System Topology
Network topology, Docker services, and zone model: how Traefik, frontend, backend, Redis, Qdrant, TypeSense, and external APIs connect.
This page traces how data and control flow across the frontend, backend, and external services. It covers the trust boundaries between components, session management at every layer, and three complete end-to-end flows with the exact payloads that cross each boundary. It is the reference for understanding the system as a whole rather than any single component in isolation.
System Topology
All services run in Docker containers except Supabase Cloud, Stripe, and LLM/embedding/reranker APIs. Traefik is the reverse proxy that terminates TLS and routes to the frontend and backend.
Network Model
The system has three logical network zones:
| Zone | Traffic | Components |
|---|---|---|
| Public | Browser to Traefik over HTTPS | User agent |
| Internal | Traefik to containers, containers to each other | Frontend, Backend, Redis, Qdrant, TypeSense |
| External | Containers to cloud APIs over HTTPS | Supabase, Stripe, LLM, Embedding, Reranker |
The frontend never calls the backend's public address internally. Both are on the same Docker network. The backend is exposed via Traefik at the hostname api.falsafa.syedkhalid.tech. The frontend proxies to the backend at the internal Docker address http://backend:8001.
Out of Scope and Stale Code
Dead code paths, stale migrations, stubs, and unused dependencies that are present in the codebase but not part of the active architecture.
Trust Boundaries
Where user identity is validated across each hop: browser to frontend, frontend to backend, and backend to external APIs.