322a8d6a91
Console nginx reverse proxy: route API calls to backend services
...
Console on :3010 now proxies all /api/v1/* requests to the correct
backend service via Docker Compose service names (drift, alert, portal,
cost, run). No CORS issues, no client-side port config needed.
2026-03-03 00:37:40 +00:00
5a1e287ab6
Add console + marketing site to Docker Compose and build-push
...
- Console: nginx SPA on port 3010, image reg.dd0c.net/dd0c-console
- Marketing: nginx static on port 3011, image reg.dd0c.net/dd0c-marketing
- Dockerfiles + .dockerignore for both
- build-push.sh updated to include console + marketing targets
2026-03-03 00:36:48 +00:00
5792f95d7c
Fix BMad adversarial security review findings
...
CI — P2 Drift (Go + Node) / agent (push) Successful in 47s
CI — P2 Drift (Go + Node) / saas (push) Successful in 36s
CI — P3 Alert / test (push) Successful in 36s
CI — P4 Portal / build-push (push) Failing after 49s
CI — P5 Cost / build-push (push) Failing after 4s
CI — P6 Run / build-push (push) Failing after 4s
CI — P4 Portal / test (push) Successful in 35s
CI — P5 Cost / test (push) Successful in 40s
CI — P6 Run / saas (push) Successful in 36s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 17s
CI — P3 Alert / build-push (push) Failing after 15s
Resolves 11 of the 13 findings:
- [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config()
- [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps
- [CRITICAL] Invite Hijacking: added email verification check to invite lookup
- [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling
- [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup
- [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT
- [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual
- [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET
- [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES)
- [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup
- [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing
Note:
- Finding #4 (Fragmented Identity) requires a unified auth database architecture.
- Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean.
2026-03-03 00:14:39 +00:00
eb953cdea5
Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks
...
CI — P2 Drift (Go + Node) / agent (push) Successful in 43s
CI — P2 Drift (Go + Node) / saas (push) Failing after 5s
CI — P3 Alert / test (push) Failing after 4s
CI — P4 Portal / test (push) Failing after 4s
CI — P5 Cost / test (push) Failing after 4s
CI — P6 Run / saas (push) Failing after 5s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 7s
CI — P3 Alert / build-push (push) Has been skipped
CI — P4 Portal / build-push (push) Has been skipped
CI — P5 Cost / build-push (push) Has been skipped
CI — P6 Run / build-push (push) Failing after 5s
Phase 1 (Security Critical):
- Auth plugin encapsulation: replaced global addHook with Fastify plugin scope
- Removed startsWith URL matching; public routes registered outside auth scope
- JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion)
- Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead
- withTenant() remains primary tenant-scoped query path
Phase 2 (Infrastructure):
- docker-compose.yml: all secrets via env var substitution (${VAR:-default})
- Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh
- .env.example with all configurable secrets
- build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded
- .gitignore excludes .env files
- @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup
- CORS_ORIGIN default changed from '*' to 'http://localhost:5173 '
Phase 3 (Product):
- Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id
- Signup accepts optional invite_token to join existing tenant
- Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue
Console:
- All 5 product modules wired: drift, alert, portal, cost, run
- PageHeader accepts children prop
- 71 modules, 70KB gzipped production build
All 6 projects compile clean (tsc --noEmit).
2026-03-02 23:53:55 +00:00
be3f37cfdd
Fix CRITICAL auth bypass: exact match for login/signup paths
...
CI — P2 Drift (Go + Node) / agent (push) Successful in 45s
CI — P2 Drift (Go + Node) / saas (push) Successful in 28s
CI — P3 Alert / test (push) Successful in 24s
CI — P4 Portal / test (push) Successful in 27s
CI — P5 Cost / test (push) Successful in 26s
CI — P6 Run / saas (push) Successful in 25s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 46s
CI — P3 Alert / build-push (push) Failing after 38s
CI — P4 Portal / build-push (push) Failing after 50s
CI — P5 Cost / build-push (push) Failing after 22s
CI — P6 Run / build-push (push) Failing after 1m3s
startsWith('/api/v1/auth/login') allowed any path with that prefix
to bypass authentication (e.g. /api/v1/auth/login-anything).
Changed to exact path match with query string stripping.
Fixed across all 5 products + shared/auth.ts.
2026-03-02 20:35:28 +00:00
dac6376fb2
Add dd0c Console — modular React dashboard with drift module
...
