
FLX-ENG-RFC-002 — Week 1 · Access, Orientation & CodePulse Procurement

| Field | Value |
|-------|-------|
| RFC ID | FLX-ENG-RFC-002 |
| Status | Active — Week 1 (2026-06-29 → 2026-07-05) |
| Author | Arun Singh, Senior Distinguished Engineer / Architect (Consulting) |
| Reviewers | Raja Choudhary (Founder), Rahul (Eng Lead), Shrikant |
| Scope | DMS + mSORT Dashboard repository access, documentation handover, CodePulse SaaS procurement |
| Parent Epic | GitHub Issue #1 — [EPIC] Week 1 · Access, Orientation & CodePulse Procurement |
| Milestone | MS#1 — due 2026-07-05 |
| Priority | P1-HIGH |
| Related Issues | #9, #10, #11, #12, #13, #14, #15, #16 |

TL;DR

Establish the access baseline, perform an initial read-through of the DMS codebase, procure and configure CodePulse SaaS, and run first-pass objective scans — all within Week 1. The output is a scan report and active CodePulse data collection that feeds Week 2 DORA baseline work.


0. Execution Packet for 2-Day Delivery

Branch and Workspace

Use the D: drive workspace to avoid duplicating earlier local setup:

git clone https://github.com/Flexli-Technologies/dms_ci_cd_test.git D:\work\repos\dms_ci_cd_test
git -C D:\work\repos\dms_ci_cd_test switch -c docs/epic-1-rfc-specs
git -C D:\work\repos\dms_ci_cd_test pull --ff-only origin main

Current verified state on 2026-06-24:

  • The active checkout should live on D: for this docs/RFC PR.
  • D:\Distribution-Management-Server already exists and can be reused for DMS orientation/scans after git status and git remote -v checks.
  • An older C: checkout exists as prior context, but should not be the active workspace because this RFC work is expected to run on D:.
  • No arunsingh/dms_ci_cd_test fork was visible through the GitHub connector; use the Flexli org branch unless a maintainer asks for a personal fork workflow.

Open execution gaps filed from this planning pass:

  • #66 - confirm canonical mSORT Dashboard repository and access path.
  • #67 - provide CodePulse payment and password-manager access.
  • #68 - confirm Project #15 update mechanism for contributor workflow.

Child Specs

| Story | Spec |
|-------|------|
| EPIC-1 | This RFC |
| US-1.1 | Repository Access Verification |
| US-1.2 | Flexli Documentation Folder Access |
| US-1.3 | Manual DMS Orientation |
| US-1.4 | Branching and Release Discipline Sync |
| US-1.5 | Initial Scan Report |
| US-1.6 | CodePulse Procurement |
| US-1.7 | CodePulse Rules and Exclusions |
| US-1.8 | First-Pass Objective Scans |

Contribution Rules

This engagement follows a Rust-lang-style contribution discipline adapted for Flexli:

  • Small, issue-linked PRs; avoid mixed cleanup and feature work.
  • Every docs or code change must state problem, approach, tests, and rollback.
  • Review comments get short, human replies; explain the change, not the ego.
  • Public docs describe what users need; git history and PR body explain why.
  • Inline comments explain only non-obvious decisions.
  • Release engineering changes require branch, CI, rollback, and owner evidence.
  • RFC changes must be reviewable as text and renderable through MkDocs.

Preferred 2-Day Order

Day 1:

  1. US-1.1 access verification.
  2. US-1.2 docs access and MkDocs build.
  3. US-1.3 manual orientation.
  4. US-1.4 release sync or async questionnaire.
  5. Start US-1.6 CodePulse procurement if credentials and billing are ready.

Day 2:

  1. US-1.7 configure CodePulse rules if US-1.6 is complete.
  2. US-1.8 run scans and capture summary.
  3. US-1.5 publish initial scan report.
  4. Open gap issues for blockers or P0/P1 findings.
  5. Open the PR and link #1, #9-#16.

PR Body Template

## Summary
- Adds EPIC-1 execution specs for #1 and US-1.1 through US-1.8 (#9-#16).
- Documents D: workspace reuse, branch commands, setup, scan gates, stop rules, and Mac handoff.
- Links child specs from MkDocs/RFC navigation.

## Evidence
- Remote pull: `git pull --ff-only origin main`
- Docs build: `mkdocs build --strict`
- Source workspace: D: checkout for `dms_ci_cd_test`

## Acceptance
- [ ] EPIC-1 parent spec updated
- [ ] US-1.1 through US-1.8 have separate specs
- [ ] MkDocs navigation updated
- [ ] Gaps filed as issues
- [ ] Project #15 card/issue notes updated where permissions allow

Closes/Refs: #1, #9, #10, #11, #12, #13, #14, #15, #16
Related gaps: #66, #67, #68

Stop Rules

Stop and file a gap issue when:

  • GitHub repo access returns 403/404 after login is confirmed.
  • mSORT Dashboard exact repo name is not confirmed.
  • CodePulse credentials are not available from password manager.
  • CodePulse OAuth requests broader org permissions than approved.
  • Scans reveal secrets, private keys, auth bypass, or critical/high SAST findings.
  • MkDocs cannot build after nav changes.
  • Project #15 cannot be updated with available GitHub permissions.

1. Problem

The consulting engagement cannot measure, baseline, or recommend without:

  1. Read access to the source repositories
  2. An understanding of the current repo structure and CI state
  3. An active DORA data collector (CodePulse) with at least 7 days of passive data before the Week 3 analysis

Without completing Week 1 in full, all downstream work (DORA baseline, defect catalog, CI gates, final report) is delayed.


2. Scope

In scope:

  • Repository access for DMS and mSORT Dashboard
  • Documentation folder inheritance (DEVELOPER_SETUP.md, RUNBOOK.md, RFCs, ADRs)
  • DMS codebase read-through for initial orientation
  • Sync with Rahul, Tushar, Shrikant on branching, releases, and known gaps
  • Initial scan report covering repo structure, CI state, and obvious gaps
  • CodePulse SaaS procurement ($149/month via shared flexly account)
  • CodePulse deployment rules and excluded-PR filter configuration
  • First-pass objective scans (build gate, SAST, CVE, secret scan)

Out of scope:

  • DORA metric collection (Week 2)
  • Defect catalog (Week 3)
  • Any code changes or fixes to DMS


3. Step-by-Step Tasks

Task 1 · US-1.1 — Confirm Repository Access (GitHub Issue #9)

Priority: P1 | Effort: 0.25 hr | Owner: Arun Singh

  1. Verify Arun Singh has been added as a collaborator (read access minimum) to:
     • Flexli-Technologies/dms_ci_cd_test (Distribution Management Server)
     • Flexli-Technologies/mSORT-Dashboard (or equivalent mSORT repo)
  2. Clone both repos locally: git clone https://github.com/Flexli-Technologies/dms_ci_cd_test.git
  3. Confirm git log --oneline -10 works on both repos (no auth errors)
  4. Confirm the GitHub Actions tab is visible (read access to CI logs)
  5. Exit signal: Both repos cloned, last 10 commits visible, no 403 errors

Task 2 · US-1.2 — Inherit Flexli Documentation Folder Access (GitHub Issue #10)

Priority: P2 | Effort: 0.25 hr | Owner: Arun Singh

  1. Confirm access to the shared docs/ folder structure in dms_ci_cd_test:
     • docs/developer-guide/DEVELOPER_SETUP.md
     • docs/runbooks/
     • docs/rfcs/ (this RFC series)
     • docs/architecture/
  2. Confirm the MkDocs site is accessible (Cloudflare Pages URL or local mkdocs serve)
  3. Verify all markdown files render correctly in the docs site
  4. If any doc links are broken: log as a P3 issue, do not block Week 1 progress
  5. Exit signal: Can read and navigate all documentation files; MkDocs site renders

Task 3 · US-1.3 — Manual DMS Read-Through for Initial Orientation (GitHub Issue #11)

Priority: P1 | Effort: 2 hrs | Owner: Arun Singh

Step-by-step read path:

  1. Read README.md and DEVELOPER_SETUP.md → understand prerequisites and local setup
  2. Read docs/architecture/ → understand the layered architecture (Core + Meesho layers)
  3. Open src/distribution-management-server-layered/ → map the directory structure:
     • Core/Controller/ → API surface (InfeedController, etc.)
     • Core/Service/ → business logic layer
     • Core/Persistence/ → DB access + EF migrations
     • Meesho/ → tenant-specific implementation
  4. Open Program.cs → map DI registrations, middleware pipeline, startup sequence
  5. Open docker-compose.yml → understand dev environment topology
  6. Open Core/Controller/InfeedController.cs → understand primary API endpoint patterns
  7. Identify and note:
     • Missing XML doc comments on public interfaces
     • Any TODO: or FIXME: comments
     • Obvious missing try/catch blocks at API boundaries
     • Missing HTTP error response standardisation
  8. Produce a 1-page orientation summary (committed to docs/developer-guide/orientation-notes.md)
  9. Exit signal: Orientation notes committed; can explain DMS data flow in 5 minutes
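A small helper for step 7 of this read path, added here as an example and not part of DMS or this RFC's tooling: it flags TODO:/FIXME: markers and public interfaces (or interface members) that have no /// XML doc comment. The C# sample is constructed, and the interface/member regexes are assumptions about the code style, so treat the output as a starting list for the orientation notes, not a complete audit.

```python
"""Task 3 orientation helper: TODO:/FIXME: markers and public interfaces lacking /// docs.
Added example, not DMS code; the C# sample below is constructed."""
import re

TODO_RE = re.compile(r"\b(?:TODO|FIXME):")
IFACE_RE = re.compile(r"^(?:public|internal)\s+(?:partial\s+)?interface\s+(\w+)")
# interface members: method signatures ending in ');' or properties ending in '{ get; ... }'
MEMBER_RE = re.compile(r"^[\w<>\[\],.? ]+\s+\w+\s*(?:\(.*\)\s*;|\{\s*get;.*\})$")

def scan_source(text: str, path: str = "<inline>") -> dict:
    """Return {'todos': [(path, line, text)], 'undocumented': [(path, line, member)]}."""
    todos, undocumented, iface, depth, prev_doc = [], [], None, 0, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if TODO_RE.search(line):
            todos.append((path, lineno, line))
        if line.startswith("///"):
            prev_doc = True  # a doc comment directly precedes the next declaration
            continue
        if line and not line.startswith("["):  # attributes keep the doc/declaration link
            m = IFACE_RE.match(line)
            if m:
                iface, depth = m.group(1), 0
                if not prev_doc:
                    undocumented.append((path, lineno, iface))
            elif iface and MEMBER_RE.match(line) and not prev_doc:
                undocumented.append((path, lineno, f"{iface}.{line}"))
            prev_doc = False
        if iface:  # follow the interface body; drop out at its closing brace
            depth += line.count("{") - line.count("}")
            if depth == 0 and "}" in line:
                iface = None
    return {"todos": todos, "undocumented": undocumented}

# Constructed sample in the style of the Core/Service layer; not taken from the DMS repository.
SAMPLE_CS = """/// <summary>Ingests infeed events.</summary>
public interface IInfeedService
{
    /// <summary>Handles one infeed payload.</summary>
    Task<InfeedResult> HandleAsync(InfeedRequest request);
    // TODO: add cancellation token support
    bool IsHealthy { get; }
}
public interface IRetryPolicy
{
    int MaxAttempts { get; }
}
"""
```

Point scan_source at each .cs file under src/distribution-management-server-layered/ (for example via pathlib.Path(root).rglob("*.cs")) to collect the list for the orientation notes.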


Task 4 · US-1.4 — 15-min Sync with Rahul, Tushar & Shrikant (GitHub Issue #12)

Priority: P1 | Effort: 0.25 hr | Owner: Arun Singh (facilitator)

Meeting agenda:

  1. (2 min) Introductions + engagement scope recap — what we are measuring and why
  2. (5 min) Rahul: current branching model — how PRs flow from feature → dev → prod
  3. (3 min) Tushar: current CI/CD state — what runs automatically vs. manually
  4. (3 min) Shrikant: known code-quality gaps — what areas they'd flag for review
  5. (2 min) Confirm CodePulse access will be shared with the team + agree on excluded PRs

Action items from meeting:

  • Document answers to: What is the current deploy frequency? Last failed deploy and RCA? Any active P0 incidents?
  • Capture the list of PRs that should be excluded from DORA measurement (infra-only, docs, etc.)
  • Confirm team availability for the Week 2 pair session (US-2.2)
  • Exit signal: Notes committed to docs/developer-guide/week1-sync-notes.md


Task 5 · US-1.5 — Initial Scan Report (GitHub Issue #13)

Priority: P1 | Effort: 1.5 hrs | Owner: Arun Singh

Report content (template):

# DMS Initial Scan Report — Week 1
Date: YYYY-MM-DD
Author: Arun Singh

## Repository Structure
- Source: src/distribution-management-server-layered/
- Test: DistributionServerUnitTest/
- Migrations: N EF migrations (latest: YYYYMMDD_*)
- Documentation: docs/ (MkDocs Material)

## CI/CD State
- Current CI: [yes/no] — describe what runs
- Branch protection: [enabled/disabled on main]
- Secret scanning: [enabled/disabled]
- CodeQL: [enabled/disabled]

## Initial Findings (pre-scan observations)
| Finding | Severity | Area |
|---------|----------|------|
| [item] | P0/P1/P2 | [module] |

## First-pass Scans
| Tool | Finding Count | Critical | High |
|------|--------------|----------|------|
| dotnet build | errors | - | - |
| gitleaks | secrets | - | - |
| Semgrep | SAST issues | - | - |
| Trivy | CVEs | - | - |

Steps:

  1. Run dotnet build → capture output
  2. Run gitleaks detect --source . → capture finding count
  3. Run semgrep --config auto src/ → capture critical/high count
  4. Run trivy fs . → capture CVE summary
  5. Fill the template above with actual numbers
  6. Commit the report to docs/developer-guide/week1-scan-report.md
  7. Exit signal: Report committed and linked from this issue


Task 6 · US-1.6 — Procure CodePulse SaaS (GitHub Issue #14)

Priority: P0 | Effort: 0.5 hr | Owner: Raja (payment approval) + Arun (setup)

Steps:

  1. Raja approves $149/month spend (within ₹20–30k operational budget)
  2. Navigate to app.codepulse.io (or current signup URL) using the shared flexly account
  3. Click "Connect GitHub" → authorize the CodePulse GitHub App on the Flexli-Technologies org
  4. Select repositories: dms_ci_cd_test, mSORT-Dashboard
  5. Accept the DORA_METRICS_SCOPE permission grant
  6. Verify the CodePulse dashboard shows both repos under "Connected Repositories"
  7. Note the account credentials in the shared password manager (Teampass/1Password/Bitwarden)
  8. Fallback: if CodePulse procurement is delayed, activate the Harness Free tier (zero cost):
     • Create an account at app.harness.io
     • Connect GitHub via "Source Control" → OAuth
     • Enable the DORA module (included in the free tier)
  9. Exit signal: CodePulse (or Harness) dashboard shows at least one repo with PR data flowing


Task 7 · US-1.7 — Configure CodePulse Deployment Rules (GitHub Issue #15)

Priority: P1 | Effort: 0.5 hr | Owner: Arun Singh

Configuration steps:

  1. In the CodePulse dashboard → Settings → Deployment Rules:
     • Deployment trigger: merge to main branch
     • Or: tag matching v*.*.* (if semver tagging exists)
  2. Configure excluded-PR filters (from Task 4 sync notes):
     • PRs with titles starting with docs:, chore:, ci:
     • PRs authored by bots (Dependabot, Renovate)
     • PRs targeting non-main branches
  3. Set "Business Hours" for recovery-time calculation: Mon–Fri 9am–7pm IST
  4. Configure team members: add Rahul, Tushar, Shrikant as contributors
  5. Set DORA metric targets (to be calibrated in Week 3; use elite thresholds for now):
     • Change Lead Time: < 24 hours
     • Deployment Frequency: multiple per week
     • Recovery Time: < 1 hour
     • Change Fail Rate: < 15%
  6. Exit signal: CodePulse shows "Configuration complete" status; at least one deployment event captured


Task 8 · US-1.8 — First-Pass Objective Scans (GitHub Issue #16)

Priority: P1 | Effort: 1 hr | Owner: Arun Singh

Scans to run and capture:

# 1. Build gate
dotnet build src/distribution-management-server-layered/ -c Release 2>&1 | tee /tmp/build-output.txt

# 2. Test
dotnet test DistributionServerUnitTest/ --logger "trx;LogFileName=test-results.trx" 2>&1 | tee /tmp/test-output.txt

# 3. Secret scan
gitleaks detect --source . --report-format json --report-path /tmp/gitleaks-report.json

# 4. SAST
semgrep --config "p/csharp" src/ --json --output /tmp/semgrep-report.json

# 5. CVE scan
trivy fs . --format json --output /tmp/trivy-report.json --severity CRITICAL,HIGH

# 6. Duplication (approximate); jscpd writes jscpd-report.json into the --output directory
jscpd src/ --threshold 5 --reporters json --output /tmp/duplication-report

Outputs:

  • Commit all report files to docs/developer-guide/week1-scans/
  • Create the summary table in docs/developer-guide/week1-scan-report.md (Task 5)
  • Open GitHub issues for any P0 findings (CRITICAL CVEs, high SAST, leaked secrets)
  • Exit signal: All 6 scans completed; results committed; P0 findings triaged
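As an added example (not the RFC's own tooling), this helper turns the gitleaks, Semgrep and Trivy JSON reports written by the commands above into the "First-pass Scans" rows of the Task 5 template and checks the Stop Rules for P0 triggers; because the raw gitleaks report carries the matched secret text, it extracts counts and rule IDs only. The report shapes follow the tools' JSON output as I know them; file names, rule IDs and CVE numbers in the samples are constructed placeholders, and mapping Semgrep ERROR to "high" is an assumption.

```python
"""Task 5 / Task 8 helper: summarise gitleaks, Semgrep and Trivy JSON into the scan-report
table and apply the Stop Rules. Added example, not RFC tooling; samples are constructed."""
import json
from collections import Counter

# Constructed sample reports in the tools' JSON shapes; paths, IDs and counts are made up.
GITLEAKS_SAMPLE = json.loads("""[{"RuleID": "private-key", "File": "src/Core/appsettings.json",
  "StartLine": 12, "Secret": "<placeholder, never printed>"}]""")
SEMGREP_SAMPLE = json.loads("""{"results": [
  {"check_id": "example.csharp.sql-injection", "path": "src/Core/Persistence/Repo.cs",
   "start": {"line": 40}, "extra": {"severity": "ERROR"}},
  {"check_id": "example.csharp.unused-var", "path": "src/Core/Service/Svc.cs",
   "start": {"line": 9}, "extra": {"severity": "WARNING"}}]}""")
TRIVY_SAMPLE = json.loads("""{"Results": [{"Target": "src/Core/Dms.csproj", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-00001", "PkgName": "Example.Pkg", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-00002", "PkgName": "Example.Pkg", "Severity": "HIGH"}]},
  {"Target": "src/Core/Other.csproj"}]}""")

def summarise(gitleaks: list, semgrep: dict, trivy: dict) -> dict:
    """Count findings per tool and list P0 triggers; secret values are never copied out."""
    secrets = len(gitleaks)
    private_keys = sum("private-key" in f.get("RuleID", "").lower() for f in gitleaks)
    # Semgrep severities are ERROR/WARNING/INFO; ERROR is treated as "high" here (assumption).
    sast = Counter(r["extra"]["severity"] for r in semgrep.get("results", []))
    cves = Counter(v["Severity"] for t in trivy.get("Results", [])
                   for v in (t.get("Vulnerabilities") or []))  # key is absent on clean targets
    p0 = []
    if secrets:
        p0.append(f"{secrets} leaked secret(s), {private_keys} private key(s)")
    if sast["ERROR"]:
        p0.append(f"{sast['ERROR']} high SAST finding(s)")
    if cves["CRITICAL"]:
        p0.append(f"{cves['CRITICAL']} CRITICAL CVE(s)")
    return {"secrets": secrets, "private_keys": private_keys, "sast_total": sum(sast.values()),
            "sast_high": sast["ERROR"], "cve_total": sum(cves.values()),
            "cve_critical": cves["CRITICAL"], "cve_high": cves["HIGH"], "p0": p0}

def stop_required(summary: dict) -> bool:
    """Stop Rules: any secret/private key, high SAST or CRITICAL CVE means halt and file a gap issue."""
    return bool(summary["p0"])

def render_table(s: dict) -> str:
    """Fill the 'First-pass Scans' rows of the Task 5 template (the dotnet build row is manual)."""
    rows = [("gitleaks", f"{s['secrets']} secrets", s["secrets"], "-"),
            ("Semgrep", f"{s['sast_total']} SAST issues", "-", s["sast_high"]),
            ("Trivy", f"{s['cve_total']} CVEs", s["cve_critical"], s["cve_high"])]
    head = ["| Tool | Finding Count | Critical | High |", "|------|--------------|----------|------|"]
    return "\n".join(head + [f"| {t} | {n} | {c} | {h} |" for t, n, c, h in rows])
```

Load the three /tmp/*-report.json files with json.load in place of the samples, then paste render_table() output into week1-scan-report.md and file a gap issue whenever stop_required() is true.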


4. Dependencies

| Dependency | Type | Owner | Required for |
|------------|------|-------|--------------|
| Repository access granted by Raja | Inbound | Raja | Task 1, all subsequent |
| appsettings.Development.json not in repo | Policy | Arun | Task 8 (gitignored — use local only) |
| CodePulse budget approval | Inbound | Raja | Task 6 |
| Team availability for sync | Inbound | Rahul | Task 4 |

5. Success Criteria

  • Both DMS and mSORT repos cloned and accessible locally
  • Orientation notes committed and summarising DMS architecture
  • Sync notes with Rahul/Tushar/Shrikant committed
  • Initial scan report committed with actual tool output counts
  • CodePulse active and collecting PR/deployment data
  • First-pass scans (build, test, SAST, CVE, secrets, duplication) run and results committed
  • No P0 findings from scans left without a triaged GitHub issue

6. Risks

| Risk | Likelihood | Mitigation |
|------|------------|------------|
| Access grant delayed (Raja away) | Medium | Engage Rahul as access backup; use public repo docs meanwhile |
| CodePulse signup blocked by billing | Low | Harness Free fallback ready (Task 6 Step 8) |
| .NET 6 SDK deprecation blocks build scan | High | Upgrade to .NET 8 immediately (RFC-PoC-1.1 #53) — P0 prerequisite |
| Secrets found in git history | Low | gitleaks --no-git mode on working tree only; escalate to Raja |