vijay_admin/sentryagent-idp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fd90b2acd1d4a34f50fa9fe1433fe746dc9988c2
sentryagent-idp/tests/unit/metrics/registry.test.ts
SentryAgent.ai Developer fd90b2acd1 feat(phase-3): workstream 6 — SOC 2 Type II Preparation 
Implements all 22 WS6 tasks completing Phase 3 Enterprise.

Column-level encryption (AES-256-CBC, Vault-backed key) via EncryptionService
applied to credentials.secret_hash, credentials.vault_path,
webhook_subscriptions.vault_secret_path, and agent_did_keys.vault_key_path.
Backward-compatible: isEncrypted() guard skips decryption for existing
plaintext rows until next read-write cycle.

Audit chain integrity (CC7.2): AuditRepository computes SHA-256 Merkle hash
on every INSERT (hash = SHA-256(eventId+timestamp+action+outcome+agentId+orgId+prevHash)).
AuditVerificationService walks the full chain verifying hash continuity.
AuditChainVerificationJob runs hourly; sets agentidp_audit_chain_integrity
Prometheus gauge to 1 (pass) or 0 (fail).

TLS enforcement (CC6.7): TLSEnforcementMiddleware registered as first
middleware in Express stack; 301 redirect on non-https X-Forwarded-Proto
in production.

SecretsRotationJob (CC9.2): hourly scan for credentials expiring within 7
days; increments agentidp_credentials_expiring_soon_total.

ComplianceController + routes: GET /audit/verify (auth+audit:read scope,
30/min rate-limit); GET /compliance/controls (public, Cache-Control 60s).
ComplianceStatusStore: module-level map updated by jobs, consumed by controller.

Prometheus: 2 new metrics (agentidp_credentials_expiring_soon_total,
agentidp_audit_chain_integrity); 6 alerting rules in alerts.yml.

Compliance docs: soc2-controls-matrix.md, encryption-runbook.md,
audit-log-runbook.md, incident-response.md, secrets-rotation.md.

Tests: 557 unit tests passing (35 suites); 26 new tests (EncryptionService,
AuditVerificationService); 19 compliance integration tests. TypeScript clean.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-31 00:41:53 +00:00

