40 Commits

Author	SHA1	Message	Date
Max	47a64d53fd	fix: align backend API routes with console frontend contract	2026-03-03 06:09:41 +00:00
Protocol dd0c Agent	76715d169e	fix: RLS auth bypass for signup/login flows ... - Add set_config('app.tenant_id') before user INSERT in signup tx - Add 004_auth_rls_fix.sql: permissive SELECT on users/api_keys for auth lookups, INSERT on users with tenant context check - db-setup now runs migrations on every up (idempotent)	2026-03-03 05:38:25 +00:00
Protocol dd0c Agent	1d068c3f75	fix: add maxmem to scrypt params (128MB) ... Node's OpenSSL defaults to 32MB scrypt memory limit but N=65536/r=8/p=1 needs ~64MB. Adds maxmem: 128*1024*1024 to all 5 services' hash and verify functions.	2026-03-03 05:11:37 +00:00
Max Mayfield	5792f95d7c	Fix BMad adversarial security review findings ... Resolves 11 of the 13 findings: - [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config() - [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps - [CRITICAL] Invite Hijacking: added email verification check to invite lookup - [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling - [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup - [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT - [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual - [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET - [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES) - [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup - [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing Note: - Finding #4 (Fragmented Identity) requires a unified auth database architecture. - Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean.	2026-03-03 00:14:39 +00:00
Max Mayfield	eb953cdea5	Security hardening: auth encapsulation, pool restriction, rate limiting, invites, async webhooks ... Phase 1 (Security Critical): - Auth plugin encapsulation: replaced global addHook with Fastify plugin scope - Removed startsWith URL matching; public routes registered outside auth scope - JWT verify now enforces algorithms: ['HS256'] (prevents algorithm confusion) - Raw pool no longer exported from db.ts; systemQuery() + getPoolForAuth() instead - withTenant() remains primary tenant-scoped query path Phase 2 (Infrastructure): - docker-compose.yml: all secrets via env var substitution (${VAR:-default}) - Per-service Postgres users (dd0c_drift, dd0c_alert, etc.) in docker-init-db.sh - .env.example with all configurable secrets - build-push.sh uses $REGISTRY_PASSWORD instead of hardcoded - .gitignore excludes .env files - @fastify/rate-limit: 100 req/min global, 5/min login, 3/min signup - CORS_ORIGIN default changed from '*' to 'http://localhost:5173' Phase 3 (Product): - Team invite flow: tenant_invites table, POST /invite, GET /invites, DELETE /invites/:id - Signup accepts optional invite_token to join existing tenant - Async webhook ingestion (P3): LPUSH to Redis, BRPOP worker, dead-letter queue Console: - All 5 product modules wired: drift, alert, portal, cost, run - PageHeader accepts children prop - 71 modules, 70KB gzipped production build All 6 projects compile clean (tsc --noEmit).	2026-03-02 23:53:55 +00:00
Max Mayfield	be3f37cfdd	Fix CRITICAL auth bypass: exact match for login/signup paths ... startsWith('/api/v1/auth/login') allowed any path with that prefix to bypass authentication (e.g. /api/v1/auth/login-anything). Changed to exact path match with query string stripping. Fixed across all 5 products + shared/auth.ts.	2026-03-02 20:35:28 +00:00
Max Mayfield	3be37d1293	Skip auth on /version endpoint (same as /health)	2026-03-02 13:54:46 +00:00
Max Mayfield	5bad2481ae	Add /version endpoint to all products + BUILD_SHA/BUILD_TIME in Dockerfiles	2026-03-02 13:53:15 +00:00
