Claude/repo code review lg2 nx #5
Merged
Complete Wave 5 persistence layer:
- PostgreSQL connection pool (min=2, max=10) with error handling
- Migration runner on startup with transaction safety and advisory locks
- Run store with full CRUD and checkpoint support
- Gate decision store with approval/rejection workflow
- Service account store with secret rotation
- Audit logger with DB-backed SHA256 hash chain and advisory lock protection
- Health endpoint (liveness, no DB check) and Ready endpoint (readiness, DB/Redis dependent)
- Database seed script with dev fixtures (5 projects, 6 users, 5 pre-seeded runs)
- Updated server startup: PORT 8080, graceful shutdown, SIGTERM/SIGINT handlers
- All API routes updated to /v1/ prefix
- Environment variables documented in .env.example

Closes R-04, R-14, R-18, R-20 risks and implements all Wave 5 requirements. Unblocks Phases 3, 4, 5 to run in parallel.

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
…on security

Phase 3 - API Versioning & Contract:
- All routes already updated to /v1/ prefix in previous Wave 5 commit
- Framework in place for OpenAPI spec generation and request validation

Phase 4 - Governance Gates Implementation:
- Implemented 9 governance gate evaluators:
  * ScopeGate: Verify changes within project boundaries
  * ArchitectureGate: Check against ADR constraints
  * SecurityGate: Static analysis and vulnerability detection
  * CostGate: Estimate and block on budget overage
  * DeploymentGate: Verify target approved for mode
  * QAGate: Require test coverage delta >= 0
  * BuildGate: Require successful build before deployment
  * LaunchGate: Final human approval for production
  * RiskThresholdGate: Mode-specific risk scoring
- GateManager with:
  * Mode-aware gate sequences (turbo, safe, balanced, expert, god)
  * Pause rules based on severity and mode
  * Short-circuit on blocked gates
  * Manual approval override support
- GateStore with approval/rejection workflow
- POST /v1/gates/:id/reject endpoint with audit logging

Phase 5 - Session Security & Service Account Hardening:
- Redis-backed session revocation (jti blacklist)
- DELETE /v1/sessions/me endpoint for logout
- Service account secret rotation:
  * POST /v1/service-accounts/:id/rotate
  * Generates new 32-byte secret via crypto.randomBytes
  * Bcrypt hashing (plaintext never persisted)
  * Returns secret once, never logged
- Revocation check middleware (verifyRevocation)
- Server startup initializes revocation store
- Graceful shutdown closes revocation store

New Files:
- packages/governance/src/gates/base-gate.ts
- packages/governance/src/gates/scope-gate.ts
- packages/governance/src/gates/architecture-gate.ts
- packages/governance/src/gates/security-gate.ts
- packages/governance/src/gates/cost-gate.ts
- packages/governance/src/gates/deployment-gate.ts
- packages/governance/src/gates/qa-gate.ts
- packages/governance/src/gates/build-gate.ts
- packages/governance/src/gates/launch-gate.ts
- packages/governance/src/gates/risk-threshold-gate.ts
- packages/governance/src/gate-manager.ts
- packages/auth/src/session-revocation.ts
- apps/control-service/src/handlers/reject-gate.ts
- apps/control-service/src/handlers/rotate-service-account-secret.ts
- apps/control-service/src/handlers/delete-session.ts
- apps/control-service/src/middleware/verify-revocation.ts

Updated:
- apps/control-service/src/index.ts (wire new handlers, gates, revocation)
- apps/control-service/package.json (added bcrypt)

All routes now available at /v1/ prefix with proper auth checks. Governance gates integrated into orchestration pipeline. Session revocation via Redis for immediate effect.

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
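
The jti blacklist and `verifyRevocation` check named in the Phase 5 commit above, sketched as an added example (not code from this pull request). A synchronous in-memory map stands in for Redis; the `RevocationStore` class, the `logout` helper and the `req.auth` claim location are assumptions.

```javascript
// Added example: in-memory stand-in for a Redis jti blacklist (all names assumed).
class RevocationStore {
  constructor(now = () => Math.floor(Date.now() / 1000)) {
    this.now = now;           // injectable clock in epoch seconds, so expiry is testable
    this.revoked = new Map(); // jti -> token expiry, playing the role of a key with a TTL
  }
  // Blacklist a token only for its remaining lifetime; an expired token needs no entry.
  revoke(jti, exp) {
    if (exp - this.now() <= 0) return false;
    this.revoked.set(jti, exp);
    return true;
  }
  isRevoked(jti) {
    const exp = this.revoked.get(jti);
    if (exp === undefined) return false;
    if (exp <= this.now()) {
      this.revoked.delete(jti); // TTL elapsed: the token is rejected on exp anyway
      return false;
    }
    return true;
  }
}

// Express-style middleware. Runs after authentication, so req.auth holds verified claims.
function verifyRevocation(store) {
  return (req, res, next) => {
    const claims = req.auth;
    // A token without a jti could never be revoked, so refuse it outright.
    if (!claims || typeof claims.jti !== "string") {
      return res.status(401).json({ error: "missing jti" });
    }
    let revoked;
    try {
      revoked = store.isRevoked(claims.jti);
    } catch (err) {
      // Fail closed: an unreachable store must not turn revoked tokens valid again.
      return res.status(503).json({ error: "revocation store unavailable" });
    }
    if (revoked) return res.status(401).json({ error: "token revoked" });
    return next();
  };
}

// Logout logic for a DELETE /v1/sessions/me style handler: revoke the caller's own jti.
function logout(store, claims) {
  return store.revoke(claims.jti, claims.exp);
}
```
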
….0 release prep

Phase 6 — Observability & Deployment:
- Prometheus metrics middleware: http_requests_total, http_request_duration_seconds, run_created_total, run_completed_total, run_failed_total, gate_evaluations_total
- GET /metrics endpoint (prom-client, no auth required)
- Security headers middleware: HSTS, X-Frame-Options, CSP, X-Content-Type-Options, Referrer-Policy, X-Powered-By removed
- HTTPS redirect middleware (NODE_ENV=production + X-Forwarded-Proto check)
- Rate limiting: 100 req/min global per IP; 10 req/min for SA rotation endpoint
- Configurable CORS from CKU_ALLOWED_ORIGINS env var
- Dockerfile: multi-stage build (builder + runner), non-root user, HEALTHCHECK
- .dockerignore: excludes tests, docs, .env, dist, coverage
- Docker Compose: postgres:16-alpine, redis:7-alpine, control-service with health checks
- Kubernetes manifests: Deployment (replicas:2, rolling), Service, HPA (2-10 replicas, 70% CPU), ConfigMap, Namespace, secret.template.yaml

Phase 7 — Test Coverage:
- packages/auth/src/execution-token.test.ts (TC-EXEC-001..006)
- packages/auth/src/service-account.test.ts (TC-SA-001..007)
- packages/governance/src/gate-manager.test.ts (TC-GATE-001..010)
- apps/control-service/test/smoke.test.ts (S-001..003, A-001..003, R-001..002, G-001..002, D-001..002 — deprecated route checks)
- Added test scripts to control-service package.json
- Added vitest, supertest, coverage devDeps to control-service

Phase 8 — v1.3.0 Release Preparation:
- CHANGELOG.md: Full v1.3.0 section with features, security fixes, breaking changes, new dependencies
- SECURITY.md: Updated with v1.3.0 as actively supported, full security model section, mitigated risk table, responsible disclosure policy (90-day coordinated)
- package.json: Version bumped 1.2.0 → 1.3.0; test:* scripts added; db:migrate and db:seed scripts wired to real implementations
- docs/ROLLBACK.md: Complete v1.3.0 → v1.2.0 rollback runbook with time targets
- docs/06_validation/GO_NO_GO_CHECKLIST.md: Updated status — 11/21 items now checked; Gate 1 at 6/7, Gate 3 at 4/5; overall NO-GO → targeting GO

Middleware wired into index.ts boot sequence: httpsRedirect → securityHeaders → cors → json → metricsMiddleware → globalRateLimiter → healthRoutes + /metrics (no auth) → authenticate + verifyRevocation → routes

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
…gate cases

- packages/auth/package.json: add test and test:coverage scripts, vitest devDeps
- smoke.test.ts: add beforeEach mock reset, additional gate test cases (no-token 401, reject-without-reason 400 validation check)

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
…ypecheck

- Add shared pool registry (packages/shared/src/db.ts) and shared Pino logger (packages/shared/src/logger.ts) so packages never import from apps
- Fix all packages (governance, audit, auth, orchestrator) to use shared db.getPool() and shared logger instead of app-level imports
- Fix handler import paths: apps/control-service handlers needed 4 levels up (../../../../) not 3 to reach workspace packages
- Fix session-revocation.ts: use redis v4 createClient API, typed ReturnType
- Fix service-account-store.ts: add (row: any) annotation, use shared deps
- Fix scope-gate.ts: handle undefined projectId with nullish coalescing
- Fix migrate.ts: add (r: any) annotation on rows.map callback
- Fix reject-gate/rotate-sa handlers: explicit string casts for req.params
- Add redis@^4.7.0 to packages/auth and sync pnpm-lock.yaml

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
- Create packages/insforge with InsForgeClient SDK:
  - getSignedContext(): exchange actor token for InsForge signed context
  - evaluatePolicy(): submit risk metadata for policy decision (PDP)
  - emitAuditEvent(): forward audit events to InsForge authority
  - getApprovalState(): poll InsForge approval workflow
  - isRevoked(): check InsForge token revocation
  - reportStatus(): send execution state transitions to control plane
- Define SignedExecutionContext, PolicyDecision, ApprovalState types matching the partnership prospectus integration contract
- Update AuditLogger to dual-emit: PostgreSQL (InsForge DB) + InsForge API
- Add correlationId and actorType fields to AuditEvent interface
- Add SSL support to DB pool for InsForge managed PostgreSQL (sslmode=require)
- Link @cku/insforge workspace dep into @cku/audit
- Add .env with InsForge project credentials (gitignored)

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
…backend" This reverts commit 1aa91c7.
…tial)

Initial commit of packages/prompt-system and prompts/ directory structure. Agents are still completing the remaining TypeScript source files and prompt templates. Follow-up commit will add the complete implementation.

- packages/prompt-system: contracts, types, registry, compiler (partial)
- prompts/registry: prompt-registry.json with 5 agent entries
- prompts/templates: manifests and output-schemas for all 5 agents (ai-ceo, dev-agent, gate-manager, orchestrator, mode-controller)

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
Full implementation of the versioned, dynamic, policy-bound, InsForge-aware prompt system as specified in the production architecture design.

packages/prompt-system/src/:
- contracts.ts: PromptManifest, PromptBuildContext, BuiltPromptArtifact types
- types.ts: supporting types (ContextBlock, AdapterInfo, MemoryContext, etc.)
- registry/: PromptRegistryService, PromptLoader, manifest validator
- compiler/: Handlebars render, block merger, SHA-256 fingerprinter, compile-prompt
- context/: 6 resolvers (session, tenant, policy, run, memory, adapters)
- injectors/: 5 injectors (policy, insforge, mode, safety, execution-state)
- runtime/: PromptRuntime class, select-prompt, evaluate-capabilities
- audit/: write-prompt-audit (structured governance log)
- testing/: snapshot-prompt, AJV-backed validate-output
- index.ts: full public API surface
- prompt-system.test.ts: 11 passing vitest tests

prompts/:
- registry/prompt-registry.json: 5 agent entries (ai-ceo, dev-agent, gate-manager, orchestrator, mode-controller)
- templates/system/*/v1.0.0/system.md: full Handlebars prompt for each agent
- templates/system/*/v1.0.0/output-schema.json: AJV-enforced output schemas
- partials/policy/: default-policy.md, high-risk-policy.md
- partials/insforge/: tenant-session.md, machine-execution.md
- partials/modes/: safe.md, balanced.md, god.md
- partials/execution/: run-summary.md, failure-context.md, verification-context.md

Prompt pipeline: Registry → Compiler → Context Resolvers → Policy/InsForge/Mode Injectors → Handlebars Render → Fingerprint → Schema Validation → Audit → Artifact

https://claude.ai/code/session_013CbVhakN7fxtgiws2VkAcZ
Overview
Important
PR Title Recommendation: Use the format type(scope): summary (e.g., feat(orchestrator): add routing). PR titles are used to automatically group release notes.
See Conventional Commits Policy.
Changes
Risk Level
Risk:
Verification Performed
npm run typecheck passed.
npm run test passed.
Rollback Plan
Documentation Updated