Production adapter settings
Integrations console
A single operational settings surface manages the local DB/auth-ready contracts, provider modes and the production transition checklist.
Scenario contract
ScenarioStore.v1
The API shape is stable for the future DB adapter.
Role actors
5
Demo users map to future RBAC claims.
Provider modes
6
Mock/local providers show their production targets.
Preflight
1/5
Snapshot migration readiness before the real DB/auth cutover.
Transition steps
0/6
Closed gates versus infrastructure tasks.
Connection
0/4
Redacted endpoint readiness for selected adapter.
Integration Readiness Copilot
2/9 integration gates are ready for db-auth-session-adapter.
Recommended integration action
Record adapter connection evidence
Connection checks show 0/4; record the redacted endpoint packet before dry-run.
Provider contracts
6 local-to-production provider contracts are visible.
Session adapter
ScenarioStore.v1 runs with mock-auth-header for the local demo contract.
Migration preflight
Preflight is 1/5 with snapshot checksum bfg-eba94650.
Migration runbook
Runbook is 1/6 with decision BLOCKED_PENDING_PREFLIGHT.
Release handoff
Release is 3/5 with decision BLOCKED_PENDING_DRY_RUN.
Rollback drill
Rollback is 0/4 with decision BLOCKED_PENDING_DRY_RUN.
Integration blocker checklist
Production readiness decision
Infrastructure decision prompt
db-auth-session-adapter is selected for rehearsal, but BLOCKED_PENDING_DRY_RUN keeps real DB/auth cutover blocked until infrastructure owners choose the live provider.
Decision needed
Choose the real DB/auth provider before wiring production
Release gates show 3/5; data cutover remains 0/5. Keep demo evidence open, but do not claim production readiness.
Selected adapter target
db-auth-session-adapter
The target is ready for local replay, not live production traffic.
Auth/RBAC owner
OIDC/RBAC
OIDC, roles and secret handling need owner confirmation before code wiring.
Go/no-go decision
BLOCKED_PENDING_DRY_RUN
Local demo can proceed while production remains blocked.
Provider selection acceptance
Provider selection acceptance stub
Anna Kowalska must accept db-auth-session-adapter for live DB/auth wiring; BLOCKED_PENDING_DRY_RUN remains the only production decision.
Live DB/auth provider
db-auth-session-adapter
Anna Kowalska must choose the real provider contract for db-auth-session-adapter.
Auth/RBAC owner
OIDC/RBAC
Anna Kowalska must confirm roles, claims and secret handling before live users.
Tenant and secrets boundary
single-tenant-local
db-auth-session-adapter remains blocked until tenant isolation and managed secrets are accepted.
Live wiring go/no-go
BLOCKED_PENDING_DRY_RUN
BLOCKED_PENDING_DRY_RUN stays locked until the provider, auth and rollback owners sign off.
Infrastructure selection decision
ProductionInfrastructureDecision.v1 blocker
Anna Kowalska must choose hosting, region, runtime ownership and secrets/backup boundaries for db-auth-session-adapter; BLOCKED_PENDING_DRY_RUN remains locked until that decision.
Hosting provider and account
db-auth-session-adapter
Anna Kowalska must choose the live hosting account/provider before production traffic for db-auth-session-adapter.
Anna Kowalska is responsible for this infrastructure decision before real DB/auth wiring.
Region and data residency
EU region pending
EU region, data residency and backup locality must be confirmed before live DB/auth wiring.
Anna Kowalska is responsible for this infrastructure decision before real DB/auth wiring.
Runtime operations owner
Managed runtime pending
An on-call, deploy, monitoring and incident owner must be named for db-auth-session-adapter.
Anna Kowalska is responsible for this infrastructure decision before real DB/auth wiring.
Secrets and backup boundary
Secrets/backup pending
Managed secrets, backup/RPO and the restore owner must be accepted before BLOCKED_PENDING_DRY_RUN changes.
Anna Kowalska is responsible for this infrastructure decision before real DB/auth wiring.
Reviewer proof path
Use these routes to show the blocker, evidence and audit trail without pretending live infrastructure exists.
