mirror of
https://github.com/azaion/ui.git
synced 2026-06-21 23:31:11 +00:00
Oleksandr Bezdieniezhnykh
15838c5cc1
ci/woodpecker/push/build-arm Pipeline failed
- Changed current step from 15 (Performance Test) to 9 (New Task) in _docs/_autodev_state.md, reflecting the transition to Cycle 3. - Updated cycle count from 2 to 3 and modified sub-step details to indicate progress in gathering feature descriptions. - Added new lessons to _docs/LESSONS.md, emphasizing best practices for API key management, dependency handling, and reporting inline fixes during security audits. - Enhanced CI/CD pipeline documentation in _docs/02_document/deployment/ci_cd_pipeline.md to include new gates for vulnerability scans and SBOM emissions, along with dependency overrides for transitive dependencies. - Expanded environment strategy documentation in _docs/02_document/deployment/environment_strategy.md to include the new Google Geocode API key management. Co-authored-by: Cursor <cursoragent@cursor.com>
2.9 KiB
2.9 KiB
Cycle 2 Step 16 — Deploy Planning Sync (planning-only)
Date: 2026-05-12 Cycle: 2 (autodev Step 16) Outcome: Planning sync completed; prod cutover deferred (see leftovers). Decision basis: user skipped the structured choice; agent defaulted to option B (planning-only) because option A required unverifiable cross-workspace state and option C would have lost the planning information.
What was synced
| Document | Cycle 2 delta captured |
|---|---|
_docs/02_document/deployment/environment_strategy.md |
Section 2: new row for VITE_GOOGLE_GEOCODE_KEY (AZ-501, mission-planner) mirroring the OWM-mission-planner row. Section 3: mission-planner/.env.example now lists three env vars (OWM pair + tile URL + new Google key). Section 5: mission-planner local-dev bullet updated with the new key + reminder that committed-then-removed literals must still be revoked at the upstream dashboards. |
_docs/02_document/deployment/ci_cd_pipeline.md |
Section 2 (Missing steps): bun audit --severity high row added with rationale (linked to F-INF-1 from the cycle 2 security audit) and explicit notes against re-introducing the AZ-502 advisories. New §2a "Dependency overrides (AZ-502, cycle 2)": documents the vite >=6.4.2 and postcss >=8.5.10 overrides block in both package.jsons, why it exists, and the maintenance rule for removing it safely. |
_docs/02_document/deployment/containerization.md |
No changes — Vite 6.4.2 upgrade does not affect the Dockerfile or the runtime image. |
_docs/02_document/deployment/observability.md |
No changes — cycle 2 added no client-telemetry surface. |
What was NOT done (deferred)
Three pieces of work could not complete this cycle. Each is recorded in
_docs/_process_leftovers/2026-05-12_az-498-deploy-and-key-revocations.md with a full
replay procedure:
| ID | Item | Reason | Owner |
|---|---|---|---|
| L-AZ-498-DEPLOY | UI tile-swap prod cutover | Cross-workspace gate: satellite-provider cookie-auth migration on GET /tiles/{z}/{x}/{y} must merge + deploy first. Deploying the UI side alone produces a broken map. |
Cross-workspace + user |
| L-AZ-499-OWM-REVOKE | OWM key revocation at owm dashboard | Manual third-party-console action; cannot be automated from CI. AZ-499 AC-7 / AC-42 pending evidence attachment. | User |
| L-AZ-501-GOOGLE-REVOKE | Google Geocode key revocation at Google Cloud Console | Same reason as above. AZ-501 AC-6 / AC-43 pending evidence attachment. | User |
Verification
- Read-after-write check: each modified deployment doc was re-read in this session; the new content is present and the surrounding sections are intact.
- No source-code changes — this is a documentation-only step.
- No pipeline / Docker / nginx changes — those are deferred to the Phase B follow-ups
F-INF-1..F-INF-5 already tracked in
_docs/05_security/infrastructure_review.md.
Auto-chain
→ Step 17 (Retrospective) for cycle 2.