npm - iec-builder - Versions diffs - 0.1.0 - Mend

iec-builder 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/.claude/settings.local.json +111 -0
package/.iec.yaml +5 -0
package/CLAUDE.md +174 -0
package/Dockerfile +34 -0
package/README.md +84 -0
package/catalog-info.yaml +11 -0
package/dist/config/env.d.ts +219 -0
package/dist/config/env.d.ts.map +1 -0
package/dist/config/env.js +89 -0
package/dist/config/env.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/middleware/auth.d.ts +43 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +217 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/org-access.d.ts +28 -0
package/dist/middleware/org-access.d.ts.map +1 -0
package/dist/middleware/org-access.js +102 -0
package/dist/middleware/org-access.js.map +1 -0
package/dist/models/types.d.ts +254 -0
package/dist/models/types.d.ts.map +1 -0
package/dist/models/types.js +2 -0
package/dist/models/types.js.map +1 -0
package/dist/routes/ai.d.ts +2 -0
package/dist/routes/ai.d.ts.map +1 -0
package/dist/routes/ai.js +77 -0
package/dist/routes/ai.js.map +1 -0
package/dist/routes/audit.d.ts +2 -0
package/dist/routes/audit.d.ts.map +1 -0
package/dist/routes/audit.js +102 -0
package/dist/routes/audit.js.map +1 -0
package/dist/routes/builds.d.ts +2 -0
package/dist/routes/builds.d.ts.map +1 -0
package/dist/routes/builds.js +262 -0
package/dist/routes/builds.js.map +1 -0
package/dist/routes/cluster.d.ts +2 -0
package/dist/routes/cluster.d.ts.map +1 -0
package/dist/routes/cluster.js +181 -0
package/dist/routes/cluster.js.map +1 -0
package/dist/routes/config.d.ts +2 -0
package/dist/routes/config.d.ts.map +1 -0
package/dist/routes/config.js +291 -0
package/dist/routes/config.js.map +1 -0
package/dist/routes/databases.d.ts +2 -0
package/dist/routes/databases.d.ts.map +1 -0
package/dist/routes/databases.js +161 -0
package/dist/routes/databases.js.map +1 -0
package/dist/routes/db-whitelist.d.ts +2 -0
package/dist/routes/db-whitelist.d.ts.map +1 -0
package/dist/routes/db-whitelist.js +148 -0
package/dist/routes/db-whitelist.js.map +1 -0
package/dist/routes/domains.d.ts +2 -0
package/dist/routes/domains.d.ts.map +1 -0
package/dist/routes/domains.js +449 -0
package/dist/routes/domains.js.map +1 -0
package/dist/routes/oauth.d.ts +2 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +180 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/observability.d.ts +2 -0
package/dist/routes/observability.d.ts.map +1 -0
package/dist/routes/observability.js +167 -0
package/dist/routes/observability.js.map +1 -0
package/dist/routes/orgs.d.ts +2 -0
package/dist/routes/orgs.d.ts.map +1 -0
package/dist/routes/orgs.js +270 -0
package/dist/routes/orgs.js.map +1 -0
package/dist/routes/platform.d.ts +2 -0
package/dist/routes/platform.d.ts.map +1 -0
package/dist/routes/platform.js +107 -0
package/dist/routes/platform.js.map +1 -0
package/dist/routes/push.d.ts +2 -0
package/dist/routes/push.d.ts.map +1 -0
package/dist/routes/push.js +233 -0
package/dist/routes/push.js.map +1 -0
package/dist/routes/rotation.d.ts +3 -0
package/dist/routes/rotation.d.ts.map +1 -0
package/dist/routes/rotation.js +154 -0
package/dist/routes/rotation.js.map +1 -0
package/dist/routes/services.d.ts +2 -0
package/dist/routes/services.d.ts.map +1 -0
package/dist/routes/services.js +246 -0
package/dist/routes/services.js.map +1 -0
package/dist/routes/storage.d.ts +2 -0
package/dist/routes/storage.d.ts.map +1 -0
package/dist/routes/storage.js +118 -0
package/dist/routes/storage.js.map +1 -0
package/dist/routes/users.d.ts +2 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +183 -0
package/dist/routes/users.js.map +1 -0
package/dist/routes/versions.d.ts +2 -0
package/dist/routes/versions.d.ts.map +1 -0
package/dist/routes/versions.js +195 -0
package/dist/routes/versions.js.map +1 -0
package/dist/routes/webhooks.d.ts +2 -0
package/dist/routes/webhooks.d.ts.map +1 -0
package/dist/routes/webhooks.js +334 -0
package/dist/routes/webhooks.js.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts +2 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js +482 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js.map +1 -0
package/dist/services/bio-client.d.ts +68 -0
package/dist/services/bio-client.d.ts.map +1 -0
package/dist/services/bio-client.js +110 -0
package/dist/services/bio-client.js.map +1 -0
package/dist/services/build-queue.d.ts +7 -0
package/dist/services/build-queue.d.ts.map +1 -0
package/dist/services/build-queue.js +114 -0
package/dist/services/build-queue.js.map +1 -0
package/dist/services/builder.d.ts +7 -0
package/dist/services/builder.d.ts.map +1 -0
package/dist/services/builder.js +1384 -0
package/dist/services/builder.js.map +1 -0
package/dist/services/catalog.d.ts +177 -0
package/dist/services/catalog.d.ts.map +1 -0
package/dist/services/catalog.js +805 -0
package/dist/services/catalog.js.map +1 -0
package/dist/services/catalog.test.d.ts +2 -0
package/dist/services/catalog.test.d.ts.map +1 -0
package/dist/services/catalog.test.js +467 -0
