From fa8cc7359d4038630327bf8131426c92c3681112 Mon Sep 17 00:00:00 2001 From: Evan Petzoldt Date: Wed, 11 Mar 2026 07:23:31 -0500 Subject: [PATCH 1/3] enabled sql auth proxy socket option for db connection --- .env.example | 5 +++++ apphosting.yaml | 19 +++++++++++++++++++ src/lib/db.ts | 36 +++++++++++++++++++++++++++++++++++- 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/.env.example b/.env.example index 0da2ffe..4690771 100644 --- a/.env.example +++ b/.env.example @@ -1,5 +1,10 @@ DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/postgres +# Cloud SQL Auth Proxy (Unix socket) — set these instead of DATABASE_URL on Cloud Run. +# INSTANCE_UNIX_SOCKET=/cloudsql/PROJECT:REGION:INSTANCE +# DATABASE_PASSWORD=**** +# DB_USE_UNIX_SOCKET=true # set to "false" to force DATABASE_URL even when INSTANCE_UNIX_SOCKET is set + # `openssl rand -hex 32` NEXTAUTH_SECRET=**** diff --git a/apphosting.yaml b/apphosting.yaml index 5260942..a23df7c 100644 --- a/apphosting.yaml +++ b/apphosting.yaml @@ -59,3 +59,22 @@ env: availability: - BUILD - RUNTIME + + # Cloud SQL Auth Proxy (Unix socket) connection. + # Set INSTANCE_UNIX_SOCKET to enable; set DB_USE_UNIX_SOCKET=false to force DATABASE_URL fallback. + - variable: INSTANCE_UNIX_SOCKET + value: /cloudsql/f3data:us-central1:f3data + availability: + - RUNTIME + - variable: DB_USER + value: app_codex + availability: + - RUNTIME + - variable: DB_PASSWORD + secret: codex-db-password + availability: + - RUNTIME + - variable: DB_NAME + value: f3_prod + availability: + - RUNTIME diff --git a/src/lib/db.ts b/src/lib/db.ts index 0000f63..a9918e4 100644 --- a/src/lib/db.ts +++ b/src/lib/db.ts 
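Review bot: In the apphosting.yaml hunk of PATCH 1/3, `INSTANCE_UNIX_SOCKET`, `DB_USER` and `DB_NAME` are set unconditionally in what looks like the base config, and db.ts prefers the socket whenever `INSTANCE_UNIX_SOCKET` is present. If this file backs more than one backend (staging, preview), each of them would connect to `f3_prod` unless an environment-specific override file replaces these values; that is worth confirming before merge. I would add a comment above the block such as `# Production values: override INSTANCE_UNIX_SOCKET/DB_NAME (or set DB_USE_UNIX_SOCKET=false) for non-production backends.` Binding `DB_PASSWORD` to a secret with RUNTIME-only availability is the right shape. If a `DATABASE_URL` entry earlier in the file still carries a credential that is no longer used at runtime, it should be removed or rotated.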
@@ -4,11 +4,44 @@ import { Pool, type PoolClient } from "pg"; let pool: Pool | null = null; function initializePool(): Pool { + const instanceUnixSocket = process.env.INSTANCE_UNIX_SOCKET; // e.g. /cloudsql/PROJECT:REGION:INSTANCE + const useUnixSocket = + instanceUnixSocket && process.env.DB_USE_UNIX_SOCKET !== "false"; + + if (useUnixSocket) { + const dbUser = process.env.DB_USER; + const dbPassword = process.env.DB_PASSWORD; + const dbName = process.env.DB_NAME; + + if (!dbUser || !dbName) { + throw new Error( + "INSTANCE_UNIX_SOCKET is set but DB_USER and/or DB_NAME are missing.", + ); + } + + const newPool = new Pool({ + user: dbUser, + password: dbPassword, + database: dbName, + host: instanceUnixSocket, + }); + + newPool.on("error", (err) => { + console.error("Unexpected error on idle PostgreSQL client:", err); + }); + + console.log("✅ PostgreSQL pool initialized via Cloud SQL Unix socket."); + return newPool; + } + + // Fallback: direct TCP connection via DATABASE_URL const connectionString = process.env.DATABASE_URL; if (!connectionString) { console.error("❌ CRITICAL: DATABASE_URL is not set in the environment."); - throw new Error("DATABASE_URL is missing. Cannot connect to the database."); + throw new Error( + "Neither INSTANCE_UNIX_SOCKET nor DATABASE_URL is configured. Cannot connect to the database.", + ); } const isProduction = process.env.NODE_ENV === "production"; @@ -23,6 +56,7 @@ function initializePool(): Pool { console.error("Unexpected error on idle PostgreSQL client:", err); }); + console.log("✅ PostgreSQL pool initialized via DATABASE_URL (TCP)."); return newPool; } From 71613af42a8a37c73ed65bdd4da0dcf0bb25a548 Mon Sep 17 00:00:00 2001 From: Evan Petzoldt Date: Wed, 11 Mar 2026 07:35:17 -0500 Subject: [PATCH 2/3] fixing db_password name and reference --- .env.example | 2 +- apphosting.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.env.example b/.env.example index 4690771..890f158 100644 --- a/.env.example 
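Review bot: In the first src/lib/db.ts hunk, the socket branch validates `DB_USER` and `DB_NAME` but not `DB_PASSWORD`, so a missing or misnamed secret binding builds the pool with `password: undefined`. The failure then most likely surfaces on the first connection as an authentication error that does not name the variable. Unless passwordless (IAM) login is intended, extend the guard to `if (!dbUser || !dbName || !dbPassword) {` and list `DB_PASSWORD` in the message, by name only and never by value. The reworded fallback error is also misleading when `INSTANCE_UNIX_SOCKET` is set but `DB_USE_UNIX_SOCKET` is "false"; something like `"DATABASE_URL is missing and the Unix socket path is not enabled."` covers both cases. The body of `initializePool` continues past the end of this hunk, so the TCP branch's TLS settings are not visible here.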
+++ b/.env.example @@ -2,7 +2,7 @@ DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/postgres # Cloud SQL Auth Proxy (Unix socket) — set these instead of DATABASE_URL on Cloud Run. # INSTANCE_UNIX_SOCKET=/cloudsql/PROJECT:REGION:INSTANCE -# DATABASE_PASSWORD=**** +# DB_PASSWORD=**** # DB_USE_UNIX_SOCKET=true # set to "false" to force DATABASE_URL even when INSTANCE_UNIX_SOCKET is set # `openssl rand -hex 32` diff --git a/apphosting.yaml b/apphosting.yaml index a23df7c..ec5f4dc 100644 --- a/apphosting.yaml +++ b/apphosting.yaml @@ -71,7 +71,7 @@ env: availability: - RUNTIME - variable: DB_PASSWORD - secret: codex-db-password + secret: client-database-password availability: - RUNTIME - variable: DB_NAME From 9e06033e02d29d862aaabc4790c2fd3d7047d1b7 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Wed, 11 Mar 2026 21:31:01 -0600 Subject: [PATCH 3/3] Source Cloud SQL Auth Proxy connection vars from secrets in apphosting.yaml (#93) Just updating .env.example. Ended up not using secrets for non-secret stuff. --- .env.example | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.env.example b/.env.example index 890f158..74acf4d 100644 --- a/.env.example +++ b/.env.example @@ -2,7 +2,9 @@ DATABASE_URL=postgres://postgres:postgres@127.0.0.1:5432/postgres # Cloud SQL Auth Proxy (Unix socket) — set these instead of DATABASE_URL on Cloud Run. # INSTANCE_UNIX_SOCKET=/cloudsql/PROJECT:REGION:INSTANCE +# DB_USER=your_db_user # DB_PASSWORD=**** +# DB_NAME=your_db_name # DB_USE_UNIX_SOCKET=true # set to "false" to force DATABASE_URL even when INSTANCE_UNIX_SOCKET is set # `openssl rand -hex 32`