Mike/ShieldAI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
62 Commits 1 Branch 0 Tags
c1e4e8e4045c7b2603dedeedf93714ef0f85d7c1
Commit Graph

8 Commits

Author SHA1 Message Date
Michael Freno
7b925c89bd Fix 3 Code Review findings on FRE-4574 
- P2: Replace wget with curl for ECS health check (Alpine lacks wget)
- P2: Add AWS credentials step to CI terraform-plan job for S3 backend auth
- P3: Remove unused GitHub provider from infra/main.tf

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-10 07:09:39 -04:00
Michael Freno
4ddd24fd72 Fix 6 P1 infrastructure issues from code review (FRE-4574) 
- ALB: deploy to public subnets instead of private (adds public_subnet_ids var)
- ECS: fix launch_desired_count → launch_type = FARGATE
- Secrets: accept actual RDS/ElastiCache endpoints from parent module
- Deploy: fix circular dependency (needs.detect → steps.detect)
- Health check: dynamic ALB DNS lookup via aws elbv2 CLI
- Health check: exit 1 on failure so rollback triggers

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-10 02:28:48 -04:00
Michael Freno
8506fd17ef Fix load test scenarios, runner, and CI threshold checks 
- Add constant-arrival-rate scenarios to all 4 service scripts (api,
  darkwatch, spamshield, voiceprint) to enforce 500 req/s target
- Fix defaultThresholds() to return { thresholds: {...} } so
  http_req_duration and errors thresholds are actually applied
- Rewrite run-all.sh: per-service summary files, proper env var
  passing (DURATION, API_TOKEN), fixed threshold aggregation
- Update CI workflow threshold check jq to match new threshold-results
  structure (.services.<name>.exitCode)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-09 10:35:45 -04:00
Michael Freno
a804cab431 Add load testing job to GitHub Actions CI pipeline (FRE-4931) 
- Add load-test job to ci.yml that runs after docker-build on push to main
- Create combined load test runner (scripts/load-test/run-all.sh) for all services
- Create k6 load test scripts for api, darkwatch, spamshield, and voiceprint
- Add shared k6 utilities (lib/common.js)
- Update load-test.yml to support all services and report artifacts
- Configure k6 cloud output and P99 threshold validation
- Generate load test report as CI artifact

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-05-09 09:16:36 -04:00
Senior Engineer
cb5851ec8c Add k6 load test scripts for Voiceprint verification endpoints (FRE-4930) 
- k6 script with P99 latency thresholds (enrollment <500ms, verification <250ms, model retrieval <100ms)
- Configurable 500 req/s sustained throughput for 5 minutes
- Mixed workload scenario + individual endpoint scenarios
- GitHub Actions workflow for automated load testing
- Runner script with environment configuration
- JSON result export for CI artifact collection
- .gitignore entry for load test results
 2026-05-09 07:50:29 -04:00
Senior Engineer
a0799c0647 Add Terraform AWS infrastructure and enhanced CI/CD pipeline (FRE-4574) 
- Terraform modules: VPC, ECS Fargate, RDS PostgreSQL, ElastiCache Redis, S3, Secrets Manager, CloudWatch
- Multi-environment support: staging and production configs
- ECS auto-scaling: CPU-based scaling with configurable min/max
- CI/CD: pnpm caching, Docker Buildx, Trivy security scanning, Terraform plan on PR
- Deploy: ECS service updates with automatic rollback on health check failure
- Backup: automated RDS snapshots, S3 versioning, ElastiCache snapshots
- Monitoring: CloudWatch dashboards, CPU/memory/5xx alarms
- Rollback script for manual service rollback
- Infrastructure documentation with architecture overview
 2026-05-08 02:54:39 -04:00
Senior Engineer
91e4985a8e FRE-4474 Phase 5: Verify and resolve security review findings for SpamShield and Cross-Service Correlation 
- FRE-4499 (SpamShield): Verified 6 security fixes (2 High, 4 Medium)
  - S01: Pre-compiled regex in RuleEngine (ReDoS fix)
  - S02: SmsClassifier accepts senderPhoneNumber context
  - S03: AlertServer JWT auth + origin validation
  - S04: SHA-256 phone hashing (PII protection)
  - S05: DecisionEngine timeout enforcement via Promise.race
  - S06: CarrierFactory.getAllCarriers properly async/await

- FRE-4500 (Correlation): Verified 7 security fixes (2 Critical, 2 High, 2 Medium, 1 Low)
  - C1: Ingest endpoints auth via request.user.id
  - C2: IDOR protection on group endpoints (userId filter)
  - H3: JWT middleware registered in server.ts
  - H4: Fastify schema validation on all routes
  - M6: Payload sanitization with depth limit and circular ref detection
  - L7: CORS origin restricted to env var

- Resolved liveness incidents FRE-4652 and FRE-4654
- All Phase 5 child issues now complete
 2026-05-02 18:36:29 -04:00
Michael Freno
9fb5379b7a Add tier-based scan scheduler and webhook triggers (FRE-4498) 
- ScanScheduler: tier-based scheduling (BASIC=24h, PLUS=6h, PREMIUM=1h)
- WebhookHandler: HMAC-verified webhook ingestion with SCAN_TRIGGER support
- API routes: /scheduler and /webhooks endpoints under /api/v1/darkwatch
- Jobs: scheduled scan checker + webhook retry processor via BullMQ
- Schema: ScanSchedule, WebhookEvent models; ScanJob.scheduledBy field
- Types: ScheduleStatus, WebhookEventType, WebhookTriggerInput
- Tests: scheduler lifecycle + webhook signature/processing tests

Co-Authored-By: Paperclip <noreply@paperclip.ing>
 2026-04-30 10:57:56 -04:00