
Engagement Platform Labs — Architecture

This file is the canonical architecture reference for the Mango-only / devcontainer workshop configuration. See architecture.html for a visual version (note: the HTML was generated before the devcontainer pivot and has been patched with a banner; this Markdown file is authoritative).

Component Diagram

Operator laptop
├── Discord client
├── wrangler CLI
├── cloudflared CLI
└── VS Code devcontainer  ("engagement platform")
        ├── tailscale daemon   (magicDNS hostname: ep-<slot>)
        ├── cloudflared        (tunnel origin → api.<slot>.eplabs.cloud)
        ├── python3 + tooling
        └── OpenWrt 23.05.3 ramips/mt76x8 rootfs
            (same baseline as Mango — unconstrained on flash/RAM)

GL.iNet Mango GL-MT300N-V2  ("drop device")
├── custom drop firmware (16MB NOR — minimal core)
└── /overlay → USB ExtRoot
        ├── tailscale          (magicDNS hostname: drop-<slot>)
        └── /etc/uci-defaults/99-enroll.sh  (one-shot, self-deletes)

Cloudflare edge
├── Worker     api.<slot>.eplabs.cloud  — emoji decode, dispatch, audit
├── D1         fleet-database           — devices, audit_log, sessions
├── KV         (rate_limits, job_queue)
├── R2         artifacts/<job_id>.pcap  — signed URLs
├── Access     (service tokens for devices, JWT for operator)
└── Tunnel     (cloudflared origin → devcontainer port 8787)

Tailscale tailnet
├── ep-<slot>    (devcontainer — operator side)
└── drop-<slot>  (Mango — drop side)

Capstone Round-Trip (Lab 14)

Discord emoji
  → Worker /v1/chatops/discord (EmojiChef decode)
  → CF Access token validation
  → D1 audit_log INSERT (action: decode)
  → KV job enqueue (job_id, command: "capture")

Operator (devcontainer):
  → reads GET /v1/jobs/<id>
  → tailscale ssh root@drop-<slot> 'sh /tmp/run-capture.sh <id> 30'

Mango:
  → tcpdump-mini -G 30 -W 1 -w /tmp/cap.pcap
  → POST /v1/artifacts/upload (gets R2 signed PUT URL)
  → PUT pcap to R2 via signed URL
  → PATCH /v1/jobs/<id>/complete  { artifact_id, device_id, duration_s }

Worker:
  → D1 audit_log INSERT (action: complete)
  → R2 signed GET URL minted (15-minute TTL)
  → Discord webhook POST (signed URL in message)

Operator:
  → clicks signed URL → downloads pcap
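
The Worker's completion step above accepts a body from a device deployed outside the operator's control, so it should check that body before writing the audit row. The following is an added example, not the project's Worker code. It assumes a job record of the form `{ id, command, status, device_id, requested_s }`, the status values, the reason codes, and that `artifact_id` is the R2 key `artifacts/<job_id>.pcap`; `validateCompletion`, `MAX_SLACK_S` and the sample values are hypothetical.

```javascript
// Added example: validation for PATCH /v1/jobs/<id>/complete.
// Assumed (not from the page): job record shape, status values, reason codes,
// and that artifact_id is the R2 object key artifacts/<job_id>.pcap.
const MAX_SLACK_S = 5; // assumed tolerance over the requested capture window

function validateCompletion(job, tokenDeviceId, body) {
  const fail = (status, reason) => ({ ok: false, status, reason });

  if (!job) return fail(404, "unknown_job");
  // Only a queued/running job may be completed; this rejects replayed PATCHes.
  if (job.status !== "queued" && job.status !== "running") {
    return fail(409, "job_not_open");
  }
  if (body === null || typeof body !== "object") return fail(400, "bad_body");

  const { artifact_id, device_id, duration_s } = body;
  // The device named in the body must be the one the Access service token
  // authenticated and the one the job was dispatched to.
  if (typeof device_id !== "string" || device_id !== tokenDeviceId ||
      device_id !== job.device_id) {
    return fail(403, "device_mismatch");
  }
  // Pin the artifact to this job's own key so a completion cannot reference
  // some other object in the bucket.
  if (artifact_id !== `artifacts/${job.id}.pcap`) {
    return fail(400, "artifact_mismatch");
  }
  if (!Number.isInteger(duration_s) || duration_s <= 0 ||
      duration_s > job.requested_s + MAX_SLACK_S) {
    return fail(400, "bad_duration");
  }
  // Row for the D1 audit_log INSERT (action: complete).
  return {
    ok: true,
    status: 200,
    audit: { action: "complete", job_id: job.id, device_id, artifact_id, duration_s },
  };
}

// Constructed sample data, matching the 30-second capture in the flow above.
const sampleJob = { id: "job-0001", command: "capture", status: "queued",
                    device_id: "drop-07", requested_s: 30 };
const sampleBody = { artifact_id: "artifacts/job-0001.pcap",
                     device_id: "drop-07", duration_s: 30 };
console.log(validateCompletion(sampleJob, "drop-07", sampleBody));
```

Only a result with `ok: true` should lead to the audit INSERT and the signed GET URL being minted; every rejection carries a reason code that can itself be logged.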

Firmware Pins

| Component | Version / Image |
|---|---|
| OpenWrt | 23.05.3 |
| Target | ramips / mt76x8 |
| Mango profile | glinet_gl-mt300n-v2 |
| Devcontainer rootfs | openwrt/rootfs:ramips-mt76x8-23.05.3 |
| ImageBuilder | openwrt/imagebuilder:ramips-mt76x8-23.05.3 |
| Node | 20.x LTS |
| wrangler | 4.x |

Build Targets

# From courses/engagement-platform-labs/labs/
make engagement-platform   # builds devcontainer rootfs tarball
make drop-mango            # builds Mango sysupgrade .bin (squashfs <= 13MB)
make validate-NN           # runs validate.sh for lab NN (e.g. make validate-05)

Take-Home Track (MT3000)

Students who later acquire a GL.iNet MT3000 (Beryl AX) can follow the take-home labs at labs/take-home/. These cover the mediatek/filogic target, the MT3000’s eMMC storage (no ExtRoot required), and WiFi-6 drop scenarios.
