feat(phase-3): workstream 6 — SOC 2 Type II Preparation
Implements all 22 WS6 tasks completing Phase 3 Enterprise. Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService applied to credentials.secret_hash, credentials.vault_path, webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path. Backward-compatible: isEncrypted() guard skips decryption for existing plaintext rows until next read-write cycle. Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)). AuditVerificationService walks the full chain verifying hash continuity. AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity Prometheus gauge to 1 (pass) or 0 (fail). TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto in production. SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7 days; increments agentidp_credentials_expiring_soon_total. ComplianceController + routes: GET /audit/verify (auth+audit:read scope, 30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s). ComplianceStatusStore: module-level map updated by jobs, consumed by controller. Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total, agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml. Compliance docs: soc2-controls-matrix.md, encryption-runbook.md, audit-log-runbook.md, incident-response.md, secrets-rotation.md. Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService, AuditVerificationService); 19 compliance integration tests. TypeScript clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
@@ -1,10 +1,10 @@
|
||||
/**
|
||||
* Shared Prometheus metrics registry for SentryAgent.ai AgentIdP.
|
||||
* All 7 metric definitions live here. Import specific metrics in the files that use them.
|
||||
* All metric definitions live here. Import specific metrics in the files that use them.
|
||||
* This is the ONLY file that defines metrics — all other files import from here.
|
||||
*/
|
||||
|
||||
import { Registry, Counter, Histogram } from 'prom-client';
|
||||
import { Registry, Counter, Gauge, Histogram } from 'prom-client';
|
||||
|
||||
/** Shared registry — do NOT use the default global registry (conflicts with tests). */
|
||||
export const metricsRegistry = new Registry();
|
||||
@@ -89,3 +89,30 @@ export const webhookDeadLettersTotal = new Counter({
|
||||
labelNames: ['organization_id'] as const,
|
||||
registers: [metricsRegistry],
|
||||
});
|
||||
|
||||
/**
|
||||
* Total number of agent credentials detected as expiring within 7 days.
|
||||
* Incremented by SecretsRotationJob on each scheduled check.
|
||||
* Labels: agent_id
|
||||
*
|
||||
* SOC 2 CC9.2 — Secrets Rotation monitoring.
|
||||
*/
|
||||
export const credentialsExpiringSoonTotal = new Counter({
|
||||
name: 'agentidp_credentials_expiring_soon_total',
|
||||
help: 'Total number of agent credentials detected as expiring within 7 days.',
|
||||
labelNames: ['agent_id'] as const,
|
||||
registers: [metricsRegistry],
|
||||
});
|
||||
|
||||
/**
|
||||
* Binary gauge indicating whether the most recent audit chain verification passed.
|
||||
* Set to 1 (passing) or 0 (failing) by AuditChainVerificationJob.
|
||||
* No labels.
|
||||
*
|
||||
* SOC 2 CC7.2 — Audit Log Integrity monitoring.
|
||||
*/
|
||||
export const auditChainIntegrity = new Gauge({
|
||||
name: 'agentidp_audit_chain_integrity',
|
||||
help: 'Binary gauge: 1 = most recent audit chain verification passed, 0 = failed.',
|
||||
registers: [metricsRegistry],
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user