Add dev auto-deploy for Rust desktop backend

[beastoin]

Summary

• Add .github/workflows/desktop_backend_auto_dev.yml — auto-builds and deploys Rust desktop backend to dev Cloud Run on pushes to main under desktop/Backend-Rust/**
• Uses Cloud Run (not GKE) to match prod deployment target and avoid ESO secret sync gaps
• Secrets injected natively via GCP Secret Manager: GEMINI_API_KEY, ENCRYPTION_SECRET, REDIS_DB_PASSWORD, FIREBASE_API_KEY, PINECONE_API_KEY

Mirrors the Python backend dev auto-deploy pattern (gcp_backend_auto_dev.yml).

Note: FIREBASE_PROJECT_ID=based-hardware (prod) is intentional.

Closes #5309

Test plan

• Verify workflow triggers on desktop/Backend-Rust/** changes to main
• Verify Docker build succeeds with context: ./desktop/Backend-Rust
• Verify Cloud Run service desktop-backend is created/updated in dev project
• Verify /health endpoint responds after deploy
• Verify secrets exist in dev project's GCP Secret Manager: GEMINI_API_KEY, ENCRYPTION_SECRET, REDIS_DB_PASSWORD, FIREBASE_API_KEY, PINECONE_API_KEY

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR successfully adds auto-deployment for the Rust desktop backend to the dev environment, mirroring the established Python backend deployment pattern. The workflow triggers on changes to desktop/Backend-Rust/**, builds and pushes a Docker image to GCR, then deploys to GKE using Helm with the updated dev configuration.

Key changes:

• New GitHub Actions workflow that follows the same structure as gcp_backend_auto_dev.yml
• Added critical missing environment variables (ENCRYPTION_SECRET, Redis connection, Firebase API key, Pinecone credentials) required by the Rust backend code
• Added Kubernetes health probes (/health endpoint) for proper liveness, readiness, and startup checks
• Relaxed node affinity from required to preferred for more flexible scheduling in dev environment
• Documented intentional use of prod Firebase project (based-hardware) in dev with inline comment

All environment variables are verified to exist in the codebase and are properly sourced from the dev-omi-backend-secrets Kubernetes secret.

Confidence Score: 5/5

• This PR is safe to merge with no issues found
• The implementation correctly follows established patterns from the Python backend deployment, all environment variables are verified to exist in the codebase, the health endpoint is properly implemented, and the Docker build context is correctly configured
• No files require special attention

Important Files Changed

Filename	Overview
.github/workflows/desktop_backend_auto_dev.yml	Added auto-deploy workflow for Rust desktop backend to dev GKE — mirrors Python backend pattern with proper Docker build and Helm deployment
desktop/Backend-Rust/charts/desktop-backend/dev_values.yaml	Added missing env vars (ENCRYPTION_SECRET, Redis, Firebase, Pinecone), health probes, and relaxed node affinity to preferred

_{Last reviewed commit: 3a9fb26}

[beastoin]

Codex analysis: Swift desktop app → Rust backend dependency map

Ran a comprehensive audit of every endpoint the Swift APIClient calls on the Rust backend, and compared against Python backend equivalents. Key findings:

Auth: no separate auth needed

The Rust backend's OAuth flow (/v1/auth/authorize, /v1/auth/callback/apple, /v1/auth/callback/google, /v1/auth/token) has near-exact Python equivalents. One difference: Rust uses in-memory session/code storage vs Python's Redis-backed storage. The .well-known/apple-developer-domain-association.txt endpoint is Rust-only (missing from Python).

For dev environment purposes: the Swift app works with this Rust backend as-is — auth is self-contained in the Rust backend.

