Commit fb2b82
2026-03-13 01:52:00 Claude (Dev): [mcp] Port Phase 4 tasks to wiki
| /dev/null .. tasks/phase 4.md | |
| @@ 0,0 1,172 @@ | |
| + | ## How to read this document |
| + | |
| + | - **Dependencies** list task IDs that must be complete before this task starts |
| + | - **Parallel group** identifies tasks that can run simultaneously within a phase |
| + | - **Target** identifies which repo and branch the work goes into |
| + | - Tasks are numbered `P{phase}-{sequence}` (e.g., P0-3) |
| + | - Acceptance criteria are binary — pass or fail, no judgment calls |
| + | |
| + | --- |
| + | |
| + | ## Phase 4: Git Remote + Launch Prep |
| + | |
| + | **Goal:** Git clone/pull access, rate limiting, monitoring, backups, landing page. Free tier shippable after this phase. |
| + | |
| + | ### P4-1: Git Smart HTTP |
| + | |
| + | **Parallel group:** Phase 4 (parallel with P4-3, P4-4, P4-5, P4-6) |
| + | **Dependencies:** P1-7 (routing) |
| + | **Target:** `wikibot-io` repo, `feat/P4-1-git-http` |
| + | |
| + | **Description:** |
| + | Implement Git smart HTTP protocol for read-only clone/pull access (free tier). Lambda handles `git-upload-pack` for clone/fetch. Use dulwich for pure-Python Git protocol handling (no `git` binary dependency). |
| + | |
| + | Route: `{username}.wikibot.io/{wiki}.git/*` |
| + | |
| + | **Deliverables:** |
| + | - `app/git/smart_http.py` — Git smart HTTP handlers (info/refs, git-upload-pack) |
| + | - API Gateway routes for `/{wiki}.git/*` |
| + | - Integration test: `git clone https://user.wikibot.io/wiki.git` |
| + | |
| + | **Acceptance criteria:** |
| + | - [ ] `git clone` succeeds for authorized user |
| + | - [ ] `git pull` fetches latest changes |
| + | - [ ] `git push` rejected for free tier (read-only) |
| + | - [ ] Unauthorized clone rejected (unless public wiki) |
| + | - [ ] Public wiki clonable without auth |
| + | |
| + | --- |
| + | |
| + | ### P4-2: Git Auth |
| + | |
| + | **Parallel group:** Phase 4 |
| + | **Dependencies:** P4-1, P2-2 |
| + | **Target:** `wikibot-io` repo, `feat/P4-2-git-auth` |
| + | |
| + | **Description:** |
| + | Git credential authentication. Users authenticate `git clone/pull` with their MCP bearer token as password (username ignored or set to `token`). The Lambda validates the bearer token against the wiki's stored hash. |
| + | |
| + | **Deliverables:** |
| + | - Git credential validation in smart HTTP handler |
| + | - Documentation: how to configure `git credential helper` for wikibot.io |
| + | - Integration test: authenticated clone, rejected unauthorized clone |
| + | |
| + | **Acceptance criteria:** |
| + | - [ ] `git clone https://token:<bearer>@user.wikibot.io/wiki.git` succeeds |
| + | - [ ] Invalid token rejected with 401 |
| + | - [ ] Git credential helper instructions work |
| + | |
| + | --- |
| + | |
| + | ### P4-3: WAF Setup |
| + | |
| + | **Parallel group:** Phase 4 (independent) |
| + | **Dependencies:** None (can apply to existing API Gateway) |
| + | **Target:** `wikibot-io` repo, `feat/P4-3-waf` |
| + | |
| + | **Description:** |
| + | AWS WAF on API Gateway and CloudFront. IP-based rate limiting, OWASP Top 10 managed rule set, bot control. |
| + | |
| + | **Deliverables:** |
| + | - `infra/components/waf.py` — WAF web ACL, managed rules, rate limiting |
| + | - Rate limit: 100 requests/minute per IP (adjustable) |
| + | - OWASP managed rule set attached |
| + | |
| + | **Acceptance criteria:** |
| + | - [ ] WAF attached to API Gateway and CloudFront |
| + | - [ ] Rate limiting triggers on excessive requests |
| + | - [ ] OWASP rules active |
| + | - [ ] Legitimate traffic not affected |
| + | |
| + | --- |
| + | |
| + | ### P4-4: Monitoring and Alerting |
| + | |
| + | **Parallel group:** Phase 4 (independent) |
| + | **Dependencies:** None |
| + | **Target:** `wikibot-io` repo, `feat/P4-4-monitoring` |
| + | |
| + | **Description:** |
| + | CloudWatch dashboards, alarms, and alerting for production readiness. |
| + | |
| + | **Deliverables:** |
| + | - `infra/components/monitoring.py` — dashboards, alarms, SNS topics |
| + | - Dashboard: Lambda invocations, errors, duration, cold starts; API Gateway 4xx/5xx rates; DynamoDB throttles; EFS IOPS |
| + | - Alarms: Lambda error rate > 5%, API 5xx rate > 1%, DynamoDB throttle, EFS burst credit depletion |
| + | - SNS email notifications for alarms |
| + | |
| + | **Acceptance criteria:** |
| + | - [ ] Dashboard viewable in CloudWatch console |
| + | - [ ] Alarms trigger on test conditions |
| + | - [ ] Email notifications received |
| + | |
| + | --- |
| + | |
| + | ### P4-5: Backup Strategy |
| + | |
| + | **Parallel group:** Phase 4 (independent) |
| + | **Dependencies:** None |
| + | **Target:** `wikibot-io` repo, `feat/P4-5-backups` |
| + | |
| + | **Description:** |
| + | AWS Backup for EFS (daily snapshots, 30-day retention). DynamoDB PITR (already enabled in P2-1, verify here). |
| + | |
| + | **Deliverables:** |
| + | - `infra/components/backups.py` — AWS Backup vault, plan, selection for EFS |
| + | - Verification that DynamoDB PITR is enabled |
| + | - Runbook: how to restore from EFS backup, how to restore DynamoDB to point-in-time |
| + | |
| + | **Acceptance criteria:** |
| + | - [ ] AWS Backup plan created with daily schedule |
| + | - [ ] EFS filesystem selected for backup |
| + | - [ ] 30-day retention configured |
| + | - [ ] DynamoDB PITR verified active |
| + | - [ ] Restore runbook written and tested (at least one test restore) |
| + | |
| + | --- |
| + | |
| + | ### P4-6: Landing Page and Docs |
| + | |
| + | **Parallel group:** Phase 4 (independent) |
| + | **Dependencies:** P3-7 (static hosting infrastructure) |
| + | **Target:** `wikibot-io` repo, `feat/P4-6-landing` |
| + | |
| + | **Description:** |
| + | Public landing page at `wikibot.io` for new visitors. Explains what wikibot.io is, shows pricing (free tier), and has a signup CTA. Basic docs covering: getting started, MCP setup, wiki conventions. |
| + | |
| + | **Deliverables:** |
| + | - Landing page (within SPA or separate static page) |
| + | - Getting Started guide |
| + | - MCP setup documentation |
| + | - Pricing section (free tier only for now, "premium coming soon") |
| + | |
| + | **Acceptance criteria:** |
| + | - [ ] Landing page loads at `https://wikibot.io/` |
| + | - [ ] Getting Started guide covers: signup → create wiki → connect MCP → first note |
| + | - [ ] MCP setup docs cover Claude.ai and Claude Code |
| + | - [ ] CTA links to signup/login |
| + | |
| + | --- |
| + | |
| + | ### P4-7: Phase 4 E2E Test |
| + | |
| + | **Parallel group:** Phase 4 (final) |
| + | **Dependencies:** All P4 tasks |
| + | **Target:** `wikibot-io` repo, `feat/P4-7-e2e` |
| + | |
| + | **Description:** |
| + | Full free-tier user journey: discover → signup → create wiki → connect MCP → write notes → clone repo → manage collaborators. This is the launch readiness test. |
| + | |
| + | **Deliverables:** |
| + | - `tests/e2e/test_phase4.py` |
| + | - Results documented in wiki |
| + | |
| + | **Acceptance criteria:** |
| + | - [ ] Landing page → signup → dashboard flow works |
| + | - [ ] Wiki creation, MCP connection, note writing all work |
| + | - [ ] Git clone of wiki repo succeeds |
| + | - [ ] Collaborator invitation and access works |
| + | - [ ] Rate limiting doesn't block normal usage |
| + | - [ ] Monitoring dashboard shows the test traffic |
| + | - [ ] Backup has run at least once |
| + | - [ ] No security warnings in WAF logs from legitimate traffic |
| \ | No newline at end of file |
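Review bot: In P4-2, the acceptance criterion `git clone https://token:<bearer>@user.wikibot.io/wiki.git` makes a token embedded in the remote URL the tested path, and git keeps a URL given that way as the origin URL in the clone's `.git/config`, besides leaving it in shell history. The same task already ships credential-helper documentation, so make the helper (or the interactive password prompt) the criterion that has to pass and keep the URL form out of the user docs. The description should also state that the comparison of the presented token against the stored hash is constant-time. Two smaller points. P4-1 lists "Unauthorized clone rejected (unless public wiki)" as an acceptance criterion but depends only on P1-7, while credential validation arrives in P4-2, which itself depends on P4-1; either move that criterion to P4-2 or say what P4-1 checks against. In P4-3, "Legitimate traffic not affected" (and "Rate limiting doesn't block normal usage" in P4-7) is not binary in the sense the "How to read this document" section requires, and bot control can flag non-browser clients such as `git`; name the concrete check, for example that the P4-1 clone integration test passes with the web ACL attached.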