azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 16:51:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6c7e29722f3c3931faaa3103244951d02df153a4
ui/_docs/02_document/ripple_log_cycle2.md
T
Oleksandr Bezdieniezhnykh f7dd6c98d8
ci/woodpecker/push/build-arm Pipeline failed
Details
[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes 
Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 05:31:11 +03:00

66 lines
8.8 KiB
Markdown
Raw Blame History

# Documentation Ripple Log — Cycle 2 (Phase B)
> Generated during Step 13 (Update Docs) of the autodev existing-code flow, cycle 2.
> Task specs in scope: `AZ-498_satellite_tile_swap.md`, `AZ-499_mission_planner_weather_env.md` (both in `_docs/02_tasks/done/`).
> Implementation: single batch (`_docs/03_implementation/batch_11_report.md`).
## Scope analysis (Task Step 0)
Direct source files changed by Cycle 2 batch 11:
| Source file | Changed in | Touched module / component / system doc |
|---|---|---|
| `src/features/flights/types.ts` | AZ-498 (replaced `TILE_URLS` with `getTileUrl()` + `DEFAULT_SATELLITE_TILE_URL`) | `modules/src__features__flights.md` (updated by implementer at batch-11 commit time) |
| `src/features/flights/FlightMap.tsx` | AZ-498 (drop `mapType` state + toggle button + `MiniMap mapType` prop; single `<TileLayer crossOrigin="use-credentials">`) | same group doc as above |
| `src/features/flights/MiniMap.tsx` | AZ-498 (drop `mapType` prop) | same group doc |
| `src/vite-env.d.ts` | AZ-498 (replaced `VITE_OSM_TILE_URL` / `VITE_ESRI_TILE_URL` with `VITE_SATELLITE_TILE_URL`) | covered in `modules/src__features__flights.md` Tile URL section + `deployment/environment_strategy.md` (this run) |
| `.env.example` | AZ-498 | `deployment/environment_strategy.md` §2 (this run) |
| `src/i18n/en.json`, `src/i18n/ua.json` | AZ-498 (removed `flights.planner.satellite` key in lockstep — STC-FP22 parity preserved) | no module doc change needed (i18n parity is enforced by static check, not described in module docs) |
| `mission-planner/src/services/WeatherService.ts` | AZ-499 (env vars + fail-soft `null` when key unset) | `modules/mission-planner.md` (updated by implementer at batch-11 commit time) |
| `mission-planner/.env.example` | AZ-499 | same group doc + `deployment/environment_strategy.md` (this run) |
| `mission-planner/src/vite-env.d.ts` | AZ-499 | same group doc |
| `tests/security/banned-deps.json` | AZ-499 (added `owm_key_in_source` kind) | `tests/security-tests.md` NFT-SEC-09 step 3 (Step 12 cycle-update) |
| `scripts/check-banned-deps.mjs` | AZ-499 (extended source-tree dispatch) | static-check infrastructure — covered by AZ-482 module doc (no new entry needed; same dispatch shape) |
| `scripts/run-tests.sh` | AZ-499 (added `STC-SEC1C` row) | `tests/environment.md` Test Execution + `tests/security-tests.md` NFT-SEC-09 (Step 12) |
| `e2e/docker-compose.suite-e2e.yml` | AZ-498 (replaced dead `VITE_TILE_BASE_URL` with `VITE_SATELLITE_TILE_URL`) | `tests/environment.md` (Step 12) |
| `e2e/stubs/tile/server.ts` | AZ-498 (rewrote `classify()` for `/tiles/{z}/{x}/{y}` shape) | `tests/environment.md` (Step 12) |
| `e2e/tests/infrastructure.e2e.ts` | AZ-498 (AC-2 rewritten; OSM removed from `EXTERNAL_HOSTS`) | `tests/blackbox-tests.md` FT-P-59 (Step 12) |
| `tests/msw/handlers/tiles.ts` | AZ-498 (rewrote handlers from OSM/Esri `.png` to `/tiles/{z}/{x}/{y}` with cookie-auth headers) | covered by FT-P-57 / FT-P-59 (Step 12) |
System-level docs (`architecture.md`, `system-flows.md`, `deployment/environment_strategy.md`): **architecture.md + environment_strategy.md TOUCHED this run**; `system-flows.md` not touched (no flow diagrams referenced map tiles or OWM). The architectural changes are: external-integration table (OSM/Esri removed from outbound; suite-internal `satellite-provider` added), system-boundaries table (tile providers row updated), § 5 External Integrations (failure-mode column updated for satellite tiles + OWM), Air-gap section in § 2 (tiles no longer external; OWM remains external but env-resolved + fail-soft).
Problem-level docs: **acceptance_criteria.md TOUCHED this run** — added AC-41 (self-hosted satellite tiles + cookie auth) and AC-42 (mission-planner OWM env hardening + STC-SEC1C); updated AC-20 row to reference the closure tasks; updated Coverage status section to move AC-20 from "Currently violated" to "Currently met & enforced" and add AC-41 / AC-42 there as well. `restrictions.md` not touched (the air-gap restriction E1 is now better satisfied for tiles, but the restriction text itself does not change).
