Add API layer with deployment infrastructure and CI/CD (#12)

API:
- Projects + workspaces CRUD with dual DB support (SQLite + DynamoDB)
- Cognito JWT auth with dev bypass (gated behind debug mode)
- Repository pattern with Protocol-based interfaces
- Security hardened: input validation, pagination, error handling
- 94 tests passing, Pyright strict, Ruff clean

Deployment:
- Lambda container image (Python 3.14) with Mangum adapter
- API Gateway HTTP API v2 with custom domain ({ws}-api.openfactcheck.com)
- DynamoDB single-table design matching frontend key scheme
- ECR in separate repositories/ deployment (no chicken-and-egg)
- Build tooling with hash-based skip logic (task build:lambda)
- LIVE alias pattern for safe Lambda deployments

CI/CD:
- Integration: push to main → deploy infra + build + push + update Lambda
- Production: version tag → publish to PyPI + deploy

Author: hasaniqbal777

.env.example

@@ -0,0 +1,25 @@
+# OpenFactCheck API Configuration
+# Copy to .env and update values as needed.
+
+# Server
+OPENFACTCHECK_HOST=0.0.0.0
+OPENFACTCHECK_PORT=8000
+OPENFACTCHECK_DEBUG=true
+
+# CORS
+OPENFACTCHECK_CORS_ORIGINS=["http://localhost:3001"]
+
+# Auth (auth_bypass only works when debug=true — both must be set for local dev)
+OPENFACTCHECK_AUTH_BYPASS=true
+OPENFACTCHECK_COGNITO_REGION=us-east-1
+OPENFACTCHECK_COGNITO_USER_POOL_ID=
+OPENFACTCHECK_COGNITO_CLIENT_ID=
+
+# Database
+OPENFACTCHECK_DATABASE_BACKEND=sqlite
+OPENFACTCHECK_SQLITE_PATH=~/.openfactcheck/data.db
+OPENFACTCHECK_DYNAMODB_TABLE_NAME=openfactcheck
+OPENFACTCHECK_DYNAMODB_REGION=us-east-1
+
+# Execution
+OPENFACTCHECK_MAX_EXECUTION_TIMEOUT=600

.github/workflows/ci-integration.yml

@@ -67,5 +67,10 @@ jobs:
           aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile hasaniqbal-dev
           aws configure set region us-east-1 --profile hasaniqbal-dev
 
-      - name: Deploy to integration
-        run: task deploy TARGET=integration AUTO_APPROVE=true
+      - name: Deploy infrastructure
+        run: |
+          task deploy TARGET=integration DEP=repositories AUTO_APPROVE=true
+          task deploy TARGET=integration AUTO_APPROVE=true
+
+      - name: Build and deploy API
+        run: task deploy:api TARGET=integration

.github/workflows/ci-production.yml

@@ -103,5 +103,10 @@ jobs:
           aws configure set aws_session_token "$AWS_SESSION_TOKEN" --profile hasaniqbal-dev
           aws configure set region us-east-1 --profile hasaniqbal-dev
 
-      - name: Deploy to production
-        run: task deploy TARGET=production AUTO_APPROVE=true
+      - name: Deploy infrastructure
+        run: |
+          task deploy TARGET=production DEP=repositories AUTO_APPROVE=true
+          task deploy TARGET=production AUTO_APPROVE=true
+
+      - name: Build and deploy API
+        run: task deploy:api TARGET=production

.gitignore

@@ -70,4 +70,9 @@ accounts/
 environments/
 
 # Temp files
-tmp
+tmp
+
+# Build artifacts
+deployments/containers/*/build/
+deployments/containers/*/.hash
+deployments/base/ignore.*.auto.tfvars

