From 46a2cab7888695b549fedd3c4899b7d6fdbfaf2a Mon Sep 17 00:00:00 2001
From: pqhuy1987
Date: Tue, 21 Apr 2026 12:58:08 +0700
Subject: [PATCH] [CLAUDE] Docs: tick Phase 5 Prep items in migration-todos

Follow-up: the migration-todos Phase 5 section update was missed in the previous commit (the Edit was blocked by a system reminder). Re-applying:
- Tick the 14 completed Prep items
- Split 'Deploy that (can Gitea URL)' and 'Phase 5.1 Security hardening'

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 docs/changelog/migration-todos.md | 46 +++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/docs/changelog/migration-todos.md b/docs/changelog/migration-todos.md
index b40216f..a9a1efa 100644
--- a/docs/changelog/migration-todos.md
+++ b/docs/changelog/migration-todos.md
@@ -182,22 +182,44 @@ ## Phase 5 — Production (T12-13) -- [ ] `docs/guides/cicd.md` — CI/CD runbook -- [ ] Gitea Actions workflow `.gitea/workflows/deploy.yml` — build .NET + 2 FE, deploy IIS qua SSH/WinRM -- [ ] Pin Node 20.x trong workflow, test CI sớm (không để surprise cuối dự án) -- [ ] `scripts/deploy-iis.ps1` — stop app pool, xcopy, start app pool +### Prep xong (code + scripts + docs) + +- [x] `docs/guides/cicd.md` — CI/CD runbook +- [x] Gitea Actions workflow `.gitea/workflows/deploy.yml` — build .NET + 2 FE, deploy IIS qua WinRM +- [x] Pin Node `.nvmrc` 20 (gotcha #5) +- [x] `scripts/deploy-iis.ps1` — stop pool → backup → xcopy → start → health check +- [x] `scripts/backup-sql.ps1` — daily BACKUP DATABASE + COMPRESSION + retention 30d +- [x] `appsettings.Production.json` template + user secrets pattern +- [x] Rate limiting (built-in .NET 10) — auth-login 5/min + global 300/min +- [x] Health check `/health/live` + `/health/ready` (DB probe) +- [x] Serilog File sink rolling daily retention 30d +- [x] HSTS production (1 year) +- [x] `docs/guides/deployment-iis.md` — setup lần đầu + troubleshooting +- [x] `docs/guides/security-checklist.md` — OWASP top 10 +- [x] `docs/guides/runbook.md` — operations (restart, rollback, restore) +- [x] FE refresh token auto interceptor (queue pattern cả 2 app) + +### Deploy thật (cần Gitea URL) + - [ ] Windows Server setup: IIS + URL Rewrite + ARR (reverse proxy FE → IIS) -- [ ] SQL Server prod: backup plan daily + weekly full -- [ ] HTTPS certificate (Let's Encrypt qua win-acme hoặc mua cert) -- [ ] `appsettings.Production.json` + user secrets -- [ ] Security audit: owasp top 10 check -- [ ] Rate limiting middleware (AspNetCoreRateLimit hoặc built-in) -- [ ] Health check endpoint `/health` cho IIS probe -- [ ] Error tracking: Serilog → file rolling daily, retention 30 ngày -- [ ] Runbook: restart app, rollback migration, restore backup +- [ ] SQL Server prod + Task Scheduler trigger backup-sql.ps1 +- [ ] HTTPS certificate 
(Let's Encrypt qua win-acme) +- [ ] Gitea remote setup + push all commits +- [ ] Set 5 Gitea Actions secrets (IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION) +- [ ] Enable Gitea runner (Windows + Ubuntu) +- [ ] Test CI/CD workflow lần đầu staging - [ ] UAT production 1 tuần với 2-3 user thật - [ ] Go-live checklist: backup, rollback plan, on-call contact +### Phase 5.1 Security hardening + +- [ ] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy) +- [ ] Identity account lockout (5 fail → 15min lock) — config trong `DependencyInjection.cs` +- [ ] Password policy min 12 chars production +- [ ] IDOR check ContractsController — user Drafter chỉ xem HĐ mình tạo hoặc có role giữ phase +- [ ] Dependencies scan vào CI (`dotnet list package --vulnerable --include-transitive`, `npm audit --audit-level=high`) +- [ ] Admin mặc định: đổi password prod hoặc disable sau setup user thật + ## Post-launch (Phase 6+ — future) - [ ] E-signature integration (VNPT CA hoặc FPT CA)
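Review bot: the new `### Phase 5.1 Security hardening` section lands after the `- [ ] Go-live checklist` line, but most of its items (account lockout, the 12-char production password policy, the ContractsController IDOR check, and changing or disabling the default admin account) are pre-launch gates rather than post-launch work, and the same hunk removes the old `- [ ] Security audit: owasp top 10 check` item while ticking only the `docs/guides/security-checklist.md` document as done. Suggest moving those items above `- [ ] UAT production 1 tuần với 2-3 user thật`, or adding an explicit line under the Go-live checklist stating that Phase 5.1 must be complete before go-live, so a written checklist is not mistaken for an executed audit. Separately, the replacement line `- [ ] SQL Server prod + Task Scheduler trigger backup-sql.ps1` drops the "weekly full" backup from the removed line, and the ticked `scripts/backup-sql.ps1` item only describes daily backups with 30-day retention; restate the weekly full backup and a restore test if they are still intended, or note why daily-only is sufficient.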