Deployment Path
First-parity deployment baseline, release rules, DNS gates, and docs-site separation.
GoRunChat uses a GCP-first deployment baseline.
No production app deployment is signed off. No production app DNS cutover is signed off.
Baseline
The first app runtime target is Cloud Run.
The first data plane is MongoDB Atlas plus Memorystore for Redis.
The audit plane is application-owned audit and discovery storage, a BigQuery query copy, and a Cloud Storage archive.
Cloudflare serves DNS, the separate docs site, and an early app edge gate. It is not the product runtime.
The docs Worker and app edge Worker block requests whose Cloudflare country metadata is outside the US. They also fail closed when public requests lack Cloudflare country metadata. Docs static assets use Worker-entrypoint gating and Worker-first asset routing. Zone-level country blocking still needs Cloudflare Rulesets write permission before it can be managed as a shared policy.
Release Target
The accepted first-parity release path uses:
- service: gorunchat-api.
- region: us-central1.
- runtime service account: gorunchat-run.
- deployer service account: gorunchat-deployer.
- image repository: us-central1-docker.pkg.dev/gorunchat/gorunchat/gorunchat-api.
- release input: exact commit SHA and immutable image digest.
Mutable tags such as latest are forbidden for release input.
Cloud Build triggers are not the first-parity release path. Cloud Build being enabled does not authorize release.
The deployer may deploy the service and read the exact deployment artifacts it needs. It must not receive runtime data-plane privileges.
hey.jones@icloud.com may impersonate gorunchat-deployer. The deployer may act as gorunchat-run for Cloud Run deploys.
GitHub Cloud Run deploy is not configured yet.
The Cloud Run Release workflow runs the Go tests, builds the Docker image, runs local container smoke checks, and checks the release script syntax. It does not push to Artifact Registry or deploy to Cloud Run.
Operator shell releases use scripts/release-cloud-run.sh from a clean repo. The script builds the current commit, pushes an immutable image tag, resolves the digest, deploys through gorunchat-deployer impersonation, and verifies the shell probes.
Cloud Run Service Contract
The product Cloud Run service spec must preserve the shell probe evidence and name:
- immutable image reference policy.
- runtime service account.
- health endpoints.
- startup and readiness expectations.
- concurrency, timeout, min and max instances, and CPU policy.
- Direct VPC egress to the private network.
- Atlas private-connectivity validation from product service runtime.
- version-pinned Secret Manager injection.
- explicit denial of CLOUDFLARE_* secrets to runtime.
Deployment verification must capture active revision, image digest, service account, ingress, Direct VPC egress, and secret versions.
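The contract above is a checklist that is easy to drift from between releases. As an added example (not GoRunChat project code), the following Node.js check walks a Knative-style Cloud Run service manifest and reports every violation of the listed rules: digest-pinned image, the gorunchat-run runtime service account, explicit ingress, HTTP probes, numeric Secret Manager versions, no CLOUDFLARE_* variables, Direct VPC egress rather than a connector. It also validates the release input (exact commit SHA plus immutable digest). The service-account email form, the manifest field paths, the run.googleapis.com annotation names, and both sample manifests are assumptions constructed for the example, not values from the page.

```javascript
// Added example, not the project's release tooling. Assumed: service-account email form,
// Knative manifest field paths, run.googleapis.com annotation names, constructed manifests.
const REPO_IMAGE = 'us-central1-docker.pkg.dev/gorunchat/gorunchat/gorunchat-api';
const RUNTIME_SA = 'gorunchat-run@gorunchat.iam.gserviceaccount.com'; // assumed email form
const DIGEST_PREFIX = REPO_IMAGE + '@sha256:';

// Immutable means repository + sha256 digest; a tag such as :latest is never accepted.
function isImmutableImage(image) {
  return typeof image === 'string' &&
    image.startsWith(DIGEST_PREFIX) &&
    /^[0-9a-f]{64}$/.test(image.slice(DIGEST_PREFIX.length));
}

// Release input is an exact commit SHA plus a digest-pinned image; returns a list of problems.
function validateReleaseInput({ commit, image }) {
  const problems = [];
  if (!/^[0-9a-f]{40}$/.test(commit || '')) problems.push('commit is not a full 40-hex SHA');
  if (!isImmutableImage(image)) problems.push(`image is not digest-pinned: ${image}`);
  return problems;
}

// Walks a Knative-style Cloud Run service manifest and returns every contract violation found.
function validateServiceSpec(service) {
  const problems = [];
  const svcAnn = service?.metadata?.annotations || {};
  const tmpl = service?.spec?.template || {};
  const ann = tmpl.metadata?.annotations || {};
  const podSpec = tmpl.spec || {};
  const container = (podSpec.containers || [])[0] || {};

  if (!isImmutableImage(container.image)) problems.push(`image not digest-pinned: ${container.image}`);
  if (podSpec.serviceAccountName !== RUNTIME_SA) problems.push(`runtime service account is ${podSpec.serviceAccountName}`);
  if (!svcAnn['run.googleapis.com/ingress']) problems.push('ingress setting is not explicit');
  if (!container.startupProbe?.httpGet?.path) problems.push('no HTTP startup probe');
  if (!container.livenessProbe?.httpGet?.path) problems.push('no HTTP liveness probe');

  for (const env of container.env || []) {
    if (/^CLOUDFLARE_/.test(env.name)) problems.push(`${env.name}: CLOUDFLARE_* must not reach runtime`);
    const ref = env.valueFrom?.secretKeyRef;
    // Secret Manager versions must be pinned numerically; "latest" floats and is rejected.
    if (ref && !/^[0-9]+$/.test(String(ref.key))) problems.push(`${env.name}: secret version must be numeric, got ${ref.key}`);
  }

  // Direct VPC egress is the accepted path; Serverless VPC Access connectors are rejected.
  if (!ann['run.googleapis.com/network-interfaces']) problems.push('Direct VPC egress network interface missing');
  if (!['all-traffic', 'private-ranges-only'].includes(ann['run.googleapis.com/vpc-access-egress'])) problems.push('vpc-access-egress not set');
  if (ann['run.googleapis.com/vpc-access-connector']) problems.push('Serverless VPC Access connector present');
  return problems;
}

// Constructed sample manifest (not a real deployment) that satisfies the contract.
const DIGEST = '0123456789abcdef'.repeat(4); // constructed placeholder digest, 64 hex chars
const GOOD_SERVICE = {
  apiVersion: 'serving.knative.dev/v1', kind: 'Service',
  metadata: { name: 'gorunchat-api', annotations: { 'run.googleapis.com/ingress': 'all' } },
  spec: { template: {
    metadata: { annotations: {
      'run.googleapis.com/network-interfaces': '[{"network":"gorunchat-vpc","subnetwork":"run-subnet"}]',
      'run.googleapis.com/vpc-access-egress': 'private-ranges-only',
    } },
    spec: {
      serviceAccountName: RUNTIME_SA,
      containerConcurrency: 80, timeoutSeconds: 300,
      containers: [{
        image: `${DIGEST_PREFIX}${DIGEST}`,
        startupProbe: { httpGet: { path: '/healthz' } },
        livenessProbe: { httpGet: { path: '/healthz' } },
        env: [
          { name: 'MONGODB_URI', valueFrom: { secretKeyRef: { name: 'mongodb-uri', key: '3' } } },
          { name: 'REDIS_URL', valueFrom: { secretKeyRef: { name: 'redis-url', key: '1' } } },
        ],
      }],
    },
  } },
};

// Constructed bad manifest: mutable tag, floating secret version, and a Cloudflare secret.
const BAD_SERVICE = JSON.parse(JSON.stringify(GOOD_SERVICE));
BAD_SERVICE.spec.template.spec.containers[0].image = `${REPO_IMAGE}:latest`;
BAD_SERVICE.spec.template.spec.containers[0].env.push(
  { name: 'CLOUDFLARE_API_TOKEN', valueFrom: { secretKeyRef: { name: 'cf-token', key: 'latest' } } });

if (typeof require !== 'undefined' && require.main === module) {
  console.log('good manifest problems:', validateServiceSpec(GOOD_SERVICE));
  console.log('bad manifest problems:', validateServiceSpec(BAD_SERVICE));
}
```

Run against the rendered manifest (for example the output of `gcloud run services describe --format=yaml` converted to JSON) before sign-off; an empty problem list is the evidence the verification step should record alongside revision, digest, service account, ingress, egress, and secret versions.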
First Deployment Tasks
- Keep baseline GCP runtime services enabled.
- Preserve the shell Cloud Run Atlas PSC and Redis validation when replacing the probe with product runtime behavior.
- Define the full runtime env and secret injection matrix.
- Implement W5A before any enterprise-ready claim.
- Extend IaC for product runtime deltas, product audit projector IAM, replay validation, retention runbooks, and export runbooks.
DNS And Front Door
First parity can ship on direct Cloud Run ingress or through the app edge gate after product runtime proof.
Do not wire product-runtime DNS cutover behind the edge gate until:
- product runtime exists.
- product health checks exist.
- rollback target is defined.
- SSE behavior is validated through the chosen ingress.
- secrets and database connectivity are verified.
- W5A fail-closed audit and discovery behavior is proven.
The app edge gate is live for early hostname propagation:
- Worker name: gorunchat-app-gate.
- hostnames: app.gorunchat.com and api.gorunchat.com.
- edge readiness: /healthz and /readyz.
- product paths: deterministic 503 until runtime connection is approved.
- GitHub environment: edge-production.
- secrets: none from app runtime.
If Cloudflare fronts product traffic later, the contract must decide streaming pass-through behavior, header policy, and rollback.
The US-only traffic rule must stay enforced before any product traffic is exposed. Public hostnames must fail closed when Cloudflare country metadata is missing. Use the Worker-fronted gate or a zone-level Rulesets policy after the required Cloudflare permission exists.
Cloudflare edge logs do not replace application audit or discovery records.
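The fail-closed rule is the part of the gate most often implemented backwards (treating missing metadata as "allow"). As an added example, not the project's gorunchat-app-gate or gorunchat-docs Worker code, the following Worker entrypoints apply the US-only rule first for both lanes described on this page: the app gate answers /healthz and /readyz locally and returns a deterministic 503 on every product path, and the docs Worker forwards only allowed traffic to its static assets. `request.cf.country` is the Cloudflare-populated field; the `ASSETS` binding name, the response bodies, and the Retry-After value are assumptions.

```javascript
// Added example, not GoRunChat Worker code. Assumed: ASSETS binding name, response bodies,
// Retry-After value. request.cf.country is Cloudflare's own per-request metadata.
const ALLOWED_COUNTRIES = new Set(['US']);
const EDGE_READINESS_PATHS = new Set(['/healthz', '/readyz']);

// Returns null when the request may proceed, otherwise the 403 Response to send.
// Missing metadata is treated exactly like a blocked country: the gate fails closed.
function countryGate(request) {
  const country = request.cf && request.cf.country;
  if (!country) return new Response('forbidden: country metadata missing', { status: 403 });
  if (!ALLOWED_COUNTRIES.has(country)) return new Response('forbidden', { status: 403 });
  return null;
}

// App edge gate: readiness paths answer at the edge; every product path is a deterministic
// 503 until the runtime connection is approved. No app runtime secret is read here.
function appGateFetch(request) {
  const blocked = countryGate(request);
  if (blocked) return blocked;
  const { pathname } = new URL(request.url);
  if (EDGE_READINESS_PATHS.has(pathname)) return new Response('ok', { status: 200 });
  return new Response('runtime not connected', {
    status: 503,
    headers: { 'Retry-After': '300', 'Cache-Control': 'no-store' },
  });
}

// Docs Worker: the entrypoint runs before static assets, so env.ASSETS sees only allowed traffic.
function docsFetch(request, env) {
  const blocked = countryGate(request);
  if (blocked) return blocked;
  return env.ASSETS.fetch(request);
}

// Worker module shapes; in wrangler these would be the default exports of the two Workers.
const appGateWorker = { fetch: (request) => appGateFetch(request) };
const docsWorker = { fetch: (request, env) => docsFetch(request, env) };

// Constructed request-like objects (not real Cloudflare requests) for a local run.
const SAMPLE_REQUESTS = [
  { url: 'https://app.gorunchat.com/healthz', cf: { country: 'US' } },
  { url: 'https://api.gorunchat.com/v1/rooms', cf: { country: 'US' } },
  { url: 'https://app.gorunchat.com/healthz', cf: { country: 'DE' } },
  { url: 'https://app.gorunchat.com/healthz', cf: {} },
];
```

Because the same `countryGate` runs first in both Workers, the zone-level Rulesets policy mentioned above can later replace it without changing the per-path behaviour of either lane.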
Docs Site Lane
The docs site is a separate Astro property on Cloudflare Workers.
It uses:
- production hostname: docs.gorunchat.com.
- current URL: https://docs.gorunchat.com.
- fallback URL: https://gorunchat-docs.labs-testing.workers.dev.
- Worker name: gorunchat-docs.
- DNS status: approved and attached.
- country rule: non-US Cloudflare country metadata returns 403.
- missing country metadata on public hostnames returns 403.
- asset routing: Worker entrypoint runs before assets.
- GitHub deploy environment: docs-production.
- GitHub deploy state: workflow_dispatch with deploy: true passed.
- deploy artifact: docs-site/dist.
- deploy path: wrangler deploy.
Docs deploy must not consume app runtime secrets, provider secrets, database secrets, Redis secrets, or session secrets.
docs.gorunchat.com is attached as a Cloudflare Worker custom domain. The docs lane does not change apex DNS or the app Cloud Run ingress decision.
Rejected Baselines
Do not use Firebase deploy as the first-parity baseline.
Do not use service-account key files or repo-local credential files for release.
Do not use Serverless VPC Access connectors as the default backend-connectivity path.
Do not use mutable image tags for runtime release.
Do not replace first-parity MongoDB or Redis roles with Cloud Firestore.