Max Mayfield	c4ec43cb76	Add CI build-push jobs targeting reg.dd0c.net with docker login + deploy	2026-03-02 13:48:10 +00:00
Max Mayfield	18d476f7a0	Target Nas runner (ubuntu-24.04) for build-push jobs — sandbox lacks Docker	2026-03-02 05:32:04 +00:00
Max Mayfield	2df0ce2fff	Trigger CI build+push to populate registry at 192.168.86.11:30095	2026-03-02 05:29:03 +00:00
Max Mayfield	4eda9d7be3	Add .dockerignore to all Node products (skip node_modules/dist/tests in build context)	2026-03-02 04:45:57 +00:00
Max Mayfield	81d03c1735	Fix tenant slug collision: append random hex suffix to prevent 23505 on duplicate tenant names	2026-03-01 22:36:21 +00:00
Max Mayfield	362c94af33	Fix Node Dockerfiles: npm ci --include=dev so tsc is available in builder stage	2026-03-01 19:31:44 +00:00
Max Mayfield	27a89ee2b7	Trigger CI with tsc fix	2026-03-01 06:56:00 +00:00
Max Mayfield	3e68e8871d	Trigger CI for P2-SaaS, P4, P5, P6	2026-03-01 06:52:14 +00:00
Max Mayfield	68140881e0	Trigger CI for P3-P6 Node products	2026-03-01 06:43:58 +00:00
Max Mayfield	6403e7a3bf	Move CI workflows to repo root .gitea/workflows/ (Gitea requires root location) ... - 6 per-product CI workflows with path filters - P1: Rust (cargo test + clippy + fmt) - P2: Go agent (go test + vet) + Node SaaS (tsc + npm test) - P3-P6: Node (npm ci + tsc + npm test) - Removed old per-product .gitea dirs (Gitea ignores non-root workflows)	2026-03-01 06:19:42 +00:00
Max Mayfield	4146f1c4d0	Fix TypeScript compilation errors across P3-P6 ... - jwt.sign: explicit SignOptions cast for expiresIn (all 4 products) - ioredis: use named import { Redis } instead of default (P4, P6) - P4 catalog/service: fix import paths for aws-scanner and github-scanner - P4 discovery: pass pool to ScheduledDiscovery constructor - P6 agent-bridge: add explicit types for Redis message callback params - All 4 Node products now compile cleanly with tsc --noEmit	2026-03-01 06:06:31 +00:00
Max Mayfield	cf4d1de9e7	Generate package-lock.json for all 4 Node products (required by npm ci in Dockerfiles)	2026-03-01 06:01:33 +00:00
Max Mayfield	228eebf52b	Implement P6 agent Run command: YAML parse → classify → execute with approval gates ... - Full runbook execution loop: parse YAML, validate required variables, merge defaults - Variable substitution via --var key=value CLI args - Safety-gated execution: read-only auto-approved, modifying/destructive prompt on stdin - Failure handling: abort, continue, retry with max_attempts - Removed Verify subcommand (Ed25519 deferred to post-V1)	2026-03-01 04:15:25 +00:00
Max Mayfield	c5f4246fe9	Implement P6 TODO stubs: runbook CRUD, execution triggers, approval flow, Slack bot ... - Runbooks: list (paginated), get, create (with step counting), archive - Executions: trigger with dry_run + variables, history, detail with audit trail - Approvals: list pending, approve/reject with Redis pub/sub notification to agent - Slack bot: approve_step/reject_step button handlers with DB updates + agent bridge - All routes use withTenant() RLS	2026-03-01 03:21:06 +00:00
Max Mayfield	5ee869b9d8	Implement auth: login/signup (scrypt), API key generation, shared migration ... - Login: email + password lookup, scrypt verify, JWT token - Signup: create tenant + owner user in transaction, slug generation - API key: dd0c_ prefix, SHA-256 hash (not bcrypt — faster for API key lookups), prefix index - Scrypt over bcrypt: zero native deps, Node.js built-in crypto - Auth routes skip JWT middleware (login/signup are public) - 002_auth.sql: users + api_keys tables with RLS, copied to all products - Synced auth middleware to P3/P4/P5/P6	2026-03-01 03:19:18 +00:00
