Mission Control

Control-Plane Topology

Visual reference for all Space Duck infrastructure surfaces — Lambda, API Gateway, Cognito, DynamoDB, CloudFront, SES, SNS, and fleet control.

● Live Galaxy 1.1 DC-354
Account: 121546003735 Region: us-east-1 Last updated: 2026-03-26

Architecture Diagram

Request flow from client through CloudFront → API Gateway → Lambda → backend services.

AWS Account 121546003735 — us-east-1 PUBLIC ZONE 🦆 Client Browser / Agent HTTPS CDN ZONE ☁️ CloudFront E3HQHA5N2… /prod/* COMPUTE ZONE 🔌 API Gateway czt9d57q83 · REST λ Lambda mission-control-api · v41 python3.12 · 128MB · 30s JWT verify AUTH ZONE 🔐 Cognito · us-east-1_OwEtInqCp DATABASE ZONE 🗄 spaceduck-main 🗄 birth-certificates 🗄 audit-log 🗄 peck-sessions 🗄 agent-registry COMMS ZONE (SANDBOX) 📧 SES Sandbox · 200/day 📣 SNS Sandbox · $1/mo 🪣 S3 Frontend mission-control-* FLEET ZONE 🤖 spaceduck.bot EventBridge Bus spaceduck-events LEGEND Standard request flow Auth / JWT verify Comms (email/SMS) Fleet / peck events Public zone Compute zone Database zone Auth zone Trust boundaries shown by zone colour and dashed border

Resource Inventory

8 surfaces
λ

Lambda — mission-control-api

arn:aws:lambda:us-east-1:121546003735:function:mission-control-api
● Live · v41 Owner: T-JOSH python3.12
Memory128 MB
Timeout30 s
Prod aliasv41
Trust tierInternal — T-JOSH deploy gate
Invoked by API GW No public invoke URL
📋 Runbook: Dead Lambda
🔌

API Gateway — REST

czt9d57q83.execute-api.us-east-1.amazonaws.com
● Live Owner: T-JOSH Stage: /prod
TypeREST API
AuthCognito JWT + Admin key
Routes38+ /beak/* routes
Trust tierSemi-public — JWT required on most routes
Public unauthenticated: /beak/hatch, /beak/pageview
📋 Route audit →
🔐

Cognito — User Pool

us-east-1_OwEtInqCp
● Live Owner: T-JOSH Auth provider
Pool IDus-east-1_OwEtInqCp
SES sendernoreply@spaceduckling.com
MFANot enforced (Galaxy 1.2)
Trust tierAuthority — identity provider
Token issuer for all JWT routes
📋 Auth runbook →
🗄

DynamoDB — 5 Tables

spaceduck-main · birth-certs · audit-log · peck-sessions · agent-registry
● Live Owner: T-JOSH PAY_PER_REQUEST
BillingPAY_PER_REQUEST (all tables)
PITREnabled — 35-day retention
EncryptionAWS managed (SSE)
Trust tierInternal — Lambda IAM only
No public read/write access
📋 Table explorer →
☁️

CloudFront — Frontend CDN

E3HQHA5N284LTS · E1WQP6P5ZWZO5K
● Live Owner: T-JOSH 2 distributions
OriginS3: mission-control-frontend-121546003735
Domain (1)d1rsfp2c29g6x.cloudfront.net
HTTPSEnforced · TLS 1.2+
Trust tierPublic CDN — static assets only
No credentials served via CDN
📋 Deploy log →
📧

SES — Email Delivery

noreply@spaceduckling.com · us-east-1
⚠ Sandbox Owner: T-JOSH 200/day limit
Sendernoreply@spaceduckling.com
Daily quota200 emails/day (sandbox)
StatusProduction request pending
Trust tierInternal — Lambda sends only
Blocked: production access request pending
📋 Comms posture →
📣

SNS — SMS / Notifications

us-east-1 · sandbox mode
⚠ Sandbox Owner: T-JOSH $1/mo spend cap
ModeSandbox (production request pending)
Spend cap$1.00/month
Use caseOTP / phone verification
Trust tierInternal — Lambda sends only
Blocked: sandbox exit request pending
📋 SNS runbook →
🤖

Fleet Control — spaceduck.bot

spaceduck-events · EventBridge bus
● External process Owner: T-JOSH Agent fleet
Busspaceduck-events (EventBridge)
Bonded agents16 spaceducks
Peck protocolPOST /beak/peck/request
Trust tierBeak-key authenticated agents
Peck-key bound connections Pulse via /beak/pulse
📋 Fleet recovery →

Trust Boundaries

4 zones

Defines which entities may invoke or mutate each surface and at what trust level.

🔴 Public Zone — unauthenticated
POST /beak/hatch — new duckling registration · POST /beak/pageview — anonymous analytics · GET /beak — health probe (no auth)
⚠ Input validation required. Rate limit enforced. No data mutation beyond egg creation.
🟡 Authenticated Zone — Cognito JWT required
GET/POST /beak/peck/* — peck protocol (bonded agent + JWT) · GET /beak/metrics — live metrics · POST /beak/audit — audit log access · GET /beak/system/status — platform health
Requires valid Cognito JWT. Token verified by API Gateway authoriser before Lambda invocation.
🟢 Internal Zone — Lambda IAM execution role
DynamoDB read/write (all 5 tables) · SES send via API · SNS publish · EventBridge PutEvents · CloudWatch Logs write
Lambda execution role only. No cross-account access. IAM role: mission-control-api-role.
🟣 Admin Zone — T-JOSH + admin beak key
GET /beak/admin/ducklings — duckling list · POST /beak/admin action=promote_alias — Lambda version promote · POST /beak/admin action=revoke_connection · CloudFront invalidations (deploy key)
Admin beak key + T-JOSH approval gate. No auto-promotion without operator confirmation. Governance log writes on every admin action.

Ownership Matrix

All surfaces owned by T-JOSH
Surface Owner Trust tier Change gate Runbook
Lambda — mission-control-api T-JOSH Internal T-JOSH approval + alias promotion ops-runbook
API Gateway — czt9d57q83 T-JOSH Semi-public Lambda deploy gate route audit
Cognito — us-east-1_OwEtInqCp T-JOSH Authority T-JOSH only — identity freeze operator runbook
DynamoDB — 5 tables T-JOSH Internal Lambda IAM role — no direct access table explorer
CloudFront — E3HQHA5N2… / E1WQP6P5… T-JOSH Public CDN Deploy key — JP-DEPLOY IAM user deploy log
SES — noreply@spaceduckling.com T-JOSH Internal send Lambda IAM only — sandbox pending comms posture
SNS — us-east-1 T-JOSH Internal send Lambda IAM only — sandbox pending region status
Fleet / spaceduck.bot T-JOSH Beak-key Peck protocol — T-JOSH peck approval fleet recovery

Linked Runbooks & Tools

📋 Ops Runbook 🛠 Operator Runbook 🔍 Lambda Route Audit 🗄 DynamoDB Explorer 📦 Deployment Log 🌐 Network Topology 🤖 Fleet Recovery 🔒 Security Posture 📚 All Runbooks 🎛 Mission Control