Oleksandr Bezdieniezhnykh a77b3f8a59 [AZ-529] [AZ-530] Cycle-2 documentation refresh
Refreshes _docs/02_document/ to reflect the cycle-2 auth-modernization
+ CMMC hardening landings (AZ-531..AZ-538). Authoritative source for
the ripple set is ripple_log_cycle2.md.

Covered:
- architecture.md (section 1 rewritten, ADRs 6-9 added)
- data_model.md (sessions, audit_events, user columns, migrations)
- system-flows.md (F1 rewritten; F11-F17 added; F2/F7/F9 minor)
- module-layout.md (cycle-2 sub-component table)
- diagrams/flows/flow_login.md (dual-token + MFA)
- components/{01_data_layer,03_auth_and_security,05_admin_api}
- modules/ (12 new, 8 modified — full Argon2id/ES256/MFA/refresh
  /mission/session/audit/jwks rollup)
- tests/{blackbox,security,traceability-matrix}

Step 13 (Update Docs) output for cycle 2.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 09:22:53 +03:00


Documentation Ripple Log — Cycle 2 (Auth Modernization, AZ-531..AZ-538)

Generated by document skill, Task Step 0.5 (Import-Graph Ripple), 2026-05-14. Source: cycle-2 implementation report (_docs/03_implementation/implementation_report_auth_modernization_cycle2.md).

Method

For each source file changed by the cycle, identified C# namespace consumers via rg "using Azaion\.<namespace>". Resolved consumer csproj membership via module-layout.md. Folded transitively-affected component / module docs into the refresh set.
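The import-graph step above, as an added example (not the document skill's own code): it parses C# `namespace`/`using` lines from a constructed set of sources, maps files to module docs via a constructed stand-in for module-layout.md, and folds consumers in transitively. The file names and namespace layout (one namespace per file) are assumptions for illustration.

```python
import re
from collections import deque

USING_RE = re.compile(r'^\s*using\s+(Azaion\.[\w.]+)\s*;', re.M)
NS_RE = re.compile(r'^\s*namespace\s+(Azaion\.[\w.]+)\s*[;{]', re.M)

# Constructed sample sources (not the real Azaion code base). Assumption: each file
# declares exactly one namespace and imports others with `using` directives.
SOURCES = {
    "Security.cs": "namespace Azaion.Services.Security;\npublic static class Security {}",
    "UserService.cs": "using Azaion.Services.Security;\nusing Azaion.Services.AuditLog;\n"
                      "namespace Azaion.Services.UserService;\npublic class UserService {}",
    "MfaService.cs": "using Azaion.Services.Security;\n"
                     "namespace Azaion.Services.MfaService;\npublic class MfaService {}",
    "AuditLog.cs": "namespace Azaion.Services.AuditLog;\npublic class AuditLog {}",
    "Program.cs": "using Azaion.Services.UserService;\nusing Azaion.Services.MfaService;\n"
                  "namespace Azaion.AdminApi;\n",
    "Resources.cs": "namespace Azaion.Services.Resources;\npublic class ResourceService {}",
}
# Constructed stand-in for module-layout.md: source file -> module doc that covers it.
MODULE_DOCS = {
    "Security.cs": "modules/services_security.md",
    "UserService.cs": "modules/services_user_service.md",
    "MfaService.cs": "modules/services_mfa_service.md",
    "AuditLog.cs": "modules/services_audit_log.md",
    "Program.cs": "modules/admin_api_program.md",
    "Resources.cs": "modules/services_resources.md",
}

def build_graph(sources):
    """Return (file -> declared namespace, namespace -> files that `using` it)."""
    declared = {f: NS_RE.search(src).group(1) for f, src in sources.items()}
    consumers = {}
    for f, src in sources.items():
        for ns in USING_RE.findall(src):
            consumers.setdefault(ns, set()).add(f)
    return declared, consumers

def ripple_set(changed_namespaces, sources, module_docs):
    """Docs to refresh: the changed namespaces' own docs plus all transitive consumers."""
    declared, consumers = build_graph(sources)
    by_ns = {ns: f for f, ns in declared.items()}
    seen, queue = set(changed_namespaces), deque(changed_namespaces)
    while queue:                       # BFS over the `using` graph
        for consumer in consumers.get(queue.popleft(), ()):
            cns = declared[consumer]   # a consumer's own namespace ripples onward
            if cns not in seen:
                seen.add(cns)
                queue.append(cns)
    return sorted(module_docs[by_ns[ns]] for ns in seen if ns in by_ns)
```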

Direct + Ripple-affected docs (already refreshed in this cycle)

| Trigger (changed in cycle 2) | Importing namespaces / files | Doc(s) refreshed | Reason |
|---|---|---|---|
| Azaion.Services.Security (Argon2id rebuild — AZ-536) | UserService, MfaService | modules/services_security.md, modules/services_user_service.md, modules/services_mfa_service.md | API surface changed (HashPassword/VerifyPassword replace ToHash); both consumers had to be re-read |
| Azaion.Services.AuthService (ES256 — AZ-532) | Azaion.AdminApi/Program.cs | modules/services_auth_service.md, modules/admin_api_program.md | CreateToken signature (sid, jti, amr); JWKS publication wired in Program.cs |
| Azaion.Services.RefreshTokenService (new — AZ-531) | Program.cs | modules/services_refresh_token_service.md (new), modules/admin_api_program.md | New endpoints /login, /login/mfa, /token/refresh consume it |
| Azaion.Services.SessionService (new — AZ-535) | Program.cs, MissionTokenService, UserService.SetEnableStatus | modules/services_session_service.md (new), modules/admin_api_program.md, modules/services_user_service.md, modules/services_mission_token_service.md | RevokeMissionsForAircraft called from login/refresh; RevokeAllForUser called when user disabled |
| Azaion.Services.MfaService (new — AZ-534) | Program.cs | modules/services_mfa_service.md (new), modules/admin_api_program.md | New endpoints /users/me/mfa/{enroll,confirm,disable} + step-1 token in login |
| Azaion.Services.MissionTokenService (new — AZ-533) | Program.cs | modules/services_mission_token_service.md (new), modules/admin_api_program.md | /sessions/mission |
| Azaion.Services.JwtSigningKeyProvider (new — AZ-532) | Program.cs, AuthService, MfaService | modules/services_jwt_signing_key_provider.md (new), modules/admin_api_program.md, modules/services_auth_service.md, modules/services_mfa_service.md | Eager-built singleton; both JwtBearer IssuerSigningKeyResolver and AuthService consume it |
| Azaion.Services.AuditLog (new — AZ-537+534) | UserService, MfaService, Program.cs (DI only) | modules/services_audit_log.md (new), modules/services_user_service.md, modules/services_mfa_service.md | Per-account rate-limit + lifecycle audit |
| Azaion.Common.Entities.User (extended — AZ-537+534) | UserService, MfaService, RefreshTokenService (UserId), SessionService, AuthService | modules/common_entities_user.md, all services above | New columns drive new application logic |
| Azaion.Common.Entities.Session (new — AZ-531+535+533+534) | RefreshTokenService, SessionService, MissionTokenService | modules/common_entities_session.md (new); already-listed services | Direct ORM consumer |
| Azaion.Common.Entities.AuditEvent (new — AZ-537+534) | AuditLog, UserService | modules/common_entities_audit_event.md (new) | Direct ORM consumer |
| Azaion.Common.Entities.RoleEnum (extended — Service — AZ-535) | Program.cs (revocationReaderPolicy), UserService | modules/common_entities_role_enum.md, modules/admin_api_program.md | Authorization policy gate |
| Azaion.Common.Configs.JwtConfig (rebuilt — AZ-532) | Program.cs, AuthService, MfaService, JwtSigningKeyProvider | modules/common_configs_jwt_config.md, downstream services already covered | All ES256-related config |
| Azaion.Common.Configs.AuthConfig (new — AZ-536+537) | Program.cs, UserService, Security | modules/common_configs_auth_config.md (new), downstream covered | Argon2id parameters + rate limit + lockout |
| Azaion.Common.Configs.SessionConfig (new — AZ-531) | Program.cs, RefreshTokenService | folded into modules/common_configs_jwt_config.md (renamed JwtConfig + SessionConfig), downstream covered | Refresh sliding + absolute lifetimes |
| Azaion.Common.Requests.LoginResponse / RefreshTokenRequest (new — AZ-531) | Program.cs | modules/common_requests_login_response.md (new), modules/admin_api_program.md, modules/common_requests_login_request.md (cross-ref note) | New response shape; backward-compat Token getter |
| Azaion.Common.Requests.MissionSessionRequest / MissionSessionResponse (new — AZ-533) | Program.cs, MissionTokenService | modules/common_requests_mission_session_request.md (new) | New endpoint payload |
| Azaion.Common.Requests.MfaRequests (new — AZ-534) | Program.cs, MfaService | modules/common_requests_mfa_requests.md (new) | Five DTOs grouped in one file |
| Azaion.Common.BusinessException / ExceptionEnum (extended — AZ-531+533+534+535+537) | All services + BusinessExceptionHandler | modules/common_business_exception.md, modules/admin_api_program.md (handler section) | New error codes + Retry-After header support |
| Azaion.Common.Database.AzaionDb / AzaionDbShemaHolder (extended — Sessions + AuditEvents + jsonb mappings) | all services using them | covered transitively via component 01 Data Layer | New ITables; new mappings |

Component-level rollup

| Component | Refreshed? | Why |
|---|---|---|
| 01 Data Layer | yes | Session, AuditEvent, extended User/RoleEnum, new AuthConfig/SessionConfig, rebuilt JwtConfig, new ITables, new indexes |
| 02 User Management | yes (within services_user_service.md) | Argon2id + lockout + rate-limit + audit |
| 03 Auth & Security | yes | Major rebuild — full rewrite of components/03_auth_and_security/description.md |
| 04 Resource Management | no | Cycle 2 auth-modernization did not touch resource code |
| 04b Detection Classes | no | Same |
| 05 Admin API | yes | Major endpoint surface expansion + middleware pipeline rewrite |

System-level docs refreshed

  • system-flows.md — F1 rewritten; F11-F17 added; F2/F7/F9 minor edits (Argon2id, session-revoke-on-disable)
  • data_model.md — full rewrite to cover sessions / audit_events / new user columns / migrations / permissions
  • architecture.md — section 1 rewritten, sections 2-7 updated, ADRs 6-9 added
  • module-layout.md — sub-component table refreshed for cycle 2 services
  • diagrams/flows/flow_login.md — full rewrite for the dual-token + MFA model

Tests (out-of-process)

15 new e2e test files under e2e/Azaion.E2E/Tests/ consume Azaion.* namespaces but are out-of-process HTTP tests; they do not have their own module docs by design (per module-layout.md §1). They are referenced from each module's "Tests" section.

Heuristic / parse-failure notes

None. The C# using graph was directly resolvable for every changed namespace.

Out of scope

  • _docs/00_problem/* — no AC / input-parameter changes from cycle 2 that aren't already captured in the per-task specs
  • _docs/04_deploy/* — deployment ripple (ES256 PEM volume, DataProtection volume, HSTS/HTTPS rollout) is owned by the deploy skill (Step 14 of the autodev existing-code flow), not the document skill
  • _docs/05_security/* — security report ripple is owned by the security skill