Commit Graph

31 Commits

Author SHA1 Message Date
CarterPerez-dev 2466a80ce2 feat(cre): one-shot curl|bash installer for credential-rotation-enforcer
- fresh-machine to 'cre' on PATH, runnable from a clone or piped from the web
2026-06-18 23:24:30 -04:00
CarterPerez-dev 0006ddad3d cracked 2026-05-23 05:01:01 -04:00
CarterPerez-dev 91199476e1 feat: comprehensive audit-driven hardening pass
Closes 36 findings from the project audit. The headline win is correctness:
the daemon now actually does what the README claims, all three audit-log
integrity layers verify, and the rotation control loop terminates.

Critical fixes:
- Orchestrator bumps Credential.last_rotated_at on success and writes a
  sealed credential_versions row, so the policy evaluator stops re-firing
  the same rotation every tick
- Envelope encryption (AES-256-GCM, KEK-wrapped DEK, AAD-bound) is now
  wired into the rotation success path; the credential_versions table is
  no longer dead schema
- cre audit verify checks all three layers (hash chain + HMAC ratchet +
  Merkle batches) instead of only the chain
- BatchSealerScheduler runs every 300s and on shutdown so audit_batches
  actually fills with signed Merkle roots
- Compliance bundle exports the real audit_batches list and covers
  public_key.pem under the manifest's checksum
- cre run/watch hard-fail without CRE_HMAC_KEY_HEX + CRE_KEK_HEX rather
  than silently using zero defaults

Quality fixes:
- HTTP::Client wrapper with connect/read timeouts + bounded retry-with-
  jitter on 408/429/5xx; Telegram error logs redact the bot token
- EventBus dispatch isolates Block subscribers behind select+timeout so
  one stuck subscriber can't pin the bus
- RotationWorker checks rotations.in_flight before dispatching to dedupe
  duplicate schedules; PG enforces it at the DB via partial unique index
- Commit-step failures transition rotations to Inconsistent (a terminal
  state) and raise a critical alert instead of pretending success
- env_file rotator uses per-PID pending paths plus an exclusive flock on
  a sibling .lock file so two daemons can't race on the rename
- Versioned migration runner replaces the soup of CREATE IF NOT EXISTS;
  SQLite gains BEFORE UPDATE / BEFORE DELETE triggers on audit_events
- AuditSubscriber publishes a critical alert + panics by default when
  log writes fail, instead of silently dropping
- Engine.stop drains via an ack channel with a 2s deadline rather than
  the previous magic 50ms sleep
- Policy DSL moved into CRE::Policy::Dsl module (consumers `include` it);
  multiple matching policies raise PolicyConflictError
- Evaluator uses credentials.overdue() per-max_age group instead of
  loading every credential each tick
- AuditRepo gains each_in_range streaming and all_batches enumeration;
  bundle export streams instead of buffering
- New cre verify-bundle <zip> CLI re-runs every check the bundle README
  documents; new cre tui-demo for synthetic event preview

Tests: 179 unit (up from 159), all passing. New rotation_worker_spec,
new SigV4 regression vector, new orchestrator success-path coverage
(envelope write + last_rotated_at bump + Inconsistent state).

Docs: README + learn/00..04 aligned with the post-audit behavior;
removed /snooze (was a stub) and the AwsIamKey/Database CredentialKind
variants that had no rotators. Added required-env-var documentation.
2026-04-29 03:35:10 -04:00
CarterPerez-dev 99d89b3050 docs(README): match repo project pattern (#27 intermediate)
Replace MIT placeholder with the standard intermediate-project README
shape used by sbom-generator, secrets-scanner, etc:
- Block-character ASCII banner (CRE)
- Project #27 / Crystal / AGPLv3 / Postgres badges
- One-line description quote -> learn modules pointer
- What It Does (bulleted feature list)
- Quick Start with both clone-and-build and install.sh paths
- just hint with install one-liner
- Demo tiers + daemon usage code blocks
- Flagship Rotators table
- ASCII architecture diagram
- Three-layer audit log diagram (own section)
- Stack section (language + deps + FFI note + testing)
- Configuration pointer (CONFIGURATION.md)
- Learn modules table
- AGPL 3.0 license footer

Also swapped LICENSE from MIT to AGPL v3 to match the rest of the
intermediate projects.
2026-04-29 01:50:30 -04:00
CarterPerez-dev 225716d140 fix(env_file): rename _s -> s on commit/rollback_apply to match parent
Crystal's compiler warns when an overriding method's parameter name
differs from the parent's, since named-argument callers would pass
the wrong slot. Underscore-prefix was meant as 'unused' but it changed
the parameter name, which Crystal correctly flagged.

