docs(getting-started): add solid start guide

[SantiagoDePolonia]

Summary

• add a new Solid Start getting-started guide for production-oriented GoModel setup
• add the guide to Mintlify navigation
• link to it from the Quickstart next steps

Validation

• pre-commit run --files docs/docs.json docs/getting-started/quickstart.mdx docs/getting-started/solid-start.mdx

Note: direct mint validate is not available on this PATH, but the repo pre-commit Mintlify validation passed.

Summary by CodeRabbit

• Documentation
  • Added a new production deployment guide covering Docker, Docker Compose, and systemd deployment, plus configuration, security, and operational best practices (secrets, logging, storage, TLS, health checks, verification).
  • Updated the Quick Start guide to reference the new production deployment documentation as a “Next Steps” link.

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
gomodel	🟢 Ready	View Preview	May 25, 2026, 4:05 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 02a0dc79-1c64-410a-a1b6-03d8adae8787

📥 Commits

Reviewing files that changed from the base of the PR and between ce5f402 and 5287989.

📒 Files selected for processing (1)

• docs/getting-started/solid-start.mdx

---

📝 Walkthrough

Walkthrough

This PR adds a production deployment guide for GoModel, wiring it into the documentation site navigation and quickstart flow. The new solid-start guide provides baseline recommendations, .env configuration setup, deployment methods (Docker, Docker Compose, systemd), verification steps, and operational notes.

Changes

Production Deployment Documentation

Layer / File(s)	Summary
Documentation navigation and quickstart integration docs/docs.json, docs/getting-started/quickstart.mdx	Navigation config adds the new getting-started/solid-start guide to the Getting Started list; quickstart page adds a "Next Steps" link to the production deployment guide.
Production baseline and configuration setup docs/getting-started/solid-start.mdx (lines 1–89)	Adds page frontmatter, a production baseline decisions table (secrets/auth/logging/storage/network/health), and a complete example production .env with provider keys, storage, audit/usage retention, admin toggles, and host hardening notes including SQLite mount guidance.
Deployment methods (Docker, Docker Compose, systemd) docs/getting-started/solid-start.mdx (lines 91–205)	Documents Docker run with --env-file and durable host storage mounts, Docker Compose service wiring and a PostgreSQL switch for multi-instance setups, and native binary installation with a hardened systemd unit template and runtime user/directory setup.
Verification and operational notes docs/getting-started/solid-start.mdx (lines 207–245)	Provides liveness and authenticated API smoke-test commands for /health, /v1/models, and /v1/chat/completions, plus operational notes on reverse-proxy responsibilities, production-safe defaults (e.g., keep PPROF_ENABLED and LOGGING_LOG_BODIES disabled), and links to configuration and Prometheus metrics docs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

A guide to production so fine,
With Docker, systemd, .env in line,
Health checks and certs, all in place,
GoModel deploys with grace! 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs(getting-started): add solid start guide' accurately describes the main change—adding a new production-oriented documentation page to the getting-started section.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/solid-start-guide

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds a production-oriented getting-started guide for GoModel. The main changes are:

• A new Solid Start guide covering .env, Docker, Compose, and native binary deployment.
• A new navigation entry under Getting Started.
• A Quickstart next-step link to the Solid Start page.

Confidence Score: 3/5

This should be fixed before merging.

• The production sample can expose the unauthenticated dashboard while implying it is protected by auth.
• The native logging sample can capture headers unexpectedly.
• The navigation and Quickstart link changes are straightforward.

docs/getting-started/solid-start.mdx

Security Review

• Unauthenticated dashboard exposure in docs/getting-started/solid-start.mdx: the production sample enables ADMIN_UI_ENABLED=true even though /admin/dashboard skips GoModel auth.
• Audit header capture in docs/getting-started/solid-start.mdx: the native binary sample enables audit logging without disabling header logging.

Important Files Changed

Filename	Overview
docs/getting-started/solid-start.mdx	Adds the new production guide and contains the deployment defaults that need security-focused corrections.

_{Reviews (1): Last reviewed commit: "docs(getting-started): add solid start g..." | Re-trigger Greptile}

[greptile-apps]

Dashboard remains unauthenticated

This production sample enables ADMIN_UI_ENABLED=true while saying the dashboard should be kept enabled only when protected by auth. In the server, /admin/dashboard and its static assets skip GoModel auth whenever the dashboard is enabled, even when GOMODEL_MASTER_KEY is set. An operator who copies this baseline can expose the dashboard publicly behind HTTPS while believing the master key protects it. The production default should either disable the dashboard UI or explicitly require proxy/network auth before enabling it.

