Refactor(config): Implement central environment config (MP-18)) (#17)

* fix(infra): Makefile .env generated

* MP-18 Env configuration refactoring: steps 2–4 implemented

2) Single source of truth for versions
- docker/versions.toml confirmed as the sole source
- docker/build-args/global.env cleaned up and consistently switched to *_IMAGE_TAG (PROMETHEUS_IMAGE_TAG, GRAFANA_IMAGE_TAG, KEYCLOAK_IMAGE_TAG, POSTGRES_IMAGE_TAG, REDIS_IMAGE_TAG, CONSUL_IMAGE_TAG, KAFKA_IMAGE_TAG, ZOOKEEPER_IMAGE_TAG)
- No ports/profiles/secrets in global.env

3) Build vs. runtime separated (variable cleanup)
- .env.template stripped of all build/image versions (DOCKER_*_VERSION, (DOCKER_)APP_VERSION, BUILD_DATE)
- App version variable unified: use of VERSION (APP_VERSION removed from build args)

4) Runtime env consolidated (global .env)
- Central config/env/.env created (ports, hosts, flags, paths, SPRING_PROFILES_ACTIVE, NODE_ENV etc.)
- config/env/.env.local created (gitignored) and .gitignore extended
- Runtime values removed from the build-args files (clients/infrastructure/services) or commented with a reference to config/env/.env

Acceptance criteria met
- global.env contains only build versions/tags and build tool versions
- .env.template no longer contains build/image versions
- Central config/env/.env is the only source for runtime values

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18 Env configuration refactoring: steps 5–7 implemented

5) Build-args files slimmed down/restructured
- clients.env: runtime values removed, NODE_VERSION/NGINX_VERSION → NODE_IMAGE_TAG/NGINX_IMAGE_TAG; only build-relevant paths/names kept
- infrastructure.env/services.env: runtime variables already removed earlier, comments with a reference to config/env/.env retained

6) Dockerfiles reviewed/adjusted
- clients/web-app: build ARGs introduced (GRADLE_VERSION, JAVA_VERSION, NGINX_IMAGE_TAG), base image derived from tag; no runtime ARGs
- services/ping-service: SPRING_PROFILES_ACTIVE removed as ARG; build is invoked without -P profile; labels/ENV unified (OCI: version/created)
- infrastructure/gateway: SPRING_PROFILES_ACTIVE removed as ARG; build without -P; labels unified
- templates/spring-boot-service.Dockerfile: runtime ARGs (SPRING_PROFILES_ACTIVE, SERVICE_PORT) removed; healthcheck/expose based on ENV; ENV set separately
- infrastructure/monitoring-server: SPRING_PROFILES_ACTIVE ARG removed; build without -P; ENV/labels cleaned up

7) docker-compose* cleaned up
- docker-compose.yml: env_file: config/env/.env added; image tags switched from DOCKER_* to fixed versions (from global.env/versions.toml); no runtime values via build.args
- docker-compose.services.yml: env_file added; DOCKER_* build args removed; only build-time ARGs (GRADLE_VERSION, JAVA_VERSION, BUILD_DATE, VERSION); ports/ENV from config/env/.env
- docker-compose.clients.yml: env_file added; DOCKER_* removed; NGINX_IMAGE_TAG as build arg; APP_VERSION uses VERSION

Acceptance criteria
- No runtime variables in build-args files
- Dockerfiles use build ARGs only; no ports/secrets/profiles as ARG
- Compose loads only one runtime env source (config/env/.env) and does not pass runtime values in via build.args

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18 Env configuration refactoring: steps 8–11 implemented

8) Secrets strategy (dev simplified)
- config/env/.env.local already present and gitignored; its use for local secrets clarified
- docker/secrets/README.md added; real secrets removed/placeholders set (postgres_password.txt)
- Optimized compose files enforce secrets only in the 'prod' profile (profiles: [prod]) and use env_file: config/env/.env

9) Naming conventions unified
- DOCKER_* removed in the optimized compose files; build args consolidated to GRADLE_VERSION/JAVA_VERSION/VERSION and *_IMAGE_TAG
- SPRING_PROFILES_ACTIVE at runtime only (Compose/env); removed as build ARG from Dockerfiles (auth, gateway, horses, events, members, masterdata)

10) CI: ssot-guard.yml extended
- Guard checks added: fail on runtime variables in build-args files and on build/version variables in runtime envs
- Consistency check between docker/versions.toml and docker/build-args/global.env (central version reconciliation)

11) Scripts & automation
- New script scripts/generate-build-env.sh for generating docker/build-args/global.env from docker/versions.toml (minimal)

Acceptance criteria
- Local development requires no Docker secrets (Compose default), no secrets in the repo
- No DOCKER_* prefixes in runtime files, unambiguous naming conventions
- CI fails on build-vs-runtime violations and version drift

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18 Env configuration refactoring: steps 12–17 implemented

12) DDD slice overrides introduced
- Optional runtime env files added: config/env/services/{ping,members,horses,events,masterdata}.env, config/env/infrastructure/api-gateway.env, config/env/clients/web-app.env
- Compose files load these overrides in addition to config/env/.env (only if present)

13) Deduplication confirmed
- Build-args files contain no runtime values; .env/.env.template without build/version keys

14) Compose coupled to envs
- docker-compose*.yml reference only config/env/.env + optional slice overrides; no docker/build-args/*.env as runtime source

15) Docs updated
- README: new config structure, quickstart with .env/.env.local, optional overrides, deprecations (DOCKER_*_VERSION → *_IMAGE_TAG), smoke tests

16) Cleanup & deprecations
- Deprecation notes documented in README; no obsolete root .env files remain

17) Validation & notes
- Start/healthcheck notes for a local smoke test added; CI guards remain valid

* MP-18 DoD finalization: build/runtime separation hardened, documentation notes corrected

- Removed: runtime build ARG SERVICE_PORT from service Dockerfiles (members, horses, events, masterdata)
  * Fixed default ports set (8083–8086), healthchecks and SERVER_PORT ENV adjusted
  * Meets DoD: build args no longer contain runtime values
- .env.template usage corrected: now refers explicitly to config/env/.env and compose invocations

DoD checklist:
✓ Central runtime file config/env/.env + .env.local (Compose uses env_file)
✓ Build args only versions/paths/names (no runtime keys)
✓ versions.toml as the only source for image/tool versions (CI guard checks drift)
✓ CI workflow blocks build/runtime mixing & version drift (ssot-guard)
✓ README documents the flow (quickstart, structure, deprecations)
✓ Clean builds/local starts supported by compose files

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18: GitHub workflows updated and README markdownlint errors fixed

Workflows
- CI: minimal permissions + concurrency added; build-test now also depends on validate-docs; actions/setup-node → v4
- SSoT Guard: minimal permissions + concurrency
- Deploy Proxmox: concurrency; deploy job runs correctly on workflow_dispatch (previously blocked by a wrong IF condition)
- Docs KDoc Sync: minimal permissions + concurrency
- Integration Tests: minimal permissions + concurrency
- YouTrack Sync: minimal permissions + concurrency; guard when secrets are missing

Docs
- README.md: MD032 (blank lines around lists) corrected
- README.md: MD037 (spaces in emphasis / wildcards) fixed with backticks
- README.md: MD034 (bare URLs) wrapped in <>

Goal
- Optimized, current CI workflows and green markdownlint checks.

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18: Fix Docker SSoT validator errors

Remove default values from centralized ARGs in web-app Dockerfile (GRADLE_VERSION, JAVA_VERSION, NGINX_IMAGE_TAG).

Align build.args in compose files to centralized DOCKER_* vars from versions.toml mapping (clients/services/optimized), and update api-gateway in optimized compose.

Replace hardcoded infra image tags in docker-compose.yml with DOCKER_* fallbacks for postgres/redis/prometheus/grafana/keycloak.

Validated via scripts/validate-docker-consistency.sh all → Errors=0 (Warnings remain by design).

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* MP-18: Finalize Env/SSoT refactor – align generator, validator, build-args and compose

- Switch docker/build-args/global.env to *_IMAGE_TAG keys (PROMETHEUS/GRAFANA/KEYCLOAK/POSTGRES/REDIS/CONSUL/KAFKA/ZOOKEEPER)
- Clean docker/build-args/{clients,services,infrastructure}.env to build-time only; remove runtime/profile/ports
- Update scripts/docker-versions-update.sh to emit *_IMAGE_TAG and strip runtime keys from build-args files
- Update scripts/validate-docker-consistency.sh to check *_IMAGE_TAG and stop enforcing runtime keys in build-args
- Rename Keycloak Dockerfile ARG to KEYCLOAK_IMAGE_TAG and update FROM/labels
- Add build arg fallbacks in compose files where needed (GRADLE/JAVA/VERSION) for dev convenience

Result:
- scripts/validate-docker-consistency.sh all → 0 errors (warnings remain informational)

YouTrack: https://meldestelle-pro.youtrack.cloud/issue/MP-18

* fix: Bash syntax error in ssot-guard.yml fixed

- Faulty '2>/dev/null || true' constructs in for loops removed
- Instead 'shopt -s nullglob' used for clean handling of non-existent file patterns
- Both affected for loops (runtime variable and build variable guards) corrected

MP-18

* chore: Regenerate Docker Compose files to fix SSoT drift

- Removed default values from build arguments (now using centralized DOCKER_* variables)
- Removed env_file directives for cleaner configuration
- Updated variable names for consistency (GATEWAY_PORT → API_GATEWAY_PORT)
- Standardized comments and structure across all compose files

Resolves SSoT drift detected by ssot-guard workflow.

MP-18

* MP-18 fix: Bash syntax error in ssot-guard.yml fixed

- Faulty '2>/dev/null || true' constructs in for loops removed
- Instead 'shopt -s nullglob' used for clean handling of non-existent file patterns
- Both affected for loops (runtime variable and build variable guards) corrected

* MP-18 chore: Regenerate Docker Compose files to fix SSoT drift

- Removed default values from build arguments (now using centralized DOCKER_* variables)
- Removed env_file directives for cleaner configuration
- Updated variable names for consistency (GATEWAY_PORT → API_GATEWAY_PORT)
- Standardized comments and structure across all compose files

Resolves SSoT drift detected by ssot-guard workflow.

* MP-18 fix: qodana_code_quality.yml qodana.yaml

* fix: GitHub Actions workflow errors fixed

- youtrack-sync.yml: correction of the secrets if condition (Line 18)
  * Removal of invalid != '' comparisons
  * Use of correct GitHub Actions syntax: secrets.YT_URL && secrets.YT_TOKEN

- ssot-guard.yml: correction of the get_toml_ver() function
  * Fix for the version drift problem
  * Parsing only from the [versions] section with a state-machine pattern
  * Correct extraction of all 11 version values from versions.toml
  * Trimming of spaces before key comparison

Fixes: MP-18

* MP-18 Removal of Qodana

* MP-18 fix(ssot-guard): align build-args comments with generator output to remove SSoT drift

- clients.env/services.env/infrastructure.env: update runtime note text to match scripts/docker-versions-update.sh
- Avoids false-positive drift in workflow (content changes beyond ignored timestamps)

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml

* MP-18 fix: workflows/youtrack-sync.yml
This commit is contained in:
StefanMo
2025-11-19 00:59:41 +01:00
committed by GitHub
parent b5b87292fe
commit 3f9326a533
44 changed files with 620 additions and 321 deletions
+11 -23
View File
@@ -1,33 +1,21 @@
# =================================================================== # ===================================================================
# Environment Configuration Template - Meldestelle Project # Environment Configuration Template - Meldestelle Project
# =================================================================== # ===================================================================
# Copy this file to .env and customize the values for your environment # Copy this file to config/env/.env and customize the values for your environment
# Security Note: Never commit .env files containing production secrets! # Security Note: Never commit .env files containing production secrets!
# =================================================================== # ===================================================================
# =================================================================== # ===================================================================
# Build Configuration # Runtime Configuration (Single Source for runtime values)
# Hinweis: Build-/Image-Versionen werden ausschließlich in docker/versions.toml
# und docker/build-args/global.env gepflegt. Keine Build-/Versionseinträge hier.
# =================================================================== # ===================================================================
# Docker image versions
DOCKER_GRADLE_VERSION=9.0.1
DOCKER_JAVA_VERSION=21
DOCKER_KEYCLOAK_VERSION=26.4.0
DOCKER_PROMETHEUS_VERSION=v2.54.1
DOCKER_GRAFANA_VERSION=11.3.0
# Application version # Anwendung
DOCKER_APP_VERSION=1.0.0
APP_VERSION=1.0.0
APP_NAME=Meldestelle APP_NAME=Meldestelle
# Build metadata # Profile
BUILD_DATE=
# BUILD_DATE will be auto-generated if not set
# Spring profiles for services
SPRING_PROFILES_ACTIVE=docker,keycloak SPRING_PROFILES_ACTIVE=docker,keycloak
DOCKER_SPRING_PROFILES_DEFAULT=default
DOCKER_SPRING_PROFILES_DOCKER=docker
# =================================================================== # ===================================================================
# Infrastructure Services - Port Configuration # Infrastructure Services - Port Configuration
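Review bot: The new header line tells the user to copy this template to config/env/.env and customize it there, but this commit also adds config/env/.env as a tracked file and only config/env/.env.local is gitignored, so values customized in place show up as changes to a committed file. Point the "Security Note" at config/env/.env.local for anything secret. The added "Hinweis:" comment is German inside an otherwise English header; keep the file in one language.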
@@ -181,13 +169,13 @@ ENABLE_WASM=false
# =================================================================== # ===================================================================
# Usage Instructions # Usage Instructions
# =================================================================== # ===================================================================
# 1. Copy this file: cp .env.template .env # 1. Copy this file: mkdir -p config/env && cp .env.template config/env/.env
# 2. Customize values in .env for your environment # 2. Customize values in config/env/.env for your environment
# 3. Generate secrets: ./docker/secrets/setup-secrets.sh --all # 3. Generate secrets: ./docker/secrets/setup-secrets.sh --all
# 4. Create data directories: mkdir -p ./data/{postgres,redis,prometheus,grafana,keycloak,consul} # 4. Create data directories: mkdir -p ./data/{postgres,redis,prometheus,grafana,keycloak,consul}
# 5. Deploy infrastructure: docker-compose -f docker-compose.yml.optimized up -d # 5. Deploy infrastructure: docker compose -f docker-compose.yml up -d
# 6. Deploy services: docker-compose -f docker-compose.yml.optimized -f docker-compose.services.yml.optimized up -d # 6. Deploy services: docker compose -f docker-compose.services.yml up -d
# 7. Deploy clients: docker-compose -f docker-compose.yml.optimized -f docker-compose.services.yml.optimized -f docker-compose.clients.yml.optimized up -d # 7. Deploy clients: docker compose -f docker-compose.clients.yml up -d
# =================================================================== # ===================================================================
# Monitoring and Logging # Monitoring and Logging
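Review bot: Steps 5 to 7 now run `docker compose -f ... up -d` without `--env-file config/env/.env`. Compose reads only a `.env` in the project directory for `${...}` interpolation, so once step 1 places the file under config/env/ the variables referenced in the compose files are not picked up unless the compose files load that path themselves. Add `--env-file config/env/.env` to the three commands or state where the interpolation values come from. Steps 6 and 7 also no longer stack the infrastructure file; confirm the services and clients files are meant to start on their own.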
View File
+9 -2
View File
@@ -1,5 +1,12 @@
name: CI - Main Pipeline name: CI - Main Pipeline
permissions:
contents: read
concurrency:
group: ci-main-${{ github.ref }}
cancel-in-progress: true
on: on:
push: push:
branches: [ main, develop ] branches: [ main, develop ]
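Review bot: `cancel-in-progress: true` with a group keyed on `github.ref` also applies to the `push` trigger on main and develop, so a second push cancels the CI run of the previous commit and that commit never gets a result. Cancel only on refs where that is acceptable, or key the group on the commit SHA for those two branches. The top-level `permissions: contents: read` is a sound default.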
@@ -37,7 +44,7 @@ jobs:
- uses: actions/checkout@v5 - uses: actions/checkout@v5
- name: Setup Node.js - name: Setup Node.js
uses: actions/setup-node@v6 uses: actions/setup-node@v4
with: with:
node-version: '20' node-version: '20'
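Review bot: `actions/setup-node@v6` to `@v4` is a downgrade by two major versions, while the commit message lists it under updated workflows; state why v4 is required or keep v6. Since the line is being touched, pin the action to a full commit SHA instead of a movable tag.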
@@ -81,7 +88,7 @@ jobs:
build-test: build-test:
name: Build and Test name: Build and Test
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [ docker-ssot, validate-openapi ] needs: [ docker-ssot, validate-openapi, validate-docs ]
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v5
+8 -1
View File
@@ -5,6 +5,13 @@
name: Deploy Proxmox (manual) name: Deploy Proxmox (manual)
permissions:
contents: read
concurrency:
group: deploy-proxmox-${{ github.ref }}
cancel-in-progress: true
on: on:
workflow_dispatch: # Manueller Trigger workflow_dispatch: # Manueller Trigger
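Review bot: `cancel-in-progress: true` on a deploy workflow means a second dispatch on the same ref aborts a deployment that is already running, which can leave the target half-updated. Set `cancel-in-progress: false` here so deploy runs queue instead of cancelling each other.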
@@ -53,7 +60,7 @@ jobs:
deploy: deploy:
needs: build-and-test needs: build-and-test
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push' if: github.event_name == 'workflow_dispatch'
steps: steps:
- name: Checkout Code - name: Checkout Code
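Review bot: The new condition `if: github.event_name == 'workflow_dispatch'` drops the `github.ref == 'refs/heads/main'` check, so a manual run started from any branch now reaches the deploy job. Keep the branch restriction next to the event check, or gate the job with a protected environment that requires approval.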
+7
View File
@@ -1,5 +1,12 @@
name: KDoc → YouTrack KB Sync name: KDoc → YouTrack KB Sync
permissions:
contents: read
concurrency:
group: kdoc-sync-${{ github.ref }}
cancel-in-progress: true
on: on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
+7
View File
@@ -1,5 +1,12 @@
name: Integration Tests name: Integration Tests
permissions:
contents: read
concurrency:
group: integration-tests-${{ github.ref }}
cancel-in-progress: true
on: on:
push: push:
branches: [ main, develop ] branches: [ main, develop ]
+86
View File
@@ -1,5 +1,12 @@
name: Docker SSoT Guard name: Docker SSoT Guard
permissions:
contents: read
concurrency:
group: ssot-guard-${{ github.ref }}
cancel-in-progress: true
on: on:
push: push:
branches: [ main ] branches: [ main ]
@@ -41,6 +48,85 @@ jobs:
- name: Validate Docker SSoT consistency - name: Validate Docker SSoT consistency
run: bash scripts/validate-docker-consistency.sh all run: bash scripts/validate-docker-consistency.sh all
- name: Build vs Runtime variable guards
run: |
set -euo pipefail
echo "[Guard] Prüfe, dass keine Laufzeit-Variablen in Build-Args-Dateien vorkommen..."
RUNTIME_KEYS_REGEX='^(GATEWAY_HOST|GATEWAY_PORT|WEB_APP_PORT|NODE_ENV|CONSUL_(HOST|PORT|ENABLED)|DB_(HOST|PORT|NAME|USER|USERNAME|PASSWORD)|POSTGRES_DB|REDIS_PORT|KEYCLOAK_PORT|PING_SERVICE_PORT|MEMBERS_SERVICE_PORT|HORSES_SERVICE_PORT|EVENTS_SERVICE_PORT|MASTERDATA_SERVICE_PORT|AUTH_SERVICE_PORT|MONITORING_SERVER_PORT|PROMETHEUS_PORT|GRAFANA_PORT|JWT_ISSUER|JWT_AUDIENCE)$'
FAIL=0
shopt -s nullglob
for f in docker/build-args/*.env config/build/*.env; do
[ -f "$f" ] || continue
BAD=$(grep -E '^[A-Z0-9_]+=' "$f" | cut -d= -f1 | grep -E "$RUNTIME_KEYS_REGEX" || true)
if [ -n "$BAD" ]; then
echo "Fehler: Laufzeit-Variablen in Build-Args Datei $f gefunden:"; echo "$BAD"; FAIL=1
fi
done
shopt -u nullglob
if [ $FAIL -ne 0 ]; then
echo "Build vs Runtime Trennung verletzt."; exit 1; fi
echo "[Guard] Prüfe, dass keine Build-/Versions-Variablen in Runtime-Env vorkommen..."
BUILD_KEYS_REGEX='^(GRADLE_VERSION|JAVA_VERSION|VERSION|APP_VERSION|[A-Z]+_IMAGE_TAG)$'
shopt -s nullglob
for f in config/env/.env .env.template; do
[ -f "$f" ] || continue
BAD=$(grep -E '^[A-Z0-9_]+=' "$f" | cut -d= -f1 | grep -E "$BUILD_KEYS_REGEX" || true)
if [ -n "$BAD" ]; then
echo "Fehler: Build-/Versions-Variablen in Runtime-Env $f gefunden:"; echo "$BAD"; FAIL=1
fi
done
shopt -u nullglob
if [ $FAIL -ne 0 ]; then
echo "Build-/Runtime-Mischung in Runtime-Env."; exit 1; fi
- name: Check versions.toml vs global.env consistency
run: |
set -euo pipefail
TOML=docker/versions.toml
GLOBAL=docker/build-args/global.env
[ -f "$TOML" ] || { echo "Missing $TOML"; exit 1; }
[ -f "$GLOBAL" ] || { echo "Missing $GLOBAL"; exit 1; }
get_toml_ver(){ awk -F'=' -v key="$1" '/^\[versions\]/{in_vers=1; next} /^\[/{in_vers=0} in_vers && gsub(/^[ \t]+|[ \t]+$/,"",$1) && $1==key {gsub(/[ "\t]/,"",$2); print $2; exit}' "$TOML"; }
mapfile -t checks < <(printf "%s\n" \
"GRADLE_VERSION:versions.gradle" \
"JAVA_VERSION:versions.java" \
"VERSION:versions.app-version" \
"PROMETHEUS_IMAGE_TAG:versions.prometheus" \
"GRAFANA_IMAGE_TAG:versions.grafana" \
"KEYCLOAK_IMAGE_TAG:versions.keycloak" \
"POSTGRES_IMAGE_TAG:versions.postgres" \
"REDIS_IMAGE_TAG:versions.redis" \
"CONSUL_IMAGE_TAG:versions.consul" \
"ZOOKEEPER_IMAGE_TAG:versions.zookeeper" \
"KAFKA_IMAGE_TAG:versions.kafka")
FAIL=0
for entry in "${checks[@]}"; do
var=${entry%%:*}; path=${entry##*:}
key=${path#*.}
case "$var" in
GRADLE_VERSION) expected=$(get_toml_ver gradle) ;;
JAVA_VERSION) expected=$(get_toml_ver java) ;;
VERSION) expected=$(get_toml_ver app-version) ;;
PROMETHEUS_IMAGE_TAG) expected=$(get_toml_ver prometheus) ;;
GRAFANA_IMAGE_TAG) expected=$(get_toml_ver grafana) ;;
KEYCLOAK_IMAGE_TAG) expected=$(get_toml_ver keycloak) ;;
POSTGRES_IMAGE_TAG) expected=$(get_toml_ver postgres) ;;
REDIS_IMAGE_TAG) expected=$(get_toml_ver redis) ;;
CONSUL_IMAGE_TAG) expected=$(get_toml_ver consul) ;;
ZOOKEEPER_IMAGE_TAG) expected=$(get_toml_ver zookeeper) ;;
KAFKA_IMAGE_TAG) expected=$(get_toml_ver kafka) ;;
esac
actual=$(grep -E "^${var}=" "$GLOBAL" | head -n1 | cut -d= -f2-)
if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
echo "Versions-Drift: $var global.env='$actual' != versions.toml('$expected')"; FAIL=1
fi
done
if [ $FAIL -ne 0 ]; then
echo "Versions SSoT-Drift erkannt."; exit 1; fi
- name: Check drift of generated artifacts (ignore timestamps) - name: Check drift of generated artifacts (ignore timestamps)
run: | run: |
set -euo pipefail set -euo pipefail
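Review bot: In `get_toml_ver` the awk condition `in_vers && gsub(/^[ \t]+|[ \t]+$/,"",$1) && $1==key` uses the return value of `gsub` as a truth value. `gsub` returns the number of replacements, so a key written without surrounding whitespace (`gradle="..."`) yields 0, the line is skipped, `expected` stays empty, and the step reports drift for a correct file. Do the trim as an action and compare afterwards. Two smaller points: the `case` block repeats the mapping already held in `checks` and the computed `key` is never used (`expected=$(get_toml_ver "$key")` would replace the whole `case`), and `RUNTIME_KEYS_REGEX` is a fixed name list that contains neither `SPRING_PROFILES_ACTIVE` nor `SERVICE_PORT`, the two runtime ARGs the commit message says were removed from the Dockerfiles, so reintroducing them in a build-args file would pass this guard.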
+33 -3
View File
@@ -1,4 +1,12 @@
name: YouTrack Sync (on merge) name: YouTrack Sync (on merge)
permissions:
contents: read
id-token: write
concurrency:
group: youtrack-sync-${{ github.ref }}
cancel-in-progress: true
on: on:
push: push:
branches: [ main ] branches: [ main ]
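Review bot: `id-token: write` is added under `permissions`, but the job in this file authenticates to YouTrack with `Authorization: Bearer $YT_TOKEN` from a repository secret and requests no OIDC token. Drop `id-token: write` so the workflow keeps only `contents: read`, as the other workflows in this commit do.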
@@ -6,17 +14,42 @@ on:
jobs: jobs:
notify: notify:
runs-on: ubuntu-latest runs-on: ubuntu-latest
# Secrets als Umgebungsvariablen für den Job verfügbar machen
env:
YT_URL: ${{ secrets.YT_URL }}
YT_TOKEN: ${{ secrets.YT_TOKEN }}
steps: steps:
# WICHTIG: Checkout ist notwendig, damit "git log" funktioniert
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Notwendig, um die Commit-Historie für "git log" zu laden
- name: Comment to YouTrack Issue(s) - name: Comment to YouTrack Issue(s)
# Wir haben das problematische "if: ${{ secrets... }}" entfernt.
# Die Prüfung findet nun sicher im Shell-Skript statt.
run: | run: |
set -euo pipefail set -euo pipefail
# 1. Prüfen, ob Secrets vorhanden sind (Shell-Ebene)
if [ -z "${YT_URL:-}" ] || [ -z "${YT_TOKEN:-}" ]; then
echo "Skipping: YT_URL or YT_TOKEN is not set."
exit 0
fi
# 2. Commit Message nach Issue-Keys durchsuchen
KEYS=$(git log -1 --pretty=%B | grep -o '[A-Z]\+-[0-9]\+' | sort -u || true) KEYS=$(git log -1 --pretty=%B | grep -o '[A-Z]\+-[0-9]\+' | sort -u || true)
if [ -z "$KEYS" ]; then if [ -z "$KEYS" ]; then
echo "No issue keys in last commit message. Skipping." echo "No issue keys in last commit message. Skipping."
exit 0 exit 0
fi fi
# 3. Kommentar an YouTrack senden
for ISSUE in $KEYS; do for ISSUE in $KEYS; do
MSG=$(printf 'PR/Commit gemergt: %s\nRepo: %s\nCommit: %s' "${{ github.event.head_commit.url }}" "${{ github.repository }}" "${{ github.sha }}") MSG=$(printf 'PR/Commit gemergt: %s\nRepo: %s\nCommit: %s' "${{ github.event.head_commit.url }}" "${{ github.repository }}" "${{ github.sha }}")
echo "Posting comment to $ISSUE..."
curl -sS -X POST \ curl -sS -X POST \
-H "Authorization: Bearer $YT_TOKEN" \ -H "Authorization: Bearer $YT_TOKEN" \
-H "Accept: application/json" \ -H "Accept: application/json" \
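Review bot: Moving `YT_URL` and `YT_TOKEN` from the step's `env` to the job's `env` exposes the token to every step of the job, including the newly added `actions/checkout` step; the step-level block removed at the end of the file was the narrower scope. Keep `env` on the "Comment to YouTrack Issue(s)" step, where the shell check for empty values works the same. `fetch-depth: 0` is also more history than `git log -1` needs, and `actions/checkout@v4` differs from the `@v5` used in the CI workflow.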
@@ -24,6 +57,3 @@ jobs:
"$YT_URL/api/issues/$ISSUE/comments" \ "$YT_URL/api/issues/$ISSUE/comments" \
-d "{\"text\": \"$MSG\"}" -d "{\"text\": \"$MSG\"}"
done done
env:
YT_URL: ${{ secrets.YT_URL }}
YT_TOKEN: ${{ secrets.YT_TOKEN }}
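Review bot: The request left in place above still builds its JSON body by string interpolation, `-d "{\"text\": \"$MSG\"}"`, and `MSG` comes from a `printf` whose format contains `\n`, so the body carries raw line breaks inside a JSON string. Build the body with a JSON encoder, for example `jq -n --arg text "$MSG" '{text: $text}'`, and add `--fail` to the `curl` call so an HTTP error from YouTrack fails the step instead of passing silently.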
+3
View File
@@ -26,6 +26,9 @@ logs/
# Generated diagrams # Generated diagrams
build/diagrams/ build/diagrams/
# Local runtime secrets/overrides
config/env/.env.local
# Python virtual environment # Python virtual environment
.venv/ .venv/
venv/ venv/
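Review bot: Only `config/env/.env.local` is ignored. The per-slice override files this commit adds under config/env/services/, config/env/infrastructure/ and config/env/clients/ are tracked, so a secret placed in one of them would be committed. Ignore a `*.local` pattern under config/env/ as well, or state in the override files that secrets do not belong there.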
+51 -3
View File
@@ -15,13 +15,20 @@
git clone https://github.com/StefanMoCoAt/meldestelle.git git clone https://github.com/StefanMoCoAt/meldestelle.git
cd meldestelle cd meldestelle
# 2) (Optional, falls SSoT Compose-Files erst generiert werden müssen) # 2) Runtime-Environment vorbereiten (Single Source of Truth)
# Kopiere die Vorlage und passe sie bei Bedarf an.
cp -n .env.template config/env/.env 2>/dev/null || true
# Optionale lokale Geheimnisse/Overrides (gitignored):
# echo "POSTGRES_PASSWORD=meinlokalespasswort" >> config/env/.env.local
# 3) (Optional) Compose-Files generieren
# (nur falls du die Generator-Pipeline nutzt)
# DOCKER_SSOT_MODE=envless bash scripts/generate-compose-files.sh all development # DOCKER_SSOT_MODE=envless bash scripts/generate-compose-files.sh all development
# 3) Infrastruktur starten # 4) Infrastruktur starten
docker compose -f docker-compose.yml up -d docker compose -f docker-compose.yml up -d
# 4) Services starten (Beispiel) # 5) Services starten (Beispiel)
./gradlew :members:members-service:bootRun ./gradlew :members:members-service:bootRun
# oder falls zentral gewollt und unterstützt # oder falls zentral gewollt und unterstützt
# ./gradlew bootRun # ./gradlew bootRun
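Review bot: `cp -n .env.template config/env/.env 2>/dev/null || true` hides every failure, and because config/env/.env is added to the repository in this same commit, `-n` makes the copy a no-op on a fresh clone. Drop the step or remove the error suppression so a missing template is visible. The commented example writes `POSTGRES_PASSWORD` to config/env/.env.local, but nothing in this quickstart shows that file being loaded; add the compose option that reads it.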
@@ -95,6 +102,47 @@ Das System ist in unabhängige Domänen aufgeteilt:
--- ---
## ⚙️ Konfigurationsstruktur (Build vs. Runtime)
Laufzeit (Runtime) Single Source of Truth:
- config/env/.env globale Runtime-Werte (Ports, Hosts, Feature-Flags, Pfade, Profile)
- config/env/.env.local lokale, geheime Overrides (gitignored)
- Optionale DDD-Slice-Overrides (nur wenn nötig):
- config/env/services/<service>.env (z. B. ping-service.env)
- config/env/infrastructure/<component>.env (z. B. api-gateway.env)
- config/env/clients/<client>.env (z. B. web-app.env)
Build-Zeit (nur Versionen/Tags/Pfade):
- docker/versions.toml zentrale Versionsquelle (SSoT)
- docker/build-args/global.env aus versions.toml abgeleitet (kann via scripts/generate-build-env.sh erzeugt werden)
- docker/build-args/{clients,infrastructure,services}.env nur Build-relevante Pfade/Namen; keine Runtime-Variablen
Compose-Anbindung:
- Alle docker-compose*.yml laden config/env/.env und optional die per-Slice-Overrides via env_file
- Laufzeitwerte werden nicht via build.args eingeschleust
Deprecations / Umbenennungen:
- `DOCKER_*_VERSION``*_IMAGE_TAG` (nur Build-Zeit)
- `APP_VERSION` wurde vereinheitlicht als `VERSION`
Schnelltest / Smoke (lokal):
- docker compose -f docker-compose.yml up -d
- docker compose -f docker-compose.services.yml up -d
- docker compose -f docker-compose.clients.yml up -d
- Healthchecks prüfen: <http://localhost:3000> (Grafana), <http://localhost:9090> (Prometheus), <http://localhost:8180> (Keycloak), <http://localhost:8081> (Gateway), <http://localhost:4000> (Web)
Sicherheits-Hinweise:
- Keine echten Secrets im Repo; verwende config/env/.env.local für lokale Entwicklung
- Die optimierten Compose-Dateien (`*.optimized`) nutzen Docker-Secrets im Profil "prod"
---
## 🛠️ Tech Stack ## 🛠️ Tech Stack
| Komponente | Technologie | Version | | Komponente | Technologie | Version |
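Review bot: The "Compose-Anbindung" list says all docker-compose*.yml load config/env/.env via `env_file`, while a later commit in this squash ("Regenerate Docker Compose files to fix SSoT drift") records "Removed env_file directives". The section also lists `DOCKER_*_VERSION` as deprecated, yet the clients compose file in this commit still passes `${DOCKER_GRADLE_VERSION}` and `${DOCKER_JAVA_VERSION}` as build args. Update the section to describe the final state of the compose files.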
+81
View File
@@ -0,0 +1,81 @@
# ===================================================================
# Global Runtime Environment - Single Source of Truth (Runtime)
# Location: config/env/.env
# Note: Do NOT put image versions or build-only values here.
# Secrets belong in config/env/.env.local (gitignored) or Docker/K8s secrets later.
# ===================================================================
# -------------------------------------------------------------------
# Runtime Profiles
# -------------------------------------------------------------------
SPRING_PROFILES_ACTIVE=docker,keycloak
# -------------------------------------------------------------------
# Infrastructure Services - Port/Host Configuration
# -------------------------------------------------------------------
POSTGRES_DB=meldestelle
REDIS_PORT=6379
KEYCLOAK_PORT=8180
KEYCLOAK_LOG_LEVEL=INFO
CONSUL_HOST=consul
CONSUL_PORT=8500
CONSUL_ENABLED=true
ZOOKEEPER_CLIENT_PORT=2181
KAFKA_PORT=9092
KAFKA_BROKER_ID=1
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR=1
PROMETHEUS_PORT=9090
GRAFANA_PORT=3000
# -------------------------------------------------------------------
# Application Services - Port/Host Configuration
# -------------------------------------------------------------------
GATEWAY_HOST=api-gateway
GATEWAY_PORT=8081
PING_SERVICE_PORT=8082
MEMBERS_SERVICE_PORT=8083
HORSES_SERVICE_PORT=8084
EVENTS_SERVICE_PORT=8085
MASTERDATA_SERVICE_PORT=8086
AUTH_SERVICE_PORT=8087
MONITORING_SERVER_PORT=8088
# -------------------------------------------------------------------
# Client Applications
# -------------------------------------------------------------------
WEB_APP_PORT=4000
WEB_APP_DOMAIN=localhost
NODE_ENV=production
NGINX_WORKER_PROCESSES=auto
NGINX_WORKER_CONNECTIONS=1024
DESKTOP_VNC_WEB_PORT=6080
DESKTOP_VNC_PORT=5901
DESKTOP_APP_DOMAIN=localhost
# -------------------------------------------------------------------
# Security (non-secret runtime values)
# -------------------------------------------------------------------
JWT_ISSUER=meldestelle-auth-server
JWT_AUDIENCE=meldestelle-services
KEYCLOAK_REALM=meldestelle
KEYCLOAK_CLIENT_ID=api-gateway
# -------------------------------------------------------------------
# Data Storage
# -------------------------------------------------------------------
DATA_PATH=./data
# -------------------------------------------------------------------
# Development & Features
# -------------------------------------------------------------------
DEBUG=false
ENABLE_WASM=false
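Review bot: This file defines `GATEWAY_PORT=8081`, but the commit message for the regenerated compose files records the rename `GATEWAY_PORT → API_GATEWAY_PORT`. If the compose files now read `API_GATEWAY_PORT`, this file does not supply it; align the key name here, and add the new name to `RUNTIME_KEYS_REGEX` in ssot-guard.yml, which lists only `GATEWAY_PORT`.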
+8
View File
@@ -0,0 +1,8 @@
# Optional Client Override Web App
# Diese Datei wird zusätzlich zu config/env/.env geladen.
# Nur befüllen, wenn die Web-App abweichende Runtime-Werte benötigt.
# Beispiel-Overrides (auskommentiert lassen, falls nicht benötigt):
#
# WEB_APP_PORT=4001
# NODE_ENV=development
# APP_TITLE=Meldestelle (Dev)
+8
View File
@@ -0,0 +1,8 @@
# Optional Infrastructure Override API Gateway
# Diese Datei wird zusätzlich zu config/env/.env geladen.
# Nur befüllen, wenn das Gateway abweichende Runtime-Werte benötigt.
# Beispiel-Overrides (auskommentiert lassen, falls nicht benötigt):
#
# GATEWAY_PORT=8081
# SPRING_PROFILES_ACTIVE=docker,keycloak
# LOGGING_LEVEL_ROOT=DEBUG
+8
View File
@@ -0,0 +1,8 @@
# Optional Service Override Events Service
# Diese Datei wird zusätzlich zu config/env/.env geladen.
# Nur befüllen, wenn der Events-Service abweichende Runtime-Werte benötigt.
# Beispiel-Overrides (auskommentiert lassen, falls nicht benötigt):
#
# SERVER_PORT=8085
# LOGGING_LEVEL_ROOT=DEBUG
# DEBUG=true
+8
View File
@@ -0,0 +1,8 @@
# Optional Service Override Horses Service
# Diese Datei wird zusätzlich zu config/env/.env geladen.
# Nur befüllen, wenn der Horses-Service abweichende Runtime-Werte benötigt.
# Beispiel-Overrides (auskommentiert lassen, falls nicht benötigt):
#
# SERVER_PORT=8084
# LOGGING_LEVEL_ROOT=DEBUG
# DEBUG=true
+8
View File
@@ -0,0 +1,8 @@
# Optional Service Override Masterdata Service
# Diese Datei wird zusätzlich zu config/env/.env geladen.
# Nur befüllen, wenn der Masterdata-Service abweichende Runtime-Werte benötigt.
# Beispiel-Overrides (auskommentiert lassen, falls nicht benötigt):
#
# SERVER_PORT=8086
# LOGGING_LEVEL_ROOT=DEBUG
# DEBUG=true
+8
View File
@@ -0,0 +1,8 @@
# Optional Service Override Members Service
# Diese Datei wird zusätzlich zu config/env/.env geladen.
# Nur befüllen, wenn der Members-Service abweichende Runtime-Werte benötigt.
# Beispiel-Overrides (auskommentiert lassen, falls nicht benötigt):
#
# SERVER_PORT=8083
# LOGGING_LEVEL_ROOT=DEBUG
# DEBUG=true
+8
View File
@@ -0,0 +1,8 @@
# Optional Service Override Ping Service
# Diese Datei wird zusätzlich zu config/env/.env geladen.
# Nur befüllen, wenn der Ping-Service abweichende Runtime-Werte benötigt.
# Beispiel-Overrides (auskommentiert lassen, falls nicht benötigt):
#
# SERVER_PORT=8082
# LOGGING_LEVEL_ROOT=DEBUG
# DEBUG=true
+1 -1
View File
@@ -2,7 +2,7 @@
# Docker Compose - Client Applications # Docker Compose - Client Applications
# Generated from docker/versions.toml # Generated from docker/versions.toml
# Environment: development # Environment: development
# Generated: 2025-11-11 23:07:01 UTC # Generated: 2025-11-18 19:43:46 UTC
# =================================================================== # ===================================================================
services: services:
+13 -8
View File
@@ -36,23 +36,26 @@ services:
context: . context: .
dockerfile: dockerfiles/clients/web-app/Dockerfile dockerfile: dockerfiles/clients/web-app/Dockerfile
args: args:
# Global build arguments (centralized DOCKER_* variables) # Global build arguments (build-time only)
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION} GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION} JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE} BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION} VERSION: ${DOCKER_APP_VERSION:-1.0.0}
# Client-specific arguments (centralized DOCKER_* variables) # Client-specific image tag (build-time only)
NODE_VERSION: ${DOCKER_NODE_VERSION} NGINX_IMAGE_TAG: ${DOCKER_NGINX_VERSION:-1.28.0-alpine}
NGINX_VERSION: ${DOCKER_NGINX_VERSION}
# Application-specific arguments # Application-specific arguments
CLIENT_PATH: client CLIENT_PATH: client
CLIENT_MODULE: client CLIENT_MODULE: client
CLIENT_NAME: meldestelle-web-app CLIENT_NAME: meldestelle-web-app
container_name: meldestelle-web-app container_name: meldestelle-web-app
env_file:
- config/env/.env
# Optional client-specific overrides (only if file exists)
- config/env/clients/web-app.env
environment: environment:
NODE_ENV: ${NODE_ENV:-production} NODE_ENV: ${NODE_ENV:-production}
APP_TITLE: ${APP_NAME:-Meldestelle} APP_TITLE: ${APP_NAME:-Meldestelle}
APP_VERSION: ${APP_VERSION:-1.0.0} APP_VERSION: ${VERSION:-1.0.0}
# API Gateway Configuration # API Gateway Configuration
API_BASE_URL: http://${GATEWAY_HOST:-api-gateway}:${GATEWAY_PORT:-8081} API_BASE_URL: http://${GATEWAY_HOST:-api-gateway}:${GATEWAY_PORT:-8081}
# Nginx Worker Processes (for Performance) # Nginx Worker Processes (for Performance)
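Review bot: The `environment:` keys that follow the new `env_file:` list win over it, so `NODE_ENV: ${NODE_ENV:-production}` and `APP_TITLE: ${APP_NAME:-Meldestelle}` will mask the NODE_ENV and APP_TITLE overrides that the new web-app override file advertises. Compose interpolates `${...}` from the shell and the project-level `.env`, not from files listed under `env_file:`, so values in `config/env/.env` do not feed these expressions either. Either remove the keys from `environment:` so the env files decide, or run Compose with `--env-file config/env/.env`. The comment "only if file exists" is also not what the short list form does: a missing file is an error there, and the long form with `path:` plus `required: false` is needed if the file is meant to be optional. Separately, `NGINX_IMAGE_TAG` still reads `${DOCKER_NGINX_VERSION}`, which does not match the `*_IMAGE_TAG` naming this commit introduces.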
@@ -103,8 +106,10 @@ services:
dockerfile: dockerfiles/clients/desktop-app/Dockerfile dockerfile: dockerfiles/clients/desktop-app/Dockerfile
args: args:
- BUILD_DATE=${BUILD_DATE:-$(date -u +"%Y-%m-%dT%H:%M:%SZ")} - BUILD_DATE=${BUILD_DATE:-$(date -u +"%Y-%m-%dT%H:%M:%SZ")}
- VERSION=${APP_VERSION:-1.0.0} - VERSION=${VERSION:-1.0.0}
container_name: meldestelle-desktop-app container_name: meldestelle-desktop-app
env_file:
- config/env/.env
environment: environment:
# API Configuration - fallback to external gateway if not in same compose network # API Configuration - fallback to external gateway if not in same compose network
API_BASE_URL: http://${GATEWAY_HOST:-api-gateway}:${GATEWAY_PORT:-8081} API_BASE_URL: http://${GATEWAY_HOST:-api-gateway}:${GATEWAY_PORT:-8081}
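Review bot: The desktop-app build arg now reads `VERSION=${VERSION:-1.0.0}`, while the web-app service in the same file keeps `VERSION: ${DOCKER_APP_VERSION:-1.0.0}`, so the two clients can be stamped with different versions depending on which variable happens to be set. Pick one source (the commit message names `VERSION`) and use it in both places. The unchanged `BUILD_DATE` line also relies on `$(date ...)` as its default, which Compose does not evaluate as a command; the web-app service was switched to `:-unknown`, and this one should follow.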
+1 -1
View File
@@ -2,7 +2,7 @@
# Docker Compose - Application Services # Docker Compose - Application Services
# Generated from docker/versions.toml # Generated from docker/versions.toml
# Environment: development # Environment: development
# Generated: 2025-11-11 23:07:01 UTC # Generated: 2025-11-18 19:43:46 UTC
# =================================================================== # ===================================================================
services: services:
+28 -12
View File
@@ -24,14 +24,16 @@ services:
context: . context: .
dockerfile: dockerfiles/services/ping-service/Dockerfile dockerfile: dockerfiles/services/ping-service/Dockerfile
args: args:
# Global build arguments # Global build arguments (build-time only)
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION} GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION:-21} JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE:-unknown} BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION:-1.0.0} VERSION: ${DOCKER_APP_VERSION:-1.0.0}
# Service-specific arguments
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DOCKER:-docker}
container_name: meldestelle-ping-service container_name: meldestelle-ping-service
env_file:
- config/env/.env
# Optional service-specific overrides (only if file exists)
- config/env/services/ping-service.env
volumes: volumes:
# Mount Gradle cache for better build performance # Mount Gradle cache for better build performance
- ping-service-gradle-cache:/home/gradle/.gradle - ping-service-gradle-cache:/home/gradle/.gradle
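Review bot: `JAVA_VERSION: ${DOCKER_JAVA_VERSION}` loses its `:-21` fallback here, and `GRADLE_VERSION` never had one, so an unset variable is passed as an empty string and a base image reference of the form `gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine` becomes invalid at build time. The commit message states that the `DOCKER_*_VERSION` variables were removed from `.env.template`, so it should be spelled out where these two are expected to come from now. If the intent is to fail when they are missing, make that explicit with `${DOCKER_JAVA_VERSION:?set DOCKER_JAVA_VERSION}` rather than relying on a confusing build error.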
@@ -67,6 +69,8 @@ services:
condition: service_healthy condition: service_healthy
networks: networks:
- meldestelle-network - meldestelle-network
# Secrets sind für lokale Entwicklung optional; für Prod Profil aktivieren
profiles: ["prod"]
secrets: secrets:
- postgres_user - postgres_user
- postgres_password - postgres_password
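Review bot: `profiles: ["prod"]` sits next to `networks:` and `secrets:`, which are service-level keys, so it gates the whole service behind `--profile prod` rather than making only the secrets optional as the comment says. In a default `docker compose up` the service will not be started at all, and anything that lists it under `depends_on` is affected. If the goal is optional secrets in development, keep the service unprofiled and move the `secrets:` block into a prod-only override file, or provide placeholder secret files for development.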
@@ -99,11 +103,14 @@ services:
dockerfile: dockerfiles/services/members-service/Dockerfile dockerfile: dockerfiles/services/members-service/Dockerfile
args: args:
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION} GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION:-21} JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE:-unknown} BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION:-1.0.0} VERSION: ${DOCKER_APP_VERSION:-1.0.0}
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DOCKER:-docker}
container_name: meldestelle-members-service container_name: meldestelle-members-service
env_file:
- config/env/.env
# Optional service-specific overrides
- config/env/services/members-service.env
volumes: volumes:
- members-service-gradle-cache:/home/gradle/.gradle - members-service-gradle-cache:/home/gradle/.gradle
environment: environment:
@@ -175,11 +182,14 @@ services:
dockerfile: dockerfiles/services/horses-service/Dockerfile dockerfile: dockerfiles/services/horses-service/Dockerfile
args: args:
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION} GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION:-21} JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE:-unknown} BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION:-1.0.0} VERSION: ${DOCKER_APP_VERSION:-1.0.0}
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DOCKER:-docker}
container_name: meldestelle-horses-service container_name: meldestelle-horses-service
env_file:
- config/env/.env
# Optional service-specific overrides
- config/env/services/horses-service.env
volumes: volumes:
- horses-service-gradle-cache:/home/gradle/.gradle - horses-service-gradle-cache:/home/gradle/.gradle
environment: environment:
@@ -251,11 +261,14 @@ services:
dockerfile: dockerfiles/services/events-service/Dockerfile dockerfile: dockerfiles/services/events-service/Dockerfile
args: args:
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION} GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION:-21} JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE:-unknown} BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION:-1.0.0} VERSION: ${DOCKER_APP_VERSION:-1.0.0}
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DOCKER:-docker}
container_name: meldestelle-events-service container_name: meldestelle-events-service
env_file:
- config/env/.env
# Optional service-specific overrides
- config/env/services/events-service.env
volumes: volumes:
- events-service-gradle-cache:/home/gradle/.gradle - events-service-gradle-cache:/home/gradle/.gradle
environment: environment:
@@ -327,11 +340,14 @@ services:
dockerfile: dockerfiles/services/masterdata-service/Dockerfile dockerfile: dockerfiles/services/masterdata-service/Dockerfile
args: args:
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION} GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION:-21} JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE:-unknown} BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION:-1.0.0} VERSION: ${DOCKER_APP_VERSION:-1.0.0}
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DOCKER:-docker}
container_name: meldestelle-masterdata-service container_name: meldestelle-masterdata-service
env_file:
- config/env/.env
# Optional service-specific overrides
- config/env/services/masterdata-service.env
volumes: volumes:
- masterdata-service-gradle-cache:/home/gradle/.gradle - masterdata-service-gradle-cache:/home/gradle/.gradle
environment: environment:
+1 -1
View File
@@ -2,7 +2,7 @@
# Docker Compose - Infrastructure Services # Docker Compose - Infrastructure Services
# Generated from docker/versions.toml # Generated from docker/versions.toml
# Environment: development # Environment: development
# Generated: 2025-11-11 23:07:01 UTC # Generated: 2025-11-18 19:43:46 UTC
# =================================================================== # ===================================================================
services: services:
+8 -4
View File
@@ -365,14 +365,16 @@ services:
context: . context: .
dockerfile: dockerfiles/infrastructure/gateway/Dockerfile dockerfile: dockerfiles/infrastructure/gateway/Dockerfile
args: args:
# Global build arguments # Global build arguments (build-time only)
GRADLE_VERSION: ${DOCKER_GRADLE_VERSION} GRADLE_VERSION: ${DOCKER_GRADLE_VERSION}
JAVA_VERSION: ${DOCKER_JAVA_VERSION:-21} JAVA_VERSION: ${DOCKER_JAVA_VERSION}
BUILD_DATE: ${BUILD_DATE:-unknown} BUILD_DATE: ${BUILD_DATE:-unknown}
VERSION: ${DOCKER_APP_VERSION:-1.0.0} VERSION: ${DOCKER_APP_VERSION:-1.0.0}
# Infrastructure-specific arguments
SPRING_PROFILES_ACTIVE: ${DOCKER_SPRING_PROFILES_DEFAULT:-default}
container_name: meldestelle-api-gateway container_name: meldestelle-api-gateway
env_file:
- config/env/.env
# Optional infrastructure-specific overrides (only if file exists)
- config/env/infrastructure/api-gateway.env
volumes: volumes:
# Mount Gradle cache for better build performance # Mount Gradle cache for better build performance
- api-gateway-gradle-cache:/home/gradle/.gradle - api-gateway-gradle-cache:/home/gradle/.gradle
@@ -415,6 +417,8 @@ services:
condition: service_started condition: service_started
networks: networks:
- meldestelle-network - meldestelle-network
# Secrets für lokale Dev optional; mit Profil "prod" aktivieren
profiles: ["prod"]
secrets: secrets:
- keycloak_client_secret - keycloak_client_secret
- postgres_user - postgres_user
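Review bot: If this `profiles: ["prod"]` belongs to the api-gateway service built earlier in this file, the gateway disappears from every run without `--profile prod`, while the client services still default `API_BASE_URL` to `http://${GATEWAY_HOST:-api-gateway}:${GATEWAY_PORT:-8081}`. Local development would then have clients pointing at a host that is never started. The comment describes optional secrets, so the `keycloak_client_secret` and Postgres secret references should be what is conditional, not the service.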
+3 -16
View File
@@ -1,7 +1,7 @@
# =================================================================== # ===================================================================
# Clients Docker Build Arguments - dockerfiles/clients/* # Clients Docker Build Arguments - dockerfiles/clients/*
# Source: docker/versions.toml [categories.clients] # Source: docker/versions.toml [categories.clients]
# Last updated: 2025-11-11 22:36:33 UTC # Last updated: 2025-11-18 14:30:11 UTC
# =================================================================== # ===================================================================
# --- Include Global Arguments --- # --- Include Global Arguments ---
@@ -16,18 +16,5 @@ CLIENT_PATH=client
CLIENT_MODULE=client CLIENT_MODULE=client
CLIENT_NAME=meldestelle-client CLIENT_NAME=meldestelle-client
# --- Web Application Specific --- # Note: Runtime/Dev values moved to config/env/.env
WEB_APP_PORT=4000 # Keep this file strictly for build-time values only.
# --- Desktop Application Specific ---
DESKTOP_APP_VNC_PORT=5901
DESKTOP_APP_NOVNC_PORT=6080
# --- Client Environment ---
NODE_ENV=production
APP_TITLE=Meldestelle
APP_VERSION=1.0.0
# --- Development Configuration ---
WEBPACK_DEV_SERVER_HOST=0.0.0.0
WEBPACK_DEV_SERVER_PORT=4000
+12 -12
View File
@@ -1,7 +1,7 @@
# =================================================================== # ===================================================================
# Global Docker Build Arguments - Used by all categories # Global Docker Build Arguments - Used by all categories
# Source: docker/versions.toml # Source: docker/versions.toml
# Last updated: 2025-11-11 22:36:33 UTC # Last updated: 2025-11-18 15:44:00 UTC
# =================================================================== # ===================================================================
# --- Build Tools --- # --- Build Tools ---
@@ -11,16 +11,16 @@ JAVA_VERSION=21
# --- Build Metadata --- # --- Build Metadata ---
VERSION=1.0.0 VERSION=1.0.0
# --- Monitoring & Infrastructure Services --- # --- Monitoring & Infrastructure Services (image tags) ---
DOCKER_PROMETHEUS_VERSION=v2.54.1 PROMETHEUS_IMAGE_TAG=v2.54.1
DOCKER_GRAFANA_VERSION=11.3.0 GRAFANA_IMAGE_TAG=11.3.0
DOCKER_KEYCLOAK_VERSION=26.4.2 KEYCLOAK_IMAGE_TAG=26.4.2
# --- Datastore Images --- # --- Datastore Images (image tags) ---
DOCKER_POSTGRES_VERSION=16-alpine POSTGRES_IMAGE_TAG=16-alpine
DOCKER_REDIS_VERSION=7-alpine REDIS_IMAGE_TAG=7-alpine
# --- Additional Infrastructure Images --- # --- Additional Infrastructure Images (image tags) ---
DOCKER_CONSUL_VERSION=1.15 CONSUL_IMAGE_TAG=1.15
DOCKER_ZOOKEEPER_VERSION=7.4.0 ZOOKEEPER_IMAGE_TAG=7.4.0
DOCKER_KAFKA_VERSION=7.4.0 KAFKA_IMAGE_TAG=7.4.0
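Review bot: The rename to `*_IMAGE_TAG` is only half done in this commit: the compose files still read `${DOCKER_GRADLE_VERSION}`, `${DOCKER_JAVA_VERSION}` and `${DOCKER_NGINX_VERSION}`, so there are now two naming schemes for build versions. Since this file is meant to be the single place for image tags, it is also worth noting that `16-alpine`, `7-alpine` and `1.15` are floating tags that can resolve to different images over time; pinning full versions, or a digest for the images that handle credentials (Postgres, Keycloak), makes builds reproducible and reviewable.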
+2 -18
View File
@@ -1,20 +1,12 @@
# =================================================================== # ===================================================================
# Infrastructure Docker Build Arguments - dockerfiles/infrastructure/* # Infrastructure Docker Build Arguments - dockerfiles/infrastructure/*
# Source: docker/versions.toml [categories.infrastructure] # Source: docker/versions.toml [categories.infrastructure]
# Last updated: 2025-11-11 22:36:33 UTC # Last updated: 2025-11-18 14:30:11 UTC
# =================================================================== # ===================================================================
# --- Include Global Arguments --- # --- Include Global Arguments ---
# Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION # Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION
# --- Infrastructure Services Configuration ---
SPRING_PROFILES_ACTIVE=default
# --- Infrastructure Service Ports (matches gradle.properties) ---
GATEWAY_PORT=8081
AUTH_SERVER_PORT=8087
MONITORING_SERVER_PORT=8088
# --- API Gateway Specific --- # --- API Gateway Specific ---
GATEWAY_SERVICE_PATH=infrastructure/gateway GATEWAY_SERVICE_PATH=infrastructure/gateway
GATEWAY_SERVICE_NAME=api-gateway GATEWAY_SERVICE_NAME=api-gateway
@@ -27,12 +19,4 @@ AUTH_SERVER_SERVICE_NAME=auth-server
MONITORING_SERVER_PATH=infrastructure/monitoring/monitoring-server MONITORING_SERVER_PATH=infrastructure/monitoring/monitoring-server
MONITORING_SERVER_SERVICE_NAME=monitoring-server MONITORING_SERVER_SERVICE_NAME=monitoring-server
# --- Infrastructure Dependencies --- # Note: Runtime profiles/ports/dependencies moved to config/env/.env
CONSUL_ENABLED=true
CONSUL_HOST=consul
CONSUL_PORT=8500
# --- Database Configuration for Infrastructure Services ---
DB_HOST=postgres
DB_PORT=5432
DB_NAME=meldestelle
+2 -14
View File
@@ -1,26 +1,14 @@
# =================================================================== # ===================================================================
# Services Docker Build Arguments - dockerfiles/services/* # Services Docker Build Arguments - dockerfiles/services/*
# Source: docker/versions.toml [categories.services] # Source: docker/versions.toml [categories.services]
# Last updated: 2025-11-11 22:36:33 UTC # Last updated: 2025-11-18 14:30:11 UTC
# =================================================================== # ===================================================================
# --- Include Global Arguments --- # --- Include Global Arguments ---
# Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION # Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION
# --- Spring Boot Services Configuration ---
SPRING_PROFILES_ACTIVE=docker
# --- Service-Specific Arguments --- # --- Service-Specific Arguments ---
SERVICE_PATH=. SERVICE_PATH=.
SERVICE_NAME=spring-boot-service SERVICE_NAME=spring-boot-service
SERVICE_PORT=8080
# --- Service Port Mapping (matches gradle.properties) --- # Note: Runtime profiles/ports moved to config/env/.env
PING_SERVICE_PORT=8082
MEMBERS_SERVICE_PORT=8083
HORSES_SERVICE_PORT=8084
EVENTS_SERVICE_PORT=8085
MASTERDATA_SERVICE_PORT=8086
# --- Services List (for automation scripts) ---
# ping-service, members-service, horses-service, events-service, masterdata-service
+15
View File
@@ -0,0 +1,15 @@
# Docker Secrets (Development vs. Production)
In der lokalen Entwicklung werden keine Docker-Secrets erzwungen.
- Verwende für sensible Werte stattdessen die Datei `config/env/.env.local` (ist gitignored).
- Die Dateien in diesem Ordner sind lediglich Platzhalter und enthalten KEINE echten Geheimnisse.
- Für ein Deployment in Produktion kannst du diese Dateien mit echten Werten befüllen oder einen sicheren Secret-Store (Docker/K8s) verwenden.
Hinweise:
- Postgres-User/Passwort haben in der lokalen Entwicklung Standard/Fallback-Werte via `docker-compose.yml` (Environment mit Defaults).
- Die optimierten Compose-Dateien (`*.optimized`) können weiterhin Docker-Secrets verwenden diese sind für Prod gedacht.
Schnellstart lokal (ohne Secrets):
- Passe `config/env/.env` und optional `config/env/.env.local` an
- Starte mit: `docker compose -f docker-compose.yml -f docker-compose.services.yml up`
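Review bot: The README tells developers to put sensitive values in `config/env/.env.local`, but none of the `env_file:` lists added in this commit reference that file; they load only `config/env/.env` and the per-service override. As written, values placed in `.env.local` never reach a container. Either add `.env.local` to the `env_file:` lists (as an optional entry, since it is gitignored and may be absent) or document the `--env-file` invocation that loads it. The quick-start command also omits the profile needed for the services this commit places behind `profiles: ["prod"]`.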
+1 -1
View File
@@ -1 +1 @@
pGnDFSiwacGxfKCtb8VJmTQc9Emlcdow CHANGE_ME_LOCAL_DEV
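Review bot: Replacing the 32-character value with `CHANGE_ME_LOCAL_DEV` removes it from the working tree only; it remains readable in the repository history. If that value was ever used for a real client or database, it needs to be rotated, and the commit should say so. With the placeholder in place, a startup check that refuses to run under the prod profile while the secret still equals `CHANGE_ME_LOCAL_DEV` would prevent the placeholder from being deployed by accident.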
+12 -4
View File
@@ -5,11 +5,17 @@
# =================================================================== # ===================================================================
# Stage 1: Build Stage - Kotlin/JS kompilieren # Stage 1: Build Stage - Kotlin/JS kompilieren
# =================================================================== # ===================================================================
FROM gradle:8-jdk21 AS builder # Build args (build-time only)
ARG GRADLE_VERSION
ARG JAVA_VERSION
ARG NODE_VERSION
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION} AS builder
# Install Node.js and npm for Kotlin/JS builds (Ubuntu-based image has better Node.js compatibility) # Install Node.js (version aligned with versions.toml)
# Derive major version from NODE_VERSION (e.g., 22.21.0 -> setup_22.x)
RUN apt-get update && apt-get install -y curl && \ RUN apt-get update && apt-get install -y curl && \
curl -fsSL https://deb.nodesource.com/setup_18.x | bash - && \ NODE_MAJOR=$(echo "$NODE_VERSION" | cut -d. -f1) && \
curl -fsSL "https://deb.nodesource.com/setup_${NODE_MAJOR}.x" | bash - && \
apt-get install -y nodejs && \ apt-get install -y nodejs && \
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
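Review bot: `ARG NODE_VERSION` is declared before `FROM`, so it is only in scope for the `FROM` line, and no re-declaration is visible between `FROM` and the `RUN` that uses it. Inside the `RUN`, `$NODE_VERSION` is therefore empty and the URL becomes `setup_.x`. Because the download is piped into `bash` without `pipefail`, a failed `curl -f` does not stop the step, and `apt-get install -y nodejs` can silently install whatever Node.js the base distribution ships. The compose change in this commit also stops passing `NODE_VERSION` to this build. Add `ARG NODE_VERSION` after `FROM`, give it a default or fail when it is empty, and pass it from compose. Downloading the setup script to a file and verifying it before running it would also be safer than `curl ... | bash -` with a variable in the URL.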
@@ -40,7 +46,9 @@ RUN ./gradlew :clients:app:jsBrowserDistribution --no-configure-on-demand -Pprod
# =================================================================== # ===================================================================
# Stage 2: Runtime Stage - Nginx für Static Files + API Proxy # Stage 2: Runtime Stage - Nginx für Static Files + API Proxy
# =================================================================== # ===================================================================
FROM nginx:1.25-alpine # Build arg controls runtime base image tag (build-time only)
ARG NGINX_IMAGE_TAG
FROM nginx:${NGINX_IMAGE_TAG}
# Installiere curl für Health-Checks # Installiere curl für Health-Checks
RUN apk add --no-cache curl RUN apk add --no-cache curl
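Review bot: `ARG NGINX_IMAGE_TAG` is declared in the middle of the file, after the builder stage has started, so it belongs to that stage and is not available to `FROM nginx:${NGINX_IMAGE_TAG}`. Only arguments declared before the first `FROM` can be used in `FROM` lines, which means the reference expands to `nginx:` and the build fails. Move the declaration to the top next to `GRADLE_VERSION` and `JAVA_VERSION`, and give it a default such as the `1.28.0-alpine` that compose already falls back to, so a plain `docker build` still gets a pinned base image.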
@@ -14,16 +14,14 @@ ARG JAVA_VERSION
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION
# Infrastructure-specific arguments (docker/build-args/infrastructure.env) # Infrastruktur-spezifische Build-Argumente (keine Runtime-Profile/Ports als ARG)
ARG SPRING_PROFILES_ACTIVE
# =================================================================== # ===================================================================
# Build Stage # Build Stage
# =================================================================== # ===================================================================
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage # Re-declare build arguments for this stage (nur Build-Zeit)
ARG SPRING_PROFILES_ACTIVE
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION
@@ -75,8 +73,7 @@ RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
# Build application with BuildKit cache mount # Build application with BuildKit cache mount
RUN --mount=type=cache,target=/home/gradle/.gradle/caches \ RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
--mount=type=cache,target=/home/gradle/.gradle/wrapper \ --mount=type=cache,target=/home/gradle/.gradle/wrapper \
./gradlew :infrastructure:auth:auth-server:bootJar --no-daemon --info \ ./gradlew :infrastructure:auth:auth-server:bootJar --no-daemon --info
-Pspring.profiles.active=${SPRING_PROFILES_ACTIVE}
# =================================================================== # ===================================================================
# Runtime Stage # Runtime Stage
@@ -87,7 +84,6 @@ FROM eclipse-temurin:${JAVA_VERSION}-jre-alpine AS runtime
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION
ARG JAVA_VERSION ARG JAVA_VERSION
ARG SPRING_PROFILES_ACTIVE
# Convert build arguments to environment variables # Convert build arguments to environment variables
ENV JAVA_VERSION=${JAVA_VERSION} \ ENV JAVA_VERSION=${JAVA_VERSION} \
@@ -100,7 +96,6 @@ LABEL service="auth-server" \
description="Authentication and Authorization Server for Meldestelle" \ description="Authentication and Authorization Server for Meldestelle" \
maintainer="Meldestelle Development Team" \ maintainer="Meldestelle Development Team" \
java.version="${JAVA_VERSION}" \ java.version="${JAVA_VERSION}" \
spring.profiles.active="${SPRING_PROFILES_ACTIVE}" \
build.date="${BUILD_DATE}" \ build.date="${BUILD_DATE}" \
org.opencontainers.image.title="Meldestelle Auth Server" \ org.opencontainers.image.title="Meldestelle Auth Server" \
org.opencontainers.image.description="Spring Boot authentication service with Keycloak integration" \ org.opencontainers.image.description="Spring Boot authentication service with Keycloak integration" \
@@ -164,7 +159,6 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
# Auth-server specific Spring Boot configuration # Auth-server specific Spring Boot configuration
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \
SERVER_PORT=8081 \ SERVER_PORT=8081 \
MANAGEMENT_SERVER_PORT=8081 \ MANAGEMENT_SERVER_PORT=8081 \
LOGGING_LEVEL_ROOT=INFO \ LOGGING_LEVEL_ROOT=INFO \
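Review bot: With `SPRING_PROFILES_ACTIVE` removed from this `ENV` block, the image has no active profile unless the runtime sets one, and no compose hunk in this commit adds an `env_file:` for the auth-server. The same block still hardcodes `SERVER_PORT=8081` and `MANAGEMENT_SERVER_PORT=8081`, although the commit moves ports to `config/env/.env` and the removed build-args listed `AUTH_SERVER_PORT=8087` next to `GATEWAY_PORT=8081`. Decide which port the auth-server owns and take it from the runtime environment, and consider failing at startup when no profile is set instead of only printing `not-set`.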
@@ -173,7 +167,7 @@ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
# Enhanced entrypoint with tini init system and conditional debug support # Enhanced entrypoint with tini init system and conditional debug support
ENTRYPOINT ["tini", "--", "sh", "-c", "\ ENTRYPOINT ["tini", "--", "sh", "-c", "\
echo 'Starting Meldestelle Auth Server with Java ${JAVA_VERSION}...'; \ echo 'Starting Meldestelle Auth Server with Java ${JAVA_VERSION}...'; \
echo 'Active Spring profiles: ${SPRING_PROFILES_ACTIVE}'; \ echo 'Active Spring profiles: '${SPRING_PROFILES_ACTIVE:-not-set}; \
echo 'Auth server port: 8081'; \ echo 'Auth server port: 8081'; \
echo 'Container memory: '$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo 'unlimited'); \ echo 'Container memory: '$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo 'unlimited'); \
if [ \"${DEBUG:-false}\" = \"true\" ]; then \ if [ \"${DEBUG:-false}\" = \"true\" ]; then \
@@ -15,7 +15,7 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Infrastructure-specific arguments (docker/build-args/infrastructure.env) # Infrastructure-specific arguments (docker/build-args/infrastructure.env)
ARG SPRING_PROFILES_ACTIVE # Note: No runtime profiles as build ARGs
# =================================================================== # ===================================================================
# Build Stage # Build Stage
@@ -23,7 +23,6 @@ ARG SPRING_PROFILES_ACTIVE
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage # Re-declare build arguments for this stage
ARG SPRING_PROFILES_ACTIVE
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION
@@ -81,8 +80,7 @@ RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
# Build the application with optimizations and build cache (removed deprecated flag) # Build the application with optimizations and build cache (removed deprecated flag)
RUN --mount=type=cache,target=/home/gradle/.gradle/caches \ RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
--mount=type=cache,target=/home/gradle/.gradle/wrapper \ --mount=type=cache,target=/home/gradle/.gradle/wrapper \
./gradlew :infrastructure:gateway:bootJar --info \ ./gradlew :infrastructure:gateway:bootJar --info
-Pspring.profiles.active=${SPRING_PROFILES_ACTIVE}
# Extract JAR layers for better caching in runtime stage # Extract JAR layers for better caching in runtime stage
RUN mkdir -p build/dependency && \ RUN mkdir -p build/dependency && \
@@ -98,7 +96,6 @@ FROM eclipse-temurin:${JAVA_VERSION}-jre-alpine AS runtime
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION
ARG JAVA_VERSION ARG JAVA_VERSION
ARG SPRING_PROFILES_ACTIVE
# Convert build arguments to environment variables # Convert build arguments to environment variables
ENV JAVA_VERSION=${JAVA_VERSION} \ ENV JAVA_VERSION=${JAVA_VERSION} \
@@ -111,7 +108,6 @@ LABEL service="api-gateway" \
description="Spring Cloud Gateway for Meldestelle microservices architecture" \ description="Spring Cloud Gateway for Meldestelle microservices architecture" \
maintainer="Meldestelle Development Team" \ maintainer="Meldestelle Development Team" \
java.version="${JAVA_VERSION}" \ java.version="${JAVA_VERSION}" \
spring.profiles.active="${SPRING_PROFILES_ACTIVE}" \
build.date="${BUILD_DATE}" \ build.date="${BUILD_DATE}" \
org.opencontainers.image.title="Meldestelle API Gateway" \ org.opencontainers.image.title="Meldestelle API Gateway" \
org.opencontainers.image.description="Spring Cloud Gateway with service discovery and monitoring" \ org.opencontainers.image.description="Spring Cloud Gateway with service discovery and monitoring" \
@@ -177,9 +173,8 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-Dmanagement.endpoint.health.show-details=always \ -Dmanagement.endpoint.health.show-details=always \
-Dmanagement.prometheus.metrics.export.enabled=true" -Dmanagement.prometheus.metrics.export.enabled=true"
# Spring Boot configuration (consistent port variable usage) # Spring Boot configuration (Profile nur zur Laufzeit setzen, nicht im Build)
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \
SERVER_PORT=8081 \ SERVER_PORT=8081 \
LOGGING_LEVEL_ROOT=INFO \ LOGGING_LEVEL_ROOT=INFO \
LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_CLOUD_GATEWAY=DEBUG LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_CLOUD_GATEWAY=DEBUG
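Review bot: The updated comment says profiles are set at runtime only, but this block still bakes `LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_CLOUD_GATEWAY=DEBUG` into the image, and the `JAVA_OPTS` above it carry `-Dmanagement.endpoint.health.show-details=always`. Both are runtime choices of the same kind as the profile, and both disclose more than a production gateway should by default: verbose routing logs and full health details to any caller of the health endpoint. Default them to `INFO` and a restricted `show-details` setting in the image, and let `config/env/.env` or the api-gateway override file raise them for development.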
@@ -188,7 +183,7 @@ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
# Fixed memory cgroup path for better compatibility with different container runtimes # Fixed memory cgroup path for better compatibility with different container runtimes
ENTRYPOINT ["tini", "--", "sh", "-c", "\ ENTRYPOINT ["tini", "--", "sh", "-c", "\
echo 'Starting API Gateway with Java ${JAVA_VERSION}...'; \ echo 'Starting API Gateway with Java ${JAVA_VERSION}...'; \
echo 'Active Spring profiles: ${SPRING_PROFILES_ACTIVE}'; \ echo 'Active Spring profiles: '${SPRING_PROFILES_ACTIVE:-not-set}; \
echo 'Gateway port: ${SERVER_PORT}'; \ echo 'Gateway port: ${SERVER_PORT}'; \
MEMORY_LIMIT=$(cat /sys/fs/cgroup/memory.max 2>/dev/null || cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo 'unlimited'); \ MEMORY_LIMIT=$(cat /sys/fs/cgroup/memory.max 2>/dev/null || cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo 'unlimited'); \
echo \"Container memory limit: $MEMORY_LIMIT\"; \ echo \"Container memory limit: $MEMORY_LIMIT\"; \
@@ -9,13 +9,13 @@
# - Custom theme support # - Custom theme support
# - Health monitoring # - Health monitoring
# =================================================================== # ===================================================================
ARG KEYCLOAK_VERSION ARG KEYCLOAK_IMAGE_TAG
FROM quay.io/keycloak/keycloak:${KEYCLOAK_VERSION} FROM quay.io/keycloak/keycloak:${KEYCLOAK_IMAGE_TAG}
LABEL maintainer="Meldestelle Development Team" LABEL maintainer="Meldestelle Development Team"
LABEL description="Production-ready Keycloak for Meldestelle authentication" LABEL description="Production-ready Keycloak for Meldestelle authentication"
LABEL version="${KEYCLOAK_VERSION}" LABEL version="${KEYCLOAK_IMAGE_TAG}"
# Set environment variables for build # Set environment variables for build
ENV KC_HEALTH_ENABLED=true ENV KC_HEALTH_ENABLED=true
@@ -14,7 +14,7 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Infrastructure-specific arguments (docker/build-args/infrastructure.env) # Infrastructure-specific arguments (docker/build-args/infrastructure.env)
ARG SPRING_PROFILES_ACTIVE # Note: No runtime profiles as build ARGs
# =================================================================== # ===================================================================
# Build Stage # Build Stage
@@ -55,8 +55,7 @@ COPY infrastructure/monitoring/monitoring-server/src/ infrastructure/monitoring/
# Build application # Build application
RUN ./gradlew :infrastructure:monitoring:monitoring-server:dependencies --no-daemon --info RUN ./gradlew :infrastructure:monitoring:monitoring-server:dependencies --no-daemon --info
RUN ./gradlew :infrastructure:monitoring:monitoring-server:bootJar --no-daemon --info \ RUN ./gradlew :infrastructure:monitoring:monitoring-server:bootJar --no-daemon --info
-Pspring.profiles.active=${SPRING_PROFILES_ACTIVE}
# =================================================================== # ===================================================================
# Runtime Stage # Runtime Stage
@@ -68,8 +67,7 @@ LABEL service="monitoring-server" \
version="1.0.0" \ version="1.0.0" \
description="Monitoring and Observability Server for Meldestelle" \ description="Monitoring and Observability Server for Meldestelle" \
maintainer="Meldestelle Development Team" \ maintainer="Meldestelle Development Team" \
java.version="${JAVA_VERSION}" \ java.version="${JAVA_VERSION}"
spring.profiles.active="${SPRING_PROFILES_ACTIVE}"
# Build arguments for user configuration # Build arguments for user configuration
ARG APP_USER=monitoruser ARG APP_USER=monitoruser
@@ -122,12 +120,11 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus" -Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus"
# Monitoring-server specific Spring Boot configuration # Monitoring-server specific Spring Boot configuration
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \ ENV SERVER_PORT=8088
SERVER_PORT=8088 \ ENV MANAGEMENT_SERVER_PORT=8088
MANAGEMENT_SERVER_PORT=8088 \ ENV LOGGING_LEVEL_ROOT=INFO
LOGGING_LEVEL_ROOT=INFO \ ENV LOGGING_LEVEL_AT_MOCODE=DEBUG
LOGGING_LEVEL_AT_MOCODE=DEBUG
# Monitoring-focused startup command with debug support # Monitoring-focused startup command with debug support
ENTRYPOINT ["sh", "-c", "\ ENTRYPOINT ["sh", "-c", "\
+9 -14
View File
@@ -14,21 +14,18 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Service-specific arguments (docker/build-args/services.env) # Service-specific arguments (docker/build-args/services.env)
ARG SPRING_PROFILES_ACTIVE # Note: Keine Runtime-Profile/Ports als Build-ARGs
ARG SERVICE_PATH=events/events-service ARG SERVICE_PATH=events/events-service
ARG SERVICE_NAME=events-service ARG SERVICE_NAME=events-service
ARG SERVICE_PORT=8085
# =================================================================== # ===================================================================
# Build Stage # Build Stage
# =================================================================== # ===================================================================
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage # Re-declare build arguments for this stage (nur Build-Zeit)
ARG SERVICE_PATH=events/events-service ARG SERVICE_PATH=events/events-service
ARG SERVICE_NAME=events-service ARG SERVICE_NAME=events-service
ARG SERVICE_PORT=8086
ARG SPRING_PROFILES_ACTIVE
LABEL stage=builder LABEL stage=builder
LABEL maintainer="Meldestelle Development Team" LABEL maintainer="Meldestelle Development Team"
@@ -60,10 +57,10 @@ COPY events/events-application/ events/events-application/
COPY events/events-infrastructure/ events/events-infrastructure/ COPY events/events-infrastructure/ events/events-infrastructure/
COPY events/events-service/ events/events-service/ COPY events/events-service/ events/events-service/
# Build events service # Build events service (ohne Runtime-Profile bei Build)
RUN echo "Building Events Service..." && \ RUN echo "Building Events Service..." && \
./gradlew :events:events-service:dependencies --no-daemon --info && \ ./gradlew :events:events-service:dependencies --no-daemon --info && \
./gradlew :events:events-service:bootJar --no-daemon --info -Pspring.profiles.active=${SPRING_PROFILES_ACTIVE} ./gradlew :events:events-service:bootJar --no-daemon --info
# Extract JAR layers for optimized Docker layer caching # Extract JAR layers for optimized Docker layer caching
WORKDIR /builder WORKDIR /builder
@@ -107,7 +104,6 @@ RUN mkdir -p /app/logs /app/tmp && \
# Re-declare build arguments for runtime stage # Re-declare build arguments for runtime stage
ARG SERVICE_PATH=events/events-service ARG SERVICE_PATH=events/events-service
ARG SERVICE_NAME=events-service ARG SERVICE_NAME=events-service
ARG SERVICE_PORT=8086
# Copy Spring Boot layers in optimal order for Docker layer caching # Copy Spring Boot layers in optimal order for Docker layer caching
COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./
@@ -118,11 +114,11 @@ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/application/ ./
USER ${APP_USER} USER ${APP_USER}
# Expose application port and debug port # Expose application port and debug port
EXPOSE ${SERVICE_PORT} 5006 EXPOSE 8085 5006
# Health check # Health check
HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \ HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \
CMD curl -fsS --max-time 2 http://localhost:${SERVICE_PORT}/actuator/health/readiness || exit 1 CMD curl -fsS --max-time 2 http://localhost:8085/actuator/health/readiness || exit 1
# JVM configuration optimized for events service # JVM configuration optimized for events service
ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
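Review bot: The `HEALTHCHECK` now probes a literal `localhost:8085`, but `SERVER_PORT` stays an `ENV` default that the runtime environment can override, so an overridden port would leave the container permanently unhealthy. The generic Spring Boot template in this same commit uses `http://localhost:${SERVER_PORT:-8080}/actuator/health/readiness`; using `${SERVER_PORT:-8085}` here would keep the two in step. `EXPOSE 8085 5006` also keeps advertising the debug port on every image, including ones never run with `DEBUG=true`.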
@@ -138,16 +134,15 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-Duser.timezone=Europe/Vienna \ -Duser.timezone=Europe/Vienna \
-Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus" -Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus"
# Spring Boot configuration # Spring Boot configuration (Profile nur zur Laufzeit via Compose/Env)
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \ SERVER_PORT=8085 \
SERVER_PORT=${SERVICE_PORT} \
LOGGING_LEVEL_ROOT=INFO \ LOGGING_LEVEL_ROOT=INFO \
LOGGING_LEVEL_AT_MOCODE_EVENTS=DEBUG LOGGING_LEVEL_AT_MOCODE_EVENTS=DEBUG
# Startup command with debug support # Startup command with debug support
ENTRYPOINT ["sh", "-c", "\ ENTRYPOINT ["sh", "-c", "\
echo 'Starting Events Service on port ${SERVICE_PORT}...'; \ echo 'Starting Events Service on port 8085...'; \
if [ \"${DEBUG:-false}\" = \"true\" ]; then \ if [ \"${DEBUG:-false}\" = \"true\" ]; then \
echo 'Debug mode enabled on port 5006'; \ echo 'Debug mode enabled on port 5006'; \
exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5006 org.springframework.boot.loader.launch.JarLauncher; \ exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5006 org.springframework.boot.loader.launch.JarLauncher; \
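Review bot: The debug branch of the `ENTRYPOINT` starts JDWP with `address=*:5006`, which listens on every interface without authentication whenever `DEBUG=true` reaches the container, and this refactoring moves runtime flags into a shared env file. Consider binding to `127.0.0.1:5006` by default (or gating the wildcard bind behind a dev-only setting) and make sure `DEBUG` is never set in the central `config/env/.env` used for non-development deployments.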
@@ -14,21 +14,18 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Service-specific arguments (docker/build-args/services.env) # Service-specific arguments (docker/build-args/services.env)
ARG SPRING_PROFILES_ACTIVE # Note: Keine Runtime-Profile/Ports als Build-ARGs
ARG SERVICE_PATH=horses/horses-service ARG SERVICE_PATH=horses/horses-service
ARG SERVICE_NAME=horses-service ARG SERVICE_NAME=horses-service
ARG SERVICE_PORT=8084
# =================================================================== # ===================================================================
# Build Stage # Build Stage
# =================================================================== # ===================================================================
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage # Re-declare build arguments for diesem Stage (nur Build-Zeit)
ARG SERVICE_PATH=horses/horses-service ARG SERVICE_PATH=horses/horses-service
ARG SERVICE_NAME=horses-service ARG SERVICE_NAME=horses-service
ARG SERVICE_PORT=8085
ARG SPRING_PROFILES_ACTIVE
LABEL stage=builder LABEL stage=builder
LABEL maintainer="Meldestelle Development Team" LABEL maintainer="Meldestelle Development Team"
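Review bot: The re-declaration comment in the builder stage reads `# Re-declare build arguments for diesem Stage (nur Build-Zeit)`, which mixes English and German mid-sentence; the sibling service Dockerfiles use `for this stage (nur Build-Zeit)`. Pick one language for Dockerfile comments and apply it across all services, so the note next to the `ARG` block reads the same everywhere.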
@@ -60,10 +57,10 @@ COPY horses/horses-application/ horses/horses-application/
COPY horses/horses-infrastructure/ horses/horses-infrastructure/ COPY horses/horses-infrastructure/ horses/horses-infrastructure/
COPY horses/horses-service/ horses/horses-service/ COPY horses/horses-service/ horses/horses-service/
# Build horses service # Build horses service (ohne Runtime-Profile bei Build)
RUN echo "Building Horses Service..." && \ RUN echo "Building Horses Service..." && \
./gradlew :horses:horses-service:dependencies --no-daemon --info && \ ./gradlew :horses:horses-service:dependencies --no-daemon --info && \
./gradlew :horses:horses-service:bootJar --no-daemon --info -Pspring.profiles.active=${SPRING_PROFILES_ACTIVE} ./gradlew :horses:horses-service:bootJar --no-daemon --info
# Extract JAR layers for optimized Docker layer caching # Extract JAR layers for optimized Docker layer caching
WORKDIR /builder WORKDIR /builder
@@ -107,7 +104,6 @@ RUN mkdir -p /app/logs /app/tmp && \
# Re-declare build arguments for runtime stage # Re-declare build arguments for runtime stage
ARG SERVICE_PATH=horses/horses-service ARG SERVICE_PATH=horses/horses-service
ARG SERVICE_NAME=horses-service ARG SERVICE_NAME=horses-service
ARG SERVICE_PORT=8085
# Copy Spring Boot layers in optimal order for Docker layer caching # Copy Spring Boot layers in optimal order for Docker layer caching
COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./
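Review bot: The `ARG SERVICE_PORT=8085` removed from the runtime stage did not match the top-level `ARG SERVICE_PORT=8084` removed earlier in this file, so a build without an explicit `--build-arg SERVICE_PORT` resolved the port to 8085 in this stage. The rest of the change hard-codes 8084, which changes the effective port for such builds. Please confirm that Compose port mappings and `config/env/.env` already expect 8084, and mention the corrected mismatch in the commit message.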
@@ -118,11 +114,11 @@ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/application/ ./
USER ${APP_USER} USER ${APP_USER}
# Expose application port and debug port # Expose application port and debug port
EXPOSE ${SERVICE_PORT} 5005 EXPOSE 8084 5005
# Health check # Health check
HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \ HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \
CMD curl -fsS --max-time 2 http://localhost:${SERVICE_PORT}/actuator/health/readiness || exit 1 CMD curl -fsS --max-time 2 http://localhost:8084/actuator/health/readiness || exit 1
# JVM configuration optimized for horses service # JVM configuration optimized for horses service
ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
@@ -138,16 +134,15 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-Duser.timezone=Europe/Vienna \ -Duser.timezone=Europe/Vienna \
-Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus" -Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus"
# Spring Boot configuration # Spring Boot configuration (Profile nur zur Laufzeit via Compose/Env)
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \ SERVER_PORT=8084 \
SERVER_PORT=${SERVICE_PORT} \
LOGGING_LEVEL_ROOT=INFO \ LOGGING_LEVEL_ROOT=INFO \
LOGGING_LEVEL_AT_MOCODE_HORSES=DEBUG LOGGING_LEVEL_AT_MOCODE_HORSES=DEBUG
# Startup command with debug support # Startup command with debug support
ENTRYPOINT ["sh", "-c", "\ ENTRYPOINT ["sh", "-c", "\
echo 'Starting Horses Service on port ${SERVICE_PORT}...'; \ echo 'Starting Horses Service on port 8084...'; \
if [ \"${DEBUG:-false}\" = \"true\" ]; then \ if [ \"${DEBUG:-false}\" = \"true\" ]; then \
echo 'Debug mode enabled on port 5005'; \ echo 'Debug mode enabled on port 5005'; \
exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 org.springframework.boot.loader.launch.JarLauncher; \ exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 org.springframework.boot.loader.launch.JarLauncher; \
@@ -14,21 +14,18 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Service-specific arguments (docker/build-args/services.env) # Service-specific arguments (docker/build-args/services.env)
ARG SPRING_PROFILES_ACTIVE # Note: Keine Runtime-Profile/Ports als Build-ARGs
ARG SERVICE_PATH=masterdata/masterdata-service ARG SERVICE_PATH=masterdata/masterdata-service
ARG SERVICE_NAME=masterdata-service ARG SERVICE_NAME=masterdata-service
ARG SERVICE_PORT=8086
# =================================================================== # ===================================================================
# Build Stage # Build Stage
# =================================================================== # ===================================================================
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage # Re-declare build arguments for this stage (nur Build-Zeit)
ARG SERVICE_PATH=masterdata/masterdata-service ARG SERVICE_PATH=masterdata/masterdata-service
ARG SERVICE_NAME=masterdata-service ARG SERVICE_NAME=masterdata-service
ARG SERVICE_PORT=8087
ARG SPRING_PROFILES_ACTIVE
LABEL stage=builder LABEL stage=builder
LABEL maintainer="Meldestelle Development Team" LABEL maintainer="Meldestelle Development Team"
@@ -60,10 +57,10 @@ COPY masterdata/masterdata-application/ masterdata/masterdata-application/
COPY masterdata/masterdata-infrastructure/ masterdata/masterdata-infrastructure/ COPY masterdata/masterdata-infrastructure/ masterdata/masterdata-infrastructure/
COPY masterdata/masterdata-service/ masterdata/masterdata-service/ COPY masterdata/masterdata-service/ masterdata/masterdata-service/
# Build masterdata service # Build masterdata service (ohne Runtime-Profile bei Build)
RUN echo "Building Masterdata Service..." && \ RUN echo "Building Masterdata Service..." && \
./gradlew :masterdata:masterdata-service:dependencies --no-daemon --info && \ ./gradlew :masterdata:masterdata-service:dependencies --no-daemon --info && \
./gradlew :masterdata:masterdata-service:bootJar --no-daemon --info -Pspring.profiles.active=${SPRING_PROFILES_ACTIVE} ./gradlew :masterdata:masterdata-service:bootJar --no-daemon --info
# Extract JAR layers for optimized Docker layer caching # Extract JAR layers for optimized Docker layer caching
WORKDIR /builder WORKDIR /builder
@@ -107,7 +104,6 @@ RUN mkdir -p /app/logs /app/tmp && \
# Re-declare build arguments for runtime stage # Re-declare build arguments for runtime stage
ARG SERVICE_PATH=masterdata/masterdata-service ARG SERVICE_PATH=masterdata/masterdata-service
ARG SERVICE_NAME=masterdata-service ARG SERVICE_NAME=masterdata-service
ARG SERVICE_PORT=8087
# Copy Spring Boot layers in optimal order for Docker layer caching # Copy Spring Boot layers in optimal order for Docker layer caching
COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./
@@ -118,11 +114,11 @@ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/application/ ./
USER ${APP_USER} USER ${APP_USER}
# Expose application port and debug port # Expose application port and debug port
EXPOSE ${SERVICE_PORT} 5007 EXPOSE 8086 5007
# Health check # Health check
HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \ HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \
CMD curl -fsS --max-time 2 http://localhost:${SERVICE_PORT}/actuator/health/readiness || exit 1 CMD curl -fsS --max-time 2 http://localhost:8086/actuator/health/readiness || exit 1
# JVM configuration optimized for masterdata service # JVM configuration optimized for masterdata service
ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
@@ -138,16 +134,15 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-Duser.timezone=Europe/Vienna \ -Duser.timezone=Europe/Vienna \
-Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus" -Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus"
# Spring Boot configuration # Spring Boot configuration (Profile nur zur Laufzeit via Compose/Env)
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \ SERVER_PORT=8086 \
SERVER_PORT=${SERVICE_PORT} \
LOGGING_LEVEL_ROOT=INFO \ LOGGING_LEVEL_ROOT=INFO \
LOGGING_LEVEL_AT_MOCODE_MASTERDATA=DEBUG LOGGING_LEVEL_AT_MOCODE_MASTERDATA=DEBUG
# Startup command with debug support # Startup command with debug support
ENTRYPOINT ["sh", "-c", "\ ENTRYPOINT ["sh", "-c", "\
echo 'Starting Masterdata Service on port ${SERVICE_PORT}...'; \ echo 'Starting Masterdata Service on port 8086...'; \
if [ \"${DEBUG:-false}\" = \"true\" ]; then \ if [ \"${DEBUG:-false}\" = \"true\" ]; then \
echo 'Debug mode enabled on port 5007'; \ echo 'Debug mode enabled on port 5007'; \
exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5007 org.springframework.boot.loader.launch.JarLauncher; \ exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5007 org.springframework.boot.loader.launch.JarLauncher; \
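Review bot: The startup message now prints a literal `8086`, while `SERVER_PORT` remains an overridable `ENV`, so the log line can disagree with the port the service actually binds. Echo the variable with escaped double quotes, e.g. `echo \"Starting Masterdata Service on port ${SERVER_PORT}...\"`, so the message follows the runtime value.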
@@ -14,21 +14,18 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Service-specific arguments (docker/build-args/services.env) # Service-specific arguments (docker/build-args/services.env)
ARG SPRING_PROFILES_ACTIVE # Note: Keine Runtime-Profile/Ports als Build-ARGs
ARG SERVICE_PATH=members/members-service ARG SERVICE_PATH=members/members-service
ARG SERVICE_NAME=members-service ARG SERVICE_NAME=members-service
ARG SERVICE_PORT=8083
# =================================================================== # ===================================================================
# Build Stage # Build Stage
# =================================================================== # ===================================================================
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage # Re-declare build arguments for this stage (nur Build-Zeit)
ARG SERVICE_PATH=members/members-service ARG SERVICE_PATH=members/members-service
ARG SERVICE_NAME=members-service ARG SERVICE_NAME=members-service
ARG SERVICE_PORT=8084
ARG SPRING_PROFILES_ACTIVE
LABEL stage=builder LABEL stage=builder
LABEL maintainer="Meldestelle Development Team" LABEL maintainer="Meldestelle Development Team"
@@ -60,10 +57,10 @@ COPY members/members-application/ members/members-application/
COPY members/members-infrastructure/ members/members-infrastructure/ COPY members/members-infrastructure/ members/members-infrastructure/
COPY members/members-service/ members/members-service/ COPY members/members-service/ members/members-service/
# Build members service # Build members service (ohne Runtime-Profile bei Build)
RUN echo "Building Members Service..." && \ RUN echo "Building Members Service..." && \
./gradlew :members:members-service:dependencies --no-daemon --info && \ ./gradlew :members:members-service:dependencies --no-daemon --info && \
./gradlew :members:members-service:bootJar --no-daemon --info -Pspring.profiles.active=${SPRING_PROFILES_ACTIVE} ./gradlew :members:members-service:bootJar --no-daemon --info
# Extract JAR layers for optimized Docker layer caching # Extract JAR layers for optimized Docker layer caching
WORKDIR /builder WORKDIR /builder
@@ -107,7 +104,6 @@ RUN mkdir -p /app/logs /app/tmp && \
# Re-declare build arguments for runtime stage # Re-declare build arguments for runtime stage
ARG SERVICE_PATH=members/members-service ARG SERVICE_PATH=members/members-service
ARG SERVICE_NAME=members-service ARG SERVICE_NAME=members-service
ARG SERVICE_PORT=8084
# Copy Spring Boot layers in optimal order for Docker layer caching # Copy Spring Boot layers in optimal order for Docker layer caching
COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/dependencies/ ./
@@ -118,11 +114,11 @@ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} /builder/application/ ./
USER ${APP_USER} USER ${APP_USER}
# Expose application port and debug port # Expose application port and debug port
EXPOSE ${SERVICE_PORT} 5004 EXPOSE 8083 5004
# Health check # Health check
HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \ HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \
CMD curl -fsS --max-time 2 http://localhost:${SERVICE_PORT}/actuator/health/readiness || exit 1 CMD curl -fsS --max-time 2 http://localhost:8083/actuator/health/readiness || exit 1
# JVM configuration optimized for members service # JVM configuration optimized for members service
ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
@@ -138,16 +134,15 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-Duser.timezone=Europe/Vienna \ -Duser.timezone=Europe/Vienna \
-Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus" -Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus"
# Spring Boot configuration # Spring Boot configuration (Profile nur zur Laufzeit via Compose/Env)
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \ SERVER_PORT=8083 \
SERVER_PORT=${SERVICE_PORT} \
LOGGING_LEVEL_ROOT=INFO \ LOGGING_LEVEL_ROOT=INFO \
LOGGING_LEVEL_AT_MOCODE_MEMBERS=DEBUG LOGGING_LEVEL_AT_MOCODE_MEMBERS=DEBUG
# Startup command with debug support # Startup command with debug support
ENTRYPOINT ["sh", "-c", "\ ENTRYPOINT ["sh", "-c", "\
echo 'Starting Members Service on port ${SERVICE_PORT}...'; \ echo 'Starting Members Service on port 8083...'; \
if [ \"${DEBUG:-false}\" = \"true\" ]; then \ if [ \"${DEBUG:-false}\" = \"true\" ]; then \
echo 'Debug mode enabled on port 5004'; \ echo 'Debug mode enabled on port 5004'; \
exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5004 org.springframework.boot.loader.launch.JarLauncher; \ exec java $JAVA_OPTS -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5004 org.springframework.boot.loader.launch.JarLauncher; \
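Review bot: `LOGGING_LEVEL_AT_MOCODE_MEMBERS=DEBUG` stays baked into the image next to the edited `ENV` lines, so every environment gets DEBUG package logging unless it is overridden, and no profile is set at build time any more that could lower it. If the intent is that runtime values live in `config/env/.env`, move this level there and keep only `LOGGING_LEVEL_ROOT=INFO` as the image default.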
@@ -15,7 +15,7 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Service-specific arguments (docker/build-args/services.env) # Service-specific arguments (docker/build-args/services.env)
ARG SPRING_PROFILES_ACTIVE # Note: No runtime profiles as build ARGs
# Build stage: compile the ping-service JAR inside Docker # Build stage: compile the ping-service JAR inside Docker
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
@@ -81,8 +81,7 @@ RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
# Build the application with optimizations and build cache # Build the application with optimizations and build cache
RUN --mount=type=cache,target=/home/gradle/.gradle/caches \ RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
--mount=type=cache,target=/home/gradle/.gradle/wrapper \ --mount=type=cache,target=/home/gradle/.gradle/wrapper \
./gradlew :services:ping:ping-service:bootJar --no-daemon --info \ ./gradlew :services:ping:ping-service:bootJar --no-daemon --info
-Pspring.profiles.active=${SPRING_PROFILES_ACTIVE}
# =================================================================== # ===================================================================
# Runtime stage: optimized JRE image for production # Runtime stage: optimized JRE image for production
@@ -93,7 +92,6 @@ FROM eclipse-temurin:${JAVA_VERSION}-jre-alpine AS runtime
ARG BUILD_DATE ARG BUILD_DATE
ARG VERSION ARG VERSION
ARG JAVA_VERSION ARG JAVA_VERSION
ARG SPRING_PROFILES_ACTIVE
# Convert build arguments to environment variables # Convert build arguments to environment variables
ENV JAVA_VERSION=${JAVA_VERSION} \ ENV JAVA_VERSION=${JAVA_VERSION} \
@@ -106,7 +104,6 @@ LABEL service="ping-service" \
description="Microservice demonstrating circuit breaker patterns and monitoring" \ description="Microservice demonstrating circuit breaker patterns and monitoring" \
maintainer="Meldestelle Development Team" \ maintainer="Meldestelle Development Team" \
java.version="${JAVA_VERSION}" \ java.version="${JAVA_VERSION}" \
spring.profiles.active="${SPRING_PROFILES_ACTIVE}" \
build.date="${BUILD_DATE}" \ build.date="${BUILD_DATE}" \
org.opencontainers.image.title="Ping Service" \ org.opencontainers.image.title="Ping Service" \
org.opencontainers.image.description="Spring Boot microservice with circuit breaker patterns" \ org.opencontainers.image.description="Spring Boot microservice with circuit breaker patterns" \
@@ -171,16 +168,14 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=75.0 \
-Dmanagement.prometheus.metrics.export.enabled=true" -Dmanagement.prometheus.metrics.export.enabled=true"
# Spring Boot configuration # Spring Boot configuration
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \ ENV SERVER_PORT=8082
SERVER_PORT=8082 \ ENV LOGGING_LEVEL_ROOT=INFO
LOGGING_LEVEL_ROOT=INFO
# Enhanced entrypoint with tini init system and conditional debug support # Enhanced entrypoint with tini init system and conditional debug support
# Fixed memory cgroup path for better compatibility with different container runtimes # Fixed memory cgroup path for better compatibility with different container runtimes
ENTRYPOINT ["tini", "--", "sh", "-c", "\ ENTRYPOINT ["tini", "--", "sh", "-c", "\
echo 'Starting Ping Service with Java ${JAVA_VERSION}...'; \ echo 'Starting Ping Service with Java ${JAVA_VERSION}...'; \
echo 'Active Spring profiles: ${SPRING_PROFILES_ACTIVE}'; \
echo 'Service port: ${SERVER_PORT}'; \ echo 'Service port: ${SERVER_PORT}'; \
MEMORY_LIMIT=$(cat /sys/fs/cgroup/memory.max 2>/dev/null || cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo 'unlimited'); \ MEMORY_LIMIT=$(cat /sys/fs/cgroup/memory.max 2>/dev/null || cat /sys/fs/cgroup/memory/memory.limit_in_bytes 2>/dev/null || echo 'unlimited'); \
echo \"Container memory limit: $MEMORY_LIMIT\"; \ echo \"Container memory limit: $MEMORY_LIMIT\"; \
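Review bot: The retained `echo 'Starting Ping Service with Java ${JAVA_VERSION}...'` and `echo 'Service port: ${SERVER_PORT}'` lines sit in single quotes inside an exec-form `ENTRYPOINT`, so neither Docker nor `sh` expands them and the log shows the literal `${...}` text. The memory-limit line already uses escaped double quotes (`\"Container memory limit: $MEMORY_LIMIT\"`); the same quoting on the other `echo` lines would print the real values. With the profile `echo` removed, startup output no longer shows which Spring profile is active, so consider logging it from the application instead.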
@@ -17,10 +17,9 @@ ARG BUILD_DATE
ARG VERSION ARG VERSION
# Service-specific arguments (docker/build-args/services.env or infrastructure.env) # Service-specific arguments (docker/build-args/services.env or infrastructure.env)
ARG SPRING_PROFILES_ACTIVE # Note: No runtime profiles/ports as build ARGs
ARG SERVICE_PATH=. ARG SERVICE_PATH=.
ARG SERVICE_NAME=spring-boot-service ARG SERVICE_NAME=spring-boot-service
ARG SERVICE_PORT=8080
# =================================================================== # ===================================================================
# Build Stage # Build Stage
@@ -30,8 +29,6 @@ FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage # Re-declare build arguments for this stage
ARG SERVICE_PATH=. ARG SERVICE_PATH=.
ARG SERVICE_NAME=spring-boot-service ARG SERVICE_NAME=spring-boot-service
ARG SERVICE_PORT=8080
ARG SPRING_PROFILES_ACTIVE
LABEL stage=builder LABEL stage=builder
LABEL maintainer="Meldestelle Development Team" LABEL maintainer="Meldestelle Development Team"
@@ -65,12 +62,12 @@ RUN if [ "${SERVICE_PATH}" = "." ]; then \
cp /workspace/gradlew /workspace/gradlew.bat .; \ cp /workspace/gradlew /workspace/gradlew.bat .; \
cp -r /workspace/gradle .; \ cp -r /workspace/gradle .; \
echo "Building standalone application..."; \ echo "Building standalone application..."; \
./gradlew bootJar --no-daemon --info -Pspring.profiles.active=${SPRING_PROFILES_ACTIVE}; \ ./gradlew bootJar --no-daemon --info; \
cp build/libs/*.jar /workspace/app.jar; \ cp build/libs/*.jar /workspace/app.jar; \
else \ else \
echo "Building specific service: ${SERVICE_NAME}"; \ echo "Building specific service: ${SERVICE_NAME}"; \
./gradlew :${SERVICE_NAME}:dependencies --no-daemon --info; \ ./gradlew :${SERVICE_NAME}:dependencies --no-daemon --info; \
./gradlew :${SERVICE_NAME}:bootJar --no-daemon --info -Pspring.profiles.active=${SPRING_PROFILES_ACTIVE}; \ ./gradlew :${SERVICE_NAME}:bootJar --no-daemon --info; \
cp ${SERVICE_PATH}/build/libs/*.jar /workspace/app.jar; \ cp ${SERVICE_PATH}/build/libs/*.jar /workspace/app.jar; \
fi fi
@@ -110,7 +107,6 @@ RUN mkdir -p /app/logs /app/tmp && \
# Re-declare build arguments for runtime stage # Re-declare build arguments for runtime stage
ARG SERVICE_PATH=. ARG SERVICE_PATH=.
ARG SERVICE_NAME=spring-boot-service ARG SERVICE_NAME=spring-boot-service
ARG SERVICE_PORT=8080
# Copy JAR (different locations for standalone vs service-specific builds) # Copy JAR (different locations for standalone vs service-specific builds)
COPY --from=builder --chown=${APP_USER}:${APP_GROUP} \ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} \
@@ -118,12 +114,12 @@ COPY --from=builder --chown=${APP_USER}:${APP_GROUP} \
USER ${APP_USER} USER ${APP_USER}
# Expose ports # Expose ports (runtime port configured via environment)
EXPOSE ${SERVICE_PORT} 5005 EXPOSE 8080 5005
# Health check # Health check
HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \ HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \
CMD curl -fsS --max-time 2 http://localhost:${SERVICE_PORT}/actuator/health/readiness || exit 1 CMD curl -fsS --max-time 2 http://localhost:${SERVER_PORT:-8080}/actuator/health/readiness || exit 1
# JVM configuration # JVM configuration
ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
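Review bot: `EXPOSE 8080 5005` is fixed at build time, so the new comment `(runtime port configured via environment)` does not apply to it: a service that overrides `SERVER_PORT` still advertises 8080. The `HEALTHCHECK` correctly follows `${SERVER_PORT:-8080}`; either say in the comment that `EXPOSE` is informational only, or keep the template's port fixed and drop the override wording.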
@@ -137,10 +133,9 @@ ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus" -Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus"
# Spring Boot configuration # Spring Boot configuration
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \ ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \ ENV LOGGING_LEVEL_ROOT=INFO
SERVER_PORT=${SERVICE_PORT} \ ENV SERVER_PORT=8080
LOGGING_LEVEL_ROOT=INFO
# Startup command with debug support # Startup command with debug support
ENTRYPOINT ["sh", "-c", "\ ENTRYPOINT ["sh", "-c", "\
@@ -86,7 +86,7 @@ sync_to_env_files() {
local zookeeper_version=$(get_version "zookeeper") local zookeeper_version=$(get_version "zookeeper")
local kafka_version=$(get_version "kafka") local kafka_version=$(get_version "kafka")
# Update global.env # Update global.env (strictly build-time versions/tags)
cat > "$BUILD_ARGS_DIR/global.env" << EOF cat > "$BUILD_ARGS_DIR/global.env" << EOF
# =================================================================== # ===================================================================
# Global Docker Build Arguments - Used by all categories # Global Docker Build Arguments - Used by all categories
@@ -101,23 +101,23 @@ JAVA_VERSION=$java_version
# --- Build Metadata --- # --- Build Metadata ---
VERSION=$app_version VERSION=$app_version
# --- Monitoring & Infrastructure Services --- # --- Monitoring & Infrastructure Services (image tags) ---
DOCKER_PROMETHEUS_VERSION=$prometheus_version PROMETHEUS_IMAGE_TAG=$prometheus_version
DOCKER_GRAFANA_VERSION=$grafana_version GRAFANA_IMAGE_TAG=$grafana_version
DOCKER_KEYCLOAK_VERSION=$keycloak_version KEYCLOAK_IMAGE_TAG=$keycloak_version
# --- Datastore Images --- # --- Datastore Images (image tags) ---
DOCKER_POSTGRES_VERSION=$postgres_version POSTGRES_IMAGE_TAG=$postgres_version
DOCKER_REDIS_VERSION=$redis_version REDIS_IMAGE_TAG=$redis_version
# --- Additional Infrastructure Images --- # --- Additional Infrastructure Images (image tags) ---
DOCKER_CONSUL_VERSION=$consul_version CONSUL_IMAGE_TAG=$consul_version
DOCKER_ZOOKEEPER_VERSION=$zookeeper_version ZOOKEEPER_IMAGE_TAG=$zookeeper_version
DOCKER_KAFKA_VERSION=$kafka_version KAFKA_IMAGE_TAG=$kafka_version
EOF EOF
print_success "Updated global.env" print_success "Updated global.env"
# Update clients.env # Update clients.env (strictly build-time values; no runtime/dev vars)
cat > "$BUILD_ARGS_DIR/clients.env" << EOF cat > "$BUILD_ARGS_DIR/clients.env" << EOF
# =================================================================== # ===================================================================
# Clients Docker Build Arguments - dockerfiles/clients/* # Clients Docker Build Arguments - dockerfiles/clients/*
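Review bot: Renaming the generated keys from `DOCKER_PROMETHEUS_VERSION` and friends to `PROMETHEUS_IMAGE_TAG` and friends breaks any Compose file, Makefile target or CI job that still interpolates the old names, and an unset variable there can expand to an empty image tag rather than an error. Before merging, grep the repository for `DOCKER_.*_VERSION` and prefer `${PROMETHEUS_IMAGE_TAG:?}`-style references in consumers so a missing tag fails loudly.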
@@ -136,26 +136,12 @@ NGINX_VERSION=$nginx_version
CLIENT_PATH=client CLIENT_PATH=client
CLIENT_MODULE=client CLIENT_MODULE=client
CLIENT_NAME=meldestelle-client CLIENT_NAME=meldestelle-client
# Note: Runtime/Dev values moved to config/env/.env
# --- Web Application Specific --- # Keep this file strictly for build-time values only.
WEB_APP_PORT=4000
# --- Desktop Application Specific ---
DESKTOP_APP_VNC_PORT=5901
DESKTOP_APP_NOVNC_PORT=6080
# --- Client Environment ---
NODE_ENV=production
APP_TITLE=Meldestelle
APP_VERSION=$app_version
# --- Development Configuration ---
WEBPACK_DEV_SERVER_HOST=0.0.0.0
WEBPACK_DEV_SERVER_PORT=4000
EOF EOF
print_success "Updated clients.env" print_success "Updated clients.env"
# Update services.env # Update services.env (strictly build-time values; no runtime vars)
cat > "$BUILD_ARGS_DIR/services.env" << EOF cat > "$BUILD_ARGS_DIR/services.env" << EOF
# =================================================================== # ===================================================================
# Services Docker Build Arguments - dockerfiles/services/* # Services Docker Build Arguments - dockerfiles/services/*
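Review bot: The hunk header context still shows `NGINX_VERSION=$nginx_version` above the edited block, while the commit message says `clients.env` moved to `NODE_IMAGE_TAG`/`NGINX_IMAGE_TAG`. If the heredoc still writes the old names, the next sync run will overwrite the hand-edited `clients.env` and undo that rename, so the generator should be updated in the same change. The removed `APP_VERSION=$app_version` line is consistent with the move to `VERSION`.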
@@ -166,27 +152,14 @@ EOF
# --- Include Global Arguments --- # --- Include Global Arguments ---
# Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION # Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION
# --- Spring Boot Services Configuration ---
SPRING_PROFILES_ACTIVE=$spring_docker
# --- Service-Specific Arguments --- # --- Service-Specific Arguments ---
SERVICE_PATH=. SERVICE_PATH=.
SERVICE_NAME=spring-boot-service SERVICE_NAME=spring-boot-service
SERVICE_PORT=8080 # Note: Runtime profiles/ports moved to config/env/.env
# --- Service Port Mapping (matches gradle.properties) ---
PING_SERVICE_PORT=8082
MEMBERS_SERVICE_PORT=8083
HORSES_SERVICE_PORT=8084
EVENTS_SERVICE_PORT=8085
MASTERDATA_SERVICE_PORT=8086
# --- Services List (for automation scripts) ---
# ping-service, members-service, horses-service, events-service, masterdata-service
EOF EOF
print_success "Updated services.env" print_success "Updated services.env"
# Update infrastructure.env # Update infrastructure.env (strictly build-time values; no runtime vars)
cat > "$BUILD_ARGS_DIR/infrastructure.env" << EOF cat > "$BUILD_ARGS_DIR/infrastructure.env" << EOF
# =================================================================== # ===================================================================
# Infrastructure Docker Build Arguments - dockerfiles/infrastructure/* # Infrastructure Docker Build Arguments - dockerfiles/infrastructure/*
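Review bot: `SPRING_PROFILES_ACTIVE`, `SERVICE_PORT` and the five `*_SERVICE_PORT` values disappear from the services.env heredoc, but nothing in this hunk shows the Dockerfiles under dockerfiles/services/ dropping the matching `ARG` declarations. A build arg that is declared without a default and never passed is empty inside the build rather than an error, so a leftover reference goes unnoticed. Remove those `ARG` lines in the same commit or give them explicit defaults, and have a check fail when a Dockerfile still references a key that no build-args file provides.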
@@ -197,14 +170,6 @@ EOF
# --- Include Global Arguments --- # --- Include Global Arguments ---
# Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION # Source global.env for GRADLE_VERSION, JAVA_VERSION, VERSION
# --- Infrastructure Services Configuration ---
SPRING_PROFILES_ACTIVE=$spring_default
# --- Infrastructure Service Ports (matches gradle.properties) ---
GATEWAY_PORT=8081
AUTH_SERVER_PORT=8087
MONITORING_SERVER_PORT=8088
# --- API Gateway Specific --- # --- API Gateway Specific ---
GATEWAY_SERVICE_PATH=infrastructure/gateway GATEWAY_SERVICE_PATH=infrastructure/gateway
GATEWAY_SERVICE_NAME=api-gateway GATEWAY_SERVICE_NAME=api-gateway
@@ -217,15 +182,7 @@ AUTH_SERVER_SERVICE_NAME=auth-server
MONITORING_SERVER_PATH=infrastructure/monitoring/monitoring-server MONITORING_SERVER_PATH=infrastructure/monitoring/monitoring-server
MONITORING_SERVER_SERVICE_NAME=monitoring-server MONITORING_SERVER_SERVICE_NAME=monitoring-server
# --- Infrastructure Dependencies --- # Note: Runtime profiles/ports/dependencies moved to config/env/.env
CONSUL_ENABLED=true
CONSUL_HOST=consul
CONSUL_PORT=8500
# --- Database Configuration for Infrastructure Services ---
DB_HOST=postgres
DB_PORT=5432
DB_NAME=meldestelle
EOF EOF
print_success "Updated infrastructure.env" print_success "Updated infrastructure.env"
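Review bot: `DB_HOST`, `DB_PORT` and `DB_NAME` move out of infrastructure.env to config/env/.env, which the commit message describes as the central runtime file, with config/env/.env.local as the gitignored one. These three values are harmless, but the database credentials that usually sit next to them must not follow into the shared file. Extend the new comment line to say that secrets go in .env.local only, so the next person adding a DB setting has the rule in front of them.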
@@ -0,0 +1,69 @@
#!/usr/bin/env bash
set -euo pipefail
# Minimal generator: creates docker/build-args/global.env from docker/versions.toml
# Usage: scripts/generate-build-env.sh [OUTPUT_FILE]
ROOT_DIR=$(cd "$(dirname "$0")/.." && pwd)
TOML="$ROOT_DIR/docker/versions.toml"
OUT="${1:-$ROOT_DIR/docker/build-args/global.env}"
if [[ ! -f "$TOML" ]]; then
echo "Error: versions file not found: $TOML" >&2
exit 1
fi
get_ver() {
# reads [versions] table key
local key="$1"
awk -F'=' -v k="$key" '
$0 ~ /^\[versions\]/ { inver=1; next }
$0 ~ /^\[/ { if(inver) exit }
inver && $1 ~ "^"k"$" { gsub(/[ "\t]/, "", $2); print $2; exit }
' "$TOML"
}
GRADLE_VERSION=$(get_ver gradle)
JAVA_VERSION=$(get_ver java)
APP_VERSION=$(get_ver app-version)
PROMETHEUS=$(get_ver prometheus)
GRAFANA=$(get_ver grafana)
KEYCLOAK=$(get_ver keycloak)
POSTGRES=$(get_ver postgres)
REDIS=$(get_ver redis)
CONSUL=$(get_ver consul)
KAFKA=$(get_ver kafka)
ZOOKEEPER=$(get_ver zookeeper)
mkdir -p "$(dirname "$OUT")"
cat > "$OUT" <<EOF
# ===================================================================
# Global Docker Build Arguments - Used by all categories
# Source: docker/versions.toml
# Last updated: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
# ===================================================================
# --- Build Tools ---
GRADLE_VERSION=$GRADLE_VERSION
JAVA_VERSION=$JAVA_VERSION
# --- Build Metadata ---
VERSION=$APP_VERSION
# --- Monitoring & Infrastructure Services ---
PROMETHEUS_IMAGE_TAG=$PROMETHEUS
GRAFANA_IMAGE_TAG=$GRAFANA
KEYCLOAK_IMAGE_TAG=$KEYCLOAK
# --- Datastore Images ---
POSTGRES_IMAGE_TAG=$POSTGRES
REDIS_IMAGE_TAG=$REDIS
# --- Additional Infrastructure Images ---
CONSUL_IMAGE_TAG=$CONSUL
ZOOKEEPER_IMAGE_TAG=$ZOOKEEPER
KAFKA_IMAGE_TAG=$KAFKA
EOF
echo "Generated $OUT from $TOML"
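Review bot: `get_ver` splits on `=` and then tests `$1 ~ "^"k"$"` without trimming, so for a conventionally spaced TOML line (for example `gradle = "8.5"`, value made up here) the first field is `gradle ` with a trailing space and never matches. awk then exits 0 with no output, `set -euo pipefail` does not trip, and the heredoc writes `GRADLE_VERSION=` and empty `*_IMAGE_TAG` values while still printing "Generated". Strip whitespace from `$1` and compare with `==` instead of a regex (the key is data, not a pattern), and abort before the file is written when any lookup is empty, for example with `: "${GRADLE_VERSION:?missing gradle in versions.toml}"`. A value followed by a trailing `# comment` would also be copied through with the comment attached, since only spaces, tabs and quotes are removed.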
@@ -546,36 +546,26 @@ validate_env_value_equality() {
fi fi
} }
# global.env mappings # global.env mappings (build-only) — use *_IMAGE_TAG instead of DOCKER_* vars
_check_env_pair "global.env" "GRADLE_VERSION" "gradle" _check_env_pair "global.env" "GRADLE_VERSION" "gradle"
_check_env_pair "global.env" "JAVA_VERSION" "java" _check_env_pair "global.env" "JAVA_VERSION" "java"
_check_env_pair "global.env" "VERSION" "app-version" _check_env_pair "global.env" "VERSION" "app-version"
_check_env_pair "global.env" "DOCKER_PROMETHEUS_VERSION" "prometheus" _check_env_pair "global.env" "PROMETHEUS_IMAGE_TAG" "prometheus"
_check_env_pair "global.env" "DOCKER_GRAFANA_VERSION" "grafana" _check_env_pair "global.env" "GRAFANA_IMAGE_TAG" "grafana"
_check_env_pair "global.env" "DOCKER_KEYCLOAK_VERSION" "keycloak" _check_env_pair "global.env" "KEYCLOAK_IMAGE_TAG" "keycloak"
# clients.env mappings # clients.env mappings (build-only)
_check_env_pair "clients.env" "NODE_VERSION" "node" _check_env_pair "clients.env" "NODE_VERSION" "node"
_check_env_pair "clients.env" "NGINX_VERSION" "nginx" _check_env_pair "clients.env" "NGINX_VERSION" "nginx"
_check_env_pair "clients.env" "APP_VERSION" "app-version" # No APP_VERSION or runtime/dev values here by policy
# Ports for clients (map to [service-ports])
_check_env_pair "clients.env" "WEB_APP_PORT" "web-app"
_check_env_pair "clients.env" "DESKTOP_APP_VNC_PORT" "desktop-app-vnc"
_check_env_pair "clients.env" "DESKTOP_APP_NOVNC_PORT" "desktop-app-novnc"
# services.env mappings # services.env mappings (build-only)
_check_env_pair "services.env" "SPRING_PROFILES_ACTIVE" "spring-profiles-docker" # Only paths/names are expected here; no runtime profiles/ports
_check_env_pair "services.env" "PING_SERVICE_PORT" "ping-service" # Skipping runtime checks by policy
_check_env_pair "services.env" "MEMBERS_SERVICE_PORT" "members-service"
_check_env_pair "services.env" "HORSES_SERVICE_PORT" "horses-service"
_check_env_pair "services.env" "EVENTS_SERVICE_PORT" "events-service"
_check_env_pair "services.env" "MASTERDATA_SERVICE_PORT" "masterdata-service"
# infrastructure.env mappings # infrastructure.env mappings (build-only)
_check_env_pair "infrastructure.env" "SPRING_PROFILES_ACTIVE" "spring-profiles-default" # Only paths/names are expected here; no runtime profiles/ports
_check_env_pair "infrastructure.env" "GATEWAY_PORT" "api-gateway" # Skipping runtime checks by policy
_check_env_pair "infrastructure.env" "AUTH_SERVER_PORT" "auth-server"
_check_env_pair "infrastructure.env" "MONITORING_SERVER_PORT" "monitoring-server"
if [[ "$has_diff" == false ]]; then if [[ "$has_diff" == false ]]; then
print_success "Environment files are fully synchronized with versions.toml" print_success "Environment files are fully synchronized with versions.toml"
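Review bot: the global.env block verifies only `PROMETHEUS_IMAGE_TAG`, `GRAFANA_IMAGE_TAG` and `KEYCLOAK_IMAGE_TAG`, while the generator in this commit also writes POSTGRES, REDIS, CONSUL, ZOOKEEPER and KAFKA tags, so drift in the datastore and messaging image versions still ends in "fully synchronized". Add `_check_env_pair` lines for those five. The clients.env block is unchanged and still checks `NODE_VERSION` and `NGINX_VERSION`, although the commit message says these were renamed to `NODE_IMAGE_TAG` and `NGINX_IMAGE_TAG`; one of the two is out of date. With the port and profile checks removed by policy, nothing in this function compares runtime values against versions.toml any more, so either narrow the success message to build-time values or add a separate check for config/env/.env.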