feat(auth-broker): register dry-run service surface

This commit is contained in:
Codex
2026-05-21 14:37:01 +00:00
parent 7e171dd904
commit ce1f7dc8c4
9 changed files with 511 additions and 6 deletions
+60
View File
@@ -111,6 +111,7 @@ const defaultOptions: ArtifactRegistryOptions = {
deployJsonService: null,
};
const supportedArtifactConsumerServices = [
"auth-broker",
"backend-core",
"baidu-netdisk",
"claudeqq",
@@ -259,6 +260,43 @@ const baiduNetdiskAuthHealthGate: AuthHealthGate = {
};
const artifactConsumerSpecs: Record<string, ArtifactConsumerSpec> = {
"auth-broker": {
serviceId: "auth-broker",
environment: "prod",
kind: "compose",
registryRepository: "unidesk/auth-broker",
dockerfile: "src/components/microservices/auth-broker/Dockerfile",
prodLiveApply: "supervisor-only",
prodLiveBlockReason: "auth-broker is registered for source/contract/profile dry-run only; live production apply requires a separate credential mounting and exposure review.",
devLiveApply: "supervisor-only",
devLiveBlockReason: "auth-broker DEV live apply requires explicit operator authorization after reviewing credential mounting, private exposure, and dry-run evidence.",
targets: {
dev: {
targetImage: "auth-broker",
targetCommitImage: (commit: string) => `auth-broker:${commit}`,
deployRef: "deploy.json#environments.dev.services.auth-broker",
compose: {
serviceName: "auth-broker",
containerName: "auth-broker-backend",
deployEnvPrefix: "UNIDESK_AUTH_BROKER_DEPLOY",
healthProbeCommand: "auth-broker --healthcheck",
requireHealthCommit: false,
},
},
prod: {
targetImage: "auth-broker",
targetCommitImage: (commit: string) => `auth-broker:${commit}`,
deployRef: "deploy.json#environments.prod.services.auth-broker",
compose: {
serviceName: "auth-broker",
containerName: "auth-broker-backend",
deployEnvPrefix: "UNIDESK_AUTH_BROKER_DEPLOY",
healthProbeCommand: "auth-broker --healthcheck",
requireHealthCommit: false,
},
},
},
},
"backend-core": {
serviceId: "backend-core",
environment: "prod",
@@ -1435,6 +1473,27 @@ function codeQueueMgrSelfBootstrapGuard(environment: ArtifactDeployEnvironment,
};
}
function authBrokerCredentialMountGuard(environment: ArtifactDeployEnvironment, requiresSupervisorApproval: boolean): Record<string, unknown> {
return {
check: "auth-broker-credential-mount-guard",
serviceId: "auth-broker",
requiresSupervisorApproval,
actorBoundary: "dry-run and contract evidence are allowed, but live broker startup needs explicit review of credential reference mounting and private exposure",
targetScope: "main-server Compose profile auth-broker / container auth-broker-backend only",
composeProfileRequired: "auth-broker",
publicPortAllowed: false,
registryCredentialsProxied: false,
deployCredentialsProxied: false,
environment,
forbiddenActions: [
"write real GitHub token into config.json, deploy.json, or docker-compose.yml",
"publish auth-broker on a public port",
"restart backend-core, provider-gateway, or Code Queue as part of broker dry-run registration",
"grant registry, deploy, database, k3s, provider token, or host SSH permissions",
],
};
}
function artifactConsumerSelfBootstrapGuard(
spec: ArtifactConsumerSpec,
environment: ArtifactDeployEnvironment,
@@ -1442,6 +1501,7 @@ function artifactConsumerSelfBootstrapGuard(
): Record<string, unknown> | undefined {
if (spec.serviceId === "code-queue") return codeQueueSelfBootstrapGuard(environment);
if (spec.serviceId === "code-queue-mgr") return codeQueueMgrSelfBootstrapGuard(environment, requiresSupervisorApproval);
if (spec.serviceId === "auth-broker") return authBrokerCredentialMountGuard(environment, requiresSupervisorApproval);
return undefined;
}