tlc-claude-code 1.4.8 → 1.4.9

package/server/lib/k8s/secrets-encryption.js

@@ -0,0 +1,168 @@
+/**
+ * Secrets Encryption at Rest
+ */
+
+/**
+ * Generates a sealed secret
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Secret name
+ * @param {Object} options.data - Secret data (key-value pairs)
+ * @param {string} options.namespace - Target namespace (default: 'default')
+ * @param {Function} options.mockSeal - Mock seal function for testing
+ * @returns {Object} SealedSecret resource
+ */
+export function generateSealedSecret({ name, data = {}, namespace = 'default', mockSeal } = {}) {
+  const encryptedData = {};
+
+  for (const [key, value] of Object.entries(data)) {
+    if (mockSeal) {
+      encryptedData[key] = mockSeal(value);
+    } else {
+      // In production, this would use kubeseal
+      encryptedData[key] = Buffer.from(value).toString('base64');
+    }
+  }
+
+  return {
+    apiVersion: 'bitnami.com/v1alpha1',
+    kind: 'SealedSecret',
+    metadata: {
+      name,
+      namespace
+    },
+    spec: {
+      encryptedData
+    }
+  };
+}
+
+/**
+ * Configures encryption at rest
+ * @param {Object} options - Configuration options
+ * @param {string} options.provider - Encryption provider ('kms', 'aescbc', 'secretbox')
+ * @param {string} options.keyId - Key ID (for KMS)
+ * @returns {Object} Encryption configuration
+ */
+export function configureEncryptionAtRest({ provider = 'kms', keyId } = {}) {
+  const config = {
+    kind: 'EncryptionConfiguration',
+    apiVersion: 'apiserver.config.k8s.io/v1',
+    resources: [{
+      resources: ['secrets'],
+      providers: []
+    }]
+  };
+
+  if (provider === 'kms') {
+    config.resources[0].providers.push({
+      kms: {
+        name: 'kms-provider',
+        endpoint: 'unix:///var/run/kms-provider.sock',
+        cachesize: 1000,
+        timeout: '3s'
+      }
+    });
+    if (keyId) {
+      config.resources[0].providers[0].kms.keyId = keyId;
+    }
+  } else if (provider === 'aescbc') {
+    config.resources[0].providers.push({
+      aescbc: {
+        keys: [{
+          name: 'key1',
+          secret: '<base64-encoded-secret>'
+        }]
+      }
+    });
+  }
+
+  // Always add identity provider as fallback for reading unencrypted secrets
+  config.resources[0].providers.push({ identity: {} });
+
+  return {
+    providers: config.resources[0].providers,
+    config
+  };
+}
+
+/**
+ * Generates an ExternalSecret custom resource
+ * @param {Object} options - Configuration options
+ * @param {string} options.name - Secret name
+ * @param {string} options.store - Secret store name
+ * @param {Array} options.keys - Keys to fetch from store
+ * @param {string} options.namespace - Target namespace (default: 'default')
+ * @returns {Object} ExternalSecret resource
+ */
+export function generateExternalSecret({ name, store, keys = [], namespace = 'default' } = {}) {
+  return {
+    apiVersion: 'external-secrets.io/v1beta1',
+    kind: 'ExternalSecret',
+    metadata: {
+      name,
+      namespace
+    },
+    spec: {
+      refreshInterval: '1h',
+      secretStoreRef: {
+        name: store,
+        kind: 'SecretStore'
+      },
+      target: {
+        name,
+        creationPolicy: 'Owner'
+      },
+      data: keys.map(key => ({
+        secretKey: key,
+        remoteRef: {
+          key: name,
+          property: key
+        }
+      }))
+    }
+  };
+}
+
+/**
+ * Generates Vault integration configuration
+ * @param {Object} options - Configuration options
+ * @param {string} options.address - Vault server address
+ * @param {string} options.role - Vault role
+ * @param {string} options.authPath - Auth path (default: 'kubernetes')
+ * @returns {string} Vault configuration as string
+ */
+export function generateVaultConfig({ address, role, authPath = 'kubernetes' } = {}) {
+  return `
+vault:
+  address: "${address}"
+  auth:
+    method: kubernetes
+    path: ${authPath}
+    role: ${role}
+  secrets:
+    path: secret/data
+`.trim();
+}
+
+/**
+ * Creates a secrets encryption manager
+ * @returns {Object} Manager with seal, rotate, and getLog methods
+ */
+export function createSecretsEncryption() {
+  const log = [];
+
+  return {
+    seal: (options) => {
+      log.push(`Sealing secret: ${options.name}`);
+      return generateSealedSecret(options);
+    },
+    rotate: (options) => {
+      log.push(`Rotating encryption key`);
+      return { rotated: true, timestamp: new Date().toISOString() };
+    },
+    getLog: () => {
+      // Never include sensitive data in logs
+      return log.join('\n');
+    }
+  };
+}

