a4684e9121
Fix SMS classifier test mock: add defaultScores and metadataLimits exports (FRE-4509)
...
The test mock for spamshield.config was missing defaultScores and
metadataLimits exports that are imported by spamshield.service.ts,
causing 8 tests to fail with 'No defaultScores export is defined'.
2026-05-02 20:23:29 -04:00
Senior Engineer
91e4985a8e
FRE-4474 Phase 5: Verify and resolve security review findings for SpamShield and Cross-Service Correlation
...
- FRE-4499 (SpamShield): Verified 6 security fixes (2 High, 4 Medium)
- S01: Pre-compiled regex in RuleEngine (ReDoS fix)
- S02: SmsClassifier accepts senderPhoneNumber context
- S03: AlertServer JWT auth + origin validation
- S04: SHA-256 phone hashing (PII protection)
- S05: DecisionEngine timeout enforcement via Promise.race
- S06: CarrierFactory.getAllCarriers properly async/await
- FRE-4500 (Correlation): Verified 7 security fixes (2 Critical, 2 High, 2 Medium, 1 Low)
- C1: Ingest endpoints auth via request.user.id
- C2: IDOR protection on group endpoints (userId filter)
- H3: JWT middleware registered in server.ts
- H4: Fastify schema validation on all routes
- M6: Payload sanitization with depth limit and circular ref detection
- L7: CORS origin restricted to env var
- Resolved liveness incidents FRE-4652 and FRE-4654
- All Phase 5 child issues now complete
2026-05-02 18:36:29 -04:00
0afdf8b6e8
FRE-4500: Fix security review findings (Critical/High/Medium/Low)
...
- Critical #1 : Add auth check to ingest endpoints (use request.user.id)
- Critical #2 : Add IDOR protection on group endpoints (userId ownership)
- High #3 : Register auth middleware in server.ts (populates request.user)
- High #4 : Add Fastify schema validation to all route handlers
- Medium #5 : Add NormalizedAlert/CorrelationGroup models to Prisma schema
- Medium #6 : Sanitize payload storage in normalizer (depth limit, circular ref)
- Low #7 : Restrict CORS origins (use CORS_ORIGIN env var)
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 16:40:01 -04:00
24bc9c235f
Consolidate @shieldai/db and @shieldsai/shared-db packages (FRE-4603)
...
- Merged singleton pattern + type exports from shared-db
- Kept FieldEncryptionService from original db package
- Upgraded to Prisma v6.2.0 (newer version)
- Adopted shared-db's complete schema for multi-service platform
- Updated 17 consumer imports across darkwatch, voiceprint, jobs, api
- Standardized on @shieldai/db namespace
Files changed:
- packages/db/package.json (v0.1.0 → v0.2.0)
- packages/db/src/index.ts (consolidated exports)
- packages/db/prisma/schema.prisma (merged schema)
- packages/db/prisma/seed.ts (updated for new schema)
- 17 consumer files updated
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 15:06:02 -04:00
bdf8ad30b6
Apply security remediations for FRE-4498 (FRE-4612)
...
Security findings from April 30 review were claimed fixed but never committed.
Applied all remediations:
HIGH:
- WebhookHandler: fail fast when DARKWATCH_WEBHOOK_SECRET missing instead of defaulting to hardcoded secret
- field-encryption.service: require PII_ENCRYPTION_KEY at startup instead of defaulting
MEDIUM:
- WebhookHandler: make signature required (was optional, accepted unsigned events)
- WebhookHandler: reject unknown event types instead of silently defaulting to SCAN_TRIGGER
- scheduler.routes + webhook.routes: add ownership checks on /:userId endpoints (IDOR)
LOW:
- webhook.routes: generic error responses, full error logged server-side
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 13:03:28 -04:00
f34adc5e82
Add null checks in feedback processing pipeline (FRE-4514)
...
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 13:01:02 -04:00
e704a9074a
FRE-4533: Merge apps/{api,web,mobile} and shared-db into ShieldAI repo
...
