From 274a189f4556fdbba502780773388e2d38bfb946 Mon Sep 17 00:00:00 2001 From: nscuro Date: Fri, 5 Jun 2026 16:07:38 +0200 Subject: [PATCH] Update deployment topology docs * Mentions that API server is stateless beyond DB and file storage, and includes a separate management server. * Clarifies that frontend is served by Nginx, not the LB or a CDN. We ship it as container image, so that's what we should document. CDN is an option that we don't directly advertise. Signed-off-by: nscuro --- .../vocabularies/DependencyTrack/accept.txt | 23 +++++++++-------- docs/concepts/architecture/deployment.md | 25 ++++++++----------- 2 files changed, 23 insertions(+), 25 deletions(-) diff --git a/.vale/styles/config/vocabularies/DependencyTrack/accept.txt b/.vale/styles/config/vocabularies/DependencyTrack/accept.txt index 12728411..63525075 100644 --- a/.vale/styles/config/vocabularies/DependencyTrack/accept.txt +++ b/.vale/styles/config/vocabularies/DependencyTrack/accept.txt @@ -11,9 +11,9 @@ Atlassian BOMs? Bento CPEs +CSAF CWEs Cognito -CSAF CycloneDX DEKs DNs @@ -26,7 +26,6 @@ Exploitability Fedora 389 Directory Server Flashpoint GUIDs -UUIDs? GitLab HDDs Hackage @@ -49,6 +48,7 @@ MkDocs Modus Modus[Cc]reate NVME +Nginx Nixpkgs Novell OAuth @@ -66,22 +66,24 @@ Podman Postgres Protobuf SBOMs? -Sigstore +SPIs? SSDs +Sigstore Snyk Sonatype -SPIs? TTLs Timescale Tink Trino Trivy URIs +UUIDs? VDRs? VEX Vanlightly's? VulnDB Webex +[Aa]ccessors? [Aa]ggregate [Aa]llowlists? [Aa]utodetect @@ -89,13 +91,8 @@ Webex [Bb]ackpressure [Bb]locklists? [Bb]ooleans? -[Aa]ccessors? [Cc]amelCase [Cc]lassloaders? -[Dd]eserializ(e[ds]?|ing|ation) -[Nn]amespacing -[Pp]laintext -[Tt]ooltips? [Cc]lasspath [Cc]onfigs? [Cc]ron @@ -109,6 +106,7 @@ Webex [Dd]efault[Mm]ode [Dd]eloyments [Dd]eployments +[Dd]eserializ(e[ds]?|ing|ation) [Dd]ex [Dd]tapac [Ee]num @@ -129,7 +127,9 @@ Webex [Mm]ixeway [Nn]amespaced? [Nn]amespaces +[Nn]amespacing [Oo]utbox +[Pp]laintext [Pp]luggable [Pp]oolers? [Pp]roxied 
@@ -140,15 +140,15 @@ Webex [Rr]etryable [Rr]ollouts [Ss]andbox(es|ed|ing)? -[Vv]endor(ed|ing) [Ss]bomify -[Ss]ortability [Ss]cheduler's +[Ss]ortability [Ss]ubdomain [Ss]ubquery [Ss]uppressions [Tt]imespan [Tt]inkey +[Tt]ooltips? [Tt]riaged [Tt]ruststores [Tt]yposquatting @@ -156,6 +156,7 @@ Webex [Uu]nprefixed [Uu]pserts? [Vv]alidators? +[Vv]endor(ed|ing) [Vv]ers [Vv]ulns apiserver diff --git a/docs/concepts/architecture/deployment.md b/docs/concepts/architecture/deployment.md index a34ce0b6..3b5f1164 100644 --- a/docs/concepts/architecture/deployment.md +++ b/docs/concepts/architecture/deployment.md @@ -7,12 +7,12 @@ operational steps. ## Components -A production deployment has three required components plus a frontend, typically served by the same -ingress: +A production deployment has four components, typically fronted by the same ingress: ```mermaid flowchart LR - LB[Load balancer / ingress] --> A[API server instance 1] + LB[Load balancer / ingress] --> FE[Frontend instance] + LB --> A[API server instance 1] LB --> B[API server instance 2] LB --> N[API server instance N] 
@@ -23,24 +23,21 @@ flowchart LR A --> F[(File storage)] B --> F N --> F - - FE[Frontend] -.served by.-> LB ``` -- **API server.** Java service exposing the REST API and running background workers. Stateless - beyond what it commits to PostgreSQL and file storage. One or more instances run side by side - (see [Coordination](#coordination)). +- **API server.** Java service exposing the REST API on port `8080` and running background workers. + Stateless beyond what it commits to PostgreSQL and file storage. One or more instances run side + by side (see [Coordination](#coordination)). Each instance also exposes a separate management + server on port `9000` for health checks and metrics. - **PostgreSQL.** Single source of truth for product data, the durable execution engine's workflow records, and node coordination. - **File storage.** Shared store for short-lived intermediate files (uploaded BOMs, analysis artifacts). Either a shared persistent volume (`local` provider) or an S3-compatible bucket (`s3` provider). See [File storage](../../reference/configuration/file-storage.md). -- **Frontend.** Static Vue.js single-page app, typically served by the same load balancer or a CDN. - Stateless. - -Each instance exposes a separate management server for health and metrics that starts before -[init tasks](../../reference/configuration/init-tasks.md) such as schema migration, so probes -stay reachable while the main server initializes. +- **Frontend.** Vue.js single-page app distributed as a container image that serves the static + assets through Nginx. Stateless. One or more instances run behind the ingress alongside the API + server. The browser then calls the API server's REST API directly, so the frontend container + does not proxy or aggregate API traffic. ## Coordination
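Review bot: In `.vale/styles/config/vocabularies/DependencyTrack/accept.txt`, the context lines next to the moved `[Dd]eserializ(e[ds]?|ing|ation)` entry still list `[Dd]eloyments` directly above `[Dd]eployments`. That looks like a misspelling the vocabulary will keep accepting in the docs. Since these hunks already re-sort the file, consider dropping that entry here. The only net addition appears to be `Nginx`; everything else is reordering that the commit message does not mention, so a line in the message or a separate commit would make the docs change easier to review.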
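Review bot: In the first `docs/concepts/architecture/deployment.md` hunk, the new intro sentence "A production deployment has four components, typically fronted by the same ingress" reads as if all four components sit behind the ingress, while the flowchart shows file storage reached from the API server instances (`A --> F`) and not from `LB`. Consider wording it so that only the frontend and the API server are described as fronted by the ingress. The new node `FE[Frontend instance]` is also drawn as a single box while the Frontend bullet in the next hunk says one or more instances run behind the ingress, so labelling it to match, or drawing it like the API server instances, would keep the diagram and the text consistent.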
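Review bot: The API server bullet in the second `docs/concepts/architecture/deployment.md` hunk should keep the startup-ordering detail from the deleted closing paragraph, namely that the management server starts before init tasks such as schema migration so probes stay reachable while the main server initializes. The replacement sentence only says "for health checks and metrics" and drops the link to `init-tasks.md`, which is the part an operator needs when configuring probes. Now that the bullet names ports `8080` and `9000`, it would also help to state whether the ingress is expected to route to `8080` only, because the flowchart edges from `LB` to the API server instances carry no port and the page otherwise leaves open whether the health and metrics port is meant to be reachable through the ingress. In the Frontend bullet, "calls the API server's REST API directly" could be read as bypassing the ingress; something like "calls the REST API through the ingress rather than through the frontend container" would match the diagram.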