deployments/base/aws_apigateway.tf

@@ -0,0 +1,113 @@
+# ##############################################################################
+# API Gateway HTTP API (v2)
+# ##############################################################################
+
+resource "aws_apigatewayv2_api" "openfactcheck" {
+  name          = "openfactcheck-api-${terraform.workspace}-${var.aws_region}"
+  description   = "OpenFactCheck API Gateway for ${terraform.workspace}-${var.aws_region}"
+  protocol_type = "HTTP"
+
+  disable_execute_api_endpoint = true
+
+  cors_configuration {
+    allow_origins     = var.cors_origins
+    allow_methods     = ["GET", "POST", "PATCH", "PUT", "DELETE", "OPTIONS"]
+    allow_headers     = ["Authorization", "Content-Type", "X-Request-ID"]
+    allow_credentials = true
+    max_age           = 3600
+  }
+
+  tags = {
+    Name = "OpenFactCheck - API Gateway - ${terraform.workspace} - ${var.aws_region}"
+  }
+}
+
+# ##############################################################################
+# Integration — Lambda proxy via LIVE alias
+# ##############################################################################
+
+resource "aws_apigatewayv2_integration" "lambda" {
+  api_id                 = aws_apigatewayv2_api.openfactcheck.id
+  description            = "OpenFactCheck API Lambda for ${terraform.workspace}-${var.aws_region}"
+  integration_type       = "AWS_PROXY"
+  connection_type        = "INTERNET"
+  integration_method     = "POST"
+  integration_uri        = aws_lambda_alias.api_live.invoke_arn
+  payload_format_version = "2.0"
+}
+
+# ##############################################################################
+# Routes
+# ##############################################################################
+
+resource "aws_apigatewayv2_route" "default" {
+  api_id    = aws_apigatewayv2_api.openfactcheck.id
+  route_key = "$default"
+  target    = "integrations/${aws_apigatewayv2_integration.lambda.id}"
+}
+
+resource "aws_apigatewayv2_route" "options" {
+  api_id             = aws_apigatewayv2_api.openfactcheck.id
+  route_key          = "OPTIONS /{proxy+}"
+  target             = "integrations/${aws_apigatewayv2_integration.lambda.id}"
+  authorization_type = "NONE"
+}
+
+
+# ##############################################################################
+# Stage — auto-deploy with access logging
+# ##############################################################################
+
+resource "aws_apigatewayv2_stage" "default" {
+  api_id      = aws_apigatewayv2_api.openfactcheck.id
+  name        = "$default"
+  auto_deploy = true
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api.arn
+    format          = <<JSON
+  { "requestTime": "$context.requestTime", "requestId": "$context.requestId", "httpMethod": "$context.httpMethod", "path": "$context.path", "routeKey": "$context.routeKey", "status": $context.status, "responseLatency": $context.responseLatency, "integrationRequestId": "$context.integration.requestId", "functionResponseStatus": "$context.integration.status", "integrationLatency": "$context.integration.latency", "integrationServiceStatus": "$context.integration.integrationStatus", "ip": "$context.identity.sourceIp", "userAgent": "$context.identity.userAgent", "error": { "message": "$context.error.message", "responseType": "$context.error.responseType" } }
+  JSON
+  }
+
+  tags = {
+    Name = "OpenFactCheck - API Gateway Stage - ${terraform.workspace} - ${var.aws_region}"
+  }
+}
+
+# ##############################################################################
+# Custom Domain
+# ##############################################################################
+
+resource "aws_apigatewayv2_domain_name" "api" {
+  domain_name = local.api_domain
+
+  domain_name_configuration {
+    certificate_arn = local.certificate_arn
+    endpoint_type   = "REGIONAL"
+    security_policy = "TLS_1_2"
+  }
+
+  tags = {
+    Name = "OpenFactCheck - API Domain - ${terraform.workspace} - ${var.aws_region}"
+  }
+}
+
+resource "aws_apigatewayv2_api_mapping" "api" {
+  api_id      = aws_apigatewayv2_api.openfactcheck.id
+  domain_name = aws_apigatewayv2_domain_name.api.id
+  stage       = aws_apigatewayv2_stage.default.id
+}
+
+# ##############################################################################
+# API Gateway Logs
+# ##############################################################################
+
+resource "aws_cloudwatch_log_group" "api" {
+  name              = "/openfactcheck-${terraform.workspace}-${var.aws_region}/api/"
+  retention_in_days = 30
+
+  tags = {
+    Name = "OpenFactCheck - CloudWatch - API - ${terraform.workspace} - ${var.aws_region}"
+  }
+}

deployments/base/aws_dynamodb.tf

@@ -0,0 +1,31 @@
+# ##############################################################################
+# DynamoDB Table — Single-table design
+# ##############################################################################
+
+resource "aws_dynamodb_table" "openfactcheck" {
+  name         = "openfactcheck-db-${terraform.workspace}-${var.aws_region}"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "PK"
+
+  global_secondary_index {
+    name            = "gs1"
+    hash_key        = "GS1PK"
+    projection_type = "ALL"
+  }
+
+  attribute {
+    name = "PK"
+    type = "S"
+  }
+
+  attribute {
+    name = "GS1PK"
+    type = "S"
+  }
+
+  deletion_protection_enabled = terraform.workspace == "production" ? true : false
+
+  tags = {
+    Name = "OpenFactCheck - DynamoDB - ${terraform.workspace} - ${var.aws_region}"
+  }
+}

