Components
- API Gateway (HTTP API) — two auth tiers: x-lifebot-key header for machine ingest (/ingest/*, /advice), Cognito JWT for the browser app (/api/*). Rate-throttled.
- Lambdas (all python3.12 · arm64 · permissions-boundary-capped): ingest (archive + normalize), advice (Bedrock daily + on-demand), chat (Bedrock Q&A over your data), stats (dashboard reads + goal setting), hevy_sync (pull Hevy).
- Storage — DynamoDB lifebot-records (on-demand) + S3 raw archive (versioned, AES256, private).
- Auth/identity — Cognito user pool (admin-create-only, no public signup, PKCE web client).
- Frontend — CloudFront + S3 static SPA (web/), custom domain, Cognito hosted-UI login.
- AI — Bedrock Claude Haiku 4.5 (EU inference profile); model adapter in model.py.
- Secrets — SSM SecureString (/lifebot/*), KMS-decrypt gated; never in Terraform state.
- Security — least-privilege per-Lambda IAM under a permissions boundary the deploy user cannot exceed. Full audit: Bobs-lifebot/security-review.
Stack
Terraform · AWS Lambda / API Gateway (HTTP) / DynamoDB / S3 / EventBridge / SSM / KMS / Bedrock / Cognito / CloudFront / IAM.
Docs
- Bobs-lifebot/HLD — architecture, auth model, cost, security
- Bobs-lifebot/LLD — resources, IAM, config, sequences
- Bobs-lifebot/security-review — security audit (2026-07-03)
Source
~/Terraform/Bobs-lifebot/ (design in its CLAUDE.md). terraform/ (all infra) ·
lambdas/{ingest,advice,chat,stats,hevy_sync}/ · web/ (SPA) · iam/ (boundary + policies).
wiki/projects/Bobs-lifebot/README.md · git is the source of truth