ADR-005: Deployment Strategy β UAT on Render, Production TBD
Status: β Accepted (UAT) Β· π² Pending (Production) Date: 2026-03-22 Decision Makers: Tilak Kumar
Contextβ
ThreatWeaver needs to deploy a React SPA (frontend) and a Node.js API server (backend). The deployment platform affects cost, latency, developer experience, and operational complexity.
The key constraints:
- Backend runs long-lived WebSocket connections for scan sensors (rules out serverless functions with 30s timeouts)
- Backend requires persistent process memory (in-memory scan state, agent concurrency tracking)
- Frontend is a pure static SPA β no server-side rendering needed
- Database is PostgreSQL β hosted on Render (UAT) or to be decided for production
- Budget: keep infrastructure costs minimal during development phase
Decisionβ
UAT environment: Deploy everything to Render (backend + static site + PostgreSQL).
Production environment: Infrastructure not yet decided β will be finalized at launch using the main branch.
Active environments:
Local (dev machines):
Frontend β localhost:3005 (npm run dev, native)
Backend β localhost:4005 (npm run dev, native)
Database β Docker PostgreSQL (port 5432)
UAT (dev.threatweaver.ai):
Frontend β Render Static Site (dev.threatweaver.ai)
Backend β Render Pro Plus (threatweaver-backend.onrender.com)
Database β Render PostgreSQL Pro 8GB
Branch β dev (auto-deploys on push)
Production (TBD):
Frontend β TBD at launch (Vercel / Cloudflare Pages / Render)
Backend β TBD at launch (Render / Railway / AWS)
Database β TBD at launch (Supabase / Render / Neon)
Branch β main (protected, manual release only)
Git branch β environment mapping:β
| Branch | Deploys to | Who triggers |
|---|---|---|
local | Localhost only | Developer manually |
dev | UAT (Render) | Auto on push |
main | Production (TBD) | Manual release process |
Consequencesβ
Positive (UAT on Render):
- Single platform (Render) for backend + frontend + database simplifies UAT management
- No cross-platform coordination β one dashboard, one billing account
- Render's persistent Node.js process supports WebSockets and long-running scans
- UAT database is isolated from local dev β safe to test migrations against
- Auto-deploy on
devpush means UAT always reflects latest code
Negative / Trade-offs:
- Render is Singapore region (ap-southeast-1) β slightly higher latency for US/EU users
- No built-in horizontal scaling β manual instance scaling required
- Render's PostgreSQL backup schedule is less flexible than Supabase
- Production hosting decision is deferred β will require migration work when decided
What was removed:
kinavulnerabilitymanagement.vercel.appβ old Vercel frontend URL, no longer activekina-vulnerability-management-uq1t.onrender.comβ old Render backend URL, no longer active- These URLs appeared in vercel.json, docusaurus.config.ts, and several docs β all cleaned up
Alternatives Consideredβ
| Option | Status |
|---|---|
| Vercel (frontend) + Render (backend) split | Used previously, removed. Re-evaluate at production launch. |
| Full Render (frontend + backend + DB) | Current UAT approach β working well |
| AWS (ECS + CloudFront) | Candidate for production β higher control, higher operational cost |
| Cloudflare Pages + Workers | Candidate for production β edge performance, but Workers have execution limits |
| Railway | Similar to Render, less mature β evaluate at launch |
| Self-hosted VPS | Too much operational overhead for small team |
Production Decision Criteria (When Ready)β
When production hosting is selected, evaluate against:
- WebSocket support β scan sensors require long-lived connections
- Persistent process β no cold starts, no serverless timeout limits
- PostgreSQL managed service β daily backups, PITR, SSL enforced
- Latency β target < 100ms p95 for API responses (Singapore β global)
- Cost at scale β estimate for 50 concurrent tenants
- Zero-downtime deploys β rolling restart or blue/green