feat(phase-3): workstream 6 — SOC 2 Type II Preparation

Implements all 22 WS6 tasks completing Phase 3 Enterprise. Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService applied to credentials.secret_hash, credentials.vault_path, webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path. Backward-compatible: isEncrypted() guard skips decryption for existing plaintext rows until next read-write cycle. Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)). AuditVerificationService walks the full chain verifying hash continuity. AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity Prometheus gauge to 1 (pass) or 0 (fail). TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto in production. SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7 days; increments agentidp_credentials_expiring_soon_total. ComplianceController + routes: GET /audit/verify (auth+audit:read scope, 30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s). ComplianceStatusStore: module-level map updated by jobs, consumed by controller. Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total, agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml. Compliance docs: soc2-controls-matrix.md, encryption-runbook.md, audit-log-runbook.md, incident-response.md, secrets-rotation.md. Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService, AuditVerificationService); 19 compliance integration tests. TypeScript clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 00:41:53 +00:00
parent 272b69f18d
commit fd90b2acd1
35 changed files with 3715 additions and 26 deletions
--- a/tests/unit/metrics/registry.test.ts
+++ b/tests/unit/metrics/registry.test.ts
@@ -1,7 +1,7 @@
 /**
 * Unit tests for src/metrics/registry.ts
 *
- * Verifies that all 6 Prometheus metrics are registered on the shared
+ * Verifies that all Prometheus metrics are registered on the shared
 * metricsRegistry (not the default global registry), have the correct
 * names, and carry the correct label names.
 */
@@ -14,6 +14,8 @@ import {
  httpRequestDurationSeconds,
  dbQueryDurationSeconds,
  redisCommandDurationSeconds,
+  credentialsExpiringSoonTotal,
+  auditChainIntegrity,
 } from '../../../src/metrics/registry';

 describe('metricsRegistry', () => {
@@ -28,9 +30,9 @@ describe('metricsRegistry', () => {
    expect(metricsRegistry).not.toBe(register);
  });

-  it('contains exactly 7 metric entries', async () => {
+  it('contains exactly 9 metric entries', async () => {
    const entries = await metricsRegistry.getMetricsAsJSON();
-    expect(entries).toHaveLength(7);
+    expect(entries).toHaveLength(9);
  });

  // ──────────────────────────────────────────────────────────────────
@@ -43,6 +45,9 @@ describe('metricsRegistry', () => {
    'agentidp_http_request_duration_seconds',
    'agentidp_db_query_duration_seconds',
    'agentidp_redis_command_duration_seconds',
+    'agentidp_webhook_dead_letters_total',
+    'agentidp_credentials_expiring_soon_total',
+    'agentidp_audit_chain_integrity',
  ])('registers metric "%s"', async (metricName) => {
    const entries = await metricsRegistry.getMetricsAsJSON();
    const names = entries.map((e) => e.name);
@@ -126,4 +131,32 @@ describe('metricsRegistry', () => {
      ).not.toThrow();
    });
  });
+
+  describe('credentialsExpiringSoonTotal', () => {
+    it('has name agentidp_credentials_expiring_soon_total', () => {
+      const metric = credentialsExpiringSoonTotal as unknown as { name: string };
+      expect(metric.name).toBe('agentidp_credentials_expiring_soon_total');
+    });
+
+    it('increments with agent_id label without throwing', () => {
+      expect(() =>
+        credentialsExpiringSoonTotal.inc({ agent_id: 'agent-test-001' }),
+      ).not.toThrow();
+    });
+  });
+
+  describe('auditChainIntegrity', () => {
+    it('has name agentidp_audit_chain_integrity', () => {
+      const metric = auditChainIntegrity as unknown as { name: string };
+      expect(metric.name).toBe('agentidp_audit_chain_integrity');
+    });
+
+    it('can be set to 1 (passing) without throwing', () => {
+      expect(() => auditChainIntegrity.set(1)).not.toThrow();
+    });
+
+    it('can be set to 0 (failing) without throwing', () => {
+      expect(() => auditChainIntegrity.set(0)).not.toThrow();
+    });
+  });
 });