csxj2026/junhong_cmp_fiber
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
e98dd4d7255646f97653d46691cfeb4a064a5ee1
junhong_cmp_fiber/specs/001-fiber-middleware-integration/tasks.md

511 lines
23 KiB
Markdown
Raw Blame History

# Tasks: Fiber Middleware Integration with Configuration Management
**Feature**: 001-fiber-middleware-integration
**Input**: Design documents from `/specs/001-fiber-middleware-integration/`
**Prerequisites**: plan.md, spec.md, research.md, data-model.md, contracts/api.yaml
**Tests**: Unit and integration tests are REQUIRED per constitution testing standards (70%+ overall, 90%+ core business)
**Organization**: Tasks are grouped by user story to enable independent implementation and testing of each story.
## Format: `- [ ] [ID] [P?] [Story?] Description`
- **[P]**: Can run in parallel (different files, no dependencies)
- **[Story]**: Which user story this task belongs to (e.g., US1, US2, US3)
- Include exact file paths in descriptions
---
## Phase 1: Setup (Shared Infrastructure)
**Purpose**: Project initialization and basic structure
- [X] T001 Create directory structure: pkg/config/, pkg/logger/, pkg/response/, pkg/errors/, pkg/constants/, pkg/validator/, internal/middleware/, configs/, logs/
- [X] T002 [P] Setup unified error codes and messages in pkg/errors/codes.go
- [X] T003 [P] Setup custom error types in pkg/errors/errors.go
- [X] T004 [P] Setup unified response structure in pkg/response/response.go
- [X] T005 [P] Setup response code constants in pkg/response/codes.go
- [X] T006 [P] Setup business constants in pkg/constants/constants.go
- [X] T007 [P] Setup Redis key generation functions in pkg/constants/redis.go
---
## Phase 2: Foundational (Blocking Prerequisites)
**Purpose**: Core infrastructure that MUST be complete before ANY user story can be implemented
**⚠️ CRITICAL**: No user story work can begin until this phase is complete
### Configuration Management (US1 Foundation)
- [X] T008 Create Config structures with Viper mapstructure tags in pkg/config/config.go
- [X] T009 Implement config loading with validation in pkg/config/loader.go
- [X] T010 Implement config hot reload with fsnotify in pkg/config/watcher.go
- [X] T011 Create default configuration file in configs/config.yaml
- [X] T012 [P] Create environment-specific configs: config.dev.yaml, config.staging.yaml, config.prod.yaml
- [ ] T012a [P] Unit test for environment-specific config loading (test APP_ENV variable loads correct config file) in pkg/config/loader_test.go
### Logging Infrastructure (US2 Foundation)
- [X] T013 Initialize Zap logger with JSON encoder in pkg/logger/logger.go
- [X] T014 Setup Lumberjack rotation for app.log in pkg/logger/logger.go (合并到 T013)
- [X] T015 Setup Lumberjack rotation for access.log in pkg/logger/logger.go (合并到 T013)
- [X] T016 Create Fiber logger middleware adapter in pkg/logger/middleware.go
### Redis Connection (US6 Foundation)
- [X] T017 Setup Redis client with connection pool configuration in pkg/validator/token.go (使用 go-redis 直接在 main.go 中初始化)
**Checkpoint**: Foundation ready - user story implementation can now begin in parallel
---
## Phase 3: User Story 1 - Configuration Hot Reload (Priority: P1) 🎯 MVP
**Goal**: Enable runtime configuration updates without service restart
**Independent Test**: Modify config.yaml while server runs, verify changes applied within 5 seconds without restart
### Unit Tests for User Story 1
- [ ] T018 [P] [US1] Unit test for config loading and validation in pkg/config/loader_test.go
- [ ] T019 [P] [US1] Unit test for config hot reload mechanism in pkg/config/watcher_test.go
- [ ] T020 [P] [US1] Test invalid config handling (malformed YAML, validation errors) in pkg/config/config_test.go
### Implementation for User Story 1
- [ ] T021 [US1] Implement atomic config pointer swap in pkg/config/config.go (sync/atomic usage)
- [ ] T022 [US1] Implement config change callback with validation in pkg/config/watcher.go
