Environments

Last updated: 2026-05-31

Env	Purpose	URL	Database
dev	Local development	localhost:8787	local D1
production (CF Workers)	API gateway (public entry)	https://finstack-api-gateway.glctc.workers.dev	—
production (CF Workers)	Dashboard + auth	https://finstack-dashboard-ar0.pages.dev	Cloudflare D1 `finstack-dashboard-auth` (Galactic)
production (Fly.io)	Rust API backend (internal)	https://finstack-api.fly.dev ⚠️ internal only	Neon Postgres us-east-1
production (CF Workers)	Marketing site	https://finstack-marketing.glctc.workers.dev	—

⚠️ finstack-api.fly.dev is internal-only (ADR-2). All consumer traffic must go through the gateway. All CF assets now on Galactic account (79ab1e991d169dab74424fd917c22195).

Brand domain — TBD

No production custom domain yet. Marketing site is live at finstack-marketing.glctc.workers.dev. A FinStack-branded domain is still to be acquired (finstack.com/.io/.dev/.ai all taken; .sh/.build available on Spaceship pending funds). paystream.fi is a separate project — not FinStack.

CF Workers (finstack-api-gateway)

Worker: finstack-api-gateway · account: Galactic (79ab1e991d169dab74424fd917c22195)
URL: https://finstack-api-gateway.glctc.workers.dev
Routes: /healthz (local), /v1/*, /admin/*, /mcp, /oauth/*, /webhooks/* → proxied to core
Secrets (set via wrangler secret put --config api-gateway/wrangler.toml):
- GATEWAY_TOKEN — shared secret injected as X-Gateway-Token on every upstream request
- FINSTACK_API_URL — https://finstack-api.fly.dev
Vars: ALLOWED_DASHBOARD_ORIGIN = https://finstack-dashboard.pages.dev

Fly.io (finstack-api)

App: finstack-api · region iad · shared-cpu-1x 512MB
Image: registry.fly.io/finstack-api (Rust 1.95 + distroless)
Health check: GET /healthz → "ok"
Secrets (set via fly secrets set):
- DATABASE_URL — Neon Postgres, finstack_app role (no BYPASSRLS)
- DATABASE_ADMIN_URL — Neon Postgres, neondb_owner role (BYPASSRLS)
- DATABASE_WORKER_URL — Required for orchestration sweeper. Neon Postgres, neondb_owner role (BYPASSRLS, same role as DATABASE_ADMIN_URL). Uses pooler endpoint. If unset, the sweeper falls back to DATABASE_URL (finstack_app) which will fail with 42501 on every cross-tenant update.
- INTERNAL_CALL_SECRET — Shared bearer secret used by the orchestration executor when calling internal primitives. If unset, the Authorization header is omitted and primitive auth relies on network isolation + X-Tenant-Id only. Should be set in production.
- FINSTACK_ADMIN_TOKEN — bearer token for /admin/* routes
- GATEWAY_TOKEN — shared secret validated by api-rest::gateway::check; must match the CF Worker secret

Cloudflare Pages (finstack-dashboard)

Project: finstack-dashboard · account: Galactic (79ab1e991d169dab74424fd917c22195)
URL: https://finstack-dashboard-ar0.pages.dev
D1 binding: AUTH_DB → finstack-dashboard-auth (f75436a5-df12-4e22-9dc9-244b8aaf740c)
Env vars set: AUTH_SECRET (new), AUTH_URL, NEXT_PUBLIC_FINSTACK_API_URL (gateway), ENVIRONMENT
Secrets still needed (set via CF dashboard or PATCH API — values from old finstack account):
- AUTH_GITHUB_ID, AUTH_GITHUB_SECRET — GitHub OAuth app 3607747 (add new callback URL)
- GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET — Google OAuth (add new callback URL)
- AUTH_RESEND_KEY — Resend API key
- FINSTACK_ADMIN_TOKEN — same value as on Fly.io
- FINSTACK_KEY_SEED — 32-byte hex AES-GCM key (copy from old project or regenerate)
GitHub connection: install CF Pages GitHub app on Galactic account, then connect finhub-vc/finstack via CF dashboard
OAuth callback URLs to add:
- GitHub app: https://finstack-dashboard-ar0.pages.dev/api/auth/callback/github
- Google app: https://finstack-dashboard-ar0.pages.dev/api/auth/callback/google

Neon Postgres

Project: muddy-union-15349058
Host: ep-dark-firefly-aqh8vw8h.c-8.us-east-1.aws.neon.tech
Roles: finstack_app (app queries, RLS enforced), neondb_owner (admin/seeds, BYPASSRLS)
Migrations: 27 applied (up to 0027_payment_ledger_txn_id.sql)