jarvis/dd0c
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
146 Commits 1 Branch 0 Tags
main
Commit Graph

5 Commits

Author SHA1 Message Date
Max
f1f4dee7ab feat(cost): add zombie hunter, Slack interactions, composite scoring
Some checks failed
CI — P3 Alert / test (push) Successful in 28s
Details
CI — P5 Cost / test (push) Successful in 42s
Details
CI — P6 Run / saas (push) Successful in 41s
Details
CI — P6 Run / build-push (push) Has been cancelled
Details
CI — P3 Alert / build-push (push) Failing after 53s
Details
CI — P5 Cost / build-push (push) Failing after 5s
Details 
- Zombie resource hunter: detects idle EC2/RDS/EBS/EIP/NAT resources
- Slack interactive handler: acknowledge, snooze, create-ticket actions
- Composite anomaly scorer: Z-Score + rate-of-change + pattern + novelty
- Cold-start fast path for new resources (<7 days data)
- 005_zombies.sql migration
 2026-03-03 06:39:20 +00:00
Protocol dd0c Agent
76715d169e fix: RLS auth bypass for signup/login flows
Some checks failed
CI — P2 Drift (Go + Node) / saas (push) Successful in 26s
Details
CI — P3 Alert / test (push) Successful in 23s
Details
CI — P6 Run / build-push (push) Failing after 15s
Details
CI — P2 Drift (Go + Node) / agent (push) Successful in 38s
Details
CI — P4 Portal / test (push) Successful in 34s
Details
CI — P5 Cost / test (push) Successful in 35s
Details
CI — P6 Run / saas (push) Successful in 33s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 50s
Details
CI — P3 Alert / build-push (push) Failing after 5s
Details
CI — P4 Portal / build-push (push) Failing after 51s
Details
CI — P5 Cost / build-push (push) Failing after 15s
Details 
- Add set_config('app.tenant_id') before user INSERT in signup tx
- Add 004_auth_rls_fix.sql: permissive SELECT on users/api_keys for
  auth lookups, INSERT on users with tenant context check
- db-setup now runs migrations on every up (idempotent)
 2026-03-03 05:38:25 +00:00
Max Mayfield
eb953cdea5 Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 43s
Details
CI — P2 Drift (Go + Node) / saas (push) Failing after 5s
Details
CI — P3 Alert / test (push) Failing after 4s
Details
CI — P4 Portal / test (push) Failing after 4s
Details
CI — P5 Cost / test (push) Failing after 4s
Details
CI — P6 Run / saas (push) Failing after 5s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 7s
Details
CI — P3 Alert / build-push (push) Has been skipped
Details
CI — P4 Portal / build-push (push) Has been skipped
Details
CI — P5 Cost / build-push (push) Has been skipped
Details
CI — P6 Run / build-push (push) Failing after 5s
Details 
Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path

Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173'

Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue

Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build

All 6 projects compile clean (tsc --noEmit).
 2026-03-02 23:53:55 +00:00
Max Mayfield
5ee869b9d8 Implement auth: login/signup (scrypt), API key generation, shared migration 
- Login: email + password lookup, scrypt verify, JWT token
- Signup: create tenant + owner user in transaction, slug generation
- API key: dd0c_ prefix, SHA-256 hash (not bcrypt — faster for API key lookups), prefix index
- Scrypt over bcrypt: zero native deps, Node.js built-in crypto
- Auth routes skip JWT middleware (login/signup are public)
- 002_auth.sql: users + api_keys tables with RLS, copied to all products
- Synced auth middleware to P3/P4/P5/P6
 2026-03-01 03:19:18 +00:00
Max Mayfield
ccc4cd1c32 Scaffold dd0c/alert: ingestion, correlation engine, HMAC validation, tests 
- Webhook ingestion: HMAC validation for Datadog/PagerDuty/OpsGenie with 5-min timestamp freshness
- Payload normalizers: canonical alert schema with severity mapping per provider
- Correlation engine: time-window grouping, late-alert attachment (2x window), FakeClock for testing
- InMemoryWindowStore for unit tests
- Tests: 12 HMAC validation cases, 5 normalizer cases, 7 correlation engine cases
- PostgreSQL schema with RLS: tenants, incidents, alerts, webhook_secrets, notification_configs
- Free tier enforcement columns (alert_count_month, reset_at)
- Fly.io config, Dockerfile, Gitea Actions CI
 2026-03-01 02:49:14 +00:00