@platformatic/watt-extra 1.12.0 → 1.13.0-alpha.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@platformatic/watt-extra",
-  "version": "1.12.0",
+  "version": "1.13.0-alpha.0",
   "description": "The Platformatic runtime manager",
   "type": "module",
   "scripts": {

package/plugins/alerts.js

@@ -130,7 +130,7 @@ async function alerts (app, _opts) {
         lastServicesAlertTime[serviceId] = currentTime
         delete healthInfo.healthConfig
 
-        const authHeaders = await app.getAuthorizationHeader()
+        const authHeaders = await app.getAuthorizationHeaders()
 
         const { statusCode, body } = await request(`${scalerUrl}/alerts`, {
           method: 'POST',

package/plugins/auth.js

@@ -3,6 +3,8 @@ import { Agent } from 'undici'
 
 const K8S_TOKEN_PATH = '/var/run/secrets/kubernetes.io/serviceaccount/token'
 
+// ── Helpers ────────────────────────────────────────────────────────────────
+
 function decodeJwtPayload (token) {
   try {
     if (!token) return null
@@ -10,7 +12,7 @@ function decodeJwtPayload (token) {
     if (!base64Payload) return null
     const payload = Buffer.from(base64Payload, 'base64').toString('utf8')
     return JSON.parse(payload)
-  } catch (err) {
+  } catch {
     return null
   }
 }
@@ -18,72 +20,115 @@ function decodeJwtPayload (token) {
 function isTokenExpired (token, offset = 0) {
   const payload = decodeJwtPayload(token)
   if (!payload || !payload.exp) return true
+  return payload.exp <= Math.floor(Date.now() / 1000) + offset
+}
 
-  // Check if token is expired
-  const currentTime = Math.floor(Date.now() / 1000)
-  return payload.exp <= (currentTime + offset)
+function detectProvider () {
+  if (process.env.ECS_CONTAINER_METADATA_URI_V4) return 'ecs'
+  if (process.env.KUBERNETES_SERVICE_HOST) return 'k8s'
+  return 'k8s' // safe default
 }
 
-async function authPlugin (app) {
-  // Add a 1 min offset to update the token before it expires
-  // via runtime shared context
-  const offset = parseInt(process.env.PLT_JWT_EXPIRATION_OFFSET_SEC ?? 0)
+async function loadK8sToken (log) {
+  let token
+  try {
+    await stat(K8S_TOKEN_PATH)
+    log.info('Loading JWT token from K8s service account')
+    token = await readFile(K8S_TOKEN_PATH, 'utf8')
+  } catch {
+    log.warn('Failed to load JWT token from K8s service account')
+  }
+  if (!token) {
+    log.warn('K8s token not found, falling back to environment variable')
+    token = process.env.PLT_TEST_TOKEN
+  }
+  return token
+}
 
-  async function loadToken () {
-    let token
-    try {
-      await stat(K8S_TOKEN_PATH)
-      app.log.info('Loading JWT token from K8s service account')
-      token = await readFile(K8S_TOKEN_PATH, 'utf8')
-    } catch (err) {
-      app.log.warn('Failed to load JWT token from K8s service account')
-    }
+// Read ECS task identity (TaskARN suffix + cluster) from the task metadata
+// endpoint. K8s identity travels via the SA JWT, so no resolution needed there.
+async function resolveEcsIdentity (log) {
+  const metadataUrl = `${process.env.ECS_CONTAINER_METADATA_URI_V4}/task`
+  try {
+    const res = await fetch(metadataUrl)
+    if (!res.ok) throw new Error(`status ${res.status}`)
+    const meta = await res.json()
+    const id = meta.TaskARN?.split('/').pop()
+    const namespace = meta.Cluster
+    if (!id || !namespace) throw new Error('TaskARN or Cluster missing in metadata')
+    log.info({ id, namespace }, 'Resolved ECS task identity')
+    return { id, namespace }
+  } catch (err) {
+    log.error({ err, metadataUrl }, 'Failed to read ECS task metadata')
+    return null
+  }
+}
 
