products/03-alert-intelligence/src/config/index.ts

import { z } from 'zod';

const envSchema = z.object({
  PORT: z.coerce.number().default(3000),
  DATABASE_URL: z.string().default('postgresql://localhost:5432/dd0c_alert'),
  REDIS_URL: z.string().default('redis://localhost:6379'),
  JWT_SECRET: z.string().min(32).default('dev-secret-change-me-in-production!!'),
  CORS_ORIGIN: z.string().default('http://localhost:5173'),
  LOG_LEVEL: z.string().default('info'),
});

export const config = envSchema.parse(process.env);
export type Config = z.infer<typeof envSchema>;
Flesh out dd0c/alert: webhook routes, incident API, notification config, data layer - Webhook routes: Datadog, PagerDuty, OpsGenie, Grafana with per-tenant HMAC/token auth - Incident API: list (filtered), detail with alerts, acknowledge/resolve/suppress, dashboard summary - Notification config: CRUD with upsert, test endpoint, Slack/email/webhook channels - Grafana normalizer: severity mapping (critical/warning/info) - Data layer: withTenant() RLS wrapper, Zod config validation - Fastify server entry point with cors/helmet 2026-03-01 03:04:57 +00:00			`import { z } from 'zod';`

			`const envSchema = z.object({`
			`PORT: z.coerce.number().default(3000),`
			`DATABASE_URL: z.string().default('postgresql://localhost:5432/dd0c_alert'),`
			`REDIS_URL: z.string().default('redis://localhost:6379'),`
			`JWT_SECRET: z.string().min(32).default('dev-secret-change-me-in-production!!'),`
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit). 2026-03-02 23:53:55 +00:00			`CORS_ORIGIN: z.string().default('http://localhost:5173'),`
Flesh out dd0c/alert: webhook routes, incident API, notification config, data layer - Webhook routes: Datadog, PagerDuty, OpsGenie, Grafana with per-tenant HMAC/token auth - Incident API: list (filtered), detail with alerts, acknowledge/resolve/suppress, dashboard summary - Notification config: CRUD with upsert, test endpoint, Slack/email/webhook channels - Grafana normalizer: severity mapping (critical/warning/info) - Data layer: withTenant() RLS wrapper, Zod config validation - Fastify server entry point with cors/helmet 2026-03-01 03:04:57 +00:00			`LOG_LEVEL: z.string().default('info'),`
			`});`

			`export const config = envSchema.parse(process.env);`
			`export type Config = z.infer<typeof envSchema>;`