Marcel 1109ab917b docs(observability): ADR-024 + rotation runbook for grafana_reader ...

ADR-024 records the deliberate cross-domain link (obs-grafana joins
archiv-net to query archive-db via the SELECT-only grafana_reader role),
the rejected alternatives (Prometheus exporter, read replica, versioned
migration + flyway repair, hardcoded fallback), and the consequences —
specifically that a Grafana compromise gains TCP reach to archive-db
but is bounded by the role's least-privilege grants.

The DEPLOYMENT.md runbook documents the rotation procedure that
R__grafana_reader_password.sql now enables: bump GRAFANA_DB_PASSWORD,
restart backend (Flyway re-applies because the resolved checksum
changed), restart obs-grafana (datasource picks up the new env var).
Also calls out the fail-closed startup behavior so operators who hit
IllegalStateException know it is deliberate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-22 17:21:27 +02:00

..

001-ocr-python-microservice.md

docs(adr): add ADR-001 (OCR microservice) and ADR-002 (polygon JSONB)

2026-04-12 15:07:46 +02:00

002-polygon-jsonb-storage.md

docs(adr): add ADR-001 (OCR microservice) and ADR-002 (polygon JSONB)

2026-04-12 15:07:46 +02:00

003-chronik-unified-activity-feed.md

feat(chronik): add ADR-003 + Paraglide keys for /chronik page (de/en/es)

2026-04-20 20:38:10 +02:00

004-pdfbox-thumbnails.md

docs(adr): document layering exception and in-memory backfill state

2026-04-22 22:58:36 +02:00

005-thumbnail-aspect-and-page-count.md

docs(adr): ADR-005 thumbnailAspect + pageCount alongside the thumbnail

2026-04-23 21:38:56 +02:00

006-synchronous-domain-events-in-transaction.md

docs(adr): ADR-006 synchronous domain events inside the publisher's transaction

2026-04-28 21:42:03 +02:00

007-reader-dashboard-permission-discriminant.md

docs(adr): ADR-007 reader-dashboard permission discriminant

2026-05-08 15:56:47 +02:00

008-fts-sql-pagination.md

docs(adr): ADR-008 SQL-level FTS pagination via window-function CTE

2026-05-09 16:35:01 +02:00

009-standalone-compose-not-overlay.md

docs(adr): ADR-009 standalone docker-compose.prod.yml, not overlay

2026-05-11 13:14:58 +02:00

010-minio-self-hosted-not-hetzner-obs.md

docs(adr): ADR-010 MinIO stays self-hosted, Hetzner OBS deferred

2026-05-11 13:15:38 +02:00

011-single-tenant-gitea-runner.md

docs(adr): ADR-011 single-tenant Gitea runner with on-disk env-files

2026-05-11 13:16:20 +02:00

012-browser-test-mocking-strategy.md

docs(adr-012): document duplicate-id hazard and patch-package backport

2026-05-13 08:09:57 +02:00

012-nsenter-for-host-service-management-in-ci.md

docs(adr): ADR-012 — nsenter via privileged container for host service management in CI

2026-05-12 07:42:28 +02:00

013-client-branches-coverage-threshold.md

docs(adr-013): set exact baseline to 75% (confirmed in CI)

2026-05-14 09:03:45 +02:00

014-upload-artifact-v3-pin.md

docs(adr-014): record upload-artifact v3 pin and Gitea act_runner v4 limitation

2026-05-14 10:58:19 +02:00

015-dood-workspace-bind-mount.md

docs(adr): add ADR-015 for DooD workspace bind-mount approach

2026-05-15 19:38:18 +02:00

016-obs-stack-co-location-ci-push.md

docs(adr): correct ADR-016 Decision section to match two-source env model

2026-05-16 08:52:42 +02:00

017-management-port-security.md

docs(adr): add ADR-017 — Spring Boot 4.0 management port shares main security filter chain

2026-05-16 15:46:45 +02:00

018-glitchtip-frontend-error-tracking.md

docs(adr): add ADR-018 for GlitchTip frontend error tracking via @sentry/sveltekit

2026-05-17 10:27:46 +02:00

019-container-hardening-baseline.md

docs(adr): ADR-019 — container hardening baseline (non-root + read-only)

2026-05-17 17:33:06 +02:00

020-stateful-auth-via-spring-session-jdbc.md

docs(adr): ADR-020 — stateful auth via Spring Session JDBC

2026-05-17 19:15:51 +02:00

021-tmpdir-persistent-volume-staging.md

docs(ocr): document TMPDIR convention and add ADR-021

2026-05-18 10:58:10 +02:00

022-csrf-session-revocation-rate-limiting.md

fix(auth): address PR #617 review feedback on CSRF/rate-limit implementation

2026-05-19 09:23:01 +02:00

022-eager-to-lazy-fetch-strategy.md

fix(document): fix test assertion structure + add entity graph decision comments

2026-05-19 09:23:30 +02:00

023-prometheus-instrumentator-and-metrics-registry-injection.md

docs: add ADR-023 and glossary entries for OCR metrics

2026-05-21 17:06:44 +02:00

024-grafana-reads-archive-db-via-bridged-network.md

docs(observability): ADR-024 + rotation runbook for grafana_reader

2026-05-22 17:21:27 +02:00