feat: containerize monolith (Phase 1) and add decomposition plan

[devin-ai-integration]

Summary

Implements Phase 1 of the microservice decomposition strategy: containerize the monolith as-is, and document the full decomposition plan.

Task 1 — Decomposition Plan (docs/DECOMPOSITION_PLAN.md)

• Current monolith architecture overview (single ApplicationDbContext, 5 business services)
• 4 identified bounded contexts: Identity & Auth, Customer, Product Catalog, Order
• Key coupling points to break (shared DbContext, FK relationships, monolithic seeder, embedded auth)
• 6-phase decomposition roadmap (Containerize → Extract Identity → Customer → Product Catalog → Order → Frontend)
• AWS EKS infrastructure recommendations (ECR, RDS, Secrets Manager, App Mesh, ALB, SNS/SQS, CloudWatch)
• Inter-service communication patterns (sync REST/gRPC for queries, async SNS/SQS for domain events)

Task 2 — Containerization

• Dockerfile — Multi-stage build: Node 22 (Angular build) → .NET 10 SDK (restore + publish) → ASP.NET 10 runtime on port 8080
• .dockerignore — Excludes bin, obj, node_modules, .angular, dist, .git, docs, etc.
• docker-compose.yml — SQL Server 2022 + web app services with health checks and volume persistence
• k8s/ — Kubernetes manifests for EKS deployment:
  • namespace.yaml — quickapp namespace
  • deployment.yaml — 2 replicas, readiness/liveness probes, resource limits (256-512Mi, 250-500m CPU)
  • service.yaml — ClusterIP on port 8080
  • ingress.yaml — ALB Ingress with internet-facing scheme and IP target type
  • configmap.yaml — ASPNETCORE_ENVIRONMENT=Production
  • secret.yaml — Placeholder DB connection string + OIDC certificate config (with External Secrets Operator guidance)
• appsettings.Production.json — Placeholder connection string + OIDC certificate config, overridden by env vars in K8s
• README.md — Updated with Docker Compose usage, ECR push, EKS deploy instructions, and link to decomposition plan

Review & Testing Checklist for Human

• Verify Dockerfile builds successfully: docker build -t quickapp .
• Verify docker compose up --build starts both SQL Server and web app, and the app is accessible at http://localhost:8080
• Review docs/DECOMPOSITION_PLAN.md for accuracy against the actual codebase structure
• Verify k8s manifests are valid: kubectl apply --dry-run=client -f k8s/
• Confirm appsettings.Production.json and k8s/secret.yaml placeholder values are not real credentials

Notes

• The Dockerfile uses mcr.microsoft.com/dotnet/sdk:10.0-preview and mcr.microsoft.com/dotnet/aspnet:10.0-preview since .NET 10 is currently in preview. Update to GA images when .NET 10 ships.
• The k8s/deployment.yaml image reference uses <AWS_ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/quickapp:latest as a placeholder — must be updated before deployment.
• The k8s/secret.yaml includes OIDC certificate placeholders (OIDC__Certificates__Path, OIDC__Certificates__Password) required for multi-replica deployments where ephemeral keys would break cross-pod token validation.
• Production deployments should use AWS Secrets Manager + External Secrets Operator instead of plain Kubernetes Secrets.

Link to Devin session: https://partner-workshops.devinenterprise.com/sessions/6d31ebce878b4a0bbc09c64a15fbb4ce
Requested by: @bsmitches

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

Devin Review found 1 potential issue.

View 5 additional findings in Devin Review.

[devin-ai-integration]

🔴 OIDC certificate path in secret.yaml will crash app at startup — no volume mount in deployment.yaml

The k8s/secret.yaml sets OIDC__Certificates__Path to the non-empty value /app/certs/oidc.pfx, which is injected into pods via envFrom: secretRef in k8s/deployment.yaml:28-29. With ASPNETCORE_ENVIRONMENT=Production (from configmap), the code at QuickApp.Server/Program.cs:113-125 reads this non-empty path, skips the ephemeral-key fallback at line 116, and calls X509CertificateLoader.LoadPkcs12FromFile("/app/certs/oidc.pfx", ...) at line 125. However, deployment.yaml has no volumes or volumeMounts to make any certificate file available at /app/certs/, so this call throws a FileNotFoundException and crashes the application at startup. Unlike other placeholders in the secret (e.g. <RDS_ENDPOINT>) which use obvious <PLACEHOLDER> syntax, this path looks like a real, ready-to-use value, making the issue non-obvious. The fix is either to default OIDC__Certificates__Path to an empty string (so the app falls back to ephemeral keys at Program.cs:120-121), or to add the corresponding volume/volumeMount configuration in deployment.yaml.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Addressed in 01bbae2 — added OIDC certificate placeholders to k8s/secret.yaml (OIDC__Certificates__Path and OIDC__Certificates__Password) and documented the requirement in appsettings.Production.json.