products/05-aws-cost-anomaly/src/index.ts

import Fastify from 'fastify';
import cors from '@fastify/cors';
import rateLimit from '@fastify/rate-limit';
import pino from 'pino';
import { config } from './config/index.js';
import { getPoolForAuth } from './data/db.js';
import { authHook, decorateAuth, registerAuthRoutes, registerProtectedAuthRoutes } from './auth/middleware.js';
import { registerAnomalyRoutes } from './api/anomalies.js';
import { registerBaselineRoutes } from './api/baselines.js';
import { registerGovernanceRoutes } from './api/governance.js';
import { registerIngestionRoutes } from './api/ingestion.js';

const logger = pino({ name: 'dd0c-cost', level: config.LOG_LEVEL });

const app = Fastify({ logger: true });

await app.register(cors, { origin: config.CORS_ORIGIN });
await app.register(rateLimit, { max: 100, timeWindow: '1 minute' });

const pool = getPoolForAuth();
decorateAuth(app);

// Public routes (no auth)
app.get('/health', async () => ({ status: 'ok', service: 'dd0c-cost' }));
app.get('/version', async () => ({ version: process.env.BUILD_SHA || 'dev', built: process.env.BUILD_TIME || 'unknown' }));

// Auth routes (public - login/signup)
registerAuthRoutes(app, config.JWT_SECRET, pool);

// Protected routes (auth required)
app.register(async function protectedRoutes(protectedApp) {
  protectedApp.addHook('onRequest', authHook(config.JWT_SECRET, pool));
  registerProtectedAuthRoutes(protectedApp, config.JWT_SECRET, pool);
  registerIngestionRoutes(protectedApp);
  registerAnomalyRoutes(protectedApp);
  registerBaselineRoutes(protectedApp);
  registerGovernanceRoutes(protectedApp);
});

try {
  await app.listen({ port: config.PORT, host: '0.0.0.0' });
  logger.info({ port: config.PORT }, 'dd0c/cost started');
} catch (err) {
  logger.fatal(err, 'Failed to start');
  process.exit(1);
}
Flesh out dd0c/cost: ingestion with Welford optimistic locking, anomaly API, governance, baselines - Ingestion API: batch cost events, Welford baseline update with optimistic locking (version column), anomaly detection inline - Anomaly API: list (filtered), acknowledge, snooze (1-168h), mark expected, dashboard summary with hourly trend - Governance API: mode status, promotion eligibility check with FP rate calculation - Baseline API: list with computed stddev, reset per resource - Data layer: withTenant() RLS wrapper, Zod config with ANOMALY_THRESHOLD - Fastify server entry point 2026-03-01 03:07:02 +00:00			`import Fastify from 'fastify';`
			`import cors from '@fastify/cors';`
Fix BMad adversarial security review findings Resolves 11 of the 13 findings: - [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config() - [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps - [CRITICAL] Invite Hijacking: added email verification check to invite lookup - [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling - [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup - [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT - [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual - [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET - [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES) - [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup - [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing Note: - Finding #4 (Fragmented Identity) requires a unified auth database architecture. - Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean. 2026-03-03 00:14:39 +00:00			`import rateLimit from '@fastify/rate-limit';`
Flesh out dd0c/cost: ingestion with Welford optimistic locking, anomaly API, governance, baselines - Ingestion API: batch cost events, Welford baseline update with optimistic locking (version column), anomaly detection inline - Anomaly API: list (filtered), acknowledge, snooze (1-168h), mark expected, dashboard summary with hourly trend - Governance API: mode status, promotion eligibility check with FP rate calculation - Baseline API: list with computed stddev, reset per resource - Data layer: withTenant() RLS wrapper, Zod config with ANOMALY_THRESHOLD - Fastify server entry point 2026-03-01 03:07:02 +00:00			`import pino from 'pino';`
			`import { config } from './config/index.js';`
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`import { getPoolForAuth } from './data/db.js';`
			`import { authHook, decorateAuth, registerAuthRoutes, registerProtectedAuthRoutes } from './auth/middleware.js';`
Flesh out dd0c/cost: ingestion with Welford optimistic locking, anomaly API, governance, baselines - Ingestion API: batch cost events, Welford baseline update with optimistic locking (version column), anomaly detection inline - Anomaly API: list (filtered), acknowledge, snooze (1-168h), mark expected, dashboard summary with hourly trend - Governance API: mode status, promotion eligibility check with FP rate calculation - Baseline API: list with computed stddev, reset per resource - Data layer: withTenant() RLS wrapper, Zod config with ANOMALY_THRESHOLD - Fastify server entry point 2026-03-01 03:07:02 +00:00			`import { registerAnomalyRoutes } from './api/anomalies.js';`
			`import { registerBaselineRoutes } from './api/baselines.js';`
			`import { registerGovernanceRoutes } from './api/governance.js';`
			`import { registerIngestionRoutes } from './api/ingestion.js';`