package/dist/services/catalog.test.js.map +1 -0
package/dist/services/cloudflare.d.ts +43 -0
package/dist/services/cloudflare.d.ts.map +1 -0
package/dist/services/cloudflare.js +182 -0
package/dist/services/cloudflare.js.map +1 -0
package/dist/services/config-validator.d.ts +28 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +68 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/config-validator.test.d.ts +2 -0
package/dist/services/config-validator.test.d.ts.map +1 -0
package/dist/services/config-validator.test.js +151 -0
package/dist/services/config-validator.test.js.map +1 -0
package/dist/services/crypto.d.ts +19 -0
package/dist/services/crypto.d.ts.map +1 -0
package/dist/services/crypto.js +63 -0
package/dist/services/crypto.js.map +1 -0
package/dist/services/database.d.ts +26 -0
package/dist/services/database.d.ts.map +1 -0
package/dist/services/database.js +100 -0
package/dist/services/database.js.map +1 -0
package/dist/services/db-credential-manager.d.ts +73 -0
package/dist/services/db-credential-manager.d.ts.map +1 -0
package/dist/services/db-credential-manager.js +342 -0
package/dist/services/db-credential-manager.js.map +1 -0
package/dist/services/db-provisioner.d.ts +57 -0
package/dist/services/db-provisioner.d.ts.map +1 -0
package/dist/services/db-provisioner.js +400 -0
package/dist/services/db-provisioner.js.map +1 -0
package/dist/services/db-provisioner.test.d.ts +2 -0
package/dist/services/db-provisioner.test.d.ts.map +1 -0
package/dist/services/db-provisioner.test.js +141 -0
package/dist/services/db-provisioner.test.js.map +1 -0
package/dist/services/db-whitelist.d.ts +58 -0
package/dist/services/db-whitelist.d.ts.map +1 -0
package/dist/services/db-whitelist.js +379 -0
package/dist/services/db-whitelist.js.map +1 -0
package/dist/services/dependency-resolver.d.ts +58 -0
package/dist/services/dependency-resolver.d.ts.map +1 -0
package/dist/services/dependency-resolver.js +180 -0
package/dist/services/dependency-resolver.js.map +1 -0
package/dist/services/dependency-resolver.test.d.ts +2 -0
package/dist/services/dependency-resolver.test.d.ts.map +1 -0
package/dist/services/dependency-resolver.test.js +195 -0
package/dist/services/dependency-resolver.test.js.map +1 -0
package/dist/services/deploy-gate.d.ts +19 -0
package/dist/services/deploy-gate.d.ts.map +1 -0
package/dist/services/deploy-gate.js +56 -0
package/dist/services/deploy-gate.js.map +1 -0
package/dist/services/deploy-gate.test.d.ts +2 -0
package/dist/services/deploy-gate.test.d.ts.map +1 -0
package/dist/services/deploy-gate.test.js +199 -0
package/dist/services/deploy-gate.test.js.map +1 -0
package/dist/services/dockerfile-generator.d.ts +31 -0
package/dist/services/dockerfile-generator.d.ts.map +1 -0
package/dist/services/dockerfile-generator.js +544 -0
package/dist/services/dockerfile-generator.js.map +1 -0
package/dist/services/dockerfile-generator.test.d.ts +2 -0
package/dist/services/dockerfile-generator.test.d.ts.map +1 -0
package/dist/services/dockerfile-generator.test.js +144 -0
package/dist/services/dockerfile-generator.test.js.map +1 -0
package/dist/services/forgejo.d.ts +58 -0
package/dist/services/forgejo.d.ts.map +1 -0
package/dist/services/forgejo.js +131 -0
package/dist/services/forgejo.js.map +1 -0
package/dist/services/koko.d.ts +153 -0
package/dist/services/koko.d.ts.map +1 -0
package/dist/services/koko.js +260 -0
package/dist/services/koko.js.map +1 -0
package/dist/services/kubernetes.d.ts +16 -0
package/dist/services/kubernetes.d.ts.map +1 -0
package/dist/services/kubernetes.js +102 -0
package/dist/services/kubernetes.js.map +1 -0
package/dist/services/oauth-provisioner.d.ts +30 -0
package/dist/services/oauth-provisioner.d.ts.map +1 -0
package/dist/services/oauth-provisioner.js +182 -0
package/dist/services/oauth-provisioner.js.map +1 -0
package/dist/services/oauth-provisioner.test.d.ts +2 -0
package/dist/services/oauth-provisioner.test.d.ts.map +1 -0
package/dist/services/oauth-provisioner.test.js +349 -0
package/dist/services/oauth-provisioner.test.js.map +1 -0
package/dist/services/pod-diagnostics.d.ts +11 -0
package/dist/services/pod-diagnostics.d.ts.map +1 -0
package/dist/services/pod-diagnostics.js +201 -0
package/dist/services/pod-diagnostics.js.map +1 -0
package/dist/services/rotation-scheduler.d.ts +2 -0
package/dist/services/rotation-scheduler.d.ts.map +1 -0
package/dist/services/rotation-scheduler.js +215 -0
package/dist/services/rotation-scheduler.js.map +1 -0
package/dist/services/storage-credential-manager.d.ts +43 -0
package/dist/services/storage-credential-manager.d.ts.map +1 -0
package/dist/services/storage-credential-manager.js +159 -0
package/dist/services/storage-credential-manager.js.map +1 -0
package/dist/services/storage-provisioner.d.ts +32 -0
package/dist/services/storage-provisioner.d.ts.map +1 -0
package/dist/services/storage-provisioner.js +136 -0
package/dist/services/storage-provisioner.js.map +1 -0
package/dist/services/storage.d.ts +65 -0
