| Network | Twingate zero-trust access for internal services |
| Auth | Clerk with multi-factor support |
| Database | Supabase RLS—row-level access policies on every table |
| Secrets | Managed secret injection with no plaintext credentials in repo |
| Git | SSH commit signing via op-ssh-sign |
| Scanning | Pre-commit hooks for credential detection |
| Proxy | Caido for security testing on *.jexxx.us |
The infrastructure is invisible until it isn't. We build so it never isn't.