@polymorphism-tech/morph-spec 2.4.0 → 3.0.0

package/content/.azure/pipelines/prod-pipeline.yml

@@ -1,319 +1,319 @@
-# ==============================================================================
-# MORPH-SPEC - Production Pipeline
-# Deployment to Azure Container Apps with manual approval and always-on
-# ==============================================================================
-
-trigger:
-  branches:
-    include:
-      - main
-      - master
-
-pr: none  # No PR builds for prod
-
-variables:
-  - template: pipeline-variables.yml
-  - name: environment
-    value: 'prod'
-  - name: resourceGroupName
-    value: 'rg-$(APP_NAME)-prod'
-  - name: containerAppName
-    value: 'ca-$(APP_NAME)-prod'
-  - name: hostingType
-    value: 'containerapp'
-  - name: parametersFile
-    value: 'content/.morph/templates/infra/parameters.prod.json'
-  - name: imageName
-    value: '$(APP_NAME)'
-  - name: imageFullName
-    value: '$(containerRegistry)/$(imageName):$(imageTag)'
-
-stages:
-  # ===========================================================================
-  # STAGE 1: Build & Test
-  # ===========================================================================
-  - stage: Build
-    displayName: 'Build & Test'
-    jobs:
-      - job: BuildJob
-        displayName: 'Build .NET Application'
-        pool:
-          vmImage: 'ubuntu-latest'
-        steps:
-          - checkout: self
-            fetchDepth: 1
-
-          - template: templates/build-dotnet.yml
-            parameters:
-              dotnetVersion: $(dotnetVersion)
-              buildConfiguration: $(buildConfiguration)
-              runTests: true
-              publishArtifact: false
-
-  # ===========================================================================
-  # STAGE 2: Security Scan
-  # ===========================================================================
-  - stage: SecurityScan
-    displayName: 'Security Scan'
-    dependsOn: Build
-    condition: succeeded()
-    jobs:
-      - job: SecurityScanJob
-        displayName: 'Run Security Scans'
-        pool:
-          vmImage: 'ubuntu-latest'
-        steps:
-          - checkout: self
-            fetchDepth: 1
-
-          - task: DotNetCoreCLI@2
-            displayName: 'Restore packages'
-            inputs:
-              command: 'restore'
-
-          - task: PowerShell@2
-            displayName: 'Check for vulnerable packages'
-            inputs:
-              targetType: 'inline'
-              script: |
-                Write-Host "🔍 Scanning for vulnerable NuGet packages..."
-                dotnet list package --vulnerable --include-transitive
-
-                if ($LASTEXITCODE -ne 0) {
-                  Write-Warning "⚠️ Vulnerable packages found. Review before deploying to production."
-                }
-
-  # ===========================================================================
-  # STAGE 3: Deploy Infrastructure
-  # ===========================================================================
-  - stage: DeployInfra
-    displayName: 'Deploy Infrastructure'
-    dependsOn: SecurityScan
-    condition: succeeded()
-    jobs:
-      - deployment: DeployInfraJob
-        displayName: 'Deploy Bicep Templates'
-        pool:
-          vmImage: 'ubuntu-latest'
-        environment: 'production'  # Requires manual approval in Azure DevOps
-        strategy:
-          runOnce:
-            deploy:
-              steps:
-                - checkout: self
-                  fetchDepth: 1
-
-                - template: templates/infra-deploy.yml
-                  parameters:
-                    azureSubscription: 'Azure-Prod-Connection'
-                    resourceGroupName: $(resourceGroupName)
-                    location: $(azureLocation)
-                    environment: $(environment)
-                    appName: $(APP_NAME)
-                    hostingType: $(hostingType)
-                    bicepTemplateFile: $(bicepTemplateFile)
-                    parametersFile: $(parametersFile)
-
-  # ===========================================================================
-  # STAGE 4: Build and Push Container
-  # ===========================================================================
-  - stage: BuildContainer
-    displayName: 'Build Container'
-    dependsOn: DeployInfra
-    condition: succeeded()
-    jobs:
-      - job: BuildContainerJob
-        displayName: 'Build and Push Docker Image'
-        pool:
-          vmImage: 'ubuntu-latest'
-        steps:
-          - checkout: self
-            fetchDepth: 1
-
-          - task: Docker@2
-            displayName: 'Build and push container'
-            inputs:
-              containerRegistry: 'ACR-Connection'
-              repository: '$(imageName)'
-              command: 'buildAndPush'
-              Dockerfile: '$(dockerfilePath)'
-              tags: |
-                $(imageTag)
-                prod-latest
-                $(Build.BuildId)
-
-          - task: AzureCLI@2
-            displayName: 'Scan image for vulnerabilities (Microsoft Defender)'
-            continueOnError: false  # Fail on vulnerabilities in prod
-            inputs:
-              azureSubscription: 'Azure-Prod-Connection'
-              scriptType: 'bash'
-              scriptLocation: 'inlineScript'
-              inlineScript: |
-                echo "🔍 Scanning image for vulnerabilities..."
