Infrastructure Inventory
Verified infrastructure state and remaining setup gaps for GoRunChat.
Baseline cloud infrastructure exists, but production readiness is not signed off.
Treat this page as the starting inventory for implementation and deploy work. It records known resources and known gaps. Do not infer runtime readiness from resource existence.
Cloudflare
The gorunchat.com zone is active in Cloudflare.
The zone has the proxied docs custom-domain record for docs.gorunchat.com. The apex does not resolve to an app target.
Cloudflare remains DNS authority and an early edge gate. It is not the product runtime.
The docs lane is separate from the app runtime:
- first docs hostname: docs.gorunchat.com
- current docs URL: https://docs.gorunchat.com
- fallback operator URL: https://gorunchat-docs.labs-testing.workers.dev
- static site platform: Astro on Cloudflare Workers
- Worker name: gorunchat-docs
- approved deploy path: Worker deploy with wrangler
- GitHub Actions deploy path: validated through docs-production
- country rule: Cloudflare country metadata outside US returns 403
- missing country metadata on public hostnames returns 403
- asset routing: Worker entrypoint runs before assets
- unused Pages projects and retained-state R2 buckets were removed after the Worker decision
The app edge lane is separate from the product runtime:
- Worker name: gorunchat-app-gate
- hostnames: app.gorunchat.com and api.gorunchat.com
- country rule: Cloudflare country metadata outside US returns 403
- missing country metadata on public hostnames returns 403
- readiness: /healthz and /readyz return 200
- product paths: return 503 until the product runtime is connected
- GitHub environment: edge-production
- secrets: no provider, database, Redis, or app session secrets
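The country and readiness rules listed for the docs lane and the app edge lane above are the same gate contract. The following is an added example, not the project's own Worker source, that expresses that contract as a pure decision function so the rules can be unit-tested before they are wired into a fetch handler. It assumes that `request.cf.country` is the Cloudflare country metadata the rules refer to, that the country check runs before the readiness check (so a non-US probe of /healthz is still rejected), and that the plain-text response bodies are placeholders.

```javascript
// Added example (not the gorunchat-app-gate source): edge gate decision logic
// for the rules on this page. Assumptions are marked in the comments.

const READINESS_PATHS = new Set(["/healthz", "/readyz"]);

// Returns { status, body } for a request path and the Cloudflare country
// metadata (an ISO code such as "US", or undefined when Cloudflare sent none).
// Assumption: the country check runs before the readiness check.
function edgeGateDecision(pathname, country) {
  if (country === undefined || country === null || country === "") {
    // Missing metadata on a public hostname is rejected, never treated as US.
    return { status: 403, body: "forbidden: no country metadata" };
  }
  if (country !== "US") {
    return { status: 403, body: "forbidden: country not allowed" };
  }
  if (READINESS_PATHS.has(pathname)) {
    return { status: 200, body: "ok" };
  }
  // Product paths return a deterministic 503 until the runtime is connected.
  return { status: 503, body: "not ready: product runtime not connected" };
}

// Worker entrypoint that maps the decision onto a Response. In a deployed
// Worker module this object would be the default export (export default worker).
const worker = {
  async fetch(request) {
    const { pathname } = new URL(request.url);
    // request.cf.country is populated by Cloudflare on proxied requests; it is
    // absent when the request did not arrive through the Cloudflare edge.
    const country = request.cf && request.cf.country;
    const { status, body } = edgeGateDecision(pathname, country);
    return new Response(body, {
      status,
      headers: {
        "content-type": "text/plain; charset=utf-8",
        // Gate responses must not be cached: a 403 or 503 reflects the
        // current request's metadata and runtime state, not the path.
        "cache-control": "no-store",
      },
    });
  },
};
```

Keeping the decision separate from the Response construction is what makes the rule table on this page checkable in CI: each bullet above becomes one assertion against edgeGateDecision, and the fetch handler only has to be reviewed for correctly reading request.cf.country.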
Future apex DNS mutation automation stays blocked until the change contract names hostname, target, proxy mode, owner, approval path, and rollback.
Zone-level country blocking is not managed yet. The validated token paths still need Cloudflare Rulesets write permission for that. Until then, early public app hostnames must use a Worker-fronted country gate or stay private.
GCP
The GCP project is gorunchat.
Core services are enabled for Cloud Run, Artifact Registry, Cloud Build, Compute, Secret Manager, BigQuery, Logging, Monitoring, Storage, Redis, Service Networking, and VPC access dependencies.
Current resources include:
- Artifact Registry repository gorunchat in us-central1.
- runtime service account gorunchat-run.
- jobs service account gorunchat-jobs.
- deployer service account gorunchat-deployer.
- VPC network gorunchat-core.
- subnet gorunchat-us-central1 with private Google access and VPC Flow Logs.
- Atlas PSC forwarding rule gorunchat-atlas-psc-us-central1 at 10.40.0.2, accepted by GCP.
- Cloud Run shell service gorunchat-api, revision gorunchat-api-00002-dmd.
- Cloud Run labels env=bootstrap, role=api-probe, and system=gorunchat.
- BigQuery dataset gorunchat_audit in US.
- BigQuery query-copy tables audit_events and discovery_records.
- Cloud Storage archive bucket for audit evidence with 3-year retention, Bucket Lock, versioning, uniform bucket-level access, and public access prevention.
- Cloud Storage Terraform state bucket gorunchat-terraform-state-276647067754, using backend prefix terraform/gorunchat.
- Memorystore instance gorunchat-redis in us-central1, STANDARD_HA, 5 GiB, Redis 7.2, AUTH enabled, and transit encryption enabled.
- project-level Data Access audit logging for Secret Manager, BigQuery, and Cloud Storage.
- Log Router sinks for BigQuery query copy and Cloud Storage archive.
W5A infrastructure is closer, but runtime signoff is not met. The app-owned ledger, outbox projector, and representative emitters are not implemented yet.
MongoDB Atlas
MongoDB Atlas has a dedicated project and one cluster for GoRunChat.
The active cluster is gorunchat-primary, hosted on GCP in CENTRAL_US, sized at M10, and backed by continuous backup with point-in-time recovery.
Scoped database users exist for app runtime and migration work. Runtime and migration connection strings exist in Secret Manager.
Atlas private connectivity is available through PSC:
- endpoint service 69eaf9ec27ffb24df59f9cbb.
- endpoint group gorunchat-atlas-psc-us-central1.
- endpoint IP 10.40.0.2.
- Atlas status AVAILABLE.
- GCP forwarding rule status ACCEPTED.
Runtime validation from the shell Cloud Run service passed for Redis and Atlas PSC.
IaC State
Bootstrap Terraform exists for selected baseline resources.
OpenTofu uses the GCS backend gs://gorunchat-terraform-state-276647067754/terraform/gorunchat.
Selected baseline resources are imported into OpenTofu remote state. The current drift plan reports no changes for managed baseline resources.
The Terraform state bucket is imported and managed with versioning, uniform bucket-level access, and public access prevention.
The Terraform Config workflow validates format and provider schema without remote backend access.
Memorystore gorunchat-redis is imported into OpenTofu remote state. The current plan reports no changes. Google reports the live Redis range as effective_reserved_ip_range, so Terraform records 10.103.214.48/29 in locals and leaves the creation-only input unset for the imported instance.
Cloud Run service gorunchat-api and baseline runtime IAM are also imported. The managed shell service, service invoker binding, Secret Manager access grants, deployer Cloud Run role, and Artifact Registry reader grant all plan clean.
Release identity IAM is imported too. hey.jones@icloud.com may impersonate gorunchat-deployer, and gorunchat-deployer may act as gorunchat-run for Cloud Run deploys.
W5A evidence pipeline resources are also imported. The query-copy tables, Log Router sinks, Data Access audit configs, archive object-writer IAM, and jobs BigQuery role all plan clean.
Ready Now
- Domain and repo name are chosen.
- Cloudflare operator auth is verified.
- Docs Worker is deployed at https://docs.gorunchat.com.
- Docs GitHub environment docs-production exists and is branch-limited to main.
- Docs GitHub deploy variable and secret exist.
- Docs GitHub workflow deploy passed.
- Docs Worker blocks non-US Cloudflare country metadata.
- Docs Worker blocks public requests with missing Cloudflare country metadata.
- Docs static assets are covered by Worker-entrypoint gating and Worker-first asset routing.
- App edge Worker blocks non-US Cloudflare country metadata.
- App edge Worker blocks public requests with missing Cloudflare country metadata.
- App edge hostnames return deterministic not-ready responses for product paths.
- App edge GitHub workflow and deploy environment are configured.
- GCP project and baseline runtime services exist.
- Artifact Registry exists.
- Runtime and jobs service accounts exist.
- Deployer service account exists.
- VPC and subnet exist.
- Atlas PSC endpoint exists and is accepted.
- BigQuery audit dataset exists.
- BigQuery audit and discovery query tables exist.
- Cloud Storage audit archive bucket exists.
- Terraform state bucket exists and backs OpenTofu remote state.
- Bucket Lock is enabled.
- Memorystore is ready.
- MongoDB Atlas cluster is ready.
- MongoDB and Redis runtime secrets exist.
- Cloud Run shell service validates Redis and Atlas PSC.
- Cloud Run release workflow validates the shell image without pushing or deploying.
- Cloud Run shell service and baseline runtime IAM are imported into OpenTofu with a clean drift plan.
- Release identity IAM is imported into OpenTofu with a clean drift plan.
- Terraform config workflow validates format and provider schema without GCP credentials.
- W5A evidence pipeline resources are imported into OpenTofu with a clean drift plan.
- Data Access audit logging is enabled for core evidence services.
Not Ready Yet
- Product runtime implementation has not started.
- Product Cloud Run runtime behavior does not exist yet.
- SSE, auth, provider, tools, MCP, files, messages, and audit routes are not implemented yet.
- Product runtime is not connected behind the app edge gate.
- Apex DNS records are not created.
- Zone-level Cloudflare country blocking is not managed yet.
- GitHub Cloud Run deploy is not configured.
- Production deployment is not signed off.