- Vite + React + TypeScript + Tailwind CSS
- Shell: auth provider, entitlement gate, dynamic sidebar
- Shared components: Button, Card, Table, Badge, Modal, EmptyState, PageHeader
- Drift module: dashboard, detail view, report viewer
- Module manifest pattern for pluggable product UIs
- Dockerfile: multi-stage node:22-slim → nginx:alpine
- 189KB JS + 17KB CSS (65KB gzipped)
2026-03-02 20:30:33 +00:00
3be37d1293
Skip auth on /version endpoint (same as /health)
CI — P2 Drift (Go + Node) / agent (push) Successful in 9s
CI — P3 Alert / test (push) Successful in 21s
CI — P2 Drift (Go + Node) / saas (push) Successful in 35s
CI — P4 Portal / test (push) Successful in 25s
CI — P5 Cost / test (push) Successful in 37s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 3s
CI — P6 Run / saas (push) Successful in 22s
CI — P3 Alert / build-push (push) Failing after 3s
CI — P4 Portal / build-push (push) Failing after 2s
CI — P5 Cost / build-push (push) Failing after 2s
CI — P6 Run / build-push (push) Failing after 3s
2026-03-02 13:54:46 +00:00
5bad2481ae
Add /version endpoint to all products + BUILD_SHA/BUILD_TIME in Dockerfiles
CI — P2 Drift (Go + Node) / saas (push) Successful in 34s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 4s
CI — P3 Alert / build-push (push) Failing after 3s
CI — P6 Run / saas (push) Successful in 23s
CI — P4 Portal / build-push (push) Failing after 2s
CI — P2 Drift (Go + Node) / agent (push) Successful in 17s
CI — P3 Alert / test (push) Successful in 21s
CI — P5 Cost / test (push) Successful in 24s
CI — P4 Portal / test (push) Successful in 38s
CI — P5 Cost / build-push (push) Failing after 3s
CI — P6 Run / build-push (push) Failing after 2s
2026-03-02 13:53:15 +00:00
c4ec43cb76
Add CI build-push jobs targeting reg.dd0c.net with docker login + deploy
CI — P2 Drift (Go + Node) / saas (push) Successful in 26s
CI — P2 Drift (Go + Node) / agent (push) Successful in 53s
CI — P3 Alert / test (push) Successful in 26s
CI — P5 Cost / test (push) Successful in 22s
CI — P4 Portal / test (push) Successful in 38s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 4s
CI — P3 Alert / build-push (push) Failing after 2s
CI — P6 Run / saas (push) Successful in 22s
CI — P5 Cost / build-push (push) Failing after 2s
CI — P4 Portal / build-push (push) Failing after 3s
CI — P6 Run / build-push (push) Failing after 2s
2026-03-02 13:48:10 +00:00
6b045637be
Switch registry to reg.dd0c.net (HTTPS on 443)
2026-03-02 13:31:11 +00:00
09eb22af62
Add comprehensive API reference doc for all 6 products
2026-03-02 05:42:27 +00:00
6181727406
Add docker login to build-push.sh and watch-loop.sh for registry auth (HTTP secret)
2026-03-02 05:40:02 +00:00
ee11ef9e9b
Remove build-push from CI — Nas runner lacks Docker socket inside containers
...
Build+push must happen on the NAS host via watch-loop.sh or build-push.sh
2026-03-02 05:35:46 +00:00
18d476f7a0
Target Nas runner (ubuntu-24.04) for build-push jobs — sandbox lacks Docker
CI — P2 Drift (Go + Node) / saas (push) Successful in 24s
CI — P2 Drift (Go + Node) / agent (push) Successful in 53s
CI — P3 Alert / test (push) Successful in 27s
CI — P5 Cost / test (push) Successful in 23s
CI — P4 Portal / test (push) Successful in 37s
CI — P6 Run / saas (push) Successful in 25s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 17s
CI — P3 Alert / build-push (push) Failing after 17s
CI — P5 Cost / build-push (push) Failing after 11s
CI — P4 Portal / build-push (push) Failing after 14s
CI — P6 Run / build-push (push) Failing after 13s
2026-03-02 05:32:04 +00:00
2df0ce2fff
Trigger CI build+push to populate registry at 192.168.86.11:30095
CI — P4 Portal / test (push) Successful in 36s
CI — P6 Run / saas (push) Successful in 22s
CI — P3 Alert / build-push (push) Failing after 1s
CI — P5 Cost / build-push (push) Failing after 0s
CI — P6 Run / build-push (push) Failing after 0s
CI — P2 Drift (Go + Node) / saas (push) Successful in 27s
CI — P2 Drift (Go + Node) / agent (push) Successful in 52s
CI — P3 Alert / test (push) Successful in 26s
CI — P5 Cost / test (push) Successful in 24s
CI — P4 Portal / build-push (push) Failing after 0s
CI — P2 Drift (Go + Node) / build-push (push) Failing after 41s
2026-03-02 05:29:03 +00:00
6b79d3cbc9
Switch to Brian's registry at 192.168.86.11:30095, add CI build+push+deploy jobs
...
