[ E ] Infrastructure Google Cloud Certified · Professional Cloud Architect

Cloud architecture.

SciPHR runs on Google Cloud, designed so that the cloud is the hosting plane, never the custody plane. Every managed service in the stack exists to keep the platform available, observable, and auditable, and none of them ever holds a user key. This page walks the runtime topology, the identity model, and the keyless deployment pipeline.

Designed and operated by SciPHR's founder, a holder of the Google Cloud Certified · Professional Cloud Architect credential, Google's certification for designing secure, scalable, highly available cloud architecture.

Scope & status

The platform currently runs against the XRPL testnet. The architecture below is the same one that hardens for mainnet, the difference is configuration (cache tier, instance floors, alerting thresholds), not design. Service names are Google Cloud products; project-level identifiers are deliberately omitted.

[ 01 ]The design constraint

What the cloud is trusted with.

SciPHR's custody model requires that a fully compromised backend cannot steal funds or extract key material. The cloud architecture is designed for that scenario: it assumes the backend can be breached, and keeps the system safe in that case.

Trusted with

Availability, public metadata, prepared-intent records, encrypted envelopes it cannot open. The infrastructure's job is uptime and integrity, not secrecy of user keys.

Never trusted with

Seeds, private keys, decrypt capability, signing authority. There is no signer service, no KMS-wrapped user secret, no decrypt endpoint anywhere in the deployed stack.

Why it matters

A breach of the backend yields metadata and sciphrtext, nothing that can sign or decrypt. That property holds because the boundary was set before any service was provisioned, not added afterward.

Defense in depth, in the right order

The platform still applies the full hardening playbook, least-privilege IAM, secret isolation, private egress, keyless CI/CD. Hardening reduces the chance of a breach; the custody boundary limits what a breach can reach.

[ 02 ]Runtime topology

A serverless core, drawn.

The backend is a stateless container on Cloud Run fronted by an edge proxy. Requests reach the origin only with a Google-issued identity token; secrets mount at runtime from Secret Manager; ephemeral state lives in Firestore with every record carrying its own expiry; private egress flows through a Serverless VPC connector.

Mobile App holds all keys · signs Edge proxy attaches Google identity token to each request Cloud Run backend API · stateless scale-to-zero · no user keys Secret Manager config at runtime Firestore expiry-stamped records VPC connector private egress only Memorystore opt-in HA cache Compute Engine IPFS node · persistent disk · HTTPS + auth XRP Ledger validate · settle GCP never holds • user seeds or private keys • envelope decrypt capability • user-wallet signing authority HTTPS ID token secrets mount session · intent private broadcast signed blobs → pin encrypted envelopes
Fig. 1, Runtime topology. The dashed frame is an opt-in tier; the amber box lists what the platform never holds. The origin accepts only Google-issued identity tokens, so the public hostname stays public while the service itself stays closed.
[ 03 ]The managed stack

The stack, service by service.

ConcernGCP serviceWhy this one
ComputeCloud RunStateless containers, request-scoped scaling down to zero. A capped instance ceiling bounds both cost and blast radius.
SecretsSecret ManagerConfiguration mounts at deploy time as versioned references, never baked into images, never committed. Deploys fail closed if a required secret is missing.
StateFirestoreServerless document store for ephemeral records. Every record carries an expiry stamp enforced on read, with Firestore TTL available to garbage-collect stale documents platform-side.
CacheMemorystore for RedisOpt-in HA tier reached only over private networking. Test environments run an in-process cache instead.
Private networkingServerless VPC AccessCloud Run egress to private ranges only, so the cache and internal services are never internet-reachable.
Build & registryCloud Build · Artifact RegistryContainer images built and stored inside the project, versioned per release and deployed through the pipeline in §05.
Async workCloud TasksQueued dispatch with bounded retries, exponential backoff, and capped concurrency, so failures retry without flooding downstream services.
AI guardrailsModel ArmorScreens inbound text for prompt injection, jailbreaks, and malicious URIs before it ever reaches an LLM (§06).
Ingress controlAPI GatewayA managed public front for functions whose direct invoker access is restricted, auth handled by IAM, not application code.
Storage nodeCompute EngineA persistent-disk IPFS node for the encrypted envelopes, behind HTTPS and authenticated API access.
ObservabilityCloud MonitoringUptime checks against the health endpoint with an alerting channel, so failed checks page before users report them.
[ 04 ]The identity model

Short-lived identity over stored credentials.

