mirror of
https://github.com/azaion/annotations.git
synced 2026-06-21 13:31:06 +00:00
Oleksandr Bezdieniezhnykh
03f879206e
This commit captures everything produced during autodev existing-code Steps 1 (Document), 2 (Architecture Baseline Scan), and 3 (Test Spec), together with the targeted auth + CORS re-sync triggered on 2026-05-14 when codebase drift was detected at Step 4 entry. None of this work was previously committed. Step 1 (Document) — 50+ _docs/02_document/ files: problem, solution, architecture, system flows, glossary, module-layout, per-component specs (01..06), modules, deployment, diagrams, data model, FINAL report, verification log, discovery. Step 2 (Architecture Baseline) — architecture_compliance_baseline.md. Verdict PASS_WITH_WARNINGS (0 Critical, 0 High, 1 Medium, 2 Low). No High/Critical findings; auto-chained to Step 3 per existing-code flow. Step 3 (Test Spec) — _docs/02_document/tests/* (67 scenarios across blackbox, security, resilience, resource-limit, performance), plus e2e/docker-compose.test.yml, e2e/seed/run.sh, scripts/run-tests.sh, scripts/run-performance-tests.sh. Coverage 88% over the active scope (40 of 45 items covered, 6 RB-deferred, 5 documented-as-uncovered). Targeted auth + CORS re-sync — replaces the deleted in-house token issuer with a JWKS-verifier model. AuthController and TokenService removed; JwtExtensions switched from HS256 symmetric to ES256 over admin's JWKS. ConfigurationResolver and CorsConfigurationValidator added under src/Infrastructure/. ADR-002 and ADR-006 retired; SEC-01, SEC-02, SEC-03 marked Closed. One new testability risk recorded in architecture.md Open Risks Section 6 (JWKS HTTPS gating). Source changes: - src/Auth/JwtExtensions.cs (modified) — ES256, JWKS, alg pinning - src/Program.cs (modified) — DI wiring for ConfigurationResolver and CorsConfigurationValidator - src/Controllers/AuthController.cs (deleted) — no in-service issuance - src/Services/TokenService.cs (deleted) — same - src/Infrastructure/ConfigurationResolver.cs (new) - src/Infrastructure/CorsConfigurationValidator.cs (new) - .env.example (new) — required env var documentation - .gitignore (updated) Cross-repo coordination: _docs/cross-repo/flights_h1_h2_h3_change_spec captures the change-spec for downstream services that consumed the now deleted /auth endpoints. Co-authored-by: Cursor <cursoragent@cursor.com>
4.8 KiB
4.8 KiB
Azaion.Annotations — Restrictions
Only constraints evidenced in code, configs, or Dockerfiles are listed. Inferred-but-unverified items are flagged.
Hardware
| ID | Restriction | Evidence |
|---|---|---|
| HW-01 | Service binary is built for ARM64 only — no AMD64 image is produced. | .woodpecker/build-arm.yml (platforms: linux/arm64); Dockerfile --arch=$BUILDARCH driven by BUILDPLATFORM=linux/arm64. |
| HW-02 | Local writable filesystem is required at images_dir / videos_dir / (planned) deleted_dir. |
Services/AnnotationService.cs (File.WriteAllBytesAsync), Services/PathResolver.cs, directory_settings table. |
| HW-03 | Memory pressure scales with the largest single image read into memory by FailsafeProducer (re-reads the image to put bytes on the wire). |
Services/FailsafeProducer.cs:138 neighborhood. |
Software
| ID | Restriction | Evidence |
|---|---|---|
| SW-01 | .NET 10 SDK and runtime — no fallback. | Dockerfile mcr.microsoft.com/dotnet/sdk:10.0, aspnet:10.0. |
| SW-02 | PostgreSQL backend; migrator emits IF NOT EXISTS, ON CONFLICT, CREATE TYPE — Postgres 13+ semantics expected. |
