Internal Setup

Solstera-only readiness checks for provider apps, database storage, and backend AI.

Founder Setup Map

Plain-English ownership for the hosted beta plumbing.

Render

Hosts the app and database. Solstera owns this once; customers never touch it.

Resend

Sends sign-in codes and beta invite emails from a verified Solstera sender.

Microsoft OAuth

Lets users connect Outlook by signing in with Microsoft. The product app is already configured here.

Google OAuth

Lets users connect Gmail by signing in with Google. The Solstera Google client still needs credentials.

OpenAI

Powers backend summaries, drafts, tasks, and briefings. Users never provide their own AI key.

Account Linking Readiness

These are product configuration tasks Solstera owns. Customers should not configure them.

DatabaseReady

Reachable in 13ms

Database SchemaReady

Required product tables and indexes exist

Token EncryptionReady

Token encryption key configured

Microsoft OAuthReady

Microsoft OAuth configured

Google OAuthReady

Google OAuth configured

Invite EmailReady

Invite email delivery configured

Backend AIReady

Backend AI key configured

Live Smoke AccountsNeeds setup

LIVE_SMOKE_SAFE_ACCOUNTS missing

Production GuardrailsReady

Production configuration ready

Ownership Boundary

End users only sign in with Microsoft or Google. They do not create provider apps.

Solstera configures Microsoft and Google OAuth apps once for the product.

Users connect accounts by signing in on the provider's secure page.

The backend stores encrypted tokens and handles sync, AI, usage, and audit logs.

Production Environment Checklist

22 of 23 hosted configuration checks are ready.

Health JSON

NODE_ENV

Hosted runtime should set NODE_ENV=production.

APP_BASE_URL

Final hosted HTTPS app origin used for OAuth redirects and links.

DATABASE_URL

Managed non-local Postgres connection string for sessions, account links, and communication data.

DATABASE_SSL

Keep true for managed Postgres unless the provider explicitly documents otherwise.

TOKEN_ENCRYPTION_KEY

Generated with npm run prod:generate-token-key and stored only in the deployment environment.

DEV_SESSION_DISABLED

Disables local development fallback sessions in hosted environments.

AUTH_EMAIL_DELIVERY_MODE

Production sign-in codes should use Resend delivery.

RESEND_API_KEY

Backend-only email provider key for sign-in and invite delivery.

AUTH_EMAIL_FROM

Verified sender address shown on sign-in and invitation email.

INVITE_EMAIL_DELIVERY_MODE

External beta invites should be delivered by email, not local console links.

MICROSOFT_CLIENT_ID

Solstera-owned Microsoft app registration client ID.

MICROSOFT_CLIENT_SECRET

Secret value for the Solstera-owned Microsoft app registration.

MICROSOFT_REDIRECT_URI

Must exactly match APP_BASE_URL plus /api/auth/outlook/callback.

GOOGLE_CLIENT_ID

Solstera-owned Google OAuth web client ID.

GOOGLE_CLIENT_SECRET

Secret value for the Solstera-owned Google OAuth web client.

GOOGLE_REDIRECT_URI

Must exactly match APP_BASE_URL plus /api/auth/gmail/callback.

OPENAI_API_KEY

Backend-only AI key. Users never provide or see provider AI credentials.

OPENAI_DEFAULT_MODEL

Default backend model for summaries, drafts, tasks, and briefings.

LIVE_SMOKE_SAFE_ACCOUNTS

Comma-separated harmless test mailbox allowlist used for live Outlook/Gmail send and calendar smoke tests.

RATE_LIMIT_*

All production throttles should be explicit positive values.

BACKGROUND_JOB_PROCESSORS_ENABLED

Keep effectful processors disabled; the readiness snapshot canary may be enabled after hosted worker testing.

HOSTED_WORKER_SCHEDULER_ENABLED

Optional hosted scheduler for safe readiness canaries. It must stay paired with disabled effectful processors.

BILLING_MODE

Pilot can stay off; Stripe mode should only be enabled with webhook credentials.

Invite Delivery Setup

5 of 5 invitation delivery checks are ready.

Beta Gate

Resend API Key

Backend credential used for sign-in codes and workspace invitation emails.

Ready for hosted beta.

Verified Sender

The sender address shown to beta testers when they receive codes and invites.

Ready for hosted beta.

Sign-In Email Mode

Hosted sign-in codes should leave development console mode before external beta.

Ready for hosted beta.

Invite Email Mode

Workspace invitations should deliver by email for outside beta testers.

Ready for hosted beta.

Hosted Acceptance Links

Invite links should point at the HTTPS hosted app, not localhost.

Ready for hosted beta.

Microsoft App Registration

Use this once in Solstera's Microsoft tenant. End users never do this.

App nameSolstera Labs - Communications Command & Control

Supported accountsAny Microsoft Entra ID organization

PlatformWeb

Redirect URIhttps://app.solsteralabs.com/api/auth/outlook/callback

Tenant endpointorganizations

Delegated scopes

openidprofileoffline_accessUser.ReadMail.ReadMail.ReadWriteMail.SendCalendars.ReadCalendars.ReadWrite

Environment status

MICROSOFT_CLIENT_ID

Application client ID from the Solstera-owned Microsoft app registration.

MICROSOFT_CLIENT_SECRET

Client secret value generated for the web app registration.

MICROSOFT_TENANT_ID

Use organizations for work/school Microsoft 365 accounts; use common only if personal Microsoft accounts are enabled in the app registration.

MICROSOFT_REDIRECT_URI

Must exactly match the Web redirect URI in Microsoft app registration.

Google OAuth Client

Use this once in Solstera's Google Cloud project. End users never do this.

App nameSolstera Labs - Communications Command & Control

Supported accountsGoogle Workspace and Gmail accounts approved for the Solstera OAuth app

PlatformWeb application

Redirect URIhttps://app.solsteralabs.com/api/auth/gmail/callback

ConsentGoogle OAuth hosted sign-in

Delegated scopes

openidemailprofilehttps://www.googleapis.com/auth/gmail.readonlyhttps://www.googleapis.com/auth/gmail.modifyhttps://www.googleapis.com/auth/gmail.composehttps://www.googleapis.com/auth/calendar.readonlyhttps://www.googleapis.com/auth/calendar.events

Environment status

GOOGLE_CLIENT_ID

OAuth client ID from the Solstera-owned Google Cloud OAuth client.

GOOGLE_CLIENT_SECRET

Client secret value generated for the Solstera-owned Google OAuth client.

GOOGLE_REDIRECT_URI

Must exactly match the authorized redirect URI on the Google OAuth client.