vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(phase-3): workstream 6 — SOC 2 Type II Preparation

Browse Source 
Implements all 22 WS6 tasks completing Phase 3 Enterprise.

Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService
applied to credentials.secret_hash, credentials.vault_path,
webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path.
Backward-compatible: isEncrypted() guard skips decryption for existing
plaintext rows until next read-write cycle.

Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash
on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)).
AuditVerificationService walks the full chain verifying hash continuity.
AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity
Prometheus gauge to 1 (pass) or 0 (fail).

TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first
middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto
in production.

SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7
days; increments agentidp_credentials_expiring_soon_total.

ComplianceController + routes: GET /audit/verify (auth+audit:read scope,
30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s).
ComplianceStatusStore: module-level map updated by jobs, consumed by controller.

Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total,
agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml.

Compliance docs: soc2-controls-matrix.md, encryption-runbook.md,
audit-log-runbook.md, incident-response.md, secrets-rotation.md.

Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService,
AuditVerificationService); 19 compliance integration tests. TypeScript clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
2026-03-31 00:41:53 +00:00
parent 272b69f18d
commit fd90b2acd1
35 changed files with 3715 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
tests/integration/compliance/tls-enforcement.test.ts Normal file
View File

@@ -0,0 +1,144 @@
/**
* Integration tests for TLSEnforcementMiddleware.
*
* Tests:
* 1. In production mode with non-https x-forwarded-proto, request gets 301 redirect
* 2. In production mode with https x-forwarded-proto, request passes through
* 3. In non-production (development) mode, request always passes through
*/
import express, { Application, Request, Response } from 'express';
import request from 'supertest';
import { tlsEnforcementMiddleware } from '../../../src/middleware/TLSEnforcementMiddleware';
// ============================================================================
// Helpers
// ============================================================================
/** Creates a minimal Express app with the TLS middleware and a test route. */
function createTestApp(): Application {
const app = express();
app.use(tlsEnforcementMiddleware);
app.get('/test', (_req: Request, res: Response) => {
res.status(200).json({ ok: true });
});
return app;
}
// ============================================================================
// Tests
// ============================================================================
describe('TLSEnforcementMiddleware', () => {
const originalNodeEnv = process.env['NODE_ENV'];
afterEach(() => {
// Restore NODE_ENV after each test
if (originalNodeEnv === undefined) {
delete process.env['NODE_ENV'];
} else {
process.env['NODE_ENV'] = originalNodeEnv;
}
});
describe('in production mode', () => {
beforeEach(() => {
process.env['NODE_ENV'] = 'production';
});
it('should return 301 redirect when x-forwarded-proto is http', async () => {
const app = createTestApp();
const res = await request(app)
.get('/test')
.set('x-forwarded-proto', 'http')
.set('host', 'api.sentryagent.ai');
expect(res.status).toBe(301);
expect(res.headers['location']).toBe('https://api.sentryagent.ai/test');
});
it('should return 301 redirect when x-forwarded-proto is missing', async () => {
const app = createTestApp();
const res = await request(app)
.get('/test')
.set('host', 'api.sentryagent.ai');
// No x-forwarded-proto header set
expect(res.status).toBe(301);
});
it('should pass through when x-forwarded-proto is https', async () => {
const app = createTestApp();
const res = await request(app)
.get('/test')
.set('x-forwarded-proto', 'https')
.set('host', 'api.sentryagent.ai');
expect(res.status).toBe(200);
expect(res.body).toEqual({ ok: true });
});
it('should preserve the original URL path in the redirect', async () => {
// Add a path that includes a query string
const testApp = express();
testApp.use(tlsEnforcementMiddleware);
testApp.get('/api/v1/agents', (_req: Request, res: Response) => {
res.status(200).json({ ok: true });
});
const res = await request(testApp)
.get('/api/v1/agents?page=1&limit=20')
.set('x-forwarded-proto', 'http')
.set('host', 'api.sentryagent.ai');
expect(res.status).toBe(301);
expect(res.headers['location']).toBe('https://api.sentryagent.ai/api/v1/agents?page=1&limit=20');
});
});
describe('in development mode', () => {
beforeEach(() => {
process.env['NODE_ENV'] = 'development';
});
it('should pass through without redirect even for http requests', async () => {
const app = createTestApp();
const res = await request(app)
.get('/test')
.set('x-forwarded-proto', 'http')
.set('host', 'localhost:3000');
expect(res.status).toBe(200);
expect(res.body).toEqual({ ok: true });
});
it('should pass through when no proto header is present', async () => {
const app = createTestApp();
const res = await request(app)
.get('/test');
expect(res.status).toBe(200);
});
});
describe('in test mode', () => {
beforeEach(() => {
process.env['NODE_ENV'] = 'test';
});
it('should pass through without redirect in test mode', async () => {
const app = createTestApp();
const res = await request(app)
.get('/test')
.set('x-forwarded-proto', 'http');
expect(res.status).toBe(200);
});
});
});