Gabriel Radureau
7703dff8c2
Closes the missing piece of ADR-0021's admin surface. Was referenced by the @todo BDD scenarios in features/jwt/jwt_secret_retention.feature since PR #41 but never wired up. Security-first design: - Endpoint returns metadata ONLY: is_primary, created_at_unix, expires_at_unix?, age_seconds, is_expired, secret_sha256 (8-byte prefix as fingerprint). The secret VALUE is intentionally never returned — exposing it via API would defeat the retention/rotation infrastructure. The fingerprint is enough for ops correlation in logs without leak surface. - Routed under /api/v1/admin/jwt/secrets. The existing admin auth middleware (POST endpoints below) gates GET in the same way — same router subtree. Plumbing: - New JWTSecretInfo struct in pkg/user/user.go (metadata-only). - AuthService.ListJWTSecretsInfo() interface method. - userServiceImpl.ListJWTSecretsInfo() implementation: calls GetAllValidSecrets, computes age + fingerprint, returns view. - handleListJWTSecrets in pkg/user/api/admin_handler.go. - Documentation/API.md updated with full schema + security note. Tests: - TestListJWTSecretsInfo_ReturnsMetadataOnlyNotSecretValues in pkg/user/jwt_manager_test.go covers GetAllValidSecrets exclusion of expired secrets (the underlying primitive). go test -race passes. - Full BDD suite (auth/config/greet/health/info/jwt) green. @todo BDD scenarios in features/jwt/jwt_secret_retention.feature can now be activated in a follow-up PR — left as @todo for review.
dance-lessons-coach
Go web service demonstrating idiomatic package structure, versioned JSON API, and production-ready features.
Features
- Versioned JSON API (
/api/v1,/api/v2) - Chi router with graceful shutdown
- Zerolog structured logging (console and JSON modes)
- Viper configuration (file + env vars)
- Readiness endpoint for Kubernetes / service mesh
- OpenTelemetry / Jaeger distributed tracing
- OpenAPI / Swagger UI (embedded in binary)
- PostgreSQL user service with JWT auth
- BDD + unit tests
Quick Start
git clone https://gitea.arcodange.lab/arcodange/dance-lessons-coach.git
cd dance-lessons-coach
./scripts/build.sh # produces ./bin/server and ./bin/greet
./scripts/start-server.sh start
curl http://localhost:8080/api/health
curl http://localhost:8080/api/v1/greet/Alice
Stop: ./scripts/start-server.sh stop
Greet CLI
go run ./cmd/greet # Hello world!
go run ./cmd/greet Alice # Hello Alice!
Configuration
All options are available via config.yaml or DLC_* environment variables.
| Env var | Default | Description |
|---|---|---|
DLC_SERVER_PORT |
8080 |
Listening port |
DLC_SERVER_HOST |
0.0.0.0 |
Bind address |
DLC_LOGGING_JSON |
false |
JSON log format |
DLC_LOGGING_OUTPUT |
stderr | Log file path |
DLC_SHUTDOWN_TIMEOUT |
30s |
Graceful shutdown window |
DLC_API_V2_ENABLED |
false |
Enable /api/v2 routes |
DLC_CONFIG_FILE |
./config.yaml |
Override config path |
See config.example.yaml for a full template.
API
| Method | Path | Description |
|---|---|---|
| GET | /api/health |
Liveness check |
| GET | /api/ready |
Readiness check (503 during shutdown) |
| GET | /api/version |
Version info (?format=plain|full|json) |
| GET | /api/v1/greet/ |
Default greeting |
| GET | /api/v1/greet/{name} |
Named greeting |
| POST | /api/v2/greet |
V2 greeting with validation |
| GET | /swagger/ |
Swagger UI |
Testing
go test ./... # unit + integration tests
./scripts/test-graceful-shutdown.sh # lifecycle + JSON logging validation
./scripts/test-opentelemetry.sh # tracing end-to-end
Gitea Client
AI agent helper script at .vibe/skills/gitea-client/scripts/gitea-client.sh.
Auth setup:
echo "your_token" > ~/.gitea_token
chmod 600 ~/.gitea_token
export GITEA_API_TOKEN_FILE="$HOME/.gitea_token"
Get a token at https://gitea.arcodange.lab → Profile → Settings → Applications.
Architecture
Key decisions are documented in adr/. See AGENTS.md for the full development reference (commands, config, ADR index, commit conventions).
License
MIT