Guarded DB/auth wiring
ProductionDbAuthAdapterWiring.v1 preflight
Local contract wiring for db-auth-session-adapter can start after infrastructure acceptance (0/4); production traffic remains disabled until live credentials are provided.
Infrastructure acceptance
Requires accepted hosting, EU region, runtime owner and secrets/backup ownership for db-auth-session-adapter.
db-auth-session-adapter.infrastructureAcceptance
Endpoint contract
Uses the redacted adapter endpoint contract without a live external connection.
db-auth-session-adapter.endpointContract
Tenant context
Maps organization and tenant claims before any live database write.
db-auth-session-adapter.tenantContext
OIDC/RBAC claims
Prepares role claims for the MD, dispatcher, accountant, driver and client scopes.
db-auth-session-adapter.oidcRbacClaims
RLS policy draft
Confirms the tenant-scoped RLS policy plan for migration review.
db-auth-session-adapter.rlsPolicyDraft
Secrets and backup boundary
Keeps secrets, backup/RPO and restore ownership as accepted in the infrastructure decision.
db-auth-session-adapter.secretsBackupBoundary
Live credentials
Blocked until human-reviewed provider credentials exist outside the local demo workspace.
db-auth-session-adapter.liveCredentials
Production traffic disabled
Decision=BLOCKED_PENDING_INFRASTRUCTURE_OR_CREDENTIALS; traffic=production_traffic_disabled. Live credentials and secrets are absent from the MVP workspace.
Preflight not run; infrastructure status: blocked.
Provider contracts
Mock-first providers with production targets
Every external dependency has a local MVP mode and a named replacement path for production.
Scenario store
Today it stores the demo scenario and defines the future DB session contract.
Current mode
file-local
Target mode
Postgres/RLS
Auth and RBAC
Role headers drive the MVP and preserve the user, tenant and permission boundaries.
Current mode
mock-auth-header
Target mode
OIDC/RBAC
Document intelligence
Local OCR outputs have the shape of production extraction responses.
Current mode
local-ocr
Target mode
Document AI
KSeF e-invoice
Mock invoice packages keep the finance flow ready for the regulated API.
Current mode
mock-ksef
Target mode
KSeF API
Maps and ETA
The local ETA logic can be replaced with a live maps and traffic provider.
Current mode
local-eta
Target mode
Maps/ETA API
Driver offline sync
The service worker and trip cache define the future background-sync boundary.
Current mode
service-worker
Target mode
Background sync
Live session
Current adapter state
Storage adapter
file-local
Auth mode
mock-auth-header
Tenant mode
single-tenant-local
Last write
Nothing written yet
RBAC map
Actors by role
The same actor ids and permissions pass through the Scenario API headers and can become auth claims.
Anna Kowalska
user_md_anna · BFG Control
Marek Zielinski
user_dispatcher_marek · Dispatch desk
Olena Shevchenko
user_accountant_olena · Finance
Petro Tarasenko
driver_tarasenko · BFG Driver
Lviv Farma Distribution
cp_client_lviv_farma · Client Portal
Production transition
DB/auth migration checklist
Accept the owner-led cutover rehearsal so that the DB/auth checklist becomes audit evidence.
Contracts locked in
The scenario envelope, actor headers and metadata fields are covered by smoke tests.
Owner: Anna Kowalska · Manager
Role headers mapped
Managing Director, Dispatcher, Accountant, Driver and Client contexts are visible.
Owner: Marek Zielinski · Dispatcher
Scenario Store rehearsal
Confirm the file-local adapter payload for DB replay.
Owner: Marek Zielinski · Dispatcher
DB schema
Create tenant, user, permission and scenario-state tables for the production adapter.
Owner: Olena Shevchenko · Accountant
Secrets and auth
Connect the chosen OIDC/RBAC provider without requiring paid keys for the MVP.
Owner: Olena Shevchenko · Accountant
Migration and rollback
Move the local demo state into the DB adapter and keep a rollback path for the demo.
