Refreshes _docs/02_document/ to reflect the cycle-2 auth-modernization
+ CMMC hardening landings (AZ-531..AZ-538). Authoritative source for
the ripple set is ripple_log_cycle2.md.
Covered:
- architecture.md (section 1 rewritten, ADRs 6-9 added)
- data_model.md (sessions, audit_events, user columns, migrations)
- system-flows.md (F1 rewritten; F11-F17 added; F2/F7/F9 minor)
- module-layout.md (cycle-2 sub-component table)
- diagrams/flows/flow_login.md (dual-token + MFA)
- components/{01_data_layer,03_auth_and_security,05_admin_api}
- modules/ (12 new, 8 modified — full Argon2id/ES256/MFA/refresh
/mission/session/audit/jwks rollup)
- tests/{blackbox,security,traceability-matrix}
Step 13 (Update Docs) output for cycle 2.
Co-authored-by: Cursor <cursoragent@cursor.com>
Documentation Ripple Log — Cycle 2 (Auth Modernization, AZ-531..AZ-538)
Generated by documentskill, Task Step 0.5 (Import-Graph Ripple), 2026-05-14. Source: cycle-2 implementation report (_docs/03_implementation/implementation_report_auth_modernization_cycle2.md).
Method
For each source file changed by the cycle, identified C# namespace consumers via rg "using Azaion\.<namespace>". Resolved consumer csproj membership via module-layout.md. Folded transitively-affected component / module docs into the refresh set.
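The Step 0.5 ripple described above as a runnable sketch, added here and not part of documentskill or the Azaion repo: it builds a small constructed C# tree, finds consumers of a changed namespace with the same `using Azaion.<namespace>` search (plain grep standing in for rg), resolves each hit to its owning .csproj by walking up the directory tree instead of consulting module-layout.md, and folds in transitive consumers by queuing each consumer file's own declared namespace.

```shell
# Added example (not documentskill's or the Azaion repo's code): the Step 0.5
# import-graph ripple as a transitive walk over a constructed C# tree.
ROOT=$(mktemp -d)
mk() { mkdir -p "$(dirname "$1")"; printf '%s\n' "$2" > "$1"; }
mk "$ROOT/Azaion.Common/Azaion.Common.csproj" '<Project Sdk="Microsoft.NET.Sdk" />'
mk "$ROOT/Azaion.Common/Entities/User.cs" 'namespace Azaion.Common.Entities;'
mk "$ROOT/Azaion.Common/Configs/AuthConfig.cs" 'namespace Azaion.Common.Configs;'
mk "$ROOT/Azaion.Services/Azaion.Services.csproj" '<Project Sdk="Microsoft.NET.Sdk" />'
mk "$ROOT/Azaion.Services/UserService.cs" 'using Azaion.Common.Entities;
namespace Azaion.Services;'
mk "$ROOT/Azaion.AdminApi/Azaion.AdminApi.csproj" '<Project Sdk="Microsoft.NET.Sdk" />'
mk "$ROOT/Azaion.AdminApi/Program.cs" 'using Azaion.Services;'
# Direct consumers of one namespace: every .cs file with a matching using directive
# (grep stands in for rg so this runs anywhere; dots in the name are escaped).
consumers() {
  pat="^using $(printf '%s' "$1" | sed 's/\./\\./g');"
  find "$ROOT" -name '*.cs' -exec grep -l "$pat" {} + || true
}
# Resolve a source file to its owning project: nearest .csproj walking upward
# (the csproj-membership lookup the log does via module-layout.md).
csproj_of() {
  d=$(dirname "$1")
  while [ "$d" != "/" ]; do
    p=$(find "$d" -maxdepth 1 -name '*.csproj' | head -n 1)
    if [ -n "$p" ]; then printf '%s\n' "$p"; return 0; fi
    d=$(dirname "$d")
  done
  return 1
}
# Transitive ripple: breadth-first over namespaces; each consumer file's own
# declared namespace is queued so its consumers are folded in as well.
ripple() {
  seen=" "; queue="$*"
  while [ -n "$queue" ]; do
    queue=${queue# }; ns=${queue%% *}; queue=${queue#"$ns"}
    case "$seen" in *" $ns "*) continue ;; esac
    seen="$seen$ns "
    for f in $(consumers "$ns"); do
      printf '%s\t%s\n' "$f" "$(csproj_of "$f")"   # file<TAB>owning csproj
      for decl in $(sed -n 's/^namespace \([A-Za-z0-9_.]*\).*/\1/p' "$f"); do
        queue="$queue $decl"
      done
    done
  done
}
ripple Azaion.Common.Entities   # one of the cycle-2 triggers in the table below
```

Running it lists UserService.cs (direct consumer) and, one hop later, Program.cs via Azaion.Services, while AuthConfig.cs, which imports nothing changed, stays out of the set.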
Direct + Ripple-affected docs (already refreshed in this cycle)
| Trigger (changed in cycle 2) | Importing namespaces / files | Doc(s) refreshed | Reason |
|---|---|---|---|
| Azaion.Services.Security (Argon2id rebuild — AZ-536) | UserService, MfaService | modules/services_security.md, modules/services_user_service.md, modules/services_mfa_service.md | API surface changed (HashPassword/VerifyPassword replace ToHash); both consumers had to be re-read |
| Azaion.Services.AuthService (ES256 — AZ-532) | Azaion.AdminApi/Program.cs | modules/services_auth_service.md, modules/admin_api_program.md | CreateToken signature (sid, jti, amr); JWKS publication wired in Program.cs |
| Azaion.Services.RefreshTokenService (new — AZ-531) | Program.cs | modules/services_refresh_token_service.md (new), modules/admin_api_program.md | New endpoints /login, /login/mfa, /token/refresh consume it |
| Azaion.Services.SessionService (new — AZ-535) | Program.cs, MissionTokenService, UserService.SetEnableStatus | modules/services_session_service.md (new), modules/admin_api_program.md, modules/services_user_service.md, modules/services_mission_token_service.md | RevokeMissionsForAircraft called from login/refresh; RevokeAllForUser called when user disabled |
| Azaion.Services.MfaService (new — AZ-534) | Program.cs | modules/services_mfa_service.md (new), modules/admin_api_program.md | New endpoints /users/me/mfa/{enroll,confirm,disable} + step-1 token in login |
| Azaion.Services.MissionTokenService (new — AZ-533) | Program.cs | modules/services_mission_token_service.md (new), modules/admin_api_program.md | /sessions/mission |
| Azaion.Services.JwtSigningKeyProvider (new — AZ-532) | Program.cs, AuthService, MfaService | modules/services_jwt_signing_key_provider.md (new), modules/admin_api_program.md, modules/services_auth_service.md, modules/services_mfa_service.md | Eager-built singleton; both JwtBearer IssuerSigningKeyResolver and AuthService consume it |
| Azaion.Services.AuditLog (new — AZ-537+534) | UserService, MfaService, Program.cs (DI only) | modules/services_audit_log.md (new), modules/services_user_service.md, modules/services_mfa_service.md | Per-account rate-limit + lifecycle audit |
| Azaion.Common.Entities.User (extended — AZ-537+534) | UserService, MfaService, RefreshTokenService (UserId), SessionService, AuthService | modules/common_entities_user.md, all services above | New columns drive new application logic |
| Azaion.Common.Entities.Session (new — AZ-531+535+533+534) | RefreshTokenService, SessionService, MissionTokenService | modules/common_entities_session.md (new); already-listed services | Direct ORM consumer |
| Azaion.Common.Entities.AuditEvent (new — AZ-537+534) | AuditLog, UserService | modules/common_entities_audit_event.md (new) | Direct ORM consumer |
| Azaion.Common.Entities.RoleEnum (extended — Service — AZ-535) | Program.cs (revocationReaderPolicy), UserService | modules/common_entities_role_enum.md, modules/admin_api_program.md | Authorization policy gate |
| Azaion.Common.Configs.JwtConfig (rebuilt — AZ-532) | Program.cs, AuthService, MfaService, JwtSigningKeyProvider | modules/common_configs_jwt_config.md, downstream services already covered | All ES256-related config |
| Azaion.Common.Configs.AuthConfig (new — AZ-536+537) | Program.cs, UserService, Security | modules/common_configs_auth_config.md (new), downstream covered | Argon2id parameters + rate limit + lockout |
| Azaion.Common.Configs.SessionConfig (new — AZ-531) | Program.cs, RefreshTokenService | folded into modules/common_configs_jwt_config.md (renamed JwtConfig + SessionConfig), downstream covered | Refresh sliding + absolute lifetimes |
| Azaion.Common.Requests.LoginResponse / RefreshTokenRequest (new — AZ-531) | Program.cs | modules/common_requests_login_response.md (new), modules/admin_api_program.md, modules/common_requests_login_request.md (cross-ref note) | New response shape; backward-compat Token getter |
| Azaion.Common.Requests.MissionSessionRequest / MissionSessionResponse (new — AZ-533) | Program.cs, MissionTokenService | modules/common_requests_mission_session_request.md (new) | New endpoint payload |
| Azaion.Common.Requests.MfaRequests (new — AZ-534) | Program.cs, MfaService | modules/common_requests_mfa_requests.md (new) | Five DTOs grouped in one file |
| Azaion.Common.BusinessException / ExceptionEnum (extended — AZ-531+533+534+535+537) | All services + BusinessExceptionHandler | modules/common_business_exception.md, modules/admin_api_program.md (handler section) | New error codes + Retry-After header support |
| Azaion.Common.Database.AzaionDb / AzaionDbShemaHolder (extended — Sessions + AuditEvents + jsonb mappings) | all services using them | covered transitively via component 01 Data Layer | New ITables; new mappings |
Component-level rollup
| Component | Refreshed? | Why |
|---|---|---|
| 01 Data Layer | yes | Session, AuditEvent, extended User/RoleEnum, new AuthConfig/SessionConfig, rebuilt JwtConfig, new ITables, new indexes |
| 02 User Management | yes (within services_user_service.md) | Argon2id + lockout + rate-limit + audit |
| 03 Auth & Security | yes | Major rebuild — full rewrite of components/03_auth_and_security/description.md |
| 04 Resource Management | no | Cycle 2 auth-modernization did not touch resource code |
| 04b Detection Classes | no | Same |
| 05 Admin API | yes | Major endpoint surface expansion + middleware pipeline rewrite |
System-level docs refreshed
- system-flows.md — F1 rewritten; F11–F17 added; F2/F7/F9 minor edits (Argon2id, session-revoke-on-disable)
- data_model.md — full rewrite to cover sessions / audit_events / new user columns / migrations / permissions
- architecture.md — section 1 rewritten, sections 2–7 updated, ADRs 6–9 added
- module-layout.md — sub-component table refreshed for cycle 2 services
- diagrams/flows/flow_login.md — full rewrite for the dual-token + MFA model
Tests (out-of-process)
15 new e2e test files under e2e/Azaion.E2E/Tests/ consume Azaion.* namespaces but are out-of-process HTTP tests; they do not have their own module docs by design (per module-layout.md §1). They are referenced from each module's "Tests" section.
Heuristic / parse-failure notes
None. The C# using graph was directly resolvable for every changed namespace.
Out of scope
- _docs/00_problem/* — no AC / input-parameter changes from cycle 2 that aren't already captured in the per-task specs
- _docs/04_deploy/* — deployment ripple (ES256 PEM volume, DataProtection volume, HSTS/HTTPS rollout) is owned by the deploy skill (Step 14 of the autodev existing-code flow), not the document skill
- _docs/05_security/* — security report ripple is owned by the security skill