# Infrastructure & Configuration Review (Cycle 9)

**Date**: 2026-06-25

**Mode**: Delta scan

**Scope**: Cycle-9 infrastructure changes only.

| File | Change | Security relevance |
|------|--------|-------------------|
| `docker-compose.tests.yml` | Rewritten as self-contained stack; **no host port publishing** for postgres/api | **Positive** — avoids port conflicts; reduces accidental exposure of test DB/API to host network |
| `scripts/run-tests.sh` | Integration runs use `docker-compose.tests.yml` only | Aligns with above |
| `SatelliteProvider.Api/Dockerfile` | Added `GrpcContracts` csproj COPY | Build-order only; no new secrets |
| `SatelliteProvider.IntegrationTests/Dockerfile` | `linux/amd64` platform; `aspnet:10.0` runtime for Grpc.AspNetCore | Protoc/build stability; no new exposed ports |
| `docker-compose.yml` (dev) | Unchanged | Host ports 5433/18980 still published for local dev — pre-existing |
| CI/CD, `.env`, `appsettings.*` | Unchanged | — |

## Container checks (carried forward)

| Check | Status |
|-------|--------|
| Non-root user in API image | Still runs as root (pre-existing; not cycle-9 regression) |
| Secrets in build args | None |
| Dev TLS cert gitignored | `./certs/` — unchanged |
| JWT via env vars | Unchanged |

## Verdict

**PASS** (cycle-9 delta) — test harness change improves isolation; no new misconfiguration.