- [ ] T023 [US1] Add config reload logging with Zap in pkg/config/watcher.go
- [ ] T024 [US1] Integrate config watcher with context cancellation in cmd/api/main.go
- [ ] T025 [US1] Add graceful shutdown for config watcher in cmd/api/main.go
**Checkpoint**: Config hot reload should work independently - modify config and see changes applied
---
## Phase 4: User Story 2 - Structured Logging and Log Rotation (Priority: P1)
**Goal**: Production-ready JSON logging with automatic rotation and separate app/access logs
**Independent Test**: Generate logs, verify JSON format in app.log and access.log, trigger rotation by size
### Unit Tests for User Story 2
- [ ] T026 [P] [US2] Unit test for logger initialization in pkg/logger/logger_test.go
- [ ] T027 [P] [US2] Unit test for log rotation configuration in pkg/logger/rotation_test.go
- [ ] T028 [P] [US2] Test structured logging with fields in pkg/logger/logger_test.go
### Implementation for User Story 2
- [ ] T029 [P] [US2] Create appLogger instance with Lumberjack writer in pkg/logger/logger.go
- [ ] T030 [P] [US2] Create accessLogger instance with separate Lumberjack writer in pkg/logger/logger.go
- [ ] T031 [US2] Configure JSON encoder with RFC3339 timestamps in pkg/logger/logger.go
- [ ] T032 [US2] Export GetAppLogger() and GetAccessLogger() functions in pkg/logger/logger.go
- [ ] T033 [US2] Add logger.Sync() call in graceful shutdown in cmd/api/main.go
**Checkpoint**: Both app.log and access.log should exist with JSON entries, rotate at configured size
---
## Phase 5: User Story 3 - Unified API Response Format (Priority: P1)
**Goal**: Consistent response structure across all endpoints
**Independent Test**: Call any endpoint, verify response has {code, data, msg, timestamp} structure
### Unit Tests for User Story 3
- [ ] T034 [P] [US3] Unit test for Success() response helper in pkg/response/response_test.go
- [ ] T035 [P] [US3] Unit test for Error() response helper in pkg/response/response_test.go
- [ ] T036 [P] [US3] Test response serialization with sonic JSON in pkg/response/response_test.go
### Implementation for User Story 3
- [ ] T037 [P] [US3] Implement Success() helper function in pkg/response/response.go
- [ ] T038 [P] [US3] Implement Error() helper function in pkg/response/response.go
- [ ] T039 [P] [US3] Implement SuccessWithMessage() helper function in pkg/response/response.go
- [ ] T040 [US3] Configure Fiber to use sonic as JSON serializer in cmd/api/main.go
- [ ] T041 [US3] Create example health check endpoint using response helpers in internal/handler/health.go
- [ ] T042 [US3] Register health check route in cmd/api/main.go
**Checkpoint**: Health check endpoint returns unified response format with proper structure
---
## Phase 6: User Story 4 - Request Logging and Tracing (Priority: P2)
**Goal**: Unique UUID v4 request ID for every request with comprehensive access logging
**Independent Test**: Make requests, verify each has unique X-Request-ID header and appears in logs
### Integration Tests for User Story 4
- [ ] T043 [P] [US4] Integration test for requestid middleware (UUID v4 generation) in tests/integration/middleware_test.go
- [ ] T044 [P] [US4] Integration test for logger middleware (access log entries) in tests/integration/middleware_test.go
- [ ] T045 [P] [US4] Test request ID propagation through middleware chain in tests/integration/middleware_test.go
### Implementation for User Story 4
- [ ] T046 [P] [US4] Configure Fiber requestid middleware with google/uuid in cmd/api/main.go
- [ ] T047 [US4] Implement custom logger middleware writing to accessLogger in internal/middleware/logger.go
- [ ] T048 [US4] Add request ID to Fiber Locals in logger middleware in internal/middleware/logger.go
- [ ] T049 [US4] Add X-Request-ID response header in logger middleware in internal/middleware/logger.go
- [ ] T050 [US4] Log request details (method, path, status, duration, IP, user_agent) to access.log in internal/middleware/logger.go
