personal-ai-assistant

alexei.dolgolyov/personal-ai-assistant

Fork 0

Commit Graph

Author	SHA1	Message	Date
dolgolyov.alexei	4cbce89129	Phase 7: Hardening — logging, security, Docker, production readiness Backend: - Structured JSON logging (python-json-logger) with request ID correlation - RequestIDMiddleware (server-generated UUID, no client trust) - Global exception handlers: AppException, RequestValidationError, generic 500 — all return consistent {"error": {code, message, request_id}} format - Async rate limiting with lock + stale key eviction on auth endpoints - Health endpoint checks DB connectivity, returns version + status - Custom exception classes (NotFoundException, ForbiddenException, etc.) - OpenAPI docs with tag descriptions, conditional URL (disabled in production) - LOG_LEVEL, DOCS_ENABLED, RATE_LIMIT_* settings added Docker: - Backend: multi-stage build (builder + runtime), non-root user, HEALTHCHECK - Frontend: removed dead user, HEALTHCHECK directive - docker-compose: restart policies, healthchecks, Redis service, named volumes for uploads/PDFs, rate limit env vars forwarded - Alembic migrations run only in Dockerfile CMD (removed from lifespan) Nginx: - server_tokens off - CSP, Referrer-Policy, Permissions-Policy headers - HSTS ready (commented, enable with TLS) Config & Docs: - .env.production.example with production-ready settings - CLAUDE.md project conventions (structure, workflow, naming, how-to) - .env.example updated with new variables Review fixes applied: - Rate limiter: async lock prevents race condition, stale key eviction - Request ID: always server-generated (no log injection) - Removed duplicate alembic migration from lifespan - Removed dead app user from frontend Dockerfile - Health check logs DB errors - Rate limit env vars forwarded in docker-compose Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-19 14:52:21 +03:00

Author

SHA1

Message

Date

dolgolyov.alexei

4cbce89129

Phase 7: Hardening — logging, security, Docker, production readiness

Backend:
- Structured JSON logging (python-json-logger) with request ID correlation
- RequestIDMiddleware (server-generated UUID, no client trust)
- Global exception handlers: AppException, RequestValidationError, generic 500
  — all return consistent {"error": {code, message, request_id}} format
- Async rate limiting with lock + stale key eviction on auth endpoints
- Health endpoint checks DB connectivity, returns version + status
- Custom exception classes (NotFoundException, ForbiddenException, etc.)
- OpenAPI docs with tag descriptions, conditional URL (disabled in production)
- LOG_LEVEL, DOCS_ENABLED, RATE_LIMIT_* settings added

Docker:
- Backend: multi-stage build (builder + runtime), non-root user, HEALTHCHECK
- Frontend: removed dead user, HEALTHCHECK directive
- docker-compose: restart policies, healthchecks, Redis service, named volumes
  for uploads/PDFs, rate limit env vars forwarded
- Alembic migrations run only in Dockerfile CMD (removed from lifespan)

Nginx:
- server_tokens off
- CSP, Referrer-Policy, Permissions-Policy headers
- HSTS ready (commented, enable with TLS)

Config & Docs:
- .env.production.example with production-ready settings
- CLAUDE.md project conventions (structure, workflow, naming, how-to)
- .env.example updated with new variables

Review fixes applied:
- Rate limiter: async lock prevents race condition, stale key eviction
- Request ID: always server-generated (no log injection)
- Removed duplicate alembic migration from lifespan
- Removed dead app user from frontend Dockerfile
- Health check logs DB errors
- Rate limit env vars forwarded in docker-compose

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-19 14:52:21 +03:00

1 Commits