Bilko Stage Environment — Cloud SQL & IAM (Phase 1)

Summary MC #10177 Phase 1 (FlowForge, 2026-04-29): bilko-staging-db Cloud SQL instance brought under Flyway management. Pre-existing instance (2026-04-15, Prisma-managed). V1+V2+V4+V5 baselined, V3 actually executed. IAM SA created. Phase 2 (Cloud Run) pending. Instance Details Field Value Instance name bilko-staging-db Connection name tribal-sign-487920-k0:europe-north1:bilko-staging-db IP 35.228.33.112 Tier db-g1-small Version POSTGRES_16 State RUNNABLE (pre-existing since 2026-04-15; reused) Database bilko App user bilko Migration admin migration_admin Secret bilko-staging-db-password (Secret Manager, 2026-04-15) IAM SA bilko-api-stage-sa@tribal-sign-487920-k0.iam.gserviceaccount.com IAM SA roles roles/cloudsql.client + roles/secretmanager.secretAccessor Total tables 24 (public schema) Flyway State (2026-04-29) Version Script Status V1 V1__initial_schema.sql Baselined (DDL existed via Prisma) V2 V2__add_missing_prisma_columns.sql Baselined (DDL existed via Prisma) V3 V3__add_jmbg_oib_encryption.sql EXECUTED LIVE — jmbg/jmbg_hash/oib/oib_hash + 2 indexes added to contacts (ADR-014) V4 V4__add_supplementary_tables.sql Baselined (DDL existed via Prisma) V5 V5__add_logo_url_to_organizations.sql Baselined (DDL existed via Prisma) Open Risks V3 prod gap: Prisma migrations never included V3. Production DB may be missing jmbg/oib columns on contacts. Audit required before Kotlin cutover (separate MC pending). Prod topology unknown: bilko-staging-db is the only documented Cloud SQL instance. Whether a separate prod instance exists is unconfirmed. Audit required before Phase 2 prod deploy. MC #10187: gradle flywayMigrate broken (Flyway plugin 10.22.0 + Gradle 9.3.1 incompatibility). Workaround: psql sequential apply. Phase Status Phase 1 (Cloud SQL + IAM + Flyway baseline): COMPLETE Phase 1.5 (Proveo validation): pending Phase 2 (Cloud Run bilko-api-stage + bilko-web-stage): Mehanik gate next References MC #10177 (parent), MC #10183 (Flyway verify), MC #10187 (gradle fix) ADR-014 (field encryption), ADR-021 (blueprint reorg) DEPLOY-MAP.md — Cloud SQL Instances section RUNBOOK.md — Section 7g Evidence: /tmp/bilko-stage-phase1-evidence.json (FlowForge)