# Render Blueprint — Iris cloud deployment (ADR-096).
# Deploy via Render Dashboard → New → Blueprint, point to this repo.
# Secrets (sync: false) must be entered manually in the Render Dashboard.
services:
# --- Frontend: SvelteKit SPA served as static files ---
# Every envVar on this service is read by the static build below. Vite
# exposes VITE_-prefixed variables to client code, so their values end up
# in the published JavaScript: `sync: false` keeps a value out of this
# repo, not out of the browser. Only put values here that are safe to be
# public.
# NOTE(review): no `headers:` rules are declared for this static site. The
# iris-api comments in this file place the OAuth consent screen on this
# host (<IRIS_WEB_URL>/oauth/authorize), so framing and content-security
# response headers for it need to be set here or in the dashboard —
# confirm where they are configured.
- type: web
  name: iris-frontend
  runtime: static
  # `npm ci` installs exactly what frontend/package-lock.json pins.
  buildCommand: cd frontend && npm ci && npm run build
  staticPublishPath: frontend/build
  envVars:
  - key: VITE_DB_BACKEND
    value: supabase
  - key: VITE_SUPABASE_URL
    sync: false
  # Supabase anon key: intended to be public, so access control rests on
  # row-level security in the database. The service-role key must never be
  # given a VITE_ name or set on this service.
  - key: VITE_SUPABASE_ANON_KEY
    sync: false
  - key: VITE_API_BASE_URL
    sync: false
  - key: VITE_SCENIA_URL
    sync: false
  # Absolute base URL for this deployment — used by Open Graph /
  # Twitter meta tags so social preview images are served with a
  # full URL (ADR-126). Example: `https://iris-uat.chrisbarlow.nz`.
  # Interpolated into src/app.html at build time via
  # %sveltekit.env.PUBLIC_SITE_URL%. Must be set per environment
  # in the Render dashboard (sync: false).
  - key: PUBLIC_SITE_URL
    sync: false
  # SPA fallback: requests are rewritten to index.html so the client-side
  # router resolves the path.
  routes:
  - type: rewrite
    source: /*
    destination: /index.html
# --- Scenia: React roadmapping SPA (external fork) ---
# NOTE(review): this service is built from a different repository than the
# one holding this blueprint, and it tracks a branch name. A branch is a
# mutable ref, so whatever is at its head is what gets installed and built.
# Restrict who can push to `feature/iris-embed`, review changes to that
# repo's lockfile, and confirm in the dashboard whether pushes there
# deploy automatically.
- type: web
  name: scenia
  runtime: static
  repo: https://github.com/cgbarlow/waylonkenning_scenia
  branch: feature/iris-embed
  # `npm ci` installs exactly what the fork's package-lock.json pins.
  buildCommand: npm ci && npx vite build --config vite.config.app.ts
  staticPublishPath: dist
  envVars:
  # VITE_-prefixed, so the value is exposed to client code in the bundle.
  - key: VITE_API_BASE_URL
    sync: false
  # SPA fallback: requests are rewritten to index.html so the client-side
  # router resolves the path.
  routes:
  - type: rewrite
    source: /*
    destination: /index.html
# --- Backend: FastAPI via uvicorn (Docker for mdbtools/.eap import) ---
# This is the only service in the file that holds signing secrets and the
# Supabase service-role key. All of them are `sync: false`, i.e. entered in
# the Render dashboard and never committed.
- type: web
  name: iris-api
  runtime: docker
  plan: free
  region: singapore
  dockerfilePath: backend/Dockerfile
  # Build context is the repo root, so the whole repository is visible to
  # the image build.
  # NOTE(review): confirm a .dockerignore keeps local env files out of the
  # context.
  dockerContext: .
