- apps/backend: Rust API runtime, native on port 7820, Docker sidecar, and Cloudflare Worker tuturuuu-backend.
- apps/tanstack-web: TanStack Start frontend, local dev on port 7824, Docker sidecar, Cloudflare Worker tuturuuu-tanstack-web, and opt-in Vercel build validation.
apps/web runtime available until the cutover gates pass. This
page explains how to start, validate, and deploy the new stack; route ownership
and cutover evidence stay in the
TanStack/Rust migration contract
and cutover runbook.
Required Environment
Use real values only in ignored env files, shell variables, GitHub Environment secrets, Cloudflare Worker secrets, Vercel Project Environment Variables, or VPS secret stores. Do not commit values.

| Variable | Used by | Notes |
|---|---|---|
| BACKEND_INTERNAL_TOKEN | backend and frontend server runtime | Shared bearer token for internal migration/status calls. |
| BACKEND_INTERNAL_URL | apps/tanstack-web outside Cloudflare service bindings | Server-only backend origin, such as http://localhost:7820 or an HTTPS backend Worker/VPS origin. |
| BACKEND_PUBLIC_ORIGIN | apps/tanstack-web browser-safe backend origin fallback | Public backend origin when the frontend needs a browser-safe base URL. |
| SUPABASE_URL | backend Worker | Server-side Supabase REST origin. |
| SUPABASE_SERVICE_ROLE_KEY | backend Worker | Server-side Supabase service key. |
| TUTURUUU_APP_COORDINATION_SECRET | backend Worker | App coordination token verification. |
| CRON_SECRET | backend Worker | Cron proxy parity. |
| DISCORD_APP_DEPLOYMENT_URL | backend Worker | Discord app deployment proxy. |
| AURORA_EXTERNAL_URL | backend Worker | Aurora health and ingest upstream. |
| AURORA_EXTERNAL_WSID | backend Worker | Aurora ingest workspace id. |
| TANSTACK_WEB_RUNTIME | frontend build/runtime selection | Use node for Docker/node output, vercel for Vercel build validation, and unset for Cloudflare Workers. |
Local Native Run
Native local development is two processes: Rust backend first, then TanStack Start.

apps/backend/.env.example is a template; the native Rust binary reads
environment variables from the process environment.
- From the repo root, export local-only backend values:
- Start the Rust backend:
- In another shell, point TanStack Start at the backend and start the frontend:
- Verify the backend:
- Open the frontend on port 7824. The root migration shell should report the backend as reachable when the URL and token match.

- readyz is not ready: BACKEND_INTERNAL_TOKEN is missing from the backend process.
- TanStack shows backend unreachable: the frontend shell does not have BACKEND_INTERNAL_URL or BACKEND_INTERNAL_TOKEN, or the backend is running on a different port.
- Rust starts but route calls fail: the route may require additional Supabase, Aurora, Discord, cron, or app coordination env values.
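
A preflight check for the frontend shell that catches the missing-token and missing-URL cases above before anything starts; it is an added example, not part of the project's tooling. It applies to runs outside Cloudflare service bindings, where BACKEND_INTERNAL_URL is used. The 32-character token minimum and the loopback-or-HTTPS rule are assumptions of this example, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight for the env values the frontend shell needs.
# Variable names come from the Required Environment table. The 32-character
# token minimum and the loopback-or-HTTPS rule are assumptions of this example.

# Succeeds only when the URL is plain HTTP to a loopback host.
is_loopback_url() {
  case "$1" in
    *@*) return 1 ;;   # userinfo form, e.g. http://localhost:7820@other-host
    http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1:*|http://127.0.0.1/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints one line per problem and returns the number of problems found.
check_stack_env() {
  problems=0
  if [ -z "${BACKEND_INTERNAL_TOKEN:-}" ]; then
    echo "BACKEND_INTERNAL_TOKEN is not set"
    problems=$((problems + 1))
  elif [ "${#BACKEND_INTERNAL_TOKEN}" -lt 32 ]; then
    echo "BACKEND_INTERNAL_TOKEN is shorter than 32 characters"
    problems=$((problems + 1))
  fi
  case "${BACKEND_INTERNAL_URL:-}" in
    "")
      echo "BACKEND_INTERNAL_URL is not set"
      problems=$((problems + 1)) ;;
    https://*) ;;
    *)
      # The bearer token travels with every internal call, so plain HTTP
      # is accepted only when the backend is on the same machine.
      if ! is_loopback_url "$BACKEND_INTERNAL_URL"; then
        echo "BACKEND_INTERNAL_URL must be HTTPS unless it is loopback"
        problems=$((problems + 1))
      fi ;;
  esac
  case "${TANSTACK_WEB_RUNTIME:-}" in
    ""|node|vercel) ;;
    *)
      echo "TANSTACK_WEB_RUNTIME must be node, vercel, or unset"
      problems=$((problems + 1)) ;;
  esac
  return "$problems"
}
```

Source the file in the frontend shell and call `check_stack_env`; the exit status is the number of problems, so zero means the values are consistent with the table.
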
Docker Dual-Stack Rehearsal
Use the minimal dual-stack compose file when you want production artifacts for only the migration stack:

| Service | Container | Host URL |
|---|---|---|
| Rust backend | backend-dual | http://127.0.0.1:7820 |
| TanStack frontend | tanstack-web-dual | http://127.0.0.1:7824 |
web-proxy, blue/green cutover, watcher recovery, Redis, cron, or
Cloudflare Tunnel. That path is covered in
Web Docker Deployment.
Cloudflare Workers Deployment
Cloudflare Workers is the edge preview path for both runtimes. The frontend Worker uses the BACKEND service binding to call the backend Worker first, with
HTTP env fallback only for local and emergency non-binding runs. This follows
the current TanStack Start Cloudflare guidance for
@cloudflare/vite-plugin plus wrangler.
- Authenticate and validate config:
- Install Rust Worker prerequisites if the machine has not built Workers before:
- Bootstrap backend Worker secrets in Cloudflare:
- Deploy the backend Worker first:
- Bootstrap TanStack Worker secrets:
- Generate Worker types and deploy the TanStack Worker:
- Smoke both Worker origins:
Vercel Frontend Build Validation
Vercel is used to validate that apps/tanstack-web can produce Vercel-compatible
TanStack Start output. This repository does not deploy or publish the TanStack
frontend to Vercel. The Rust backend must still be reachable over HTTPS during
the build, usually through the Cloudflare backend Worker or a self-hosted
backend origin. Vercel mode uses the app-local
TANSTACK_WEB_RUNTIME=vercel branch and Nitro, matching the current Vercel
TanStack Start guidance.
Configure the Vercel project:
| Setting | Value |
|---|---|
| Project root | apps/tanstack-web |
| Build command | bun run build:vercel |
| Framework preset | Other, unless Vercel auto-detects the TanStack/Nitro output correctly |
| Git integration | Disabled by apps/tanstack-web/vercel.json; GitHub Actions runs vercel build only |

| Variable | Value source |
|---|---|
| TANSTACK_WEB_RUNTIME | vercel |
| BACKEND_PUBLIC_ORIGIN | HTTPS backend origin |
| BACKEND_INTERNAL_URL | Same HTTPS backend origin unless a separate private origin exists |
| BACKEND_INTERNAL_TOKEN | Same token configured on the backend |
| NEXT_PUBLIC_SUPABASE_URL | Supabase project URL, if the rendered routes need Supabase client config |
| NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY | Supabase publishable key, if routes need browser Supabase config |

vercel pull --environment=production
and vercel build --prod. It intentionally does not run vercel deploy.
GitHub Actions owns the normal path:
- .github/workflows/vercel-preview-tanstack-web.yaml
- .github/workflows/vercel-production-tanstack-web.yaml

VERCEL_TANSTACK_WEB_PROJECT_ID, VERCEL_ORG_ID, and
VERCEL_TOKEN inside the build jobs only. Preview builds require
workflow_dispatch from protected main plus a trusted actor. Production builds
run from the production branch. They record build markers after vercel build
passes and do not create Vercel deployments.
External references: Vercel TanStack Start,
vercel pull,
vercel build.
VPS Or Self-Hosting With Cloudflare Tunnel
Self-hosting uses the existing production Docker stack. Use this when the full platform proxy, blue/green deployment history, watcher recovery, and Cloudflare Tunnel container should own traffic.

- Prepare the server:
- Put production env values in root .env.local or an explicit deployment env file. Set the frontend selector and backend token:
- If using Cloudflare Tunnel, create a remotely managed tunnel in Cloudflare Zero Trust, add a public hostname for the desired domain, and route it to:
  Store the tunnel token as CF_TUNNEL_TOKEN, CLOUDFLARED_TOKEN, or DOCKER_CLOUDFLARED_TOKEN in the server env file. The Docker helper maps CF_TUNNEL_TOKEN to the Compose CLOUDFLARED_TOKEN.
- Start the TanStack production stack without a tunnel:
  Start it with the bundled Cloudflare Tunnel sidecar:
  A non-empty CF_TUNNEL_TOKEN in root .env.local also auto-enables the tunnel sidecar unless the Docker helper is explicitly opted out.
- Verify through the local proxy:
- Verify through the public hostname after Tunnel reports healthy:
- Stop the stack:

- Blue/green: use the existing cached rollback path documented in Web Docker Deployment.
- Git: check out the previous known-good commit and rerun DOCKER_WEB_FRONTEND=tanstack bun serve:web:docker:bg.
- Tunnel: remove or change the Cloudflare public hostname route while the local stack is repaired.