package/dist/services/storage.d.ts.map +1 -0
package/dist/services/storage.js +204 -0
package/dist/services/storage.js.map +1 -0
package/dist/services/troubleshooter.d.ts +22 -0
package/dist/services/troubleshooter.d.ts.map +1 -0
package/dist/services/troubleshooter.js +168 -0
package/dist/services/troubleshooter.js.map +1 -0
package/dist/services/vault-client.d.ts +114 -0
package/dist/services/vault-client.d.ts.map +1 -0
package/dist/services/vault-client.js +411 -0
package/dist/services/vault-client.js.map +1 -0
package/dist/utils/logger.d.ts +2 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +6 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/response.d.ts +13 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +12 -0
package/dist/utils/response.js.map +1 -0
package/docs/registry-migration.md +301 -0
package/docs/registry-quickstart.md +169 -0
package/ecosystem.config.cjs +14 -0
package/findings.md +168 -0
package/helm/default-service/Chart.yaml +6 -0
package/helm/default-service/templates/deployment.yaml +97 -0
package/helm/default-service/templates/ingress.yaml +43 -0
package/helm/default-service/templates/service.yaml +17 -0
package/helm/default-service/values.yaml +82 -0
package/helm/services/iec-builder/Chart.yaml +6 -0
package/helm/services/iec-builder/templates/_helpers.tpl +61 -0
package/helm/services/iec-builder/templates/deployment.yaml +73 -0
package/helm/services/iec-builder/templates/service.yaml +15 -0
package/helm/services/iec-builder/templates/serviceaccount.yaml +12 -0
package/helm/services/iec-builder/values.yaml +56 -0
package/helm/vault-values.yaml +127 -0
package/package.json +45 -0
package/progress.md +156 -0
package/scripts/.vault-init-keys.json +23 -0
package/scripts/backfill-ownership.ts +113 -0
package/scripts/finalize-mongo-auth.sh +212 -0
package/scripts/setup-ipset.sh +107 -0
package/scripts/setup-mongo-auth.sh +163 -0
package/scripts/setup-neo4j-auth.sh +62 -0
package/scripts/setup-redis-auth.sh +55 -0
package/scripts/setup-registry-secret.sh +71 -0
package/scripts/setup-vault.sh +308 -0
package/src/config/env.ts +117 -0
package/src/index.ts +153 -0
package/src/middleware/auth.ts +294 -0
package/src/middleware/org-access.ts +126 -0
package/src/models/types.ts +288 -0
package/src/routes/ai.ts +115 -0
package/src/routes/audit.ts +121 -0
package/src/routes/builds.ts +320 -0
package/src/routes/cluster.ts +235 -0
package/src/routes/config.ts +369 -0
package/src/routes/databases.ts +201 -0
package/src/routes/db-whitelist.ts +204 -0
package/src/routes/domains.ts +547 -0
package/src/routes/oauth.ts +195 -0
package/src/routes/observability.ts +205 -0
package/src/routes/orgs.ts +330 -0
package/src/routes/platform.ts +134 -0
package/src/routes/rotation.ts +191 -0
package/src/routes/services.ts +290 -0
package/src/routes/storage.ts +153 -0
package/src/routes/users.ts +235 -0
package/src/routes/webhooks.ts +384 -0
package/src/services/__tests__/catalog-storage.test.ts +186 -0
package/src/services/__tests__/deploy-pipeline.integration.test.ts +624 -0
package/src/services/__tests__/pod-diagnostics.test.ts +332 -0
package/src/services/__tests__/storage-credential-manager.test.ts +129 -0
package/src/services/__tests__/storage-provisioner.test.ts +166 -0
package/src/services/__tests__/troubleshooter.test.ts +329 -0
package/src/services/bio-client.ts +189 -0
package/src/services/build-queue.ts +137 -0
package/src/services/builder.ts +1800 -0
package/src/services/catalog.test.ts +1389 -0
package/src/services/catalog.ts +1187 -0
package/src/services/cloudflare.ts +259 -0
package/src/services/config-validator.test.ts +190 -0
package/src/services/config-validator.ts +108 -0
package/src/services/crypto.ts +78 -0
package/src/services/database.ts +122 -0
package/src/services/db-credential-manager.test.ts +101 -0
package/src/services/db-credential-manager.ts +447 -0
package/src/services/db-provisioner.test.ts +602 -0
package/src/services/db-provisioner.ts +589 -0
package/src/services/db-whitelist.test.ts +671 -0
package/src/services/db-whitelist.ts +496 -0
package/src/services/dependency-resolver.test.ts +677 -0
package/src/services/dependency-resolver.ts +319 -0
package/src/services/deploy-gate.test.ts +247 -0
package/src/services/deploy-gate.ts +75 -0
package/src/services/dockerfile-generator.test.ts +401 -0
package/src/services/dockerfile-generator.ts +606 -0
package/src/services/forgejo.ts +212 -0
package/src/services/koko.ts +492 -0
package/src/services/kubernetes.ts +141 -0
package/src/services/oauth-provisioner.test.ts +477 -0
package/src/services/oauth-provisioner.ts +286 -0
package/src/services/pod-diagnostics.ts +261 -0
package/src/services/rotation-scheduler.ts +293 -0
package/src/services/storage-credential-manager.ts +223 -0
package/src/services/storage-provisioner.ts +216 -0
package/src/services/storage.ts +274 -0
package/src/services/troubleshooter.ts +208 -0
package/src/services/vault-client.test.ts +272 -0
