Commit Graph

4 Commits

Author: SentryAgent.ai Developer
Commit: a504964e5f
Subject: feat(phase-2): workstream 7 — Prometheus + Grafana Monitoring
- Add prom-client 15; shared registry in src/metrics/registry.ts (7 metrics)
- HTTP request counter + duration histogram via metricsMiddleware
- DB query duration histogram wrapping pg Pool.query
- Redis command duration histogram via typed instrumentRedisMethod wrapper
- agentidp_tokens_issued_total in OAuth2Service
- agentidp_agents_registered_total in AgentService
- GET /metrics unauthenticated endpoint (Prometheus text format)
- docker-compose.monitoring.yml overlay (Prometheus + Grafana)
- Grafana auto-provisioned datasource + pre-built AgentIdP dashboard
- docs/devops/operations.md monitoring section added
- 36/36 unit tests passing, 100% coverage on new metrics code
- Fix pre-existing unused import in tests/integration/agents.test.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Date: 2026-03-29 06:13:41 +00:00

Author: SentryAgent.ai Developer
Commit: 7328a61c44
Subject: feat(phase-2): workstream 5 — OPA Policy Engine
- policies/authz.rego: Rego policy with path normalisation and scope enforcement
- policies/data/scopes.json: all 13 endpoint → scope mappings
- src/middleware/opa.ts: OpaMiddleware with Wasm primary path + scopes.json fallback;
  exports createOpaMiddleware() and reloadOpaPolicy() for SIGHUP hot-reload
- All four route files: opaMiddleware wired after authMiddleware
- AuditController, OAuth2Service: manual scope checks removed (now centralised in OPA)
- src/server.ts: SIGHUP handler calls reloadOpaPolicy()
- docs/devops/environment-variables.md: POLICY_DIR documented
- 38 new tests; 302/302 passing; opa.ts coverage 98.66% statements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Date: 2026-03-28 23:02:11 +00:00

Author: SentryAgent.ai Developer
Commit: 90a4addb21
Subject: feat(phase-2): workstream 1 — HashiCorp Vault credential storage
Vault is optional — server falls back to bcrypt (Phase 1 behaviour)
when VAULT_ADDR is not set. Full coexistence: existing bcrypt credentials
continue to work until rotated.

Changes:
- src/vault/VaultClient.ts — wraps node-vault KV v2; writeSecret,
  readSecret, verifySecret (constant-time), deleteSecret
- src/db/migrations/005_add_vault_path.sql — vault_path column on credentials
- CredentialRepository — createWithVaultPath, updateVaultPath methods
- CredentialService — routes generate/rotate through Vault when configured;
  bcrypt path unchanged
- OAuth2Service — verifies via Vault when vaultPath set, bcrypt otherwise
- src/app.ts — createVaultClientFromEnv() wired into service layer
- ICredentialRow — vaultPath field added
- docs/devops/environment-variables.md — VAULT_ADDR, VAULT_TOKEN, VAULT_MOUNT
- docs/devops/vault-setup.md — dev quickstart, production config, migration guide
- tests: 33/33 unit tests pass (VaultClient + CredentialService Vault path)
- node-vault + @types/node-vault installed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Date: 2026-03-28 15:02:33 +00:00

Author: SentryAgent.ai Developer
Commit: d94a8cedc0
Subject: docs: DevOps documentation — complete docs/devops/ set
Adds the full devops-documentation OpenSpec change implementation.
Separate from docs/developers/ — serves a different audience (operators,
not API consumers).

docs/devops/:
- README.md          — index and system overview
- architecture.md    — components, ports, data flow, Redis key patterns
- environment-variables.md — all 7 env vars (required + optional, formats, .env example)
- database.md        — 4-table schema, indexes, constraints, migration runner
- local-development.md — docker-compose setup, health checks, startup, Dockerfile gap noted
- security.md        — RSA key generation/rotation, CORS, bcrypt, secret storage guidance
- operations.md      — startup order, graceful shutdown, log reference, troubleshooting

QA gates: 48/48 tasks complete. All env vars verified against source.
All table names verified against migrations. All ports verified against
docker-compose.yml. All internal links resolve.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Date: 2026-03-28 14:28:55 +00:00