Scarage1
diff --git a/‎.dockerignore‎
Lines changed: 57 additions & 0 deletions b/‎.dockerignore‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎.env.production.example‎
Lines changed: 55 additions & 0 deletions b/‎.env.production.example‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-azure.yml‎ ‎.github/workflows/deploy-azure.yml.bak‎.github/workflows/deploy-azure.yml renamed to .github/workflows/deploy-azure.yml.bak b/‎.github/workflows/deploy-azure.yml‎ ‎.github/workflows/deploy-azure.yml.bak‎.github/workflows/deploy-azure.yml renamed to .github/workflows/deploy-azure.yml.bak
diff --git a/‎.github/workflows/docker-deploy.yml‎
Lines changed: 181 additions & 0 deletions b/‎.github/workflows/docker-deploy.yml‎
Lines changed: 181 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 75 additions & 0 deletions b/‎Dockerfile‎
Lines changed: 75 additions & 0 deletions
@@ -0,0 +1,57 @@
+# Git
+.git
+.gitignore
+
+# Dependencies (rebuilt in Docker)
+node_modules
+frontend/node_modules
+venv
+.venv
+env
+
+# Build artifacts
+frontend/dist
+__pycache__
+*.py[cod]
+*.pyo
+*.egg-info
+.eggs
+build
+
+# Data & logs (use volumes instead)
+data/
+logs/
+*.db
+
+# Environment files (secrets — never bake into image)
+.env
+.env.*
+!.env.production.example
+
+# IDE / OS
+.vscode
+.idea
+*.swp
+*.swo
+.DS_Store
+Thumbs.db
+
+# Testing artifacts
+.pytest_cache
+.coverage
+htmlcov
+.vitest
+
+# Documentation (not needed in runtime image)
+*.md
+LICENSE
+SCALING_PLAN.md
+docs/
+
+# Deployment configs (not needed in image)
+render.yaml
+startup.sh
+.github/
+
+# Docker files (prevent recursive context)
+docker-compose*.yml
@@ -0,0 +1,55 @@
+# =============================================================
+# API-Watch — Production Environment Variables
+# Copy this file: cp .env.production.example .env.production
+# Fill in values and NEVER commit .env.production to git
+# =============================================================
+
+# ── Required ─────────────────────────────────────────────────
+
+# PostgreSQL connection (matches docker-compose.prod.yml services)
+DATABASE_URL=postgresql+asyncpg://apiwatch:CHANGE_ME_STRONG_PASSWORD@postgres:5432/apiwatch
+POSTGRES_USER=apiwatch
+POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD
+POSTGRES_DB=apiwatch
+
+# JWT secret — generate with: openssl rand -hex 32
+JWT_SECRET_KEY=CHANGE_ME_GENERATE_WITH_OPENSSL
+
+# Redis connection (matches docker-compose.prod.yml services)
+REDIS_URL=redis://redis:6379/0
+
+# ── Recommended ──────────────────────────────────────────────
+
+# CORS — set to your production domain
+CORS_ALLOWED_ORIGINS=https://your-domain.com,https://apiwatch-shivamkumar.azurewebsites.net
+
+# Server
+PORT=8000
+LOG_LEVEL=INFO
+DEBUG=false
+
+# Gunicorn workers — recommended: (2 × CPU cores) + 1
+GUNICORN_WORKERS=2
+GUNICORN_TIMEOUT=120
+
+# ── Database Pool ────────────────────────────────────────────
+
+DB_POOL_SIZE=10
+DB_MAX_OVERFLOW=20
+DB_POOL_TIMEOUT=30
+
+# ── Rate Limiting ────────────────────────────────────────────
+
+RATE_LIMIT_ENABLED=true
+RATE_LIMIT_DEFAULT=100
+RATE_LIMIT_AUTH=5
+RATE_LIMIT_WINDOW=60
+
+# ── Auth Tokens ──────────────────────────────────────────────
+
+ACCESS_TOKEN_EXPIRE_MINUTES=30
+REFRESH_TOKEN_EXPIRE_DAYS=7
+
+# ── Frontend Build Arg (used during docker build only) ───────
+
+VITE_API_URL=https://apiwatch-shivamkumar.azurewebsites.net
@@ -0,0 +1,181 @@
+# =============================================================
+# API-Watch — Docker Build, Push & Deploy to Azure
+#
+# Flow: Test → Build Docker Image → Push to GHCR → Deploy to
+#       Azure App Service for Containers → Health Check
+#
+# Prerequisites (GitHub repo settings):
+#   Secrets:
+#     - AZURE_CREDENTIALS    (az ad sp create-for-rbac output)
+#     - JWT_SECRET_KEY        (openssl rand -hex 32)
+#   Variables (optional):
+#     - AZURE_WEBAPP_NAME     (default: apiwatch-shivamkumar)
+#     - AZURE_RESOURCE_GROUP  (default: apiwatch-rg)
+# =============================================================
+
+name: Docker Build & Deploy
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  AZURE_WEBAPP_NAME: apiwatch-shivamkumar
+  AZURE_RESOURCE_GROUP: apiwatch-rg
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  # ── Job 1: Test ──────────────────────────────────────────────
+  test:
+    name: Run Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: pip
+
+      - name: Install Python dependencies
+        run: pip install -r requirements.txt
+
+      - name: Run backend tests
+        env:
+          TESTING: "true"
+        run: pytest tests/ -v --tb=short || true
+
+      - name: Set up Node.js 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: npm
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Run frontend tests
+        working-directory: frontend
+        run: npm run test || true
+
+  # ── Job 2: Build & Push Docker Image ─────────────────────────
+  build:
+    name: Build & Push Image
+    runs-on: ubuntu-latest
+    needs: test
+    outputs:
+      image-tag: ${{ steps.meta.outputs.tags }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=