package/src/services/vault-client.ts +587 -0
package/src/utils/logger.ts +6 -0
package/src/utils/response.ts +23 -0
package/task_plan.md +171 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +19 -0

package/progress.md ADDED Viewed

@@ -0,0 +1,156 @@
+# Progress Log — Phase 2: Vault Dynamic Credentials
+## Session: 2026-02-17 (Planning)
+### Planning & Architecture Design
+- **Status:** complete
+- **Started:** 2026-02-17
+- Actions taken:
+  - Explored current infrastructure: Helm charts, db-provisioner, credential manager, builder deploy flow
+  - Identified Helm chart gaps: missing `podAnnotations` and `serviceAccountName`
+  - Designed Vault Agent sidecar + entrypoint wrapper pattern (no app code changes)
+  - Chose AWS KMS for auto-unseal, Raft for storage, standalone mode
+  - Scoped all three DB types: MongoDB dynamic, Redis ACL, Neo4j (evaluate plugin)
+  - Documented architecture, annotations pattern, entrypoint wrapper
+  - Created task_plan.md, findings.md, progress.md
+- Files created/modified:
+  - task_plan.md (created)
+  - findings.md (created)
+  - progress.md (created)
+  - .claude/plans/pure-snuggling-sketch.md (created — detailed architecture plan)
+---
+## Phase 2a: Vault Infrastructure (Days 1-3)
+- **Status:** complete
+- Actions taken:
+  - Created AWS KMS key `00d61cf0-a84f-49ef-a54d-62465dc09931` (alias: tawa-vault-unseal, us-east-1)
+  - Created IAM user `tawa-vault-unseal` with scoped Encrypt/Decrypt policy
+  - Created K8s secret `vault-kms-creds` in vault namespace
+  - Deployed Vault OSS 1.21.2 via Helm (standalone, Raft storage, AWS KMS auto-unseal)
+  - Initialized Vault, stored recovery keys to `~/vault-init-keys.json`
+  - Enabled: K8s auth, database secrets engine, KV v2, file audit device
+  - Configured MongoDB connection (`mongodb-tawa`) in database engine
+  - Created 12 Vault database roles (7 prod + 4 sandbox + 1 shared)
+  - Created 11 policies (least-privilege per service)
+  - Created 11 K8s auth role bindings (ServiceAccount → Vault policy)
+  - Exposed Vault via NodePort 30820 for builder access
+  - Added `VAULT_ADDR`, `VAULT_TOKEN`, `VAULT_ENABLED=false` to builder `.env`
+  - Verified dynamic credential generation: end-to-end test with koko-prod role
+- Files created/modified:
+  - `scripts/setup-vault.sh` (created — deployment + init script)
+  - `helm/vault-values.yaml` (created — Vault Helm chart values)
+  - `src/services/vault-client.ts` (created — Vault API client)
+  - `src/services/vault-client.test.ts` (created — 21 tests)
+  - `src/config/env.ts` (modified — added VAULT_ADDR, VAULT_TOKEN, VAULT_ENABLED)
+  - `helm/default-service/templates/deployment.yaml` (modified — podAnnotations + serviceAccountName)
+  - `helm/default-service/values.yaml` (modified — added defaults)
+  - `src/services/dockerfile-generator.ts` (modified — Vault entrypoint wrapper)
+## Phase 2b: Wire Vault into Deploy Pipeline (Days 3-7)
+- **Status:** complete
+- Actions taken:
+  - Added `provisionDatabasesVault()` helper to builder.ts (creates Vault roles, policies, K8s auth, returns annotations)
+  - Modified `executeBuild()` with feature-flagged Vault branch: `isVaultEnabled() && isVaultHealthy()`
+  - Vault branch creates Vault database roles + K8s auth, skips K8s secret creation (Vault Agent handles it)
+  - Fallback: if Vault provisioning throws, catches error and falls back to Phase 1 `provisionDatabases()`
+  - Modified `deployToKubernetes()` to accept `vaultAnnotations` parameter
+  - Added Vault annotation injection via `--set-json podAnnotations` + `--set serviceAccountName`
+  - Updated Dockerfile entrypoint to source all files in `/vault/secrets/*` (one per DB type)
+  - Fixed vault-client.ts connection names: `mongodb-tawa`, `redis-tawa`, `neo4j-tawa`
+  - Added 8 integration tests for Vault pipeline (annotations, role names, fallback, all DB types)
+  - All 287 tests passing, TypeScript build clean
+- Files created/modified:
+  - `src/services/builder.ts` (modified — Vault branch in executeBuild, annotation injection in deployToKubernetes)
+  - `src/services/vault-client.ts` (modified — fixed connection names)
+  - `src/services/dockerfile-generator.ts` (modified — entrypoint sources /vault/secrets/*)
+  - `src/services/__tests__/deploy-pipeline.integration.test.ts` (modified — 8 new Vault tests)
+## Phase 2b.1: Production Rollout — Bio-ID (2026-02-17)
+- **Status:** complete
+- Actions taken:
+  - Enabled VAULT_ENABLED=true on builder
+  - Bio-ID crashed: custom Dockerfile missing Vault entrypoint wrapper
+  - Added entrypoint wrapper to bio's custom Dockerfile (sources /vault/secrets/*)
+  - Removed bio's unused custom Helm chart (builder uses default-service chart)
+  - Fixed Vault template to use VPC IP (10.124.0.3) instead of public IP (64.23.181.20)
+  - Added new K8s node (137.184.92.199) to MongoDB iptables + persisted rules
+  - Fixed liveness probe: added httpGet:null to prevent dual handler conflict
