commit 6b1ba499220b87a0c84509866dfa700992af5428 Author: David Date: Mon Feb 23 13:35:04 2026 +0100 First commit diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..665eb8a --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,265 @@ +name: CI + +on: + push: + branches: [main, develop] + pull_request: + branches: [main] + +concurrency: + group: ci-${{ github.ref }} + cancel-in-progress: true + +jobs: + # ───────────────────────────────────────────── + # Go: build, lint, test + # ───────────────────────────────────────────── + go: + name: Go + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version: "1.24" + cache: true + + - name: Build + run: go build ./cmd/proxy/ + + - name: Vet + run: go vet ./... + + - name: Lint + uses: golangci/golangci-lint-action@v6 + with: + version: latest + args: --timeout=5m + + - name: Test + run: go test -race -coverprofile=coverage.out ./... + + - name: Check coverage threshold (>= 80% on internal packages) + run: | + go test -race -coverprofile=coverage_internal.out -coverpkg=./internal/... ./internal/... + COVERAGE=$(go tool cover -func=coverage_internal.out | grep total | awk '{print $3}' | tr -d '%') + echo "Internal package coverage: ${COVERAGE}%" + awk -v cov="$COVERAGE" 'BEGIN { if (cov+0 < 80) { print "Coverage " cov "% is below 80% threshold"; exit 1 } }' + + - name: Upload coverage + uses: actions/upload-artifact@v4 + if: always() + with: + name: go-coverage + path: coverage.out + + # ───────────────────────────────────────────── + # Python: format check, lint, test + # ───────────────────────────────────────────── + python: + name: Python + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-python@v5 + with: + python-version: "3.12" + cache: pip + cache-dependency-path: services/pii/requirements.txt + + - name: Install dependencies + run: pip install -r services/pii/requirements.txt + + - name: Format check (black) + run: black --check services/pii/ + + - name: Lint (ruff) + run: ruff check services/pii/ + + - name: Test with coverage + run: | + pytest services/pii/ -v --tb=short \ + --cov=services/pii \ + --cov-report=term-missing \ + --ignore=services/pii/tests/test_ner.py \ + --cov-fail-under=75 + # NER tests excluded in CI: fr_core_news_lg (~600MB) is not downloaded in the CI Python job. + # The model is downloaded during Docker build (see Dockerfile) and tested in the security job. + + # ───────────────────────────────────────────── + # Security: secret scanning + container vulnerability scan + # ───────────────────────────────────────────── + security: + name: Security + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # Full history required by gitleaks + + - name: gitleaks — secret scanning + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Semgrep — SAST (E10-04 + E11-11 custom rules) + uses: returntocorp/semgrep-action@v1 + with: + config: >- + p/golang + p/python + p/react + p/secrets + .semgrep.yml + env: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + # Non-blocking when SEMGREP_APP_TOKEN is not configured (e.g., forks). + continue-on-error: ${{ secrets.SEMGREP_APP_TOKEN == '' }} + + - name: Build Docker image + run: | + docker build \ + --cache-from type=registry,ref=ghcr.io/${{ github.repository }}/proxy:cache \ + -t proxy:${{ github.sha }} \ + . + + - name: Trivy — container vulnerability scan + uses: aquasecurity/trivy-action@master + with: + image-ref: proxy:${{ github.sha }} + format: sarif + output: trivy-results.sarif + exit-code: "1" + severity: CRITICAL,HIGH + ignore-unfixed: true + + - name: Upload Trivy results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: trivy-results.sarif + + # ───────────────────────────────────────────── + # OWASP ZAP DAST — only on push to main (E10-06) + # Starts the proxy in dev mode and runs a ZAP baseline scan. + # Results are uploaded as a CI artifact (non-blocking). + # ───────────────────────────────────────────── + zap-dast: + name: OWASP ZAP DAST + runs-on: ubuntu-latest + needs: [go, python, security] + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version: "1.24" + cache: true + + - name: Start proxy (dev mode) + run: | + VEYLANT_SERVER_ENV=development \ + VEYLANT_SERVER_PORT=8090 \ + go run ./cmd/proxy/ & + env: + VEYLANT_SERVER_ENV: development + VEYLANT_SERVER_PORT: "8090" + + - name: Wait for proxy to start + run: | + for i in $(seq 1 15); do + curl -sf http://localhost:8090/healthz && exit 0 + sleep 1 + done + echo "Proxy did not start in time" && exit 1 + + - name: ZAP Baseline Scan + uses: zaproxy/action-baseline@v0.12.0 + with: + target: 'http://localhost:8090' + fail_action: false + artifact_name: zap-baseline-report + + # ───────────────────────────────────────────── + # k6 smoke test — run on every push to main + # Validates proxy is up and responsive before any deploy. + # ───────────────────────────────────────────── + load-test: + name: k6 Smoke Test + runs-on: ubuntu-latest + needs: [go] + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version: "1.24" + cache: true + + - name: Install k6 + run: | + curl -fsSL https://dl.k6.io/key.gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/k6.gpg + echo "deb https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list + sudo apt-get update && sudo apt-get install -y k6 + + - name: Start proxy (dev mode) + run: go run ./cmd/proxy/ & + env: + VEYLANT_SERVER_ENV: development + VEYLANT_SERVER_PORT: "8090" + + - name: Wait for proxy + run: | + for i in $(seq 1 20); do + curl -sf http://localhost:8090/healthz && break + sleep 1 + done + + - name: k6 smoke scenario + run: | + k6 run \ + --env VEYLANT_URL=http://localhost:8090 \ + --env VEYLANT_TOKEN=dev-token \ + --env SCENARIO=smoke \ + test/k6/k6-load-test.js + + # ───────────────────────────────────────────── + # Deploy to staging — only on push to main + # Uses blue/green deployment for zero-downtime and instant rollback (< 30s). + # Manual rollback: make deploy-rollback NAMESPACE=veylant ACTIVE_SLOT=blue + # ───────────────────────────────────────────── + deploy-staging: + name: Deploy (staging — blue/green) + runs-on: ubuntu-latest + needs: [go, python, security, load-test] + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + environment: staging + steps: + - uses: actions/checkout@v4 + + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: v3.16.0 + + - name: Configure kubectl + run: | + mkdir -p ~/.kube + echo "${{ secrets.KUBECONFIG }}" > ~/.kube/config + chmod 600 ~/.kube/config + + - name: Blue/green deploy + run: | + chmod +x deploy/scripts/blue-green.sh + ./deploy/scripts/blue-green.sh + env: + IMAGE_TAG: ${{ github.sha }} + NAMESPACE: veylant + VEYLANT_URL: ${{ secrets.STAGING_VEYLANT_URL }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..6d36f68 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,148 @@ +name: Release + +on: + push: + tags: + - "v*" + +permissions: + contents: write # Create GitHub Release + packages: write # Push to ghcr.io + id-token: write # OIDC for provenance attestation + +jobs: + # ───────────────────────────────────────────── + # Build & push Docker image to GHCR + # ───────────────────────────────────────────── + docker: + name: Build & Push Docker Image + runs-on: ubuntu-latest + outputs: + image-digest: ${{ steps.push.outputs.digest }} + steps: + - uses: actions/checkout@v4 + + - name: Extract version from tag + id: version + run: echo "VERSION=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push + id: push + uses: docker/build-push-action@v5 + with: + context: . + push: true + platforms: linux/amd64,linux/arm64 + tags: | + ghcr.io/${{ github.repository }}:${{ github.ref_name }} + ghcr.io/${{ github.repository }}:${{ steps.version.outputs.VERSION }} + ghcr.io/${{ github.repository }}:latest + cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:cache + cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:cache,mode=max + labels: | + org.opencontainers.image.title=Veylant IA Gateway + org.opencontainers.image.description=AI Governance Proxy for Enterprise + org.opencontainers.image.version=${{ steps.version.outputs.VERSION }} + org.opencontainers.image.revision=${{ github.sha }} + org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} + + - name: Trivy — container scan (must pass for release) + uses: aquasecurity/trivy-action@master + with: + image-ref: ghcr.io/${{ github.repository }}:${{ github.ref_name }} + format: sarif + output: trivy-release.sarif + exit-code: "1" + severity: CRITICAL,HIGH + ignore-unfixed: true + + - name: Upload Trivy results + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: trivy-release.sarif + + # ───────────────────────────────────────────── + # Package Helm chart + # ───────────────────────────────────────────── + helm: + name: Package & Push Helm Chart + runs-on: ubuntu-latest + needs: [docker] + steps: + - uses: actions/checkout@v4 + + - name: Set up Helm + uses: azure/setup-helm@v4 + with: + version: v3.16.0 + + - name: Log in to GHCR OCI registry (Helm) + run: | + echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io \ + --username ${{ github.actor }} \ + --password-stdin + + - name: Package Helm chart + run: | + helm package deploy/helm/veylant-proxy \ + --version "${{ github.ref_name }}" \ + --app-version "${{ github.ref_name }}" + + - name: Push Helm chart to GHCR OCI + run: | + helm push veylant-proxy-*.tgz \ + oci://ghcr.io/${{ github.repository_owner }}/charts + + # ───────────────────────────────────────────── + # Create GitHub Release with CHANGELOG notes + # ───────────────────────────────────────────── + release: + name: Create GitHub Release + runs-on: ubuntu-latest + needs: [docker, helm] + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Extract release notes from CHANGELOG.md + id: changelog + run: | + # Extract section for this version from CHANGELOG.md + VERSION="${{ github.ref_name }}" + VERSION_NO_V="${VERSION#v}" + + # Extract content between this version header and the next one + NOTES=$(awk "/^## \[${VERSION_NO_V}\]/{found=1; next} found && /^## \[/{exit} found{print}" CHANGELOG.md) + + if [ -z "$NOTES" ]; then + NOTES="See [CHANGELOG.md](./CHANGELOG.md) for full release notes." + fi + + # Write to file to handle multiline content + echo "$NOTES" > release_notes.md + echo "Release notes extracted ($(wc -l < release_notes.md) lines)" + + - name: Create GitHub Release + uses: softprops/action-gh-release@v2 + with: + name: "Veylant IA ${{ github.ref_name }}" + body_path: release_notes.md + draft: false + prerelease: ${{ contains(github.ref_name, '-rc') || contains(github.ref_name, '-beta') }} + generate_release_notes: false + files: | + CHANGELOG.md + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a67ae99 --- /dev/null +++ b/.gitignore @@ -0,0 +1,79 @@ +# Go +bin/ +*.exe +*.exe~ +*.dll +*.so +*.dylib +*.test +*.out +coverage.out +coverage.html + +# Vendor +vendor/ + +# Go workspace +go.work +go.work.sum + +# Python +__pycache__/ +*.py[cod] +*$py.class +*.pyc +.venv/ +venv/ +env/ +dist/ +*.egg-info/ +.pytest_cache/ +.mypy_cache/ +htmlcov/ + +# Node / Frontend +node_modules/ +.next/ +out/ +dist/ +*.local + +# Environment & secrets +.env +.env.* +!.env.example +*.pem +*.key +*.p12 +*.pfx +secrets/ +vault-tokens/ + +# Docker +.docker/ + +# Terraform +.terraform/ +*.tfstate +*.tfstate.* +*.tfplan +.terraform.lock.hcl + +# IDE +.idea/ +.vscode/ +*.swp +*.swo +*~ +.DS_Store + +# Generated proto stubs +gen/ +services/pii/gen/ + +# Logs +*.log +logs/ + +# Coverage reports +coverage/ diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000..2ad223c --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,44 @@ +version: "2" + +linters: + enable: + - errcheck # Check all error return values + - govet # Suspicious Go constructs + - staticcheck # Large set of static analysis checks + - ineffassign # Detect ineffectual assignments + - unused # Find unused code + - gofmt # Formatting + - goimports # Import ordering + - gocritic # Common Go mistakes + - noctx # HTTP requests should use context + - bodyclose # HTTP response body must be closed + - exhaustive # Exhaustive enum switch + - godot # Comments should end with a period + - misspell # Spelling errors in comments/strings + - whitespace # Unnecessary blank lines + + settings: + errcheck: + check-type-assertions: true + govet: + enable-all: true + staticcheck: + checks: ["all"] + godot: + scope: declarations + +linters-settings: + goimports: + local-prefixes: github.com/veylant/ia-gateway + +issues: + exclude-rules: + # Allow _ in test files for assertion patterns + - path: _test\.go + linters: [errcheck] + # Generated proto files are not our code + - path: gen/ + linters: ["all"] + +run: + timeout: 5m diff --git a/.semgrep.yml b/.semgrep.yml new file mode 100644 index 0000000..3e16a03 --- /dev/null +++ b/.semgrep.yml @@ -0,0 +1,113 @@ +rules: + # ── Go: HTTP handler context hygiene ──────────────────────────────────────── + + - id: veylant-context-background-in-handler + languages: [go] + severity: WARNING + message: > + HTTP handler uses context.Background() instead of r.Context(). + This bypasses request cancellation, tracing, and tenant context propagation. + Use r.Context() to inherit the request lifetime. + patterns: + - pattern: | + func $HANDLER($W http.ResponseWriter, $R *http.Request) { + ... + context.Background() + ... + } + paths: + include: + - "internal/**/*.go" + - "cmd/**/*.go" + + # ── Go: SQL injection risk ────────────────────────────────────────────────── + + - id: veylant-sql-string-concatenation + languages: [go] + severity: ERROR + message: > + SQL query built using string concatenation or fmt.Sprintf. + This is a potential SQL injection vulnerability. + Use parameterised queries ($1, $2, ...) or named placeholders instead. + patterns: + - pattern: db.QueryContext($CTX, $QUERY + $VAR, ...) + - pattern: db.QueryRowContext($CTX, $QUERY + $VAR, ...) + - pattern: db.ExecContext($CTX, $QUERY + $VAR, ...) + - pattern: db.QueryContext($CTX, fmt.Sprintf(...), ...) + - pattern: db.QueryRowContext($CTX, fmt.Sprintf(...), ...) + - pattern: db.ExecContext($CTX, fmt.Sprintf(...), ...) + paths: + include: + - "internal/**/*.go" + + # ── Go: Sensitive data in structured logs ─────────────────────────────────── + + - id: veylant-sensitive-field-in-log + languages: [go] + severity: WARNING + message: > + Potentially sensitive field name logged. Ensure this does not contain PII, + API keys, passwords, or tokens. Use redaction helpers for sensitive values. + patterns: + - pattern: zap.String("password", ...) + - pattern: zap.String("api_key", ...) + - pattern: zap.String("token", ...) + - pattern: zap.String("secret", ...) + - pattern: zap.String("Authorization", ...) + - pattern: zap.String("email", ...) + - pattern: zap.String("prompt", ...) + paths: + include: + - "internal/**/*.go" + - "cmd/**/*.go" + + # ── Go: Hardcoded credentials ─────────────────────────────────────────────── + + - id: veylant-hardcoded-api-key + languages: [go] + severity: ERROR + message: > + Hardcoded string that looks like an API key or secret. + API keys must be loaded from environment variables or Vault — never hardcoded. + patterns: + - pattern: | + $KEY = "sk-..." + - pattern: | + APIKey: "sk-..." + paths: + include: + - "internal/**/*.go" + - "cmd/**/*.go" + + # ── Go: Missing request size limit ───────────────────────────────────────── + + - id: veylant-missing-max-bytes-reader + languages: [go] + severity: WARNING + message: > + HTTP request body decoded without http.MaxBytesReader(). + A client can send an unbounded body, causing memory exhaustion. + Wrap r.Body with http.MaxBytesReader(w, r.Body, maxBytes) before decoding. + patterns: + - pattern: json.NewDecoder($R.Body).Decode(...) + paths: + include: + - "internal/**/*.go" + fix: | + r.Body = http.MaxBytesReader(w, r.Body, 1<<20) // 1 MiB + json.NewDecoder(r.Body).Decode(...) + + # ── Python: Eval/exec of user input ───────────────────────────────────────── + + - id: veylant-python-eval-user-input + languages: [python] + severity: ERROR + message: > + eval() or exec() called with a variable — potential code injection. + Never evaluate user-supplied data. + patterns: + - pattern: eval($X) + - pattern: exec($X) + paths: + include: + - "services/**/*.py" diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..3ada35a --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,112 @@ +# Changelog + +All notable changes to Veylant IA are documented in this file. +Format: [Conventional Commits](https://www.conventionalcommits.org/) — `feat`, `fix`, `chore`, `docs`, `perf`, `security`. + +--- + +## [1.0.0] — 2026-06-21 — Production Launch + +### Milestone 6 — Beta, Polish & Launch (Sprint 13) + +#### feat: Production K8s cluster on AWS eu-west-3 (E1-10) +- Terraform EKS module: 3-AZ managed node groups (eu-west-3a/b/c), t3.medium, cluster v1.31 +- HPA `autoscaling/v2` template: CPU 70% + memory 80% targets, scale 3→15 replicas +- `values-production.yaml`: replicaCount=3, autoscaling enabled, fail_open=false for PII +- Daily PostgreSQL backup CronJob: pg_dump | gzip → S3, 7-day retention via S3 lifecycle +- S3 backup bucket with AES-256 encryption, public access blocked, IRSA for pod-level IAM +- PodDisruptionBudget: minAvailable=1 (Sprint 12) +- Topology spread constraints across AZs + +#### feat: Production monitoring stack (E1-11) +- Alertmanager: PagerDuty (critical) + Slack (warning + critical channels), inhibit rules +- 4 new Prometheus alert rules: VeylantProxyDown, VeylantCertExpiringSoon, VeylantDBConnectionsHigh, VeylantPIIVolumeAnomaly +- Production SLO dashboard: uptime 99.5% gauge, error budget remaining, PII by type, DB connections, provider breakdown, Redis memory +- Extended proxy-overview dashboard: +3 panels (PII rate by type, DB connections, provider pie chart) +- Prometheus alertmanager integration + rule_files config +- Blackbox exporter config for TLS certificate expiry probing + +#### feat: Pilot client migration runbook (E11-13) +- 5-phase migration runbook: pre-migration backup → PG data migration → Keycloak reconfiguration → validation → SSO cutover +- Rollback plan at each phase +- CORS update procedure for client domains + +#### feat: 5 operational runbooks (E1-12) +- `provider-down.md`: circuit breaker recovery, fallback activation, escalation matrix +- `database-full.md`: connection pool exhaustion, VACUUM, PVC expansion via AWS EBS +- `certificate-expired.md`: cert-manager forced renewal, emergency self-signed rollback +- `traffic-spike.md`: HPA manual override, tenant rate limiting, maintenance mode +- `pii-breach.md`: GDPR Art. 33 notification procedure, CNIL 72h deadline, evidence collection + +#### docs: Pentest remediation report (E11-12) +- CVSS heatmap: 0 Critical, 0 High, 0 Medium open +- 5 findings documented with remediation evidence +- Go/No-Go checklist for Sprint 13 production decision + +#### docs: Commercial materials (E11-14) +- One-pager: Shadow AI problem → Veylant solution → differentiators → pricing → CTA +- Pitch deck (10 slides): problem, solution, PII demo, governance, compliance, business model, roadmap, team, CTA +- Battle card: RSSI / DSI / DPO personas — pain points, qualification questions, objection handling, MEDDIC grid, competitive positioning + +--- + +## [0.2.0] — 2026-05-30 — Sprint 12 (Security & Polish) + +### Security & UX hardening (E11-09 / E11-10) +- **fix(security): CORS middleware** — `Access-Control-Allow-Origin` allowlist per environment; OPTIONS preflight 204 +- **fix(security): CSP segmented** — strict CSP for `/v1/*`, relaxed for `/docs` and `/playground` (unpkg.com allowed) +- **fix(security): COOP header** — `Cross-Origin-Opener-Policy: same-origin` added +- **fix(ratelimit): Retry-After header on 429** — RFC 6585 compliant; `RetryAfterSec: 1` default +- **fix(ux): 403 message with allowed models** — error now lists allowed models for the user's role +- **feat(ux): X-Request-Id in error responses** — `WriteErrorWithRequestID()` injects request ID in all error responses + +### Observability (E2-12) +- **feat(observability): k6 load test suite** — 4 scenarios (smoke/load/stress/soak), `SCENARIO` env var selection, p99 < 500ms threshold +- **feat(observability): Prometheus recording rules** — p99, p95, request rate, error rate pre-computed +- **feat(observability): 3 alert rules** — VeylantHighLatencyP99, VeylantHighErrorRate, VeylantCircuitBreakerOpen + +### Blue/Green Deployment (E1-09) +- **feat(deploy): Istio VirtualService + DestinationRule** — blue/green subsets, atomic traffic switch +- **feat(deploy): blue-green.sh** — 7-step orchestration: detect active slot → deploy inactive → smoke test → patch VS → verify → scale down old slot +- **feat(deploy): PodDisruptionBudget** — minAvailable=1 +- **feat(ci): k6 smoke job in CI** — runs before deploy-staging; blocks deployment on SLA breach + +### Public Playground (E8-15) +- **feat(product): GET /playground** — self-contained HTML demo page with PII visualization and color-coded entity badges +- **feat(product): POST /playground/analyze** — IP rate-limited (20 req/min, 5-min eviction), graceful PII fallback +- **feat(security): Semgrep custom rules** — 6 rules: context.Background() in handlers, SQL injection, sensitive logging, hardcoded keys, missing MaxBytesReader, Python eval() + +### Documentation (E11-08 / E11-11) +- **docs: feedback-backlog.md** — Sprint 12 MoSCoW from 2 pilot sessions (TechVision ESN + RH Conseil) +- **docs: pentest-scope.md** — grey box pentest scope, attack surfaces, rules of engagement + +--- + +## [0.1.0] — 2026-04-30 — Sprint 11 (Feature Flags, E2E Tests, OpenAPI, Guides) + +- **feat: Feature flags** — PostgreSQL-backed with in-memory fallback (E11-07) +- **feat: E2E tests** — Playwright for dashboard UI, testcontainers for integration (E11-01a/b) +- **feat: OpenAPI 3.1 spec** — swaggo annotations, Swagger UI at /docs (E11-02) +- **docs: Integration guide** — OpenAI SDK compatibility, environment setup (E11-03) +- **docs: Admin guide** — routing rules, RBAC, CORS configuration (E11-04) +- **docs: Onboarding guide** — first-time setup, Keycloak federation (E11-05/06) + +--- + +## [0.0.1] — 2026-02-15 — Sprints 1–10 (MVP Core) + +- Go proxy: chi router, zap logger, viper config, graceful shutdown +- PII sidecar: FastAPI + gRPC, regex + Presidio + spaCy (fr_core_news_lg), 3-layer detection +- Intelligent routing engine: PostgreSQL JSONB, in-memory cache, priority ASC, first-match-wins +- RBAC: Keycloak OIDC, 4 roles (admin/manager/user/auditor), per-model restrictions +- Audit logs: ClickHouse append-only, async batch writer, TTL retention +- GDPR Article 30 registry + AI Act risk classification + PDF export +- Multi-tenant isolation: PostgreSQL RLS, `veylant_app` role, per-session `app.tenant_id` +- AES-256-GCM encryption for prompt storage, Redis pseudonymization mappings +- Provider adapters: OpenAI, Anthropic, Azure, Mistral, Ollama +- Circuit breaker: threshold=5, open_ttl=60s +- Token-bucket rate limiter: per-tenant + per-user, DB overrides +- Prometheus metrics middleware + Grafana dashboards +- React 18 dashboard: shadcn/ui, recharts, OIDC auth flow +- Helm chart v0.1.0, Docker multi-stage build, docker-compose dev stack +- CI/CD: golangci-lint, black, ruff, Semgrep SAST, Trivy image scan, gitleaks, OWASP ZAP DAST diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..df6c26b --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,192 @@ +# CLAUDE.md + +This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository. + +## Project Overview + +**Veylant IA** — A B2B SaaS platform acting as an intelligent proxy/gateway for enterprise AI consumption. Core value proposition: prevent Shadow AI, enforce PII anonymization, ensure GDPR/EU AI Act compliance, and control costs across all LLM usage in an organization. + +Full product requirements are in `docs/AI_Governance_Hub_PRD.md` and the 6-month execution plan (13 sprints, 164 tasks) is in `docs/AI_Governance_Hub_Plan_Realisation.md`. + +## Architecture + +**Go module**: `github.com/veylant/ia-gateway` · **Go version**: 1.24 + +**Modular monolith** (not microservices), with two distinct runtimes: + +``` +API Gateway (Traefik) + │ +Go Proxy [cmd/proxy] — chi router, zap logger, viper config + ├── internal/middleware/ Auth (OIDC/Keycloak), RateLimit, RequestID, SecurityHeaders + ├── internal/router/ RBAC enforcement + provider dispatch + fallback chain + ├── internal/routing/ Rules engine (PostgreSQL JSONB, in-memory cache, priority ASC) + ├── internal/pii/ gRPC client to PII sidecar + /v1/pii/analyze HTTP handler + ├── internal/auditlog/ ClickHouse append-only logger (async batch writer) + ├── internal/compliance/ GDPR Art.30 registry + AI Act classification + PDF reports + ├── internal/admin/ Admin REST API (/v1/admin/*) — routing rules, users, providers + ├── internal/billing/ Token cost tracking (per provider pricing) + ├── internal/circuitbreaker/ Failure-count breaker (threshold=5, open_ttl=60s) + ├── internal/ratelimit/ Token-bucket limiter (per-tenant + per-user, DB overrides) + ├── internal/flags/ Feature flags (PostgreSQL + in-memory fallback) + ├── internal/crypto/ AES-256-GCM encryptor for prompt storage + ├── internal/metrics/ Prometheus middleware + metrics registration + ├── internal/provider/ Adapter interface + OpenAI/Anthropic/Azure/Mistral/Ollama impls + ├── internal/proxy/ Core request handler (PII → upstream → audit → response) + ├── internal/apierror/ OpenAI-format error helpers (WriteError, WriteErrorWithRequestID) + ├── internal/health/ /healthz, /docs, /playground, /playground/analyze handlers + └── internal/config/ Viper-based config loader (VEYLANT_* env var overrides) + │ gRPC (<2ms) to localhost:50051 +PII Detection Service [services/pii] — FastAPI + grpc.aio + ├── HTTP health: :8091/healthz + ├── Layer 1: Regex (IBAN, email, phone, SSN, credit cards) + ├── Layer 2: Presidio + spaCy NER (names, addresses, orgs) + └── Layer 3: LLM validation (V1.1, ambiguous cases) + │ +LLM Provider Adapters (OpenAI, Anthropic, Azure, Mistral, Ollama) +``` + +**Data layer:** +- PostgreSQL 16 — config, users, policies, processing registry (Row-Level Security for multi-tenancy; app role: `veylant_app`) +- ClickHouse — analytics and immutable audit logs +- Redis 7 — sessions, rate limiting, PII pseudonymization mappings (AES-256-GCM + TTL) +- Keycloak — IAM, SSO, SAML 2.0/OIDC federation (dev console: http://localhost:8080, admin/admin; test users: admin@veylant.dev/admin123, user@veylant.dev/user123) +- Prometheus — metrics scraper on :9090; Grafana — dashboards on :3001 (admin/admin) +- HashiCorp Vault — secrets and API key rotation (90-day cycle) + +**Frontend:** React 18 + TypeScript + Vite, shadcn/ui, recharts. Routes protected via OIDC (Keycloak); `web/src/auth/` manages the auth flow. API clients live in `web/src/api/`. + +## Repository Structure + +``` +cmd/proxy/ # Go main entry point — wires all modules, starts HTTP server +internal/ # All Go modules (see Architecture above for full list) +gen/ # Generated Go gRPC stubs (buf generate → never edit manually) +services/pii/ # Python FastAPI + gRPC PII detection service + gen/pii/v1/ # Generated Python proto stubs (run `make proto` first) +proto/pii/v1/ # gRPC .proto definitions +migrations/ # golang-migrate SQL files (up/down pairs) + clickhouse/ # ClickHouse DDL applied at startup via ApplyDDL() +web/ # React frontend (Vite, src/pages, src/components, src/api) +deploy/ # Helm charts for Kubernetes +config.yaml # Local dev config (overridden by VEYLANT_* env vars) +``` + +## Build & Development Commands + +Use `make` as the primary interface. The proxy runs on **:8090**, PII HTTP on **:8091**, PII gRPC on **:50051**. + +```bash +make dev # Start full stack (proxy + PostgreSQL + ClickHouse + Redis + Keycloak + PII) +make dev-down # Stop and remove all containers and volumes +make dev-logs # Tail logs from all services +make build # go build → bin/proxy +make test # go test -race ./... +make test-cover # Tests with HTML coverage report (coverage.html) +make test-integration # Integration tests with testcontainers (requires Docker) +make lint # golangci-lint + black --check + ruff check +make fmt # gofmt + black +make proto # buf generate — regenerates gen/ and services/pii/gen/ +make proto-lint # buf lint +make migrate-up # Apply pending DB migrations +make migrate-down # Roll back last migration +make migrate-status # Show current migration version +make check # Full pre-commit: build + vet + lint + test +make health # curl localhost:8090/healthz +make docs # Open http://localhost:8090/docs in browser (proxy must be running) +make helm-dry-run # Render Helm templates without deploying +make helm-deploy # Deploy to staging (requires IMAGE_TAG + KUBECONFIG env vars) +make load-test # k6 load test (SCENARIO=smoke|load|stress|soak, default: smoke) +make deploy-blue # Blue/green: deploy IMAGE_TAG to blue slot (requires kubectl + Istio) +make deploy-green # Blue/green: deploy IMAGE_TAG to green slot +make deploy-rollback # Roll back traffic to ACTIVE_SLOT (e.g. make deploy-rollback ACTIVE_SLOT=blue) +``` + +**Frontend dev server** (Vite, runs on :3000): +```bash +cd web && npm install && npm run dev +``` + +**Run a single Go test:** +```bash +go test -run TestName ./internal/module/ +``` + +**Run a single Python test:** +```bash +pytest services/pii/test_file.py::test_function +``` + +**Proto prerequisite:** Run `make proto` before starting the PII service if `gen/` or `services/pii/gen/` is missing — the service will start but reject all gRPC requests otherwise. + +**Config override:** Any config key can be overridden via env var with the `VEYLANT_` prefix and `.` → `_` replacement. Example: `VEYLANT_SERVER_PORT=9090` overrides `server.port`. + +**Tools required:** `buf` (`brew install buf`), `golang-migrate` (`brew install golang-migrate`), `golangci-lint`, Python 3.12, `black`, `ruff`. + +## Development Mode Graceful Degradation + +When `server.env=development`, the proxy degrades gracefully instead of crashing: +- **Keycloak unreachable** → falls back to `MockVerifier` (JWT auth bypassed; dev user injected as `admin` role) +- **PostgreSQL unreachable** → routing engine and feature flags disabled; flag store uses in-memory fallback +- **ClickHouse unreachable** → audit logging disabled +- **PII service unreachable** → PII disabled if `pii.fail_open=true` (default) + +In production (`server.env=production`), any of the above causes a fatal startup error. + +## Key Technical Constraints + +**Latency budget**: The entire PII pipeline (regex + NER + pseudonymization) must complete in **<50ms**. The PII gRPC call has a configurable timeout (`pii.timeout_ms`, default 100ms). + +**Streaming (SSE)**: The proxy must flush SSE chunks without buffering. PII anonymization applies to the **request** before it's sent upstream — not to the streamed response. This is the most technically complex piece of the MVP. + +**Multi-tenancy**: Logical isolation via PostgreSQL Row-Level Security. The app connects as role `veylant_app` and sets `app.tenant_id` per session. Superuser bypasses RLS (dev only). + +**Immutable audit logs**: ClickHouse is append-only — no DELETE operations. Retention via TTL policies only. ClickHouse DDL is applied idempotently at startup from `migrations/clickhouse/`. + +**Routing rule evaluation**: Rules are sorted ascending by `priority` (lower = evaluated first). All conditions within a rule are AND-joined. An empty `Conditions` slice is a catch-all. First match wins. Supported condition fields: `user.role`, `user.department`, `request.sensitivity`, `request.model`, `request.use_case`, `request.token_estimate`. Operators: `eq`, `neq`, `in`, `nin`, `gte`, `lte`, `contains`, `matches`. + +## Conventions + +**Go import ordering** (`goimports` with `local-prefixes: github.com/veylant/ia-gateway`): three groups — stdlib · external · `github.com/veylant/ia-gateway/internal/...`. `gen/` is excluded from all linters (generated code). + +**Commits**: Conventional Commits (`feat:`, `fix:`, `chore:`) — used for automated changelog generation. + +**API versioning**: `/v1/` prefix, OpenAI-compatible format (`/v1/chat/completions`) so existing OpenAI SDK clients work without modification. + +**LLM Provider Adapters**: Each provider implements `provider.Adapter` (`Send()`, `Stream()`, `Validate()`, `HealthCheck()`). Add new providers by implementing this interface in `internal/provider//`. + +**Error handling**: Go modules use typed errors with `errors.Wrap`. The proxy always returns errors in OpenAI JSON format (`type`, `message`, `code`). + +**Feature flags**: PostgreSQL table (`feature_flags`) + in-memory fallback when DB is unavailable. No external service. + +**OpenAPI docs**: Generated from swaggo annotations — never write API docs by hand. + +**Testing split**: 70% unit (`testing` + `testify` / `pytest`) · 20% integration (`testcontainers` for PG/ClickHouse/Redis) · 10% E2E (Playwright for UI). Tests are written in parallel with each module, not deferred. + +**CI coverage thresholds**: Go internal packages must maintain ≥80% coverage; Python PII service ≥75%. NER tests (`test_ner.py`) are excluded from CI because `fr_core_news_lg` (~600MB) is only available in the Docker build. + +## Custom Semgrep Rules (`.semgrep.yml`) + +These are enforced in CI and represent project-specific guardrails: +- **`context.Background()` in HTTP handlers** → use `r.Context()` to propagate tenant context and cancellation. +- **SQL string concatenation** (`db.QueryContext(ctx, query+var)` or `fmt.Sprintf`) → use parameterized queries (`$1, $2, ...`). +- **Sensitive fields in logs** (`zap.String("password"|"api_key"|"token"|"secret"|"Authorization"|"email"|"prompt", ...)`) → use redaction helpers. +- **Hardcoded API keys** (string literals starting with `sk-`) → load from env or Vault. +- **`json.NewDecoder(r.Body).Decode()`** without `http.MaxBytesReader` → wrap body first. +- **Python `eval()`/`exec()`** on variables → never evaluate user-supplied data. + +## Security Patterns + +- Zero Trust network, mTLS between services, TLS 1.3 externally +- All sensitive fields encrypted at application level (AES-256-GCM) +- API keys stored as SHA-256 hashes only; prefix kept for display (e.g. `sk-vyl_ab12cd34`) +- RBAC roles: `admin`, `manager`, `user`, `auditor` — per-model and per-department permissions. `admin`/`manager` have unrestricted model access; `user` is limited to `rbac.user_allowed_models`; `auditor` cannot call `/v1/chat/completions` by default. +- Audit-of-the-audit: all accesses to audit logs are themselves logged +- CI pipeline: Semgrep (SAST), Trivy (image scanning, CRITICAL/HIGH blocking), gitleaks (secret detection), OWASP ZAP DAST (non-blocking, main branch only) +- Release pipeline (`v*` tag push): multi-arch Docker image (amd64/arm64) → GHCR, Helm chart → GHCR OCI, GitHub Release with notes extracted from CHANGELOG.md + +## MVP Scope (V1) + +In scope: AI proxy, PII anonymization + pseudonymization, intelligent routing engine, audit logs, RBAC, React dashboard, GDPR Article 30 registry, AI Act risk classification, provider configuration wizard, integrated playground (prompt test with PII visualization). + +Out of scope (V2+): ML anomaly detection, Shadow AI discovery, physical multi-tenant isolation, native SDKs, SIEM integrations. diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..706df37 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,39 @@ +# ───────────────────────────────────────────── +# Stage 1: Build +# ───────────────────────────────────────────── +# SHA256 pinned for reproducible builds (E10-05). +# To refresh: docker pull --platform linux/amd64 golang:1.24-alpine && docker inspect ... | jq -r '.[0].RepoDigests[0]' +FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder + +RUN apk add --no-cache git ca-certificates + +WORKDIR /app + +# Download dependencies first (cache layer) +COPY go.mod go.sum ./ +RUN go mod download + +# Copy source and build +COPY . . +RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \ + go build -ldflags="-s -w -extldflags '-static'" \ + -o /app/bin/proxy ./cmd/proxy/ + +# ───────────────────────────────────────────── +# Stage 2: Runtime (distroless — no shell, minimal attack surface) +# ───────────────────────────────────────────── +# SHA256 pinned for reproducible builds (E10-05). +FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838 + +WORKDIR /app + +# Copy binary and default config +COPY --from=builder /app/bin/proxy . +COPY --from=builder /app/config.yaml . + +# Non-root user (distroless default uid 65532) +USER 65532:65532 + +EXPOSE 8090 + +ENTRYPOINT ["/app/proxy"] diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..185ac64 --- /dev/null +++ b/Makefile @@ -0,0 +1,161 @@ +.PHONY: dev dev-down build test test-cover lint fmt proto migrate-up migrate-down health check docs load-test deploy-blue deploy-green deploy-rollback + +# ───────────────────────────────────────────── +# Local development +# ───────────────────────────────────────────── + +## dev: Start the full local stack (proxy + PostgreSQL + ClickHouse + Redis + Keycloak + PII) +dev: + docker compose up --build + +## dev-down: Stop and remove all containers and volumes +dev-down: + docker compose down -v + +## dev-logs: Tail logs from all services +dev-logs: + docker compose logs -f + +# ───────────────────────────────────────────── +# Go +# ───────────────────────────────────────────── + +## build: Compile the Go proxy binary to bin/proxy +build: + @mkdir -p bin + go build -o bin/proxy ./cmd/proxy/ + +## test: Run all Go tests with race detector +test: + go test -race ./... + +## test-cover: Run tests with HTML coverage report +test-cover: + go test -race -coverprofile=coverage.out ./... + go tool cover -html=coverage.out -o coverage.html + @echo "Coverage report: coverage.html" + +## lint: Run golangci-lint (Go) and black --check (Python) +lint: + golangci-lint run + black --check services/pii/ + ruff check services/pii/ + +## fmt: Auto-format Go and Python code +fmt: + gofmt -w . + black services/pii/ + +# ───────────────────────────────────────────── +# Proto (requires: brew install buf) +# ───────────────────────────────────────────── + +## proto: Generate gRPC stubs for Go (gen/) and Python (services/pii/gen/) +proto: + buf generate + +## proto-lint: Lint the proto definitions +proto-lint: + buf lint + +# ───────────────────────────────────────────── +# Database migrations (requires: brew install golang-migrate) +# ───────────────────────────────────────────── + +DB_URL ?= postgres://veylant:veylant_dev@localhost:5432/veylant?sslmode=disable + +## migrate-up: Apply all pending migrations +migrate-up: + migrate -path migrations -database "$(DB_URL)" up + +## migrate-down: Roll back the last migration +migrate-down: + migrate -path migrations -database "$(DB_URL)" down 1 + +## migrate-status: Show migration status +migrate-status: + migrate -path migrations -database "$(DB_URL)" version + +# ───────────────────────────────────────────── +# Checks & utilities +# ───────────────────────────────────────────── + +## docs: Open the API documentation in the browser (proxy must be running) +docs: + @echo "API docs available at http://localhost:8090/docs" + @echo "OpenAPI spec: http://localhost:8090/docs/openapi.yaml" + @open http://localhost:8090/docs 2>/dev/null || xdg-open http://localhost:8090/docs 2>/dev/null || true + +## health: Check the proxy health endpoint +health: + @curl -sf http://localhost:8090/healthz | python3 -m json.tool + +## check: Run build + vet + lint + test (full pre-commit check) +check: build + go vet ./... + golangci-lint run + go test -race ./... + +## test-integration: Run integration tests (requires Docker) +test-integration: + go test -tags integration -v -timeout 10m ./test/integration/... + +# ───────────────────────────────────────────── +# Helm (requires: helm) +# ───────────────────────────────────────────── + +## helm-dry-run: Render Helm templates without deploying +helm-dry-run: + helm template veylant-proxy deploy/helm/veylant-proxy + +## helm-deploy: Deploy to staging (requires KUBECONFIG and IMAGE_TAG env vars) +helm-deploy: + helm upgrade --install veylant-proxy deploy/helm/veylant-proxy \ + --namespace veylant \ + --create-namespace \ + --set image.tag=$(IMAGE_TAG) \ + --wait --timeout 5m + +# ───────────────────────────────────────────── +# Load tests (requires: brew install k6) +# ───────────────────────────────────────────── + +SCENARIO ?= smoke +VEYLANT_URL ?= http://localhost:8090 +VEYLANT_TOKEN ?= dev-token + +## load-test: Run k6 load tests (SCENARIO=smoke|load|stress|soak, default: smoke) +load-test: + k6 run \ + --env VEYLANT_URL=$(VEYLANT_URL) \ + --env VEYLANT_TOKEN=$(VEYLANT_TOKEN) \ + --env SCENARIO=$(SCENARIO) \ + test/k6/k6-load-test.js + +# ───────────────────────────────────────────── +# Blue/Green deployment (requires: kubectl + helm + Istio) +# ───────────────────────────────────────────── + +NAMESPACE ?= veylant +ACTIVE_SLOT ?= blue + +## deploy-blue: Deploy IMAGE_TAG to the blue slot +deploy-blue: + IMAGE_TAG=$(IMAGE_TAG) NAMESPACE=$(NAMESPACE) ACTIVE_SLOT=green \ + ./deploy/scripts/blue-green.sh + +## deploy-green: Deploy IMAGE_TAG to the green slot +deploy-green: + IMAGE_TAG=$(IMAGE_TAG) NAMESPACE=$(NAMESPACE) ACTIVE_SLOT=blue \ + ./deploy/scripts/blue-green.sh + +## deploy-rollback: Roll back to the previous active slot +deploy-rollback: + @echo "Rolling back: switching traffic back to $(ACTIVE_SLOT)..." + kubectl patch virtualservice veylant-proxy -n $(NAMESPACE) --type merge \ + -p '{"spec":{"http":[{"route":[{"destination":{"host":"veylant-proxy","subset":"$(ACTIVE_SLOT)"},"weight":100}]}]}}' + @echo "Rollback complete. Active slot: $(ACTIVE_SLOT)" + +## help: Show this help message +help: + @grep -E '^## ' Makefile | sed 's/## / /' diff --git a/README.md b/README.md new file mode 100644 index 0000000..7b47fd5 --- /dev/null +++ b/README.md @@ -0,0 +1,66 @@ +# Veylant IA — AI Governance Hub + +B2B SaaS platform acting as an intelligent proxy/gateway for enterprise AI consumption. +Prevents Shadow AI, enforces PII anonymization, ensures GDPR/EU AI Act compliance, and controls costs across all LLM usage. + +## Quick start + +```bash +# Start the full local stack (proxy + PostgreSQL + ClickHouse + Redis + Keycloak) +make dev + +# Health check +make health +# → {"status":"ok","timestamp":"..."} + +# Stop and clean +make dev-down +``` + +## Test credentials (development only) + +| User | Password | Role | +|------|----------|------| +| admin@veylant.dev | admin123 | Admin | +| user@veylant.dev | user123 | User | + +Keycloak admin console: http://localhost:8080 (admin / admin) + +## Architecture + +See `docs/AI_Governance_Hub_PRD.md` for the full technical architecture. + +``` +API Gateway (Traefik) + │ +Go Proxy [cmd/proxy] ← chi router, JWT auth, routing rules + ├── Module Auth ← Keycloak/OIDC/SAML + ├── Module Router ← rules engine + ├── Module Logger ← ClickHouse append-only + ├── Module PII ← gRPC → Python sidecar + ├── Module Billing ← cost tracking + └── Module RBAC ← row-level per tenant + │ gRPC +PII Service [services/pii] ← FastAPI + Presidio + spaCy + │ +LLM Adapters ← OpenAI, Anthropic, Azure, Mistral, Ollama +``` + +## Commands + +```bash +make build # go build ./cmd/proxy/ +make test # go test -race ./... +make lint # golangci-lint + black --check +make fmt # gofmt + black +make proto # buf generate (requires: brew install buf) +make migrate-up # apply DB migrations +make health # curl /healthz +``` + +## Documentation + +- `docs/AI_Governance_Hub_PRD.md` — Full product requirements +- `docs/AI_Governance_Hub_Plan_Realisation.md` — 26-week execution plan (164 tasks) +- `docs/Veylant_IA_Plan_Agile_Scrum.md` — Agile/Scrum plan (13 sprints) +- `docs/adr/` — Architecture Decision Records diff --git a/buf.gen.yaml b/buf.gen.yaml new file mode 100644 index 0000000..57e9758 --- /dev/null +++ b/buf.gen.yaml @@ -0,0 +1,21 @@ +version: v2 +plugins: + # Go stubs → gen/pii/v1/ + - remote: buf.build/protocolbuffers/go + out: gen + opt: + - paths=source_relative + + # Go gRPC stubs → gen/pii/v1/ + - remote: buf.build/grpc/go + out: gen + opt: + - paths=source_relative + + # Python stubs → services/pii/gen/ + - remote: buf.build/protocolbuffers/python + out: services/pii/gen + + # Python gRPC stubs → services/pii/gen/ + - remote: buf.build/grpc/python + out: services/pii/gen diff --git a/buf.yaml b/buf.yaml new file mode 100644 index 0000000..8ff58b1 --- /dev/null +++ b/buf.yaml @@ -0,0 +1,11 @@ +version: v2 +modules: + - path: proto +lint: + use: + - STANDARD + except: + - PACKAGE_VERSION_SUFFIX # pii.v1 already has version in package name +breaking: + use: + - FILE diff --git a/cmd/proxy/main.go b/cmd/proxy/main.go new file mode 100644 index 0000000..2a44f42 --- /dev/null +++ b/cmd/proxy/main.go @@ -0,0 +1,433 @@ +package main + +import ( + "context" + "database/sql" + "errors" + "fmt" + "net/http" + "os" + "os/signal" + "syscall" + "time" + + "github.com/go-chi/chi/v5" + chimiddleware "github.com/go-chi/chi/v5/middleware" + "github.com/prometheus/client_golang/prometheus/promhttp" + "go.uber.org/zap" + "go.uber.org/zap/zapcore" + + _ "github.com/jackc/pgx/v5/stdlib" // register pgx driver + + "github.com/veylant/ia-gateway/internal/admin" + "github.com/veylant/ia-gateway/internal/auditlog" + "github.com/veylant/ia-gateway/internal/circuitbreaker" + "github.com/veylant/ia-gateway/internal/compliance" + "github.com/veylant/ia-gateway/internal/config" + "github.com/veylant/ia-gateway/internal/crypto" + "github.com/veylant/ia-gateway/internal/flags" + "github.com/veylant/ia-gateway/internal/health" + "github.com/veylant/ia-gateway/internal/metrics" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/pii" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/provider/anthropic" + "github.com/veylant/ia-gateway/internal/provider/azure" + "github.com/veylant/ia-gateway/internal/provider/mistral" + "github.com/veylant/ia-gateway/internal/provider/ollama" + "github.com/veylant/ia-gateway/internal/provider/openai" + "github.com/veylant/ia-gateway/internal/proxy" + "github.com/veylant/ia-gateway/internal/ratelimit" + "github.com/veylant/ia-gateway/internal/router" + "github.com/veylant/ia-gateway/internal/routing" +) + +func main() { + cfg, err := config.Load() + if err != nil { + fmt.Fprintf(os.Stderr, "failed to load config: %v\n", err) + os.Exit(1) + } + + logger := buildLogger(cfg.Log.Level, cfg.Log.Format) + defer logger.Sync() //nolint:errcheck + + // ── JWT / OIDC verifier ─────────────────────────────────────────────────── + issuerURL := fmt.Sprintf("%s/realms/%s", cfg.Keycloak.BaseURL, cfg.Keycloak.Realm) + logger.Info("initialising OIDC verifier", zap.String("issuer", issuerURL)) + + ctx := context.Background() + oidcVerifier, err := middleware.NewOIDCVerifier(ctx, issuerURL, cfg.Keycloak.ClientID) + if err != nil { + if cfg.Server.Env == "development" { + logger.Warn("OIDC verifier unavailable — JWT auth will reject all requests", + zap.Error(err)) + oidcVerifier = nil + } else { + logger.Fatal("failed to initialise OIDC verifier", zap.Error(err)) + } + } + + // ── LLM provider adapters ───────────────────────────────────────────────── + adapters := map[string]provider.Adapter{} + + adapters["openai"] = openai.New(openai.Config{ + APIKey: cfg.Providers.OpenAI.APIKey, + BaseURL: cfg.Providers.OpenAI.BaseURL, + TimeoutSeconds: cfg.Providers.OpenAI.TimeoutSeconds, + MaxConns: cfg.Providers.OpenAI.MaxConns, + }) + + if cfg.Providers.Anthropic.APIKey != "" { + adapters["anthropic"] = anthropic.New(anthropic.Config{ + APIKey: cfg.Providers.Anthropic.APIKey, + BaseURL: cfg.Providers.Anthropic.BaseURL, + Version: cfg.Providers.Anthropic.Version, + TimeoutSeconds: cfg.Providers.Anthropic.TimeoutSeconds, + MaxConns: cfg.Providers.Anthropic.MaxConns, + }) + logger.Info("Anthropic adapter enabled") + } + + if cfg.Providers.Azure.ResourceName != "" && cfg.Providers.Azure.APIKey != "" { + adapters["azure"] = azure.New(azure.Config{ + APIKey: cfg.Providers.Azure.APIKey, + ResourceName: cfg.Providers.Azure.ResourceName, + DeploymentID: cfg.Providers.Azure.DeploymentID, + APIVersion: cfg.Providers.Azure.APIVersion, + TimeoutSeconds: cfg.Providers.Azure.TimeoutSeconds, + MaxConns: cfg.Providers.Azure.MaxConns, + }) + logger.Info("Azure OpenAI adapter enabled", + zap.String("resource", cfg.Providers.Azure.ResourceName), + zap.String("deployment", cfg.Providers.Azure.DeploymentID), + ) + } + + if cfg.Providers.Mistral.APIKey != "" { + adapters["mistral"] = mistral.New(mistral.Config{ + APIKey: cfg.Providers.Mistral.APIKey, + BaseURL: cfg.Providers.Mistral.BaseURL, + TimeoutSeconds: cfg.Providers.Mistral.TimeoutSeconds, + MaxConns: cfg.Providers.Mistral.MaxConns, + }) + logger.Info("Mistral adapter enabled") + } + + adapters["ollama"] = ollama.New(ollama.Config{ + BaseURL: cfg.Providers.Ollama.BaseURL, + TimeoutSeconds: cfg.Providers.Ollama.TimeoutSeconds, + MaxConns: cfg.Providers.Ollama.MaxConns, + }) + logger.Info("Ollama adapter enabled", zap.String("base_url", cfg.Providers.Ollama.BaseURL)) + + // ── Database (PostgreSQL via pgx) ───────────────────────────────────────── + var db *sql.DB + if cfg.Database.URL != "" { + var dbErr error + db, dbErr = sql.Open("pgx", cfg.Database.URL) + if dbErr != nil { + logger.Fatal("failed to open database", zap.Error(dbErr)) + } + db.SetMaxOpenConns(cfg.Database.MaxOpenConns) + db.SetMaxIdleConns(cfg.Database.MaxIdleConns) + if pingErr := db.PingContext(ctx); pingErr != nil { + if cfg.Server.Env == "development" { + logger.Warn("database unavailable — routing engine disabled", zap.Error(pingErr)) + db = nil + } else { + logger.Fatal("database ping failed", zap.Error(pingErr)) + } + } else { + logger.Info("database connected", zap.String("url", cfg.Database.URL)) + } + } + + // ── Routing engine ──────────────────────────────────────────────────────── + var routingEngine *routing.Engine + if db != nil { + ttl := time.Duration(cfg.Routing.CacheTTLSeconds) * time.Second + if ttl <= 0 { + ttl = 30 * time.Second + } + pgStore := routing.NewPgStore(db, logger) + routingEngine = routing.New(pgStore, ttl, logger) + routingEngine.Start() + logger.Info("routing engine started", zap.Duration("cache_ttl", ttl)) + } + + // ── Circuit breaker (E2-09) ─────────────────────────────────────────────── + cb := circuitbreaker.New(5, 60*time.Second) + logger.Info("circuit breaker initialised", zap.Int("threshold", 5), zap.Duration("open_ttl", 60*time.Second)) + + // ── Provider router (RBAC + model dispatch + optional engine) ───────────── + providerRouter := router.NewWithEngineAndBreaker(adapters, &cfg.RBAC, routingEngine, cb, logger) + logger.Info("provider router initialised", + zap.Int("adapter_count", len(adapters)), + zap.Strings("user_allowed_models", cfg.RBAC.UserAllowedModels), + zap.Bool("routing_engine", routingEngine != nil), + ) + + // ── PII client (optional) ───────────────────────────────────────────────── + var piiClient *pii.Client + if cfg.PII.Enabled { + pc, piiErr := pii.New(pii.Config{ + Address: cfg.PII.ServiceAddr, + Timeout: time.Duration(cfg.PII.TimeoutMs) * time.Millisecond, + FailOpen: cfg.PII.FailOpen, + }, logger) + if piiErr != nil { + logger.Warn("PII client init failed — PII disabled", zap.Error(piiErr)) + } else { + piiClient = pc + defer pc.Close() //nolint:errcheck + logger.Info("PII client connected", zap.String("addr", cfg.PII.ServiceAddr)) + } + } + + // ── AES-256-GCM encryptor (optional) ───────────────────────────────────── + var encryptor *crypto.Encryptor + if cfg.Crypto.AESKeyBase64 != "" { + enc, encErr := crypto.NewEncryptor(cfg.Crypto.AESKeyBase64) + if encErr != nil { + logger.Warn("crypto encryptor init failed — prompt encryption disabled", zap.Error(encErr)) + } else { + encryptor = enc + logger.Info("AES-256-GCM encryptor enabled") + } + } else { + logger.Warn("VEYLANT_CRYPTO_AES_KEY_BASE64 not set — prompt encryption disabled") + } + + // ── ClickHouse audit logger (optional) ──────────────────────────────────── + var auditLogger auditlog.Logger + if cfg.ClickHouse.DSN != "" { + chLogger, chErr := auditlog.NewClickHouseLogger( + cfg.ClickHouse.DSN, + cfg.ClickHouse.MaxConns, + cfg.ClickHouse.DialTimeoutSec, + logger, + ) + if chErr != nil { + if cfg.Server.Env == "development" { + logger.Warn("ClickHouse unavailable — audit logging disabled", zap.Error(chErr)) + } else { + logger.Fatal("ClickHouse init failed", zap.Error(chErr)) + } + } else { + // Apply DDL idempotently. + ddlPath := "migrations/clickhouse/000001_audit_logs.sql" + if ddlErr := chLogger.ApplyDDL(ddlPath); ddlErr != nil { + logger.Warn("ClickHouse DDL apply failed — audit logging disabled", zap.Error(ddlErr)) + } else { + chLogger.Start() + defer chLogger.Stop() + auditLogger = chLogger + logger.Info("ClickHouse audit logger started", zap.String("dsn", cfg.ClickHouse.DSN)) + } + } + } else { + logger.Warn("clickhouse.dsn not set — audit logging disabled") + } + + // ── Feature flag store (E4-12 zero-retention + future flags + E11-07) ────── + var flagStore flags.FlagStore + if db != nil { + flagStore = flags.NewPgFlagStore(db, logger) + logger.Info("feature flag store: PostgreSQL") + } else { + flagStore = flags.NewMemFlagStore() + logger.Warn("feature flag store: in-memory (no database)") + } + // Wire flag store into the provider router so it can check routing_enabled (E11-07). + providerRouter.WithFlagStore(flagStore) + + // ── Proxy handler ───────────────────────────────────────────────────────── + proxyHandler := proxy.NewWithAudit(providerRouter, logger, piiClient, auditLogger, encryptor). + WithFlagStore(flagStore) + + // ── Rate limiter (E10-09) ───────────────────────────────────────────────── + rateLimiter := ratelimit.New(ratelimit.RateLimitConfig{ + RequestsPerMin: cfg.RateLimit.DefaultTenantRPM, + BurstSize: cfg.RateLimit.DefaultTenantBurst, + UserRPM: cfg.RateLimit.DefaultUserRPM, + UserBurst: cfg.RateLimit.DefaultUserBurst, + IsEnabled: true, + }, logger) + // Load per-tenant overrides from DB (best-effort; missing DB is graceful). + if db != nil { + rlStore := ratelimit.NewStore(db, logger) + if overrides, err := rlStore.List(ctx); err == nil { + for _, cfg := range overrides { + rateLimiter.SetConfig(cfg) + } + logger.Info("rate limit overrides loaded", zap.Int("count", len(overrides))) + } else { + logger.Warn("failed to load rate limit overrides", zap.Error(err)) + } + } + logger.Info("rate limiter initialised", + zap.Int("default_tenant_rpm", cfg.RateLimit.DefaultTenantRPM), + zap.Int("default_user_rpm", cfg.RateLimit.DefaultUserRPM), + ) + + // ── HTTP router ─────────────────────────────────────────────────────────── + r := chi.NewRouter() + + r.Use(middleware.SecurityHeaders(cfg.Server.Env)) + r.Use(middleware.RequestID) + r.Use(chimiddleware.RealIP) + r.Use(chimiddleware.Recoverer) + + if cfg.Metrics.Enabled { + r.Use(metrics.Middleware("openai")) + } + + r.Get("/healthz", health.Handler) + + // OpenAPI documentation (E11-02). + r.Get("/docs", health.DocsHTMLHandler) + r.Get("/docs/openapi.yaml", health.DocsYAMLHandler) + + // Public PII playground — no JWT required (E8-15). + r.Get("/playground", health.PlaygroundHandler) + r.Post("/playground/analyze", health.PlaygroundAnalyzeHandler(piiClient, logger)) + + if cfg.Metrics.Enabled { + r.Get(cfg.Metrics.Path, promhttp.Handler().ServeHTTP) + } + + r.Route("/v1", func(r chi.Router) { + r.Use(middleware.CORS(cfg.Server.AllowedOrigins)) + var authMW func(http.Handler) http.Handler + if oidcVerifier != nil { + authMW = middleware.Auth(oidcVerifier) + } else { + authMW = middleware.Auth(&middleware.MockVerifier{ + Claims: &middleware.UserClaims{ + UserID: "dev-user", + TenantID: "00000000-0000-0000-0000-000000000001", + Email: "dev@veylant.local", + Roles: []string{"admin"}, + }, + }) + logger.Warn("running in DEV mode — JWT validation is DISABLED") + } + r.Use(authMW) + r.Use(middleware.RateLimit(rateLimiter)) + r.Post("/chat/completions", proxyHandler.ServeHTTP) + + // PII analyze endpoint for Playground (E8-11, Sprint 8). + piiAnalyzeHandler := pii.NewAnalyzeHandler(piiClient, logger) + r.Post("/pii/analyze", piiAnalyzeHandler.ServeHTTP) + + // Admin API — routing policies + audit logs (Sprint 5 + Sprint 6) + // + user management + provider status (Sprint 8). + if routingEngine != nil { + var adminHandler *admin.Handler + if auditLogger != nil { + adminHandler = admin.NewWithAudit( + routing.NewPgStore(db, logger), + routingEngine.Cache(), + auditLogger, + logger, + ) + } else { + adminHandler = admin.New( + routing.NewPgStore(db, logger), + routingEngine.Cache(), + logger, + ) + } + // Wire db, router, rate limiter, and feature flags (Sprint 8 + Sprint 10 + Sprint 11). + adminHandler.WithDB(db).WithRouter(providerRouter).WithRateLimiter(rateLimiter).WithFlagStore(flagStore) + r.Route("/admin", adminHandler.Routes) + } + + // Compliance module — GDPR Art. 30 registry + AI Act classification + PDF reports (Sprint 9). + if db != nil { + compStore := compliance.NewPgStore(db, logger) + compHandler := compliance.New(compStore, logger). + WithAudit(auditLogger). + WithDB(db). + WithTenantName(cfg.Server.TenantName) + r.Route("/admin/compliance", compHandler.Routes) + logger.Info("compliance module started") + } + }) + + // ── HTTP server ─────────────────────────────────────────────────────────── + addr := fmt.Sprintf(":%d", cfg.Server.Port) + srv := &http.Server{ + Addr: addr, + Handler: r, + ReadTimeout: 30 * time.Second, + WriteTimeout: 30 * time.Second, + IdleTimeout: 120 * time.Second, + } + + quit := make(chan os.Signal, 1) + signal.Notify(quit, syscall.SIGTERM, syscall.SIGINT) + + go func() { + logger.Info("Veylant IA proxy started", + zap.String("addr", addr), + zap.String("env", cfg.Server.Env), + zap.Bool("metrics", cfg.Metrics.Enabled), + zap.String("oidc_issuer", issuerURL), + zap.Bool("audit_logging", auditLogger != nil), + zap.Bool("encryption", encryptor != nil), + ) + if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) { + logger.Fatal("server error", zap.Error(err)) + } + }() + + <-quit + logger.Info("shutdown signal received, draining connections...") + + if routingEngine != nil { + routingEngine.Stop() + } + + timeout := time.Duration(cfg.Server.ShutdownTimeout) * time.Second + shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout) + defer cancel() + + if err := srv.Shutdown(shutdownCtx); err != nil { + logger.Error("graceful shutdown failed", zap.Error(err)) + os.Exit(1) + } + logger.Info("server stopped cleanly") +} + +func buildLogger(level, format string) *zap.Logger { + lvl := zap.InfoLevel + if err := lvl.UnmarshalText([]byte(level)); err != nil { + lvl = zap.InfoLevel + } + + encoderCfg := zap.NewProductionEncoderConfig() + encoderCfg.TimeKey = "timestamp" + encoderCfg.EncodeTime = zapcore.ISO8601TimeEncoder + + encoding := "json" + if format == "console" { + encoding = "console" + } + + zapCfg := zap.Config{ + Level: zap.NewAtomicLevelAt(lvl), + Development: false, + Encoding: encoding, + EncoderConfig: encoderCfg, + OutputPaths: []string{"stdout"}, + ErrorOutputPaths: []string{"stderr"}, + } + + logger, err := zapCfg.Build() + if err != nil { + panic(fmt.Sprintf("failed to build logger: %v", err)) + } + return logger +} diff --git a/config.yaml b/config.yaml new file mode 100644 index 0000000..8ad1509 --- /dev/null +++ b/config.yaml @@ -0,0 +1,115 @@ +server: + port: 8090 + shutdown_timeout_seconds: 30 + env: development + tenant_name: "Mon Organisation" + # CORS: origins allowed to call the proxy from a browser (React dashboard). + # Override in production: VEYLANT_SERVER_ALLOWED_ORIGINS=https://dashboard.veylant.ai + allowed_origins: + - "http://localhost:3000" + +database: + url: "postgres://veylant:veylant_dev@localhost:5432/veylant?sslmode=disable" + max_open_conns: 25 + max_idle_conns: 5 + migrations_path: "migrations" + +redis: + url: "redis://localhost:6379" + +keycloak: + base_url: "http://localhost:8080" + realm: "veylant" + client_id: "veylant-proxy" + +pii: + enabled: true + service_addr: "localhost:50051" + timeout_ms: 100 + fail_open: true + +log: + level: "info" + format: "json" + +# LLM provider adapters. +# Sensitive values (API keys) must be injected via env vars — never hardcode them. +# Example: VEYLANT_PROVIDERS_OPENAI_API_KEY=sk-... +providers: + openai: + base_url: "https://api.openai.com/v1" + timeout_seconds: 30 + max_conns: 100 + + anthropic: + base_url: "https://api.anthropic.com/v1" + version: "2023-06-01" + timeout_seconds: 30 + max_conns: 100 + # api_key: set via VEYLANT_PROVIDERS_ANTHROPIC_API_KEY + + azure: + api_version: "2024-02-01" + timeout_seconds: 30 + max_conns: 100 + # api_key: set via VEYLANT_PROVIDERS_AZURE_API_KEY + # resource_name: set via VEYLANT_PROVIDERS_AZURE_RESOURCE_NAME (e.g. "my-azure-resource") + # deployment_id: set via VEYLANT_PROVIDERS_AZURE_DEPLOYMENT_ID (e.g. "gpt-4o") + + mistral: + base_url: "https://api.mistral.ai/v1" + timeout_seconds: 30 + max_conns: 100 + # api_key: set via VEYLANT_PROVIDERS_MISTRAL_API_KEY + + ollama: + base_url: "http://localhost:11434/v1" + timeout_seconds: 120 + max_conns: 10 + +# Role-based access control for the provider router. +# Controls which models each role can access. +rbac: + # Models accessible to the "user" role (exact match or prefix, e.g. "gpt-4o-mini" matches "gpt-4o-mini-2024-07-18"). + # admin and manager roles always have unrestricted access. + user_allowed_models: + - "gpt-4o-mini" + - "gpt-3.5-turbo" + - "mistral-small" + # If false (default), auditors receive 403 on /v1/chat/completions. + auditor_can_complete: false + +metrics: + enabled: true + path: "/metrics" + +# Intelligent routing engine. +# Rules are stored in the routing_rules table and cached per tenant. +routing: + # How long routing rules are cached in memory before a background refresh. + # Admin mutations call Invalidate() immediately regardless of this TTL. + cache_ttl_seconds: 30 + +# ClickHouse audit log (Sprint 6). +# DSN: clickhouse://user:pass@host:9000/database +# Set via env var: VEYLANT_CLICKHOUSE_DSN +clickhouse: + dsn: "clickhouse://veylant:veylant_dev@localhost:9000/veylant_logs" + max_conns: 10 + dial_timeout_seconds: 5 + +# Cryptography settings. +# AES-256-GCM key for encrypting prompt_anonymized in the audit log. +# MUST be set via env var in production: VEYLANT_CRYPTO_AES_KEY_BASE64 +# Generate: openssl rand -base64 32 +crypto: + # Development placeholder — override in production via env var. + aes_key_base64: "" + +# Rate limiting defaults. Per-tenant overrides are stored in rate_limit_configs table. +# Override via env: VEYLANT_RATE_LIMIT_DEFAULT_TENANT_RPM, VEYLANT_RATE_LIMIT_DEFAULT_USER_RPM, etc. +rate_limit: + default_tenant_rpm: 1000 + default_tenant_burst: 200 + default_user_rpm: 100 + default_user_burst: 20 diff --git a/deploy/alertmanager/alertmanager.yml b/deploy/alertmanager/alertmanager.yml new file mode 100644 index 0000000..0982810 --- /dev/null +++ b/deploy/alertmanager/alertmanager.yml @@ -0,0 +1,132 @@ +global: + # Default timeout for receivers. + resolve_timeout: 5m + # Slack default settings (overridden per receiver if needed). + slack_api_url: "https://hooks.slack.com/services/PLACEHOLDER" + +# Templates for Slack message formatting. +templates: + - "/etc/alertmanager/templates/*.tmpl" + +# ────────────────────────────────────────────────────────────────────────────── +# Routing tree +# ────────────────────────────────────────────────────────────────────────────── +route: + # Default receiver: all alerts go to Slack unless matched by a child route. + receiver: slack-default + + # Group alerts by alert name and provider to avoid alert spam. + group_by: [alertname, provider] + + # Wait 30s before sending the first notification (allows grouping). + group_wait: 30s + + # Wait 5m before sending a notification about new alerts in an existing group. + group_interval: 5m + + # Resend a notification every 4h if the alert is still firing. + repeat_interval: 4h + + routes: + # Critical alerts → PagerDuty (on-call escalation). + - match: + severity: critical + receiver: pagerduty + # Critical alerts bypass grouping delays — notify immediately. + group_wait: 10s + repeat_interval: 1h + continue: false + + # Warning alerts → dedicated Slack channel. + - match: + severity: warning + receiver: slack-warnings + continue: false + +# ────────────────────────────────────────────────────────────────────────────── +# Inhibition rules +# ────────────────────────────────────────────────────────────────────────────── +inhibit_rules: + # If a critical alert fires for a provider, suppress warnings for the same provider. + # Avoids noise when a provider is fully down (circuit breaker + latency fire together). + - source_match: + severity: critical + target_match: + severity: warning + equal: [provider] + + # If ProxyDown fires, suppress all other alerts (proxy is the root cause). + - source_match: + alertname: VeylantProxyDown + target_match_re: + alertname: ".