# Bilko Stage Environment — Cloud Run Services (Phase 2)

## Overview

MC: #10177 Phase 2  |  Deployed: 2026-04-30  |  Git SHA: 1f48fdc  |  Status: LIVE, healthy

GCP Project: tribal-sign-487920-k0  |  Region: europe-north1

**WARNING — TD-3 PROD CUTOVER BLOCKER (MC #10241):** bilko-staging-db uses public IP (0.0.0.0/0 authorized network, requireSsl=false). Acceptable for stage only. MUST NOT be replicated to production. Production deploy is blocked until Cloud SQL private IP + VPC connector is configured.

## Live Services

| Service | URL | Image | Min/Max | Memory | Status |
|---|---|---|---|---|---|
| bilko-api-stage | bilko-api-stage | bilko/api:stage-1f48fdc | 0/2 | 512Mi, CPU 1 | LIVE |
| bilko-web-stage | bilko-web-stage | bilko/web:stage-1f48fdc | 0/2 | 512Mi, CPU 1 | LIVE |

Full Artifact Registry prefix: `europe-north1-docker.pkg.dev/tribal-sign-487920-k0/`

## bilko-api-stage Detail

| Field | Value |
|---|---|
| Dockerfile | Dockerfile.api-kotlin (Kotlin/Ktor, port 4001) |
| JAVA_OPTS | HikariCP connection pool tuned |
| Cloud SQL | tribal-sign-487920-k0:europe-north1:bilko-staging-db via direct TCP 35.228.33.112:5432 (TD-2 + TD-3) |
| Secrets | `bilko-staging-db-password`, `bilko-jwt-secret`, `bilko-jwt-refresh-secret`, `bilko-staging-field-encryption-key` (NEW, ADR-014), `bilko-staging-field-hmac-key` (NEW, ADR-014) |
| SA | bilko-api-stage-sa@tribal-sign-487920-k0.iam.gserviceaccount.com |
| SA roles | `cloudsql.client`, `secretmanager.secretAccessor` |
| Smoke | GET /api/v1/health → 200 `{"status":"ok","service":"bilko-api","version":"1.0.0"}` |
| Revision | bilko-api-stage-00001-5x8 (100% traffic) |

## bilko-web-stage Detail

| Field | Value |
|---|---|
| Dockerfile | apps/web/Dockerfile (Next.js 15) |
| NEXT_PUBLIC_API_URL | https://bilko-api-stage-dh4m46blja-lz.a.run.app/api/v1 |
| NEXT_PUBLIC_APP_ENV | stage |
| Smoke | GET / → 200 (HTML, lang=sr-Latn) |
| Revision | bilko-web-stage-00001-c45 (100% traffic) |
| Build note | Fresh npm install (no lockfile) — workaround TD-1 MC #10239 |

## Smoke Test Commands

```bash
# API health (expected: {"status":"ok","service":"bilko-api","version":"1.0.0"})
curl -s https://bilko-api-stage-dh4m46blja-lz.a.run.app/api/v1/health

# Web root (expected: HTTP 200)
curl -s -o /dev/null -w "HTTP %{http_code}" https://bilko-web-stage-dh4m46blja-lz.a.run.app
```

## Stage Rollback

```bash
# List revisions
gcloud run revisions list --service bilko-api-stage \
  --project=tribal-sign-487920-k0 --region=europe-north1

# Route to prior revision
gcloud run services update-traffic bilko-api-stage \
  --project=tribal-sign-487920-k0 --region=europe-north1 \
  --to-revisions=REVISION_NAME=100
```

## Stage Redeploy (image update only)

```bash
gcloud run services update bilko-api-stage \
  --project=tribal-sign-487920-k0 --region=europe-north1 \
  --image=europe-north1-docker.pkg.dev/tribal-sign-487920-k0/bilko/api:NEW_TAG

gcloud run services update bilko-web-stage \
  --project=tribal-sign-487920-k0 --region=europe-north1 \
  --image=europe-north1-docker.pkg.dev/tribal-sign-487920-k0/bilko/web:NEW_TAG
```

## Phase 2 Tech Debt Tracker

| ID | MC | Description | Severity | Blocks |
|---|---|---|---|---|
| TD-1 | #10239 | package-lock.json macOS arm64 missing linux-x64 native bins — fresh npm install workaround | Medium | Clean stage re-deploys |
| TD-2 | #10240 | postgres-socket-factory not in build.gradle.kts — Kotlin API uses direct TCP public IP | Medium | Secure DB connectivity |
| TD-3 | #10241 | bilko-staging-db: 0.0.0.0/0 + requireSsl=false — STAGE ONLY, NEVER replicate to prod | BLOCKER | PROD CUTOVER Phase 5 |

## Key Learnings

- Lockfile drift macOS/linux: fresh npm install required per build until TD-1 fixed
- Kotlin Cloud SQL TCP via public IP works for stage, NOT prod (TD-2 + TD-3)
- `--no-traffic` flag invalid on new service creation — route 100% on first deploy
- Field encryption/HMAC keys are random per env (stage isolated from prod — ADR-014)
- HikariCP socketPath URL param silently ignored — always use explicit host:port for direct TCP

## References

- Phase 1 Cloud SQL: Bilko Stage Environment — Cloud SQL & IAM (Phase 1)
- MC #10177 (parent), #10239 / #10240 / #10241 (TD items)
- ADR-014 (field encryption), ADR-021 (blueprint Section 15)
- DEPLOY-MAP.md section: Cloud Run Stage Services
- RUNBOOK.md section: 7a Stage Cloud Run Services Access
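
The TD-3 warning says production must not inherit the stage Cloud SQL network settings. A pre-cutover gate for that condition follows, as an added example that is not part of the original page or the project's tooling. It reads the JSON from `gcloud sql instances describe INSTANCE --format=json`; the function name `cutover_blockers`, both sample documents and the `EXAMPLE_*` placeholders are assumptions made for illustration.

```python
import ipaddress
import json
import sys

# Constructed sample: only the fields this check reads, set to the stage values
# this page reports under TD-3 (public IP, 0.0.0.0/0, requireSsl=false).
STAGE_SAMPLE = json.loads("""{
  "name": "bilko-staging-db",
  "settings": {"ipConfiguration": {
    "ipv4Enabled": true,
    "requireSsl": false,
    "authorizedNetworks": [{"name": "all", "value": "0.0.0.0/0"}]}}}""")

# Constructed sample of the target state the warning asks for (private IP only).
PRIVATE_SAMPLE = json.loads("""{
  "name": "EXAMPLE_PROD_DB",
  "settings": {"ipConfiguration": {
    "ipv4Enabled": false,
    "requireSsl": true,
    "authorizedNetworks": [],
    "privateNetwork": "projects/EXAMPLE_PROJECT/global/networks/EXAMPLE_VPC"}}}""")

def cutover_blockers(instance: dict) -> list[str]:
    """Return TD-3 style findings; an empty list means the gate passes."""
    ipcfg = instance.get("settings", {}).get("ipConfiguration", {})
    findings = []
    # Fail closed: a missing ipv4Enabled field is treated as a public IP.
    if ipcfg.get("ipv4Enabled", True):
        findings.append("public IP enabled")
    for net in ipcfg.get("authorizedNetworks", []):
        cidr = ipaddress.ip_network(net["value"], strict=False)
        if cidr.prefixlen == 0:  # matches 0.0.0.0/0 and ::/0
            findings.append(f"authorized network {cidr} admits any address")
    # requireSsl is the older flag; sslMode is the newer field for the same control.
    tls_enforced = ipcfg.get("requireSsl") is True or ipcfg.get("sslMode") in (
        "ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED")
    if not tls_enforced:
        findings.append("TLS not required for connections")
    if not ipcfg.get("privateNetwork"):
        findings.append("no private network configured")
    return findings

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else STAGE_SAMPLE
    problems = cutover_blockers(doc)
    print("\n".join(problems) or "no cutover blockers")
    sys.exit(1 if problems else 0)
```

Run as a deploy-pipeline step against the exported instance JSON; the non-zero exit code stops the cutover while any finding remains.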