feat: add OAuth staging docker-compose and env template#137
Codecov Report: All modified and coverable lines are covered by tests.
Adding QA Active — beginning code review and manual verification.
cmeans left a comment
QA Review — PR #137
CI Status
All checks green: lint ✓, typecheck ✓, tests (3.10/3.11/3.12) ✓, codecov/patch ✓
Code Review Findings
1. SUBSTANTIVE — pull_policy: always contradicts build: .
docker-compose.oauth.yaml:28 — The awareness-oauth service has both build: . and pull_policy: always. pull_policy applies to image pulls, but build triggers a local build. This is misleading. Either remove pull_policy (since you're building), or uncomment the image: line and remove build.
2. SUBSTANTIVE — Shared Ollama volume default between prod and staging
docker-compose.oauth.yaml:131 — ollama-oauth defaults to ${AWARENESS_OLLAMA_DATA:-~/awareness-ollama}, same as production (docker-compose.yaml:118). The comment says "shares model cache to avoid re-download," but concurrent access from both stacks could corrupt data. Consider defaulting to ~/awareness-ollama-oauth, or documenting mutual exclusion.
3. OBSERVATION — Hardcoded AWARENESS_PUBLIC_URL
docker-compose.oauth.yaml:48 — AWARENESS_PUBLIC_URL=https://staging.mcpawareness.com is hardcoded rather than parameterized via ${AWARENESS_PUBLIC_URL:-https://staging.mcpawareness.com}. Inconsistent with the pattern used for other variables.
4. NIT — Example issuer in template
.env.oauth.example:5 — AWARENESS_OAUTH_ISSUER=https://thoughtful-saga-02-staging.authkit.app includes what appears to be a real WorkOS staging domain. Consider using a placeholder like https://your-app.authkit.app.
Manual Test Results
| # | Test | Result |
|---|---|---|
| 1 | Stack starts cleanly (3 containers healthy) | PASS |
| 2 | Briefing responds on staging port 8421 (JWT auth enforced, valid JSON) | PASS |
| 3 | Production unaffected on port 8420 | PASS |
| 4 | Clean teardown (down -v removes all containers/network) | PASS |
Verdict
4/4 manual tests pass. 2 substantive findings, 1 observation, 1 nit. Substantive items (#1 pull_policy, #2 shared Ollama volume) should be addressed before merge.
QA Audit — 4/4 manual tests pass, CI all green. 2 substantive findings posted in review (pull_policy contradiction, shared Ollama volume). Applying QA Failed pending resolution of substantive items.
Adds an isolated Docker Compose stack for testing OAuth/WorkOS AuthKit on a separate port (8421) without affecting production. Includes env template and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Remove pull_policy: always — contradicts build: . (SUBSTANTIVE #1)
2. Default Ollama volume to ~/awareness-ollama-oauth to avoid concurrent access with production (SUBSTANTIVE #2)
3. Parameterize AWARENESS_PUBLIC_URL with env var (OBSERVATION #3)
4. Replace real WorkOS domain with placeholder in template (NIT #4)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cmeans left a comment
QA Re-Review — PR #137 (Round 2)
Fix Verification
All 4 findings from Round 1 addressed in commit 85f5bd8:
| # | Severity | Finding | Status |
|---|---|---|---|
| 1 | SUBSTANTIVE | pull_policy: always contradicts build: . | FIXED — pull_policy removed |
| 2 | SUBSTANTIVE | Shared Ollama volume default | FIXED — defaults to ~/awareness-ollama-oauth, comment clarifies isolation |
| 3 | OBSERVATION | Hardcoded AWARENESS_PUBLIC_URL | FIXED — parameterized via ${AWARENESS_PUBLIC_URL:-...} |
| 4 | NIT | Real WorkOS domain in template | FIXED — replaced with https://your-app.authkit.app |
Additional Scan
No new issues introduced by fix commit. Verified:
- Localhost-only port binding preserved (127.0.0.1:8421:8421)
- Required env vars still use ?Set ...error syntax
- Postgres volume still isolated (~/awareness-oauth-pg)
- Resource limits and healthchecks intact
- Ollama behind profiles: [embeddings]
CI Status
All checks green: lint ✓, typecheck ✓, tests (3.10/3.11/3.12) ✓, codecov/patch ✓
Verdict
0 open findings. All substantive issues resolved. PR is ready for signoff.
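The checks in the two QA reviews above (build vs pull_policy, a volume default shared with production, a hardcoded public URL, localhost-only port binding, and secrets required via ${VAR:?...}) are mechanical enough to script. The linter below is an added example, not code from PR #137 or the project: it scans a compose file line by line without a YAML dependency, understanding only the flat two/four-space layout compose files normally use (long-form ports entries and YAML anchors are out of scope). The compose texts it runs over are constructed for the example; the variable names echo the PR, but the service contents and staging.example.com are placeholders.

```python
"""Added example (not from PR #137): a line-based compose linter encoding the
QA review checks. Only flat two/four-space compose layouts are understood."""
import re
from typing import Dict, List, Set

# Names that look like credentials: the stack should refuse to start without
# them (${VAR:?msg}) rather than default silently.
SECRET_HINT = re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY|CLIENT_ID", re.I)
# ${VAR}, ${VAR:-default}, ${VAR:?msg} ...; group 2 is the modifier, 3 its argument.
INTERP = re.compile(r"\$\{(\w+)(:\?|:-|:\+|\?|-|\+)?([^}]*)\}")
TOP = re.compile(r"^(\w+):")                       # top-level key (services:, networks:, ...)
SERVICE = re.compile(r"^  ([\w.-]+):\s*$")         # service name, two-space indent
KEY = re.compile(r"^    (\w+):\s*(.*)$")           # service-level key, four-space indent
ITEM = re.compile(r"^\s+-\s*\"?([^\"]*?)\"?\s*$")  # list entry under ports/environment/volumes


def parse_services(compose: str) -> Dict[str, dict]:
    """Collect per-service keys plus ports/environment/volumes list items."""
    services: Dict[str, dict] = {}
    top = cur = section = None
    for line in compose.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if t := TOP.match(line):
            top, cur = t.group(1), None
            continue
        if top != "services":
            continue
        if m := SERVICE.match(line):
            cur, section = m.group(1), None
            services[cur] = {"keys": {}, "ports": [], "environment": [], "volumes": []}
        elif (m := KEY.match(line)) and cur:
            key, val = m.groups()
            services[cur]["keys"][key] = val
            section = key if key in ("ports", "environment", "volumes") else None
        elif (m := ITEM.match(line)) and cur and section:
            services[cur][section].append(m.group(1))
    return services


def host_path(volume: str) -> str:
    """Host side of a host:container[:mode] bind, resolving ${VAR:-default} to the default."""
    if volume.startswith("${"):
        spec = volume[: volume.index("}") + 1]
        m = INTERP.fullmatch(spec)
        return m.group(3) if m and m.group(2) in (":-", "-") else spec
    return volume.split(":")[0]


def host_paths(compose: str) -> Set[str]:
    return {host_path(v) for s in parse_services(compose).values() for v in s["volumes"]}


def lint(staging: str, prod: str = "") -> List[str]:
    """Findings for the staging compose file, checked against production's volume defaults."""
    findings: List[str] = []
    prod_paths = host_paths(prod)
    for name, svc in parse_services(staging).items():
        keys = svc["keys"]
        if "build" in keys and "pull_policy" in keys:
            findings.append(f"{name}: pull_policy set alongside build: (pull_policy only affects image pulls)")
        for port in svc["ports"]:
            parts = port.split(":")
            if len(parts) < 3 or parts[0] != "127.0.0.1":
                findings.append(f"{name}: port {port} is bound on all interfaces; use 127.0.0.1:HOST:CONTAINER")
        for entry in svc["environment"]:
            var, _, val = entry.partition("=")
            m = INTERP.search(val)
            if val.startswith("http") and m is None:
                findings.append(f"{name}: {var} is hardcoded; parameterize as ${{{var}:-{val}}}")
            if SECRET_HINT.search(var):
                if m is None:
                    findings.append(f"{name}: {var} carries a literal value in the compose file")
                elif m.group(2) not in (":?", "?"):
                    findings.append(f"{name}: {var} should fail fast as ${{{var}:?...}} instead of defaulting")
        for vol in svc["volumes"]:
            path = host_path(vol)
            if path in prod_paths:
                findings.append(f"{name}: host path {path} is shared with the production stack")
    return findings


# Constructed sample compose files (not the PR's); only the variable names echo it.
PROD = """services:
  awareness:
    image: awareness:latest
    ports:
      - "127.0.0.1:8420:8420"
  ollama:
    image: ollama/ollama
    volumes:
      - ${AWARENESS_OLLAMA_DATA:-~/awareness-ollama}:/root/.ollama
"""
STAGING_BEFORE = """services:
  awareness-oauth:
    build: .
    pull_policy: always
    ports:
      - "8421:8421"
    environment:
      - AWARENESS_PUBLIC_URL=https://staging.example.com
      - AWARENESS_OAUTH_CLIENT_SECRET=${AWARENESS_OAUTH_CLIENT_SECRET}
  ollama-oauth:
    image: ollama/ollama
    profiles: [embeddings]
    volumes:
      - ${AWARENESS_OLLAMA_DATA:-~/awareness-ollama}:/root/.ollama
"""
STAGING_AFTER = STAGING_BEFORE.replace("    pull_policy: always\n", "") \
    .replace('"8421:8421"', '"127.0.0.1:8421:8421"') \
    .replace("=https://staging.example.com", "=${AWARENESS_PUBLIC_URL:-https://staging.example.com}") \
    .replace("${AWARENESS_OAUTH_CLIENT_SECRET}", "${AWARENESS_OAUTH_CLIENT_SECRET:?Set it in .env.oauth}") \
    .replace(":-~/awareness-ollama}", ":-~/awareness-ollama-oauth}")

if __name__ == "__main__":
    for f in lint(STAGING_BEFORE, PROD):
        print("FINDING:", f)
    print("after fix:", lint(STAGING_AFTER, PROD))
```

Run it directly and the "before" file yields five findings (the four review items that apply to compose plus the all-interfaces port binding); the "after" file, which applies the same fixes as commit 85f5bd8 is described as making, yields none. The shared-volume check needs the production compose text, which is why lint takes both files.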
QA Audit (Round 2) — All 4 round-1 findings verified fixed. CI all green. 0 open findings. Applying Ready for QA Signoff.
85f5bd8 to 04abe40
Summary
- docker-compose.oauth.yaml — isolated Docker Compose stack for testing OAuth/WorkOS AuthKit on port 8421 (separate containers, volumes, and tunnel from production)
- .env.oauth.example — template with all required/optional env vars for staging
- .env.oauth to .gitignore to prevent committing secrets
QA
Prerequisites
- .env.oauth.example to .env.oauth and fill in WorkOS values
- tunnel-oauth service)
Manual tests (via MCP tools)
Expected: awareness-oauth, postgres-oauth, and awareness-tunnel-oauth containers running and healthy
Expected: valid briefing JSON (may be empty if fresh database)
Expected: production briefing still works, separate from staging data
Expected: all staging containers and volumes removed
🤖 Generated with Claude Code