- [ ] T051 [US4] Register requestid and logger middleware in correct order in cmd/api/main.go
**Checkpoint**: Every request should have unique UUID v4 in header and access.log, with full request details
---
## Phase 7: User Story 5 - Automatic Error Recovery (Priority: P2)
**Goal**: Recover from panics, log stack trace, return error response, continue serving requests
**Independent Test**: Trigger panic in handler, verify server doesn't crash, returns 500, logs stack trace
### Integration Tests for User Story 5
- [ ] T052 [P] [US5] Integration test for panic recovery in tests/integration/middleware_test.go
- [ ] T053 [P] [US5] Test panic logging with stack trace in tests/integration/middleware_test.go
- [ ] T054 [P] [US5] Test subsequent requests after panic recovery in tests/integration/middleware_test.go
### Implementation for User Story 5
- [ ] T055 [US5] Implement custom recover middleware with Zap logging in internal/middleware/recover.go
- [ ] T056 [US5] Add stack trace capture to recover middleware in internal/middleware/recover.go
- [ ] T057 [US5] Add request ID to panic logs in internal/middleware/recover.go
- [ ] T058 [US5] Return unified error response (500, code 1000) on panic in internal/middleware/recover.go
- [ ] T059 [US5] Register recover middleware as FIRST middleware in cmd/api/main.go
- [ ] T060 [US5] Create test panic endpoint for testing in internal/handler/test.go (optional, for quickstart validation)
**Checkpoint**: Panic in handler should be caught, logged with stack trace, return 500, server continues running
---
## Phase 8: User Story 6 - Token-Based Authentication (Priority: P2)
**Goal**: Validate authentication tokens against Redis, enforce access control
**Independent Test**: Request with valid/invalid/missing token, verify 200/401 responses with correct error codes
### Unit Tests for User Story 6
- [ ] T061 [P] [US6] Unit test for TokenValidator.Validate() with valid token in pkg/validator/token_test.go
- [ ] T062 [P] [US6] Unit test for expired/invalid token (redis.Nil) in pkg/validator/token_test.go
- [ ] T063 [P] [US6] Unit test for Redis unavailable (fail closed) in pkg/validator/token_test.go
- [ ] T064 [P] [US6] Unit test for context timeout in Redis operations in pkg/validator/token_test.go
### Integration Tests for User Story 6
- [ ] T065 [P] [US6] Integration test for keyauth middleware with valid token in tests/integration/auth_test.go
- [ ] T066 [P] [US6] Integration test for missing token (401, code 1001) in tests/integration/auth_test.go
- [ ] T067 [P] [US6] Integration test for invalid token (401, code 1002) in tests/integration/auth_test.go
- [ ] T068 [P] [US6] Integration test for Redis down (503, code 1004) in tests/integration/auth_test.go
### Implementation for User Story 6
- [ ] T069 [US6] Create TokenValidator struct with Redis client in pkg/validator/token.go
- [ ] T070 [US6] Implement TokenValidator.Validate() with Redis GET operation in pkg/validator/token.go
- [ ] T071 [US6] Add context timeout (50ms) for Redis operations in pkg/validator/token.go
- [ ] T072 [US6] Implement Redis availability check (Ping) with fail-closed behavior in pkg/validator/token.go
- [ ] T073 [US6] Implement custom keyauth middleware wrapper in internal/middleware/auth.go
- [ ] T074 [US6] Configure keyauth with header lookup "token" in internal/middleware/auth.go
- [ ] T075 [US6] Add validator callback to keyauth config in internal/middleware/auth.go
- [ ] T076 [US6] Store user_id in Fiber Locals after successful validation in internal/middleware/auth.go
- [ ] T077 [US6] Implement custom ErrorHandler mapping errors to response codes in internal/middleware/auth.go
- [ ] T078 [US6] Add auth failure logging with request ID in internal/middleware/auth.go
- [ ] T079 [US6] Register keyauth middleware after logger in cmd/api/main.go
- [ ] T080 [US6] Create protected example endpoint (/api/v1/users) in internal/handler/user.go
