govbase.dev production deployment

Intended production architecture for GovBase / GovAI on govbase.dev. Topology JSON: ../../hosted-saas/govbase-production-topology.json.

Architecture overview

                    ┌─────────────────────┐
                    │  govbase.dev        │
                    │  (Vercel dashboard) │
                    │  /, /docs, /help    │
                    │  /login, console    │
                    └──────────┬──────────┘
                               │ HTTPS
                               ▼
                    ┌─────────────────────┐
                    │ audit.govbase.dev   │
                    │ Rust audit API      │
                    │ /health /ready      │
                    └──────────┬──────────┘
                               │
                               ▼
                    ┌─────────────────────┐
                    │ Managed Postgres    │
                    │ ledger + tenants    │
                    └─────────────────────┘

Surfaces

| Surface | URL | Notes |
|---|---|---|
| Marketing and dashboard | https://govbase.dev | Next.js dashboard/ |
| Documentation | https://govbase.dev/docs | Canonical docs/*.md |
| Help center | https://govbase.dev/help | Operator guides |
| Hosted audit API | https://audit.govbase.dev | Evidence ingest and summaries |
| Tenant console | https://govbase.dev/tenant-console | Snapshot-driven UI |
| Onboarding | https://govbase.dev/onboarding | Live checklist backed by tenant_onboarding_progress |

Environment variables

Dashboard (Vercel)

| Variable | Purpose |
|---|---|
| NEXT_PUBLIC_SITE_URL | https://govbase.dev |
| NEXT_PUBLIC_GOVAI_API_BASE_URL | https://audit.govbase.dev |
| AIGOV_AUDIT_URL | Server-side audit fetches |
| SUPABASE_URL | Session auth |
| SUPABASE_SERVICE_ROLE_KEY | Server auth (secret) |

Audit API

| Variable | Purpose |
|---|---|
| DATABASE_URL | Postgres connection |
| GOVAI_BASE_URL | Canonical public URL in /status |
| GOVAI_STRIPE_SECRET_KEY | Optional billing |
| GOVAI_STRIPE_WEBHOOK_SECRET | Optional webhooks |

See also ../hosted-backend-deployment.md and ../env-resolution.md.

Production secrets

Store in the operator secret manager; rotate at least every 90 days. Never commit .env with production values.

Database

Managed Postgres with TLS, RLS per tenant, and automated backups (see backup-and-disaster-recovery.md).

Monitoring

  • Liveness: GET https://audit.govbase.dev/health
  • Readiness: GET https://audit.govbase.dev/ready
  • Metrics: GET https://audit.govbase.dev/metrics

Backups

Follow backup-and-disaster-recovery.md. Verify restore in staging each quarter.

Signup-to-ready flow

  1. User signs in on govbase.dev (Supabase).
  2. Dashboard calls POST /api/tenants on audit.govbase.dev with the access token.
  3. Audit API provisions tenant, team, ledger binding, billing row, onboarding steps, and optional API key.
  4. User completes /onboarding; progress is stored in tenant_onboarding_progress.
  5. Integrations use the issued API key against /evidence and /compliance-summary (hash-resolved tenant scope).

Legacy pilots may still set GOVAI_API_KEYS / GOVAI_API_KEYS_JSON; provisioned keys in tenant_api_keys work without adding plaintext to env.

Deployment checklist

  • NEXT_PUBLIC_SITE_URL and GOVAI_BASE_URL match public DNS
  • Migrations applied through 0022_tenant_registry.sql (sqlx migrate or GOVAI_AUTO_MIGRATE)
  • /ready green on audit origin
  • Stripe webhooks registered when billing enabled
  • WAF / rate limits configured at edge
  • make hosted-saas-readiness-check passes in CI
  • On-call rotation and status page configured
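
The environment-related checklist items can be checked mechanically before a release. The following is an added example, not part of the GovBase repository: the function names are hypothetical, and it assumes that GOVAI_BASE_URL should share an origin with NEXT_PUBLIC_GOVAI_API_BASE_URL and that DATABASE_URL is a libpq-style URL whose sslmode parameter is honoured.

```python
from urllib.parse import parse_qs, urlsplit

# Variable names are the ones in the tables on this page.
SERVER_ONLY = ("SUPABASE_SERVICE_ROLE_KEY", "GOVAI_STRIPE_SECRET_KEY",
               "GOVAI_STRIPE_WEBHOOK_SECRET", "DATABASE_URL")
LEGACY_KEY_VARS = ("GOVAI_API_KEYS", "GOVAI_API_KEYS_JSON")


def origin(url):
    """Reduce a URL to scheme://host[:port] so trailing paths do not matter."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc}".lower()


def preflight(dashboard_env, audit_env):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    public_urls = {
        "NEXT_PUBLIC_SITE_URL": dashboard_env.get("NEXT_PUBLIC_SITE_URL", ""),
        "NEXT_PUBLIC_GOVAI_API_BASE_URL": dashboard_env.get("NEXT_PUBLIC_GOVAI_API_BASE_URL", ""),
        "GOVAI_BASE_URL": audit_env.get("GOVAI_BASE_URL", ""),
    }
    for name, value in public_urls.items():
        if urlsplit(value).scheme != "https":
            findings.append(f"{name}: missing or not https")
    # Assumption: the dashboard's API base and the API's own canonical URL agree.
    api, base = public_urls["NEXT_PUBLIC_GOVAI_API_BASE_URL"], public_urls["GOVAI_BASE_URL"]
    if api and base and origin(api) != origin(base):
        findings.append("GOVAI_BASE_URL: differs from NEXT_PUBLIC_GOVAI_API_BASE_URL")
    # Next.js inlines NEXT_PUBLIC_* values into the browser bundle.
    for name in dashboard_env:
        if name.startswith("NEXT_PUBLIC_") and name[len("NEXT_PUBLIC_"):] in SERVER_ONLY:
            findings.append(f"{name}: server-only secret exposed to the browser")
    # Assumption: DATABASE_URL is a libpq-style URL whose sslmode is honoured.
    query = urlsplit(audit_env.get("DATABASE_URL", "")).query
    if parse_qs(query).get("sslmode", [""])[0] not in ("require", "verify-ca", "verify-full"):
        findings.append("DATABASE_URL: sslmode does not enforce TLS")
    for name in LEGACY_KEY_VARS:
        if audit_env.get(name):
            findings.append(f"{name}: plaintext API keys in env (legacy path)")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not real configuration.
    dashboard = {"NEXT_PUBLIC_SITE_URL": "http://govbase.dev",
                 "NEXT_PUBLIC_GOVAI_API_BASE_URL": "https://audit.govbase.dev"}
    audit = {"GOVAI_BASE_URL": "https://audit.govbase.dev/",
             "DATABASE_URL": "postgres://app@db.example.invalid/govai?sslmode=prefer"}
    print("\n".join(preflight(dashboard, audit)) or "ok")
```

An empty result covers only the environment values; /ready, migrations, and edge controls still need their own checks.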