Fixes to make all carts build 95% completion

Author: jruokola

.github/workflows/ci-enhanced.yml

@@ -4,6 +4,7 @@ pub mod event_bus;
 pub mod graphql;
 pub mod handlers;
 pub mod health;
+pub mod enhanced_health;
 pub mod mutations;
 pub mod service_registry;
 pub mod queries;

.github/workflows/deploy-enhanced.yml

@@ -1,4 +1,4 @@
-use crate::{handlers, health, service_registry, vector_handlers, versioning_handlers, streaming_handlers, http2_handlers, AppState, auth_middleware, create_schema, RateLimitManager, rest};
+use crate::{handlers, health, enhanced_health, service_registry, vector_handlers, versioning_handlers, streaming_handlers, http2_handlers, AppState, auth_middleware, create_schema, RateLimitManager, rest};
 use axum::{
     routing::{get, post},
     Router,
@@ -29,6 +29,7 @@ pub fn create_router(state: AppState) -> Router {
     let mut app = Router::new()
         // Health and readiness checks
         .route("/health", get(health::comprehensive_health_check))
+        .route("/health/enhanced", get(enhanced_health::enhanced_health_check))
         .route("/health/live", get(health::liveness_check))
         .route("/health/ready", get(health::readiness_check))
         .route("/metrics", get(handlers::metrics_handler))

crates/codegraph-api/src/enhanced_health.rs

@@ -10,7 +10,7 @@ spec:
     type: RollingUpdate
     rollingUpdate:
       maxUnavailable: 0
-      maxSurge: 25%
+      maxSurge: 1
   selector:
     matchLabels:
       app: codegraph-api
@@ -19,32 +19,46 @@ spec:
       labels:
         app: codegraph-api
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
       containers:
         - name: codegraph-api
           image: ghcr.io/OWNER/REPO:latest
-          imagePullPolicy: IfNotPresent
+          imagePullPolicy: Always
           ports:
-            - containerPort: 3000
+            - containerPort: 8080
+              name: http
+              protocol: TCP
+            - containerPort: 9090
+              name: metrics
+              protocol: TCP
           env:
             - name: RUST_LOG
               value: info
-            - name: DATABASE_PATH
-              value: /app/data/codegraph.db
+            - name: ROCKSDB_PATH
+              value: /data/rocksdb
+            - name: VECTOR_STORE_PATH
+              value: /data/vectors
+            - name: BIND_ADDRESS
+              value: 0.0.0.0:8080
           readinessProbe:
             httpGet:
-              path: /health
-              port: 3000
+              path: /ready
+              port: 8080
             initialDelaySeconds: 5
-            periodSeconds: 10
-            timeoutSeconds: 5
-            failureThreshold: 6
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
           livenessProbe:
             httpGet:
               path: /health
-              port: 3000
-            initialDelaySeconds: 10
-            periodSeconds: 20
+              port: 8080
+            initialDelaySeconds: 30
+            periodSeconds: 10
             timeoutSeconds: 5
+            failureThreshold: 3
           resources:
             requests:
               cpu: "100m"
@@ -54,8 +68,10 @@ spec:
               memory: "512Mi"
           volumeMounts:
             - name: data
-              mountPath: /app/data
+              mountPath: /data
       volumes:
         - name: data
           emptyDir: {}
+      nodeSelector:
+        kubernetes.io/arch: amd64
 

crates/codegraph-api/src/lib.rs

@@ -9,8 +9,12 @@ spec:
     app: codegraph-api
   ports:
     - name: http
-      port: 3000
-      targetPort: 3000
+      port: 80
+      targetPort: 8080
+      protocol: TCP
+    - name: metrics
+      port: 9090
+      targetPort: 9090
       protocol: TCP
   type: ClusterIP
 