Owner: Anna Kowalska · Manager
Adapter decision board
Production adapter decision board
Shows DB/auth adapter choice, environment readiness, secrets, schema, migration, rollback and owner approvals before production cutover.
Adapter selection status
db-auth-session-adapter
Staging target is explicitly selected while the local MVP keeps the file adapter for demos.
Owner
Anna Kowalska
Manager
Evidence
Target locked
Environment readiness
Staging to production
Contracts and replayable Scenario Store payload must be accepted before the DB/auth environment opens.
Owner
Marek Zielinski
Dispatcher
Evidence
0/2 checks accepted
Secrets and RBAC owner
OIDC/RBAC handoff
Role headers and secret handling must both be accepted before real user auth is wired.
Owner
Olena Shevchenko
Accountant
Evidence
0/2 checks accepted
Schema and RLS
Postgres/RLS
Tenant, user, permission and scenario-state tables need owner acceptance before adapter migration.
Owner
Olena Shevchenko
Accountant
Evidence
0/1 checks accepted
Migration dry-run
Seed backfill rehearsal
The local demo state needs a dry-run path into the DB adapter before reviewer cutover.
Owner
Anna Kowalska
Manager
Evidence
0/1 checks accepted
Rollback window
File-local fallback
Keep the file-local adapter ready until migration and replay evidence are accepted together.
Owner
Anna Kowalska
Manager
Evidence
0/2 checks accepted
Release owner approvals
6 owner checks
All owner-led cutover rehearsals must be accepted before production release sign-off.
Owner
Anna Kowalska
Manager
Evidence
0/6 checks accepted
Migration runbook
Production migration runbook
Portable SQL/RLS outline and operator checklist for replaying the current ScenarioStore snapshot into the selected DB/auth adapter without live secrets.
Freeze snapshot
0 / bfg-feb1d61b
Carry BFGScenarioSnapshot.v1 rows and checksum into the migration packet.
Schema and RLS
0/6
Tenant, user, snapshot and audit tables are mapped for the selected adapter.
Actor claims
5
Demo actors and permissions become future DB/auth claims.
Adapter replay
0/4 + 0/5
Connection and dry-run evidence prove the target can replay the payload.
Checksum verification
1/5
Preflight readiness and checksum close the migration verification loop.
Rollback seal
BLOCKED_PENDING_DRY_RUN
Release and rollback decisions remain bound to the local fallback adapter.
ProductionAdapterMigrationRunbook.v1 SQL Outline
ProductionAdapterMigrationRunbook.v1 targets db-auth-session-adapter with checksum bfg-feb1d61b; keep it as a reviewer-safe migration rehearsal outline until real infrastructure is connected.
-- ProductionAdapterMigrationRunbook.v1
-- source=BFGScenarioSnapshot.v1
-- target=db-auth-session-adapter
-- session=grant-demo-local
-- checksum=bfg-feb1d61b
-- rows=0
-- runbook_decision=BLOCKED_PENDING_PREFLIGHT
create schema if not exists bfg_flowcontrol;
create table if not exists bfg_flowcontrol.tenants (
  tenant_id text primary key,
  name text not null,
  created_at timestamptz not null default now()
);
create table if not exists bfg_flowcontrol.users (
  user_id text primary key,
  tenant_id text not null references bfg_flowcontrol.tenants(tenant_id),
  role_key text not null,
  display_name text not null,
  permissions text[] not null default '{}'
);
create table if not exists bfg_flowcontrol.scenario_snapshots (
  snapshot_id text primary key,
  tenant_id text not null references bfg_flowcontrol.tenants(tenant_id),
  checksum text not null,
  schema_version text not null,
  payload jsonb not null,
  created_at timestamptz not null default now()
);
create table if not exists bfg_flowcontrol.audit_events (
  event_id text primary key,
  tenant_id text not null references bfg_flowcontrol.tenants(tenant_id),
  actor_id text not null references bfg_flowcontrol.users(user_id),
  source text not null,
  payload jsonb not null,
  created_at timestamptz not null default now()
);
alter table bfg_flowcontrol.users enable row level security;
alter table bfg_flowcontrol.scenario_snapshots enable row level security;
alter table bfg_flowcontrol.audit_events enable row level security;
drop policy if exists bfg_tenant_users on bfg_flowcontrol.users;
drop policy if exists bfg_tenant_snapshots on bfg_flowcontrol.scenario_snapshots;
drop policy if exists bfg_tenant_audit on bfg_flowcontrol.audit_events;
create policy bfg_tenant_users on bfg_flowcontrol.users
  using (tenant_id = current_setting('bfg.tenant_id', true));
create policy bfg_tenant_snapshots on bfg_flowcontrol.scenario_snapshots
  using (tenant_id = current_setting('bfg.tenant_id', true));
create policy bfg_tenant_audit on bfg_flowcontrol.audit_events
  using (tenant_id = current_setting('bfg.tenant_id', true));
Runbook decision BLOCKED_PENDING_PREFLIGHT; 1/6 migration checks are ready.