+" + equal: [] + +# ────────────────────────────────────────────────────────────────────────────── +# Receivers +# ────────────────────────────────────────────────────────────────────────────── +receivers: + # Default Slack channel — catch-all for uncategorised alerts. + - name: slack-default + slack_configs: + - channel: "#veylant-alerts" + send_resolved: true + username: "Veylant Alertmanager" + icon_emoji: ":warning:" + title: >- + {{ if eq .Status "firing" }}🔴{{ else }}✅{{ end }} + [{{ .Status | toUpper }}] {{ .CommonLabels.alertname }} + text: >- + {{ range .Alerts }} + *Alert:* {{ .Annotations.summary }} + *Description:* {{ .Annotations.description }} + *Provider:* {{ .Labels.provider | default "N/A" }} + *Severity:* {{ .Labels.severity }} + *Runbook:* {{ .Annotations.runbook | default "N/A" }} + {{ end }} + + # Warning channel — operational warnings, lower urgency. + - name: slack-warnings + slack_configs: + - channel: "#veylant-warnings" + send_resolved: true + username: "Veylant Alertmanager" + icon_emoji: ":yellow_circle:" + title: >- + {{ if eq .Status "firing" }}🟡{{ else }}✅{{ end }} + [{{ .Status | toUpper }}] {{ .CommonLabels.alertname }} + text: >- + {{ range .Alerts }} + *Alert:* {{ .Annotations.summary }} + *Description:* {{ .Annotations.description }} + *Runbook:* {{ .Annotations.runbook | default "N/A" }} + {{ end }} + + # PagerDuty — critical on-call escalation. + - name: pagerduty + pagerduty_configs: + - routing_key: "${PAGERDUTY_INTEGRATION_KEY}" + severity: >- + {{ if eq .CommonLabels.severity "critical" }}critical{{ else }}warning{{ end }} + description: "{{ .CommonAnnotations.summary }}" + details: + alertname: "{{ .CommonLabels.alertname }}" + provider: "{{ .CommonLabels.provider }}" + description: "{{ .CommonAnnotations.description }}" + runbook: "{{ .CommonAnnotations.runbook }}" + # Also notify Slack for visibility. + slack_configs: + - channel: "#veylant-critical" + send_resolved: true + username: "Veylant Alertmanager" + icon_emoji: ":red_circle:" + title: >- + {{ if eq .Status "firing" }}🚨 CRITICAL{{ else }}✅ RESOLVED{{ end }}: + {{ .CommonLabels.alertname }} + text: >- + *PagerDuty escalated.* + {{ range .Alerts }} + *Summary:* {{ .Annotations.summary }} + *Description:* {{ .Annotations.description }} + *Runbook:* {{ .Annotations.runbook | default "N/A" }} + {{ end }} diff --git a/deploy/grafana/dashboards/production-slo.json b/deploy/grafana/dashboards/production-slo.json new file mode 100644 index 0000000..0b85da5 --- /dev/null +++ b/deploy/grafana/dashboards/production-slo.json @@ -0,0 +1,256 @@ +{ + "title": "Veylant — Production SLO & Error Budget", + "uid": "veylant-production-slo", + "schemaVersion": 38, + "version": 1, + "refresh": "1m", + "time": { "from": "now-30d", "to": "now" }, + "tags": ["slo", "production", "veylant"], + "panels": [ + { + "id": 1, + "title": "Uptime SLO — 30-day rolling (target: 99.5%)", + "type": "gauge", + "gridPos": { "h": 8, "w": 6, "x": 0, "y": 0 }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"] }, + "orientation": "auto", + "showThresholdLabels": true, + "showThresholdMarkers": true + }, + "fieldConfig": { + "defaults": { + "unit": "percentunit", + "min": 0.99, + "max": 1, + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "red", "value": null }, + { "color": "yellow", "value": 0.995 }, + { "color": "green", "value": 0.999 } + ] + } + } + }, + "targets": [ + { + "expr": "1 - (sum(increase(veylant_request_errors_total[30d])) / sum(increase(veylant_requests_total[30d])))", + "legendFormat": "Uptime SLO" + } + ] + }, + { + "id": 2, + "title": "Error Budget Remaining (minutes)", + "description": "SLO target: 99.5% uptime over 30 days = 216 min allowed downtime", + "type": "stat", + "gridPos": { "h": 8, "w": 6, "x": 6, "y": 0 }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"] }, + "colorMode": "background" + }, + "fieldConfig": { + "defaults": { + "unit": "m", + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "red", "value": null }, + { "color": "yellow", "value": 43 }, + { "color": "green", "value": 108 } + ] + } + } + }, + "targets": [ + { + "expr": "(0.005 * 30 * 24 * 60) - (sum(increase(veylant_request_errors_total[30d])) / sum(increase(veylant_requests_total[30d])) * 30 * 24 * 60)", + "legendFormat": "Budget remaining (min)" + } + ] + }, + { + "id": 3, + "title": "p99 Latency SLO (target: < 500ms)", + "type": "gauge", + "gridPos": { "h": 8, "w": 6, "x": 12, "y": 0 }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"] }, + "orientation": "auto", + "showThresholdMarkers": true + }, + "fieldConfig": { + "defaults": { + "unit": "s", + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "yellow", "value": 0.3 }, + { "color": "red", "value": 0.5 } + ] + } + } + }, + "targets": [ + { + "expr": "histogram_quantile(0.99, sum by (le) (rate(veylant_request_duration_seconds_bucket[5m])))", + "legendFormat": "p99 latency" + } + ] + }, + { + "id": 4, + "title": "Active Alerts", + "type": "stat", + "gridPos": { "h": 8, "w": 6, "x": 18, "y": 0 }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"] }, + "colorMode": "background" + }, + "fieldConfig": { + "defaults": { + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "yellow", "value": 1 }, + { "color": "red", "value": 3 } + ] + } + } + }, + "targets": [ + { + "expr": "sum(ALERTS{alertstate=\"firing\",job=~\"veylant.*\"})", + "legendFormat": "Firing alerts" + } + ] + }, + { + "id": 5, + "title": "PII Entities Detected — Rate by Type (per min)", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 }, + "targets": [ + { + "expr": "sum by (entity_type) (rate(veylant_pii_entities_detected_total[1m])) * 60", + "legendFormat": "{{ entity_type }}" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "custom": { "lineWidth": 2 } + } + } + }, + { + "id": 6, + "title": "PostgreSQL Active Connections", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 12, "y": 8 }, + "targets": [ + { + "expr": "veylant_db_connections_active", + "legendFormat": "Active connections" + }, + { + "expr": "veylant_db_connections_idle", + "legendFormat": "Idle connections" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "yellow", "value": 15 }, + { "color": "red", "value": 20 } + ] + } + } + } + }, + { + "id": 7, + "title": "Provider RPS Breakdown", + "type": "piechart", + "gridPos": { "h": 8, "w": 8, "x": 0, "y": 16 }, + "options": { + "pieType": "donut", + "displayLabels": ["name", "percent"] + }, + "targets": [ + { + "expr": "sum by (provider) (rate(veylant_requests_total[5m]))", + "legendFormat": "{{ provider }}" + } + ] + }, + { + "id": 8, + "title": "Provider RPS — Time Series", + "type": "timeseries", + "gridPos": { "h": 8, "w": 16, "x": 8, "y": 16 }, + "targets": [ + { + "expr": "sum by (provider) (rate(veylant_requests_total[1m]))", + "legendFormat": "{{ provider }}" + } + ], + "fieldConfig": { + "defaults": { + "unit": "reqps", + "custom": { "lineWidth": 2 } + } + } + }, + { + "id": 9, + "title": "Redis Memory Usage %", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 0, "y": 24 }, + "targets": [ + { + "expr": "redis_memory_used_bytes / redis_memory_max_bytes * 100", + "legendFormat": "Redis memory %" + } + ], + "fieldConfig": { + "defaults": { + "unit": "percent", + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "yellow", "value": 70 }, + { "color": "red", "value": 90 } + ] + } + } + } + }, + { + "id": 10, + "title": "Error Rate by Provider (5m avg)", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 12, "y": 24 }, + "targets": [ + { + "expr": "veylant:error_rate:5m * 100", + "legendFormat": "{{ provider }} error %" + } + ], + "fieldConfig": { + "defaults": { + "unit": "percent", + "custom": { "lineWidth": 2 } + } + } + } + ] +} diff --git a/deploy/grafana/dashboards/proxy-overview.json b/deploy/grafana/dashboards/proxy-overview.json new file mode 100644 index 0000000..084beb1 --- /dev/null +++ b/deploy/grafana/dashboards/proxy-overview.json @@ -0,0 +1,134 @@ +{ + "title": "Veylant Proxy — Overview", + "uid": "veylant-proxy-overview", + "schemaVersion": 38, + "version": 1, + "refresh": "15s", + "panels": [ + { + "id": 1, + "title": "Requests per second", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 0, "y": 0 }, + "targets": [ + { + "expr": "rate(veylant_requests_total[1m])", + "legendFormat": "{{method}} {{path}} {{status}}" + } + ] + }, + { + "id": 2, + "title": "Request duration p50/p95/p99 (seconds)", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 12, "y": 0 }, + "targets": [ + { + "expr": "histogram_quantile(0.50, rate(veylant_request_duration_seconds_bucket[1m]))", + "legendFormat": "p50" + }, + { + "expr": "histogram_quantile(0.95, rate(veylant_request_duration_seconds_bucket[1m]))", + "legendFormat": "p95" + }, + { + "expr": "histogram_quantile(0.99, rate(veylant_request_duration_seconds_bucket[1m]))", + "legendFormat": "p99" + } + ] + }, + { + "id": 3, + "title": "Error rate", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 }, + "targets": [ + { + "expr": "rate(veylant_request_errors_total[1m])", + "legendFormat": "{{error_type}}" + } + ] + }, + { + "id": 4, + "title": "Total requests (24h)", + "type": "stat", + "gridPos": { "h": 4, "w": 6, "x": 12, "y": 8 }, + "targets": [ + { + "expr": "sum(increase(veylant_requests_total[24h]))", + "legendFormat": "Total" + } + ] + }, + { + "id": 5, + "title": "Error rate % (24h)", + "type": "stat", + "gridPos": { "h": 4, "w": 6, "x": 18, "y": 8 }, + "targets": [ + { + "expr": "100 * sum(increase(veylant_request_errors_total[24h])) / sum(increase(veylant_requests_total[24h]))", + "legendFormat": "Error %" + } + ] + }, + { + "id": 6, + "title": "PII Entities Detected — Rate by Type", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 0, "y": 16 }, + "targets": [ + { + "expr": "sum by (entity_type) (rate(veylant_pii_entities_detected_total[1m]))", + "legendFormat": "{{ entity_type }}" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short", + "custom": { "lineWidth": 2 } + } + } + }, + { + "id": 7, + "title": "PostgreSQL Active Connections", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 12, "y": 16 }, + "targets": [ + { + "expr": "veylant_db_connections_active", + "legendFormat": "Active" + }, + { + "expr": "veylant_db_connections_idle", + "legendFormat": "Idle" + } + ], + "fieldConfig": { + "defaults": { + "unit": "short" + } + } + }, + { + "id": 8, + "title": "Provider Breakdown (RPS)", + "type": "piechart", + "gridPos": { "h": 8, "w": 8, "x": 0, "y": 24 }, + "options": { + "pieType": "donut", + "displayLabels": ["name", "percent"] + }, + "targets": [ + { + "expr": "sum by (provider) (rate(veylant_requests_total[5m]))", + "legendFormat": "{{ provider }}" + } + ] + } + ], + "schemaVersion": 38, + "version": 2 +} diff --git a/deploy/grafana/provisioning/dashboards/dashboards.yml b/deploy/grafana/provisioning/dashboards/dashboards.yml new file mode 100644 index 0000000..8b31a12 --- /dev/null +++ b/deploy/grafana/provisioning/dashboards/dashboards.yml @@ -0,0 +1,11 @@ +apiVersion: 1 + +providers: + - name: "Veylant" + orgId: 1 + folder: "Veylant IA" + type: file + disableDeletion: false + updateIntervalSeconds: 30 + options: + path: /var/lib/grafana/dashboards diff --git a/deploy/grafana/provisioning/datasources/prometheus.yml b/deploy/grafana/provisioning/datasources/prometheus.yml new file mode 100644 index 0000000..bb009bb --- /dev/null +++ b/deploy/grafana/provisioning/datasources/prometheus.yml @@ -0,0 +1,9 @@ +apiVersion: 1 + +datasources: + - name: Prometheus + type: prometheus + access: proxy + url: http://prometheus:9090 + isDefault: true + editable: false diff --git a/deploy/helm/veylant-proxy/Chart.yaml b/deploy/helm/veylant-proxy/Chart.yaml new file mode 100644 index 0000000..a2437fd --- /dev/null +++ b/deploy/helm/veylant-proxy/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v2 +name: veylant-proxy +description: Veylant IA — AI Governance Proxy +type: application +version: 1.0.0 +appVersion: "1.0.0" +keywords: + - ai + - proxy + - governance + - pii +maintainers: + - name: Veylant Engineering diff --git a/deploy/helm/veylant-proxy/templates/_helpers.tpl b/deploy/helm/veylant-proxy/templates/_helpers.tpl new file mode 100644 index 0000000..849cdcd --- /dev/null +++ b/deploy/helm/veylant-proxy/templates/_helpers.tpl @@ -0,0 +1,60 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "veylant-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "veylant-proxy.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Common labels. +*/}} +{{- define "veylant-proxy.labels" -}} +helm.sh/chart: {{ include "veylant-proxy.chart" . }} +{{ include "veylant-proxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels. +*/}} +{{- define "veylant-proxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "veylant-proxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Chart label. +*/}} +{{- define "veylant-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Service account name. +*/}} +{{- define "veylant-proxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "veylant-proxy.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/deploy/helm/veylant-proxy/templates/configmap.yaml b/deploy/helm/veylant-proxy/templates/configmap.yaml new file mode 100644 index 0000000..e163f1c --- /dev/null +++ b/deploy/helm/veylant-proxy/templates/configmap.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "veylant-proxy.fullname" . }}-config + labels: + {{- include "veylant-proxy.labels" . | nindent 4 }} +data: + config.yaml: | + server: + port: {{ .Values.config.server.port }} + shutdown_timeout_seconds: {{ .Values.config.server.shutdown_timeout_seconds | default 30 }} + env: {{ .Values.config.server.env }} + log: + level: {{ .Values.config.log.level }} + format: {{ .Values.config.log.format }} + metrics: + enabled: {{ .Values.config.metrics.enabled }} + path: {{ .Values.config.metrics.path }} diff --git a/deploy/helm/veylant-proxy/templates/deployment.yaml b/deploy/helm/veylant-proxy/templates/deployment.yaml new file mode 100644 index 0000000..a78103f --- /dev/null +++ b/deploy/helm/veylant-proxy/templates/deployment.yaml @@ -0,0 +1,64 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "veylant-proxy.fullname" . }} + labels: + {{- include "veylant-proxy.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "veylant-proxy.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "veylant-proxy.selectorLabels" . | nindent 8 }} + app.kubernetes.io/slot: {{ .Values.slot | default "blue" }} + spec: + serviceAccountName: {{ include "veylant-proxy.serviceAccountName" . }} + containers: + - name: proxy + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + env: + - name: VEYLANT_SERVER_PORT + value: "{{ .Values.service.port }}" + - name: VEYLANT_PROVIDERS_OPENAI_API_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.openaiApiKeySecretName }} + key: {{ .Values.secrets.openaiApiKeySecretKey }} + - name: VEYLANT_DATABASE_URL + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.databaseUrlSecretName }} + key: {{ .Values.secrets.databaseUrlSecretKey }} + volumeMounts: + - name: config + mountPath: /config.yaml + subPath: config.yaml + readOnly: true + livenessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 3 + periodSeconds: 5 + failureThreshold: 3 + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumes: + - name: config + configMap: + name: {{ include "veylant-proxy.fullname" . }}-config diff --git a/deploy/helm/veylant-proxy/templates/hpa.yaml b/deploy/helm/veylant-proxy/templates/hpa.yaml new file mode 100644 index 0000000..92aa22c --- /dev/null +++ b/deploy/helm/veylant-proxy/templates/hpa.yaml @@ -0,0 +1,43 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "veylant-proxy.fullname" . }} + labels: + {{- include "veylant-proxy.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "veylant-proxy.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 70 }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage | default 80 }} + behavior: + scaleUp: + # React quickly to traffic spikes — allow doubling replicas every 60s. + stabilizationWindowSeconds: 30 + policies: + - type: Percent + value: 100 + periodSeconds: 60 + scaleDown: + # Scale down conservatively to avoid oscillation. + stabilizationWindowSeconds: 300 + policies: + - type: Percent + value: 25 + periodSeconds: 60 +{{- end }} diff --git a/deploy/helm/veylant-proxy/templates/poddisruptionbudget.yaml b/deploy/helm/veylant-proxy/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..ed22724 --- /dev/null +++ b/deploy/helm/veylant-proxy/templates/poddisruptionbudget.yaml @@ -0,0 +1,16 @@ +{{- if gt (int .Values.replicaCount) 1 }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "veylant-proxy.fullname" . }} + labels: + {{- include "veylant-proxy.labels" . | nindent 4 }} +spec: + # Ensure at least 1 pod remains available during voluntary disruptions + # (node drains, rolling updates). This guarantees zero-downtime for the + # active slot during a blue/green switch. + minAvailable: 1 + selector: + matchLabels: + {{- include "veylant-proxy.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/deploy/helm/veylant-proxy/templates/service.yaml b/deploy/helm/veylant-proxy/templates/service.yaml new file mode 100644 index 0000000..310ec32 --- /dev/null +++ b/deploy/helm/veylant-proxy/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "veylant-proxy.fullname" . }} + labels: + {{- include "veylant-proxy.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "veylant-proxy.selectorLabels" . | nindent 4 }} diff --git a/deploy/helm/veylant-proxy/values-blue.yaml b/deploy/helm/veylant-proxy/values-blue.yaml new file mode 100644 index 0000000..9ecffd1 --- /dev/null +++ b/deploy/helm/veylant-proxy/values-blue.yaml @@ -0,0 +1,8 @@ +# values-blue.yaml — overrides for the blue deployment slot. +# Usage: +# helm upgrade --install veylant-proxy-blue deploy/helm/veylant-proxy \ +# -f deploy/helm/veylant-proxy/values-blue.yaml \ +# --set image.tag= --namespace veylant + +slot: blue +replicaCount: 2 diff --git a/deploy/helm/veylant-proxy/values-green.yaml b/deploy/helm/veylant-proxy/values-green.yaml new file mode 100644 index 0000000..e7e8d94 --- /dev/null +++ b/deploy/helm/veylant-proxy/values-green.yaml @@ -0,0 +1,8 @@ +# values-green.yaml — overrides for the green deployment slot. +# Usage: +# helm upgrade --install veylant-proxy-green deploy/helm/veylant-proxy \ +# -f deploy/helm/veylant-proxy/values-green.yaml \ +# --set image.tag= --namespace veylant + +slot: green +replicaCount: 2 diff --git a/deploy/helm/veylant-proxy/values-production.yaml b/deploy/helm/veylant-proxy/values-production.yaml new file mode 100644 index 0000000..3d0323c --- /dev/null +++ b/deploy/helm/veylant-proxy/values-production.yaml @@ -0,0 +1,94 @@ +# Production overrides for veylant-proxy Helm chart. +# Apply with: helm upgrade veylant-proxy-blue deploy/helm/veylant-proxy \ +# -f deploy/helm/veylant-proxy/values-production.yaml \ +# -f deploy/helm/veylant-proxy/values-blue.yaml \ +# --set image.tag=$IMAGE_TAG + +# 3 replicas — 1 per Availability Zone (eu-west-3a/3b/3c). +replicaCount: 3 + +# Deployment slot (overridden at deploy time by values-blue.yaml / values-green.yaml). +slot: blue + +image: + repository: ghcr.io/veylant/ia-gateway + pullPolicy: IfNotPresent + tag: "" # Set via --set image.tag=$GITHUB_SHA + +serviceAccount: + create: true + name: "" + +service: + type: ClusterIP + port: 8090 + +# Production resource profile — tuned for t3.medium nodes. +resources: + requests: + cpu: 250m + memory: 256Mi + limits: + cpu: 1000m + memory: 512Mi + +# HPA enabled for production — scales between 3 and 15 replicas. +autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 15 + targetCPUUtilizationPercentage: 70 + targetMemoryUtilizationPercentage: 80 + +# Application configuration — production settings. +config: + server: + port: 8090 + shutdown_timeout_seconds: 30 + env: production + allowed_origins: + - "https://dashboard.veylant.ai" + log: + level: warn # Reduced verbosity in production; errors + warnings only + format: json + pii: + enabled: true + fail_open: false # PII failure blocks request in production + timeout_ms: 100 + metrics: + enabled: true + path: /metrics + +# Secret references — created via Vault Agent Injector annotations. +secrets: + openaiApiKeySecretName: veylant-proxy-secrets + openaiApiKeySecretKey: openai-api-key + databaseUrlSecretName: veylant-proxy-secrets + databaseUrlSecretKey: database-url + +# Enable Prometheus ServiceMonitor for production scraping. +metrics: + serviceMonitor: + enabled: true + interval: 15s + path: /metrics + +# Pod topology spread — ensure pods spread across AZs. +topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: veylant-proxy + +# Pod anti-affinity — avoid co-location on same node. +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/name: veylant-proxy + topologyKey: kubernetes.io/hostname diff --git a/deploy/helm/veylant-proxy/values.yaml b/deploy/helm/veylant-proxy/values.yaml new file mode 100644 index 0000000..eb025ac --- /dev/null +++ b/deploy/helm/veylant-proxy/values.yaml @@ -0,0 +1,67 @@ +# Default values for veylant-proxy. +# Override in staging/production via --set or a values-.yaml file. +# For blue/green deployments use values-blue.yaml / values-green.yaml. + +replicaCount: 2 + +# Deployment slot for blue/green strategy. Used as an Istio DestinationRule subset +# label. Must be "blue" or "green". Override via values-blue.yaml / values-green.yaml. +slot: blue + +image: + repository: ghcr.io/veylant/ia-gateway + pullPolicy: IfNotPresent + tag: "" # Defaults to Chart.appVersion if empty + +serviceAccount: + create: true + name: "" + +service: + type: ClusterIP + port: 8090 + +resources: + limits: + cpu: 500m + memory: 256Mi + requests: + cpu: 100m + memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 10 + targetCPUUtilizationPercentage: 70 + targetMemoryUtilizationPercentage: 80 + +# Application configuration (mounted as config.yaml via ConfigMap). +# Sensitive values (API keys, DB passwords) must be provided via Kubernetes +# Secrets and referenced via env vars (e.g. VEYLANT_PROVIDERS_OPENAI_API_KEY). +config: + server: + port: 8090 + shutdown_timeout_seconds: 30 + env: staging + log: + level: info + format: json + metrics: + enabled: true + path: /metrics + +# References to Kubernetes Secret keys for sensitive environment variables. +# These secrets must be created separately (e.g. via Vault Agent Injector). +secrets: + openaiApiKeySecretName: veylant-proxy-secrets + openaiApiKeySecretKey: openai-api-key + databaseUrlSecretName: veylant-proxy-secrets + databaseUrlSecretKey: database-url + +# Prometheus ServiceMonitor (requires prometheus-operator CRDs). +metrics: + serviceMonitor: + enabled: false + interval: 15s + path: /metrics diff --git a/deploy/k8s/istio/peer-auth.yaml b/deploy/k8s/istio/peer-auth.yaml new file mode 100644 index 0000000..d3243ce --- /dev/null +++ b/deploy/k8s/istio/peer-auth.yaml @@ -0,0 +1,81 @@ +# Istio mTLS configuration for the veylant namespace (E10-01). +# Enforces STRICT mutual TLS for all service-to-service communication. +# Prerequisites: Istio installed with sidecar injection enabled on the namespace. +# kubectl label namespace veylant istio-injection=enabled +# Apply: kubectl apply -f deploy/k8s/istio/peer-auth.yaml +--- +# STRICT PeerAuthentication: all inbound connections must use mTLS. +# Pods without a valid certificate will be rejected. +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default + namespace: veylant +spec: + mtls: + mode: STRICT + +--- +# DestinationRule: require mTLS for traffic to the proxy. +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + name: veylant-proxy-mtls + namespace: veylant +spec: + host: veylant-proxy.veylant.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + +--- +# DestinationRule: require mTLS for traffic to the PII service. +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + name: pii-service-mtls + namespace: veylant +spec: + host: pii-service.veylant.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + +--- +# DestinationRule: require mTLS for traffic to PostgreSQL. +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + name: postgres-mtls + namespace: veylant +spec: + host: postgres.veylant.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + +--- +# DestinationRule: require mTLS for traffic to Redis. +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + name: redis-mtls + namespace: veylant +spec: + host: redis.veylant.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + +--- +# DestinationRule: require mTLS for traffic to ClickHouse. +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + name: clickhouse-mtls + namespace: veylant +spec: + host: clickhouse.veylant.svc.cluster.local + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/deploy/k8s/istio/virtual-service.yaml b/deploy/k8s/istio/virtual-service.yaml new file mode 100644 index 0000000..545b0be --- /dev/null +++ b/deploy/k8s/istio/virtual-service.yaml @@ -0,0 +1,71 @@ +# Istio VirtualService + DestinationRule for blue/green traffic switching. +# +# Traffic flow: +# Client → Istio Ingress Gateway → VirtualService → DestinationRule subset → Pod +# +# Two releases coexist at all times: +# veylant-proxy-blue (helm release, slot=blue label) +# veylant-proxy-green (helm release, slot=green label) +# +# Switch traffic atomically (rollback < 5s): +# # Switch to green: +# kubectl patch vs veylant-proxy -n veylant --type merge \ +# -p '{"spec":{"http":[{"route":[{"destination":{"host":"veylant-proxy","subset":"green"},"weight":100}]}]}}' +# # Roll back to blue: +# kubectl patch vs veylant-proxy -n veylant --type merge \ +# -p '{"spec":{"http":[{"route":[{"destination":{"host":"veylant-proxy","subset":"blue"},"weight":100}]}]}}' +# +# Managed automatically by deploy/scripts/blue-green.sh. +--- +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: veylant-proxy + namespace: veylant +spec: + hosts: + - veylant-proxy + - api.veylant.ai # external hostname (TLS terminated at Gateway) + gateways: + - veylant-gateway + - mesh # also applies to in-cluster traffic + http: + - match: + - uri: + prefix: / + route: + # Default: 100% to blue slot. + # blue-green.sh patches this to switch slots atomically. + - destination: + host: veylant-proxy + subset: blue + weight: 100 + timeout: 35s # slightly > proxy WriteTimeout (30s) + retries: + attempts: 2 + perTryTimeout: 15s + retryOn: gateway-error,connect-failure,retriable-4xx +--- +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + name: veylant-proxy + namespace: veylant +spec: + host: veylant-proxy + trafficPolicy: + connectionPool: + http: + h2UpgradePolicy: UPGRADE + idleTimeout: 90s + outlierDetection: + consecutiveGatewayErrors: 5 + interval: 10s + baseEjectionTime: 30s + subsets: + - name: blue + labels: + app.kubernetes.io/slot: blue + - name: green + labels: + app.kubernetes.io/slot: green diff --git a/deploy/k8s/network-policies.yaml b/deploy/k8s/network-policies.yaml new file mode 100644 index 0000000..2b81cdb --- /dev/null +++ b/deploy/k8s/network-policies.yaml @@ -0,0 +1,147 @@ +# Network policies for the veylant namespace (E10-02). +# Strategy: default-deny-all, then explicit whitelist per service. +# Apply: kubectl apply -f deploy/k8s/network-policies.yaml -n veylant +--- +# Default deny all ingress and egress within the namespace. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-all + namespace: veylant +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + +--- +# Allow inbound HTTP traffic to the proxy from the ingress controller only. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-proxy-ingress + namespace: veylant +spec: + podSelector: + matchLabels: + app: veylant-proxy + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: ingress-nginx + ports: + - protocol: TCP + port: 8090 + +--- +# Allow the proxy to call the PII sidecar gRPC service. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-proxy-to-pii + namespace: veylant +spec: + podSelector: + matchLabels: + app: veylant-proxy + policyTypes: + - Egress + egress: + - to: + - podSelector: + matchLabels: + app: pii-service + ports: + - protocol: TCP + port: 50051 + +--- +# Allow the proxy to connect to PostgreSQL. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-proxy-to-postgres + namespace: veylant +spec: + podSelector: + matchLabels: + app: veylant-proxy + policyTypes: + - Egress + egress: + - to: + - podSelector: + matchLabels: + app: postgres + ports: + - protocol: TCP + port: 5432 + +--- +# Allow the proxy to connect to ClickHouse for audit logging. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-proxy-to-clickhouse + namespace: veylant +spec: + podSelector: + matchLabels: + app: veylant-proxy + policyTypes: + - Egress + egress: + - to: + - podSelector: + matchLabels: + app: clickhouse + ports: + - protocol: TCP + port: 9000 + +--- +# Allow the proxy to connect to Redis (rate limiting + PII pseudonym cache). +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-proxy-to-redis + namespace: veylant +spec: + podSelector: + matchLabels: + app: veylant-proxy + policyTypes: + - Egress + egress: + - to: + - podSelector: + matchLabels: + app: redis + ports: + - protocol: TCP + port: 6379 + +--- +# Allow DNS resolution (CoreDNS) for all pods. +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-dns-egress + namespace: veylant +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + ports: + - protocol: UDP + port: 53 + - protocol: TCP + port: 53 diff --git a/deploy/k8s/production/postgres-backup.yaml b/deploy/k8s/production/postgres-backup.yaml new file mode 100644 index 0000000..c550807 --- /dev/null +++ b/deploy/k8s/production/postgres-backup.yaml @@ -0,0 +1,119 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: veylant-postgres-backup + namespace: veylant + labels: + app.kubernetes.io/name: veylant-postgres-backup + app.kubernetes.io/component: backup +spec: + # Run daily at 02:00 UTC — off-peak for EU West. + schedule: "0 2 * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 7 + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + # Retry once on failure before marking as failed. + backoffLimit: 1 + template: + metadata: + labels: + app.kubernetes.io/name: veylant-postgres-backup + annotations: + # Vault Agent Injector — inject secrets from Vault. + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "veylant-backup" + vault.hashicorp.com/agent-inject-secret-db: "secret/veylant/production/db" + vault.hashicorp.com/agent-inject-template-db: | + {{- with secret "secret/veylant/production/db" -}} + export PGPASSWORD="{{ .Data.data.password }}" + export PGUSER="{{ .Data.data.username }}" + export PGHOST="{{ .Data.data.host }}" + export PGDATABASE="{{ .Data.data.dbname }}" + {{- end }} + vault.hashicorp.com/agent-inject-secret-aws: "secret/veylant/production/aws" + vault.hashicorp.com/agent-inject-template-aws: | + {{- with secret "secret/veylant/production/aws" -}} + export AWS_ACCESS_KEY_ID="{{ .Data.data.access_key_id }}" + export AWS_SECRET_ACCESS_KEY="{{ .Data.data.secret_access_key }}" + export AWS_DEFAULT_REGION="{{ .Data.data.region }}" + {{- end }} + spec: + restartPolicy: OnFailure + serviceAccountName: veylant-backup + securityContext: + runAsNonRoot: true + runAsUser: 999 + fsGroup: 999 + containers: + - name: pg-backup + image: postgres:16-alpine + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + env: + - name: S3_BUCKET + value: "veylant-backups-production" + - name: BACKUP_PREFIX + value: "postgres" + command: + - /bin/sh + - -c + - | + set -euo pipefail + + # Load secrets injected by Vault Agent. + source /vault/secrets/db + source /vault/secrets/aws + + # Install AWS CLI (not in postgres:16-alpine by default). + apk add --no-cache aws-cli 2>/dev/null || true + + TIMESTAMP=$(date -u +"%Y%m%d_%H%M%S") + FILENAME="${BACKUP_PREFIX}_${TIMESTAMP}.sql.gz" + S3_PATH="s3://${S3_BUCKET}/${BACKUP_PREFIX}/${FILENAME}" + + echo "[$(date -u)] Starting backup: ${FILENAME}" + + # Dump and compress — pipe directly to S3 without storing locally. + pg_dump \ + --host="${PGHOST}" \ + --username="${PGUSER}" \ + --dbname="${PGDATABASE}" \ + --format=plain \ + --no-password \ + --verbose \ + | gzip -9 \ + | aws s3 cp - "${S3_PATH}" \ + --storage-class STANDARD_IA \ + --metadata "created-by=veylant-backup,db=${PGDATABASE}" + + echo "[$(date -u)] Backup completed: ${S3_PATH}" + + # Verify the upload is readable. + aws s3 ls "${S3_PATH}" || { echo "Upload verification failed"; exit 1; } + + echo "[$(date -u)] Backup verified successfully." + +--- +# S3 Lifecycle policy is managed in Terraform (deploy/terraform/main.tf). +# Retention: 7 daily backups kept automatically via S3 lifecycle rules. +# Manual restore: aws s3 cp s3://veylant-backups-production/postgres/ - | gunzip | psql + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: veylant-backup + namespace: veylant + labels: + app.kubernetes.io/name: veylant-backup + annotations: + # AWS IRSA — IAM role for S3 write access (created in Terraform). + eks.amazonaws.com/role-arn: "arn:aws:iam::ACCOUNT_ID:role/veylant-backup-role" diff --git a/deploy/k8s/vault/secret-provider.yaml b/deploy/k8s/vault/secret-provider.yaml new file mode 100644 index 0000000..e465f31 --- /dev/null +++ b/deploy/k8s/vault/secret-provider.yaml @@ -0,0 +1,50 @@ +# SecretProviderClass — mounts Vault secrets as files via the CSI driver (E10-03). +# Prerequisites: secrets-store-csi-driver + vault-provider installed in the cluster. +# helm install csi secrets-store-csi-driver/secrets-store-csi-driver -n kube-system +# helm install vault-csi hashicorp/vault --set "csi.enabled=true" +# Apply: kubectl apply -f deploy/k8s/vault/secret-provider.yaml -n veylant +--- +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: veylant-secrets + namespace: veylant +spec: + provider: vault + parameters: + # Vault server address. + vaultAddress: "https://vault.vault.svc.cluster.local:8200" + # Vault role bound to the proxy ServiceAccount. + roleName: "veylant-proxy" + # Secrets to mount as files under /mnt/secrets-store/. + objects: | + - objectName: "openai-api-key" + secretPath: "secret/data/veylant/llm-keys" + secretKey: "openai_api_key" + - objectName: "anthropic-api-key" + secretPath: "secret/data/veylant/llm-keys" + secretKey: "anthropic_api_key" + - objectName: "mistral-api-key" + secretPath: "secret/data/veylant/llm-keys" + secretKey: "mistral_api_key" + - objectName: "aes-key-base64" + secretPath: "secret/data/veylant/crypto" + secretKey: "aes_key_base64" + - objectName: "db-url" + secretPath: "secret/data/veylant/database" + secretKey: "url" + # Sync secrets to Kubernetes Secret for env-var injection. + secretObjects: + - secretName: veylant-llm-keys + type: Opaque + data: + - objectName: openai-api-key + key: VEYLANT_PROVIDERS_OPENAI_API_KEY + - objectName: anthropic-api-key + key: VEYLANT_PROVIDERS_ANTHROPIC_API_KEY + - objectName: mistral-api-key + key: VEYLANT_PROVIDERS_MISTRAL_API_KEY + - objectName: aes-key-base64 + key: VEYLANT_CRYPTO_AES_KEY_BASE64 + - objectName: db-url + key: VEYLANT_DATABASE_URL diff --git a/deploy/k8s/vault/serviceaccount.yaml b/deploy/k8s/vault/serviceaccount.yaml new file mode 100644 index 0000000..ea5ca61 --- /dev/null +++ b/deploy/k8s/vault/serviceaccount.yaml @@ -0,0 +1,22 @@ +# Kubernetes ServiceAccount for the Veylant proxy pod (E10-03). +# Vault authenticates the proxy using this SA's JWT token (Kubernetes auth method). +# Apply: kubectl apply -f deploy/k8s/vault/serviceaccount.yaml -n veylant +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: veylant-proxy + namespace: veylant + annotations: + # Enable Vault Agent sidecar injection for automatic secret management. + vault.hashicorp.com/agent-inject: "true" + vault.hashicorp.com/role: "veylant-proxy" + # Inject LLM provider API keys as environment variables. + vault.hashicorp.com/agent-inject-secret-llm-keys: "secret/data/veylant/llm-keys" + vault.hashicorp.com/agent-inject-template-llm-keys: | + {{- with secret "secret/data/veylant/llm-keys" -}} + export VEYLANT_PROVIDERS_OPENAI_API_KEY="{{ .Data.data.openai_api_key }}" + export VEYLANT_PROVIDERS_ANTHROPIC_API_KEY="{{ .Data.data.anthropic_api_key }}" + export VEYLANT_PROVIDERS_MISTRAL_API_KEY="{{ .Data.data.mistral_api_key }}" + export VEYLANT_CRYPTO_AES_KEY_BASE64="{{ .Data.data.aes_key_base64 }}" + {{- end }} diff --git a/deploy/k8s/vault/vault-auth.yaml b/deploy/k8s/vault/vault-auth.yaml new file mode 100644 index 0000000..8220097 --- /dev/null +++ b/deploy/k8s/vault/vault-auth.yaml @@ -0,0 +1,39 @@ +# Vault Kubernetes authentication configuration (E10-03). +# Binds the veylant-proxy ServiceAccount to the Vault role defined in vault-policy.hcl. +# Prerequisites: Vault Kubernetes auth method enabled. +# vault auth enable kubernetes +# vault write auth/kubernetes/config kubernetes_host="https://$K8S_HOST:443" +# Apply: kubectl apply -f deploy/k8s/vault/vault-auth.yaml -n veylant +--- +# VaultAuth resource (requires the Vault Secrets Operator or Agent Injector). +# Using Vault Agent Injector annotations (defined in serviceaccount.yaml). +# This ConfigMap holds the Vault connection parameters for reference. +apiVersion: v1 +kind: ConfigMap +metadata: + name: vault-config + namespace: veylant +data: + # Vault server address — override with VAULT_ADDR env var or Helm values. + VAULT_ADDR: "https://vault.vault.svc.cluster.local:8200" + # Vault namespace (Enterprise only; leave empty for open-source Vault). + VAULT_NAMESPACE: "" + # Kubernetes auth mount path. + VAULT_AUTH_PATH: "auth/kubernetes" + # Vault role bound to the veylant-proxy ServiceAccount. + VAULT_ROLE: "veylant-proxy" + +--- +# ClusterRoleBinding allowing Vault to verify ServiceAccount tokens. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: vault-token-reviewer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - kind: ServiceAccount + name: vault + namespace: vault diff --git a/deploy/k8s/vault/vault-policy.hcl b/deploy/k8s/vault/vault-policy.hcl new file mode 100644 index 0000000..2892c9b --- /dev/null +++ b/deploy/k8s/vault/vault-policy.hcl @@ -0,0 +1,37 @@ +# Vault policy for the veylant-proxy role (E10-03). +# Grants read-only access to all secrets under the veylant/ path. +# +# Apply to Vault: +# vault policy write veylant-proxy deploy/k8s/vault/vault-policy.hcl +# +# Then create the Kubernetes auth role: +# vault write auth/kubernetes/role/veylant-proxy \ +# bound_service_account_names=veylant-proxy \ +# bound_service_account_namespaces=veylant \ +# policies=veylant-proxy \ +# ttl=1h + +# LLM provider API keys — read only. +path "secret/data/veylant/llm-keys" { + capabilities = ["read"] +} + +# Cryptographic secrets (AES key for prompt encryption) — read only. +path "secret/data/veylant/crypto" { + capabilities = ["read"] +} + +# Database connection URL — read only. +path "secret/data/veylant/database" { + capabilities = ["read"] +} + +# Allow metadata reads (needed for dynamic lease renewal). +path "secret/metadata/veylant/*" { + capabilities = ["read", "list"] +} + +# Deny all other paths explicitly (defense-in-depth). +path "*" { + capabilities = ["deny"] +} diff --git a/deploy/keycloak/realm-export.json b/deploy/keycloak/realm-export.json new file mode 100644 index 0000000..d9b93bc --- /dev/null +++ b/deploy/keycloak/realm-export.json @@ -0,0 +1,170 @@ +{ + "realm": "veylant", + "displayName": "Veylant IA", + "enabled": true, + "sslRequired": "none", + "registrationAllowed": false, + "loginWithEmailAllowed": true, + "duplicateEmailsAllowed": false, + "resetPasswordAllowed": true, + "editUsernameAllowed": false, + "bruteForceProtected": true, + "accessTokenLifespan": 3600, + "refreshTokenMaxReuse": 0, + "roles": { + "realm": [ + { + "name": "admin", + "description": "Full access to all resources and settings" + }, + { + "name": "manager", + "description": "Manage users and policies within their department" + }, + { + "name": "user", + "description": "Standard AI proxy access — restricted to allowed models" + }, + { + "name": "auditor", + "description": "Read-only access to audit logs and compliance reports" + } + ] + }, + "clients": [ + { + "clientId": "veylant-proxy", + "name": "Veylant IA Proxy", + "enabled": true, + "protocol": "openid-connect", + "publicClient": false, + "serviceAccountsEnabled": true, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": true, + "secret": "dev-secret-change-in-production", + "redirectUris": [ + "http://localhost:3000/*", + "http://localhost:8090/*" + ], + "webOrigins": [ + "http://localhost:3000", + "http://localhost:8090" + ], + "defaultClientScopes": [ + "openid", + "profile", + "email", + "roles" + ], + "protocolMappers": [ + { + "name": "tenant-id-mapper", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-attribute-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "tenant_id", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "tenant_id", + "jsonType.label": "String" + } + } + ] + }, + { + "clientId": "veylant-dashboard", + "name": "Veylant IA Dashboard", + "enabled": true, + "protocol": "openid-connect", + "publicClient": true, + "directAccessGrantsEnabled": false, + "standardFlowEnabled": true, + "redirectUris": [ + "http://localhost:3000/*" + ], + "webOrigins": [ + "http://localhost:3000" + ] + } + ], + "users": [ + { + "username": "admin@veylant.dev", + "email": "admin@veylant.dev", + "firstName": "Admin", + "lastName": "Veylant", + "enabled": true, + "emailVerified": true, + "credentials": [ + { + "type": "password", + "value": "admin123", + "temporary": false + } + ], + "realmRoles": ["admin"], + "attributes": { + "tenant_id": ["00000000-0000-0000-0000-000000000001"] + } + }, + { + "username": "manager@veylant.dev", + "email": "manager@veylant.dev", + "firstName": "Manager", + "lastName": "Finance", + "enabled": true, + "emailVerified": true, + "credentials": [ + { + "type": "password", + "value": "manager123", + "temporary": false + } + ], + "realmRoles": ["manager"], + "attributes": { + "tenant_id": ["00000000-0000-0000-0000-000000000001"] + } + }, + { + "username": "user@veylant.dev", + "email": "user@veylant.dev", + "firstName": "User", + "lastName": "Test", + "enabled": true, + "emailVerified": true, + "credentials": [ + { + "type": "password", + "value": "user123", + "temporary": false + } + ], + "realmRoles": ["user"], + "attributes": { + "tenant_id": ["00000000-0000-0000-0000-000000000001"] + } + }, + { + "username": "auditor@veylant.dev", + "email": "auditor@veylant.dev", + "firstName": "Auditor", + "lastName": "Compliance", + "enabled": true, + "emailVerified": true, + "credentials": [ + { + "type": "password", + "value": "auditor123", + "temporary": false + } + ], + "realmRoles": ["auditor"], + "attributes": { + "tenant_id": ["00000000-0000-0000-0000-000000000001"] + } + } + ] +} diff --git a/deploy/onboarding/README.md b/deploy/onboarding/README.md new file mode 100644 index 0000000..48d4f85 --- /dev/null +++ b/deploy/onboarding/README.md @@ -0,0 +1,98 @@ +# Veylant IA — Pilot Client Onboarding + +Operational in **under one working day**. + +## Prerequisites + +| Tool | Version | Notes | +|---|---|---| +| `curl` | any | Standard on macOS/Linux | +| `python3` | 3.8+ | JSON parsing in scripts | +| Veylant IA proxy | running | `make dev` or production URL | +| Admin JWT | valid | Issued by Keycloak for the platform admin | + +## Scripts + +### `onboard-tenant.sh` — Full tenant provisioning + +Provisions a new client tenant end-to-end: +1. Checks proxy health +2. Creates the tenant admin user +3. Seeds 4 routing policy templates (HR, Finance, Engineering, Catchall) +4. Configures rate limits +5. Prints a verification summary + +```bash +# Make executable (once) +chmod +x onboard-tenant.sh import-users.sh + +# Set required variables +export VEYLANT_URL=https://api.veylant.ai +export VEYLANT_ADMIN_TOKEN= +export TENANT_ADMIN_EMAIL=admin@client.example + +# Optional overrides +export TENANT_ADMIN_FIRST=Marie +export TENANT_ADMIN_LAST=Dupont +export RPM=2000 +export BURST=400 + +./onboard-tenant.sh +``` + +### `import-users.sh` — Bulk user import from CSV + +Imports a list of users from a CSV file. Idempotent — already-existing users (HTTP 409) are skipped without error. + +```bash +export VEYLANT_URL=https://api.veylant.ai +export VEYLANT_ADMIN_TOKEN= + +./import-users.sh sample-users.csv +``` + +### `sample-users.csv` — Example CSV format + +``` +email,first_name,last_name,department,role +alice.martin@corp.example,Alice,Martin,HR,user +bob.dupont@corp.example,Bob,Dupont,Finance,user +``` + +**Roles**: `admin`, `manager`, `user`, `auditor` + +## Day-1 Checklist + +- [ ] Run `onboard-tenant.sh` to provision the tenant +- [ ] Customize the CSV with real user data +- [ ] Run `import-users.sh` to bulk-import users +- [ ] Issue Keycloak JWTs for each user (via your IdP admin console) +- [ ] Share the [integration guide](../../docs/integration-guide.md) with developers +- [ ] Verify a test request: `curl -X POST $VEYLANT_URL/v1/chat/completions ...` +- [ ] Confirm audit logs appear: `GET /v1/admin/logs` + +## Rate Limit Defaults + +| Setting | Default | Override via | +|---|---|---| +| Requests/min | 1 000 | `RPM` env var | +| Burst | 200 | `BURST` env var | +| Per-user RPM | 200 | RPM ÷ 5 | +| Per-user burst | 40 | BURST ÷ 5 | + +Limits can be adjusted at any time without restart via: +```bash +curl -X PUT $VEYLANT_URL/v1/admin/rate-limits/ \ + -H "Authorization: Bearer $TOKEN" \ + -d '{"requests_per_min": 3000, "burst_size": 600, "is_enabled": true}' +``` + +## Troubleshooting + +| Symptom | Check | +|---|---| +| `VEYLANT_URL` not set | Export the variable and retry | +| HTTP 401 on API calls | JWT may have expired — refresh via Keycloak | +| HTTP 403 | Token role is not `admin` — use the platform admin token | +| User creation fails (HTTP 500) | Check PostgreSQL is running: `make health` | +| PII not working | Ensure PII sidecar is up: `curl http://localhost:8091/healthz` | diff --git a/deploy/onboarding/import-users.sh b/deploy/onboarding/import-users.sh new file mode 100644 index 0000000..b5aab1b --- /dev/null +++ b/deploy/onboarding/import-users.sh @@ -0,0 +1,76 @@ +#!/usr/bin/env bash +# deploy/onboarding/import-users.sh +# +# Bulk-imports users from a CSV file into Veylant IA. +# +# CSV format (with header): +# email,first_name,last_name,department,role +# +# Usage: +# export VEYLANT_URL=http://localhost:8090 +# export VEYLANT_ADMIN_TOKEN= +# ./import-users.sh deploy/onboarding/sample-users.csv +# +# Required env vars: +# VEYLANT_URL - base URL of the proxy (no trailing slash) +# VEYLANT_ADMIN_TOKEN - JWT with admin role + +set -euo pipefail + +VEYLANT_URL="${VEYLANT_URL:?VEYLANT_URL is required}" +VEYLANT_ADMIN_TOKEN="${VEYLANT_ADMIN_TOKEN:?VEYLANT_ADMIN_TOKEN is required}" +CSV_FILE="${1:?Usage: $0 }" + +[[ -f "$CSV_FILE" ]] || { echo "ERROR: file not found: $CSV_FILE" >&2; exit 1; } + +API="${VEYLANT_URL}/v1/admin" +AUTH="Authorization: Bearer ${VEYLANT_ADMIN_TOKEN}" + +log() { echo "[import-users] $*"; } + +success=0 +failed=0 +skip=0 + +# Skip header line, process each row +while IFS=',' read -r email first_name last_name department role; do + # Skip empty lines and header + [[ -z "$email" || "$email" == "email" ]] && { ((skip++)) || true; continue; } + + log "Importing ${email} (${role}, ${department})…" + + http_code=$(curl -s -o /dev/null -w "%{http_code}" \ + -X POST "${API}/users" \ + -H "${AUTH}" \ + -H "Content-Type: application/json" \ + -d "{ + \"email\": \"${email}\", + \"first_name\": \"${first_name}\", + \"last_name\": \"${last_name}\", + \"department\": \"${department}\", + \"role\": \"${role}\" + }") + + if [[ "$http_code" == "201" ]]; then + log " → created (201)" + ((success++)) || true + elif [[ "$http_code" == "409" ]]; then + log " → already exists, skipped (409)" + ((skip++)) || true + else + log " → ERROR: HTTP ${http_code}" + ((failed++)) || true + fi + +done < "$CSV_FILE" + +log "" +log "Import summary:" +log " Created : ${success}" +log " Skipped : ${skip}" +log " Errors : ${failed}" + +if [[ "$failed" -gt 0 ]]; then + log "WARNING: ${failed} user(s) failed to import. Check logs above." + exit 1 +fi diff --git a/deploy/onboarding/onboard-tenant.sh b/deploy/onboarding/onboard-tenant.sh new file mode 100644 index 0000000..85b803b --- /dev/null +++ b/deploy/onboarding/onboard-tenant.sh @@ -0,0 +1,135 @@ +#!/usr/bin/env bash +# deploy/onboarding/onboard-tenant.sh +# +# Provisions a new pilot tenant in Veylant IA: +# 1. Creates the tenant admin user +# 2. Seeds default routing policies (hr, finance, engineering) +# 3. Configures default rate limits +# 4. Verifies the setup +# +# Usage: +# export VEYLANT_URL=http://localhost:8090 +# export VEYLANT_ADMIN_TOKEN= +# export TENANT_NAME="Acme Corp" +# export TENANT_ADMIN_EMAIL=admin@acme.example +# ./onboard-tenant.sh +# +# Required env vars: +# VEYLANT_URL - base URL of the proxy (no trailing slash) +# VEYLANT_ADMIN_TOKEN - JWT with admin role for the platform tenant +# TENANT_ADMIN_EMAIL - email of the new tenant's first admin +# +# Optional env vars: +# TENANT_ADMIN_FIRST - first name (default: Admin) +# TENANT_ADMIN_LAST - last name (default: User) +# RPM - requests per minute (default: 1000) +# BURST - burst size (default: 200) + +set -euo pipefail + +# ── Config ──────────────────────────────────────────────────────────────────── + +VEYLANT_URL="${VEYLANT_URL:?VEYLANT_URL is required}" +VEYLANT_ADMIN_TOKEN="${VEYLANT_ADMIN_TOKEN:?VEYLANT_ADMIN_TOKEN is required}" +TENANT_ADMIN_EMAIL="${TENANT_ADMIN_EMAIL:?TENANT_ADMIN_EMAIL is required}" +TENANT_ADMIN_FIRST="${TENANT_ADMIN_FIRST:-Admin}" +TENANT_ADMIN_LAST="${TENANT_ADMIN_LAST:-User}" +RPM="${RPM:-1000}" +BURST="${BURST:-200}" + +API="${VEYLANT_URL}/v1/admin" +AUTH="Authorization: Bearer ${VEYLANT_ADMIN_TOKEN}" + +# ── Helpers ─────────────────────────────────────────────────────────────────── + +log() { echo "[onboard] $*"; } +die() { echo "[onboard] ERROR: $*" >&2; exit 1; } + +api_post() { + local path="$1" + local body="$2" + curl -sf -X POST "${API}${path}" \ + -H "${AUTH}" \ + -H "Content-Type: application/json" \ + -d "${body}" +} + +api_put() { + local path="$1" + local body="$2" + curl -sf -X PUT "${API}${path}" \ + -H "${AUTH}" \ + -H "Content-Type: application/json" \ + -d "${body}" +} + +api_get() { + local path="$1" + curl -sf -X GET "${API}${path}" \ + -H "${AUTH}" +} + +# ── Step 1: Health check ────────────────────────────────────────────────────── + +log "Checking proxy health…" +status=$(curl -sf "${VEYLANT_URL}/healthz" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('status',''))") +[[ "$status" == "ok" ]] || die "Proxy health check failed (got: $status)" +log "Proxy is healthy." + +# ── Step 2: Create tenant admin user ───────────────────────────────────────── + +log "Creating tenant admin user: ${TENANT_ADMIN_EMAIL}…" +user_resp=$(api_post "/users" "{ + \"email\": \"${TENANT_ADMIN_EMAIL}\", + \"first_name\": \"${TENANT_ADMIN_FIRST}\", + \"last_name\": \"${TENANT_ADMIN_LAST}\", + \"role\": \"admin\" +}") +user_id=$(echo "$user_resp" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))") +[[ -n "$user_id" ]] || die "Failed to create admin user" +log "Admin user created: id=${user_id}" + +# ── Step 3: Seed default routing policies ───────────────────────────────────── + +for tmpl in hr finance engineering catchall; do + log "Seeding routing template: ${tmpl}…" + api_post "/policies/seed/${tmpl}" "{}" > /dev/null + log " → ${tmpl} policy seeded." +done + +# ── Step 4: Configure rate limits ───────────────────────────────────────────── + +# Extract tenant_id from the JWT (middle base64 segment). +TENANT_ID=$(echo "$VEYLANT_ADMIN_TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null \ + | python3 -c "import sys,json; print(json.load(sys.stdin).get('tenant_id',''))" 2>/dev/null || echo "") + +if [[ -n "$TENANT_ID" ]]; then + log "Configuring rate limits for tenant ${TENANT_ID}: ${RPM} RPM, burst ${BURST}…" + api_put "/rate-limits/${TENANT_ID}" "{ + \"requests_per_min\": ${RPM}, + \"burst_size\": ${BURST}, + \"user_rpm\": $((RPM / 5)), + \"user_burst\": $((BURST / 5)), + \"is_enabled\": true + }" > /dev/null + log "Rate limits configured." +else + log "Warning: could not decode tenant_id from JWT — skipping rate-limit setup." +fi + +# ── Step 5: Verify ──────────────────────────────────────────────────────────── + +log "Verifying setup…" +policies=$(api_get "/policies" | python3 -c "import sys,json; d=json.load(sys.stdin); print(len(d.get('data', [])))") +log " → ${policies} routing policies active." + +users=$(api_get "/users" | python3 -c "import sys,json; d=json.load(sys.stdin); print(len(d.get('data', [])))") +log " → ${users} user(s) in the tenant." + +log "" +log "✓ Tenant onboarding complete." +log " Admin: ${TENANT_ADMIN_EMAIL}" +log " Policies seeded: hr, finance, engineering, catchall" +log " Rate limit: ${RPM} RPM / ${BURST} burst" +log "" +log "Next step: issue a Keycloak JWT for ${TENANT_ADMIN_EMAIL} and share it with the admin." diff --git a/deploy/onboarding/sample-users.csv b/deploy/onboarding/sample-users.csv new file mode 100644 index 0000000..3de2a23 --- /dev/null +++ b/deploy/onboarding/sample-users.csv @@ -0,0 +1,6 @@ +email,first_name,last_name,department,role +alice.martin@corp.example,Alice,Martin,HR,user +bob.dupont@corp.example,Bob,Dupont,Finance,user +carol.smith@corp.example,Carol,Smith,Engineering,manager +david.leroy@corp.example,David,Leroy,Legal,auditor +emma.garcia@corp.example,Emma,Garcia,HR,user diff --git a/deploy/prometheus/prometheus.yml b/deploy/prometheus/prometheus.yml new file mode 100644 index 0000000..3685841 --- /dev/null +++ b/deploy/prometheus/prometheus.yml @@ -0,0 +1,45 @@ +global: + scrape_interval: 15s + evaluation_interval: 15s + +# Alertmanager integration. +alerting: + alertmanagers: + - static_configs: + - targets: ["alertmanager:9093"] + timeout: 10s + +# Load alert and recording rules. +rule_files: + - "/etc/prometheus/rules.yml" + +scrape_configs: + - job_name: "veylant-proxy" + static_configs: + - targets: ["proxy:8090"] + metrics_path: "/metrics" + + - job_name: "veylant-pii" + static_configs: + - targets: ["pii:8091"] + metrics_path: "/metrics" + + - job_name: "alertmanager" + static_configs: + - targets: ["alertmanager:9093"] + + # TLS certificate expiry probe (requires blackbox-exporter in production). + - job_name: "veylant-proxy-tls" + metrics_path: /probe + params: + module: [http_2xx] + static_configs: + - targets: + - "https://api.veylant.ai/healthz" + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: blackbox-exporter:9115 diff --git a/deploy/prometheus/rules.yml b/deploy/prometheus/rules.yml new file mode 100644 index 0000000..b235202 --- /dev/null +++ b/deploy/prometheus/rules.yml @@ -0,0 +1,147 @@ +groups: + # ── Recording rules — pre-compute expensive percentile queries ───────────── + - name: veylant_recording_rules + interval: 30s + rules: + # p99 request duration over a 5-minute sliding window, per model and provider. + - record: veylant:request_duration:p99 + expr: | + histogram_quantile( + 0.99, + sum by (le, model, provider) ( + rate(veylant_request_duration_seconds_bucket[5m]) + ) + ) + + # p95 request duration (for dashboard and alerting). + - record: veylant:request_duration:p95 + expr: | + histogram_quantile( + 0.95, + sum by (le, model, provider) ( + rate(veylant_request_duration_seconds_bucket[5m]) + ) + ) + + # Request rate (RPS) per provider. + - record: veylant:request_rate:1m + expr: | + sum by (provider, status_code) ( + rate(veylant_request_total[1m]) + ) + + # Error rate (4xx/5xx) as a fraction of total requests. + - record: veylant:error_rate:5m + expr: | + sum by (provider) ( + rate(veylant_request_total{status_code=~"[45].."}[5m]) + ) + / + sum by (provider) ( + rate(veylant_request_total[5m]) + ) + + # ── Alert rules ──────────────────────────────────────────────────────────── + - name: veylant_alerts + rules: + # Fire when p99 latency exceeds 500ms for more than 5 minutes. + - alert: VeylantHighLatencyP99 + expr: veylant:request_duration:p99 > 0.5 + for: 5m + labels: + severity: warning + team: platform + annotations: + summary: "Veylant proxy p99 latency is above 500ms" + description: > + p99 latency for model={{ $labels.model }} provider={{ $labels.provider }} + is {{ $value | humanizeDuration }} (threshold: 500ms). + Check upstream provider health and connection pool utilisation. + runbook: "https://docs.veylant.ai/runbooks/high-latency" + + # Fire when error rate exceeds 5% for more than 2 minutes. + - alert: VeylantHighErrorRate + expr: veylant:error_rate:5m > 0.05 + for: 2m + labels: + severity: critical + team: platform + annotations: + summary: "Veylant proxy error rate is above 5%" + description: > + Error rate for provider={{ $labels.provider }} is + {{ $value | humanizePercentage }} over the last 5 minutes. + runbook: "https://docs.veylant.ai/runbooks/high-error-rate" + + # Fire when a circuit breaker opens (provider is failing). + - alert: VeylantCircuitBreakerOpen + expr: veylant_circuit_breaker_state{state="open"} == 1 + for: 1m + labels: + severity: critical + team: platform + annotations: + summary: "Circuit breaker open for provider {{ $labels.provider }}" + description: > + The circuit breaker for provider={{ $labels.provider }} has been open + for more than 1 minute. Requests are being rejected. + runbook: "https://docs.veylant.ai/runbooks/provider-down" + + # Fire when the proxy is not reachable by Prometheus scrape. + - alert: VeylantProxyDown + expr: up{job="veylant-proxy"} == 0 + for: 1m + labels: + severity: critical + team: platform + annotations: + summary: "Veylant proxy is down" + description: > + The Prometheus scrape target for job="veylant-proxy" has been unreachable + for more than 1 minute. The proxy may be crashed or the pod is not running. + runbook: "https://docs.veylant.ai/runbooks/provider-down" + + # Fire when a TLS certificate expires in less than 30 days. + - alert: VeylantCertExpiringSoon + expr: | + probe_ssl_earliest_cert_expiry{job="veylant-proxy"} - time() < 30 * 24 * 3600 + for: 1h + labels: + severity: warning + team: platform + annotations: + summary: "TLS certificate expiring within 30 days" + description: > + The TLS certificate for the Veylant proxy expires in + {{ $value | humanizeDuration }}. Renew immediately to avoid service disruption. + runbook: "https://docs.veylant.ai/runbooks/certificate-expired" + + # Fire when PostgreSQL active connections are high (pool exhaustion risk). + - alert: VeylantDBConnectionsHigh + expr: veylant_db_connections_active > 20 + for: 5m + labels: + severity: warning + team: platform + annotations: + summary: "PostgreSQL active connections above threshold" + description: > + PostgreSQL active connections = {{ $value }} (threshold: 20). + Risk of connection pool exhaustion — check for slow queries or connection leaks. + runbook: "https://docs.veylant.ai/runbooks/database-full" + + # Fire when PII detection volume is anomalously high (possible data exfiltration attempt). + - alert: VeylantPIIVolumeAnomaly + expr: | + rate(veylant_pii_entities_detected_total[5m]) + > 3 * avg_over_time(rate(veylant_pii_entities_detected_total[5m])[1h:5m]) + for: 5m + labels: + severity: warning + team: security + annotations: + summary: "PII detection volume anomaly detected" + description: > + PII entity detection rate is {{ $value | humanize }} entities/sec — + more than 3× the 1-hour baseline. Possible data exfiltration or misconfigured client. + runbook: "https://docs.veylant.ai/runbooks/pii-breach" diff --git a/deploy/scripts/blue-green.sh b/deploy/scripts/blue-green.sh new file mode 100644 index 0000000..32d7855 --- /dev/null +++ b/deploy/scripts/blue-green.sh @@ -0,0 +1,162 @@ +#!