Match the parent signature (s : Domain::NewSecret) and use the explicit
'_ = s' idiom inside the body to mark it intentionally unused. Now
'shards build cre' compiles with zero warnings.
2026-04-29 01:43:56 -04:00
CarterPerez-dev 1b8cfc9589 feat: wire RotationWorker + Telegram in cre run + CONFIGURATION.md guide
Two changes that go together:

1. RotationWorker (src/cre/engine/rotation_worker.cr) is the missing
   subscriber that turns RotationScheduled events into actual 4-step
   rotations. Without it, the daemon ticked, evaluated, fired
   RotationScheduled, and... nothing happened. Now it dispatches via
   the orchestrator using a kind -> Rotator dispatch table populated
   at boot.

2. cre run now wires:
   - All 4 rotators based on env vars (AWS_ACCESS_KEY_ID, VAULT_ADDR/TOKEN,
     GITHUB_TOKEN). EnvFile is always available.
   - Telegram subscriber + bot if TELEGRAM_TOKEN + chat-id env vars set.
   Boot output reports which rotators wired and whether telegram is on.

3. CONFIGURATION.md: full operator setup guide. 13 sections covering
   required env vars, Postgres setup with role hardening, key generation,
   policy authoring, inventory seeding (per-rotator tag schemas), AWS IAM
   policy, Vault token policy.hcl, GitHub admin PAT acquisition, Telegram
   bot creation + chat ID discovery, systemd unit with hardening
   directives, audit chain verification, KEK rotation procedure, and a
   13-item production security checklist.
2026-04-29 01:42:45 -04:00
CarterPerez-dev 7835aa4dc5 feat(demo): add tui-demo command + fix demo-full recipe
cre tui-demo (8 seconds default) renders the live TUI with synthetic
events: 4 fake credentials going through rotation states, a policy
violation, drift detection, an apply-step failure, and a critical alert.
Lets you see what watch mode looks like without seeding any real data.

demo-full: dropped the bogus --config=... flag (cre run never
implemented config-file loading; uses env vars + --db). Now exports
the four service URLs (DATABASE_URL, AWS_ENDPOINT, VAULT_ADDR,
GITHUB_API_BASE) at the user's manually-set ports (6022/45666/18201/7115)
and runs the daemon against the real Postgres. Added demo-full-status
to peek at container health.
2026-04-29 01:34:25 -04:00
CarterPerez-dev 73e3488edc chore: replace Makefile with justfile to match repo convention
Justfile mirrors the haskell-reverse-proxy pattern (grouped recipes:
build, run, demo, test, quality, db, util). 33 recipes covering full
lifecycle - including parameterized recipes (cre rotate ID, cre policy
show NAME) that read more naturally as 'just rotate ...' than as
make targets.

User-edited docker-compose.yml port mappings preserved
(postgres:18 on 6022, localstack on 45666, vault on 18201,
fake-github on 7115).
2026-04-29 01:28:37 -04:00
CarterPerez-dev 33cddb57cd fix(demo): wire AuditSubscriber so events reach the audit log
Tier 1 demo was creating an AuditLog instance but never subscribing it
to the bus, so the verification step always reported '0 events'.
Now we explicitly start the AuditSubscriber and the verifier reports
the actual chain length (4 step events + RotationCompleted = 5).
2026-04-29 01:22:18 -04:00
CarterPerez-dev 51287d3f7d docs: install.sh + learn/ walkthrough series + full README
install.sh: cross-platform Crystal version check, libpcre2 dependency
hint, shards install + release build, optional install to PATH via
INSTALL_TO_PATH=1.

learn/:
  00-OVERVIEW.md       - quick start + three-tier demo path
  01-CONCEPTS.md       - rotation theory, real breaches (SolarWinds,
                         Codecov, LastPass, Storm-0558, Snowflake/UNC5537),
                         framework controls
  02-ARCHITECTURE.md   - bus + plugin diagrams, three-layer audit integrity,
                         AEAD envelope encryption layer breakdown
  03-IMPLEMENTATION.md - code walkthrough pointing at each key file
  04-CHALLENGES.md     - 10 ranked extension challenges (PG ALTER USER
                         rotator, Slack notifier, ML-KEM hybrid wrap,
                         OpenTimestamps anchoring, SPIFFE workload identity,
                         JIT credential broker, etc.)

