feat(phase-3): workstream 6 — SOC 2 Type II Preparation

Implements all 22 WS6 tasks completing Phase 3 Enterprise.

Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService
applied to credentials.secret_hash, credentials.vault_path,
webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path.
Backward-compatible: isEncrypted() guard skips decryption for existing
plaintext rows until next read-write cycle.

Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash
on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)).
AuditVerificationService walks the full chain verifying hash continuity.
AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity
Prometheus gauge to 1 (pass) or 0 (fail).

TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first
middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto
in production.

SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7
days; increments agentidp_credentials_expiring_soon_total.

ComplianceController + routes: GET /audit/verify (auth+audit:read scope,
30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s).
ComplianceStatusStore: module-level map updated by jobs, consumed by controller.

Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total,
agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml.

Compliance docs: soc2-controls-matrix.md, encryption-runbook.md,
audit-log-runbook.md, incident-response.md, secrets-rotation.md.

Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService,
AuditVerificationService); 19 compliance integration tests. TypeScript clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/app.ts

@@ -41,6 +41,7 @@ import { DIDController } from './controllers/DIDController.js';
 import { OIDCController } from './controllers/OIDCController.js';
 import { FederationController } from './controllers/FederationController.js';
 import { WebhookController } from './controllers/WebhookController.js';
+import { ComplianceController } from './controllers/ComplianceController.js';
 
 import { createAgentsRouter } from './routes/agents.js';
 import { createTokenRouter } from './routes/token.js';
@@ -53,13 +54,19 @@ import { createDIDRouter } from './routes/did.js';
 import { createOIDCRouter } from './routes/oidc.js';
 import { createFederationRouter } from './routes/federation.js';
 import { createWebhooksRouter } from './routes/webhooks.js';
+import { createComplianceRouter } from './routes/compliance.js';
 
 import { errorHandler } from './middleware/errorHandler.js';
 import { createOpaMiddleware } from './middleware/opa.js';
 import { metricsMiddleware } from './middleware/metrics.js';
 import { createOrgContextMiddleware } from './middleware/orgContext.js';
 import { authMiddleware } from './middleware/auth.js';
+import { tlsEnforcementMiddleware } from './middleware/TLSEnforcementMiddleware.js';
 import { createVaultClientFromEnv } from './vault/VaultClient.js';
+import { getEncryptionService } from './services/EncryptionService.js';
+import { getAuditVerificationService } from './services/AuditVerificationService.js';
+import { startSecretsRotationJob } from './jobs/SecretsRotationJob.js';
+import { startAuditChainVerificationJob } from './jobs/AuditChainVerificationJob.js';
 import { RedisClientType } from 'redis';
 import path from 'path';
 
@@ -73,6 +80,12 @@ import path from 'path';
 export async function createApp(): Promise<Application> {
   const app = express();
 
+  // ────────────────────────────────────────────────────────────────
+  // TLS enforcement — MUST be first middleware (SOC 2 CC6.7)
+  // In production, redirects all non-HTTPS requests to HTTPS.
+  // ────────────────────────────────────────────────────────────────
+  app.use(tlsEnforcementMiddleware);
+
   // ────────────────────────────────────────────────────────────────
   // Security headers
   // ────────────────────────────────────────────────────────────────
@@ -138,11 +151,21 @@ export async function createApp(): Promise<Application> {
     console.log('[AgentIdP] Kafka integration enabled — events will be produced to agentidp-events');
   }
 
+  // ────────────────────────────────────────────────────────────────
+  // Encryption service — column-level AES-256-CBC (SOC 2 CC6.1)
+  // Only initialised when Vault is configured (key stored in Vault).
+  // ────────────────────────────────────────────────────────────────
+  const encryptionService =
+    vaultClient !== null ? getEncryptionService(vaultClient) : null;
+  if (encryptionService !== null) {
+    console.log('[AgentIdP] EncryptionService enabled — sensitive columns encrypted at rest (SOC 2 CC6.1)');
+  }
+
   // ────────────────────────────────────────────────────────────────
   // Webhook infrastructure
   // ────────────────────────────────────────────────────────────────
   const redisUrl = process.env['REDIS_URL'] ?? 'redis://localhost:6379';
-  const webhookService = new WebhookService(pool, vaultClient, redis as RedisClientType);
+  const webhookService = new WebhookService(pool, vaultClient, redis as RedisClientType, encryptionService);
   const webhookWorker = new WebhookDeliveryWorker(pool, vaultClient, redis as RedisClientType, redisUrl);
   webhookWorker.start();
   const eventPublisher = new EventPublisher(webhookWorker, pool, kafkaProducer);
@@ -151,9 +174,9 @@ export async function createApp(): Promise<Application> {
   // Service layer
   // ────────────────────────────────────────────────────────────────
   const auditService = new AuditService(auditRepo);
-  const didService = new DIDService(pool, vaultClient, redis as RedisClientType);
+  const didService = new DIDService(pool, vaultClient, redis as RedisClientType, encryptionService);
   const agentService = new AgentService(agentRepo, credentialRepo, auditService, didService, eventPublisher);
-  const credentialService = new CredentialService(credentialRepo, agentRepo, auditService, vaultClient, eventPublisher);
+  const credentialService = new CredentialService(credentialRepo, agentRepo, auditService, vaultClient, eventPublisher, encryptionService);
   const orgService = new OrgService(orgRepo, agentRepo);
 
   const privateKey = process.env['JWT_PRIVATE_KEY'];
@@ -177,6 +200,7 @@ export async function createApp(): Promise<Application> {
     vaultClient,
     idTokenService,
     eventPublisher,
+    encryptionService,
   );
 
   // ────────────────────────────────────────────────────────────────
@@ -198,6 +222,16 @@ export async function createApp(): Promise<Application> {
   const federationController = new FederationController(federationService);
   const webhookController = new WebhookController(webhookService);
 
+  // ────────────────────────────────────────────────────────────────
+  // Compliance services and background jobs (SOC 2 Type II)
+  // ────────────────────────────────────────────────────────────────
+  const auditVerificationService = getAuditVerificationService(pool);
+  const complianceController = new ComplianceController(auditVerificationService);
+
+  // Start background compliance monitoring jobs (non-blocking)
+  startSecretsRotationJob(pool);
+  startAuditChainVerificationJob(auditVerificationService);
+
   // ────────────────────────────────────────────────────────────────
   // Org context middleware — sets PostgreSQL session variable app.organization_id
   // Must run after auth (so req.user is populated) and before route handlers.
@@ -235,6 +269,7 @@ export async function createApp(): Promise<Application> {
   app.use(`${API_BASE}/organizations`, createOrgsRouter(orgController, opaMiddleware));
   app.use(`${API_BASE}`, createFederationRouter(federationController, authMiddleware, opaMiddleware));
   app.use(`${API_BASE}/webhooks`, createWebhooksRouter(webhookController, authMiddleware, opaMiddleware));
+  app.use(`${API_BASE}`, createComplianceRouter(complianceController));
 
   // ────────────────────────────────────────────────────────────────
   // Dashboard static assets (served from dashboard/dist/)