Suggested change

	# Keep admin endpoints and dashboard enabled only when they are protected by auth
	# and reachable through your intended network path.
	ADMIN_ENDPOINTS_ENABLED=true
	ADMIN_UI_ENABLED=true
	# Keep admin endpoints enabled behind bearer auth. The dashboard UI is unauthenticated,
	# so enable it only when protected by proxy auth or a trusted network boundary.
	ADMIN_ENDPOINTS_ENABLED=true
	ADMIN_UI_ENABLED=false

Context Used: CLAUDE.md (source)

[greptile-apps]

Headers stay logged

This native-binary sample enables audit logging and disables body logging, but it omits LOGGING_LOG_HEADERS=false. Header logging defaults to enabled, so operators copying this block will capture request and response headers even though the main production baseline turns header logging off. Add the same header opt-out here so the native deployment path matches the safer production logging defaults.

Suggested change

	LOGGING_ENABLED=true
	LOGGING_LOG_BODIES=false
	LOGGING_RETENTION_DAYS=30
	LOGGING_ENABLED=true
	LOGGING_LOG_BODIES=false
	LOGGING_LOG_HEADERS=false
	LOGGING_RETENTION_DAYS=30

Context Used: CLAUDE.md (source)

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/getting-started/solid-start.mdx`:
- Around line 60-64: The docs currently enable admin surfaces by default; change
the baseline to set ADMIN_ENDPOINTS_ENABLED=false and ADMIN_UI_ENABLED=false,
and move the explained lines into a clearly labeled “enable if needed”
subsection that documents the risk and how to turn them on (mentioning
ADMIN_ENDPOINTS_ENABLED and ADMIN_UI_ENABLED), so the production baseline
defaults to disabled and users must opt into enabling the admin endpoints/UI.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 9fedcbe5-9472-4bb3-87d3-bcd1a6c3dfcc

📥 Commits

Reviewing files that changed from the base of the PR and between 581cf4a and 902735b.

📒 Files selected for processing (3)

• docs/docs.json
• docs/getting-started/quickstart.mdx
• docs/getting-started/solid-start.mdx

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Default admin surfaces to disabled in the production baseline.

Setting ADMIN_ENDPOINTS_ENABLED=true and ADMIN_UI_ENABLED=true in the baseline .env increases exposed surface area. For a production default, these should be false and moved to an explicit “enable if needed” subsection.

Suggested doc patch

-# Keep admin endpoints and dashboard enabled only when they are protected by auth
-# and reachable through your intended network path.
-ADMIN_ENDPOINTS_ENABLED=true
-ADMIN_UI_ENABLED=true
+# Keep admin endpoints/dashboard disabled by default in production.
+# Enable only when needed, with explicit network and auth controls.
+ADMIN_ENDPOINTS_ENABLED=false
+ADMIN_UI_ENABLED=false

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Keep admin endpoints and dashboard enabled only when they are protected by auth
	# and reachable through your intended network path.
	ADMIN_ENDPOINTS_ENABLED=true
	ADMIN_UI_ENABLED=true
	```
	# Keep admin endpoints/dashboard disabled by default in production.
	# Enable only when needed, with explicit network and auth controls.
	ADMIN_ENDPOINTS_ENABLED=false
	ADMIN_UI_ENABLED=false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/getting-started/solid-start.mdx` around lines 60 - 64, The docs
currently enable admin surfaces by default; change the baseline to set
ADMIN_ENDPOINTS_ENABLED=false and ADMIN_UI_ENABLED=false, and move the explained
lines into a clearly labeled “enable if needed” subsection that documents the
risk and how to turn them on (mentioning ADMIN_ENDPOINTS_ENABLED and
ADMIN_UI_ENABLED), so the production baseline defaults to disabled and users
must opt into enabling the admin endpoints/UI.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

docs/getting-started/solid-start.mdx (3)

38-38: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Provide guidance on generating a secure master key.

The placeholder text does not explain how to generate a cryptographically secure key. Production users need concrete instructions.

📝 Suggested addition after line 38

Add a tip or note after the .env block:

 ADMIN_UI_ENABLED=true

+

• Generate a secure master key with openssl rand -base64 32 or your secret manager's random generator.
  +

SQLITE_PATH uses /app/data/gomodel.db for Docker because that path exists

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @docs/getting-started/solid-start.mdx at line 38, Replace the placeholder
value "GOMODEL_MASTER_KEY=replace-with-a-long-random-secret" with a brief
explanatory tip added immediately after that .env entry: add a note telling
users how to generate a cryptographically secure key (for example using openssl
rand -base64 32 or a secrets manager's random generator) and suggest storing it
in their secret manager rather than committing it; reference the existing .env
line "GOMODEL_MASTER_KEY=replace-with-a-long-random-secret" to locate where to
insert the tip in solid-start.mdx.

</details>

---

`211-226`: _🧹 Nitpick_ | _🔵 Trivial_ | _⚡ Quick win_

**Use a variable reference instead of a literal placeholder in verification examples.**

Lines 213 and 220 use the literal string `replace-with-a-long-random-secret` in the Authorization header. Users may copy-paste this by mistake. Consider using `$GOMODEL_MASTER_KEY` or a clearer placeholder like `<your-master-key>`.


<details>
<summary>✨ Suggested refinement</summary>