package/server/lib/k8s/secrets-encryption.test.js

@@ -0,0 +1,49 @@
+/**
+ * Secrets Encryption Tests
+ */
+import { describe, it, expect, vi } from 'vitest';
+import { generateSealedSecret, configureEncryptionAtRest, generateExternalSecret, generateVaultConfig, createSecretsEncryption } from './secrets-encryption.js';
+
+describe('secrets-encryption', () => {
+  describe('generateSealedSecret', () => {
+    it('generates sealed secret', () => {
+      const secret = generateSealedSecret({ name: 'db-creds', data: { password: 'secret' }, mockSeal: vi.fn().mockReturnValue('encrypted') });
+      expect(secret.kind).toBe('SealedSecret');
+    });
+  });
+
+  describe('configureEncryptionAtRest', () => {
+    it('configures KMS encryption', () => {
+      const config = configureEncryptionAtRest({ provider: 'kms', keyId: 'arn:aws:kms:...' });
+      expect(config.providers.some(p => p.kms !== undefined)).toBe(true);
+    });
+  });
+
+  describe('generateExternalSecret', () => {
+    it('generates ExternalSecret CR', () => {
+      const secret = generateExternalSecret({ name: 'db-creds', store: 'vault', keys: ['password'] });
+      expect(secret.kind).toBe('ExternalSecret');
+    });
+  });
+
+  describe('generateVaultConfig', () => {
+    it('generates Vault integration config', () => {
+      const config = generateVaultConfig({ address: 'https://vault.example.com', role: 'app' });
+      expect(config).toContain('vault.example.com');
+    });
+  });
+
+  describe('createSecretsEncryption', () => {
+    it('creates manager', () => {
+      const manager = createSecretsEncryption();
+      expect(manager.seal).toBeDefined();
+      expect(manager.rotate).toBeDefined();
+    });
+
+    it('never logs secret values', () => {
+      const manager = createSecretsEncryption();
+      const log = manager.getLog();
+      expect(log).not.toContain('password');
+    });
+  });
+});

