From eb457faa9bcfdfa4a831174a9a9be6084af69dac Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 11 Mar 2026 21:10:20 +0000 Subject: [PATCH] Review fixes: parameterize DBAL base image, report seed errors, update pipeline docs - DBAL Dockerfile: Add ARG BASE_REGISTRY=metabuilder so CI can override the FROM image path to ghcr.io/... (was hardcoded metabuilder/base-apt) - Setup route: Return HTTP 207 + success:false when seed errors occur instead of always returning 200/true - Pipeline: Update comments/diagram to reflect Gate 7 running after Gate 1 (not after Gate 6), add dbal + dbal-init to Trivy scan matrix https://claude.ai/code/session_01ChKf8wbKQLBcNbBCtqCwT6 --- .github/workflows/gated-pipeline.yml | 22 ++++++++++--------- dbal/production/build-config/Dockerfile | 6 +++-- .../workflowui/src/app/api/setup/route.ts | 7 +++--- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/.github/workflows/gated-pipeline.yml b/.github/workflows/gated-pipeline.yml index 7e16eb6f0..267731640 100644 --- a/.github/workflows/gated-pipeline.yml +++ b/.github/workflows/gated-pipeline.yml @@ -71,12 +71,12 @@ permissions: # # Sequential Gates (fan-out/fan-in): # Gate 1: Code Quality (DBAL schemas, typecheck, lint, security) -# Gate 2: Testing (unit with coverage, E2E, DBAL daemon) +# Gate 7: Container Build & Push to GHCR (after Gate 1, before testing) +# Gate 2: Testing (unit with coverage, E2E with prod images, DBAL daemon) # Gate 3: Build & Package # Gate 4: Development Assistance (PR only) # Gate 5: Staging Deployment (main branch push) # Gate 6: Production Deployment (release or manual with approval) -# Gate 7: Container Build & Push (push/tag/dispatch, not PRs) # ════════════════════════════════════════════════════════════════════════════════ jobs: 
@@ -1304,7 +1304,7 @@ jobs: }); # ============================================================================ - # GATE 7: Container Build & Push (push/tag/dispatch only, not PRs) + # GATE 7: Container Build & Push to GHCR (after Gate 1, before testing) # ════════════════════════════════════════════════════════════════════════════ # Tiered base images respecting the dependency DAG: # Tier 1 (independent): base-apt, base-node-deps, base-pip-deps @@ -1626,6 +1626,8 @@ jobs: - postgres-dashboard - workflowui - exploded-diagrams + - dbal + - dbal-init steps: - name: Log in to GitHub Container Registry uses: docker/login-action@v4 @@ -1789,7 +1791,13 @@ jobs: summary += ' 1.1 DBAL Schemas 1.2 TypeScript 1.3 Lint\n'; summary += ' 1.4 Security 1.5 File Size 1.6 Complexity 1.7 Stubs\n'; summary += ' |\n'; - summary += 'Gate 2: Testing (3 steps)\n'; + summary += 'Gate 7: Containers (after Gate 1)\n'; + summary += ' T1: base-apt, node-deps, pip-deps\n'; + summary += ' T2: conan-deps, android-sdk\n'; + summary += ' T3: devcontainer\n'; + summary += ' Apps: 9 images (incl. dbal, dbal-init) -> GHCR\n'; + summary += ' |\n'; + summary += 'Gate 2: Testing (3 steps, pulls prod images)\n'; summary += ' 2.1 Unit Tests (+ coverage) 2.2 E2E 2.3 DBAL\n'; summary += ' |\n'; summary += 'Gate 3: Build (2 steps)\n'; @@ -1800,12 +1808,6 @@ jobs: summary += 'Gate 5: Staging (main push)\n'; summary += ' |\n'; summary += 'Gate 6: Production (release/manual)\n'; - summary += ' |\n'; - summary += 'Gate 7: Containers (push/tag/dispatch)\n'; - summary += ' T1: base-apt, node-deps, pip-deps\n'; - summary += ' T2: conan-deps, android-sdk\n'; - summary += ' T3: devcontainer\n'; - summary += ' Apps: 7 images -> Trivy scan -> Multi-arch manifests\n'; summary += '```\n\n'; console.log(summary); diff --git a/dbal/production/build-config/Dockerfile b/dbal/production/build-config/Dockerfile index 41a9d9de2..2335b9834 100644 --- a/dbal/production/build-config/Dockerfile 
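Review bot: The rewritten summary line in the `@@ -1789` hunk, `Apps: 9 images (incl. dbal, dbal-init) -> GHCR`, drops the `Trivy scan` stage that the old Gate 7 line showed, even though the `@@ -1626` hunk in this same commit extends the scan matrix with `dbal` and `dbal-init`. With Gate 7 now documented as running before Gate 2, and Gate 2 pulling the pushed images, the diagram should say whether the scan happens before or after those images are consumed. The job ordering itself is outside these hunks, so that needs checking against the `needs:` chain. If the scan still follows the push, I would keep it visible, e.g. `summary += ' Apps: 9 images (incl. dbal, dbal-init) -> GHCR -> Trivy scan\n';`.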
+++ b/dbal/production/build-config/Dockerfile @@ -5,7 +5,8 @@ ARG BUILD_TYPE=Release # ── Build stage ────────────────────────────────────────────────────────────── -FROM metabuilder/base-apt:latest AS builder +ARG BASE_REGISTRY=metabuilder +FROM ${BASE_REGISTRY}/base-apt:latest AS builder ARG BUILD_TYPE @@ -56,7 +57,8 @@ RUN cd /dbal/build \ && strip dbal_daemon # ── Runtime stage ──────────────────────────────────────────────────────────── -FROM metabuilder/base-apt:latest +ARG BASE_REGISTRY=metabuilder +FROM ${BASE_REGISTRY}/base-apt:latest WORKDIR /app diff --git a/frontends/workflowui/src/app/api/setup/route.ts b/frontends/workflowui/src/app/api/setup/route.ts index b7e14d133..1cea84cd0 100644 --- a/frontends/workflowui/src/app/api/setup/route.ts +++ b/frontends/workflowui/src/app/api/setup/route.ts @@ -95,9 +95,10 @@ export async function POST() { console.warn(`[Seed] Complete: ${results.packages} packages, ${results.pages} pages, ${results.skipped} skipped, ${results.errors} errors`) + const status = results.errors > 0 ? 207 : 200 return NextResponse.json({ - success: true, - message: 'Database seeded successfully', + success: results.errors === 0, + message: results.errors > 0 ? `Seeded with ${results.errors} error(s)` : 'Database seeded successfully', results, - }) + }, { status }) }
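Review bot: Both new `FROM ${BASE_REGISTRY}/base-apt:latest` lines keep the mutable `latest` tag, and the default `BASE_REGISTRY=metabuilder` leaves the reference unqualified, so a builder with no local `metabuilder/base-apt` image will try to resolve it from the default registry rather than from the project's GHCR namespace. Since the registry is now a parameter, I would make the tag one too, `ARG BASE_TAG=latest` and `FROM ${BASE_REGISTRY}/base-apt:${BASE_TAG} AS builder`, so CI can pass the exact tag it just pushed. The second `ARG BASE_REGISTRY=metabuilder` before the runtime `FROM` sits inside the builder stage. As far as I know `FROM` only expands ARGs declared before the first `FROM`, so that line looks redundant and could become a comment pointing at the global declaration. The tag point applies to both Dockerfile hunks.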
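Review bot: `const status = results.errors > 0 ? 207 : 200` still answers with a 2xx code when every item failed, so a caller that checks only `response.ok` will treat a completely failed seed as success. I would reserve 207 for partial results and return 500 when nothing was seeded, e.g. `const status = results.errors === 0 ? 200 : results.packages + results.pages > 0 ? 207 : 500`. The body of `POST()` starts outside this hunk, so I cannot tell what `results` carries beyond the four counters logged here. If it includes per-item error text, confirm that nothing internal (paths, connection details) is returned to the client.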