Technical Requirements Document (TRD) — Ironframe GRC

REF_PATH: stakeholders/technical-requirements
SOURCE: APP_DOCUMENTS_DB

Authoritative detail: TAS.md. This TRD summarizes architecture, infrastructure, and security for stakeholders.

System overview

[ Browser / Command Center ]
         │
         ▼
[ Next.js 15 App Router — Vercel Edge/Node ]
         │
    ┌────┴────┬──────────────┬─────────────┐
    ▼         ▼              ▼             ▼
 Supabase   Prisma       LangGraph     External APIs
 (Auth+PG)  (ORM)        (19 agents)   (Electricity Maps, Resend, …)

Functional requirements

ID     Requirement
FR-01  Multi-tenant Command Center with cookie/path scoped tenant UUID
FR-02  Threat ingest via Irongate-sanitized DMZ (/api/threats/ingest, /api/ingest)
FR-03  ALE and mitigated value stored as BigInt cents — no float on money paths
FR-04  Sustainability metrics in physical units (kWh, gCO₂eq/kWh)
FR-05  Carbon pulse with live + LKG fallback (/api/sustainability/stats, /api/grc/carbon-pulse)
FR-06  Governance maturity scoring with Ironwatch stale-data mode
FR-07  Analyst exports (CSV/PDF) tenant-scoped via /dashboard/exports
FR-08  Scheduled crons (Ironwatch heartbeat, gridcore rate poll, health triage)
FR-09  Simulation / shadow plane isolated from production audit writes
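FR-03 requires that ALE and mitigated value never touch a float. The block below is an added example, not Ironframe code: it shows the pattern such a rule implies in TypeScript, parsing decimal money literals straight into BigInt cents, rendering them back for exports, and computing ALE = SLE × ARO with the rate held as a rational so rounding happens exactly once, half-up, at cent granularity. The helper names and the rational-ARO representation are assumptions; the page fixes only that stored values are BigInt cents.

```typescript
// Added example (not Ironframe code): money on FR-03 paths is carried as BigInt cents.
// parseCents turns a decimal string such as "1234.56" into 123456 (a bigint) without ever
// constructing a floating-point value. It rejects anything that is not a plain decimal
// with at most two fractional digits, so sub-cent precision can never be lost silently.
export function parseCents(amount: string): bigint {
  const m = /^(-?)(\d+)(?:\.(\d{1,2}))?$/.exec(amount.trim());
  if (!m) throw new Error(`not a money literal: ${JSON.stringify(amount)}`);
  const [, sign, whole, frac = ""] = m;
  const cents = BigInt(whole) * BigInt(100) + BigInt(frac.padEnd(2, "0"));
  return sign === "-" ? -cents : cents;
}

// formatCents renders BigInt cents back to a canonical "D.DD" string for CSV/PDF exports.
export function formatCents(cents: bigint): string {
  const neg = cents < BigInt(0);
  const abs = neg ? -cents : cents;
  const whole = abs / BigInt(100);
  const frac = (abs % BigInt(100)).toString().padStart(2, "0");
  return `${neg ? "-" : ""}${whole}.${frac}`;
}

// ALE = SLE x ARO. ARO is a rate (e.g. 3/10 events per year), so it is passed as a
// rational numerator/denominator and the product is rounded half-up to whole cents.
// Hypothetical helper: the real schema only fixes that the stored value is BigInt cents.
export function annualizedLossCents(sleCents: bigint, aroNum: bigint, aroDen: bigint): bigint {
  if (aroDen <= BigInt(0)) throw new Error("ARO denominator must be positive");
  // floor((2*a + den) / (2*den)) is half-up rounding of a/den using integer arithmetic only.
  const scaled = sleCents * aroNum * BigInt(2) + aroDen;
  return scaled / (aroDen * BigInt(2));
}

// Why floats are banned on money paths: summing ten cents ten times does not give one dollar
// in IEEE-754 doubles, but it does in BigInt cents.
export function floatDriftDemo(): { float: number; cents: string } {
  let f = 0;
  let c = BigInt(0);
  for (let i = 0; i < 10; i++) {
    f += 0.1;
    c += parseCents("0.10");
  }
  return { float: f, cents: formatCents(c) };
}
```

`floatDriftDemo()` returns `0.9999999999999999` on the float side and `"1.00"` on the cents side, which is the whole argument for FR-03 in one call.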

Non-functional requirements

ID      Requirement                    Target
NFR-01  Availability (Command Center)  99.5%+
NFR-02  Tenant isolation               Zero cross-tenant reads/writes
NFR-03  API auth                       Supabase session + internal cron secrets
NFR-04  Build gate                     npm run build + lint green on main
NFR-05  Integration gate               Vercel cloud suite pass before promote
NFR-06  Audit logging                  Structured server logs + Prisma audit tables

Infrastructure

Layer     Technology
Hosting   Vercel (Preview + Production)
Database  Supabase PostgreSQL
ORM       Prisma 6.x
Auth      Supabase SSR (@supabase/ssr)
Email     Resend / Nodemailer (Ironcast)
Storage   Supabase buckets (WORM policy — Epic 12)
CI        GitHub Actions (Postgres 15 service, epic integration matrices)
Cron      Vercel Cron (vercel.json)

Security requirements

  1. Ironguard (Agent 12) — x-tenant-id / cookie alignment; cross-tenant fetch throws
  2. Irongate (Agent 14) — No raw external payload to DB without sanitization
  3. RLS — Postgres row-level security per tenant
  4. Secrets — .env.example blueprint; no credentials in repo (scan:secrets pre-test)
  5. PKI vault (Epic 11) — Dual-gate bank vault; supervisor public keys in env
  6. Stale lockdown — Sustainability API degraded ≥24h triggers mutation freeze (tripartite waiver path)
  7. Middleware — Session refresh, quarantine paths, sustainability _api_key sanitizer
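Requirement 1 (Ironguard) and NFR-02 together say the same thing from two sides: the tenant a caller names in x-tenant-id must agree with the tenant the session cookie already binds, and a fetch that crosses tenants must throw rather than return data. The block below is an added example, not Ironframe's Ironguard or its Prisma layer; it models that check in TypeScript with an in-memory repository standing in for the database. The cookie name `ironframe_tenant`, the rule that a missing header defers to the cookie, the error type, and all sample tenant UUIDs and rows are constructed assumptions.

```typescript
// Added example (not Ironframe's Ironguard). Request-time tenant alignment plus a
// repository whose every query is keyed by the one resolved tenant, so a cross-tenant
// read is not expressible and an attempted one throws.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

export class TenantMismatchError extends Error {
  constructor() {
    super("tenant header does not match session tenant");
    this.name = "TenantMismatchError";
  }
}

export interface TenantRequest {
  headers: Record<string, string | undefined>; // lower-cased header names, as Node exposes them
  cookies: Record<string, string | undefined>;
}

// The cookie is authoritative because it was set server-side at login; the header is a
// client claim that must match it. Cookie name and the missing-header rule are assumptions.
export function resolveTenant(req: TenantRequest): string {
  const fromCookie = req.cookies["ironframe_tenant"];
  if (!fromCookie || !UUID_RE.test(fromCookie)) throw new Error("no tenant bound to session");
  const fromHeader = req.headers["x-tenant-id"];
  if (fromHeader !== undefined && fromHeader.toLowerCase() !== fromCookie.toLowerCase()) {
    throw new TenantMismatchError();
  }
  return fromCookie.toLowerCase();
}

export interface Threat { id: string; tenantId: string; title: string; }

// Stand-in for a tenant-scoped Prisma model. The distinct TenantMismatchError exists so
// the server can log and alert on it; the HTTP response to the caller should still be a
// plain 404 so the existence of another tenant's row is not disclosed.
export class ThreatRepo {
  constructor(private readonly rows: Threat[]) {}

  listForTenant(tenantId: string): Threat[] {
    return this.rows.filter((r) => r.tenantId === tenantId);
  }

  getForTenant(tenantId: string, id: string): Threat {
    const row = this.rows.find((r) => r.id === id);
    if (!row) throw new Error("not found");
    if (row.tenantId !== tenantId) throw new TenantMismatchError(); // cross-tenant fetch throws
    return row;
  }
}

// Constructed sample tenants and rows (not real data).
export const TENANT_A = "11111111-1111-4111-8111-111111111111";
export const TENANT_B = "22222222-2222-4222-8222-222222222222";
export const SAMPLE_REPO = new ThreatRepo([
  { id: "t-1", tenantId: TENANT_A, title: "phishing wave" },
  { id: "t-2", tenantId: TENANT_B, title: "credential stuffing" },
]);

// A route handler resolves the tenant exactly once and threads it into every query.
export function loadThreats(req: TenantRequest, repo: ThreatRepo = SAMPLE_REPO): Threat[] {
  const tenant = resolveTenant(req);
  return repo.listForTenant(tenant);
}
```

The point to carry into a real Prisma layer is that `tenantId` is a required argument of every repository method, never an optional filter; Postgres RLS (requirement 3) then enforces the same boundary a second time below the ORM.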

Environment variables (critical)

See .env.example. Minimum production set:

  • DATABASE_URL, Supabase URL/keys
  • IRONFRAME_CRON_SECRET / IRONFRAME_INTERNAL_GATES_SECRET
  • ELECTRICITY_MAPS_API_KEY (or IRONWATCH_SUSTAINABILITY_FALLBACK_ENABLED=true for staging)
  • RESEND_API_KEY (Ironcast — optional in sandbox)
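NFR-03 authenticates internal cron and gate routes with shared secrets such as IRONFRAME_CRON_SECRET. Two details decide whether that is actually safe: the comparison must be constant-time, and an unset or weak secret must fail closed instead of matching an empty header. The block below is an added example, not Ironframe's middleware or Vercel's cron client; it assumes the secret arrives as `Authorization: Bearer <secret>`, that a secret shorter than 32 characters counts as misconfiguration, and that the handler returns 503 in that case so the route is disabled rather than opened.

```typescript
import { timingSafeEqual } from "node:crypto";

// Added example (not Ironframe's middleware). Constant-time verification of an internal
// route secret read from the environment, failing closed on misconfiguration.

// Compares a presented token against the expected secret without an early-exit on the
// first differing byte. Node's timingSafeEqual requires equal-length buffers, so a length
// mismatch is rejected up front; the expected secret's length is fixed per deployment, so
// that branch does not leak anything an attacker does not already control.
export function verifyInternalSecret(
  presented: string | undefined,
  expected: string | undefined,
): boolean {
  if (!expected || presented === undefined) return false;
  const a = Buffer.from(presented, "utf8");
  const b = Buffer.from(expected, "utf8");
  if (a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

// Extracts the token from "Bearer <token>"; any other scheme or a malformed header yields
// undefined, which verifyInternalSecret rejects.
export function bearerToken(authorization: string | undefined): string | undefined {
  if (!authorization) return undefined;
  const m = /^Bearer\s+(\S+)$/.exec(authorization.trim());
  return m ? m[1] : undefined;
}

// Minimum secret length is an assumption made here, not a value from the project.
const MIN_SECRET_LENGTH = 32;

// Authorization decision for a request to an internal cron/gate route. The environment
// is passed in rather than read from process.env so the decision can be unit-tested.
export function authorizeCron(
  headers: Record<string, string | undefined>,
  env: { IRONFRAME_CRON_SECRET?: string },
): { ok: boolean; status: 200 | 401 | 503 } {
  const secret = env.IRONFRAME_CRON_SECRET;
  // Fail closed: a missing or too-short secret disables the route instead of opening it.
  if (!secret || secret.length < MIN_SECRET_LENGTH) return { ok: false, status: 503 };
  const ok = verifyInternalSecret(bearerToken(headers["authorization"]), secret);
  return ok ? { ok: true, status: 200 } : { ok: false, status: 401 };
}
```

The 503 on misconfiguration is deliberate: a cron route that silently accepts every caller because `IRONFRAME_CRON_SECRET` was never set in a new environment is the failure mode this guards against, and a loud 503 surfaces it in the health triage cron (FR-08) immediately.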

Testing requirements

Suite             Command
Unit              npm test
Epic integration  npm run test:integration:epic{12,13,15,16,17}
Sustainability    npm run test:integration:sustainability
Cloud smoke       npm run test:vercel-integration:cloud:epic17

Related documents