tracksolid_timescale_grafan.../.dockerignore

40 lines
562 B

fix(security,ingest): 260702 audit — secure the stack, correct poller counters

Security:
- .dockerignore + Dockerfile: stop baking .env / the 346MB OSM pbf into image layers; install pinned from uv.lock (reproducible builds) (SEC-04/05).
- docker-compose: DB port binds ${DB_BIND_ADDR:-127.0.0.1} — loopback-only by default; remote tooling moves to an SSH tunnel (SEC-01).
- webhook_receiver: CRITICAL startup warning + WEBHOOK_REQUIRE_TOKEN=1 fail-closed when JIMI_WEBHOOK_TOKEN is empty (SEC-02 / FIX-W01).

Correctness:
- FIX-M22/E07: capture cur.rowcount BEFORE RELEASE SAVEPOINT in poll_alarms/poll_trips/poll_parking — the RELEASE reported -1, producing "Alarms: -4 new events inserted" logs and negative ingestion_log.rows_inserted.
- FIX-W02: parse application/json push bodies (were silently dropped).
- FIX-W03: move webhook DB work off the event loop via asyncio.to_thread.
- FIX-M23: poll_trips phased so no txn/connection is held across Tracksolid + Nominatim (1 req/s) network calls.
- FIX-M24: sync_devices disables devices absent from every target (guarded).
- FIX-W04: reject device-clock-garbage alarm_time (2019 timestamps observed).
- get_token(): don't relabel already-aware timestamptz expiries (BUG-P9).

Observability/lifecycle:
- migration 21: v_ingest_health restricted to active pipeline endpoints so one-shot tools stop wedging /health/ingest at 'stale' (dry-run verified).
- FIX-M25: daily purge_audit_logs() trims ingestion_log (90d) + refresh_log (180d).
- remove orphaned duplicate migrations/10_driver_clock_views.sql; ruff lint config.

+5 webhook tests (82 pass). Report/plan/work-log in docs/reports/260702_*.

Local only; not deployed. CLAUDE.md fix-history edits left uncommitted (that file also carries unrelated in-progress edits).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-07-02 06:51:02 +00:00
# SEC-04: keep secrets and bulk artefacts out of image layers.
# The Dockerfile ends with `COPY . .` — everything not listed here ships in the image.
# Patterns follow Go filepath.Match rules anchored at the build-context root: `*` and `?`
# never cross a `/`, so a bare `*.pw` only excludes files in the root directory.
# Prefix with `**/` to match at any depth. `!` re-includes; the last matching line wins.
# Secrets — never in an image layer
**/.env
**/.env.*
**/*.pw
# VCS / local tooling
.git
.gitignore
.claude
.pytest_cache
.ruff_cache
.venv
**/__pycache__
**/*.pyc
**/*.pyo
**/.DS_Store
*.code-workspace
# Bulk data artefacts (rebuildable / operator-side only)
**/*.osm.pbf
**/*.geojson
csv/
data/
tools/data/
shell_stations.csv
# Not needed at runtime
docs/
tests/
agents/
db_audit/
legacy/
SOUL.md
README.md
CLAUDE.md
uv.lock.bak
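A `.dockerignore` is only as good as the patterns actually match, and the root-anchoring of `*` is easy to get wrong. The following is an added example, not code from this repository: a dry-run that applies Docker/BuildKit's matching rules (as implemented in moby/patternmatcher's MatchesOrParentMatches: Go filepath.Match semantics where `*` and `?` stop at `/`, `**/` spans directories, `!` re-includes, later rules override earlier ones) to a build-context listing and reports which secret-looking files would still reach `COPY . .`. The context listing, both rule sets, and the `SECRET_RULES` definition are constructed for the demonstration; the recursive rule set assumes `.env.example` is a secret-free template that is meant to ship.

```python
"""Dry-run a .dockerignore against a build-context listing.

Added example (not the project's own code). Reimplements the matching rules
Docker/BuildKit use (moby/patternmatcher, MatchesOrParentMatches): Go
filepath.Match semantics where '*' and '?' never cross '/', '**/' means zero
or more directories, '!' re-includes, and later rules win. The context
listing and the rule sets below are constructed for the demo.
"""
import posixpath
import re
from typing import List, Tuple

Rule = Tuple[bool, "re.Pattern[str]"]


def _to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one pattern into an anchored regex the way patternmatcher does."""
    out, i = "^", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*" and pattern[i + 1:i + 2] == "*":
            i += 2                                  # consume '**'
            if pattern[i:i + 1] == "/":
                i += 1                              # and its trailing '/'
            out += ".*" if i >= len(pattern) else "(.*/)?"
            continue
        if ch == "*":
            out += "[^/]*"                          # a single path component only
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
        i += 1
    return re.compile(out + "$")


def parse_dockerignore(text: str) -> List[Rule]:
    """Drop blanks and '#' comments; clean paths ('data/' -> 'data', '/x' -> 'x')."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negate = line.startswith("!")
        if negate:
            line = line[1:].strip()
        line = posixpath.normpath(line).lstrip("/")
        if line:
            rules.append((negate, _to_regex(line)))
    return rules


def matches(path: str, rules: List[Rule]) -> bool:
    """True if the rule set excludes `path`. A rule hits when it matches the
    path itself or any ancestor directory; later rules override earlier ones."""
    parts = path.split("/")
    candidates = [path] + ["/".join(parts[:i]) for i in range(1, len(parts))]
    matched = False
    for negate, regex in rules:
        if negate != matched:       # rule cannot change the outcome: skip it
            continue
        if any(regex.match(c) for c in candidates):
            matched = not negate
    return matched


# Constructed build-context listing (paths relative to the context root).
CONTEXT = [
    ".env", ".env.example", ".env.production", "api.pw",
    "app/__init__.py", "app/config/.env", "app/secrets/db.pw",
    "data/planet.osm.pbf", "tools/data/region.osm.pbf",
    "tests/test_webhook.py", "Dockerfile",
]

# Root-anchored patterns: '*' stops at '/', so nested secrets slip through.
ROOT_ONLY_RULES = """
.env
.env.*
*.pw
*.osm.pbf
data/
tests/
"""

# Recursive form; '!' re-includes the template (assumed secret-free).
RECURSIVE_RULES = """
**/.env
**/.env.*
!.env.example
**/*.pw
**/*.osm.pbf
data/
tests/
"""

# What counts as a secret for the leak report, in the same pattern language.
SECRET_RULES = """
**/.env
**/.env.*
!**/.env.example
**/*.pw
"""


def shipped_files(context: List[str], ignore_text: str) -> List[str]:
    """Paths that `COPY . .` would put into the image under this .dockerignore."""
    rules = parse_dockerignore(ignore_text)
    return [p for p in context if not matches(p, rules)]


def leaked_secrets(context: List[str], ignore_text: str) -> List[str]:
    """Shipped paths that look like secrets; an empty list is the goal."""
    secret = parse_dockerignore(SECRET_RULES)
    return [p for p in shipped_files(context, ignore_text) if matches(p, secret)]


if __name__ == "__main__":
    for name, text in (("root-only", ROOT_ONLY_RULES), ("recursive", RECURSIVE_RULES)):
        print(f"{name}: ships {shipped_files(CONTEXT, text)}")
        print(f"{name}: leaks {leaked_secrets(CONTEXT, text)}")
```

Feed `CONTEXT` from `git ls-files` or `find . -type f` to run it against a real tree. The dry-run catches pattern mistakes, but the authoritative check is still the built image itself, for example `docker run --rm --entrypoint find IMAGE / -name '.env' -o -name '*.pbf'`.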