jarvis/dd0c
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
dd0c/products/03-alert-intelligence/test-architecture/bmad-review.md
Max Mayfield b24cfa7c0d BMad code reviews complete for all 6 products 
P1 route: Gemini — 'Ship the proxy, stop writing tests for the tests'
P2 drift: Gemini — mTLS revocation, state lock corruption, RLS pool leak
P3 alert: Gemini — replay attacks, trace propagation, SQS claim-check
P4 portal: Manual — discovery reliability is existential risk
P5 cost: Manual — concurrent baselines, remediation RBAC, pricing staleness
P6 run: Gemini — policy update loophole, AST parsing, audit streaming
2026-03-01 02:09:19 +00:00

3.3 KiB
Raw Permalink Blame History

dd0c/alert — BMad Code Review

Reviewer: BMad Code Review Agent (Gemini) Date: March 1, 2026

Severity-Rated Findings

🔴 Critical

  1. Ingestion Security: Replay Attack Vulnerability. HMAC tests validate signatures but don't enforce timestamp freshness. Datadog and PagerDuty have timestamp headers, but OpsGenie doesn't always package it cleanly. Without rejecting payloads older than ~5 minutes, an attacker can capture a valid webhook and spam the ingestion endpoint, blowing up SQS queues and Redis windows.

  2. Trace Propagation: Cross-SQS CI Verification. Checking that traceparent is attached to SQS MessageAttributes isn't enough. AWS SDKs often drop or mangle these when crossing into ECS. CI needs to assert on the reassembled trace tree — verify the ECS span registers as a child of the Lambda ingestion span, not a disconnected root span.

  3. Multi-tenancy: Confused Deputy Vulnerabilities. Partition key enforcement tests only check the happy path for a single tenant. Need explicit negative tests: insert data for Tenant A and Tenant B, query using Tenant A's JWT, explicitly assert Tenant B's data is undefined in the result set.

🟡 Important

  1. Correlation Quality: Out-of-Order Delivery. Tests likely simulate perfect chronological delivery. Distributed monitoring is messy. What happens if an alert from T-minus-30s arrives after the correlation window has closed and shipped the incident to SQS? Does it trigger a duplicate Slack ping, or correctly attach to the existing incident timeline?

  2. SQS 256KB: Claim-Check Edge Cases. Compression + S3 pointers is standard, but tests must cover: (a) S3 put/get latency causing Lambda timeouts, (b) orphaned S3 pointers without lifecycle rules, (c) ECS Fargate failing to fetch payload due to IAM boundary issues.

  3. Self-Hosted Mode: Behavioral Gaps. DynamoDB scales connections and handles TTL natively. PostgreSQL requires explicit connection pooling (PgBouncer) and manual partitioning/pruning. Lambda recycles memory; Fastify is persistent — a tiny memory leak in the correlation engine will crash Fastify but go unnoticed in Lambda. Test suite doesn't simulate long-running process memory limits or Postgres connection exhaustion.

V1 Cut List

  • Self-hosted mode / DB abstractions — pick AWS SaaS and commit. Supporting Postgres/Fastify doubles testing surface for zero immediate revenue.
  • Dashboard UI E2E (Playwright) — test the API thoroughly, visually verify the UI.
  • OTEL trace propagation tests — visually verify in Jaeger once.
  • DLQ replay with backpressure — manual replay is fine for V1.
  • Slack circuit breaker — if Slack is down, alerts queue. Accept it.

Must-Have Before Launch

  1. HMAC timestamp validation — reject payloads older than 5 minutes (all 4 sources).
  2. Cross-tenant negative tests — explicitly assert data isolation between tenants.
  3. Correlation window edge cases — out-of-order delivery, late arrivals after window close.
  4. SQS 256KB S3 pointer round-trip — prove the claim-check pattern works end-to-end.
  5. Free tier enforcement — 10K alerts/month counter, 7-day retention purge.
  6. Slack signature validation — timing-safe HMAC for interactive payloads.

"If you aren't testing for leakage, it will leak."

Reference in New Issue View Git Blame Copy Permalink