docs: position Cloud Run deployment as demo API server example

mchmarny · claude · mchmarny · commit 768f420780d0 · 2026-01-31T11:44:29.000-08:00
Update all documentation to clarify that the Cloud Run deployment
is a demonstration for testing and development purposes only.
Users should self-host eidosd for production use.

Changes:
- RELEASING.md: Rename "Cloud Run Deployment" to "Demo Cloud Run Deployment"
- api-server.md: Rename "Production Deployment" to "Demo API Server Deployment"
- README.md (architecture): Update pipeline diagram and deployment description
- README.md (actions): Clarify deploy job is for demo purposes
- copilot-instructions.md: Update cloud-run-deploy action description
- CLAUDE.md: Update reference to demo deployment procedures

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
@@ -371,7 +371,7 @@ See `CONTRIBUTING.md` for contributor documentation:
 See `RELEASING.md` for maintainer documentation:
 - Release methods (automatic, manual, hotfix)
 - Verification commands for attestations and checksums
-- Cloud Run deployment and rollback procedures
+- Demo API server deployment and rollback procedures (example deployment)
 - Emergency hotfix procedure
 
 See `.github/copilot-instructions.md` for extended technical documentation:
diff --git a/.github/actions/README.md b/.github/actions/README.md
@@ -222,7 +222,7 @@ This action runs `tools/setup-tools --skip-go --skip-docker` in auto mode, which
 3. **E2E Tests** (parallel): Full end-to-end tests
 4. **Build and Release** (after tests): GoReleaser builds binaries and images to GHCR
 5. **Attest Images** (after build): SBOM and provenance for eidos and eidosd images
-6. **Deploy API Server** (after attest): Copy image to Artifact Registry and deploy to Cloud Run
+6. **Deploy Demo API Server** (after attest): Copy image to Artifact Registry and deploy demo to Cloud Run (example deployment)
 
 ### `test-deploy.yaml`
 **Trigger**: Manual (workflow_dispatch)
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -955,7 +955,7 @@ Eidos uses a **three-layer composite actions architecture** for reusability:
 - `go-ci` – Complete Go CI pipeline (setup → test → lint)
 - `go-build-release` – Full build/release pipeline
 - `attest-image-from-tag` – Resolve digest + generate attestations
-- `cloud-run-deploy` – GCP deployment with Workload Identity
+- `cloud-run-deploy` – Demo API server deployment (example deployment to GCP)
 
 **Layer 3: Workflows** (Orchestrate Actions)
 - `on-push.yaml` – CI validation for PRs and main branch
@@ -1000,7 +1000,7 @@ jobs:
         with:
           image_name: 'ghcr.io/nvidia/eidos'
           tag: ${{ github.ref_name }}
-  deploy:
+  deploy:  # Demo deployment (example, not production)
     needs: [attest]
     steps:
       - uses: ./.github/actions/cloud-run-deploy
diff --git a/RELEASING.md b/RELEASING.md
@@ -35,7 +35,7 @@ For standard releases from the main branch.
    - SBOM generation for all artifacts
    - Attestations signed with Sigstore
    - GitHub Release created with changelog
-   - Cloud Run deployment (eidosd API server)
+   - Demo Cloud Run deployment (eidosd API server example)
 
 4. **Verify artifacts** (see [Verification](#verification) below)
 
@@ -66,8 +66,8 @@ For rebuilding from existing tags or emergency releases:
 ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
 │ Tag Push │───▶│  Go CI   │───▶│  Build   │───▶│  Attest  │───▶│  Deploy  │
 └──────────┘    └──────────┘    └──────────┘    └──────────┘    └──────────┘
-                  tests +         binaries +      SBOM +          Cloud Run
-                  lint            images          provenance      (eidosd)
+                  tests +         binaries +      SBOM +          Demo Deploy
+                  lint            images          provenance      (example)
 ```
 
 ## Released Components
@@ -161,16 +161,18 @@ curl http://localhost:8080/health
 - **Pre-releases**: `v1.2.3-rc1`, `v1.2.3-beta1` (automatically marked in GitHub)
 - **Breaking changes**: Increment MAJOR version
 
-## Cloud Run Deployment
+## Demo Cloud Run Deployment
 
-The `eidosd` API server is automatically deployed to Google Cloud Run on successful release:
+> **Note**: This is a **demonstration deployment** for testing and development purposes only. It is not a production service. Users should self-host the `eidosd` API server in their own infrastructure for production use. See [API Server Documentation](docs/architecture/api-server.md) for deployment guidance.
+
+The `eidosd` API server demo is automatically deployed to Google Cloud Run on successful release:
 
 - **Project**: `eidosx`
 - **Region**: `us-west1`
 - **Service**: `api`
 - **Authentication**: Workload Identity Federation (keyless)
 
-Deployment only occurs if the build step succeeds.
+This demo deployment only occurs if the build step succeeds and serves as an example of how to deploy the API server.
 
 ## Troubleshooting
 
@@ -186,7 +188,9 @@ Deployment only occurs if the build step succeeds.
 
 Use manual workflow trigger with the existing tag. No need to delete and recreate tags.
 
-### Rollback Cloud Run
+### Rollback Demo Deployment
+
+To rollback the demo Cloud Run deployment (maintainers only):
 