Max Mayfield	2c112b2fb1	Add vitest configs for P2-P6	2026-03-01 03:16:58 +00:00
Max Mayfield	2ceeac1a11	Add P2 SaaS CI, P4 scheduled discovery, P6 agent bridge (Redis pub/sub), Caddyfile ... - P2: Gitea Actions CI for SaaS backend (separate from Go agent CI) - P4: ScheduledDiscovery with Redis distributed lock to prevent concurrent scans - P6: AgentBridge — Redis pub/sub for SaaS↔agent communication (approvals + step results) - Caddyfile: self-hosted reverse proxy with auto-TLS for all 6 products	2026-03-01 03:16:33 +00:00
Max Mayfield	bbbea3519e	Add unit tests for P2 SaaS, P3 notifications, P4 search, P5 ingestion, P6 API ... - P2: nonce validation, severity levels, RLS withTenant - P3: notification dispatcher severity gating, Slack Block Kit emoji mapping - P4: Meilisearch fallback, service CRUD validation, staged update actions - P5: cost ingestion validation, snooze range, optimistic locking - P6: runbook API validation, approval decisions, execution status machine, Slack signature	2026-03-01 03:15:31 +00:00
Max Mayfield	3326d9a714	Add .gitignore files for P2-P6	2026-03-01 03:14:37 +00:00
Max Mayfield	b41cdd1db9	Fix P6 agent: add serde_yaml dep, make modules public for integration tests	2026-03-01 03:13:26 +00:00
Max Mayfield	829e408e1e	Add notification dispatchers (P3 Slack/Email/Webhook, P5 Slack), full YAML parser for P6 ... - P3 alert: NotificationDispatcher with Slack Block Kit, Resend email, generic webhook; severity-gated dispatch - P5 cost: CostSlackNotifier with anomaly Block Kit (score, deviation, snooze/expected buttons) - P6 run: Full YAML runbook parser with serde_yaml, variable substitution ({{var}}), failure actions, 7 tests - P6 parser: validates non-empty steps, default timeout (300s), default abort on failure	2026-03-01 03:13:06 +00:00
Max Mayfield	f2e0a32cc7	Wire auth middleware into all products, add docker-compose and init-db script ... - Auth middleware (JWT + API key + RBAC) copied into P3/P4/P5/P6 - All server entry points now register auth hooks + auth routes - Webhook and Slack endpoints skip JWT auth (use HMAC/signature) - docker-compose.yml: shared Postgres + Redis + Meilisearch, all 4 Node products as services - init-db.sh: creates per-product databases and runs migrations - P1 (Rust) and P2 (Go agent) run standalone, not in compose	2026-03-01 03:10:35 +00:00
Max Mayfield	2bbaa1efde	Add missing configs: CI workflows, tsconfigs, data layers for P4/P5/P6	2026-03-01 03:07:33 +00:00
Max Mayfield	57e7083986	Scaffold dd0c/run: Rust agent (classifier, executor, audit) + TypeScript SaaS ... - Rust agent: clap CLI, command classifier (read-only/modifying/destructive), executor with approval gates, audit log entries - Classifier: pattern-based safety classification for shell, AWS, kubectl, terraform/tofu commands - 6 Rust tests: read-only, destructive, modifying, empty, terraform apply, tofu destroy - SaaS backend: Fastify server, runbook CRUD API, approval API, Slack interactive handler - Slack integration: signature verification, block_actions for approve/reject buttons - PostgreSQL schema with RLS: runbooks, executions, audit_entries (append-only), agents - Dual Dockerfiles: Rust multi-stage (agent), Node multi-stage (SaaS) - Gitea Actions CI: Rust test+clippy, Node typecheck+test - Fly.io config for SaaS	2026-03-01 03:03:29 +00:00
Max Mayfield	72a0f26a7b	Add BMad review epic addendums for all 6 products ... Per-product surgical additions to existing epics (not cross-cutting): - P1 route: 8pts (key redaction, SSE billing, token math, CI runner) - P2 drift: 12pts (mTLS revocation, state lock recovery, pgmq visibility, RLS leak, entropy scrubber) - P3 alert: 10pts (HMAC replay, claim-check, out-of-order correlation, free tier, tenant isolation) - P4 portal: 9pts (partial scan recovery, ownership conflicts, Meilisearch rebuild, VCR freshness, free tier) - P5 cost: 7pts (concurrent baselines, remediation RBAC, Clock interface, property tests, Redis fallback) - P6 run: 15pts (shell AST parsing, canary suite, intervention TTL, streaming audit, crypto signatures) Total: 61 story points across 30 new stories	2026-03-01 02:27:55 +00:00