deployments/base/aws_iam_lambda.tf

@@ -0,0 +1,77 @@
+# ##############################################################################
+# IAM Role — Lambda Execution
+# ##############################################################################
+
+resource "aws_iam_role" "lambda_api" {
+  name = "openfactcheck-lambda-api-${terraform.workspace}-${var.aws_region}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+
+  tags = {
+    Name = "OpenFactCheck - Lambda API Role - ${terraform.workspace}"
+  }
+}
+
+# ##############################################################################
+# CloudWatch Logs
+# ##############################################################################
+
+resource "aws_iam_role_policy" "lambda_api_logs" {
+  name = "cloudwatch-logs"
+  role = aws_iam_role.lambda_api.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "arn:aws:logs:${var.aws_region}:${var.aws_account}:*"
+      }
+    ]
+  })
+}
+
+# ##############################################################################
+# DynamoDB Access
+# ##############################################################################
+
+resource "aws_iam_role_policy" "lambda_api_dynamodb" {
+  name = "dynamodb-access"
+  role = aws_iam_role.lambda_api.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "dynamodb:GetItem",
+          "dynamodb:PutItem",
+          "dynamodb:UpdateItem",
+          "dynamodb:DeleteItem",
+          "dynamodb:Query"
+        ]
+        Resource = [
+          aws_dynamodb_table.openfactcheck.arn,
+          "${aws_dynamodb_table.openfactcheck.arn}/index/*"
+        ]
+      }
+    ]
+  })
+}

deployments/base/aws_lambda.tf

@@ -0,0 +1,75 @@
+# ##############################################################################
+# ECR Data Source — repository lives in deployments/repositories
+# ##############################################################################
+
+data "aws_ecr_repository" "api" {
+  name = "openfactcheck-api-${terraform.workspace}"
+}
+
+# ##############################################################################
+# Lambda Function — API
+# ##############################################################################
+
+resource "aws_lambda_function" "api" {
+  function_name = "openfactcheck-api-${terraform.workspace}-${var.aws_region}"
+  description   = var.build_version
+  role          = aws_iam_role.lambda_api.arn
+  package_type  = "Image"
+  image_uri     = "${data.aws_ecr_repository.api.repository_url}:latest"
+  publish       = true
+  timeout       = 30
+  memory_size   = 256
+
+  environment {
+    variables = {
+      OPENFACTCHECK_DATABASE_BACKEND     = "dynamodb"
+      OPENFACTCHECK_DYNAMODB_TABLE_NAME  = aws_dynamodb_table.openfactcheck.name
+      OPENFACTCHECK_DYNAMODB_REGION      = var.aws_region
+      OPENFACTCHECK_COGNITO_REGION       = var.aws_region
+      OPENFACTCHECK_COGNITO_USER_POOL_ID = aws_cognito_user_pool.openfactcheck.id
+      OPENFACTCHECK_COGNITO_CLIENT_ID    = aws_cognito_user_pool_client.openfactcheck_client.id
+      OPENFACTCHECK_CORS_ORIGINS         = jsonencode(var.cors_origins)
+      OPENFACTCHECK_DEBUG                = "false"
+      OPENFACTCHECK_AUTH_BYPASS          = "false"
+    }
+  }
+
+  tags = {
+    Name = "OpenFactCheck - Lambda API - ${terraform.workspace} - ${var.aws_region}"
+  }
+
+  lifecycle {
+    ignore_changes = [image_uri]
+  }
+}
+
+# ##############################################################################
+# Lambda Alias — LIVE
+# ##############################################################################
+
+resource "aws_lambda_alias" "api_live" {
+  name             = "LIVE"
+  description      = "OpenFactCheck API Current Release"
+  function_name    = aws_lambda_function.api.arn
+  function_version = aws_lambda_function.api.version
+}
+
+# ##############################################################################
+# Lambda Permissions — Allow API Gateway to invoke via LIVE alias
+# ##############################################################################
+
+resource "aws_lambda_permission" "api_gateway_default" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.openfactcheck.execution_arn}/*/$default"
+  qualifier     = "LIVE"
+}
+
+resource "aws_lambda_permission" "api_gateway_proxy" {
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.openfactcheck.execution_arn}/*/*/{proxy+}"
+  qualifier     = "LIVE"
+}

deployments/base/aws_route53.tf

@@ -0,0 +1,27 @@
+# ##############################################################################
+# Route 53 — DNS records for the API custom domain
+# ##############################################################################
+
+resource "aws_route53_record" "api" {
+  zone_id = local.route53_zone_id
+  name    = local.api_domain
+  type    = "A"
+
+  alias {
+    name                   = aws_apigatewayv2_domain_name.api.domain_name_configuration[0].target_domain_name
+    zone_id                = aws_apigatewayv2_domain_name.api.domain_name_configuration[0].hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+resource "aws_route53_record" "api_ipv6" {
+  zone_id = local.route53_zone_id
+  name    = local.api_domain
+  type    = "AAAA"
+
+  alias {
+    name                   = aws_apigatewayv2_domain_name.api.domain_name_configuration[0].target_domain_name
+    zone_id                = aws_apigatewayv2_domain_name.api.domain_name_configuration[0].hosted_zone_id
+    evaluate_target_health = false
+  }
+}