[AZ-1074] [AZ-1075] Cycle 9 closeout: security, tests, metrics

Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors). Standalone integration compose stack, docs, security audit, perf and retro. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-26 08:21:14 +00:00 · 2026-06-25 17:32:14 +03:00
parent 7633134a8a
commit 7ed780b063
22 changed files with 618 additions and 40 deletions
@@ -0,0 +1,27 @@
+# Infrastructure & Configuration Review (Cycle 9)
+
+**Date**: 2026-06-25
+**Mode**: Delta scan
+**Scope**: Cycle-9 infrastructure changes only.
+
+| File | Change | Security relevance |
+|------|--------|-------------------|
+| `docker-compose.tests.yml` | Rewritten as self-contained stack; **no host port publishing** for postgres/api | **Positive** — avoids port conflicts; reduces accidental exposure of test DB/API to host network |
+| `scripts/run-tests.sh` | Integration runs use `docker-compose.tests.yml` only | Aligns with above |
+| `SatelliteProvider.Api/Dockerfile` | Added `GrpcContracts` csproj COPY | Build-order only; no new secrets |
+| `SatelliteProvider.IntegrationTests/Dockerfile` | `linux/amd64` platform; `aspnet:10.0` runtime for Grpc.AspNetCore | Protoc/build stability; no new exposed ports |
+| `docker-compose.yml` (dev) | Unchanged | Host ports 5433/18980 still published for local dev — pre-existing |
+| CI/CD, `.env`, `appsettings.*` | Unchanged | — |
+
+## Container checks (carried forward)
+
+| Check | Status |
+|-------|--------|
+| Non-root user in API image | Still runs as root (pre-existing; not cycle-9 regression) |
+| Secrets in build args | None |
+| Dev TLS cert gitignored | `./certs/` — unchanged |
+| JWT via env vars | Unchanged |
+
+## Verdict
+
+**PASS** (cycle-9 delta) — test harness change improves isolation; no new misconfiguration.