chore: add GRACE semantic contracts across agent + backend + build scripts

- Add @RELATION/@RATIONALE/@REJECTED headers to agent modules
- Add GRACE contracts to backend services, models, schemas
- Update build.sh with single-image build commands (build:backend|frontend|agent)
- Update docker entrypoint: openssl rsa → openssl pkey (alg-agnostic)
- Add @RATIONALE to backend core modules (cot_logger, config_manager, ssl)
This commit is contained in:
2026-07-08 11:10:59 +03:00
parent b6b1e05567
commit f22b0cf41c
34 changed files with 452 additions and 263 deletions

View File

@@ -12,6 +12,13 @@
# @POST User identity verified and session tokens issued according to role scopes.
# @SIDE_EFFECT Writes last login timestamps and JIT-provisions external users.
# @DATA_CONTRACT [Credentials | ADFSClaims] -> [UserEntity | SessionToken]
# @RATIONALE Thin service layer between API routes and AuthRepository — encapsulates credential
# verification (password hashing), ADFS JIT provisioning, and session creation into
# a single orchestration class. This keeps route handlers free of auth business logic.
# @REJECTED Putting credential verification logic directly in API route handlers was rejected —
# it would be duplicated across local login, ADFS callback, and API-key auth paths.
# Authentication was kept separate from authorization (permission checks in middleware)
# to allow independent testing of each concern.
from datetime import UTC, datetime
from typing import Any