-                # Add your security scanning tool here (e.g., Trivy, Defender for Containers)
-                # az acr scan --name $(ACR_NAME) --image $(imageName):$(imageTag)
-
-  # ===========================================================================
-  # STAGE 5: Deploy to Production (Blue-Green)
-  # ===========================================================================
-  - stage: DeployApp
-    displayName: 'Deploy to Production'
-    dependsOn: BuildContainer
-    condition: succeeded()
-    jobs:
-      - deployment: DeployAppJob
-        displayName: 'Deploy Container App'
-        pool:
-          vmImage: 'ubuntu-latest'
-        environment: 'production'  # Requires manual approval
-        strategy:
-          runOnce:
-            deploy:
-              steps:
-                - checkout: self
-                  fetchDepth: 1
-
-                # Create new revision
-                - template: templates/deploy-container-app.yml
-                  parameters:
-                    azureSubscription: 'Azure-Prod-Connection'
-                    containerAppName: $(containerAppName)
-                    resourceGroupName: $(resourceGroupName)
-                    containerRegistry: $(containerRegistry)
-                    imageName: $(imageName)
-                    imageTag: $(imageTag)
-                    acrServiceConnection: 'ACR-Connection'
-                    healthCheckUrl: '/health'
-                    healthCheckTimeout: 300
-
-                # Wait before activating
-                - task: PowerShell@2
-                  displayName: 'Monitor new revision (5 min)'
-                  inputs:
-                    targetType: 'inline'
-                    script: |
-                      Write-Host "⏳ Monitoring new revision for 5 minutes before activating..."
-                      Start-Sleep -Seconds 300
-                      Write-Host "✅ Monitoring period complete"
-
-  # ===========================================================================
-  # STAGE 6: Smoke Tests in Production
-  # ===========================================================================
-  - stage: SmokeTests
-    displayName: 'Production Smoke Tests'
-    dependsOn: DeployApp
-    condition: succeeded()
-    jobs:
-      - job: SmokeTestsJob
-        displayName: 'Run Production Smoke Tests'
-        pool:
-          vmImage: 'ubuntu-latest'
-        steps:
-          - task: AzureCLI@2
-            displayName: 'Get Container App URL'
-            name: getUrl
-            inputs:
-              azureSubscription: 'Azure-Prod-Connection'
-              scriptType: 'bash'
-              scriptLocation: 'inlineScript'
-              inlineScript: |
-                FQDN=$(az containerapp show \
-                  --name $(containerAppName) \
-                  --resource-group $(resourceGroupName) \
-                  --query properties.configuration.ingress.fqdn -o tsv)
-
-                APP_URL="https://$FQDN"
-                echo "##vso[task.setvariable variable=appUrl]$APP_URL"
-                echo "Production URL: $APP_URL"
-
-          - task: PowerShell@2
-            displayName: 'Critical smoke tests'
-            inputs:
-              targetType: 'inline'
-              script: |
-                $appUrl = "$(appUrl)"
-
-                Write-Host "🧪 Running CRITICAL smoke tests in PRODUCTION"
-                Write-Host "URL: $appUrl"
-
-                $criticalEndpoints = @(
-                  @{Path="/health"; Description="Health Check"},
-                  @{Path="/health/ready"; Description="Readiness Check"},
-                  @{Path="/"; Description="Home Page"}
-                )
-
-                $failed = $false
-                foreach ($endpoint in $criticalEndpoints) {
-                  $url = "$appUrl$($endpoint.Path)"
-                  try {
-                    $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
-                    Write-Host "✅ $($endpoint.Description): $($response.StatusCode)"
-                  }
-                  catch {
-                    Write-Error "❌ $($endpoint.Description) FAILED: $_"
-                    $failed = $true
-                  }
-                }
-
-                if ($failed) {
-                  Write-Error "❌ CRITICAL: Smoke tests failed in production!"
