admin

mirror of https://github.com/azaion/admin.git synced 2026-06-21 22:31:09 +00:00

Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	f369153149	[AZ-552] [AZ-553] [AZ-554] [AZ-555] Cycle-2 hotfix: deploy/infra chain Batch 5 (cycle 2 hotfix sprint, batch 1 of 2). 6 story points under epic AZ-530. Addresses 2 Critical + 2 High deploy-blocking findings from security_report_cycle2.md (F-INFRA-1..F-INFRA-4). AZ-552 — drop_jwt_secret_deploy_preflight (1 pt, F-INFRA-1 Critical) scripts/start-services.sh swaps obsolete JwtConfig__Secret preflight for the cycle-2 trio (KeysFolder + ActiveKid + DataProtection.KeysFolder). .env.example, env/api/env.ps1, _docs/04_deploy/* updated to match. Repo scan in scripts/ and .env.example returns 0 offenders. AZ-553 — bind_mount_es256_keys (2 pts, F-INFRA-2 Critical) start-services.sh bind-mounts DEPLOY_HOST_JWT_KEYS_DIR read-only at /etc/azaion/jwt-keys; preflight fails fast on a missing or empty host directory with operator-actionable error messages. AZ-554 — persist_dataprotection_keys (2 pts, F-INFRA-3 High) Program.cs DataProtection wiring now fails fast in Production when KeysFolder is unset OR not probe-writable. start-services.sh bind-mounts DEPLOY_HOST_DP_KEYS_DIR read-write at /var/lib/azaion/dp-keys. Development behaviour unchanged (ephemeral default). AZ-555 — secrets_readme_es256_rewrite (1 pt, F-INFRA-4 High) secrets/README.md schema fully rewritten; new "Host-side directories" subsection with bind-mount table + ownership/permission guidance. Cycle-1 JwtConfig__Secret removed from live schema (one prose deprecation paragraph retained). Adjacent hygiene module-layout.md "Owns" extended to include scripts/, secrets/, env/, .env.example (gap from Step 9 new-task layout-delta). Tests e2e/Azaion.E2E/Tests/Cycle2HotfixDeployTests.cs — 19 facts (8 exec, 11 Skip with rationale per AZ-537/AZ-538 precedent). Skipped tests cover preflight/restart/Production-only paths verified at deploy gate. Build: 0W 0E across Azaion.AdminApi + Azaion.E2E. Test run deferred to autodev Step 11 (Run Tests). Tracker transition deferred to next batch (MCP availability unverified in this session — Leftovers pattern). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-14 09:35:57 +03:00
Oleksandr Bezdieniezhnykh	a77b3f8a59	[AZ-529] [AZ-530] Cycle-2 documentation refresh Refreshes _docs/02_document/ to reflect the cycle-2 auth-modernization + CMMC hardening landings (AZ-531..AZ-538). Authoritative source for the ripple set is ripple_log_cycle2.md. Covered: - architecture.md (section 1 rewritten, ADRs 6-9 added) - data_model.md (sessions, audit_events, user columns, migrations) - system-flows.md (F1 rewritten; F11-F17 added; F2/F7/F9 minor) - module-layout.md (cycle-2 sub-component table) - diagrams/flows/flow_login.md (dual-token + MFA) - components/{01_data_layer,03_auth_and_security,05_admin_api} - modules/ (12 new, 8 modified — full Argon2id/ES256/MFA/refresh /mission/session/audit/jwks rollup) - tests/{blackbox,security,traceability-matrix} Step 13 (Update Docs) output for cycle 2. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-14 09:22:53 +03:00
Oleksandr Bezdieniezhnykh	3a925b9b0f	refactor: remove obsolete resource download and installer endpoints ci/woodpecker/push/01-test Pipeline failed Details ci/woodpecker/push/02-build-push unknown status Details - Deleted the `POST /resources/get/{dataFolder?}` and `GET /resources/get-installer` endpoints as part of the architectural shift towards simplified resource management. - Removed associated methods and configurations, including `ResourcesService.GetEncryptedResource`, `ResourcesService.GetInstaller`, and related properties in `ResourcesConfig`. - Cleaned up environment variables and configuration files to reflect the removal of installer-related settings. - Eliminated the `GetResourceRequest` DTO and its validator, along with the `WrongResourceName` error code. - Updated documentation to clarify the changes in resource handling and the retirement of per-user file encryption. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-14 04:17:55 +03:00
Oleksandr Bezdieniezhnykh	c7b297de83	refactor: remove deploy.cmd and update Dockerfile for health checks ci/woodpecker/push/01-test Pipeline failed Details ci/woodpecker/push/02-build-push unknown status Details - Deleted the deploy.cmd script as it was no longer needed. - Updated Dockerfile to include curl for health checks and added a non-root user for improved security. - Modified health check command to use curl for better reliability. - Adjusted docker-compose.test.yml to reflect changes in health check configuration. - Cleaned up appsettings.json and removed unused configuration properties. - Removed Resource entity and related requests from the codebase as part of the architectural shift. - Updated documentation to reflect the removal of hardware binding and related endpoints. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-13 08:47:21 +03:00
Oleksandr Bezdieniezhnykh	5ca9ccab2c	[AZ-513] [AZ-196] [AZ-183] Add /classes CRUD, /devices, fleet OTA AZ-513: POST/PATCH/DELETE /classes for detection-class CRUD; new DetectionClass entity, schema, DTOs, IDetectionClassService. Unblocks ui/AZ-512. AZ-196: POST /devices auto-assigns sequential azj-NNNN serial+email +password and inserts a CompanionPC user. Returns plaintext credentials for the provisioning script. AZ-183: Resources table + POST /get-update + POST /resources/publish for fleet OTA. Per-resource encryption_key column AES-256-CBC encrypted at rest with ResourcesConfig.EncryptionMasterKey; ICache wraps the per-(arch,stage) latest-versions lookup and is invalidated on publish. Adds IDbFactory.RunAdmin<T> overload for write-and-return. Backfills _docs/02_document/module-layout.md to satisfy the implement skill's File Ownership prerequisite (the _docs/ artifact set predates the Step 1.5 module-layout addition). Code review: PASS_WITH_WARNINGS — see _docs/03_implementation/reviews/batch_05_review.md. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-13 04:34:42 +03:00

5 Commits