Data cutover
Production data cutover console
Turns the migration runbook into batch evidence for tenant, operations, finance and audit before live DB/auth is connected.
Tenant and RBAC seed
5 actors
Demo actors and permissions become the first tenant/user seed.
Operations replay
0 rows
Orders, driver events, client requests and dispatch evidence can be replayed.
Finance ledger
0 rows
KSeF and payment events are separated for the finance migration.
Audit trail
0 rows
Risk, cutover, connection, dry-run and sign-off evidence stay together.
Snapshot freeze
0 rows
BFGScenarioSnapshot.v1 rows and checksum are recorded.
Tenant/RLS seed
1/6
Runbook tables and the RLS outline are ready for the adapter.
Batch replay
0/4 + 0/5
Connection and dry-run prove a safe payload replay.
Audit parity
1/4
All batch groups have data and preflight evidence.
Rollback seal
BLOCKED_PENDING_DRY_RUN
Release and rollback keep the file-local fallback explicit.
ProductionDataCutoverPlan.v1 packet
db-auth-session-adapter packs 5 batch rows with checksum bfg-e7a2d068; this is a safe data cutover plan until production infrastructure is chosen.
ProductionDataCutoverPlan.v1 target=db-auth-session-adapter session=grant-demo-local snapshot_schema=BFGScenarioSnapshot.v1 snapshot_checksum=bfg-e7a2d068 snapshot_rows=0 batch_rows=5 batches=1/4 steps=0/5 connection=0/4 dry_run=0/5 runbook_decision=BLOCKED_PENDING_PREFLIGHT release_decision=BLOCKED_PENDING_DRY_RUN rollback_decision=BLOCKED_PENDING_DRY_RUN cutover_decision=BLOCKED_PENDING_DATA_CUTOVER
Decision BLOCKED_PENDING_DATA_CUTOVER; 0/5 cutover checks and 1 batch group are ready.
Adapter connection
Production adapter connection wizard
Record redacted endpoint, TLS/RBAC and write-probe evidence without storing secrets.
Endpoint reachability
Selected adapter endpoint is named and reachable.
Waiting for connection check
TLS fingerprint
Certificate fingerprint is reviewer-safe.
Waiting for connection check
RBAC session
Demo actor claims map to tenant/user boundary.
Waiting for connection check
Write probe
No-secret write/read probe can be replayed before cutover.
Waiting for connection check
ProductionAdapterConnection.v1 packet
Adapter target
db-auth-session-adapter
Redacted endpoint
Not recorded
Endpoint fingerprint
Fingerprint not recorded
Record the packet once endpoint reachability, TLS, RBAC and write probe are confirmed.
Adapter dry-run
Production adapter dry-run transcript
Local transcript replay of the file-backed scenario into the selected DB/auth adapter contract without live infrastructure.
Scenario snapshot export
Captures orders, driver events, finance events and reviewer evidence before migration.
Awaiting dry-run
Schema map validation
Maps Scenario Store fields to tenant, user, order, document and audit tables.
Awaiting dry-run
RBAC claims rehearsal
Replays demo actor ids as future auth claims with role permissions.
Awaiting dry-run
Adapter replay transcript
Write/read the scenario payload through the selected DB/auth adapter contract.