Contract docs: `_docs/02_document/contracts/satellite-provider/tiles.md` was drafted in Step 9 (New Task) and updated by the implementer to reference AZ-498 in the `Consumer tasks` field — no further edit this run.
## Import-graph ripple (Task Step 0.5)
The reverse-dependency set of the changed files is small and is **already captured in the direct list above** plus the test-spec / system-level updates from this run. Specifically:
- `src/features/flights/types.ts` exports `getTileUrl()` + `DEFAULT_SATELLITE_TILE_URL` (cycle 2) plus the existing waypoint / mission JSON shapes. Importers: `FlightMap.tsx`, `MiniMap.tsx` (both directly in scope), and the new fast test `src/features/flights/__tests__/satellite_tile.test.tsx`. No additional consumer needs a doc refresh — `FlightsPage.tsx` consumes `FlightMap` / `MiniMap` as JSX components without referencing the tile URL plumbing.
- `src/features/flights/FlightMap.tsx` is imported by `FlightsPage.tsx` (which composes the page); the public prop surface of `FlightMap` is unchanged on tile-related axes (no exported tile constants, no `mapType` exposure to callers). FlightsPage's module-doc section (`modules/src__features__flights.md`) already reflects the change because the implementer updated the group doc at batch-11 commit time.
- `src/features/flights/MiniMap.tsx` lost a public prop (`mapType`) — this IS a public surface change. Callers: only `FlightMap.tsx` (intra-component); no external caller. The change was applied in lockstep in the same batch, so there is no "stale caller" to chase.
- `mission-planner/src/services/WeatherService.ts` keeps its public `getWeatherData(lat, lon)` signature; only the internal env-var resolution + fail-soft branch changed. Callers in `mission-planner/` (page-level components in the legacy port-source) see no behavior change beyond `null` returned when the key is unset — already documented under `modules/mission-planner.md` Migration Notes.
Therefore: **no additional doc was added to the refresh set by ripple analysis** beyond the system-level docs already updated for cycle-wide concerns (architecture.md external integrations + environment_strategy.md env-var matrix).
## Tooling notes
- Ripple analysis was performed by reading the implementer's `_docs/03_implementation/batch_11_report.md` (which enumerates every modified file with rationale), then cross-checking each changed file's importers via `Grep` against `src/features/flights/` and `mission-planner/`. The repo has no `madge` / `depcruise` configured; this counts as the "directory-proximity + manual import inspection" fallback path from `document/workflows/task.md` Task Step 0.5 #6 — full coverage was achievable because the changed file set is small and bounded by two well-known package roots (`src/features/flights/` and `mission-planner/src/services/`).
- No static analyzer was used to discover indirect importers. None was needed: the public-surface changes are minimal (one prop drop on `MiniMap`, one preserved-signature env-resolution change on `getWeatherData`, one new function on `types.ts` replacing a removed const), and all in-tree callers were updated in the same batch.
## Outcome
Cycle-2 documentation refresh complete. Updated this run:
| Level | Doc | Reason |
|---|---|---|
| System-level | `_docs/02_document/architecture.md` | Removed stale OSM/Esri tile entries; added suite-internal `satellite-provider` row; updated External Integrations failure-mode for tiles + OWM; corrected stale "hardcoded API key" claim. |
| System-level | `_docs/02_document/deployment/environment_strategy.md` | Added env-var matrix rows for `VITE_SATELLITE_TILE_URL` (main SPA + mission-planner) and `VITE_OWM_API_KEY` / `VITE_OWM_BASE_URL` (main SPA + mission-planner); updated tile-providers column for all three envs; updated `.env` strategy section to reflect cycle-2 reality. |
| Component | `_docs/02_document/components/05_flights/description.md` | Removed stale "hardcoded API key" claim from the legacy mission-planner port-source comparison (line 59). |
| Problem | `_docs/00_problem/acceptance_criteria.md` | Added AC-41 (satellite tiles + cookie auth + toggle removal) and AC-42 (mission-planner OWM env hardening + STC-SEC1C); reworded AC-20; updated Coverage status. |
Module-level docs (`modules/src__features__flights.md`, `modules/mission-planner.md`) and the contract doc (`contracts/satellite-provider/tiles.md`) were already updated by the implementer at batch-11 commit time and verified consistent with the source tree at the start of this run; no additional change applied.
Test-spec docs (`tests/blackbox-tests.md`, `tests/security-tests.md`, `tests/resilience-tests.md`, `tests/environment.md`, `tests/traceability-matrix.md`) were updated in the preceding Step 12 (Test-Spec Sync) cycle-update — see the Step 12 commit for those changes.
Reference in New Issue View Git Blame Copy Permalink