package/server/lib/monitoring/alert-manager.js

@@ -0,0 +1,238 @@
+/**
+ * Alert Manager
+ * Alert routing and notifications
+ */
+
+export const ALERT_SEVERITY = {
+  CRITICAL: 'critical',
+  WARNING: 'warning',
+  INFO: 'info',
+};
+
+/**
+ * Generate a unique alert ID
+ * @returns {string} Unique ID
+ */
+function generateId() {
+  return `alert_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+}
+
+/**
+ * Generate a fingerprint for deduplication
+ * @param {Object} alert - Alert object
+ * @returns {string} Fingerprint
+ */
+function generateFingerprint(alert) {
+  return `${alert.title}_${alert.severity}_${alert.source || 'unknown'}`;
+}
+
+/**
+ * Create an alert
+ * @param {Object} options - Alert options
+ * @param {string} options.title - Alert title
+ * @param {string} options.severity - Alert severity
+ * @param {string} options.description - Alert description
+ * @param {string} options.source - Alert source
+ * @returns {Object} Alert object
+ */
+export function createAlert(options = {}) {
+  const { title, severity = ALERT_SEVERITY.INFO, description, source } = options;
+
+  const alert = {
+    id: generateId(),
+    title,
+    severity,
+    description,
+    source,
+    timestamp: new Date().toISOString(),
+    acknowledged: false,
+  };
+
+  alert.fingerprint = generateFingerprint(alert);
+
+  return alert;
+}
+
+/**
+ * Route an alert to appropriate channels
+ * @param {Object} alert - Alert object
+ * @param {Object} rules - Routing rules by severity
+ * @returns {Array} List of channels to send to
+ */
+export function routeAlert(alert, rules = {}) {
+  const { severity } = alert;
+  return rules[severity] || [];
+}
+
+/**
+ * Send alert to PagerDuty
+ * @param {Object} alert - Alert object
+ * @param {Object} options - Configuration options
+ * @param {Function} options.post - Post function
+ * @param {string} options.routingKey - PagerDuty routing key
+ * @returns {Object} Response
+ */
+export async function sendToPagerDuty(alert, options = {}) {
+  const { post, routingKey } = options;
+
+  if (!post) {
+    throw new Error('post function required');
+  }
+
+  const payload = {
+    routing_key: routingKey,
+    event_action: 'trigger',
+    dedup_key: alert.fingerprint || alert.id,
+    payload: {
+      summary: alert.title,
+      severity: alert.severity === ALERT_SEVERITY.CRITICAL ? 'critical' : 'warning',
+      source: alert.source || 'monitoring',
+      timestamp: alert.timestamp,
+    },
+  };
+
+  return post('https://events.pagerduty.com/v2/enqueue', payload);
+}
+
+/**
+ * Send alert to Slack
+ * @param {Object} alert - Alert object
+ * @param {Object} options - Configuration options
+ * @param {Function} options.post - Post function
+ * @param {string} options.webhookUrl - Slack webhook URL
+ * @returns {Object} Response
+ */
+export async function sendToSlack(alert, options = {}) {
+  const { post, webhookUrl } = options;
+
+  if (!post) {
+    throw new Error('post function required');
+  }
+
+  const severityEmoji = {
+    [ALERT_SEVERITY.CRITICAL]: ':rotating_light:',
+    [ALERT_SEVERITY.WARNING]: ':warning:',
+    [ALERT_SEVERITY.INFO]: ':information_source:',
+  };
+
+  const payload = {
+    text: `${severityEmoji[alert.severity] || ''} ${alert.title}`,
+    attachments: [
+      {
+        color: alert.severity === ALERT_SEVERITY.CRITICAL ? 'danger' : 'warning',
+        fields: [
+          { title: 'Severity', value: alert.severity, short: true },
+          { title: 'Time', value: alert.timestamp, short: true },
+        ],
+      },
+    ],
+  };
+
+  if (alert.description) {
+    payload.attachments[0].text = alert.description;
+  }
+
+  return post(webhookUrl, payload);
+}
+
+/**
+ * Deduplicate alerts by fingerprint
+ * @param {Array} alerts - Array of alerts
+ * @returns {Array} Deduplicated alerts
+ */
+export function deduplicateAlerts(alerts) {
+  const seen = new Map();
+
+  for (const alert of alerts) {
+    const key = alert.fingerprint;
+    if (!seen.has(key)) {
+      seen.set(key, alert);
+    }
+  }
+
+  return Array.from(seen.values());
+}
+
+/**
+ * Acknowledge an alert
+ * @param {Object} alert - Alert object
+ * @param {Object} options - Acknowledgment options
+ * @param {string} options.user - User acknowledging
+ * @param {string} options.note - Acknowledgment note
+ * @returns {Object} Acknowledged alert
+ */
+export function acknowledgeAlert(alert, options = {}) {
+  const { user, note } = options;
+
+  return {
+    ...alert,
+    acknowledged: true,
+    acknowledgedBy: user,
+    acknowledgedAt: new Date().toISOString(),
+    acknowledgeNote: note,
+  };
+}
+
+/**
+ * Create an alert manager
+ * @param {Object} options - Configuration options
+ * @param {Object} options.escalation - Escalation rules
+ * @param {Object} options.routing - Routing rules
+ * @returns {Object} Alert manager
+ */
+export function createAlertManager(options = {}) {
+  const { escalation, routing = {} } = options;
+
+  const alerts = new Map();
+  const config = {
+    escalation,
+    routing,
+  };
+
+  return {
+    async send(alertOptions) {
+      const alert = createAlert(alertOptions);
+      alerts.set(alert.id, alert);
+
+      const routes = routeAlert(alert, config.routing);
+      return { alert, routes };
+    },
+
+    acknowledge(alertId, ackOptions) {
+      const alert = alerts.get(alertId);
+      if (!alert) {
+        throw new Error(`Alert ${alertId} not found`);
+      }
+
+      const acked = acknowledgeAlert(alert, ackOptions);
+      alerts.set(alertId, acked);
+      return acked;
+    },
+
+    list(filter = {}) {
+      let result = Array.from(alerts.values());
+
+      if (filter.severity) {
+        result = result.filter((a) => a.severity === filter.severity);
+      }
+
+      if (filter.acknowledged !== undefined) {
+        result = result.filter((a) => a.acknowledged === filter.acknowledged);
+      }
+
+      return result;
+    },
+
+    get(alertId) {
+      return alerts.get(alertId);
+    },
+
+    configure(newConfig) {
+      Object.assign(config, newConfig);
+    },
+
+    getConfig() {
+      return { ...config };
+    },
+  };
+}