-    if (!token) {
-      app.log.warn('K8s token not found, falling back to environment variable')
-      token = process.env.PLT_TEST_TOKEN
-    }
+// ── Provider strategies ────────────────────────────────────────────────────
 
-    return token
-  }
+// K8s strategy: load the SA JWT once, refresh on expiry, send as Bearer.
+async function createK8sStrategy (app, offset) {
+  app.token = await loadK8sToken(app.log)
 
-  const getAuthorizationHeader = async (headers = {}) => {
+  return async function getHeaders () {
     if (app.token && isTokenExpired(app.token, offset)) {
       app.log.info('JWT token expired, reloading')
-      app.token = await loadToken()
+      app.token = await loadK8sToken(app.log)
 
       app.watt?.updateSharedContext({
         iccAuthHeaders: { authorization: `Bearer ${app.token}` }
-      }).catch((err) => {
+      }).catch(err => {
         app.log.error({ err }, 'Failed to update jwt token in shared context')
       })
     }
+    return { authorization: `Bearer ${app.token}` }
+  }
+}
 
+// ECS strategy: resolve task identity once and send as explicit headers.
+// Unauthenticated for now; future hardening will replace this with a Sigv4-
+// presigned sts:GetCallerIdentity proof carried in an Authorization header.
+async function createEcsStrategy (app) {
+  app.machineIdentity = await resolveEcsIdentity(app.log)
+
+  return async function getHeaders () {
+    if (!app.machineIdentity) return {}
     return {
-      ...headers,
-      authorization: `Bearer ${app.token}`
+      'x-ecs-task-id': app.machineIdentity.id,
+      'x-ecs-cluster': app.machineIdentity.namespace
     }
   }
+}
+
+// ── Plugin ─────────────────────────────────────────────────────────────────
+
+async function authPlugin (app) {
+  // 1 min offset to refresh the token before it actually expires.
+  const offset = parseInt(process.env.PLT_JWT_EXPIRATION_OFFSET_SEC ?? 0)
+  const provider = detectProvider()
+
+  const getProviderHeaders = provider === 'ecs'
+    ? await createEcsStrategy(app)
+    : await createK8sStrategy(app, offset)
+
+  async function getAuthorizationHeaders (headers = {}) {
+    return { ...headers, ...(await getProviderHeaders()) }
+  }
 
-  const authorizationTokenInterceptor = dispatch => {
+  function authorizationTokenInterceptor (dispatch) {
     return async function InterceptedDispatch (opts, handler) {
-      opts.headers = await getAuthorizationHeader(opts.headers)
+      opts.headers = await getAuthorizationHeaders(opts.headers)
       return dispatch(opts, handler)
     }
   }
 
-  app.token = await loadToken()
-
-  setInterval(async () => {
-    // Check if token is expired to propagate it to the runtime
-    // via the shared context
-    await getAuthorizationHeader()
-  }, offset ? offset * 1000 / 2 : 30000).unref()
+  // Periodically call the strategy so K8s token refresh propagates to the
+  // runtime shared context before requests need it. No-op for ECS.
+  setInterval(getAuthorizationHeaders, offset ? offset * 1000 / 2 : 30000).unref()
 
-  // We cannot change the global dispatcher because it's shared with the runtime main thread.
-  const wattDispatcher = new Agent()
-  app.dispatcher = wattDispatcher.compose(authorizationTokenInterceptor)
-  app.getAuthorizationHeader = getAuthorizationHeader
+  // Can't replace the global dispatcher (shared with the runtime main thread).
+  app.dispatcher = new Agent().compose(authorizationTokenInterceptor)
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 }
 
 export default authPlugin

package/plugins/compliancy.js

@@ -30,7 +30,7 @@ async function compliancy (app, _opts) {
     // There is a better way? We need to set the default headers for the client
     // every time, because the token might be expired
     // And we cannot set the global dispatcher because it's shared with the runtime main thread.
-    setDefaultHeaders(await app.getAuthorizationHeader())
+    setDefaultHeaders(await app.getAuthorizationHeaders())
     const compliancyMetadata = await getCompliancyMetadata({
       projectDir: appDir,
       runtime

package/plugins/flamegraphs.js

@@ -281,7 +281,7 @@ async function flamegraphs (app, _opts) {
       query.alertId = alertId
     }
 