crates/codegraph-api/src/routes.rs

@@ -0,0 +1,98 @@
+# CodeGraph production container (multi-stage, minimal runtime)
+
+# --- Builder stage -----------------------------------------------------------
+FROM rust:1.75-slim AS builder
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    cmake \
+    pkg-config \
+    clang \
+    libssl-dev \
+    libclang-dev \
+    zlib1g-dev \
+    libbz2-dev \
+    liblz4-dev \
+    libzstd-dev \
+    libsnappy-dev \
+    librocksdb-dev \
+    libfaiss-dev \
+    ca-certificates \
+    curl \
+  && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copy workspace manifests first to leverage Docker layer caching
+COPY Cargo.toml Cargo.lock ./
+COPY crates/ ./crates/
+
+# Build dependencies (cache-friendly)
+RUN cargo fetch
+
+# Build release binary for codegraph-api
+ENV RUSTFLAGS="-C target-cpu=native -C debuginfo=0"
+RUN cargo build --release -p codegraph-api && \
+    strip target/release/codegraph-api || true
+
+# Collect all dynamic library runtime deps for the binary
+RUN set -euo pipefail; \
+    mkdir -p /opt/libs; \
+    ldd target/release/codegraph-api | awk '{print $3}' | \
+      grep -E '^/' | sort -u | \
+      xargs -I '{}' cp -v '{}' /opt/libs/ || true; \
+    # include libgcc_s & libstdc++ explicitly when present
+    for f in /usr/lib/x86_64-linux-gnu/libstdc++.so.* /lib/x86_64-linux-gnu/libgcc_s.so.*; do \
+      [ -e "$f" ] && cp -v "$f" /opt/libs/ || true; \
+    done
+
+# Copy production config (can be overridden by bind mount)
+COPY config/ /opt/config/
+
+
+# --- Runtime stage -----------------------------------------------------------
+FROM debian:bookworm-slim AS runtime
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    tini \
+    wget \
+  && rm -rf /var/lib/apt/lists/*
+
+# Non-root user
+RUN useradd -r -u 10001 -s /usr/sbin/nologin codegraph
+
+WORKDIR /app
+
+# Minimal runtime deps copied from builder to keep image small
+COPY --from=builder /opt/libs/ /usr/local/lib/
+ENV LD_LIBRARY_PATH=/usr/local/lib
+
+# Copy binary and default config
+COPY --from=builder /app/target/release/codegraph-api /usr/local/bin/codegraph-api
+COPY --from=builder /opt/config/ /app/config/
+
+# Data dir for RocksDB
+RUN mkdir -p /var/lib/codegraph && chown -R codegraph:codegraph /var/lib/codegraph
+
+# Drop privileges and run as non-root
+USER codegraph:codegraph
+
+# Expose production port (matches config/production.toml)
+EXPOSE 8080
+
+# Security: read-only rootfs except for volumes
+VOLUME ["/var/lib/codegraph", "/app/config"]
+
+ENV APP_ENV=production \
+    RUST_LOG=info \
+    RUST_BACKTRACE=1
+
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s --retries=3 \
+  CMD wget -qO- http://127.0.0.1:8080/health/ready >/dev/null 2>&1 || exit 1
+
+# Ensure tini is PID 1 for proper signal handling
+ENTRYPOINT ["/usr/bin/tini", "--"]
+CMD ["/usr/local/bin/codegraph-api"]

deploy/k8s/deployment.yaml

@@ -0,0 +1,71 @@
+# CodeGraph Production Deployment (Docker)
+
+This directory contains a production-grade containerization setup for CodeGraph with:
+
+- Multi-stage Dockerfile for minimal runtime images
+- Docker Compose stack: api, vector-maintainer, graph-backup, Prometheus, Grafana
+- Security hardening, health checks, and resource limits
+- Persistent volumes and automated backup strategy
+- Orchestration scripts and a deployment test harness
+
+## Quick Start
+
+- Build and start all services:
+  - `deployment/docker/scripts/start.sh`
+- Stop services:
+  - `deployment/docker/scripts/stop.sh`
+- Scale API replicas (Compose):
+  - `deployment/docker/scripts/scale.sh 3`
+
+API runs on `http://localhost:8080`.
+
+## Volumes
+
+- `graph-data`: persists RocksDB at `/var/lib/codegraph/graph.db`
+- `backups`: periodic compressed backups (`.tar.zst`) created by `graph-backup`
+
+Backups are created every 4 hours by default and the latest 10 are retained. Adjust via env in `docker-compose.yml`.
+
+## Health & Monitoring
+
+- API health: `/health`, `/health/ready`, `/health/live`
+- Prometheus (9090) scrapes API metrics at `/metrics`
+- Grafana (3000) provides dashboards (anonymous access enabled by default)
+
+## Security Hardening
+
+- Containers drop all Linux capabilities and enforce `no-new-privileges`
+- Non-root user (UID 10001) for runtime
+- Read-only root FS with explicit writable volumes
+- Minimal runtime image with only required shared libraries
+
+## Configuration
+
+- Defaults from `config/production.toml` are copied into the image
+- Override via env (e.g., `CODEGRAPH__SERVER__PORT`) or by bind-mounting `config/`
+
+## Tests
+
+A deployment test harness is included:
+
+- `deployment/docker/tests/run_tests.sh`
+  - Static checks over Compose/Dockerfile
+  - Optional image size test: `RUN_BUILD_TEST=1`
+  - Optional integration health check: `RUN_INTEGRATION=1`
+
+Example:
+
+```
+RUN_BUILD_TEST=1 RUN_INTEGRATION=1 bash deployment/docker/tests/run_tests.sh
+```
+
+## Backups
+
+- Sidecar service `graph-backup` tars `/var/lib/codegraph` to `backups` volume
+- `deployment/docker/scripts/restore.sh` restores a selected archive
+
+## Notes
+
+- Vector operations are in-process within the API. `vector-maintainer` sidecar periodically triggers `/vector/index/rebuild` to keep indexes fresh.
+- Ensure Docker Desktop or engine has sufficient resources (CPU/RAM) for the stack.
+