Chris0Jeky
diff --git a/‎.github/workflows/cd-staging-gate.yml‎
Lines changed: 212 additions & 0 deletions b/‎.github/workflows/cd-staging-gate.yml‎
Lines changed: 212 additions & 0 deletions
diff --git a/‎.github/workflows/ci-extended.yml‎
Lines changed: 17 additions & 0 deletions b/‎.github/workflows/ci-extended.yml‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎.github/workflows/ci-required.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/ci-required.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/mutation-testing.yml‎
Lines changed: 120 additions & 0 deletions b/‎.github/workflows/mutation-testing.yml‎
Lines changed: 120 additions & 0 deletions
@@ -0,0 +1,212 @@
+# =============================================================================
+# CD Staging Gate — Automated staging deployment verification and production
+# promotion gate. Implements Phase 1-2 of the staged deployment workflow
+# (docs/ops/DEPLOYMENT_WORKFLOW.md) with a manual approval gate for Phase 3.
+#
+# Triggers:
+#   - Release published (automatic)
+#   - Manual workflow dispatch (for re-runs or pre-release validation)
+#
+# ADR: ADR-0028 (Staged Deployment — Blue/Green with Canary Verification)
+# Issue: #101 (OPS-09)
+# =============================================================================
+
+name: CD Staging Gate
+
+on:
+  workflow_dispatch:
+    inputs:
+      image_tag:
+        description: "Container image tag to deploy (e.g., v0.2.0)"
+        required: true
+        type: string
+      skip_smoke:
+        description: "Skip smoke tests (emergency only)"
+        required: false
+        type: boolean
+        default: false
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+  actions: read
+
+concurrency:
+  group: cd-staging-${{ github.ref }}
+  cancel-in-progress: false
+
+env:
+  NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+
+jobs:
+  # -----------------------------------------------------------------------
+  # Phase 1: Build Verification
+  # -----------------------------------------------------------------------
+  build-verification:
+    name: "Phase 1: Build Verification"
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    outputs:
+      image_tag: ${{ steps.resolve-tag.outputs.tag }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Resolve image tag
+        id: resolve-tag
+        env:
+          INPUT_TAG: ${{ inputs.image_tag }}
+          EVENT_NAME: ${{ github.event_name }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          if [[ -n "$INPUT_TAG" ]]; then
+            TAG="$INPUT_TAG"
+          elif [[ "$EVENT_NAME" == "release" ]]; then
+            TAG="$RELEASE_TAG"
+          else
+            TAG="$(git describe --tags --always)"
+          fi
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          echo "Resolved image tag: $TAG"
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: 8.0.x
+          cache: true
+          cache-dependency-path: |
+            backend/Taskdeck.sln
+            backend/**/*.csproj
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24.13.1
+          cache: npm
+          cache-dependency-path: frontend/taskdeck-web/package-lock.json
+
+      - name: Restore and build backend
+        run: |
+          dotnet restore backend/Taskdeck.sln
+          dotnet build backend/Taskdeck.sln -c Release --no-restore
+
+      - name: Install and build frontend
+        working-directory: frontend/taskdeck-web
+        run: |
+          npm ci
+          npx vite build
+
+      - name: Build container images
+        run: |
+          docker build -f deploy/docker/backend.Dockerfile -t taskdeck-api:${{ steps.resolve-tag.outputs.tag }} .
+          docker build --build-arg VITE_API_BASE_URL=/api -f deploy/docker/frontend.Dockerfile -t taskdeck-web:${{ steps.resolve-tag.outputs.tag }} .