Awaiting dry-run
Rollback checkpoint
Keeps the file-local fallback and replay id until production approval.
Awaiting dry-run
ProductionAdapterDryRun.v1 checkpoint
db-auth-session-adapter
Run the dry-run to save a replayable adapter checkpoint for reviewers.
Migration preflight
Snapshot migration preflight
Reviewer-safe DB/auth rehearsal report built from the current BFGScenarioSnapshot.v1 payload, adapter target and rollback evidence.
Snapshot payload
0 rows
BFGScenarioSnapshot.v1 is recorded with row count and checksum.
Schema map
1/7
The adapter decision and cutover evidence define the tenant/user/order/document/audit tables.
RBAC claims
5 actors
Demo actor ids and permissions are ready to become auth claims.
Adapter replay
0/5
ProductionAdapterDryRun.v1 confirms write/read compatibility for the selected adapter.
Rollback evidence
Blocked
Release and rollback packets keep the file-local fallback explicit.
ProductionAdapterMigrationPreflight.v1 report
BFGScenarioSnapshot.v1 has 0 rows and checksum bfg-eba94650; use the report for the DB/auth migration rehearsal before live infrastructure.
ProductionAdapterMigrationPreflight.v1 schema=BFGScenarioSnapshot.v1 target=db-auth-session-adapter session=grant-demo-local checksum=bfg-eba94650 rows=0 adapter_contract=ScenarioStore.v1 dry_run=0/5 connection=0/4 rollback_decision=BLOCKED_PENDING_DRY_RUN
Release handoff
Production release env export
The reviewer-ready env shows the local adapter mode, target, rollback owner and go/no-go decision.
Env variables
9
Nine release values come from session metadata.
Adapter target
1/7
The selected DB/auth target is visible.
Dry-run transcript
0/5
The replay transcript proves local payload compatibility.
Rollback
file-local
The fallback adapter remains explicit.
Owner evidence
0/6
Cutover owner checks are linked to the Scenario Store.
Release env block
BFG_RELEASE_ENVIRONMENT=local-demo BFG_RELEASE_TARGET=db-auth-session-adapter BFG_SCENARIO_ADAPTER=ScenarioStore.v1 BFG_STORAGE_ADAPTER=file-local BFG_AUTH_MODE=mock-auth-header BFG_TENANT_MODE=single-tenant-local BFG_ROLLBACK_OWNER=user_md_anna BFG_RELEASE_EVIDENCE=ProductionAdapterDryRun.v1 BFG_RELEASE_DECISION=BLOCKED_PENDING_DRY_RUN
Decision BLOCKED_PENDING_DRY_RUN; 3/5 release handoff gates are ready.
Rollback drill
Production rollback drill
Ops verifies the fallback owner, storage adapter and audit packet before the real infrastructure cutover.
Freeze window
BLOCKED_PENDING_DRY_RUN
Production remains blocked until the local go/no-go decision is verified.
Owner ack
Anna Kowalska
The Managing Director owns the rollback decision and the audit packet.
Storage fallback
file-local
The file-local adapter remains the explicit rollback path.
Audit packet
ProductionRollbackDrill.v1
Release and rollback evidence are linked in a single export packet.
Rollback audit packet
BFG_ROLLBACK_DECISION=BLOCKED_PENDING_DRY_RUN BFG_ROLLBACK_OWNER=user_md_anna BFG_ROLLBACK_STORAGE=file-local BFG_ROLLBACK_AUTH=mock-auth-header BFG_ROLLBACK_EVIDENCE=ProductionReleaseHandoff.v1 BFG_ROLLBACK_PACKET=ProductionRollbackDrill.v1
Decision BLOCKED_PENDING_DRY_RUN; 0/4 rollback checks are ready for Anna Kowalska.
Environments
Adapter rollout plan
Local demo
file-local
Runs today with file-local scenario state and mock provider contracts.
Staging
db-auth-session-adapter
Next target for DB persistence, auth claims and provider secrets.
Production
tenant-rbac-adapter
The final tenant-scoped adapter with real auth and provider audit logs.