-                  exit 1
-                }
-
-                Write-Host "✅ All critical smoke tests passed!"
-
-          - task: AzureCLI@2
-            displayName: 'Monitor metrics'
-            inputs:
-              azureSubscription: 'Azure-Prod-Connection'
-              scriptType: 'bash'
-              scriptLocation: 'inlineScript'
-              inlineScript: |
-                echo "📊 Production Deployment Metrics:"
-
-                # Get replica count
-                REPLICAS=$(az containerapp revision list \
-                  --name $(containerAppName) \
-                  --resource-group $(resourceGroupName) \
-                  --query "[?properties.active].properties.replicas" -o tsv)
-
-                echo "Active Replicas: $REPLICAS"
-
-                # Show active revisions
-                az containerapp revision list \
-                  --name $(containerAppName) \
-                  --resource-group $(resourceGroupName) \
-                  --query "[?properties.active].{Name:name, Traffic:properties.trafficWeight, Replicas:properties.replicas}" \
-                  --output table
-
-          - task: AzureCLI@2
-            displayName: 'Deployment summary'
-            inputs:
-              azureSubscription: 'Azure-Prod-Connection'
-              scriptType: 'bash'
-              scriptLocation: 'inlineScript'
-              inlineScript: |
-                echo "╔════════════════════════════════════════════════════════════════╗"
-                echo "║          PRODUCTION DEPLOYMENT SUCCESSFUL                      ║"
-                echo "╚════════════════════════════════════════════════════════════════╝"
-                echo ""
-                echo "🌐 Application URL: $(appUrl)"
-                echo "📊 Environment: $(environment)"
-                echo "🐳 Container Image: $(imageFullName)"
-                echo "💰 Hosting: Container Apps (always-on) - ~$10-20/month"
-                echo "📦 Resource Group: $(resourceGroupName)"
-                echo "🏷️  Version: $(imageTag)"
-                echo ""
-                echo "⚠️  IMPORTANT:"
-                echo "  1. Monitor Application Insights for errors"
-                echo "  2. Watch for performance degradation"
-                echo "  3. Have rollback plan ready"
-                echo "  4. Monitor costs in Azure Portal"
-                echo ""
-                echo "🔄 Rollback command (if needed):"
-                echo "  az containerapp revision activate \\"
-                echo "    --name $(containerAppName) \\"
-                echo "    --resource-group $(resourceGroupName) \\"
-                echo "    --revision <PREVIOUS_REVISION_NAME>"
-                echo ""
+# ==============================================================================
+# MORPH-SPEC - Production Pipeline
+# Deployment to Azure Container Apps with manual approval and always-on
+# ==============================================================================
+
+trigger:
+  branches:
+    include:
+      - main
+      - master
+
+pr: none  # No PR builds for prod
+
+variables:
+  - template: pipeline-variables.yml
+  - name: environment
+    value: 'prod'
+  - name: resourceGroupName
+    value: 'rg-$(APP_NAME)-prod'
+  - name: containerAppName
+    value: 'ca-$(APP_NAME)-prod'
+  - name: hostingType
+    value: 'containerapp'
+  - name: parametersFile
+    value: 'content/.morph/templates/infra/parameters.prod.json'
+  - name: imageName
+    value: '$(APP_NAME)'
+  - name: imageFullName
+    value: '$(containerRegistry)/$(imageName):$(imageTag)'
+
+stages:
+  # ===========================================================================
+  # STAGE 1: Build & Test
+  # ===========================================================================
+  - stage: Build
+    displayName: 'Build & Test'
+    jobs:
+      - job: BuildJob
+        displayName: 'Build .NET Application'
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - checkout: self
+            fetchDepth: 1
+
+          - template: templates/build-dotnet.yml
+            parameters:
+              dotnetVersion: $(dotnetVersion)
+              buildConfiguration: $(buildConfiguration)
+              runTests: true
+              publishArtifact: false
+
+  # ===========================================================================
+  # STAGE 2: Security Scan
+  # ===========================================================================
+  - stage: SecurityScan
+    displayName: 'Security Scan'
+    dependsOn: Build
+    condition: succeeded()
+    jobs:
+      - job: SecurityScanJob
+        displayName: 'Run Security Scans'
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - checkout: self
+            fetchDepth: 1
+
+          - task: DotNetCoreCLI@2
+            displayName: 'Restore packages'
+            inputs:
+              command: 'restore'
+
+          - task: PowerShell@2
+            displayName: 'Check for vulnerable packages'
+            inputs:
+              targetType: 'inline'
+              script: |
+                Write-Host "🔍 Scanning for vulnerable NuGet packages..."
