ui/_docs/02_document/ripple_log_cycle2.md
Oleksandr Bezdieniezhnykh f7dd6c98d8
ci/woodpecker/push/build-arm Pipeline failed
[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes
Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 05:31:11 +03:00

Documentation Ripple Log — Cycle 2 (Phase B)

Generated during Step 13 (Update Docs) of the autodev existing-code flow, cycle 2. Task specs in scope: AZ-498_satellite_tile_swap.md, AZ-499_mission_planner_weather_env.md (both in _docs/02_tasks/done/). Implementation: single batch (_docs/03_implementation/batch_11_report.md).

Scope analysis (Task Step 0)

Direct source files changed by Cycle 2 batch 11:

| Source file | Changed in | Touched module / component / system doc |
|---|---|---|
| src/features/flights/types.ts | AZ-498 (replaced TILE_URLS with getTileUrl() + DEFAULT_SATELLITE_TILE_URL) | modules/src__features__flights.md (updated by implementer at batch-11 commit time) |
| src/features/flights/FlightMap.tsx | AZ-498 (drop mapType state + toggle button + MiniMap mapType prop; single `<TileLayer crossOrigin="use-credentials">`) | same group doc as above |
| src/features/flights/MiniMap.tsx | AZ-498 (drop mapType prop) | same group doc |
| src/vite-env.d.ts | AZ-498 (replaced VITE_OSM_TILE_URL / VITE_ESRI_TILE_URL with VITE_SATELLITE_TILE_URL) | covered in modules/src__features__flights.md Tile URL section + deployment/environment_strategy.md (this run) |
| .env.example | AZ-498 | deployment/environment_strategy.md §2 (this run) |
| src/i18n/en.json, src/i18n/ua.json | AZ-498 (removed flights.planner.satellite key in lockstep — STC-FP22 parity preserved) | no module doc change needed (i18n parity is enforced by static check, not described in module docs) |
| mission-planner/src/services/WeatherService.ts | AZ-499 (env vars + fail-soft null when key unset) | modules/mission-planner.md (updated by implementer at batch-11 commit time) |
| mission-planner/.env.example | AZ-499 | same group doc + deployment/environment_strategy.md (this run) |
| mission-planner/src/vite-env.d.ts | AZ-499 | same group doc |
| tests/security/banned-deps.json | AZ-499 (added owm_key_in_source kind) | tests/security-tests.md NFT-SEC-09 step 3 (Step 12 cycle-update) |
| scripts/check-banned-deps.mjs | AZ-499 (extended source-tree dispatch) | static-check infrastructure — covered by AZ-482 module doc (no new entry needed; same dispatch shape) |
| scripts/run-tests.sh | AZ-499 (added STC-SEC1C row) | tests/environment.md Test Execution + tests/security-tests.md NFT-SEC-09 (Step 12) |
| e2e/docker-compose.suite-e2e.yml | AZ-498 (replaced dead VITE_TILE_BASE_URL with VITE_SATELLITE_TILE_URL) | tests/environment.md (Step 12) |
| e2e/stubs/tile/server.ts | AZ-498 (rewrote classify() for /tiles/{z}/{x}/{y} shape) | tests/environment.md (Step 12) |
| e2e/tests/infrastructure.e2e.ts | AZ-498 (AC-2 rewritten; OSM removed from EXTERNAL_HOSTS) | tests/blackbox-tests.md FT-P-59 (Step 12) |
| tests/msw/handlers/tiles.ts | AZ-498 (rewrote handlers from OSM/Esri .png to /tiles/{z}/{x}/{y} with cookie-auth headers) | covered by FT-P-57 / FT-P-59 (Step 12) |

System-level docs (architecture.md, system-flows.md, deployment/environment_strategy.md): architecture.md + environment_strategy.md TOUCHED this run; system-flows.md not touched (no flow diagrams referenced map tiles or OWM). The architectural changes are: external-integration table (OSM/Esri removed from outbound; suite-internal satellite-provider added), system-boundaries table (tile providers row updated), § 5 External Integrations (failure-mode column updated for satellite tiles + OWM), Air-gap section in § 2 (tiles no longer external; OWM remains external but env-resolved + fail-soft).

Problem-level docs: acceptance_criteria.md TOUCHED this run — added AC-41 (self-hosted satellite tiles + cookie auth) and AC-42 (mission-planner OWM env hardening + STC-SEC1C); updated AC-20 row to reference the closure tasks; updated Coverage status section to move AC-20 from "Currently violated" to "Currently met & enforced" and add AC-41 / AC-42 there as well. restrictions.md not touched (the air-gap restriction E1 is now better satisfied for tiles, but the restriction text itself does not change).

Contract docs: _docs/02_document/contracts/satellite-provider/tiles.md was drafted in Step 9 (New Task) and updated by the implementer to reference AZ-498 in the Consumer tasks field — no further edit this run.

Import-graph ripple (Task Step 0.5)

The reverse-dependency set of the changed files is small and is already captured in the direct list above plus the test-spec / system-level updates from this run. Specifically:

  • src/features/flights/types.ts exports getTileUrl() + DEFAULT_SATELLITE_TILE_URL (cycle 2) plus the existing waypoint / mission JSON shapes. Importers: FlightMap.tsx, MiniMap.tsx (both directly in scope), and the new fast test src/features/flights/__tests__/satellite_tile.test.tsx. No additional consumer needs a doc refresh — FlightsPage.tsx consumes FlightMap / MiniMap as JSX components without referencing the tile URL plumbing.
  • src/features/flights/FlightMap.tsx is imported by FlightsPage.tsx (which composes the page); the public prop surface of FlightMap is unchanged on tile-related axes (no exported tile constants, no mapType exposure to callers). FlightsPage's module-doc section (modules/src__features__flights.md) already reflects the change because the implementer updated the group doc at batch-11 commit time.
  • src/features/flights/MiniMap.tsx lost a public prop (mapType) — this IS a public surface change. Callers: only FlightMap.tsx (intra-component); no external caller. The change was applied in lockstep in the same batch, so there is no "stale caller" to chase.
  • mission-planner/src/services/WeatherService.ts keeps its public getWeatherData(lat, lon) signature; only the internal env-var resolution + fail-soft branch changed. Callers in mission-planner/ (page-level components in the legacy port-source) see no behavior change beyond null returned when the key is unset — already documented under modules/mission-planner.md Migration Notes.

Therefore: no additional doc was added to the refresh set by ripple analysis beyond the system-level docs already updated for cycle-wide concerns (architecture.md external integrations + environment_strategy.md env-var matrix).
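
The fail-soft env resolution noted for WeatherService above, together with the kind of source-tree check an owm_key_in_source deny-list entry implies, as an added JavaScript example that is not the project's WeatherService.ts or check-banned-deps.mjs. It assumes OWM keys are 32 hex characters; the function names, the placeholder base URL and the sample files are constructed for illustration.

```javascript
// Added example: not the project's WeatherService.ts or check-banned-deps.mjs.
// Assumptions: OWM keys are 32 hex characters; function names, the sample
// files and the placeholder base URL below are constructed for illustration.
const PLACEHOLDER_BASE_URL = "https://owm.example.invalid/data/2.5";

// Fail-soft resolution: an unset key yields null plus a warning, never a
// baked-in fallback key.
function resolveOwmConfig(env, warn = console.warn) {
  const key = String(env.VITE_OWM_API_KEY ?? "").trim();
  if (!key) {
    warn("VITE_OWM_API_KEY is unset; weather lookups are disabled");
    return null;
  }
  const base = String(env.VITE_OWM_BASE_URL ?? PLACEHOLDER_BASE_URL);
  return { key, baseUrl: base.replace(/\/+$/, "") };
}

// Callers get null (no request URL is built) when the key is missing.
function buildWeatherUrl(lat, lon, env, warn) {
  const cfg = resolveOwmConfig(env, warn);
  if (cfg === null) return null;
  const qs = new URLSearchParams({ lat: String(lat), lon: String(lon), appid: cfg.key });
  return `${cfg.baseUrl}/weather?${qs}`;
}

// Static gate: flag 32-hex literals that appear quoted or after "appid=".
// The lookahead keeps longer hex runs (e.g. 64-char digests) from matching.
const KEY_LITERAL = /(?:["'`]|appid=)[0-9a-f]{32}(?![0-9a-f])/i;

function findKeyLiterals(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      if (KEY_LITERAL.test(line)) hits.push(`${path}:${i + 1}`);
    });
  }
  return hits;
}

// Constructed source tree: one hardcoded key, one env-resolved service.
const SAMPLE_FILES = {
  "legacy/config.ts": 'export const OWM = "0123456789abcdef0123456789abcdef";\n',
  "services/WeatherService.ts":
    "const key = import.meta.env.VITE_OWM_API_KEY;\nexport { key };\n",
};
```

Any quoted 32-hex value (an MD5 digest in a fixture, for instance) trips the same pattern, so a gate built this way needs an allow-list for such files.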

Tooling notes

  • Ripple analysis was performed by reading the implementer's _docs/03_implementation/batch_11_report.md (which enumerates every modified file with rationale), then cross-checking each changed file's importers via Grep against src/features/flights/ and mission-planner/. The repo has no madge / depcruise configured; this counts as the "directory-proximity + manual import inspection" fallback path from document/workflows/task.md Task Step 0.5 #6 — full coverage was achievable because the changed file set is small and bounded by two well-known package roots (src/features/flights/ and mission-planner/src/services/).
  • No static analyzer was used to discover indirect importers. None was needed: the public-surface changes are minimal (one prop drop on MiniMap, one preserved-signature env-resolution change on getWeatherData, one new function on types.ts replacing a removed const), and all in-tree callers were updated in the same batch.

Outcome

Cycle-2 documentation refresh complete. Updated this run:

| Level | Doc | Reason |
|---|---|---|
| System-level | _docs/02_document/architecture.md | Removed stale OSM/Esri tile entries; added suite-internal satellite-provider row; updated External Integrations failure-mode for tiles + OWM; corrected stale "hardcoded API key" claim. |
| System-level | _docs/02_document/deployment/environment_strategy.md | Added env-var matrix rows for VITE_SATELLITE_TILE_URL (main SPA + mission-planner) and VITE_OWM_API_KEY / VITE_OWM_BASE_URL (main SPA + mission-planner); updated tile-providers column for all three envs; updated .env strategy section to reflect cycle-2 reality. |
| Component | _docs/02_document/components/05_flights/description.md | Removed stale "hardcoded API key" claim from the legacy mission-planner port-source comparison (line 59). |
| Problem | _docs/00_problem/acceptance_criteria.md | Added AC-41 (satellite tiles + cookie auth + toggle removal) and AC-42 (mission-planner OWM env hardening + STC-SEC1C); reworded AC-20; updated Coverage status. |

Module-level docs (modules/src__features__flights.md, modules/mission-planner.md) and the contract doc (contracts/satellite-provider/tiles.md) were already updated by the implementer at batch-11 commit time and verified consistent with the source tree at the start of this run; no additional change applied.

Test-spec docs (tests/blackbox-tests.md, tests/security-tests.md, tests/resilience-tests.md, tests/environment.md, tests/traceability-matrix.md) were updated in the preceding Step 12 (Test-Spec Sync) cycle-update — see the Step 12 commit for those changes.