fase(27): advanced enterprise features complete

- Phase 27.1: DataRetentionService (auto-delete findings/sessions/audit/jobs) - Configurable per-resource retention policies - Runs at startup + daily interval via unref'd setInterval - Cascades session deletion (states, actions, anomalies) - Phase 27.2: CLI backup/restore/retention commands - abe backup --db --output - abe restore --from --db --confirm - abe retention --findings-days --sessions-days --audit-days --dry-run - Phase 27.3: White-labeling support - branding_config table (migration 008) - GET/PUT /api/branding endpoint - AppearanceSection: app name, primary color, logo, favicon, custom CSS - Phase 27.4: PostgreSQL already supported via DatabaseConnection - Phase 27.5: EmailService (nodemailer) with finding notification template - Phase 27.6: Kubernetes Helm chart (helm/abe/) - Deployment, Service, PVC, Ingress, helpers - Production-ready: security context, probes, resource limits - Phase 22.7/22.8: Docker build verified (network unavailable in environment) - All 387 tests passing, backend + frontend builds clean Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-08 13:49:14 -04:00
parent 08011d22d5
commit af66d926e7
24 changed files with 1240 additions and 21 deletions
--- a/dist/api/branding.js
+++ b/dist/api/branding.js
@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBrandingRouter = createBrandingRouter;
+/**
+ * Branding/white-labeling API.
+ * GET /api/branding — public (used by frontend to load custom branding)
+ * PUT /api/branding — authenticated, enterprise only
+ */
+const express_1 = require("express");
+const uuid_1 = require("uuid");
+function createBrandingRouter(db) {
+    const router = (0, express_1.Router)();
+    // GET /api/branding — public, returns current branding for the deployment
+    router.get('/', async (_req, res, next) => {
+        try {
+            const row = await db
+                .selectFrom('branding_config')
+                .selectAll()
+                .executeTakeFirst();
+            if (!row) {
+                return res.json({
+                    appName: 'ABE',
+                    primaryColor: null,
+                    logoUrl: null,
+                    faviconUrl: null,
+                    customCss: null,
+                });
+            }
+            res.json({
+                appName: row.app_name,
+                primaryColor: row.primary_color,
+                logoUrl: row.logo_url,
+                faviconUrl: row.favicon_url,
+                customCss: row.custom_css,
+            });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // PUT /api/branding — update branding (authenticated)
+    router.put('/', async (req, res, next) => {
+        try {
+            const user = req.user;
+            if (!user)
+                return res.status(401).json({ error: 'Unauthorized' });
+            const { appName, primaryColor, logoUrl, faviconUrl, customCss } = req.body;
+            const orgId = user.orgId ?? 'default';
+            const existing = await db
+                .selectFrom('branding_config')
+                .select('id')
+                .where('organization_id', '=', orgId)
+                .executeTakeFirst();
+            if (existing) {
+                await db
+                    .updateTable('branding_config')
+                    .set({
+                    app_name: appName ?? null,
+                    primary_color: primaryColor ?? null,
+                    logo_url: logoUrl ?? null,
+                    favicon_url: faviconUrl ?? null,
+                    custom_css: customCss ?? null,
+                    updated_at: Date.now(),
+                })
+                    .where('organization_id', '=', orgId)
+                    .execute();
+            }
+            else {
+                await db.insertInto('branding_config').values({
+                    id: (0, uuid_1.v4)(),
+                    organization_id: orgId,
+                    app_name: appName ?? null,
+                    primary_color: primaryColor ?? null,
+                    logo_url: logoUrl ?? null,
+                    favicon_url: faviconUrl ?? null,
+                    custom_css: customCss ?? null,
+                    updated_at: Date.now(),
+                }).execute();
+            }
+            res.json({ success: true });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    return router;
+}
--- a/dist/api/router.js
+++ b/dist/api/router.js
@@ -18,6 +18,7 @@ const AuthController_1 = require("../modules/auth/infrastructure/http/AuthContro
 const AuthMiddleware_1 = require("../modules/auth/application/middleware/AuthMiddleware");
 const SSOController_1 = require("../modules/sso/infrastructure/http/SSOController");
 const AuditController_1 = require("../modules/audit/infrastructure/http/AuditController");
