[CLAUDE] Docs: tick Phase 5 Prep items in migration-todos

Follow-up: the migration-todos Phase 5 section update was missed in the previous commit (the Edit was blocked by a system reminder). Re-applying it:
- Tick the 14 completed Prep items
- Split into 'Deploy thật (cần Gitea URL)' (real deployment, needs the Gitea URL) and 'Phase 5.1 Security hardening'

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Author: pqhuy1987
Date: 2026-04-21 12:58:08 +07:00
parent f3fb3fd565
commit 46a2cab788


@ -182,22 +182,44 @@
## Phase 5 — Production (T12-13) ## Phase 5 — Production (T12-13)
- [ ] `docs/guides/cicd.md` — CI/CD runbook ### Prep xong (code + scripts + docs)
- [ ] Gitea Actions workflow `.gitea/workflows/deploy.yml` — build .NET + 2 FE, deploy IIS qua SSH/WinRM
- [ ] Pin Node 20.x trong workflow, test CI sớm (không để surprise cuối dự án) - [x] `docs/guides/cicd.md` — CI/CD runbook
- [ ] `scripts/deploy-iis.ps1` — stop app pool, xcopy, start app pool - [x] Gitea Actions workflow `.gitea/workflows/deploy.yml` — build .NET + 2 FE, deploy IIS qua WinRM
- [x] Pin Node `.nvmrc` 20 (gotcha #5)
- [x] `scripts/deploy-iis.ps1` — stop pool → backup → xcopy → start → health check
- [x] `scripts/backup-sql.ps1` — daily BACKUP DATABASE + COMPRESSION + retention 30d
- [x] `appsettings.Production.json` template + user secrets pattern
- [x] Rate limiting (built-in .NET 10) — auth-login 5/min + global 300/min
- [x] Health check `/health/live` + `/health/ready` (DB probe)
- [x] Serilog File sink rolling daily retention 30d
- [x] HSTS production (1 year)
- [x] `docs/guides/deployment-iis.md` — setup lần đầu + troubleshooting
- [x] `docs/guides/security-checklist.md` — OWASP top 10
- [x] `docs/guides/runbook.md` — operations (restart, rollback, restore)
- [x] FE refresh token auto interceptor (queue pattern cả 2 app)
### Deploy thật (cần Gitea URL)
- [ ] Windows Server setup: IIS + URL Rewrite + ARR (reverse proxy FE → IIS) - [ ] Windows Server setup: IIS + URL Rewrite + ARR (reverse proxy FE → IIS)
- [ ] SQL Server prod: backup plan daily + weekly full - [ ] SQL Server prod + Task Scheduler trigger backup-sql.ps1
- [ ] HTTPS certificate (Let's Encrypt qua win-acme hoặc mua cert) - [ ] HTTPS certificate (Let's Encrypt qua win-acme)
- [ ] `appsettings.Production.json` + user secrets - [ ] Gitea remote setup + push all commits
- [ ] Security audit: owasp top 10 check - [ ] Set 5 Gitea Actions secrets (IIS_HOST/USER/PASSWORD/JWT_SECRET/DB_CONNECTION)
- [ ] Rate limiting middleware (AspNetCoreRateLimit hoặc built-in) - [ ] Enable Gitea runner (Windows + Ubuntu)
- [ ] Health check endpoint `/health` cho IIS probe - [ ] Test CI/CD workflow lần đầu staging
- [ ] Error tracking: Serilog → file rolling daily, retention 30 ngày
- [ ] Runbook: restart app, rollback migration, restore backup
- [ ] UAT production 1 tuần với 2-3 user thật - [ ] UAT production 1 tuần với 2-3 user thật
- [ ] Go-live checklist: backup, rollback plan, on-call contact - [ ] Go-live checklist: backup, rollback plan, on-call contact
### Phase 5.1 Security hardening
- [ ] Security headers middleware (X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy)
- [ ] Identity account lockout (5 fail → 15min lock) — config trong `DependencyInjection.cs`
- [ ] Password policy min 12 chars production
- [ ] IDOR check ContractsController — user Drafter chỉ xem HĐ mình tạo hoặc có role giữ phase
- [ ] Dependencies scan vào CI (`dotnet list package --vulnerable --include-transitive`, `npm audit --audit-level=high`)
- [ ] Admin mặc định: đổi password prod hoặc disable sau setup user thật
## Post-launch (Phase 6+ — future) ## Post-launch (Phase 6+ — future)
- [ ] E-signature integration (VNPT CA hoặc FPT CA) - [ ] E-signature integration (VNPT CA hoặc FPT CA)
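Review bot: the new "Phase 5.1 Security hardening" section is placed after "UAT production 1 tuần với 2-3 user thật" and the go-live checklist, so the default admin password change/disable, Identity account lockout, security headers and the ContractsController IDOR check would all still be open while real users are on the production host; at least the default-admin and IDOR items belong in "Deploy thật" ahead of the UAT line. Two of the ticked Prep items also need a caveat in the doc. "`appsettings.Production.json` template + user secrets pattern" is marked done, but .NET user secrets are a development-time store that is not read on an IIS production host, so the runbook should state where JWT_SECRET and DB_CONNECTION actually come from in production (environment variables on the app pool, or injection from the Gitea Actions secrets listed in the "Set 5 Gitea Actions secrets" line at deploy time) rather than implying user secrets cover it. And "HSTS production (1 year)" is ticked while "HTTPS certificate (Let's Encrypt qua win-acme)" is still open; a one-year max-age pins browsers to HTTPS for that whole period, so the deployment guide should make the HSTS header conditional on the certificate step being complete, and note whether includeSubDomains is set, before the first staging CI/CD run hits a real hostname.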