chore: merge dev into production (#34)

* feat: harden Cloud Run security with Secret Manager, VPC connector, and private backend

- Secret Manager: move all sensitive env vars (Azure credentials, Gemini key,
  DB credentials) out of GitHub Secrets and into GCP Secret Manager; Cloud Run
  reads them at runtime via --set-secrets, so secrets are never exposed in
  workflow logs or build args.

- VPC Connector: add Serverless VPC Access connector (terraform/network.tf) so
  Cloud Run services can reach Cloud SQL and each other over the private VPC
  network.

- Private backend: set backend Cloud Run ingress to 'internal', blocking all
  public internet access. Frontend nginx now proxies /api/* to the backend's
  internal URL (with BACKEND_URL injected as a runtime env var), so the browser
  never needs a direct connection to the backend.

- Terraform IaC: terraform/ directory manages the VPC connector, Secret Manager
  secrets, Cloud Run service account, and Cloud SQL (importable via import.sh).
  CI continues to own image builds and Cloud Run deployments.

- Data migration script: scripts/migrate_db.sh migrates PostgreSQL data between
  Cloud SQL instances via Cloud SQL Auth Proxy if the database ever needs to be
  rebuilt.

https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m

* fix: construct Cloud Run SA email inline to use PROJECT_ID, clarify VITE_API_BASE_URL

GitHub Actions does not interpolate ${{ env.X }} inside the top-level env:
block, so the full SA email could not reference PROJECT_ID there. Replaced
CLOUD_RUN_SA with CLOUD_RUN_SA_NAME and build the email inline in the flags
blocks where expression context is available.

Added a comment explaining VITE_API_BASE_URL=/api — it is the nginx location
prefix, not a full URL, because the browser calls the frontend's own origin
and nginx proxies /api/* to the internal backend.

https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m

* docs: add infrastructure documentation with architecture diagrams to README

- Add production architecture Mermaid diagram showing Cloud Run services,
  VPC connector, Secret Manager, Cloud SQL, and external dependencies
- Add network security model table (frontend public / backend internal)
- Add secret management table listing all Secret Manager secrets
- Add IaC ownership table (Terraform vs CI pipeline)
- Add CI/CD pipeline Mermaid flowchart showing Workload Identity auth,
  image build/push, and deploy steps with secret injection
- Add Terraform to technology stack table

Also remove overly broad github_actions_secret_accessor IAM binding from
terraform/iam.tf — the GitHub Actions SA never reads secret values directly;
Cloud Run reads them at startup using the Cloud Run SA identity.

https://claude.ai/code/session_01SRRzCWrpwgMpdYFurMVn7m

* fix: align Terraform DB config and reorganize docs (#33)

* fix: align database.tf backup config with actual Cloud SQL instance state

Backup was disabled on the real instance; syncing so terraform plan is clean
with no spurious diff on next apply.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* docs: reorganize README into focused docs/ files

README trimmed to a lean landing page. Detailed content moved to:
- docs/ARCHITECTURE.md (BFF pattern, ReAct agent, security model)
- docs/INFRASTRUCTURE.md (Cloud topology, Terraform, Secret Manager, CI/CD)
- docs/AZURE_SETUP.md (Entra ID registration, Cosmos DB, frontend config)
- docs/DEVELOPMENT.md (local setup, testing, code style)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: ChingEnLin

.github/workflows/google-cloudrun-docker.yml

@@ -1,6 +1,8 @@
-# This workflow builds and pushes Docker containers to Google Artifact Registry
-# and deploys both backend and frontend on Cloud Run when a commit is pushed to the "production"
-# branch.
+# Build and deploy QueryPal to Cloud Run.
+# Runs on pushes to the production branch.
+#
+# Infrastructure changes (VPC connector, Secret Manager, IAM) are managed by
+# Terraform in the terraform/ directory and must be applied before first deploy.
 
 name: 'Build and Deploy QueryPal to Cloud Run'
 
@@ -16,6 +18,11 @@ env:
   BACKEND_SERVICE: 'querypal-backend'
   FRONTEND_SERVICE: 'querypal-frontend'
   WORKLOAD_IDENTITY_PROVIDER: 'projects/874216619692/locations/global/workloadIdentityPools/github/providers/querypal'
+  # Short name of the Cloud Run SA and VPC connector created by Terraform.
+  # The full SA email is constructed inline in flags using ${{ env.PROJECT_ID }}
+  # because GitHub Actions does not interpolate env vars inside the env: block.
+  CLOUD_RUN_SA_NAME: 'querypal-cloudrun-sa'
+  VPC_CONNECTOR: 'querypal-vpc-connector'
 
 jobs:
   deploy:
@@ -29,80 +36,96 @@ jobs:
       - name: 'Checkout'
         uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4
 
-      # Configure Workload Identity Federation and generate an access token.
       - id: 'auth'
         name: 'Authenticate to Google Cloud'
         uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
         with:
           workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
-          service_account: 'github-actions@gen-lang-client-0698668474.iam.gserviceaccount.com'
+          service_account: 'github-actions@${{ env.PROJECT_ID }}.iam.gserviceaccount.com'
 
-      # Set up Cloud SDK
       - name: 'Set up Cloud SDK'
         uses: 'google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200' # google-github-actions/setup-gcloud@v2
 
