1e42c4a5c2
FRE-4529: Transfer ShieldAI code from FrenoCorp repo
...
Transferred ShieldAI-related files mistakenly placed in ~/code/FrenoCorp:
- Services: spamshield (feature-flags, audit-logger, error-handler), voiceprint (config, service, feature-flags), darkwatch (pipeline, scan, scheduler, watchlist, webhook)
- Packages: shared-analytics, shared-auth, shared-ui, shared-utils (new); shared-billing, jobs supplemented with unique FC files
- Server: alerts (FC version newer), routes (spamshield, darkwatch, voiceprint)
- Config: turbo.json, tsconfig.base.json, vite/vitest configs, drizzle, Dockerfile
- VoicePrint ML service
- Examples
Pending: apps/{api,web,mobile}/ structured merge, shared-db/db mapping
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 10:13:13 -04:00
8687868632
Add request ID validation and CSPRNG fallback (FRE-4516)
...
- Max-length guard (256 chars) on incoming request IDs to prevent log bloat
- Format whitelist (alphanumeric, hyphen, underscore) to prevent log injection
- Replace Math.random() with crypto.randomBytes in fallback for CSPRNG
2026-05-02 09:43:13 -04:00
b01b79d02a
Add ReDoS validation for SpamRule.pattern field (FRE-4512)
...
- Create regex-validation utility with ReDoS detection (nested quantifiers,
overlapping alternations, complexity limits)
- Add @db.VarChar(500) constraint on pattern field in Prisma schema
- Integrate validation in rule-engine at load time and evaluation time
- Add 46 unit tests covering syntax, ReDoS patterns, complexity, edge cases
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 07:23:39 -04:00
90fbbc4465
FRE-4493: Complete API gateway review
...
✅ Approved Fastify API gateway implementation with:
- Request ID correlation middleware
- Multi-service routing (DarkWatch, VoicePrint, Correlation)
- CORS, Helmet security, health checks
- Docker containerization
Production gaps: rate limiting registration, JWT middleware, CORS whitelist
Artifacts:
- Review doc: packages/api/docs/FRE-4493-review.md
- Daily notes: memory/2026-05-02.md
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 01:51:23 -04:00
Senior Engineer
03276dde2d
Add cross-service alert correlation system FRE-4500
...
- Unified alert types (AlertSource, AlertCategory, CorrelationStatus, EntityType)
- NormalizedAlert and CorrelationGroup Prisma models
- AlertNormalizer for all 4 services (DarkWatch, SpamShield, VoicePrint, CallAnalysis)
- CorrelationEngine with temporal + entity-based correlation detection
- CorrelationService orchestrator with dashboard API
- Correlation API routes (/api/v1/correlation/*)
- Service emitters wired to DarkWatch, SpamShield, VoicePrint
- pnpm workspace config for monorepo
2026-05-02 01:10:44 -04:00
3663e5b80a
FRE-4517, FRE-4499: Complete SpamShield implementation and billing updates
...
- SpamFeedback table migration with timestamp index
- Real-time interception engine completion
- Billing service enhancements
- Classifier and rule engine updates
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-01 19:53:19 -04:00
c490735ba2
FRE-4520: Fix security vulnerabilities in notification template system
...
- Fix HTML injection vulnerability with proper entity encoding
- Fix rate limit cleanup bug (count vs timestamp confusion)
- Add URL validation to prevent open redirect attacks
- Add expiration to in-memory deduplication entries
- Use Zod schema for config validation
- Add email format validation
All 29 tests passing. Ready for Code Reviewer final review.
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-01 19:35:22 -04:00
2a5c6f49a7
Add SpamFeedback table migration with timestamp index (FRE-4517)
...
Create migration to add SpamFeedback table with indexes on:
- userId (user relationship queries)
- phoneNumberHash (anonymized lookup)
- createdAt (time-based queries, requested in FRE-4517)
2026-05-01 18:43:39 -04:00
Senior Engineer
574bcf2264
FRE-4521 Implement Redis integration for rate limiting and deduplication
...
- Add ioredis dependency for Redis connection pooling
- Create RedisService singleton with connection management
- Add Redis config (url, dedupWindowSeconds) to notification.config.ts
- Implement NotificationService.checkRateLimit using Redis INCR+EXPIRE
- Implement NotificationService.deduplicateNotification using Redis SET/NX
- Add configurable rate limit windows and thresholds via env vars
- Add 29 unit tests covering Redis operations, rate limiting, and dedup
- All tests pass, TypeScript compiles cleanly for new files
2026-05-01 16:13:17 -04:00
7aed2d8b2b
FRE-4520: Add unit tests for notification template system
...