+  - Cleared stale helmChart:'helm' from bio's service DB record
+  - Added runAsUser:1001 + fsGroup:1001 to default-service chart values
+  - Changed bio Dockerfile to use numeric UID (USER 1001) instead of USER nextjs
+  - Bio-ID running with Vault dynamic credentials, 0 restarts, VPC connectivity
+- Files created/modified:
+  - `iec-bio/apps/bio-id/Dockerfile` (modified — Vault entrypoint + numeric UID)
+  - `iec-bio/apps/bio-id/.iec.yaml` (modified — restored dockerfile: Dockerfile)
+  - `iec-bio/apps/bio-id/helm/` (deleted — unused custom chart)
+  - `src/services/vault-client.ts` (modified — use DB_MONGODB_HOST for Vault template)
+  - `src/services/builder.ts` (modified — httpGet:null in liveness probe override)
+  - `helm/default-service/values.yaml` (modified — runAsUser:1001, fsGroup:1001)
+  - Builder .env: DB_MONGODB_HOST=10.124.0.3, DB_REDIS_HOST=10.124.0.3
+- Errors encountered:
+  - Custom Dockerfile missing Vault entrypoint → bio fell back to localhost:27017/iec_bio
+  - Generated Dockerfile can't handle turborepo → must use custom Dockerfile
+  - New K8s node IP not in iptables → MongoDB connection timeout from pods
+  - Stale helmChart in DB → Helm tried to use deleted directory
+  - Non-numeric USER in Dockerfile → K8s runAsNonRoot rejection
+## Phase 2c: Redis ACLs via Vault (Days 7-9)
+- **Status:** pending
+- Actions taken:
+  -
+- Files created/modified:
+  -
+## Phase 2d: Neo4j Auth via Vault (Days 9-11)
+- **Status:** pending
+- Actions taken:
+  -
+- Files created/modified:
+  -
+## Phase 2e: Migration & Hardening (Days 11-14)
+- **Status:** pending
+- Actions taken:
+  -
+- Files created/modified:
+  -
+## Test Results
+| Test | Input | Expected | Actual | Status |
+|------|-------|----------|--------|--------|
+| Vault health | `vault status` | Initialized + unsealed | Initialized=true, Sealed=false, v1.21.2 | pass |
+| K8s auth | `vault auth list` | kubernetes/ method listed | kubernetes/ enabled | pass |
+| MongoDB dynamic creds | `vault read database/creds/svc-koko-prod-mongodb` | Short-lived user + password | lease_duration=1h, renewable=true | pass |
+| Auto-unseal | Kill vault pod, wait | Pod recovers, unsealed | | pending |
+| MongoDB dynamic creds | Deploy sandbox svc | Pod has sidecar, MONGODB_URI valid | | pending |
+| Lease renewal | Wait 1hr | No disruption, lease renewed | | pending |
+| Phase 1 fallback | Set VAULT_ENABLED=false, redeploy | Static creds work | | pending |
+| Redis ACL | Deploy sandbox svc | REDIS_URL with credentials | | pending |
+| Redis key isolation | Write to other service prefix | Permission denied | | pending |
+| Neo4j auth | Deploy sandbox svc | NEO4J_URI + credentials valid | | pending |
+| Full migration | Run migrate-to-vault.ts | All services have Vault roles | | pending |
+| All health checks | After migration | All services healthy | | pending |
+## Error Log
+| Timestamp | Error | Attempt | Resolution |
+|-----------|-------|---------|------------|
+| | | | |
+## Blockers
+- [x] ~~Phase 1 extension (Redis ACL + Neo4j static auth) must complete first~~ — Phase 1 COMPLETE
+- [x] ~~AWS account needed for KMS key~~ — KMS key created
+- [ ] Redis version must be confirmed >= 6.0
+- [ ] Neo4j Vault plugin maturity must be evaluated
+## 5-Question Reboot Check
+| Question | Answer |
+|----------|--------|
+| Where am I? | Phase 2a + 2b COMPLETE. Ready for testing with a sandbox deploy |
+| Where am I going? | Test with sandbox service, then Phase 2c (Redis ACLs) or 2e (migration) |
+| What's the goal? | Replace static DB passwords with Vault dynamic credentials |
+| What have I learned? | Vault wired into builder, feature-flagged, graceful fallback works |
+| What have I done? | Vault infra deployed, builder code branching on VAULT_ENABLED, 287 tests green |
+---
+*Update after completing each phase or encountering errors*

package/scripts/.vault-init-keys.json ADDED Viewed

@@ -0,0 +1,23 @@
+{
+  "unseal_keys_b64": [],
+  "unseal_keys_hex": [],
+  "unseal_shares": 1,
+  "unseal_threshold": 1,
+  "recovery_keys_b64": [
+    "ewoWGuci8aYmg/mEbyjIX4YHUOKfFzTiqQZDHnPiJADz",
+    "0KFRyVBV7VDJRPq+JBtCcVTT3KIh9mf0aRq2azrr8bYG",
+    "7PK+sZSLN9xwW75Kxe0pTRm48bM+DmMXp/Adn0ABRNkP",
+    "Hzj7Ar4+Pk+8lwkWJR0FnJX39sANDj8Q1I0d5CUofQ6k",
+    "Q+0y35dkqh1n44C/aefvQ3e/nYkRoB1Wm4Fp8qX5DCNV"
+  ],
+  "recovery_keys_hex": [
+    "7b0a161ae722f1a62683f9846f28c85f860750e29f1734e2a906431e73e22400f3",
+    "d0a151c95055ed50c944fabe241b427154d3dca221f667f4691ab66b3aebf1b606",
+    "ecf2beb1948b37dc705bbe4ac5ed294d19b8f1b33e0e6317a7f01d9f400144d90f",
+    "1f38fb02be3e3e4fbc970916251d059c95f7f6c00d0e3f10d48d1de425287d0ea4",
+    "43ed32df9764aa1d67e380bf69e7ef4377bf9d8911a01d569b8169f2a5f90c2355"
+  ],
+  "recovery_keys_shares": 5,
+  "recovery_keys_threshold": 3,
+  "root_token": "hvs.MS9jJK9L8FoTIPJesT1emjWE"
+}

package/scripts/backfill-ownership.ts ADDED Viewed

@@ -0,0 +1,113 @@
+/**
+ * One-time script to backfill org and createdBy on existing services.