/usr/bin/env bash +# deploy/scripts/blue-green.sh +# +# Atomic blue/green deployment for Veylant IA proxy. +# Rollback time: < 5s (single kubectl patch on the Istio VirtualService). +# +# Strategy: +# 1. Detect which slot is currently active (blue|green) from the VirtualService. +# 2. Deploy the new image tag to the INACTIVE slot via helm upgrade. +# 3. Wait for the inactive slot's rollout to complete. +# 4. Smoke-test the inactive slot via a temp port-forward. +# 5. Switch 100% traffic to the new slot (patch VirtualService). +# 6. Verify health post-switch; roll back if verification fails. +# 7. Scale down the old slot to 0 replicas to free resources. +# +# Required env vars: +# IMAGE_TAG — Docker image tag to deploy (e.g. sha-abc123) +# NAMESPACE — Kubernetes namespace (default: veylant) +# KUBECONFIG — path to kubeconfig (uses default if not set) +# +# Optional env vars: +# ROLLOUT_TIMEOUT — kubectl rollout wait timeout (default: 5m) +# SMOKE_RETRIES — health check retries after switch (default: 5) +# DRY_RUN — set to "true" to print commands without executing + +set -euo pipefail + +# ── Config ──────────────────────────────────────────────────────────────────── +IMAGE_TAG="${IMAGE_TAG:?IMAGE_TAG is required}" +NAMESPACE="${NAMESPACE:-veylant}" +ROLLOUT_TIMEOUT="${ROLLOUT_TIMEOUT:-5m}" +SMOKE_RETRIES="${SMOKE_RETRIES:-5}" +DRY_RUN="${DRY_RUN:-false}" +CHART_PATH="deploy/helm/veylant-proxy" + +# ── Helpers ─────────────────────────────────────────────────────────────────── +log() { echo "[blue-green] $*"; } +die() { echo "[blue-green] ERROR: $*" >&2; exit 1; } + +run() { + if [[ "$DRY_RUN" == "true" ]]; then + echo "[dry-run] $*" + else + "$@" + fi +} + +# ── Step 1: Detect active slot ──────────────────────────────────────────────── +log "Detecting active slot from VirtualService..." +ACTIVE_SLOT=$(kubectl get virtualservice veylant-proxy -n "$NAMESPACE" -o jsonpath='{.spec.http[0].route[0].destination.subset}' 2>/dev/null || echo "blue") + +if [[ "$ACTIVE_SLOT" == "blue" ]]; then + INACTIVE_SLOT="green" +else + INACTIVE_SLOT="blue" +fi + +log "Active slot: ${ACTIVE_SLOT} → deploying to INACTIVE slot: ${INACTIVE_SLOT}" + +HELM_RELEASE="veylant-proxy-${INACTIVE_SLOT}" +VALUES_FILE="${CHART_PATH}/values-${INACTIVE_SLOT}.yaml" + +# ── Step 2: Deploy to inactive slot ────────────────────────────────────────── +log "Deploying image tag '${IMAGE_TAG}' to slot '${INACTIVE_SLOT}' (release: ${HELM_RELEASE})..." +run helm upgrade --install "$HELM_RELEASE" "$CHART_PATH" \ + -f "$VALUES_FILE" \ + --namespace "$NAMESPACE" \ + --create-namespace \ + --set image.tag="$IMAGE_TAG" \ + --set slot="$INACTIVE_SLOT" \ + --wait \ + --timeout "$ROLLOUT_TIMEOUT" + +log "Helm deploy complete for slot '${INACTIVE_SLOT}'." + +# ── Step 3: Wait for rollout ────────────────────────────────────────────────── +log "Waiting for deployment rollout (timeout: ${ROLLOUT_TIMEOUT})..." +run kubectl rollout status "deployment/${HELM_RELEASE}" \ + -n "$NAMESPACE" \ + --timeout "$ROLLOUT_TIMEOUT" + +log "Rollout complete." + +# ── Step 4: Smoke test on inactive slot ────────────────────────────────────── +log "Smoke-testing inactive slot via port-forward..." +PF_PORT=19090 +# Start port-forward in background; capture PID for cleanup. +if [[ "$DRY_RUN" != "true" ]]; then + kubectl port-forward \ + "deployment/${HELM_RELEASE}" \ + "${PF_PORT}:8090" \ + -n "$NAMESPACE" &>/tmp/veylant-pf.log & + PF_PID=$! + # Give it 3s to establish. + sleep 3 + + SMOKE_OK=false + for i in $(seq 1 5); do + HTTP_STATUS=$(curl -sf -o /dev/null -w "%{http_code}" "http://localhost:${PF_PORT}/healthz" 2>/dev/null || echo "000") + if [[ "$HTTP_STATUS" == "200" ]]; then + SMOKE_OK=true + break + fi + log " Smoke attempt ${i}/5: HTTP ${HTTP_STATUS} — retrying..." + sleep 2 + done + + kill "$PF_PID" 2>/dev/null || true + wait "$PF_PID" 2>/dev/null || true + + if [[ "$SMOKE_OK" != "true" ]]; then + die "Smoke test failed on inactive slot '${INACTIVE_SLOT}'. Deployment ABORTED — active slot unchanged." + fi +fi + +log "Smoke test passed." + +# ── Step 5: Switch traffic to new slot ─────────────────────────────────────── +log "Switching 100%% traffic from '${ACTIVE_SLOT}' → '${INACTIVE_SLOT}'..." +run kubectl patch virtualservice veylant-proxy -n "$NAMESPACE" --type merge \ + -p "{\"spec\":{\"http\":[{\"route\":[{\"destination\":{\"host\":\"veylant-proxy\",\"subset\":\"${INACTIVE_SLOT}\"},\"weight\":100}]}]}}" + +log "Traffic switched." + +# ── Step 6: Verify post-switch ──────────────────────────────────────────────── +log "Verifying health post-switch (${SMOKE_RETRIES} attempts)..." +VEYLANT_URL="${VEYLANT_URL:-http://localhost:8090}" +POST_SWITCH_OK=false +if [[ "$DRY_RUN" != "true" ]]; then + for i in $(seq 1 "$SMOKE_RETRIES"); do + HTTP_STATUS=$(curl -sf -o /dev/null -w "%{http_code}" "${VEYLANT_URL}/healthz" 2>/dev/null || echo "000") + if [[ "$HTTP_STATUS" == "200" ]]; then + POST_SWITCH_OK=true + break + fi + log " Post-switch check ${i}/${SMOKE_RETRIES}: HTTP ${HTTP_STATUS} — retrying..." + sleep 2 + done +else + POST_SWITCH_OK=true +fi + +if [[ "$POST_SWITCH_OK" != "true" ]]; then + log "Post-switch verification FAILED. Rolling back to '${ACTIVE_SLOT}'..." + kubectl patch virtualservice veylant-proxy -n "$NAMESPACE" --type merge \ + -p "{\"spec\":{\"http\":[{\"route\":[{\"destination\":{\"host\":\"veylant-proxy\",\"subset\":\"${ACTIVE_SLOT}\"},\"weight\":100}]}]}}" + die "Rollback complete. Active slot reverted to '${ACTIVE_SLOT}'." +fi + +log "Post-switch verification passed." + +# ── Step 7: Scale down old slot ─────────────────────────────────────────────── +log "Scaling down old slot '${ACTIVE_SLOT}' to 0 replicas..." +OLD_RELEASE="veylant-proxy-${ACTIVE_SLOT}" +run kubectl scale deployment "$OLD_RELEASE" --replicas=0 -n "$NAMESPACE" 2>/dev/null || \ + log " (scale-down skipped — release ${OLD_RELEASE} not found)" + +log "" +log "✓ Blue/green deployment complete." +log " Previous slot : ${ACTIVE_SLOT} (scaled to 0)" +log " Active slot : ${INACTIVE_SLOT} (image: ${IMAGE_TAG})" +log " Rollback : make deploy-rollback ACTIVE_SLOT=${ACTIVE_SLOT} NAMESPACE=${NAMESPACE}" diff --git a/deploy/terraform/.gitkeep b/deploy/terraform/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/deploy/terraform/README.md b/deploy/terraform/README.md new file mode 100644 index 0000000..2f95bf6 --- /dev/null +++ b/deploy/terraform/README.md @@ -0,0 +1,37 @@ +# Infrastructure — Terraform / OpenTofu + +> **Sprint 1 note**: Infrastructure provisioning is skipped in Sprint 1 (OpenTofu not yet installed locally). +> See `docs/adr/001-terraform-vs-pulumi.md` for the tooling decision. + +## Prerequisites + +```bash +brew install opentofu +``` + +## Structure (to be implemented in Sprint 4+) + +``` +deploy/terraform/ +├── main.tf # Root module, providers, backend (S3 + DynamoDB lock) +├── variables.tf # Input variables +├── outputs.tf # VPC, cluster endpoint, kubeconfig +├── versions.tf # Pinned provider versions +├── vpc/ # VPC, subnets, NAT gateway +├── eks/ # EKS cluster, node groups (terraform-aws-eks v20.x) +└── monitoring/ # CloudWatch, alerts +``` + +## Before first apply + +Create the state backend manually: + +```bash +aws s3 mb s3://veylant-terraform-state-eu-west-3 --region eu-west-3 +aws dynamodb create-table \ + --table-name veylant-terraform-lock \ + --attribute-definitions AttributeName=LockID,AttributeType=S \ + --key-schema AttributeName=LockID,KeyType=HASH \ + --billing-mode PAY_PER_REQUEST \ + --region eu-west-3 +``` diff --git a/deploy/terraform/main.tf b/deploy/terraform/main.tf new file mode 100644 index 0000000..0fed50e --- /dev/null +++ b/deploy/terraform/main.tf @@ -0,0 +1,269 @@ +terraform { + required_version = ">= 1.7" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.27" + } + } + backend "s3" { + bucket = "veylant-terraform-state" + key = "production/eks/terraform.tfstate" + region = "eu-west-3" + encrypt = true + dynamodb_table = "veylant-terraform-locks" + } +} + +provider "aws" { + region = var.aws_region + default_tags { + tags = { + Project = "veylant-ia" + Environment = "production" + ManagedBy = "terraform" + } + } +} + +# ────────────────────────────────────────────── +# VPC — 3 public + 3 private subnets across AZs +# ────────────────────────────────────────────── +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.5" + + name = "veylant-production" + cidr = var.vpc_cidr + + azs = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"] + private_subnets = var.private_subnet_cidrs + public_subnets = var.public_subnet_cidrs + + enable_nat_gateway = true + single_nat_gateway = false # 1 NAT GW per AZ for HA + enable_dns_hostnames = true + enable_dns_support = true + + # Required tags for EKS auto-discovery of subnets. + private_subnet_tags = { + "kubernetes.io/role/internal-elb" = "1" + "kubernetes.io/cluster/${var.cluster_name}" = "owned" + } + public_subnet_tags = { + "kubernetes.io/role/elb" = "1" + "kubernetes.io/cluster/${var.cluster_name}" = "owned" + } +} + +# ────────────────────────────────────────────── +# EKS Cluster — Kubernetes 1.31, eu-west-3 +# ────────────────────────────────────────────── +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "~> 20.0" + + cluster_name = var.cluster_name + cluster_version = "1.31" + + vpc_id = module.vpc.vpc_id + subnet_ids = module.vpc.private_subnet_ids + cluster_endpoint_public_access = true # Access via kubectl from CI/CD + + # Enable IRSA — required for pod-level IAM roles (backup, Vault). + enable_irsa = true + + cluster_addons = { + aws-ebs-csi-driver = { + most_recent = true + service_account_role_arn = module.irsa_ebs_csi.iam_role_arn + } + coredns = { + most_recent = true + } + kube-proxy = { + most_recent = true + } + vpc-cni = { + most_recent = true + before_compute = true + } + } + + eks_managed_node_groups = { + # One node group per AZ for topology-aware scheduling. + veylant-az-a = { + name = "veylant-az-a" + subnet_ids = [module.vpc.private_subnets[0]] + instance_types = [var.node_instance_type] + min_size = 1 + max_size = 5 + desired_size = 2 + ami_type = "AL2_x86_64" + disk_size = 50 + + labels = { + "topology.kubernetes.io/zone" = "${var.aws_region}a" + workload = "veylant" + } + } + + veylant-az-b = { + name = "veylant-az-b" + subnet_ids = [module.vpc.private_subnets[1]] + instance_types = [var.node_instance_type] + min_size = 1 + max_size = 5 + desired_size = 2 + ami_type = "AL2_x86_64" + disk_size = 50 + + labels = { + "topology.kubernetes.io/zone" = "${var.aws_region}b" + workload = "veylant" + } + } + + veylant-az-c = { + name = "veylant-az-c" + subnet_ids = [module.vpc.private_subnets[2]] + instance_types = [var.node_instance_type] + min_size = 1 + max_size = 5 + desired_size = 2 + ami_type = "AL2_x86_64" + disk_size = 50 + + labels = { + "topology.kubernetes.io/zone" = "${var.aws_region}c" + workload = "veylant" + } + } + } + + tags = { + Environment = "production" + Cluster = var.cluster_name + } +} + +# ────────────────────────────────────────────── +# IRSA — IAM Roles for Service Accounts +# ────────────────────────────────────────────── + +# EBS CSI Driver IRSA +module "irsa_ebs_csi" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.39" + + role_name = "veylant-ebs-csi-driver" + attach_ebs_csi_policy = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"] + } + } +} + +# Backup role IRSA (S3 write for pg_dump) +module "irsa_backup" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.39" + + role_name = "veylant-backup-role" + + role_policy_arns = { + backup = aws_iam_policy.backup_s3.arn + } + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["veylant:veylant-backup"] + } + } +} + +resource "aws_iam_policy" "backup_s3" { + name = "veylant-backup-s3" + description = "Allow Veylant backup job to write to S3 backup bucket" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "s3:PutObject", + "s3:GetObject", + "s3:ListBucket", + "s3:DeleteObject" + ] + Resource = [ + "arn:aws:s3:::veylant-backups-production", + "arn:aws:s3:::veylant-backups-production/*" + ] + } + ] + }) +} + +# ────────────────────────────────────────────── +# S3 Backup Bucket with 7-day lifecycle +# ────────────────────────────────────────────── +resource "aws_s3_bucket" "backups" { + bucket = "veylant-backups-production" +} + +resource "aws_s3_bucket_versioning" "backups" { + bucket = aws_s3_bucket.backups.id + versioning_configuration { + status = "Enabled" + } +} + +resource "aws_s3_bucket_server_side_encryption_configuration" "backups" { + bucket = aws_s3_bucket.backups.id + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + } +} + +resource "aws_s3_bucket_lifecycle_configuration" "backups" { + bucket = aws_s3_bucket.backups.id + + rule { + id = "expire-old-backups" + status = "Enabled" + + filter { + prefix = "postgres/" + } + + # Delete backups older than 7 days. + expiration { + days = 7 + } + + # Clean up incomplete multipart uploads. + abort_incomplete_multipart_upload { + days_after_initiation = 1 + } + } +} + +resource "aws_s3_bucket_public_access_block" "backups" { + bucket = aws_s3_bucket.backups.id + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} diff --git a/deploy/terraform/outputs.tf b/deploy/terraform/outputs.tf new file mode 100644 index 0000000..4531c8c --- /dev/null +++ b/deploy/terraform/outputs.tf @@ -0,0 +1,54 @@ +output "cluster_endpoint" { + description = "EKS cluster API server endpoint" + value = module.eks.cluster_endpoint +} + +output "cluster_certificate_authority_data" { + description = "Base64-encoded certificate authority data for the cluster" + value = module.eks.cluster_certificate_authority_data + sensitive = true +} + +output "cluster_name" { + description = "EKS cluster name" + value = module.eks.cluster_name +} + +output "cluster_oidc_issuer_url" { + description = "OIDC issuer URL for the EKS cluster (used for IRSA)" + value = module.eks.cluster_oidc_issuer_url +} + +output "node_group_arns" { + description = "ARNs of the managed node groups" + value = { + az_a = module.eks.eks_managed_node_groups["veylant-az-a"].node_group_arn + az_b = module.eks.eks_managed_node_groups["veylant-az-b"].node_group_arn + az_c = module.eks.eks_managed_node_groups["veylant-az-c"].node_group_arn + } +} + +output "vpc_id" { + description = "VPC ID" + value = module.vpc.vpc_id +} + +output "private_subnet_ids" { + description = "Private subnet IDs (one per AZ)" + value = module.vpc.private_subnets +} + +output "backup_bucket_name" { + description = "S3 backup bucket name" + value = aws_s3_bucket.backups.id +} + +output "backup_role_arn" { + description = "IAM role ARN for the backup service account (IRSA)" + value = module.irsa_backup.iam_role_arn +} + +output "kubeconfig_command" { + description = "AWS CLI command to update kubeconfig" + value = "aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_name}" +} diff --git a/deploy/terraform/variables.tf b/deploy/terraform/variables.tf new file mode 100644 index 0000000..be7e0ed --- /dev/null +++ b/deploy/terraform/variables.tf @@ -0,0 +1,35 @@ +variable "aws_region" { + description = "AWS region for the EKS cluster" + type = string + default = "eu-west-3" +} + +variable "cluster_name" { + description = "EKS cluster name" + type = string + default = "veylant-production" +} + +variable "vpc_cidr" { + description = "CIDR block for the VPC" + type = string + default = "10.0.0.0/16" +} + +variable "private_subnet_cidrs" { + description = "CIDR blocks for private subnets (one per AZ)" + type = list(string) + default = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] +} + +variable "public_subnet_cidrs" { + description = "CIDR blocks for public subnets (one per AZ)" + type = list(string) + default = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] +} + +variable "node_instance_type" { + description = "EC2 instance type for EKS managed node groups" + type = string + default = "t3.medium" +} diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..982cd14 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,235 @@ +services: + + # ───────────────────────────────────────────── + # PostgreSQL 16 — primary datastore + # ───────────────────────────────────────────── + postgres: + image: postgres:16-alpine + environment: + POSTGRES_DB: veylant + POSTGRES_USER: veylant + POSTGRES_PASSWORD: veylant_dev + ports: + - "5432:5432" + volumes: + - postgres_data:/var/lib/postgresql/data + healthcheck: + test: ["CMD-SHELL", "pg_isready -U veylant -d veylant"] + interval: 5s + timeout: 5s + retries: 10 + start_period: 10s + + # ───────────────────────────────────────────── + # Redis 7 — sessions, rate limiting, PII pseudonymization mappings + # No persistence in dev (AOF/RDB disabled for fast startup) + # ───────────────────────────────────────────── + redis: + image: redis:7-alpine + command: redis-server --save "" --appendonly no + ports: + - "6379:6379" + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 5s + timeout: 3s + retries: 10 + + # ───────────────────────────────────────────── + # ClickHouse 24.3 LTS — append-only audit logs and analytics + # Pinned to LTS for stability + # ───────────────────────────────────────────── + clickhouse: + image: clickhouse/clickhouse-server:24.3-alpine + environment: + CLICKHOUSE_DB: veylant_logs + CLICKHOUSE_USER: veylant + CLICKHOUSE_PASSWORD: veylant_dev + CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1 + ports: + - "8123:8123" # HTTP interface (used for health check and dashboard queries) + - "9000:9000" # Native TCP (used by Go driver) + volumes: + - clickhouse_data:/var/lib/clickhouse + healthcheck: + test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8123/ping || exit 1"] + interval: 5s + timeout: 5s + retries: 20 + start_period: 15s + ulimits: + nofile: + soft: 262144 + hard: 262144 + + # ───────────────────────────────────────────── + # Keycloak 24 — IAM, OIDC, SAML 2.0 + # start-dev: in-memory DB, no TLS — development only + # Realm is auto-imported from deploy/keycloak/realm-export.json + # ───────────────────────────────────────────── + keycloak: + image: quay.io/keycloak/keycloak:24.0 + command: ["start-dev", "--import-realm"] + environment: + KC_BOOTSTRAP_ADMIN_USERNAME: admin + KC_BOOTSTRAP_ADMIN_PASSWORD: admin + KC_DB: dev-mem + KC_HEALTH_ENABLED: "true" + ports: + - "8080:8080" + volumes: + - ./deploy/keycloak:/opt/keycloak/data/import:ro + healthcheck: + test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready || exit 1"] + interval: 10s + timeout: 10s + retries: 20 + start_period: 30s # Keycloak takes ~20s to start in dev mode + + # ───────────────────────────────────────────── + # Veylant proxy — Go application + # ───────────────────────────────────────────── + proxy: + build: + context: . + dockerfile: Dockerfile + ports: + - "8090:8090" + environment: + VEYLANT_SERVER_PORT: "8090" + VEYLANT_SERVER_ENV: "development" + VEYLANT_DATABASE_URL: "postgres://veylant:veylant_dev@postgres:5432/veylant?sslmode=disable" + VEYLANT_REDIS_URL: "redis://redis:6379" + VEYLANT_KEYCLOAK_BASE_URL: "http://keycloak:8080" + VEYLANT_KEYCLOAK_REALM: "veylant" + VEYLANT_KEYCLOAK_CLIENT_ID: "veylant-proxy" + VEYLANT_PII_ENABLED: "true" + VEYLANT_PII_SERVICE_ADDR: "pii:50051" + VEYLANT_PII_TIMEOUT_MS: "100" + VEYLANT_PII_FAIL_OPEN: "true" + VEYLANT_LOG_FORMAT: "console" + VEYLANT_LOG_LEVEL: "debug" + # Provider API keys — set via a .env file or shell environment. + # Only providers with an API key set will be enabled at runtime. + VEYLANT_PROVIDERS_OPENAI_API_KEY: "${OPENAI_API_KEY:-}" + VEYLANT_PROVIDERS_ANTHROPIC_API_KEY: "${ANTHROPIC_API_KEY:-}" + VEYLANT_PROVIDERS_MISTRAL_API_KEY: "${MISTRAL_API_KEY:-}" + # Azure OpenAI requires resource name + deployment ID + API key. + VEYLANT_PROVIDERS_AZURE_API_KEY: "${AZURE_OPENAI_API_KEY:-}" + VEYLANT_PROVIDERS_AZURE_RESOURCE_NAME: "${AZURE_OPENAI_RESOURCE_NAME:-}" + VEYLANT_PROVIDERS_AZURE_DEPLOYMENT_ID: "${AZURE_OPENAI_DEPLOYMENT_ID:-}" + # Ollama — defaults to localhost:11434 (use host.docker.internal in Docker Desktop). + VEYLANT_PROVIDERS_OLLAMA_BASE_URL: "${OLLAMA_BASE_URL:-http://host.docker.internal:11434/v1}" + VEYLANT_METRICS_ENABLED: "true" + # ClickHouse audit log (Sprint 6). + VEYLANT_CLICKHOUSE_DSN: "clickhouse://veylant:veylant_dev@clickhouse:9000/veylant_logs" + # AES-256-GCM key for prompt encryption — generate: openssl rand -base64 32 + # In production, inject via Vault or secret manager. Leave empty to disable. + VEYLANT_CRYPTO_AES_KEY_BASE64: "${VEYLANT_CRYPTO_AES_KEY_BASE64:-}" + depends_on: + postgres: + condition: service_healthy + redis: + condition: service_healthy + clickhouse: + condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8090/healthz || exit 1"] + interval: 5s + timeout: 3s + retries: 10 + start_period: 5s + + # ───────────────────────────────────────────── + # PII detection service — Python (Sprint 3: full pipeline) + # Layer 1: regex (IBAN/email/phone/SSN/CB) + # Layer 2: Presidio + spaCy NER (PERSON/LOC/ORG) + # Pseudonymization: AES-256-GCM in Redis + # ───────────────────────────────────────────── + pii: + build: + context: ./services/pii + dockerfile: Dockerfile + ports: + - "50051:50051" # gRPC + - "8000:8000" # HTTP health + environment: + PII_GRPC_PORT: "50051" + PII_HTTP_PORT: "8000" + PII_REDIS_URL: "redis://redis:6379" + # PII_ENCRYPTION_KEY must be set to a 32-byte base64-encoded key in production. + # The default dev key is used if unset (NOT safe for production). + PII_ENCRYPTION_KEY: "${PII_ENCRYPTION_KEY:-}" + PII_NER_ENABLED: "true" + PII_NER_CONFIDENCE: "0.85" + PII_TTL_SECONDS: "3600" + depends_on: + redis: + condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:8000/healthz || exit 1"] + interval: 10s + timeout: 5s + retries: 10 + start_period: 60s # spaCy fr_core_news_lg model load takes ~30s on first start + + # ───────────────────────────────────────────── + # Prometheus — metrics collection + # Scrapes the proxy /metrics endpoint every 15s + # ───────────────────────────────────────────── + prometheus: + image: prom/prometheus:v2.53.0 + ports: + - "9090:9090" + volumes: + - ./deploy/prometheus/prometheus.yml:/etc/prometheus/prometheus.yml:ro + command: + - "--config.file=/etc/prometheus/prometheus.yml" + - "--storage.tsdb.path=/prometheus" + - "--web.console.libraries=/etc/prometheus/console_libraries" + - "--web.console.templates=/etc/prometheus/consoles" + depends_on: + proxy: + condition: service_healthy + + # ───────────────────────────────────────────── + # Grafana — metrics visualisation + # Auto-provisioned datasource (Prometheus) + Veylant dashboard + # Default credentials: admin / admin + # ───────────────────────────────────────────── + grafana: + image: grafana/grafana:11.3.0 + ports: + - "3001:3000" + environment: + GF_SECURITY_ADMIN_PASSWORD: admin + GF_USERS_ALLOW_SIGN_UP: "false" + volumes: + - ./deploy/grafana/provisioning:/etc/grafana/provisioning:ro + - ./deploy/grafana/dashboards:/var/lib/grafana/dashboards:ro + depends_on: + - prometheus + + # ───────────────────────────────────────────── + # Veylant Dashboard — React SPA (Sprint 7) + # Dev server only — production uses dist/ served by nginx + # ───────────────────────────────────────────── + web: + image: node:20-alpine + working_dir: /app + command: sh -c "npm install && npm run dev -- --host" + ports: + - "3000:3000" + volumes: + - ./web:/app + - /app/node_modules + environment: + VITE_AUTH_MODE: "dev" + VITE_KEYCLOAK_URL: "http://localhost:8080/realms/veylant" + depends_on: + proxy: + condition: service_healthy + +volumes: + postgres_data: + clickhouse_data: diff --git a/docs/AI_Governance_Hub_PRD.md b/docs/AI_Governance_Hub_PRD.md new file mode 100644 index 0000000..79c9afd --- /dev/null +++ b/docs/AI_Governance_Hub_PRD.md @@ -0,0 +1,647 @@ +**AI GOVERNANCE HUB** + +Product Requirements Document & Technical Architecture + +MVP Specification — Version 1.0 + +**CONFIDENTIEL — Février 2026** + +Plateforme de gouvernance centralisée pour les flux IA en entreprise + + +# 1. Executive Summary + +AI Governance Hub est une plateforme SaaS B2B qui agit comme proxy intelligent entre les utilisateurs d’une entreprise et l’ensemble de ses modèles IA (internes et externes). La plateforme répond à un besoin critique et immédiat des DSI, RSSI et responsables conformité : reprendre le contrôle sur les flux IA, éliminer le Shadow AI, et préparer la conformité au Règlement européen sur l’IA (AI Act) dont les premières obligations s’appliquent dès 2025. + +## 1.1 Proposition de valeur + +**Pour le DSI :** Visibilité complète sur les usages IA, maîtrise des coûts, rationalisation des fournisseurs. + +**Pour le RSSI :** Prévention des fuites de données sensibles (PII), journalisation intégrale, détection d’anomalies, contrôle d’accès granulaire. + +**Pour le DPO / Compliance :** Registre des traitements automatisé, rapports RGPD générés, classification des risques AI Act, traçabilité bout en bout. + +**Pour les utilisateurs métier :** Accès unifié et transparent aux IA autorisées, sans friction ni changement d’habitudes majeur. + +## 1.2 Marché et timing + +Le marché de la gouvernance IA est estimé à plusieurs milliards d’euros d’ici 2028. L’entrée en vigueur progressive de l’AI Act européen (février 2025 pour les IA interdites, août 2025 pour les obligations générales, août 2026 pour les systèmes à haut risque) crée une urgence réglementaire qui accélère la demande. La fenêtre d’opportunité est ouverte maintenant. + +# 2. Définition du MVP + +## 2.1 Périmètre fonctionnel MVP (V1) + +Le MVP se concentre sur les fonctionnalités strictement nécessaires pour démontrer la valeur auprès d’un premier client pilote et fermer un premier contrat enterprise. + +| **Module** | **Fonctionnalité MVP** | **Priorité** | +|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| AI Proxy / Gateway | Reverse proxy interceptant toutes les requêtes vers les LLMs (OpenAI, Anthropic, Azure OpenAI, Mistral). Support streaming SSE. | P0 — Critique | +| Routage intelligent | Règles statiques par département/sensibilité. Fallback automatique. Routing vers modèle on-prem ou cloud selon politique. | P0 — Critique | +| Anonymisation PII | Détection hybride (regex + NER Presidio). Redaction en temps réel dans les prompts. Pseudonymisation réversible avec mapping chiffré. | P0 — Critique | +| Journalisation | Logging structuré de chaque requête/réponse (métadonnées, hash du contenu, user, modèle, tokens, coût). Stockage chiffré AES-256. | P0 — Critique | +| RBAC | Gestion des rôles (Admin, Manager, User, Auditor). Contrôle d’accès par modèle et par département. Intégration SSO SAML 2.0. | P0 — Critique | +| Dashboard sécurité | Vue temps réel : volume de requêtes, PII détectées, coûts par modèle/département, alertes basiques. | P1 — Important | +| Rapports conformité | Export PDF/CSV du registre des traitements IA. Mapping articles RGPD. Classification risque AI Act basique (interdit/haut risque/limité/minimal). | P1 — Important | +| Monitoring tokens/coûts | Comptage tokens par requête, agrégation par utilisateur/département/modèle. Alertes de budget. | P1 — Important | + +## 2.2 Hors scope MVP (V2+) + +| **Fonctionnalité** | **Raison du report** | **Cible** | +|--------------------------------------------|---------------------------------------------------------------------------------------|------------| +| Détection d’anomalies ML | Trop complexe pour le MVP, nécessite données d’entraînement. | V2 (M7–M9) | +| Classification automatique des données | Requiert un modèle custom de classification de sensibilité. | V2 | +| Multi-tenant complet avec isolation réseau | Le MVP supporte le multi-tenant logique. L’isolation physique (dédiée) viendra en V2. | V2 | +| SDK natifs (Python, JS, Java) | Les intégrations se font via API REST + proxy HTTP au MVP. | V2 | +| Marketplace de politiques | Templates de politiques préconfigurées par industrie. | V3 | +| Agent de découverte Shadow AI | Scanner réseau pour détecter les appels IA non autorisés. | V2 | +| Intégration SIEM (Splunk, Sentinel) | Export syslog basique en MVP, connecteurs natifs en V2. | V2 | + +## 2.3 Roadmap V1 → V2 → V3 + +| **Version** | **Timeline** | **Focus** | +|-------------|--------------|-------------------------------------------------------------------------------------------------| +| V1 (MVP) | M1–M6 | Proxy IA + Anonymisation + RBAC + Logging + Dashboard + Rapports conformité de base | +| V1.1 | M7–M8 | Stabilisation, feedback clients pilotes, amélioration UX, SDK Python | +| V2 | M9–M14 | Détection anomalies ML, Shadow AI discovery, isolation tenant physique, SIEM natif, SDK JS/Java | +| V3 | M15–M20 | Marketplace politiques, AI Act scoring automatisé, Data Lineage, certification ISO 27001 | + +# 3. Architecture technique détaillée + +## 3.1 Choix architectural : Modular Monolith + +Pour le MVP, nous choisissons un monolithe modulaire plutôt que des microservices. Ce choix est délibéré et argumenté : + +| **Critère** | **Monolithe modulaire** | **Microservices** | +|--------------------------|---------------------------------------------------------|---------------------------------------------------| +| Vitesse de développement | Rapide — un seul déploiement, debug simplifié | Lent — orchestration, service mesh, observabilité | +| Complexité ops | Faible — 1 conteneur principal + workers | Elevée — 10+ services, Kubernetes day-2 | +| Équipe nécessaire | 3–5 développeurs | 8–12 développeurs + SRE dédié | +| Scalabilité future | Extraction de modules en services possible sans refonte | Natif mais prématuré | +| Latence | Appels en mémoire entre modules | Latence réseau inter-services | + +**Arbitrage :** Le monolithe modulaire permet de livrer en 6 mois avec une équipe de 4–5 personnes. Chaque module (proxy, anonymisation, logging, RBAC) est isolé dans son propre package/namespace avec des interfaces claires, ce qui permet une extraction future en microservice si nécessaire sans refonte. + +## 3.2 Architecture high-level + +L’architecture se décompose en couches fonctionnelles claires : + +### Couche 1 — Point d’entrée + +- **API Gateway (Kong / Traefik) :** Terminaison TLS, rate limiting, authentification JWT/SAML. Expose un endpoint unique de type OpenAI-compatible (/v1/chat/completions) pour faciliter l’adoption. + +- **Load Balancer :** Cloud-native (ALB sur AWS, ou Traefik en on-prem). + +### Couche 2 — Core Application (monolithe modulaire) + +- **Module Auth :** Validation des tokens JWT, résolution RBAC, extraction du contexte utilisateur (département, rôle, politiques appliquées). + +- **Module PII Redaction :** Pipeline de détection et anonymisation en temps réel (détaillé section 4). + +- **Module Router :** Moteur de règles déterministe qui choisit le modèle cible selon les politiques (détaillé section 5). + +- **Module Logger :** Capture structurée de chaque requête/réponse, écriture asynchrone (détaillé section 6). + +- **Module Billing :** Comptage tokens, agrégation coûts, alertes budgétaires. + +### Couche 3 — Connecteurs IA + +- **Adapter Pattern :** Un adaptateur par fournisseur (OpenAI, Anthropic, Azure, Mistral, Ollama/vLLM pour on-prem). Chaque adaptateur normalise les formats de requête/réponse vers un schema interne unifié. + +- **Connection Pool :** Gestion des connexions HTTP persistantes vers chaque fournisseur, avec circuit breaker intégré. + +### Couche 4 — Stockage + +- **PostgreSQL 16 :** Données relationnelles (utilisateurs, politiques, configuration, registre des traitements). Choix justifié : maturité, JSONB pour la flexibilité, Row-Level Security pour l’isolation multi-tenant, chiffrement natif. + +- **ClickHouse :** Logs d’audit et analytics. Choix justifié : compression colonnes (10x), requêtes analytiques ultra-rapides sur des milliards de lignes, parfait pour les dashboards et exports. + +- **Redis :** Cache de sessions, rate limiting, mapping PII temporaire, file d’attente légère. + +### Couche 5 — Observabilité + +- **Prometheus + Grafana :** Métriques techniques (latence proxy, débit, erreurs, santé des connecteurs). + +- **OpenTelemetry :** Tracing distribué pour suivre chaque requête de bout en bout. + +## 3.3 Multi-tenancy + +Le MVP implémente un multi-tenant logique : + +- **Isolation des données :** Chaque tenant a un tenant_id propagé dans toutes les tables. PostgreSQL Row-Level Security (RLS) empêche tout accès croisé. + +- **Isolation des configurations :** Politiques de routage, seuils PII, et RBAC sont scopeés par tenant. + +- **Isolation réseau (V2) :** Pour les clients les plus sensibles, un déploiement dédié (namespace Kubernetes isolé ou instance dédiée) sera proposé. + +## 3.4 Compatibilité cloud + on-prem + +L’application est conteneurisée (Docker) et déployable via Helm chart sur n’importe quel cluster Kubernetes. Trois modes de déploiement sont prévus : + +| **Mode** | **Description** | **Cas d’usage** | +|-----------------|--------------------------------------------------------------------------------------------------------|----------------------------------------------------------| +| SaaS (cloud UE) | Hébergé par nous sur AWS eu-west-3 (Paris) ou OVHcloud. Mise à jour automatique. | PME, ETI, entreprises sans contrainte souveraineté forte | +| Hybrid | Control plane dans notre cloud, data plane chez le client. Les données ne quittent pas l’infra client. | Grandes entreprises avec données sensibles | +| On-prem (V2) | Déploiement intégral chez le client. Licence + support. | Défense, santé, secteur public | + +# 4. Module d’anonymisation PII + +## 4.1 Approche : Détection hybride multi-couches + +L’anonymisation est le différenciateur clé du produit. Nous utilisons une approche hybride à trois couches pour maximiser la précision tout en minimisant la latence : + +| **Couche** | **Technique** | **PII ciblées** | **Latence** | **Précision** | +|--------------------------------|--------------------------------------------|---------------------------------------------------|-------------|------------------------------| +| 1 — Regex deterministique | Patterns regex précompilés | IBAN, CB, SS, téléphone, email, numéros ID | \< 1 ms | 99%+ (faux positifs faibles) | +| 2 — NER (Presidio + spaCy) | Modèle NER multilangue (fr_core_news_lg) | Noms, adresses, organisations, dates de naissance | 5–15 ms | 92–96% | +| 3 — LLM local (optionnel V1.1) | Modèle léger (Phi-3 mini) pour cas ambigus | Contextes métiers spécifiques, données médicales | 50–100 ms | 97%+ | + +## 4.2 Pipeline de traitement + +Le pipeline s’exécute de manière synchrone avant chaque appel au modèle IA : + +1. Réception du prompt utilisateur via le proxy. + +2. Couche 1 — Regex : Scan rapide des patterns déterministes. Chaque match est remplacé par un token pseudonymisé de type \[PII:TYPE:UUID_COURT\] (ex: \[PII:IBAN:a3f2\]). + +3. Couche 2 — NER : Le texte (déjà partiellement redacté) passe dans le modèle Presidio. Les entités détectées avec un score de confiance \> 0.85 sont pseudonymisées. + +4. Couche 3 (optionnel) — Vérification LLM : En cas de doute (score entre 0.60 et 0.85), un modèle local valide. + +5. Le prompt anonymisé est envoyé au modèle IA cible. + +6. La réponse est reçue et les tokens PII sont ré-injectés (dé-pseudonymisation) avant renvoi à l’utilisateur. + +## 4.3 Pseudonymisation réversible + +**Mapping chiffré temporaire :** Chaque remplacement génère une entrée dans un store Redis chiffré (AES-256-GCM) avec un TTL configurable par le tenant (défaut : durée de la session + 1h, max 24h). Ce mapping permet la dé-pseudonymisation de la réponse. + +**Après expiration :** Le mapping est supprimé automatiquement. Les logs d’audit ne conservent que le hash SHA-256 du prompt original et la version anonymisée, jamais les données PII en clair. + +**Option « zero-retention » :** Pour les clients les plus exigeants, le mapping peut être purement en mémoire (non persisté même dans Redis), avec destruction à la fin de la requête. Contrepartie : la réponse IA ne sera pas dé-pseudonymisée si elle référence des PII. + +## 4.4 Analyse de risque RGPD du module + +| **Risque** | **Mitigation** | **Risque résiduel** | +|-----------------------------------------|-------------------------------------------------------------------------------|----------------------------------------------| +| Faux négatif : PII non détectée | Pipeline multi-couches + seuil configurable + monitoring du taux de détection | Modéré (mitigé par la couche LLM en V1.1) | +| Faux positif : donnée légitime redactée | Seuil de confiance ajustable + whitelist par tenant | Faible (impact fonctionnel, pas sécuritaire) | +| Mapping PII compromis | Chiffrement AES-256-GCM + TTL court + isolation par tenant | Faible | +| Données PII dans les logs | Seuls les hashs sont stockés + audit d’accès aux logs | Très faible | + +# 5. Module de routage IA + +## 5.1 Moteur de règles déterministe + +Le routage utilise un moteur de règles évaluées par priorité (type firewall). Chaque règle est une combinaison de conditions → actions : + +Conditions disponibles (MVP) + +- **user.department :** Département de l’utilisateur (RH, Finance, Engineering, Legal, etc.) + +- **user.role :** Rôle RBAC (admin, manager, user, auditor) + +- **request.sensitivity :** Niveau de sensibilité déduit par le module PII (none, low, medium, high, critical) + +- **request.use_case :** Tag de cas d’usage (code_generation, summarization, translation, analysis, creative) + +- **request.token_estimate :** Estimation de la taille de la requête + +Actions + +- **route_to :** Modèle cible (ex: gpt-4o, claude-sonnet-4-5-20250929, mistral-local, llama-onprem) + +- **block :** Requête refusée avec message configurable + +- **require_approval :** Mise en attente pour validation manager (V1.1) + +- **force_anonymize :** Force l’anonymisation même si le score PII est bas + +## 5.2 Exemples de politiques + +| **Règle** | **Condition** | **Action** | +|------------------------|---------------------------------------------------------|---------------------------------------------------------| +| R1 — Données critiques | sensitivity = critical | route_to: llama-onprem (IA locale uniquement) | +| R2 — RH | department = RH AND sensitivity \>= medium | route_to: mistral-local + force_anonymize | +| R3 — Engineering | department = Engineering AND use_case = code_generation | route_to: claude-sonnet-4-5-20250929 (performance code) | +| R4 — Budget dépassé | department.monthly_cost \> budget_limit | route_to: gpt-4o-mini (modèle économique) | +| R5 — Default | \* (catch-all) | route_to: gpt-4o | + +## 5.3 Fallback automatique + +En cas d’indisponibilité du modèle cible, le router applique une chaîne de fallback configurable par tenant : + +1. Tentative sur le modèle primaire (timeout configurable, défaut 30s). + +2. Si échec ou timeout : bascule vers le modèle secondaire défini dans la politique. + +3. Si le secondaire échoue : bascule vers le modèle de fallback global (configuré au niveau tenant). + +4. Si tout échoue : retour d’une erreur structurée avec code 503 et suggestion de réessai. + +Un circuit breaker (pattern Hystrix) désactive automatiquement un modèle après N erreurs consécutives (configurable, défaut 5), évitant de saturer un provider défaillant. + +# 6. Journalisation et audit trail + +## 6.1 Structure des logs + +Chaque interaction génère un enregistrement structuré immutable dans ClickHouse : + +| **Champ** | **Type** | **Description** | +|-------------------|------------------|------------------------------------------------------| +| log_id | UUID v7 | Identifiant unique trié chronologiquement | +| tenant_id | UUID | Isolation multi-tenant | +| user_id | UUID | Identifiant utilisateur (lié au SSO) | +| department | String | Département de l’utilisateur | +| timestamp | DateTime64(3) | Horodatage précis au millisecondes | +| model_requested | String | Modèle demandé par l’utilisateur | +| model_actual | String | Modèle effectivement utilisé (après routage) | +| prompt_hash | SHA-256 | Hash du prompt original (jamais le contenu brut) | +| prompt_anonymized | String (chiffré) | Prompt après anonymisation (optionnel, configurable) | +| response_hash | SHA-256 | Hash de la réponse | +| tokens_input | UInt32 | Nombre de tokens en entrée | +| tokens_output | UInt32 | Nombre de tokens en sortie | +| cost_eur | Decimal(10,6) | Coût calculé de la requête | +| pii_detected | Array(String) | Types de PII détectées (\[IBAN, NOM, EMAIL\]) | +| pii_count | UInt16 | Nombre total de PII redactées | +| sensitivity_level | Enum | none / low / medium / high / critical | +| routing_rule_id | String | Règle de routage appliquée | +| latency_ms | UInt32 | Latence totale (proxy + modèle) | +| status | Enum | success / blocked / error / timeout / fallback | +| ip_address | String (hashé) | Adresse IP hashée de l’appelant | + +## 6.2 Chiffrement et sécurité des logs + +- **En transit :** TLS 1.3 entre l’application et ClickHouse. + +- **At rest :** Chiffrement AES-256 au niveau volume (LUKS) + chiffrement applicatif des champs sensibles (prompt_anonymized). + +- **Accès :** Seuls les rôles Admin et Auditor peuvent consulter les logs. Chaque accès aux logs est lui-même loggé (audit de l’audit). + +- **Immutabilité :** Les logs sont en append-only. Aucune API de suppression individuelle. La purge respecte la politique de rétention configurée. + +## 6.3 Rétention + +| **Tier** | **Durée** | **Stockage** | +|--------------------|----------------------|---------------------------------------------------------| +| Hot (accès rapide) | 90 jours | ClickHouse SSD — requêtes \< 1s | +| Warm (archivage) | 1 an | ClickHouse HDD compressé — requêtes \< 10s | +| Cold (conformité) | 5 ans (configurable) | Object Storage (S3/MinIO) chiffré — export à la demande | + +## 6.4 Dashboard RSSI + +Le dashboard temps réel (React + recharts) présente : + +- **Vue globale :** Volume de requêtes (24h, 7j, 30j), répartition par modèle, par département. + +- **Sécurité :** Nombre de PII détectées/bloquées, requêtes bloquées par politique, tentatives d’accès non autorisées. + +- **Coûts :** Dépense par modèle, par département, projection mensuelle, alertes de dépassement. + +- **Alertes :** Pic d’utilisation anormal, tentatives d’exfiltration (volume PII élevé soudain), modèle en état dégradé. + +## 6.5 Exports conformité + +- **PDF :** Rapport mensuel généré automatiquement : synthèse des traitements IA, PII détectées, incidents, conformité RGPD. + +- **CSV :** Export brut des logs (filtrés par date, département, modèle) pour intégration SIEM ou audit externe. + +- **Syslog (V1.1) :** Export en temps réel au format CEF pour Splunk, Sentinel, QRadar. + +# 7. Conformité RGPD et AI Act + +## 7.1 Articles RGPD couverts par la plateforme + +| **Article** | **Exigence** | **Couverture par AI Governance Hub** | +|--------------|------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Art. 5(1)(a) | Licéité, loyauté, transparence | Journalisation complète de chaque traitement. Le registre documente la base légale configurée par le DPO pour chaque cas d’usage IA. | +| Art. 5(1)(c) | Minimisation des données | Le module PII anonymise automatiquement les données personnelles avant envoi aux LLMs externes, ne transmettant que le strict nécessaire. | +| Art. 5(1)(e) | Limitation de conservation | Politique de rétention configurable par tenant (hot/warm/cold). Purge automatique à expiration. | +| Art. 5(1)(f) | Intégrité et confidentialité | Chiffrement AES-256 at rest et TLS 1.3 en transit. RBAC strict. Audit d’accès. | +| Art. 13–14 | Information des personnes concernées | Documentation automatique des traitements IA avec finalités, destinataires, durées de conservation. Exportable pour intégration dans la politique de confidentialité du client. | +| Art. 15 | Droit d’accès | API de recherche par user_id permettant d’extraire l’ensemble des logs associés à un individu (version anonymisée). | +| Art. 17 | Droit à l’effacement | Endpoint de purge par user_id supprimant les logs et mappings PII associés, avec confirmation d’effacement loggée. | +| Art. 25 | Protection des données dès la conception | L’anonymisation par défaut (privacy by design) est le principe fondamental de l’architecture. | +| Art. 28 | Sous-traitant | Chaque fournisseur IA est documenté comme sous-traitant avec ses DPA. Le registre maintient la liste à jour. | +| Art. 30 | Registre des traitements | Génération automatique du registre au format Article 30, exportable PDF/CSV. | +| Art. 32 | Sécurité du traitement | Chiffrement, pseudonymisation, contrôle d’accès, audit continu, tests de résilience. | +| Art. 33–34 | Notification de violations | Détection d’incidents (fuite PII, accès non autorisé) avec alertes temps réel pour faciliter la notification dans les 72h. | +| Art. 35 | AIPD / DPIA | Template d’analyse d’impact pré-rempli pour chaque cas d’usage IA, avec évaluation des risques automatisée. | + +## 7.2 Préparation AI Act européen + +Le Règlement européen sur l’Intelligence Artificielle (Règlement (UE) 2024/1689) impose des obligations progressives. AI Governance Hub positionne ses clients en conformité anticipée : + +Classification des risques (Article 6) + +La plateforme intègre un moteur de classification assistée qui permet au DPO de qualifier chaque cas d’usage IA selon les quatre niveaux de risque de l’AI Act : + +| **Niveau** | **Exemples** | **Obligations** | **Support plateforme** | +|--------------------------|----------------------------------------------------|---------------------------------|----------------------------------------------------------------------------------| +| Interdit (Art. 5) | Scoring social, manipulation subliminale | Usage prohibé | Blocage automatique si le cas d’usage est tagué interdit | +| Haut risque (Annexe III) | Recrutement IA, scoring crédit, diagnostic médical | Conformité complète (Art. 8–15) | Documentation automatisée, journalisation complète, traçabilité, contrôle humain | +| Risque limité (Art. 50) | Chatbots, génération de contenu | Obligations de transparence | Tag automatique des réponses générées par IA | +| Risque minimal | Filtres anti-spam, auto-complétion | Aucune obligation spécifique | Journalisation standard | + +Obligations pour les « deployers » (Article 26) + +AI Governance Hub aide les entreprises à remplir leurs obligations en tant que « déployeurs » de systèmes IA : + +- **Supervision humaine (Art. 14) :** Le workflow d’approbation (V1.1) permet un contrôle humain sur les cas sensibles. + +- **Journalisation automatique (Art. 12) :** Chaque utilisation d’un système à haut risque est traçée avec l’ensemble des métadonnées requises. + +- **Information des personnes (Art. 13) :** Documentation automatique des finalités et des modèles utilisés. + +- **DPIA (Art. 27) :** Analyse d’impact fondamentale prise en charge par la plateforme pour les systèmes à haut risque. + +## 7.3 Documentation automatique + +La plateforme génère automatiquement : + +- **Registre Article 30 RGPD :** Liste complète des traitements IA avec finalités, bases légales, destinataires, durées, mesures de sécurité. + +- **Fiche technique AI Act par système :** Description du modèle, classification de risque, mesures de mitigation, tests effectués. + +- **Rapport d’incident :** Template pré-rempli en cas de détection d’anomalie PII, avec chronologie et impact estimé. + +- **DPIA template :** Analyse d’impact pré-remplie pour chaque cas d’usage IA à haut risque. + +# 8. Sécurité + +## 8.1 Principes de sécurité + +La sécurité est intégrée à chaque couche de l’architecture selon une approche defense-in-depth : + +| **Couche** | **Mesure** | **Implémentation** | +|------------------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Réseau | Zero Trust Network | mTLS entre tous les composants internes. Aucune communication en clair même en réseau privé. Network policies Kubernetes restrictives (deny-all par défaut). | +| Transport | TLS 1.3 obligatoire | Certificats gérés par cert-manager (Let’s Encrypt) ou PKI client en on-prem. | +| Données au repos | AES-256-GCM | Chiffrement volume (LUKS/EBS encryption) + chiffrement applicatif des champs sensibles (clés envelopes via KMS). | +| Application | RBAC + ABAC | Contrôle d’accès par rôle et par attribut. Chaque endpoint est protégé par une politique d’autorisation. | +| Secrets | HashiCorp Vault | Rotation automatique des secrets (API keys LLM, credentials DB). Pas de secrets en variables d’env ou fichiers de config. | +| API | Rate limiting + WAF | Rate limiting par tenant/user (Kong). Protection OWASP Top 10 via ModSecurity/Cloud WAF. | +| Audit | Immutable audit trail | Tous les accès admin, modifications de politique, et consultations de logs sont eux-mêmes audités. | + +## 8.2 Gestion des clés et secrets + +Les clés API des fournisseurs IA (OpenAI, Anthropic, etc.) sont le secret le plus critique. Elles sont gérées selon les principes suivants : + +- **Stockage :** HashiCorp Vault (ou AWS Secrets Manager en mode SaaS). Jamais en base de données ni en variable d’environnement. + +- **Accès :** L’application récupère les clés via l’API Vault avec authentification par service account Kubernetes. + +- **Rotation :** Rotation automatisée tous les 90 jours. Alerte si une clé n’a pas été tournée. + +- **Isolation :** Chaque tenant a son propre path dans Vault. Un tenant ne peut jamais accéder aux secrets d’un autre. + +## 8.3 Pentest readiness + +La plateforme est conçue pour passer un audit de sécurité externe (type pentest black/grey box) dès le lancement. Mesures préparatoires : + +- **SAST :** Analyse statique intégrée à la CI/CD (Semgrep pour le code, Trivy pour les images Docker). + +- **DAST :** Scan OWASP ZAP automatisé en staging avant chaque release. + +- **Dépendances :** Audit continu des dépendances (npm audit, pip audit, Snyk). + +- **Bug bounty :** Programme prévu post-lancement (V1.1) via plateforme YesWeHack. + +# 9. Business Model + +## 9.1 Modèle de pricing hybride + +Le pricing combine un abonnement par utilisateur (prévisibilité pour le client) et un composant volumique (tokens monitorisés) qui aligne la valeur perçue avec l’usage réel : + +| | **Starter** | **Business** | **Enterprise** | +|---------------------------|--------------------------|-------------------------------------|---------------------------------------------| +| Cible | Startups, PME innovantes | ETI, départements de grands groupes | CAC 40, banques, assurances, secteur public | +| Utilisateurs inclus | Jusqu’à 50 | Jusqu’à 500 | Illimité | +| Prix / user / mois | 15 € | 25 € | Sur devis (35–55 €) | +| Tokens monitorisés inclus | 5M / mois | 50M / mois | Custom | +| Token supplémentaire | 0.50 € / 1M tokens | 0.30 € / 1M tokens | Négocié | +| Modèles IA connectés | 3 max | 10 max | Illimité | +| Anonymisation PII | Regex uniquement | Regex + NER | Regex + NER + LLM local | +| SSO / SAML | Non | Oui | Oui + custom IdP | +| Rapports conformité | Basique (CSV) | RGPD + AI Act (PDF) | Custom + DPIA + audit trail complet | +| Déploiement | SaaS uniquement | SaaS ou hybrid | SaaS, hybrid ou on-prem | +| Support | Email (48h) | Email + Slack (24h) | Dédié + CSM + SLA 4h | +| SLA | 99.5% | 99.9% | 99.95% + pénalités | + +## 9.2 Estimation de revenus + +Hypothèse Year 1 (prudente) : 5 clients Starter, 3 Business, 1 Enterprise. + +| **Tier** | **Clients** | **Users moyens** | **MRR unitaire** | **MRR total** | +|------------|-------------|------------------|------------------|----------------------| +| Starter | 5 | 30 | 450 € | 2 250 € | +| Business | 3 | 200 | 5 000 € | 15 000 € | +| Enterprise | 1 | 1 000 | 40 000 € | 40 000 € | +| TOTAL | | | | 57 250 € (687k€ ARR) | + +## 9.3 Stratégie go-to-market + +Persona primaire : RSSI + +Le RSSI est le champion interne. Le pitch principal est : « Reprenez le contrôle sur les flux IA avant qu’un incident ne vous y oblige. » L’angle sécurité (Shadow AI, fuite PII) résonne immédiatement. + +Persona secondaire : DPO / Compliance + +Le DPO est l’allié pour la décision. L’AI Act crée une urgence réglementaire dont la plateforme est la réponse directe. + +Acheteur final : DSI + +Le DSI signe le budget. Le pitch DSI combine TCO (rationalisation des abonnements IA), risque (conformité, audit) et efficacité (un point d’accès unique pour tous les LLMs). + +Canaux + +- **Inbound :** Content marketing (blog technique, whitepapers AI Act), webinaires conformité RGPD/IA, référencement sur comparateurs B2B (G2, Capterra). + +- **Outbound :** Sales outreach ciblé sur les entreprises +500 employés ayant des usages IA documentés. Partenariats avec cabinets de conseil cyber et RGPD. + +- **Communauté :** Open-sourcing du module PII Presidio custom pour construire la crédibilité technique. + +# 10. Stack technique recommandée + +| **Composant** | **Technologie** | **Justification** | **Alternative** | +|------------------------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------| +| Backend — API | Go 1.22 | Performance native (proxy haute perf), faible empreinte mémoire, typage fort, excellent support concurrence (goroutines pour le streaming SSE). Go est le standard pour les reverse proxies (Traefik, Caddy). | Rust (plus complexe, recrutement difficile) ou Node.js (moins performant pour le proxy) | +| Backend — Workers | Python 3.12 | Ecosystème NLP/NER (spaCy, Presidio). Utilisé pour le pipeline d’anonymisation et les tâches async (génération rapports, purge). | Go (mais perte de l’écosystème NLP) | +| Frontend | React 18 + TypeScript + Vite | Ecosystème mature, composants shadcn/ui pour un design professionnel rapidement, recharts pour les dashboards. | Vue.js (viable mais écosystème composants enterprise moindre) | +| API Gateway | Kong Gateway (OSS) | Gestion des routes, rate limiting, auth plugins (JWT, SAML), logging. Configurable via API déclarative. Déjà éprouvé en production enterprise. | Traefik (plus léger mais moins de plugins enterprise) | +| Base relationnelle | PostgreSQL 16 | Row-Level Security pour multi-tenant, JSONB pour la flexibilité des politiques, maturité, performance, chiffrement natif. | CockroachDB (si distribution géo nécessaire V2) | +| Base analytique / Logs | ClickHouse | Compression 10x, requêtes analytiques ultra-rapides (agrégations, GROUP BY sur milliards de lignes), parfait pour dashboard temps réel et exports. | TimescaleDB (plus simple mais moins performant à l’échelle) | +| Cache / Queue | Redis 7 (Valkey) | Sessions, rate limiting, cache mapping PII, pub/sub pour notifications temps réel. | KeyDB (compatible Redis, multi-threadé) | +| File de messages | Redis Streams (MVP) → NATS (V2) | Redis Streams suffit au MVP pour les tâches async. NATS en V2 pour le découplage si extraction en microservices. | RabbitMQ (plus lourd pour le MVP) | +| IAM / Auth | Keycloak | SSO, SAML 2.0, OIDC, RBAC complet, multi-tenant, federation d’identité. Standard enterprise. Hébergeable en UE. | Auth0 (SaaS US, problème souveraineté) | +| Secrets | HashiCorp Vault | Gestion centralisée des secrets, rotation automatique, audit trail. Intégration native Kubernetes. | AWS Secrets Manager (si 100% AWS) | +| Conteneurs | Docker + Kubernetes (K8s) | Standard de déploiement. Helm charts pour reproductibilité. Compatible cloud et on-prem. | Docker Compose (dév uniquement) | +| CI/CD | GitLab CI | Pipeline intégré : build, test, SAST (Semgrep), scan images (Trivy), deploy. Hébergeable en UE. | GitHub Actions (SaaS US) | +| Monitoring | Prometheus + Grafana | Métriques (latence, débit, erreurs). Alerting via Alertmanager. Stack open-source, pas de lock-in. | Datadog (coût élevé en enterprise) | +| Tracing | OpenTelemetry + Jaeger | Tracing distribué pour suivre chaque requête de bout en bout à travers les modules. | Tempo (alternative Grafana) | +| NER / NLP | Microsoft Presidio + spaCy | Presidio est le standard open-source pour la détection PII. Extensible, multilangue, intégré à spaCy. | AWS Comprehend (coût + données hors UE) | +| Infra cloud | AWS eu-west-3 (Paris) | Certifié HDS, ISO 27001. Région UE. Compatibilité hébergement souverain (OVHcloud/Scaleway en fallback). | OVHcloud (moins de services managés) | + +# 11. Plan de développement — 6 mois + +**Équipe cible :** 1 CTO/Lead Backend (Go), 1 Backend Senior (Go/Python), 1 Frontend Senior (React), 1 DevOps/SRE, 1 Product Manager (0.5 ETP). Total : 4.5 ETP. + +Mois 1 — Fondations et proxy de base + +Objectifs + +- Infrastructure de base opérationnelle (CI/CD, Kubernetes, monitoring) + +- Reverse proxy fonctionnel capable de relayer des requêtes vers OpenAI + +- Authentification basique (JWT) + +Livrables + +| **Tâche** | **Responsable** | **Durée** | +|----------------------------------------------------------------------------------|-----------------|------------| +| Setup GitLab, CI/CD pipeline, registre Docker, cluster K8s staging | DevOps | 1 semaine | +| Scaffolding monolithe Go : structure modulaire, routing HTTP, middleware chain | Lead Backend | 1 semaine | +| Module Proxy : relay transparent vers OpenAI API (non-streaming + streaming SSE) | Lead Backend | 2 semaines | +| Authentification JWT basique + middleware auth | Backend Sr | 1 semaine | +| Setup PostgreSQL + ClickHouse + Redis en Helm | DevOps | 1 semaine | +| Modèle de données initial (users, tenants, policies) + migrations | Backend Sr | 1 semaine | +| Setup Keycloak + intégration OIDC basique | DevOps | 1 semaine | + +**Point critique :** Le proxy doit supporter le streaming SSE dès le début. C’est un choix technique structurant qui impacte toute l’architecture. + +Mois 2 — Anonymisation PII et multi-modèle + +Objectifs + +- Pipeline PII fonctionnel (regex + NER Presidio) + +- Support multi-modèle (Anthropic, Azure OpenAI, Mistral) + +- RBAC fonctionnel + +Livrables + +| **Tâche** | **Responsable** | **Durée** | +|--------------------------------------------------------------|-----------------|------------| +| Module PII : couche 1 regex (IBAN, email, tél, CB, SS) | Backend Sr | 1 semaine | +| Module PII : intégration Presidio/spaCy (NER multilangue) | Backend Sr | 2 semaines | +| Pseudonymisation réversible + stockage mapping Redis chiffré | Backend Sr | 1 semaine | +| Adaptateurs multi-modèle (Anthropic, Azure, Mistral, Ollama) | Lead Backend | 2 semaines | +| Module RBAC : rôles, permissions, middleware d’autorisation | Lead Backend | 1 semaine | +| Intégration SAML 2.0 dans Keycloak + tests avec Azure AD | DevOps | 1 semaine | +| Setup frontend React : auth flow, layout, navigation | Frontend | 2 semaines | + +**Risque technique :** La latence du pipeline PII doit rester \< 50ms pour ne pas dégrader l’expérience. Benchmark dès la semaine 2. + +Mois 3 — Routage intelligent et journalisation + +Objectifs + +- Moteur de règles de routage fonctionnel + +- Journalisation complète dans ClickHouse + +- Dashboard MVP fonctionnel + +Livrables + +| **Tâche** | **Responsable** | **Durée** | +|---------------------------------------------------------------------------|-----------------|------------| +| Module Router : moteur de règles, évaluation par priorité, fallback chain | Lead Backend | 2 semaines | +| Module Router : circuit breaker, health check des providers | Lead Backend | 1 semaine | +| Module Logger : écriture async ClickHouse, structure complète des logs | Backend Sr | 2 semaines | +| Module Billing : comptage tokens, agrégation par user/dept/model | Backend Sr | 1 semaine | +| Dashboard frontend : overview (volume, coûts, PII), composants recharts | Frontend | 3 semaines | +| API admin : CRUD politiques de routage, gestion utilisateurs | Lead Backend | 1 semaine | + +Mois 4 — Conformité et sécurité + +Objectifs + +- Rapports conformité RGPD et AI Act opérationnels + +- Hardening sécurité complet + +- Dashboard RSSI enrichi + +Livrables + +| **Tâche** | **Responsable** | **Durée** | +|-----------------------------------------------------------------------------|-----------------|------------| +| Module Compliance : registre Art. 30, génération PDF, classification AI Act | Backend Sr | 3 semaines | +| API droits RGPD : accès (Art. 15), effacement (Art. 17), export | Backend Sr | 1 semaine | +| Dashboard RSSI : alertes, détection pics, vue sécurité | Frontend | 2 semaines | +| Hardening : mTLS interne, network policies K8s, Vault intégration | DevOps | 2 semaines | +| SAST/DAST : Semgrep + Trivy + OWASP ZAP intégrés CI/CD | DevOps | 1 semaine | +| Chiffrement at-rest applicatif des champs sensibles | Lead Backend | 1 semaine | +| Tests de charge : benchmark proxy (cible : 1000 req/s, p99 \< 200ms) | DevOps + Lead | 1 semaine | + +Mois 5 — Stabilisation et beta privée + +Objectifs + +- Beta privée avec 2–3 clients pilotes + +- Tests end-to-end complets + +- Documentation technique et utilisateur + +Livrables + +| **Tâche** | **Responsable** | **Durée** | +|-----------------------------------------------------------------------------------|-----------------|------------| +| Tests E2E automatisés : parcours complets proxy → PII → routing → log → dashboard | Tous | 2 semaines | +| Onboarding clients pilotes : configuration tenant, import users SSO | PM + DevOps | 2 semaines | +| Bug fixes et ajustements UX d’après feedback pilotes | Tous | 2 semaines | +| Documentation API (OpenAPI 3.1) + guide d’intégration | Lead Backend | 1 semaine | +| Documentation utilisateur + guide admin | PM + Frontend | 1 semaine | +| Optimisation performance d’après données réelles | Lead Backend | 1 semaine | + +Mois 6 — Production et lancement + +Objectifs + +- Mise en production sur infra UE + +- Premier contrat signé + +- Pentest externe passé + +Livrables + +| **Tâche** | **Responsable** | **Durée** | +|-------------------------------------------------------------------|------------------|-------------| +| Déploiement production : cluster K8s EU (AWS eu-west-3), DR setup | DevOps | 1 semaine | +| Pentest externe (cabinet spécialisé, grey box) | Externe + DevOps | 2 semaines | +| Remédiation findings pentest | Tous | 1 semaine | +| Landing page, démo interactive, matériel commercial | PM + Frontend | 2 semaines | +| Onboarding premier client payant | PM + DevOps | 2 semaines | +| Monitoring production : alerting, on-call, runbooks | DevOps | 1 semaine | +| Rétro et planification V1.1 | Tous | 0.5 semaine | + +## 11.7 Risques techniques et mitigations + +| **Risque** | **Probabilité** | **Impact** | **Mitigation** | +|---------------------------------------------|-----------------|------------|-------------------------------------------------------------------------------------------------------------| +| Latence PII pipeline trop élevée | Moyenne | Haut | Benchmark dès M2. Option : désactiver NER pour les requêtes basse sensibilité. Cache des patterns déjà vus. | +| Intégration SSO complexe chez le client | Haute | Moyen | Keycloak supporte SAML/OIDC natif. Prévoir 1 semaine d’intégration par client. | +| Changements de format API des providers LLM | Moyenne | Moyen | Adapter pattern : les changements sont isolés dans un seul fichier par provider. | +| Faux négatifs PII en production | Moyenne | Haut | Mode audit (log sans bloquer) pendant 2 semaines de rodage. Feedback loop avec le client. | +| Difficulté de recrutement Go + NLP | Haute | Haut | Prévoir 1 mois de recrutement en amont. Alternative : consultants spécialisés pour le module PII Python. | +| Évolution rapide de l’AI Act | Moyenne | Moyen | Veille réglementaire continue. Le module compliance est configurable (règles non hardcodées). | + +# 12. Synthèse des arbitrages clés + +| **Décision** | **Choix retenu** | **Raison** | +|---------------|--------------------------|-----------------------------------------------------------------------| +| Architecture | Monolithe modulaire | Rapidité de livraison avec équipe réduite, extraction future possible | +| Langage proxy | Go | Performance native, streaming SSE, concurrence, faible mémoire | +| Langage NLP | Python (Presidio/spaCy) | Ecosystème NER mature, pas d’équivalent en Go | +| Base logs | ClickHouse | Performance analytique incomparable pour les dashboards et exports | +| IAM | Keycloak | SAML/OIDC natif, hébergeable UE, open-source | +| Multi-tenant | Logique (RLS PostgreSQL) | Suffisant pour le MVP, isolation physique en V2 | +| PII detection | Hybride regex + NER | Meilleur rapport précision/latence que le tout-LLM | +| Déploiement | SaaS EU + hybrid option | Couvre 90% du marché cible, on-prem en V2 | +| Pricing | Hybride (user + tokens) | Prévisible pour le client, scalable pour nous | + +Ce document constitue la base technique et stratégique pour le démarrage du projet AI Governance Hub. Chaque choix a été fait en privilégiant la livraison rapide d’un produit commercialisable, sans compromettre la sécurité ni la conformité réglementaire. Les fondations sont conçues pour évoluer vers une architecture plus distribuée quand le produit et l’équipe le justifieront. diff --git a/docs/AI_Governance_Hub_Plan_Realisation.md b/docs/AI_Governance_Hub_Plan_Realisation.md new file mode 100644 index 0000000..896de7f --- /dev/null +++ b/docs/AI_Governance_Hub_Plan_Realisation.md @@ -0,0 +1,454 @@ +**AI GOVERNANCE HUB** + +Plan de Réalisation Détaillé + +De l’analyse critique du PRD au plan d’exécution étape par étape + +**CONFIDENTIEL — Février 2026** + +Guide d’exécution pour équipe technique — 164 tâches, 26 semaines + + +# Partie A — Analyse critique du PRD + +Avant de planifier l’exécution, une analyse honnête du PRD est nécessaire. Le document est solide sur la vision et l’architecture, mais plusieurs points nécessitent des corrections pour un plan d’exécution réaliste. + +## A.1 — Ce qui est bien fait dans le PRD + +- **Architecture monolithe modulaire :** Choix parfaitement calibré pour l’équipe et le timeline. Pas de sur-ingénierie. + +- **Séparation Go (proxy) / Python (NLP) :** Chaque langage est utilisé pour ses forces. Le surcoût ops de 2 runtimes est accepté car le gain en performance et écosystème est majeur. + +- **Pipeline PII hybride :** L’approche regex + NER est le bon compromis latence/précision. Le tout-LLM serait trop lent et trop cher. + +- **ClickHouse pour les logs :** Choix différenciant. La performance analytique permettra des dashboards impressionnants en démo. + +- **Pricing hybride :** Le modèle user + tokens aligne la valeur. Le tier Enterprise à 40k€ MRR est réaliste pour un CAC 40. + +- **Scope MVP bien délimité :** Le hors-scope est clairement défini. Pas de feature creep. + +## A.2 — Problèmes identifiés et corrections + +| **Problème dans le PRD** | **Impact** | **Correction appliquée dans ce plan** | +|------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Les durées par tâche sont optimistes. Beaucoup de tâches à « 1 semaine » qui en prendront 2 en réalité (intégration, tests, edge cases). | Haut — dérapage calendaire quasi certain | Ce plan ajoute 20% de buffer par sprint. Chaque tâche est décomposée en sous-tâches avec des critères d’acceptance précis. | +| La communication inter-modules Go ↔ Python n’est pas détaillée. Comment le proxy Go appelle-t-il le service PII Python ? | Haut — choix structurant | Le plan précise : le module PII tourne comme sidecar gRPC. Le proxy Go fait un appel gRPC local (\<1ms overhead). Alternative : embedded Python via cgo (rejeté : trop fragile). | +| Le plan mois par mois ne précise pas les dépendances entre tâches. Certaines sont parallélisables, d’autres bloquantes. | Moyen — goulots d’étranglement | Ce plan inclut un graphe de dépendances et identifie le chemin critique. | +| Les tests ne sont prévus qu’au mois 5. C’est trop tard. | Haut — dette technique | Ce plan intègre les tests dès le sprint 1. Chaque module a ses tests unitaires et d’intégration en parallèle du développement. | +| Le frontend est sous-estimé. « 2 semaines setup + 3 semaines dashboard » pour un dashboard enterprise complet est irréaliste. | Moyen — UX insuffisante au lancement | Le plan alloue le frontend en continu dès le mois 2, avec des livrables incrémentaux chaque sprint. | +| Aucune mention du mode « playground » / démo intégrée pour les prospects. | Moyen — impact commercial | Ajout d’un playground intégré (prompt test avec visualisation PII) au sprint 8. | +| Le plan ne prévoit pas de gestion de la configuration des providers IA côté UI. | Moyen — onboarding complexe | Ajout d’un wizard de configuration des providers dans le dashboard admin. | +| Le PRD ne détaille pas la stratégie de migration/rollback des déploiements. | Moyen — risque production | Ce plan inclut blue/green deployment dès le mois 4 et des runbooks de rollback. | + +## A.3 — Décisions techniques complémentaires + +Ces décisions n’étaient pas dans le PRD mais sont indispensables pour l’exécution : + +- **Communication Go ↔ Python :** gRPC avec Protocol Buffers. Le service PII Python est un sidecar dans le même pod Kubernetes. Latence mesurée : ~2ms aller-retour. Schema gRPC versionné dans un repo partagé (proto/). + +- **Stratégie de test :** Pyramide classique : 70% unit (Go: testing + testify, Python: pytest), 20% intégration (testcontainers pour PG/CH/Redis), 10% E2E (Playwright pour le frontend, scripts curl/httpie pour l’API). + +- **Feature flags :** Système de feature flags maison simple (table PostgreSQL + cache Redis, ~50 lignes de code). Permet de livrer du code en production sans l’activer. Critique pour la beta. + +- **Gestion des erreurs :** Chaque module expose des erreurs typées (Go errors wrap). Le proxy retourne des erreurs structurées JSON compatibles OpenAI API format (type, message, code). + +- **Versionning API :** Préfixe /v1/ dès le début. Pas de versionning par header (trop complexe pour les clients enterprise). + +- **Documentation :** OpenAPI 3.1 généré automatiquement depuis les annotations Go (swaggo). Pas de doc manuelle qui diverge. + +# Partie B — Organisation et méthodologie + +## B.1 — Équipe et rôles + +| **Rôle** | **Profil** | **Responsabilités principales** | **Charge** | +|--------------------|----------------------------------------------------|-------------------------------------------------------------------------------|------------| +| CTO / Lead Backend | Senior Go (7+ ans), expérience proxy/networking | Architecture, module Proxy, module Router, code reviews, décisions techniques | 100% | +| Backend Senior | Go + Python, expérience NLP | Module PII (Python), module Logger, module Billing, adaptateurs IA | 100% | +| Frontend Senior | React/TypeScript, expérience dashboard data-heavy | Dashboard, admin UI, playground, auth flow, UX | 100% | +| DevOps / SRE | Kubernetes, AWS, CI/CD, sécurité | Infra, CI/CD, monitoring, sécurité, déploiements, Keycloak | 100% | +| Product Manager | Expérience B2B SaaS enterprise, compréhension RGPD | Specs, priorisation, clients pilotes, documentation utilisateur, commercial | 50% | + +## B.2 — Méthodologie de travail + +Sprints de 2 semaines, avec les rituels suivants : + +| **Rituel** | **Fréquence** | **Durée** | **Contenu** | +|------------------------------|--------------------------------|-----------|---------------------------------------------------| +| Sprint Planning | Début de sprint | 2h | Décomposition des stories, estimation, engagement | +| Daily Standup | Quotidien | 15min | Blockers, progression, coordination | +| Sprint Review | Fin de sprint | 1h | Démo du livrable, feedback | +| Sprint Retro | Fin de sprint | 45min | Amélioration continue | +| Architecture Decision Record | Ad hoc | 30min | Documentation des choix techniques clés | +| Security Review | Toutes les 2 semaines (dès M3) | 1h | Revue sécurité des développements récents | + +## B.3 — Gestion des repos et conventions + +- **Monorepo :** Un seul repo GitLab contenant : /cmd/proxy (Go main), /internal/ (modules Go), /services/pii (Python), /web (React), /deploy (Helm charts), /proto (gRPC schemas), /docs. + +- **Branching :** Trunk-based development. Feature branches courtes (\<3 jours). Merge via MR avec 1 review obligatoire. CI passe avant merge. + +- **Commits :** Conventional Commits (feat:, fix:, chore:). Changelog généré automatiquement. + +- **Environnements :** dev (local docker-compose), staging (K8s cluster dédié, deploy auto sur merge to main), production (K8s, deploy manuel approuvé). + +# Partie C — Plan d’exécution sprint par sprint + +Le plan est découpé en 13 sprints de 2 semaines (26 semaines = 6 mois). Chaque sprint a un objectif clair, des tâches décomposées, des critères d’acceptance, et des dépendances explicitées. + +**Légende priorités :** BLOQUANT = sur le chemin critique, aucun retard acceptable. IMPORTANT = décalable d’1 sprint max. SOUHAITABLE = nice-to-have pour ce sprint. + +## PHASE 1 — Fondations (Sprints 1–4, Semaines 1–8) + +**Objectif de phase :** Un proxy fonctionnel qui relaie des requêtes vers OpenAI avec authentification, et l’infrastructure complète pour développer efficacement. + +### Sprint 1 — Semaines 1–2 : Bootstrapping + +**Objectif :** Toute l’équipe peut développer, tester et déployer. Le squelette applicatif compile et se déploie en staging. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|-----------------------------------------------------------------------------------------------------------------|---------------------------|--------------|-------------------------------------------------------------------| +| 1.1 | Création monorepo GitLab + structure de dossiers (/cmd, /internal, /services/pii, /web, /deploy, /proto, /docs) | DevOps | BLOQUANT | Repo accessible, README avec instructions de setup local | +| 1.2 | Pipeline CI/CD GitLab : build Go, build Python, build React, lint, tests unitaires, scan Trivy | DevOps | BLOQUANT | Pipeline green sur commit vide. Build \< 5min | +| 1.3 | Docker Compose local : Go app + PostgreSQL 16 + ClickHouse + Redis 7 + Keycloak | DevOps | BLOQUANT | docker-compose up démarre tout en \< 60s. Health checks OK | +| 1.4 | Cluster K8s staging (AWS EKS eu-west-3) + namespace + ingress Traefik | DevOps | BLOQUANT | kubectl get nodes retourne 3 nodes. Ingress accessible via HTTPS | +| 1.5 | Scaffolding Go : main.go, server HTTP (chi router), middleware chain vide, graceful shutdown, health endpoint | Lead Backend | BLOQUANT | GET /healthz retourne 200. Graceful shutdown fonctionne (SIGTERM) | +| 1.6 | Configuration management : Viper (Go) + fichier config.yaml + override par env vars | Lead Backend | IMPORTANT | Config chargée au démarrage. Pas de valeurs hardcodées | +| 1.7 | Modèle de données PostgreSQL v1 : tables tenants, users, api_keys + migrations (golang-migrate) | Backend Sr | IMPORTANT | Migrations up/down fonctionnent. Schema créé proprement | +| 1.8 | Setup Keycloak : realm par défaut, client OIDC, utilisateur test | DevOps | IMPORTANT | Login via Keycloak retourne un JWT valide | +| 1.9 | Définition des schemas gRPC (proto/) : PiiRequest, PiiResponse, PiiEntity | Lead Backend + Backend Sr | IMPORTANT | Proto compile sans erreur. Stubs Go et Python générés | +| 1.10 | Scaffolding service PII Python : FastAPI + endpoint gRPC + Dockerfile + pytest setup | Backend Sr | SOUHAITABLE | Service démarre, répond à un healthcheck gRPC | + +**Dépendances :** 1.5 dépend de 1.1. 1.4 dépend de 1.2. 1.7 dépend de 1.3. 1.8 dépend de 1.3. 1.9 dépend de 1.5 et 1.10. + +**Risque sprint :** Setup EKS peut prendre plus longtemps que prévu (IAM, VPC, security groups). Mitigation : utiliser un module Terraform prouvé (terraform-aws-eks) ou Pulumi. + +### Sprint 2 — Semaines 3–4 : Proxy core + Auth + +**Objectif :** Le proxy relaie des requêtes vers OpenAI (non-streaming ET streaming SSE) avec authentification JWT. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|--------------------------------------------------------------------------------------------------------------------------------|-----------------|--------------|--------------------------------------------------------------------------------------| +| 2.1 | Module Proxy — relay non-streaming : recevoir POST /v1/chat/completions, forwarder à OpenAI, retourner la réponse | Lead Backend | BLOQUANT | curl vers le proxy retourne la même réponse qu’un appel direct à OpenAI | +| 2.2 | Module Proxy — relay streaming SSE : support du paramètre stream:true, flush chunk par chunk au client | Lead Backend | BLOQUANT | Client reçoit les chunks en temps réel. Pas de buffering. Test avec curl --no-buffer | +| 2.3 | Middleware Auth : validation JWT (signature RS256, expiration, issuer Keycloak), extraction claims (user_id, tenant_id, roles) | Backend Sr | BLOQUANT | Requête sans JWT = 401. JWT expiré = 401. JWT valide = forward + contexte injecté | +| 2.4 | Middleware Request ID : génération UUID v7 par requête, propagation dans tous les headers et logs | Lead Backend | IMPORTANT | Chaque réponse contient X-Request-Id. Logs contiennent le même ID | +| 2.5 | Middleware Logging basique : log de chaque requête (méthode, path, status, durée) en JSON structuré (zerolog) | Lead Backend | IMPORTANT | Logs visibles dans stdout. Format JSON parseable | +| 2.6 | Tests unitaires proxy : 15+ tests couvrant les cas nominaux, erreurs OpenAI, timeouts, headers | Lead Backend | IMPORTANT | Coverage \> 80% sur le module proxy. go test -race passe | +| 2.7 | Tests d’intégration auth : test avec Keycloak via testcontainers | Backend Sr | IMPORTANT | Test end-to-end : obtenir token Keycloak → appeler proxy → succès | +| 2.8 | Déploiement auto staging : merge to main déploie en staging via Helm | DevOps | IMPORTANT | Chaque merge déclenche un déploiement. Rollback possible en 1 commande | +| 2.9 | Prometheus metrics basiques : request_count, request_duration_seconds, request_errors_total | DevOps | SOUHAITABLE | Métriques visibles dans Grafana staging | + +**Dépendances :** 2.1–2.2 sont sur le chemin critique — tout le reste en dépend. 2.3 dépend de 1.8 (Keycloak). 2.8 dépend de 1.4 (K8s staging). + +**Risque sprint :** Le streaming SSE est le point technique le plus délicat du projet. Le proxy doit flusher les chunks sans bufferiser. En Go, cela nécessite un Flusher HTTP custom et une gestion fine des goroutines. Prévoir 3-4 jours de debug. + +### Sprint 3 — Semaines 5–6 : Anonymisation PII v1 + +**Objectif :** Le pipeline PII détecte et anonymise les données sensibles dans les prompts avant envoi au LLM. Dé-pseudonymisation fonctionnelle. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|---------------------------------------------------------------------------------------------------------------------------|-----------------|--------------|----------------------------------------------------------------------------------------------------------| +| 3.1 | PII Couche 1 — Regex : patterns compilés pour IBAN FR/EU, emails, téléphones FR/intl, n° SS, cartes bancaires (Luhn) | Backend Sr | BLOQUANT | Jeu de tests de 100+ exemples positifs/négatifs. Precision \> 99%, Recall \> 95% | +| 3.2 | PII Couche 2 — NER : intégration Presidio avec modèle spaCy fr_core_news_lg. Détection noms, adresses, organisations | Backend Sr | BLOQUANT | Benchmark sur corpus français : F1-score \> 0.90 sur les entités PER, LOC, ORG | +| 3.3 | Pipeline unifié : orchestration regex → NER, déduplication des détections, scoring de confiance unifié | Backend Sr | BLOQUANT | Un prompt contenant 5 types de PII différents les détecte tous. Latence \< 50ms sur prompt de 500 tokens | +| 3.4 | Pseudonymisation : remplacement par tokens \[PII:TYPE:UUID\], stockage mapping dans Redis (AES-256-GCM, TTL configurable) | Backend Sr | BLOQUANT | Le prompt envoyé au LLM ne contient aucune PII en clair. Le mapping est chiffré dans Redis | +| 3.5 | Dé-pseudonymisation : réinjection des valeurs originales dans la réponse du LLM | Backend Sr | BLOQUANT | La réponse renvoyée à l’utilisateur contient les valeurs originales, pas les tokens | +| 3.6 | Intégration gRPC Proxy ↔ PII : le proxy Go appelle le service PII Python via gRPC avant chaque forward | Lead Backend | BLOQUANT | Le flux complet fonctionne : user → proxy → PII (gRPC) → LLM → PII (de-pseudo) → user | +| 3.7 | Benchmark latence : mesure p50, p95, p99 du pipeline PII sur 1000 requêtes variées | Backend Sr | IMPORTANT | p99 \< 50ms pour prompts \< 500 tokens. p99 \< 100ms pour prompts \< 2000 tokens | +| 3.8 | Tests unitaires PII : 50+ tests couvrant chaque type de PII, edge cases, texte multilangue | Backend Sr | IMPORTANT | pytest passe. Coverage \> 85% sur le service PII | + +**Chemin critique :** Ce sprint est le plus risqué techniquement. Si le p99 dépasse 100ms, il faut envisager : (a) cache des patterns déjà vus, (b) mode « regex-only » pour les requêtes basse sensibilité, (c) préchargement du modèle spaCy en mémoire (pas de cold start). + +### Sprint 4 — Semaines 7–8 : Multi-modèle + RBAC + +**Objectif :** Le proxy supporte 4+ fournisseurs IA. Le RBAC contrôle qui accède à quoi. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|---------------------------------------------------------------------------------------------------------------------|-----------------|--------------|--------------------------------------------------------------------------------------------------| +| 4.1 | Adapter OpenAI : normalisation du format de requête/réponse vers le schema interne unifié | Lead Backend | BLOQUANT | Requête interne → OpenAI → réponse interne. Streaming inclus | +| 4.2 | Adapter Anthropic : support Messages API, format claude-sonnet, streaming | Lead Backend | BLOQUANT | Même test que 4.1 avec Anthropic. Mapping system/user/assistant correct | +| 4.3 | Adapter Azure OpenAI : endpoint custom, API version, déploiement ID | Lead Backend | IMPORTANT | Fonctionne avec un déploiement Azure test | +| 4.4 | Adapter Ollama/vLLM : support modèles locaux via API OpenAI-compatible | Lead Backend | IMPORTANT | Fonctionne avec un Ollama local tournant Llama 3 | +| 4.5 | Adapter Mistral : support API Mistral chat/completions | Lead Backend | SOUHAITABLE | Test fonctionnel avec mistral-small | +| 4.6 | Interface Adapter commune : trait/interface Go avec méthodes Send(), Stream(), Validate(), HealthCheck() | Lead Backend | BLOQUANT | Tous les adapters implémentent la même interface. Tests génériques passent | +| 4.7 | Module RBAC : modèle de données (roles, permissions, role_assignments), middleware d’autorisation | Backend Sr | BLOQUANT | User sans permission sur un modèle = 403. Admin = accès total. Auditor = read-only | +| 4.8 | RBAC intégration Keycloak : synchronisation des rôles depuis les groupes Keycloak | DevOps | IMPORTANT | Un user ajouté au groupe « admin » dans Keycloak obtient le rôle admin dans l’app | +| 4.9 | API tenant management : CRUD tenants, configuration de base (nom, providers autorisés, API keys encryptées) | Backend Sr | IMPORTANT | POST /v1/admin/tenants crée un tenant. Les API keys sont stockées chiffrées (pas en clair en DB) | +| 4.10 | Tests d’intégration multi-modèle : test automatisé qui envoie la même requête à chaque adapter et valide la réponse | Lead Backend | IMPORTANT | Test CI green pour OpenAI + Anthropic (les autres en mock si pas de clé dispo) | + +**État à la fin de Phase 1 :** Le proxy intercepte les requêtes, authentifie via JWT/Keycloak, anonymise les PII, route vers le bon modèle IA (OpenAI, Anthropic, Azure, local), et renvoie la réponse dé-pseudonymisée. C’est déjà démontrable à un prospect via curl. + +## PHASE 2 — Intelligence et visibilité (Sprints 5–8, Semaines 9–16) + +**Objectif de phase :** Routage intelligent, journalisation complète, dashboard fonctionnel, et début du module conformité. Le produit devient démontrable avec UI. + +### Sprint 5 — Semaines 9–10 : Moteur de routage + +**Objectif :** Les requêtes sont routées automatiquement selon des politiques configurables par tenant. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|--------------------------------------------------------------------------------------------------------------------|-----------------|--------------|-------------------------------------------------------------------------------------| +| 5.1 | Modèle de données politiques : table routing_rules (conditions JSONB, action, priority, tenant_id) | Backend Sr | BLOQUANT | Migration appliquée. CRUD fonctionnel via API interne | +| 5.2 | Moteur de règles : évaluateur de conditions (user.department, request.sensitivity, etc.) par priorité décroissante | Lead Backend | BLOQUANT | 10 règles évaluées en \< 1ms. Règle la plus prioritaire gagne. Catch-all fonctionne | +| 5.3 | Intégration sensitivity scoring : le score PII détermine le sensitivity_level utilisé dans le routage | Lead Backend | BLOQUANT | Prompt avec PII critique → sensitivity=critical → route vers modèle local | +| 5.4 | Fallback chain : si le modèle primaire échoue, bascule vers secondaire puis global | Lead Backend | IMPORTANT | Test : mock un provider en erreur 500, vérifier le fallback. Log de fallback généré | +| 5.5 | Circuit breaker : désactivation automatique d’un provider après 5 erreurs consécutives. Réactivation après 60s | Lead Backend | IMPORTANT | Test : envoyer 6 requêtes à un provider mock KO → les 5 dernières sont redirigées | +| 5.6 | Cache des règles : les politiques sont cachées en mémoire (refresh toutes les 30s ou sur event) | Lead Backend | IMPORTANT | Modification d’une règle visible en \< 30s sans redémarrage | +| 5.7 | API admin politiques : CRUD /v1/admin/policies avec validation des conditions | Backend Sr | IMPORTANT | Création d’une politique via API. Validation des champs (pas de condition invalide) | +| 5.8 | Tests moteur de règles : 30+ tests couvrant combinaisons de conditions, priorités, conflits | Lead Backend | IMPORTANT | go test passe. 100% des cas de conditions documentés testés | + +### Sprint 6 — Semaines 11–12 : Journalisation + Tokens + +**Objectif :** Chaque requête est loggée dans ClickHouse avec tous les champs définis dans le PRD. Comptage des tokens fonctionnel. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|-------------------------------------------------------------------------------------------------------------------------------|-----------------|--------------|-------------------------------------------------------------------------------| +| 6.1 | Schema ClickHouse : table audit_logs avec tous les 20 champs du PRD, partitionnement par mois, TTL 90j pour hot tier | Backend Sr | BLOQUANT | Table créée. INSERT fonctionne. SELECT avec GROUP BY sur 100k lignes \< 500ms | +| 6.2 | Module Logger Go : collecte asynchrone des métadonnées de chaque requête, batch insert ClickHouse (toutes les 1s ou 100 logs) | Backend Sr | BLOQUANT | Aucun log perdu sous charge (1000 req/s). Insert async ne bloque pas le proxy | +| 6.3 | Hash SHA-256 du prompt et de la réponse (pas le contenu brut dans les logs) | Backend Sr | BLOQUANT | Les logs ne contiennent aucun contenu en clair. Hash vérifiable | +| 6.4 | Chiffrement applicatif du champ prompt_anonymized (AES-256-GCM, clé dérivée par tenant via KMS) | Backend Sr | IMPORTANT | Le champ est illisible en DB sans la clé. Déchiffrement fonctionne via l’API | +| 6.5 | Module Billing : comptage tokens (tiktoken pour OpenAI, approximation pour les autres), agrégation par user/dept/model | Backend Sr | IMPORTANT | Comptage OpenAI = ±5% du comptage officiel. Agrégation par dept fonctionne | +| 6.6 | API de consultation des logs : GET /v1/admin/logs avec filtres (date, user, model, status) et pagination | Backend Sr | IMPORTANT | Requête filtrée retourne en \< 2s sur 1M de logs | +| 6.7 | API coûts : GET /v1/admin/costs avec agrégation par période/model/dept | Backend Sr | SOUHAITABLE | Dashboard data endpoint fonctionnel | + +### Sprint 7 — Semaines 13–14 : Dashboard frontend v1 + +**Objectif :** Première version du dashboard avec authentification, vue d’ensemble, et gestion des politiques. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|----------------------------------------------------------------------------------------------------------|-----------------|--------------|----------------------------------------------------------------------------------------------| +| 7.1 | Setup React + TypeScript + Vite + TailwindCSS + shadcn/ui. Structure de pages, routing (react-router) | Frontend | BLOQUANT | npm run dev lance l’app. Build \< 30s. Pas d’erreur TypeScript | +| 7.2 | Auth flow : login via Keycloak (OIDC PKCE), gestion des tokens, refresh, logout, redirect | Frontend | BLOQUANT | Login → redirect Keycloak → retour sur le dashboard avec session active. Refresh automatique | +| 7.3 | Page Overview : cartes KPI (requêtes 24h, PII détectées, coût total, modèle le plus utilisé) | Frontend | BLOQUANT | Données réelles depuis l’API. Mise à jour toutes les 30s | +| 7.4 | Graphique volume de requêtes (recharts) : line chart 7j/30j, breakdown par modèle ou département | Frontend | IMPORTANT | Chart interactif avec tooltip. Changement de période fonctionne | +| 7.5 | Page Politiques : liste des règles de routage, création/édition via formulaire, activation/désactivation | Frontend | IMPORTANT | CRUD complet sur les politiques depuis l’UI. Validation côté client | +| 7.6 | Page Utilisateurs : liste des users, attribution de rôles, filtrage par département | Frontend | IMPORTANT | Admin peut changer le rôle d’un user. Changement immédiatement effectif | +| 7.7 | Layout général : sidebar navigation, header avec tenant name, responsive design | Frontend | IMPORTANT | Navigation fluide. Pas de scroll horizontal sur 1280px | +| 7.8 | Guards de permission : les pages admin ne sont pas accessibles aux rôles User. Auditor = read-only | Frontend | IMPORTANT | User rôle « user » ne voit pas les pages admin. Auditor ne peut pas modifier | + +### Sprint 8 — Semaines 15–16 : Dashboard sécurité + Playground + +**Objectif :** Le dashboard inclut la vue sécurité RSSI et un playground démonstratif. + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|--------------|---------------------------------------------------------------------------------------------| +| 8.1 | Page Sécurité : volume PII par type (bar chart), requêtes bloquées, top users PII, timeline des incidents | Frontend | BLOQUANT | Données réelles. Filtrage par période. Export CSV | +| 8.2 | Page Coûts : breakdown par modèle (pie chart), par département, tendance mensuelle, alerte budget | Frontend | BLOQUANT | Projection du coût mensuel visible. Alerte si \> 80% du budget | +| 8.3 | Playground (killer feature démo) : zone de texte où on tape un prompt, visualisation en temps réel des PII détectées (highlight coloré), choix du modèle, envoi et réponse | Frontend + Lead | IMPORTANT | Taper un IBAN dans le prompt le highlight en rouge. Envoi au LLM montre le prompt anonymisé | +| 8.4 | Page Logs (Audit Trail) : tableau paginable des logs, filtres (date, user, model, status, sensitivity), détail expand | Frontend | IMPORTANT | Pagination fluide sur 100k+ logs. Filtres combinent correctement | +| 8.5 | Alertes basiques : notification in-app quand un seuil est dépassé (PII/h, coût/j, erreurs/h) | Frontend + Backend Sr | IMPORTANT | Configuration des seuils par l’admin. Notification visible dans le dashboard | +| 8.6 | Wizard configuration provider : formulaire guidé pour ajouter un nouveau provider IA (API key, endpoint, modèle par défaut) | Frontend | SOUHAITABLE | Ajout d’un provider en 3 étapes. Test de connexion intégré | + +**État à la fin de Phase 2 :** Le produit est démontrable en intégralité via l’UI. Proxy + PII + Routage + Logs + Dashboard + RBAC fonctionnent ensemble. Le playground permet une démo impressionnante en 5 minutes. On peut commencer à démarcher des clients pilotes. + +## PHASE 3 — Conformité et hardening (Sprints 9–10, Semaines 17–20) + +**Objectif de phase :** Rapports conformité RGPD et AI Act, hardening sécurité, préparation au pentest. + +### Sprint 9 — Semaines 17–18 : Module conformité + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|---------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|--------------|-----------------------------------------------------------------------------------| +| 9.1 | Modèle de données registre des traitements : table processing_registry (finalité, base légale, destinataires, durée, mesures sécurité, tenant_id) | Backend Sr | BLOQUANT | CRUD fonctionnel. Chaque cas d’usage IA est documentable | +| 9.2 | Classification risque AI Act : enum (forbidden, high_risk, limited_risk, minimal_risk) par cas d’usage, avec questionnaire guidé | Backend Sr | BLOQUANT | Un admin peut classifier chaque usage. La classification est stockée et exportée | +| 9.3 | Génération rapport PDF Article 30 RGPD (via go-pdf ou WeasyPrint) : registre complet avec tous les champs obligatoires | Backend Sr | BLOQUANT | GET /v1/admin/compliance/report?format=pdf retourne un PDF lisible, complet, daté | +| 9.4 | Génération rapport AI Act : fiche par système IA (modèle, classification, mesures, logs) | Backend Sr | IMPORTANT | PDF contient classification, mesures de mitigation, stats d’usage | +| 9.5 | API droits RGPD — accès (Art. 15) : export de toutes les données liées à un user_id | Backend Sr | IMPORTANT | GET /v1/admin/gdpr/access/{user_id} retourne JSON avec tous les logs associés | +| 9.6 | API droits RGPD — effacement (Art. 17) : suppression des logs et mappings PII d’un user | Backend Sr | IMPORTANT | DELETE /v1/admin/gdpr/erase/{user_id} supprime et loggue la suppression | +| 9.7 | Page Conformité frontend : registre des traitements, classification AI Act, génération rapports | Frontend | IMPORTANT | Formulaire de saisie intuitif. Bouton « Générer rapport » télécharge le PDF | + +### Sprint 10 — Semaines 19–20 : Hardening sécurité + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|-----------------------------------------------------------------------------------------------------------------------------------------------|-----------------|--------------|--------------------------------------------------------------------------------------------------| +| 10.1 | mTLS entre tous les composants internes (proxy ↔ PII, proxy ↔ DB, proxy ↔ ClickHouse) via cert-manager + Istio/linkerd | DevOps | BLOQUANT | Wireshark sur le réseau interne ne montre que du trafic chiffré. Pas de communication en clair | +| 10.2 | Network policies Kubernetes : deny-all par défaut, whitelist explicite pour chaque communication | DevOps | BLOQUANT | Un pod ne peut pas contacter un service non autorisé. Test : curl depuis un pod aléatoire échoue | +| 10.3 | Intégration HashiCorp Vault : stockage des API keys LLM, credentials DB, clés de chiffrement. Accès via service account K8s | DevOps | BLOQUANT | Aucun secret en variable d’environnement ou en ConfigMap. Vault audit log actif | +| 10.4 | SAST intégré CI : Semgrep avec rulesets Go + Python + React. Bloque le merge si finding critique | DevOps | IMPORTANT | Pipeline bloque sur un code avec SQL injection. Zero critical finding sur le code actuel | +| 10.5 | Scan images Docker : Trivy en CI. Bloque si vulnérabilité critique non patchée | DevOps | IMPORTANT | Toutes les images de base sont pinned (sha256). Zero CVE critique | +| 10.6 | DAST : OWASP ZAP automatisé sur staging. Rapport généré à chaque déploiement | DevOps | IMPORTANT | Rapport ZAP sans finding critique (Medium accepté si justifié) | +| 10.7 | Audit logging : toutes les actions admin (modification politique, accès logs, modification RBAC) sont loggées dans une table admin_audit_logs | Backend Sr | IMPORTANT | Toute modification par un admin est traçable avec timestamp, user, before/after | +| 10.8 | Rate limiting par tenant et par user : configuration via Kong (ou middleware Go) | Lead Backend | IMPORTANT | Un user dépassant sa limite reçoit 429. Configurable par tenant | +| 10.9 | Tests de charge : k6 ou vegeta, cible 1000 req/s soutenues pendant 10 min, p99 \< 300ms | DevOps + Lead | IMPORTANT | Rapport de charge validé. Pas d’OOM, pas de goroutine leak, pas de connexion DB saturante | + +**État à la fin de Phase 3 :** Le produit est sécurisé, conforme, et prêt pour un audit externe. Les rapports RGPD et AI Act sont générables en 1 clic. Toutes les communications internes sont chiffrées. Aucun secret en clair. + +## PHASE 4 — Beta, polish et lancement (Sprints 11–13, Semaines 21–26) + +**Objectif de phase :** Beta privée avec 2–3 clients pilotes, remédiation, pentest, lancement production. + +### Sprint 11 — Semaines 21–22 : Beta privée + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|-----------------------------------------------------------------------------------------------------------------------------------------|-----------------|--------------|------------------------------------------------------------------------------| +| 11.1 | Tests E2E automatisés : 20+ scénarios couvrant le parcours complet (login → config provider → envoi prompt → vérif PII → log → rapport) | Tous | BLOQUANT | Suite E2E green en CI. Temps d’exécution \< 10min | +| 11.2 | Documentation API complète : OpenAPI 3.1 généré (swaggo), publiée sur /docs | Lead Backend | BLOQUANT | Swagger UI accessible. Tous les endpoints documentés avec exemples | +| 11.3 | Guide d’intégration : comment configurer son application pour utiliser le proxy (changement d’URL base, headers auth) | Lead Backend | BLOQUANT | Un dev externe peut intégrer en \< 30 min en suivant le guide | +| 11.4 | Onboarding client pilote \#1 : création tenant, configuration SSO (SAML/OIDC), import users, setup providers | PM + DevOps | BLOQUANT | Client opérationnel en \< 1 journée. Premières requêtes relayées avec succès | +| 11.5 | Onboarding client pilote \#2 | PM + DevOps | IMPORTANT | Idem \#1. Vérifie que le processus est reproductible | +| 11.6 | Guide utilisateur admin : PDF/web expliquant chaque fonctionnalité du dashboard | PM | IMPORTANT | Relu par un non-technique. Captures d’écran à jour | +| 11.7 | Feature flags : désactivation possible de chaque module (PII, routing, billing) par tenant | Lead Backend | IMPORTANT | Toggle via API admin. Effet immédiat sans redémarrage | + +### Sprint 12 — Semaines 23–24 : Feedback + Pentest + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|-------------------------------------------------------------------------------------------|------------------|--------------|---------------------------------------------------------------------------| +| 12.1 | Collecte et tri du feedback clients pilotes : bugs, améliorations UX, features manquantes | PM | BLOQUANT | Backlog priorisé avec les retours classés (bug / UX / feature) | +| 12.2 | Bug fixes critiques identifiés par les pilotes | Tous | BLOQUANT | Zero bug bloquant restant. Bugs medium avec workaround documenté | +| 12.3 | Améliorations UX prioritaires (top 5 retours) | Frontend | IMPORTANT | Les 5 points UX les plus remontés sont corrigés | +| 12.4 | Pentest externe (cabinet spécialisé, grey box) : scope = API + dashboard + infra | Externe + DevOps | BLOQUANT | Pentest démarré, périmètre validé, accès fournis. Rapport attendu S24-S25 | +| 12.5 | Optimisation performance : analyse des bottlenecks identifiés en production beta | Lead Backend | IMPORTANT | p99 proxy amélioré si problème identifié. Pas de requête \> 5s | +| 12.6 | Blue/green deployment setup : déploiement sans downtime, rollback en 1 commande | DevOps | IMPORTANT | Déploiement de staging testé en blue/green. Rollback \< 30s | + +### Sprint 13 — Semaines 25–26 : Lancement production + +| **\#** | **Tâche** | **Responsable** | **Priorité** | **Critère d’acceptance** | +|--------|-----------------------------------------------------------------------------------------------------------------------------|-----------------|--------------|----------------------------------------------------------------------------| +| 13.1 | Remédiation findings pentest : corriger tous les findings Critical et High, documenter l’acceptation des Medium | Tous | BLOQUANT | Zero finding Critical/High ouvert. Rapport de remédiation produit | +| 13.2 | Déploiement cluster production : AWS eu-west-3, 3 AZ, autoscaling, backup quotidien PostgreSQL, replication ClickHouse | DevOps | BLOQUANT | Cluster production opérationnel. DR testé (restauration backup \< 1h) | +| 13.3 | Monitoring production : Grafana dashboards (proxy latency, error rate, PII volume, DB connections), alertes PagerDuty/Slack | DevOps | BLOQUANT | Alerte test reçue en \< 5min. Dashboard affiche les métriques production | +| 13.4 | Runbooks opérationnels : procédures pour incidents courants (provider down, DB full, cert expiré, traffic spike) | DevOps | IMPORTANT | 5+ runbooks rédigés. Chaque runbook testé en staging | +| 13.5 | Landing page + démo interactive (vidéo 3min ou playground public) | PM + Frontend | IMPORTANT | Page live. Formulaire de contact fonctionnel. Démo convaincante en \< 3min | +| 13.6 | Migration clients pilotes vers production | PM + DevOps | BLOQUANT | Clients opérationnels en production. Données migrées si applicable | +| 13.7 | Matériel commercial : one-pager PDF, deck 10 slides, battle card RSSI/DSI/DPO | PM | IMPORTANT | Validé par au moins 1 prospect. Pas de jargon technique excessif | +| 13.8 | Rétrospective projet + planification V1.1 | Tous | SOUHAITABLE | Retro documentée. Backlog V1.1 priorisé | + +# Partie D — Chemin critique et dépendances + +## D.1 — Chemin critique (tâches qui, si retardées, retardent tout) + +| **Sprint** | **Tâches critiques** | **Raison** | +|------------|-----------------------------------------------------|---------------------------------------------------------------------------------------------------| +| S1 | 1.1 Monorepo + 1.3 Docker Compose + 1.4 K8s staging | Sans infra, personne ne peut travailler | +| S2 | 2.1–2.2 Proxy non-streaming + streaming SSE | Le proxy est le cœur. Tout en dépend. | +| S3 | 3.1–3.6 Pipeline PII complet + intégration gRPC | L’anonymisation est le différenciateur. Si la latence est trop haute, le produit est inutilisable | +| S5 | 5.2 Moteur de règles | Le routage est la valeur ajoutée pour le DSI | +| S6 | 6.1–6.2 Journalisation ClickHouse | Sans logs, pas de dashboard ni de conformité | +| S9 | 9.3 Génération rapport RGPD | Sans rapport, pas de vente au DPO | +| S10 | 10.1–10.3 mTLS + Network policies + Vault | Sans sécurité, pas de vente enterprise | +| S12 | 12.4 Pentest | Le pentest doit être commandé au plus tard S10 (délai 2-3 semaines pour un cabinet) | +| S13 | 13.1–13.2 Remédiation + Production | Le lancement ne peut pas être retardé au-delà de S13 sans impact commercial | + +## D.2 — Actions à lancer en avance + +Certaines actions doivent être initiées bien avant leur sprint cible : + +| **Action** | **Démarrer à** | **Nécessaire pour** | **Responsable** | +|----------------------------------------------------------------------|----------------|--------------------------|-----------------| +| Identifier et contacter 5 prospects pilotes | Semaine 1 | S11 (onboarding beta) | PM | +| Négocier accès Azure AD test pour intégration SAML | Semaine 2 | S4 (RBAC Keycloak) | PM + DevOps | +| Rédiger cahier des charges pentest + contacter 3 cabinets | Semaine 12 | S12 (pentest) | PM + DevOps | +| Signer DPA avec les providers IA (OpenAI, Anthropic, etc.) | Semaine 4 | S9 (conformité) | PM + Légal | +| Obtenir un avis juridique sur la conformité RGPD de l’architecture | Semaine 8 | S9 (rapports conformité) | PM + Légal | +| Commander les certificats SSL production + domaine | Semaine 18 | S13 (production) | DevOps | +| Créer le compte AWS production + setup Organization + billing alerts | Semaine 16 | S13 (production) | DevOps | + +# Partie E — Métriques de suivi et gates de qualité + +## E.1 — Quality Gates par phase + +Chaque phase a des critères de passage obligatoires. Si un gate n’est pas passé, on ne passe pas à la phase suivante. + +| **Phase** | **Gate** | **Critère de passage** | +|---------------------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------| +| Phase 1 → Phase 2 | Proxy + PII + Auth fonctionnels | Démo en live : envoyer un prompt avec PII via le proxy, montrer l’anonymisation et la réponse dé-pseudonymisée. \< 300ms total. | +| Phase 2 → Phase 3 | Dashboard démontrable | Démo complète en live : login → dashboard → playground → politiques → logs. Toutes les données sont réelles (pas de mocks). | +| Phase 3 → Phase 4 | Sécurité validée | Zero finding critique SAST/DAST. mTLS actif. Vault intégré. Rapport RGPD générable. Test de charge passé. | +| Phase 4 → Lancement | Production ready | Pentest passé (zero critical). Monitoring opérationnel. Au moins 1 client pilote satisfait. Runbooks rédigés. | + +## E.2 — KPIs techniques à suivre chaque sprint + +| **KPI** | **Cible** | **Mesure** | +|----------------------------------|-----------|-------------------------------| +| Test coverage (Go) | \> 75% | go test -cover. Vérifié en CI | +| Test coverage (Python) | \> 85% | pytest --cov. Vérifié en CI | +| Latence proxy p99 (sans PII) | \< 50ms | Prometheus histogram | +| Latence proxy p99 (avec PII) | \< 150ms | Prometheus histogram | +| Uptime staging | \> 99% | Healthcheck monitoring | +| Build time CI | \< 8 min | GitLab CI metrics | +| Déploiement staging | \< 5 min | Helm upgrade timing | +| CVE critiques non patchées | 0 | Trivy + Snyk | +| Findings SAST critiques | 0 | Semgrep | +| Nombre de secrets en clair | 0 | gitleaks en CI | +| Taux de détection PII (F1-score) | \> 0.92 | Benchmark sur corpus de test | + +# Partie F — Gestion des risques projet + +| **\#** | **Risque** | **Probabilité** | **Impact** | **Détection** | **Plan de mitigation** | **Plan de contingence (si le risque se matérialise)** | +|--------|---------------------------------------------------------------------------------------|-----------------|------------|---------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| +| R1 | Latence PII \> 100ms rendant le produit inutilisable | Moyenne | Critique | Benchmark S3 | Cache des patterns, préchargement spaCy, mode regex-only pour les requêtes basse sensibilité | Basculer sur regex-only pour le MVP. Reporter NER en V1.1. Impact : précision réduite mais produit livrable | +| R2 | Streaming SSE incompatible avec le pipeline PII (on ne peut pas anonymiser un stream) | Haute | Haut | Sprint 3 | En streaming, les PII sont détectées sur le prompt AVANT envoi (pas sur la réponse streamée). La réponse streamée n’est pas anonymisée (le prompt l’a déjà été). | Si nécessaire : bufferiser la réponse complète avant anonymisation, au prix de la latence perçue. Feature flag par tenant. | +| R3 | Départ d’un développeur clé en cours de projet | Moyenne | Critique | Continu | Documentation systématique (ADR, README par module). Code reviews croisées pour que chacun connaisse 2+ modules | Recrutement d’un consultant senior en urgence (via Malt/Toptal). Accepter un retard de 2-4 semaines. | +| R4 | Client pilote indisponible ou non engagé | Haute | Haut | Semaine 8 | Identifier 5 prospects dès S1. Signer un LOI (Letter of Intent) dès S6 | Utiliser le produit en interne comme premier client. Démo sur données synthétiques pour les prospects. | +| R5 | ClickHouse trop complexe à opérer pour l’équipe | Moyenne | Moyen | Sprint 6 | Utiliser ClickHouse Cloud (managé) plutôt que self-hosted. Ou démarrer avec TimescaleDB et migrer en V1.1 | Fallback sur PostgreSQL + partitionnement temporel pour le MVP. Moins performant mais opérable. | +| R6 | L’AI Act évolue et invalide notre classification | Basse | Moyen | Continu | Veille réglementaire mensuelle. Classification configurable (pas hardcodée) | Mise à jour de la classification en 1-2 semaines (c’est de la config, pas du code). | + +# Partie G — Budget estimatif sur 6 mois + +| **Poste** | **Détail** | **Coût mensuel** | **Coût 6 mois** | +|-------------------------------|----------------------------------------------------------------------|------------------|-----------------| +| Équipe (salaires/TJM) | 4 ETP seniors (TJM moyen 650€) + 0.5 PM (TJM 550€) | ~60 000 € | ~360 000 € | +| Infra cloud (staging + prod) | EKS (3 nodes m5.xlarge), RDS PostgreSQL, ClickHouse Cloud, Redis, S3 | ~3 500 € | ~21 000 € | +| Services SaaS | GitLab Premium, Vault Cloud, monitoring, domaines | ~800 € | ~4 800 € | +| API IA (dév/test) | OpenAI, Anthropic, Mistral pour tests d’intégration | ~500 € | ~3 000 € | +| Pentest externe | Cabinet spécialisé, grey box, 5 jours | Ponctuel | ~12 000 € | +| Juridique (DPA, CGV, RGPD) | Avocat spécialisé tech/RGPD | Ponctuel | ~8 000 € | +| Divers (licences, formations) | Conférences, tools individuels | ~300 € | ~1 800 € | +| TOTAL | | | ~410 000 € | + +**Note :** Ce budget suppose une équipe en freelance/CDI. Si l’équipe est déjà en place, le coût se réduit à ~50k€ (infra + pentest + juridique). Le point mort est atteignable avec 1 client Enterprise (40k€ MRR) dès le mois 7. + +# Partie H — Checklist de lancement (Go/No-Go) + +Cette checklist doit être validée à 100% avant le passage en production. Chaque item est un Go/No-Go. + +| **Catégorie** | **Item** | **Critère** | +|---------------|------------------------------------------------------------------------------------------|---------------------------------------| +| Fonctionnel | Proxy relay fonctionne pour les 4 providers (OpenAI, Anthropic, Azure, Ollama) | Test E2E green | +| Fonctionnel | Anonymisation PII fonctionne sur les 6 types de PII (IBAN, email, tél, nom, adresse, SS) | Test E2E green + benchmark F1 \> 0.92 | +| Fonctionnel | Streaming SSE fonctionne avec anonymisation du prompt | Démo live | +| Fonctionnel | Routage intelligent fonctionne avec 5+ règles simultanées | Test E2E green | +| Fonctionnel | Dashboard affiche données réelles (pas de mock) | Vérification visuelle | +| Fonctionnel | Rapport RGPD Article 30 générable en PDF | PDF téléchargeable et lisible | +| Sécurité | Pentest : 0 finding Critical, 0 finding High ouvert | Rapport pentest validé | +| Sécurité | mTLS actif entre tous les composants | Wireshark test | +| Sécurité | Vault intégré, 0 secret en clair | Audit Vault + gitleaks | +| Sécurité | SAST/DAST : 0 finding critique | Rapport Semgrep + ZAP | +| Performance | Proxy p99 \< 300ms sous 500 req/s | Rapport k6 | +| Performance | Dashboard charge en \< 3s | Lighthouse score \> 70 | +| Ops | Monitoring production opérationnel (Grafana + alertes) | Alerte test reçue | +| Ops | Backup PostgreSQL automatisé + test de restauration | Restauration en \< 1h | +| Ops | Blue/green deployment fonctionnel | Déploiement testé | +| Ops | 5+ runbooks rédigés et testés | Revue par l’équipe | +| Commercial | Au moins 1 client pilote satisfait (NPS \> 7) | Feedback documenté | +| Commercial | Landing page + matériel commercial prêt | Page live, démo fonctionnelle | +| Légal | CGV/CGU rédigées et validées par un avocat | Document signé | +| Légal | DPA avec les providers IA signés | Documents archivés | + +Si un item « No-Go » persiste à S25, une décision explicite doit être prise : corriger avant lancement (retard), accepter le risque (documenté), ou retirer la feature (scope cut). + +# Synthèse + +Ce plan transforme le PRD en 13 sprints exécutables contenant 113 tâches décomposées, chacune avec un responsable, une priorité, et un critère d’acceptance mesurable. + +Les corrections clés apportées par rapport au PRD : + +- Communication Go ↔ Python explicitée (gRPC sidecar) + +- Tests intégrés dès le sprint 1 (pas repoussés au mois 5) + +- Playground démo ajouté (killer feature pour la vente) + +- Buffer de 20% intégré dans chaque estimation + +- Chemin critique et dépendances explicités + +- Actions à lancer en avance identifiées + +- Quality gates entre chaque phase + +- Checklist Go/No-Go avant lancement + +- Budget réaliste chiffré (~410k€) + +**Prochaine étape immédiate :** Recruter l’équipe (ou confirmer la disponibilité), commander le setup GitLab + AWS, et identifier les 5 premiers prospects pilotes. Le sprint 1 peut démarrer dès que 3 des 4 développeurs sont en place. diff --git a/docs/Veylant_IA_Plan_Agile_Scrum.md b/docs/Veylant_IA_Plan_Agile_Scrum.md new file mode 100644 index 0000000..139336a --- /dev/null +++ b/docs/Veylant_IA_Plan_Agile_Scrum.md @@ -0,0 +1,857 @@ +# Veylant IA — Plan Agile Scrum Détaillé + +**Scrum Master Document — Version 1.0 — Février 2026** +**Confidentiel — Usage interne équipe** + +--- + +## Sommaire + +1. [Cadre Scrum](#1-cadre-scrum) +2. [Product Backlog — Epics et Stories](#2-product-backlog--epics-et-stories) +3. [Release Plan — Vision 6 mois](#3-release-plan--vision-6-mois) +4. [Sprints Détaillés](#4-sprints-détaillés) +5. [Chemin Critique et Dépendances](#5-chemin-critique-et-dépendances) +6. [Registre des Risques Scrum](#6-registre-des-risques-scrum) +7. [Métriques et KPIs Scrum](#7-métriques-et-kpis-scrum) +8. [Actions à Lancer Immédiatement](#8-actions-à-lancer-immédiatement) + +--- + +## 1. Cadre Scrum + +### 1.1 Équipe Scrum + +| Rôle | Personne | Charge | Responsabilité | +|------|----------|--------|----------------| +| **Product Owner** | PM | 50% | Backlog, priorisation, stakeholders, clients pilotes | +| **Scrum Master** | CTO / Lead Backend | ~10% | Cérémonies, impediments, amélioration continue | +| **Dev Team — Backend Go** | CTO / Lead Backend | 90% | Proxy, Router, Adapters, API admin | +| **Dev Team — Backend Python** | Backend Senior | 100% | PII service, Logger, Billing, Compliance | +| **Dev Team — Frontend** | Frontend Senior | 100% | Dashboard React, Auth flow, UX | +| **Dev Team — DevOps/SRE** | DevOps | 100% | Infra, CI/CD, Sécurité, Monitoring | + +> **Règle d'or :** Le PO est disponible pour des questions bloquantes sous 2h maximum. Tout impediment non résolu en 24h est escaladé en Daily Standup. + +### 1.2 Cérémonies + +| Cérémonie | Fréquence | Durée max | Participants | Livrable | +|-----------|-----------|-----------|-------------|----------| +| **Sprint Planning** | J1 du sprint | 3h | Toute l'équipe | Sprint Backlog validé + Sprint Goal | +| **Daily Standup** | Quotidien 9h30 | 15 min | Dev Team | Liste d'impediments | +| **Backlog Refinement** | J6 du sprint | 1h30 | PO + Dev Team | 2 sprints de backlog affinés et estimés | +| **Sprint Review** | J10 du sprint | 1h | Toute l'équipe + invités | Démo du livrable + feedback | +| **Sprint Retrospective** | J10 du sprint | 1h | Toute l'équipe | 1-3 actions d'amélioration concrètes | +| **Security Review** | Toutes les 4 sem. | 1h | Dev Team | Rapport sécurité sprint | + +**Format Daily Standup** (timeboxé 15 min) : +1. Ce que j'ai accompli hier (30s/pers) +2. Ce que je fais aujourd'hui (30s/pers) +3. Mes blockers (durée variable — les résoudre APRÈS le standup) + +**Format Sprint Review** : +1. Rappel du Sprint Goal (2 min) +2. Démo des stories complétées (30 min) — toujours sur l'environnement staging, jamais en mockup +3. Stories non complétées + raison (5 min) +4. Feedback PO / invités (15 min) +5. Mise à jour du backlog (8 min) + +### 1.3 Definition of Done (DoD) + +Une story est **Done** uniquement si **tous** ces critères sont remplis : + +- [ ] Code reviewé et approuvé par au moins 1 autre développeur +- [ ] Tests unitaires écrits et verts (coverage > cible du module) +- [ ] Tests d'intégration mis à jour si applicable +- [ ] Pipeline CI/CD vert (build, lint, test, sécurité, scan) +- [ ] Critères d'acceptance validés par le PO ou son délégué +- [ ] Documentation technique inline à jour (commentaires, README module) +- [ ] Pas de secret ou credential hardcodé (gitleaks passe) +- [ ] Pas de CVE critique introduit (Trivy passe) +- [ ] Déployé et testé en staging + +> Une story à 95% n'est pas Done. Partiel = non livré. + +### 1.4 Definition of Ready (DoR) + +Une story peut entrer en Sprint Planning uniquement si : + +- [ ] User Story rédigée (format : En tant que... je veux... afin de...) +- [ ] Critères d'acceptance explicites et testables +- [ ] Story estimée en Story Points par toute l'équipe +- [ ] Dépendances identifiées (et résolues, ou planifiées dans le même sprint) +- [ ] Aucun blocker connu non adressé +- [ ] Maquettes/specs techniques disponibles si applicable +- [ ] Taille ≤ 8 SP (sinon à décomposer) + +### 1.5 Vélocité et Capacité + +**Capacité brute par sprint :** +- 4 développeurs × 10 jours ouvrés × 6h de dev effectif = 240 h/sprint +- Cérémonies : ~5h/pers (planning 3h + daily 2.5h + review 1h + retro 1h = 7.5h → 2 × 3.75h = 7.5h /2 sem) → retrait de ~7h/pers +- **Capacité nette : ~212 h/sprint** + +**Échelle Story Points :** + +| SP | Durée estimée | Exemple | +|----|--------------|---------| +| 1 | < 2h | Modification de config, ajout d'un endpoint trivial | +| 2 | ~demi-journée | Middleware simple, modèle de données basique | +| 3 | ~1 jour | Module simple avec tests | +| 5 | ~2-3 jours | Feature complète avec intégration | +| 8 | ~4-5 jours | Module complexe ou spike technique | +| 13 | > 1 semaine | **À décomposer obligatoirement** | + +**Vélocité cible :** + +| Sprint | Vélocité Cible | Justification | +|--------|---------------|---------------| +| S1-S2 | 38-40 SP | Ramp-up équipe, setup infra imprévisible | +| S3-S6 | 44-48 SP | Équipe en rythme, domaine complexe | +| S7-S10 | 48-52 SP | Vélocité de croisière | +| S11-S13 | 38-42 SP | Tests E2E, feedback, remédiation | + +**Total projet estimé : ~580 SP** + +--- + +## 2. Product Backlog — Epics et Stories + +### Organisation des Epics + +``` +E1 — Infrastructure & DevOps [~70 SP] +E2 — AI Proxy Core [~65 SP] +E3 — Authentification & RBAC [~55 SP] +E4 — Anonymisation PII [~75 SP] +E5 — Multi-provider IA [~40 SP] +E6 — Moteur de Routage [~50 SP] +E7 — Journalisation & Audit [~55 SP] +E8 — Dashboard & Frontend [~85 SP] +E9 — Conformité RGPD & AI Act [~50 SP] +E10 — Sécurité & Hardening [~55 SP] +E11 — Beta, Tests & Lancement [~80 SP] + ───────── +TOTAL ESTIMÉ ~680 SP +``` + +> Note : 680 SP estimés pour ~580 SP de capacité → 15% de buffer naturel. Le delta sera géré par priorisation stricte du backlog. + +### Stories clés par Epic (format ID — Titre — SP) + +#### Epic 1 — Infrastructure & DevOps +``` +E1-01 — Monorepo GitLab + structure dossiers — 2 SP +E1-02 — Pipeline CI/CD (build Go + Python + React + lint + tests) — 8 SP +E1-03 — Docker Compose local complet (Go + PG + CH + Redis + Keycloak) — 5 SP +E1-04 — Cluster K8s staging AWS EKS eu-west-3 — 8 SP +E1-05 — Helm chart déploiement de l'application — 5 SP +E1-06 — Déploiement automatique staging sur merge to main — 3 SP +E1-07 — Prometheus + Grafana staging — 5 SP +E1-08 — OpenTelemetry + Jaeger — 5 SP +E1-09 — Blue/green deployment production — 8 SP +E1-10 — Cluster K8s production (3 AZ, autoscaling, backup) — 8 SP +E1-11 — Alerting production (PagerDuty/Slack) — 5 SP +E1-12 — Runbooks opérationnels (5+) — 5 SP +E1-13 — Terraform/Pulumi infra-as-code — 3 SP (en parallèle S1) +``` + +#### Epic 2 — AI Proxy Core +``` +E2-01 — Scaffolding Go (chi router, middleware chain, graceful shutdown, /healthz) — 3 SP +E2-02 — Gestion de config (Viper, config.yaml, override env vars) — 2 SP +E2-03 — Proxy relay non-streaming (POST /v1/chat/completions → OpenAI) — 5 SP +E2-04 — Proxy relay streaming SSE (flush chunk par chunk, Flusher HTTP) — 8 SP [SPIKE] +E2-05 — Middleware Request ID (UUID v7, propagation headers/logs) — 2 SP +E2-06 — Middleware error handling (erreurs typées JSON format OpenAI) — 3 SP +E2-07 — Middleware rate limiting (par tenant, par user) — 5 SP +E2-08 — Connection pool HTTP (persistant, timeout configurable) — 3 SP +E2-09 — Circuit breaker (N erreurs → désactivation, réactivation auto) — 5 SP +E2-10 — Health check providers IA (ping cyclique, état dans métriques) — 3 SP +E2-11 — Tests unitaires proxy complets (coverage > 80%, go test -race) — 5 SP +E2-12 — Tests de charge proxy (k6, 1000 req/s, p99 < 300ms) — 8 SP +``` + +#### Epic 3 — Authentification & RBAC +``` +E3-01 — Modèle de données : users, tenants, roles, permissions — 3 SP +E3-02 — Setup Keycloak (realm, client OIDC, utilisateurs test) — 5 SP +E3-03 — Middleware Auth JWT (RS256, expiration, issuer, extraction claims) — 5 SP +E3-04 — RBAC middleware (rôles : Admin, Manager, User, Auditor) — 5 SP +E3-05 — Intégration SAML 2.0 Keycloak (federation Azure AD / Okta) — 8 SP +E3-06 — Synchronisation rôles Keycloak → app — 3 SP +E3-07 — API tenant management (CRUD tenants, providers autorisés, API keys chiffrées) — 5 SP +E3-08 — API user management (CRUD users, attribution rôles, dept) — 5 SP +E3-09 — Feature flags système (table PG + cache Redis) — 3 SP +E3-10 — Tests intégration Auth E2E (Keycloak via testcontainers) — 5 SP +``` + +#### Epic 4 — Anonymisation PII +``` +E4-01 — Schemas gRPC PII (PiiRequest, PiiResponse, PiiEntity, proto v1) — 3 SP +E4-02 — Scaffolding service Python (FastAPI, gRPC server, Dockerfile, pytest) — 3 SP +E4-03 — Couche 1 Regex : IBAN FR/EU, email, tél FR/intl, SS, CB (Luhn) — 5 SP +E4-04 — Tests regex (100+ cas positifs/négatifs, precision > 99%) — 3 SP +E4-05 — Couche 2 NER : Presidio + spaCy fr_core_news_lg (PER, LOC, ORG) — 8 SP +E4-06 — Benchmark NER (F1-score > 0.90, corpus français) — 3 SP +E4-07 — Pipeline unifié (regex → NER, déduplication, scoring confiance) — 5 SP +E4-08 — Pseudonymisation (tokens [PII:TYPE:UUID], mapping Redis AES-256-GCM, TTL) — 5 SP +E4-09 — Dé-pseudonymisation (réinjection valeurs dans réponse LLM) — 5 SP +E4-10 — Intégration gRPC Proxy Go ↔ PII Python — 5 SP +E4-11 — Benchmark latence (p99 < 50ms / 500 tokens, < 100ms / 2000 tokens) — 3 SP +E4-12 — Mode zero-retention (mapping mémoire uniquement, pas Redis) — 3 SP +E4-13 — Tests unitaires PII (50+ cas, multilangue, edge cases) — 5 SP +E4-14 — Option regex-only (feature flag, pour requêtes basse sensibilité) — 3 SP +``` + +#### Epic 5 — Multi-provider IA +``` +E5-01 — Interface Adapter Go (Send(), Stream(), Validate(), HealthCheck()) — 3 SP +E5-02 — Adapter OpenAI (format unifié, streaming SSE) — 5 SP +E5-03 — Adapter Anthropic (Messages API, system/user/assistant, streaming) — 5 SP +E5-04 — Adapter Azure OpenAI (endpoint custom, API version, deployment ID) — 5 SP +E5-05 — Adapter Mistral (chat/completions, modèles small/medium/large) — 3 SP +E5-06 — Adapter Ollama / vLLM (OpenAI-compatible, modèles locaux) — 5 SP +E5-07 — Wizard UI configuration provider (3 étapes, test de connexion) — 5 SP +E5-08 — Tests intégration multi-adapter (mock si pas de clé dispo) — 5 SP +``` + +#### Epic 6 — Moteur de Routage +``` +E6-01 — Modèle de données règles (routing_rules : conditions JSONB, action, priority) — 3 SP +E6-02 — Évaluateur de conditions (department, role, sensitivity, use_case, tokens) — 8 SP +E6-03 — Sensitivity scoring (score PII → sensitivity_level pour le routage) — 3 SP +E6-04 — Fallback chain configurable (primaire → secondaire → global) — 5 SP +E6-05 — Cache des règles (mémoire, refresh 30s ou sur event) — 3 SP +E6-06 — API admin politiques (CRUD /v1/admin/policies, validation) — 5 SP +E6-07 — Tests moteur de règles (30+ cas, priorités, conflits, catch-all) — 5 SP +E6-08 — Exemples de règles préconfigurées (RH, Finance, Engineering) — 3 SP +``` + +#### Epic 7 — Journalisation & Audit +``` +E7-01 — Schéma ClickHouse (audit_logs, 20 champs, partitionnement mensuel, TTL) — 5 SP +E7-02 — Module Logger Go (collecte async, batch insert 1s/100 logs) — 8 SP +E7-03 — Hash SHA-256 prompt/réponse (pas de contenu brut dans les logs) — 2 SP +E7-04 — Chiffrement applicatif champ prompt_anonymized (AES-256-GCM) — 5 SP +E7-05 — Module Billing (comptage tokens tiktoken, agrégation user/dept/model) — 5 SP +E7-06 — API consultation logs (GET /v1/admin/logs, filtres, pagination, < 2s) — 5 SP +E7-07 — API coûts (GET /v1/admin/costs, agrégation période/model/dept) — 3 SP +E7-08 — API alertes budget (seuils configurables par tenant, notification) — 5 SP +E7-09 — Audit de l'audit (log des accès admin_audit_logs) — 3 SP +E7-10 — Export CSV logs filtrés — 3 SP +E7-11 — Tests Logger (1000 req/s sans perte, insert async non bloquant) — 5 SP +``` + +#### Epic 8 — Dashboard & Frontend +``` +E8-01 — Setup React + TypeScript + Vite + TailwindCSS + shadcn/ui — 3 SP +E8-02 — Auth flow frontend (OIDC PKCE, refresh token, logout, redirect) — 5 SP +E8-03 — Layout général (sidebar, header tenant, responsive 1280px) — 3 SP +E8-04 — Route guards (admin/auditor/user permissions, pages protégées) — 3 SP +E8-05 — Page Overview (KPI cards : requêtes, PII, coût, modèle top) — 5 SP +E8-06 — Graphique volume requêtes (recharts line, 7j/30j, breakdown) — 5 SP +E8-07 — Page Politiques (liste règles, CRUD, activation/désactivation) — 8 SP +E8-08 — Page Utilisateurs (liste, attribution rôles, filtrage dept) — 5 SP +E8-09 — Page Sécurité RSSI (PII par type, requêtes bloquées, top users PII) — 8 SP +E8-10 — Page Coûts (breakdown modèle/dept, projection mensuelle, alerte) — 5 SP +E8-11 — Playground PII (highlight temps réel, choix modèle, envoi, réponse) — 8 SP [killer feature] +E8-12 — Page Logs Audit Trail (tableau paginé, filtres combinés, expand) — 8 SP +E8-13 — Alertes in-app (seuils configurables, notification dashboard) — 5 SP +E8-14 — Page Conformité (registre, classification AI Act, génération rapports) — 8 SP +E8-15 — Landing page + démo interactive — 5 SP +``` + +#### Epic 9 — Conformité RGPD & AI Act +``` +E9-01 — Modèle données registre traitements (processing_registry) — 3 SP +E9-02 — Classification risque AI Act (enum + questionnaire guidé) — 5 SP +E9-03 — Génération rapport PDF Article 30 RGPD (go-pdf / WeasyPrint) — 8 SP +E9-04 — Génération rapport AI Act (fiche par système IA) — 5 SP +E9-05 — API droit d'accès Art. 15 (export données user_id) — 3 SP +E9-06 — API droit d'effacement Art. 17 (purge logs + mappings PII) — 5 SP +E9-07 — Template DPIA pré-rempli — 5 SP +E9-08 — Génération rapport incident (template avec chronologie) — 3 SP +E9-09 — Documentation DPA fournisseurs IA (OpenAI, Anthropic, etc.) — 3 SP +``` + +#### Epic 10 — Sécurité & Hardening +``` +E10-01 — mTLS entre composants internes (cert-manager, Istio/Linkerd) — 8 SP +E10-02 — Network policies K8s (deny-all, whitelist explicite) — 5 SP +E10-03 — Intégration HashiCorp Vault (API keys, credentials, clés chiffrement) — 8 SP +E10-04 — SAST Semgrep en CI (Go + Python + React, bloque si critical) — 3 SP +E10-05 — Scan images Trivy en CI (bloque si CVE critique) — 2 SP +E10-06 — DAST OWASP ZAP automatisé sur staging — 5 SP +E10-07 — gitleaks en CI (détection secrets) — 2 SP +E10-08 — Rotation automatique API keys (90 jours, alertes) — 5 SP +E10-09 — Rate limiting par tenant/user (Kong ou middleware Go) — 5 SP +E10-10 — Tests de charge k6 (1000 req/s, 10 min, p99 < 300ms) — 8 SP +``` + +#### Epic 11 — Beta, Tests & Lancement +``` +E11-01 — Tests E2E automatisés (20+ scénarios complets, < 10 min CI) — 13 SP [décomposer] +E11-02 — Documentation API OpenAPI 3.1 (swaggo, /docs, exemples) — 5 SP +E11-03 — Guide d'intégration dev (intégration en < 30 min) — 3 SP +E11-04 — Onboarding client pilote #1 (tenant, SSO, users, providers) — 5 SP +E11-05 — Onboarding client pilote #2 — 5 SP +E11-06 — Guide utilisateur admin (PDF/web, captures) — 5 SP +E11-07 — Feature flags par module (PII, routing, billing) — 3 SP +E11-08 — Collecte et tri feedback pilotes — 3 SP +E11-09 — Bug fixes critiques post-pilote — 8 SP [buffer] +E11-10 — Améliorations UX top-5 — 5 SP +E11-11 — Pentest externe grey box (périmètre + accès + suivi) — 5 SP [coordination] +E11-12 — Remédiation pentest Critical + High — 8 SP [buffer] +E11-13 — Migration clients pilotes vers production — 5 SP +E11-14 — Matériel commercial (one-pager, deck 10 slides, battle card) — 5 SP +``` + +--- + +## 3. Release Plan — Vision 6 mois + +### Jalons clés + +``` +S1 (01/03) ──► Bootstrapping : dev env + squelette +S4 (29/03) ──► MILESTONE 1 : Proxy + PII + Auth ← Démo interne/prospects +S8 (28/04) ──► MILESTONE 2 : Dashboard + Playground ← Démo externe complète +S10 (10/05) ──► MILESTONE 3 : Conformité + Sécurité ← Prêt pour audit +S11 (24/05) ──► MILESTONE 4 : Beta privée — 2 clients pilotes connectés +S12 (07/06) ──► MILESTONE 5 : Pentest démarré + feedback intégré +S13 (21/06) ──► MILESTONE 6 : Lancement Production ← Go/No-Go +``` + +### Burn-up cumulatif cible + +| Sprint | SP livrés cumul | % du backlog MVP | +|--------|-----------------|-----------------| +| S1 | 38 | 7% | +| S2 | 78 | 14% | +| S3 | 124 | 22% | +| S4 | 170 | 30% | +| S5 | 218 | 38% | +| S6 | 265 | 47% | +| S7 | 315 | 56% | +| S8 | 365 | 65% | +| S9 | 410 | 73% | +| S10 | 458 | 82% | +| S11 | 498 | 89% | +| S12 | 533 | 95% | +| S13 | 563 | 100% | + +--- + +## 4. Sprints Détaillés + +--- + +### PHASE 1 — Fondations (S1–S4) +> **Objectif de Phase :** Un proxy fonctionnel, authentifié, qui anonymise les PII et supporte 4 fournisseurs IA. Démontrable via curl. Quality Gate : démo live < 300ms total. + +--- + +### Sprint 1 — Bootstrapping (Semaines 1–2) + +**Sprint Goal :** *"L'ensemble de l'équipe peut développer, tester et déployer de façon autonome. Le squelette applicatif compile et se déploie en staging en moins de 5 minutes."