From a260260aa0540248eb02813844ca03764fd879fb Mon Sep 17 00:00:00 2001 From: John Dalmolin <82729254+john-dalmolin@users.noreply.github.com> Date: Wed, 11 Mar 2026 16:29:17 -0300 Subject: [PATCH] docs: add portfolio proof snapshot --- README.md | 7 ++++- docs/assets/auth-api-proof-overview.svg | 37 +++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 docs/assets/auth-api-proof-overview.svg diff --git a/README.md b/README.md index 4a8a1a5..a7965e5 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Auth API ![CI](https://github.com/gabedalmolin/auth-api-node/actions/workflows/ci.yml/badge.svg) -[![Release](https://img.shields.io/github/v/release/gabedalmolin/auth-api-node?display_name=tag)](https://github.com/gabedalmolin/auth-api-node/releases/tag/v1.0.0) +[![Release](https://img.shields.io/github/v/release/gabedalmolin/auth-api-node?display_name=tag)](https://github.com/gabedalmolin/auth-api-node/releases/latest) Production-grade authentication API built with **Express 5**, **TypeScript**, **Prisma/PostgreSQL**, and **Redis**. @@ -9,6 +9,10 @@ This project models what a **production-grade core auth service** looks like whe It is intentionally focused on **authentication depth**, not identity-platform breadth. The goal is to show how a serious backend service should be designed when correctness, observability, and maintainability matter more than feature count. +## Proof snapshot + +![Auth API delivery proof overview](./docs/assets/auth-api-proof-overview.svg) + ## Why this project matters Many portfolio auth APIs stop at registration, login, and a basic JWT flow. This one goes further by modelling the production concerns that usually decide whether an auth service is trustworthy in practice: 
@@ -38,6 +42,7 @@ Many portfolio auth APIs stop at registration, login, and a basic JWT flow. This ## Operational proof +- Proof snapshot: [`docs/assets/auth-api-proof-overview.svg`](./docs/assets/auth-api-proof-overview.svg) - Architecture decisions: [`docs/adr/`](./docs/adr) - Threat model: [`docs/threat-model.md`](./docs/threat-model.md) - Benchmark report: [`docs/benchmarks/auth-benchmark.md`](./docs/benchmarks/auth-benchmark.md) diff --git a/docs/assets/auth-api-proof-overview.svg b/docs/assets/auth-api-proof-overview.svg new file mode 100644 index 0000000..f38ed65 --- /dev/null +++ b/docs/assets/auth-api-proof-overview.svg @@ -0,0 +1,37 @@ + + Auth API delivery proof overview + Overview card summarising session security, operational telemetry, benchmark baseline, and CI discipline for the Auth API project. + + + + + + Auth API Delivery Proof + Production-grade authentication depth with replay resistance, operational telemetry, and measurable validation. + + + Session Security + Session-backed auth lifecycle + Refresh-token rotation with replay detection + Server-side session revocation and compromise handling + + + Operational Telemetry + Prometheus-compatible `/metrics` endpoint + Grafana dashboard and local observability stack + Health, readiness, replay, and rate-limit counters + + + Benchmark Baseline + 25.01 req/s + Aggregate throughput across auth lifecycle scenarios + p95 684.36ms p99 900.44ms + 100 percent check pass rate with replay rejection under load + + + Delivery Discipline + Contract-driven API docs and typed environment validation + Quality, integration, CodeQL, and dependency-review checks + Architecture decision records and repository threat model + Versioned proof assets: benchmark summary, observability guide, dashboard JSON, ADRs +
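Review bot: in the first README hunk, the new `## Proof snapshot` section drops the SVG between the project summary and "Why this project matters" with no sentence saying what the card is or where its figures come from, so a reader has no way to tell whether the throughput and latency numbers baked into the image still match `docs/benchmarks/auth-benchmark.md` (the report the README already links under "Operational proof"). Suggest one line under the heading, e.g. `Rendered summary of the benchmark baseline and delivery checks; figures are taken from docs/benchmarks/auth-benchmark.md.` The badge change in the same hunk is fine: the shields image already displays the latest tag, so linking to `/releases/latest` instead of the pinned `v1.0.0` tag keeps the link and the label in sync.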
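Review bot: in the second README hunk, the snapshot is inserted as the first entry of "Operational proof", ahead of the ADRs, threat model and benchmark report, but it is a rendered summary of those documents rather than a source of evidence in its own right. Suggest listing it last, after the benchmark report, with a short qualifier so it is not read as a separate artefact: `- Proof snapshot (rendered summary of the items above): [...]`.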
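Review bot: in the new SVG, the line `Prometheus-compatible \`/metrics\` endpoint` keeps Markdown backticks inside an SVG text node, and SVG does not interpret Markdown, so the rendered card will show the literal backtick characters; either drop them or wrap the path in a `tspan` with a monospace `font-family`. Two smaller points in the same file: the `desc` says the card summarises "CI discipline" while the panel it describes is titled "Delivery Discipline", and the benchmark panel states `25.01 req/s`, `p95 684.36ms p99 900.44ms` and a `100 percent check pass rate` with no load profile, duration, run date or commit, so the "Versioned proof assets" claim on the last line is not backed by any version marker on the asset itself. A one-line footer naming the benchmark run (date or commit) would make the figures checkable against the report.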