refactor: decompose monolith — app.py 10,600→143 lines, 30+ modules
Fase 0 complete: extract all business logic, auth, database, and 176 endpoints from monolithic app.py into dedicated modules. Structure: - app.py: FastAPI hub (CORS, routers, startup/shutdown) - models.py: 13 Pydantic request models - utils.py: shared utilities (embed status, upload validation, process registries) - config.py: constants, env vars, model catalogs - auth/: crypto, jwt_auth, oidc, rate_limit - database/: db(), init_db(), schema DDL - services/: genai, compliance, chat, terraform, embeddings, cis_reports, mcp - routes/: 13 APIRouter modules (auth, users, oci_config, oci_explorer, genai, mcp, adb, embeddings, reports, chat, terraform, settings, cis_engine) Also: README updated with OCIR auth instructions for manual docker run. 86 tests passing.
This commit is contained in:
39
README.md
39
README.md
@@ -309,7 +309,44 @@ bash distribution/setup.sh
|
||||
|
||||
One command: authenticates to OCIR, pulls the image, starts the container. Access `http://localhost:8080` — default credentials `admin` / `admin123` (forced password change on first login).
|
||||
|
||||
### Option B — Development (Docker Compose)
|
||||
### Option B — Manual Docker Run (from OCIR image)
|
||||
|
||||
> **Important**: The container image is hosted on a **private OCIR registry**. You must authenticate before pulling.
|
||||
|
||||
**Step 1 — Authenticate to OCIR** (one-time):
|
||||
|
||||
```bash
|
||||
python infra/scripts/ocir-login.py --passphrase ateam-security-2026
|
||||
```
|
||||
|
||||
This passphrase is **read-only** — it only grants permission to pull the container image. It cannot be used to push images, access OCI resources, or modify any configuration.
|
||||
|
||||
To authenticate and pull the image in one step:
|
||||
|
||||
```bash
|
||||
python infra/scripts/ocir-login.py --passphrase ateam-security-2026 --pull
|
||||
```
|
||||
|
||||
> The script uses Fernet AES-128 encryption (PBKDF2 600K iterations) to securely store the registry auth token. The passphrase only decrypts the OCIR pull credential.
|
||||
|
||||
**Step 2 — Run the container**:
|
||||
|
||||
```bash
|
||||
docker run -d \
|
||||
--name oci-cis-agent \
|
||||
-p 8080:8080 \
|
||||
-v agent-data:/data \
|
||||
-e APP_SECRET=$(openssl rand -hex 64) \
|
||||
-e TZ=America/Sao_Paulo \
|
||||
--restart unless-stopped \
|
||||
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
|
||||
```
|
||||
|
||||
Access `http://localhost:8080` — default credentials `admin` / `admin123` (forced password change on first login).
|
||||
|
||||
> **Note**: If you get `403 Forbidden`, the OCIR login expired. Run `ocir-login.py` again.
|
||||
|
||||
### Option C — Development (Docker Compose)
|
||||
|
||||
```bash
|
||||
cp .env.example .env
|
||||
|
||||
Reference in New Issue
Block a user