Users trust SciPHR's backend to prepare transactions honestly and serve correct data, so the identities allowed to touch it are kept short-lived and narrow. Three places where that shows up:

[ 01 ]
Closed origin, open hostname
The Cloud Run origin requires a Google-issued identity token to invoke. The edge proxy holds a dedicated invoker identity and attaches a short-lived token to each request, so the API that prepares transactions and verifies signed blobs is never directly reachable by anonymous traffic.
[ 02 ]
One service, one identity
Each workload runs as its own least-privilege service account: the API reads its secrets and intent records, the triage function enqueues tasks and calls its models, the gateway invokes exactly one function. Compromising one service grants that service's permissions, not the platform's.
[ 03 ]
Keyless deployment
CI/CD authenticates by proving which repository and branch a workflow ran from, via OIDC and Workload Identity Federation. There is no stored deploy key that could be stolen and used to push a malicious backend revision. Drawn in full below.
[ 05 ]Keyless CI/CD

Deploys without stored keys.

The classic failure mode of cloud CI/CD is a long-lived service-account key stored in a repo secret. SciPHR's pipeline holds no cloud credential at all. GitHub's OIDC provider attests the workflow's identity; Google's Security Token Service verifies the attestation and issues credentials that exist only for the life of that run, and only for workflows from this exact repository.

GitHub Actions push to main OIDC token proves the source repo Google STS verifies · issues creds Deploy identity short-lived · scoped Cloud Build image → registry Cloud Run revision deployed · health-checked request exchange impersonate build + push deploy No stored cloud key anywhere in the pipeline · credentials expire with the workflow · only this repository can authenticate.
Fig. 2, Workload Identity Federation. Credentials are issued per workflow run and expire when it ends.
github-actions · deploy on push to main

#the whole pipeline, no downloaded keys anywhere

$git push origin main

quality gates · type-check + lint… ok

auth · OIDC → Security Token Service → short-lived credentials

build · Cloud Build → image → Artifact Registry

deploy · new Cloud Run revision · secrets mounted at runtime

verify · GET /api/health … 200 ok _

[ 06 ]An applied example

The feedback triage pipeline.

The same architecture patterns extend beyond the wallet backend. SciPHR's feedback triage system, which reads user feedback, classifies it with Claude, and files tracked issues automatically, is a small event-driven pipeline that shows the posture end to end:

Screened before the model

Every inbound message passes through Model Armor, prompt-injection, jailbreak, and malicious-URI filtering, before any LLM sees it. User-submitted text never reaches a model unscreened.

Queued, not coupled

Work dispatches through Cloud Tasks with bounded retries and exponential backoff. If a downstream service is unavailable, work waits in the queue and retries; nothing is lost.

Gated ingress

The function itself restricts direct invocation; public traffic enters only through API Gateway, whose own identity is the single principal allowed to invoke it.

Verified senders

Inbound events are signature-verified at the boundary, and every credential the pipeline uses lives in Secret Manager, mounted at runtime like everything else.

[ 07 ]Testnet → mainnet

What changes for mainnet.

The platform runs lean on testnet, with the mainnet upgrade path already provisioned in code. Moving to mainnet changes configuration, not architecture:

  • Cache moves from in-process to Memorystore HA with a replica, over the same private connector that already exists.
  • Cloud Run instance floors rise from scale-to-zero to warm minimums; the container and pipeline don't change.
  • Uptime checks and alerting widen from health probes to latency and error-budget alerting on the same monitoring plane.
  • The custody boundary doesn't change, it was never a function of environment.

Summary

Managed, serverless, and identity-driven everywhere, so the operational surface stays small enough to audit, and no user key material ever enters the cloud.

← PreviousDevelopers