feat: use postgres

2026-04-26 20:34:39 +02:00
parent 48b0056b49
commit fe829285a6
365 changed files with 29223 additions and 24049 deletions
@@ -7,10 +7,16 @@ verification, shutdown, and common authsession incidents.

 Before starting the process, confirm:

- `AUTHSESSION_REDIS_ADDR` points to the Redis deployment used for authsession
-  source-of-truth data, resend throttling, and gateway projection
- the configured Redis ACL, DB, TLS, and key-prefix settings match the target
-  environment
+- `AUTHSESSION_REDIS_MASTER_ADDR` and `AUTHSESSION_REDIS_PASSWORD` point to the
+  Redis deployment used for authsession source-of-truth data, resend
+  throttling, and gateway projection. Optional read replicas may be listed in
+  `AUTHSESSION_REDIS_REPLICA_ADDRS` (currently unused; reserved for future
+  read-routing).
+- the configured Redis DB and key-prefix settings match the target environment.
+  Per `ARCHITECTURE.md §Persistence Backends`, Redis traffic is
+  password-protected and TLS is disabled by policy; the deprecated
+  `AUTHSESSION_REDIS_TLS_ENABLED` and `AUTHSESSION_REDIS_USERNAME` variables
+  are no longer accepted and cause a hard fail at startup.
 - if `AUTHSESSION_USER_SERVICE_MODE=rest`, both
  `AUTHSESSION_USER_SERVICE_BASE_URL` and
  `AUTHSESSION_USER_SERVICE_REQUEST_TIMEOUT` are configured
@@ -21,15 +27,10 @@ Before starting the process, confirm:
  - `gateway:session:` cache key prefix
  - `gateway:session_events` stream name

-At startup the process performs bounded `PING` checks for:
-
- challenge store
- session store
- config provider
- gateway projection publisher
- resend-throttle protector
-
-Startup fails fast if any of those checks fail.
+At startup the process performs one bounded `PING` against the shared Redis
+client used by every adapter (challenge store, session store, config provider,
+gateway projection publisher, resend-throttle protector). Startup fails fast
+if the ping fails.

 Expected listener state after a healthy start: