[FA-17] Update auth

- Fix GraphQL authorization attributes to use string[] instead of string for roles
- Remove admin role requirement from ImportNovel endpoint
- Add comprehensive OIDC configuration validation with specific error messages
- Validate Authority, ClientId, and Audience are properly configured
- Ensure HTTPS requirement except for localhost development

Co-authored-by: conco <conco@users.noreply.local>

.gitea/workflows/build-gateway.yml

@@ -3,18 +3,31 @@ name: Build Gateway
 on:
   workflow_dispatch:
   push:
-    branches:
-      - master
-    paths:
-      - 'FictionArchive.API/**'
+    tags:
+      - 'v*.*.*'
 
 env:
   REGISTRY: ${{ gitea.server_url }}
   IMAGE_NAME: ${{ gitea.repository_owner }}/fictionarchive-api
 
 jobs:
-  build-gateway:
+  build-subgraphs:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        service:
+          - name: novel-service
+            project: FictionArchive.Service.NovelService
+            subgraph: Novel
+          - name: translation-service
+            project: FictionArchive.Service.TranslationService
+            subgraph: Translation
+          - name: scheduler-service
+            project: FictionArchive.Service.SchedulerService
+            subgraph: Scheduler
+          - name: user-service
+            project: FictionArchive.Service.UserService
+            subgraph: User
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -27,44 +40,75 @@ jobs:
       - name: Install Fusion CLI
         run: dotnet tool install -g HotChocolate.Fusion.CommandLine
         
+      - name: Add .NET tools to PATH
+        run: echo "$HOME/.dotnet/tools" >> $GITHUB_PATH
+
+      - name: Restore dependencies
+        run: dotnet restore ${{ matrix.service.project }}/${{ matrix.service.project }}.csproj
+
+      - name: Build
+        run: dotnet build ${{ matrix.service.project }}/${{ matrix.service.project }}.csproj -c Release --no-restore
+
+      - name: Export schema
+        run: |
+          dotnet run -c Release --no-launch-profile \
+            --project ${{ matrix.service.project }}/${{ matrix.service.project }}.csproj \
+            -- schema export --output schema.graphql
+
+      - name: Pack subgraph
+        run: fusion subgraph pack -w ${{ matrix.service.project }}
+
+      - name: Upload subgraph package
+        uses: christopherhx/gitea-upload-artifact@v4
+        with:
+          name: ${{ matrix.service.name }}-subgraph
+          path: ${{ matrix.service.project }}/*.fsp
+          retention-days: 30
+
+  build-gateway:
+    runs-on: ubuntu-latest
+    needs: build-subgraphs
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '8.0.x'
+
+      - name: Install Fusion CLI
+        run: dotnet tool install -g HotChocolate.Fusion.CommandLine
+
+      - name: Add .NET tools to PATH
+        run: echo "$HOME/.dotnet/tools" >> $GITHUB_PATH
+
       - name: Create subgraphs directory
         run: mkdir -p subgraphs
 
-      # Download all subgraph packages from latest successful builds
       - name: Download Novel Service subgraph
-        uses: actions/download-artifact@v4
+        uses: christopherhx/gitea-download-artifact@v4
         with:
           name: novel-service-subgraph
           path: subgraphs/novel
-        continue-on-error: true
 
       - name: Download Translation Service subgraph
-        uses: actions/download-artifact@v4
+        uses: christopherhx/gitea-download-artifact@v4
         with:
           name: translation-service-subgraph
           path: subgraphs/translation
-        continue-on-error: true
 
       - name: Download Scheduler Service subgraph
-        uses: actions/download-artifact@v4
+        uses: christopherhx/gitea-download-artifact@v4
         with:
           name: scheduler-service-subgraph
           path: subgraphs/scheduler
-        continue-on-error: true
 
       - name: Download User Service subgraph
-        uses: actions/download-artifact@v4
+        uses: christopherhx/gitea-download-artifact@v4
         with:
           name: user-service-subgraph
           path: subgraphs/user
-        continue-on-error: true
-
-      - name: Download File Service subgraph
-        uses: actions/download-artifact@v4
-        with:
-          name: file-service-subgraph
-          path: subgraphs/file
-        continue-on-error: true
 
       - name: Configure subgraph URLs for Docker
         run: |
@@ -95,13 +139,13 @@ jobs:
       - name: Build gateway
         run: dotnet build FictionArchive.API/FictionArchive.API.csproj -c Release --no-restore -p:SkipFusionBuild=true
 
-      - name: Run tests
-        run: dotnet test FictionArchive.sln -c Release --no-build --verbosity normal
-        continue-on-error: true
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Extract registry hostname
+        id: registry
+        run: echo "HOST=$(echo '${{ gitea.server_url }}' | sed 's|https\?://||')" >> $GITHUB_OUTPUT
+
       - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
@@ -116,7 +160,7 @@ jobs:
           file: FictionArchive.API/Dockerfile
           push: true
           tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ gitea.sha }}
+            ${{ steps.registry.outputs.HOST }}/${{ env.IMAGE_NAME }}:latest
+            ${{ steps.registry.outputs.HOST }}/${{ env.IMAGE_NAME }}:${{ gitea.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

.gitea/workflows/build-subgraphs.yml

@@ -1,78 +0,0 @@
-name: Build Subgraphs
-
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - master
-    paths:
-      - 'FictionArchive.Service.*/**'
-      - 'FictionArchive.Common/**'
-      - 'FictionArchive.Service.Shared/**'
-
-jobs:
-  build-subgraphs:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        service:
-          - name: novel-service
-            project: FictionArchive.Service.NovelService
-            subgraph: Novel
-          - name: translation-service
-            project: FictionArchive.Service.TranslationService
-            subgraph: Translation
-          - name: scheduler-service
-            project: FictionArchive.Service.SchedulerService
-            subgraph: Scheduler
-          - name: user-service
-            project: FictionArchive.Service.UserService
-            subgraph: User
-          - name: file-service
-            project: FictionArchive.Service.FileService
-            subgraph: File
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup .NET
-        uses: actions/setup-dotnet@v4
-        with:
-          dotnet-version: '8.0.x'
-
-      - name: Install Fusion CLI
-        run: dotnet tool install -g HotChocolate.Fusion.CommandLine
-
-      - name: Restore dependencies
-        run: dotnet restore ${{ matrix.service.project }}/${{ matrix.service.project }}.csproj
-
-      - name: Build
-        run: dotnet build ${{ matrix.service.project }}/${{ matrix.service.project }}.csproj -c Release --no-restore
-
-      - name: Export schema
-        run: |
-          dotnet run -c Release --no-launch-profile \
-            --project ${{ matrix.service.project }}/${{ matrix.service.project }}.csproj \
-            -- schema export --output ${{ matrix.service.project }}/schema.graphql
-
-      - name: Pack subgraph
-        run: fusion subgraph pack -w ${{ matrix.service.project }}
-
-      - name: Upload subgraph package
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ matrix.service.name }}-subgraph
-          path: ${{ matrix.service.project }}/*.fsp
-          retention-days: 30
-
-  # Trigger gateway build after all subgraphs are built
-  trigger-gateway:
-    runs-on: ubuntu-latest
-    needs: build-subgraphs
-    steps:
-      - name: Trigger gateway workflow
-        run: |
-          curl -X POST \
-            -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
-            "${{ gitea.server_url }}/api/v1/repos/${{ gitea.repository }}/actions/workflows/build-gateway.yml/dispatches" \
-            -d '{"ref":"master"}'

.gitea/workflows/build.yml

@@ -20,14 +20,6 @@ jobs:
         with:
           dotnet-version: '8.0.x'
 
-      - name: Setup Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-
-      - name: Install Fusion CLI
-        run: dotnet tool install -g HotChocolate.Fusion.CommandLine
-
       - name: Restore dependencies
         run: dotnet restore FictionArchive.sln
 
@@ -35,7 +27,27 @@ jobs:
         run: dotnet build FictionArchive.sln --configuration Release --no-restore /p:SkipFusionBuild=true
 
       - name: Run tests
-        run: dotnet test FictionArchive.sln --configuration Release --no-build --verbosity normal
+        run: |
+          dotnet test FictionArchive.sln --configuration Release --no-build --verbosity normal \
+            --logger "trx;LogFileName=test-results.trx" \
+            --collect:"XPlat Code Coverage" \
+            --results-directory ./TestResults
+
+      - name: Upload test results
+        uses: christopherhx/gitea-upload-artifact@v4
+        if: always()
+        with:
+          name: test-results
+          path: ./TestResults/**/*.trx
+          retention-days: 30
+
+      - name: Upload coverage results
+        uses: christopherhx/gitea-upload-artifact@v4
+        if: always()
+        with:
+          name: coverage-results
+          path: ./TestResults/**/coverage.cobertura.xml
+          retention-days: 30
 
   build-frontend:
     runs-on: ubuntu-latest

.gitea/workflows/claude_assistant.yml

@@ -27,10 +27,10 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          fetch-depth: 1
+          fetch-depth: 0
 
       - name: Run Claude PR Action
-        uses: anthropics/claude-code-action@beta
+        uses: markwylde/claude-code-gitea-action@v1.0.20
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
           gitea_token: ${{ secrets.CLAUDE_GITEA_TOKEN }}

.gitea/workflows/release.yml

@@ -15,8 +15,6 @@ jobs:
     strategy:
       matrix:
         service:
-          - name: api
-            dockerfile: FictionArchive.API/Dockerfile
           - name: novel-service
             dockerfile: FictionArchive.Service.NovelService/Dockerfile
           - name: user-service
@@ -40,6 +38,10 @@ jobs:
         id: version
         run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
+      - name: Extract registry hostname
+        id: registry
+        run: echo "HOST=$(echo '${{ gitea.server_url }}' | sed 's|https\?://||')" >> $GITHUB_OUTPUT
+
       - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
@@ -54,8 +56,8 @@ jobs:
           file: ${{ matrix.service.dockerfile }}
           push: true
           tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service.name }}:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service.name }}:latest
+            ${{ steps.registry.outputs.HOST }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service.name }}:${{ steps.version.outputs.VERSION }}
+            ${{ steps.registry.outputs.HOST }}/${{ env.IMAGE_PREFIX }}-${{ matrix.service.name }}:latest
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
@@ -72,6 +74,10 @@ jobs:
         id: version
         run: echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
+      - name: Extract registry hostname
+        id: registry
+        run: echo "HOST=$(echo '${{ gitea.server_url }}' | sed 's|https\?://||')" >> $GITHUB_OUTPUT
+
       - name: Log in to Gitea Container Registry
         uses: docker/login-action@v3
         with:
@@ -92,7 +98,7 @@ jobs:
             VITE_OIDC_REDIRECT_URI=${{ vars.VITE_OIDC_REDIRECT_URI }}
             VITE_OIDC_POST_LOGOUT_REDIRECT_URI=${{ vars.VITE_OIDC_POST_LOGOUT_REDIRECT_URI }}
           tags: |
-            ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-frontend:${{ steps.version.outputs.VERSION }}
-            ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-frontend:latest
+            ${{ steps.registry.outputs.HOST }}/${{ env.IMAGE_PREFIX }}-frontend:${{ steps.version.outputs.VERSION }}
+            ${{ steps.registry.outputs.HOST }}/${{ env.IMAGE_PREFIX }}-frontend:latest
           cache-from: type=gha
           cache-to: type=gha,mode=max

Documentation/CICD.md

@@ -7,9 +7,9 @@ This document describes the CI/CD pipeline configuration for FictionArchive usin
 | Workflow | File | Trigger | Purpose |
 |----------|------|---------|---------|
 | CI | `build.yml` | Push/PR to master | Build and test all projects |
-| Build Subgraphs | `build-subgraphs.yml` | Push to master (service changes) | Build GraphQL subgraph packages |
-| Build Gateway | `build-gateway.yml` | Manual or triggered by subgraphs | Compose gateway and build Docker image |
+| Build Gateway | `build-gateway.yml` | Tag `v*.*.*` or manual | Build subgraphs, compose gateway, push API image |
 | Release | `release.yml` | Tag `v*.*.*` | Build and push all Docker images |
+| Claude PR Assistant | `claude_assistant.yml` | Issue/PR comments with @claude | AI-assisted code review and issue handling |
 
 ## Pipeline Architecture
 
@@ -18,27 +18,32 @@ This document describes the CI/CD pipeline configuration for FictionArchive usin
 │                         Push to master                               │
 └─────────────────────────────┬───────────────────────────────────────┘
                               │
-              ┌───────────────┴───────────────┐
-              ▼                               ▼
-┌─────────────────────────┐     ┌─────────────────────────┐
-│      build.yml          │     │   build-subgraphs.yml   │
-│   (CI checks - always)  │     │  (if service changes)   │
-└─────────────────────────┘     └────────────┬────────────┘
-                                             │
-                                             ▼
-                                ┌─────────────────────────┐
-                                │   build-gateway.yml     │
-                                │  (compose & push API)   │
-                                └─────────────────────────┘
+                              ▼
+                ┌─────────────────────────┐
+                │      build.yml          │
+                │     (CI checks)         │
+                └─────────────────────────┘
 
 ┌─────────────────────────────────────────────────────────────────────┐
 │                        Push tag v*.*.*                               │
+└─────────────────────────────┬───────────────────────────────────────┘
+                              │
+              ┌───────────────┴───────────────┐
+              ▼                               ▼
+┌─────────────────────────┐     ┌─────────────────────────┐
+│      release.yml        │     │   build-gateway.yml     │
+│  (build & push all      │     │  (build subgraphs &     │
+│   backend + frontend)   │     │   push API gateway)     │
+└─────────────────────────┘     └─────────────────────────┘
+
+┌─────────────────────────────────────────────────────────────────────┐
+│              Issue/PR comment containing @claude                     │
 └─────────────────────────────┬───────────────────────────────────────┘
                               │
                               ▼
                 ┌─────────────────────────┐
-                │      release.yml        │
-                │  (build & push all)     │
+                │  claude_assistant.yml   │
+                │  (AI code assistance)   │
                 └─────────────────────────┘
 ```
 
@@ -51,14 +56,15 @@ Configure these in **Settings → Actions → Secrets**:
 | Secret | Description | Required By |
 |--------|-------------|-------------|
 | `REGISTRY_TOKEN` | Gitea access token with `write:package` scope | `release.yml`, `build-gateway.yml` |
-| `GITEA_TOKEN` | Gitea access token for API calls | `build-subgraphs.yml` |
+| `CLAUDE_CODE_OAUTH_TOKEN` | Claude Code OAuth token | `claude_assistant.yml` |
+| `CLAUDE_GITEA_TOKEN` | Gitea token for Claude assistant | `claude_assistant.yml` |
 
 #### Creating Access Tokens
 
 1. Go to **Settings → Applications → Access Tokens**
 2. Create a new token with the following scopes:
    - `write:package` - Push container images
-   - `write:repository` - Trigger workflows via API
+   - `write:repository` - For Claude assistant to push commits
 3. Copy the token and add it as a repository secret
 
 ### Repository Variables
@@ -85,42 +91,62 @@ Configure these in **Settings → Actions → Variables**:
 
 **Requirements:**
 - .NET 8.0 SDK
-- Python 3.12
 - Node.js 20
-- HotChocolate Fusion CLI
 
-### Build Subgraphs (`build-subgraphs.yml`)
+**Steps (Backend):**
+1. Checkout repository
+2. Setup .NET 8.0
+3. Restore dependencies
+4. Build solution (Release, with `SkipFusionBuild=true`)
+5. Run tests
 
-**Trigger:** Push to `master` with changes in:
-- `FictionArchive.Service.*/**`
-- `FictionArchive.Common/**`
-- `FictionArchive.Service.Shared/**`
-
-**Jobs:**
-1. `build-subgraphs` - Matrix job building each service's `.fsp` package
-2. `trigger-gateway` - Triggers gateway rebuild via API
-
-**Subgraphs Built:**
-- Novel Service
-- Translation Service
-- Scheduler Service
-- User Service
-- File Service
-
-**Artifacts:** Each subgraph produces a `.fsp` file retained for 30 days.
+**Steps (Frontend):**
+1. Checkout repository
+2. Setup Node.js 20
+3. Install dependencies (`npm ci`)
+4. Run linter (`npm run lint`)
+5. Build application (`npm run build`)
 
 ### Build Gateway (`build-gateway.yml`)
 
 **Trigger:**
 - Manual dispatch (`workflow_dispatch`)
-- Push to `master` with changes in `FictionArchive.API/**`
-- Triggered by `build-subgraphs.yml` completion
+- Push tag matching `v*.*.*`
 
-**Process:**
-1. Downloads all subgraph `.fsp` artifacts
-2. Configures Docker-internal URLs for each subgraph
-3. Composes gateway schema using Fusion CLI
-4. Builds and pushes API Docker image
+**Jobs:**
+
+#### 1. `build-subgraphs` (Matrix Job)
+Builds GraphQL subgraph packages for each service:
+
+| Service | Project | Subgraph Name |
+|---------|---------|---------------|
+| novel-service | FictionArchive.Service.NovelService | Novel |
+| translation-service | FictionArchive.Service.TranslationService | Translation |
+| scheduler-service | FictionArchive.Service.SchedulerService | Scheduler |
+| user-service | FictionArchive.Service.UserService | User |
+
+**Note:** File Service and Authentication Service are not subgraphs (no GraphQL schema).
+
+**Steps:**
+1. Checkout repository
+2. Setup .NET 8.0
+3. Install HotChocolate Fusion CLI
+4. Restore and build service project
+5. Export GraphQL schema (`schema export`)
+6. Pack subgraph into `.fsp` file
+7. Upload artifact (retained 30 days)
+
+#### 2. `build-gateway` (Depends on `build-subgraphs`)
+Composes the API gateway from subgraph packages.
+
+**Steps:**
+1. Checkout repository
+2. Setup .NET 8.0 and Fusion CLI
+3. Download all subgraph artifacts
+4. Configure Docker-internal URLs (`http://{service}-service:8080/graphql`)
+5. Compose gateway schema using Fusion CLI
+6. Build gateway project
+7. Build and push Docker image
 
 **Image Tags:**
 - `<registry>/<owner>/fictionarchive-api:latest`
@@ -131,23 +157,54 @@ Configure these in **Settings → Actions → Variables**:
 **Trigger:** Push tag matching `v*.*.*` (e.g., `v1.0.0`)
 
 **Jobs:**
-1. `build-and-push` - Matrix job building all backend service images
-2. `build-frontend` - Builds and pushes frontend image
 
-**Services Built:**
-- `fictionarchive-api`
-- `fictionarchive-novel-service`
-- `fictionarchive-user-service`
-- `fictionarchive-translation-service`
-- `fictionarchive-file-service`
-- `fictionarchive-scheduler-service`
-- `fictionarchive-authentication-service`
-- `fictionarchive-frontend`
+#### 1. `build-and-push` (Matrix Job)
+Builds and pushes all backend service images:
+
+| Service | Dockerfile |
+|---------|------------|
+| novel-service | FictionArchive.Service.NovelService/Dockerfile |
+| user-service | FictionArchive.Service.UserService/Dockerfile |
+| translation-service | FictionArchive.Service.TranslationService/Dockerfile |
+| file-service | FictionArchive.Service.FileService/Dockerfile |
+| scheduler-service | FictionArchive.Service.SchedulerService/Dockerfile |
+| authentication-service | FictionArchive.Service.AuthenticationService/Dockerfile |
+
+#### 2. `build-frontend`
+Builds and pushes the frontend image with environment-specific build arguments.
+
+**Build Args:**
+- `VITE_GRAPHQL_URI`
+- `VITE_OIDC_AUTHORITY`
+- `VITE_OIDC_CLIENT_ID`
+- `VITE_OIDC_REDIRECT_URI`
+- `VITE_OIDC_POST_LOGOUT_REDIRECT_URI`
 
 **Image Tags:**
 - `<registry>/<owner>/fictionarchive-<service>:<version>`
 - `<registry>/<owner>/fictionarchive-<service>:latest`
 
+### Claude PR Assistant (`claude_assistant.yml`)
+
+**Trigger:** Comments or issues containing `@claude`:
+- Issue comments
+- Pull request review comments
+- Pull request reviews
+- New issues (opened or assigned)
+
+**Permissions Required:**
+- `contents: write`
+- `pull-requests: write`
+- `issues: write`
+- `id-token: write`
+
+**Usage:**
+Mention `@claude` in any issue or PR comment to invoke the AI assistant for:
+- Code review assistance
+- Bug analysis
+- Implementation suggestions
+- Documentation help
+
 ## Container Registry
 
 Images are pushed to the Gitea Container Registry at:
@@ -155,6 +212,19 @@ Images are pushed to the Gitea Container Registry at:
 <gitea-server-url>/<repository-owner>/fictionarchive-<service>:<tag>
 ```
 
+### Image Naming Convention
+
+| Image | Description |
+|-------|-------------|
+| `fictionarchive-api` | API Gateway (GraphQL Federation) |
+| `fictionarchive-novel-service` | Novel Service |
+| `fictionarchive-user-service` | User Service |
+| `fictionarchive-translation-service` | Translation Service |
+| `fictionarchive-file-service` | File Service |
+| `fictionarchive-scheduler-service` | Scheduler Service |
+| `fictionarchive-authentication-service` | Authentication Service |
+| `fictionarchive-frontend` | Web Frontend |
+
 ### Pulling Images
 
 ```bash
@@ -184,13 +254,13 @@ docker pull <gitea-server-url>/<owner>/fictionarchive-api:latest
 - Ensure the `REGISTRY_TOKEN` secret is configured in repository settings
 - Verify the token has `write:package` scope
 
-**"Failed to trigger gateway workflow"**
-- Ensure `GITEA_TOKEN` secret is configured
-- Verify the token has `write:repository` scope
-
 **"No subgraph artifacts found"**
-- The gateway build requires subgraph artifacts from a previous `build-subgraphs` run
-- Trigger `build-subgraphs.yml` manually or push a change to a service
+- The gateway build requires subgraph artifacts from the `build-subgraphs` job
+- If subgraph builds failed, check the matrix job logs for errors
+
+**"Schema export failed"**
+- Ensure the service project has a valid `subgraph-config.json`
+- Check that the service starts correctly for schema export
 
 ### Frontend Build Failures
 
@@ -204,6 +274,13 @@ docker pull <gitea-server-url>/<owner>/fictionarchive-api:latest
 - Verify `REGISTRY_TOKEN` has correct permissions
 - Check that the token hasn't expired
 
+### Claude Assistant Failures
+
+**"Claude assistant not responding"**
+- Verify `CLAUDE_CODE_OAUTH_TOKEN` is configured
+- Verify `CLAUDE_GITEA_TOKEN` is configured and has write permissions
+- Check that the comment contains `@claude` mention
+
 ## Local Testing
 
 To test workflows locally before pushing:

FictionArchive.API/FictionArchive.API.csproj

@@ -13,6 +13,7 @@
         <PackageReference Include="HotChocolate.Data.EntityFramework" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Fusion" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Types.Scalars" Version="15.1.11" />
+        <PackageReference Include="Microsoft.AspNetCore.HeaderPropagation" Version="8.0.22" />
         <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="9.0.11">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
@@ -20,6 +21,7 @@
         <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="9.0.11" />
         <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="8.0.7" />
         <PackageReference Include="Swashbuckle.AspNetCore" Version="6.6.2"/>
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
     </ItemGroup>
     
     <!-- Builds the Fusion graph file before building the application itself (skipped in CI) -->

FictionArchive.API/Program.cs

@@ -12,7 +12,11 @@ public class Program
         
         #region Fusion Gateway
 
-        builder.Services.AddHttpClient("Fusion");
+        builder.Services.AddHttpClient("Fusion")
+            .AddHeaderPropagation(opt =>
+            {
+                opt.Headers.Add("Authorization");
+            });
 
         builder.Services
             .AddFusionGatewayServer()
@@ -21,23 +25,29 @@ public class Program
         
         #endregion
         
+        // Add authentication
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        
         builder.Services.AddCors(options =>
         {
-            options.AddPolicy("AllowAllOrigins",
-                builder =>
+            options.AddPolicy("AllowFictionArchiveOrigins",
+                policyBuilder =>
                 {
-                    builder.AllowAnyOrigin()
+                    policyBuilder.WithOrigins("https://fictionarchive.orfl.xyz", "http://localhost:5173")
                         .AllowAnyMethod()
-                        .AllowAnyHeader();
+                        .AllowAnyHeader()
+                        .AllowCredentials();
                 });
         });
 
         var app = builder.Build();
 
-        app.UseCors("AllowAllOrigins");
+        app.UseCors("AllowFictionArchiveOrigins");
         
         app.MapHealthChecks("/healthz");
 
+        app.UseHeaderPropagation();
+
         app.MapGraphQL();
 
         app.RunWithGraphQLCommands(args);

FictionArchive.API/appsettings.json

@@ -5,5 +5,15 @@
       "Microsoft.AspNetCore": "Warning"
     }
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.FileService/Controllers/S3ProxyController.cs

@@ -2,6 +2,7 @@ using System.Web;
 using Amazon.S3;
 using Amazon.S3.Model;
 using FictionArchive.Service.FileService.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
@@ -10,6 +11,7 @@ namespace FictionArchive.Service.FileService.Controllers
 {
     [Route("api/{*path}")]
     [ApiController]
+    [Authorize]
     public class S3ProxyController : ControllerBase
     {
         private readonly AmazonS3Client _amazonS3Client;

FictionArchive.Service.FileService/Dockerfile

@@ -7,17 +7,17 @@ EXPOSE 8081
 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
 ARG BUILD_CONFIGURATION=Release
 WORKDIR /src
-COPY ["FictionArchive.Service.ImageService/FictionArchive.Service.ImageService.csproj", "FictionArchive.Service.ImageService/"]
-RUN dotnet restore "FictionArchive.Service.ImageService/FictionArchive.Service.ImageService.csproj"
+COPY ["FictionArchive.Service.FileService/FictionArchive.Service.FileService.csproj", "FictionArchive.Service.FileService/"]
+RUN dotnet restore "FictionArchive.Service.FileService/FictionArchive.Service.FileService.csproj"
 COPY . .
-WORKDIR "/src/FictionArchive.Service.ImageService"
-RUN dotnet build "./FictionArchive.Service.ImageService.csproj" -c $BUILD_CONFIGURATION -o /app/build
+WORKDIR "/src/FictionArchive.Service.FileService"
+RUN dotnet build "./FictionArchive.Service.FileService.csproj" -c $BUILD_CONFIGURATION -o /app/build
 
 FROM build AS publish
 ARG BUILD_CONFIGURATION=Release
-RUN dotnet publish "./FictionArchive.Service.ImageService.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false
+RUN dotnet publish "./FictionArchive.Service.FileService.csproj" -c $BUILD_CONFIGURATION -o /app/publish /p:UseAppHost=false
 
 FROM base AS final
 WORKDIR /app
 COPY --from=publish /app/publish .
-ENTRYPOINT ["dotnet", "FictionArchive.Service.ImageService.dll"]
+ENTRYPOINT ["dotnet", "FictionArchive.Service.FileService.dll"]

FictionArchive.Service.FileService/FictionArchive.Service.FileService.csproj

@@ -21,6 +21,7 @@
       <PackageReference Include="AWSSDK.S3" Version="4.0.13.1" />
       <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" />
       <PackageReference Include="Swashbuckle.AspNetCore" Version="10.0.1" />
+      <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
     </ItemGroup>
 
     <ItemGroup>

FictionArchive.Service.FileService/Program.cs

@@ -34,6 +34,10 @@ public class Program
         
         #endregion
         
+        // Add authentication with cookie support
+        builder.Services.AddOidcCookieAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+        
         builder.Services.Configure<ProxyConfiguration>(builder.Configuration.GetSection("ProxyConfiguration"));
         
         // Add S3 Client
@@ -60,6 +64,9 @@ public class Program
             app.UseSwaggerUI();
         }
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+        
         app.MapHealthChecks("/healthz");
         
         app.MapControllers();

FictionArchive.Service.FileService/appsettings.json

@@ -18,5 +18,15 @@
     "AccessKey": "REPLACE_ME",
     "SecretKey": "REPLACE_ME"
   },
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-files",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  },
   "AllowedHosts": "*"
 }

FictionArchive.Service.NovelService/GraphQL/Mutation.cs

@@ -6,32 +6,24 @@ using FictionArchive.Service.NovelService.Models.SourceAdapters;
 using FictionArchive.Service.NovelService.Services;
 using FictionArchive.Service.NovelService.Services.SourceAdapters;
 using FictionArchive.Service.Shared.Services.EventBus;
+using HotChocolate.Authorization;
 using Microsoft.EntityFrameworkCore;
 
 namespace FictionArchive.Service.NovelService.GraphQL;
 
 public class Mutation
 {
-    public async Task<NovelUpdateRequestedEvent> ImportNovel(string novelUrl, IEventBus eventBus)
+    [Authorize]
+    public async Task<NovelUpdateRequestedEvent> ImportNovel(string novelUrl, NovelUpdateService service)
     {
-        var importNovelRequestEvent = new NovelUpdateRequestedEvent()
-        {
-            NovelUrl = novelUrl
-        };
-        await eventBus.Publish(importNovelRequestEvent);
-        return importNovelRequestEvent;
+        return await service.QueueNovelImport(novelUrl);
     }
 
+    [Authorize]
     public async Task<ChapterPullRequestedEvent> FetchChapterContents(uint novelId,
         uint chapterNumber,
-        IEventBus eventBus)
+        NovelUpdateService service)
     {
-        var chapterPullEvent = new ChapterPullRequestedEvent()
-        {
-            NovelId = novelId,
-            ChapterNumber = chapterNumber
-        };
-        await eventBus.Publish(chapterPullEvent);
-        return chapterPullEvent;
+        return await service.QueueChapterPull(novelId, chapterNumber);
     }
 }

FictionArchive.Service.NovelService/GraphQL/Query.cs

@@ -1,5 +1,6 @@
 using FictionArchive.Service.NovelService.Models.Novels;
 using FictionArchive.Service.NovelService.Services;
+using HotChocolate.Authorization;
 using HotChocolate.Data;
 using HotChocolate.Types;
 
@@ -7,6 +8,7 @@ namespace FictionArchive.Service.NovelService.GraphQL;
 
 public class Query
 {
+    [Authorize]
     [UsePaging]
     [UseProjection]
     [UseFiltering]

FictionArchive.Service.NovelService/Program.cs

@@ -6,6 +6,7 @@ using FictionArchive.Service.NovelService.Services;
 using FictionArchive.Service.NovelService.Services.EventHandlers;
 using FictionArchive.Service.NovelService.Services.SourceAdapters;
 using FictionArchive.Service.NovelService.Services.SourceAdapters.Novelpia;
+using FictionArchive.Service.Shared;
 using FictionArchive.Service.Shared.Extensions;
 using FictionArchive.Service.Shared.Services.EventBus.Implementations;
 using FictionArchive.Service.Shared.Services.GraphQL;
@@ -17,6 +18,8 @@ public class Program
 {
     public static void Main(string[] args)
     {
+        var isSchemaExport = SchemaExportDetector.IsSchemaExportMode(args);
+
         var builder = WebApplication.CreateBuilder(args);
         builder.AddLocalAppsettings();
         
@@ -24,26 +27,32 @@ public class Program
         
         #region Event Bus
 
-        builder.Services.AddRabbitMQ(opt =>
+        if (!isSchemaExport)
         {
-            builder.Configuration.GetSection("RabbitMQ").Bind(opt);
-        })
-            .Subscribe<TranslationRequestCompletedEvent, TranslationRequestCompletedEventHandler>()
-            .Subscribe<NovelUpdateRequestedEvent, NovelUpdateRequestedEventHandler>()
-            .Subscribe<ChapterPullRequestedEvent, ChapterPullRequestedEventHandler>()
-            .Subscribe<FileUploadRequestStatusUpdateEvent, FileUploadRequestStatusUpdateEventHandler>();
+            builder.Services.AddRabbitMQ(opt =>
+            {
+                builder.Configuration.GetSection("RabbitMQ").Bind(opt);
+            })
+                .Subscribe<TranslationRequestCompletedEvent, TranslationRequestCompletedEventHandler>()
+                .Subscribe<NovelUpdateRequestedEvent, NovelUpdateRequestedEventHandler>()
+                .Subscribe<ChapterPullRequestedEvent, ChapterPullRequestedEventHandler>()
+                .Subscribe<FileUploadRequestStatusUpdateEvent, FileUploadRequestStatusUpdateEventHandler>();
+        }
 
         #endregion
         
         #region GraphQL
 
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         
         #endregion
         
         #region Database
 
-        builder.Services.RegisterDbContext<NovelServiceDbContext>(builder.Configuration.GetConnectionString("DefaultConnection"));
+        builder.Services.RegisterDbContext<NovelServiceDbContext>(
+            builder.Configuration.GetConnectionString("DefaultConnection"),
+            skipInfrastructure: isSchemaExport);
         
         #endregion
         
@@ -67,11 +76,16 @@ public class Program
         
         builder.Services.AddHealthChecks();
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         var app = builder.Build();
         
-        // Update database
-        using (var scope = app.Services.CreateScope())
+        // Update database (skip in schema export mode)
+        if (!isSchemaExport)
         {
+            using var scope = app.Services.CreateScope();
             var dbContext = scope.ServiceProvider.GetRequiredService<NovelServiceDbContext>();
             dbContext.UpdateDatabase();
         }
@@ -80,6 +94,9 @@ public class Program
 
         app.MapHealthChecks("/healthz");
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
 
         app.RunWithGraphQLCommands(args);

FictionArchive.Service.NovelService/Services/NovelUpdateService.cs

@@ -2,6 +2,7 @@ using FictionArchive.Service.FileService.IntegrationEvents;
 using FictionArchive.Service.NovelService.Models.Configuration;
 using FictionArchive.Service.NovelService.Models.Enums;
 using FictionArchive.Service.NovelService.Models.Images;
+using FictionArchive.Service.NovelService.Models.IntegrationEvents;
 using FictionArchive.Service.NovelService.Models.Localization;
 using FictionArchive.Service.NovelService.Models.Novels;
 using FictionArchive.Service.NovelService.Models.SourceAdapters;
@@ -201,4 +202,25 @@ public class NovelUpdateService
         
         await _dbContext.SaveChangesAsync();
     }
+
+    public async Task<NovelUpdateRequestedEvent> QueueNovelImport(string novelUrl)
+    {
+        var importNovelRequestEvent = new NovelUpdateRequestedEvent()
+        {
+            NovelUrl = novelUrl
+        };
+        await _eventBus.Publish(importNovelRequestEvent);
+        return importNovelRequestEvent;
+    }
+
+    public async Task<ChapterPullRequestedEvent> QueueChapterPull(uint novelId, uint chapterNumber)
+    {
+        var chapterPullEvent = new ChapterPullRequestedEvent()
+        {
+            NovelId = novelId,
+            ChapterNumber = chapterNumber
+        };
+        await _eventBus.Publish(chapterPullEvent);
+        return chapterPullEvent;
+    }
 }

FictionArchive.Service.NovelService/appsettings.json

@@ -19,5 +19,15 @@
     "ConnectionString": "amqp://localhost",
     "ClientIdentifier": "NovelService"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "ldi5IpEidq2WW0Ka1lehVskb2SOBjnYRaZCpEyBh",
+    "Audience": "ldi5IpEidq2WW0Ka1lehVskb2SOBjnYRaZCpEyBh",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.NovelService/subgraph-config.json

@@ -1,6 +1,6 @@
 {
   "subgraph": "Novels",
   "http": {
-    "baseAddress": "http://localhost:5101/graphql"
+    "baseAddress": "https://localhost:7208/graphql"
   }
 }

FictionArchive.Service.SchedulerService/GraphQL/Mutation.cs

@@ -1,6 +1,8 @@
 using System.Data;
 using FictionArchive.Service.SchedulerService.Models;
 using FictionArchive.Service.SchedulerService.Services;
+using FictionArchive.Service.Shared.Constants;
+using HotChocolate.Authorization;
 using HotChocolate.Types;
 using Quartz;
 
@@ -10,18 +12,21 @@ public class Mutation
 {
     [Error<DuplicateNameException>]
     [Error<FormatException>]
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<SchedulerJob> ScheduleEventJob(string key, string description, string eventType, string eventData, string cronSchedule, JobManagerService jobManager)
     {
         return await jobManager.ScheduleEventJob(key, description, eventType, eventData, cronSchedule);
     }
 
     [Error<JobPersistenceException>]
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<bool> RunJob(string jobKey, JobManagerService jobManager)
     {
         return await jobManager.TriggerJob(jobKey);
     }
 
     [Error<KeyNotFoundException>]
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<bool> DeleteJob(string jobKey, JobManagerService jobManager)
     {
         bool deleted = await jobManager.DeleteJob(jobKey);

FictionArchive.Service.SchedulerService/Program.cs

@@ -1,5 +1,6 @@
 using FictionArchive.Service.SchedulerService.GraphQL;
 using FictionArchive.Service.SchedulerService.Services;
+using FictionArchive.Service.Shared;
