azaion/annotations
1
0
Fork 0
mirror of https://github.com/azaion/annotations.git synced 2026-06-21 22:11:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs+src: complete Steps 1-3 outcomes + auth re-sync baseline

Browse Source 
This commit captures everything produced during autodev existing-code
Steps 1 (Document), 2 (Architecture Baseline Scan), and 3 (Test Spec),
together with the targeted auth + CORS re-sync triggered on 2026-05-14
when codebase drift was detected at Step 4 entry. None of this work was
previously committed.

Step 1 (Document) — 50+ _docs/02_document/ files: problem, solution,
architecture, system flows, glossary, module-layout, per-component
specs (01..06), modules, deployment, diagrams, data model, FINAL
report, verification log, discovery.

Step 2 (Architecture Baseline) — architecture_compliance_baseline.md.
Verdict PASS_WITH_WARNINGS (0 Critical, 0 High, 1 Medium, 2 Low). No
High/Critical findings; auto-chained to Step 3 per existing-code flow.

Step 3 (Test Spec) — _docs/02_document/tests/* (67 scenarios across
blackbox, security, resilience, resource-limit, performance), plus
e2e/docker-compose.test.yml, e2e/seed/run.sh, scripts/run-tests.sh,
scripts/run-performance-tests.sh. Coverage 88% over the active scope
(40 of 45 items covered, 6 RB-deferred, 5 documented-as-uncovered).

Targeted auth + CORS re-sync — replaces the deleted in-house token
issuer with a JWKS-verifier model. AuthController and TokenService
removed; JwtExtensions switched from HS256 symmetric to ES256 over
admin's JWKS. ConfigurationResolver and CorsConfigurationValidator
added under src/Infrastructure/. ADR-002 and ADR-006 retired; SEC-01,
SEC-02, SEC-03 marked Closed. One new testability risk recorded in
architecture.md Open Risks Section 6 (JWKS HTTPS gating).

Source changes:
- src/Auth/JwtExtensions.cs (modified) — ES256, JWKS, alg pinning
- src/Program.cs (modified) — DI wiring for ConfigurationResolver
  and CorsConfigurationValidator
- src/Controllers/AuthController.cs (deleted) — no in-service issuance
- src/Services/TokenService.cs (deleted) — same
- src/Infrastructure/ConfigurationResolver.cs (new)
- src/Infrastructure/CorsConfigurationValidator.cs (new)
- .env.example (new) — required env var documentation
- .gitignore (updated)

Cross-repo coordination: _docs/cross-repo/flights_h1_h2_h3_change_spec
captures the change-spec for downstream services that consumed the now
deleted /auth endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-14 20:19:05 +03:00
parent 08eadc1158
commit 03f879206e
66 changed files with 6006 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/02_document/deployment/ci_cd_pipeline.md
+72
View File
@@ -0,0 +1,72 @@
# CI / CD Pipeline
Source of truth: `.woodpecker/build-arm.yml`.
## Engine
Woodpecker CI. No GitHub Actions / GitLab CI / Azure Pipelines configured in this repo — `.github/workflows/` is absent (`00_discovery.md`). Suite-wide CI may layer on top of this; that lives outside the workspace.
## Trigger
```yaml
when:
event: [push, manual]
branch: [dev, stage, main]
```
- Builds run on push to **`dev`**, **`stage`**, or **`main`**, plus manual triggers.
- Other branches do **not** build images.
## Runner constraint
```yaml
labels:
platform: arm64
```
Pipeline pins to ARM64 runners. The Dockerfile is multi-arch capable but this pipeline only builds `arm64`.
## Steps (single step `build-push`)
1. Login to private registry using secrets `registry_host`, `registry_user`, `registry_token`.
2. Compute `TAG=${CI_COMMIT_BRANCH}-arm` and `BUILD_DATE` (`date -u +%Y-%m-%dT%H:%M:%SZ`).
3. `docker build -f src/Dockerfile` with build args + OCI labels:
- `--build-arg CI_COMMIT_SHA=$CI_COMMIT_SHA`
- `--label org.opencontainers.image.revision=$CI_COMMIT_SHA`
- `--label org.opencontainers.image.created=$BUILD_DATE`
- `--label org.opencontainers.image.source=$CI_REPO_URL`
- tag: `$REGISTRY_HOST/azaion/annotations:$TAG`
4. `docker push` of that tag.
5. Mounts `/var/run/docker.sock` into the build container (Docker-out-of-Docker pattern).
## Image tagging
Per branch:
| Branch | Image tag |
|--------|-----------|
| `dev` | `dev-arm` |
| `stage` | `stage-arm` |
| `main` | `main-arm` |
Tags are **mutable** — every push to a branch overwrites the prior image at that tag. No immutable revision-tagged images are produced today (`main-arm-${SHA}` is not pushed). Adding immutable tags would simplify rollback and trace-back from a running image to a commit.
## Secrets
| Secret | Purpose |
|--------|---------|
| `registry_host` | Registry hostname (also used in pushed image FQN) |
| `registry_user` | Registry login user |
| `registry_token` | Registry login token (used via `--password-stdin`) |
Secrets are referenced via `from_secret:` and never echoed.
## What CI does NOT do today
- No tests run (no test project exists in repo per `00_discovery.md`).
- No linters / format checks (`dotnet format`).
- No `amd64` image.
- No scan (Trivy / Grype) on the produced image.
- No automated rollback on failed deploy (deploy itself is out of pipeline scope).
These are gaps to track when the test project is added in autodev Phase A Step 6.