Static Site Builder — System Architecture

localseoservices.org · Fastify + React + Astro · Docker VPS → Cloudflare Pages

Architecture diagram (text labels)

Zones: INTERNET · CLOUDFLARE SECURITY LAYER · GITHUB · CLOUDFLARE PAGES · VPS — DOCKER CONTAINER (localseoservices.org)

Flow labels: HTTPS · HTTP proxy · serve + API · SQL R/W · file R/W · Astro src · preview :4321 · git push (PAT) · webhook · static HTML · create CNAME · form submit · read via CF API · magic link · AI API calls (sk-ant-***) · visit site

INTERNET
Team Browser: localseoservices.org · @localseoservices.org SSO · admin · editor · viewer
SendGrid: email delivery · magic links · invites · admin@localseoservices.org
Client Browser: site visitors · form users · static sites on CF Pages · no auth required
Anthropic API: Claude Sonnet 4 · AI site builder · key stored in SQLite (AES-256) · plan mode · direct mode · scaffold

CLOUDFLARE SECURITY LAYER
CF Access: zero-trust auth · SSO · JWT · no VPN · @localseoservices.org only
CF Tunnel: no open VPS ports · outbound-only encrypted tunnel
CF DNS: staging subdomains · CNAME records · *.localseoservices.org
CF Worker + D1: form endpoint · serverless · global · D1 SQLite storage

GITHUB · CLOUDFLARE PAGES
GitHub: client site repos · lemur001/ org · fine-grained PAT
CF Pages: auto-build on git push · staging + live domains · *.pages.dev + custom domain
Client Sites: static HTML · Astro build · CF CDN · global edge · clean HTML · no client-side vars · staging subdomain + live domain

VPS — DOCKER CONTAINER
Fastify Backend: Node.js · port 3000 · same origin as React UI
  ▸ Auth: magic links · CF Access JWT · role guards
  ▸ Sites API: CRUD · brand_voice JSON · wizard flags
  ▸ Deploy: git push · CF Pages · CF DNS CNAME
  ▸ AI Chat: Anthropic · plan/direct · scaffold gen
  ▸ Settings: encrypted keys · AI providers · test
  ▸ Audit Log: test results · errors · deploys only
  SQLite-backed · nanoid IDs · AES-256 key encryption · Fastify v4
React UI: Dashboard · Workspace · Settings · Guided Setup · Vite + Tailwind · dark theme · served at :3000 (same origin)
Astro Dev Server: HMR live preview · :4321 · 1 per active workspace · /api/preview/:siteId/ proxy
SQLite · /data/: users · sites · settings · audit_log · ai_providers · API keys AES-256 encrypted · .encryption.key (persists) · Docker volume — survives rebuilds
/sites/ volume: Astro project per site · pages/ · public/ · src/ · global.css · CSS vars · /{nanoid}/ per project · git repo per site (versions)
.encryption.key: AES-256 master key · shared /data/ volume · never rotated · never leaks · survives Docker rebuilds

Legend: Frontend / Client HTML · Backend / Server process · Cloudflare service · Database / Storage · AI / LLM provider · Security / Encryption · External service · VPS zone boundary · Cloudflare zone boundary · request / data flow · async / optional
All inter-zone arrows routed through gap corridors — never through boxes


Internet
Team Browser: @localseoservices.org SSO · admin/editor/viewer
SendGrid: magic links · invites · admin@localseoservices.org
Client Browser: site visitors · no auth required
Anthropic API: Claude Sonnet 4 · key in SQLite (AES-256)

HTTPS → CF Access (SSO) → CF Tunnel → VPS (zero open ports)

Cloudflare Security Layer
CF Access: zero-trust · SSO · JWT
CF Tunnel: outbound-only · encrypted
CF DNS: staging CNAMEs · *.localseoservices.org
CF Worker + D1: form endpoint · serverless · global

proxied HTTP into Docker container · port 3000

VPS — Docker Container
Fastify Backend :3000: Auth · Sites API · Deploy · AI Chat · Settings · Audit Log
React UI: Dashboard · Workspace · Settings · Guided Setup · Vite + Tailwind
Astro Dev Server :4321: HMR live preview · 1 per workspace · /api/preview/:id/
SQLite /data/ volume: users · sites · audit_log · ai_providers · AES-256 keys
/sites/ volume: Astro project per site · git versions · pages/ · global.css
.encryption.key: AES-256 master · survives Docker rebuilds

git push (PAT) → GitHub → CF Pages webhook → static build

Deploy Pipeline
GitHub: lemur001/ · fine-grained PAT · auto-build trigger
CF Pages: *.pages.dev + custom domain · global CDN
Client Sites: pure static HTML · staging + live · no client-side vars

Security Model

  • CF Access gates all team routes — SSO only
  • CF Tunnel: zero open ports on the VPS
  • Magic links for external client access (SendGrid)
  • All API keys AES-256 encrypted before SQLite storage
  • .encryption.key in /data/ volume — survives rebuilds
  • Roles: admin · editor · viewer
  • Audit log: test failures, deploys, destructive actions

Deploy Pipeline

  • AI edits Astro source in /sites/{nanoid}/pages/
  • Platform commits + pushes to GitHub (fine-grained PAT)
  • CF Pages auto-builds on push webhook → static HTML
  • Staging: Fastify calls CF DNS API → CNAME created
  • Live: CF Pages custom domain → client domain
  • Version history: git log per site, restore via checkout
  • Output: pure static HTML, no client-side variable rendering

AI + Workspace

  • Claude Sonnet 4 via Anthropic API (encrypted key in DB)
  • Direct mode: edits Astro files immediately on response
  • Plan mode: describes changes → Execute button to apply
  • Astro dev server per site — HMR at port 4321
  • Preview proxied via /api/preview/:siteId/
  • CSS var system: --color-primary/secondary/accent
  • 5-step setup wizard — re-runnable from Project Settings