- [ ] T081 [US6] Register protected routes with middleware in cmd/api/main.go
**Checkpoint**: Protected endpoints require valid token, reject invalid/missing tokens with correct error codes
---
## Phase 9: User Story 7 - Rate Limiting Configuration (Priority: P3)
**Goal**: Provide IP-based rate limiting capability (disabled by default, easy to enable)
**Independent Test**: Enable limiter, exceed limit, verify 429 responses; disable and verify no limiting
### Integration Tests for User Story 7
- [ ] T082 [P] [US7] Integration test for rate limiter with limit exceeded (429, code 1003) in tests/integration/ratelimit_test.go
- [ ] T083 [P] [US7] Integration test for rate limit reset after window expiration in tests/integration/ratelimit_test.go
- [ ] T084 [P] [US7] Test per-IP rate limiting (different IPs have separate limits) in tests/integration/ratelimit_test.go
### Implementation for User Story 7
- [ ] T085 [US7] Implement rate limiter middleware wrapper (COMMENTED by default) in internal/middleware/ratelimit.go
- [ ] T086 [US7] Configure limiter with IP-based key generator (c.IP()) in internal/middleware/ratelimit.go
- [ ] T087 [US7] Configure limiter with config values (Max, Expiration) in internal/middleware/ratelimit.go
- [ ] T088 [US7] Add custom LimitReached handler returning unified error response in internal/middleware/ratelimit.go
- [ ] T089 [US7] Add commented middleware registration example in cmd/api/main.go
- [ ] T090 [US7] Document rate limiter usage in quickstart.md (how to enable, configure)
- [ ] T091 [US7] Add rate limiter configuration examples to config files
**Checkpoint**: Rate limiter can be enabled via config, blocks excess requests per IP, returns 429 with code 1003
---
## Phase 10: Polish & Quality Gates
**Purpose**: Final quality checks and cross-cutting improvements
### Documentation & Examples
- [ ] T092 [P] Update quickstart.md with actual file paths and final configuration
- [ ] T093 [P] Create example requests (curl commands) in quickstart.md for all scenarios
- [ ] T094 [P] Document middleware execution order in docs/ or README
- [ ] T095 [P] Add troubleshooting section to quickstart.md
- [ ] T095a [P] Create docs/rate-limiting.md with configuration guide, code examples, testing instructions, storage options comparison, and common usage patterns (implements FR-020)
### Code Quality
- [ ] T096 [P] Add Go doc comments to all exported functions and types
- [ ] T097 [P] Run code quality checks (gofmt, go vet, golangci-lint) on all Go files
- [ ] T098 [P] Fix all formatting, linting, and static analysis issues reported by T097
- [ ] T099 Review all Redis key usage, ensure no hardcoded strings (use constants.RedisAuthTokenKey())
- [ ] T101 Review all error handling, ensure explicit returns (no panic abuse)
- [ ] T102 Review naming conventions (UserID not userId, HTTPServer not HttpServer)
- [ ] T103 Check for Java-style anti-patterns (no I-prefix, no Impl-suffix, no getters/setters)
### Testing & Coverage
- [ ] T104 Run all unit tests: go test ./pkg/...
- [ ] T105 Run all integration tests: go test ./tests/integration/...
- [ ] T106 Measure test coverage: go test -cover ./...
- [ ] T107 Verify core business logic coverage >= 90% (config, logger, validator)
- [ ] T108 Verify overall coverage >= 70%
### Security Audit
- [ ] T109 Review authentication fail-closed behavior (Redis unavailable = 503)
- [ ] T110 Review context timeouts on Redis operations
- [ ] T111 Check for command injection vulnerabilities
- [ ] T112 Verify no sensitive data in logs (tokens, passwords)
- [ ] T113 Review error messages (no sensitive information leakage)
### Performance Validation
- [ ] T114 Test middleware overhead < 5ms per request (load testing)
- [ ] T115 Verify log rotation doesn't block requests
- [ ] T116 Test config hot reload doesn't affect in-flight requests
- [ ] T117 Verify Redis connection pool handles load correctly
### Final Quality Gates
- [ ] T118 Quality Gate: All tests pass (go test ./...)
