alexei.dolgolyov/personal-ai-assistant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 7: Hardening — logging, security, Docker, production readiness

Browse Source 
Backend:
- Structured JSON logging (python-json-logger) with request ID correlation
- RequestIDMiddleware (server-generated UUID, no client trust)
- Global exception handlers: AppException, RequestValidationError, generic 500
  — all return consistent {"error": {code, message, request_id}} format
- Async rate limiting with lock + stale key eviction on auth endpoints
- Health endpoint checks DB connectivity, returns version + status
- Custom exception classes (NotFoundException, ForbiddenException, etc.)
- OpenAPI docs with tag descriptions, conditional URL (disabled in production)
- LOG_LEVEL, DOCS_ENABLED, RATE_LIMIT_* settings added

Docker:
- Backend: multi-stage build (builder + runtime), non-root user, HEALTHCHECK
- Frontend: removed dead user, HEALTHCHECK directive
- docker-compose: restart policies, healthchecks, Redis service, named volumes
  for uploads/PDFs, rate limit env vars forwarded
- Alembic migrations run only in Dockerfile CMD (removed from lifespan)

Nginx:
- server_tokens off
- CSP, Referrer-Policy, Permissions-Policy headers
- HSTS ready (commented, enable with TLS)

Config & Docs:
- .env.production.example with production-ready settings
- CLAUDE.md project conventions (structure, workflow, naming, how-to)
- .env.example updated with new variables

Review fixes applied:
- Rate limiter: async lock prevents race condition, stale key eviction
- Request ID: always server-generated (no log injection)
- Removed duplicate alembic migration from lifespan
- Removed dead app user from frontend Dockerfile
- Health check logs DB errors
- Rate limit env vars forwarded in docker-compose

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Admin
2026-03-19 14:52:21 +03:00
parent fed6a3df1b
commit 4cbce89129
18 changed files with 485 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
.env.production.example Normal file
View File

@@ -0,0 +1,32 @@
# PostgreSQL
POSTGRES_USER=ai_assistant
POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD
POSTGRES_DB=ai_assistant
# Backend
DATABASE_URL=postgresql+asyncpg://ai_assistant:CHANGE_ME_STRONG_PASSWORD@postgres:5432/ai_assistant
SECRET_KEY=CHANGE_ME_RANDOM_64_CHAR_STRING
BACKEND_CORS_ORIGINS=["https://yourdomain.com"]
ENVIRONMENT=production
# Auth
ACCESS_TOKEN_EXPIRE_MINUTES=15
REFRESH_TOKEN_EXPIRE_DAYS=30
REFRESH_TOKEN_EXPIRE_HOURS=24
# AI
ANTHROPIC_API_KEY=sk-ant-your-production-key
CLAUDE_MODEL=claude-sonnet-4-20250514
# Logging & Docs
LOG_LEVEL=WARNING
DOCS_ENABLED=false
# Rate limiting
RATE_LIMIT_REQUESTS=20
RATE_LIMIT_WINDOW_SECONDS=60
# Admin seed (change after first run)
FIRST_ADMIN_EMAIL=admin@yourdomain.com
FIRST_ADMIN_USERNAME=admin
FIRST_ADMIN_PASSWORD=CHANGE_ME_STRONG_ADMIN_PASSWORD