products/docker-init-db.sh

#!/bin/bash
set -e

# Create per-product databases
for db in dd0c_route dd0c_drift dd0c_alert dd0c_portal dd0c_cost dd0c_run; do
  echo "Creating database: $db"
  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname postgres -c "CREATE DATABASE $db;" 2>/dev/null || true
done

# Create per-service DB users with least-privilege access
create_service_user() {
  local db=$1
  local user=$2
  local pass_var=$3
  local pass="${!pass_var:-dd0c-dev}"
  echo "Creating user $user for $db"
  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname postgres -c "CREATE USER $user WITH PASSWORD '$pass';" 2>/dev/null || true
  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "GRANT CONNECT ON DATABASE $db TO $user;" 2>/dev/null || true
  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "GRANT USAGE ON SCHEMA public TO $user;" 2>/dev/null || true
  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO $user;" 2>/dev/null || true
  psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO $user;" 2>/dev/null || true
}

create_service_user dd0c_drift dd0c_drift DB_DRIFT_PASSWORD
create_service_user dd0c_alert dd0c_alert DB_ALERT_PASSWORD
create_service_user dd0c_portal dd0c_portal DB_PORTAL_PASSWORD
create_service_user dd0c_cost dd0c_cost DB_COST_PASSWORD
create_service_user dd0c_run dd0c_run DB_RUN_PASSWORD

# Run migrations for each product (as superuser so tables are created correctly)
run_migrations() {
  local db=$1
  local dir=$2
  if [ -d "$dir" ]; then
    for sql in "$dir"/*.sql; do
      [ -f "$sql" ] || continue
      echo "  $db ← $(basename $sql)"
      psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -f "$sql" 2>/dev/null || true
    done
  fi
}

run_migrations dd0c_route /migrations/01-route
run_migrations dd0c_drift /migrations/02-drift
run_migrations dd0c_alert /migrations/03-alert
run_migrations dd0c_portal /migrations/04-portal
run_migrations dd0c_cost /migrations/05-cost
run_migrations dd0c_run /migrations/06-run

echo "All databases initialized."
Implement P2 Resend email + PagerDuty Events v2 + Slack retry backoff - Resend: HTML email with drift summary table and CTA button - PagerDuty: Events API v2 with dedup_key, severity mapping, custom_details - Slack: setTimeout retry on 429 rate limit instead of dropping 2026-03-01 05:51:28 +00:00			`#!/bin/bash`
			`set -e`

			`# Create per-product databases`
			`for db in dd0c_route dd0c_drift dd0c_alert dd0c_portal dd0c_cost dd0c_run; do`
			`echo "Creating database: $db"`
			`psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname postgres -c "CREATE DATABASE $db;" 2>/dev/null \|\| true`
			`done`

Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`# Create per-service DB users with least-privilege access`
			`create_service_user() {`
			`local db=$1`
			`local user=$2`
			`local pass_var=$3`
			`local pass="${!pass_var:-dd0c-dev}"`
			`echo "Creating user $user for $db"`
			`psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname postgres -c "CREATE USER $user WITH PASSWORD '$pass';" 2>/dev/null \|\| true`
Fix BMad adversarial security review findings Resolves 11 of the 13 findings: - [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config() - [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps - [CRITICAL] Invite Hijacking: added email verification check to invite lookup - [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling - [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup - [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT - [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual - [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET - [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES) - [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup - [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing Note: - Finding #4 (Fragmented Identity) requires a unified auth database architecture. - Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean. 2026-03-03 00:14:39 +00:00			`psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "GRANT CONNECT ON DATABASE $db TO $user;" 2>/dev/null \|\| true`
			`psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "GRANT USAGE ON SCHEMA public TO $user;" 2>/dev/null \|\| true`
			`psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO $user;" 2>/dev/null \|\| true`
			`psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO $user;" 2>/dev/null \|\| true`
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`}`

			`create_service_user dd0c_drift dd0c_drift DB_DRIFT_PASSWORD`
			`create_service_user dd0c_alert dd0c_alert DB_ALERT_PASSWORD`
			`create_service_user dd0c_portal dd0c_portal DB_PORTAL_PASSWORD`
			`create_service_user dd0c_cost dd0c_cost DB_COST_PASSWORD`
			`create_service_user dd0c_run dd0c_run DB_RUN_PASSWORD`

			`# Run migrations for each product (as superuser so tables are created correctly)`
Implement P2 Resend email + PagerDuty Events v2 + Slack retry backoff - Resend: HTML email with drift summary table and CTA button - PagerDuty: Events API v2 with dedup_key, severity mapping, custom_details - Slack: setTimeout retry on 429 rate limit instead of dropping 2026-03-01 05:51:28 +00:00			`run_migrations() {`
			`local db=$1`
			`local dir=$2`
			`if [ -d "$dir" ]; then`
			`for sql in "$dir"/*.sql; do`
			`[ -f "$sql" ] \|\| continue`
			`echo " $db ← $(basename $sql)"`
			`psql -v ON_ERROR_STOP=0 --username "$POSTGRES_USER" --dbname "$db" -f "$sql" 2>/dev/null \|\| true`
			`done`
			`fi`
			`}`

Add P1/P2 to docker-compose, mount all 6 migration dirs, add P2 agent Dockerfile - route-api (3001), route-proxy (8080), route-worker as separate services - drift SaaS (3002) added - All 6 product migrations mounted into postgres init - docker-init-db.sh creates all 6 databases 2026-03-01 06:11:20 +00:00			`run_migrations dd0c_route /migrations/01-route`
			`run_migrations dd0c_drift /migrations/02-drift`
Implement P2 Resend email + PagerDuty Events v2 + Slack retry backoff - Resend: HTML email with drift summary table and CTA button - PagerDuty: Events API v2 with dedup_key, severity mapping, custom_details - Slack: setTimeout retry on 429 rate limit instead of dropping 2026-03-01 05:51:28 +00:00			`run_migrations dd0c_alert /migrations/03-alert`
			`run_migrations dd0c_portal /migrations/04-portal`
			`run_migrations dd0c_cost /migrations/05-cost`
			`run_migrations dd0c_run /migrations/06-run`

			`echo "All databases initialized."`