feat(auth-broker): register dry-run service surface
This commit is contained in:
@@ -111,6 +111,7 @@ const defaultOptions: ArtifactRegistryOptions = {
|
||||
deployJsonService: null,
|
||||
};
|
||||
const supportedArtifactConsumerServices = [
|
||||
"auth-broker",
|
||||
"backend-core",
|
||||
"baidu-netdisk",
|
||||
"claudeqq",
|
||||
@@ -259,6 +260,43 @@ const baiduNetdiskAuthHealthGate: AuthHealthGate = {
|
||||
};
|
||||
|
||||
const artifactConsumerSpecs: Record<string, ArtifactConsumerSpec> = {
|
||||
"auth-broker": {
|
||||
serviceId: "auth-broker",
|
||||
environment: "prod",
|
||||
kind: "compose",
|
||||
registryRepository: "unidesk/auth-broker",
|
||||
dockerfile: "src/components/microservices/auth-broker/Dockerfile",
|
||||
prodLiveApply: "supervisor-only",
|
||||
prodLiveBlockReason: "auth-broker is registered for source/contract/profile dry-run only; live production apply requires a separate credential mounting and exposure review.",
|
||||
devLiveApply: "supervisor-only",
|
||||
devLiveBlockReason: "auth-broker DEV live apply requires explicit operator authorization after reviewing credential mounting, private exposure, and dry-run evidence.",
|
||||
targets: {
|
||||
dev: {
|
||||
targetImage: "auth-broker",
|
||||
targetCommitImage: (commit: string) => `auth-broker:${commit}`,
|
||||
deployRef: "deploy.json#environments.dev.services.auth-broker",
|
||||
compose: {
|
||||
serviceName: "auth-broker",
|
||||
containerName: "auth-broker-backend",
|
||||
deployEnvPrefix: "UNIDESK_AUTH_BROKER_DEPLOY",
|
||||
healthProbeCommand: "auth-broker --healthcheck",
|
||||
requireHealthCommit: false,
|
||||
},
|
||||
},
|
||||
prod: {
|
||||
targetImage: "auth-broker",
|
||||
targetCommitImage: (commit: string) => `auth-broker:${commit}`,
|
||||
deployRef: "deploy.json#environments.prod.services.auth-broker",
|
||||
compose: {
|
||||
serviceName: "auth-broker",
|
||||
containerName: "auth-broker-backend",
|
||||
deployEnvPrefix: "UNIDESK_AUTH_BROKER_DEPLOY",
|
||||
healthProbeCommand: "auth-broker --healthcheck",
|
||||
requireHealthCommit: false,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"backend-core": {
|
||||
serviceId: "backend-core",
|
||||
environment: "prod",
|
||||
@@ -1435,6 +1473,27 @@ function codeQueueMgrSelfBootstrapGuard(environment: ArtifactDeployEnvironment,
|
||||
};
|
||||
}
|
||||
|
||||
function authBrokerCredentialMountGuard(environment: ArtifactDeployEnvironment, requiresSupervisorApproval: boolean): Record<string, unknown> {
|
||||
return {
|
||||
check: "auth-broker-credential-mount-guard",
|
||||
serviceId: "auth-broker",
|
||||
requiresSupervisorApproval,
|
||||
actorBoundary: "dry-run and contract evidence are allowed, but live broker startup needs explicit review of credential reference mounting and private exposure",
|
||||
targetScope: "main-server Compose profile auth-broker / container auth-broker-backend only",
|
||||
composeProfileRequired: "auth-broker",
|
||||
publicPortAllowed: false,
|
||||
registryCredentialsProxied: false,
|
||||
deployCredentialsProxied: false,
|
||||
environment,
|
||||
forbiddenActions: [
|
||||
"write real GitHub token into config.json, deploy.json, or docker-compose.yml",
|
||||
"publish auth-broker on a public port",
|
||||
"restart backend-core, provider-gateway, or Code Queue as part of broker dry-run registration",
|
||||
"grant registry, deploy, database, k3s, provider token, or host SSH permissions",
|
||||
],
|
||||
};
|
||||
}
|
||||
|
||||
function artifactConsumerSelfBootstrapGuard(
|
||||
spec: ArtifactConsumerSpec,
|
||||
environment: ArtifactDeployEnvironment,
|
||||
@@ -1442,6 +1501,7 @@ function artifactConsumerSelfBootstrapGuard(
|
||||
): Record<string, unknown> | undefined {
|
||||
if (spec.serviceId === "code-queue") return codeQueueSelfBootstrapGuard(environment);
|
||||
if (spec.serviceId === "code-queue-mgr") return codeQueueMgrSelfBootstrapGuard(environment, requiresSupervisorApproval);
|
||||
if (spec.serviceId === "auth-broker") return authBrokerCredentialMountGuard(environment, requiresSupervisorApproval);
|
||||
return undefined;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user