+
+      - name: Verify compose configuration
+        run: |
+          TASKDECK_JWT_SECRET=ci-staging-gate-secret \
+          docker compose -f deploy/docker-compose.yml --profile baseline config > /dev/null
+
+      - name: Write Phase 1 summary
+        run: |
+          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
+          ## Phase 1: Build Verification -- PASSED
+
+          - **Image tag**: \`${{ steps.resolve-tag.outputs.tag }}\`
+          - Backend: restore + build (Release) passed
+          - Frontend: npm ci + vite build passed
+          - Container images: built successfully
+          - Compose config: validated
+          EOF
+
+  # -----------------------------------------------------------------------
+  # Phase 2: Staging Smoke Tests
+  # -----------------------------------------------------------------------
+  staging-smoke:
+    name: "Phase 2: Staging Smoke Tests"
+    needs: build-verification
+    if: ${{ !inputs.skip_smoke }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Build container images
+        run: |
+          docker build -f deploy/docker/backend.Dockerfile -t taskdeck-api:local .
+          docker build --build-arg VITE_API_BASE_URL=/api -f deploy/docker/frontend.Dockerfile -t taskdeck-web:local .
+
+      - name: Start stack
+        run: |
+          TASKDECK_JWT_SECRET=ci-staging-smoke-secret \
+          docker compose -f deploy/docker-compose.yml --profile baseline up -d
+
+      - name: Wait for services to be ready
+        run: |
+          echo "Waiting for services to start..."
+          for attempt in $(seq 1 30); do
+            if curl -sf http://localhost:8080/health/ready > /dev/null 2>&1; then
+              echo "Services ready after $((attempt * 5)) seconds"
+              break
+            fi
+            if [[ "$attempt" -eq 30 ]]; then
+              echo "Services failed to start within 150 seconds" >&2
+              docker compose -f deploy/docker-compose.yml --profile baseline logs
+              exit 1
+            fi
+            sleep 5
+          done
+
+      - name: Run smoke tests
+        run: |
+          bash scripts/deploy/smoke-test.sh http://localhost:8080
+
+      - name: Collect logs on failure
+        if: failure()
+        run: |
+          echo "--- Container status ---"
+          docker compose -f deploy/docker-compose.yml --profile baseline ps
+          echo ""
+          echo "--- Container logs ---"
+          docker compose -f deploy/docker-compose.yml --profile baseline logs --tail=100
+
+      - name: Stop stack
+        if: always()
+        run: |
+          docker compose -f deploy/docker-compose.yml --profile baseline down -v
+
+      - name: Write Phase 2 summary
+        run: |
+          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
+          ## Phase 2: Staging Smoke Tests -- PASSED
+
+          - **Image tag**: \`${{ needs.build-verification.outputs.image_tag }}\`
+          - All S1-S9 smoke checks passed
+          - Stack started, verified, and cleaned up
+          EOF
+
+  # -----------------------------------------------------------------------
+  # Production Promotion Gate (manual approval)
+  # -----------------------------------------------------------------------
+  promotion-gate:
+    name: "Phase 3: Production Promotion Gate"
+    needs: [build-verification, staging-smoke]
+    if: always() && needs.build-verification.result == 'success' && (needs.staging-smoke.result == 'success' || needs.staging-smoke.result == 'skipped')
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - name: Promotion approved
+        run: |
+          cat <<EOF >> "$GITHUB_STEP_SUMMARY"
+          ## Phase 3: Production Promotion Gate -- APPROVED
+
+          - **Image tag**: \`${{ needs.build-verification.outputs.image_tag }}\`
+          - Build verification: passed
+          - Staging smoke: ${{ needs.staging-smoke.result }}
+          - Manual approval: granted
+          - **Next step**: Execute Phase 3 (canary deployment) and Phase 4 (promotion) per \`docs/ops/DEPLOYMENT_WORKFLOW.md\`
+          EOF
+          echo "Production promotion approved for tag: ${{ needs.build-verification.outputs.image_tag }}"
+          echo "Follow the deployment workflow in docs/ops/DEPLOYMENT_WORKFLOW.md for Phases 3-4."