+                dotnet list package --vulnerable --include-transitive
+
+                if ($LASTEXITCODE -ne 0) {
+                  Write-Warning "⚠️ Vulnerable packages found. Review before deploying to production."
+                }
+
+  # ===========================================================================
+  # STAGE 3: Deploy Infrastructure
+  # ===========================================================================
+  - stage: DeployInfra
+    displayName: 'Deploy Infrastructure'
+    dependsOn: SecurityScan
+    condition: succeeded()
+    jobs:
+      - deployment: DeployInfraJob
+        displayName: 'Deploy Bicep Templates'
+        pool:
+          vmImage: 'ubuntu-latest'
+        environment: 'production'  # Requires manual approval in Azure DevOps
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                  fetchDepth: 1
+
+                - template: templates/infra-deploy.yml
+                  parameters:
+                    azureSubscription: 'Azure-Prod-Connection'
+                    resourceGroupName: $(resourceGroupName)
+                    location: $(azureLocation)
+                    environment: $(environment)
+                    appName: $(APP_NAME)
+                    hostingType: $(hostingType)
+                    bicepTemplateFile: $(bicepTemplateFile)
+                    parametersFile: $(parametersFile)
+
+  # ===========================================================================
+  # STAGE 4: Build and Push Container
+  # ===========================================================================
+  - stage: BuildContainer
+    displayName: 'Build Container'
+    dependsOn: DeployInfra
+    condition: succeeded()
+    jobs:
+      - job: BuildContainerJob
+        displayName: 'Build and Push Docker Image'
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - checkout: self
+            fetchDepth: 1
+
+          - task: Docker@2
+            displayName: 'Build and push container'
+            inputs:
+              containerRegistry: 'ACR-Connection'
+              repository: '$(imageName)'
+              command: 'buildAndPush'
+              Dockerfile: '$(dockerfilePath)'
+              tags: |
+                $(imageTag)
+                prod-latest
+                $(Build.BuildId)
+
+          - task: AzureCLI@2
+            displayName: 'Scan image for vulnerabilities (Microsoft Defender)'
+            continueOnError: false  # Fail on vulnerabilities in prod
+            inputs:
+              azureSubscription: 'Azure-Prod-Connection'
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                echo "🔍 Scanning image for vulnerabilities..."
+                # Add your security scanning tool here (e.g., Trivy, Defender for Containers)
+                # az acr scan --name $(ACR_NAME) --image $(imageName):$(imageTag)
+
+  # ===========================================================================
+  # STAGE 5: Deploy to Production (Blue-Green)
+  # ===========================================================================
+  - stage: DeployApp
+    displayName: 'Deploy to Production'
+    dependsOn: BuildContainer
+    condition: succeeded()
+    jobs:
+      - deployment: DeployAppJob
+        displayName: 'Deploy Container App'
+        pool:
+          vmImage: 'ubuntu-latest'
+        environment: 'production'  # Requires manual approval
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+                  fetchDepth: 1
+
+                # Create new revision
+                - template: templates/deploy-container-app.yml
+                  parameters:
+                    azureSubscription: 'Azure-Prod-Connection'
+                    containerAppName: $(containerAppName)
+                    resourceGroupName: $(resourceGroupName)
+                    containerRegistry: $(containerRegistry)
+                    imageName: $(imageName)
+                    imageTag: $(imageTag)
+                    acrServiceConnection: 'ACR-Connection'
+                    healthCheckUrl: '/health'
+                    healthCheckTimeout: 300
+
+                # Wait before activating
+                - task: PowerShell@2
+                  displayName: 'Monitor new revision (5 min)'
+                  inputs:
+                    targetType: 'inline'
+                    script: |
+                      Write-Host "⏳ Monitoring new revision for 5 minutes before activating..."
