Adds the two passwordless-auth endpoints behind /api/v1/auth/:
POST /magic-link/request — body {email}; always 200 (no enumeration leak)
GET /magic-link/consume — ?token=...; signs in (signup-on-first-link)
Sign-up flow: first consume for an unknown email creates the user with a
random unguessable bcrypt-hashed password — keeps the schema NOT NULL
constraint while permanently locking the password endpoints out.
Failure modes (missing/expired/already-consumed) collapse to a single
401 to prevent attackers distinguishing them. DB persist failures on
request silently degrade to the generic 200 to avoid leaking internal
state.
Config:
auth.magic_link.ttl (default 15m, env DLC_AUTH_MAGIC_LINK_TTL)
auth.magic_link.base_url (default http://localhost:8080)
Tests: 11 unit tests against fakes (repo, user service, sender) cover
happy path (new + existing user), normalization, bad JSON, persist
failure, missing/unknown/expired/consumed token, URL builder.
Phase 1 part 2 of ADR-0022 (companion to PR #22 rate-limit). In-memory cache service via go-cache, used by /api/version (60s TTL).
6/6 unit tests pass. ~95% Mistral autonomous via ICM workspace, cost €2.50 stages 01-02 (50% reduction vs T5 thanks to pre-extracted snippets in shared/).
Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
## Summary
Closes#15
When `logging.json: true` (or `DLC_LOGGING_JSON=true`), the logger was unconditionally initialised to console/text format at the top of `LoadConfig()`, so early log lines — most visibly **"Config file loaded"** — were always written as human-readable text regardless of configuration.
## Root cause
Classic chicken-and-egg: the format flag lives inside the config that is being loaded. The format-switch block only ran *after* `v.Unmarshal()`, too late for the config-file log.
## Changes
### `pkg/config/config.go`
- Add `peekJSONLogging()`: resolves the JSON flag **before** any log is emitted by (1) checking `DLC_LOGGING_JSON` directly via `os.Getenv`, then (2) doing a minimal throwaway Viper pre-read of the config file for the `logging.json` key. This mirrors Viper's own priority order without parsing the full config twice.
- Apply the resolved format immediately and emit **"Logging configured"** as the very first log line.
- Remove the now-redundant format-switch block that ran after `Unmarshal()`.
### `scripts/start-server.sh`, `test-graceful-shutdown.sh`, `test-opentelemetry.sh`
- Replace hardcoded `PROJECT_DIR` path with a dynamic `SCRIPTS_DIR=$(dirname $(realpath ${BASH_SOURCE[0]}))` derivation so scripts work from any worktree or clone location.
## Test plan
- [x] `go test ./pkg/...` — all pass
- [x] `scripts/test-graceful-shutdown.sh` — all JSON valid, all startup logs present
- [x] Manual smoke test: first line is `{"level":"info",...,"message":"Logging configured"}`, every line is valid JSON
Reviewed-on: #16
Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
- Add ADR-0012 documenting the decision to format only staged Go files
- Update ADR README.md with new entry
- Document rationale, alternatives, and verification results
- Include future considerations for monitoring and CI/CD integration
Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
- Added /api/v2/greet POST endpoint with JSON request/response
- Implemented ServiceV2 with Hello my friend <name>! greeting format
- Added api.v2_enabled feature flag (default: false)
- Extended BDD tests to cover v2 scenarios
- Maintained full backward compatibility with v1 API
- Added DLC_API_V2_ENABLED environment variable support
- Created ADR 0010-api-v2-feature-flag.md
- Updated configuration system to support API versioning
- Add scripts/build.sh to compile binaries into bin/ directory
- Move all zerolog setup logic from cmd/server/main.go to pkg/config
- Add log level configuration support (trace, debug, info, warn, error, fatal, panic)
- Simplify cmd/server/main.go from 57 to 27 lines (53% reduction)
- Update .gitignore to use bin/ directory instead of individual files
- Document build process and bin directory in AGENTS.md
- Maintain backward compatibility with all existing functionality
- Added signal.NotifyContext for modern signal handling in cmd/server/main.go
- Implemented BaseContext for proper context propagation to HTTP handlers
- Added readiness drain delay before shutdown for graceful degradation
- Fixed PID detection in start-server.sh to target actual server process
- Added Logging.JSON configuration option with DLC_LOGGING_JSON environment variable
- Created comprehensive test script that validates entire server lifecycle
- Updated documentation with JSON logging configuration examples
- All shutdown logs now appear correctly in JSON format
- Server terminates gracefully on SIGTERM with proper log flushing
The graceful shutdown implementation follows VictoriaMetrics best practices:
1. Catches termination signals (SIGTERM, SIGINT)
2. Stops accepting new requests but allows ongoing requests to complete
3. Waits for active requests to finish within configured timeout
4. Releases resources and performs cleanup
5. Logs all shutdown steps for observability
Test script validates:
- Server startup and API functionality
- Graceful shutdown sequence
- JSON log format validation
- Complete log sequence verification
- Proper signal handling and context propagation
Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
\n- Add DLC_CONFIG_FILE environment variable for custom config paths\n- Update config.go to support both default and custom config file locations\n- Update README.md and AGENTS.md with configuration documentation\n- Remove /Users/gabrielradureau/.dancelessonscoach/ directory approach\n- Add os import to config.go\n- Test all configuration scenarios
