stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	dd171b287f	feat(#353 ): Create VaultService NestJS module for OpenBao Transit Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details Implements secure credential encryption using OpenBao Transit API with automatic fallback to AES-256-GCM when OpenBao is unavailable. Features: - AppRole authentication with automatic token renewal at 50% TTL - Transit encrypt/decrypt with 4 named keys - Automatic fallback to CryptoService when OpenBao unavailable - Auto-detection of ciphertext format (vault:v1: vs AES) - Request timeout protection (5s default) - Health indicator for monitoring - Backward compatible with existing AES-encrypted data Security: - ERROR-level logging for fallback - Proper error propagation (no silent failures) - Request timeouts prevent hung operations - Secure credential file reading Migrations: - Account encryption middleware uses VaultService - Uses TransitKey.ACCOUNT_TOKENS for OAuth tokens - Backward compatible with existing encrypted data Tests: 56 tests passing (36 VaultService + 20 middleware) Closes #353 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-07 16:13:05 -06:00
Jason Woltje	737eb40d18	feat(#352 ): Encrypt existing plaintext Account tokens Some checks failed ci/woodpecker/push/woodpecker Pipeline failed Details Implements transparent encryption/decryption of OAuth tokens via Prisma middleware with progressive migration strategy. Core Implementation: - Prisma middleware transparently encrypts tokens on write, decrypts on read - Auto-detects ciphertext format: aes:iv:authTag:encrypted, vault:v1:..., or plaintext - Uses existing CryptoService (AES-256-GCM) for encryption - Progressive encryption: tokens encrypted as they're accessed/refreshed - Zero-downtime migration (schema change only, no bulk data migration) Security Features: - Startup key validation prevents silent data loss if ENCRYPTION_KEY changes - Secure error logging (no stack traces that could leak sensitive data) - Graceful handling of corrupted encrypted data - Idempotent encryption prevents double-encryption - Future-proofed for OpenBao Transit encryption (Phase 2) Token Fields Encrypted: - accessToken (OAuth access tokens) - refreshToken (OAuth refresh tokens) - idToken (OpenID Connect ID tokens) Backward Compatibility: - Existing plaintext tokens readable (encryptionVersion = NULL) - Progressive encryption on next write - BetterAuth integration transparent (middleware layer) Test Coverage: - 20 comprehensive unit tests (89.06% coverage) - Encryption/decryption scenarios - Null/undefined handling - Corrupted data handling - Legacy plaintext compatibility - Future vault format support - All CRUD operations (create, update, updateMany, upsert) Files Created: - apps/api/src/prisma/account-encryption.middleware.ts - apps/api/src/prisma/account-encryption.middleware.spec.ts - apps/api/prisma/migrations/20260207_encrypt_account_tokens/migration.sql Files Modified: - apps/api/src/prisma/prisma.service.ts (register middleware) - apps/api/src/prisma/prisma.module.ts (add CryptoService) - apps/api/src/federation/crypto.service.ts (add key validation) - apps/api/prisma/schema.prisma (add encryptionVersion) - .env.example (document ENCRYPTION_KEY) Fixes #352 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-07 13:16:43 -06:00
Jason Woltje	99afde4f99	feat(#2 ): Implement PostgreSQL 17 + pgvector database schema Establishes multi-tenant database layer with vector similarity search for AI-powered memory features. Includes Docker infrastructure, Prisma ORM integration, NestJS services, and shared types across the monorepo. Key changes: - Docker: PostgreSQL 17 + pgvector v0.7.4, Valkey cache - Schema: 8 models (User, Workspace, Task, Event, Project, ActivityLog, MemoryEmbedding) with RLS preparation - NestJS: PrismaModule, DatabaseModule, EmbeddingsService - Shared: Type-safe enums, constants, and database types Fixes #2 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-28 16:06:34 -06:00

Author

SHA1

Message

Date

Jason Woltje

dd171b287f

feat(#353 ): Create VaultService NestJS module for OpenBao Transit

ci/woodpecker/push/woodpecker Pipeline failed

Details

Implements secure credential encryption using OpenBao Transit API with
automatic fallback to AES-256-GCM when OpenBao is unavailable.