- [ ] T119 Quality Gate: No formatting issues (gofmt -l . returns empty)
- [ ] T120 Quality Gate: No vet issues (go vet ./...)
- [ ] T121 Quality Gate: Test coverage meets requirements (70%+ overall, 90%+ core)
- [ ] T122 Quality Gate: All TODOs/FIXMEs addressed or documented
- [ ] T123 Quality Gate: quickstart.md works end-to-end (manual validation)
- [ ] T124 Quality Gate: All middleware integrated and working together
- [ ] T125 Quality Gate: Graceful shutdown works correctly (no goroutine leaks)
- [ ] T126 Quality Gate: Constitution compliance verified (no violations)
---
## Dependencies & Execution Order
### Phase Dependencies
1. **Setup (Phase 1)**: No dependencies - start immediately
2. **Foundational (Phase 2)**: Depends on Setup (Phase 1) - BLOCKS all user stories
3. **User Stories (Phases 3-9)**: All depend on Foundational (Phase 2) completion
- US1, US2, US3 can proceed in parallel (independent)
- US4 depends on US2 (needs logger)
- US5 can proceed in parallel with others
- US6 depends on US3 (needs response format)
- US7 depends on US3 (needs response format)
4. **Polish (Phase 10)**: Depends on all desired user stories being complete
### User Story Dependencies
```
Foundational (Phase 2) - MUST COMPLETE FIRST
├─→ US1: Config Hot Reload (independent)
├─→ US2: Logging (independent)
├─→ US3: Response Format (independent)
├─→ US4: Request Tracing (depends on US2: logger)
├─→ US5: Error Recovery (independent)
├─→ US6: Authentication (depends on US3: response format)
└─→ US7: Rate Limiting (depends on US3: response format)
```
### Within Each User Story
- Tests MUST be written FIRST and FAIL before implementation
- Models/structures before services
- Services before middleware
- Middleware before registration in main.go
- Core implementation before integration
### Parallel Opportunities
**Phase 1 (Setup)**: All tasks T002-T007 marked [P] can run in parallel
**Phase 2 (Foundational)**:
- T012 (dev/staging/prod configs) can run in parallel with others
- T013-T016 (logging) can run in parallel as group
- These are independent file operations
**Phase 3-9 (User Stories)**:
- After Foundational completes, these can start in parallel:
- US1: T018-T025 (config hot reload)
- US2: T026-T033 (logging)
- US3: T034-T042 (response format)
- US5: T052-T060 (error recovery)
- After US2 completes:
- US4: T043-T051 (request tracing)
- After US3 completes:
- US6: T061-T081 (authentication)
- US7: T082-T091 (rate limiting)
**Phase 10 (Polish)**: Many tasks marked [P] can run in parallel (documentation, linting, etc.)
---
## Parallel Execution Examples
### Example 1: Setup Phase (All Parallel)
```bash
# Launch all setup tasks together (different files):
Task T002: "Setup unified error codes in pkg/errors/codes.go"
Task T003: "Setup custom error types in pkg/errors/errors.go"
Task T004: "Setup unified response structure in pkg/response/response.go"
Task T005: "Setup response code constants in pkg/response/codes.go"
Task T006: "Setup business constants in pkg/constants/constants.go"
Task T007: "Setup Redis key generation functions in pkg/constants/redis.go"
```
### Example 2: User Story Tests (Parallel within Story)
```bash
# US6 unit tests - all can run in parallel:
Task T061: "Unit test for TokenValidator with valid token"
Task T062: "Unit test for expired/invalid token"
Task T063: "Unit test for Redis unavailable"
Task T064: "Unit test for context timeout"
# US6 integration tests - all can run in parallel:
Task T065: "Integration test with valid token"
Task T066: "Integration test for missing token"
Task T067: "Integration test for invalid token"
Task T068: "Integration test for Redis down"
```
### Example 3: Independent User Stories (After Foundation)
```bash
# After Phase 2 completes, these can all start in parallel:
Agent 1: Work on US1 (Config Hot Reload) - T018 through T025
Agent 2: Work on US2 (Logging) - T026 through T033
Agent 3: Work on US3 (Response Format) - T034 through T042
Agent 4: Work on US5 (Error Recovery) - T052 through T060
```
---
## Implementation Strategy
### MVP First (Minimum Viable Product)
**Recommendation**: Complete Phases 1-5 (Setup + Foundation + US1 + US2 + US3) for MVP
This delivers:
- Configuration hot reload (US1)
- Production logging (US2)
- API response consistency (US3)
Then deploy and validate before adding authentication and other features.