Max Mayfield	d038cd9c5c	Implement BMad Must-Have Before Launch fixes for all 6 products ... P1: API key redaction, SSE billing leak, token math edge cases, CI runner config P2: mTLS revocation lockout, terraform state lock recovery, RLS pool leak, entropy scrubber, pgmq visibility P3: HMAC replay prevention, cross-tenant negative tests, correlation window edge cases, SQS claim-check, free tier P4: Discovery partial failure recovery, ownership conflict integration test, VCR freshness CI, Meilisearch rebuild, Cmd+K latency P5: Concurrent baseline conflicts, remediation RBAC, Clock interface for governance, 10K property-based runs, Redis panic fallback P6: Cryptographic agent update signatures, streaming audit logs with WAL, shell AST parsing (mvdan/sh), intervention deadlock TTL, canary suite CI gate	2026-03-01 02:14:04 +00:00
Max Mayfield	b24cfa7c0d	BMad code reviews complete for all 6 products ... P1 route: Gemini — 'Ship the proxy, stop writing tests for the tests' P2 drift: Gemini — mTLS revocation, state lock corruption, RLS pool leak P3 alert: Gemini — replay attacks, trace propagation, SQS claim-check P4 portal: Manual — discovery reliability is existential risk P5 cost: Manual — concurrent baselines, remediation RBAC, pricing staleness P6 run: Gemini — policy update loophole, AST parsing, audit streaming	2026-03-01 02:09:19 +00:00
Max Mayfield	c3bafa238a	Add dual-mode deployment addendums for all 6 products ... P1 route: 16 pts (template, full docker-compose + install script) P2 drift: 17 pts (pgmq, local CA for mTLS) P3 alert: 19 pts (Lambda→Fastify, DynamoDB→PG JSONB) P4 portal: 18 pts (Step Functions→cron, Aurora→PG+pgvector) P5 cost: 19 pts (EventBridge→agent/polling, DynamoDB→PG JSONB) P6 run: 15 pts (easiest — already PG-native, no AWS deps in core) Total self-hosted effort: ~104 story points across all 6 products	2026-03-01 02:00:00 +00:00
Max Mayfield	4938674c20	Phase 3: BDD acceptance specs for P2 (drift), P3 (alert), P6 (run) ... P2: 2,245 lines, 10 epics — Sonnet subagent (8min) P3: 1,653 lines, 10 epics — Sonnet subagent (6min) P6: 2,303 lines, 262 scenarios, 10 epics — Sonnet subagent (7min) P4 (portal) still in progress	2026-03-01 01:54:35 +00:00
Max Mayfield	03bfe931fc	Implement review remediation + PLG analytics SDK ... - All 6 test architectures patched with Section 11 addendums - P5 (cost) fully rewritten from 232 to ~600 lines - PLG brainstorm + party mode advisory board results - Analytics SDK v2 (PostHog Cloud, Zod strict, Lambda-safe) - Analytics tests v2 (safeParse, no , no timestamp, no PII) - Addresses all Gemini review findings across P1-P6	2026-03-01 01:42:49 +00:00
Max Mayfield	2fe0ed856e	Add Gemini TDD reviews for all 6 products ... P1, P2, P3, P4, P6 reviewed by Gemini subagents. P5 reviewed manually (Gemini credential errors). All reviews flag coverage gaps, anti-patterns, and Transparent Factory tenet gaps.	2026-03-01 00:29:24 +00:00
Max Mayfield	5ee95d8b13	dd0c: full product research pipeline - 6 products, 8 phases each ... Products: route, drift, alert, portal, cost, run Phases: brainstorm, design-thinking, innovation-strategy, party-mode, product-brief, architecture, epics (incl. Epic 10 TF compliance), test-architecture (TDD strategy) Brand strategy and market research included.	2026-02-28 17:35:02 +00:00