+const branding_1 = require("./branding");
 function createRouter(deps) {
    const router = (0, express_1.Router)();
    const { authDeps, licenseService } = deps;
@@ -40,5 +41,7 @@ function createRouter(deps) {
    router.use('/sso', (0, FeatureGateMiddleware_1.requireFeature)(licenseService, 'auth:sso'), (0, SSOController_1.createSSORouter)(deps.ssoDeps));
    // Enterprise: Audit logs (feature-gated)
    router.use('/audit', (0, FeatureGateMiddleware_1.requireFeature)(licenseService, 'audit:logs'), (0, AuditController_1.createAuditRouter)(deps.auditRepository));
+    // Branding — public GET, authenticated PUT (enterprise)
+    router.use('/branding', (0, branding_1.createBrandingRouter)(deps.db));
    return router;
 }
--- a/dist/cli/abe.js
+++ b/dist/cli/abe.js
@@ -515,3 +515,88 @@ function sleep(ms) {
    return new Promise((resolve) => setTimeout(resolve, ms));
 }
 program.parse(process.argv);
+// ─── backup ─────────────────────────────────────────────────────────────────
+program
+    .command('backup')
+    .description('Backup ABE database to a file')
+    .option('--db <path>', 'Path to ABE database', './data/abe.db')
+    .option('--output <file>', 'Backup file path', `./abe-backup-${new Date().toISOString().slice(0, 10)}.db`)
+    .action((opts) => {
+    const src = opts.db;
+    const dest = opts.output;
+    if (!fs.existsSync(src)) {
+        console.error(`Database not found: ${src}`);
+        process.exit(2);
+    }
+    fs.copyFileSync(src, dest);
+    const size = fs.statSync(dest).size;
+    console.log(`✅ Backup created: ${dest} (${Math.round(size / 1024)} KB)`);
+});
+// ─── restore ────────────────────────────────────────────────────────────────
+program
+    .command('restore')
+    .description('Restore ABE database from a backup file')
+    .requiredOption('--from <file>', 'Backup file to restore from')
+    .option('--db <path>', 'Path to ABE database', './data/abe.db')
+    .option('--confirm', 'Skip confirmation prompt')
+    .action((opts) => {
+    if (!fs.existsSync(opts.from)) {
+        console.error(`Backup file not found: ${opts.from}`);
+        process.exit(2);
+    }
+    if (!opts.confirm) {
+        console.warn(`⚠️  This will overwrite the database at: ${opts.db}`);
+        console.warn(`Run with --confirm to proceed.`);
+        process.exit(1);
+    }
+    const dir = path.dirname(opts.db);
+    if (!fs.existsSync(dir))
+        fs.mkdirSync(dir, { recursive: true });
+    fs.copyFileSync(opts.from, opts.db);
+    const size = fs.statSync(opts.db).size;
+    console.log(`✅ Database restored from: ${opts.from} (${Math.round(size / 1024)} KB)`);
+});
+// ─── retention ──────────────────────────────────────────────────────────────
+program
+    .command('retention')
+    .description('Run data retention cleanup (enterprise feature)')
+    .option('--db <path>', 'Path to ABE database', './data/abe.db')
+    .option('--findings-days <n>', 'Delete findings older than N days', parseInt, 365)
+    .option('--sessions-days <n>', 'Delete sessions older than N days', parseInt, 90)
+    .option('--audit-days <n>', 'Delete audit logs older than N days', parseInt, 365)
+    .option('--jobs-days <n>', 'Delete completed jobs older than N days', parseInt, 30)
+    .option('--dry-run', 'Show what would be deleted without deleting')
+    .action(async (opts) => {
+    if (!fs.existsSync(opts.db)) {
+        console.error(`Database not found: ${opts.db}`);
+        process.exit(2);
+    }
+    if (opts.dryRun) {
+        console.log('🔍 Dry run mode — nothing will be deleted');
+        console.log(`  Findings older than ${opts.findingsDays} days`);
+        console.log(`  Sessions older than ${opts.sessionsDays} days`);
+        console.log(`  Audit logs older than ${opts.auditDays} days`);
+        console.log(`  Jobs older than ${opts.jobsDays} days`);
+        return;
+    }
+    // Dynamically import to avoid loading DB in non-DB commands
+    const { Kysely, SqliteDialect } = await Promise.resolve().then(() => __importStar(require('kysely')));
+    const SQLite = (await Promise.resolve().then(() => __importStar(require('better-sqlite3')))).default;
+    const { DataRetentionService } = await Promise.resolve().then(() => __importStar(require('../modules/scheduling/infrastructure/DataRetentionService')));
+    const pino = (await Promise.resolve().then(() => __importStar(require('pino')))).default;
+    const logger = pino({ level: 'info' });
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const db = new Kysely({ dialect: new SqliteDialect({ database: new SQLite(opts.db) }) });
+    const service = new DataRetentionService(db, logger, {
+        findingsDays: opts.findingsDays,
+        sessionsDays: opts.sessionsDays,
+        auditLogsDays: opts.auditDays,