@@ -107,6 +107,16 @@ jobs:
       dotnet-version: 8.0.x
       node-version: 24.13.1
 
+  visual-regression:
+    name: Visual Regression
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && (contains(github.event.pull_request.labels.*.name, 'testing') || contains(github.event.pull_request.labels.*.name, 'visual')))
+    needs:
+      - backend-solution
+    uses: ./.github/workflows/reusable-visual-regression.yml
+    with:
+      dotnet-version: 8.0.x
+      node-version: 24.13.1
+
   load-concurrency-harness:
     name: Load and Concurrency Harness
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'testing'))
@@ -119,3 +129,10 @@ jobs:
       k6-vus: "20"
       k6-duration: "90s"
       k6-user-pool: "6"
+
+  container-integration:
+    name: Container Integration (Testcontainers)
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'testing'))
+    uses: ./.github/workflows/reusable-container-integration.yml
+    with:
+      dotnet-version: 8.0.x
@@ -21,7 +21,8 @@
 #     ├── reusable-backend-solution.yml (label: testing)
 #     ├── reusable-e2e-smoke.yml (label: testing)
 #     ├── reusable-demo-director-smoke.yml (label: automation)
-#     └── reusable-load-concurrency-harness.yml (label: testing)
+#     ├── reusable-load-concurrency-harness.yml (label: testing)
+#     └── reusable-container-integration.yml (label: testing) — Testcontainers PostgreSQL
 #
 #   ci-nightly.yml           scheduled regression (03:25 UTC daily)
 #     ├── reusable-openapi-guardrail.yml
 
@@ -0,0 +1,120 @@
+# =============================================================================
+# Mutation Testing — manual/nightly lane for mutation score tracking.
+# NOT a PR gate. Runs on manual dispatch and weekly schedule.
+# Reports uploaded as artifacts for triage, not enforcement.
+# =============================================================================
+
+name: Mutation Testing
+
+on:
+  schedule:
+    # Weekly on Sunday at 04:00 UTC — avoids overlap with nightly CI at 03:25.
+    - cron: '0 4 * * 0'
+  workflow_dispatch:
+    inputs:
+      backend_only:
+        description: 'Run backend mutation testing only'
+        required: false
+        type: boolean
+        default: false
+      frontend_only:
+        description: 'Run frontend mutation testing only'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  backend-mutation:
+    name: Backend Mutation (Stryker.NET)
+    if: ${{ !inputs.frontend_only }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Install Stryker.NET
+        run: dotnet tool install --global dotnet-stryker
+
+      - name: Restore solution
+        run: dotnet restore backend/Taskdeck.sln
+
+      - name: Run Stryker.NET
+        working-directory: backend
+        run: dotnet stryker --config-file stryker-config.json
+
+      - name: Upload Stryker report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: stryker-net-report
+          path: backend/StrykerOutput/**/reports/
+          retention-days: 30
+
+  frontend-mutation:
+    name: Frontend Mutation (Stryker JS)
+    if: ${{ !inputs.backend_only }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24.13.1
+          cache: npm
+          cache-dependency-path: frontend/taskdeck-web/package-lock.json
+
+      - name: Install dependencies
+        working-directory: frontend/taskdeck-web
+        run: npm ci
+
+      - name: Run Stryker
+        working-directory: frontend/taskdeck-web
+        run: npx stryker run
+
+      - name: Upload Stryker report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: stryker-js-report
+          path: frontend/taskdeck-web/reports/
+          retention-days: 30
+
+  summary:
+    name: Mutation Testing Summary
+    if: always()
+    needs: [backend-mutation, frontend-mutation]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Report status
+        env:
+          BACKEND_RESULT: ${{ needs.backend-mutation.result || 'skipped' }}
+          FRONTEND_RESULT: ${{ needs.frontend-mutation.result || 'skipped' }}
+        run: |
+          {
+            echo "## Mutation Testing Results"
+            echo ""
+            echo "| Lane | Status |"
+            echo "|------|--------|"
+            echo "| Backend (Stryker.NET) | ${BACKEND_RESULT} |"
+            echo "| Frontend (Stryker JS) | ${FRONTEND_RESULT} |"
+            echo ""
+            echo "Download HTML/JSON reports from the **Artifacts** section above."
+            echo ""
+            echo "See [Mutation Testing Policy](docs/testing/MUTATION_TESTING_POLICY.md) for threshold strategy and triage guidance."
+          } >> "$GITHUB_STEP_SUMMARY"