[AZ-552..AZ-557] Cycle-2 hotfix task intake (6 specs, 11 pts)

Materializes cycle-2 hotfix sprint task specs from security_report_cycle2.md
findings. All six roll up to epic AZ-530 per the `cycle-2-hotfix` /
`AZ-530-followup` Jira labels. Total 11 story points; gates the next deploy.

Tasks:
- AZ-552 drop_jwt_secret_deploy_preflight (1 pt) — F-INFRA-1 Critical
- AZ-553 bind_mount_es256_keys (2 pts)        — F-INFRA-2 Critical
- AZ-554 persist_dataprotection_keys (2 pts)  — F-INFRA-3 High
- AZ-555 secrets_readme_es256_rewrite (1 pt)  — F-INFRA-4 High
- AZ-556 unify_login_error_codes (2 pts)      — F-AUTH-1+F-AUTH-3 High
- AZ-557 mfa_brute_force_lockout (3 pts)      — F-AUTH-2 High

Also:
- _dependencies_table.md updated (25 tasks / 82 pts; hotfix landing order)
- _autodev_state.md rolled to step: 10 (Implement) not_started
- _process_leftovers/2026-05-14_suite_infra_jwt_secret_drift.md logs the
  out-of-scope suite-level _infra/deploy/webserver/ JWT_SECRET drift —
  separate Jira ticket needed against the suite repo, not blocking.

Step 9 (New Task) cycle-2-hotfix-intake output.

Co-authored-by: Cursor <cursoragent@cursor.com>
Oleksandr Bezdieniezhnykh
2026-05-14 09:23:12 +03:00
parent 1bdbe8c96d
commit d2b5308b45
9 changed files with 777 additions and 28 deletions
@@ -0,0 +1,44 @@
# Leftover: Suite-Level `_infra/deploy/webserver/` Still Uses Obsolete `JWT_SECRET`
**Timestamp**: 2026-05-14T09:18:00+03:00
**Type**: cross-workspace follow-up (non-blocking)
**Source**: `/autodev` Step 9 (cycle-2 hotfix intake) — ownership verification before drafting AZ-552..AZ-557
## What was blocked
Nothing in this workspace is blocked. This leftover records a related concern that lives **outside** the admin repo and therefore cannot be addressed by tickets AZ-552..AZ-557 (which are admin-only).
## Observation
The suite-level deploy artifact at `/Users/obezdienie001/dev/azaion/suite/_infra/deploy/webserver/` still references the obsolete HS256-era `JWT_SECRET` for the admin service:
- `_infra/deploy/webserver/docker-compose.yml:45,52-60,71,141``JWT_SECRET: ${JWT_SECRET}` injected into admin and at least one other service.
- `_infra/deploy/webserver/install.sh:87``JWT_SECRET=changeme` default in the installer.
- `_infra/deploy/webserver/.env.example:20``JWT_SECRET=changeme` template.
The cycle-2 admin build no longer reads `JWT_SECRET` / `JwtConfig__Secret` (AZ-532 removed it; AZ-552 will remove the script-level preflight check). The suite-level webserver deploy path is therefore out-of-sync: it injects an env var that the cycle-2 admin container ignores, and it does NOT set up the new `JwtConfig__KeysFolder` / `JwtConfig__ActiveKid` / `DataProtection__KeysFolder` env vars that the cycle-2 admin REQUIRES.
If anyone deploys cycle-2 admin via `_infra/deploy/webserver/`, the container will fail-fast at startup (same root cause as F-INFRA-1/F-INFRA-2, just at a different layer).
## What the suite repo needs to do
Equivalent of AZ-552..AZ-555 but against the `_infra/deploy/webserver/` flow:
1. Drop `JWT_SECRET` injection for the admin service from `docker-compose.yml`, `install.sh`, `.env.example`.
2. Add `JwtConfig__KeysFolder`, `JwtConfig__ActiveKid`, `DataProtection__KeysFolder` env vars to the admin service block.
3. Bind-mount the host-side JWT keys folder and DataProtection keys folder into the admin container (mirroring AZ-553/AZ-554's pattern from the admin repo).
4. Update `_infra/deploy/webserver/README.md` schema.
These changes must land in the **suite repo** (`/Users/obezdienie001/dev/azaion/suite/`), not the admin repo. They are NOT covered by AZ-552..AZ-557.
## Recommended action
File a Jira ticket against the suite repo under epic AZ-530 (or whichever epic owns suite-level deploy) titled "Update `_infra/deploy/webserver/` for cycle-2 ES256 + DataProtection env vars". Cross-link from this admin's AZ-553/AZ-555 commit messages so reviewers see the suite-side follow-up exists.
Estimated complexity: 3 points (mirrors AZ-552 + AZ-553 + AZ-555 combined but in a different repo).
## Replay status
- Replay attempted: not yet — this is informational only; no automated tracker write is queued.
- Next replay opportunity: at the start of the next `/autodev` invocation, the user should be reminded of this entry. If they confirm the suite ticket has been filed, delete this leftover.
- Blocker for autodev progress: **NO**. This leftover does not block any cycle-2 hotfix work in the admin repo.
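Review bot: step 1 under "What the suite repo needs to do" removes the `JWT_SECRET=changeme` defaults from `install.sh:87` and `.env.example:20`, but the Observation section states that `docker-compose.yml` injects `JWT_SECRET` into admin "and at least one other service"; the installer and template defaults are shared, so deleting them changes that other service's configuration as well. Narrow step 1 to dropping the admin-service injection in `docker-compose.yml`, and either name the other consumer so the suite ticket can scope it or make removal of the installer/template defaults conditional on confirming that consumer no longer reads `JWT_SECRET`. The estimate under "Recommended action" also disagrees with its own reference: per the task list, AZ-552 + AZ-553 + AZ-555 sum to 1 + 2 + 1 = 4 points, and steps 2 and 3 additionally mirror AZ-554 (DataProtection keys folder, 2 points), so "3 points" undercounts the described work. Lastly, the three Observation bullets run the file:line reference straight into the quoted snippet (e.g. `install.sh:87``JWT_SECRET=changeme`); add a separator between the reference and the snippet so the locations stay readable.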