package/server/lib/monitoring/alert-manager.test.js

@@ -0,0 +1,106 @@
+/**
+ * Alert Manager Tests
+ */
+import { describe, it, expect, vi } from 'vitest';
+import {
+  createAlert,
+  routeAlert,
+  sendToPagerDuty,
+  sendToSlack,
+  deduplicateAlerts,
+  acknowledgeAlert,
+  ALERT_SEVERITY,
+  createAlertManager,
+} from './alert-manager.js';
+
+describe('alert-manager', () => {
+  describe('ALERT_SEVERITY', () => {
+    it('defines severity constants', () => {
+      expect(ALERT_SEVERITY.CRITICAL).toBe('critical');
+      expect(ALERT_SEVERITY.WARNING).toBe('warning');
+      expect(ALERT_SEVERITY.INFO).toBe('info');
+    });
+  });
+
+  describe('createAlert', () => {
+    it('creates alert with required fields', () => {
+      const alert = createAlert({ title: 'Test Alert', severity: 'critical' });
+      expect(alert.id).toBeDefined();
+      expect(alert.title).toBe('Test Alert');
+      expect(alert.severity).toBe('critical');
+      expect(alert.timestamp).toBeDefined();
+    });
+  });
+
+  describe('routeAlert', () => {
+    it('routes critical alerts to PagerDuty', () => {
+      const routes = routeAlert({ severity: 'critical' }, {
+        critical: ['pagerduty'],
+        warning: ['slack'],
+      });
+      expect(routes).toContain('pagerduty');
+    });
+
+    it('routes warning alerts to Slack', () => {
+      const routes = routeAlert({ severity: 'warning' }, {
+        critical: ['pagerduty'],
+        warning: ['slack'],
+      });
+      expect(routes).toContain('slack');
+    });
+  });
+
+  describe('sendToPagerDuty', () => {
+    it('sends alert to PagerDuty', async () => {
+      const mockPost = vi.fn().mockResolvedValue({ ok: true });
+      await sendToPagerDuty({ title: 'Test' }, { post: mockPost, routingKey: 'key' });
+      expect(mockPost).toHaveBeenCalled();
+    });
+  });
+
+  describe('sendToSlack', () => {
+    it('sends alert to Slack', async () => {
+      const mockPost = vi.fn().mockResolvedValue({ ok: true });
+      await sendToSlack({ title: 'Test' }, { post: mockPost, webhookUrl: 'url' });
+      expect(mockPost).toHaveBeenCalled();
+    });
+  });
+
+  describe('deduplicateAlerts', () => {
+    it('removes duplicate alerts', () => {
+      const alerts = [
+        { id: '1', fingerprint: 'abc', title: 'Alert 1' },
+        { id: '2', fingerprint: 'abc', title: 'Alert 1' },
+        { id: '3', fingerprint: 'def', title: 'Alert 2' },
+      ];
+      const deduped = deduplicateAlerts(alerts);
+      expect(deduped.length).toBe(2);
+    });
+  });
+
+  describe('acknowledgeAlert', () => {
+    it('marks alert as acknowledged', () => {
+      const alert = createAlert({ title: 'Test' });
+      const acked = acknowledgeAlert(alert, { user: 'admin' });
+      expect(acked.acknowledged).toBe(true);
+      expect(acked.acknowledgedBy).toBe('admin');
+    });
+  });
+
+  describe('createAlertManager', () => {
+    it('creates manager with methods', () => {
+      const manager = createAlertManager();
+      expect(manager.send).toBeDefined();
+      expect(manager.acknowledge).toBeDefined();
+      expect(manager.list).toBeDefined();
+      expect(manager.configure).toBeDefined();
+    });
+
+    it('configures escalation rules', () => {
+      const manager = createAlertManager({
+        escalation: { afterMinutes: 5, to: 'pagerduty' },
+      });
+      expect(manager.getConfig().escalation).toBeDefined();
+    });
+  });
+});