feat(auth-broker): register dry-run service surface
This commit is contained in:
@@ -36,10 +36,25 @@ The first skeleton lives at:
|
||||
- `src/components/microservices/auth-broker/Cargo.toml`
|
||||
- `src/components/microservices/auth-broker/src/main.rs`
|
||||
- `src/components/microservices/auth-broker/Dockerfile`
|
||||
- `config.json` microservice id `auth-broker`
|
||||
- `deploy.json` prod/dev desired-state entries for `auth-broker`
|
||||
- `docker-compose.yml` service `auth-broker` behind Compose profile `auth-broker`
|
||||
- `scripts/src/auth-broker.ts`
|
||||
|
||||
The skeleton intentionally does not read `GH_TOKEN` or `GITHUB_TOKEN`. It uses only redacted readiness configuration such as `AUTH_BROKER_GITHUB_CONFIGURED`, `AUTH_BROKER_GITHUB_CREDENTIAL_REF`, `AUTH_BROKER_ALLOWED_REPOS` and optional `AUTH_BROKER_AUDIT_LOG`. Real secret mounting is outside this contract.
|
||||
|
||||
## P1 Source Registration
|
||||
|
||||
P1 keeps Auth Broker in source/contract/dry-run only:
|
||||
|
||||
- `config.json` registers stable microservice id `auth-broker` on `main-server`, private backend `http://auth-broker:4291`, health path `/health`, and allowed proxy prefixes `/health` plus `/v1/github/`.
|
||||
- `docker-compose.yml` defines service `auth-broker` with `profiles: ["auth-broker"]`, `restart: "no"`, no public `ports`, and redacted env names only. Default `server start` does not select this profile, so this source registration must not change current production runtime.
|
||||
- `deploy.json` includes prod and dev desired-state entries so `deploy plan --env prod|dev --service auth-broker` has a stable identity. Live apply is supervisor-gated until credential mounting and private exposure are separately reviewed.
|
||||
- `bun scripts/cli.ts auth-broker contract|health --dry-run|credential-request --dry-run|pr-preflight --dry-run` reports `serviceRegistration.config`, `serviceRegistration.compose`, `serviceRegistration.deploy`, and `serviceRegistration.runtimeCredentialRef` using presence/ref fields only.
|
||||
- Runtime credential readiness is expressed by `UNIDESK_AUTH_BROKER_GITHUB_CONFIGURED` / `AUTH_BROKER_GITHUB_CONFIGURED` and `UNIDESK_AUTH_BROKER_GITHUB_CREDENTIAL_REF` / `AUTH_BROKER_GITHUB_CREDENTIAL_REF` presence. The CLI prints only the source key and a sanitized `github:<ref>` style preview, never a token or raw credential value.
|
||||
|
||||
P1 still does not start Auth Broker, mount real secrets, deploy to prod/dev, restart backend-core/provider-gateway/Code Queue, or proxy registry/deploy credentials.
|
||||
|
||||
### `GET /health`
|
||||
|
||||
只返回服务状态和 redacted capability,不返回 secret 值。
|
||||
|
||||
Reference in New Issue
Block a user