Features:
- AppRole authentication with automatic token renewal at 50% TTL
- Transit encrypt/decrypt with 4 named keys
- Automatic fallback to CryptoService when OpenBao unavailable
- Auto-detection of ciphertext format (vault:v1: vs AES)
- Request timeout protection (5s default)
- Health indicator for monitoring
- Backward compatible with existing AES-encrypted data

Security:
- ERROR-level logging for fallback
- Proper error propagation (no silent failures)
- Request timeouts prevent hung operations
- Secure credential file reading

Migrations:
- Account encryption middleware uses VaultService
- Uses TransitKey.ACCOUNT_TOKENS for OAuth tokens
- Backward compatible with existing encrypted data

Tests: 56 tests passing (36 VaultService + 20 middleware)

Closes #353

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-07 16:13:05 -06:00

Jason Woltje

737eb40d18

feat(#352 ): Encrypt existing plaintext Account tokens

ci/woodpecker/push/woodpecker Pipeline failed

Details

Implements transparent encryption/decryption of OAuth tokens via Prisma middleware with progressive migration strategy.

Core Implementation:
- Prisma middleware transparently encrypts tokens on write, decrypts on read
- Auto-detects ciphertext format: aes:iv:authTag:encrypted, vault:v1:..., or plaintext
- Uses existing CryptoService (AES-256-GCM) for encryption
- Progressive encryption: tokens encrypted as they're accessed/refreshed
- Zero-downtime migration (schema change only, no bulk data migration)

Security Features:
- Startup key validation prevents silent data loss if ENCRYPTION_KEY changes
- Secure error logging (no stack traces that could leak sensitive data)
- Graceful handling of corrupted encrypted data
- Idempotent encryption prevents double-encryption
- Future-proofed for OpenBao Transit encryption (Phase 2)

Token Fields Encrypted:
- accessToken (OAuth access tokens)
- refreshToken (OAuth refresh tokens)
- idToken (OpenID Connect ID tokens)

Backward Compatibility:
- Existing plaintext tokens readable (encryptionVersion = NULL)
- Progressive encryption on next write
- BetterAuth integration transparent (middleware layer)

Test Coverage:
- 20 comprehensive unit tests (89.06% coverage)
- Encryption/decryption scenarios
- Null/undefined handling
- Corrupted data handling
- Legacy plaintext compatibility
- Future vault format support
- All CRUD operations (create, update, updateMany, upsert)

Files Created:
- apps/api/src/prisma/account-encryption.middleware.ts
- apps/api/src/prisma/account-encryption.middleware.spec.ts
- apps/api/prisma/migrations/20260207_encrypt_account_tokens/migration.sql

Files Modified:
- apps/api/src/prisma/prisma.service.ts (register middleware)
- apps/api/src/prisma/prisma.module.ts (add CryptoService)
- apps/api/src/federation/crypto.service.ts (add key validation)
- apps/api/prisma/schema.prisma (add encryptionVersion)
- .env.example (document ENCRYPTION_KEY)

Fixes #352

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-07 13:16:43 -06:00

Jason Woltje

99afde4f99

feat(#2 ): Implement PostgreSQL 17 + pgvector database schema

Establishes multi-tenant database layer with vector similarity search for AI-powered memory features. Includes Docker infrastructure, Prisma ORM integration, NestJS services, and shared types across the monorepo.

Key changes:
- Docker: PostgreSQL 17 + pgvector v0.7.4, Valkey cache
- Schema: 8 models (User, Workspace, Task, Event, Project, ActivityLog, MemoryEmbedding) with RLS preparation
- NestJS: PrismaModule, DatabaseModule, EmbeddingsService
- Shared: Type-safe enums, constants, and database types

Fixes #2

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-01-28 16:06:34 -06:00

3 Commits