README.md: full hero + badges + quick start + subcommand cheatsheet +
flagship rotator table + ASCII architecture diagram + project layout
+ links to learn/ + test suite instructions.
2026-04-29 01:21:17 -04:00
CarterPerez-dev a19e8669d2 feat(demo): Tier 1 zero-deps demo + Tier 2 docker-compose scaffold
Tier 1 (cre demo): in-memory SQLite + tempfile .env rotator. Walks
through inventory -> before -> 4-step rotation -> after -> audit chain
verify. Narrates every step event live with green/red glyphs. Runs in
under 1 second on commodity hardware, no external deps.

Tier 2 (docker/docker-compose.yml): postgres:16, localstack
(secretsmanager), hashicorp/vault dev mode, plus a fake-GitHub Flask
app that mocks /user, POST/DELETE /user/personal-access-tokens.
config/demo-full.cr.example documents env vars for the full stack.

Also fixed env_file rotator newline preservation (lines(chomp: true)
+ explicit \n join) so the rotated file is properly delimited.
2026-04-29 01:16:08 -04:00
CarterPerez-dev 7ce0cb48bd feat(compliance): evidence bundle export + framework control mapping
ControlMapping for SOC2 (CC6.1, CC6.6, CC6.7, CC4.1, CC7.x), PCI-DSS
(8.3.9, 8.6.3, 10.5.x, 3.7.4), ISO 27001:2022 (A.5.16, A.5.17, A.5.18,
A.8.5, A.8.15, A.8.16, A.8.24), HIPAA (164.308 / 164.312). Mapping is
intentionally minimal - each event maps only where it provides direct
evidence.

Bundle.write produces a self-verifying ZIP:
- audit_log.ndjson (raw chain rows with hex hashes)
- audit_batches.json (signed Merkle roots)
- control_mapping.json (event_type -> controls)
- manifest.json (per-file SHA-256 + size)
- README.md (verification instructions)
- public_key.pem + manifest.sig (Ed25519, when signer provided)

7 specs verify ZIP layout, manifest sha256-per-file, control mapping
content per framework.
2026-04-29 01:14:02 -04:00
CarterPerez-dev 545e189b43 feat(cli): subcommand dispatch with 9 commands + output formatters
CLI grammar:
  cre run                    daemon (sqlite or postgres)
  cre watch                  daemon + live TUI in same process
  cre check                  one-shot policy eval (CI-friendly exit codes)
  cre rotate <id>            manual rotation
  cre policy list / show     compile-time-baked policy registry inspection
  cre export --framework=X   compliance bundle (Phase 14 stub)
  cre audit verify           hash chain + HMAC + Merkle integrity verification
  cre demo                   Tier 1 demo (Phase 15 stub)
  cre version                version
  cre help                   usage

Output module: human / json / ndjson formatter; CI-friendly exit codes
(0 ok, 1 violations/error, 64 usage, 2 audit-chain-broken).

run/watch wire engine + persistence + scheduler + evaluator + log
notifier (and TUI for watch); SIGINT triggers graceful shutdown.

7 unit specs cover usage / version / policy-list-empty / policy-show-404
/ unknown-subcommand / check-no-violations. All commands callable
end-to-end against a working binary.
2026-04-29 01:12:46 -04:00
CarterPerez-dev 9651ff56f1 feat(tui): hand-rolled live monitor with ANSI primitives + 4 panels
Stack:
- Ansi: stdlib-only escape helpers (move, colorize, strip)
- State: rolling view of active rotations + recent events; trims to N
- Renderer: paints header / status / active / recent panels; works against
  any IO so tests assert against IO::Memory
- Tui: ties State + Renderer to event bus; coalesces repaints to a tick
  interval (default 200ms) to avoid flicker under burst events

Active rotation rows show step progress as a filled-bar (▰▰▰▱). Recent
events list latest 8 with timestamp + severity glyph (✓ / ⚠ / !). The
renderer's pad/center helpers correctly account for ANSI escape widths
when computing visible column width.