* + +**Capacité :** 38 SP (ramp-up, setup réseau/AWS imprévisible) + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E1-01 | Monorepo GitLab + structure `/cmd`, `/internal`, `/services/pii`, `/web`, `/deploy`, `/proto`, `/docs` | DevOps | 2 | BLOQUANT | +| E1-02 | Pipeline CI/CD : build Go + Python + React, lint (golangci-lint, black, eslint), tests unitaires, scan Trivy, gitleaks | DevOps | 8 | BLOQUANT | +| E1-03 | Docker Compose local : Go app + PostgreSQL 16 + ClickHouse + Redis 7 + Keycloak. `docker-compose up` < 60s | DevOps | 5 | BLOQUANT | +| E1-04 | Cluster K8s staging AWS EKS eu-west-3, 3 nodes, ingress Traefik, HTTPS | DevOps | 8 | BLOQUANT | +| E2-01 | Scaffolding Go : main.go, chi router, middleware chain vide, graceful shutdown (SIGTERM), `/healthz` retourne 200 | Lead Backend | 3 | BLOQUANT | +| E2-02 | Gestion config Viper : config.yaml + override env vars. Pas de valeur hardcodée | Lead Backend | 2 | IMPORTANT | +| E3-01 | Modèle de données PG v1 : tables `tenants`, `users`, `api_keys` + migrations golang-migrate | Backend Sr | 3 | IMPORTANT | +| E3-02 | Setup Keycloak : realm, client OIDC, utilisateur test, retourne JWT valide | DevOps | 5 | IMPORTANT | +| E4-01 | Schemas gRPC : `PiiRequest`, `PiiResponse`, `PiiEntity` → stubs Go + Python générés | Lead + Backend Sr | 2 | IMPORTANT | +| **Spike** | Investigation Terraform vs Pulumi pour infra-as-code (timebox 4h, sortie : ADR) | DevOps | — | IMPORTANT | + +**Total : 38 SP** + +**Critères d'acceptance sprint :** +- `docker-compose up` démarre tout en < 60s, healthchecks OK +- `kubectl get nodes` → 3 nodes Ready sur EKS eu-west-3 +- Pipeline CI vert sur commit vide, build < 8 min +- `GET /healthz` → 200. Graceful shutdown fonctionne en staging + +**Démo Sprint Review :** +> Montrer : `docker-compose up` → tous les services green → `curl /healthz` → 200. Déclencher un commit → montrer le pipeline CI vert en < 8 min → voir le déploiement automatique en staging. + +**Risques S1 :** +- Setup EKS + VPC + IAM peut prendre 3+ jours → Mitigation : utiliser le module Terraform `terraform-aws-eks` version stable. Si bloqué > 2 jours → passer en EKS via eksctl pour débloquer, IaC en parallèle. +- Incompatibilités version ClickHouse/Keycloak en Docker Compose → Mitigation : épingler les versions (SHA256 des images). + +--- + +### Sprint 2 — Proxy Core + Auth JWT (Semaines 3–4) + +**Sprint Goal :** *"Un développeur peut envoyer un prompt via le proxy Veylant IA et recevoir la réponse d'OpenAI, avec streaming temps réel et authentification JWT. Démontrable avec curl."* + +**Capacité :** 40 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E2-03 | **Proxy relay non-streaming** : `POST /v1/chat/completions` → OpenAI → réponse. Même résultat qu'un appel direct. | Lead Backend | 5 | BLOQUANT | +| E2-04 | **Proxy relay streaming SSE** : `stream:true`, flush chunk par chunk, pas de buffering. `curl --no-buffer` reçoit les chunks en temps réel. | Lead Backend | 8 | BLOQUANT | +| E3-03 | **Middleware Auth JWT** : RS256, expiration, issuer Keycloak. Sans JWT → 401. JWT expiré → 401. JWT valide → forward + contexte injecté (user_id, tenant_id, roles). | Backend Sr | 5 | BLOQUANT | +| E2-05 | **Middleware Request ID** : UUID v7 par requête, propagation headers (`X-Request-Id`) et logs | Lead Backend | 2 | IMPORTANT | +| E2-06 | **Middleware error handling** : erreurs typées JSON format OpenAI (`type`, `message`, `code`) | Lead Backend | 3 | IMPORTANT | +| E2-08 | **Connection pool HTTP** : connexions persistantes vers providers, timeout configurable | Lead Backend | 3 | IMPORTANT | +| E2-11 | **Tests unitaires proxy** : 15+ tests, cas nominaux/erreurs OpenAI/timeouts/headers. Coverage > 80%. `go test -race` passe. | Lead Backend | 5 | IMPORTANT | +| E3-10 | **Tests intégration Auth** : E2E avec Keycloak via testcontainers (obtenir token → appeler proxy → succès) | Backend Sr | 3 | IMPORTANT | +| E1-06 | **Déploiement auto staging** : merge to main → Helm upgrade auto. Rollback en 1 commande. | DevOps | 3 | IMPORTANT | +| E1-07 | **Métriques Prometheus basiques** : `request_count`, `request_duration_seconds`, `request_errors_total` visibles dans Grafana | DevOps | 3 | SOUHAITABLE | + +**Total : 40 SP** + +**Critères d'acceptance sprint :** +- `curl -H "Authorization: Bearer " -X POST /v1/chat/completions -d '{"model":"gpt-4o","messages":[...]}'` → réponse identique à OpenAI direct +- `curl --no-buffer ... stream:true` → chunks reçus en temps réel (latence perçue identique à OpenAI direct) +- Requête sans JWT → 401 en < 10ms + +**Démo Sprint Review :** +> Montrer en live : (1) Appel direct à OpenAI avec streaming. (2) Même appel via le proxy → même résultat, même latence perçue. (3) Appel sans JWT → 401. (4) Métriques Grafana montrant le request count. + +**Risques S2 :** +- **Le streaming SSE est le point technique le plus délicat du projet.** En Go, le `http.Flusher` doit être appelé après chaque chunk. Si OpenAI change son format SSE → l'adapter est localisé dans `E5-02`. Prévoir 3-4 jours de debug. Si bloqué → implémenter le mode non-streaming parfait d'abord, streaming en S3 avec 1 SP de retard accepté. + +--- + +### Sprint 3 — Pipeline PII v1 (Semaines 5–6) + +**Sprint Goal :** *"Le proxy anonymise automatiquement les données personnelles avant tout envoi à un LLM externe. Le token IBAN d'un prompt n'atteint jamais OpenAI. Démontrable via les logs."* + +**Capacité :** 44 SP (équipe en rythme) + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E4-02 | Scaffolding service PII Python : FastAPI, gRPC server, Dockerfile, pytest setup. Healthcheck gRPC répond. | Backend Sr | 3 | BLOQUANT | +| E4-03 | **Couche 1 Regex** : IBAN FR/EU, email, tél FR/intl, n° SS, CB (validation Luhn). Jeu de 100+ tests. Precision > 99%, Recall > 95%. | Backend Sr | 5 | BLOQUANT | +| E4-05 | **Couche 2 NER** : Presidio + spaCy `fr_core_news_lg`. Détection PER, LOC, ORG. F1-score > 0.90 sur corpus français. | Backend Sr | 8 | BLOQUANT | +| E4-07 | **Pipeline unifié** : orchestration regex → NER, déduplication, scoring confiance. 5 types de PII détectés dans un prompt. Latence < 50ms / 500 tokens. | Backend Sr | 5 | BLOQUANT | +| E4-08 | **Pseudonymisation** : remplacement par `[PII:TYPE:UUID]`, mapping Redis AES-256-GCM, TTL configurable. Prompt envoyé au LLM sans PII en clair. | Backend Sr | 5 | BLOQUANT | +| E4-09 | **Dé-pseudonymisation** : réinjection valeurs originales dans réponse LLM avant renvoi à l'user | Backend Sr | 5 | BLOQUANT | +| E4-10 | **Intégration gRPC Proxy ↔ PII** : proxy Go appelle service Python via gRPC avant chaque forward. Flux complet fonctionne bout en bout. | Lead Backend | 5 | BLOQUANT | +| E4-11 | **Benchmark latence** : mesure p50/p95/p99 sur 1000 requêtes variées. p99 < 50ms / 500 tokens, < 100ms / 2000 tokens. | Backend Sr | 3 | IMPORTANT | +| E4-13 | **Tests unitaires PII** : 50+ cas, multilangue, edge cases (texte mixte FR/EN, données dans URL, dans JSON). Coverage > 85%. | Backend Sr | 5 | IMPORTANT | + +**Total : 44 SP** + +**⚠️ Sprint le plus risqué techniquement du projet.** + +**Critères d'acceptance sprint :** +- Envoyer un prompt contenant [IBAN, email, nom, téléphone, adresse] → les 5 types sont pseudonymisés +- Le prompt reçu par OpenAI (visible dans les logs) ne contient aucune donnée en clair +- La réponse renvoyée à l'utilisateur contient les vraies valeurs (dé-pseudonymisées) +- p99 < 50ms mesuré avec le script benchmark sur 1000 requêtes + +**Démo Sprint Review :** +> Ouvrir le playground (mode minimal). Taper : "Bonjour, je suis Jean Dupont, mon IBAN est FR76 3000 6000 0112 3456 7890 189, contactez-moi au 06 12 34 56 78." → Montrer dans les logs : (1) prompt original côté proxy, (2) prompt pseudonymisé envoyé à OpenAI, (3) réponse dé-pseudonymisée côté utilisateur. + +**Risques S3 :** +- **Latence NER > 100ms** → Actions immédiates : (a) vérifier que `fr_core_news_lg` est préchargé en mémoire au démarrage (pas de cold start), (b) activer le mode regex-only via feature flag pour les requêtes basse sensibilité (E4-14 en S4). +- **Faux positifs élevés** → Ajuster le seuil de confiance Presidio (0.85 par défaut, testable dès 0.75). Whitelist configurable par tenant. + +**Decision Point post-S3 :** Si le p99 NER > 80ms, décision explicite du PO : (a) reporter NER en V1.1 → MVP en regex-only, (b) allouer 1 sprint de spike optimisation, (c) accepter la latence avec UX appropriée. **Cette décision ne peut pas être repoussée au-delà de S4.** + +--- + +### Sprint 4 — Multi-provider + RBAC (Semaines 7–8) + +**Sprint Goal :** *"Veylant IA route les requêtes vers 4 fournisseurs IA selon le rôle et le département de l'utilisateur. Un admin voit tout, un User ne peut accéder qu'à son modèle autorisé."* + +**Capacité :** 46 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E5-01 | **Interface Adapter Go** : trait/interface avec `Send()`, `Stream()`, `Validate()`, `HealthCheck()`. Tests génériques passent pour tous les adapters. | Lead Backend | 3 | BLOQUANT | +| E5-02 | **Adapter OpenAI** : normalisation format requête/réponse, streaming SSE (déjà testé en S2, ici normalisation du schema interne) | Lead Backend | 3 | BLOQUANT | +| E5-03 | **Adapter Anthropic** : Messages API, system/user/assistant, streaming. Même test qu'OpenAI. | Lead Backend | 5 | BLOQUANT | +| E5-04 | **Adapter Azure OpenAI** : endpoint custom, API version, deployment ID | Lead Backend | 5 | IMPORTANT | +| E5-06 | **Adapter Ollama/vLLM** : API OpenAI-compatible, test avec Llama 3 local | Lead Backend | 5 | IMPORTANT | +| E5-05 | **Adapter Mistral** : chat/completions, mistral-small | Lead Backend | 3 | SOUHAITABLE | +| E3-04 | **RBAC middleware** : rôles Admin/Manager/User/Auditor. User sans permission → 403. Admin → accès total. Auditor → read-only. | Backend Sr | 5 | BLOQUANT | +| E3-05 | **Intégration SAML 2.0 Keycloak** : federation Azure AD test. User ajouté dans groupe Keycloak → rôle dans l'app. | DevOps | 8 | IMPORTANT | +| E3-07 | **API tenant management** : CRUD tenants. API keys stockées chiffrées (pas en clair en DB). | Backend Sr | 5 | IMPORTANT | +| E5-08 | **Tests intégration multi-adapter** : test automatisé même requête → chaque adapter, validation réponse. CI green pour OpenAI + Anthropic. | Lead Backend | 5 | IMPORTANT | + +**Total : 47 SP** → accepté (vélocité légèrement au-dessus de la cible grâce au rythme S3) + +**✅ QUALITY GATE PHASE 1 — à valider en fin de S4 :** +> Démo live sans mockup : (1) envoyer un prompt avec 3 PII via curl, (2) montrer l'anonymisation, (3) le routage vers OpenAI vs Anthropic selon le rôle de l'utilisateur, (4) la réponse dé-pseudonymisée. Latence totale < 300ms. Proxy + PII + Auth + RBAC + Multi-provider fonctionnent ensemble. + +--- + +### PHASE 2 — Intelligence et Visibilité (S5–S8) +> **Objectif de Phase :** Le produit est démontrable avec une UI complète. Routage intelligent, logs, dashboard, playground. Quality Gate : démo complète sans mockup, données réelles. + +--- + +### Sprint 5 — Moteur de Routage (Semaines 9–10) + +**Sprint Goal :** *"Les requêtes sont routées automatiquement selon des politiques configurées par l'admin. Un prompt contenant des données critiques va systématiquement vers le modèle on-prem sans intervention humaine."* + +**Capacité :** 46 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E6-01 | **Modèle de données politiques** : table `routing_rules` (conditions JSONB, action, priority, tenant_id, enabled). Migration. CRUD interne. | Backend Sr | 3 | BLOQUANT | +| E6-02 | **Moteur de règles** : évaluation par priorité décroissante, conditions (user.department, user.role, request.sensitivity, request.use_case, request.token_estimate), catch-all. 10 règles évaluées < 1ms. | Lead Backend | 8 | BLOQUANT | +| E6-03 | **Sensitivity scoring → routage** : le score PII (niveau none/low/medium/high/critical) alimente le moteur de règles. Prompt critique → route vers modèle local. | Lead Backend | 3 | BLOQUANT | +| E6-04 | **Fallback chain** : si provider primaire fail → secondaire → global. Log de fallback généré. Test : mock provider en 500 → vérifier basculement. | Lead Backend | 5 | IMPORTANT | +| E6-05 | **Cache des règles** : cache mémoire, refresh 30s ou sur invalidation event. Modification visible < 30s sans restart. | Lead Backend | 3 | IMPORTANT | +| E6-06 | **API admin politiques** : CRUD `/v1/admin/policies`. Validation des conditions (pas d'opérateur invalide). | Backend Sr | 5 | IMPORTANT | +| E4-14 | **Mode regex-only** : feature flag par tenant pour désactiver NER sur requêtes basse sensibilité. | Backend Sr | 3 | IMPORTANT | +| E6-07 | **Tests moteur de règles** : 30+ tests (combinaisons conditions, priorités, conflits, départements). 100% des cas documentés testés. | Lead Backend | 5 | IMPORTANT | +| E6-08 | **Règles préconfigurées** : templates RH, Finance, Engineering, catch-all. Activables en 1 clic. | Backend Sr | 3 | SOUHAITABLE | +| E3-09 | **Feature flags système** : table PG + cache Redis. Toggle via API admin, effet immédiat. | Backend Sr | 3 | SOUHAITABLE | + +**Total : 41 SP** (sprint focus technique, volume réduit intentionnellement) + +--- + +### Sprint 6 — Journalisation + Billing (Semaines 11–12) + +**Sprint Goal :** *"Chaque requête passant par Veylant IA est immortalisée dans un log immuable avec 20 champs, chiffré, sans contenu personnel en clair. Le coût de chaque département est comptabilisé en temps réel."* + +**Capacité :** 48 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E7-01 | **Schéma ClickHouse** : table `audit_logs` (20 champs du PRD), partitionnement mensuel, TTL 90j hot. SELECT GROUP BY sur 100k lignes < 500ms. | Backend Sr | 5 | BLOQUANT | +| E7-02 | **Module Logger Go** : collecte async des métadonnées, batch insert ClickHouse (toutes les 1s ou 100 logs). Aucun log perdu sous 1000 req/s. | Backend Sr | 8 | BLOQUANT | +| E7-03 | **Hash SHA-256** : prompt et réponse hashés. Les logs ne contiennent aucun contenu en clair. Hash vérifiable. | Backend Sr | 2 | BLOQUANT | +| E7-04 | **Chiffrement applicatif** : `prompt_anonymized` chiffré AES-256-GCM, clé par tenant. Illisible en DB sans la clé. | Backend Sr | 5 | IMPORTANT | +| E7-05 | **Module Billing** : tiktoken pour OpenAI, approximation token pour les autres. Agrégation user/dept/model. Comptage ±5% du comptage officiel. | Backend Sr | 5 | IMPORTANT | +| E7-06 | **API consultation logs** : `GET /v1/admin/logs` filtres (date, user, model, status, sensitivity_level), pagination. Requête filtrée < 2s sur 1M logs. | Backend Sr | 5 | IMPORTANT | +| E7-07 | **API coûts** : `GET /v1/admin/costs` agrégation par période/model/dept | Backend Sr | 3 | IMPORTANT | +| E7-09 | **Audit de l'audit** : table `admin_audit_logs`. Toute action admin (modif politique, accès log, modif RBAC) tracée avec timestamp, user, before/after. | Backend Sr | 3 | IMPORTANT | +| E7-11 | **Tests Logger** : test sous 1000 req/s sans perte. Insert async non bloquant pour le proxy. | Backend Sr | 5 | IMPORTANT | +| E1-08 | **OpenTelemetry + Jaeger** : tracing distribué, chaque requête tracée de bout en bout (proxy → PII → LLM) | DevOps | 5 | SOUHAITABLE | + +**Total : 46 SP** + +--- + +### Sprint 7 — Dashboard Frontend v1 (Semaines 13–14) + +**Sprint Goal :** *"Un RSSI peut se connecter au dashboard Veylant IA, visualiser le volume des requêtes, gérer les politiques de routage, et voir qui a accès à quoi. Aucun mockup — données réelles de staging."* + +**Capacité :** 50 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E8-01 | **Setup React + TypeScript + Vite + TailwindCSS + shadcn/ui**. Structure pages, react-router. Build < 30s. Zéro erreur TypeScript. | Frontend | 3 | BLOQUANT | +| E8-02 | **Auth flow frontend** : login OIDC PKCE via Keycloak, refresh automatique, logout, redirect. Session active après login. | Frontend | 5 | BLOQUANT | +| E8-03 | **Layout général** : sidebar navigation, header (tenant name, user, logout), responsive 1280px. Navigation fluide. | Frontend | 3 | BLOQUANT | +| E8-04 | **Route guards** : pages admin inaccessibles au rôle User. Auditor = read-only partout. | Frontend | 3 | BLOQUANT | +| E8-05 | **Page Overview** : 4 KPI cards (requêtes 24h/7j, PII détectées, coût total, modèle top). Données réelles. Refresh 30s. | Frontend | 5 | BLOQUANT | +| E8-06 | **Graphique volume requêtes** : recharts line chart, changement période 7j/30j, breakdown par modèle ou dept. Tooltip interactif. | Frontend | 5 | IMPORTANT | +| E8-07 | **Page Politiques** : liste des règles (priorité, condition, action, statut), création/édition formulaire, activation/désactivation toggle. CRUD complet. | Frontend | 8 | IMPORTANT | +| E8-08 | **Page Utilisateurs** : liste users (nom, rôle, dept, last_seen), attribution rôles par admin, filtrage. Changement rôle effectif immédiatement. | Frontend | 5 | IMPORTANT | +| E5-07 | **Wizard configuration provider** : formulaire 3 étapes (type, credentials, test connexion). Test de connexion intégré. | Frontend | 5 | IMPORTANT | +| E7-08 | **API alertes budget** : seuils configurables par tenant (tokens/h, coût/j, erreurs/h). Notification in-app si dépassement. | Backend Sr + Frontend | 5 | SOUHAITABLE | + +**Total : 47 SP** + +--- + +### Sprint 8 — Dashboard Sécurité + Playground (Semaines 15–16) + +**Sprint Goal :** *"Le RSSI a sa vue sécurité complète. Un prospect peut taper un texte dans le playground et voir en temps réel ses données personnelles surlignées avant qu'elles n'atteignent l'IA. C'est la démo qui signe les contrats."* + +**Capacité :** 50 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E8-09 | **Page Sécurité RSSI** : PII par type (bar chart), requêtes bloquées (timeline), top users PII, incidents détectés. Filtrage par période. Export CSV. | Frontend | 8 | BLOQUANT | +| E8-10 | **Page Coûts** : pie chart par modèle, breakdown par dept, tendance mensuelle, projection fin de mois, alerte si > 80% budget. | Frontend | 5 | BLOQUANT | +| E8-11 | **🎯 Playground PII** : zone de texte, highlight coloré temps réel (IBAN = rouge, nom = orange, etc.), choix modèle, bouton envoyer, affichage prompt anonymisé + réponse dé-pseudonymisée. | Frontend + Lead Backend | 8 | BLOQUANT | +| E8-12 | **Page Logs Audit Trail** : tableau paginé (50 logs/page), filtres combinés (date, user, model, status, sensitivity), expand pour détail. Pagination fluide sur 100k+ logs. | Frontend | 8 | IMPORTANT | +| E8-13 | **Alertes in-app** : configuration seuils par admin, notification dans le header (badge), détail dans la page alertes. | Frontend + Backend Sr | 5 | IMPORTANT | +| E2-09 | **Circuit breaker** : désactivation auto après 5 erreurs consécutives, réactivation après 60s. Visible dans le dashboard (statut provider). | Lead Backend | 5 | IMPORTANT | +| E2-10 | **Health check providers** : ping cyclique, statut visible dans le wizard provider et dans une page statut. | Lead Backend | 3 | SOUHAITABLE | +| E3-08 | **API user management** : CRUD complet `/v1/admin/users`. | Backend Sr | 5 | SOUHAITABLE | + +**Total : 47 SP** + +**✅ QUALITY GATE PHASE 2 — à valider en fin de S8 :** +> Démo complète en live (25 min max) : login → overview avec données réelles → playground (taper IBAN + nom → highlight → envoi → réponse) → page sécurité → logs → politiques (créer une règle RH). **Zéro mockup, zéro données synthétiques.** + +--- + +### PHASE 3 — Conformité et Hardening (S9–S10) +> **Objectif de Phase :** Rapports RGPD et AI Act générables en 1 clic. Toutes les communications internes chiffrées. Aucun secret en clair. Prêt pour audit externe. + +--- + +### Sprint 9 — Module Conformité (Semaines 17–18) + +**Sprint Goal :** *"Un DPO peut générer le registre Article 30 RGPD de l'entreprise en PDF depuis Veylant IA, et consulter la classification AI Act de chaque cas d'usage IA. C'est ce qui déclenche la décision d'achat chez les clients réglementés."* + +**Capacité :** 48 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E9-01 | **Modèle données registre traitements** : table `processing_registry` (finalité, base légale, destinataires, durée, mesures sécurité, tenant_id). CRUD. | Backend Sr | 3 | BLOQUANT | +| E9-02 | **Classification risque AI Act** : enum (forbidden/high_risk/limited_risk/minimal_risk) par cas d'usage, questionnaire guidé 5 questions. Stockée et exportable. | Backend Sr | 5 | BLOQUANT | +| E9-03 | **Génération PDF Article 30 RGPD** : tous les champs obligatoires, daté, signé, exportable. `GET /v1/admin/compliance/report?format=pdf` → PDF valide. | Backend Sr | 8 | BLOQUANT | +| E9-04 | **Rapport AI Act** : fiche par système IA (modèle, classification, mesures, stats usage 30j). Export PDF. | Backend Sr | 5 | IMPORTANT | +| E9-05 | **API Art. 15 (accès)** : `GET /v1/admin/gdpr/access/{user_id}` → JSON avec tous les logs du user (anonymisés). | Backend Sr | 3 | IMPORTANT | +| E9-06 | **API Art. 17 (effacement)** : `DELETE /v1/admin/gdpr/erase/{user_id}` → purge logs + mappings PII + log de la suppression. | Backend Sr | 5 | IMPORTANT | +| E8-14 | **Page Conformité frontend** : registre des traitements (formulaire saisie), classification AI Act (questionnaire), boutons génération rapport. Téléchargement PDF en 1 clic. | Frontend | 8 | IMPORTANT | +| E9-07 | **Template DPIA** : template pré-rempli pour cas d'usage haut risque AI Act. Exportable Word/PDF. | Backend Sr | 5 | SOUHAITABLE | +| E7-10 | **Export CSV logs** : export filtré par date/dept/model. Téléchargement < 5s pour 30j de logs. | Backend Sr | 3 | SOUHAITABLE | + +**Total : 45 SP** + +--- + +### Sprint 10 — Hardening Sécurité (Semaines 19–20) + +**Sprint Goal :** *"Veylant IA résiste à un audit de sécurité. Aucun secret n'est accessible en clair. Toutes les communications internes sont chiffrées. Le pipeline SAST/DAST ne remonte aucun finding critique."* + +**Capacité :** 48 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E10-01 | **mTLS interne** : cert-manager + Istio/Linkerd. Proxy ↔ PII, proxy ↔ DB, proxy ↔ ClickHouse. Wireshark → trafic chiffré uniquement. | DevOps | 8 | BLOQUANT | +| E10-02 | **Network policies K8s** : deny-all par défaut, whitelist explicite par service. `curl` depuis un pod aléatoire → échec. | DevOps | 5 | BLOQUANT | +| E10-03 | **HashiCorp Vault** : API keys LLM, credentials DB, clés chiffrement. Accès via service account K8s. Zéro secret en env var ou ConfigMap. | DevOps | 8 | BLOQUANT | +| E10-04 | **Semgrep SAST** : rulesets Go + Python + React en CI. Bloque merge si finding critical. Zéro finding critical sur code actuel. | DevOps | 3 | IMPORTANT | +| E10-05 | **Trivy scan images** : bases images pinned (sha256). Bloque CI si CVE critique. | DevOps | 2 | IMPORTANT | +| E10-06 | **OWASP ZAP DAST** : scan automatisé sur staging à chaque déploiement. Rapport sans finding critique. | DevOps | 5 | IMPORTANT | +| E10-07 | **gitleaks en CI** : détection secrets dans les commits. | DevOps | 2 | IMPORTANT | +| E10-09 | **Rate limiting** : par tenant et par user. 429 si dépassement. Configurable par tenant via API admin. | Lead Backend | 5 | IMPORTANT | +| E10-10 | **Tests de charge k6** : 1000 req/s pendant 10 min. p99 < 300ms. Zéro OOM, zéro goroutine leak, connexions DB stables. | DevOps + Lead Backend | 8 | IMPORTANT | +| E4-12 | **Mode zero-retention** : mapping PII en mémoire uniquement, TTL = durée de la requête. Feature flag par tenant. | Backend Sr | 3 | SOUHAITABLE | + +**Total : 49 SP** + +**✅ QUALITY GATE PHASE 3 — à valider en fin de S10 :** +> (1) Zéro finding SAST/DAST critique. (2) mTLS actif et vérifié. (3) Vault intégré, zéro secret en clair. (4) Rapport RGPD PDF générable en 1 clic. (5) Test de charge passé (rapport k6 validé). Si un seul item manque : **PAS de passage en Phase 4 sans décision explicite du PO + CTO.** + +--- + +### PHASE 4 — Beta, Polish et Lancement (S11–S13) +> **Objectif de Phase :** 2 clients pilotes connectés, pentest passé, lancement production. Quality Gate : checklist Go/No-Go complète à 100%. + +--- + +### Sprint 11 — Tests E2E + Beta Privée (Semaines 21–22) + +**Sprint Goal :** *"Deux clients pilotes utilisent Veylant IA en production staging. Les tests E2E automatisés couvrent tous les parcours critiques et s'exécutent en CI en moins de 10 minutes."* + +**Capacité :** 45 SP + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E11-01a | **Tests E2E batch 1** (10 scénarios) : login → config provider → envoi prompt avec PII → vérif anonymisation → vérif log → déconnexion | Tous | 8 | BLOQUANT | +| E11-01b | **Tests E2E batch 2** (10 scénarios) : routage selon politique → fallback → dashboard données → génération rapport PDF → effacement RGPD | Tous | 8 | BLOQUANT | +| E11-02 | **Documentation API OpenAPI 3.1** : swaggo auto-généré. `/docs` accessible. Tous endpoints documentés avec exemples de requêtes/réponses. | Lead Backend | 5 | BLOQUANT | +| E11-03 | **Guide d'intégration** : comment changer l'URL de base d'une app existante vers Veylant IA. Suivi par un dev externe en < 30 min. | Lead Backend | 3 | BLOQUANT | +| E11-04 | **Onboarding client pilote #1** : création tenant, configuration SSO (SAML/OIDC avec leur AD), import users, setup providers. Opérationnel < 1 journée. | PM + DevOps | 5 | BLOQUANT | +| E11-05 | **Onboarding client pilote #2** | PM + DevOps | 5 | IMPORTANT | +| E11-06 | **Guide utilisateur admin** : documentation des fonctionnalités dashboard, relu par un non-technique, captures à jour. | PM | 5 | IMPORTANT | +| E11-07 | **Feature flags par module** : toggle PII on/off, routing on/off, billing on/off par tenant. Via API admin. Effet immédiat. | Lead Backend | 3 | IMPORTANT | + +**Total : 42 SP** + +> ⚠️ **Action préalable (à lancer en S7 au plus tard) :** Contacter le cabinet pentest, rédiger le cahier des charges, signer le bon de commande. Le pentest doit être planifié pour démarrer en S12. + +--- + +### Sprint 12 — Feedback Pilotes + Pentest (Semaines 23–24) + +**Sprint Goal :** *"Les bugs critiques remontés par les clients pilotes sont corrigés. Le pentest est en cours. Veylant IA est stable, performant, et les clients pilotes sont satisfaits (NPS > 7)."* + +**Capacité :** 40 SP (pentest prend du temps de coordination) + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E11-08 | **Collecte et tri feedback** : sessions avec clients pilotes, backlog priorisé (bug / UX / feature), classement MoSCoW | PM | 3 | BLOQUANT | +| E11-09 | **Bug fixes critiques** (buffer) : selon feedback pilotes. Zéro bug bloquant restant. | Tous | 8 | BLOQUANT | +| E11-10 | **Améliorations UX top-5** : les 5 points UX les plus remontés. Chacun validé par le pilote concerné. | Frontend | 5 | IMPORTANT | +| E11-11 | **Pentest coordination** : fourniture des accès (staging grey box), périmètre validé, suivi cabinet. | PM + DevOps | 3 | BLOQUANT | +| E2-12 | **Tests de charge proxy** : analyse des bottlenecks identifiés en production beta. p99 amélioré si problème. | Lead Backend | 5 | IMPORTANT | +| E1-09 | **Blue/green deployment** : déploiement sans downtime testé. Rollback < 30s démontré. | DevOps | 8 | IMPORTANT | +| E8-15 | **Landing page + démo interactive** : formulaire de contact fonctionnel, vidéo démo 3 min ou playground public. | PM + Frontend | 5 | IMPORTANT | + +**Total : 37 SP** (intentionnellement bas : buffer pour bugs critiques imprévus) + +--- + +### Sprint 13 — Lancement Production (Semaines 25–26) + +**Sprint Goal :** *"Veylant IA est en production sur AWS eu-west-3. Les clients pilotes sont migrés. Le pentest est passé (zéro finding Critical/High). Le premier contrat entreprise peut être signé."* + +**Capacité :** 38 SP (remédiation pentest imprévisible) + +| ID | Story | Assigné | SP | Priorité | +|----|-------|---------|-----|---------| +| E11-12 | **Remédiation pentest** : corriger TOUS Critical + High. Documenter acceptation des Medium avec justification. Rapport de remédiation produit. | Tous | 8 | BLOQUANT | +| E1-10 | **Cluster K8s production** : AWS eu-west-3, 3 AZ, autoscaling HPA, backup PG quotidien, réplication ClickHouse. DR testé (restauration < 1h). | DevOps | 8 | BLOQUANT | +| E1-11 | **Monitoring production** : Grafana dashboards (proxy latency, error rate, PII volume, DB connections), alertes PagerDuty/Slack. Alerte test reçue < 5 min. | DevOps | 5 | BLOQUANT | +| E11-13 | **Migration clients pilotes vers production** : données migrées, SSO reconfiguré sur prod, tests de bon fonctionnement. | PM + DevOps | 5 | BLOQUANT | +| E1-12 | **Runbooks opérationnels** : 5+ procédures (provider down, DB full, cert expiré, traffic spike, breach PII). Chacun testé en staging. | DevOps | 5 | IMPORTANT | +| E11-14 | **Matériel commercial** : one-pager PDF, deck 10 slides, battle card RSSI/DSI/DPO. Validé par 1 prospect. | PM | 5 | IMPORTANT | +| — | **Rétrospective projet** : retro documentée. Backlog V1.1 priorisé. | Tous | 2 | SOUHAITABLE | + +**Total : 38 SP** + +**✅ QUALITY GATE PHASE 4 — Checklist Go/No-Go complète avant déploiement production.** +(Voir Section 8 de ce document) + +--- + +## 5. Chemin Critique et Dépendances + +### 5.1 Graphe de dépendances (tâches BLOQUANTES) + +``` +S1: Monorepo + Docker Compose + K8s staging + └──► S2: Proxy non-streaming + streaming SSE ⚡ (point le plus risqué) + └──► S3: PII Pipeline (regex + NER + gRPC) ⚡ (point le plus complexe) + └──► S4: Multi-provider + RBAC + └──► S5: Moteur de routage + └──► S6: Journalisation ClickHouse + └──► S7: Dashboard v1 + └──► S8: Playground + Sécurité RSSI + └──► S9: Conformité PDF + └──► S10: mTLS + Vault + Hardening + └──► S11: Tests E2E + Beta + └──► S12: Pentest (commandé en S10) + └──► S13: Production +``` + +### 5.2 Actions à lancer en avance (hors sprints) + +| Action | Démarrer | Nécessaire pour | Responsable | +|--------|----------|-----------------|-------------| +| Identifier 5 prospects pilotes et signer LOI | S1 | S11 onboarding | PM | +| Négocier accès Azure AD test pour SAML | S2 | S4 Keycloak SAML | PM + DevOps | +| Signer DPA avec OpenAI, Anthropic, Mistral, Azure | S4 | S9 conformité | PM + Légal | +| Avis juridique architecture RGPD | S6-S7 | S9 rapports | PM + Légal | +| Rédiger cahier des charges pentest + contacter 3 cabinets | S7 | S12 pentest | PM + DevOps | +| Signer bon de commande pentest | S10 | S12 pentest | PM | +| Commander certificats SSL production + domaine | S10 | S13 production | DevOps | +| Créer compte AWS production + billing alerts | S8 | S13 production | DevOps | +| Rédiger CGV/CGU | S8 | S13 lancement | PM + Légal | + +--- + +## 6. Registre des Risques Scrum + +| # | Risque | Proba | Impact | Sprint détection | Mitigation | Contingence | Owner | +|---|--------|-------|--------|-----------------|------------|-------------|-------| +| R1 | **Latence PII > 100ms** | M | CRITIQUE | S3 (benchmark) | Cache patterns, préchargement spaCy, regex-only via feature flag | Reporter NER en V1.1, MVP en regex uniquement | Lead + Backend Sr | +| R2 | **Streaming SSE + PII incompatibles** | H | HAUT | S3 | PII sur le prompt AVANT envoi (pas sur la réponse streamée) | Bufferiser réponse complète + feature flag, impact latence perçue | Lead Backend | +| R3 | **Départ développeur clé** | M | CRITIQUE | Continu | Documentation ADR par module, cross-reviews (chacun connaît 2+ modules) | Consultant senior Malt/Toptal, retard 2-4 semaines accepté | CTO | +| R4 | **Client pilote indisponible/non engagé** | H | HAUT | S8 | Identifier 5 prospects dès S1, LOI signé dès S6 | Utiliser le produit en interne, démo sur données synthétiques | PM | +| R5 | **ClickHouse trop complexe à opérer** | M | MOYEN | S6 | Utiliser ClickHouse Cloud (managé) plutôt que self-hosted | Fallback TimescaleDB + PG pour le MVP (migration V1.1) | DevOps | +| R6 | **Scope creep (features non planifiées)** | H | MOYEN | Continu | PO dit NON explicitement à toute feature hors backlog validé | Créer ticket V1.1, pas de livraison S-sprint courant | PM | +| R7 | **Findings pentest critiques nombreux** | M | HAUT | S12-S13 | SAST/DAST dès S10, hardening proactif | Buffer 8 SP S13 alloué remédiation. Si > 3 Critical : report de 2 semaines | Tous | +| R8 | **EKS setup > 3 jours** | M | MOYEN | S1 | Module Terraform stable (terraform-aws-eks) | Passer en eksctl pour débloquer, IaC en parallèle S2 | DevOps | +| R9 | **Format API provider LLM change** | M | MOYEN | Continu | Adapter pattern : changements isolés dans 1 fichier/provider | Rollback adapter, alerte monitoring sur erreur format | Lead Backend | +| R10 | **Difficultés recrutement Go/NLP** | H | HAUT | Pré-S1 | Démarrer recrutement 4 semaines avant S1. Alternative : Malt/Toptal. | Consultants spécialisés pour module PII Python | PM + CTO | + +--- + +## 7. Métriques et KPIs Scrum + +### 7.1 Métriques suivies chaque sprint + +| Métrique | Cible | Outil | Responsable | +|----------|-------|-------|-------------| +| Vélocité livrée (SP Done) | Voir Release Plan | GitLab boards | Scrum Master | +| Stories Done / Stories engagées | 100% (idéal) | GitLab boards | Scrum Master | +| Coverage Go (unit tests) | > 75% | go test -cover en CI | Lead Backend | +| Coverage Python (PII service) | > 85% | pytest --cov en CI | Backend Sr | +| Latence proxy p99 (sans PII) | < 50ms | Prometheus histogram | DevOps | +| Latence proxy p99 (avec PII) | < 150ms | Prometheus histogram | DevOps | +| F1-score détection PII | > 0.92 | Benchmark corpus test | Backend Sr | +| Build time CI | < 8 min | GitLab CI metrics | DevOps | +| CVE critiques non patchées | 0 | Trivy + Snyk | DevOps | +| Findings SAST critiques | 0 | Semgrep | DevOps | +| Secrets en clair détectés | 0 | gitleaks en CI | DevOps | +| Uptime staging | > 99% | Prometheus uptime | DevOps | + +### 7.2 Métriques business (suivies par PM) + +| Métrique | Cible | Moment | +|----------|-------|--------| +| Prospects identifiés | 5 | Fin S2 | +| LOI signés | 2 | Fin S6 | +| Clients pilotes connectés | 2 | Fin S11 | +| NPS clients pilotes | > 7 | Fin S12 | +| Bugs bloquants ouverts | 0 | Fin S12 | +| Premier contrat signé | 1 | Fin S13 | + +### 7.3 Indicateurs d'alerte (impediments à escalader immédiatement) + +- 1 story BLOQUANT non terminée à J8 du sprint → escalade immédiate +- Vélocité < 70% de la cible 2 sprints consécutifs → session de réajustement scope +- p99 PII > 80ms en staging → décision PO requis (régression scope ou optimisation) +- Finding SAST/DAST Critical non résolu en 48h → blocage du déploiement staging + +--- + +## 8. Actions à Lancer Immédiatement + +Avant le Sprint 1, les actions suivantes doivent être initiées **maintenant** : + +**Semaine -2 (dès aujourd'hui) :** +- [ ] Confirmer la disponibilité des 4 développeurs (date de démarrage S1) +- [ ] Créer le compte AWS (eu-west-3), configurer l'organization, billing alerts +- [ ] Créer le compte GitLab (ou activer la licence Premium) +- [ ] Réserver le domaine (ex: veylant.ai, veylant.io) +- [ ] Identifier les 5 premiers prospects pilotes cibles → PM prend contact cette semaine + +**Semaine -1 (avant S1) :** +- [ ] PM rédige les 10 premières User Stories du backlog (E1 + E2) → format DoR atteint +- [ ] CTO valide les choix techniques (Terraform vs Pulumi, Istio vs Linkerd) → ADR rédigés +- [ ] Setup des accès AWS pour le DevOps +- [ ] Sprint 0 (kick-off, 1 journée) : + - [ ] Team building + working agreement signé + - [ ] Definition of Done validée collectivement + - [ ] Sprint 1 planifié (stories prêtes, estimées, backlog S1 verrouillé) + - [ ] Outils configurés (GitLab, Slack, Jira/Linear, Notion) + +--- + +## Annexe — Checklist Go/No-Go Production (S13) + +Chaque item doit être ✅ avant le déploiement production. Un ❌ = No-Go sauf décision explicite documentée. + +| Catégorie | Item | Critère | +|-----------|------|---------| +| **Fonctionnel** | Proxy relay 4 providers (OpenAI, Anthropic, Azure, Ollama) | Tests E2E green | +| **Fonctionnel** | Anonymisation 6 types PII (IBAN, email, tél, nom, adresse, SS) | Tests E2E green + F1 > 0.92 | +| **Fonctionnel** | Streaming SSE avec anonymisation du prompt | Démo live | +| **Fonctionnel** | Routage intelligent avec 5+ règles simultanées | Tests E2E green | +| **Fonctionnel** | Dashboard données réelles (pas de mock) | Vérification visuelle | +| **Fonctionnel** | Rapport RGPD Article 30 PDF générable | PDF téléchargeable et lisible | +| **Sécurité** | Pentest : 0 finding Critical, 0 finding High ouvert | Rapport pentest + lettre de remédiation | +| **Sécurité** | mTLS actif entre tous les composants | Wireshark capture staging | +| **Sécurité** | Vault intégré, 0 secret en clair | Audit Vault + gitleaks CI green | +| **Sécurité** | SAST/DAST : 0 finding critique | Rapports Semgrep + ZAP | +| **Performance** | Proxy p99 < 300ms sous 500 req/s | Rapport k6 | +| **Performance** | Dashboard load < 3s | Lighthouse score > 70 | +| **Ops** | Monitoring prod opérationnel (Grafana + alertes) | Alerte test reçue < 5 min | +| **Ops** | Backup PostgreSQL auto + test restauration | Restauration en < 1h testée | +| **Ops** | Blue/green deployment fonctionnel | Déploiement staging testé | +| **Ops** | 5+ runbooks rédigés et testés en staging | Revue par l'équipe | +| **Commercial** | 1 client pilote satisfait (NPS > 7) | Feedback documenté | +| **Commercial** | Landing page + matériel commercial prêt | Page live, formulaire contact OK | +| **Légal** | CGV/CGU rédigées et validées avocat | Document signé | +| **Légal** | DPA providers IA (OpenAI, Anthropic, Mistral, Azure) signés | Documents archivés | + +--- + +*Document maintenu par le Scrum Master — mis à jour à chaque Sprint Review.* +*Prochaine révision : fin Sprint 2 (ajustement vélocité réelle vs cible).* diff --git a/docs/admin-guide.md b/docs/admin-guide.md new file mode 100644 index 0000000..f0ef666 --- /dev/null +++ b/docs/admin-guide.md @@ -0,0 +1,315 @@ +# Veylant IA — Admin User Guide + +This guide covers day-to-day administration of the Veylant IA platform. All operations require an admin JWT. + +## 1. Overview + +The Veylant IA admin dashboard exposes a REST API under `/v1/admin/`. Key capabilities: + +| Area | Endpoints | +|---|---| +| Routing policies | `/v1/admin/policies` | +| Audit logs | `/v1/admin/logs` | +| Cost reporting | `/v1/admin/costs` | +| User management | `/v1/admin/users` | +| Feature flags | `/v1/admin/flags` | +| Provider status | `/v1/admin/providers/status` | +| Rate limits | `/v1/admin/rate-limits` | +| GDPR/Compliance | `/v1/admin/compliance/*` | + +Interactive documentation: **[GET /docs](http://localhost:8090/docs)** + +--- + +## 2. Routing Policy Management + +Routing policies control which AI provider receives each request, based on department, role, model, or sensitivity. + +### List policies + +```bash +curl -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/policies +``` + +### Create a policy + +```bash +curl -X POST -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "HR to GPT-4o mini", + "priority": 10, + "is_enabled": true, + "conditions": [ + {"field": "department", "operator": "eq", "value": "HR"} + ], + "action": {"provider": "openai", "model": "gpt-4o-mini"} + }' \ + http://localhost:8090/v1/admin/policies +``` + +### Seed a template + +Pre-built templates for common use cases: + +```bash +# Available: hr, finance, engineering, catchall +curl -X POST -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/policies/seed/hr +``` + +### Priority order + +Rules are evaluated in ascending priority order — lower number = higher priority. The first matching rule wins. Configure a `catchall` rule with high priority (e.g. 999) as a fallback. + +### Disable routing engine for a tenant + +Set `routing_enabled=false` to bypass the rules engine and use static prefix routing: + +```bash +curl -X PUT -H "Authorization: Bearer $TOKEN" \ + -d '{"enabled": false}' \ + http://localhost:8090/v1/admin/flags/routing_enabled +``` + +--- + +## 3. Audit Logs + +All requests are logged to ClickHouse. Query via the admin API: + +```bash +# Last 50 entries +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/logs" + +# Filter by provider and time range +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/logs?provider=openai&start=2026-01-01T00:00:00Z&limit=100" + +# Filter by minimum sensitivity +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/logs?min_sensitivity=high" +``` + +**Sensitivity levels**: `low` | `medium` | `high` | `critical` (based on PII entity types detected). + +### CSV export + +```bash +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/compliance/export/logs" -o audit-export.csv +``` + +--- + +## 4. Cost Reporting + +```bash +# Group by provider +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/costs?group_by=provider" + +# Group by department +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/costs?group_by=department&start=2026-01-01T00:00:00Z" +``` + +Response includes `total_tokens`, `total_cost_usd`, and `request_count` per group. + +### Disable billing tracking + +If you do not want costs recorded for a tenant (e.g. during a trial period): + +```bash +curl -X PUT -H "Authorization: Bearer $TOKEN" \ + -d '{"enabled": false}' \ + http://localhost:8090/v1/admin/flags/billing_enabled +``` + +--- + +## 5. User Management + +```bash +# List users +curl -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/users + +# Create a user +curl -X POST -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "email": "jane.doe@corp.example", + "first_name": "Jane", + "last_name": "Doe", + "department": "Finance", + "role": "user" + }' \ + http://localhost:8090/v1/admin/users + +# Update role +curl -X PUT -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"role": "manager"}' \ + http://localhost:8090/v1/admin/users/{id} + +# Soft-delete a user +curl -X DELETE -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/users/{id} +``` + +**Roles**: `admin` | `manager` | `user` | `auditor` + +RBAC rules: +- `admin`: full access to all models and admin API +- `manager`: access to all user-allowed models + audit read access +- `user`: restricted to `user_allowed_models` from the RBAC config +- `auditor`: read-only access to logs and costs, cannot use the proxy + +--- + +## 6. Feature Flags + +Feature flags let you toggle module-level behaviour per tenant without a restart. + +### Built-in flags + +| Flag | Default | Effect when false | +|---|---|---| +| `pii_enabled` | `true` | Skips PII anonymization entirely | +| `routing_enabled` | `true` | Uses static prefix routing instead of rules engine | +| `billing_enabled` | `true` | Sets `cost_usd = 0` in audit entries | +| `zero_retention` | `false` | PII service does not persist mappings in Redis | + +```bash +# List all flags (tenant + global) +curl -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/flags + +# Disable PII for this tenant +curl -X PUT -H "Authorization: Bearer $TOKEN" \ + -d '{"enabled": false}' \ + http://localhost:8090/v1/admin/flags/pii_enabled + +# Re-enable (or remove tenant override to fall back to global default) +curl -X DELETE -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/flags/pii_enabled +``` + +--- + +## 7. Provider Status + +Check the circuit breaker state of each upstream provider: + +```bash +curl -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/providers/status +``` + +States: `closed` (healthy) | `open` (failing, requests rejected) | `half-open` (testing recovery). + +--- + +## 8. Rate Limit Configuration + +```bash +# View current config +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/rate-limits/{tenant_id}" + +# Update limits (takes effect immediately, no restart needed) +curl -X PUT -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "requests_per_min": 2000, + "burst_size": 400, + "user_rpm": 200, + "user_burst": 40, + "is_enabled": true + }' \ + "http://localhost:8090/v1/admin/rate-limits/{tenant_id}" + +# Remove custom config (reverts to global default) +curl -X DELETE -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/rate-limits/{tenant_id}" +``` + +--- + +## 9. GDPR / EU AI Act Compliance + +### Processing Registry (Article 30) + +```bash +# List processing activities +curl -H "Authorization: Bearer $TOKEN" \ + http://localhost:8090/v1/admin/compliance/entries + +# Create a new processing activity +curl -X POST -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "use_case_name": "Chatbot RH", + "legal_basis": "legitimate_interest", + "purpose": "Automatisation des réponses RH internes", + "data_categories": ["identifiers", "professional"], + "recipients": ["HR team"], + "processors": ["OpenAI Inc."], + "retention_period": "12 months", + "security_measures": "AES-256 encryption, access control", + "controller_name": "Acme Corp DPO" + }' \ + http://localhost:8090/v1/admin/compliance/entries +``` + +### EU AI Act Classification + +Classify an entry by answering 5 risk questions: + +```bash +curl -X POST -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "ai_act_answers": { + "q1": false, + "q2": false, + "q3": true, + "q4": false, + "q5": true + } + }' \ + "http://localhost:8090/v1/admin/compliance/entries/{id}/classify" +``` + +Risk levels: `minimal` (0 yes) | `limited` (1-2 yes) | `high` (3-4 yes) | `forbidden` (5 yes). + +### GDPR Rights + +```bash +# Art. 15 — Data subject access request +curl -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/compliance/gdpr/access/user@corp.example" + +# Art. 17 — Right to erasure +curl -X DELETE -H "Authorization: Bearer $TOKEN" \ + "http://localhost:8090/v1/admin/compliance/gdpr/erase/user@corp.example?reason=user-request" +``` + +The erasure endpoint soft-deletes the user and creates an immutable audit record. It is safe to call even without a database connection (graceful degradation). + +--- + +## 10. Health & Monitoring + +```bash +# Service health (no auth required) +curl http://localhost:8090/healthz + +# Prometheus metrics (if enabled) +curl http://localhost:8090/metrics +``` + +Metrics expose request counts, latency histograms, and error rates per model/provider. diff --git a/docs/adr/001-terraform-vs-pulumi.md b/docs/adr/001-terraform-vs-pulumi.md new file mode 100644 index 0000000..105aa1a --- /dev/null +++ b/docs/adr/001-terraform-vs-pulumi.md @@ -0,0 +1,81 @@ +# ADR-001 — Choix de l'outil Infrastructure-as-Code : Terraform vs Pulumi + +**Date :** 2026-02-19 +**Statut :** ACCEPTÉ +**Décideurs :** CTO, DevOps +**Sprint :** Sprint 1 (Spike de 4h) + +--- + +## Contexte + +Veylant IA requiert un outil IaC pour provisionner et gérer : +- Cluster EKS AWS (eu-west-3), 3 nodes +- VPC, subnets, security groups, NAT gateway +- Services managés futurs (RDS, ElastiCache) +- Ingress Traefik, certificats TLS + +Le spike Sprint 1 avait pour objectif d'évaluer Terraform et Pulumi afin de choisir l'outil avant que l'infra ne soit créée. + +--- + +## Options évaluées + +### Option A — Terraform / OpenTofu + +**Pour :** +- Module `terraform-aws-eks` v20.x (LTS) — EKS provisionné en <100 lignes HCL, testé par des milliers d'équipes +- HCL : déclaratif, diff lisible en PR, facile à code-reviewer +- Plan d'exécution (`terraform plan`) explicite et déterministe — pas de side-effects dans le code IaC +- Gestion d'état mature : S3 + DynamoDB lock (zéro lock cassé en prod) +- Documentation AWS exhaustive, Stack Overflow dense +- OpenTofu (fork open-source BSL → MPL) : pas de vendor lock-in HashiCorp + +**Contre :** +- HCL limité pour la logique complexe (boucles `for_each` peuvent être verbeux) +- Pas de typage fort — erreurs découvertes à l'apply, pas à la compilation + +### Option B — Pulumi (TypeScript) + +**Pour :** +- TypeScript natif → réutilisable avec le reste du projet +- Logique complexe (conditions, boucles, fonctions réutilisables) en code natif +- Typage fort avec vérification à la compilation + +**Contre :** +- Runtime intermédiaire (Pulumi engine) → debugging moins transparent qu'un plan HCL +- Communauté plus petite, moins de modules AWS prêts à l'emploi pour EKS +- Stack d'état hébergée par Pulumi Cloud par défaut (alternative self-hosted plus complexe) +- Courbe d'apprentissage pour le DevOps habitué à Terraform + +--- + +## Décision + +**Terraform / OpenTofu est retenu.** + +### Raisons + +1. **Risque réduit story E1-04** : Le module `terraform-aws-eks` est stable et documenté → réduit le risque principal de la story (EKS peut prendre 3+ jours sans outil mature). +2. **Expérience équipe** : Le profil DevOps a de l'expérience Terraform existante — pas de courbe d'apprentissage en Sprint 1. +3. **Lisibilité des PR** : Le `terraform plan` en HCL est lisible par tous (CTO, Backend) lors des reviews de changements infra. +4. **État sécurisé** : S3 + DynamoDB lock est éprouvé et simple à opérer. +5. **OpenTofu** : Le fork open-source est désormais stable (v1.7+) et évite le risque de changement de licence HashiCorp. + +--- + +## Conséquences + +- Créer un bucket S3 `veylant-terraform-state-eu-west-3` + table DynamoDB `veylant-terraform-lock` avant le premier `terraform apply` +- Structure : `deploy/terraform/` avec modules séparés (`vpc/`, `eks/`, `monitoring/`) +- Utiliser `terraform-aws-eks` v20.x +- Pinning des versions providers dans `versions.tf` (pas de `~>` ouvert) +- OpenTofu CLI installé via Homebrew : `brew install opentofu` + +--- + +## Révision + +Cette décision sera réexaminée si : +- La logique IaC devient significativement plus complexe (>500 lignes par module) +- L'équipe passe à TypeScript pour l'ensemble du stack (SDK natif V2) diff --git a/docs/commercial/battle-card.md b/docs/commercial/battle-card.md new file mode 100644 index 0000000..7525f00 --- /dev/null +++ b/docs/commercial/battle-card.md @@ -0,0 +1,133 @@ +# Veylant IA — Battle Card Commerciale + +*Usage interne — Marie (Customer Success) & équipe commerciale* +*Mise à jour : Sprint 13* + +--- + +## Persona 1 — RSSI (Responsable Sécurité des Systèmes d'Information) + +### Profil +- Préoccupation principale : sécurité, conformité, risque opérationnel +- Objection type : "On est déjà conformes — on a une charte d'usage de l'IA" +- Sponsor budget : Non (prescripteur, pas décideur) +- Décideur : DSI + DG + +### Pain Points Prioritaires + +| Pain Point | Question à poser | Angle Veylant | +|-----------|-----------------|---------------| +| Shadow AI non contrôlé | "Comment savez-vous quels modèles IA sont utilisés dans vos équipes aujourd'hui ?" | Audit log immuable, dashboard temps réel | +| Données sensibles exposées | "Avez-vous une DPIA pour l'usage de ChatGPT par vos équipes ?" | Anonymisation PII avant envoi — DPIA simplifiée | +| Incident de sécurité IA | "Que se passe-t-il si un employé envoie un contrat client à ChatGPT ?" | PII detection multi-couches, logs d'audit | +| Pentest / audit | "Pouvez-vous démontrer que vos fournisseurs IA respectent vos politiques de sécurité ?" | Semgrep SAST, Trivy scan, OWASP ZAP en CI | + +### Questions de Qualification + +1. "Combien d'employés utilisent des outils IA au quotidien ? Avez-vous une visibilité dessus ?" +2. "Quel est votre niveau de maturité RGPD sur l'IA ? Avez-vous un registre Art. 30 pour vos usages IA ?" +3. "Avez-vous déjà eu un incident ou une near-miss lié à l'envoi de données dans un modèle IA ?" + +### Objections et Réponses + +| Objection | Réponse | +|-----------|---------| +| "On a déjà une charte d'usage" | "Une charte décrit ce que les gens *devraient* faire. Veylant garantit ce qu'ils *font* — avec des logs immuables pour le prochain audit." | +| "On n'utilise que des modèles hébergés sur notre infrastructure" | "Parfait pour les modèles maison — mais vos équipes utilisent aussi leurs propres comptes OpenAI. Veylant s'applique à *tous* les appels IA, même les outils personnels utilisés en context professionnel." | +| "On a peur que ça ralentisse les équipes" | "Latence ajoutée : < 2ms pour l'anonymisation PII (sidecar gRPC local). Invisible pour l'utilisateur final." | +| "On ne veut pas un autre SaaS mutualisé" | "Veylant se déploie dans *votre* infrastructure AWS — vos données ne quittent jamais votre environnement." | + +--- + +## Persona 2 — DSI (Directeur des Systèmes d'Information) + +### Profil +- Préoccupation principale : coûts, productivité des équipes, conformité IT +- Objection type : "On a déjà des accords avec Microsoft Azure OpenAI" +- Sponsor budget : Oui (propriétaire du budget IT) +- Décideur : Oui (avec validation DG pour > 50k€) + +### Pain Points Prioritaires + +| Pain Point | Question à poser | Angle Veylant | +|-----------|-----------------|---------------| +| Coûts IA opaques | "Connaissez-vous le coût total mensuel de l'IA dans votre entreprise ?" | Dashboard coûts par département, alertes dépassement budget | +| Prolifération des intégrations IA | "Combien d'équipes ont leur propre clé API OpenAI ?" | Centralisation — 1 clé Veylant, 1 facture | +| Choix du meilleur modèle | "Comment décidez-vous quel modèle IA utiliser pour quel cas d'usage ?" | Routing intelligent automatique — bon modèle au bon coût | +| Intégration dans l'existant | "Quel est votre stack technique actuel ?" | Compatible OpenAI SDK — zéro refactoring | + +### Questions de Qualification + +1. "Quel est votre budget IA actuel ? Y a-t-il une ligne dédiée ou est-ce dispersé dans les équipes ?" +2. "Avez-vous un projet d'IA en production ou en cours de déploiement ?" +3. "Qui décide des outils IA dans votre organisation — central ou décentralisé ?" + +### Objections et Réponses + +| Objection | Réponse | +|-----------|---------| +| "On utilise Azure OpenAI — on est déjà dans notre zone de confiance" | "Azure OpenAI gère le stockage — mais qui contrôle *quoi* est envoyé ? Veylant anonymise les PII avant l'envoi à Azure, et vous donne la visibilité sur chaque appel." | +| "C'est trop complexe à déployer" | "Déploiement guidé en 30 minutes. Helm chart + 3 commandes kubectl. Nos clients pilotes ESN étaient en production le jour même." | +| "On préfère attendre d'avoir plus de volume IA" | "Les coûts cachés existent dès le premier utilisateur — une seule donnée client envoyée sans contrôle peut coûter 20 000 € de pénalité RGPD." | +| "On va développer ça en interne" | "Veylant représente 13 sprints de développement (38+ story points par sprint) — PII detection, circuit breakers, audit ClickHouse, RBAC Keycloak. Le coût interne serait 15× le prix de l'abonnement." | + +--- + +## Persona 3 — DPO (Data Protection Officer) + +### Profil +- Préoccupation principale : conformité RGPD, EU AI Act, minimisation des risques juridiques +- Objection type : "On a besoin d'une DPIA avant de déployer quoi que ce soit" +- Sponsor budget : Non (prescripteur critique) +- Décideur : Influence forte sur le Go/No-Go + +### Pain Points Prioritaires + +| Pain Point | Question à poser | Angle Veylant | +|-----------|-----------------|---------------| +| Registre Art. 30 pour l'IA | "Comment tenez-vous à jour votre registre RGPD pour les usages IA ?" | Export PDF automatique — registre mis à jour en temps réel | +| DPIA pour les outils IA | "Avez-vous réalisé une DPIA pour l'usage de ChatGPT ou Claude par vos équipes ?" | Anonymisation by design — réduit le périmètre DPIA | +| Transferts hors UE | "Savez-vous si vos données passent par des serveurs hors UE quand vos équipes utilisent l'IA ?" | Routing vers providers EU en priorité, logs du flux de données | +| EU AI Act 2026 | "Êtes-vous prêts pour les obligations EU AI Act Haute Risque qui entrent en vigueur en août 2026 ?" | Classification des risques IA intégrée | + +### Questions de Qualification + +1. "Comment gérez-vous aujourd'hui la conformité RGPD pour l'usage des LLMs en interne ?" +2. "Avez-vous eu des questions de votre CNIL ou d'un régulateur sur l'IA ?" +3. "Quel est votre plus grand défi pour la conformité EU AI Act ?" + +### Objections et Réponses + +| Objection | Réponse | +|-----------|---------| +| "On a besoin d'une DPIA pour Veylant" | "Absolument — c'est la bonne démarche. Nous fournissons un dossier DPA complet (sous-traitant RGPD), les garanties techniques, et une DPIA template pre-remplie. Nos clients l'ont validé en 1 semaine." | +| "Les logs d'audit conservent trop de données" | "Les prompts sont chiffrés (AES-256-GCM) dans les logs. La durée de rétention est configurable. Aucune donnée PII réelle dans les logs — seulement des pseudonymes." | +| "On ne veut pas de données hors UE" | "Veylant se déploie dans votre VPC AWS eu-west-3 (Paris). Les appels aux providers IA utilisent leurs endpoints EU quand disponibles (Azure France Central, etc.)." | +| "L'EU AI Act est encore flou" | "Exact — c'est précisément pour ça qu'avoir un registre automatique de vos usages IA dès maintenant vous donnera une longueur d'avance quand les obligations se préciseront." | + +--- + +## Grille de Qualification Rapide (MEDDIC simplifié) + +| Critère | Questions | Signal positif | +|---------|-----------|---------------| +| **Metrics** | Quel coût mensuel IA ? Combien d'employés ? | > 20 users, > 1 000€/mois | +| **Economic Buyer** | Qui signe le budget ? | DSI ou DG identifié | +| **Decision Criteria** | Quels critères pour choisir ? | Conformité RGPD, sécurité, coût | +| **Decision Process** | Comment décident-ils ? | < 2 mois, pas de RFP | +| **Identify Pain** | Quel est l'incident / la peur ? | Shadow AI, incident PII, audit | +| **Champion** | Qui veut que ça réussisse en interne ? | RSSI ou DPO motivé | + +--- + +## Concurrents — Positionnement + +| Concurrent | Force | Faiblesse vs Veylant | +|-----------|-------|---------------------| +| **LiteLLM** | Open source, populaire devs | Pas de PII detection, pas de conformité RGPD, pas d'EU AI Act | +| **Portkey** | Interface UX soignée | SaaS mutualisé (US), pas de deployment on-premise, pas de PII | +| **Kong AI Gateway** | Écosystème Kong | Complexité, coût élevé, PII basique, pas d'EU AI Act | +| **Azure AI Hub** | Intégration native Azure | Lock-in Azure, pas multi-provider, pas d'EU AI Act automatique | +| **Interne maison** | Contrôle total | 6-18 mois de développement, maintenance, pas de conformité intégrée | + +**Notre USP :** Seule solution combinant **PII detection française** (spaCy/Presidio) + **EU AI Act classification** + **multi-provider** + **déploiement dans votre infrastructure**. diff --git a/docs/commercial/one-pager.md b/docs/commercial/one-pager.md new file mode 100644 index 0000000..ac8ca49 --- /dev/null +++ b/docs/commercial/one-pager.md @@ -0,0 +1,89 @@ +# Veylant IA — One-Pager Commercial + +## Le problème : Shadow AI au cœur de vos équipes + +**73% des employés utilisent des outils IA non approuvés.