 using FictionArchive.Service.Shared.Extensions;
 using FictionArchive.Service.Shared.Services.EventBus.Implementations;
 using Quartz;
@@ -11,54 +12,79 @@ public class Program
 {
     public static void Main(string[] args)
     {
+        var isSchemaExport = SchemaExportDetector.IsSchemaExportMode(args);
+
         var builder = WebApplication.CreateBuilder(args);
         
         // Services
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         builder.Services.AddHealthChecks();
         builder.Services.AddTransient<JobManagerService>();
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         #region Database
         
-        builder.Services.RegisterDbContext<SchedulerServiceDbContext>(builder.Configuration.GetConnectionString("DefaultConnection"));
+        builder.Services.RegisterDbContext<SchedulerServiceDbContext>(
+            builder.Configuration.GetConnectionString("DefaultConnection"),
+            skipInfrastructure: isSchemaExport);
         
         #endregion
         
         #region Event Bus
 
-        builder.Services.AddRabbitMQ(opt =>
+        if (!isSchemaExport)
         {
-            builder.Configuration.GetSection("RabbitMQ").Bind(opt);
-        });
+            builder.Services.AddRabbitMQ(opt =>
+            {
+                builder.Configuration.GetSection("RabbitMQ").Bind(opt);
+            });
+        }
 
         #endregion
         
         #region Quartz
 
-        builder.Services.AddQuartz(opt =>
+        if (isSchemaExport)
         {
-            opt.UsePersistentStore(pso =>
+            // Schema export mode: use in-memory store (no DB connection needed)
+            builder.Services.AddQuartz(opt =>
             {
-                pso.UsePostgres(pgsql =>
-                {
-                    pgsql.ConnectionString = builder.Configuration.GetConnectionString("DefaultConnection");
-                    pgsql.UseDriverDelegate<PostgreSQLDelegate>();
-                    pgsql.TablePrefix = "quartz.qrtz_"; // Needed for Postgres due to the differing schema used
-                });
-                pso.UseNewtonsoftJsonSerializer();
+                opt.UseInMemoryStore();
             });
-        });
-        builder.Services.AddQuartzHostedService(opt =>
+        }
+        else
         {
-            opt.WaitForJobsToComplete = true;
-        });
+            builder.Services.AddQuartz(opt =>
+            {
+                opt.UsePersistentStore(pso =>
+                {
+                    pso.UsePostgres(pgsql =>
+                    {
+                        pgsql.ConnectionString = builder.Configuration.GetConnectionString("DefaultConnection");
+                        pgsql.UseDriverDelegate<PostgreSQLDelegate>();
+                        pgsql.TablePrefix = "quartz.qrtz_"; // Needed for Postgres due to the differing schema used
+                    });
+                    pso.UseNewtonsoftJsonSerializer();
+                });
+            });
+            builder.Services.AddQuartzHostedService(opt =>
+            {
+                opt.WaitForJobsToComplete = true;
+            });
+        }
 
         #endregion
         
         var app = builder.Build();
         
-        using (var scope = app.Services.CreateScope())
+        // Update database (skip in schema export mode)
+        if (!isSchemaExport)
         {
+            using var scope = app.Services.CreateScope();
             var dbContext = scope.ServiceProvider.GetRequiredService<SchedulerServiceDbContext>();
             dbContext.UpdateDatabase();
         }
@@ -67,6 +93,9 @@ public class Program
 
         app.MapHealthChecks("/healthz");
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
         
         app.RunWithGraphQLCommands(args);

FictionArchive.Service.SchedulerService/appsettings.json

@@ -12,5 +12,15 @@
   "ConnectionStrings": {
     "DefaultConnection": "Host=localhost;Database=FictionArchive_SchedulerService;Username=postgres;password=postgres"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.Shared/Constants/AuthorizationConstants.cs

@@ -0,0 +1,15 @@
+namespace FictionArchive.Service.Shared.Constants;
+
+public static class AuthorizationConstants
+{
+    public static class Roles
+    {
+        public const string Admin = "admin";
+    }
+
+    public static class Policies
+    {
+        public const string Admin = "Admin";
+        public const string User = "User";
+    }
+}

FictionArchive.Service.Shared/Extensions/AuthenticationExtensions.cs

@@ -0,0 +1,168 @@
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Tokens;
+using FictionArchive.Service.Shared.Constants;
+using FictionArchive.Service.Shared.Models.Authentication;
+using System.Linq;
+
+namespace FictionArchive.Service.Shared.Extensions;
+
+public static class AuthenticationExtensions
+{
+    public static IServiceCollection AddOidcAuthentication(this IServiceCollection services, IConfiguration configuration)
+    {
+        var oidcConfig = configuration.GetSection("OIDC").Get<OidcConfiguration>();
+        
+        if (oidcConfig == null)
+        {
+            throw new InvalidOperationException("OIDC configuration is required but not found in app settings");
+        }
+        
+        ValidateOidcConfiguration(oidcConfig);
+
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
+            {
+                options.Authority = oidcConfig.Authority;
+                options.Audience = oidcConfig.Audience;
+                options.RequireHttpsMetadata = !string.IsNullOrEmpty(oidcConfig.Authority) && oidcConfig.Authority.StartsWith("https://");
+
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidateIssuer = oidcConfig.ValidateIssuer,
+                    ValidIssuer = oidcConfig.ValidIssuer,
+                    ValidateAudience = oidcConfig.ValidateAudience,
+                    ValidateLifetime = oidcConfig.ValidateLifetime,
+                    ValidateIssuerSigningKey = oidcConfig.ValidateIssuerSigningKey,
+                    ClockSkew = TimeSpan.FromMinutes(5)
+                };
+
+                options.Events = CreateLoggingJwtBearerEvents();
+            });
+
+        return services;
+    }
+
+    private static JwtBearerEvents CreateLoggingJwtBearerEvents(JwtBearerEvents? existingEvents = null)
+    {
+        return new JwtBearerEvents
+        {
+            OnMessageReceived = existingEvents?.OnMessageReceived ?? (_ => Task.CompletedTask),
+            OnAuthenticationFailed = context =>
+            {
+                var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
+                    .CreateLogger("JwtBearerAuthentication");
+
+                logger.LogWarning(context.Exception, "JWT authentication failed: {Message}", context.Exception.Message);
+
+                return existingEvents?.OnAuthenticationFailed?.Invoke(context) ?? Task.CompletedTask;
+            },
+            OnChallenge = context =>
+            {
+                var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
+                    .CreateLogger("JwtBearerAuthentication");
+
+                logger.LogDebug(
+                    "JWT challenge issued. Error: {Error}, ErrorDescription: {ErrorDescription}",
+                    context.Error,
+                    context.ErrorDescription);
+
+                return existingEvents?.OnChallenge?.Invoke(context) ?? Task.CompletedTask;
+            },
+            OnTokenValidated = context =>
+            {
+                var logger = context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
+                    .CreateLogger("JwtBearerAuthentication");
+
+                logger.LogDebug(
+                    "JWT token validated for subject: {Subject}",
+                    context.Principal?.FindFirst("sub")?.Value ?? "unknown");
+
+                return existingEvents?.OnTokenValidated?.Invoke(context) ?? Task.CompletedTask;
+            }
+        };
+    }
+
+    public static IServiceCollection AddOidcCookieAuthentication(this IServiceCollection services, IConfiguration configuration, string cookieName = "fa_session")
+    {
+        var oidcConfig = configuration.GetSection("OIDC").Get<OidcConfiguration>();
+        
+        if (oidcConfig == null)
+        {