9 specs cover ANSI helpers (color codes, cursor move, strip), State
event-to-row mapping with completion bookkeeping and ring-buffer trim,
and Renderer output assertions across empty + active + populated states.
2026-04-29 01:09:20 -04:00
CarterPerez-dev 67d65a934f feat(notifiers): structured-log subscriber + Telegram bidirectional bot
LogNotifier subscribes (Drop overflow) and emits stdlib Log lines with
structured kwargs (credential_id, rotation_id, severity, etc.) suitable
for downstream ingestion by journald/vector/fluentd.

Telegram is a thin HTTP::Client wrapper for sendMessage and getUpdates.
TelegramSubscriber sends emoji-prefixed alerts on RotationFailed,
DriftDetected, PolicyViolation, AlertRaised; success notifications gated
by the notify_on_success flag. Errors are swallowed so a flaky bot never
blocks the engine.

TelegramBot does long-polling getUpdates and dispatches commands:
- viewer tier: /status /queue /history /alerts /help
- operator tier: viewer + /rotate + /snooze
ACL is by chat_id allowlist (bot token + chat IDs in env vars).
/rotate publishes RotationScheduled to the bus.

11 unit specs cover send_message + error handling + getUpdates parsing,
subscriber dispatch, success-suppression flag, and bot ACL enforcement
(unauthorized / viewer-blocked-from-mutations / operator-can-rotate).
2026-04-29 01:07:44 -04:00
CarterPerez-dev d7d5f10825 feat(engine): Scheduler fiber publishes SchedulerTick on a fixed interval
Initial tick fires immediately on start so first policy evaluation
doesn't wait for the full interval on boot. The PolicyEvaluator
subscribes to SchedulerTick events and invokes evaluate_all -> overdue
discovery -> RotationScheduled fan-out. 3 specs verify boot-tick,
periodic cadence, and clean stop().
2026-04-29 01:05:44 -04:00
CarterPerez-dev 873257ad4b feat(rotators): GitHub fine-grained PAT rotator + thin GitHub API client
Github::Client wraps the bearer-auth REST API with required
'X-GitHub-Api-Version: 2022-11-28' header. Implements me, create_pat
(POST /user/personal-access-tokens), delete_pat (DELETE by id).

GithubPatRotator's 4-step contract:
- generate: create_pat returns new id + token value (fresh PAT alongside old)
- apply: no-op (create_pat already active)
- verify: probe-client uses the NEW PAT to GET /user; success means it works
- commit: delete OLD PAT by id (tracked via old_pat_id tag)
- rollback_apply: delete NEW PAT

7 unit specs verify create/delete/me round-trips, full rotation path,
verify-on-401, and rollback deletion.
2026-04-29 01:05:10 -04:00
CarterPerez-dev d431e9014e feat(rotators): Vault dynamic-secrets rotator + thin Vault client
Vault::Client wraps token-auth REST: read_dynamic, revoke_lease,
renew_lease, health. Errors surface as VaultError carrying status.

VaultDynamicRotator's rotation contract leans on Vault as the secret
factory:
- generate: read_dynamic (Vault issues new creds + lease)
- apply: no-op (Vault already provisioned)
- verify: lease renewal acts as liveness check
- commit: revoke OLD lease (tracked in current_lease_id tag)
- rollback_apply: revoke NEW lease

8 unit specs cover client method round-trips, rotator full path with
old-lease revocation, verify-on-Vault-error handling, rollback, and
the no-old-lease pass-through case.
2026-04-29 01:04:12 -04:00
CarterPerez-dev 7e23f58fbb feat(rotators): AWS Secrets Manager rotator with SigV4 signer + secrets client
SigV4 implementation per AWS reference: canonical request -> string-to-sign
-> HMAC-derived signing key (kSecret -> kDate -> kRegion -> kService ->
kSigning) -> HMAC-SHA256 signature. Includes session token (STS) support.

