diff --git a/backend/README.md b/backend/README.md
index 62adec3..88bae7f 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -35,6 +35,7 @@ backend/
 ```bash
 make install # uv venv + pip install -e .[dev]
 make db-up # docker compose up -d postgres
+make db-bootstrap # one-time: create the mimic_audit_writer role (see below)
 make db-migrate # alembic upgrade head
 make run # flask run (debug)
 make test # pytest unit
@@ -42,6 +43,20 @@ make test-int # pytest integration (testcontainers)
 make lint # ruff + mypy strict
 ```
 
+### Audit writer role (dev)
+
+`mimic_audit_writer` is provisioned by the Ansible playbook in production
+(decision D-010). For local development, create it manually after `make db-up`:
+
+```bash
+docker exec -it mimic-postgres psql -U mimic_app -d mimic \
+-c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'pick-a-dev-secret';"
+```
+
+Then expose the same secret in `MIMIC_DATABASE_AUDIT_URL` in your `.env`. The
+Alembic migration grants the INSERT-only permission on `audit_log` against
+this role; if it does not exist, the grant block is a no-op (idempotent).
+
 ## What sprint 0 ships
 
 - Full ยง8 data model + Alembic initial migration (Postgres-specific constraints: audit_log write-only role, soc_session hash, c2_credential Fernet column).
diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml
index 4aacd6d..54e6c70 100644
--- a/backend/docker-compose.yml
+++ b/backend/docker-compose.yml
@@ -11,7 +11,11 @@ services:
 - "127.0.0.1:5432:5432"
 volumes:
 - mimic_pgdata:/var/lib/postgresql/data
- - ./scripts/postgres-init:/docker-entrypoint-initdb.d:ro
+ # The `mimic_audit_writer` role is provisioned by the Ansible playbook
+ # in prod (D-010). For dev, create it manually after `make db-up`:
+ # docker exec -it mimic-postgres psql -U mimic_app -d mimic \
+ # -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '';"
+ # Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]
 interval: 5s
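Review bot: The password placeholder on the fourth added comment line is an empty literal, `PASSWORD '';`, which a reader can paste and run verbatim and end up with a role that has no usable password while `MIMIC_DATABASE_AUDIT_URL` still expects one; the README hunk for the same change uses `'pick-a-dev-secret'`, so the two instructions already disagree. Use an unmistakable placeholder instead, e.g. `#   -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '<pick-a-dev-secret>';"`. The README also advertises `make db-bootstrap` as the one-time step, whereas this comment tells the developer to run `docker exec` by hand; pointing the comment at the make target (`# For dev, run make db-bootstrap after make db-up (see README).`) keeps a single source of truth. The removed `./scripts/postgres-init` mount presumably carried the old bootstrap SQL, so confirm nothing else in that directory is still needed by the dev compose (inferred; only the mount line is visible). The postgres service definition starts above this hunk.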