+            throw new InvalidOperationException("OIDC configuration is required but not found in app settings");
+        }
+        
+        ValidateOidcConfiguration(oidcConfig);
+
+        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
+            .AddJwtBearer(options =>
+            {
+                options.Authority = oidcConfig.Authority;
+                options.Audience = oidcConfig.Audience;
+                options.RequireHttpsMetadata = !string.IsNullOrEmpty(oidcConfig.Authority) && oidcConfig.Authority.StartsWith("https://");
+
+                var cookieEvents = new JwtBearerEvents
+                {
+                    OnMessageReceived = context =>
+                    {
+                        // Try to get token from cookie first, then from Authorization header
+                        if (context.Request.Cookies.ContainsKey(cookieName))
+                        {
+                            context.Token = context.Request.Cookies[cookieName];
+                        }
+
+                        return Task.CompletedTask;
+                    }
+                };
+                options.Events = CreateLoggingJwtBearerEvents(cookieEvents);
+
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    ValidateIssuer = oidcConfig.ValidateIssuer,
+                    ValidIssuer = oidcConfig.ValidIssuer,
+                    ValidateAudience = oidcConfig.ValidateAudience,
+                    ValidateLifetime = oidcConfig.ValidateLifetime,
+                    ValidateIssuerSigningKey = oidcConfig.ValidateIssuerSigningKey,
+                    ClockSkew = TimeSpan.FromMinutes(5)
+                };
+            });
+
+        return services;
+    }
+
+    public static IServiceCollection AddFictionArchiveAuthorization(this IServiceCollection services)
+    {
+        services.AddAuthorizationBuilder()
+            .AddPolicy(AuthorizationConstants.Policies.Admin, policy => policy.RequireRole(AuthorizationConstants.Roles.Admin))
+            .AddPolicy(AuthorizationConstants.Policies.User, policy => policy.RequireAuthenticatedUser());
+
+        return services;
+    }
+
+    private static void ValidateOidcConfiguration(OidcConfiguration config)
+    {
+        var errors = new List<string>();
+
+        if (string.IsNullOrWhiteSpace(config.Authority))
+            errors.Add("OIDC Authority is required");
+
+        if (string.IsNullOrWhiteSpace(config.ClientId))
+            errors.Add("OIDC ClientId is required");
+
+        if (string.IsNullOrWhiteSpace(config.Audience))
+            errors.Add("OIDC Audience is required");
+
+        if (!Uri.TryCreate(config.Authority, UriKind.Absolute, out var authorityUri))
+            errors.Add($"OIDC Authority '{config.Authority}' is not a valid URI");
+        else if (!authorityUri.Scheme.Equals("https", StringComparison.OrdinalIgnoreCase) && 
+                 !authorityUri.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
+            errors.Add("OIDC Authority must use HTTPS unless running on localhost");
+
+        if (errors.Any())
+        {
+            throw new InvalidOperationException($"OIDC configuration validation failed:{Environment.NewLine}{string.Join(Environment.NewLine, errors)}");
+        }
+    }
+}

FictionArchive.Service.Shared/Extensions/DatabaseExtensions.cs

@@ -6,16 +6,29 @@ namespace FictionArchive.Service.Shared.Extensions;
 
 public static class DatabaseExtensions
 {
-    public static IServiceCollection RegisterDbContext<TContext>(this IServiceCollection services,
-        string connectionString) where TContext : FictionArchiveDbContext
+    public static IServiceCollection RegisterDbContext<TContext>(
+        this IServiceCollection services,
+        string connectionString,
+        bool skipInfrastructure = false) where TContext : FictionArchiveDbContext
     {
-        services.AddDbContext<TContext>(options =>
+        if (skipInfrastructure)
         {
-            options.UseNpgsql(connectionString, o =>
+            // For schema export: use in-memory provider to allow EF Core entity discovery
+            services.AddDbContext<TContext>(options =>
             {
-                o.UseNodaTime();
+                options.UseInMemoryDatabase($"SchemaExport_{typeof(TContext).Name}");
             });
-        });
+        }
+        else
+        {
+            services.AddDbContext<TContext>(options =>
+            {
+                options.UseNpgsql(connectionString, o =>
+                {
+                    o.UseNodaTime();
+                });
+            });
+        }
         return services;
     }
 }

FictionArchive.Service.Shared/FictionArchive.Service.Shared.csproj

@@ -9,6 +9,7 @@
     <ItemGroup>
         <PackageReference Include="GraphQL.Server.Ui.GraphiQL" Version="8.3.3" />
         <PackageReference Include="HotChocolate.AspNetCore" Version="15.1.11" />
+        <PackageReference Include="HotChocolate.AspNetCore.Authorization" Version="15.1.11" />
         <PackageReference Include="HotChocolate.AspNetCore.CommandLine" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Data.EntityFramework" Version="15.1.11" />
         <PackageReference Include="HotChocolate.Types.Scalars" Version="15.1.11" />
@@ -18,6 +19,7 @@
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
+        <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="9.0.11" />
         <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="9.0.11" />
         <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="9.0.11">
             <PrivateAssets>all</PrivateAssets>
@@ -28,6 +30,7 @@
         <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="9.0.4" />
         <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL.NodaTime" Version="9.0.4" />
         <PackageReference Include="RabbitMQ.Client" Version="7.2.0" />
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.11" />
     </ItemGroup>
     
     <ItemGroup>

FictionArchive.Service.Shared/Models/Authentication/OidcConfiguration.cs

@@ -0,0 +1,13 @@
+namespace FictionArchive.Service.Shared.Models.Authentication;
+
+public class OidcConfiguration
+{
+    public string Authority { get; set; } = string.Empty;
+    public string ClientId { get; set; } = string.Empty;
+    public string Audience { get; set; } = string.Empty;
+    public string? ValidIssuer { get; set; }
+    public bool ValidateIssuer { get; set; } = true;
+    public bool ValidateAudience { get; set; } = true;
+    public bool ValidateLifetime { get; set; } = true;
+    public bool ValidateIssuerSigningKey { get; set; } = true;
+}

FictionArchive.Service.Shared/SchemaExportDetector.cs

@@ -0,0 +1,22 @@
+namespace FictionArchive.Service.Shared;
+
+/// <summary>
+/// Detects if the application is running in schema export mode (for HotChocolate CLI commands).
+/// In this mode, infrastructure like RabbitMQ and databases should not be initialized.
+/// </summary>
+public static class SchemaExportDetector
+{
+    /// <summary>
+    /// Checks if the current run is a schema export command.
+    /// </summary>
+    /// <param name="args">Command line arguments passed to Main()</param>
+    /// <returns>True if running schema export, false otherwise</returns>
+    public static bool IsSchemaExportMode(string[] args)
+    {
+        // HotChocolate CLI pattern: "schema export" after "--" delimiter
+        // Handles: dotnet run -- schema export --output schema.graphql
+        var normalizedArgs = args.SkipWhile(a => a == "--").ToArray();
+        return normalizedArgs.Length > 0 &&
+               normalizedArgs[0].Equals("schema", StringComparison.OrdinalIgnoreCase);
+    }
+}

FictionArchive.Service.TranslationService/GraphQL/Mutation.cs

@@ -5,11 +5,13 @@ using FictionArchive.Service.TranslationService.Models.Enums;
 using FictionArchive.Service.TranslationService.Services;
 using FictionArchive.Service.TranslationService.Services.Database;
 using FictionArchive.Service.TranslationService.Services.TranslationEngines;
+using HotChocolate.Authorization;
 
 namespace FictionArchive.Service.TranslationService.GraphQL;
 
 public class Mutation
 {
+    [Authorize]
     public async Task<TranslationResult> TranslateText(string text, Language from, Language to, string translationEngineKey, TranslationEngineService translationEngineService)