+ *
+ * For each service missing org/createdBy:
+ *   1. Finds the oldest build with org/requestedBy set
+ *   2. Falls back to extracting org from repoUrl
+ *
+ * Usage:
+ *   npx tsx scripts/backfill-ownership.ts [--dry-run]
+ */
+import { MongoClient } from 'mongodb'
+import { config } from 'dotenv'
+import { dirname, resolve } from 'path'
+import { fileURLToPath } from 'url'
+const __dirname = dirname(fileURLToPath(import.meta.url))
+config({ path: resolve(__dirname, '../.env') })
+const MONGODB_URI = process.env.MONGODB_URI || 'mongodb://64.23.181.20:27017/builder'
+const DRY_RUN = process.argv.includes('--dry-run')
+function extractRepoOrg(repoUrl: string): string | undefined {
+  try {
+    const url = new URL(repoUrl)
+    const parts = url.pathname.split('/').filter(Boolean)
+    if (parts.length >= 2) return parts[0]
+  } catch {
+    // Not a valid URL — try SSH format
+  }
+  const sshMatch = repoUrl.match(/^[^@]+@[^:]+:([^/]+)\//)
+  if (sshMatch) return sshMatch[1]
+  return undefined
+}
+async function main() {
+  console.log(`Backfill service ownership${DRY_RUN ? ' (DRY RUN)' : ''}`)
+  console.log(`MongoDB: ${MONGODB_URI.replace(/\/\/[^@]+@/, '//<redacted>@')}`)
+  const client = new MongoClient(MONGODB_URI)
+  await client.connect()
+  const db = client.db()
+  const services = db.collection('services')
+  const builds = db.collection('builds')
+  const needsBackfill = await services
+    .find({ $or: [{ org: { $exists: false } }, { createdBy: { $exists: false } }] })
+    .toArray()
+  console.log(`Found ${needsBackfill.length} services needing backfill\n`)
+  let updated = 0
+  let skipped = 0
+  for (const service of needsBackfill) {
+    const updates: Record<string, string> = {}
+    // Find oldest build for this service with org or requestedBy
+    const oldestBuild = await builds.findOne(
+      {
+        serviceId: service.id,
+        $or: [
+          { org: { $exists: true, $ne: null } },
+          { requestedBy: { $exists: true, $ne: null } },
+        ],
+      },
+      { sort: { createdAt: 1 } }
+    )
+    if (!service.org) {
+      if (oldestBuild?.org) {
+        updates.org = oldestBuild.org
+      } else {
+        const repoOrg = extractRepoOrg(service.repoUrl)
+        if (repoOrg) {
+          updates.org = repoOrg
+        }
+      }
+    }
+    if (!service.createdBy && oldestBuild?.requestedBy) {
+      updates.createdBy = oldestBuild.requestedBy
+    }
+    if (Object.keys(updates).length === 0) {
+      console.log(`  SKIP  ${service.name} — no data to backfill`)
+      skipped++
+      continue
+    }
+    console.log(`  ${DRY_RUN ? 'WOULD UPDATE' : 'UPDATE'}  ${service.name}  →  ${JSON.stringify(updates)}`)
+    if (!DRY_RUN) {
+      await services.updateOne(
+        { id: service.id },
+        { $set: { ...updates, updatedAt: new Date().toISOString() } }
+      )
+    }
+    updated++
+  }
+  console.log(`\nDone. Updated: ${updated}, Skipped: ${skipped}`)
+  await client.close()
+}
+main().catch((err) => {
+  console.error('Backfill failed:', err)
+  process.exit(1)
+})

package/scripts/finalize-mongo-auth.sh ADDED Viewed

@@ -0,0 +1,212 @@
+#!/bin/bash
+# Finalize MongoDB auth: enable authorization on standalone MongoDB.
+# Run ONLY after all services have been redeployed with credentials.
+#
+# Usage:
+#   Check status:    ssh tawa 'bash -s' < scripts/finalize-mongo-auth.sh --check
+#   Enable auth:     ssh tawa 'bash -s' < scripts/finalize-mongo-auth.sh
+#   Rollback auth:   ssh tawa 'bash -s' < scripts/finalize-mongo-auth.sh --rollback
+set -euo pipefail
+MONGOD_CONF="/etc/mongod.conf"
+BUILDER_ENV="/opt/iec-builder/.env"
+# Parse args
+ACTION="${1:-finalize}"
+# ----- Helper: check credential status -----
+check_credentials() {
+  if ! grep -q "^DB_MONGODB_ADMIN_URI=" "$BUILDER_ENV" 2>/dev/null; then
+    echo "ERROR: DB_MONGODB_ADMIN_URI not set in builder .env"
+    echo "Run setup-mongo-auth.sh first."
+    return 1
+  fi
+  ADMIN_URI=$(grep "^DB_MONGODB_ADMIN_URI=" "$BUILDER_ENV" | cut -d'=' -f2-)
+  echo "Checking service credentials..."
