Develop #2
**build-base.yml**:
- Restrict push trigger to main branch only (was: main, develop)
- Prevents unstable base images from develop branch experiments
- Base image should only rebuild on production-ready changes
**docker-build.yml**:
- Remove develop from workflow_run branches (was: main, develop)
- Prevents duplicate builds during develop → main PR
- workflow_run now only triggers on main branch CI success
- Clarifies PR builds are test-only (not pushed)
**Impact**:
- Eliminates 2x redundant builds during PR process
- Ensures base images are only rebuilt from stable main branch
- Maintains PR testing capability without publishing artifacts
Fixes: develop → main PR triggering unnecessary docker-build
… Config Center
MAJOR CHANGES:
1. JWT Configuration Consolidation
- Merged internal/jwt/config.go → pkg/jwt/config.go (single source of truth)
- Auth module now embeds jwt.Config (eliminates duplication)
- Removed standalone JWT config registration (auth.jwt is primary)
2. Config Center Integration
- Added pkg/config/provider.go: ConfigProvider interface (10 methods)
- Added pkg/config/viper.go: Viper adapter implementing Provider
- Added pkg/config/mock/provider.go: Mock provider for testing
- Auth module registered in main.go with bcrypt cost application
- Refactored internal/jwt/token.go to TokenService pattern with ConfigProvider
3. Config Generation Script Fix
- Fixed generate-config-example.go to include auth module
- Removed duplicate JWT registration
- Config file now has auth.jwt (not separate jwt:)
TECHNICAL DETAILS:
- ConfigProvider abstraction: Decouples from Viper, enables testing
- Bcrypt cost now configurable via Config Center API
- TokenService uses dependency injection (backward compatible)
- All tests passing (auth: 13 tests, password: 7 tests)
FILES CHANGED:
Created:
- core/pkg/config/provider.go (51 lines)
- core/pkg/config/viper.go (79 lines)
- core/pkg/config/mock/provider.go (132 lines)
- core/pkg/jwt/config.go (148 lines)
- core/modules/auth/config.go (with constants)
Modified:
- core/cmd/server/main.go (auth registration, removed jwt)
- core/internal/jwt/token.go (TokenService refactor)
- core/scripts/generate-config-example.go (auth registration)
- core/config/config.example (regenerated)
Deleted:
- core/internal/jwt/config.go (replaced by pkg/jwt/config.go)
TESTING:
- All compilation: PASS (go build ./...)
- Auth module: PASS (13 tests, 30.242s)
- Password module: PASS (7 tests, 2.403s)
- Config generation: PASS (4 modules registered)
RELATED ISSUES:
- Resolves P2 technical debt: JWT config duplication
- Resolves config generation: auth module missing
- Implements Question #3 from technical-analysis-auth-module.md
- Follows Story 10 Config Center architecture
BMad Method: ✅ Business cohesion principle applied (constants in config.go)
Breaking Changes: None (backward compatible via package-level functions)
- Add Cache struct to types.go as infrastructure config (similar to Database)
- Add mapstructure tags for proper Viper unmarshaling
- Register JWT config aliases (jwt.* -> auth.jwt.*) for TokenService compatibility
- Remove POC configuration (unused test config)
- Update tests to remove POC references
Fixes:
- Config service initialization error (Config.Cache.PoolSize validation)
- JWT Secret not loading (path mismatch: jwt.secret vs auth.jwt.secret)
- POC config validation failures (removed unused config)
Changes:
- core/internal/config/types.go: Add Cache struct with mapstructure tags
- core/config/default.yaml: Fix port type, remove POC config
- core/pkg/config/viper.go: Register JWT aliases for backward compatibility
- core/modules/config/*_test.go: Remove POC test references
All tests passing, application starts successfully.
Story 1.16: Redis Cache Package
- Add unified cache client interface with Redis implementation (pkg/cache/)
- Implement KV operations: Set/Get/Delete/Exists/TTL/Expire
- Implement Pub/Sub: Publish/Subscribe with goroutine lifecycle management
- Add fail-open design for graceful degradation
- Add environment-based configuration (REDIS_* env vars)
- Add mock client for testing (pkg/cache/mock.go)
- Add comprehensive documentation and examples (README.md)
- Add error codes following pkg/errors framework
- Coverage: 48.1% (mock + config), integration tests provided
Story 5.4: Token Refresh Mechanism
- Add JWT token blacklist using cache package (internal/jwt/blacklist.go)
- Implement token refresh handler (modules/auth/handler/refresh.go)
- Add refresh token validation and rotation logic
- Add token type distinction (access vs refresh)
- Add token pair generation with different expiration
- Add one-time use policy with blacklist tracking
- Add graceful fallback when Redis unavailable
Tests:
- 43 unit tests passing (pkg/cache/)
- Integration tests for real Redis (integration_test.go)
- Token refresh unit tests (token_refresh_test.go)
- JWT blacklist tests with cache mock
Files:
pkg/cache/
- client.go: Client interface (8 operations)
- config.go: Configuration with env support
- errors.go: 7 unified error codes
- redis.go: Redis client implementation (304 lines)
- mock.go: Mock client for testing
- README.md: Comprehensive documentation
- *_test.go: Unit and integration tests
internal/jwt/
- blacklist.go: Token blacklist with cache (130 lines)
- token_refresh_test.go: Refresh token validation tests
modules/auth/handler/
- refresh.go: POST /api/auth/refresh endpoint (180 lines)
Technical Details:
- Fail-open strategy for cache unavailability
- Interface-based design for testability
- JSON auto-serialization for complex types
- Key naming convention: module:type:id
- Connection pooling and health checks
- Structured logging throughout
- 2-second timeout on cache operations
…mentation
Sprint 1 Artifacts:
- docs/sprint-artifacts/sprint-1/5-4-token-refresh.md
Complete story specification for token refresh mechanism
34,597 lines including implementation guide, security patterns, testing strategy
- docs/sprint-artifacts/sprint-1/validation-report-5-4-20260112.md
Quality validation report identifying 6 critical issues before implementation
17,313 lines with risk assessment and recommendations
Sprint 2 Artifacts:
- docs/sprint-artifacts/sprint-2/1-16-redis-cache-package.md
Sprint artifact for Redis cache implementation (6,511 lines)
- docs/sprint-artifacts/sprint-2/README.md
Sprint 2 planning document with goals and metrics (1,891 lines)
- docs/sprint-artifacts/sprint-2/checklist-1.16.md
Development checklist for Story 1.16 (5,779 lines)
- docs/sprint-artifacts/sprint-2/story-1-16-implementation-summary.md
Complete implementation summary with test results (9,991 lines)
Epic Updates:
- docs/epics/1-infrastructure-epic.md
Updated with Story 1.16 completion status
- docs/epics/README.md
Epic overview updates
Documentation Quality:
- Comprehensive implementation guides
- Security best practices documented
- Testing strategies defined
- Risk assessments completed
- Quality validation reports included
Story Status:
- Story 1.16: ✅ Complete (all 7 AC met, 43 tests passing)
- Story 5.4: 📝 Specification complete, validation done
Translations:
- core/locales/active.en-US.toml: Add token refresh error messages
- core/locales/active.zh-CN.toml: Add Chinese translations for auth errors
- core/locales/template.toml: Update translation template
Sprint Status:
- docs/sprint-artifacts/sprint-status.yaml: Mark Story 1.16 as done
Translation Keys Added:
- auth.error.invalid_request
- auth.error.missing_refresh_token
- auth.error.refresh_token_expired
- auth.error.invalid_token_type
- auth.error.invalid_refresh_token
- auth.error.token_revoked
- auth.error.user_not_found
- auth.error.account_disabled
- auth.error.token_refresh_failed
- auth.error.token_generation_failed
Dependencies (go.mod/go.sum):
- Add github.com/redis/go-redis/v9 v9.17.2 for cache client
- Add github.com/google/uuid v1.6.0 for token ID generation
Configuration:
- core/.env.example: Add REDIS_* environment variables template
- core/pkg/jwt/config.go: Add refresh token configuration
- core/pkg/database/config.go: Configuration adjustments
Error Codes:
- core/pkg/errors/codes.go: Add auth error codes
AUTH_TOKEN_EXPIRED, AUTH_INVALID_TOKEN_TYPE, AUTH_TOKEN_REVOKED, AUTH_USER_NOT_FOUND
Environment:
- core/pkg/env/loader.go: Enhance environment variable loading
New Environment Variables:
REDIS_HOST - Redis server hostname
REDIS_PORT - Redis server port
REDIS_PASSWORD - Redis authentication password
REDIS_DB - Redis database number
REDIS_POOL_SIZE - Connection pool size
REDIS_TIMEOUT - Operation timeout
REDIS_FAIL_STRATEGY - Fail open or fail fast
Server Integration:
- core/cmd/server/main.go
Initialize cache client with configuration
Pass cache client to JWT blacklist initialization
Add graceful shutdown for cache connections
Routes:
- core/routes/router.go
Add POST /api/auth/refresh endpoint
Wire refresh handler to auth module
JWT Updates:
- core/internal/jwt/claims.go
Add TokenType field ('access' or 'refresh')
Add JTI (JWT ID) for blacklist tracking
- core/internal/jwt/token.go
Add GenerateTokenPair() for access + refresh tokens
Add ValidateRefreshToken() for refresh-specific validation
Add token type checking
Update token generation to include unique IDs
Auth Service:
- core/modules/auth/service/auth_service.go
Update Login() to return token pair (access + refresh)
Update LoginResponse to include refresh_token field
Maintain backward compatibility
Tests:
- core/modules/auth/auth_benchmark_test.go
Add refresh token benchmarks
- core/modules/auth/auth_integration_test.go
Add refresh token integration tests
Test token rotation and blacklist
Integration:
- Cache client initialized at startup
- JWT blacklist uses cache for token tracking
- Refresh endpoint registered in router
- Token rotation enforced via blacklist
Security:
- One-time use refresh tokens
- Automatic blacklist of old tokens
- Fail-open design if cache unavailable
- Token type validation prevents misuse
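The refresh rules listed in the commit message above (token type check, one-time use via a JTI blacklist, and a fail-open or fail-fast strategy when the cache is unreachable) can be sketched as follows. This is an added example, not code from the pull request: `Claims`, `Blacklist`, `MarkUsed` and `Refresh` are hypothetical names, the blacklist is an in-memory stand-in for the cache, and signature and expiry verification are assumed to have already passed.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims holds the fields relevant here; signature and expiry checks are assumed done.
type Claims struct{ Subject, TokenType, JTI string }

var (
	ErrWrongType = errors.New("invalid token type")
	ErrRevoked   = errors.New("token revoked")
	ErrCacheDown = errors.New("cache unavailable")
)

// Blacklist is a hypothetical in-memory stand-in for the cache; Down simulates an outage.
type Blacklist struct {
	Down bool
	used map[string]bool
}

func NewBlacklist() *Blacklist { return &Blacklist{used: map[string]bool{}} }

// MarkUsed records the JTI and reports whether it had been recorded before.
func (b *Blacklist) MarkUsed(jti string) (bool, error) {
	if b.Down {
		return false, ErrCacheDown
	}
	seen := b.used[jti]
	b.used[jti] = true
	return seen, nil
}

// Refresh checks token type and one-time use, then returns rotated refresh claims.
func Refresh(b *Blacklist, c Claims, failOpen bool, newJTI string) (Claims, error) {
	if c.TokenType != "refresh" {
		return Claims{}, ErrWrongType
	}
	seen, err := b.MarkUsed(c.JTI)
	switch {
	case err != nil && !failOpen:
		return Claims{}, err // fail fast: revocation state unknown, refuse
	case err == nil && seen:
		return Claims{}, ErrRevoked
	}
	// Reaching here with err != nil means fail-open: the old JTI was neither
	// checked nor recorded, so an already-rotated token is accepted again.
	return Claims{c.Subject, "refresh", newJTI}, nil
}

func main() {
	b, old := NewBlacklist(), Claims{"u1", "refresh", "jti-1"} // constructed sample
	_, first := Refresh(b, old, true, "jti-2")
	_, replay := Refresh(b, old, true, "jti-3")
	b.Down = true
	_, open := Refresh(b, old, true, "jti-4")
	_, closed := Refresh(b, old, false, "jti-5")
	fmt.Println(first, replay, open, closed)
}
```

With the cache up, the second use of `jti-1` is rejected; with the cache down, fail-open accepts the same replayed token while fail-fast returns the cache error.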
Swagger Documentation:
- core/docs/docs.go: Regenerated with refresh endpoint
- core/docs/swagger.json: Add /api/auth/refresh endpoint spec
- core/docs/swagger.yaml: Add refresh token request/response schemas
API Endpoint Added:
POST /api/auth/refresh
- Summary: Refresh access token
- Request: { refresh_token: string }
- Response: { access_token, refresh_token, expires_in }
- Errors: 400 (missing token), 401 (invalid/expired), 403 (account disabled)
Configuration:
- core/config/config.example: Add cache configuration section
- core/scripts/generate-config-example.go: Update config generator
Config Example Additions:
[cache]
host = localhost
port = 6379
password = ''
db = 0
pool_size = 10
timeout = 2s
max_retries = 3
fail_open = true
tls_enabled = false
Documentation Complete:
✅ API endpoints documented
✅ Request/response schemas defined
✅ Error codes documented
✅ Configuration examples provided
Cleanup:
- Remove obsolete sprint artifacts (moved to sprint-1/)
× code-review-report-story-5.2.md
× implementation-report-config-center-integration.md
× technical-analysis-auth-module.md
Documentation Updates:
- docs/sprint-artifacts/sprint-1/5-2-user-login.md
Update with refresh token integration notes
Add references to Story 5.4
Environment:
- .env.dev: Update for cache configuration
Build Artifacts:
- core/server: Rebuilt binary with cache support
Locales:
- Remove temporary backup files (*.backup.*)
Sprint Organization:
✅ Sprint 1 artifacts consolidated
✅ Sprint 2 artifacts created
✅ Obsolete reports removed
✅ Documentation structure cleaned
add config.go for config center, and delete internal/config
add story 5-5 rbac
…text compatibility
Add project_id field to ConfigItem schema for multi-tenant data isolation
Create database migration 004_add_project_id_to_configitem.sql
Refactor JWT middleware to use struct context keys for compatibility with helpers
Move JWT middleware from modules/auth/middleware to internal/middleware
Update routes to use internal middleware package
Add comprehensive tests for JWT middleware and context helpers
Update Makefile db-diff command documentation for docker-in-docker limitations
- Add comprehensive Dev Agent Record and File List to story documentation
- Fix API endpoint path inconsistency: /permissions/my → /permissions/me
- Update acceptance criteria to reflect actual implementation status
- Remove redundant WriteHeader calls in error handling
- Clean up git backup files and update .gitignore
- Add missing test cases for duplicate member handling and pagination
- Update sprint status from 'done' to 'in-progress'
- Regenerate Swagger documentation with corrected paths
Resolves 17/18 code review findings including security, documentation, and testing improvements.
Core RBAC functionality remains intact with enhanced error handling and test coverage.
Story: 5.5.2-rbac-api-endpoints
Module: auth
Files: 12 modified, 1 added, 14 deleted
Sprint 0 Documentation Updates:
- Story 1.5 (Database Migration):
  - Add 3 new migration subcommands (inspect, repair, clean) - total 10 commands
  - Update command list from 7 to 10 with mode categorization
  - Add inspect/repair command explanations and usage scenarios
  - Update CLI Reference links and architecture docs
- Story 1.6 (Unified CLI):
  - Add Migration Enhancement section (10 subcommands complete)
  - Update completion dates (2026-01-15 initial, 2026-01-16 enhanced)
  - Document migration modes (Versioned vs Declarative)
  - Update story points from 3-4 days to 5-6 days
  - Remove Story 1.6.1 reference (deleted)
- Story 1.7 (Makefile Standards):
  - Mark as Done (2026-01-16)
  - Add database commands section with apprun migrate integration
  - Document single-source-of-truth pattern (Makefile → apprun CLI)
  - Add Implementation Notes section with code examples
Sprint Documentation:
- Delete Story 1.6.1 (Admin Management Commands) - scope moved to future work
- Update Story 1.17 (Platform Initialization) - add initialization architecture principles
- Update sprint-status.yaml: Story 1.6 review→done, regenerate 2026-01-16
- Regenerate story-index.md: 48 stories (Story 1.6.1 removed)
Migration Architecture Documentation (New):
- Add MIGRATION-QUICK-REF.md: command comparison, 5 scenarios, troubleshooting
- Add MIGRATE-INSPECT-REPAIR.md: inspect/repair guide, declarative migrations
- Add MIGRATIONS-MAINTENANCE.md: directory maintenance strategies
CLI Reference (New):
- Add cli-reference.md: complete CLI documentation
  - Server commands (configure, serve, migrate, version)
  - Client commands (deploy, logs, backup placeholders)
  - 10 migration subcommands with examples
  - Migration modes and best practices
  - Troubleshooting guide and Makefile shortcuts
Story 1.6.2 (CLI-API Adapter) (New):
- Create comprehensive story document for schema-driven CLI generation
- OpenAPI → Cobra command auto-generation
- 9 tasks with 5-6 day estimate
- Ready for development
Core Infrastructure:
- Add core/cmd/atlas.hcl: Atlas migration configuration with metadata filtering
- Add core/ent/entc.go: Ent code generation with Atlas integration
- Add core/ent/privacy/privacy.go: Generated Ent privacy rules
- Add core/internal/jwt/token_race_test.go: JWT concurrency test (100 goroutines)
- Add core/migrations/20260116104342_new_feature.sql: Initial schema migration
Test & Scripts:
- Add tests/integration/cli_test.sh: CLI integration tests (20 test cases)
- Add scripts/test-reset-sync-workflow.sh: Migration workflow validation
Key Changes:
- Migration system now has 10 commands (7 versioned + 2 declarative + 1 maintenance)
- Complete migration documentation ecosystem established
- Story 1.6.1 removed - admin commands scope deferred
- Sprint 0 core stories (1.5, 1.6, 1.7) marked as done
- CLI reference provides comprehensive user documentation
Technical Enhancements:
- Atlas metadata table filtering to prevent false drift detection
- Comprehensive migration troubleshooting guides
- CLI-API adapter architecture for future development
- Race condition testing for concurrent token generation
Files Changed: 18 modified, 11 added, 2 deleted
Documentation: ~4500 lines added across architecture, CLI, and story docs
Pull request overview
This pull request merges the develop branch into main, bringing comprehensive BMad Builder Module (BMB) documentation, BMad Method infrastructure improvements, and significant project documentation updates.
Changes:
- Added BMB module with agent creation workflows and comprehensive documentation
- Updated project documentation (README, CONTRIBUTING, OWNER guides)
- Modernized Makefile with organized commands and improved workflow
- Removed deprecated chatmode files, replaced with unified agent activation system
- Updated agent file paths from .bmad/ to _bmad/ across GitHub agents
Reviewed changes
Copilot reviewed 142 out of 895 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `_bmad/bmb/workflows/agent/data/*.md` | BMB module documentation for agent creation patterns, validation checklists, and architecture guides |
| `_bmad/bmb/config.yaml` | BMB module configuration with output folder and user settings |
| `_bmad/bmb/agents/*.md` | Agent builder, module builder, and workflow builder agent definitions |
| `_bmad/bmb/README.md` | BMB module overview documentation |
| `_bmad/_memory/storyteller-sidecar/*.md` | Storyteller agent sidecar memory templates |
| `_bmad/_memory/config.yaml` | Memory module configuration |
| `_bmad/_config/*.csv`, `_bmad/_config/*.yaml` | Project manifests for workflows, agents, tasks, files, and tools |
| `_bmad/_config/agents/*.customize.yaml` | Agent customization templates |
| `README.md` | Simplified project README with deployment and development instructions |
| `OWNER.md` | New comprehensive maintainer manual for CI/CD, releases, database, deployment, security, monitoring |
| `Makefile` | Complete rewrite with organized targets, improved help, and standardized workflow commands |
| `CONTRIBUTING.md` | Updated contributor guide with BMad Method workflow and development commands |
| `.vscode/settings.json` | Added files.exclude configuration to show .git folder |
| `.github/workflows/docker-build.yml`, `.github/workflows/build-base.yml` | Updated CI triggers to target only main branch |
| `.github/copilot-instructions.md` | Added agent-activation section with dynamic agent loading instructions |
| `.github/chatmodes/*.chatmode.md` | Removed deprecated chatmode files (analyst, architect, bmad-master, pm, quick-flow-solo-dev, tech-writer) |
| `.github/agents/bmd-custom-*.agent.md` | Updated all agent file paths from .bmad/ to _bmad/ and added new CIS and BMB agent definitions |
| `.env.prod.example` | Added JWT configuration section |
Comments suppressed due to low confidence (2)
Makefile:1
- Line 442 contains an unrecognized emoji character that may not render correctly in all terminals. Consider using a standard ASCII character or verifying emoji support.
# apprun Makefile
Makefile:1
- Line 570 uses an emoji that may have rendering issues. The installation box emoji might not display correctly across all terminal environments.
# apprun Makefile
| @@ -1,6 +1,5 @@ | |||
| # Agent Customization | |||
| # Customize any section below - all are optional | |||
Copilot
AI
Jan 18, 2026
Comment line 3 referencing build command was removed, but other similar customization files retain outdated references. For consistency, verify that all *.customize.yaml files across BMM/BMB/CIS modules either include or exclude the build instruction comment.
| # Customize any section below - all are optional | |
| # Customize any section below - all are optional | |
| # After modifying this file, follow your project's standard build or regeneration process for BMad agents. |
| - Govulncheck | ||
| - Docker 20.10+ | ||
| - Docker Compose 2.0+ | ||
| - Go 1.23+ (for local development) |
Copilot
AI
Jan 18, 2026
The Prerequisites section lists 'Go 1.23+' but CONTRIBUTING.md specifies 'Go 1.25.5+'. These version requirements should be consistent across documentation.
| - Go 1.23+ (for local development) | |
| - Go 1.25.5+ (for local development) |
chendelin1982
left a comment
merge it
No description provided.