feat(phase-3): workstream 6 — SOC 2 Type II Preparation

Implements all 22 WS6 tasks completing Phase 3 Enterprise. Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService applied to credentials.secret_hash, credentials.vault_path, webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path. Backward-compatible: isEncrypted() guard skips decryption for existing plaintext rows until next read-write cycle. Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)). AuditVerificationService walks the full chain verifying hash continuity. AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity Prometheus gauge to 1 (pass) or 0 (fail). TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto in production. SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7 days; increments agentidp_credentials_expiring_soon_total. ComplianceController + routes: GET /audit/verify (auth+audit:read scope, 30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s). ComplianceStatusStore: module-level map updated by jobs, consumed by controller. Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total, agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml. Compliance docs: soc2-controls-matrix.md, encryption-runbook.md, audit-log-runbook.md, incident-response.md, secrets-rotation.md. Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService, AuditVerificationService); 19 compliance integration tests. TypeScript clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 00:41:53 +00:00
parent 272b69f18d
commit fd90b2acd1
35 changed files with 3715 additions and 26 deletions
--- a/src/services/AuditService.ts
+++ b/src/services/AuditService.ts
@@ -1,8 +1,15 @@
 /**
 * Audit Log Service for SentryAgent.ai AgentIdP.
 * Provides methods for logging and querying immutable audit events.
+ *
+ * SOC 2 CC7.2 — Audit Log Integrity:
+ * Each event is cryptographically linked to the previous one via a SHA-256 hash chain.
+ * The hash is computed as:
+ *   SHA-256(eventId + timestamp.toISOString() + action + outcome + agentId + organizationId + previousHash)
+ * This makes any tampering, deletion, or insertion detectable via AuditVerificationService.
 */

+import crypto from 'crypto';
 import { AuditRepository } from '../repositories/AuditRepository.js';
 import {
  IAuditEvent,
@@ -41,6 +48,42 @@ export class AuditService {
    return cutoff;
  }

+  /**
+   * Computes the SHA-256 hash for an audit event in the chain.
+   * Used internally and by AuditVerificationService.
+   *
+   * @param eventId - The event UUID.
+   * @param timestamp - The event timestamp.
+   * @param action - The audit action.
+   * @param outcome - The audit outcome.
+   * @param agentId - The agent UUID.
+   * @param organizationId - The organization UUID.
+   * @param previousHash - The hash of the preceding event ('' for the first event).
+   * @returns 64-character hex SHA-256 hash.
+   */
+  static computeHash(
+    eventId: string,
+    timestamp: Date,
+    action: string,
+    outcome: string,
+    agentId: string,
+    organizationId: string,
+    previousHash: string,
+  ): string {
+    return crypto
+      .createHash('sha256')
+      .update(
+        eventId +
+        timestamp.toISOString() +
+        action +
+        outcome +
+        agentId +
+        organizationId +
+        previousHash,
+      )
+      .digest('hex');
+  }
+
  /**
   * Logs an audit event. This is a fire-and-forget async insert for token
   * endpoints (do not await). For DB-backed operations, await this method.
@@ -51,6 +94,7 @@ export class AuditService {
   * @param ipAddress - The client IP address.
   * @param userAgent - The client User-Agent header.
   * @param metadata - Action-specific structured context data.
+   * @param organizationId - Optional organization UUID for hash chain computation.
   * @returns Promise resolving to the created audit event.
   */
  async logEvent(
@@ -60,9 +104,11 @@ export class AuditService {
    ipAddress: string,
    userAgent: string,
    metadata: Record<string, unknown>,
+    organizationId?: string,
  ): Promise<IAuditEvent> {
    return this.auditRepository.create({
      agentId,
+      organizationId,
      action,
      outcome,
      ipAddress,