-    const authHeaders = await app.getAuthorizationHeader()
+    const authHeaders = await app.getAuthorizationHeaders()
     const { statusCode, body } = await request(url, {
       method: 'POST',
       headers: {
@@ -350,7 +350,7 @@ async function flamegraphs (app, _opts) {
     const url = `${scalerUrl}/flamegraphs/${flamegraphId}/alerts`
     app.log.info({ flamegraphId, alerts: alertIds }, 'Attaching flamegraph to alerts')
 
-    const authHeaders = await app.getAuthorizationHeader()
+    const authHeaders = await app.getAuthorizationHeaders()
     const { statusCode, body } = await request(url, {
       method: 'POST',
       headers: {

package/plugins/health-signals.js

@@ -187,7 +187,7 @@ async function healthSignals (app, _opts) {
     const applicationId = app.instanceConfig?.applicationId
     const runtimeId = app.getRuntimeId()
     const timestamp = Date.now()
-    const authHeaders = await app.getAuthorizationHeader()
+    const authHeaders = await app.getAuthorizationHeaders()
 
     const { statusCode, body } = await request(`${scalerUrl}/ready`, {
       method: 'POST',
@@ -207,7 +207,7 @@ async function healthSignals (app, _opts) {
   async function sendHealthSignals (rawSignals, batchStartedAt) {
     const scalerUrl = app.instanceConfig?.iccServices?.scaler?.url
     const applicationId = app.instanceConfig?.applicationId
-    const authHeaders = await app.getAuthorizationHeader()
+    const authHeaders = await app.getAuthorizationHeaders()
 
     // Transform signals to the format expected by ICC LoadPredictor
     // Format: { serviceId: { elu: { options, workers: { workerId: { values: [[ts, val], ...] } } } } }

package/plugins/init.js

@@ -8,7 +8,7 @@ async function initPlugin (app) {
     // There is a better way? We need to set the default headers for the client
     // every time, because the token might be expired
     // And we cannot set the global dispatcher because it's shared with the runtime main thread.
-    setDefaultHeaders(await app.getAuthorizationHeader())
+    setDefaultHeaders(await app.getAuthorizationHeaders())
     const request = {
       podId,
       apiVersion: 'v3'
@@ -80,7 +80,7 @@ async function initPlugin (app) {
   app.watt = watt
   app.initApplication = initApplication
 
-  const headers = await app.getAuthorizationHeader()
+  const headers = await app.getAuthorizationHeaders()
   await app.watt.updateSharedContext({ iccAuthHeaders: headers })
 }
 

package/plugins/metadata.js

@@ -60,13 +60,13 @@ async function metadata (app, _opts) {
           // There is a better way? We need to set the default headers for the client
           // every time, because the token might be expired
           // And we cannot set the global dispatcher because it's shared with the runtime main thread.
-          setDefaultHeaders(await app.getAuthorizationHeader())
+          setDefaultHeaders(await app.getAuthorizationHeaders())
           await controlPlaneClient.saveApplicationInstanceState({
             id: app.instanceId,
             services,
             metadata: runtimeMetadata
           }, {
-            headers: await app.getAuthorizationHeader()
+            headers: await app.getAuthorizationHeaders()
           })
         } catch (error) {
           app.log.error('Failed to save application state to Control Plane', error)

