products/06-runbook-automation/saas/src/index.ts

import Fastify from 'fastify';
import cors from '@fastify/cors';
import helmet from '@fastify/helmet';
import rateLimit from '@fastify/rate-limit';
import pino from 'pino';
import { config } from './config/index.js';
import { getPoolForAuth } from './data/db.js';
import { authHook, decorateAuth, registerAuthRoutes, registerProtectedAuthRoutes } from './auth/middleware.js';
import { registerRunbookRoutes } from './api/runbooks.js';
import { registerApprovalRoutes } from './api/approvals.js';
import { registerSlackRoutes } from './slackbot/handler.js';

const logger = pino({ name: 'dd0c-run', level: config.LOG_LEVEL });

const app = Fastify({ logger: true });

await app.register(cors, { origin: config.CORS_ORIGIN });
await app.register(helmet);
await app.register(rateLimit, { max: 100, timeWindow: '1 minute' });

const pool = getPoolForAuth();
decorateAuth(app);

// Public routes (no auth)
app.get('/health', async () => ({ status: 'ok', service: 'dd0c-run' }));
app.get('/version', async () => ({ version: process.env.BUILD_SHA || 'dev', built: process.env.BUILD_TIME || 'unknown' }));
registerSlackRoutes(app);

// Auth routes (public - login/signup)
registerAuthRoutes(app, config.JWT_SECRET, pool);

// Protected routes (auth required)
app.register(async function protectedRoutes(protectedApp) {
  protectedApp.addHook('onRequest', authHook(config.JWT_SECRET, pool));
  registerProtectedAuthRoutes(protectedApp, config.JWT_SECRET, pool);
  registerRunbookRoutes(protectedApp);
  registerApprovalRoutes(protectedApp);
});

try {
  await app.listen({ port: config.PORT, host: '0.0.0.0' });
  logger.info({ port: config.PORT }, 'dd0c/run SaaS started');
} catch (err) {
  logger.fatal(err, 'Failed to start');
  process.exit(1);
}
Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS 2026-03-01 03:03:29 +00:00			`import Fastify from 'fastify';`
			`import cors from '@fastify/cors';`
			`import helmet from '@fastify/helmet';`
Fix BMad adversarial security review findings Resolves 11 of the 13 findings: - [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config() - [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps - [CRITICAL] Invite Hijacking: added email verification check to invite lookup - [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling - [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup - [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT - [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual - [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET - [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES) - [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup - [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing Note: - Finding #4 (Fragmented Identity) requires a unified auth database architecture. - Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean. 2026-03-03 00:14:39 +00:00			`import rateLimit from '@fastify/rate-limit';`
Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS 2026-03-01 03:03:29 +00:00			`import pino from 'pino';`
			`import { config } from './config/index.js';`
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`import { getPoolForAuth } from './data/db.js';`
			`import { authHook, decorateAuth, registerAuthRoutes, registerProtectedAuthRoutes } from './auth/middleware.js';`
Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS 2026-03-01 03:03:29 +00:00			`import { registerRunbookRoutes } from './api/runbooks.js';`
			`import { registerApprovalRoutes } from './api/approvals.js';`
			`import { registerSlackRoutes } from './slackbot/handler.js';`

			`const logger = pino({ name: 'dd0c-run', level: config.LOG_LEVEL });`

			`const app = Fastify({ logger: true });`

			`await app.register(cors, { origin: config.CORS_ORIGIN });`
			`await app.register(helmet);`
Fix BMad adversarial security review findings Resolves 11 of the 13 findings: - [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config() - [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps - [CRITICAL] Invite Hijacking: added email verification check to invite lookup - [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling - [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup - [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT - [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual - [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET - [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES) - [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup - [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing Note: - Finding #4 (Fragmented Identity) requires a unified auth database architecture. - Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean. 2026-03-03 00:14:39 +00:00			`await app.register(rateLimit, { max: 100, timeWindow: '1 minute' });`
Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS 2026-03-01 03:03:29 +00:00
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`const pool = getPoolForAuth();`
			`decorateAuth(app);`
Wire auth middleware into all products, add docker-compose and init-db script - Auth middleware (JWT + API key + RBAC) copied into P3/P4/P5/P6 - All server entry points now register auth hooks + auth routes - Webhook and Slack endpoints skip JWT auth (use HMAC/signature) - docker-compose.yml: shared Postgres + Redis + Meilisearch, all 4 Node products as services - init-db.sh: creates per-product databases and runs migrations - P1 (Rust) and P2 (Go agent) run standalone, not in compose 2026-03-01 03:10:35 +00:00
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`// Public routes (no auth)`
Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS 2026-03-01 03:03:29 +00:00			`app.get('/health', async () => ({ status: 'ok', service: 'dd0c-run' }));`
Add /version endpoint to all products + BUILD_SHA/BUILD_TIME in Dockerfiles 2026-03-02 13:53:15 +00:00			`app.get('/version', async () => ({ version: process.env.BUILD_SHA \|\| 'dev', built: process.env.BUILD_TIME \|\| 'unknown' }));`
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`registerSlackRoutes(app);`
Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS 2026-03-01 03:03:29 +00:00
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`// Auth routes (public - login/signup)`
Wire auth middleware into all products, add docker-compose and init-db script - Auth middleware (JWT + API key + RBAC) copied into P3/P4/P5/P6 - All server entry points now register auth hooks + auth routes - Webhook and Slack endpoints skip JWT auth (use HMAC/signature) - docker-compose.yml: shared Postgres + Redis + Meilisearch, all 4 Node products as services - init-db.sh: creates per-product databases and runs migrations - P1 (Rust) and P2 (Go agent) run standalone, not in compose 2026-03-01 03:10:35 +00:00			`registerAuthRoutes(app, config.JWT_SECRET, pool);`
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00
			`// Protected routes (auth required)`
			`app.register(async function protectedRoutes(protectedApp) {`
			`protectedApp.addHook('onRequest', authHook(config.JWT_SECRET, pool));`
			`registerProtectedAuthRoutes(protectedApp, config.JWT_SECRET, pool);`
			`registerRunbookRoutes(protectedApp);`
			`registerApprovalRoutes(protectedApp);`
			`});`
Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS 2026-03-01 03:03:29 +00:00
			`try {`
			`await app.listen({ port: config.PORT, host: '0.0.0.0' });`
			`logger.info({ port: config.PORT }, 'dd0c/run SaaS started');`
			`} catch (err) {`
			`logger.fatal(err, 'Failed to start');`
			`process.exit(1);`
			`}`