Files
datatools-dev/server/compose.test.yml
Michael bab2c9468c feat(server): mint API + Postgres schema + manual adapter (PR 1)
Source-agnostic license issuance service. FastAPI app fronts a
Postgres `licenses` table; the only currently-wired source is
`manual` (operator mints via /internal/mint). Gumroad webhook
adapter lands in PR 2.

Key design points:

- Signing reuses src/license/crypto.py via a COPY into the image
  (single source of truth — blobs minted server-side verify against
  the same embedded pubkey on the buyer's machine).
- Source adapter Protocol (app/adapters/base.py) is the seam for
  Gumroad / Lemon Squeezy / Stripe in later PRs; Mint API speaks
  only SaleEvent / RefundEvent.
- (source, source_order_id) UNIQUE composite gives idempotent
  webhook retries without double-mint.
- JSONB type uses with_variant(JSON, 'sqlite') so the same models
  drive both Postgres prod and SQLite tests (no testcontainers dep).
- Bearer-token auth on /internal/*; the IP-loopback guard was
  removed after the docker bridge made it fight legitimate prod
  traffic (nginx defense + Bearer remain).
- Secrets resolved via *_FILE env vars pointing at
  /run/secrets/<name>, so passwords never appear in `docker inspect`.

21 unit tests (SQLite in-memory, StaticPool) plus a real-Postgres
docker-compose smoke test in server/scripts/smoke.sh that builds the
image, runs the alembic migration, mints a license, verifies the
signature against the host dev pubkey, and checks the DB row.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 00:46:54 +00:00

42 lines
1.2 KiB
YAML

# Smoke-test compose. Stands the API + Postgres up in isolation,
# exercises a mint, tears everything down (volume included). Never
# meant for production — for that see docs/SETUP-LICENSE-SERVER.md.
#
# Ports map to 127.0.0.1 only so it can run on a host that already
# binds 5432 / 8090 to something else.
services:
postgres:
image: postgres:16-alpine
environment:
POSTGRES_DB: dt_test
POSTGRES_USER: dt_test
POSTGRES_PASSWORD: test_pw
ports:
- "127.0.0.1:15432:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U dt_test -d dt_test"]
interval: 2s
timeout: 2s
retries: 20
api:
build:
context: ..
dockerfile: server/Dockerfile
depends_on:
postgres:
condition: service_healthy
environment:
DATABASE_URL: postgresql+psycopg://dt_test:test_pw@postgres:5432/dt_test
DATATOOLS_ADMIN_TOKEN: test-admin-token
# No DATATOOLS_LICENSE_PRIVKEY — falls back to the in-tree
# dev keypair, matching what the desktop dev build expects.
ports:
- "127.0.0.1:18090:8000"
healthcheck:
test: ["CMD", "curl", "--fail", "--silent", "http://localhost:8000/health"]
interval: 5s
timeout: 3s
retries: 10