			`const logger = pino({ name: 'dd0c-cost', level: config.LOG_LEVEL });`

			`const app = Fastify({ logger: true });`

			`await app.register(cors, { origin: config.CORS_ORIGIN });`
Fix BMad adversarial security review findings Resolves 11 of the 13 findings: - [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config() - [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps - [CRITICAL] Invite Hijacking: added email verification check to invite lookup - [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling - [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup - [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT - [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual - [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET - [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES) - [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup - [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing Note: - Finding #4 (Fragmented Identity) requires a unified auth database architecture. - Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean. 2026-03-03 00:14:39 +00:00			`await app.register(rateLimit, { max: 100, timeWindow: '1 minute' });`
Flesh out dd0c/cost: ingestion with Welford optimistic locking, anomaly API, governance, baselines - Ingestion API: batch cost events, Welford baseline update with optimistic locking (version column), anomaly detection inline - Anomaly API: list (filtered), acknowledge, snooze (1-168h), mark expected, dashboard summary with hourly trend - Governance API: mode status, promotion eligibility check with FP rate calculation - Baseline API: list with computed stddev, reset per resource - Data layer: withTenant() RLS wrapper, Zod config with ANOMALY_THRESHOLD - Fastify server entry point 2026-03-01 03:07:02 +00:00
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`const pool = getPoolForAuth();`
			`decorateAuth(app);`
Wire auth middleware into all products, add docker-compose and init-db script - Auth middleware (JWT + API key + RBAC) copied into P3/P4/P5/P6 - All server entry points now register auth hooks + auth routes - Webhook and Slack endpoints skip JWT auth (use HMAC/signature) - docker-compose.yml: shared Postgres + Redis + Meilisearch, all 4 Node products as services - init-db.sh: creates per-product databases and runs migrations - P1 (Rust) and P2 (Go agent) run standalone, not in compose 2026-03-01 03:10:35 +00:00
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`// Public routes (no auth)`
			`app.get('/health', async () => ({ status: 'ok', service: 'dd0c-cost' }));`
Add /version endpoint to all products + BUILD_SHA/BUILD_TIME in Dockerfiles 2026-03-02 13:53:15 +00:00			`app.get('/version', async () => ({ version: process.env.BUILD_SHA \|\| 'dev', built: process.env.BUILD_TIME \|\| 'unknown' }));`
Flesh out dd0c/cost: ingestion with Welford optimistic locking, anomaly API, governance, baselines - Ingestion API: batch cost events, Welford baseline update with optimistic locking (version column), anomaly detection inline - Anomaly API: list (filtered), acknowledge, snooze (1-168h), mark expected, dashboard summary with hourly trend - Governance API: mode status, promotion eligibility check with FP rate calculation - Baseline API: list with computed stddev, reset per resource - Data layer: withTenant() RLS wrapper, Zod config with ANOMALY_THRESHOLD - Fastify server entry point 2026-03-01 03:07:02 +00:00
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`// Auth routes (public - login/signup)`
Wire auth middleware into all products, add docker-compose and init-db script - Auth middleware (JWT + API key + RBAC) copied into P3/P4/P5/P6 - All server entry points now register auth hooks + auth routes - Webhook and Slack endpoints skip JWT auth (use HMAC/signature) - docker-compose.yml: shared Postgres + Redis + Meilisearch, all 4 Node products as services - init-db.sh: creates per-product databases and runs migrations - P1 (Rust) and P2 (Go agent) run standalone, not in compose 2026-03-01 03:10:35 +00:00			`registerAuthRoutes(app, config.JWT_SECRET, pool);`
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00
			`// Protected routes (auth required)`
			`app.register(async function protectedRoutes(protectedApp) {`
			`protectedApp.addHook('onRequest', authHook(config.JWT_SECRET, pool));`
			`registerProtectedAuthRoutes(protectedApp, config.JWT_SECRET, pool);`
			`registerIngestionRoutes(protectedApp);`
			`registerAnomalyRoutes(protectedApp);`
			`registerBaselineRoutes(protectedApp);`
			`registerGovernanceRoutes(protectedApp);`
			`});`
Flesh out dd0c/cost: ingestion with Welford optimistic locking, anomaly API, governance, baselines - Ingestion API: batch cost events, Welford baseline update with optimistic locking (version column), anomaly detection inline - Anomaly API: list (filtered), acknowledge, snooze (1-168h), mark expected, dashboard summary with hourly trend - Governance API: mode status, promotion eligibility check with FP rate calculation - Baseline API: list with computed stddev, reset per resource - Data layer: withTenant() RLS wrapper, Zod config with ANOMALY_THRESHOLD - Fastify server entry point 2026-03-01 03:07:02 +00:00
			`try {`
			`await app.listen({ port: config.PORT, host: '0.0.0.0' });`
			`logger.info({ port: config.PORT }, 'dd0c/cost started');`
			`} catch (err) {`
			`logger.fatal(err, 'Failed to start');`
			`process.exit(1);`
			`}`