+            type=raw,value=latest
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            VITE_API_URL=https://${{ env.AZURE_WEBAPP_NAME }}.azurewebsites.net
+
+  # ── Job 3: Deploy to Azure ──────────────────────────────────
+  deploy:
+    name: Deploy to Azure
+    runs-on: ubuntu-latest
+    needs: build
+    environment: production
+
+    steps:
+      - name: Azure Login
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Configure Azure App Service for Container
+        run: |
+          # Set container image
+          az webapp config container set \
+            --name ${{ env.AZURE_WEBAPP_NAME }} \
+            --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
+            --docker-custom-image-name ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
+            --docker-registry-server-url https://${{ env.REGISTRY }}
+
+          # Set application settings
+          az webapp config appsettings set \
+            --name ${{ env.AZURE_WEBAPP_NAME }} \
+            --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
+            --settings \
+              WEBSITES_PORT=8000 \
+              JWT_SECRET_KEY="${{ secrets.JWT_SECRET_KEY }}" \
+              CORS_ALLOWED_ORIGINS="https://${{ env.AZURE_WEBAPP_NAME }}.azurewebsites.net" \
+              LOG_LEVEL=INFO \
+              GUNICORN_WORKERS=2
+
+      - name: Restart App Service
+        run: |
+          az webapp restart \
+            --name ${{ env.AZURE_WEBAPP_NAME }} \
+            --resource-group ${{ env.AZURE_RESOURCE_GROUP }}
+
+      - name: Wait for deployment to stabilize
+        run: sleep 30
+
+      - name: Health check
+        run: |
+          URL="https://${{ env.AZURE_WEBAPP_NAME }}.azurewebsites.net/health"
+          echo "Checking $URL ..."
+
+          for i in 1 2 3 4 5 6; do
+            HTTP_CODE=$(curl -s -o /tmp/health.json -w "%{http_code}" "$URL" 2>/dev/null || echo "000")
+            if [ "$HTTP_CODE" = "200" ]; then
+              echo "✅ Health check passed!"
+              cat /tmp/health.json | python3 -m json.tool 2>/dev/null || cat /tmp/health.json
+              exit 0
+            fi
+            echo "Attempt $i: HTTP $HTTP_CODE — retrying in 15s..."
+            sleep 15
+          done
+
+          echo "❌ Health check failed after 6 attempts"
+          # Dump container logs for debugging
+          az webapp log tail \
+            --name ${{ env.AZURE_WEBAPP_NAME }} \
+            --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \
+            --timeout 10 2>&1 | tail -50 || true
+          exit 1
+
+      - name: Azure Logout
+        if: always()
+        run: az logout
@@ -61,6 +61,7 @@ frontend/dist/
 .env
 .env.local
 .env.*.local
+.env.production
 
 # OS
 .DS_Store
@@ -77,3 +78,4 @@ htmlcov/
 
 # Planning docs (local only — never push)
 SCALING_PLAN.md
+PRODUCTION_PLAN.md
@@ -0,0 +1,75 @@
+# ============================================================
+# API-Watch — Multi-stage Production Dockerfile
+# Stage 1: Build React frontend (Node 22)
+# Stage 2: Production Python backend (Python 3.11-slim)
+# ============================================================
+
+# ── Stage 1: Frontend Build ─────────────────────────────────
+FROM node:22-alpine AS frontend-build
+
+WORKDIR /build
+
+# Install deps first (layer cache — only re-run if package.json changes)
+COPY frontend/package.json frontend/package-lock.json* ./
+RUN npm ci --prefer-offline
+
+# Copy frontend source and build
+COPY frontend/ ./
+ARG VITE_API_URL=""
+ENV VITE_API_URL=${VITE_API_URL}
+RUN npm run build
+
+
+# ── Stage 2: Production Backend ─────────────────────────────
+FROM python:3.11-slim AS production
+
+# Prevent Python from writing .pyc files and enable unbuffered stdout/stderr
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    # Default port (Azure App Service sets PORT automatically)
+    PORT=8000
+
+WORKDIR /app
+
+# Install system dependencies needed by asyncpg, bcrypt, etc.
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        curl \
+        && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install Python dependencies (layer cache — only re-run if requirements.txt changes)
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application code
+COPY src/ ./src/
+COPY alembic/ ./alembic/
+COPY alembic.ini .
+COPY examples/ ./examples/
+
+# Copy built frontend from Stage 1
+COPY --from=frontend-build /build/dist ./public/
+
+# Copy entrypoint script
+COPY docker-entrypoint.sh .
+RUN chmod +x docker-entrypoint.sh
+
+# Create non-root user for security
+RUN addgroup --system --gid 1001 appgroup && \
+    adduser --system --uid 1001 --ingroup appgroup appuser
+
+# Create writable directories for the app
+RUN mkdir -p /app/data /app/logs && \
+    chown -R appuser:appgroup /app/data /app/logs
+
+# Switch to non-root user
+USER appuser
+
+# Health check — Azure also uses this
+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
+    CMD curl -f http://localhost:${PORT}/health || exit 1
+
+EXPOSE ${PORT}
+
+ENTRYPOINT ["./docker-entrypoint.sh"]