Environments
| Environment | Hosted on | Purpose | Trade real money? |
|---|---|---|---|
| local | Developer's machine | Day-to-day development | Never |
| preview | Vercel preview deploys (per PR) | Review changes before merge | Never |
| production | Vercel + Fly prod app | The thing users use | Only with mainnet broker + explicit user confirmation |
Environment matrix
| Concern | local | preview | production |
|---|---|---|---|
| Web app | pnpm dev (Next 16) | Vercel preview | Vercel prod |
| Supabase project | Shared dev project | Shared dev project | Dedicated production project |
| Live runner | Local Fly app (optional) | Skipped — previews don't deploy live | agentic-live-runner on Fly |
| AI Gateway | Personal API key, $5 free tier | Shared dev key, capped budget | Production key |
| Hyperliquid | Paper broker only | Paper broker only | Paper or mainnet (per-deployment); testnet removed in ADR-0015 |
| Auth | Supabase Auth (dev project) | Same | Supabase Auth (prod project) |
| Data ingest | Manual / not running | Not running | Vercel Cron, daily |
| News API | Free tier (CryptoPanic) | Free tier | Paid tier (Phase 3+) |
| Sentry | Disabled | Enabled, separate project | Enabled, separate project |
| Database migrations | Applied manually (supabase migration up) | CI applies to preview | CI applies to prod on merge to main |
Branch strategy
- main — what's in production. Protected.
- Feature branches → PR → preview deploy → code review → merge to main → prod deploy.
- No long-lived develop branch.
Vercel project setup
One Vercel project: agentic-trading-web.
- Production branch: main
- Preview branches: everything else
- Build command: pnpm build --filter=web (Turborepo)
- Output directory: handled by Next.js
- Install command: pnpm install --frozen-lockfile
- Node version: 24 LTS (Vercel default)
- Functions: Fluid Compute (default)
- Region: iad (primary), Hyperliquid API is well-served from there
Vercel cron jobs (defined in vercel.ts)
```ts
crons: [
  { path: '/api/ingest/bars', schedule: '*/5 * * * *' },          // pull recent bars every 5 min
  { path: '/api/ingest/news', schedule: '*/15 * * * *' },         // news every 15 min
  { path: '/api/ingest/funding', schedule: '0 * * * *' },         // funding hourly
  { path: '/api/jobs/prune-agent-logs', schedule: '0 4 * * *' },  // daily prune
]
```
Fly app setup
One Fly app: agentic-live-runner.
- Image built from apps/live-runner/Dockerfile, deployed via CI on merge to main
- Machines created on-demand by the web app's deploy-live flow (see architecture/live-runtime.md)
- Machine size default: shared-1x-512
- Primary region: nrt (Tokyo) for mainnet runners — closer to Hyperliquid's API/WS edges per ADR-0016
- Auto-destroy stopped machines after 5 min idle (sweep job)
Fly secrets to set (app-wide, injected into every machine)
```bash
fly secrets set \
  SUPABASE_URL=... \
  SUPABASE_SERVICE_ROLE_KEY=... \
  OPENROUTER_API_KEY=... \
  HYPERLIQUID_LIVE_ENABLED=true \
  -a agentic-live-runner
```
HYPERLIQUID_LIVE_ENABLED is the L7 kill switch — set to anything other than 'true' to refuse all mainnet broker construction platform-wide (paper deployments unaffected). The web app reads the same flag when accepting createDeployment requests.
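One way the web app could apply this flag when handling createDeployment, together with the DEPLOYMENTS_DISABLED flag from the web app's env vars and the per-environment real-money rule from the Environments table. This is an added example, not the project's own code; checkDeployment, DeploymentRequest and the field names are hypothetical.

```typescript
// Added example: all type and function names here are hypothetical.
type Env = "local" | "preview" | "production";
type Broker = "paper" | "mainnet";

interface DeploymentRequest {
  broker: Broker;
  userConfirmedMainnet: boolean; // explicit confirmation given by the user
}

type Decision = { allowed: true } | { allowed: false; reason: string };

// Only the exact string 'true' counts; unset, '1', 'TRUE' and ' true' do not.
function flagIsTrue(value: string | undefined): boolean {
  return value === "true";
}

function checkDeployment(
  env: Env,
  vars: Record<string, string | undefined>,
  req: DeploymentRequest,
): Decision {
  // Emergency switch: refuses paper and mainnet alike. Note the asymmetry:
  // a mistyped value here leaves deployments enabled, while a mistyped
  // HYPERLIQUID_LIVE_ENABLED below leaves mainnet refused.
  if (flagIsTrue(vars["DEPLOYMENTS_DISABLED"])) {
    return { allowed: false, reason: "deployments disabled" };
  }
  if (req.broker === "paper") return { allowed: true };

  // Real-money path: every check denies unless its condition is met.
  if (env !== "production") {
    return { allowed: false, reason: "mainnet is production-only" };
  }
  if (!flagIsTrue(vars["HYPERLIQUID_LIVE_ENABLED"])) {
    return { allowed: false, reason: "live trading kill switch is off" };
  }
  if (req.userConfirmedMainnet !== true) {
    return { allowed: false, reason: "missing explicit user confirmation" };
  }
  return { allowed: true };
}
```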
Vercel env vars (web app)
| Variable | Purpose |
|---|---|
| FLY_API_TOKEN | Fly Machines API token; rotates via Fly dashboard |
| FLY_LIVE_RUNNER_APP | Default agentic-live-runner |
| FLY_LIVE_RUNNER_IMAGE | Pinned image SHA written by CI on Fly deploy (e.g. registry.fly.io/agentic-live-runner@sha256:...) |
| FLY_LIVE_RUNNER_REGION | Default nrt |
| FLY_LIVE_RUNNER_MEMORY_MB | Default 512 |
| HYPERLIQUID_LIVE_ENABLED | Mirror of Fly app flag; web blocks mainnet createDeployment if not 'true' |
| DEPLOYMENTS_DISABLED | If 'true', refuses ALL new deployments (paper + mainnet) — emergency-only |
| NEXT_PUBLIC_THIRDWEB_CLIENT_ID | thirdweb public client id — powers wallet connect/sign (HL agent approval) + the USDC top-up widget |
| CRON_SECRET | Bearer token Vercel cron uses to call /api/jobs/*. Generate with openssl rand -hex 32. Required for heartbeat sweeper + pending-agent GC. |
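A fail-closed check of the CRON_SECRET bearer token for the /api/jobs/* routes, as an added example rather than the project's code. checkCronRequest and statusFor are hypothetical names, and the 64-character minimum assumes the secret was generated with openssl rand -hex 32 as the table describes.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example: names and status mapping are hypothetical.
type CronGate = "ok" | "unauthorized" | "misconfigured";

// openssl rand -hex 32 yields 64 hex characters (assumed generation method).
const MIN_SECRET_CHARS = 64;

function sha256(s: string) {
  return createHash("sha256").update(s, "utf8").digest();
}

function checkCronRequest(
  authHeader: string | null | undefined,
  secret: string | undefined,
): CronGate {
  // Fail closed: with an unset secret, a naive `Bearer ${secret}` comparison
  // would accept the literal header "Bearer undefined".
  if (!secret || secret.length < MIN_SECRET_CHARS) return "misconfigured";
  if (!authHeader) return "unauthorized";
  // Hash both sides so timingSafeEqual receives equal-length buffers and
  // the comparison time does not depend on where the inputs differ.
  return timingSafeEqual(sha256(authHeader), sha256(`Bearer ${secret}`))
    ? "ok"
    : "unauthorized";
}

// Map the gate result to the HTTP status a job route returns before doing work.
function statusFor(gate: CronGate): number {
  return gate === "ok" ? 200 : gate === "unauthorized" ? 401 : 500;
}
```

Returning a distinct result for a missing secret lets a misconfigured deployment show up in monitoring instead of looking like ordinary rejected requests.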
Supabase project setup
Two projects:
- agentic-trading-dev — used by local and preview environments. Shared; expect that data may be wiped.
- agentic-trading-prod — production only. Users' real Skills and deployments live here.
Marketplace integration with Vercel
Provision via Vercel Marketplace so env vars auto-populate:
- Vercel dashboard → Storage → Add Marketplace Integration → Supabase
- Link to production project for the prod Vercel environment
- Link to dev project for preview + development Vercel environments
Migrations
- All migrations in packages/db/migrations/
- CI applies on merge:
  - Preview branches: apply to agentic-trading-dev
  - main merges: apply to agentic-trading-prod
- Backups: Supabase auto-backups; production also has a nightly logical dump to a separate bucket (Phase 3)
AI Gateway setup
In Vercel dashboard → AI Gateway → API Keys:
- Dev key: monthly budget cap = $50, alert at 80%
- Prod key: monthly budget cap = $500 to start, scale up as needed, alert at 80%
User BYOK keys are stored in the DB and forwarded per request — they don't count against platform budget.
CI/CD (GitHub Actions)
.github/workflows/ci.yml:
- On PR: lint, typecheck, unit tests, package builds
- On PR: apply migrations to agentic-trading-dev if any in packages/db/migrations/
- On PR: Vercel auto-deploys preview (no GH action needed)
- On merge to main:
  - Apply migrations to agentic-trading-prod
  - Vercel auto-deploys prod
  - Build live-runner Docker image, push to Fly registry, deploy via fly deploy
.github/workflows/scheduled.yml:
- Daily: prune Fly machines for stopped deployments
- Weekly: dependency update PR (Renovate / Dependabot)
Local development
See docs/development/setup.md for the full first-time setup. Short version:
```bash
pnpm install
cp .env.example .env.local   # fill in dev Supabase + AI Gateway keys
pnpm dev                     # runs web app on :3000
```
Local development uses the shared dev Supabase project. There is no per-developer database in MVP — keep it simple.
To run a sim locally:
```bash
pnpm sim --skill <skill-id> --from 2026-04-01 --to 2026-05-01
```
To run the live runner locally (paper broker by default; mainnet only when intentionally testing real-money flow — ADR-0015):
```bash
DEPLOYMENT_ID=<existing-deployment-uuid> pnpm --filter live-runner dev
```
Domain / DNS
- Production: app.agentic-trading.example (final domain TBD) → Vercel
- Preview: *.agentic-trading-web.vercel.app (Vercel default)
- Local: localhost:3000
Cost monitoring
| Service | Free tier | Budget alert at |
|---|---|---|
| Vercel | Hobby tier for dev | n/a in MVP |
| Supabase | Free tier ($25 if Pro) | $50/mo |
| Fly | Free machines limit | $50/mo |
| AI Gateway | $5/mo dev credits | 80% of cap |
| CryptoPanic | Free | n/a |
| Sentry | Free dev tier | n/a in MVP |
Total MVP infra cost target: < $100/mo at single-developer scale.
Secrets Management
1. No secret in code, ever. All secrets via env vars or secret stores.
Launch checklist
This doc is operational, not aspirational. Every step has a specific command, SQL query, or UI gesture. If you find yourself improvising, slow down — the platform is designed so the slow path is the safe path.