- All services pull from 192.168.86.11:30095 instead of localhost:5000
- Removed self-hosted registry container (Brian runs his own)
- CI workflows: test → build → push to registry → deploy
- build-push.sh and watch-loop.sh updated with new registry address
2026-03-02 05:28:35 +00:00
1ea42bbb87
Restore build: directives alongside image: tags — allows both local build and registry pull
2026-03-02 05:21:33 +00:00
17ec444dcd
Update README: local registry workflow, smart watch-loop, test commands, fix cost port
2026-03-02 05:18:49 +00:00
551a5c4158
Remove build-push from CI (runners lack Docker access); watch-loop.sh handles it on NAS
2026-03-02 05:17:21 +00:00
21bf967e76
Add smart watch-loop.sh: detects changed products, builds only what changed, pushes to registry
2026-03-02 05:16:58 +00:00
41e016e9a6
Add local Docker registry: registry:2 on :5000, build-push.sh, CI auto-deploy
...
- docker-compose services now pull from localhost:5000 instead of building locally
- build-push.sh builds + pushes all 5 Node images to local registry
- CI workflows get build-push job: test → build → push → deploy
- Deploy becomes: docker compose pull && docker compose up -d
- Eliminates silent git pull + stale Docker cache issues
2026-03-02 05:15:37 +00:00
2c9408b1df
Fix indentation on registerWebhookSecretRoutes call
CI — P3 Alert / test (push) Successful in 23s
2026-03-02 05:11:37 +00:00
571a93953d
Fix integration test ordering: move new tests before exit, add runbook execution flow
2026-03-02 05:07:59 +00:00
aea88065b4
Extend integration tests: webhook secrets CRUD + drift report submission/history/deletion
2026-03-02 05:04:11 +00:00
c537022fa8
Add drift report submission + stack deletion endpoints to P2
CI — P2 Drift (Go + Node) / saas (push) Successful in 25s
CI — P2 Drift (Go + Node) / agent (push) Successful in 43s
2026-03-02 05:03:34 +00:00
9f46b84257
Add API to manage webhook secrets for alert integrations
CI — P3 Alert / test (push) Successful in 15s
2026-03-02 05:00:40 +00:00
9d33c536d5
Add Fly.io deployment script with shared Postgres/Redis, custom domains, auto-stop
2026-03-02 04:57:50 +00:00
380a1b44d5
Fix integration-test.sh payloads to match correct Zod schemas and Fastify empty body requirements
2026-03-02 04:49:30 +00:00
4eda9d7be3
Add .dockerignore to all Node products (skip node_modules/dist/tests in build context)
CI — P2 Drift (Go + Node) / saas (push) Successful in 25s
CI — P2 Drift (Go + Node) / agent (push) Successful in 52s
CI — P3 Alert / test (push) Successful in 29s
CI — P5 Cost / test (push) Successful in 23s
CI — P4 Portal / test (push) Successful in 36s
CI — P6 Run / saas (push) Successful in 21s
2026-03-02 04:45:57 +00:00
d175c3a6e7
Clean up drift: restore Dockerfile name, remove cache bust artifacts
CI — P2 Drift (Go + Node) / agent (push) Successful in 14s
CI — P2 Drift (Go + Node) / saas (push) Successful in 28s
2026-03-02 04:45:12 +00:00
e0b84f5481
Fix drift SET LOCAL: use string interpolation with UUID validation (SET doesn't support params)
CI — P2 Drift (Go + Node) / agent (push) Successful in 15s
CI — P2 Drift (Go + Node) / saas (push) Successful in 29s
2026-03-02 03:59:26 +00:00
d55162a047
Force drift rebuild: explicit image tag dd0c-drift:v2
2026-03-02 00:21:12 +00:00
364e411e69
Nuclear cache bust: rename drift Dockerfile to Dockerfile.v2
CI — P2 Drift (Go + Node) / saas (push) Successful in 25s
CI — P2 Drift (Go + Node) / agent (push) Successful in 42s
2026-03-02 00:14:43 +00:00
00aaf1a941
Force drift rebuild: add CACHE_BUST build arg to Dockerfile + docker-compose
