Runtime And Secrets

Target runtime shape, required inputs, secret projection, and fail-closed startup rules.

The runtime shape is contracted. A shell Cloud Run probe exists. Product runtime implementation has not started.

Use these rules when replacing the shell probe with product cmd/api, Cloud Run specs, config loading, and startup validation.

Target Runtime

cmd/api is the first app runtime.

The current shell runtime proves infrastructure only.

It exposes:

  • /health.
  • /readyz.
  • /probes/redis.
  • /probes/mongo.
  • /probes/all.

The product runtime must still serve:

  • Go HTTP API.
  • SSE streaming.
  • templ and HTMX web shell delivery.
  • direct Cloud Run ingress in us-central1.
  • Direct VPC egress to gorunchat-core and gorunchat-us-central1.

Operational data lives in MongoDB Atlas. Replay and coordination state lives in Memorystore for Redis. Audit query and archive paths use BigQuery and Cloud Storage.

Shell runtime evidence:

  • service: gorunchat-api.
  • revision: gorunchat-api-00002-dmd.
  • image digest: sha256:46de3062f5c3b9fadd884d17ecd88cde69162a470146c015e00381302a1c5cb4.
  • IaC state: imported into OpenTofu with a clean drift plan.
  • MONGODB_URI comes from MONGODB_APP_URI version 3.
  • REDIS_URI comes from REDIS_URL version 2.
  • REDIS_CA comes from REDIS_SERVER_CA_PEM version 2.
  • /probes/all returns 200 with Redis and MongoDB ok.

Cloud Firestore is not part of the first-parity runtime shape.

Serverless VPC Access connectors are not the default backend-connectivity path.

Required Runtime Inputs

Present managed inputs include provider keys, web-search keys, MongoDB connection strings, Redis connection data, and Redis CA material.

Do not publish raw values. Public docs may name required secret keys and runtime env names only.

Runtime Env Projection

Runtime env        | Secret Manager source  | Rule
-------------------+------------------------+----------------------------------------------------
MONGODB_URI        | MONGODB_APP_URI        | App runtime only. Migration jobs use the migration URI.
REDIS_URI          | REDIS_URL              | Keep the LibreChat-compatible runtime env name.
REDIS_CA           | REDIS_SERVER_CA_PEM    | Inject as a file or PEM content according to the Cloud Run plan.
USE_REDIS          | config                 | Required true for first-parity replay and coordination.
USE_REDIS_STREAMS  | config                 | Set explicitly based on the stream implementation.
OPENAI_API_KEY     | OPENAI_API_KEY         | Server-side only.
ANTHROPIC_API_KEY  | ANTHROPIC_API_KEY      | Server-side only.
GOOGLE_KEY         | GOOGLE_KEY             | Canonical Google chat env name.
GEMINI_API_KEY     | GEMINI_API_KEY         | Image-generation fallback.
XAI_API_KEY        | XAI_API_KEY            | Server-side only.
SERPER_API_KEY     | SERPER_API_KEY         | Preferred managed web-search provider.
FIRECRAWL_API_KEY  | FIRECRAWL_API_KEY      | Optional scraper upgrade.
JINA_API_KEY       | JINA_API_KEY           | Optional reranker.
COHERE_API_KEY     | expected when enabled  | Optional reranker.

Conditional endpoint secrets are required only when the related endpoint is enabled. Examples include Assistants, Azure, Azure Assistants, and Bedrock keys.

Auth And Session Secrets

Startup must require these baseline auth secrets:

  • JWT_SECRET
  • JWT_REFRESH_SECRET
  • CREDS_KEY

Startup must fail closed when a baseline secret is missing or left at a known sample default.

Conditional auth secrets are required when the related mode is enabled:

  • OPENID_CLIENT_SECRET
  • OPENID_SESSION_SECRET
  • LDAP_BIND_CREDENTIALS
  • SAML_SESSION_SECRET
  • enabled social-provider client ids and client secrets

Auth configuration also includes non-secret runtime envs for login, registration, password reset, OpenID, LDAP, and SAML behavior.

First parity uses serper as the managed web-search provider.

firecrawl, jina, and cohere are optional upgrades when those paths are enabled.

SERPAPI_API_KEY exists in current inventory, but SerpAPI is outside the active first-parity contract.

Cloudflare Secrets

Cloudflare control-plane secrets are for docs deploy and Cloudflare operations only.

They are runtime-forbidden. The app service account must not receive CLOUDFLARE_* secrets.

Docs CI uses Cloudflare account and Worker deploy credentials for the docs lane. That lane is separate from cmd/api.
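The fail-closed startup check from Auth And Session Secrets, combined with the runtime denial of CLOUDFLARE_* secrets described above, as an added Go example that is not the project's cmd/api code. The mode-flag names (OPENID_ENABLED, LDAP_ENABLED, SAML_ENABLED), the sample-default list and the map-backed environment are assumptions for the example.

```go
package main

import "strings"

// Env stands in for the process environment so the example runs offline;
// cmd/api would fill it from os.Environ (assumption, not project code).
type Env map[string]string

// Constructed sample defaults; the real list is the project's sample config.
var sampleDefaults = map[string]bool{"changeme": true, "sample": true}

// Baseline secrets are always required. The mode flags are assumed names:
// the page names the conditional secrets, not the envs that enable a mode.
var baseline = []string{"JWT_SECRET", "JWT_REFRESH_SECRET", "CREDS_KEY"}
var conditional = map[string][]string{
	"OPENID_ENABLED": {"OPENID_CLIENT_SECRET", "OPENID_SESSION_SECRET"},
	"LDAP_ENABLED":   {"LDAP_BIND_CREDENTIALS"},
	"SAML_ENABLED":   {"SAML_SESSION_SECRET"},
}

// Violations returns every startup rule the environment breaks. Startup
// fails closed: a non-empty result must abort before any listener opens.
func Violations(env Env) []string {
	var problems []string
	check := func(key string) {
		v, ok := env[key]
		if !ok || strings.TrimSpace(v) == "" {
			problems = append(problems, key+": missing")
		} else if sampleDefaults[strings.ToLower(v)] {
			problems = append(problems, key+": left at sample default")
		}
	}
	for _, k := range baseline {
		check(k)
	}
	for flag, keys := range conditional {
		if env[flag] == "true" { // conditional secrets only when the mode is on
			for _, k := range keys {
				check(k)
			}
		}
	}
	for k := range env { // Cloudflare control-plane secrets are runtime-forbidden
		if strings.HasPrefix(k, "CLOUDFLARE_") {
			problems = append(problems, k+": must not reach the runtime")
		}
	}
	return problems
}
```

The presence check deliberately reports every violation at once rather than stopping at the first, so one failed deploy shows the full set of missing or defaulted inputs.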

Frontend Rule

Frontend and startup config may expose provider availability and safe configuration shape.

They must never expose raw provider credentials, database credentials, Redis credentials, session secrets, or Cloudflare control-plane credentials.

Runtime Readiness Rule

Product runtime is not ready until these pieces exist and are verified:

  • structured logs.
  • request and trace correlation.
  • health endpoints.
  • Cloud Run runtime service account.
  • Direct VPC egress.
  • private Atlas connectivity.
  • version-pinned Secret Manager injection.
  • explicit denial of Cloudflare control-plane secrets to runtime.
  • W5A audit and discovery integration.

Current imported runtime IAM:

  • grants gorunchat-run access to shell and baseline runtime secrets.
  • grants gorunchat-jobs access to migration and Redis secrets.
  • lets gorunchat-deployer deploy Cloud Run and read Artifact Registry.
  • lets hey.jones@icloud.com impersonate gorunchat-deployer.
  • lets gorunchat-deployer act as gorunchat-run.
  • lets hey.jones@icloud.com invoke the protected shell service.

The Cloud Run Release workflow is build-only. It runs Go tests, builds the Docker image, starts the image locally, and checks /health plus /readyz. It does not push or deploy.