# Infrastructure & Configuration Review (Cycle 7)

**Date**: 2026-05-22
**Mode**: Delta scan
**Scope**: Cycle-7 changes to deployment configs, CI/CD files, and shell scripts only.

## Cycle-7 Infrastructure-Layer Diff

Computed via `git log --since=2026-05-19 -- Dockerfile* docker-compose* .woodpecker.yml .github/** scripts/**` against the cycle-7 commit (`865dfdb`):

| File | Diff | Security relevance |
|------|------|--------------------|
| `docker-compose.yml` | Host port for Postgres moved `5432:5432` → `5433:5432`. Container-internal port unchanged. | Local-dev only; the host-port move avoids a sibling-project conflict. Does not affect production (production runs containers on a private docker network without host-port mapping, per the existing deployment model). No exposure change. |
| `scripts/probe_inventory_validation.sh` | NEW manual probe script. | Reviewed in `static_analysis_cycle7.md`, Test Code Review § `scripts/probe_inventory_validation.sh`. No embedded credentials; fails fast under `set -o errexit -o pipefail -o nounset`. `curl --insecure` is used and justified for the dev self-signed cert. ✓ |

No changes to:

- `Dockerfile`, `Dockerfile.tests`, `Dockerfile.api`, or any image-build file.
- `docker-compose.tests.yml`, `docker-compose.prod.yml`, or any orchestration file other than the one host-port edit above.
- `.woodpecker.yml`, `.github/workflows/**`, or any CI/CD pipeline definition.
- `scripts/run-tests.sh`, `scripts/run-performance-tests.sh`, or any other harness shell script.

## Container & Image Security — Carried Forward Unchanged

| Check | Status (carried from cycle 5/6) | Cycle-7 impact |
|-------|---------------------------------|----------------|
| Non-root container user (Dockerfile `USER` directive) | Already in effect | None |
| Minimal base image (alpine/distroless/etc.) | The API image uses the .NET 10 SDK base — same as cycle 5; image hardening is owned by a separate, still-unscheduled follow-up task. | None |
| No secrets in build args | Verified cycle 5; no `Dockerfile` change in cycle 7 | None |
| Health checks | Compose `healthcheck` block on Postgres unchanged | None |

## CI/CD Security — Carried Forward Unchanged

| Check | Status | Cycle-7 impact |
|-------|--------|----------------|
| Secrets management (env vars / vault, not pipeline literals) | Existing pattern preserved | None |
| No credentials in pipeline definitions | `.woodpecker.yml` untouched in cycle 7 | None |
| Artifact signing | Existing posture (none — owned by a separate operational improvement track) | None |
| Dependency-audit step in pipeline | Existing posture (manual audit per `dependency_scan_cycle*.md`; no automated `dotnet list package --vulnerable` in CI due to the build-hang issue noted in `AGENTS.md`) | None |

## Environment & Secrets

- `.env.example` — not modified in cycle 7. The cycle-7 code reads no new env vars (FluentValidation has no config knobs; `GlobalValidatorConfig` is pure code).
- `appsettings.Development.json` — minor edit during cycle 7 (the connection-string port change, mirroring the compose-file edit). No new secret material.
- `appsettings.json` — production template; unchanged in cycle 7.

## Verdict (Phase 4)

**PASS** — zero new infrastructure-layer findings. The single docker-compose host-port edit is a local-developer-convenience change with no exposure implication. The new probe shell script is dev/test only, env-driven, and contains no embedded secrets.
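The fail-fast, env-driven pattern the probe-script row above describes, as an added illustration that is not the repository's `scripts/probe_inventory_validation.sh`: the `--insecure` flag is only emitted for a local dev host, so the dev-self-signed-cert justification cannot silently carry over into a run against a real environment. The env var names `PROBE_BASE_URL` and `PROBE_ALLOW_INSECURE` are assumptions.

```shell
#!/usr/bin/env bash
# Added illustration (not the project's probe script). Same fail-fast flags
# as the reviewed script: an unset variable, a failing command, or a failing
# stage inside a pipeline aborts the run instead of probing with bad input.
set -o errexit -o pipefail -o nounset

# Prints the curl argument list for the probe, one argument per line.
# --insecure is only added when explicitly requested AND the target host is a
# local dev address; any other host with the insecure flag set is refused
# (non-zero exit), which pipefail then propagates to the caller.
probe_curl_args() {
    local base_url="$1"
    local allow_insecure="${2:-0}"
    local host
    host="${base_url#*://}"      # strip scheme
    host="${host%%/*}"           # strip path
    host="${host%%:*}"           # strip port

    printf '%s\n' --fail --silent --show-error --max-time 10
    if [ "$allow_insecure" = "1" ]; then
        case "$host" in
            localhost|127.0.0.1|host.docker.internal)
                printf '%s\n' --insecure ;;
            *)
                echo "refusing --insecure for non-local host: $host" >&2
                return 1 ;;
        esac
    fi
    printf '%s\n' "$base_url"
}

# Env-driven entry point (assumed variable names). Under nounset, a missing
# PROBE_BASE_URL aborts here rather than probing an empty URL; a refusal in
# probe_curl_args fails the whole pipeline because of pipefail.
run_probe() {
    probe_curl_args "$PROBE_BASE_URL" "${PROBE_ALLOW_INSECURE:-0}" | xargs curl
}
```

Invoke with `PROBE_BASE_URL=https://localhost:8443 PROBE_ALLOW_INSECURE=1 bash probe.sh` after adding a `run_probe` call at the bottom; the same command against a non-local URL exits non-zero before curl is reached.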