     {
         var result = await translationEngineService.Translate(from, to, text, translationEngineKey);

FictionArchive.Service.TranslationService/GraphQL/Query.cs

@@ -2,12 +2,14 @@ using FictionArchive.Service.TranslationService.Models;
 using FictionArchive.Service.TranslationService.Models.Database;
 using FictionArchive.Service.TranslationService.Services.Database;
 using FictionArchive.Service.TranslationService.Services.TranslationEngines;
+using HotChocolate.Authorization;
 using Microsoft.EntityFrameworkCore;
 
 namespace FictionArchive.Service.TranslationService.GraphQL;
 
 public class Query
 {
+    [Authorize]
     [UseFiltering]
     [UseSorting]
     public IEnumerable<TranslationEngineDescriptor> GetTranslationEngines(IEnumerable<ITranslationEngine> engines)
@@ -15,6 +17,7 @@ public class Query
         return engines.Select(engine => engine.Descriptor);
     }
 
+    [Authorize]
     [UsePaging]
     [UseProjection]
     [UseFiltering]

FictionArchive.Service.TranslationService/Program.cs

@@ -1,5 +1,6 @@
 using DeepL;
 using FictionArchive.Common.Extensions;
+using FictionArchive.Service.Shared;
 using FictionArchive.Service.Shared.Extensions;
 using FictionArchive.Service.Shared.Services.EventBus.Implementations;
 using FictionArchive.Service.Shared.Services.GraphQL;
@@ -18,6 +19,8 @@ public class Program
 {
     public static void Main(string[] args)
     {
+        var isSchemaExport = SchemaExportDetector.IsSchemaExportMode(args);
+
         var builder = WebApplication.CreateBuilder(args);
         builder.AddLocalAppsettings();
 
@@ -25,24 +28,30 @@ public class Program
         
         #region Event Bus
 
-        builder.Services.AddRabbitMQ(opt =>
+        if (!isSchemaExport)
         {
-            builder.Configuration.GetSection("RabbitMQ").Bind(opt);
-        })
-        .Subscribe<TranslationRequestCreatedEvent, TranslationRequestCreatedEventHandler>();
+            builder.Services.AddRabbitMQ(opt =>
+            {
+                builder.Configuration.GetSection("RabbitMQ").Bind(opt);
+            })
+            .Subscribe<TranslationRequestCreatedEvent, TranslationRequestCreatedEventHandler>();
+        }
 
         #endregion
         
         
         #region Database
         
-        builder.Services.RegisterDbContext<TranslationServiceDbContext>(builder.Configuration.GetConnectionString("DefaultConnection"));
+        builder.Services.RegisterDbContext<TranslationServiceDbContext>(
+            builder.Configuration.GetConnectionString("DefaultConnection"),
+            skipInfrastructure: isSchemaExport);
         
         #endregion
         
         #region GraphQL
         
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         
         #endregion
         
@@ -58,11 +67,16 @@ public class Program
 
         #endregion
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         var app = builder.Build();
         
-        // Update database
-        using (var scope = app.Services.CreateScope())
+        // Update database (skip in schema export mode)
+        if (!isSchemaExport)
         {
+            using var scope = app.Services.CreateScope();
             var dbContext = scope.ServiceProvider.GetRequiredService<TranslationServiceDbContext>();
             dbContext.UpdateDatabase();
         }
@@ -71,6 +85,9 @@ public class Program
 
         app.MapHealthChecks("/healthz");
 
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
 
         app.RunWithGraphQLCommands(args);

FictionArchive.Service.TranslationService/appsettings.json

@@ -15,5 +15,15 @@
     "ConnectionString": "amqp://localhost",
     "ClientIdentifier": "TranslationService"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

FictionArchive.Service.UserService/GraphQL/Mutation.cs

@@ -1,10 +1,13 @@
+using FictionArchive.Service.Shared.Constants;
 using FictionArchive.Service.UserService.Models.Database;
 using FictionArchive.Service.UserService.Services;
+using HotChocolate.Authorization;
 
 namespace FictionArchive.Service.UserService.GraphQL;
 
 public class Mutation
 {
+    [Authorize(Roles = [AuthorizationConstants.Roles.Admin])]
     public async Task<User> RegisterUser(string username, string email, string oAuthProviderId,
         string? inviterOAuthProviderId, UserManagementService userManagementService)
     {

FictionArchive.Service.UserService/GraphQL/Query.cs

@@ -1,10 +1,12 @@
 using FictionArchive.Service.UserService.Models.Database;
 using FictionArchive.Service.UserService.Services;
+using HotChocolate.Authorization;
 
 namespace FictionArchive.Service.UserService.GraphQL;
 
 public class Query
 {
+    [Authorize]
     public async Task<IQueryable<User>> GetUsers(UserManagementService userManagementService)
     {
         return userManagementService.GetUsers();

FictionArchive.Service.UserService/Program.cs

@@ -1,3 +1,5 @@
+using FictionArchive.Common.Extensions;
+using FictionArchive.Service.Shared;
 using FictionArchive.Service.Shared.Extensions;
 using FictionArchive.Service.Shared.Services.EventBus.Implementations;
 using FictionArchive.Service.UserService.GraphQL;
@@ -11,38 +13,55 @@ public class Program
 {
     public static void Main(string[] args)
     {
+        var isSchemaExport = SchemaExportDetector.IsSchemaExportMode(args);
+
         var builder = WebApplication.CreateBuilder(args);
+        builder.AddLocalAppsettings();
 
         #region Event Bus
 
-        builder.Services.AddRabbitMQ(opt =>
+        if (!isSchemaExport)
         {
-            builder.Configuration.GetSection("RabbitMQ").Bind(opt);
-        })
-        .Subscribe<AuthUserAddedEvent, AuthUserAddedEventHandler>();
+            builder.Services.AddRabbitMQ(opt =>
+            {
+                builder.Configuration.GetSection("RabbitMQ").Bind(opt);
+            })
+            .Subscribe<AuthUserAddedEvent, AuthUserAddedEventHandler>();
+        }
 
         #endregion
         
         #region GraphQL
         
-        builder.Services.AddDefaultGraphQl<Query, Mutation>();
+        builder.Services.AddDefaultGraphQl<Query, Mutation>()
+            .AddAuthorization();
         
         #endregion
         
-        builder.Services.RegisterDbContext<UserServiceDbContext>(builder.Configuration.GetConnectionString("DefaultConnection"));
+        builder.Services.RegisterDbContext<UserServiceDbContext>(
+            builder.Configuration.GetConnectionString("DefaultConnection"),
+            skipInfrastructure: isSchemaExport);
         builder.Services.AddTransient<UserManagementService>();
 
         builder.Services.AddHealthChecks();
 
+        // Authentication & Authorization
+        builder.Services.AddOidcAuthentication(builder.Configuration);
+        builder.Services.AddFictionArchiveAuthorization();
+
         var app = builder.Build();
         
-        // Update database
-        using (var scope = app.Services.CreateScope())
+        // Update database (skip in schema export mode)
+        if (!isSchemaExport)
         {
+            using var scope = app.Services.CreateScope();
             var dbContext = scope.ServiceProvider.GetRequiredService<UserServiceDbContext>();
             dbContext.UpdateDatabase();
         }
         
+        app.UseAuthentication();
+        app.UseAuthorization();
+
         app.MapGraphQL();
 
         app.MapHealthChecks("/healthz");

FictionArchive.Service.UserService/appsettings.json

@@ -12,5 +12,15 @@
     "ConnectionString": "amqp://localhost",
     "ClientIdentifier": "UserService"
   },
-  "AllowedHosts": "*"
+  "AllowedHosts": "*",
+  "OIDC": {
+    "Authority": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ClientId": "fictionarchive-api",
+    "Audience": "fictionarchive-api",
+    "ValidIssuer": "https://auth.orfl.xyz/application/o/fiction-archive/",
+    "ValidateIssuer": true,
+    "ValidateAudience": true,
+    "ValidateLifetime": true,
+    "ValidateIssuerSigningKey": true
+  }
 }

docker-compose.yml

@@ -34,15 +34,18 @@ services:
   # Backend Services
   # ===========================================
   novel-service:
-    build:
-      context: .
-      dockerfile: FictionArchive.Service.NovelService/Dockerfile
+    image: git.orfl.xyz/conco/fictionarchive-novel-service:latest