Merge FrenoCorp apps into ShieldAI packages/:
- packages/api: merged routes (notifications), middleware (auth, rate-limit, error, logging), config, services (darkwatch, spamshield, voiceprint), tests
- packages/web: new SolidJS web app stub
- packages/mobile: new SolidJS mobile app stub
- packages/shared-db: new Prisma DB package (separate from existing packages/db)
- pnpm-workspace.yaml: restored (apps/* removed, already covered by packages/*)
Next: reconcile packages/shared-db with packages/db, and fix server.ts correlationRoutes import
2026-05-02 10:19:11 -04:00
1e42c4a5c2
FRE-4529: Transfer ShieldAI code from FrenoCorp repo
...
Transferred ShieldAI-related files mistakenly placed in ~/code/FrenoCorp:
- Services: spamshield (feature-flags, audit-logger, error-handler), voiceprint (config, service, feature-flags), darkwatch (pipeline, scan, scheduler, watchlist, webhook)
- Packages: shared-analytics, shared-auth, shared-ui, shared-utils (new); shared-billing, jobs supplemented with unique FC files
- Server: alerts (FC version newer), routes (spamshield, darkwatch, voiceprint)
- Config: turbo.json, tsconfig.base.json, vite/vitest configs, drizzle, Dockerfile
- VoicePrint ML service
- Examples
Pending: apps/{api,web,mobile}/ structured merge, shared-db/db mapping
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 10:13:13 -04:00
90fbbc4465
FRE-4493: Complete API gateway review
...
✅ Approved Fastify API gateway implementation with:
- Request ID correlation middleware
- Multi-service routing (DarkWatch, VoicePrint, Correlation)
- CORS, Helmet security, health checks
- Docker containerization
Production gaps: rate limiting registration, JWT middleware, CORS whitelist
Artifacts:
- Review doc: packages/api/docs/FRE-4493-review.md
- Daily notes: memory/2026-05-02.md
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-02 01:51:23 -04:00
Senior Engineer
03276dde2d
Add cross-service alert correlation system FRE-4500
...
- Unified alert types (AlertSource, AlertCategory, CorrelationStatus, EntityType)
- NormalizedAlert and CorrelationGroup Prisma models
- AlertNormalizer for all 4 services (DarkWatch, SpamShield, VoicePrint, CallAnalysis)
- CorrelationEngine with temporal + entity-based correlation detection
- CorrelationService orchestrator with dashboard API
- Correlation API routes (/api/v1/correlation/*)
- Service emitters wired to DarkWatch, SpamShield, VoicePrint
- pnpm workspace config for monorepo
2026-05-02 01:10:44 -04:00
3663e5b80a
FRE-4517, FRE-4499: Complete SpamShield implementation and billing updates
...
- SpamFeedback table migration with timestamp index
- Real-time interception engine completion
- Billing service enhancements
- Classifier and rule engine updates
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-05-01 19:53:19 -04:00
9fb5379b7a
Add tier-based scan scheduler and webhook triggers (FRE-4498)
...
- ScanScheduler: tier-based scheduling (BASIC=24h, PLUS=6h, PREMIUM=1h)
- WebhookHandler: HMAC-verified webhook ingestion with SCAN_TRIGGER support
- API routes: /scheduler and /webhooks endpoints under /api/v1/darkwatch
- Jobs: scheduled scan checker + webhook retry processor via BullMQ
- Schema: ScanSchedule, WebhookEvent models; ScanJob.scheduledBy field
- Types: ScheduleStatus, WebhookEventType, WebhookTriggerInput
- Tests: scheduler lifecycle + webhook signature/processing tests
Co-Authored-By: Paperclip <noreply@paperclip.ing >
2026-04-30 10:57:56 -04:00
509259bcf2
for first push
2026-04-29 16:29:03 -04:00
Senior Engineer
218de3b03b
FRE-4471: Scaffold DarkWatch MVP — monorepo, schema, services, API routes, tests
...
- Turborepo monorepo structure (packages: api, db, types, jobs; services: darkwatch)
- Prisma schema: User, WatchListItem, Exposure, Alert, ScanJob models
- WatchListService: CRUD with normalization, dedup, tier-based limits
- HIBPService: API integration with severity scoring
- MatchingEngine: exact-match with content hash dedup
- AlertPipeline: dedup window, email notifications
- ScanService: orchestrates watch list -> HIBP -> match -> alert flow
- BullMQ job workers for scan and alert processing
- Fastify API routes: watchlist, exposures, alerts, scan
- Docker Compose: PostgreSQL 16 + Redis 7
- 15 unit tests passing
- Implementation plan document uploaded
2026-04-29 09:47:45 -04:00