CI — P2 Drift (Go + Node) / agent (push) Successful in 10s
CI — P2 Drift (Go + Node) / saas (push) Successful in 27s
2026-03-01 23:06:19 +00:00
cbc9e01807
Cache bust: force drift image rebuild to pick up auth middleware
CI — P2 Drift (Go + Node) / saas (push) Successful in 26s
CI — P2 Drift (Go + Node) / agent (push) Successful in 44s
2026-03-01 22:59:34 +00:00
0da2f77035
Fix smoke-test.sh: correct port parsing, webhook slug path, 404 as valid response, arithmetic safety
2026-03-01 22:40:29 +00:00
81d03c1735
Fix tenant slug collision: append random hex suffix to prevent 23505 on duplicate tenant names
CI — P2 Drift (Go + Node) / saas (push) Successful in 34s
CI — P2 Drift (Go + Node) / agent (push) Successful in 1m6s
CI — P3 Alert / test (push) Successful in 37s
CI — P5 Cost / test (push) Successful in 29s
CI — P4 Portal / test (push) Successful in 48s
CI — P6 Run / saas (push) Successful in 25s
2026-03-01 22:36:21 +00:00
e0d3a3c043
Add auth middleware to P2 Drift (signup/login/API keys), remove pino-pretty dev transport
CI — P2 Drift (Go + Node) / agent (push) Successful in 53s
CI — P2 Drift (Go + Node) / saas (push) Successful in 52s
2026-03-01 22:24:18 +00:00
23fda04854
Add waitlist modal to marketing site (all 7 pages) — triggers on #waitlist links, Formspree-ready
2026-03-01 22:09:35 +00:00
580872f059
Fix docker-compose: add NODE_ENV=production to all services (drift crashes on pino-pretty in dev mode)
2026-03-01 20:41:47 +00:00
d6d8de16db
Fix docker-compose: remap Postgres from :5432 to :5433 (5432 already in use on NAS)
2026-03-01 20:34:49 +00:00
362c94af33
Fix Node Dockerfiles: npm ci --include=dev so tsc is available in builder stage
CI — P2 Drift (Go + Node) / saas (push) Successful in 34s
CI — P3 Alert / test (push) Successful in 38s
CI — P4 Portal / test (push) Successful in 38s
CI — P6 Run / saas (push) Successful in 39s
CI — P2 Drift (Go + Node) / agent (push) Successful in 1m15s
CI — P5 Cost / test (push) Successful in 1m7s
2026-03-01 19:31:44 +00:00
aec0d62787
docker-compose: put Rust services behind 'rust' profile so Node services start independently
...
docker compose up -d → starts Node services only (fast)
docker compose --profile rust up -d → starts everything including Rust (slow build)
2026-03-01 19:15:49 +00:00
6c97ce0547
Fix docker-compose: remap P5 cost from :3005 to :3007 (3005 is Gitea)
2026-03-01 19:07:52 +00:00
a8a8c53917
cargo fmt: format all Rust source files
CI — P1 Route (Rust) / test (push) Successful in 6m35s
2026-03-01 17:53:28 +00:00
00db59ff83
Fix Dockerfile: bump Rust 1.79 -> 1.85 (edition2024 support)
CI — P1 Route (Rust) / test (push) Failing after 7m12s
2026-03-01 17:44:41 +00:00
435b5b1a3b
Fix Dockerfile: copy benches/ dir so Cargo.toml bench entry resolves
CI — P1 Route (Rust) / test (push) Failing after 6m56s
2026-03-01 17:34:12 +00:00
0a3173c6a9
Fix P1 Rust: all clippy warnings resolved, all tests passing
...
CI — P1 Route (Rust) / test (push) Has been cancelled
- Fixed struct field references (_org_id, _config) in constructors
- Added chrono::Weekday import in test module
- cargo clippy --workspace -- -D warnings: CLEAN
- cargo test --workspace: 5/5 passing
2026-03-01 17:28:41 +00:00
4b6292e0c3
Fix P1 Rust: remove all unused imports, variables, and fields across api/worker bins
CI — P1 Route (Rust) / test (push) Failing after 3m48s
2026-03-01 17:15:31 +00:00
6e044809d4
Fix P1 Rust: repair mangled auth lines, fix _jwt_secret constructor
CI — P1 Route (Rust) / test (push) Failing after 6m52s
2026-03-01 17:04:02 +00:00