-      # Configure Docker to use gcloud as a credential helper
       - name: 'Configure Docker for GCR'
-        run: |-
-          gcloud auth configure-docker --quiet
+        run: gcloud auth configure-docker --quiet
+
+      # ── Backend ──────────────────────────────────────────────────────────────
 
-      # Build and Push Backend Container
       - name: 'Build and Push Backend Container'
         run: |-
           cd backend
           DOCKER_TAG="gcr.io/${{ env.PROJECT_ID }}/${{ env.BACKEND_SERVICE }}:${{ github.sha }}"
           docker build --tag "${DOCKER_TAG}" --platform linux/amd64 .
           docker push "${DOCKER_TAG}"
 
-      # Deploy Backend to Cloud Run
       - id: 'deploy-backend'
         name: 'Deploy Backend to Cloud Run'
         uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
         with:
           service: '${{ env.BACKEND_SERVICE }}'
           region: '${{ env.REGION }}'
           image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.BACKEND_SERVICE }}:${{ github.sha }}'
+          # Non-secret runtime configuration only.
           env_vars: |
             ENVIRONMENT=production
-            AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-            AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-            AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
             ARM_SCOPE=https://management.azure.com/.default
-            GEMINI_API_KEY=${{ secrets.GEMINI_API_KEY }}
-            DB_USER=${{ secrets.DB_USER }}
-            DB_PASS=${{ secrets.DB_PASS }}
             DB_NAME=querypal
-            DB_UNIX_SOCKET=/cloudsql/gen-lang-client-0698668474:europe-west1:querypal-db
+            DB_UNIX_SOCKET=/cloudsql/${{ env.PROJECT_ID }}:${{ env.REGION }}:querypal-db
+          # Sensitive values are read directly from Secret Manager at runtime.
+          # Secret must exist before first deploy (created by terraform/secrets.tf).
+          secrets: |
+            AZURE_TENANT_ID=querypal-azure-tenant-id:latest
+            AZURE_CLIENT_ID=querypal-azure-client-id:latest
+            AZURE_CLIENT_SECRET=querypal-azure-client-secret:latest
+            GEMINI_API_KEY=querypal-gemini-api-key:latest
+            DB_USER=querypal-db-user:latest
+            DB_PASS=querypal-db-pass:latest
           flags: |
             --port=8000
-            --add-cloudsql-instances=gen-lang-client-0698668474:europe-west1:querypal-db
+            --service-account=${{ env.CLOUD_RUN_SA_NAME }}@${{ env.PROJECT_ID }}.iam.gserviceaccount.com
+            --add-cloudsql-instances=${{ env.PROJECT_ID }}:${{ env.REGION }}:querypal-db
+            --vpc-connector=${{ env.VPC_CONNECTOR }}
+            --vpc-egress=private-ranges-only
+            --ingress=internal
             --allow-unauthenticated
 
-      # Build and Push Frontend Container
+      # ── Frontend ─────────────────────────────────────────────────────────────
+
       - name: 'Build and Push Frontend Container'
         run: |-
           cd frontend
           DOCKER_TAG="gcr.io/${{ env.PROJECT_ID }}/${{ env.FRONTEND_SERVICE }}:${{ github.sha }}"
+          # VITE_API_BASE_URL=/api tells the React app to send all API calls to
+          # the /api/* path on its own origin instead of a full backend URL.
+          # Nginx then proxies those requests to the internal backend service.
           docker build --tag "${DOCKER_TAG}" --platform linux/amd64 \
-            --build-arg VITE_API_BASE_URL=${{ steps.deploy-backend.outputs.url }} \
+            --build-arg VITE_API_BASE_URL=/api \
             --build-arg VITE_AZURE_REDIRECT_URI=https://querypal.virtonomy.io \
             .
           docker push "${DOCKER_TAG}"
 
-      # Deploy Frontend to Cloud Run
       - id: 'deploy-frontend'
         name: 'Deploy Frontend to Cloud Run'
         uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
         with:
           service: '${{ env.FRONTEND_SERVICE }}'
           region: '${{ env.REGION }}'
           image: 'gcr.io/${{ env.PROJECT_ID }}/${{ env.FRONTEND_SERVICE }}:${{ github.sha }}'
+          # BACKEND_URL is the internal Cloud Run URL; nginx uses it at runtime to
+          # proxy /api/* requests to the backend (which is not publicly reachable).
+          env_vars: |
+            BACKEND_URL=${{ steps.deploy-backend.outputs.url }}
           flags: |
             --port=4000
+            --service-account=${{ env.CLOUD_RUN_SA_NAME }}@${{ env.PROJECT_ID }}.iam.gserviceaccount.com
+            --vpc-connector=${{ env.VPC_CONNECTOR }}
+            --vpc-egress=all-traffic
+            --ingress=all
             --allow-unauthenticated
 
-      # Show output URLs
+      # ── Summary ───────────────────────────────────────────────────────────────
+
       - name: 'Show deployment URLs'
         run: |-
-          echo "Backend URL: ${{ steps.deploy-backend.outputs.url }}"
           echo "Frontend URL: ${{ steps.deploy-frontend.outputs.url }}"
+          echo "Backend URL:  ${{ steps.deploy-backend.outputs.url }} (internal only)"