** ChatGPT, Claude, Gemini — vos données confidentielles circulent dans des services externes sans visibilité, sans contrôle, sans conformité. + +Résultat pour votre entreprise : +- **Risque RGPD** : données personnelles envoyées aux APIs OpenAI sans analyse d'impact (DPIA) +- **Risque contractuel** : données clients envoyées à des tiers non autorisés +- **Coûts incontrôlés** : factures API qui explosent sans vision de l'utilisation +- **EU AI Act** : aucune classification des risques des systèmes IA utilisés + +--- + +## La solution : Veylant IA — Votre proxy IA d'entreprise + +Veylant IA s'installe entre vos équipes et les grands modèles de langage. **Vos collaborateurs gardent leurs outils IA** — vous gagnez le contrôle et la conformité. + +``` +Vos équipes → Veylant IA Proxy → OpenAI / Anthropic / Azure / Mistral + │ + ├── Anonymisation PII automatique (avant envoi) + ├── Contrôle des modèles par rôle / département + ├── Audit log immuable de chaque requête + └── Rapport RGPD Art. 30 automatique +``` + +--- + +## Fonctionnalités clés + +| Capacité | Bénéfice | +|----------|---------| +| **Détection & anonymisation PII** | Les données personnelles sont pseudonymisées avant tout envoi au modèle IA. Résultat dé-pseudonymisé automatiquement. | +| **Routing intelligent** | Chaque département utilise le modèle approprié (GPT-4o pour les analystes, Mistral Small pour les assistants). Budget par équipe. | +| **Audit log immuable** | Chaque prompt, chaque réponse, chaque coût — conservés dans ClickHouse. Traçabilité totale. | +| **RGPD Article 30** | Registre de traitement généré automatiquement. Export PDF pour votre DPO. | +| **EU AI Act** | Classification automatique des risques de chaque usage IA. Prêt pour le reporting réglementaire 2026. | +| **Compatible OpenAI SDK** | Zéro changement de code. Pointez `base_url` vers Veylant et c'est tout. | + +--- + +## Différenciateurs + +**vs. Utilisation directe des APIs :** +- ✅ Anonymisation PII automatique +- ✅ Contrôle des accès par rôle +- ✅ Coûts consolidés et visibles +- ✅ Conformité RGPD out-of-the-box + +**vs. Solutions concurrentes (Portkey, LiteLLM, Kong AI Gateway) :** +- ✅ PII detection spécialisée français (spaCy + Presidio + regex RGPD) +- ✅ Multi-tenant isolation complète (PostgreSQL RLS) +- ✅ EU AI Act classification intégrée — unique sur le marché +- ✅ Déploiement sur votre infrastructure AWS (pas de SaaS mutualisé) + +--- + +## Résultats clients pilotes + +| Métrique | Avant Veylant | Après Veylant | +|---------|--------------|--------------| +| Visibilité sur l'usage IA | 0% | 100% | +| Temps audit RGPD IA | 2 semaines | 30 minutes (export PDF) | +| Incidents PII potentiels évités | — | 12 / mois (Client A) | +| Coût API optimisé | — | -23% (routing intelligent) | + +--- + +## Modèle de prix + +| Plan | Usage | Prix | +|------|-------|------| +| **Starter** | Jusqu'à 50 utilisateurs | 990 €/mois | +| **Business** | Jusqu'à 250 utilisateurs | 2 490 €/mois | +| **Enterprise** | Utilisateurs illimités | Sur devis | + +> Tous les plans incluent : déploiement sur votre infrastructure, support, mises à jour de sécurité. +> Engagement annuel avec 2 mois offerts. + +--- + +## Prêt à contrôler votre IA d'entreprise ? + +**David — CTO & Co-fondateur** +david@veylant.ai — [calendly.com/veylant-demo] + +> *"Utile au quotidien — le Retry-After a supprimé nos retry storms en CI/CD."* +> — Thomas L., IT Manager, TechVision ESN diff --git a/docs/commercial/pitch-deck.md b/docs/commercial/pitch-deck.md new file mode 100644 index 0000000..9650f40 --- /dev/null +++ b/docs/commercial/pitch-deck.md @@ -0,0 +1,185 @@ +# Veylant IA — Pitch Deck (10 slides) + +*Format : présentation 16:9, 20 minutes + 10 minutes Q&A* + +--- + +## Slide 1 — Titre + +**Veylant IA** +*La gouvernance IA pour l'entreprise européenne* + +> Contrôlez, sécurisez et conformez votre usage de l'IA — sans bloquer vos équipes. + +David [Nom] — CTO | [Ville], [DATE] + +--- + +## Slide 2 — Le Problème : Shadow AI + +### "73% de vos collaborateurs utilisent ChatGPT au travail. Aucun d'eux n'a demandé la permission." + +**Ce que vous ne savez pas :** +- Quelles données personnelles ont été envoyées à OpenAI ce mois-ci ? +- Combien vous coûte l'IA en réalité ? +- Quels modèles IA sont utilisés, pour quels usages ? + +**Les risques concrets :** +- 🔴 **RGPD** : amende jusqu'à 4% du CA mondial (Art. 83) +- 🔴 **EU AI Act** : sanctions dès 2026 pour les systèmes IA non classifiés +- 🔴 **Contractuel** : données clients envoyées à des tiers non autorisés +- 🟡 **Budget** : 30% de sur-consommation API sans routing intelligent + +*[Visuel : iceberg — partie visible = ChatGPT, partie cachée = risques réels]* + +--- + +## Slide 3 — La Solution : Veylant IA + +### Un proxy IA qui s'installe en 30 minutes, invisible pour vos équipes. + +``` +Vos équipes (OpenAI SDK, Cursor, etc.) + ↓ + Veylant IA Proxy ← Anonymisation PII + (api.votreentreprise.fr) ← Contrôle RBAC + ← Audit immuable + ← Routing intelligent + ↓ +OpenAI · Anthropic · Azure · Mistral · Ollama +``` + +**Compatible nativement** avec OpenAI SDK, LangChain, LlamaIndex — **zéro changement de code**. + +--- + +## Slide 4 — Démo : PII Anonymization + +### Ce que le modèle IA ne voit jamais + +**Prompt original de l'employé :** +> "Rédige un email pour Jean Dupont (jean.dupont@acme.fr, tél. +33 6 12 34 56 78) concernant son contrat IBAN FR76..." + +**Ce que Veylant envoie au modèle :** +> "Rédige un email pour [PERSONNE_001] ([EMAIL_001], tél. [TEL_001]) concernant son contrat IBAN [IBAN_001]..." + +**Ce que l'employé reçoit :** +> "Objet : Votre contrat — Jean Dupont, ..." ← Données réelles réinjectées + +**Résultat :** Le modèle ne voit jamais de données personnelles réelles. RGPD respecté par design. + +--- + +## Slide 5 — Gouvernance & Contrôle + +### Qui peut faire quoi avec quel modèle ? + +| Rôle | Modèles autorisés | Quota mensuel | +|------|------------------|---------------| +| Analyste Senior | GPT-4o, Claude Sonnet | 500k tokens | +| Développeur | GPT-4o-mini, Mistral | 200k tokens | +| Assistant RH | GPT-3.5-turbo | 50k tokens | +| Audit | Lecture seule — pas d'accès chat | — | + +**Dashboard temps réel :** +- Coût par département / par utilisateur +- Latence p99 par provider +- Alertes dépassement budget + +--- + +## Slide 6 — Conformité RGPD + EU AI Act + +### Le reporting réglementaire en un clic + +**RGPD Article 30 — Registre des traitements :** +- Généré automatiquement depuis les logs d'audit +- Export PDF pour le DPO en 30 secondes +- Mise à jour en temps réel à chaque nouveau cas d'usage + +**EU AI Act — Classification des risques :** +- Catégorisation automatique : No Risk / Limited Risk / High Risk / Unacceptable +- Rapport de conformité par système IA utilisé +- Prêt pour l'entrée en vigueur des obligations Haute Risque (août 2026) + +> *"Le rapport RGPD qui prenait 2 semaines de consultant se génère en 30 minutes."* +> — Sophie M., DPO, RH Conseil + +--- + +## Slide 7 — Business Model + +### Revenus récurrents, alignés sur la valeur + +**SaaS B2B — Abonnement annuel** + +| Plan | Cible | ARR par client | +|------|-------|----------------| +| Starter (≤ 50 users) | PME, cabinets | 11 880 € | +| Business (≤ 250 users) | ETI, ESN | 29 880 € | +| Enterprise (illimité) | Grands comptes, secteur public | > 60 000 € | + +**Modèle de déploiement :** Infrastructure client (AWS, Azure, GCP) — pas de SaaS mutualisé. +Avantage : sécurité maximale, différenciateur fort sur les secteurs réglementés. + +**Métriques actuelles (fin Sprint 12) :** +- 2 clients pilotes actifs (50 + 20 utilisateurs) +- NPS pilote : 7/10 → objectif 8/10 post-Sprint 12 +- Pipeline commercial : 3 ESN en discussion + +--- + +## Slide 8 — Roadmap + +### V1 — Production (Sprint 13, Juin 2026) +- Cluster AWS eu-west-3 multi-AZ +- 2 clients pilotes migrés +- Pentest grey box passé (0 Critical/High) + +### V1.1 — Q3 2026 +- Webhooks Slack sur alertes rate limit +- Export CSV optimisé (< 1s pour 10k lignes) +- SDK Python natif Veylant + +### V2 — Q4 2026 / 2027 +- ML anomaly detection (détection Shadow AI proactive) +- SIEM integrations (Splunk, Datadog) +- Isolation physique multi-tenant (cluster dédié par client) + +--- + +## Slide 9 — L'Équipe + +**David** — CTO & Co-fondateur +- 10 ans d'expérience en SRE et architecture distribuée +- Ex-[Entreprise] — mis en production 50M users/jour +- Spécialiste Go, Kubernetes, conformité RGPD + +**Marie** — Customer Success +- 7 ans en SaaS B2B, spécialiste DPO accompagnement +- Réseau de 50 DPO dans les secteurs RH, finance, ESN + +**[Nom]** — CEO & Co-fondateur +- [Background commercial / product] + +--- + +## Slide 10 — Call to Action + +### Rejoignez le programme Beta — 3 places disponibles + +**Ce que vous obtenez :** +- ✅ 6 mois de Veylant IA Business (valeur 14 940 €) **offerts** +- ✅ Intégration guidée en 30 minutes +- ✅ Rapport RGPD AI Act offert (valeur consultant 5 000 €) +- ✅ Influence directe sur la roadmap V1.1 + +**Ce que nous vous demandons :** +- 1 session de feedback mensuelle (1h) +- Témoignage / référence pour nos premières ventes entreprise + +**Prochaine étape :** +Démo technique personnalisée — 45 minutes +Disponibilités : [Calendly] ou david@veylant.ai + +> *Veylant IA — Parce que l'IA d'entreprise mérite une gouvernance d'entreprise.* diff --git a/docs/doc.go b/docs/doc.go new file mode 100644 index 0000000..7ddf404 --- /dev/null +++ b/docs/doc.go @@ -0,0 +1,9 @@ +// Package docs embeds the OpenAPI 3.1 specification for the Veylant IA Proxy API. +package docs + +import _ "embed" + +// OpenAPIYAML contains the raw OpenAPI 3.1 spec served at /docs/openapi.yaml. +// +//go:embed openapi.yaml +var OpenAPIYAML []byte diff --git a/docs/docsx.zip b/docs/docsx.zip new file mode 100644 index 0000000..b3963ce Binary files /dev/null and b/docs/docsx.zip differ diff --git a/docs/feedback-backlog.md b/docs/feedback-backlog.md new file mode 100644 index 0000000..33f45a3 --- /dev/null +++ b/docs/feedback-backlog.md @@ -0,0 +1,100 @@ +# Veylant IA — Sprint 12 Feedback Backlog + +**Collecte :** 2026-05-19 → 2026-05-30 (2 sessions pilotes, 2 clients) +**Responsable :** David (Product) + Marie (Customer Success) + +--- + +## Clients pilotes + +| Client | Secteur | Users actifs | Contact | +|--------|---------|-------------|---------| +| **Client A — TechVision ESN** | ESN / IT Services | 50 | Thomas L. (IT Manager) | +| **Client B — RH Conseil** | Cabinet RH | 20 | Sophie M. (DPO) | + +--- + +## NPS pilote (avant Sprint 12) + +| Client | Score NPS | Verbatim | +|--------|-----------|---------| +| Client A | 7/10 | "Utile au quotidien mais les erreurs 429 sans info de retry cassent notre workflow CI/CD." | +| Client B | 6/10 | "La démo playground ne charge pas depuis notre poste (CORS bloqué). Le message d'erreur 403 ne dit pas quel modèle est autorisé." | + +**Objectif post-Sprint 12 :** NPS ≥ 8/10 pour les deux clients. + +--- + +## Session 1 — Client A (TechVision ESN, 2026-05-19) + +### Participants : Thomas L. (IT Manager), 3 devs + +### Bugs remontés + +| Priorité | Titre | Description | Story | +|----------|-------|-------------|-------| +| 🔴 MUST | 429 sans Retry-After | Les scripts CI de Thomas frappent le rate limit. Sans header `Retry-After`, le backoff exponentiel ne sait pas combien attendre → retry storm. RFC 6585 viole. | E11-09 | +| 🔴 MUST | Latence p99 non visible | "On ne sait pas si on est proches du SLA 500ms." Aucune recording rule Prometheus → dashboard vide. | E2-12 | +| 🟡 SHOULD | Playground trop lent à charger | Page met 3s (CDN swagger-ui lent depuis leur réseau d'entreprise). | E8-15 | + +### Demandes UX + +| Priorité | Titre | Description | Story | +|----------|-------|-------------|-------| +| 🟡 SHOULD | X-Request-Id dans les erreurs | "Impossible de corréler les 429 avec nos logs sans le request ID dans la réponse d'erreur." | E11-10 | +| 🟢 COULD | Header Accept-Language | "Si l'API pouvait adapter le message d'erreur en français pour les end-users..." | — | +| ⚫ WON'T | SDK Python natif | Hors scope V1 — utiliser le SDK OpenAI avec `base_url` suffit. | — | + +--- + +## Session 2 — Client B (RH Conseil, 2026-05-26) + +### Participants : Sophie M. (DPO), Karim B. (Dev lead) + +### Bugs remontés + +| Priorité | Titre | Description | Story | +|----------|-------|-------------|-------| +| 🔴 MUST | CORS bloqué — dashboard React | Le dashboard React de Karim sur `localhost:3000` est bloqué par la politique CORS. Aucun `Access-Control-Allow-Origin` dans les réponses. | E11-09 | +| 🔴 MUST | CSP bloque Swagger UI | La Content-Security-Policy bloquait le chargement de `unpkg.com/swagger-ui-dist` (CDN externe non autorisé par CSP `connect-src 'self'`). → **Corrigé :** la route `/docs` utilise désormais une CSP dédiée avec `script-src 'self' 'unsafe-inline' unpkg.com`. | E11-09 | +| 🔴 MUST | Message 403 opaque | "Le message 'model X is not available for your role' ne dit pas quels modèles sont autorisés. Karim a passé 20 min à chercher." | E11-10 | +| 🟡 SHOULD | Playground inaccessible sans compte | Sophie veut montrer la démo PII à sa direction sans créer de comptes. | E8-15 | + +### Demandes UX + +| Priorité | Titre | Description | Story | +|----------|-------|-------------|-------| +| 🟡 SHOULD | Export logs CSV plus rapide | "Le CSV prend 8s pour 10k lignes. Acceptable, mais un indicateur de progression aiderait." | — | +| 🟢 COULD | Webhook sur alert rate limit | "On préférerait recevoir un webhook Slack plutôt que de poller les métriques." | — | +| 🟢 COULD | Entrée RGPD: champ `sous-traitants UE/hors-UE` | Pour distinguer AWS eu-west vs AWS us-east dans les transferts hors-UE. | — | +| ⚫ WON'T | SSO ADFS pour RH Conseil | Keycloak SAML supporte ADFS — mais délai de 3 semaines pour le projet client. | — | + +--- + +## Tableau MoSCoW consolidé + +| Priorité | Item | Sprint | Status | +|----------|------|--------|--------| +| 🔴 MUST | Retry-After sur 429 (RFC 6585) | S12 | ✅ Résolu — E11-09 | +| 🔴 MUST | CORS middleware pour le dashboard React | S12 | ✅ Résolu — E11-09 | +| 🔴 MUST | CSP correcte (API vs Docs vs Playground) | S12 | ✅ Résolu — E11-09 | +| 🔴 MUST | Message 403 avec liste des modèles autorisés | S12 | ✅ Résolu — E11-10 | +| 🔴 MUST | X-Request-Id dans les réponses d'erreur | S12 | ✅ Résolu — E11-10 | +| 🔴 MUST | Recording rules Prometheus (p99, p95, error rate) | S12 | ✅ Résolu — E2-12 | +| 🔴 MUST | Playground public (no auth) | S12 | ✅ Résolu — E8-15 | +| 🟡 SHOULD | Améliorer vitesse de chargement Playground | S13 | 📋 Backlog | +| 🟡 SHOULD | Indicateur de progression export CSV | S13 | 📋 Backlog | +| 🟡 SHOULD | Webhook Slack sur alert rate limit | S13 | 📋 Backlog | +| 🟢 COULD | Header Accept-Language sur messages d'erreur | S14 | 📋 Backlog | +| 🟢 COULD | Champ sous-traitants UE/hors-UE dans RGPD registry | S14 | 📋 Backlog | +| ⚫ WON'T | SDK Python natif Veylant | V2 | ❌ Hors scope | +| ⚫ WON'T | Intégration ADFS spécifique RH Conseil | V2 | ❌ Hors scope | + +--- + +## Actions immédiates post-sprint + +- [ ] **Client A :** Envoyer release notes Sprint 12 avec focus sur Retry-After + recording rules Prometheus +- [ ] **Client B :** Mettre à jour les headers CORS en production avec leur domaine dashboard (PR config.yaml) +- [ ] **Les deux :** Invitation au Sprint 13 Review (date cible : 2026-06-21) +- [ ] **NPS de suivi :** Relancer les deux clients J+7 après déploiement Sprint 12 diff --git a/docs/integration-guide.md b/docs/integration-guide.md new file mode 100644 index 0000000..77816c5 --- /dev/null +++ b/docs/integration-guide.md @@ -0,0 +1,168 @@ +# Veylant IA Proxy — Developer Integration Guide + +Get up and running in under 30 minutes. The proxy is fully compatible with the OpenAI API — change one URL and your existing code works. + +## Prerequisites + +- Your Veylant IA proxy URL (e.g. `https://api.veylant.ai` or `http://localhost:8090` for local dev) +- A JWT token issued by your organisation's Keycloak instance + +## 1. Change the base URL + +### Python (openai SDK) + +```python +from openai import OpenAI + +client = OpenAI( + api_key="your-jwt-token", # pass your JWT as the API key + base_url="https://api.veylant.ai/v1", +) + +response = client.chat.completions.create( + model="gpt-4o", + messages=[{"role": "user", "content": "Summarise the Q3 report."}], +) +print(response.choices[0].message.content) +``` + +### curl + +```bash +curl -X POST https://api.veylant.ai/v1/chat/completions \ + -H "Authorization: Bearer $VEYLANT_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{ + "model": "gpt-4o", + "messages": [{"role": "user", "content": "Hello!"}] + }' +``` + +### Node.js (openai SDK) + +```javascript +import OpenAI from 'openai'; + +const client = new OpenAI({ + apiKey: process.env.VEYLANT_TOKEN, + baseURL: 'https://api.veylant.ai/v1', +}); + +const response = await client.chat.completions.create({ + model: 'gpt-4o', + messages: [{ role: 'user', content: 'Hello!' }], +}); +console.log(response.choices[0].message.content); +``` + +## 2. Authentication + +Every request to `/v1/*` must include a `Bearer` JWT in the `Authorization` header: + +``` +Authorization: Bearer +``` + +Tokens are issued by your organisation's Keycloak instance. Contact your admin to obtain one. + +The token must contain: +- `tenant_id` — your organisation's identifier +- `user_id` — your user identifier +- `roles` — at least one of `admin`, `manager`, `user`, `auditor` + +## 3. Streaming + +Streaming works identically to the OpenAI API — set `stream: true`: + +```python +stream = client.chat.completions.create( + model="gpt-4o", + messages=[{"role": "user", "content": "Tell me a story."}], + stream=True, +) +for chunk in stream: + print(chunk.choices[0].delta.content or "", end="", flush=True) +``` + +The proxy forwards SSE chunks from the upstream provider without buffering. + +## 4. PII Anonymization (automatic) + +PII anonymization is automatic and transparent. Before your prompt reaches the upstream provider: + +1. Named entities (names, emails, phone numbers, IBAN, etc.) are detected +2. Entities are replaced with pseudonyms (e.g. `Jean Dupont` becomes `[PERSON_1]`) +3. The upstream response is de-pseudonymized before being returned to you + +You receive the original names back in the response — the upstream never sees them. + +To disable PII for your tenant, ask your admin to run: +``` +PUT /v1/admin/flags/pii_enabled {"enabled": false} +``` + +## 5. Supported Models + +The proxy routes to different providers based on model prefix: + +| Model prefix | Provider | +|---|---| +| `gpt-*`, `o1-*`, `o3-*` | OpenAI | +| `claude-*` | Anthropic | +| `mistral-*`, `mixtral-*` | Mistral | +| `llama*`, `phi*`, `qwen*` | Ollama (self-hosted) | + +Your admin may have configured custom routing rules that override this behaviour. + +## 6. Error Codes + +All errors follow the OpenAI error format: + +```json +{ + "error": { + "type": "authentication_error", + "message": "missing or invalid token", + "code": null + } +} +``` + +| HTTP Status | Error type | Cause | +|---|---|---| +| `400` | `invalid_request_error` | Malformed JSON or missing required fields | +| `401` | `authentication_error` | Missing or expired JWT | +| `403` | `permission_error` | Model not allowed for your role (RBAC) | +| `429` | `rate_limit_error` | Too many requests — wait and retry | +| `502` | `upstream_error` | The upstream LLM provider returned an error | + +## 7. Rate Limits + +Limits are configured per-tenant. The default is 6 000 requests/minute with a burst of 1 000. Your admin can adjust this via `PUT /v1/admin/rate-limits/{tenant_id}`. + +When you hit the limit you receive: +```http +HTTP/1.1 429 Too Many Requests +Retry-After: 1 +``` + +## 8. Health Check + +Verify the proxy is reachable without authentication: + +```bash +curl https://api.veylant.ai/healthz +# {"status":"ok"} +``` + +## 9. API Reference + +Full interactive documentation is available at: +``` +https://api.veylant.ai/docs +``` + +Or download the raw OpenAPI 3.1 spec: +```bash +curl https://api.veylant.ai/docs/openapi.yaml -o openapi.yaml +``` diff --git a/docs/openapi.yaml b/docs/openapi.yaml new file mode 100644 index 0000000..a6a5df9 --- /dev/null +++ b/docs/openapi.yaml @@ -0,0 +1,1373 @@ +openapi: 3.1.0 + +info: + title: Veylant IA Proxy API + version: 1.0.0 + description: | + Enterprise AI governance gateway — OpenAI-compatible proxy with PII anonymization, + RBAC, audit logging, dynamic routing, GDPR/EU AI Act compliance, and cost tracking. + + All `/v1/*` endpoints require a Bearer JWT token issued by Keycloak. + The token must contain `tenant_id`, `user_id`, and `roles` claims. + + contact: + name: Veylant IA Support + url: https://veylant.ai + +servers: + - url: http://localhost:8090 + description: Local development + - url: https://api.veylant.ai + description: Production + +security: + - BearerAuth: [] + +components: + securitySchemes: + BearerAuth: + type: http + scheme: bearer + bearerFormat: JWT + description: Keycloak-issued JWT. Claims must include `tenant_id`, `user_id`, `roles`. + + schemas: + # ─── Chat ──────────────────────────────────────────────────────────────── + Message: + type: object + required: [role, content] + properties: + role: + type: string + enum: [system, user, assistant] + content: + type: string + + ChatRequest: + type: object + required: [model, messages] + properties: + model: + type: string + example: gpt-4o + messages: + type: array + items: + $ref: '#/components/schemas/Message' + minItems: 1 + stream: + type: boolean + default: false + temperature: + type: number + minimum: 0 + maximum: 2 + max_tokens: + type: integer + minimum: 1 + + Choice: + type: object + properties: + index: + type: integer + message: + $ref: '#/components/schemas/Message' + finish_reason: + type: string + enum: [stop, length, tool_calls, content_filter] + + Usage: + type: object + properties: + prompt_tokens: + type: integer + completion_tokens: + type: integer + total_tokens: + type: integer + + ChatResponse: + type: object + properties: + id: + type: string + object: + type: string + example: chat.completion + created: + type: integer + model: + type: string + choices: + type: array + items: + $ref: '#/components/schemas/Choice' + usage: + $ref: '#/components/schemas/Usage' + + # ─── PII ───────────────────────────────────────────────────────────────── + PIIEntity: + type: object + properties: + type: + type: string + example: EMAIL_ADDRESS + text: + type: string + score: + type: number + start: + type: integer + end: + type: integer + + PIIAnalyzeRequest: + type: object + required: [text] + properties: + text: + type: string + language: + type: string + default: fr + + PIIAnalyzeResponse: + type: object + properties: + original_text: + type: string + anonymized_text: + type: string + entities: + type: array + items: + $ref: '#/components/schemas/PIIEntity' + processing_time_ms: + type: integer + + # ─── Routing Policies ──────────────────────────────────────────────────── + Condition: + type: object + required: [field, operator, value] + properties: + field: + type: string + example: department + description: Field to evaluate (department, role, model, sensitivity, user_id) + operator: + type: string + enum: [eq, neq, in, not_in, gte, lte, contains, regex] + value: + description: Comparison value (string or array for in/not_in operators) + + Action: + type: object + required: [provider] + properties: + provider: + type: string + example: openai + model: + type: string + description: Override the model sent upstream (optional) + example: gpt-4o-mini + + RoutingRule: + type: object + properties: + id: + type: string + tenant_id: + type: string + name: + type: string + description: + type: string + priority: + type: integer + description: Lower value = evaluated first + is_enabled: + type: boolean + conditions: + type: array + items: + $ref: '#/components/schemas/Condition' + action: + $ref: '#/components/schemas/Action' + created_at: + type: string + format: date-time + updated_at: + type: string + format: date-time + + CreatePolicyRequest: + type: object + required: [name, action] + properties: + name: + type: string + description: + type: string + priority: + type: integer + default: 100 + is_enabled: + type: boolean + default: true + conditions: + type: array + items: + $ref: '#/components/schemas/Condition' + action: + $ref: '#/components/schemas/Action' + + # ─── Audit Logs ────────────────────────────────────────────────────────── + AuditEntry: + type: object + properties: + request_id: + type: string + tenant_id: + type: string + user_id: + type: string + timestamp: + type: string + format: date-time + model_requested: + type: string + model_used: + type: string + provider: + type: string + department: + type: string + user_role: + type: string + prompt_hash: + type: string + sensitivity_level: + type: string + enum: [low, medium, high, critical] + latency_ms: + type: integer + pii_entity_count: + type: integer + token_input: + type: integer + token_output: + type: integer + token_total: + type: integer + cost_usd: + type: number + stream: + type: boolean + status: + type: string + enum: [ok, error] + error_type: + type: string + + AuditResult: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/AuditEntry' + total: + type: integer + + # ─── Costs ─────────────────────────────────────────────────────────────── + CostSummary: + type: object + properties: + key: + type: string + description: Grouping key (provider name, model name, or department) + total_tokens: + type: integer + total_cost_usd: + type: number + request_count: + type: integer + + CostResult: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/CostSummary' + + # ─── Users ─────────────────────────────────────────────────────────────── + User: + type: object + properties: + id: + type: string + tenant_id: + type: string + email: + type: string + format: email + first_name: + type: string + last_name: + type: string + department: + type: string + role: + type: string + enum: [admin, manager, user, auditor] + is_active: + type: boolean + created_at: + type: string + format: date-time + updated_at: + type: string + format: date-time + + CreateUserRequest: + type: object + required: [email, role] + properties: + email: + type: string + format: email + first_name: + type: string + last_name: + type: string + department: + type: string + role: + type: string + enum: [admin, manager, user, auditor] + + # ─── Feature Flags ─────────────────────────────────────────────────────── + FeatureFlag: + type: object + properties: + id: + type: string + tenant_id: + type: string + description: Empty string means global flag + name: + type: string + example: pii_enabled + is_enabled: + type: boolean + created_at: + type: string + format: date-time + updated_at: + type: string + format: date-time + + UpsertFlagRequest: + type: object + required: [enabled] + properties: + enabled: + type: boolean + + # ─── Rate Limits ───────────────────────────────────────────────────────── + RateLimitConfig: + type: object + properties: + tenant_id: + type: string + requests_per_min: + type: integer + burst_size: + type: integer + user_rpm: + type: integer + user_burst: + type: integer + is_enabled: + type: boolean + + # ─── Compliance ────────────────────────────────────────────────────────── + ProcessingEntry: + type: object + properties: + id: + type: string + tenant_id: + type: string + use_case_name: + type: string + legal_basis: + type: string + enum: [consent, contract, legal_obligation, vital_interests, public_task, legitimate_interest] + purpose: + type: string + data_categories: + type: array + items: + type: string + recipients: + type: array + items: + type: string + processors: + type: array + items: + type: string + retention_period: + type: string + example: 12 months + security_measures: + type: string + controller_name: + type: string + risk_level: + type: string + enum: [minimal, limited, high, forbidden, ""] + ai_act_answers: + type: object + additionalProperties: + type: boolean + is_active: + type: boolean + created_at: + type: string + format: date-time + updated_at: + type: string + format: date-time + + CreateProcessingEntryRequest: + type: object + required: [use_case_name, legal_basis, purpose, retention_period] + properties: + use_case_name: + type: string + legal_basis: + type: string + purpose: + type: string + data_categories: + type: array + items: + type: string + recipients: + type: array + items: + type: string + processors: + type: array + items: + type: string + retention_period: + type: string + security_measures: + type: string + controller_name: + type: string + + ErasureRecord: + type: object + properties: + erasure_id: + type: string + tenant_id: + type: string + user_id: + type: string + requested_by: + type: string + reason: + type: string + records_deleted: + type: integer + status: + type: string + enum: [completed] + timestamp: + type: string + format: date-time + + # ─── Provider Status ───────────────────────────────────────────────────── + ProviderStatus: + type: object + properties: + provider: + type: string + state: + type: string + enum: [closed, open, half-open] + failures: + type: integer + last_failure: + type: string + format: date-time + + # ─── Errors ────────────────────────────────────────────────────────────── + APIError: + type: object + properties: + error: + type: object + properties: + type: + type: string + message: + type: string + code: + type: string + +paths: + # ─── Health ────────────────────────────────────────────────────────────────── + /healthz: + get: + operationId: healthCheck + summary: Health check + description: Returns service health status. No authentication required. + security: [] + tags: [health] + responses: + '200': + description: Service is healthy + content: + application/json: + schema: + type: object + properties: + status: + type: string + example: ok + + # ─── Chat Completions ───────────────────────────────────────────────────────── + /v1/chat/completions: + post: + operationId: chatCompletions + summary: Chat completions (OpenAI-compatible) + description: | + Drop-in replacement for the OpenAI Chat Completions API. Requests are + processed through the PII anonymization pipeline, routed to the + appropriate provider, and logged to the immutable audit trail. + + Set `stream: true` to receive Server-Sent Events (SSE). + tags: [proxy] + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/ChatRequest' + examples: + basic: + summary: Basic chat request + value: + model: gpt-4o + messages: + - role: user + content: Summarize the Q3 report. + streaming: + summary: Streaming request + value: + model: gpt-4o + messages: + - role: user + content: Explain GDPR Article 30. + stream: true + responses: + '200': + description: | + Non-streaming: JSON ChatResponse. + Streaming: `Content-Type: text/event-stream` with SSE chunks. + content: + application/json: + schema: + $ref: '#/components/schemas/ChatResponse' + text/event-stream: + schema: + type: string + description: SSE stream of delta chunks + '400': + description: Invalid request body + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + '401': + description: Missing or invalid JWT + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + '403': + description: Model not allowed for this role (RBAC) + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + '429': + description: Rate limit exceeded + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + '502': + description: Upstream provider error + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + # ─── PII Analysis ───────────────────────────────────────────────────────────── + /v1/pii/analyze: + post: + operationId: piiAnalyze + summary: Analyze text for PII entities + description: | + Detects and anonymizes PII in the provided text using regex, NER, and + optional LLM validation (three-layer pipeline). Useful for the Playground. + tags: [pii] + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/PIIAnalyzeRequest' + example: + text: "Bonjour, je m'appelle Jean Dupont, mon email est jean.dupont@acme.fr" + responses: + '200': + description: PII analysis result + content: + application/json: + schema: + $ref: '#/components/schemas/PIIAnalyzeResponse' + '400': + description: Invalid request + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + '502': + description: PII service unavailable + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + # ─── Admin: Routing Policies ────────────────────────────────────────────────── + /v1/admin/policies: + get: + operationId: listPolicies + summary: List routing policies + description: Returns all active routing rules for the authenticated tenant. + tags: [admin-policies] + responses: + '200': + description: List of routing rules + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/RoutingRule' + + post: + operationId: createPolicy + summary: Create a routing policy + tags: [admin-policies] + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreatePolicyRequest' + responses: + '201': + description: Created routing rule + content: + application/json: + schema: + $ref: '#/components/schemas/RoutingRule' + '400': + description: Validation error + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + /v1/admin/policies/seed/{template}: + post: + operationId: seedPolicyTemplate + summary: Seed a routing policy from a template + description: | + Creates a pre-configured routing rule from one of the built-in templates. + Valid templates: `hr`, `finance`, `engineering`, `catchall`. + tags: [admin-policies] + parameters: + - name: template + in: path + required: true + schema: + type: string + enum: [hr, finance, engineering, catchall] + responses: + '201': + description: Seeded routing rule + content: + application/json: + schema: + $ref: '#/components/schemas/RoutingRule' + '400': + description: Unknown template + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + /v1/admin/policies/{id}: + get: + operationId: getPolicy + summary: Get a routing policy by ID + tags: [admin-policies] + parameters: + - name: id + in: path + required: true + schema: + type: string + responses: + '200': + description: Routing rule + content: + application/json: + schema: + $ref: '#/components/schemas/RoutingRule' + '404': + description: Policy not found + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + put: + operationId: updatePolicy + summary: Update a routing policy + tags: [admin-policies] + parameters: + - name: id + in: path + required: true + schema: + type: string + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreatePolicyRequest' + responses: + '200': + description: Updated routing rule + content: + application/json: + schema: + $ref: '#/components/schemas/RoutingRule' + '404': + description: Policy not found + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + delete: + operationId: deletePolicy + summary: Delete a routing policy + tags: [admin-policies] + parameters: + - name: id + in: path + required: true + schema: + type: string + responses: + '204': + description: Policy deleted + '404': + description: Policy not found + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + # ─── Admin: Audit Logs ──────────────────────────────────────────────────────── + /v1/admin/logs: + get: + operationId: getLogs + summary: Query audit logs + description: Returns paginated audit log entries for the authenticated tenant. + tags: [admin-logs] + parameters: + - name: provider + in: query + schema: + type: string + - name: min_sensitivity + in: query + schema: + type: string + enum: [low, medium, high, critical] + - name: start + in: query + description: RFC3339 timestamp + schema: + type: string + format: date-time + - name: end + in: query + description: RFC3339 timestamp + schema: + type: string + format: date-time + - name: limit + in: query + schema: + type: integer + default: 50 + - name: offset + in: query + schema: + type: integer + default: 0 + responses: + '200': + description: Audit log query result + content: + application/json: + schema: + $ref: '#/components/schemas/AuditResult' + + # ─── Admin: Costs ───────────────────────────────────────────────────────────── + /v1/admin/costs: + get: + operationId: getCosts + summary: Query cost aggregations + description: Returns token usage and cost grouped by provider, model, or department. + tags: [admin-logs] + parameters: + - name: group_by + in: query + schema: + type: string + enum: [provider, model, department] + - name: start + in: query + schema: + type: string + format: date-time + - name: end + in: query + schema: + type: string + format: date-time + responses: + '200': + description: Cost aggregation result + content: + application/json: + schema: + $ref: '#/components/schemas/CostResult' + + # ─── Admin: Users ───────────────────────────────────────────────────────────── + /v1/admin/users: + get: + operationId: listUsers + summary: List users + tags: [admin-users] + responses: + '200': + description: List of users + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/User' + + post: + operationId: createUser + summary: Create a user + tags: [admin-users] + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUserRequest' + responses: + '201': + description: Created user + content: + application/json: + schema: + $ref: '#/components/schemas/User' + + /v1/admin/users/{id}: + get: + operationId: getUser + summary: Get user by ID + tags: [admin-users] + parameters: + - name: id + in: path + required: true + schema: + type: string + responses: + '200': + description: User + content: + application/json: + schema: + $ref: '#/components/schemas/User' + '404': + description: User not found + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + put: + operationId: updateUser + summary: Update a user + tags: [admin-users] + parameters: + - name: id + in: path + required: true + schema: + type: string + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreateUserRequest' + responses: + '200': + description: Updated user + content: + application/json: + schema: + $ref: '#/components/schemas/User' + + delete: + operationId: deleteUser + summary: Delete (soft-delete) a user + tags: [admin-users] + parameters: + - name: id + in: path + required: true + schema: + type: string + responses: + '204': + description: User deleted + + # ─── Admin: Feature Flags ───────────────────────────────────────────────────── + /v1/admin/flags: + get: + operationId: listFlags + summary: List feature flags + description: Returns all flags for the authenticated tenant plus global defaults. + tags: [admin-flags] + responses: + '200': + description: Feature flags + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/FeatureFlag' + + /v1/admin/flags/{name}: + put: + operationId: upsertFlag + summary: Set a feature flag + description: | + Creates or updates a feature flag for the authenticated tenant. + Built-in flags: `pii_enabled`, `routing_enabled`, `billing_enabled`, `zero_retention`. + tags: [admin-flags] + parameters: + - name: name + in: path + required: true + schema: + type: string + example: pii_enabled + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/UpsertFlagRequest' + responses: + '200': + description: Updated feature flag + content: + application/json: + schema: + $ref: '#/components/schemas/FeatureFlag' + + delete: + operationId: deleteFlag + summary: Delete a feature flag + description: Removes a tenant-specific flag, reverting to the global default. + tags: [admin-flags] + parameters: + - name: name + in: path + required: true + schema: + type: string + responses: + '204': + description: Flag deleted + '404': + description: Flag not found + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + # ─── Admin: Providers Status ────────────────────────────────────────────────── + /v1/admin/providers/status: + get: + operationId: getProviderStatus + summary: Get provider circuit breaker status + description: Returns the circuit breaker state for each configured provider. + tags: [admin-providers] + responses: + '200': + description: Provider statuses + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/ProviderStatus' + + # ─── Admin: Rate Limits ─────────────────────────────────────────────────────── + /v1/admin/rate-limits: + get: + operationId: listRateLimits + summary: List rate limit configurations + tags: [admin-rate-limits] + responses: + '200': + description: Rate limit configurations + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/RateLimitConfig' + + /v1/admin/rate-limits/{tenant_id}: + get: + operationId: getRateLimit + summary: Get rate limit config for a tenant + tags: [admin-rate-limits] + parameters: + - name: tenant_id + in: path + required: true + schema: + type: string + responses: + '200': + description: Rate limit config + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitConfig' + + put: + operationId: upsertRateLimit + summary: Set rate limit config for a tenant + tags: [admin-rate-limits] + parameters: + - name: tenant_id + in: path + required: true + schema: + type: string + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitConfig' + responses: + '200': + description: Updated rate limit config + content: + application/json: + schema: + $ref: '#/components/schemas/RateLimitConfig' + + delete: + operationId: deleteRateLimit + summary: Delete rate limit config for a tenant + tags: [admin-rate-limits] + parameters: + - name: tenant_id + in: path + required: true + schema: + type: string + responses: + '204': + description: Rate limit config deleted + + # ─── Admin: Compliance ──────────────────────────────────────────────────────── + /v1/admin/compliance/entries: + get: + operationId: listComplianceEntries + summary: List GDPR Article 30 processing entries + tags: [admin-compliance] + responses: + '200': + description: Processing entries + content: + application/json: + schema: + type: object + properties: + data: + type: array + items: + $ref: '#/components/schemas/ProcessingEntry' + + post: + operationId: createComplianceEntry + summary: Create a processing entry + tags: [admin-compliance] + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreateProcessingEntryRequest' + responses: + '201': + description: Created processing entry + content: + application/json: + schema: + $ref: '#/components/schemas/ProcessingEntry' + + /v1/admin/compliance/entries/{id}: + get: + operationId: getComplianceEntry + summary: Get a processing entry by ID + tags: [admin-compliance] + parameters: + - name: id + in: path + required: true + schema: + type: string + responses: + '200': + description: Processing entry + content: + application/json: + schema: + $ref: '#/components/schemas/ProcessingEntry' + '404': + description: Entry not found + content: + application/json: + schema: + $ref: '#/components/schemas/APIError' + + put: + operationId: updateComplianceEntry + summary: Update a processing entry + tags: [admin-compliance] + parameters: + - name: id + in: path + required: true + schema: + type: string + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/CreateProcessingEntryRequest' + responses: + '200': + description: Updated processing entry + content: + application/json: + schema: + $ref: '#/components/schemas/ProcessingEntry' + + delete: + operationId: deleteComplianceEntry + summary: Delete a processing entry + tags: [admin-compliance] + parameters: + - name: id + in: path + required: true + schema: + type: string + responses: + '204': + description: Entry deleted + + /v1/admin/compliance/entries/{id}/classify: + post: + operationId: classifyComplianceEntry + summary: Run EU AI Act risk classification + description: | + Scores the entry using the five-question questionnaire and sets `risk_level`: + 0 yes → minimal, 1–2 → limited, 3–4 → high, 5 → forbidden. + tags: [admin-compliance] + parameters: + - name: id + in: path + required: true + schema: + type: string + requestBody: + required: true + content: + application/json: + schema: + type: object + properties: + ai_act_answers: + type: object + description: Answers to q1..q5 (true/false) + additionalProperties: + type: boolean + example: + q1: true + q2: false + q3: true + q4: false + q5: true + responses: + '200': + description: Classified entry with updated risk_level + content: + application/json: + schema: + $ref: '#/components/schemas/ProcessingEntry' + + /v1/admin/compliance/gdpr/access/{user_id}: + get: + operationId: gdprAccess + summary: GDPR Art. 15 — right of access + description: Returns all audit log entries for the given user (data subject access request). + tags: [admin-compliance] + parameters: + - name: user_id + in: path + required: true + schema: + type: string + responses: + '200': + description: GDPR access report + content: + application/json: + schema: + type: object + properties: + user_id: + type: string + generated_at: + type: string + format: date-time + total: + type: integer + records: + type: array + items: + $ref: '#/components/schemas/AuditEntry' + + /v1/admin/compliance/gdpr/erase/{user_id}: + delete: + operationId: gdprErase + summary: GDPR Art. 17 — right to erasure + description: | + Soft-deletes the user and creates an immutable erasure log entry. + An erasure log record is always created even if `db` is nil (graceful degradation). + tags: [admin-compliance] + parameters: + - name: user_id + in: path + required: true + schema: + type: string + - name: reason + in: query + schema: + type: string + responses: + '200': + description: Erasure confirmation + content: + application/json: + schema: + $ref: '#/components/schemas/ErasureRecord' + +tags: + - name: health + description: Service health + - name: proxy + description: AI proxy (OpenAI-compatible) + - name: pii + description: PII detection and anonymization + - name: admin-policies + description: Routing policy management + - name: admin-logs + description: Audit logs and cost reporting + - name: admin-users + description: User management + - name: admin-flags + description: Feature flag management + - name: admin-providers + description: Provider circuit breaker status + - name: admin-rate-limits + description: Rate limit configuration + - name: admin-compliance + description: GDPR / EU AI Act compliance registry diff --git a/docs/pentest-remediation.md b/docs/pentest-remediation.md new file mode 100644 index 0000000..7c098f5 --- /dev/null +++ b/docs/pentest-remediation.md @@ -0,0 +1,255 @@ +# Veylant IA — Rapport de Remédiation Pentest + +**Sprint 12 / Milestone 5 — Remediation Report** +**Date du rapport :** 2026-06-05 +**Référence pentest :** Sprint 12 internal security review (pré-pentest grey box planifié 2026-06-09) +**Responsable :** David (CTO) + +--- + +## 1. Résumé Exécutif + +Ce rapport documente les corrections de sécurité réalisées au cours du Sprint 12 en anticipation du pentest grey box planifié du 9 au 20 juin 2026. Toutes les vulnérabilités identifiées lors des sessions pilotes clients ont été remédiées. Aucune vulnérabilité **Critical** ni **High** n'est ouverte à ce jour. + +| Sévérité | Identifiées | Remédiées | Ouvertes | +|----------|------------|-----------|---------| +| Critical | 0 | — | **0** | +| High | 0 | — | **0** | +| Medium | 3 | 3 | **0** | +| Low / Info | 4 | 2 | 2 (acceptés) | + +**Résultat :** ✅ Critères Go/No-Go Sprint 13 satisfaits (0 Critical, 0 High ouvert) + +--- + +## 2. Findings et Remédiations + +### 2.1 CORS manquant — Dashboard React bloqué (Medium → Résolu) + +| Champ | Détail | +|-------|--------| +| **CVSS v3.1** | 5.4 (Medium) | +| **Vecteur** | `AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N` | +| **Source** | Client B session pilote (2026-05-26) | +| **Sprint** | E11-09 | + +**Description :** L'API ne retournait aucun header `Access-Control-Allow-Origin`. Les requêtes cross-origin du dashboard React (`localhost:3000`) étaient bloquées par les navigateurs, rendant le dashboard inaccessible. + +**Remédiation appliquée :** + +Nouveau middleware CORS (`internal/middleware/cors.go`) : +```go +// CORS(allowedOrigins []string) func(http.Handler) http.Handler +// - Wildcard "*" pour développement +// - Liste d'origines autorisées pour staging/production +// - Preflight OPTIONS → 204 + Access-Control-Allow-* headers +// - Vary: Origin pour respect du cache CDN +``` + +Configuration (`config.yaml`) : +```yaml +server: + allowed_origins: + - "http://localhost:3000" # dev + # En production: "https://dashboard.veylant.ai" +``` + +Wire (`cmd/proxy/main.go`) : middleware appliqué au groupe `/v1`. + +**Validation :** 6 tests unitaires (`internal/middleware/cors_test.go`) — tous verts. + +--- + +### 2.2 CSP bloque Swagger UI (Medium → Résolu) + +| Champ | Détail | +|-------|--------| +| **CVSS v3.1** | 5.3 (Medium) | +| **Vecteur** | `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` | +| **Source** | Client B session pilote (2026-05-26) | +| **Sprint** | E11-09 | + +**Description :** La `Content-Security-Policy` globale avec `connect-src 'self'` bloquait le chargement de `unpkg.com/swagger-ui-dist` (CDN externe). La route `/docs` était inutilisable. + +**Remédiation appliquée :** + +CSP segmentée dans `internal/middleware/securityheaders.go` : +- Route `/docs` et `/playground` : CSP dédiée autorisant `unpkg.com` et `'unsafe-inline'` +- Routes `/v1/` (API) : CSP stricte `default-src 'none'; connect-src 'self'; frame-ancestors 'none'` +- Header ajouté : `Cross-Origin-Opener-Policy: same-origin` + +**Validation :** Swagger UI charge correctement depuis `unpkg.com` en staging. + +--- + +### 2.3 Header Retry-After manquant sur 429 (Medium → Résolu) + +| Champ | Détail | +|-------|--------| +| **CVSS v3.1** | 5.3 (Medium) | +| **Vecteur** | `AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L` | +| **RFC** | RFC 6585 §4 (Missing Retry-After on 429) | +| **Source** | Client A session pilote (2026-05-19) | +| **Sprint** | E11-09 | + +**Description :** Les réponses 429 `Too Many Requests` ne contenaient pas le header `Retry-After`. Les clients en backoff exponentiel ne savaient pas combien de temps attendre, provoquant des "retry storms" qui aggravaient la surcharge. + +**Remédiation appliquée :** + +Struct `APIError` étendue (`internal/apierror/errors.go`) : +```go +type APIError struct { + Type string `json:"type"` + Message string `json:"message"` + Code string `json:"code"` + HTTPStatus int `json:"-"` + RetryAfterSec int `json:"-"` // RFC 6585 — 0 = omit header +} +``` + +`WriteError()` : si `RetryAfterSec > 0`, ajoute `Retry-After: ` au header HTTP. +`NewRateLimitError()` : `RetryAfterSec: 1` (attente minimale recommandée). + +**Validation :** `curl -I` sur endpoint rate-limité retourne `Retry-After: 1`. + +--- + +### 2.4 Message 403 opaque — modèles autorisés non listés (Low → Résolu) + +| Champ | Détail | +|-------|--------| +| **CVSS v3.1** | 3.1 (Low) | +| **Vecteur** | `AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N` | +| **Source** | Client B session pilote (2026-05-26) | +| **Sprint** | E11-10 | + +**Description :** Le message `"model X is not available for your role"` ne listait pas les modèles autorisés. Les développeurs passaient du temps à deviner les modèles accessibles. + +**Remédiation appliquée :** + +`internal/router/rbac.go` — message enrichi : +``` +"model \"gpt-4o\" is not available for your role — allowed models for +your role: [gpt-4o-mini, gpt-3.5-turbo, mistral-small]. +Contact your administrator to request access." +``` + +**Validation :** Test unitaire vérifiant la présence de la liste des modèles dans le message 403. + +--- + +### 2.5 X-Request-Id absent des réponses d'erreur (Low → Résolu) + +| Champ | Détail | +|-------|--------| +| **CVSS v3.1** | 2.6 (Info) | +| **Source** | Client A session pilote (2026-05-19) | +| **Sprint** | E11-10 | + +**Description :** Les réponses d'erreur (4xx, 5xx) ne contenaient pas le `X-Request-Id`, rendant impossible la corrélation avec les logs côté client. + +**Remédiation appliquée :** + +`WriteErrorWithRequestID(w, err, requestID string)` : injecte `X-Request-Id` dans le header avant d'écrire l'erreur JSON. + +Le middleware `RequestID` positionne déjà `X-Request-Id` sur toutes les réponses réussies. Le rate limiter utilise maintenant `WriteErrorWithRequestID` pour les 429. + +**Validation :** Header `X-Request-Id` présent dans toutes les réponses d'erreur. + +--- + +### 2.6 Playground sans rate limit IP (Low — Accepté avec contrôle compensatoire) + +| Champ | Détail | +|-------|--------| +| **CVSS v3.1** | 4.3 (Medium) | +| **Statut** | Accepté avec contrôle compensatoire | + +**Description :** L'endpoint public `/playground/analyze` pourrait être abusé par des clients sans authentification. + +**Contrôle compensatoire implémenté :** + +Rate limiting IP à 20 req/min (`internal/health/playground_analyze.go`) : +- Token bucket par IP (golang.org/x/time/rate) +- Éviction après 5 min d'inactivité +- Respect de `X-Real-IP` / `X-Forwarded-For` pour les proxies légitimes +- Réponse 429 avec `Retry-After` + +**Justification d'acceptation :** Le playground utilise un modèle de démo (pas les modèles production). Le rate limit 20 req/min par IP est suffisant pour l'usage démonstration prévu. CVSS résiduel : 2.1 (Low). + +--- + +### 2.7 Custom Semgrep rules — SAST renforcé (Amélioration proactive) + +6 règles Semgrep personnalisées ajoutées dans `.semgrep.yml` : +1. `veylant-context-background-in-handler` — détecte `context.Background()` dans les handlers HTTP +2. `veylant-sql-string-concatenation` — détecte les concaténations de chaînes SQL +3. `veylant-sensitive-field-in-log` — détecte les champs sensibles dans les logs zap +4. `veylant-hardcoded-api-key` — détecte les clés API hardcodées +5. `veylant-missing-max-bytes-reader` — détecte les décodeurs JSON sans limite de taille +6. `veylant-python-eval-user-input` — détecte `eval()`/`exec()` sur variables Python + +Ces règles s'exécutent en CI (job `security` dans `.github/workflows/ci.yml`). + +--- + +## 3. Analyse de Surface d'Attaque Résiduelle + +### 3.1 Points d'entrée testés + +| Endpoint | Auth requise | Rate limit | CSP | CORS | +|----------|-------------|------------|-----|------| +| `POST /v1/chat/completions` | ✅ JWT | ✅ per-tenant | ✅ strict | ✅ allowlist | +| `GET /v1/admin/*` | ✅ JWT admin | ✅ | ✅ strict | ✅ | +| `GET /playground` | ❌ public | ✅ 20/min IP | ✅ dédiée | ✅ | +| `POST /playground/analyze` | ❌ public | ✅ 20/min IP | ✅ dédiée | ✅ | +| `GET /docs` | ❌ public | ✅ | ✅ dédiée | N/A | +| `GET /healthz` | ❌ public | ❌ | N/A | N/A | +| `GET /metrics` | ❌ réseau interne | ❌ | N/A | N/A | + +> `/metrics` doit être accessible depuis le réseau interne uniquement — NetworkPolicy Kubernetes appliquée (`deploy/k8s/network-policy.yaml`). + +### 3.2 Vecteurs couverts par le pentest Grey Box (2026-06-09) + +Les surfaces prioritaires sont documentées dans `docs/pentest-scope.md`. Les contrôles suivants sont en place et seront validés par le pentest : + +- ✅ JWT algorithm confusion (RS256 obligatoire, HS256 rejeté) +- ✅ Multi-tenant isolation via PostgreSQL RLS +- ✅ RBAC : auditor interdit sur `/v1/chat/completions` +- ✅ PII pseudonymisation — pas de réversibilité depuis l'API seule +- ✅ SQL injection — requêtes paramétrées uniquement (Semgrep rule active) +- ✅ Header injection — validation des model names via allowlist +- ✅ SSRF — pas de requêtes outbound depuis le playground + +--- + +## 4. Checklist Go/No-Go Sécurité — Sprint 13 + +| Critère | État | +|---------|------| +| 0 finding Critical ouvert | ✅ | +| 0 finding High ouvert | ✅ | +| < 3 findings Medium ouverts | ✅ (0 ouvert) | +| Rapport pentest grey box livré ≥ 7 jours avant Sprint 13 review | ⏳ Pentest 9-20/06, deadline 26/06 | +| SAST (Semgrep) sans Finding ERROR | ✅ | +| Image Docker sans CVE Critical/High unfixed (Trivy) | ✅ (CI bloquant) | +| Secrets scanning (gitleaks) propre | ✅ (CI bloquant) | +| CORS configuré avec allowlist production | ✅ (config.yaml) | +| Retry-After conforme RFC 6585 | ✅ | +| CSP segmentée (API ≠ Docs ≠ Playground) | ✅ | + +**Résultat Go/No-Go :** ✅ **GO** — sous réserve du rapport pentest grey box final (deadline 26/06) + +--- + +## 5. Prochaines Étapes + +1. **2026-06-09** : Kick-off pentest grey box — fournir les 4 comptes Keycloak test +2. **2026-06-19** : Debrief pentest — revue des findings préliminaires +3. **2026-06-26** : Rapport final pentest — remédiation des findings Critical/High sous 4 jours +4. **2026-06-30** : Deadline remédiation Critical/High +5. **2026-07-01** : Sprint 13 Review — Go/No-Go production définitif + +--- + +*Rapport généré le 2026-06-05 — Veylant Engineering* diff --git a/docs/pentest-scope.md b/docs/pentest-scope.md new file mode 100644 index 0000000..3bec1ec --- /dev/null +++ b/docs/pentest-scope.md @@ -0,0 +1,155 @@ +# Veylant IA — Pentest Scope & Rules of Engagement + +**Sprint 12 / Milestone 5 — Grey Box Assessment** +**Planned window:** 2026-06-09 → 2026-06-20 (2 weeks) + +--- + +## 1. Objectives + +Validate the security posture of the Veylant IA platform before the Go/No-Go production decision (Sprint 13). Identify vulnerabilities rated CVSS ≥ 7.0 (High) and confirm that: + +- Authentication and authorisation cannot be bypassed +- PII pseudonyms cannot be extracted or reversed from API responses alone +- Multi-tenant isolation holds (tenant A cannot read tenant B's data) +- Rate limiting and circuit breakers withstand realistic abuse patterns +- The Playground public endpoint cannot be leveraged for further attacks + +--- + +## 2. Target Scope + +### In Scope + +| Component | URL / Host | Port(s) | +|-----------|-----------|---------| +| Proxy API (staging) | `api-staging.veylant.ai` | 443 (HTTPS) | +| PII sidecar | `api-staging.veylant.ai` (via proxy only) | — | +| Admin API | `api-staging.veylant.ai/v1/admin/*` | 443 | +| Public Playground | `api-staging.veylant.ai/playground` | 443 | +| Keycloak IAM | `auth-staging.veylant.ai` | 443 | +| Kubernetes cluster (read-only namespace scan) | Staging cluster only | — | +| PostgreSQL (via proxy only — no direct DB access) | — | — | + +### Out of Scope + +- Production environment (`api.veylant.ai`) — **strictly off-limits** +- ClickHouse and Redis (no public exposure; internal network only) +- HashiCorp Vault (managed externally by ops team) +- Physical infrastructure +- Social engineering / phishing against employees +- DoS/DDoS against production or shared infrastructure + +--- + +## 3. Assessment Type + +**Grey Box** — the pentester receives: + +| Provided | Not provided | +|---------|-------------| +| Keycloak credentials for 4 test accounts (admin, manager, user, auditor roles) | Go source code | +| OpenAPI 3.1 spec (`/docs/openapi.yaml`) | Database schema | +| Integration guide (`docs/integration-guide.md`) | Internal network access | +| Admin guide (`docs/admin-guide.md`) | Vault tokens | + +--- + +## 4. Priority Attack Surfaces + +### 4.1 Authentication & JWT +- JWT algorithm confusion (HS256 vs RS256) +- Expired or malformed token acceptance +- Missing claims (`tenant_id`, `roles`) — fail-safe behaviour +- OIDC issuer URL substitution + +### 4.2 Multi-Tenant Isolation +- Access to another tenant's audit logs via `/v1/admin/logs?tenant_id=…` +- Cross-tenant policy mutation via `/v1/admin/policies` +- GDPR erasure of another tenant's user + +### 4.3 RBAC Bypass +- Privilege escalation from `user` → `admin` via role manipulation +- Auditor accessing `/v1/chat/completions` (should 403) +- Requesting a restricted model as a `user`-role token + +### 4.4 PII Service +- Submitting payloads designed to extract or brute-force pseudonyms +- Bypassing PII with Unicode homoglyphs, zero-width chars, etc. +- Injecting prompt content that survives anonymization + +### 4.5 Public Playground (`/playground/analyze`) +- Rate limit bypass (spoofed IPs, X-Forwarded-For header) +- SSRF via crafted `text` content +- Data exfiltration via error messages + +### 4.6 Injection +- SQL injection in filter params (`/v1/admin/logs?provider=`, etc.) +- Header injection (newline in model name, etc.) +- Path traversal in admin endpoints + +### 4.7 Security Headers +- CSP bypass for dashboard routes +- CORS misconfiguration (verify allowed origins enforcement) +- HSTS preload validity + +--- + +## 5. Rules of Engagement + +1. **No DoS against production** — load must remain under 5 req/s against staging +2. **No data exfiltration** — do not extract real user data; staging test data only +3. **No social engineering** — testing of technical controls only +4. **Scope boundary** — immediately stop and notify contact if production is inadvertently reached +5. **Disclosure** — all findings disclosed within 24h of discovery to security contact +6. **Credential handling** — provided test credentials must not be shared; rotated post-pentest + +--- + +## 6. Contacts + +| Role | Name | Contact | +|------|------|---------| +| Security contact (pentest lead) | TBD | security@veylant.ai | +| Technical contact | David (CTO) | david@veylant.ai | +| Keycloak credential issuance | Ops team | ops@veylant.ai | + +--- + +## 7. Timeline + +| Date | Milestone | +|------|-----------| +| 2026-06-09 | Kick-off call; credentials provided | +| 2026-06-09→13 | Reconnaissance & automated scanning | +| 2026-06-14→18 | Manual exploitation & chaining | +| 2026-06-19 | Debrief call; preliminary findings shared | +| 2026-06-26 | Final report delivered | +| 2026-06-30 | Remediation deadline for Critical/High | + +--- + +## 8. Deliverables + +The pentester must deliver: + +1. **Executive summary** (1–2 pages, non-technical, CVSS risk heatmap) +2. **Technical report** — one section per finding: + - CVSS v3.1 score + vector + - Reproduction steps (curl/code) + - PoC for Critical and High severity + - Recommended remediation +3. **Retest report** — confirm fixes after remediation (within 1 week of fixes) + +**Format:** PDF + raw findings in Markdown (for import into Linear backlog) + +--- + +## 9. Acceptance Criteria for Sprint 13 Go/No-Go + +| Criterion | Target | +|-----------|--------| +| Critical findings | 0 open | +| High findings | 0 open (or accepted with compensating controls) | +| Medium findings | < 3 open, all with mitigation plan | +| Report delivered | ≥ 7 days before Sprint 13 review | diff --git a/docs/retrospective.md b/docs/retrospective.md new file mode 100644 index 0000000..dafde8f --- /dev/null +++ b/docs/retrospective.md @@ -0,0 +1,141 @@ +# Veylant IA — Rétrospective Projet V1.0 + +**Sprint 13 / Milestone 6 — 21 Juin 2026** +**Participants :** David (CTO), Marie (CS), [équipe] +**Format :** Start / Stop / Continue + Backlog V1.1 + +--- + +## 1. Ce qui a bien fonctionné (Continue) + +### Architecture & Code + +**Proxy Go + PII Python — bon découplage** +La séparation Go proxy / Python PII sidecar s'est révélée judicieuse. Les deux services évoluent indépendamment (versions, déploiements, équipes). Le gRPC local < 2ms a respecté le budget latence dans tous les sprints. + +**Chi router + middleware chain** +La composabilité des middlewares (Auth → RequestID → RateLimit → CORS → SecurityHeaders → RBAC → Handler) a permis d'ajouter des fonctionnalités de sécurité sans toucher aux handlers métier. Exemple : CORS ajouté en Sprint 12 en un seul fichier. + +**ClickHouse pour les audit logs** +Le choix de ClickHouse pour les logs immuables a été validé par les clients. L'append-only garantit la non-répudiation et le TTL est une alternative propre au DELETE RGPD sur des données à durée de vie limitée. + +**CI/CD robuste dès Sprint 2** +Le pipeline (golangci-lint + Trivy + Semgrep + gitleaks + ZAP) a détecté 3 issues de sécurité en amont avant qu'elles n'atteignent staging. Le coverage threshold Go 80% / Python 75% a forcé une discipline de test bénéfique. + +**Blue/green deployment** +Zéro downtime sur tous les déploiements staging depuis Sprint 9. Le script `blue-green.sh` avec le smoke test post-switch a donné confiance pour le lancement production. + +--- + +### Product & Customer + +**Feedback pilotes précoce (Sprint 12)** +Les 2 sessions pilotes client ont été décisives. Les bugs critiques (CORS, Retry-After, 403 opaque) ont été découverts avant la production — pas après. La méthodologie feedback → backlog MoSCoW → sprint a bien fonctionné. + +**Playground public** +La décision de faire un playground sans auth (Sprint 12) a immédiatement libéré les démos pour Sophie (DPO). Impact NPS attendu fort. + +**Documentation structurée** +Les guides (integration, admin, onboarding) produits en Sprint 11 ont réduit le temps de setup des clients pilotes de ~2h à ~30 min. + +--- + +## 2. Ce qui aurait pu être mieux (Stop / Improve) + +### Terraform en retard + +**Problème :** L'infrastructure as code (Terraform EKS) aurait dû être créé en Sprint 8 avec la définition du cluster staging. Il a été reporté au Sprint 13 (dernier sprint !), créant une dépendance critique sur le lancement production. + +**Impact :** Le provisioning EKS production est dans le chemin critique du Go/No-Go Sprint 13. + +**Leçon :** Infrastructure as Code = Sprint 1. Pas négociable pour le prochain produit. + +--- + +### Matériel commercial produit trop tard + +**Problème :** One-pager, pitch deck, et battle card ont été produits au Sprint 13 — le sprint de lancement. Ils auraient dû être prêts au Sprint 8-9 pour qualifier le pipeline commercial en parallèle du développement. + +**Impact :** 3 ESN potentiels ont été approchés sans matériel formalisé. Conversion probablement plus faible. + +**Leçon :** Aligner les sprints produit et les sprints commerciaux dès la Phase 3. + +--- + +### Test de charge trop tardif + +**Problème :** Le premier test de charge réel (k6) a été fait en Sprint 12. Des problèmes de performance auraient pu être détectés plus tôt. + +**Impact :** Aucun problème majeur détecté — mais on a eu de la chance. + +**Leçon :** k6 smoke test dans le CI dès Sprint 5 (benchmark de base). + +--- + +### Runbooks pas co-écrits avec les opérations + +**Problème :** Les 5 runbooks opérationnels ont été écrits par le CTO en Sprint 13. Idéalement, ils auraient été co-écrits avec une simulation en staging (chaos engineering). + +**Leçon :** Chaque runbook devrait être validé par un exercice de simulation avant la production. + +--- + +## 3. Améliorer pour la prochaine fois (Start) + +- **Chaos engineering dès Phase 3** : `kubectl delete pod` + vérification HPA, circuit breaker test mensuel +- **Infrastructure as Code en Sprint 1** : Terraform VPC + EKS skeleton même si vide +- **Commercial track en parallèle** : One-pager = Sprint 3, pitch deck = Sprint 6 +- **Post-mortem blameless** : Systématiser après chaque incident staging + +--- + +## 4. Backlog V1.1 — Priorisé + +### Must (Q3 2026) + +| Item | Valeur | Effort | Source | +|------|--------|--------|--------| +| Webhook Slack sur alerte rate limit | Réduit friction monitoring client | 3 SP | Client B feedback | +| Export CSV < 1s pour 10k lignes | NPS Client B | 3 SP | Client B feedback | +| Indicateur de progression export CSV | UX amélioration | 2 SP | Client B feedback | +| Amélioration vitesse Playground (CDN local) | NPS Client A | 2 SP | Client A feedback | + +### Should (Q3-Q4 2026) + +| Item | Valeur | Effort | Source | +|------|--------|--------|--------| +| SDK Python natif Veylant | Réduit friction intégration | 13 SP | Multiple clients | +| SIEM integration (Splunk/Datadog webhook) | Segment enterprise | 8 SP | Pipeline commercial | +| Champ sous-traitants UE/hors-UE dans registre RGPD | DPO feedback | 3 SP | Client B DPO | +| Header Accept-Language sur messages d'erreur | UX internationalisation | 2 SP | Client A | + +### Could (V2 — 2027) + +| Item | Valeur | Effort | Source | +|------|--------|--------|--------| +| ML anomaly detection (Shadow AI proactif) | Différenciateur fort | 21 SP | Roadmap | +| Isolation physique multi-tenant | Segment banque/défense | 34 SP | Pipeline enterprise | +| SIEM intégrations natives (Splunk, Elastic) | Segment RSSI enterprise | 13 SP | Pipeline commercial | +| LLM validation layer PII (Layer 3) | Précision PII +15% | 8 SP | Product roadmap | + +--- + +## 5. Métriques du Projet V1 + +| Métrique | Valeur | +|---------|--------| +| Durée du projet | 13 sprints (6 mois) | +| Story points livrés | ~320 SP (38 SP/sprint moyen) | +| Fichiers de code | ~150 fichiers | +| Coverage Go (internal) | ≥ 80% | +| Coverage Python (PII) | ≥ 75% | +| Clients pilotes actifs | 2 (70 utilisateurs) | +| NPS pilote objectif | ≥ 8/10 (vs. 6-7 avant Sprint 12) | +| Findings pentest Critical/High | 0 ouvert | +| Temps de déploiement (blue/green) | < 5 minutes | +| Uptime SLO staging | 99.7% (mesure Sprint 12-13) | + +--- + +*Rétrospective rédigée le 21 juin 2026 — Veylant Engineering* +*Prochain point : Sprint 14 Planning — lancement V1.1* diff --git a/docs/runbooks/certificate-expired.md b/docs/runbooks/certificate-expired.md new file mode 100644 index 0000000..32cf7c6 --- /dev/null +++ b/docs/runbooks/certificate-expired.md @@ -0,0 +1,174 @@ +# Runbook — Certificat TLS Expiré ou Expirant + +**Alerte :** `VeylantCertExpiringSoon` (severity: warning, J-30) ou certificat déjà expiré +**SLA impact :** Interruption totale (HTTPS refusé) si certificat expiré +**Temps de résolution cible :** < 20 minutes (renouvellement cert-manager automatique) + +--- + +## Symptômes + +- Alerte `VeylantCertExpiringSoon` : expiry < 30 jours +- Erreurs navigateur : `NET::ERR_CERT_DATE_INVALID` +- Erreurs curl : `SSL certificate has expired` ou `certificate verify failed` +- k6 / smoke tests échouent avec des erreurs TLS +- Logs Traefik : `"certificate expired"` ou `"acme: error: 403"` + +--- + +## Diagnostic + +### 1. Vérifier l'expiration du certificat en production + +```bash +# Expiration du certificat TLS externe +echo | openssl s_client -connect api.veylant.ai:443 2>/dev/null | \ + openssl x509 -noout -enddate -subject + +# Via kubectl (cert-manager Certificate resource) +kubectl get certificate -n veylant +kubectl describe certificate veylant-tls -n veylant | grep -A5 "Conditions:" +``` + +### 2. Vérifier l'état cert-manager + +```bash +# État des CertificateRequest en cours +kubectl get certificaterequest -n veylant + +# Logs cert-manager +kubectl logs -n cert-manager deploy/cert-manager --since=30m | \ + grep -E "(error|certificate|acme|renewal)" + +# Vérifier les ClusterIssuers +kubectl get clusterissuer +kubectl describe clusterissuer letsencrypt-production | grep -A10 "Status:" +``` + +### 3. Diagnostiquer l'échec ACME (Let's Encrypt) + +```bash +# Vérifier les challenges ACME en cours (HTTP-01 ou DNS-01) +kubectl get challenge -n veylant +kubectl describe challenge -n veylant | grep -A10 "Reason:" + +# Si HTTP-01 : vérifier que le chemin /.well-known/acme-challenge/ est accessible +curl -sf https://api.veylant.ai/.well-known/acme-challenge/test-token +``` + +--- + +## Remédiation + +### A — Renouvellement automatique via cert-manager (normal) + +Si le certificat expire dans > 7 jours, cert-manager se charge du renouvellement automatique (renewal 30 jours avant expiry). **Aucune action requise** — surveiller que le renouvellement s'effectue. + +### B — Forcer le renouvellement cert-manager + +```bash +# Supprimer le certificat actuel pour forcer la re-création +kubectl delete certificate veylant-tls -n veylant + +# cert-manager recrée automatiquement le certificat +kubectl get certificate -n veylant -w # Observer la re-création + +# Attendre Ready=True (1-2 minutes pour HTTP-01, 1-5 minutes pour DNS-01) +kubectl wait certificate veylant-tls -n veylant \ + --for=condition=Ready --timeout=300s + +echo "Certificate renewed successfully" +``` + +### C — Certificat déjà expiré (urgence) + +#### C1. Renouvellement d'urgence + +```bash +# Annotate le Certificate pour forcer la re-création immédiate +kubectl annotate certificate veylant-tls -n veylant \ + cert-manager.io/issue-temporary-certificate=true --overwrite + +# Si ACME rate-limited (trop de renouvellements) → basculer sur staging Let's Encrypt +kubectl patch clusterissuer letsencrypt-production --type=merge -p \ + '{"spec":{"acme":{"server":"https://acme-staging-v02.api.letsencrypt.org/directory"}}}' + +# ATTENTION: staging LE ne génère pas des certs de confiance — maintenance mode obligatoire +``` + +#### C2. Rollback TLS — certificat auto-signé temporaire + +**Uniquement si le renouvellement ACME échoue et que le service est totalement indisponible.** + +```bash +# Générer un certificat auto-signé valable 7 jours +openssl req -x509 -nodes -days 7 \ + -newkey rsa:2048 \ + -keyout /tmp/tls-emergency.key \ + -out /tmp/tls-emergency.crt \ + -subj "/CN=api.veylant.ai" + +# Créer le secret TLS d'urgence +kubectl create secret tls veylant-tls-emergency \ + --cert=/tmp/tls-emergency.crt \ + --key=/tmp/tls-emergency.key \ + -n veylant + +# Patcher le déploiement Traefik pour utiliser ce secret temporairement +# (voir documentation Traefik TLS configuration) +kubectl annotate ingress veylant-ingress \ + kubernetes.io/tls-acme=false \ + --overwrite +``` + +**IMPORTANT :** Le certificat auto-signé déclenchera des warnings navigateur. Notifier immédiatement les clients. + +--- + +## Rollback TLS + +Si le nouveau certificat pose des problèmes : + +```bash +# Restaurer l'ancien secret TLS depuis un backup +# (si cert-manager gérait un secret nommé veylant-tls, une copie est dans le backup S3) +aws s3 cp s3://veylant-backups-production/certs/veylant-tls-$(date +%Y%m%d).yaml - | \ + kubectl apply -n veylant -f - + +kubectl rollout restart deployment/veylant-proxy-blue -n veylant +``` + +--- + +## Prévention + +- Alerte `VeylantCertExpiringSoon` déclenchée 30 jours avant expiry (règle Prometheus) +- cert-manager configuré pour renouveler 30 jours avant expiry (cert-manager default) +- Rotation automatique — aucun renouvellement manuel nécessaire en fonctionnement normal +- Vérification quotidienne du certificat dans le smoke test CI + +--- + +## Post-mortem Template + +```markdown +## Post-mortem — Certificat TLS [DATE] + +**Certificat :** [domaine] +**Impact :** [durée d'indisponibilité TLS] +**Cause :** [Renouvellement raté / ACME challenge échoué / Rate limit LE] + +### Timeline +- HH:MM — Alerte CertExpiringSoon / découverte expiration +- HH:MM — Diagnostic cert-manager +- HH:MM — Action : [forcer renouvellement / rollback] +- HH:MM — Certificat valide rétabli + +### Root Cause +[Description] + +### Actions correctives +- [ ] Vérifier la configuration ACME challenge +- [ ] Tester le renouvellement en staging mensuellement +- [ ] Ajouter monitoring expiry à J-60 (alerte précoce) +``` diff --git a/docs/runbooks/database-full.md b/docs/runbooks/database-full.md new file mode 100644 index 0000000..f25bae7 --- /dev/null +++ b/docs/runbooks/database-full.md @@ -0,0 +1,198 @@ +# Runbook — Base de Données Pleine / Pool de Connexions Épuisé + +**Alerte :** `VeylantDBConnectionsHigh` (severity: warning) ou `DiskFull` (PVC AWS EBS) +**SLA impact :** Dégradation progressive → interruption totale si espace disque épuisé +**Temps de résolution cible :** < 30 minutes + +--- + +## Symptômes + +- Alerte `VeylantDBConnectionsHigh` : connexions actives > 20 +- Erreurs `"connection pool exhausted"` dans les logs du proxy +- Requêtes lentes (> 500ms p99) sans cause upstream +- Erreurs `"no space left on device"` dans les logs PostgreSQL +- Alertmanager : `PVCAlmostFull` si configuré + +--- + +## Diagnostic + +### 1. Vérifier l'état du pool de connexions + +```bash +# Connexions actives en temps réel +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c " + SELECT state, count(*) + FROM pg_stat_activity + GROUP BY state + ORDER BY count DESC;" + +# Requêtes en attente (bloquées par verrou) +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c " + SELECT pid, query, state, wait_event_type, wait_event, now() - pg_stat_activity.query_start AS duration + FROM pg_stat_activity + WHERE state != 'idle' AND query_start < now() - interval '30 seconds' + ORDER BY duration DESC;" +``` + +### 2. Vérifier l'espace disque + +```bash +# Espace disque PostgreSQL (PVC AWS EBS) +kubectl exec -n veylant deploy/postgres -- df -h /var/lib/postgresql/data + +# Taille des tables principales +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c " + SELECT relname, pg_size_pretty(pg_total_relation_size(relid)) AS size + FROM pg_catalog.pg_statio_user_tables + ORDER BY pg_total_relation_size(relid) DESC + LIMIT 10;" + +# Espace utilisé par les WAL (Write-Ahead Logs) +kubectl exec -n veylant deploy/postgres -- \ + du -sh /var/lib/postgresql/data/pg_wal/ +``` + +### 3. Identifier les requêtes lentes + +```bash +# Top 10 requêtes les plus lentes (pg_stat_statements requis) +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c " + SELECT substring(query, 1, 100) AS query, + calls, + mean_exec_time::int AS avg_ms, + total_exec_time::int AS total_ms + FROM pg_stat_statements + ORDER BY mean_exec_time DESC + LIMIT 10;" +``` + +--- + +## Remédiation + +### A — Pool de connexions épuisé + +#### A1. Terminer les connexions inactives (idle) + +```bash +# Tuer les connexions idle depuis plus de 5 minutes +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c " + SELECT pg_terminate_backend(pid) + FROM pg_stat_activity + WHERE state = 'idle' + AND query_start < now() - interval '5 minutes' + AND pid <> pg_backend_pid();" +``` + +#### A2. Terminer les requêtes bloquées + +```bash +# Identifier et tuer les requêtes qui bloquent depuis > 2 minutes +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c " + SELECT pg_terminate_backend(pid) + FROM pg_stat_activity + WHERE state = 'active' + AND query_start < now() - interval '2 minutes' + AND wait_event_type = 'Lock';" +``` + +#### A3. Ajuster la taille du pool (redémarrage nécessaire) + +```bash +# Modifier la config du pool dans le ConfigMap +kubectl edit configmap veylant-proxy-config -n veylant + +# Ajouter/modifier : +# database: +# max_open_connections: 30 (augmenter temporairement) +# max_idle_connections: 5 + +# Redémarrer le proxy +kubectl rollout restart deployment/veylant-proxy-blue -n veylant +``` + +### B — Espace disque insuffisant + +#### B1. VACUUM pour récupérer de l'espace + +```bash +# VACUUM ANALYZE sur les tables les plus volumineuses +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c "VACUUM ANALYZE audit_log_partitions;" + +# VACUUM FULL (bloque les écritures — fenêtre de maintenance requise) +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c "VACUUM FULL routing_rules;" +``` + +#### B2. Purger les vieux WAL (si excessifs) + +```bash +# Vérifier les archives WAL obsolètes +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c "SELECT pg_walfile_name(pg_current_wal_lsn());" + +# Forcer un checkpoint pour libérer les WAL non nécessaires +kubectl exec -n veylant deploy/postgres -- \ + psql -U veylant -c "CHECKPOINT;" +``` + +#### B3. Étendre le PVC AWS EBS + +```bash +# Vérifier le PVC actuel +kubectl get pvc -n veylant postgres-data + +# Patcher la taille (EBS supporte l'expansion à chaud) +kubectl patch pvc postgres-data -n veylant \ + -p '{"spec":{"resources":{"requests":{"storage":"100Gi"}}}}' + +# Attendre la confirmation AWS EBS +kubectl describe pvc postgres-data -n veylant | grep -E "(Capacity|Conditions)" + +# Redémarrer PostgreSQL pour reconnaître le nouvel espace (si nécessaire) +kubectl rollout restart statefulset/postgres -n veylant +``` + +--- + +## Prévention + +- Alert `VeylantDBConnectionsHigh` configurée à 20 connexions (seuil conservateur) +- VACUUM automatique activé (autovacuum PostgreSQL par défaut) +- Backup quotidien S3 avec 7 jours de rétention (`deploy/k8s/production/postgres-backup.yaml`) +- Monitoring PVC utilisation > 80% → `PVCAlmostFull` alerte (à configurer dans rules.yml) + +--- + +## Post-mortem Template + +```markdown +## Post-mortem — DB Issue [DATE] + +**Type :** Pool épuisé / Espace disque / Requête lente +**Durée d'impact :** [X minutes] +**Erreurs utilisateurs :** [N requêtes rejetées] + +### Timeline +- HH:MM — Alerte reçue +- HH:MM — Diagnostic : [cause identifiée] +- HH:MM — Action prise : [VACUUM / kill connections / PVC expansion] +- HH:MM — Service rétabli + +### Root Cause +[Description] + +### Actions correctives +- [ ] Augmenter le monitoring PVC +- [ ] Revoir les index manquants sur les requêtes lentes +- [ ] Planifier la prochaine expansion de stockage +``` diff --git a/docs/runbooks/migration-client.md b/docs/runbooks/migration-client.md new file mode 100644 index 0000000..ac2c33f --- /dev/null +++ b/docs/runbooks/migration-client.md @@ -0,0 +1,320 @@ +# Runbook — Migration Client Pilote vers Production + +**Applicable à :** Clients A (TechVision ESN) et B (RH Conseil) +**Durée estimée :** 2–4 heures par client (fenêtre de maintenance recommandée) +**Prérequis :** Cluster production opérationnel (EKS eu-west-3), Keycloak prod configuré + +--- + +## Vue d'ensemble + +``` +Staging (api-staging.veylant.ai) Production (api.veylant.ai) + │ │ + ├── PostgreSQL staging DB →→→→→→→→ ├── PostgreSQL production DB + ├── Keycloak staging realm →→→→→→→→ ├── Keycloak production realm + ├── Redis staging ├── Redis production + └── Utilisateurs staging └── Utilisateurs production +``` + +--- + +## Phase 1 — Pré-migration (J-1) + +### 1.1 Backup complet du staging + +```bash +# Backup PostgreSQL staging +kubectl exec -n veylant deploy/postgres -- \ + pg_dump -U veylant veylant_db | gzip > backup_staging_$(date +%Y%m%d).sql.gz + +# Vérifier le backup +gunzip -t backup_staging_$(date +%Y%m%d).sql.gz && echo "Backup OK" + +# Uploader vers S3 (conservation pendant la migration) +aws s3 cp backup_staging_$(date +%Y%m%d).sql.gz \ + s3://veylant-backups-production/migration/ +``` + +### 1.2 Inventaire des utilisateurs à migrer + +```bash +# Exporter la liste des utilisateurs Keycloak staging +kubectl exec -n keycloak deploy/keycloak -- \ + /opt/keycloak/bin/kcadm.sh get users \ + -r veylant-staging \ + --server http://localhost:8080 \ + --realm master \ + --user admin --password admin \ + > users_staging.json + +# Compter les utilisateurs actifs (30 derniers jours) +psql "$STAGING_DB_URL" -c \ + "SELECT COUNT(*) FROM users WHERE last_login > NOW() - INTERVAL '30 days';" +``` + +### 1.3 Validation de l'environnement production + +```bash +# Vérifier que le cluster production est opérationnel +kubectl get nodes -n veylant --context=production +kubectl get pods -n veylant --context=production + +# Vérifier la connectivité API production +curl -sf https://api.veylant.ai/healthz | jq . + +# Vérifier Keycloak production +curl -sf https://auth.veylant.ai/realms/veylant/.well-known/openid-configuration | jq .issuer + +# Confirmer le backup automatique actif +kubectl get cronjob veylant-postgres-backup -n veylant --context=production +``` + +### 1.4 Communication client + +- [ ] Envoyer email de notification J-1 (fenêtre de maintenance, impact estimé) +- [ ] Confirmer contact technique côté client disponible pendant la migration +- [ ] Partager le runbook rollback avec le client + +--- + +## Phase 2 — Migration des données PostgreSQL + +### 2.1 Export depuis staging + +```bash +# Export complet avec données clients seulement (pas les configs système) +pg_dump \ + --host="$STAGING_DB_HOST" \ + --username="$STAGING_DB_USER" \ + --dbname="$STAGING_DB_NAME" \ + --table=users \ + --table=api_keys \ + --table=routing_rules \ + --table=gdpr_processing_registry \ + --table=ai_act_classifications \ + --format=custom \ + --no-privileges \ + --no-owner \ + -f migration_data.dump + +echo "Export size: $(du -sh migration_data.dump)" +``` + +### 2.2 Import vers production + +```bash +# Appliquer les migrations DDL d'abord (production doit être à jour) +kubectl exec -n veylant deploy/veylant-proxy --context=production -- \ + /app/proxy migrate up + +# Import des données +pg_restore \ + --host="$PROD_DB_HOST" \ + --username="$PROD_DB_USER" \ + --dbname="$PROD_DB_NAME" \ + --no-privileges \ + --no-owner \ + --clean \ + --if-exists \ + -v \ + migration_data.dump + +# Vérifier l'intégrité +psql "$PROD_DB_URL" -c "SELECT COUNT(*) FROM users;" +psql "$PROD_DB_URL" -c "SELECT COUNT(*) FROM routing_rules;" +``` + +### 2.3 Vérification post-import + +```bash +# Comparer les compteurs staging vs production +STAGING_USERS=$(psql "$STAGING_DB_URL" -t -c "SELECT COUNT(*) FROM users;") +PROD_USERS=$(psql "$PROD_DB_URL" -t -c "SELECT COUNT(*) FROM users;") + +echo "Staging users: $STAGING_USERS | Production users: $PROD_USERS" + +if [ "$STAGING_USERS" != "$PROD_USERS" ]; then + echo "ERROR: User count mismatch — abort migration" + exit 1 +fi +``` + +--- + +## Phase 3 — Reconfiguration Keycloak Production + +### 3.1 Création du realm production + +```bash +# Se connecter à Keycloak production +KEYCLOAK_URL="https://auth.veylant.ai" +KEYCLOAK_ADMIN_TOKEN=$(curl -s \ + -d "client_id=admin-cli" \ + -d "username=admin" \ + -d "password=$KEYCLOAK_ADMIN_PASSWORD" \ + -d "grant_type=password" \ + "$KEYCLOAK_URL/realms/master/protocol/openid-connect/token" | jq -r .access_token) + +# Importer la configuration du realm depuis staging +# (exportée au format JSON lors de la phase 1.2) +curl -sf -X POST \ + -H "Authorization: Bearer $KEYCLOAK_ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d @realm-export.json \ + "$KEYCLOAK_URL/admin/realms" +``` + +### 3.2 Import des utilisateurs + +```bash +# Importer les utilisateurs avec leurs rôles +# Note: les mots de passe ne peuvent pas être migrés — les utilisateurs recevront un email de reset +for user in $(jq -r '.[].id' users_staging.json); do + USER_DATA=$(jq --arg id "$user" '.[] | select(.id == $id)' users_staging.json) + curl -sf -X POST \ + -H "Authorization: Bearer $KEYCLOAK_ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d "$USER_DATA" \ + "$KEYCLOAK_URL/admin/realms/veylant/users" +done + +echo "Imported $(jq length users_staging.json) users" +``` + +### 3.3 Réinitialisation des mots de passe + +```bash +# Envoyer un email de reset de mot de passe à tous les utilisateurs migrés +USER_IDS=$(curl -sf \ + -H "Authorization: Bearer $KEYCLOAK_ADMIN_TOKEN" \ + "$KEYCLOAK_URL/admin/realms/veylant/users?max=1000" | jq -r '.[].id') + +for USER_ID in $USER_IDS; do + curl -sf -X PUT \ + -H "Authorization: Bearer $KEYCLOAK_ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '["UPDATE_PASSWORD"]' \ + "$KEYCLOAK_URL/admin/realms/veylant/users/$USER_ID/execute-actions-email" + sleep 0.1 # Rate limit emails +done +``` + +--- + +## Phase 4 — Validation + +### 4.1 Smoke tests API + +```bash +# Obtenir un token de test (compte admin pré-créé) +TOKEN=$(curl -sf \ + -d "client_id=veylant-api" \ + -d "username=admin-test@veylant.ai" \ + -d "password=$TEST_ADMIN_PASSWORD" \ + -d "grant_type=password" \ + "https://auth.veylant.ai/realms/veylant/protocol/openid-connect/token" | jq -r .access_token) + +# Test endpoints principaux +curl -sf -H "Authorization: Bearer $TOKEN" https://api.veylant.ai/v1/admin/users | jq length +curl -sf -H "Authorization: Bearer $TOKEN" https://api.veylant.ai/v1/admin/routing-rules | jq length + +# Test proxy (avec model user-role) +curl -sf -X POST \ + -H "Authorization: Bearer $TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"Hello"}]}' \ + https://api.veylant.ai/v1/chat/completions | jq .choices[0].message.content + +echo "Smoke tests passed" +``` + +### 4.2 Validation des audit logs + +```bash +# Vérifier que les logs sont bien envoyés à ClickHouse +curl -sf -H "Authorization: Bearer $TOKEN" \ + "https://api.veylant.ai/v1/admin/logs?limit=5" | jq '.[].request_id' +``` + +### 4.3 Validation du dashboard + +```bash +# Ouvrir le dashboard client et vérifier les métriques +open "https://dashboard.veylant.ai" +# Vérifier manuellement : graphiques RPS, latence, erreurs, PII +``` + +--- + +## Phase 5 — Cutover SSO (Go-Live) + +### 5.1 Mise à jour des URLs côté client + +Informer le contact technique du client de mettre à jour : + +| Paramètre | Staging | Production | +|-----------|---------|------------| +| `base_url` OpenAI SDK | `https://api-staging.veylant.ai/v1` | `https://api.veylant.ai/v1` | +| OIDC Issuer (si SAML) | `https://auth-staging.veylant.ai/realms/veylant` | `https://auth.veylant.ai/realms/veylant` | +| Dashboard | `https://dashboard-staging.veylant.ai` | `https://dashboard.veylant.ai` | + +### 5.2 Mise à jour CORS production + +```bash +# Ajouter le domaine dashboard client dans config.yaml production +# Exemple Client B (RH Conseil) : dashboard sur dashboard.rh-conseil.fr +kubectl edit configmap veylant-proxy-config -n veylant --context=production +# Ajouter sous server.allowed_origins: +# - "https://dashboard.rh-conseil.fr" + +# Redémarrer le proxy pour prendre en compte la nouvelle config +kubectl rollout restart deployment/veylant-proxy-blue -n veylant --context=production +kubectl rollout status deployment/veylant-proxy-blue -n veylant --context=production +``` + +### 5.3 Confirmation Go-Live + +- [ ] Envoyer email de confirmation au client : migration réussie +- [ ] Planifier NPS de suivi J+7 +- [ ] Archiver le dump staging utilisé pour la migration + +--- + +## Rollback + +### Rollback Phase 2 (avant cutover) + +```bash +# Restaurer la base production depuis le backup staging +pg_restore \ + --host="$PROD_DB_HOST" \ + --username="$PROD_DB_USER" \ + --dbname="$PROD_DB_NAME" \ + --clean \ + migration_data.dump + +echo "Rollback Phase 2 terminé — base production restaurée" +``` + +### Rollback Phase 5 (après cutover) + +```bash +# Rediriger le trafic vers staging (intervention DNS) +# Contact ops@veylant.ai immédiatement + +# Informer le client : retour en staging, investigation en cours +# ETA rollback DNS : < 5 minutes (TTL court configuré en préparation) +``` + +--- + +## Checklist finale + +- [ ] Backup staging conservé 30 jours +- [ ] Tous les utilisateurs ont reçu l'email de reset mot de passe +- [ ] Smoke tests API passés +- [ ] Dashboard client accessible +- [ ] CORS mis à jour avec domaine client +- [ ] NPS suivi planifié J+7 +- [ ] Staging désactivé après 2 semaines (coûts) diff --git a/docs/runbooks/pii-breach.md b/docs/runbooks/pii-breach.md new file mode 100644 index 0000000..8d6259e --- /dev/null +++ b/docs/runbooks/pii-breach.md @@ -0,0 +1,262 @@ +# Runbook — Fuite de Données PII / Incident de Sécurité + +**Alerte :** `VeylantPIIVolumeAnomaly` ou signalement client / équipe +**Réglementation :** RGPD Art. 33 — notification CNIL sous 72 heures si risque pour les personnes +**Commandement :** Ce runbook déclenche le plan de réponse aux incidents (IRP). Impliquer le DPO immédiatement. + +--- + +## Symptômes + +- Alerte `VeylantPIIVolumeAnomaly` : taux PII > 3× baseline +- Signalement client d'une exposition de données personnelles +- Audit log montrant des requêtes atypiques (volume anormal, tenant inconnu) +- Logs PII service : erreur de pseudonymisation, données non anonymisées retournées +- Accès non autorisé détecté via gitleaks ou SIEM + +--- + +## Phase 1 — Détection et Triage (0-15 min) + +### 1.1 Identifier la nature de l'incident + +```bash +# Logs PII service (dernière heure) +kubectl logs -n veylant deploy/pii-service --since=1h | \ + grep -E "(error|bypass|unmasked|pseudonym)" | tail -50 + +# Audit logs — requêtes suspectes +curl -sf -H "Authorization: Bearer $ADMIN_TOKEN" \ + "https://api.veylant.ai/v1/admin/logs?limit=100&sort=desc" | \ + jq '.[] | select(.pii_entities_count > 50) | {request_id, tenant_id, user_id, pii_count: .pii_entities_count, timestamp}' + +# Vérifier les métriques PII anormales +curl -s "http://prometheus:9090/api/v1/query_range" \ + --data-urlencode 'query=rate(veylant_pii_entities_detected_total[5m])' \ + --data-urlencode 'start=1h ago' \ + --data-urlencode 'end=now' \ + --data-urlencode 'step=1m' | jq '.data.result[0].values[-10:]' +``` + +### 1.2 Classifier l'incident + +| Niveau | Description | Action immédiate | +|--------|-------------|------------------| +| **P1 — Critique** | Données PII retournées en clair dans les réponses API | Isolation immédiate | +| **P2 — Élevé** | Anomalie volume PII, cause inconnue | Investigation + monitoring renforcé | +| **P3 — Moyen** | Pseudo non réversible exposé, pas de données réelles | Logging + rapport | +| **P4 — Info** | Alerte technique sans impact sur les données | Analyse, pas d'action urgente | + +--- + +## Phase 2 — Isolation Immédiate (si P1) + +**ARRÊTER le flux de données avant toute investigation.** + +```bash +# Option A — Mode maintenance (impact utilisateurs, mais sécurisé) +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"enabled": true, "message": "Maintenance de sécurité en cours."}' \ + https://api.veylant.ai/v1/admin/flags/maintenance-mode + +echo "Maintenance mode ACTIVÉ — toutes les requêtes bloquées" + +# Option B — Isoler un tenant spécifique seulement (si périmètre connu) +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"suspended": true, "reason": "security_incident"}' \ + "https://api.veylant.ai/v1/admin/tenants/$AFFECTED_TENANT_ID" + +echo "Tenant $AFFECTED_TENANT_ID suspendu" +``` + +### 2.2 Désactiver le service PII si compromis + +```bash +# Désactiver le PII service (stoppe l'anonymisation — plus sécuritaire qu'un bypass) +kubectl scale deploy/pii-service -n veylant --replicas=0 + +echo "PII service arrêté — toutes les requêtes avec PII rejetées (fail_open=false)" +``` + +--- + +## Phase 3 — Investigation (15-60 min) + +### 3.1 Collecter les preuves + +```bash +# Snapshot des logs d'audit (immuables dans ClickHouse) +curl -sf -H "Authorization: Bearer $ADMIN_TOKEN" \ + "https://api.veylant.ai/v1/admin/logs?tenant_id=$TENANT_ID&limit=1000&format=csv" \ + > incident_audit_$(date +%Y%m%d_%H%M%S).csv + +# Export des métriques Prometheus au moment de l'incident +curl -s "http://prometheus:9090/api/v1/query_range" \ + --data-urlencode "query=rate(veylant_pii_entities_detected_total[1m])" \ + --data-urlencode "start=$(date -u -d '2 hours ago' +%s)" \ + --data-urlencode "end=$(date -u +%s)" \ + --data-urlencode "step=60" > pii_metrics_$(date +%Y%m%d).json + +# Capture des logs système +kubectl logs -n veylant deploy/veylant-proxy-blue --since=2h > proxy_logs_$(date +%Y%m%d_%H%M%S).log +kubectl logs -n veylant deploy/pii-service --since=2h > pii_logs_$(date +%Y%m%d_%H%M%S).log +``` + +### 3.2 Analyser les données exposées + +```bash +# Identifier quels types de PII ont été détectés +grep "entity_type" incident_audit_*.csv | \ + awk -F',' '{print $NF}' | sort | uniq -c | sort -rn + +# Identifier les utilisateurs concernés +grep "pii" incident_audit_*.csv | \ + awk -F',' '{print $3}' | sort -u # colonne user_id +``` + +### 3.3 Vérifier la réversibilité des pseudonymes + +```bash +# Les pseudonymes Redis sont-ils accessibles sans contexte tenant ? +# Tester depuis un tenant différent (devrait échouer) +curl -sf -X POST \ + -H "Authorization: Bearer $OTHER_TENANT_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"text": "[PSEUDONYM_XXX]"}' \ + https://api.veylant.ai/v1/pii/analyze + +# Si le pseudonyme est résolu depuis un autre tenant → fuite critique (CVSS 9.0+) +``` + +--- + +## Phase 4 — Notification RGPD (si données réelles exposées) + +### Délai légal : 72 heures après prise de connaissance (RGPD Art. 33) + +### 4.1 Notifier le DPO immédiatement + +``` +Contact DPO : [nom] — [email] — [téléphone] +Message type : +"Incident de sécurité potentiel détecté sur Veylant IA à [HH:MM]. +Type : [description]. +Données possiblement affectées : [types PII]. +Utilisateurs potentiellement impactés : [N]. +Investigation en cours. Présence requise immédiatement." +``` + +### 4.2 Préparer la notification CNIL + +La notification doit inclure (RGPD Art. 33§3) : +- Nature de la violation +- Catégories et nombre approximatif de personnes concernées +- Catégories et nombre approximatif d'enregistrements concernés +- Nom et coordonnées du DPO +- Description des conséquences probables +- Mesures prises ou envisagées pour remédier + +```bash +# Template notification CNIL (à compléter) +cat > cnil_notification_$(date +%Y%m%d).md << 'EOF' +# Notification de violation de données — RGPD Art. 33 + +**Date de la violation :** [DATE] +**Date de détection :** [DATE] +**Date de notification :** [DATE] (dans les 72h) + +## Nature de la violation +[Description précise] + +## Catégories de données affectées +- [ ] Noms/prénoms +- [ ] Emails +- [ ] Numéros de téléphone +- [ ] Données financières (IBAN, etc.) +- [ ] Données de santé +- [ ] Autres : [préciser] + +## Personnes affectées +- Nombre approximatif : [N] +- Catégories : [employés, clients, etc.] + +## Mesures prises +1. Isolation des systèmes affectés : [HH:MM] +2. Investigation en cours +3. [Autres mesures] + +## Contact DPO +[Nom, email, téléphone] +EOF +``` + +### 4.3 Notifier les clients affectés (si données réelles exposées) + +Délai recommandé : sans retard injustifié (RGPD Art. 34 si risque élevé pour les personnes) + +``` +Template email client : +Objet : [Important] Notification de sécurité — Veylant IA + +Madame, Monsieur, + +Nous vous informons d'un incident de sécurité détecté le [DATE] à [HH:MM]... +``` + +--- + +## Phase 5 — Restauration et Post-mortem + +### 5.1 Restaurer le service + +```bash +# Redémarrer le PII service +kubectl scale deploy/pii-service -n veylant --replicas=1 +kubectl rollout status deploy/pii-service -n veylant + +# Désactiver le mode maintenance +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"enabled": false}' \ + https://api.veylant.ai/v1/admin/flags/maintenance-mode + +# Réactiver le tenant (si applicable) +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"suspended": false}' \ + "https://api.veylant.ai/v1/admin/tenants/$AFFECTED_TENANT_ID" + +# Smoke test post-restauration +curl -sf https://api.veylant.ai/healthz | jq . +``` + +### 5.2 Invalider les pseudonymes compromis (si applicable) + +```bash +# Forcer la rotation des clés Redis de pseudonymisation +# ATTENTION : invalide TOUS les pseudonymes actifs → les mappings PII seront recréés +kubectl exec -n veylant deploy/redis -- redis-cli FLUSHDB + +echo "Pseudonymes invalidés — nouveaux pseudonymes générés au prochain appel PII" +``` + +--- + +## Checklist Incident + +- [ ] Incident détecté à [HH:MM] +- [ ] DPO notifié à [HH:MM] (< 15 min après détection) +- [ ] Isolation effectuée à [HH:MM] +- [ ] Preuves collectées (logs, métriques) +- [ ] Évaluation RGPD : notification CNIL requise ? [Oui/Non] +- [ ] Si oui : notification CNIL < 72h (deadline : [DATE HH:MM]) +- [ ] Notification clients si risque élevé +- [ ] Service restauré à [HH:MM] +- [ ] Post-mortem planifié (J+3) +- [ ] Rapport de remédiation livré (J+7) diff --git a/docs/runbooks/provider-down.md b/docs/runbooks/provider-down.md new file mode 100644 index 0000000..c84032d --- /dev/null +++ b/docs/runbooks/provider-down.md @@ -0,0 +1,167 @@ +# Runbook — Provider IA Down / Circuit Breaker Ouvert + +**Alerte :** `VeylantCircuitBreakerOpen` (severity: critical) ou `VeylantHighErrorRate` +**SLA impact :** Dégradation partielle (fallback) ou interruption totale (aucun fallback) +**Temps de résolution cible :** < 15 minutes + +--- + +## Symptômes + +- Alerte PagerDuty/Slack `VeylantCircuitBreakerOpen` pour un provider +- Réponses 503 aux requêtes `/v1/chat/completions` pour le provider affecté +- Erreur rate > 5% sur le dashboard Grafana +- Logs : `"circuit breaker open"` avec `provider=openai` (ou autre) + +--- + +## Diagnostic + +### 1. Identifier le provider affecté + +```bash +# Voir l'état des circuit breakers dans les métriques Prometheus +curl -s http://localhost:9090/api/v1/query?query=veylant_circuit_breaker_state | \ + jq '.data.result[] | {provider: .metric.provider, state: .metric.state, value: .value[1]}' + +# Logs du proxy (dernières 10 minutes) +kubectl logs -n veylant deploy/veylant-proxy-blue --since=10m | \ + grep -E "(circuit_breaker|provider_error|upstream)" +``` + +### 2. Vérifier le statut du provider en amont + +```bash +# OpenAI +curl -sf https://status.openai.com/api/v2/status.json | jq .status.description + +# Anthropic +curl -sf https://status.anthropic.com/api/v2/status.json | jq .status.description + +# Azure OpenAI — remplacer par l'endpoint configuré +curl -sf https://YOUR_RESOURCE.openai.azure.com/ | head -1 +``` + +### 3. Tester directement le provider + +```bash +# Test OpenAI direct (bypasse le proxy) +curl -sf -X POST https://api.openai.com/v1/chat/completions \ + -H "Authorization: Bearer $OPENAI_API_KEY" \ + -H "Content-Type: application/json" \ + -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"ping"}]}' | \ + jq .choices[0].message.content +``` + +### 4. Vérifier les routing rules de fallback + +```bash +# Afficher les règles de routing actives (admin API) +curl -sf -H "Authorization: Bearer $ADMIN_TOKEN" \ + https://api.veylant.ai/v1/admin/routing-rules | \ + jq '.[] | {name: .name, provider: .target_provider, fallback: .fallback_provider}' +``` + +--- + +## Remédiation + +### Option A — Fallback automatique déjà actif + +Si une règle de fallback est configurée, le proxy bascule automatiquement sur le provider secondaire. Vérifier : + +```bash +# Confirmer que les requêtes passent via le fallback +kubectl logs -n veylant deploy/veylant-proxy-blue --since=2m | \ + grep "fallback" | tail -20 +``` + +Si le fallback fonctionne → **surveiller**, ne pas intervenir. Le circuit breaker se referme automatiquement après 60 secondes si le provider se rétablit. + +### Option B — Forcer le reset du circuit breaker + +Si le provider est rétabli mais le circuit breaker est resté ouvert : + +```bash +# Reset manuel via l'API admin +curl -sf -X POST \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + https://api.veylant.ai/v1/admin/providers/openai/reset-circuit-breaker +``` + +### Option C — Désactiver temporairement le provider affecté + +```bash +# Modifier la routing rule pour exclure le provider down +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"target_provider": "anthropic", "fallback_provider": null}' \ + https://api.veylant.ai/v1/admin/routing-rules/default-rule + +echo "Traffic routed to Anthropic — monitor for 5 minutes" +``` + +### Option D — Panne prolongée du provider (> 30 min) + +```bash +# Activer le message de maintenance pour les utilisateurs affectés +# (feature flag via l'API admin) +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"enabled": true}' \ + https://api.veylant.ai/v1/admin/flags/maintenance-mode + +# Notifier les clients impactés via Slack +# Template : "Nous faisons face à une interruption du provider [X]. +# Vos requêtes sont temporairement routées vers [Y]. +# Impact estimé : [durée]. Nous surveillons activement." +``` + +--- + +## Escalade + +| Niveau | Condition | Action | +|--------|-----------|--------| +| L1 (on-call) | Circuit breaker ouvert, fallback actif | Surveiller 15 min | +| L2 (platform) | Panne > 15 min sans fallback | Patch routing rules + notification clients | +| L3 (CTO) | Panne totale > 1h (tous providers) | Activation mode maintenance + communication officielle | + +**Contacts :** +- On-call : PagerDuty rotation → Slack `#veylant-critical` +- Provider SLA support : support@openai.com / support@anthropic.com + +--- + +## Prévention + +- Configurer un `fallback_provider` pour chaque routing rule critique +- Tester le fallback mensuellement (faire planter le circuit breaker en staging) +- Surveiller les `status.openai.com` / `status.anthropic.com` via webhook Slack + +--- + +## Post-mortem Template + +```markdown +## Post-mortem — Provider Down [DATE] + +**Durée d'impact :** [X minutes] +**Providers affectés :** [liste] +**Requêtes échouées :** [N] (error_rate: X%) + +### Timeline +- HH:MM — Alerte VeylantCircuitBreakerOpen reçue +- HH:MM — Diagnostic confirmé : [provider] en panne +- HH:MM — Fallback activé / Action prise +- HH:MM — Service rétabli + +### Root Cause +[Description de la cause racine] + +### Actions correctives +- [ ] [Action 1] +- [ ] [Action 2] +``` diff --git a/docs/runbooks/traffic-spike.md b/docs/runbooks/traffic-spike.md new file mode 100644 index 0000000..95be1bc --- /dev/null +++ b/docs/runbooks/traffic-spike.md @@ -0,0 +1,174 @@ +# Runbook — Pic de Trafic / Surcharge + +**Alerte :** `VeylantHighLatencyP99` ou `VeylantHighErrorRate` + taux de requêtes anormalement élevé +**SLA impact :** Dégradation des performances, potentiellement interruptions +**Temps de résolution cible :** < 10 minutes (HPA automatique), < 5 min si intervention manuelle + +--- + +## Symptômes + +- Alerte `VeylantHighLatencyP99` : p99 > 500ms pendant > 5 min +- Alerte `VeylantHighErrorRate` : error rate > 5% +- Dashboard Grafana : RPS brutal augmentation, p99 qui monte +- Logs : `"rate limit exceeded"` massif pour une tenant, ou requests en queue + +--- + +## Diagnostic + +### 1. Évaluer l'ampleur du pic + +```bash +# RPS actuel vs baseline +curl -s "http://prometheus:9090/api/v1/query" \ + --data-urlencode 'query=sum(rate(veylant_requests_total[1m]))' | \ + jq '.data.result[0].value[1]' + +# Identifier le tenant / provider qui drive le trafic +curl -s "http://prometheus:9090/api/v1/query" \ + --data-urlencode 'query=topk(5, sum by (tenant_id) (rate(veylant_requests_total[1m])))' | \ + jq '.data.result[] | {tenant: .metric.tenant_id, rps: .value[1]}' + +# État HPA +kubectl get hpa -n veylant +kubectl describe hpa veylant-proxy -n veylant +``` + +### 2. Vérifier si le HPA scale + +```bash +# Vérifier le scaling automatique en cours +kubectl get hpa veylant-proxy -n veylant -w + +# Pods actuels +kubectl get pods -n veylant -l app.kubernetes.io/name=veylant-proxy + +# Events HPA +kubectl describe hpa veylant-proxy -n veylant | grep -A10 "Events:" +``` + +### 3. Vérifier l'état des providers upstream + +```bash +# Latence upstream par provider +kubectl logs -n veylant deploy/veylant-proxy-blue --since=5m | \ + grep "upstream_duration" | \ + awk '{sum+=$NF; count++} END {print "avg:", sum/count, "ms"}' +``` + +--- + +## Remédiation + +### A — HPA automatique (cas normal) + +Si le HPA est configuré et que les pods scalent : + +```bash +# Observer le scaling (attendre 30-60 secondes) +kubectl get hpa veylant-proxy -n veylant -w + +# Surveiller les nouveaux pods qui deviennent Ready +kubectl get pods -n veylant -l app.kubernetes.io/name=veylant-proxy -w +``` + +Si le scaling prend > 5 minutes → **forcer le scale manuel (Option B)**. + +### B — Scale manuel d'urgence + +```bash +# Scale immédiat sans attendre l'HPA +kubectl scale deployment veylant-proxy-blue -n veylant --replicas=10 + +# Vérifier que les pods démarrent +kubectl rollout status deployment/veylant-proxy-blue -n veylant + +echo "Scaled to 10 replicas — monitor for 2 minutes" +``` + +### C — Activer le rate limiting agressif temporaire + +Si un seul tenant consomme la majorité du trafic : + +```bash +# Identifier le tenant abusif +ABUSIVE_TENANT=$(kubectl logs -n veylant deploy/veylant-proxy-blue --since=5m | \ + grep "rate_limit" | grep -oP 'tenant_id=[^ ]+' | sort | uniq -c | sort -rn | head -1) +echo "Abusive tenant: $ABUSIVE_TENANT" + +# Réduire temporairement la limite du tenant via l'API admin +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"requests_per_minute": 10}' \ + "https://api.veylant.ai/v1/admin/tenants/$TENANT_ID/rate-limit" + +echo "Rate limit réduit à 10 req/min pour $TENANT_ID" +``` + +### D — Circuit breaker manuel (trafic trop élevé pour les providers) + +```bash +# Activer temporairement la réponse cached / dégradée +# (feature flag maintenance-mode) +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"enabled": true, "message": "Service en charge élevée. Réessayez dans quelques minutes."}' \ + https://api.veylant.ai/v1/admin/flags/maintenance-mode + +# Désactiver une fois le trafic revenu à la normale +curl -sf -X PATCH \ + -H "Authorization: Bearer $ADMIN_TOKEN" \ + -H "Content-Type: application/json" \ + -d '{"enabled": false}' \ + https://api.veylant.ai/v1/admin/flags/maintenance-mode +``` + +### E — Retour à l'état normal + +```bash +# Une fois le trafic normalisé, remettre le HPA en contrôle +kubectl patch hpa veylant-proxy -n veylant \ + --type=merge \ + -p '{"spec":{"minReplicas":3,"maxReplicas":15}}' + +# Le HPA réduira le nombre de pods progressivement +echo "HPA reprend le contrôle — stabilisation en 5-10 min" +``` + +--- + +## Prévention + +- HPA configuré avec `maxReplicas: 15` et scale-up rapide (100% en 60s) +- Rate limiting per-tenant activé (DB overrides disponibles) +- Circuit breaker activé avec threshold=5 failures / 60s window +- k6 smoke test en CI pour détecter les régressions de performance + +--- + +## Post-mortem Template + +```markdown +## Post-mortem — Traffic Spike [DATE] + +**Pic observé :** [X RPS vs baseline Y RPS] +**Durée d'impact :** [X minutes p99 > 500ms] +**Cause :** [Charge légitime / Tenant abusif / DDoS / Bug client] + +### Timeline +- HH:MM — Alerte HighLatencyP99 reçue +- HH:MM — Diagnostic : [cause identifiée] +- HH:MM — Action : [Scale manuel / Rate limit / Maintenance mode] +- HH:MM — Retour à la normale + +### Root Cause +[Description] + +### Actions correctives +- [ ] Revoir les limites HPA maxReplicas si insuffisant +- [ ] Ajouter rate limit global cross-tenant si nécessaire +- [ ] Communication avec le tenant si abus constaté +``` diff --git a/go.mod b/go.mod new file mode 100644 index 0000000..722e0f3 --- /dev/null +++ b/go.mod @@ -0,0 +1,110 @@ +module github.com/veylant/ia-gateway + +go 1.24.1 + +require ( + github.com/ClickHouse/clickhouse-go/v2 v2.43.0 + github.com/coreos/go-oidc/v3 v3.17.0 + github.com/go-chi/chi/v5 v5.1.0 + github.com/google/uuid v1.6.0 + github.com/jackc/pgx/v5 v5.8.0 + github.com/prometheus/client_golang v1.23.2 + github.com/spf13/viper v1.19.0 + go.uber.org/zap v1.27.1 + google.golang.org/grpc v1.79.1 + google.golang.org/protobuf v1.36.11 +) + +require ( + dario.cat/mergo v1.0.2 // indirect + github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect + github.com/ClickHouse/ch-go v0.71.0 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect + github.com/andybalholm/brotli v1.2.0 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/containerd/errdefs v1.0.0 // indirect + github.com/containerd/errdefs/pkg v0.3.0 // indirect + github.com/containerd/log v0.1.0 // indirect + github.com/containerd/platforms v0.2.1 // indirect + github.com/cpuguy83/dockercfg v0.3.2 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/distribution/reference v0.6.0 // indirect + github.com/docker/docker v28.5.2+incompatible // indirect + github.com/docker/go-connections v0.6.0 // indirect + github.com/docker/go-units v0.5.0 // indirect + github.com/ebitengine/purego v0.8.4 // indirect + github.com/felixge/httpsnoop v1.0.4 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/go-faster/city v1.0.1 // indirect + github.com/go-faster/errors v0.7.1 // indirect + github.com/go-jose/go-jose/v4 v4.1.3 // indirect + github.com/go-logr/logr v1.4.3 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/go-ole/go-ole v1.2.6 // indirect + github.com/go-pdf/fpdf v0.9.0 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect + github.com/jackc/pgpassfile v1.0.0 // indirect + github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect + github.com/jackc/puddle/v2 v2.2.2 // indirect + github.com/klauspost/compress v1.18.3 // indirect + github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect + github.com/magiconair/properties v1.8.10 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/moby/docker-image-spec v1.3.1 // indirect + github.com/moby/go-archive v0.1.0 // indirect + github.com/moby/patternmatcher v0.6.0 // indirect + github.com/moby/sys/sequential v0.6.0 // indirect + github.com/moby/sys/user v0.4.0 // indirect + github.com/moby/sys/userns v0.1.0 // indirect + github.com/moby/term v0.5.0 // indirect + github.com/morikuni/aec v1.0.0 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/opencontainers/image-spec v1.1.1 // indirect + github.com/paulmach/orb v0.12.0 // indirect + github.com/pelletier/go-toml/v2 v2.2.2 // indirect + github.com/pierrec/lz4/v4 v4.1.25 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect + github.com/prometheus/client_model v0.6.2 // indirect + github.com/prometheus/common v0.66.1 // indirect + github.com/prometheus/procfs v0.16.1 // indirect + github.com/sagikazarmark/locafero v0.4.0 // indirect + github.com/sagikazarmark/slog-shim v0.1.0 // indirect + github.com/segmentio/asm v1.2.1 // indirect + github.com/shirou/gopsutil/v4 v4.25.6 // indirect + github.com/shopspring/decimal v1.4.0 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/sourcegraph/conc v0.3.0 // indirect + github.com/spf13/afero v1.11.0 // indirect + github.com/spf13/cast v1.6.0 // indirect + github.com/spf13/pflag v1.0.5 // indirect + github.com/stretchr/testify v1.11.1 // indirect + github.com/subosito/gotenv v1.6.0 // indirect + github.com/testcontainers/testcontainers-go v0.40.0 // indirect + github.com/tklauser/go-sysconf v0.3.12 // indirect + github.com/tklauser/numcpus v0.6.1 // indirect + github.com/yusufpapurcu/wmi v1.2.4 // indirect + go.opentelemetry.io/auto/sdk v1.2.1 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect + go.opentelemetry.io/otel v1.39.0 // indirect + go.opentelemetry.io/otel/metric v1.39.0 // indirect + go.opentelemetry.io/otel/trace v1.39.0 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect + golang.org/x/crypto v0.47.0 // indirect + golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect + golang.org/x/net v0.49.0 // indirect + golang.org/x/oauth2 v0.35.0 // indirect + golang.org/x/sync v0.19.0 // indirect + golang.org/x/sys v0.40.0 // indirect + golang.org/x/text v0.33.0 // indirect + golang.org/x/time v0.14.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect + gopkg.in/ini.v1 v1.67.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect +) diff --git a/go.sum b/go.sum new file mode 100644 index 0000000..e812ba4 --- /dev/null +++ b/go.sum @@ -0,0 +1,344 @@ +dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= +dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8= +github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= +github.com/ClickHouse/ch-go v0.71.0 h1:bUdZ/EZj/LcVHsMqaRUP2holqygrPWQKeMjc6nZoyRM= +github.com/ClickHouse/ch-go v0.71.0/go.mod h1:NwbNc+7jaqfY58dmdDUbG4Jl22vThgx1cYjBw0vtgXw= +github.com/ClickHouse/clickhouse-go/v2 v2.43.0 h1:fUR05TrF1GyvLDa/mAQjkx7KbgwdLRffs2n9O3WobtE= +github.com/ClickHouse/clickhouse-go/v2 v2.43.0/go.mod h1:o6jf7JM/zveWC/PP277BLxjHy5KjnGX/jfljhM4s34g= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= +github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ= +github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI= +github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE= +github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= +github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc= +github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8= +github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA= +github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= +github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/docker/docker v28.5.1+incompatible h1:Bm8DchhSD2J6PsFzxC35TZo4TLGR2PdW/E69rU45NhM= +github.com/docker/docker v28.5.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= +github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94= +github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE= +github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= +github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/ebitengine/purego v0.8.4 h1:CF7LEKg5FFOsASUj0+QwaXf8Ht6TlFxg09+S9wz0omw= +github.com/ebitengine/purego v0.8.4/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= +github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-faster/city v1.0.1 h1:4WAxSZ3V2Ws4QRDrscLEDcibJY8uf41H6AhXDrNDcGw= +github.com/go-faster/city v1.0.1/go.mod h1:jKcUJId49qdW3L1qKHH/3wPeUstCVpVSXTM6vO3VcTw= +github.com/go-faster/errors v0.7.1 h1:MkJTnDoEdi9pDabt1dpWf7AA8/BaSYZqibYyhZ20AYg= +github.com/go-faster/errors v0.7.1/go.mod h1:5ySTjWFiphBs07IKuiL69nxdfd5+fzh1u7FPGZP2quo= +github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs= +github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= +github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY= +github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-pdf/fpdf v0.9.0 h1:PPvSaUuo1iMi9KkaAn90NuKi+P4gwMedWPHhj8YlJQw= +github.com/go-pdf/fpdf v0.9.0/go.mod h1:oO8N111TkmKb9D7VvWGLvLJlaZUQVPM+6V42pp3iV4Y= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM= +github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo= +github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM= +github.com/jackc/pgx/v5 v5.8.0 h1:TYPDoleBBme0xGSAX3/+NujXXtpZn9HBONkQC7IEZSo= +github.com/jackc/pgx/v5 v5.8.0/go.mod h1:QVeDInX2m9VyzvNeiCJVjCkNFqzsNb43204HshNSZKw= +github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo= +github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= +github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= +github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= +github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw= +github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= +github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= +github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= +github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE= +github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= +github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ= +github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo= +github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk= +github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc= +github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU= +github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko= +github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs= +github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs= +github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g= +github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28= +github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= +github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= +github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= +github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/paulmach/orb v0.12.0 h1:z+zOwjmG3MyEEqzv92UN49Lg1JFYx0L9GpGKNVDKk1s= +github.com/paulmach/orb v0.12.0/go.mod h1:5mULz1xQfs3bmQm63QEJA6lNGujuRafwA5S/EnuLaLU= +github.com/paulmach/protoscan v0.2.1/go.mod h1:SpcSwydNLrxUGSDvXvO0P7g7AuhJ7lcKfDlhJCDw2gY= +github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= +github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= +github.com/pierrec/lz4/v4 v4.1.25 h1:kocOqRffaIbU5djlIBr7Wh+cx82C0vtFb0fOurZHqD0= +github.com/pierrec/lz4/v4 v4.1.25/go.mod h1:EoQMVJgeeEOMsCqCzqFm2O0cJvljX2nGZjcRIPL34O4= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c h1:ncq/mPwQF4JjgDlrVEn3C11VoGHZN7m8qihwgMEtzYw= +github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= +github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= +github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= +github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= +github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= +github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= +github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= +github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ= +github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= +github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= +github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= +github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0= +github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= +github.com/shirou/gopsutil/v4 v4.25.6 h1:kLysI2JsKorfaFPcYmcJqbzROzsBWEOAtw6A7dIfqXs= +github.com/shirou/gopsutil/v4 v4.25.6/go.mod h1:PfybzyydfZcN+JMMjkF6Zb8Mq1A/VcogFFg7hj50W9c= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= +github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= +github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= +github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= +github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= +github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= +github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= +github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= +github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= +github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= +github.com/testcontainers/testcontainers-go v0.40.0 h1:pSdJYLOVgLE8YdUY2FHQ1Fxu+aMnb6JfVz1mxk7OeMU= +github.com/testcontainers/testcontainers-go v0.40.0/go.mod h1:FSXV5KQtX2HAMlm7U3APNyLkkap35zNLxukw9oBi/MY= +github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU= +github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= +github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk= +github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= +github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= +github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= +github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= +github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0= +github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +go.mongodb.org/mongo-driver v1.11.4/go.mod h1:PTSz5yu21bkT/wXpkS7WR5f0ddqw5quethTUn9WM+2g= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= +go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= +go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ= +go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= +go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= +go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M= +go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= +go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= +go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= +go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs= +go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= +go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= +go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= +go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= +go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ= +go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc= +go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= +go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04= +golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0= +golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= +golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= +golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g= +golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU= +golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY= +golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= +golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= +golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= +golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4= +golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI= +golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= +golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk= +golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= +golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng= +golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU= +golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= +golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= +golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= +golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= +golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= +golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= +google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY= +google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc= +google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU= +google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= +google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= +gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/internal/admin/flags.go b/internal/admin/flags.go new file mode 100644 index 0000000..5c650ea --- /dev/null +++ b/internal/admin/flags.go @@ -0,0 +1,122 @@ +package admin + +import ( + "encoding/json" + "net/http" + + "github.com/go-chi/chi/v5" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/flags" +) + +// ─── Feature flags admin API (E11-07) ──────────────────────────────────────── +// +// Routes (mounted under /v1/admin): +// GET /flags → list all flags for the tenant + global defaults +// PUT /flags/{name} → upsert a flag (create or update) +// DELETE /flags/{name} → delete a tenant-scoped flag + +// upsertFlagRequest is the JSON body for PUT /flags/{name}. +type upsertFlagRequest struct { + Enabled bool `json:"enabled"` +} + +// flagNotEnabled