- 25 tests covering template resolution, localization fallback, variable substitution, caching, custom template registration, and edge cases
- Update package.json to use vitest for test execution
- All 25 tests passing
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-01 10:08:48 -04:00
8b30cad462
FRE-4499: Implement real-time SpamShield interception engine
...
Phase 1 & 2 complete: Carrier API integration, decision engine, and WebSocket alerts
## Carrier API Integration
- Carrier types interface for Twilio/Plivo/SIP
- Twilio carrier implementation with block/flag/allow operations
- Plivo carrier implementation with custom action headers
- Carrier factory for carrier management and health checks
## Decision Engine
- Multi-layer scoring: Reputation (40%), Rules (30%), Behavioral (20%), User History (10%)
- Thresholds: BLOCK >= 0.85, FLAG >= 0.60, ALLOW < 0.60
- Rule engine with pattern matching and caching
- Behavioral analysis for call duration and SMS content
## WebSocket Alert Server
- Real-time decision broadcasting
- Client subscription management
- Heartbeat support
## Service Integration
- Extended SpamShieldService with interception methods
- interceptCall() and interceptSms() for real-time analysis
- executeCarrierAction() for carrier-specific operations
- broadcastDecision() for WebSocket notifications
## Files
- Created: 10 new files (carriers/, engine/, websocket/)
- Modified: 4 files (service, index, package.json, plan)
TypeScript typecheck shows 27 errors (type-safety improvements only)
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-01 10:04:25 -04:00
ec4565f44c
Implement WebRTC real-time call analysis with security hardening (FRE-4497)
...
- signaling-server.ts: JWT auth, origin validation, JSON schema validation,
crypto.randomBytes peer IDs, message size limits, idle timeout, graceful shutdown
- alert-server.ts: JWT auth enabled by default, non-empty jwtSecret from env,
origin allowlist, per-subscriber callId filtering, bounded alert history with TTL,
alert cooldown, graceful shutdown with timeout
- call-analysis-engine.ts: Bounded eventBuffer/anomalyBuffer with FIFO eviction,
real quality metrics from signal properties, configurable buffer sizes
- audio-stream-capture.ts: Proper destroy() lifecycle with awaited stop(),
AudioWorklet support with ScriptProcessorNode fallback, bounded frame buffers
- Added ws dependency and server tsconfig
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-30 16:49:53 -04:00
19c5a951fe
billing
2026-04-30 11:07:38 -04:00
9fb5379b7a
Add tier-based scan scheduler and webhook triggers (FRE-4498)
...
- ScanScheduler: tier-based scheduling (BASIC=24h, PLUS=6h, PREMIUM=1h)
- WebhookHandler: HMAC-verified webhook ingestion with SCAN_TRIGGER support
- API routes: /scheduler and /webhooks endpoints under /api/v1/darkwatch
- Jobs: scheduled scan checker + webhook retry processor via BullMQ
- Schema: ScanSchedule, WebhookEvent models; ScanJob.scheduledBy field
- Types: ScheduleStatus, WebhookEventType, WebhookTriggerInput
- Tests: scheduler lifecycle + webhook signature/processing tests
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-30 10:57:56 -04:00
509259bcf2
for first push
2026-04-29 16:29:03 -04:00
Senior Engineer
218de3b03b
FRE-4471: Scaffold DarkWatch MVP — monorepo, schema, services, API routes, tests
...
- Turborepo monorepo structure (packages: api, db, types, jobs; services: darkwatch)
- Prisma schema: User, WatchListItem, Exposure, Alert, ScanJob models
- WatchListService: CRUD with normalization, dedup, tier-based limits
- HIBPService: API integration with severity scoring
- MatchingEngine: exact-match with content hash dedup
- AlertPipeline: dedup window, email notifications
- ScanService: orchestrates watch list -> HIBP -> match -> alert flow
- BullMQ job workers for scan and alert processing
- Fastify API routes: watchlist, exposures, alerts, scan
- Docker Compose: PostgreSQL 16 + Redis 7
- 15 unit tests passing
- Implementation plan document uploaded
2026-04-29 09:47:45 -04:00