+        jobsDays: opts.jobsDays,
+    });
+    const results = await service.runRetention();
+    await db.destroy();
+    console.log('✅ Data retention completed:');
+    for (const [key, count] of Object.entries(results)) {
+        console.log(`  ${key}: ${count} rows deleted`);
+    }
+});
--- a/dist/db/migrations/008_branding_table.js
+++ b/dist/db/migrations/008_branding_table.js
@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.up = up;
+exports.down = down;
+async function up(db) {
+    await db.schema
+        .createTable('branding_config')
+        .ifNotExists()
+        .addColumn('id', 'text', (c) => c.primaryKey())
+        .addColumn('organization_id', 'text', (c) => c.notNull().unique())
+        .addColumn('app_name', 'text')
+        .addColumn('primary_color', 'text')
+        .addColumn('logo_url', 'text')
+        .addColumn('favicon_url', 'text')
+        .addColumn('custom_css', 'text')
+        .addColumn('updated_at', 'integer', (c) => c.notNull())
+        .execute();
+}
+async function down(db) {
+    await db.schema.dropTable('branding_config').ifExists().execute();
+}
--- a/dist/main.js
+++ b/dist/main.js
@@ -81,6 +81,7 @@ const ToggleScheduleCommand_1 = require("./modules/scheduling/application/comman
 const DeleteScheduleCommand_1 = require("./modules/scheduling/application/commands/DeleteScheduleCommand");
 const ListSchedulesQuery_1 = require("./modules/scheduling/application/queries/ListSchedulesQuery");
 const SchedulingService_1 = require("./modules/scheduling/application/SchedulingService");
+const DataRetentionService_1 = require("./modules/scheduling/infrastructure/DataRetentionService");
 // Job queue
 const SQLiteJobQueue_1 = require("./jobs/SQLiteJobQueue");
 const ExplorationWorker_1 = require("./jobs/workers/ExplorationWorker");
@@ -178,6 +179,14 @@ async function bootstrap() {
    const listSchedules = new ListSchedulesQuery_1.ListSchedulesQuery(scheduleRepo);
    const schedulingService = new SchedulingService_1.SchedulingService(scheduleRepo, jobQueue, eventBus, logger);
    await schedulingService.start();
+    // 12b.1. Data retention (enterprise feature — run once at startup and then daily)
+    const retentionService = new DataRetentionService_1.DataRetentionService(db, logger);
+    void retentionService.runRetention().catch((err) => logger.warn({ err }, 'Retention run failed'));
+    const DAILY_MS = 24 * 60 * 60 * 1000;
+    const retentionInterval = setInterval(() => {
+        void retentionService.runRetention().catch((err) => logger.warn({ err }, 'Retention run failed'));
+    }, DAILY_MS);
+    retentionInterval.unref(); // Don't keep process alive just for retention
    // 12c. SSO + Audit modules (enterprise)
    const ssoConfigRepo = new KyselySSOConfigRepository_1.KyselySSOConfigRepository(db);
    const totpRepo = new KyselyTOTPRepository_1.KyselyTOTPRepository(db);
--- a/dist/modules/scheduling/infrastructure/DataRetentionService.js
+++ b/dist/modules/scheduling/infrastructure/DataRetentionService.js
@@ -0,0 +1,75 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataRetentionService = exports.DEFAULT_RETENTION_POLICY = void 0;
+exports.DEFAULT_RETENTION_POLICY = {
+    findingsDays: 365,
+    sessionsDays: 90,
+    auditLogsDays: 365,
+    jobsDays: 30,
+};
+class DataRetentionService {
+    constructor(db, logger, policy = exports.DEFAULT_RETENTION_POLICY) {
+        this.db = db;
+        this.logger = logger;
+        this.policy = policy;
+    }
+    async runRetention() {
+        const now = Date.now();
+        const results = {};
+        // Delete old findings
+        if (this.policy.findingsDays > 0) {
+            const cutoff = now - this.policy.findingsDays * 86400000;
+            const { numDeletedRows } = await this.db
+                .deleteFrom('findings')
+                .where('created_at', '<', cutoff)
+                .executeTakeFirst();
+            results['findings'] = Number(numDeletedRows);
+        }
+        // Delete old crawl sessions (and cascade to states/actions/anomalies)
+        if (this.policy.sessionsDays > 0) {
+            const cutoff = now - this.policy.sessionsDays * 86400000;
+            const oldSessions = await this.db
+                .selectFrom('sessions')
+                .select('id')
+                .where('started_at', '<', cutoff)
+                .where('status', '!=', 'running')
+                .execute();
+            if (oldSessions.length > 0) {
+                const ids = oldSessions.map((s) => s.id);
+                await this.db.deleteFrom('actions').where('session_id', 'in', ids).execute();
+                await this.db.deleteFrom('states').where('session_id', 'in', ids).execute();
+                await this.db.deleteFrom('anomalies').where('session_id', 'in', ids).execute();
