Milestones & Deliverables

CI/CD Multi-Group Implementation Plan

Key Milestones

M1

Discovery Complete

Current state inventoried, threats identified, architecture designed

Deliverables

Current-state infrastructure map
Threat + mitigations checklist
Architecture decision document

M2

Foundation Validated

Shared skills deployed, admin runner configured, workflow verified

Deliverables

/opt/shared/claude-skills/ directory (755, root:docker)
Updated config.toml with volume mounts
Administrator symlinks configured
Skeleton CI pipeline running
Admin workflow validation report

M3

Core Components Ready

Pipeline library, Keycloak, tokens, and JWT extraction implemented

Deliverables

administrators/cicd/ with include:rules pattern
groups/administrators.yml (blocking security)
groups/developers.yml (advisory security)
Keycloak client with groups mapper
GITLAB_TOKEN_ADMIN & GITLAB_TOKEN_DEV
lib/auth.ts with extractGroup()

M4

Integration Complete

Dashboard integrated, pipeline tested, secrets audited

Deliverables

lib/gitlab.ts with per-group client factory
GroupSwitcher component
Pipeline test report (administrators)
Labels replicated to developers group
Secrets audit confirmation

M5

Developer Environment Live

Dev runner registered, dashboard deployed, user bootstrapped

Deliverables

dev-runner registered with developers tags
Dashboard at cicd-dashboard.ai-servicers.com
websurfinmurf environment configured
developers/test-project with CI

M6

Validation Complete

All isolation tests passed, CI pipeline finalized

Deliverables

Dashboard isolation test report
Runner isolation test report
Pipeline config selection test report
Failure isolation test report
Complete .gitlab-ci.yml for cicd project

Risk Register

Risk	Impact	Probability	Mitigation
JWT missing groups claim	High	Medium	Fallback to roles; test in Task 2.2
Runner picks wrong jobs	High	Low	Tags + protected refs + locked runners
Dashboard auth failures	Medium	Medium	Defensive JWT extraction (null checks)
Shared skills break on update	Medium	Low	Git version control
Keycloak mapper misconfiguration	Medium	Medium	Verify token before Task 2.4
GitLab token exposure	High	Low	Per-group tokens; rotate regularly
Volume mount path mismatch	Medium	Low	Validate path exists in Task 1.1

Review Feedback Incorporated

From Gemini

Phase 0 restructured: Inventory sequential first, then parallel
Phase 1 parallelism: Tasks 1.2, 1.3, 1.4 now parallel after 1.1
Task 2.4 dependency on 2.2 added
Agent redistribution: Security for 4.1, QA for 4.4

From Codex

Defensive JWT extraction with null checks
Keycloak→JWT explicit dependency
Volume mount path validation in Task 1.1
Early CI pipeline (Task 1.4) for dogfooding

Back to Plan Overview Solution Details