Foundry

Epic: Brehob Dedicated Account + Enterprise Deploy

Roadmap item 5 of brehob-launch, split 5a/5b (red-team 6/10) · 5a precedes the corpus load (DB-2 amendment); 5b completes before UAT (M5) · ~3–5 days for 5a + Entra SSO in 5b · → North Star B4 — this is the reusable enterprise-deploy capability; customer #2 is cheap once #1 is parameterized.

Objective

Vend brehob-prod as a dedicated, segmented member account under the AWS Organization, deploy the full Autri (+ QuoteAI) stack into it, and harden it to enterprise posture — before any Brehob data is loaded anywhere. The account boundary is the isolation Andy was promised; "all Brehob data is processed within Brehob's dedicated AWS account, including AI inference via AWS Bedrock" (the contract sentence, DB-6/DB-7).

5a — Vend (BEFORE the corpus load)

  • S1 — Parameterize the CDK. The 6/10 audit found the de-hardcoding to be small (~0.5–1 day): the account/region pin in bin/autri-infra.ts (one env block), two pre-created secret ARNs in cdk.json (Google OAuth client-secret + GitHub PAT — recreate in the target account, swap ARNs), two CSP header pins in lib/web/cdn.ts. rootDomain is already a context parameter (~90% of domain refs flow from it). Resource names (autri-*) do NOT need renaming — names only collide within an account.
  • S2 — Vend + bootstrap brehob-prod. Organization exists (o-m23dfb4u9r, FeatureSet ALL); there is zero vending code in the repo — this is config + bootstrap + baseline guardrails/SCP, not new architecture.
  • S3 — Per-account externals. Recreate the 4 Secrets Manager secrets; Google OAuth app decision (reuse vs new client — interim, until Entra is primary); Cloudflare DNS + ACM validation for the Brehob subdomain; Cognito pool + allowlist seeding.
  • S4 — Bedrock model access (definition of done). Request the day the account exists — approval lead time is why item 7's landing page goes live first. Phase-1 inference runs here (DB-7).
  • S5 — Deploy + smoke. All 5 stacks up; app reachable on the Brehob subdomain; ingestion round-trip with a test doc. Known footguns: auth deploys need both context flags (-c attachAppAlias=true -c mcpImageTag=<tag> — the latest/attachAppAlias=false traps are structural); prune Docker images+cache before image builds (VM-disk ENOSPC trap); diff deployed-vs-main before deploying.
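The context-resolution piece of S1 and S3, as an added example that is not Autri's own code: the env pin and the two cdk.json secret ARNs become context lookups, and a secret ARN from the wrong account or region aborts the deploy before any stack is built. Function names, context keys and the sample account/ARN values are assumptions.

```typescript
// Added example, not Autri's own code: the context-resolution helper S1 calls for,
// assumed to be invoked from bin/autri-infra.ts before any stack is built. The
// hardcoded env block becomes context lookups, and any per-account external
// (secret ARN) that does not live in the target account/region aborts the deploy,
// since a cross-account ARN would quietly break the "processed within Brehob's
// account" promise. Function, key and sample values are assumptions.

export interface DeployTarget {
  account: string;
  region: string;
  rootDomain: string;
  secretArns: Record<string, string>;
}

// Minimal stand-in for app.node.tryGetContext so this runs without aws-cdk-lib.
export type ContextLookup = (key: string) => unknown;

const SECRET_ARN = /^arn:aws:secretsmanager:([a-z0-9-]+):(\d{12}):secret:/;

function required(ctx: ContextLookup, key: string): string {
  const v = ctx(key);
  if (typeof v !== "string" || v === "") throw new Error(`missing context '${key}' (pass -c ${key}=...)`);
  return v;
}

export function resolveDeployTarget(ctx: ContextLookup, secretKeys: string[]): DeployTarget {
  const account = required(ctx, "account");
  const region = required(ctx, "region");
  const rootDomain = required(ctx, "rootDomain");
  if (!/^\d{12}$/.test(account)) throw new Error(`account must be a 12-digit id, got '${account}'`);
  const secretArns: Record<string, string> = {};
  for (const key of secretKeys) {
    const arn = required(ctx, key);
    const m = SECRET_ARN.exec(arn);
    if (!m) throw new Error(`${key}: not a Secrets Manager ARN`);
    if (m[2] !== account || m[1] !== region) {
      throw new Error(`${key}: secret lives in ${m[2]}/${m[1]}, target is ${account}/${region}`);
    }
    secretArns[key] = arn;
  }
  return { account, region, rootDomain, secretArns };
}

// Constructed sample context (placeholder account id and ARNs) for a stand-alone run.
export const SECRET_KEYS = ["googleOAuthSecretArn", "githubPatSecretArn"];
export const sampleContext: Record<string, string> = {
  account: "111111111111", region: "us-east-1", rootDomain: "example.test",
  googleOAuthSecretArn: "arn:aws:secretsmanager:us-east-1:111111111111:secret:autri/google-oauth-AbCdEf",
  githubPatSecretArn: "arn:aws:secretsmanager:us-east-1:111111111111:secret:autri/github-pat-GhIjKl",
};
```

In bin/autri-infra.ts the call would be `resolveDeployTarget((k) => app.node.tryGetContext(k), SECRET_KEYS)`, with the returned `account`/`region` feeding each stack's `env` block.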

5b — Enterprise hardening (before UAT)

  • S6 — Entra SSO. Brehob is a Microsoft shop; current IdP wiring is Google-only. Cognito ↔ Entra (SAML/OIDC) federation; needs Brehob's one-person IT on the Entra side — start the conversation at kickoff (Jun 15), not at M5.
  • S7 — Alarm routing. Move past the single un-escalated SNS email (the 10-day unnoticed DLQ backlog proved why) to a Slack/SMS-grade signal.
  • S8 — Backup-restore drill. The one RDS restore, timed and documented (RTO). Single-AZ acceptance was a beta-era call; a paying enterprise re-opens it — at minimum, know the restore time.
  • S9 — F2 isolation probe (acceptance criterion). The committed runtime probe (autri/scripts/crucible-isolation-probe.mjs + crucible adapters) run live against brehob-prod with 2 accounts, bidirectionally, before UAT.
  • S10 — Fixed-infra COGS estimate. RDS/NAT/CloudFront/Cognito baseline (~$200–400/mo order) recorded against $3,000/mo at the 70% margin target, alongside the Gate-0 $/doc numbers.
  • S11 — QuoteAI deploy config. Per DB-1 (in-process bundle), likely config on the existing web stack rather than a new stack — confirm during S5.

Acceptance

App live on the Brehob subdomain in brehob-prod; Entra SSO login works for a real Brehob test user; F2 probe green; restore drill documented with a number; COGS baseline recorded; Bedrock access granted and the drafter runs on it. UAT (M5) happens HERE.

References

DB-2 (amended), DB-7, the 6/10 CDK audit (resolved brehob-launch annotation thread), deploy playbook footguns (decisions D-series + carried session feedback), item 7 (landing page precedes S4's request).
