This is the actual move order for taking Lucia from localhost into a private hosted staging environment without creating fake progress or an avoidable mess.
Purpose
Use this page as the working runbook for:
- exact transition order
- environment cutover notes
- credentials and secret references
- validation status
- rollback notes
- live issues / fixes discovered during staging
Current phase tracker
Use this block first. If the folder ever feels confusing, come back here and mark exactly where the transition stands.
- Current phase:
- Current owner / driver:
- Started on:
- Last updated on:
- Blocking issue:
- Next concrete move:
Quick phase checklist
Phase guide at a glance
Runbook rules
- Do not move everything at once.
- Engine first, then Admin.
- Keep private staging protected before broad access.
- Do not claim Lucia is “production-ready” because it has a URL.
- Validate runtime behavior after every meaningful move.
Phase 0 — Preflight
Goal: make sure we are not walking into staging with sloppy config or repo confusion.
Repo ownership
| Layer | Repo | Notes |
|---|---|---|
| Lucia Engine | | main backend/runtime behavior owner |
| Lucia Admin/UI | | operator-facing shell |
Preflight checklist
Known runtime items to fix during staging move
Phase 1 — Service accounts and access
Goal: get the house keys organized before touching deployment.
Service access tracker
| Service | Account Email | Dashboard URL | Owner | MFA Confirmed | 1Password Item | Status |
|---|---|---|---|---|---|---|
| Cloudflare | | | | [ ] | | |
| Render | | | | [ ] | | |
| Supabase | | | | [ ] | | |
| Clerk | | | | [ ] | | |
| Upstash Redis | | | | [ ] | | |
| Sentry | | | | [ ] | | |
Secrets posture
Phase 2 — Cloudflare private staging front door
Goal: create a private, access-protected staging perimeter before Lucia is broadly reachable.
Tasks
Staging hostnames
| Use | Hostname | Live Yet | Notes |
|---|---|---|---|
| Lucia Admin staging | | [ ] | |
| Lucia Engine/API staging | | [ ] | |
| Optional status / health | | [ ] | |
Cloudflare credential references
| Item | Value |
|---|---|
| Account email | |
| Account ID | |
| Zone ID | |
| Dashboard URL | |
| Access app name | |
| Allowed user emails | |
| API token reference | |
Phase 3 — Render: host Lucia Engine first
Engine first. Always. Admin without a stable engine behind it is just a shiny shell with nowhere to go.
Engine deploy checklist
Engine service record
| Item | Value |
|---|---|
| Render service name | |
| Repo | |
| Branch | |
| Region | |
| Runtime | |
| Start command | |
| Health check path | |
| Render URL | |
| Custom domain | |
Engine env vars
| Variable | Value / Reference | Confirmed |
|---|---|---|
| NODE_ENV | | [ ] |
| PORT | | [ ] |
| LUCIA_OPENAI_API_KEY | | [ ] |
| OPENAI_API_KEY | | [ ] |
| LUCIA_INTELLIGENCE_MODEL | | [ ] |
| LUCIA_MODEL_FOCUS_OPS_REPLY | | [ ] |
| SUPABASE_URL | | [ ] |
| SUPABASE_SERVICE_ROLE_KEY | | [ ] |
| CLERK_SECRET_KEY | | [ ] |
| OPERATOR_TIME_ZONE | America/Los_Angeles | [ ] |
Engine smoke checks
Phase 4 — Render: host Lucia Admin/UI second
Only do this after the Engine URL is stable enough to target cleanly.
Admin deploy checklist
Admin service record
| Item | Value |
|---|---|
| Render service/site name | |
| Repo | |
| Branch | |
| Region | |
| Build command | |
| Start / publish command | |
| Render URL | |
| Custom domain | |
| API base URL target | |
Admin env vars
| Variable | Value / Reference | Confirmed |
|---|---|---|
| VITE_API_BASE_URL or equivalent | | [ ] |
| VITE_CLERK_PUBLISHABLE_KEY | | [ ] |
| VITE_CLERK_SIGN_IN_URL | | [ ] |
| VITE_CLERK_SIGN_UP_URL | | [ ] |
| VITE_CLERK_AFTER_SIGN_IN_URL | | [ ] |
| VITE_CLERK_AFTER_SIGN_UP_URL | | [ ] |
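
A preflight check for the Engine and Admin env var tables above, as an added example that is not part of the original runbook or the Lucia code base. Which variables are required, the either-key OpenAI rule, and the key-shape heuristics are assumptions; the point it enforces is that Vite inlines every `VITE_` value into the browser bundle, so no server-side secret may sit in the Admin table.

```javascript
// Added example, not Lucia's own code. Names come from the runbook tables;
// which ones are required and the key-shape heuristics are assumptions.
const ENGINE_REQUIRED = ["NODE_ENV", "PORT", "SUPABASE_URL",
  "SUPABASE_SERVICE_ROLE_KEY", "CLERK_SECRET_KEY", "OPERATOR_TIME_ZONE"];

// Decode a JWT payload without verifying it; null if the value is not a JWT.
function jwtPayload(value) {
  const parts = String(value).split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Return a label if the value has the shape of a server-side secret.
function secretKind(value) {
  const v = String(value);
  if (/^sk_(test|live)_/.test(v)) return "Clerk secret key";
  if (/^sk-/.test(v)) return "OpenAI API key";
  const payload = jwtPayload(v);
  if (payload && payload.role === "service_role") return "Supabase service role key";
  return null;
}

function checkEngineEnv(env) {
  const blank = (k) => !env[k] || !String(env[k]).trim();
  const problems = ENGINE_REQUIRED.filter(blank).map((k) => `missing ${k}`);
  // Assumption: the Engine accepts either OpenAI variable.
  if (blank("LUCIA_OPENAI_API_KEY") && blank("OPENAI_API_KEY")) problems.push("missing OpenAI key");
  return problems;
}

function checkAdminEnv(env) {
  const problems = [];
  for (const [name, value] of Object.entries(env)) {
    const kind = name.startsWith("VITE_") ? secretKind(value) : null;
    if (kind) problems.push(`${name} holds a ${kind}; VITE_ values reach the browser`);
  }
  return problems;
}

// Constructed sample: a secret key pasted into the publishable-key slot.
const sampleAdmin = { VITE_API_BASE_URL: "https://engine.staging.example",
  VITE_CLERK_PUBLISHABLE_KEY: "sk_test_CONSTRUCTED" };
console.log(checkAdminEnv(sampleAdmin));
```

Run it against the exported Render environment for each service before marking the "Confirmed" column; an empty array from both checks means nothing was flagged.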
Admin smoke checks
Phase 5 — Supabase and Clerk staging alignment
Supabase
Clerk
Secret references
| Service | Secret / Key | Value / 1Password Reference |
|---|---|---|
| Supabase | project URL | |
| Supabase | anon/public key | |
| Supabase | service role key | |
| Clerk | publishable key | |
| Clerk | secret key | |
| Clerk | app / instance name | |
Phase 6 — Add Redis-backed continuity
Lucia is not truly staging-hardened if continuity depends only on process memory.
Redis move checklist
Redis connection record
| Item | Value |
|---|---|
| Database name | |
| Region | |
| Endpoint | |
| REST URL | |
| Token reference | |
| Key prefix | lucia: |
Candidate env vars
| Variable | Value / Reference | Confirmed |
|---|---|---|
| UPSTASH_REDIS_REST_URL | | [ ] |
| UPSTASH_REDIS_REST_TOKEN | | [ ] |
| LUCIA_SESSION_TTL_SECONDS | | [ ] |
Phase 7 — Observability
Sentry
Better Stack or equivalent
Observability references
| Service | Item | Value / Reference |
|---|---|---|
| Sentry | DSN | |
| Sentry | project name | |
| Sentry | environment names | |
| Better Stack | monitor URLs | |
| Better Stack | alert recipients | |
Phase 8 — Validation against hosted staging
Hosted staging is not “good” because it deployed. It is good when Lucia still behaves like Lucia.
Validation checklist
Must-pass notes
| Check | Result | Notes |
|---|---|---|
| route contract | | |
| greeting / human utility | | |
| distress continuity | | |
| priority triage | | |
| payment risk | | |
| concierge readiness | | |
| maintenance focus | | |
| off-topic boundary | | |
Hosted staging test prompts
Good morning
How are you?
I'm overwhelmed
What matters most right now?
Show payment risks I need to handle now.
Show open concierge requests needing confirmation.
Any urgent maintenance issues today?
Phase 9 — Rollback and recovery
No migration is serious if rollback is just prayer.
Rollback checklist
Rollback references
| Item | Value |
|---|---|
| Last known good Engine commit | |
| Last known good Admin commit | |
| Previous API base target | |
| Previous DNS target | |
| Rollback owner | |
Open issues log
| Date | Area | Issue | Severity | Owner | Status | Notes |
|---|---|---|---|---|---|---|
| | | | | | | |
Change log
| Date | Change | Who | Notes |
|---|---|---|---|
| | Initial runbook created | ChatGPT | staging-first migration plan |
Related pages