Track: B — Engineering Execution
Optional setup guides for HTTPS parity, security scanning, database extensions, and ingress hardening.
Enables production parity for SameSite cookies, HSTS, and HTTPS-only integrations.
sudo apt-get install -y mkcert libnss3-tools
mkcert -install
cd infra/certs && mkcert localhost 127.0.0.1 "*.local"
just up-https # starts edge proxy on :443Verify: curl -vk https://127.0.0.1/api/api/v1/observations
Architecture: TLS termination at the Nginx edge proxy (:443). The edge proxies to internal services over plain HTTP inside Docker network.
Certificate details: 825-day validity, auto-trusted by mkcert CA. Regenerate with mkcert localhost 127.0.0.1 "*.local" in infra/certs/.
BuildKit is enabled by default in Docker 24+. For explicit activation:
export DOCKER_BUILDKIT=1 # add to ~/.bashrcuv pip install pip-audit
pre-commit install # runs pip-audit on every commit
pre-commit run --all-files # manual runsudo apt-get install -y trivy
trivy image ingestor:latest # scan local image
trivy image --severity HIGH,CRITICAL ... # block only on criticalFor CI/CD: Trivy outputs SARIF format → GitHub Code Scanning dashboard.
pre-commit install
pre-commit run --all-filesHooks: pip-audit, Ruff, mypy, end-of-file fixer, trailing-whitespace fixer, secrets scanner.
PostgreSQL 17 with pgvector extension — automatically installed via custom Docker image at infra/database/Dockerfile.
docker compose up -d db # start PostgreSQL with pgvector
uv run alembic upgrade head # create embeddings tableCustom Dockerfile builds from postgres:17-bookworm and compiles pgvector v0.7.4 from source. Init script at docker-entrypoint-initdb.d/01-init.sql creates the extension.
-- HNSW (best for high-dim, <10M vectors)
CREATE INDEX ON embeddings USING hnsw (embedding vector_cosine_ops);
-- IVFFlat (faster build, lower recall)
CREATE INDEX ON embeddings USING ivfflat (embedding vector_cosine_ops) WITH (lists = 100);Local AI gateway for VSCode Kilo extension semantic search.
docker compose up -d qdrant ollama
docker exec ollama ollama pull nomic-embed-textMCP config in .kilo/mcp.json (if using Kilo): sets OLLAMA_URL=http://127.0.0.1:11434, QDRANT_URL=http://127.0.0.1:6333.
Health checks:
curl http://127.0.0.1:6333/health(Qdrant)curl http://127.0.0.1:11434/api/tags(Ollama)
Before promoting to cloud/VPS, harden the Nginx edge proxy:
- Dev: static upstreams (fast, no DNS re-resolution)
- Prod: dynamic resolution with
resolver 127.0.0.11 valid=10sviaset $upstream_ingestor http://ingestor:8000
- Replace mkcert with Let's Encrypt / ACM
- Enforce HTTPS redirect
- Set explicit
server_name
- Raise keepalive to 64/128 per upstream worker
- Adjust rate-limiting zones for production SLA thresholds
server_tokens off;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";The Ansible layer in infra/ansible/ fills the gap between Terraform (cloud resources) and Docker Compose (containers).
inventory/: groups fordev(localhost),staging(10.0.1.10),production(empty)vars.yml+vault.yml: envars pattern, vault encrypted withansible-vault- Roles:
common(apt, ulimits, sysctl),docker(install CE + Compose),app(clone repo, render .env,uv sync,docker compose up -d),secrets(vault bootstrap) - Playbooks:
bootstrap.yml,provision.yml,drift-check.yml,secrets-bootstrap.yml
ansible-galaxy collection install -r infra/ansible/requirements.yml
ansible-vault edit infra/ansible/inventory/group_vars/all/vault.yml
ansible-playbook infra/ansible/playbooks/secrets-bootstrap.yml # validate vault
ansible-playbook infra/ansible/playbooks/bootstrap.yml # full provision
ansible-playbook infra/ansible/playbooks/drift-check.yml # read-only auditWhen: 1st Monday of each month (~30 min). Picks up security patches.
# 1. Scan current digests
just docker-scan-image
# 2. Find new digests
docker pull python:3.14-slim 2>&1 | grep "Digest:"
docker pull postgres:17-bookworm 2>&1 | grep "Digest:"
# 3. Update Dockerfiles: 6 Python services + infra/database/Dockerfile
# 4. Test
bash scripts/test_digest_updates.sh
# 5. Create PR with branch chore/update-base-image-digests-$(date +%Y-%m)Current Python digest is pinned to python:3.14-slim@sha256:bc389f7dfcb.... PostgreSQL uses postgres:17-bookworm (no pin yet — ~1 CRITICAL + 13 HIGH vulns).
See docs/_archive/04-setup/references.md for a curated list of external docs organized by pillar: FastAPI, Pydantic, PostgreSQL, SQLAlchemy, Alembic, Docker, Terraform, OpenTelemetry, OWASP, uv, and more.