  envVars:
  - key: IRIS_DB_BACKEND
    value: supabase
  - key: SUPABASE_URL
    sync: false
  - key: SUPABASE_ANON_KEY
    sync: false
  - key: SUPABASE_SERVICE_ROLE_KEY
    # The service-role key bypasses row-level security. Keep it on this
    # backend service only; it must not appear on the static services.
    sync: false
  - key: SUPABASE_DB_URL
    # NOTE(review): presumably a Postgres connection string that embeds
    # the database password — treat as a credential; confirm in config.
    sync: false
  - key: SUPABASE_JWT_SECRET
    # Signing secret for Supabase-issued JWTs; anyone holding it can mint
    # tokens that verify against it.
    sync: false
  - key: IRIS_JWT_SECRET
    # v6.0.14 (ADR-174): HS256 signing secret for iris-issued JWTs.
    # The /oauth/token endpoint mints OAuth bearers signed with this
    # secret; _get_current_user_supabase validates them using the
    # same. Without this set, the code falls back to a dev default
    # string baked into config.py — which is in the public repo and
    # would let anyone with the iris-api URL forge tokens.
    # Generate with: openssl rand -hex 32
    # NOTE(review): the fallback described above fails open. Safer is for
    # startup to refuse to run when this is unset and IRIS_DEBUG is
    # "false" — confirm what config.py does. With a single symmetric
    # secret, rotating it presumably invalidates every token already
    # issued; plan rotations accordingly.
    sync: false
  - key: IRIS_CORS_ORIGINS
    # NOTE(review): presumably the list of browser origins allowed to call
    # the API. Name the deployed frontend origins explicitly rather than
    # using a wildcard — confirm the expected format in config.
    sync: false
  - key: IRIS_DEBUG
    # Quoted so the environment variable is the string "false".
    value: "false"
  - key: IRIS_WEB_URL
    # v6.0.11 (ADR-171): sourced for the OAuth `authorization_endpoint`
    # in the RFC 8414 AS metadata. The user-facing consent screen
    # is a SvelteKit page at <IRIS_WEB_URL>/oauth/authorize, NOT a
    # FastAPI route on the API host. Without this, claude.ai
    # redirected user browsers to the API host and got HTTP 404.
    # This value is committed and names the UAT host. OAuth clients send
    # users to whatever host is set here for consent, so any other
    # environment created from this blueprint must override it.
    value: https://iris-uat.chrisbarlow.nz
  # v5.5.7 (issue #55 follow-up): GitHub PAT used by
  # POST /api/extensions/{id}/check-update to query releases.
  # Without it, requests are unauthenticated (60/hr per IP) and
  # Render's shared egress hits the limit quickly → 403. With it,
  # the limit is 5000/hr per token. Use a fine-grained PAT scoped
  # to "Public Repositories (read-only)" — no write access needed.
  - key: GITHUB_TOKEN
    sync: false
# --- MCP server: standalone Streamable-HTTP MCP for AI agents ---
# ADR-134: split out of iris-api so the API doesn't carry the MCP SDK
# in resident memory (free dyno is 512 MB; embedded mount OOM'd).
# NOTE(review): no signing secret or Supabase key is declared for this
# service, so bearer tokens are presumably validated by calling iris-api
# rather than locally — confirm, and keep it that way so this internet-
# facing service holds no long-lived secrets.
- type: web
  name: iris-mcp
  runtime: docker
  plan: free
  region: singapore
  dockerfilePath: mcp/Dockerfile
  # Build context is the repo root, as for iris-api.
  dockerContext: .
  envVars:
  - key: IRIS_API_URL
    # Render-assigned URL of the iris-api service above. Update if
    # iris-api ever moves to a custom domain.
    # Committed value: a stale or wrong host here means this service
    # forwards requests to that host instead of iris-api.
    value: https://iris-api-gtb3.onrender.com
  - key: IRIS_WEB_URL
    # v5.6.1: front-end URL the MCP returns alongside entity ids
    # so the AI host can produce real "https://iris-uat..." links
    # instead of guessing the host. Optional — when unset the MCP
    # omits `web_url` from tool responses.
    value: https://iris-uat.chrisbarlow.nz
  - key: IRIS_MCP_PUBLIC_URL
    # v6.0.9 (ADR-169): canonical iris-mcp public URL. Used as the
    # `resource` field in the RFC 9728 Protected Resource metadata
    # document at /.well-known/oauth-protected-resource. MCP clients
    # use this to identify the resource server when starting an
    # OAuth dance. Without this env var, `resource` falls back to
    # IRIS_API_URL, which works but isn't the actual MCP endpoint.
    # NOTE(review): the iris-api hostname above carries a Render-assigned
    # suffix (`-gtb3`) while this one has none. Verify this is the hostname
    # Render actually assigned to iris-mcp, since clients treat `resource`
    # as the identity of the server they are authorizing against.
    value: https://iris-mcp.onrender.com