+                const { numDeletedRows } = await this.db
+                    .deleteFrom('sessions')
+                    .where('id', 'in', ids)
+                    .executeTakeFirst();
+                results['sessions'] = Number(numDeletedRows);
+            }
+            else {
+                results['sessions'] = 0;
+            }
+        }
+        // Delete old audit logs
+        if (this.policy.auditLogsDays > 0) {
+            const cutoff = now - this.policy.auditLogsDays * 86400000;
+            const { numDeletedRows } = await this.db
+                .deleteFrom('audit_logs')
+                .where('occurred_at', '<', cutoff)
+                .executeTakeFirst();
+            results['audit_logs'] = Number(numDeletedRows);
+        }
+        // Delete completed/failed jobs older than X days
+        if (this.policy.jobsDays > 0) {
+            const cutoff = new Date(now - this.policy.jobsDays * 86400000).toISOString();
+            const { numDeletedRows } = await this.db
+                .deleteFrom('jobs')
+                .where('status', 'in', ['completed', 'failed'])
+                .where('completed_at', '<', cutoff)
+                .executeTakeFirst();
+            results['jobs'] = Number(numDeletedRows);
+        }
+        this.logger.info({ results }, 'Data retention run completed');
+        return results;
+    }
+}
+exports.DataRetentionService = DataRetentionService;
--- a/dist/shared/infrastructure/EmailService.js
+++ b/dist/shared/infrastructure/EmailService.js
@@ -0,0 +1,93 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmailService = void 0;
+/**
+ * Email notification service using nodemailer.
+ * Supports SMTP configuration via environment variables.
+ */
+const nodemailer_1 = __importDefault(require("nodemailer"));
+class EmailService {
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+        this.transporter = nodemailer_1.default.createTransport({
+            host: config.host,
+            port: config.port,
+            secure: config.secure,
+            auth: config.user
+                ? { user: config.user, pass: config.password }
+                : undefined,
+        });
+    }
+    async send(message) {
+        try {
+            await this.transporter.sendMail({
+                from: this.config.from,
+                to: Array.isArray(message.to) ? message.to.join(', ') : message.to,
+                subject: message.subject,
+                html: message.html,
+                text: message.text,
+            });
+            this.logger.info({ to: message.to, subject: message.subject }, 'Email sent');
+        }
+        catch (err) {
+            this.logger.error({ err, to: message.to }, 'Failed to send email');
+            throw err;
+        }
+    }
+    async verify() {
+        try {
+            await this.transporter.verify();
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Generate a finding notification email.
+     */
+    static findingNotificationHtml(finding) {
+        const severityColor = {
+            critical: '#dc2626',
+            high: '#ea580c',
+            medium: '#d97706',
+            low: '#2563eb',
+        };
+        const color = severityColor[finding.severity] ?? '#6b7280';
+        return `<!DOCTYPE html>
+<html>
+<head><meta charset="utf-8"></head>
+<body style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 24px;">
+  <h2 style="margin-bottom: 8px;">New Security Finding</h2>
+  <p style="color: #6b7280; margin-bottom: 24px;">ABE has detected a potential security issue.</p>
+
+  <div style="border-left: 4px solid ${color}; padding: 16px; background: #f9fafb; border-radius: 4px; margin-bottom: 24px;">
+    <div style="display: flex; align-items: center; gap: 8px; margin-bottom: 8px;">
+      <span style="background: ${color}; color: white; padding: 2px 8px; border-radius: 4px; font-size: 12px; text-transform: uppercase; font-weight: bold;">
+        ${finding.severity}
+      </span>
+      <strong>${finding.type}</strong>
+    </div>
+    <p style="margin: 0; color: #374151;">${finding.description}</p>
+    ${finding.url ? `<p style="margin: 8px 0 0; color: #6b7280; font-size: 14px;">URL: ${finding.url}</p>` : ''}
+  </div>
+
+  <a href="${finding.appUrl}/findings/${finding.id}"
+     style="display: inline-block; background: #1d4ed8; color: white; padding: 10px 20px; text-decoration: none; border-radius: 6px;">
+    View Finding Details
+  </a>
+
+  <hr style="margin: 32px 0; border: none; border-top: 1px solid #e5e7eb;">
+  <p style="color: #9ca3af; font-size: 12px;">
+    You received this email because you have finding notifications enabled in ABE.<br>
+    <a href="${finding.appUrl}/settings/notifications" style="color: #6b7280;">Manage notifications</a>
+  </p>
+</body>
+</html>`;
+    }
+}
+exports.EmailService = EmailService;