package/plugins/scheduler.js

@@ -18,7 +18,7 @@ async function scheduler (app, _opts) {
         return
       }
       const cronClient = build(cronUrl)
-      setDefaultHeaders(await app.getAuthorizationHeader())
+      setDefaultHeaders(await app.getAuthorizationHeaders())
 
       const jobs = config.scheduler || []
 

package/plugins/update.js

@@ -72,7 +72,7 @@ async function updatePlugin (app) {
     app.log.info({ runtimeId }, `Connecting to updates websocket at ${wsUrl}`)
 
     try {
-      const headers = await app.getAuthorizationHeader()
+      const headers = await app.getAuthorizationHeaders()
 
       socket = new WebSocket(wsUrl, { headers })
       await once(socket, 'open')

package/test/alerts.test.js

@@ -52,7 +52,7 @@ test('should send alert when service becomes unhealthy', async (t) => {
   let alertReceived = null
   let flamegraphReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -83,7 +83,7 @@ test('should send alert when service becomes unhealthy', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -146,7 +146,7 @@ test('should not send alert when application is healthy', async (t) => {
 
   let alertReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -168,7 +168,7 @@ test('should not send alert when application is healthy', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -211,7 +211,7 @@ test('should cache health data and include it in alerts', async (t) => {
 
   let alertReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -234,7 +234,7 @@ test('should cache health data and include it in alerts', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -328,7 +328,7 @@ test('should not fail when health info is missing', async (t) => {
 
   let alertReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -350,7 +350,7 @@ test('should not fail when health info is missing', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -371,7 +371,7 @@ test('should respect alert retention window', async (t) => {
 
   const alertsReceived = []
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -397,7 +397,7 @@ test('should respect alert retention window', async (t) => {
 
   const app = await start()
 
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -495,7 +495,7 @@ test('should send alert when flamegraphs are disabled', async (t) => {
 
   let alertReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -519,7 +519,7 @@ test('should send alert when flamegraphs are disabled', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -577,7 +577,7 @@ test('should send alert when failed to send a flamegraph', async (t) => {
 
   let alertReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -604,7 +604,7 @@ test('should send alert when failed to send a flamegraph', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -662,7 +662,7 @@ test('should handle old runtime (< 3.18.0) health events', async (t) => {
 
   let alertReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -684,7 +684,7 @@ test('should handle old runtime (< 3.18.0) health events', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   // Mock the runtime version check to simulate old runtime
   const originalFn = app.watt.runtimeSupportsNewHealthMetrics
@@ -748,7 +748,7 @@ test('should attach one flamegraph to multiple alerts', async (t) => {
   const receivedFlamegraphs = []
   const receivedAttachedFlamegraphs = []
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -792,7 +792,7 @@ test('should attach one flamegraph to multiple alerts', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -855,7 +855,7 @@ test('should send flamegraphs if attaching fails', async (t) => {
   const receivedAlerts = []
   const receivedFlamegraphs = []
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -895,7 +895,7 @@ test('should send flamegraphs if attaching fails', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -956,7 +956,7 @@ test('should skip alerts during grace period but still cache health data', async
 
   let alertReceived = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -979,7 +979,7 @@ test('should skip alerts during grace period but still cache health data', async
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()
@@ -1033,7 +1033,7 @@ test('should reset grace period when worker restarts', async (t) => {
 
   const alertsReceived = []
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -1059,7 +1059,7 @@ test('should reset grace period when worker restarts', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()

