scripts/deploy/render-secrets-template.md

# Render Secrets — Configuration Checklist

This document lists every environment variable that must be set in the
Render dashboard for `hasarui-api` and `hasarui-worker`. Most are
declared `sync: false` in `render.yaml`, which means Render keeps the
key empty until you set it manually (so they never get committed to
git).

After applying `render.yaml` via **Blueprints -> New Blueprint** in the
dashboard, go to each service -> **Environment** and populate:

---

## 1. JWT / auth

| Key                | Service(s)      | How to set                                        |
|--------------------|-----------------|---------------------------------------------------|
| `JWT_SECRET_KEY`   | api, worker     | Auto-generated by Render; worker pulls from api.  |
| `API_KEYS`         | api, worker     | Comma-separated tenant keys, e.g. `client1_xxx,client2_yyy`. |
| `ADMIN_EMAIL`      | api             | First admin user email.                           |
| `ADMIN_PASSWORD`   | api             | First admin password (rotate after first login).  |

## 2. S3 (model weights + uploaded images)

Use any S3-compatible provider. Recommended for pilot: **Cloudflare R2**
(zero egress) or **Backblaze B2** (~$0.005/GB).

| Key                  | Example value                                          | Notes                                   |
|----------------------|--------------------------------------------------------|-----------------------------------------|
| `S3_ENDPOINT`        | `https://<accountid>.r2.cloudflarestorage.com`         | Empty for plain AWS S3.                 |
| `S3_REGION`          | `auto` (R2) / `eu-central-1` (AWS) / `eu-central-003` (B2) | Match the bucket.                    |
| `S3_ACCESS_KEY`      | (provider IAM access key id)                           | Use a *scoped* key, not root.           |
| `S3_SECRET_KEY`      | (provider IAM secret)                                  | Treat as max-sensitive.                 |
| `S3_BUCKET`          | `hasarui-inspections-prod`                             | Stores uploaded images & artefacts.     |
| `S3_PUBLIC_ENDPOINT` | `https://cdn.hasarui.com` or signed-URL base           | Used to build URLs returned to clients. |

### Model bundle bucket (can be the same bucket, different prefix)

| Key                | Example                                | Notes                                  |
|--------------------|----------------------------------------|----------------------------------------|
| `MODEL_S3_BUCKET`  | `hasarui-models`                       | Bucket containing model weights.       |
| `MODEL_S3_PREFIX`  | `models/full_20260515_044630`          | Already set in render.yaml.            |

### Uploading the model bundle (one-time)

From a machine with the snapshot dir on disk:

```bash
aws s3 sync \
  services/ml/runs/bundles/full_20260515_044630/_SNAPSHOT_FOR_BUILD/ \
  s3://hasarui-models/models/full_20260515_044630/ \
  --endpoint-url https://<accountid>.r2.cloudflarestorage.com
```

After upload, redeploy `hasarui-api` once; the entrypoint will pull the
three `.pt` files into `/app/models/` on boot (~30 s on first boot).

## 3. CORS

| Key                  | Example                                                                |
|----------------------|------------------------------------------------------------------------|
| `CORS_ORIGINS`       | `https://hasarui.vercel.app,https://app.hasarui.com,tauri://localhost` |
| `CORS_ORIGIN_REGEX`  | `^https://([a-z0-9-]+\.)*hasarui\.com$`                                |

For the desktop (Tauri) app include `tauri://localhost` and
`http://tauri.localhost`. For Expo dev clients include
`http://localhost:8081`.

## 4. Observability (optional but strongly recommended)

| Key             | Where to get it                                  |
|-----------------|--------------------------------------------------|
| `SENTRY_DSN`    | Sentry project settings -> Client Keys (DSN).    |

## 5. Deploy hooks (set in GitHub repo secrets, NOT Render)

After creating the services, copy each one's **Deploy Hook URL** from
Render -> Service -> Settings -> Deploy Hook, and add to GitHub:

| GitHub secret name             | Value                              |
|--------------------------------|------------------------------------|
| `RENDER_DEPLOY_HOOK_API`       | Deploy hook URL for `hasarui-api`. |
| `RENDER_DEPLOY_HOOK_WORKER`    | Deploy hook URL for `hasarui-worker`. |

---

## Cost reference (May 2026)

| Component                   | Plan      | Monthly |
|-----------------------------|-----------|---------|
| `hasarui-api` (web)         | starter   | $7      |
| `hasarui-api` (web)         | standard  | $25     |
| `hasarui-worker`            | starter   | $7      |
| `hasarui-redis`             | starter   | $10     |
| `hasarui-db` (Postgres)     | starter   | $7      |
| **Total (starter)**         |           | **~$31** |
| **Total (standard web)**    |           | **~$49** |

Add S3 (R2: ~$0.015/GB stored, $0 egress) and Sentry developer free tier.

---

## Operational notes

- **Cold start**: starter plans do NOT spin down. Stay on starter
  minimum even when traffic is low — free tier spins down after 15 min
  and the first inference would cost ~45 s of cold boot (uvicorn +
  model load).
- **Memory**: the warmed pipeline holds ~700 MB of weights in RAM.
  Starter (512 MB) will OOM. Bump `hasarui-api` and `hasarui-worker`
  to **standard ($25)** before doing real inference.
- **Filesystem is ephemeral**: every deploy and every restart wipes
  `/app/models`. That is why we re-fetch from S3 in
  `scripts/entrypoint.sh`. Boot time: ~30 s for the 3 weight files.
- **One worker concurrency**: keep `--concurrency=1` until you
  upgrade plans — two parallel inferences on a 0.5 CPU plan starve
  each other.
- **Secrets rotation**: rotate `S3_ACCESS_KEY` / `JWT_SECRET_KEY`
  every 90 days. JWT rotation invalidates active sessions — schedule
  during a maintenance window.