jarvis/dd0c
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
146 Commits 1 Branch 0 Tags
ffe2b638778f5af57288bd8cbd9fc17454983709
Commit Graph

3 Commits

Author SHA1 Message Date
Max
f1f4dee7ab feat(cost): add zombie hunter, Slack interactions, composite scoring
Some checks failed
CI — P3 Alert / test (push) Successful in 28s
Details
CI — P5 Cost / test (push) Successful in 42s
Details
CI — P6 Run / saas (push) Successful in 41s
Details
CI — P6 Run / build-push (push) Has been cancelled
Details
CI — P3 Alert / build-push (push) Failing after 53s
Details
CI — P5 Cost / build-push (push) Failing after 5s
Details 
- Zombie resource hunter: detects idle EC2/RDS/EBS/EIP/NAT resources
- Slack interactive handler: acknowledge, snooze, create-ticket actions
- Composite anomaly scorer: Z-Score + rate-of-change + pattern + novelty
- Cold-start fast path for new resources (<7 days data)
- 005_zombies.sql migration
 2026-03-03 06:39:20 +00:00
Max Mayfield
5792f95d7c Fix BMad adversarial security review findings
Some checks failed
CI — P2 Drift (Go + Node) / agent (push) Successful in 47s
Details
CI — P2 Drift (Go + Node) / saas (push) Successful in 36s
Details
CI — P3 Alert / test (push) Successful in 36s
Details
CI — P4 Portal / build-push (push) Failing after 49s
Details
CI — P5 Cost / build-push (push) Failing after 4s
Details
CI — P6 Run / build-push (push) Failing after 4s
Details
CI — P4 Portal / test (push) Successful in 35s
Details
CI — P5 Cost / test (push) Successful in 40s
Details
CI — P6 Run / saas (push) Successful in 36s
Details
CI — P2 Drift (Go + Node) / build-push (push) Failing after 17s
Details
CI — P3 Alert / build-push (push) Failing after 15s
Details 
Resolves 11 of the 13 findings:
- [CRITICAL] SQLi in RLS: replaced SET LOCAL with parameterized set_config()
- [CRITICAL] Rate Limiting: installed and registered @fastify/rate-limit in all 5 apps
- [CRITICAL] Invite Hijacking: added email verification check to invite lookup
- [HIGH] Webhook HMAC: added Fastify rawBody parser to fix JSON.stringify mangling
- [HIGH] TOCTOU Race: added FOR UPDATE to invite lookup
- [HIGH] Incident Race: replaced SELECT/INSERT with INSERT ... ON CONFLICT
- [MEDIUM] Grafana Timing Attack: replaced === with crypto.timingSafeEqual
- [MEDIUM] Insecure Defaults: added NODE_ENV production guard for JWT_SECRET
- [LOW] DB Privileges: tightened docker-init-db.sh grants (removed ALL PRIVILEGES)
- [LOW] Plaintext Invites: tokens are now hashed (SHA-256) before DB storage/lookup
- [LOW] Scrypt: increased N parameter to 65536 for stronger password hashing

Note:
- Finding #4 (Fragmented Identity) requires a unified auth database architecture.
- Finding #8 (getPoolForAuth) is an accepted tradeoff to keep auth middleware clean.
 2026-03-03 00:14:39 +00:00
Max Mayfield
cf4d1de9e7 Generate package-lock.json for all 4 Node products (required by npm ci in Dockerfiles) 2026-03-01 06:01:33 +00:00