Todo API

A production-ready Todo API with:

• GET /health endpoint returning { "status": "healthy" }
• GET / endpoint returning { "message": "todo-api" }
• MongoDB-backed Todo CRUD endpoints:
  • POST /todos
  • GET /todos
  • GET /todos/:id
  • PUT /todos/:id
  • DELETE /todos/:id
• Unit tests with coverage gate (>= 90%)
• Docker multi-stage build
• Docker Compose for app + MongoDB + test execution in containers
• Helm chart for Kubernetes deployment

GitHub Copilot customizations in this repo

This repository is now set up with multiple GitHub Copilot customization features:

• Repository-wide instructions: .github/copilot-instructions.md
• Path-specific Node.js instructions: .github/instructions/nodejs.instructions.md
• Agent instructions: AGENTS.md
• Project skill: .github/skills/deployment-readiness/SKILL.md
• Project skill: .github/skills/security-hardening/SKILL.md
• Project skill: .github/skills/docker-optimization/SKILL.md
• Project skill: .github/skills/ci-failure-triage/SKILL.md
• Project skill: .github/skills/unit-test-generator/SKILL.md
• Project skill: .github/skills/code-reviewer/SKILL.md
• Project skill: .github/skills/refactor-safe/SKILL.md

CI/CD pipeline

An Azure Pipelines config is included at azure-pipelines.yml.

It implements this end-to-end flow:

• developer pushes app changes to todo-api
• validation stage runs tests + coverage and SAST/security checks (npm audit, Trivy)
• build stage creates Docker image and OCI-ready Helm chart package and publishes pipeline artifacts
• environment stages (DevPublish, PrdPublish) run image analysis then push image + Helm chart to respective ACRs
• developer updates flux-cd manifests with released image/chart tags
• Flux on AKS pulls Helm chart from ACR and deploys app image to target clusters

Validation checks:

• dependency install with npm ci
• unit tests and coverage report generation
• SAST and security checks via npm audit and trivy fs
• Docker Compose and Helm render validation

Release outputs:

• Docker image artifact (todo-api:<BuildId>)
• Helm chart package artifact (todo-api-<chartVersion>.tgz)
• Build metadata artifact used by publish stages

Deployment validation artifacts are written to output/deployment-readiness/ inside the workspace.

Agent skill details

The deployment-readiness skill focuses on release-safe deployment updates:

• update Helm values/templates for app changes
• validate probes/ports/env/resource defaults
• check chart render/lint workflows for production readiness
• include release-readiness gates (upgrade path, rollback approach, post-deploy checks)
• classify change impact vs previous release and apply semantic version bumps:
  • breaking change -> major
  • non-breaking feature change -> minor
  • fix-only change -> patch
  • keep versions aligned in package.json and helm/todo-api/Chart.yaml

The security-hardening skill focuses on dependency/runtime/container/deployment security guardrails.

The docker-optimization skill focuses on fast, reproducible, and secure Docker/Compose workflows.

The ci-failure-triage skill focuses on diagnosing and fixing failures in the Azure pipeline steps for this repository.

The unit-test-generator skill focuses on creating comprehensive unit tests:

• generate tests for new or changed code across all layers (routes, services, repositories)
• apply repo-specific mocking strategies (mock service for app tests, mock repository for service tests, mock collection for repository tests)
• enforce AAA (Arrange-Act-Assert) structure and descriptive test names
• cover success, failure, validation, edge-case, and regression scenarios
• maintain >= 90% global coverage across statements, branches, functions, and lines

The code-reviewer skill performs systematic code review:

• verify correctness, input validation, and error handling
• enforce layered architecture boundaries (routes → services → repositories)
• check coding standards, naming, and security practices
• confirm API contract stability and test coverage for changed code
• classify findings by severity (critical, major, minor, suggestion)

The refactor-safe skill guides safe code restructuring:

• preserve external behavior and API contracts during structural changes
• enforce incremental changes with test verification after each step
• maintain dependency injection patterns and layer boundaries
• prevent coverage decreases and mixed refactor + feature changes

Each skill includes an inlined completion checklist — no separate reference files needed.

Additional Copilot features you can add next

• Prompt files in .github/prompts/*.prompt.md for repeatable tasks (for example: endpoint scaffolding, test generation, release checklist).
• MCP server configuration in repository settings to let Copilot coding agent use approved external tools.
• Additional focused skills under .github/skills/ for domains such as observability/runbook automation.

Prerequisites

• Node.js 22+
• Docker + Docker Compose plugin
• Helm 3+

Run locally

npm install
npm start

API runs on http://localhost:3000.

MongoDB is expected at mongodb://localhost:27017 by default.

Run tests locally

npm test

Run with Docker

Build and run API:

docker compose up --build api

Run unit tests in container:

docker compose --profile test up --build --abort-on-container-exit unit-tests

Helm deployment

Install chart:

helm upgrade --install todo-api ./helm/todo-api \
  --namespace todo-api --create-namespace

Override image repository/tag as needed:

helm upgrade --install todo-api ./helm/todo-api \
  --set image.repository=<your-registry>/todo-api \
  --set image.tag=<your-tag>