fd90b2acd1
Implements all 22 WS6 tasks completing Phase 3 Enterprise. Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService applied to credentials.secret_hash, credentials.vault_path, webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path. Backward-compatible: isEncrypted() guard skips decryption for existing plaintext rows until next read-write cycle. Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)). AuditVerificationService walks the full chain verifying hash continuity. AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity Prometheus gauge to 1 (pass) or 0 (fail). TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto in production. SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7 days; increments agentidp_credentials_expiring_soon_total. ComplianceController + routes: GET /audit/verify (auth+audit:read scope, 30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s). ComplianceStatusStore: module-level map updated by jobs, consumed by controller. Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total, agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml. Compliance docs: soc2-controls-matrix.md, encryption-runbook.md, audit-log-runbook.md, incident-response.md, secrets-rotation.md. Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService, AuditVerificationService); 19 compliance integration tests. TypeScript clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
51 lines
1.9 KiB
YAML
51 lines
1.9 KiB
YAML
groups:
|
|
- name: agentidp_alerts
|
|
rules:
|
|
- alert: AuthFailureSpike
|
|
expr: rate(agentidp_http_requests_total{status_code="401"}[5m]) > 0.5
|
|
for: 2m
|
|
labels: { severity: warning }
|
|
annotations:
|
|
summary: "Auth failure spike detected"
|
|
description: "More than 0.5 auth failures/sec over the past 2 minutes."
|
|
|
|
- alert: RateLimitExhaustion
|
|
expr: rate(agentidp_http_requests_total{status_code="429"}[5m]) > 0.2
|
|
for: 2m
|
|
labels: { severity: warning }
|
|
annotations:
|
|
summary: "Rate limit exhaustion spike"
|
|
description: "Sustained rate limit rejections over the past 2 minutes."
|
|
|
|
- alert: AnomalousTokenIssuance
|
|
expr: rate(agentidp_tokens_issued_total[5m]) > 10
|
|
for: 5m
|
|
labels: { severity: warning }
|
|
annotations:
|
|
summary: "Anomalous token issuance rate"
|
|
description: "More than 10 tokens/sec issued over the past 5 minutes."
|
|
|
|
- alert: WebhookDeadLetterAccumulating
|
|
expr: increase(agentidp_webhook_dead_letters_total[1h]) > 10
|
|
for: 0m
|
|
labels: { severity: critical }
|
|
annotations:
|
|
summary: "Webhook dead-letter accumulation"
|
|
description: "More than 10 webhook deliveries moved to dead-letter in the past hour."
|
|
|
|
- alert: AuditChainIntegrityFailed
|
|
expr: agentidp_audit_chain_integrity == 0
|
|
for: 0m
|
|
labels: { severity: critical }
|
|
annotations:
|
|
summary: "Audit chain integrity failure"
|
|
description: "Audit chain verification failed — possible log tampering detected."
|
|
|
|
- alert: CredentialExpiryApproaching
|
|
expr: increase(agentidp_credentials_expiring_soon_total[1h]) > 0
|
|
for: 0m
|
|
labels: { severity: info }
|
|
annotations:
|
|
summary: "Credentials expiring soon"
|
|
description: "One or more agent credentials will expire within 7 days."
|