feat: add Redis TLS support

[brendan-kellam]

Summary

• Extracts Redis client into packages/backend/src/redis.ts with TLS support
• Adds env vars for Redis TLS configuration (REDIS_TLS_ENABLED, certs, SNI, cipher options, etc.)
• Adds Infrastructure docs section with a Redis TLS configuration page

Fixes #1006

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Added Redis TLS support configurable via environment variables to enable and customize secure Redis connections.

• Documentation

  • Added an Infrastructure section with Architecture and Redis pages.
  • Expanded Redis docs with TLS configuration and enablement guidance.
  • Consolidated environment variables documentation into the Configuration section and clarified REDIS_URL/TLS notes.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6f093900-6bd1-4d3b-9a16-05b04f7abe00

📥 Commits

Reviewing files that changed from the base of the PR and between 11cdf04 and be6020e.

📒 Files selected for processing (1)

• packages/backend/src/redis.ts

---

Walkthrough

Adds Redis TLS support: a new backend Redis module builds TLS options from environment variables, shared env schema exposes REDIS_TLS_* keys, backend imports the shared Redis client, and docs/manifest updated with infrastructure and Redis TLS documentation.

Changes

Cohort / File(s)	Summary
Documentation structure & pages docs/docs.json, docs/docs/configuration/environment-variables.mdx, docs/docs/deployment/infrastructure/architecture.mdx, docs/docs/deployment/infrastructure/redis.mdx	Added an Infrastructure group and Redis TLS doc; consolidated placement of the environment variables page and added a TLS-enable note for REDIS_URL.
Backend Redis client packages/backend/src/redis.ts, packages/backend/src/index.ts	Added redis.ts exporting a shared redis client that conditionally builds TLS options from REDIS_TLS_* env vars; replaced local Redis instantiation in index.ts with import of the shared instance.
Shared environment schema packages/shared/src/env.server.ts	Added server-scoped REDIS_TLS_* environment declarations (enable flag, CA/cert/key paths, servername, validation flags, protocol, ciphers, honor order, key passphrase).
Changelog CHANGELOG.md	Documented Redis-over-TLS support and listed related env vars in Unreleased.

Sequence Diagram(s)

sequenceDiagram
  participant Env as "Environment (REDIS_URL + REDIS_TLS_*)"
  participant RedisModule as "packages/backend/src/redis.ts"
  participant Backend as "packages/backend/src/index.ts"
  participant RedisServer as "Redis (remote)"

  Env->>RedisModule: provide `REDIS_URL` and `REDIS_TLS_*` vars
  RedisModule->>RedisModule: buildTlsOptions() (read flags, load files)
  RedisModule->>RedisModule: instantiate shared `redis` with TLS options
  Backend->>RedisModule: import shared `redis`
  Backend->>RedisServer: connect via `redis` (TLS if enabled)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat: add Redis TLS support #1011: Implements the same Redis TLS support changes (new redis.ts, REDIS_TLS_* env vars, docs).
• db performance improvements and job resilience  #200: Prior adjustments to Redis initialization and REDIS_URL handling that overlap with centralized client changes.
• chore(worker): Migrate off of groupmq #860: Related work modifying backend Redis usage and integrations that would consume a centralized TLS-capable Redis client.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main change: adding Redis TLS support is the primary objective implemented across multiple files.
Linked Issues check	✅ Passed	The PR fully addresses issue #1006 by enabling TLS configuration for Redis via environment variables (REDIS_TLS_ENABLED and related vars), extracting Redis initialization to support TLS options, and providing comprehensive documentation.
Out of Scope Changes check	✅ Passed	All changes directly support Redis TLS functionality: environment variables, Redis client extraction with TLS handling, documentation, and changelog entry are all in-scope.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch bkellam/redis_tls

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

docs/docs/deployment/infrastructure/redis.mdx (1)

6-6: Use second-person voice in the opening sentence.

Please rephrase Line 6 to second person (for example, “You use Redis…”), to match docs style consistency.

As per coding guidelines, docs/**/*.mdx: "Write in second person ('you') and present tense."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/docs/deployment/infrastructure/redis.mdx` at line 6, Replace the
sentence "Sourcebot uses Redis as a job queue for background indexing work."
with a second-person, present-tense variant (e.g., "You use Redis as a job queue
for background indexing work.") to match docs style; update the text in the
redis.mdx content where that exact sentence appears so the opening sentence uses
"you" and present tense.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/backend/src/redis.ts`:
- Around line 5-8: buildTlsOptions currently only enables TLS when
REDIS_TLS_ENABLED="true", ignoring when REDIS_URL uses rediss://; change it so
TLS options are built when either env.REDIS_TLS_ENABLED==="true" OR
env.REDIS_URL startsWith("rediss://"). Populate and return a proper tls options
object using env-driven values (e.g. REDIS_TLS_SERVERNAME -> servername,
REDIS_TLS_CA/REDIS_TLS_CERT/REDIS_TLS_KEY -> ca/cert/key,
REDIS_TLS_REJECT_UNAUTHORIZED -> rejectUnauthorized, REDIS_TLS_CIPHERS ->
ciphers, etc.) so ioredis receives detailed TLS config; otherwise return {}.
Ensure this logic lives in buildTlsOptions so callers of that function get the
correct tls config.

---

Nitpick comments:
In `@docs/docs/deployment/infrastructure/redis.mdx`:
- Line 6: Replace the sentence "Sourcebot uses Redis as a job queue for
background indexing work." with a second-person, present-tense variant (e.g.,
"You use Redis as a job queue for background indexing work.") to match docs
style; update the text in the redis.mdx content where that exact sentence
appears so the opening sentence uses "you" and present tense.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2e10554d-339f-4016-bd50-ff8f6d5f1978

📥 Commits

Reviewing files that changed from the base of the PR and between ca63bf2 and 585a675.

📒 Files selected for processing (7)

• docs/docs.json
• docs/docs/configuration/environment-variables.mdx
• docs/docs/deployment/infrastructure/architecture.mdx
• docs/docs/deployment/infrastructure/redis.mdx
• packages/backend/src/index.ts
• packages/backend/src/redis.ts
• packages/shared/src/env.server.ts