Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks

Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path

Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'

Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue

Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build

All 6 projects compile clean (tsc --noEmit).

products/05-aws-cost-anomaly/src/index.ts

@@ -2,8 +2,8 @@ import Fastify from 'fastify';
 import cors from '@fastify/cors';
 import pino from 'pino';
 import { config } from './config/index.js';
-import { pool } from './data/db.js';
-import { registerAuth, registerAuthRoutes } from './auth/middleware.js';
+import { getPoolForAuth } from './data/db.js';
+import { authHook, decorateAuth, registerAuthRoutes, registerProtectedAuthRoutes } from './auth/middleware.js';
 import { registerAnomalyRoutes } from './api/anomalies.js';
 import { registerBaselineRoutes } from './api/baselines.js';
 import { registerGovernanceRoutes } from './api/governance.js';
@@ -15,16 +15,25 @@ const app = Fastify({ logger: true });
 
 await app.register(cors, { origin: config.CORS_ORIGIN });
 
-registerAuth(app, config.JWT_SECRET, pool);
+const pool = getPoolForAuth();
+decorateAuth(app);
 
-app.get('/health', async () => ({ status: 'ok', service: 'dd0c-cost' } /* v:c4ec43c */));
+// Public routes (no auth)
+app.get('/health', async () => ({ status: 'ok', service: 'dd0c-cost' }));
 app.get('/version', async () => ({ version: process.env.BUILD_SHA || 'dev', built: process.env.BUILD_TIME || 'unknown' }));
 
+// Auth routes (public - login/signup)
 registerAuthRoutes(app, config.JWT_SECRET, pool);
-registerIngestionRoutes(app);
-registerAnomalyRoutes(app);
-registerBaselineRoutes(app);
-registerGovernanceRoutes(app);
+
+// Protected routes (auth required)
+app.register(async function protectedRoutes(protectedApp) {
+  protectedApp.addHook('onRequest', authHook(config.JWT_SECRET, pool));
+  registerProtectedAuthRoutes(protectedApp, config.JWT_SECRET, pool);
+  registerIngestionRoutes(protectedApp);
+  registerAnomalyRoutes(protectedApp);
+  registerBaselineRoutes(protectedApp);
+  registerGovernanceRoutes(protectedApp);
+});
 
 try {
   await app.listen({ port: config.PORT, host: '0.0.0.0' });
@@ -33,6 +42,3 @@ try {
   logger.fatal(err, 'Failed to start');
   process.exit(1);
 }
-// Build: 2026-03-01T06:43:58Z
-// CI: 2026-03-01T06:52:14Z
-// CI fix: 06:56