+                      Start-Sleep -Seconds 300
+                      Write-Host "✅ Monitoring period complete"
+
+  # ===========================================================================
+  # STAGE 6: Smoke Tests in Production
+  # ===========================================================================
+  - stage: SmokeTests
+    displayName: 'Production Smoke Tests'
+    dependsOn: DeployApp
+    condition: succeeded()
+    jobs:
+      - job: SmokeTestsJob
+        displayName: 'Run Production Smoke Tests'
+        pool:
+          vmImage: 'ubuntu-latest'
+        steps:
+          - task: AzureCLI@2
+            displayName: 'Get Container App URL'
+            name: getUrl
+            inputs:
+              azureSubscription: 'Azure-Prod-Connection'
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                FQDN=$(az containerapp show \
+                  --name $(containerAppName) \
+                  --resource-group $(resourceGroupName) \
+                  --query properties.configuration.ingress.fqdn -o tsv)
+
+                APP_URL="https://$FQDN"
+                echo "##vso[task.setvariable variable=appUrl]$APP_URL"
+                echo "Production URL: $APP_URL"
+
+          - task: PowerShell@2
+            displayName: 'Critical smoke tests'
+            inputs:
+              targetType: 'inline'
+              script: |
+                $appUrl = "$(appUrl)"
+
+                Write-Host "🧪 Running CRITICAL smoke tests in PRODUCTION"
+                Write-Host "URL: $appUrl"
+
+                $criticalEndpoints = @(
+                  @{Path="/health"; Description="Health Check"},
+                  @{Path="/health/ready"; Description="Readiness Check"},
+                  @{Path="/"; Description="Home Page"}
+                )
+
+                $failed = $false
+                foreach ($endpoint in $criticalEndpoints) {
+                  $url = "$appUrl$($endpoint.Path)"
+                  try {
+                    $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
+                    Write-Host "✅ $($endpoint.Description): $($response.StatusCode)"
+                  }
+                  catch {
+                    Write-Error "❌ $($endpoint.Description) FAILED: $_"
+                    $failed = $true
+                  }
+                }
+
+                if ($failed) {
+                  Write-Error "❌ CRITICAL: Smoke tests failed in production!"
+                  exit 1
+                }
+
+                Write-Host "✅ All critical smoke tests passed!"
+
+          - task: AzureCLI@2
+            displayName: 'Monitor metrics'
+            inputs:
+              azureSubscription: 'Azure-Prod-Connection'
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                echo "📊 Production Deployment Metrics:"
+
+                # Get replica count
+                REPLICAS=$(az containerapp revision list \
+                  --name $(containerAppName) \
+                  --resource-group $(resourceGroupName) \
+                  --query "[?properties.active].properties.replicas" -o tsv)
+
+                echo "Active Replicas: $REPLICAS"
+
+                # Show active revisions
+                az containerapp revision list \
+                  --name $(containerAppName) \
+                  --resource-group $(resourceGroupName) \
+                  --query "[?properties.active].{Name:name, Traffic:properties.trafficWeight, Replicas:properties.replicas}" \
+                  --output table
+
+          - task: AzureCLI@2
+            displayName: 'Deployment summary'
+            inputs:
+              azureSubscription: 'Azure-Prod-Connection'
+              scriptType: 'bash'
+              scriptLocation: 'inlineScript'
+              inlineScript: |
+                echo "╔════════════════════════════════════════════════════════════════╗"
+                echo "║          PRODUCTION DEPLOYMENT SUCCESSFUL                      ║"
+                echo "╚════════════════════════════════════════════════════════════════╝"
+                echo ""
+                echo "🌐 Application URL: $(appUrl)"
+                echo "📊 Environment: $(environment)"
+                echo "🐳 Container Image: $(imageFullName)"
+                echo "💰 Hosting: Container Apps (always-on) - ~$10-20/month"
+                echo "📦 Resource Group: $(resourceGroupName)"
+                echo "🏷️  Version: $(imageTag)"
+                echo ""
+                echo "⚠️  IMPORTANT:"
+                echo "  1. Monitor Application Insights for errors"
+                echo "  2. Watch for performance degradation"
+                echo "  3. Have rollback plan ready"
+                echo "  4. Monitor costs in Azure Portal"
+                echo ""
+                echo "🔄 Rollback command (if needed):"
+                echo "  az containerapp revision activate \\"
+                echo "    --name $(containerAppName) \\"
+                echo "    --resource-group $(resourceGroupName) \\"
+                echo "    --revision <PREVIOUS_REVISION_NAME>"
+                echo ""