SecretsManagerClient wraps PutSecretValue, GetSecretValue,
UpdateSecretVersionStage with custom endpoint support (LocalStack).
AWS API errors surface as AwsApiError carrying HTTP status + AWS __type.

AwsSecretsRotator implements 4-step contract:
- generate: PutSecretValue with AWSPENDING stage, captures version_id
- apply: no-op (PutSecretValue already exposed it)
- verify: GetSecretValue by version_id, byte-equal SecretString check
- commit: UpdateSecretVersionStage move AWSCURRENT to new + remove from old
- rollback_apply: UpdateSecretVersionStage remove AWSPENDING from new version

13 unit specs verify SigV4 idempotence + format, client methods (with
WebMock), rotator's full 4-step path, verify-mismatch, rollback_apply,
and can_rotate? gating.
2026-04-29 01:02:40 -04:00
CarterPerez-dev bad50daad2 feat(rotators): abstract Rotator with macro registration + EnvFileRotator + 4-step orchestrator
Rotator base exposes the four lifecycle methods as abstract; subclasses
register at compile time via 'register_as :kind' macro. REGISTRY is
populated as soon as the rotator file is required - drop a new file in
src/cre/rotators/ and the orchestrator can dispatch to it.

EnvFileRotator implements the simplest rotation:
- generate: 32 random bytes -> base64-urlsafe (no padding)
- apply: write to PATH.pending atomically (in-place line replace, 0600)
- verify: parse pending file, confirm key=value present and non-empty
- commit: rename PATH.pending -> PATH (atomic on POSIX)
- rollback_apply: unlink PATH.pending

RotationOrchestrator runs the 4-step contract with full event publishing,
state machine transitions in DB (generating -> applying -> verifying ->
committing -> completed | failed), and rollback_apply on apply/verify
failure. 8 specs cover happy path + raised-during-apply + rollback verification.
2026-04-29 00:59:01 -04:00
CarterPerez-dev 538395ebcc feat(policy): Crystal Policy as Code DSL with macros + compile-time enum autocast
- Policy struct: matcher Proc, max_age, warn_at, enforce_action, notify_channels, triggers
- Builder validates all required fields at .build, raises BuilderError with the policy name
- DSL exposes top-level 'policy' method via 'with builder yield' so all
  builder methods (description, match, max_age, enforce, notify_via, etc.)
  are receiver-less inside the block
- Symbol literals autocast to Action/Channel/Trigger enums on direct calls;
  Symbol overload for splat parameters (notify_via :telegram, :email)
- Evaluator subscribes to bus, fires PolicyViolation + RotationScheduled
  (rotate_immediately) or AlertRaised (notify_only/quarantine) when overdue
- 15 unit specs cover Policy.matches?/overdue?/in_warning_window?,
  Builder validation, DSL syntax with closures, evaluator action dispatch
2026-04-29 00:56:29 -04:00
CarterPerez-dev 2ba81cfd82 feat(engine): typed event hierarchy + EventBus with fanout + AuditSubscriber + Engine
Events form a Crystal class hierarchy so subscribers pattern-match
exhaustively. EventBus delivers to subscribers via Crystal channels with
per-subscriber overflow policy (Block for audit, Drop for best-effort).

AuditSubscriber listens for all rotation/policy/drift/alert events and
serializes them into the hash-chained audit log via AuditLog.append.

Engine wires Persistence + AuditLog + AuditSubscriber + EventBus together
so callers just .start/.stop. 7 unit specs verify boot, fanout to N
subscribers, drop-on-overflow semantics, and end-to-end event -> audit row.
2026-04-29 00:47:45 -04:00
CarterPerez-dev fe5e9cd07b feat(audit): hash chain + HMAC ratchet + Merkle batches + Ed25519 signing
Three layers of integrity:
- Hash chain (SHA-256 chained) catches silent edits
- HMAC ratchet rotates keys every N entries with HKDF-style derivation
  and zeroizes old key bytes from memory
- Merkle batch sealing builds tree over content_hashes, signs root
  with Ed25519 (FFI to libcrypto EVP_PKEY_ED25519 directly since stdlib
  lacks the high-level OpenSSL::PKey wrapper)

