Troubleshooting: Can't save project strategy or related links in production

Saves for project strategy (Linked Strategy dropdown) and related links (Quick Links) go through the Next.js API and write to Firestore via the Firebase Admin SDK. If those saves work locally but fail in production, the usual cause is Firebase Admin not having valid credentials in the production environment.

What to check

1. Service account secret in production
   The Admin SDK needs either:

   • FIREBASE_SERVICE_ACCOUNT_JSON – full JSON key in an env/secret, or
   • FIREBASE_SERVICE_ACCOUNT_PATH – path to a key file (only works where the filesystem has the file; often not available on serverless).

   On Cloud Run, secrets are injected from Secret Manager (e.g. firebase-service-account). Ensure the production service has a secret that provides the service account JSON (e.g. mapped to FIREBASE_SERVICE_ACCOUNT_JSON). If neither variable is set, the app falls back to default credentials, which may not have access to Firestore or may point at the wrong project.

2. Firestore project
   The project used for Firestore is (in order) FIRESTORE_PROJECT_ID, NEXT_PUBLIC_FIREBASE_PROJECT_ID, or GOOGLE_CLOUD_PROJECT. In production, if you use a shared dev Firestore (e.g. gtc-tools-dev), set FIRESTORE_PROJECT_ID to that project. The service account must have Firestore write access in that project.

3. See the real error
   Failed saves now return the server error message in the toast. Reproduce the save in production and note the exact message (e.g. "Firebase project ID not configured", "Permission denied", or "Service account file not found"). Check Cloud Run logs for the same error and stack trace.

Quick fix

Add or fix the Firebase Admin secret in production (Secret Manager → Cloud Run env mapping) so that FIREBASE_SERVICE_ACCOUNT_JSON is set to the same service account you use for Firestore in the target project (e.g. dev), then redeploy.

See also: DEPLOYMENT_FLOW.md (secrets and Cloud Run).