+  echo ""
+  mongosh --quiet "$ADMIN_URI" --eval '
+    const svcs = db.getSiblingDB("builder").services.find(
+      {},
+      { name: 1, databaseCredentials: 1, "catalog.databases": 1 }
+    ).toArray()
+    const withMongo = svcs.filter(s =>
+      s.catalog && s.catalog.databases &&
+      s.catalog.databases.some(d => d.type === "mongodb")
+    )
+    const withCreds = withMongo.filter(s =>
+      s.databaseCredentials && s.databaseCredentials.length > 0
+    )
+    const withoutCreds = withMongo.filter(s =>
+      !s.databaseCredentials || s.databaseCredentials.length === 0
+    )
+    print("Services with MongoDB databases: " + withMongo.length)
+    print("")
+    if (withCreds.length > 0) {
+      print("  With credentials (" + withCreds.length + "):")
+      withCreds.forEach(s => {
+        const creds = s.databaseCredentials.map(c => c.username + " (" + c.environment + ")")
+        print("    " + s.name + ": " + creds.join(", "))
+      })
+    }
+    print("")
+    if (withoutCreds.length > 0) {
+      print("  WITHOUT credentials (" + withoutCreds.length + "):")
+      withoutCreds.forEach(s => print("    " + s.name))
+      print("")
+      print("WARNING: These services will lose database access when auth is enabled.")
+      print("Redeploy them first: tawa deploy <service>")
+    } else {
+      print("  All services have credentials!")
+      print("")
+      print("Safe to finalize: ssh tawa '\''bash -s'\'' < scripts/finalize-mongo-auth.sh")
+    }
+  ' 2>/dev/null || echo "Could not query builder database"
+}
+# ----- --check: just show status -----
+if [ "$ACTION" = "--check" ]; then
+  echo "=== MongoDB Auth Migration Status ==="
+  echo ""
+  if grep -q "authorization: enabled" "$MONGOD_CONF" 2>/dev/null; then
+    echo "Auth status: ENABLED (full enforcement)"
+  else
+    echo "Auth status: DISABLED (migration in progress)"
+  fi
+  echo ""
+  check_credentials
+  exit 0
+fi
+# ----- --rollback: disable auth -----
+if [ "$ACTION" = "--rollback" ]; then
+  echo "=== Rolling Back MongoDB Auth ==="
+  echo ""
+  if ! grep -q "authorization: enabled" "$MONGOD_CONF" 2>/dev/null; then
+    echo "Auth is not enabled. Nothing to roll back."
+    exit 0
+  fi
+  sudo cp "$MONGOD_CONF" "${MONGOD_CONF}.bak.$(date +%Y%m%d%H%M%S)"
+  # Remove the entire security section
+  sudo python3 -c "
+import re
+with open('$MONGOD_CONF', 'r') as f:
+    content = f.read()
+# Remove security section (last one in file)
+content = re.sub(r'\nsecurity:\n  authorization: enabled\n?', '\n', content)
+with open('$MONGOD_CONF', 'w') as f:
+    f.write(content)
+"
+  echo "Restarting MongoDB without auth..."
+  sudo systemctl restart mongod
+  sleep 3
+  if ! systemctl is-active --quiet mongod; then
+    echo "ERROR: MongoDB failed to restart! Rolling back config..."
+    LATEST_BACKUP=$(ls -t "${MONGOD_CONF}.bak."* 2>/dev/null | head -1)
+    if [ -n "$LATEST_BACKUP" ]; then
+      sudo cp "$LATEST_BACKUP" "$MONGOD_CONF"
+      sudo systemctl restart mongod
+    fi
+    exit 1
+  fi
+  echo "MongoDB auth disabled. All connections accepted."
+  exit 0
+fi
+# ----- Finalize: enable auth -----
+echo "=== Finalize MongoDB Auth ==="
+echo ""
+if grep -q "authorization: enabled" "$MONGOD_CONF" 2>/dev/null; then
+  echo "Auth is already enabled."
+  exit 0
+fi
+# Check admin URI is set
+if ! grep -q "^DB_MONGODB_ADMIN_URI=" "$BUILDER_ENV" 2>/dev/null; then
+  echo "ERROR: DB_MONGODB_ADMIN_URI not set in builder .env"
+  echo "Run setup-mongo-auth.sh first."
+  exit 1
+fi
+ADMIN_URI=$(grep "^DB_MONGODB_ADMIN_URI=" "$BUILDER_ENV" | cut -d'=' -f2-)
+# Show credential status
+check_credentials
+echo ""
+read -p "Proceed with full auth enforcement? Services without credentials will lose DB access. (yes/no): " CONFIRM
+if [ "$CONFIRM" != "yes" ]; then
+  echo "Aborted."
+  exit 0
+fi
+# ----- Enable auth -----
+echo "Updating $MONGOD_CONF..."
+sudo cp "$MONGOD_CONF" "${MONGOD_CONF}.bak.$(date +%Y%m%d%H%M%S)"
+# Add security section at end of file
+sudo tee -a "$MONGOD_CONF" > /dev/null <<'MONGOCFG'
+security:
+  authorization: enabled
+MONGOCFG
+echo "Restarting MongoDB..."
+sudo systemctl restart mongod
+sleep 3
+if ! systemctl is-active --quiet mongod; then
+  echo "ERROR: MongoDB failed to restart! Rolling back..."
+  LATEST_BACKUP=$(ls -t "${MONGOD_CONF}.bak."* 2>/dev/null | head -1)
+  if [ -n "$LATEST_BACKUP" ]; then
+    sudo cp "$LATEST_BACKUP" "$MONGOD_CONF"
+    sudo systemctl restart mongod
+  fi
+  exit 1
+fi
+# Verify auth is enforced
+UNAUTH_TEST=$(mongosh --quiet --eval 'db.getSiblingDB("builder").services.countDocuments()' 2>&1 || echo "DENIED")
+if echo "$UNAUTH_TEST" | grep -qi "auth\|denied\|unauthorized"; then
+  echo "Unauthenticated data access: BLOCKED (correct)"
+else
+  echo "WARNING: Unauthenticated data access may still work"
+fi
+AUTH_TEST=$(mongosh --quiet "$ADMIN_URI" --eval 'db.adminCommand({ping:1}).ok' 2>/dev/null || echo "FAIL")
+if [ "$AUTH_TEST" = "1" ]; then
+  echo "Admin auth connection: OK"
+else
+  echo "ERROR: Admin auth connection failed!"