 ```bash
 # List revisions
@@ -242,5 +246,5 @@ After release:
 - [ ] GitHub Release created with changelog
 - [ ] Container images available in GHCR
 - [ ] Attestations verifiable
-- [ ] Cloud Run deployment successful
+- [ ] Demo Cloud Run deployment successful (optional)
 - [ ] Announce release (if applicable)
diff --git a/docs/architecture/README.md b/docs/architecture/README.md
@@ -1102,8 +1102,8 @@ Eidos uses GitHub Actions with a three-layer composite actions architecture for
                     └──────┬──────┘
                            │
                     ┌──────▼──────┐
-                    │ Deploy to   │
-                    │ Cloud Run   │
+                    │ Demo Deploy │
+                    │ (example)   │
                     └─────────────┘
 ```
 
@@ -1124,10 +1124,11 @@ Eidos uses GitHub Actions with a three-layer composite actions architecture for
 - Record in Rekor transparency log (Sigstore)
 - Achieves **SLSA Build Level 3** compliance
 
-**Deployment** (`cloud-run-deploy` action):
+**Demo Deployment** (`cloud-run-deploy` action):
+- Demonstrates deployment to Google Cloud Run (users should self-host for production)
 - Authenticate with Workload Identity Federation (keyless)
 - Copy image from GHCR to Artifact Registry (us-docker.pkg.dev/eidosx/demo)
-- Deploy eidosd to Google Cloud Run from Artifact Registry
+- Deploy eidosd to Cloud Run as example deployment
 
 **Permissions**: `attestations: write`, `contents: write`, `id-token: write`, `packages: write`
 
diff --git a/docs/architecture/api-server.md b/docs/architecture/api-server.md
@@ -523,53 +523,53 @@ curl http://localhost:8080/ready
 curl http://localhost:8080/metrics
 ```
 
-## Production Deployment
+## Demo API Server Deployment
 
-### Google Cloud Run Deployment
+> **Note**: This section describes the **demonstration deployment** of the `eidosd` API server for testing and development purposes only. It is not a production service. Users should self-host the `eidosd` API server in their own infrastructure for production use. See the [Kubernetes Deployment](#kubernetes-deployment) section below for deployment guidance.
 
-The API server is deployed to Google Cloud Run with the following configuration:
+### Example: Google Cloud Run
 
-**Live Service:**
-- **URL**: http://localhost:8080
+The demo API server is deployed to Google Cloud Run as an example of how to deploy `eidosd`:
+
+**Demo Configuration:**
 - **Platform**: Google Cloud Run (fully managed serverless)
-- **Authentication**: Public access
+- **Authentication**: Public access (for demo purposes)
 - **Auto-scaling**: 0-100 instances based on load
-- **Region**: Multi-region for high availability
+- **Region**: `us-west1`
 
 **CI/CD Pipeline** (`on-tag.yaml`):
 ```mermaid
 flowchart LR
     A["Git Tag<br/>v0.8.12"] --> B["GitHub Actions"]
     B --> C["Go CI<br/>(Test + Lint)"]
     C --> D["Build Image<br/>(ko + goreleaser)"]
-    D --> E["Generate SBOM<br/>(Syft)"]  
+    D --> E["Generate SBOM<br/>(Syft)"]
     E --> F["Sign Attestations<br/>(Cosign keyless)"]
     F --> G["Push to GHCR<br/>ghcr.io/nvidia/eidosd"]
-    G --> H["Deploy to Cloud Run<br/>(WIF auth)"]
+    G --> H["Demo Deploy<br/>(example)"]
     H --> I["Health Check<br/>Verification"]
 ```
 
 **Supply Chain Security:**
 - **SLSA Build Level 3** compliance
 - **Signed SBOMs** in SPDX format
-- **Attestations** logged in Rekor transparency log  
+- **Attestations** logged in Rekor transparency log
 - **Verification**: `gh attestation verify oci://ghcr.io/nvidia/eidosd:TAG --owner nvidia`
 
-**Monitoring:**
+**Demo Monitoring:**
 - Health endpoint: `/health`
 - Readiness endpoint: `/ready`
 - Prometheus metrics: `/metrics`
 - Request tracing with `X-Request-Id` headers
-- Cloud Monitoring integration
 
-**Scaling Behavior:**
+**Scaling Behavior (demo):**
 - **Min instances**: 0 (scales to zero when idle)
 - **Max instances**: 100 (automatic scaling)
 - **Cold start**: 2-3 seconds
 - **Request timeout**: 30 seconds
 - **Concurrency**: 80 requests per instance
 
-**Benefits:**
+**Cloud Run Benefits (for reference):**
 - Zero operational overhead
 - Automatic HTTPS with managed certificates
 - Built-in DDoS protection
