MongoDB Atlas Setup Runbook

Status: Phase 1 in progress. Last updated April 12, 2026. Purpose: SOC 2 evidence for CC7.1 (Infrastructure Management), CC8.1 (Change Management)


Cluster Details

| Field | Value |
|---|---|
| Atlas Organization | AskFlorence |
| Atlas Project | AskFlorence |
| Cluster Name | askflorence-prod-01 |
| Tier | M10 (HIPAA-eligible) |
| Cloud Provider | AWS |
| Region | us-east-1 |
| MongoDB Version | 7.x (latest stable) |
| Created Date | April 12, 2026 |
| Created By | Taha Abbasi (Founder) |

Compliance Configuration

| Setting | Status | Notes |
|---|---|---|
| BAA (HIPAA) | Pending signature | Available in Atlas Organization → Compliance |
| Encryption at Rest | Enabled | AES-256, Atlas default on M10+ |
| Encryption in Transit | Required | TLS for all connections, Atlas default |
| Atlas Audit Logging | Pending enablement | Captures auth events, CRUD operations |
| Continuous Backup | Enabled | Atlas default on M10+, verify ≥7 day retention |
| Network Access | IP allowlist | Development IPs only; VPC peering deferred until ECS deployment |

Database

| Field | Value |
|---|---|
| Database Name | askflorence |
| Created | April 12, 2026 |

Phase 1 Collections

| Collection | Purpose | Created |
|---|---|---|
| plan_years | State+year configuration (FPL, SLCSP, contribution brackets, Essential Plan tiers, tier multipliers, standard cost-sharing) | April 12, 2026 |
| plans | Full plan data: premiums by region, ~54 benefit/copay fields, deductible, MOOP, issuer, metal, URLs, counties served | April 12, 2026 |
| regions | Rating regions with county lists, SLCSP, lowest Silver premium, plan count | April 12, 2026 |
| zip_county | Zip code → county name, FIPS code, state, region lookup | April 12, 2026 |
| audit_log | API access events, data ingestion actions, PHI access trail | April 12, 2026 |

Cross-cluster reference reads (Phase 11 — live 2026-05-08)

The doctor + Rx coverage flow on prod (askflorence.health) reads non-PHI public CMS marketplace reference data from the staging Atlas cluster over AWS PrivateLink. This avoids duplicating 2.14M provider docs + 12,557 RxCUI / ~30M drug-plan tuples onto the prod cluster (which would have forced an M10 → M30 tier upgrade at +$326/mo).

| Field | Value |
|---|---|
| Source cluster | askflorence-staging (project_id 69e31af12fd2c0aef51bbb41, M30) |
| Source collections | formularies_staging (12,557 RxCUIs / ~30M tuples), providers_staging (2.14M NPIs) |
| Connection path | Prod VPC → AWS Interface VPC Endpoint vpce-0c81aea11e29bb928 → Atlas endpoint service com.amazonaws.vpce.us-east-1.vpce-svc-0d8138ea0f6542afa → staging cluster |
| Atlas user | app_read_staging (read-only role on askflorence database) |
| Connection string | mongodb+srv://askflorence-staging-pl-0.… — populated in AWS Secrets Manager prod/mongodb/reference-uri (project CMK encrypted) |
| Application contract | getReferenceDb() in src/lib/db.ts — distinct connection pool from getDb(). Routes via MONGODB_REFERENCE_URI; falls back to MONGODB_URI when unset (dev + staging unaffected by code path) |
| Network posture | AWS-backbone-only (no public internet path); identity-bound at AWS account level; TLS 1.2+ at app layer (doubly-protected encryption per HIPAA §164.312(e)(1)) |

Decision record: ADR 0004 — Cross-cluster Atlas reads from prod via AWS PrivateLink. Cost analysis + path comparison: #101.

Operational notes:

  • The ingest pipeline that writes formularies_staging + providers_staging runs in the staging AWS account (549136075525), not prod. Prod app picks up refreshes automatically via PrivateLink — no prod-side cron, no double-ingest, no cluster cutover needed.
  • Refresh cadence + delta-aware ingest design tracked in #98.
  • Drift guard: #100 (CI guard) protects against PHI-class data ever landing on the staging cluster — that would silently break the "non-PHI cross-cluster read" architectural claim.

Phase D follow-on (#96): the provider-network fallback (lookupStagingProviderNetwork()) mirrors today's drug-tier-fallback (lookupStagingDrugTiers()) using the same getReferenceDb() helper. Cross-cluster path is already wired; just needs the analogous lookup function + route handler.
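
The routing contract from the Application contract row above, written out as an added example in TypeScript. It is not the project's src/lib/db.ts: the client factory is injected so the logic runs without a cluster, and the names Pools, resolveReferenceUri and redactUri are assumed for this illustration.

```typescript
// Added example, not the project's src/lib/db.ts: the getDb()/getReferenceDb()
// URI routing, with the client factory injected so it runs without a cluster.
// Pools, resolvePrimaryUri, resolveReferenceUri and redactUri are assumed names.

type Env = Record<string, string | undefined>;
type Purpose = "primary" | "reference";

// Primary (PHI-bearing) reads and writes always use MONGODB_URI.
export function resolvePrimaryUri(env: Env): string {
  if (!env.MONGODB_URI) throw new Error("MONGODB_URI is not set");
  return env.MONGODB_URI;
}

// Reference (non-PHI, cross-cluster) reads use MONGODB_REFERENCE_URI when set;
// otherwise they fall back to MONGODB_URI, which is what leaves dev and staging
// (no PrivateLink path, single cluster) untouched by this code path.
export function resolveReferenceUri(env: Env): string {
  return env.MONGODB_REFERENCE_URI || resolvePrimaryUri(env);
}

// The URI carries credentials, so strip them before it reaches a log line.
export function redactUri(uri: string): string {
  return uri.replace(/\/\/[^@/]+@/, "//<redacted>@");
}

// One client (and so one connection pool) per purpose, never shared, even when
// both purposes resolve to the same URI: a slow reference lookup cannot exhaust
// the pool serving PHI queries, and the reference client can carry the
// read-only app_read_staging identity while the primary keeps its own.
export class Pools<C> {
  private clients: Partial<Record<Purpose, C>> = {};
  constructor(private env: Env, private connect: (uri: string) => C) {}

  get(purpose: Purpose): C {
    let client = this.clients[purpose];
    if (!client) {
      const uri = purpose === "primary" ? resolvePrimaryUri(this.env) : resolveReferenceUri(this.env);
      client = this.connect(uri);
      this.clients[purpose] = client;
    }
    return client;
  }
}
// Driver wiring (assumed): new Pools(process.env, (uri) => new MongoClient(uri)),
// then pools.get("reference").db("askflorence") inside getReferenceDb().
```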

Indexes

plan_years

{ state: 1, year: 1 }         — unique

plans

{ state: 1, year: 1, program: 1 }
{ countiesServed: 1 }
{ hiosId: 1, year: 1 }        — unique
{ state: 1, year: 1, metal: 1 }

regions

{ state: 1, year: 1, regionId: 1 }  — unique

zip_county

{ zip: 1 }                    — unique

audit_log

{ timestamp: -1 }             — query ordering
{ timestamp: 1 }              — TTL: 7 years (220,752,000 seconds)

Database Users

Bootstrap User (created during setup)

| User | Role | Purpose |
|---|---|---|
| atlas-admin-taha | Atlas admin | Initial setup and administration |

Scoped Service Users (deferred — to be created after collections exist)

| User | Access | Purpose |
|---|---|---|
| app-read | Read-only on plan_years, plans, regions, zip_county | API server queries |
| app-write | Read-write on all Phase 1 collections | Data ingestion scripts |
| audit-write | Insert-only on audit_log | API audit trail writes |

Status: Scoped users are intentionally deferred until Phase 1 collections are created and verified. This ensures permissions are scoped against real database resources, not overly broad bootstrap grants.
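
The three scoped users above expressed as MongoDB custom-role privilege documents (the shape db.createRole() and Atlas custom database roles accept), with a check that the audit writer really is append-only, the property the append-only audit log (ADR 0002) depends on. This is an added example, not the project's provisioning code; the role names app_read, app_write and audit_write and the helper names are assumptions.

```typescript
// Added example, not the project's provisioning code: scoped roles for the
// three service users, plus an append-only check for audit_log. Role names
// (app_read, app_write, audit_write) and helper names are assumed here.

type Privilege = { resource: { db: string; collection: string }; actions: string[] };
type Role = { role: string; privileges: Privilege[]; roles: { role: string; db: string }[] };

const DB = "askflorence";
export const REFERENCE_COLLECTIONS = ["plan_years", "plans", "regions", "zip_county"];
export const PHASE1_COLLECTIONS = [...REFERENCE_COLLECTIONS, "audit_log"];
// Actions that can change or erase existing documents, or the collection itself.
const MUTATING = ["update", "remove", "dropCollection", "dropIndex", "renameCollectionSameDB", "collMod"];

const priv = (collection: string, actions: string[]): Privilege =>
  ({ resource: { db: DB, collection }, actions });

// Every grant names a specific collection; nothing is database-wide and no
// built-in role is inherited, so a collection added later is unreachable
// until it is added here on purpose.
export function buildScopedRoles(): Role[] {
  return [
    { role: "app_read", roles: [], privileges: REFERENCE_COLLECTIONS.map((c) => priv(c, ["find"])) },
    { role: "app_write", roles: [], privileges: PHASE1_COLLECTIONS.map((c) => priv(c, ["find", "insert", "update", "remove"])) },
    { role: "audit_write", roles: [], privileges: [priv("audit_log", ["insert"])] },
  ];
}

// True only when the role can insert into `collection` and holds no action that
// could alter or delete what is already there. A privilege with an empty
// collection name applies to the whole database, so it counts too; inherited
// roles are opaque here, so their presence makes the answer "no", not "unknown".
export function isAppendOnly(role: Role, collection: string): boolean {
  if (role.roles.length > 0) return false;
  const applicable = role.privileges.filter(
    (p) => p.resource.db === DB && (p.resource.collection === collection || p.resource.collection === ""),
  );
  const canInsert = applicable.some((p) => p.actions.indexOf("insert") !== -1);
  const canMutate = applicable.some((p) => p.actions.some((a) => MUTATING.indexOf(a) !== -1));
  return canInsert && !canMutate;
}

// Collections a role can reach at all ("" means every collection in the database).
export function reachableCollections(role: Role): string[] {
  return role.privileges.map((p) => p.resource.collection);
}
```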

Connection String Format

mongodb+srv://<user>:<password>@askflorence-prod-01.njkihm.mongodb.net/askflorence?retryWrites=true&w=majority

Credentials are stored in:

  • Development: .env.local (gitignored)
  • Production: AWS Secrets Manager (future)

Never committed to source control. See .env.example for placeholder format.

Backup Configuration

| Setting | Value |
|---|---|
| Backup type | Continuous (Atlas managed) |
| Retention | Minimum 7 days |
| Point-in-time recovery | Available within retention window |
| Backup encryption | Same as cluster encryption (AES-256) |

Network Access

| Entry | IP/CIDR | Purpose | Added | Remove By |
|---|---|---|---|---|
| Development (open) | 0.0.0.0/0 | Development phase — open access | April 12, 2026 | Before production launch |

Future: VPC peering with AWS ECS when the API service is deployed. At that point, development IPs will be removed and all access will flow through the VPC peer.

Setup Script

Database and collection creation is automated via:

node scripts/db/setup-collections.js

This script:

  • Connects using MONGODB_URI from .env.local
  • Creates the askflorence database
  • Creates all 5 Phase 1 collections
  • Creates all indexes (idempotent — safe to re-run)
  • Prints verification summary
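
The index plan from the Indexes section, and the diff that makes the re-run step safe, as an added example in TypeScript (not scripts/db/setup-collections.js itself). planIndexActions() and the type names are assumed: it compares the desired indexes with what a collection already reports, so a re-run creates only what is missing and flags a key pattern that already exists with different options (such as a changed TTL), which createIndex() would reject rather than silently skip.

```typescript
// Added example, not scripts/db/setup-collections.js: the Phase 1 index plan
// and an idempotent diff against indexes already present. The driver is kept
// out so it runs offline; planIndexActions() and the type names are assumed.

type Keys = Record<string, 1 | -1>;
type IndexSpec = { collection: string; keys: Keys; unique?: boolean; expireAfterSeconds?: number };
// Shape of what db.collection(name).indexes() reports for one index.
type ExistingIndex = { name: string; key: Keys; unique?: boolean; expireAfterSeconds?: number };

export const AUDIT_TTL_SECONDS = 7 * 365 * 24 * 60 * 60; // 220,752,000, the 7-year TTL above

export const PHASE1_INDEXES: IndexSpec[] = [
  { collection: "plan_years", keys: { state: 1, year: 1 }, unique: true },
  { collection: "plans", keys: { state: 1, year: 1, program: 1 } },
  { collection: "plans", keys: { countiesServed: 1 } },
  { collection: "plans", keys: { hiosId: 1, year: 1 }, unique: true },
  { collection: "plans", keys: { state: 1, year: 1, metal: 1 } },
  { collection: "regions", keys: { state: 1, year: 1, regionId: 1 }, unique: true },
  { collection: "zip_county", keys: { zip: 1 }, unique: true },
  { collection: "audit_log", keys: { timestamp: -1 } },
  { collection: "audit_log", keys: { timestamp: 1 }, expireAfterSeconds: AUDIT_TTL_SECONDS },
];

// Key order matters in MongoDB, so compare key patterns as ordered lists.
const sameKeys = (a: Keys, b: Keys): boolean =>
  Object.keys(a).map((k) => k + ":" + a[k]).join(",") === Object.keys(b).map((k) => k + ":" + b[k]).join(",");

// Per desired index: create it, leave it, or flag it. A key pattern that exists
// with different options (changed TTL, missing unique) is a conflict: createIndex()
// would reject it, and skipping it would leave retention or uniqueness wrong.
export function planIndexActions(
  existing: Record<string, ExistingIndex[]>, // collection name -> indexes already present
  specs: IndexSpec[] = PHASE1_INDEXES,
): { create: IndexSpec[]; unchanged: IndexSpec[]; conflicts: IndexSpec[] } {
  const create: IndexSpec[] = [];
  const unchanged: IndexSpec[] = [];
  const conflicts: IndexSpec[] = [];
  for (const spec of specs) {
    const match = (existing[spec.collection] || []).find((ix) => sameKeys(ix.key, spec.keys));
    if (!match) create.push(spec);
    else if (!!match.unique === !!spec.unique && match.expireAfterSeconds === spec.expireAfterSeconds) unchanged.push(spec);
    else conflicts.push(spec);
  }
  return { create, unchanged, conflicts };
}
// Driver wiring (assumed): for each entry in `create`, call
// db.collection(spec.collection).createIndex(spec.keys, options) with only the
// options that are defined; abort and report if `conflicts` is non-empty.
```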

Next Steps

  • [ ] Sign Atlas BAA
  • [ ] Enable Atlas audit logging
  • [ ] Create scoped service users after collections are verified
  • [ ] Verify backup retention is ≥7 days
  • [ ] Load NY 2026 plan data (Issue #45)
  • [ ] Set up VPC peering when ECS is deployed

AskFlorence Internal Documentation. Not for public distribution.