Database/DatabaseMigrator.cs. |
| SW-03 | RabbitMQ broker with the streams plugin enabled — service uses RabbitMQ.Stream.Client, not classic queues. |
Services/FailsafeProducer.cs. |
| SW-04 | Linq2DB ORM, MessagePack with the contractless resolver, gzip wire format. | Services/FailsafeProducer.cs. |
| SW-05 | JWT verification is ES256 over admin's JWKS (JWT_JWKS_URL); ValidAlgorithms is pinned to EcdsaSha256. Annotations is verifier-only — admin is the sole token issuer for the suite. JWKS retrieval requires HTTPS. |
Auth/JwtExtensions.cs. |
Environment
| ID | Restriction | Evidence |
|---|---|---|
| ENV-01 | Required env vars (fail-fast at startup via ConfigurationResolver): DATABASE_URL, JWT_ISSUER, JWT_AUDIENCE, JWT_JWKS_URL. Optional with defaults: RABBITMQ_HOST, RABBITMQ_STREAM_PORT, RABBITMQ_PRODUCER_USER, RABBITMQ_PRODUCER_PASS. |
Program.cs, Infrastructure/ConfigurationResolver.cs, Services/FailsafeProducer.cs. |
| ENV-02 | Service listens on port 8080 HTTP, no TLS terminator inside the image. |
Dockerfile EXPOSE 8080, ASPNETCORE_URLS=http://+:8080. |
| ENV-03 | Build stamps AZAION_REVISION from CI; Program.cs echoes it on startup. |
Dockerfile ARG AZAION_REVISION, Program.cs. |
| ENV-04 | Image tag scheme is branch-driven: ${BRANCH}-arm. No semver tags. |
.woodpecker/build-arm.yml. |
| ENV-05 | Swagger UI is mounted unconditionally — present in production builds (ADR-005). | Program.cs. |
| ENV-06 | CORS is config-driven (CorsConfig:AllowedOrigins + opt-in CorsConfig:AllowAnyOrigin); CorsConfigurationValidator.EnsureSafeForEnvironment refuses to start in Production when the allow-list is empty and AllowAnyOrigin is not set. ADR-006 retired. |
Program.cs, Infrastructure/CorsConfigurationValidator.cs. |
| ENV-07 | Boot-time DatabaseMigrator.MigrateAsync() runs on startup — no separate migration step in the deploy pipeline (ADR-007). |
Program.cs, Database/DatabaseMigrator.cs. |
Operational
| ID | Restriction | Evidence |
|---|---|---|
| OP-01 | SSE state is per-instance — no broker fan-out — so horizontal scaling is bounded today. | Services/AnnotationEventService.cs (in-process Channel<>). |
| OP-02 | Outbox drainer has no row-leasing — running multiple instances will double-publish until RB-09 deduplication contract is in place. | Services/FailsafeProducer.cs. |
| OP-03 | No automated test suite in repo; CI does build-and-push only. | _docs/02_document/00_discovery.md, .woodpecker/build-arm.yml. |
| OP-04 | No lint or formatter step in CI. | .woodpecker/build-arm.yml. |
| OP-05 | Dockerfile HEALTHCHECK calls /health; HTTP 200 expected by orchestrator. |
Dockerfile. |
| OP-06 | The service must be the only writer of annotations_queue_records — the table is treated as a private outbox. |
Services/AnnotationService.cs, Services/FailsafeProducer.cs. |
| OP-07 | DB connection string format is the Java/Hikari jdbc:postgresql://… style; Helpers/PostgreSqlConnectionStringHelper parses it. |
Helpers/PostgreSqlConnectionStringHelper.cs. |
Cross-cutting (suite-level, evidence in suite/_docs/01_annotations.md)
| ID | Restriction |
|---|---|
| SUITE-01 | The shared JWT secret family is cross-service; revoking it invalidates every service token. |
| SUITE-02 | Wire enums for AnnotationStatus, MediaType, QueueOperation are duplicated across services and must move in lock-step (or a single contract has to be published). |
| SUITE-03 | Stream consumers (admin worker, AI training) commit offsets independently — Annotations does not own retention semantics. |