```diff
 curl -fsS http://127.0.0.1:8080/v1/models \
-  -H "Authorization: Bearer replace-with-a-long-random-secret"
+  -H "Authorization: Bearer $GOMODEL_MASTER_KEY"

 curl -fsS http://127.0.0.1:8080/v1/chat/completions \
-  -H "Authorization: Bearer replace-with-a-long-random-secret" \
+  -H "Authorization: Bearer $GOMODEL_MASTER_KEY" \
   -H "Content-Type: application/json" \

Alternatively, if you prefer to keep it static for clarity, use angle brackets: <your-master-key-here>.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/getting-started/solid-start.mdx` around lines 211 - 226, Replace the
literal "replace-with-a-long-random-secret" in the Authorization header of both
curl examples (the /v1/models request and the /v1/chat/completions smoke-test)
with a safer variable or clear placeholder; for example use
"$GOMODEL_MASTER_KEY" (or "$GOMODEL_MASTER_KEY" quoted for shells) or
"<your-master-key-here>" so users won’t accidentally copy a fake secret—update
both occurrences to the chosen form.

---

154-164: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Inconsistent .env example for native deployment.

The native .env example (lines 154-164) omits several production-relevant variables that appear in the Docker version (lines 34-64): BODY_SIZE_LIMIT, USAGE_ENABLED, USAGE_RETENTION_DAYS, ADMIN_ENDPOINTS_ENABLED, and ADMIN_UI_ENABLED. This inconsistency may confuse users about which variables are required or recommended for production.

📝 Suggested fix to align with Docker .env example

 # /opt/gomodel/.env
 PORT=8080
 LOG_FORMAT=json
+LOG_LEVEL=info
+BODY_SIZE_LIMIT=10M
 GOMODEL_MASTER_KEY=replace-with-a-long-random-secret
 OPENAI_API_KEY=sk-...
 STORAGE_TYPE=sqlite
 SQLITE_PATH=/var/lib/gomodel/gomodel.db
 LOGGING_ENABLED=true
 LOGGING_LOG_BODIES=false
+LOGGING_LOG_HEADERS=false
 LOGGING_RETENTION_DAYS=30
+USAGE_ENABLED=true
+USAGE_RETENTION_DAYS=90
+ADMIN_ENDPOINTS_ENABLED=true
+ADMIN_UI_ENABLED=true

Note: Once the admin endpoint defaults are changed to false per the earlier review, update both examples consistently.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/getting-started/solid-start.mdx` around lines 154 - 164, Update the
native deployment .env example in docs/getting-started/solid-start.mdx to
include the same production-relevant variables present in the Docker .env
example: add BODY_SIZE_LIMIT, USAGE_ENABLED, USAGE_RETENTION_DAYS,
ADMIN_ENDPOINTS_ENABLED, and ADMIN_UI_ENABLED (set sensible defaults consistent
with the Docker example and your admin endpoint defaults change); locate the
.env block in solid-start.mdx and mirror the Docker example's variable names and
default values so both examples stay consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docs/getting-started/solid-start.mdx`:
- Line 38: Replace the placeholder value
"GOMODEL_MASTER_KEY=replace-with-a-long-random-secret" with a brief explanatory
tip added immediately after that .env entry: add a note telling users how to
generate a cryptographically secure key (for example using openssl rand -base64
32 or a secrets manager's random generator) and suggest storing it in their
secret manager rather than committing it; reference the existing .env line
"GOMODEL_MASTER_KEY=replace-with-a-long-random-secret" to locate where to insert
the tip in solid-start.mdx.
- Around line 211-226: Replace the literal "replace-with-a-long-random-secret"
in the Authorization header of both curl examples (the /v1/models request and
the /v1/chat/completions smoke-test) with a safer variable or clear placeholder;
for example use "$GOMODEL_MASTER_KEY" (or "$GOMODEL_MASTER_KEY" quoted for
shells) or "<your-master-key-here>" so users won’t accidentally copy a fake
secret—update both occurrences to the chosen form.
- Around line 154-164: Update the native deployment .env example in
docs/getting-started/solid-start.mdx to include the same production-relevant
variables present in the Docker .env example: add BODY_SIZE_LIMIT,
USAGE_ENABLED, USAGE_RETENTION_DAYS, ADMIN_ENDPOINTS_ENABLED, and
ADMIN_UI_ENABLED (set sensible defaults consistent with the Docker example and
your admin endpoint defaults change); locate the .env block in solid-start.mdx
and mirror the Docker example's variable names and default values so both
examples stay consistent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7a1d5a98-98f5-4e32-b698-219d4fc54eff

📥 Commits

Reviewing files that changed from the base of the PR and between 902735b and ce5f402.

📒 Files selected for processing (1)

• docs/getting-started/solid-start.mdx