Olympus Documentation What is Olympus Architecture Repo Map License Glossary

Athena API Authentication Athena API Errors Athena API Pagination Athena Settings API SDK Settings API

Environment variables

Sequence diagrams Authorization Code + PKCE Client Credentials (M2M)Refresh token rotation RP-initiated logout Email verification roundtrip Password recovery with HMAC token Social IdP linking MFA step-up to AAL2 Brute-force lockout escalation Athena → Kratos admin Caddy → backend routing Production deploy pipeline Encryption key rotation (zero-downtime)pgAdmin OIDC SSO Claude-driven Daedalus deploy via MCP

ReferenceSequence diagrams

Production deploy pipeline

From `git push` to running containers

Gates before deploy

The verify-prod-config.yml workflow enforces:

No literal secrets in compose / config files.
sslmode=verify-full in every DATABASE_URL.
All images digest-pinned (no :latest or floating tags).
Kratos leak_sensitive_values: false.
Email verification hook configured.

A red gate stops the deploy.

End-to-end time

~3 minutes for a normal deploy. First-time deploy with cert issuance: ~5 minutes.

Rollback

Revert the compose digest, commit, push. Deploy workflow runs again, pulls the older images.

Where to learn more

Internals, Platform deploy pipeline
Deploy, First production deploy
ADR 0014, Image digest pinning

Caddy → backend routing

How Caddy decides which backend to proxy to

Encryption key rotation (zero-downtime)

How ENCRYPTION_KEY is rotated without losing access to encrypted settings

On this page

Gates before deploy End-to-end time Rollback Where to learn more