163 lines
6.7 KiB
TypeScript
Raw Blame History

/**
* Unit tests for src/metrics/registry.ts
*
* Verifies that all Prometheus metrics are registered on the shared
* metricsRegistry (not the default global registry), have the correct
* names, and carry the correct label names.
*/
import {
metricsRegistry,
tokensIssuedTotal,
agentsRegisteredTotal,
httpRequestsTotal,
httpRequestDurationSeconds,
dbQueryDurationSeconds,
redisCommandDurationSeconds,
credentialsExpiringSoonTotal,
auditChainIntegrity,
} from '../../../src/metrics/registry';
describe('metricsRegistry', () => {
// ──────────────────────────────────────────────────────────────────
// Registry isolation
// ──────────────────────────────────────────────────────────────────
it('uses a non-default registry instance', async () => {
// prom-client default registry is accessed via Registry.default or
// by calling register.metrics(). The shared registry must NOT be
// the same reference as the default one.
const { register } = await import('prom-client');
expect(metricsRegistry).not.toBe(register);
});
it('contains exactly 9 metric entries', async () => {
const entries = await metricsRegistry.getMetricsAsJSON();
expect(entries).toHaveLength(9);
});
// ──────────────────────────────────────────────────────────────────
// Metric names
// ──────────────────────────────────────────────────────────────────
it.each([
'agentidp_tokens_issued_total',
'agentidp_agents_registered_total',
'agentidp_http_requests_total',
'agentidp_http_request_duration_seconds',
'agentidp_db_query_duration_seconds',
'agentidp_redis_command_duration_seconds',
'agentidp_webhook_dead_letters_total',
'agentidp_credentials_expiring_soon_total',
'agentidp_audit_chain_integrity',
])('registers metric "%s"', async (metricName) => {
const entries = await metricsRegistry.getMetricsAsJSON();
const names = entries.map((e) => e.name);
expect(names).toContain(metricName);
});
// ──────────────────────────────────────────────────────────────────
// Label names per metric
// ──────────────────────────────────────────────────────────────────
describe('tokensIssuedTotal', () => {
it('has name agentidp_tokens_issued_total', () => {
// Access the internal name via the metric object
const metric = tokensIssuedTotal as unknown as { name: string };
expect(metric.name).toBe('agentidp_tokens_issued_total');
});
it('has label "scope"', async () => {
const entries = await metricsRegistry.getMetricsAsJSON();
const entry = entries.find((e) => e.name === 'agentidp_tokens_issued_total');
expect(entry).toBeDefined();
// Counter with no observations has an empty values array but the metric exists
expect(entry!.type).toBe('counter');
});
});
describe('agentsRegisteredTotal', () => {
it('has name agentidp_agents_registered_total', () => {
const metric = agentsRegisteredTotal as unknown as { name: string };
expect(metric.name).toBe('agentidp_agents_registered_total');
});
});
describe('httpRequestsTotal', () => {
it('has name agentidp_http_requests_total', () => {
const metric = httpRequestsTotal as unknown as { name: string };
expect(metric.name).toBe('agentidp_http_requests_total');
});
it('increments with method, route, status_code labels without throwing', () => {
expect(() =>
httpRequestsTotal.inc({ method: 'GET', route: '/test', status_code: '200' }),
).not.toThrow();
});
});
describe('httpRequestDurationSeconds', () => {
it('has name agentidp_http_request_duration_seconds', () => {
const metric = httpRequestDurationSeconds as unknown as { name: string };
expect(metric.name).toBe('agentidp_http_request_duration_seconds');
});
it('observes with method, route, status_code labels without throwing', () => {
expect(() =>
httpRequestDurationSeconds.observe({ method: 'GET', route: '/test', status_code: '200' }, 0.05),
).not.toThrow();
});
});
describe('dbQueryDurationSeconds', () => {
it('has name agentidp_db_query_duration_seconds', () => {
const metric = dbQueryDurationSeconds as unknown as { name: string };
expect(metric.name).toBe('agentidp_db_query_duration_seconds');
});
it('observes with operation label without throwing', () => {
expect(() =>
dbQueryDurationSeconds.observe({ operation: 'query' }, 0.002),
).not.toThrow();
});
});
describe('redisCommandDurationSeconds', () => {
it('has name agentidp_redis_command_duration_seconds', () => {
const metric = redisCommandDurationSeconds as unknown as { name: string };
expect(metric.name).toBe('agentidp_redis_command_duration_seconds');
});
it('observes with command label without throwing', () => {
expect(() =>
redisCommandDurationSeconds.observe({ command: 'get' }, 0.001),
).not.toThrow();
});
});
describe('credentialsExpiringSoonTotal', () => {
it('has name agentidp_credentials_expiring_soon_total', () => {
const metric = credentialsExpiringSoonTotal as unknown as { name: string };
expect(metric.name).toBe('agentidp_credentials_expiring_soon_total');
});
it('increments with agent_id label without throwing', () => {
expect(() =>
credentialsExpiringSoonTotal.inc({ agent_id: 'agent-test-001' }),
).not.toThrow();
});
});
describe('auditChainIntegrity', () => {
it('has name agentidp_audit_chain_integrity', () => {
const metric = auditChainIntegrity as unknown as { name: string };
expect(metric.name).toBe('agentidp_audit_chain_integrity');
});
it('can be set to 1 (passing) without throwing', () => {
expect(() => auditChainIntegrity.set(1)).not.toThrow();
});
it('can be set to 0 (failing) without throwing', () => {
expect(() => auditChainIntegrity.set(0)).not.toThrow();
});
});
});
Reference in New Issue View Git Blame Copy Permalink