package/test/auth.test.js

@@ -170,3 +170,48 @@ test('auth plugin does not reload when token is undefined', async (t) => {
   const reloadLogMessage = logMessages.find(msg => msg === 'JWT token expired, reloading')
   equal(reloadLogMessage, undefined, 'Should not attempt to reload undefined token')
 })
+
+test('auth plugin sends ECS identity headers when running on ECS', async (t) => {
+  const originalEnv = { ...process.env }
+
+  t.after(() => {
+    process.env = originalEnv
+  })
+
+  // Mock ECS task metadata endpoint.
+  const metadata = fastify()
+  metadata.get('/task', async () => ({
+    TaskARN: 'arn:aws:ecs:us-east-1:123456789012:task/my-cluster/abcdef0123',
+    Cluster: 'my-cluster'
+  }))
+  await metadata.listen({ port: 0 })
+  const metadataUrl = `http://localhost:${metadata.server.address().port}`
+  t.after(() => metadata.close())
+
+  // Make detectProvider() pick ECS.
+  delete process.env.KUBERNETES_SERVICE_HOST
+  process.env.ECS_CONTAINER_METADATA_URI_V4 = metadataUrl
+
+  const server = fastify()
+  server.get('/', async (request) => {
+    return { headers: request.headers }
+  })
+  await server.listen({ port: 0 })
+  const url = `http://localhost:${server.server.address().port}`
+  t.after(() => server.close())
+
+  const app = createMockApp()
+  await authPlugin(app)
+
+  equal(app.machineIdentity?.id, 'abcdef0123', 'Task id should be the TaskARN suffix')
+  equal(app.machineIdentity?.namespace, 'my-cluster', 'Namespace should be the ECS cluster')
+  equal(app.token, undefined, 'No K8s JWT should be loaded on ECS')
+
+  const response = await request(url, { dispatcher: app.dispatcher })
+  const responseBody = await response.body.json()
+
+  equal(response.statusCode, 200)
+  equal(responseBody.headers['x-ecs-task-id'], 'abcdef0123')
+  equal(responseBody.headers['x-ecs-cluster'], 'my-cluster')
+  equal(responseBody.headers.authorization, undefined, 'No Authorization header on ECS')
+})

package/test/health-signals.test.js

@@ -21,7 +21,7 @@ test('should send health signals when service becomes unhealthy', async (t) => {
   const receivedFlamegraphReqs = []
   let receivedReadyReq = null
 
-  const getAuthorizationHeader = async (headers) => {
+  const getAuthorizationHeaders = async (headers) => {
     return { ...headers, authorization: 'Bearer test-token' }
   }
 
@@ -61,7 +61,7 @@ test('should send health signals when service becomes unhealthy', async (t) => {
   })
 
   const app = await start()
-  app.getAuthorizationHeader = getAuthorizationHeader
+  app.getAuthorizationHeaders = getAuthorizationHeaders
 
   t.after(async () => {
     await app.close()

package/test/init.test.js

@@ -20,7 +20,7 @@ const createMockApp = (env = {}) => {
       warn: () => {},
       error: () => {}
     },
-    getAuthorizationHeader: async () => 'Bearer test-token',
+    getAuthorizationHeaders: async () => 'Bearer test-token',
     logMessages
   }
 }

package/test/trigger-flamegraphs.test.js

@@ -91,7 +91,7 @@ function createMockApp (port, includeScalerUrl = true, env = {}) {
       applicationId: 'test-application-id'
     },
     instanceId: 'test-pod-123',
-    getAuthorizationHeader: async () => {
+    getAuthorizationHeaders: async () => {
       return { Authorization: 'Bearer test-token' }
     },
     getRuntimeId: () => {

package/test/update.test.js

@@ -18,7 +18,7 @@ function createMockApp (port, options = {}) {
     instanceConfig: {
       applicationId: 'test-application-id',
     },
-    getAuthorizationHeader: async () => {
+    getAuthorizationHeaders: async () => {
       return { Authorization: 'Bearer test-token' }
     },
     getRuntimeId: () => {

package/.claude/settings.local.json

@@ -1,7 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(node -e \"const schema = require\\(''''@platformatic/runtime/lib/schema.js''''\\); console.log\\(JSON.stringify\\(schema.default?.properties?.services?.items?.properties || schema.properties?.services?.items?.properties, null, 2\\)\\)\")"
-    ]
-  }
-}