feat(phase-3): workstream 6 — SOC 2 Type II Preparation

Implements all 22 WS6 tasks completing Phase 3 Enterprise.

Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService
applied to credentials.secret_hash, credentials.vault_path,
webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path.
Backward-compatible: isEncrypted() guard skips decryption for existing
plaintext rows until next read-write cycle.

Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash
on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)).
AuditVerificationService walks the full chain verifying hash continuity.
AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity
Prometheus gauge to 1 (pass) or 0 (fail).

TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first
middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto
in production.

SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7
days; increments agentidp_credentials_expiring_soon_total.

ComplianceController + routes: GET /audit/verify (auth+audit:read scope,
30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s).
ComplianceStatusStore: module-level map updated by jobs, consumed by controller.

Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total,
agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml.

Compliance docs: soc2-controls-matrix.md, encryption-runbook.md,
audit-log-runbook.md, incident-response.md, secrets-rotation.md.

Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService,
AuditVerificationService); 19 compliance integration tests. TypeScript clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

monitoring/prometheus/alerts.yml

@@ -0,0 +1,50 @@
+groups:
+  - name: agentidp_alerts
+    rules:
+      - alert: AuthFailureSpike
+        expr: rate(agentidp_http_requests_total{status_code="401"}[5m]) > 0.5
+        for: 2m
+        labels: { severity: warning }
+        annotations:
+          summary: "Auth failure spike detected"
+          description: "More than 0.5 auth failures/sec over the past 2 minutes."
+
+      - alert: RateLimitExhaustion
+        expr: rate(agentidp_http_requests_total{status_code="429"}[5m]) > 0.2
+        for: 2m
+        labels: { severity: warning }
+        annotations:
+          summary: "Rate limit exhaustion spike"
+          description: "Sustained rate limit rejections over the past 2 minutes."
+
+      - alert: AnomalousTokenIssuance
+        expr: rate(agentidp_tokens_issued_total[5m]) > 10
+        for: 5m
+        labels: { severity: warning }
+        annotations:
+          summary: "Anomalous token issuance rate"
+          description: "More than 10 tokens/sec issued over the past 5 minutes."
+
+      - alert: WebhookDeadLetterAccumulating
+        expr: increase(agentidp_webhook_dead_letters_total[1h]) > 10
+        for: 0m
+        labels: { severity: critical }
+        annotations:
+          summary: "Webhook dead-letter accumulation"
+          description: "More than 10 webhook deliveries moved to dead-letter in the past hour."
+
+      - alert: AuditChainIntegrityFailed
+        expr: agentidp_audit_chain_integrity == 0
+        for: 0m
+        labels: { severity: critical }
+        annotations:
+          summary: "Audit chain integrity failure"
+          description: "Audit chain verification failed — possible log tampering detected."
+
+      - alert: CredentialExpiryApproaching
+        expr: increase(agentidp_credentials_expiring_soon_total[1h]) > 0
+        for: 0m
+        labels: { severity: info }
+        annotations:
+          summary: "Credentials expiring soon"
+          description: "One or more agent credentials will expire within 7 days."

monitoring/prometheus/prometheus.yml

@@ -2,6 +2,9 @@ global:
   scrape_interval: 15s
   evaluation_interval: 15s
 
+rule_files:
+  - alerts.yml
+
 scrape_configs:
   - job_name: 'agentidp'
     static_configs: