refactor: decompose monolith — app.py 10,600→143 lines, 30+ modules

Fase 0 complete: extract all business logic, auth, database, and 176
endpoints from monolithic app.py into dedicated modules.

Structure:
- app.py: FastAPI hub (CORS, routers, startup/shutdown)
- models.py: 13 Pydantic request models
- utils.py: shared utilities (embed status, upload validation, process registries)
- config.py: constants, env vars, model catalogs
- auth/: crypto, jwt_auth, oidc, rate_limit
- database/: db(), init_db(), schema DDL
- services/: genai, compliance, chat, terraform, embeddings, cis_reports, mcp
- routes/: 13 APIRouter modules (auth, users, oci_config, oci_explorer,
  genai, mcp, adb, embeddings, reports, chat, terraform, settings, cis_engine)

Also: README updated with OCIR auth instructions for manual docker run.

86 tests passing.
This commit is contained in:
nogueiraguh
2026-04-06 15:20:10 -03:00
parent 426bde563e
commit 1135e9d6a9
36 changed files with 11179 additions and 10514 deletions

View File

@@ -309,7 +309,44 @@ bash distribution/setup.sh
One command: authenticates to OCIR, pulls the image, starts the container. Access `http://localhost:8080` — default credentials `admin` / `admin123` (forced password change on first login).
### Option B — Development (Docker Compose)
### Option B — Manual Docker Run (from OCIR image)
> **Important**: The container image is hosted on a **private OCIR registry**. You must authenticate before pulling.
**Step 1 — Authenticate to OCIR** (one-time):
```bash
python infra/scripts/ocir-login.py --passphrase ateam-security-2026
```
This passphrase is **read-only** — it only grants permission to pull the container image. It cannot be used to push images, access OCI resources, or modify any configuration.
To authenticate and pull the image in one step:
```bash
python infra/scripts/ocir-login.py --passphrase ateam-security-2026 --pull
```
> The script uses Fernet AES-128 encryption (PBKDF2 600K iterations) to securely store the registry auth token. The passphrase only decrypts the OCIR pull credential.
**Step 2 — Run the container**:
```bash
docker run -d \
--name oci-cis-agent \
-p 8080:8080 \
-v agent-data:/data \
-e APP_SECRET=$(openssl rand -hex 64) \
-e TZ=America/Sao_Paulo \
--restart unless-stopped \
us-ashburn-1.ocir.io/idi1o0a010nx/oci-cis-agent:latest
```
Access `http://localhost:8080` — default credentials `admin` / `admin123` (forced password change on first login).
> **Note**: If you get `403 Forbidden`, the OCIR login expired. Run `ocir-login.py` again.
### Option C — Development (Docker Compose)
```bash
cp .env.example .env