Infrastructure Inventory

Verified infrastructure state and remaining setup gaps for GoRunChat.

Baseline cloud infrastructure exists, but production readiness is not signed off.

Treat this page as the starting inventory for implementation and deploy work. It records known resources and known gaps. Do not infer runtime readiness from resource existence.

Cloudflare

The gorunchat.com zone is active in Cloudflare.

The zone has the proxied docs custom-domain record for docs.gorunchat.com. The apex does not resolve to an app target.

Cloudflare remains the DNS authority and an early edge gate. It is not the product runtime.

The docs lane is separate from the app runtime:

  • first docs hostname: docs.gorunchat.com
  • current docs URL: https://docs.gorunchat.com
  • fallback operator URL: https://gorunchat-docs.labs-testing.workers.dev
  • static site platform: Astro on Cloudflare Workers
  • Worker name: gorunchat-docs
  • approved deploy path: Worker deploy with wrangler
  • GitHub Actions deploy path: validated through docs-production
  • country rule: Cloudflare country metadata outside US returns 403
  • missing country metadata on public hostnames returns 403
  • asset routing: Worker entrypoint runs before assets
  • unused Pages projects and retained-state R2 buckets were removed after the Worker decision

The app edge lane is separate from the product runtime:

  • Worker name: gorunchat-app-gate
  • hostnames: app.gorunchat.com and api.gorunchat.com
  • country rule: Cloudflare country metadata outside US returns 403
  • missing country metadata on public hostnames returns 403
  • readiness: /healthz and /readyz return 200
  • product paths: return 503 until the product runtime is connected
  • GitHub environment: edge-production
  • secrets: no provider, database, Redis, or app session secrets
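The docs and app edge rules above (non-US country metadata and missing metadata both return 403, /healthz and /readyz return 200, product paths return 503) as a single Worker fetch handler; this is an added example, not the project's gorunchat-docs or gorunchat-app-gate code. It assumes request.cf.country carries the Cloudflare country metadata and that the country check runs before the readiness paths are answered.

```javascript
// Added example (not the project's own Worker code): a minimal Cloudflare
// Worker gate reproducing the edge behaviour this page records.
// Assumptions: request.cf.country is the Cloudflare country metadata, the
// Worker only runs behind Cloudflare's proxy, and the country check runs
// before the readiness paths are answered.

const ALLOWED_COUNTRIES = new Set(["US"]);
const READINESS_PATHS = new Set(["/healthz", "/readyz"]);

// Pure policy function so the gate can be unit-tested without a Worker runtime.
// Returns { status, body } for a request path and the Cloudflare country code
// (undefined when the metadata is missing).
function decide(pathname, country) {
  // Missing metadata fails closed: denied, not treated as "unknown but allowed".
  if (typeof country !== "string" || country.length === 0) {
    return { status: 403, body: "forbidden: missing country metadata" };
  }
  if (!ALLOWED_COUNTRIES.has(country.toUpperCase())) {
    return { status: 403, body: "forbidden: country not allowed" };
  }
  if (READINESS_PATHS.has(pathname)) {
    return { status: 200, body: "ok" };
  }
  // Product runtime is not connected yet: every product path gets the same
  // deterministic not-ready answer instead of an error from a missing origin.
  return { status: 503, body: "not ready: product runtime not connected" };
}

// Reads the country code the way a Worker sees it; cf is absent when the
// handler is exercised outside Cloudflare (for example in a local unit test).
function countryOf(request) {
  return request.cf && typeof request.cf.country === "string"
    ? request.cf.country
    : undefined;
}

// In a Worker this object is the module's default export.
const worker = {
  async fetch(request) {
    const { pathname } = new URL(request.url);
    const { status, body } = decide(pathname, countryOf(request));
    const headers = {
      "content-type": "text/plain; charset=utf-8",
      "cache-control": "no-store",
    };
    if (status === 503) headers["retry-after"] = "60";
    return new Response(body, { status, headers });
  },
};
```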

Future apex DNS mutation automation stays blocked until the change contract names the hostname, target, proxy mode, owner, approval path, and rollback.

Zone-level country blocking is not managed yet. The validated token paths still need Cloudflare Rulesets write permission for that. Until then, early public app hostnames must use a Worker-fronted country gate or stay private.

GCP

The GCP project is gorunchat.

Core services are enabled for Cloud Run, Artifact Registry, Cloud Build, Compute, Secret Manager, BigQuery, Logging, Monitoring, Storage, Redis, Service Networking, and VPC access dependencies.

Current resources include:

  • Artifact Registry repository gorunchat in us-central1.
  • runtime service account gorunchat-run.
  • jobs service account gorunchat-jobs.
  • deployer service account gorunchat-deployer.
  • VPC network gorunchat-core.
  • subnet gorunchat-us-central1 with private Google access and VPC Flow Logs.
  • Atlas PSC forwarding rule gorunchat-atlas-psc-us-central1 at 10.40.0.2, accepted by GCP.
  • Cloud Run shell service gorunchat-api, revision gorunchat-api-00002-dmd.
  • Cloud Run labels env=bootstrap, role=api-probe, and system=gorunchat.
  • BigQuery dataset gorunchat_audit in US.
  • BigQuery query-copy tables audit_events and discovery_records.
  • Cloud Storage archive bucket for audit evidence with 3-year retention, Bucket Lock, versioning, uniform bucket-level access, and public access prevention.
  • Cloud Storage Terraform state bucket gorunchat-terraform-state-276647067754, using backend prefix terraform/gorunchat.
  • Memorystore instance gorunchat-redis in us-central1, STANDARD_HA, 5 GiB, Redis 7.2, AUTH enabled, and transit encryption enabled.
  • project-level Data Access audit logging for Secret Manager, BigQuery, and Cloud Storage.
  • Log Router sinks for BigQuery query copy and Cloud Storage archive.

W5A infrastructure is closer to ready, but runtime signoff is not met. The app-owned ledger, outbox projector, and representative emitters are not implemented yet.

MongoDB Atlas

MongoDB Atlas has a dedicated project and one cluster for GoRunChat.

The active cluster is gorunchat-primary, hosted on GCP in CENTRAL_US, sized at M10, and backed by continuous backup with point-in-time recovery.

Scoped database users exist for app runtime and migration work. Runtime and migration connection strings exist in Secret Manager.

Atlas private connectivity is available through PSC:

  • endpoint service 69eaf9ec27ffb24df59f9cbb.
  • endpoint group gorunchat-atlas-psc-us-central1.
  • endpoint IP 10.40.0.2.
  • Atlas status AVAILABLE.
  • GCP forwarding rule status ACCEPTED.

Runtime validation from the shell Cloud Run service passed for Redis and Atlas PSC.

IaC State

Bootstrap Terraform exists for selected baseline resources.

OpenTofu uses the GCS backend gs://gorunchat-terraform-state-276647067754/terraform/gorunchat.

Selected baseline resources are imported into OpenTofu remote state. The current drift plan reports no changes for managed baseline resources.

The Terraform state bucket is imported and managed with versioning, uniform bucket-level access, and public access prevention.

The Terraform Config workflow validates format and provider schema without remote backend access.

Memorystore gorunchat-redis is imported into OpenTofu remote state. The current plan reports no changes. Google reports the live Redis range as effective_reserved_ip_range, so Terraform records 10.103.214.48/29 in locals and leaves the creation-only input unset for the imported instance.

Cloud Run service gorunchat-api and baseline runtime IAM are also imported. The managed shell service, service invoker binding, Secret Manager access grants, deployer Cloud Run role, and Artifact Registry reader grant all plan clean.

Release identity IAM is imported too. hey.jones@icloud.com may impersonate gorunchat-deployer, and gorunchat-deployer may act as gorunchat-run for Cloud Run deploys.

W5A evidence pipeline resources are also imported. The query-copy tables, Log Router sinks, Data Access audit configs, archive object-writer IAM, and jobs BigQuery role all plan clean.

Ready Now

  • Domain and repo name are chosen.
  • Cloudflare operator auth is verified.
  • Docs Worker is deployed at https://docs.gorunchat.com.
  • Docs GitHub environment docs-production exists and is branch-limited to main.
  • Docs GitHub deploy variable and secret exist.
  • Docs GitHub workflow deploy passed.
  • Docs Worker blocks non-US Cloudflare country metadata.
  • Docs Worker blocks public requests with missing Cloudflare country metadata.
  • Docs static assets are covered by Worker-entrypoint gating and Worker-first asset routing.
  • App edge Worker blocks non-US Cloudflare country metadata.
  • App edge Worker blocks public requests with missing Cloudflare country metadata.
  • App edge hostnames return deterministic not-ready responses for product paths.
  • App edge GitHub workflow and deploy environment are configured.
  • GCP project and baseline runtime services exist.
  • Artifact Registry exists.
  • Runtime and jobs service accounts exist.
  • Deployer service account exists.
  • VPC and subnet exist.
  • Atlas PSC endpoint exists and is accepted.
  • BigQuery audit dataset exists.
  • BigQuery audit and discovery query tables exist.
  • Cloud Storage audit archive bucket exists.
  • Terraform state bucket exists and backs OpenTofu remote state.
  • Bucket Lock is enabled.
  • Memorystore is ready.
  • MongoDB Atlas cluster is ready.
  • MongoDB and Redis runtime secrets exist.
  • Cloud Run shell service validates Redis and Atlas PSC.
  • Cloud Run release workflow validates the shell image without pushing or deploying.
  • Cloud Run shell service and baseline runtime IAM are imported into OpenTofu with a clean drift plan.
  • Release identity IAM is imported into OpenTofu with a clean drift plan.
  • Terraform config workflow validates format and provider schema without GCP credentials.
  • W5A evidence pipeline resources are imported into OpenTofu with a clean drift plan.
  • Data Access audit logging is enabled for core evidence services.

Not Ready Yet

  • Product runtime implementation has not started.
  • Product Cloud Run runtime behavior does not exist yet.
  • SSE, auth, provider, tools, MCP, files, messages, and audit routes are not implemented yet.
  • Product runtime is not connected behind the app edge gate.
  • Apex DNS records are not created.
  • Zone-level Cloudflare country blocking is not managed yet.
  • GitHub Cloud Run deploy is not configured.
  • Production deployment is not signed off.