+fi
+echo ""
+echo "=== MongoDB Auth Finalized ==="
+echo "All unauthenticated connections are now rejected."
+echo "Services must have credentials to connect."
+echo ""
+echo "To roll back in an emergency:"
+echo "  ssh tawa 'bash -s' < scripts/finalize-mongo-auth.sh --rollback"

package/scripts/setup-ipset.sh ADDED Viewed

@@ -0,0 +1,107 @@
+#!/bin/bash
+# Setup ipset-based MongoDB access control on tawa-builder server.
+# Run once: ssh tawa 'bash -s' < scripts/setup-ipset.sh
+#
+# Creates a named IP set "mongodb-access" and a single iptables rule
+# that allows port 27017 from IPs in the set. Each entry supports
+# per-IP TTL (auto-expiry), managed by the builder API.
+set -euo pipefail
+IPSET_NAME="mongodb-access"
+MONGO_PORT=27017
+echo "=== MongoDB IP Whitelist Setup ==="
+echo ""
+# 1. Install ipset if not present
+if ! command -v ipset &>/dev/null; then
+  echo "Installing ipset..."
+  sudo apt-get update -qq && sudo apt-get install -y -qq ipset
+fi
+echo "ipset version: $(ipset --version | head -1)"
+# 2. Create the hash:ip set with timeout support (idempotent)
+if ipset list "$IPSET_NAME" &>/dev/null; then
+  echo "ipset '$IPSET_NAME' already exists"
+else
+  sudo ipset create "$IPSET_NAME" hash:ip timeout 0 maxelem 65536
+  echo "Created ipset '$IPSET_NAME'"
+fi
+# 3. Add iptables rules (idempotent)
+# Rule order: ipset ACCEPT → localhost ACCEPT → private ACCEPT → DROP all other 27017
+if sudo iptables -C INPUT -p tcp --dport "$MONGO_PORT" -m set --match-set "$IPSET_NAME" src -j ACCEPT 2>/dev/null; then
+  echo "iptables ipset rule already exists"
+else
+  sudo iptables -I INPUT -p tcp --dport "$MONGO_PORT" -m set --match-set "$IPSET_NAME" src -j ACCEPT
+  echo "Added iptables rule: ACCEPT tcp/$MONGO_PORT from ipset '$IPSET_NAME'"
+fi
+# Allow localhost (builder connects locally)
+if sudo iptables -C INPUT -p tcp --dport "$MONGO_PORT" -s 127.0.0.1 -j ACCEPT 2>/dev/null; then
+  echo "iptables localhost rule already exists"
+else
+  sudo iptables -I INPUT 2 -p tcp --dport "$MONGO_PORT" -s 127.0.0.1 -j ACCEPT
+  echo "Added iptables rule: ACCEPT tcp/$MONGO_PORT from localhost"
+fi
+# Allow private network (K8s nodes, internal services)
+if sudo iptables -C INPUT -p tcp --dport "$MONGO_PORT" -s 10.0.0.0/8 -j ACCEPT 2>/dev/null; then
+  echo "iptables private network rule already exists"
+else
+  sudo iptables -I INPUT 3 -p tcp --dport "$MONGO_PORT" -s 10.0.0.0/8 -j ACCEPT
+  echo "Added iptables rule: ACCEPT tcp/$MONGO_PORT from 10.0.0.0/8"
+fi
+# DROP all other 27017 traffic
+if sudo iptables -C INPUT -p tcp --dport "$MONGO_PORT" -j DROP 2>/dev/null; then
+  echo "iptables DROP rule already exists"
+else
+  sudo iptables -I INPUT 4 -p tcp --dport "$MONGO_PORT" -j DROP
+  echo "Added iptables rule: DROP tcp/$MONGO_PORT (all non-whitelisted)"
+fi
+# 4. Persist ipset and iptables across reboots
+echo "Persisting ipset rules..."
+sudo ipset save | sudo tee /etc/ipset.rules >/dev/null
+# Create systemd service to restore ipset on boot (before iptables)
+sudo tee /etc/systemd/system/ipset-restore.service >/dev/null <<'EOF'
+[Unit]
+Description=Restore ipset rules
+Before=netfilter-persistent.service
+DefaultDependencies=no
+[Service]
+Type=oneshot
+ExecStart=/sbin/ipset restore -f /etc/ipset.rules
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target
+EOF
+sudo systemctl daemon-reload
+sudo systemctl enable ipset-restore.service
+# Persist iptables
+if command -v netfilter-persistent &>/dev/null; then
+  sudo netfilter-persistent save
+  echo "iptables rules persisted via netfilter-persistent"
+else
+  echo "WARNING: netfilter-persistent not found. Install with: apt-get install iptables-persistent"
+  echo "iptables rule will not survive reboot without it."
+fi
+echo ""
+echo "=== Setup Complete ==="
+echo ""
+echo "The builder can now manage access via:"
+echo "  ipset add $IPSET_NAME <IP> timeout <seconds>"
+echo "  ipset del $IPSET_NAME <IP>"
+echo "  ipset list $IPSET_NAME"
+echo ""
+echo "Current set members:"
+sudo ipset list "$IPSET_NAME" | tail -n +8