     environment:
       ConnectionStrings__DefaultConnection: Host=postgres;Database=FictionArchive_NovelService;Username=${POSTGRES_USER:-postgres};Password=${POSTGRES_PASSWORD:-postgres}
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
       Novelpia__Username: ${NOVELPIA_USERNAME}
       Novelpia__Password: ${NOVELPIA_PASSWORD}
       NovelUpdateService__PendingImageUrl: https://files.fictionarchive.orfl.xyz/api/pendingupload.png
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     depends_on:
       postgres:
         condition: service_healthy
@@ -51,13 +54,16 @@ services:
     restart: unless-stopped
 
   translation-service:
-    build:
-      context: .
-      dockerfile: FictionArchive.Service.TranslationService/Dockerfile
+    image: git.orfl.xyz/conco/fictionarchive-translation-service:latest
     environment:
       ConnectionStrings__DefaultConnection: Host=postgres;Database=FictionArchive_TranslationService;Username=${POSTGRES_USER:-postgres};Password=${POSTGRES_PASSWORD:-postgres}
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
       DeepL__ApiKey: ${DEEPL_API_KEY}
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     depends_on:
       postgres:
         condition: service_healthy
@@ -66,12 +72,15 @@ services:
     restart: unless-stopped
 
   scheduler-service:
-    build:
-      context: .
-      dockerfile: FictionArchive.Service.SchedulerService/Dockerfile
+    image: git.orfl.xyz/conco/fictionarchive-scheduler-service:latest
     environment:
       ConnectionStrings__DefaultConnection: Host=postgres;Database=FictionArchive_SchedulerService;Username=${POSTGRES_USER:-postgres};Password=${POSTGRES_PASSWORD:-postgres}
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     depends_on:
       postgres:
         condition: service_healthy
@@ -80,12 +89,15 @@ services:
     restart: unless-stopped
 
   user-service:
-    build:
-      context: .
-      dockerfile: FictionArchive.Service.UserService/Dockerfile
+    image: git.orfl.xyz/conco/fictionarchive-user-service:latest
     environment:
       ConnectionStrings__DefaultConnection: Host=postgres;Database=FictionArchive_UserService;Username=${POSTGRES_USER:-postgres};Password=${POSTGRES_PASSWORD:-postgres}
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     depends_on:
       postgres:
         condition: service_healthy
@@ -94,20 +106,21 @@ services:
     restart: unless-stopped
 
   authentication-service:
-    build:
-      context: .
-      dockerfile: FictionArchive.Service.AuthenticationService/Dockerfile
+    image: git.orfl.xyz/conco/fictionarchive-authentication-service:latest
     environment:
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     depends_on:
       rabbitmq:
         condition: service_healthy
     restart: unless-stopped
 
   file-service:
-    build:
-      context: .
-      dockerfile: FictionArchive.Service.FileService/Dockerfile
+    image: git.orfl.xyz/conco/fictionarchive-file-service:latest
     environment:
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
       S3__Endpoint: ${S3_ENDPOINT:-https://s3.orfl.xyz}
@@ -115,6 +128,14 @@ services:
       S3__AccessKey: ${S3_ACCESS_KEY}
       S3__SecretKey: ${S3_SECRET_KEY}
       Proxy__BaseUrl: https://files.orfl.xyz/api
+      OIDC__Authority: https://auth.orfl.xyz/application/o/fictionarchive/
+      OIDC__ClientId: fictionarchive-files
+      OIDC__Audience: fictionarchive-api
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.file-service.rule=Host(`files.orfl.xyz`)"
@@ -130,11 +151,17 @@ services:
   # API Gateway
   # ===========================================
   api-gateway:
-    build:
-      context: .
-      dockerfile: FictionArchive.API/Dockerfile
+    image: git.orfl.xyz/conco/fictionarchive-api:latest
     environment:
       ConnectionStrings__RabbitMQ: amqp://${RABBITMQ_USER:-guest}:${RABBITMQ_PASSWORD:-guest}@rabbitmq
+      OIDC__Authority: https://auth.orfl.xyz/application/o/fictionarchive/
+      OIDC__ClientId: fictionarchive-api
+      OIDC__Audience: fictionarchive-api
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.api-gateway.rule=Host(`api.fictionarchive.orfl.xyz`)"
@@ -154,15 +181,12 @@ services:
   # Frontend
   # ===========================================
   frontend:
-    build:
-      context: ./fictionarchive-web
-      dockerfile: Dockerfile
-      args:
-        VITE_GRAPHQL_URI: https://api.fictionarchive.orfl.xyz/graphql/
-        VITE_OIDC_AUTHORITY: ${OIDC_AUTHORITY:-https://auth.orfl.xyz/application/o/fiction-archive/}
-        VITE_OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
-        VITE_OIDC_REDIRECT_URI: https://fictionarchive.orfl.xyz/
-        VITE_OIDC_POST_LOGOUT_REDIRECT_URI: https://fictionarchive.orfl.xyz/
+    image: git.orfl.xyz/conco/fictionarchive-frontend:latest
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.frontend.rule=Host(`fictionarchive.orfl.xyz`)"

fictionarchive-web/.dockerignore

@@ -0,0 +1,40 @@
+# Dependencies
+node_modules
+
+# Build output
+dist
+
+# Environment files
+.env
+.env.local
+.env.*.local
+
+# IDE and editor
+.vscode
+.idea
+*.swp
+*.swo
+
+# Git
+.git
+.gitignore
+
+# Logs
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Test coverage
+coverage
+
+# Docker
+Dockerfile
+.dockerignore
+docker-compose*
+
+# Documentation
+README.md
+*.md
+
+# TypeScript build info
+*.tsbuildinfo

fictionarchive-web/src/auth/AuthContext.tsx

@@ -2,6 +2,29 @@ import { createContext, useCallback, useContext, useEffect, useMemo, useRef, use
 import type { User } from 'oidc-client-ts'
 import { isOidcConfigured, userManager } from './oidcClient'
 
+// Cookie management helper functions
+function setCookieFromUser(user: User) {
+  if (!user?.access_token) return
+  
+  const isProduction = window.location.hostname !== 'localhost'
+  const domain = isProduction ? '.orfl.xyz' : undefined
+  const secure = isProduction
+  const sameSite = isProduction ? 'None' : 'Lax'
+  
+  // Set cookie with JWT token from user
+  const cookieValue = `fa_session=${user.access_token}; path=/; ${secure ? 'secure; ' : ''}samesite=${sameSite}${domain ? `; domain=${domain}` : ''}`
+  document.cookie = cookieValue
+}
+
+function clearFaSessionCookie() {
+  const isProduction = window.location.hostname !== 'localhost'
+  const domain = isProduction ? '.orfl.xyz' : undefined
+  
+  // Clear cookie by setting expiration date in the past
+  const cookieValue = `fa_session=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT${domain ? `; domain=${domain}` : ''}`
+  document.cookie = cookieValue
+}
+
 type AuthContextValue = {
   user: User | null
   isLoading: boolean
@@ -26,7 +49,12 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     userManager
       .getUser()
       .then((loadedUser) => {
-        if (!cancelled) setUser(loadedUser ?? null)
+        if (!cancelled) {
+          setUser(loadedUser ?? null)
+          if (loadedUser) {
+            setCookieFromUser(loadedUser)
+          }
+        }
       })
       .finally(() => {
         if (!cancelled) setIsLoading(false)
@@ -41,8 +69,14 @@ export function AuthProvider({ children }: { children: ReactNode }) {
     const manager = userManager
     if (!manager) return
 
-    const handleLoaded = (nextUser: User) => setUser(nextUser)
-    const handleUnloaded = () => setUser(null)
+    const handleLoaded = (nextUser: User) => {
+      setUser(nextUser)
+      setCookieFromUser(nextUser)
+    }
+    const handleUnloaded = () => {
+      setUser(null)
+      clearFaSessionCookie()
+    }
 
     manager.events.addUserLoaded(handleLoaded)
     manager.events.addUserUnloaded(handleUnloaded)
@@ -72,6 +106,9 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       .signinRedirectCallback()
       .then((nextUser) => {
         setUser(nextUser ?? null)
+        if (nextUser) {
+          setCookieFromUser(nextUser)
+        }
       })
       .catch((error) => {
         console.error('Failed to complete sign-in redirect', error)
@@ -103,6 +140,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
       console.error('Failed to sign out via redirect, clearing local session instead.', error)
       await manager.removeUser()
       setUser(null)
+      clearFaSessionCookie()
     }
   }, [])