Endpoints only in Rust (no Python equivalent)

These are Rust-only features the Swift app depends on that have no Python backend path:

• Chat sessions — full CRUD (/v2/chat-sessions/*)
• Staged tasks pipeline — list, batch scores, promote, migrate (/v1/staged-tasks/*)
• Focus sessions — tracking + stats (/v1/focus-sessions/*, /v1/focus-stats)
• Daily/weekly scores — derived from action items (/v1/daily-score, /v1/scores)
• Screen activity sync — screenshot metadata + Pinecone embeddings (/v1/screen-activity/sync)
• Advice feed — CRUD + mark-all-read (/v1/advice/*)
• Crisp unread — operator messages (/v1/crisp/unread)
• Sentry webhooks — feedback ingestion (/v1/webhooks/sentry/*)
• PostHog chat stats — message counts via HogQL (/v1/users/stats/chat-messages)
• Release management — create + promote releases (POST /updates/releases, PATCH /updates/releases/promote) — Codemagic CI depends on this

Partial equivalents (Python exists but gaps)

• Conversations: count, from-segments paths differ
• Action items: batch-scores, soft-delete missing
• User settings: notification-settings, AI profile, assistant-settings missing/renamed
• Personas: generate-prompt missing, check-username different path
• Agent VM: different endpoint names (vm-status/vm-ensure vs provision/status)
• LLM usage: POST + /total missing from Python
• Messages: rating endpoint missing

Note on prod Firebase in dev values.yaml

The prod Firebase project reference (based-hardware) in dev_values.yaml is intentional per manager confirmation — the desktop backend needs prod Firestore access even in dev. Flagging for visibility but keeping as-is.

Bottom line

For this PR (dev environment setup): no blockers. The Rust backend is self-contained and the Swift app connects to it directly with its own auth flow. The dev environment will work correctly.

For future migration to Python-only: significant gaps exist — roughly a third of desktop-specific endpoints have no Python equivalent at all.

[beastoin]

Added missing env vars to the Cloud Run deploy step:

• GOOGLE_APPLICATION_CREDENTIALS=/app/google-credentials.json (env_var) — needed for Firestore access via baked-in credentials file
• REDIS_DB_HOST (secret) — Redis connection host
• REDIS_DB_PORT (secret) — Redis connection port
• PINECONE_HOST (secret) — Pinecone vector DB host URL

These were already in dev_values.yaml (Helm/GKE) but missing from the Cloud Run workflow, which would cause runtime failures for Firestore, Redis, and Pinecone.

Next step: @mon — need these secrets created in dev GCP Secret Manager (based-hardware-dev):

• REDIS_DB_HOST, REDIS_DB_PORT, PINECONE_HOST (new)
• GEMINI_API_KEY, ENCRYPTION_SECRET, REDIS_DB_PASSWORD, FIREBASE_API_KEY, PINECONE_API_KEY (may already exist)

Also need GCP_PROJECT_ID var + GCP_CREDENTIALS/GCP_SERVICE_ACCOUNT secrets in the GitHub development environment.

by AI for @beastoin

[beastoin]

All 8 secrets confirmed in dev GCP Secret Manager (based-hardware-dev):

Secret	Status
GEMINI_API_KEY	existed
ENCRYPTION_SECRET	existed
REDIS_DB_PASSWORD	existed
FIREBASE_API_KEY	existed
PINECONE_API_KEY	existed
REDIS_DB_HOST	existed
REDIS_DB_PORT	created
PINECONE_HOST	created

GH development environment exists (id:4238881757) and is used by the Python auto-deploy workflow.

PR is ready for merge. First push to main under desktop/Backend-Rust/** will trigger the workflow and create the Cloud Run service.

by AI for @beastoin

[beastoin]

lgtm

[beastoin]

Dev Cloud Run deployment verified

Service URL: https://desktop-backend-dt5lrfkkoa-uc.a.run.app

Health check (200 OK):

{"status":"healthy","service":"omi-desktop-backend","version":"0.1.0"}

Auth endpoint (401 — correct, requires token):

{"error":"missing_token","message":"Authorization header required"}

Mac Mini app linked: .env updated to point to Cloud Run:

OMI_API_URL=https://desktop-backend-dt5lrfkkoa-uc.a.run.app

App logs confirm: Loaded environment from: /Applications/Omi Dev.app/Contents/Resources/.env, AuthState.isSignedIn=true, Fetching user conversations...

Note: Had to add allUsers IAM binding (Cloud Run defaulted to authenticated-only). Filed PR #5348 to add --allow-unauthenticated to the workflow for future deploys.

by AI for @beastoin