### Incremental Delivery Roadmap
1. **Foundation** (Phases 1-2): ~2-3 days
- Setup + Foundational infrastructure
- **Deliverable**: Basic Fiber app with config, logging, response structure
2. **MVP** (Phases 3-5): ~2-3 days
- US1: Config hot reload
- US2: Logging with rotation
- US3: Unified responses
- **Deliverable**: Production-ready foundation with observability
3. **Observability+** (Phases 6-7): ~2-3 days
- US4: Request tracing
- US5: Error recovery
- **Deliverable**: Complete observability and fault tolerance
4. **Security** (Phase 8): ~2-3 days
- US6: Authentication
- **Deliverable**: Secured API with Redis token validation
5. **Production Hardening** (Phases 9-10): ~2-3 days
- US7: Rate limiting (optional)
- Polish and quality gates
- **Deliverable**: Production-ready system
**Total Estimated Time**: 10-15 days (single developer)
### Parallel Team Strategy
With 3 developers after Foundation completes:
- **Dev A**: US1 + US2 (Config + Logging) - Core infrastructure
- **Dev B**: US3 + US4 (Response + Tracing) - API foundation
- **Dev C**: US5 + US6 (Recovery + Auth) - Reliability + Security
Then converge for US7 and Polish.
**Estimated Time with Parallel Work**: 7-10 days
---
## Task Summary
- **Total Tasks**: 127 (updated: added T012a for environment config testing, T095a for rate-limiting.md documentation, consolidated code quality checks from 4 tasks into 3 tasks)
- **Setup Phase**: 7 tasks
- **Foundational Phase**: 11 tasks (BLOCKING) - includes T012a
- **User Story 1** (Config): 8 tasks (3 tests + 5 implementation)
- **User Story 2** (Logging): 8 tasks (3 tests + 5 implementation)
- **User Story 3** (Response): 9 tasks (3 tests + 6 implementation)
- **User Story 4** (Tracing): 9 tasks (3 tests + 6 implementation)
- **User Story 5** (Recovery): 9 tasks (3 tests + 6 implementation)
- **User Story 6** (Auth): 21 tasks (8 tests + 13 implementation)
- **User Story 7** (Rate Limit): 10 tasks (3 tests + 7 implementation)
- **Polish Phase**: 35 tasks (documentation, quality, security) - includes T095a, consolidated code quality checks
**Parallelizable Tasks**: 47 tasks marked [P] (added T012a, T095a)
**Test Coverage**:
- Unit tests: 24 tasks (added T012a)
- Integration tests: 18 tasks
- Total test tasks: 42 (33% of all tasks)
**Constitution Compliance**:
- ✅ All tasks follow Handler → Service → Store → Model pattern
- ✅ All Redis keys use generation functions (no hardcoded strings)
- ✅ All responses use unified format
- ✅ All error codes centralized
- ✅ Go idiomatic patterns (no Java-style anti-patterns)
- ✅ Explicit error handling throughout
- ✅ Context usage for timeouts and cancellation
---
## Next Steps
1. ✅ Tasks.md generated and validated
2. ⏳ Review task list with team
3. ⏳ Set up development environment (Go 1.25.1, Redis 7.x)
4. ⏳ Run `/speckit.implement` to begin implementation
5. ⏳ Start with Phase 1 (Setup) - all tasks can run in parallel
**Ready for Implementation**: Yes - all tasks are specific, have file paths, and follow constitution principles.
Reference in New Issue View Git Blame Copy Permalink