AuditLog.append is mutex-guarded for serial writes; verify_chain detects
both single-row tampering and structural inconsistency. BatchSealer's
pack_message format (BE start_seq || BE end_seq || merkle_root) is shared
between signer and verifier so external auditors can validate offline.
2026-04-29 00:45:54 -04:00
CarterPerez-dev 4723716e08 feat(crypto): AEAD envelope encryption with AES-256-GCM, KEK loader, secure random
- Random with constant-time-equal helper
- KEK loader from env (Tier 1) with InvalidKekError on bad/missing var
- AEAD via direct LibCrypto FFI bindings (Crystal 1.20 stdlib OpenSSL::Cipher
  doesn't expose GCM auth_data/auth_tag, so we extend LibCrypto with
  EVP_CIPHER_CTX_ctrl + EVP_aes_256_gcm and call them directly)
- Envelope: per-row DEK wrapped by KEK, AAD-bound, algorithm_id reserved
  for crypto agility (0x01 = AES-256-GCM today, 0x02/0x03 reserved)
- 17 unit specs including a 100-iteration random property test
- Tag-tampered ciphertext / wrong-AAD / wrong-key all raise Aead::Error
2026-04-29 00:43:12 -04:00
CarterPerez-dev 5971cbd33e feat(persistence): PostgreSQL adapter with append-only audit trigger
- All 4 repos mirror the SQLite contracts using PG-native types
  (UUID, BYTEA, JSONB, BIGSERIAL, TIMESTAMPTZ, SMALLINT)
- audit_no_modify() trigger refuses UPDATE/DELETE/TRUNCATE on audit_events
- pg_advisory_xact_lock for cross-process row locking
- Integration tests verify trigger fires correctly on tamper attempt
- Test cleanup helper temporarily disables trigger to reset between specs
- 4 integration specs all green against PostgreSQL 16
2026-04-29 00:39:53 -04:00
CarterPerez-dev 58e12941e9 feat(persistence): SQLite adapter with credentials/versions/rotations/audit repos
All four repos implement their abstract contracts. Migrations create
tables idempotently. Bytes round-trip through SQLite BLOB columns
correctly. RotatorKind and RotationState enums replace Symbol fields
in record types so they round-trip safely through DB string columns.
8 unit specs verify CRUD, find_by_external, in_flight filtering,
revocation, and audit append/range/latest_hash genesis behavior.
2026-04-29 00:36:22 -04:00
CarterPerez-dev fb4e26c798 feat(persistence): abstract Persistence + repo contracts (CredentialsRepo, VersionsRepo, RotationsRepo, AuditRepo) and record types 2026-04-29 00:33:26 -04:00
CarterPerez-dev d91477cfa1 feat(domain): NewSecret and CredentialVersion structs
CredentialVersion adds a revoked? predicate so callers don't need to
nil-check revoked_at directly. Both structs are immutable value types.
2026-04-29 00:32:53 -04:00
CarterPerez-dev fd77a4c323 feat(domain): Credential struct with kind enum and tag accessor
CredentialKind enum covers AwsSecretsmgr, AwsIamKey, VaultDynamic,
GithubPat, EnvFile, Database. Auto-generated kind predicates
(c.kind.aws_secretsmgr?) drive policy matching at compile time.
tag() accepts both string and symbol keys.
2026-04-29 00:28:54 -04:00
CarterPerez-dev 8ebdd3fee7 feat(cre): source tree skeleton with empty module dirs and CI workflow
- src/cre.cr entry point + version.cr
- Empty module dirs: cli, tui, engine, events, rotators, policy, audit, crypto, persistence, notifiers, compliance, config, domain, aws, vault, github, demo
- spec/ unit + integration + fixtures structure mirroring src/
- spec_helper.cr with stdlib spec + cre require
- GitHub Actions CI: format, unit matrix (Crystal 1.19/1.20/nightly x ubuntu/macos), integration with PG service, build job
2026-04-28 23:54:59 -04:00
CarterPerez-dev e69cc301cf feat(cre): bootstrap Crystal project shell
- shard.yml with db, pg, sqlite3, tourmaline (deps), webmock (dev)
- Makefile with build/test/format/lint/demo targets
- .gitignore, .editorconfig, LICENSE (MIT), README skeleton
- ameba lint deferred until libpcre3-dev is available on this env
2026-04-28 18:05:36 -04:00