Update autodev state and lessons documentation
ci/woodpecker/push/build-arm Pipeline failed

- Changed current step from 15 (Performance Test) to 9 (New Task) in _docs/_autodev_state.md, reflecting the transition to Cycle 3.
- Updated cycle count from 2 to 3 and modified sub-step details to indicate progress in gathering feature descriptions.
- Added new lessons to _docs/LESSONS.md, emphasizing best practices for API key management, dependency handling, and reporting inline fixes during security audits.
- Enhanced CI/CD pipeline documentation in _docs/02_document/deployment/ci_cd_pipeline.md to include new gates for vulnerability scans and SBOM emissions, along with dependency overrides for transitive dependencies.
- Expanded environment strategy documentation in _docs/02_document/deployment/environment_strategy.md to include the new Google Geocode API key management.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 22:49:38 +03:00
parent f7dd6c98d8
commit 15838c5cc1
8 changed files with 451 additions and 20 deletions
+27
@@ -8,6 +8,33 @@ Categories: estimation · architecture · testing · dependencies · tooling ·
---
- [2026-05-12] [process] When externalizing a committed API key, always follow
the 4-step rotation discipline: (a) extract to env-var via a service module
so unit tests can stub it, (b) add a literal-scan static gate (STC-SECx)
against the rotated value as defense-in-depth, (c) document in
`.env.example` using the established `<your-...>` placeholder convention,
(d) leave the actual key revocation as a manual deliverable AC with
evidence-attachment requirement — never assume the static gate alone
neutralizes the leaked credential.
Source: _docs/06_metrics/retro_2026-05-12_cycle2.md
- [2026-05-12] [dependencies] When `bun audit` reports advisories on a
transitive dep that direct `bun update <dep>` does not clear (because
nested copies persist under sibling tools, e.g.
`vitest/node_modules/<dep>`), use `package.json` `"overrides"` to floor
the resolution AND clean reinstall (`rm -rf node_modules bun.lock &&
bun install`) — a direct update alone cannot displace nested copies, and
Bun honors the npm-compatible `overrides` field exactly as npm does.
Source: _docs/06_metrics/retro_2026-05-12_cycle2.md
- [2026-05-12] [tooling] When the autodev orchestrator delegates to a
sub-skill that ends in a HIGH-severity blocking gate (e.g. security audit
FAIL → user picks "fix inline"), capture the inline-fix sub-step results
as a separate batch report (`batch_NN_report.md`) — not as an extension
of the prior batch — so the cycle metrics correctly attribute findings,
ACs, and complexity to the work boundary that produced them.
Source: _docs/06_metrics/retro_2026-05-12_cycle2.md
- [2026-05-12] [architecture] When adding an architecture gate (STC-ARCH-*),
extend the existing single-script dispatcher with a new `--mode` flag
instead of forking a second script; same walker, same comment-skip, same
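Review bot: in the first lesson, step (b) "add a literal-scan static gate (STC-SECx) against the rotated value" means the retired key's literal has to live somewhere in the repo for the gate to match it, which re-commits the very credential the lesson is about externalizing; suggest the gate match on a SHA-256 of the old value or on the provider's fixed key prefix, and state in the lesson that (d), the actual revocation, is the step that neutralizes the leak, with (b) only guarding against re-introduction.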