Document AWS build variant and bearer-token sources

- docs/deployment.md: new "Token sources" section listing the three bearer-token source precedences (AWS SM, JSON file/env, single token). New "Build Variants" section explaining default vs aws builds and their release-artifact naming. New "AWS Secrets Manager" section covering env var, secret payload format, IAM role credential discovery, and the hard error for feature-less builds. - CONTRIBUTING.md: documents the `aws` feature and the two test commands contributors should run when touching auth code. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-15 01:55:13 +02:00 · 2026-04-18 04:04:45 +03:00 · 2026-04-18 04:04:45 +03:00 · d830ebcb64
commit d830ebcb64
parent 7a3bf5c758
2 changed files with 73 additions and 3 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -16,6 +16,22 @@ cargo test --workspace
 If you touch S3-backed flows, the CI model uses a local RustFS instance for
 integration tests.

+### Cargo features
+
+`omnigraph-server` has an optional `aws` feature that pulls in the AWS
+Secrets Manager SDK for a bearer-token backend. Default builds omit it —
+most contributors never compile the AWS code path.
+
+When you touch `crates/omnigraph-server/src/auth.rs` or any AWS-conditional
+code, verify both configurations:
+
+```bash
+cargo test -p omnigraph-server                  # default
+cargo test -p omnigraph-server --features aws   # AWS enabled
+```
+
+CI runs both.
+
 ## Pull Requests

 - keep changes focused