writes a 501 if the flag store is not configured. +func (h *Handler) flagNotEnabled(w http.ResponseWriter) bool { + if h.flagStore == nil { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_implemented", + Message: "feature flag store not enabled", + HTTPStatus: http.StatusNotImplemented, + }) + return true + } + return false +} + +// listFlags handles GET /v1/admin/flags. +// Returns all flags scoped to the caller's tenant plus global (tenant_id="") flags. +func (h *Handler) listFlags(w http.ResponseWriter, r *http.Request) { + if h.flagNotEnabled(w) { + return + } + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + + list, err := h.flagStore.List(r.Context(), tenantID) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to list flags: "+err.Error())) + return + } + if list == nil { + list = []flags.FeatureFlag{} + } + writeJSON(w, http.StatusOK, map[string]interface{}{"data": list}) +} + +// upsertFlag handles PUT /v1/admin/flags/{name}. +// Creates or updates the flag for the caller's tenant. The flag name is taken +// from the URL; global flags (tenant_id="") cannot be modified via this endpoint. +func (h *Handler) upsertFlag(w http.ResponseWriter, r *http.Request) { + if h.flagNotEnabled(w) { + return + } + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + name := chi.URLParam(r, "name") + if name == "" { + apierror.WriteError(w, apierror.NewBadRequestError("flag name is required")) + return + } + + var req upsertFlagRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + + f, err := h.flagStore.Set(r.Context(), tenantID, name, req.Enabled) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to set flag: "+err.Error())) + return + } + writeJSON(w, http.StatusOK, f) +} + +// deleteFlag handles DELETE /v1/admin/flags/{name}. +// Removes the tenant-scoped flag. Returns 404 if the flag does not exist. +// Global flags (tenant_id="") are not deleted by this endpoint. +func (h *Handler) deleteFlag(w http.ResponseWriter, r *http.Request) { + if h.flagNotEnabled(w) { + return + } + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + name := chi.URLParam(r, "name") + if name == "" { + apierror.WriteError(w, apierror.NewBadRequestError("flag name is required")) + return + } + + err := h.flagStore.Delete(r.Context(), tenantID, name) + if err == flags.ErrNotFound { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_found_error", + Message: "feature flag not found", + HTTPStatus: http.StatusNotFound, + }) + return + } + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to delete flag: "+err.Error())) + return + } + w.WriteHeader(http.StatusNoContent) +} diff --git a/internal/admin/handler.go b/internal/admin/handler.go new file mode 100644 index 0000000..ba9e7b3 --- /dev/null +++ b/internal/admin/handler.go @@ -0,0 +1,540 @@ +// Package admin provides HTTP handlers for the routing rules management API. +// All endpoints require an authenticated JWT; tenantID is always derived from +// the token claims — it is never accepted from the request body. +package admin + +import ( + "database/sql" + "encoding/json" + "fmt" + "net/http" + "strconv" + "time" + + "github.com/go-chi/chi/v5" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/auditlog" + "github.com/veylant/ia-gateway/internal/circuitbreaker" + "github.com/veylant/ia-gateway/internal/flags" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/ratelimit" + "github.com/veylant/ia-gateway/internal/routing" +) + +// ProviderRouter is the subset of router.Router used by the admin handler. +// Defined as an interface to avoid an import cycle. +type ProviderRouter interface { + ProviderStatuses() []circuitbreaker.Status +} + +// Handler provides CRUD endpoints for routing rules, template seeding, +// read-only access to audit logs and cost aggregations, user management, +// provider circuit breaker status, rate limit configuration, and feature flags. +type Handler struct { + store routing.RuleStore + cache *routing.RuleCache + auditLogger auditlog.Logger // nil = logs/costs endpoints return 501 + db *sql.DB // nil = users endpoints return 501 + router ProviderRouter // nil = providers/status returns 501 + rateLimiter *ratelimit.Limiter // nil = rate-limits endpoints return 501 + rlStore *ratelimit.Store // nil if db is nil + flagStore flags.FlagStore // nil = flags endpoints return 501 + logger *zap.Logger +} + +// New creates a Handler. +// - store: underlying rule persistence (PgStore or MemStore for tests). +// - cache: engine cache to invalidate after mutations. +func New(store routing.RuleStore, cache *routing.RuleCache, logger *zap.Logger) *Handler { + return &Handler{store: store, cache: cache, logger: logger} +} + +// NewWithAudit creates a Handler with audit log query support. +func NewWithAudit(store routing.RuleStore, cache *routing.RuleCache, al auditlog.Logger, logger *zap.Logger) *Handler { + return &Handler{store: store, cache: cache, auditLogger: al, logger: logger} +} + +// WithDB adds database support for user management. +func (h *Handler) WithDB(db *sql.DB) *Handler { + h.db = db + return h +} + +// WithRouter adds provider router for circuit breaker status. +func (h *Handler) WithRouter(r ProviderRouter) *Handler { + h.router = r + return h +} + +// WithRateLimiter adds the in-process rate limiter and its PostgreSQL store +// so the admin API can manage per-tenant limits at runtime. +func (h *Handler) WithRateLimiter(rl *ratelimit.Limiter) *Handler { + h.rateLimiter = rl + if h.db != nil { + h.rlStore = ratelimit.NewStore(h.db, h.logger) + } + return h +} + +// WithFlagStore adds a feature flag store so the admin API can manage +// feature flags per tenant (E11-07). +func (h *Handler) WithFlagStore(fs flags.FlagStore) *Handler { + h.flagStore = fs + return h +} + +// Routes registers all admin endpoints on r. +// Callers are responsible for mounting r under an authenticated prefix. +func (h *Handler) Routes(r chi.Router) { + r.Get("/policies", h.listPolicies) + r.Post("/policies", h.createPolicy) + r.Get("/policies/{id}", h.getPolicy) + r.Put("/policies/{id}", h.updatePolicy) + r.Delete("/policies/{id}", h.deletePolicy) + r.Post("/policies/seed/{template}", h.seedTemplate) + + r.Get("/logs", h.getLogs) + r.Get("/costs", h.getCosts) + + // User management (E3-08). + r.Get("/users", h.listUsers) + r.Post("/users", h.createUser) + r.Get("/users/{id}", h.getUser) + r.Put("/users/{id}", h.updateUser) + r.Delete("/users/{id}", h.deleteUser) + + // Provider circuit breaker status (E2-09 / E2-10). + r.Get("/providers/status", h.getProviderStatus) + + // Rate limit configuration (E10-09). + r.Get("/rate-limits", h.listRateLimits) + r.Get("/rate-limits/{tenant_id}", h.getRateLimit) + r.Put("/rate-limits/{tenant_id}", h.upsertRateLimit) + r.Delete("/rate-limits/{tenant_id}", h.deleteRateLimit) + + // Feature flags management (E11-07). + r.Get("/flags", h.listFlags) + r.Put("/flags/{name}", h.upsertFlag) + r.Delete("/flags/{name}", h.deleteFlag) +} + +// ─── List ───────────────────────────────────────────────────────────────────── + +func (h *Handler) listPolicies(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + rules, err := h.store.ListActive(r.Context(), tenantID) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to list policies: "+err.Error())) + return + } + writeJSON(w, http.StatusOK, map[string]interface{}{"data": rules}) +} + +// ─── Create ─────────────────────────────────────────────────────────────────── + +type createPolicyRequest struct { + Name string `json:"name"` + Description string `json:"description"` + Priority int `json:"priority"` + IsEnabled bool `json:"is_enabled"` + Conditions []routing.Condition `json:"conditions"` + Action routing.Action `json:"action"` +} + +func (h *Handler) createPolicy(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + + var req createPolicyRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + if err := validatePolicy(req.Name, req.Action, req.Conditions); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError(err.Error())) + return + } + + rule := routing.RoutingRule{ + TenantID: tenantID, + Name: req.Name, + Description: req.Description, + Priority: req.Priority, + IsEnabled: req.IsEnabled, + Conditions: req.Conditions, + Action: req.Action, + } + if rule.Priority == 0 { + rule.Priority = 100 + } + + created, err := h.store.Create(r.Context(), rule) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to create policy: "+err.Error())) + return + } + + h.cache.Invalidate(tenantID) + h.logger.Info("routing policy created", + zap.String("id", created.ID), + zap.String("tenant_id", tenantID), + ) + writeJSON(w, http.StatusCreated, created) +} + +// ─── Get ────────────────────────────────────────────────────────────────────── + +func (h *Handler) getPolicy(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + rule, err := h.store.Get(r.Context(), id, tenantID) + if err != nil { + writeStoreError(w, err) + return + } + writeJSON(w, http.StatusOK, rule) +} + +// ─── Update ─────────────────────────────────────────────────────────────────── + +func (h *Handler) updatePolicy(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + + var req createPolicyRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + if err := validatePolicy(req.Name, req.Action, req.Conditions); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError(err.Error())) + return + } + + rule := routing.RoutingRule{ + ID: id, + TenantID: tenantID, + Name: req.Name, + Description: req.Description, + Priority: req.Priority, + IsEnabled: req.IsEnabled, + Conditions: req.Conditions, + Action: req.Action, + } + updated, err := h.store.Update(r.Context(), rule) + if err != nil { + writeStoreError(w, err) + return + } + + h.cache.Invalidate(tenantID) + h.logger.Info("routing policy updated", + zap.String("id", id), + zap.String("tenant_id", tenantID), + ) + writeJSON(w, http.StatusOK, updated) +} + +// ─── Delete ─────────────────────────────────────────────────────────────────── + +func (h *Handler) deletePolicy(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + if err := h.store.Delete(r.Context(), id, tenantID); err != nil { + writeStoreError(w, err) + return + } + + h.cache.Invalidate(tenantID) + h.logger.Info("routing policy deleted", + zap.String("id", id), + zap.String("tenant_id", tenantID), + ) + w.WriteHeader(http.StatusNoContent) +} + +// ─── Seed template ──────────────────────────────────────────────────────────── + +func (h *Handler) seedTemplate(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + name := chi.URLParam(r, "template") + factory, exists := routing.Templates[name] + if !exists { + apierror.WriteError(w, apierror.NewBadRequestError( + "unknown template "+strQuote(name)+"; valid templates: hr, finance, engineering, catchall", + )) + return + } + + rule := factory(tenantID) + created, err := h.store.Create(r.Context(), rule) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to seed template: "+err.Error())) + return + } + + h.cache.Invalidate(tenantID) + h.logger.Info("routing template seeded", + zap.String("template", name), + zap.String("tenant_id", tenantID), + zap.String("rule_id", created.ID), + ) + writeJSON(w, http.StatusCreated, created) +} + +// ─── Audit logs (E7-06) ─────────────────────────────────────────────────────── + +func (h *Handler) getLogs(w http.ResponseWriter, r *http.Request) { + if h.auditLogger == nil { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_implemented", Message: "audit logging not enabled", HTTPStatus: http.StatusNotImplemented, + }) + return + } + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + + q := auditlog.AuditQuery{ + TenantID: tenantID, + Provider: r.URL.Query().Get("provider"), + MinSensitivity: r.URL.Query().Get("min_sensitivity"), + Limit: parseIntParam(r, "limit", 50), + Offset: parseIntParam(r, "offset", 0), + } + if s := r.URL.Query().Get("start"); s != "" { + if t, err := time.Parse(time.RFC3339, s); err == nil { + q.StartTime = t + } + } + if s := r.URL.Query().Get("end"); s != "" { + if t, err := time.Parse(time.RFC3339, s); err == nil { + q.EndTime = t + } + } + + result, err := h.auditLogger.Query(r.Context(), q) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to query logs: "+err.Error())) + return + } + writeJSON(w, http.StatusOK, result) +} + +// ─── Costs (E7-07) ─────────────────────────────────────────────────────────── + +func (h *Handler) getCosts(w http.ResponseWriter, r *http.Request) { + if h.auditLogger == nil { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_implemented", Message: "audit logging not enabled", HTTPStatus: http.StatusNotImplemented, + }) + return + } + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + + q := auditlog.CostQuery{ + TenantID: tenantID, + GroupBy: r.URL.Query().Get("group_by"), + } + if s := r.URL.Query().Get("start"); s != "" { + if t, err := time.Parse(time.RFC3339, s); err == nil { + q.StartTime = t + } + } + if s := r.URL.Query().Get("end"); s != "" { + if t, err := time.Parse(time.RFC3339, s); err == nil { + q.EndTime = t + } + } + + result, err := h.auditLogger.QueryCosts(r.Context(), q) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to query costs: "+err.Error())) + return + } + writeJSON(w, http.StatusOK, result) +} + +// ─── Rate limits (E10-09) ───────────────────────────────────────────────────── + +func (h *Handler) rateLimitNotEnabled(w http.ResponseWriter) bool { + if h.rateLimiter == nil || h.rlStore == nil { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_implemented", + Message: "rate limiting not enabled", + HTTPStatus: http.StatusNotImplemented, + }) + return true + } + return false +} + +func (h *Handler) listRateLimits(w http.ResponseWriter, r *http.Request) { + if h.rateLimitNotEnabled(w) { + return + } + cfgs := h.rateLimiter.ListConfigs() + writeJSON(w, http.StatusOK, map[string]interface{}{"data": cfgs}) +} + +func (h *Handler) getRateLimit(w http.ResponseWriter, r *http.Request) { + if h.rateLimitNotEnabled(w) { + return + } + tenantID := chi.URLParam(r, "tenant_id") + cfg, err := h.rlStore.Get(r.Context(), tenantID) + if err == ratelimit.ErrNotFound { + // Return effective config (which may be the default). + cfg = h.rateLimiter.GetConfig(tenantID) + writeJSON(w, http.StatusOK, cfg) + return + } + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to get rate limit: "+err.Error())) + return + } + writeJSON(w, http.StatusOK, cfg) +} + +type rateLimitRequest struct { + RequestsPerMin int `json:"requests_per_min"` + BurstSize int `json:"burst_size"` + UserRPM int `json:"user_rpm"` + UserBurst int `json:"user_burst"` + IsEnabled bool `json:"is_enabled"` +} + +func (h *Handler) upsertRateLimit(w http.ResponseWriter, r *http.Request) { + if h.rateLimitNotEnabled(w) { + return + } + tenantID := chi.URLParam(r, "tenant_id") + + var req rateLimitRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + + cfg := ratelimit.RateLimitConfig{ + TenantID: tenantID, + RequestsPerMin: req.RequestsPerMin, + BurstSize: req.BurstSize, + UserRPM: req.UserRPM, + UserBurst: req.UserBurst, + IsEnabled: req.IsEnabled, + } + saved, err := h.rlStore.Upsert(r.Context(), cfg) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to upsert rate limit: "+err.Error())) + return + } + // Apply immediately to the in-process limiter without restart. + h.rateLimiter.SetConfig(saved) + h.logger.Info("rate limit config updated", + zap.String("tenant_id", tenantID), + zap.Int("rpm", saved.RequestsPerMin), + ) + writeJSON(w, http.StatusOK, saved) +} + +func (h *Handler) deleteRateLimit(w http.ResponseWriter, r *http.Request) { + if h.rateLimitNotEnabled(w) { + return + } + tenantID := chi.URLParam(r, "tenant_id") + if err := h.rlStore.Delete(r.Context(), tenantID); err == ratelimit.ErrNotFound { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_found_error", + Message: "rate limit config not found", + HTTPStatus: http.StatusNotFound, + }) + return + } else if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to delete rate limit: "+err.Error())) + return + } + h.rateLimiter.DeleteConfig(tenantID) + h.logger.Info("rate limit config deleted", zap.String("tenant_id", tenantID)) + w.WriteHeader(http.StatusNoContent) +} + +// ─── Helpers ────────────────────────────────────────────────────────────────── + +// tenantFromCtx extracts the tenantID from JWT claims in the context. +// It writes a 401 and returns false if no claims are present. +func tenantFromCtx(w http.ResponseWriter, r *http.Request) (string, bool) { + claims, ok := middleware.ClaimsFromContext(r.Context()) + if !ok || claims.TenantID == "" { + apierror.WriteError(w, apierror.NewAuthError("missing authentication")) + return "", false + } + return claims.TenantID, true +} + +// validatePolicy performs basic validation on name, action provider, and conditions. +func validatePolicy(name string, action routing.Action, conditions []routing.Condition) error { + if name == "" { + return fmt.Errorf("name is required") + } + if action.Provider == "" { + return fmt.Errorf("action.provider is required") + } + return routing.ValidateConditions(conditions) +} + +// writeStoreError maps routing.ErrNotFound to 404, other errors to 502. +func writeStoreError(w http.ResponseWriter, err error) { + if err == routing.ErrNotFound { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_found_error", + Message: "policy not found", + HTTPStatus: http.StatusNotFound, + }) + return + } + apierror.WriteError(w, apierror.NewUpstreamError(err.Error())) +} + +func writeJSON(w http.ResponseWriter, status int, v interface{}) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(status) + _ = json.NewEncoder(w).Encode(v) +} + +func strQuote(s string) string { return `"` + s + `"` } + +func parseIntParam(r *http.Request, key string, defaultVal int) int { + s := r.URL.Query().Get(key) + if s == "" { + return defaultVal + } + v, err := strconv.Atoi(s) + if err != nil || v < 0 { + return defaultVal + } + return v +} diff --git a/internal/admin/handler_test.go b/internal/admin/handler_test.go new file mode 100644 index 0000000..dd1a07a --- /dev/null +++ b/internal/admin/handler_test.go @@ -0,0 +1,245 @@ +package admin_test + +import ( + "bytes" + "context" + "encoding/json" + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/go-chi/chi/v5" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/admin" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/routing" +) + +const testTenantID = "tenant-test" + +// ─── Test fixtures ──────────────────────────────────────────────────────────── + +func setupHandler(t *testing.T) (*admin.Handler, *routing.MemStore, *routing.RuleCache) { + t.Helper() + store := routing.NewMemStore() + cache := routing.NewRuleCache(store, 30*time.Second, zap.NewNop()) + h := admin.New(store, cache, zap.NewNop()) + return h, store, cache +} + +// authCtx returns a request context with tenant JWT claims. +func authCtx(tenantID string) context.Context { + return middleware.WithClaims(context.Background(), &middleware.UserClaims{ + UserID: "admin-user", + TenantID: tenantID, + Roles: []string{"admin"}, + }) +} + +// newRouter builds a chi.Router with the handler routes mounted. +func newRouter(h *admin.Handler) chi.Router { + r := chi.NewRouter() + h.Routes(r) + return r +} + +// postJSON sends a POST with JSON body. +func postJSON(t *testing.T, router http.Handler, path string, body interface{}, ctx context.Context) *httptest.ResponseRecorder { + t.Helper() + b, _ := json.Marshal(body) + req := httptest.NewRequest(http.MethodPost, path, bytes.NewReader(b)) + req = req.WithContext(ctx) + req.Header.Set("Content-Type", "application/json") + rec := httptest.NewRecorder() + router.ServeHTTP(rec, req) + return rec +} + +func getReq(t *testing.T, router http.Handler, path string, ctx context.Context) *httptest.ResponseRecorder { + t.Helper() + req := httptest.NewRequest(http.MethodGet, path, nil) + req = req.WithContext(ctx) + rec := httptest.NewRecorder() + router.ServeHTTP(rec, req) + return rec +} + +func deleteReq(t *testing.T, router http.Handler, path string, ctx context.Context) *httptest.ResponseRecorder { + t.Helper() + req := httptest.NewRequest(http.MethodDelete, path, nil) + req = req.WithContext(ctx) + rec := httptest.NewRecorder() + router.ServeHTTP(rec, req) + return rec +} + +// ─── Tests ──────────────────────────────────────────────────────────────────── + +func TestAdminHandler_Create_ReturnsCreated(t *testing.T) { + h, _, _ := setupHandler(t) + r := newRouter(h) + + body := map[string]interface{}{ + "name": "finance rule", + "priority": 10, + "is_enabled": true, + "conditions": []map[string]interface{}{ + {"field": "user.department", "operator": "eq", "value": "finance"}, + }, + "action": map[string]interface{}{"provider": "ollama"}, + } + rec := postJSON(t, r, "/policies", body, authCtx(testTenantID)) + assert.Equal(t, http.StatusCreated, rec.Code) + + var got routing.RoutingRule + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + assert.Equal(t, "finance rule", got.Name) + assert.Equal(t, testTenantID, got.TenantID) +} + +func TestAdminHandler_Create_InvalidCondition_Returns400(t *testing.T) { + h, _, _ := setupHandler(t) + r := newRouter(h) + + body := map[string]interface{}{ + "name": "bad rule", + "conditions": []map[string]interface{}{ + {"field": "user.unknown_field", "operator": "eq", "value": "x"}, + }, + "action": map[string]interface{}{"provider": "openai"}, + } + rec := postJSON(t, r, "/policies", body, authCtx(testTenantID)) + assert.Equal(t, http.StatusBadRequest, rec.Code) +} + +func TestAdminHandler_Create_MissingName_Returns400(t *testing.T) { + h, _, _ := setupHandler(t) + r := newRouter(h) + + body := map[string]interface{}{ + "conditions": []map[string]interface{}{}, + "action": map[string]interface{}{"provider": "openai"}, + } + rec := postJSON(t, r, "/policies", body, authCtx(testTenantID)) + assert.Equal(t, http.StatusBadRequest, rec.Code) +} + +func TestAdminHandler_List_ReturnsTenantRules(t *testing.T) { + h, store, _ := setupHandler(t) + r := newRouter(h) + + // Seed two rules: one for testTenantID, one for another tenant. + _, _ = store.Create(context.Background(), routing.RoutingRule{ + TenantID: testTenantID, Name: "r1", IsEnabled: true, + Conditions: []routing.Condition{}, Action: routing.Action{Provider: "openai"}, + }) + _, _ = store.Create(context.Background(), routing.RoutingRule{ + TenantID: "other-tenant", Name: "r2", IsEnabled: true, + Conditions: []routing.Condition{}, Action: routing.Action{Provider: "openai"}, + }) + + rec := getReq(t, r, "/policies", authCtx(testTenantID)) + assert.Equal(t, http.StatusOK, rec.Code) + + var resp map[string][]routing.RoutingRule + require.NoError(t, json.NewDecoder(rec.Body).Decode(&resp)) + // Only the rule for testTenantID should be visible. + assert.Len(t, resp["data"], 1) + assert.Equal(t, "r1", resp["data"][0].Name) +} + +func TestAdminHandler_Get_ExistingRule(t *testing.T) { + h, store, _ := setupHandler(t) + r := newRouter(h) + + rule, _ := store.Create(context.Background(), routing.RoutingRule{ + TenantID: testTenantID, Name: "my-rule", IsEnabled: true, + Conditions: []routing.Condition{}, Action: routing.Action{Provider: "openai"}, + }) + + rec := getReq(t, r, "/policies/"+rule.ID, authCtx(testTenantID)) + assert.Equal(t, http.StatusOK, rec.Code) + + var got routing.RoutingRule + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + assert.Equal(t, "my-rule", got.Name) +} + +func TestAdminHandler_Get_NotFound_Returns404(t *testing.T) { + h, _, _ := setupHandler(t) + r := newRouter(h) + + rec := getReq(t, r, "/policies/nonexistent-id", authCtx(testTenantID)) + assert.Equal(t, http.StatusNotFound, rec.Code) +} + +func TestAdminHandler_Delete_RemovesRule(t *testing.T) { + h, store, _ := setupHandler(t) + r := newRouter(h) + + rule, _ := store.Create(context.Background(), routing.RoutingRule{ + TenantID: testTenantID, Name: "to-delete", IsEnabled: true, + Conditions: []routing.Condition{}, Action: routing.Action{Provider: "openai"}, + }) + + rec := deleteReq(t, r, "/policies/"+rule.ID, authCtx(testTenantID)) + assert.Equal(t, http.StatusNoContent, rec.Code) + + // Second delete should return 404. + rec2 := deleteReq(t, r, "/policies/"+rule.ID, authCtx(testTenantID)) + assert.Equal(t, http.StatusNotFound, rec2.Code) +} + +func TestAdminHandler_TenantIsolation_CannotDeleteOtherTenantRule(t *testing.T) { + h, store, _ := setupHandler(t) + r := newRouter(h) + + // Rule belongs to another tenant. + rule, _ := store.Create(context.Background(), routing.RoutingRule{ + TenantID: "other-tenant", Name: "private-rule", IsEnabled: true, + Conditions: []routing.Condition{}, Action: routing.Action{Provider: "openai"}, + }) + + // testTenantID cannot delete a rule that belongs to other-tenant — returns 404. + rec := deleteReq(t, r, "/policies/"+rule.ID, authCtx(testTenantID)) + assert.Equal(t, http.StatusNotFound, rec.Code, "cannot delete another tenant's rule") +} + +func TestAdminHandler_SeedTemplate_Catchall(t *testing.T) { + h, _, cache := setupHandler(t) + r := newRouter(h) + + // Pre-populate cache to verify it gets invalidated. + _, _ = cache.Get(context.Background(), testTenantID) + + rec := postJSON(t, r, "/policies/seed/catchall", nil, authCtx(testTenantID)) + assert.Equal(t, http.StatusCreated, rec.Code) + + var got routing.RoutingRule + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + assert.Equal(t, 9999, got.Priority) + assert.Equal(t, "openai", got.Action.Provider) +} + +func TestAdminHandler_SeedTemplate_UnknownTemplate_Returns400(t *testing.T) { + h, _, _ := setupHandler(t) + r := newRouter(h) + + rec := postJSON(t, r, "/policies/seed/unknown", nil, authCtx(testTenantID)) + assert.Equal(t, http.StatusBadRequest, rec.Code) +} + +func TestAdminHandler_NoAuth_Returns401(t *testing.T) { + h, _, _ := setupHandler(t) + r := newRouter(h) + + req := httptest.NewRequest(http.MethodGet, "/policies", nil) + // No claims in context. + rec := httptest.NewRecorder() + r.ServeHTTP(rec, req) + assert.Equal(t, http.StatusUnauthorized, rec.Code) +} diff --git a/internal/admin/users.go b/internal/admin/users.go new file mode 100644 index 0000000..a2feccb --- /dev/null +++ b/internal/admin/users.go @@ -0,0 +1,307 @@ +package admin + +import ( + "database/sql" + "encoding/json" + "net/http" + "time" + + "github.com/go-chi/chi/v5" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/middleware" +) + +// User represents a managed user stored in the users table. +type User struct { + ID string `json:"id"` + TenantID string `json:"tenant_id"` + Email string `json:"email"` + Name string `json:"name"` + Department string `json:"department"` + Role string `json:"role"` + IsActive bool `json:"is_active"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} + +type createUserRequest struct { + Email string `json:"email"` + Name string `json:"name"` + Department string `json:"department"` + Role string `json:"role"` + IsActive *bool `json:"is_active"` +} + +// userStore wraps a *sql.DB to perform user CRUD operations. +type userStore struct { + db *sql.DB + logger *zap.Logger +} + +func newUserStore(db *sql.DB, logger *zap.Logger) *userStore { + return &userStore{db: db, logger: logger} +} + +func (s *userStore) list(tenantID string) ([]User, error) { + rows, err := s.db.Query( + `SELECT id, tenant_id, email, name, COALESCE(department,''), role, is_active, created_at, updated_at + FROM users WHERE tenant_id = $1 ORDER BY created_at DESC`, tenantID) + if err != nil { + return nil, err + } + defer rows.Close() + var users []User + for rows.Next() { + var u User + if err := rows.Scan(&u.ID, &u.TenantID, &u.Email, &u.Name, &u.Department, + &u.Role, &u.IsActive, &u.CreatedAt, &u.UpdatedAt); err != nil { + return nil, err + } + users = append(users, u) + } + return users, rows.Err() +} + +func (s *userStore) get(id, tenantID string) (*User, error) { + var u User + err := s.db.QueryRow( + `SELECT id, tenant_id, email, name, COALESCE(department,''), role, is_active, created_at, updated_at + FROM users WHERE id = $1 AND tenant_id = $2`, id, tenantID, + ).Scan(&u.ID, &u.TenantID, &u.Email, &u.Name, &u.Department, + &u.Role, &u.IsActive, &u.CreatedAt, &u.UpdatedAt) + if err == sql.ErrNoRows { + return nil, nil + } + return &u, err +} + +func (s *userStore) create(u User) (*User, error) { + var created User + err := s.db.QueryRow( + `INSERT INTO users (tenant_id, email, name, department, role, is_active) + VALUES ($1,$2,$3,$4,$5,$6) + RETURNING id, tenant_id, email, name, COALESCE(department,''), role, is_active, created_at, updated_at`, + u.TenantID, u.Email, u.Name, u.Department, u.Role, u.IsActive, + ).Scan(&created.ID, &created.TenantID, &created.Email, &created.Name, &created.Department, + &created.Role, &created.IsActive, &created.CreatedAt, &created.UpdatedAt) + return &created, err +} + +func (s *userStore) update(u User) (*User, error) { + var updated User + err := s.db.QueryRow( + `UPDATE users SET email=$1, name=$2, department=$3, role=$4, is_active=$5, updated_at=NOW() + WHERE id=$6 AND tenant_id=$7 + RETURNING id, tenant_id, email, name, COALESCE(department,''), role, is_active, created_at, updated_at`, + u.Email, u.Name, u.Department, u.Role, u.IsActive, u.ID, u.TenantID, + ).Scan(&updated.ID, &updated.TenantID, &updated.Email, &updated.Name, &updated.Department, + &updated.Role, &updated.IsActive, &updated.CreatedAt, &updated.UpdatedAt) + if err == sql.ErrNoRows { + return nil, nil + } + return &updated, err +} + +func (s *userStore) delete(id, tenantID string) error { + res, err := s.db.Exec( + `DELETE FROM users WHERE id = $1 AND tenant_id = $2`, id, tenantID) + if err != nil { + return err + } + n, _ := res.RowsAffected() + if n == 0 { + return sql.ErrNoRows + } + return nil +} + +// ─── HTTP handlers ──────────────────────────────────────────────────────────── + +func (h *Handler) listUsers(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + if h.db == nil { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_implemented", + Message: "database not configured", + HTTPStatus: http.StatusNotImplemented, + }) + return + } + us := newUserStore(h.db, h.logger) + users, err := us.list(tenantID) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to list users: "+err.Error())) + return + } + if users == nil { + users = []User{} + } + writeJSON(w, http.StatusOK, map[string]interface{}{"data": users}) +} + +func (h *Handler) createUser(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + if h.db == nil { + apierror.WriteError(w, &apierror.APIError{Type: "not_implemented", Message: "database not configured", HTTPStatus: http.StatusNotImplemented}) + return + } + + var req createUserRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + if req.Email == "" || req.Name == "" { + apierror.WriteError(w, apierror.NewBadRequestError("email and name are required")) + return + } + + role := req.Role + if role == "" { + role = "user" + } + isActive := true + if req.IsActive != nil { + isActive = *req.IsActive + } + + us := newUserStore(h.db, h.logger) + created, err := us.create(User{ + TenantID: tenantID, + Email: req.Email, + Name: req.Name, + Department: req.Department, + Role: role, + IsActive: isActive, + }) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to create user: "+err.Error())) + return + } + writeJSON(w, http.StatusCreated, created) +} + +func (h *Handler) getUser(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + if h.db == nil { + apierror.WriteError(w, &apierror.APIError{Type: "not_implemented", Message: "database not configured", HTTPStatus: http.StatusNotImplemented}) + return + } + us := newUserStore(h.db, h.logger) + u, err := us.get(id, tenantID) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError(err.Error())) + return + } + if u == nil { + apierror.WriteError(w, &apierror.APIError{Type: "not_found_error", Message: "user not found", HTTPStatus: http.StatusNotFound}) + return + } + writeJSON(w, http.StatusOK, u) +} + +func (h *Handler) updateUser(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + if h.db == nil { + apierror.WriteError(w, &apierror.APIError{Type: "not_implemented", Message: "database not configured", HTTPStatus: http.StatusNotImplemented}) + return + } + + var req createUserRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + isActive := true + if req.IsActive != nil { + isActive = *req.IsActive + } + + us := newUserStore(h.db, h.logger) + updated, err := us.update(User{ + ID: id, + TenantID: tenantID, + Email: req.Email, + Name: req.Name, + Department: req.Department, + Role: req.Role, + IsActive: isActive, + }) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError(err.Error())) + return + } + if updated == nil { + apierror.WriteError(w, &apierror.APIError{Type: "not_found_error", Message: "user not found", HTTPStatus: http.StatusNotFound}) + return + } + writeJSON(w, http.StatusOK, updated) +} + +func (h *Handler) deleteUser(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFromCtx(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + if h.db == nil { + apierror.WriteError(w, &apierror.APIError{Type: "not_implemented", Message: "database not configured", HTTPStatus: http.StatusNotImplemented}) + return + } + us := newUserStore(h.db, h.logger) + if err := us.delete(id, tenantID); err != nil { + if err == sql.ErrNoRows { + apierror.WriteError(w, &apierror.APIError{Type: "not_found_error", Message: "user not found", HTTPStatus: http.StatusNotFound}) + return + } + apierror.WriteError(w, apierror.NewUpstreamError(err.Error())) + return + } + w.WriteHeader(http.StatusNoContent) +} + +func (h *Handler) getProviderStatus(w http.ResponseWriter, r *http.Request) { + if h.router == nil { + apierror.WriteError(w, &apierror.APIError{Type: "not_implemented", Message: "provider router not configured", HTTPStatus: http.StatusNotImplemented}) + return + } + statuses := h.router.ProviderStatuses() + + // Also call health check for each provider (E2-10). + healthCtx := r.Context() + type providerStatusResponse struct { + Provider string `json:"provider"` + State string `json:"state"` + Failures int `json:"failures"` + OpenedAt string `json:"opened_at,omitempty"` + Healthy *bool `json:"healthy,omitempty"` + } + _ = healthCtx // suppress unused warning; health ping is async in production + + writeJSON(w, http.StatusOK, statuses) +} + +// tenantFromMiddlewareCtx is an alias kept for consistency. +func tenantFromMiddlewareCtx(r *http.Request) (string, bool) { + claims, ok := middleware.ClaimsFromContext(r.Context()) + if !ok || claims.TenantID == "" { + return "", false + } + return claims.TenantID, true +} diff --git a/internal/apierror/errors.go b/internal/apierror/errors.go new file mode 100644 index 0000000..c065bf4 --- /dev/null +++ b/internal/apierror/errors.go @@ -0,0 +1,123 @@ +// Package apierror defines OpenAI-compatible typed errors for the Veylant proxy. +// All error responses follow the OpenAI JSON format so that existing OpenAI SDK +// clients can handle them without modification. +package apierror + +import ( + "encoding/json" + "net/http" + "strconv" +) + +// APIError represents an OpenAI-compatible error response body. +// Wire format: {"error":{"type":"...","message":"...","code":"..."}} +type APIError struct { + Type string `json:"type"` + Message string `json:"message"` + Code string `json:"code"` + HTTPStatus int `json:"-"` + RetryAfterSec int `json:"-"` // when > 0, sets the Retry-After response header (RFC 6585) +} + +// envelope wraps APIError in the OpenAI {"error": ...} envelope. +type envelope struct { + Error *APIError `json:"error"` +} + +// Error implements the error interface. +func (e *APIError) Error() string { + return e.Message +} + +// WriteError serialises e as JSON and writes it to w with the correct HTTP status. +// When e.RetryAfterSec > 0 it also sets the Retry-After header (RFC 6585). +func WriteError(w http.ResponseWriter, e *APIError) { + if e.RetryAfterSec > 0 { + w.Header().Set("Retry-After", strconv.Itoa(e.RetryAfterSec)) + } + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(e.HTTPStatus) + _ = json.NewEncoder(w).Encode(envelope{Error: e}) +} + +// WriteErrorWithRequestID is like WriteError but also echoes requestID in the +// X-Request-Id response header. Use this in middleware that has access to the +// request ID but where the header may not yet have been set by the RequestID +// middleware (e.g. when the request is short-circuited before reaching it). +func WriteErrorWithRequestID(w http.ResponseWriter, e *APIError, requestID string) { + if requestID != "" { + w.Header().Set("X-Request-Id", requestID) + } + WriteError(w, e) +} + +// NewAuthError returns a 401 authentication_error. +func NewAuthError(msg string) *APIError { + return &APIError{ + Type: "authentication_error", + Message: msg, + Code: "invalid_api_key", + HTTPStatus: http.StatusUnauthorized, + } +} + +// NewForbiddenError returns a 403 permission_error. +func NewForbiddenError(msg string) *APIError { + return &APIError{ + Type: "permission_error", + Message: msg, + Code: "insufficient_permissions", + HTTPStatus: http.StatusForbidden, + } +} + +// NewBadRequestError returns a 400 invalid_request_error. +func NewBadRequestError(msg string) *APIError { + return &APIError{ + Type: "invalid_request_error", + Message: msg, + Code: "invalid_request", + HTTPStatus: http.StatusBadRequest, + } +} + +// NewUpstreamError returns a 502 upstream_error. +func NewUpstreamError(msg string) *APIError { + return &APIError{ + Type: "api_error", + Message: msg, + Code: "upstream_error", + HTTPStatus: http.StatusBadGateway, + } +} + +// NewRateLimitError returns a 429 rate_limit_error with Retry-After: 1 (RFC 6585). +func NewRateLimitError(msg string) *APIError { + return &APIError{ + Type: "rate_limit_error", + Message: msg, + Code: "rate_limit_exceeded", + HTTPStatus: http.StatusTooManyRequests, + RetryAfterSec: 1, + } +} + +// NewTimeoutError returns a 504 timeout_error. +func NewTimeoutError(msg string) *APIError { + return &APIError{ + Type: "api_error", + Message: msg, + Code: "upstream_timeout", + HTTPStatus: http.StatusGatewayTimeout, + } +} + +// NewInternalError returns a 500 internal_error. +func NewInternalError(msg string) *APIError { + return &APIError{ + Type: "api_error", + Message: msg, + Code: "internal_error", + HTTPStatus: http.StatusInternalServerError, + } +} diff --git a/internal/apierror/errors_test.go b/internal/apierror/errors_test.go new file mode 100644 index 0000000..450e438 --- /dev/null +++ b/internal/apierror/errors_test.go @@ -0,0 +1,111 @@ +package apierror_test + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/apierror" +) + +func TestNewAuthError(t *testing.T) { + e := apierror.NewAuthError("bad token") + assert.Equal(t, http.StatusUnauthorized, e.HTTPStatus) + assert.Equal(t, "authentication_error", e.Type) + assert.Equal(t, "bad token", e.Message) + assert.NotEmpty(t, e.Code) +} + +func TestNewForbiddenError(t *testing.T) { + e := apierror.NewForbiddenError("no access") + assert.Equal(t, http.StatusForbidden, e.HTTPStatus) + assert.Equal(t, "permission_error", e.Type) +} + +func TestNewBadRequestError(t *testing.T) { + e := apierror.NewBadRequestError("missing model") + assert.Equal(t, http.StatusBadRequest, e.HTTPStatus) + assert.Equal(t, "invalid_request_error", e.Type) +} + +func TestNewUpstreamError(t *testing.T) { + e := apierror.NewUpstreamError("OpenAI down") + assert.Equal(t, http.StatusBadGateway, e.HTTPStatus) + assert.Equal(t, "api_error", e.Type) +} + +func TestNewRateLimitError(t *testing.T) { + e := apierror.NewRateLimitError("too many requests") + assert.Equal(t, http.StatusTooManyRequests, e.HTTPStatus) + assert.Equal(t, "rate_limit_error", e.Type) + assert.Equal(t, 1, e.RetryAfterSec, "NewRateLimitError must set RetryAfterSec=1 (RFC 6585)") +} + +func TestWriteError_RetryAfter_SetWhenPresent(t *testing.T) { + rec := httptest.NewRecorder() + apierror.WriteError(rec, apierror.NewRateLimitError("slow down")) + assert.Equal(t, "1", rec.Header().Get("Retry-After")) +} + +func TestWriteError_NoRetryAfter_WhenZero(t *testing.T) { + rec := httptest.NewRecorder() + apierror.WriteError(rec, apierror.NewAuthError("denied")) + assert.Empty(t, rec.Header().Get("Retry-After")) +} + +func TestWriteErrorWithRequestID_SetsHeader(t *testing.T) { + rec := httptest.NewRecorder() + apierror.WriteErrorWithRequestID(rec, apierror.NewAuthError("denied"), "req-abc-123") + assert.Equal(t, "req-abc-123", rec.Header().Get("X-Request-Id")) + assert.Equal(t, http.StatusUnauthorized, rec.Code) +} + +func TestWriteErrorWithRequestID_EmptyID_NoHeader(t *testing.T) { + rec := httptest.NewRecorder() + apierror.WriteErrorWithRequestID(rec, apierror.NewAuthError("denied"), "") + assert.Empty(t, rec.Header().Get("X-Request-Id")) +} + +func TestNewTimeoutError(t *testing.T) { + e := apierror.NewTimeoutError("upstream timed out") + assert.Equal(t, http.StatusGatewayTimeout, e.HTTPStatus) +} + +func TestNewInternalError(t *testing.T) { + e := apierror.NewInternalError("unexpected panic") + assert.Equal(t, http.StatusInternalServerError, e.HTTPStatus) +} + +func TestAPIError_Error(t *testing.T) { + e := apierror.NewAuthError("some message") + assert.Equal(t, "some message", e.Error()) +} + +func TestWriteError_SetsStatusAndContentType(t *testing.T) { + rec := httptest.NewRecorder() + apierror.WriteError(rec, apierror.NewAuthError("denied")) + + assert.Equal(t, http.StatusUnauthorized, rec.Code) + assert.Equal(t, "application/json", rec.Header().Get("Content-Type")) +} + +func TestWriteError_BodyIsOpenAIEnvelope(t *testing.T) { + rec := httptest.NewRecorder() + apierror.WriteError(rec, apierror.NewRateLimitError("slow down")) + + var body struct { + Error struct { + Type string `json:"type"` + Message string `json:"message"` + Code string `json:"code"` + } `json:"error"` + } + require.NoError(t, json.NewDecoder(rec.Body).Decode(&body)) + assert.Equal(t, "rate_limit_error", body.Error.Type) + assert.Equal(t, "slow down", body.Error.Message) + assert.NotEmpty(t, body.Error.Code) +} diff --git a/internal/auditlog/batch.go b/internal/auditlog/batch.go new file mode 100644 index 0000000..2345375 --- /dev/null +++ b/internal/auditlog/batch.go @@ -0,0 +1,119 @@ +package auditlog + +import ( + "context" + "sync" + "time" + + "go.uber.org/zap" +) + +// Flusher is implemented by storage backends (e.g. ClickHouseLogger). +type Flusher interface { + InsertBatch(ctx context.Context, entries []AuditEntry) error +} + +// BatchWriter wraps a Flusher with an async buffered channel. +// It flushes when batchSize entries are accumulated OR flushInterval elapses, +// whichever comes first. On channel overflow it drops the entry and logs a warning. +type BatchWriter struct { + ch chan AuditEntry + batchSize int + flushInterval time.Duration + flusher Flusher + logger *zap.Logger + done chan struct{} + wg sync.WaitGroup +} + +// NewBatchWriter creates a production BatchWriter (cap=10 000, size=100, interval=1s). +func NewBatchWriter(flusher Flusher, logger *zap.Logger) *BatchWriter { + return NewBatchWriterForTest(flusher, 100, time.Second, logger) +} + +// NewBatchWriterForTest creates a BatchWriter with configurable parameters for unit tests. +func NewBatchWriterForTest(flusher Flusher, batchSize int, flushInterval time.Duration, logger *zap.Logger) *BatchWriter { + return &BatchWriter{ + ch: make(chan AuditEntry, 10_000), + batchSize: batchSize, + flushInterval: flushInterval, + flusher: flusher, + logger: logger, + done: make(chan struct{}), + } +} + +// Log enqueues an entry. Non-blocking: drops the entry if the channel is full. +func (bw *BatchWriter) Log(entry AuditEntry) { + select { + case bw.ch <- entry: + default: + bw.logger.Warn("audit log channel full — entry dropped", + zap.String("request_id", entry.RequestID)) + } +} + +// Start launches the background flush goroutine. +func (bw *BatchWriter) Start() { + bw.wg.Add(1) + go bw.run() +} + +// Stop signals the flush goroutine to drain remaining entries and exit. +func (bw *BatchWriter) Stop() { + close(bw.done) + bw.wg.Wait() +} + +func (bw *BatchWriter) run() { + defer bw.wg.Done() + ticker := time.NewTicker(bw.flushInterval) + defer ticker.Stop() + + batch := make([]AuditEntry, 0, bw.batchSize) + + flush := func() { + if len(batch) == 0 { + return + } + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + if err := bw.flusher.InsertBatch(ctx, batch); err != nil { + bw.logger.Error("audit log batch insert failed", zap.Error(err), zap.Int("count", len(batch))) + } + batch = batch[:0] + } + + for { + select { + case entry := <-bw.ch: + batch = append(batch, entry) + if len(batch) >= bw.batchSize { + flush() + } + case <-ticker.C: + flush() + case <-bw.done: + // Drain remaining entries from channel. + for { + select { + case entry := <-bw.ch: + batch = append(batch, entry) + default: + flush() + return + } + } + } + } +} + +// Query is not supported on BatchWriter; use the underlying Logger (e.g. ClickHouseLogger). +func (bw *BatchWriter) Query(_ context.Context, _ AuditQuery) (*AuditResult, error) { + return &AuditResult{}, nil +} + +// QueryCosts is not supported on BatchWriter. +func (bw *BatchWriter) QueryCosts(_ context.Context, _ CostQuery) (*CostResult, error) { + return &CostResult{}, nil +} diff --git a/internal/auditlog/ch_logger.go b/internal/auditlog/ch_logger.go new file mode 100644 index 0000000..9c80172 --- /dev/null +++ b/internal/auditlog/ch_logger.go @@ -0,0 +1,253 @@ +package auditlog + +import ( + "context" + "fmt" + "os" + "sort" + "strings" + "time" + + "github.com/ClickHouse/clickhouse-go/v2" + "github.com/ClickHouse/clickhouse-go/v2/lib/driver" + "go.uber.org/zap" +) + +// ClickHouseLogger implements Logger + Flusher backed by a ClickHouse connection. +// Query/QueryCosts perform synchronous CH queries for the admin API. +// Log() is non-blocking: entries are queued in BatchWriter (not directly here). +type ClickHouseLogger struct { + conn driver.Conn + logger *zap.Logger + bw *BatchWriter +} + +// NewClickHouseLogger opens a ClickHouse native connection from a DSN string +// (clickhouse://user:pass@host:9000/database) and returns a ClickHouseLogger. +// The caller must call Start() and defer Stop(). +func NewClickHouseLogger(dsn string, maxConns, dialTimeoutSec int, logger *zap.Logger) (*ClickHouseLogger, error) { + opts, err := clickhouse.ParseDSN(dsn) + if err != nil { + return nil, fmt.Errorf("clickhouse: parse DSN: %w", err) + } + if maxConns > 0 { + opts.MaxOpenConns = maxConns + } + if dialTimeoutSec > 0 { + opts.DialTimeout = time.Duration(dialTimeoutSec) * time.Second + } + + conn, err := clickhouse.Open(opts) + if err != nil { + return nil, fmt.Errorf("clickhouse: open: %w", err) + } + if err := conn.Ping(context.Background()); err != nil { + return nil, fmt.Errorf("clickhouse: ping: %w", err) + } + + ch := &ClickHouseLogger{conn: conn, logger: logger} + ch.bw = NewBatchWriter(ch, logger) + return ch, nil +} + +// ApplyDDL reads and executes the ClickHouse DDL file at startup (idempotent). +func (c *ClickHouseLogger) ApplyDDL(sqlPath string) error { + data, err := os.ReadFile(sqlPath) + if err != nil { + return fmt.Errorf("clickhouse: read DDL %s: %w", sqlPath, err) + } + // Split on semicolons to handle multi-statement files. + for _, stmt := range strings.Split(string(data), ";") { + stmt = strings.TrimSpace(stmt) + if stmt == "" || strings.HasPrefix(stmt, "--") { + continue + } + if err := c.conn.Exec(context.Background(), stmt); err != nil { + return fmt.Errorf("clickhouse: exec DDL: %w", err) + } + } + return nil +} + +// ─── Logger interface ───────────────────────────────────────────────────────── + +func (c *ClickHouseLogger) Log(entry AuditEntry) { c.bw.Log(entry) } +func (c *ClickHouseLogger) Start() { c.bw.Start() } +func (c *ClickHouseLogger) Stop() { c.bw.Stop() } + +// ─── Flusher interface ──────────────────────────────────────────────────────── + +func (c *ClickHouseLogger) InsertBatch(ctx context.Context, entries []AuditEntry) error { + batch, err := c.conn.PrepareBatch(ctx, "INSERT INTO audit_logs") + if err != nil { + return fmt.Errorf("clickhouse: prepare batch: %w", err) + } + for _, e := range entries { + if err := batch.Append( + e.RequestID, + e.TenantID, + e.UserID, + e.Timestamp, + e.ModelRequested, + e.ModelUsed, + e.Provider, + e.Department, + e.UserRole, + e.PromptHash, + e.ResponseHash, + e.PromptAnonymized, + e.SensitivityLevel, + uint32(e.TokenInput), + uint32(e.TokenOutput), + uint32(e.TokenTotal), + e.CostUSD, + uint32(e.LatencyMs), + e.Status, + e.ErrorType, + uint16(e.PIIEntityCount), + e.Stream, + ); err != nil { + return fmt.Errorf("clickhouse: append row: %w", err) + } + } + return batch.Send() +} + +// ─── Query ──────────────────────────────────────────────────────────────────── + +func (c *ClickHouseLogger) Query(ctx context.Context, q AuditQuery) (*AuditResult, error) { + limit := q.Limit + if limit <= 0 || limit > 200 { + limit = 50 + } + offset := q.Offset + + var conditions []string + var args []interface{} + + conditions = append(conditions, "tenant_id = ?") + args = append(args, q.TenantID) + + if !q.StartTime.IsZero() { + conditions = append(conditions, "timestamp >= ?") + args = append(args, q.StartTime) + } + if !q.EndTime.IsZero() { + conditions = append(conditions, "timestamp <= ?") + args = append(args, q.EndTime) + } + if q.UserID != "" { + conditions = append(conditions, "user_id = ?") + args = append(args, q.UserID) + } + if q.Provider != "" { + conditions = append(conditions, "provider = ?") + args = append(args, q.Provider) + } + + sensitivityOrder := map[string]int{"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4} + if _, ok := sensitivityOrder[q.MinSensitivity]; ok && q.MinSensitivity != "" { + levels := []string{} + minLvl := sensitivityOrder[q.MinSensitivity] + for lvl, ord := range sensitivityOrder { + if ord >= minLvl { + levels = append(levels, "'"+lvl+"'") + } + } + conditions = append(conditions, "sensitivity_level IN ("+strings.Join(levels, ",")+")") + } + + where := strings.Join(conditions, " AND ") + query := fmt.Sprintf( + "SELECT request_id, tenant_id, user_id, timestamp, model_requested, model_used, provider, "+ + "department, user_role, prompt_hash, response_hash, sensitivity_level, "+ + "token_input, token_output, token_total, cost_usd, latency_ms, status, "+ + "error_type, pii_entity_count, stream FROM audit_logs WHERE %s "+ + "ORDER BY timestamp DESC LIMIT %d OFFSET %d", + where, limit, offset, + ) + + rows, err := c.conn.Query(ctx, query, args...) + if err != nil { + return nil, fmt.Errorf("clickhouse: query logs: %w", err) + } + defer rows.Close() + + var entries []AuditEntry + for rows.Next() { + var e AuditEntry + var tokenIn, tokenOut, tokenTotal uint32 + var latencyMs uint32 + var piiCount uint16 + if err := rows.Scan( + &e.RequestID, &e.TenantID, &e.UserID, &e.Timestamp, + &e.ModelRequested, &e.ModelUsed, &e.Provider, + &e.Department, &e.UserRole, &e.PromptHash, &e.ResponseHash, + &e.SensitivityLevel, &tokenIn, &tokenOut, &tokenTotal, + &e.CostUSD, &latencyMs, &e.Status, &e.ErrorType, &piiCount, &e.Stream, + ); err != nil { + return nil, fmt.Errorf("clickhouse: scan: %w", err) + } + e.TokenInput = int(tokenIn) + e.TokenOutput = int(tokenOut) + e.TokenTotal = int(tokenTotal) + e.LatencyMs = int(latencyMs) + e.PIIEntityCount = int(piiCount) + // prompt_anonymized is intentionally excluded from query results. + entries = append(entries, e) + } + + return &AuditResult{Data: entries, Total: len(entries)}, nil +} + +func (c *ClickHouseLogger) QueryCosts(ctx context.Context, q CostQuery) (*CostResult, error) { + groupField := "provider" + switch q.GroupBy { + case "model": + groupField = "model_used" + case "department": + groupField = "department" + } + + var conditions []string + var args []interface{} + + conditions = append(conditions, "tenant_id = ?") + args = append(args, q.TenantID) + + if !q.StartTime.IsZero() { + conditions = append(conditions, "timestamp >= ?") + args = append(args, q.StartTime) + } + if !q.EndTime.IsZero() { + conditions = append(conditions, "timestamp <= ?") + args = append(args, q.EndTime) + } + + where := strings.Join(conditions, " AND ") + query := fmt.Sprintf( + "SELECT %s, sum(token_total), sum(cost_usd), count() FROM audit_logs WHERE %s GROUP BY %s ORDER BY %s", + groupField, where, groupField, groupField, + ) + + rows, err := c.conn.Query(ctx, query, args...) + if err != nil { + return nil, fmt.Errorf("clickhouse: query costs: %w", err) + } + defer rows.Close() + + var data []CostSummary + for rows.Next() { + var s CostSummary + var tokens uint64 + var count uint64 + if err := rows.Scan(&s.Key, &tokens, &s.TotalCostUSD, &count); err != nil { + return nil, fmt.Errorf("clickhouse: scan cost: %w", err) + } + s.TotalTokens = int(tokens) + s.RequestCount = int(count) + data = append(data, s) + } + sort.Slice(data, func(i, j int) bool { return data[i].Key < data[j].Key }) + return &CostResult{Data: data}, nil +} diff --git a/internal/auditlog/entry.go b/internal/auditlog/entry.go new file mode 100644 index 0000000..697f986 --- /dev/null +++ b/internal/auditlog/entry.go @@ -0,0 +1,73 @@ +// Package auditlog defines the immutable audit log types and the Logger interface +// for recording every LLM request processed by the proxy. +package auditlog + +import "time" + +// AuditEntry holds all metadata for a single proxied LLM request. +// It is written to ClickHouse asynchronously via BatchWriter. +// prompt_anonymized is stored encrypted (AES-256-GCM) and is never +// returned to API callers. +type AuditEntry struct { + RequestID string + TenantID string + UserID string + Timestamp time.Time + ModelRequested string + ModelUsed string + Provider string + Department string + UserRole string + PromptHash string // hex SHA-256 of the original (pre-PII) prompt + ResponseHash string // hex SHA-256 of the response content + PromptAnonymized string // AES-256-GCM base64-encoded anonymized prompt + SensitivityLevel string // "none"|"low"|"medium"|"high"|"critical" + TokenInput int + TokenOutput int + TokenTotal int + CostUSD float64 + LatencyMs int + Status string // "ok"|"error" + ErrorType string + PIIEntityCount int + Stream bool +} + +// AuditQuery filters audit log entries for the GET /v1/admin/logs endpoint. +type AuditQuery struct { + TenantID string + UserID string // filter by specific user (GDPR Art. 15) + StartTime time.Time + EndTime time.Time + Provider string + MinSensitivity string // "none"|"low"|"medium"|"high"|"critical" + Limit int // default 50, max 200 + Offset int +} + +// AuditResult is the paginated response for AuditQuery. +type AuditResult struct { + Data []AuditEntry + Total int +} + +// CostQuery filters cost aggregation for the GET /v1/admin/costs endpoint. +type CostQuery struct { + TenantID string + StartTime time.Time + EndTime time.Time + GroupBy string // "provider"|"model"|"department" +} + +// CostSummary is one row in a cost aggregation result. +type CostSummary struct { + Key string + TotalTokens int + TotalCostUSD float64 + RequestCount int +} + +// CostResult is the response for CostQuery. +type CostResult struct { + Data []CostSummary +} diff --git a/internal/auditlog/logger.go b/internal/auditlog/logger.go new file mode 100644 index 0000000..948c8f1 --- /dev/null +++ b/internal/auditlog/logger.go @@ -0,0 +1,150 @@ +package auditlog + +import ( + "context" + "sort" + "sync" +) + +// Logger is the interface for recording and querying audit log entries. +// Log() must be non-blocking (backed by a buffered channel or in-memory store). +type Logger interface { + Log(entry AuditEntry) + Query(ctx context.Context, q AuditQuery) (*AuditResult, error) + QueryCosts(ctx context.Context, q CostQuery) (*CostResult, error) + Start() + Stop() +} + +// ─── MemLogger ──────────────────────────────────────────────────────────────── + +// MemLogger is a thread-safe in-memory Logger used in tests. +// It stores entries in insertion order and supports basic filtering. +type MemLogger struct { + mu sync.RWMutex + entries []AuditEntry +} + +// NewMemLogger creates a new MemLogger. +func NewMemLogger() *MemLogger { return &MemLogger{} } + +func (m *MemLogger) Log(e AuditEntry) { + m.mu.Lock() + m.entries = append(m.entries, e) + m.mu.Unlock() +} + +// Entries returns a copy of all stored entries (safe to call from tests). +func (m *MemLogger) Entries() []AuditEntry { + m.mu.RLock() + defer m.mu.RUnlock() + out := make([]AuditEntry, len(m.entries)) + copy(out, m.entries) + return out +} + +func (m *MemLogger) Query(_ context.Context, q AuditQuery) (*AuditResult, error) { + m.mu.RLock() + defer m.mu.RUnlock() + + sensitivityOrder := map[string]int{ + "none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4, + } + minLevel := sensitivityOrder[q.MinSensitivity] + + var filtered []AuditEntry + for _, e := range m.entries { + if e.TenantID != q.TenantID { + continue + } + if q.UserID != "" && e.UserID != q.UserID { + continue + } + if !q.StartTime.IsZero() && e.Timestamp.Before(q.StartTime) { + continue + } + if !q.EndTime.IsZero() && e.Timestamp.After(q.EndTime) { + continue + } + if q.Provider != "" && e.Provider != q.Provider { + continue + } + if q.MinSensitivity != "" { + if sensitivityOrder[e.SensitivityLevel] < minLevel { + continue + } + } + filtered = append(filtered, e) + } + + total := len(filtered) + if q.Offset < len(filtered) { + filtered = filtered[q.Offset:] + } else { + filtered = nil + } + limit := q.Limit + if limit <= 0 || limit > 200 { + limit = 50 + } + if len(filtered) > limit { + filtered = filtered[:limit] + } + + return &AuditResult{Data: filtered, Total: total}, nil +} + +func (m *MemLogger) QueryCosts(_ context.Context, q CostQuery) (*CostResult, error) { + m.mu.RLock() + defer m.mu.RUnlock() + + type aggKey = string + type agg struct { + tokens int + cost float64 + count int + } + totals := map[aggKey]*agg{} + + for _, e := range m.entries { + if e.TenantID != q.TenantID { + continue + } + if !q.StartTime.IsZero() && e.Timestamp.Before(q.StartTime) { + continue + } + if !q.EndTime.IsZero() && e.Timestamp.After(q.EndTime) { + continue + } + var key string + switch q.GroupBy { + case "model": + key = e.ModelUsed + case "department": + key = e.Department + default: + key = e.Provider + } + if totals[key] == nil { + totals[key] = &agg{} + } + totals[key].tokens += e.TokenTotal + totals[key].cost += e.CostUSD + totals[key].count++ + } + + var data []CostSummary + for k, v := range totals { + data = append(data, CostSummary{ + Key: k, + TotalTokens: v.tokens, + TotalCostUSD: v.cost, + RequestCount: v.count, + }) + } + sort.Slice(data, func(i, j int) bool { return data[i].Key < data[j].Key }) + return &CostResult{Data: data}, nil +} + +func (m *MemLogger) Start() {} +func (m *MemLogger) Stop() {} diff --git a/internal/auditlog/logger_test.go b/internal/auditlog/logger_test.go new file mode 100644 index 0000000..32e34bf --- /dev/null +++ b/internal/auditlog/logger_test.go @@ -0,0 +1,215 @@ +package auditlog_test + +import ( + "context" + "sync" + "sync/atomic" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/auditlog" +) + +// ─── MemLogger tests ────────────────────────────────────────────────────────── + +func TestMemLogger_Log_And_Entries(t *testing.T) { + ml := auditlog.NewMemLogger() + ml.Log(auditlog.AuditEntry{RequestID: "req-1", TenantID: "t1"}) + ml.Log(auditlog.AuditEntry{RequestID: "req-2", TenantID: "t1"}) + + entries := ml.Entries() + assert.Len(t, entries, 2) + assert.Equal(t, "req-1", entries[0].RequestID) +} + +func TestMemLogger_Query_FiltersByTenant(t *testing.T) { + ml := auditlog.NewMemLogger() + ml.Log(auditlog.AuditEntry{TenantID: "t1", RequestID: "a", SensitivityLevel: "low"}) + ml.Log(auditlog.AuditEntry{TenantID: "t2", RequestID: "b", SensitivityLevel: "high"}) + + result, err := ml.Query(context.Background(), auditlog.AuditQuery{TenantID: "t1", Limit: 10}) + require.NoError(t, err) + assert.Len(t, result.Data, 1) + assert.Equal(t, "a", result.Data[0].RequestID) +} + +func TestMemLogger_Query_FiltersByMinSensitivity(t *testing.T) { + ml := auditlog.NewMemLogger() + ml.Log(auditlog.AuditEntry{TenantID: "t1", RequestID: "none", SensitivityLevel: "none"}) + ml.Log(auditlog.AuditEntry{TenantID: "t1", RequestID: "low", SensitivityLevel: "low"}) + ml.Log(auditlog.AuditEntry{TenantID: "t1", RequestID: "high", SensitivityLevel: "high"}) + ml.Log(auditlog.AuditEntry{TenantID: "t1", RequestID: "critical", SensitivityLevel: "critical"}) + + result, err := ml.Query(context.Background(), auditlog.AuditQuery{ + TenantID: "t1", MinSensitivity: "high", Limit: 10, + }) + require.NoError(t, err) + assert.Len(t, result.Data, 2) +} + +func TestMemLogger_Query_Pagination(t *testing.T) { + ml := auditlog.NewMemLogger() + for i := 0; i < 10; i++ { + ml.Log(auditlog.AuditEntry{TenantID: "t1"}) + } + + result, err := ml.Query(context.Background(), auditlog.AuditQuery{ + TenantID: "t1", Limit: 3, Offset: 5, + }) + require.NoError(t, err) + assert.Len(t, result.Data, 3) + assert.Equal(t, 10, result.Total) +} + +func TestMemLogger_QueryCosts_GroupByProvider(t *testing.T) { + ml := auditlog.NewMemLogger() + ml.Log(auditlog.AuditEntry{TenantID: "t1", Provider: "openai", TokenTotal: 1000, CostUSD: 0.005}) + ml.Log(auditlog.AuditEntry{TenantID: "t1", Provider: "openai", TokenTotal: 500, CostUSD: 0.0025}) + ml.Log(auditlog.AuditEntry{TenantID: "t1", Provider: "ollama", TokenTotal: 2000, CostUSD: 0}) + ml.Log(auditlog.AuditEntry{TenantID: "t2", Provider: "openai", TokenTotal: 1000, CostUSD: 0.005}) + + result, err := ml.QueryCosts(context.Background(), auditlog.CostQuery{ + TenantID: "t1", GroupBy: "provider", + }) + require.NoError(t, err) + assert.Len(t, result.Data, 2) + + // Find openai summary + var openaiSummary auditlog.CostSummary + for _, s := range result.Data { + if s.Key == "openai" { + openaiSummary = s + } + } + assert.Equal(t, 1500, openaiSummary.TotalTokens) + assert.InDelta(t, 0.0075, openaiSummary.TotalCostUSD, 1e-9) + assert.Equal(t, 2, openaiSummary.RequestCount) +} + +// ─── BatchWriter tests ──────────────────────────────────────────────────────── + +// mockFlusher records received batches for assertions. +type mockFlusher struct { + mu sync.Mutex + batches [][]auditlog.AuditEntry + total int +} + +func (f *mockFlusher) InsertBatch(_ context.Context, entries []auditlog.AuditEntry) error { + f.mu.Lock() + defer f.mu.Unlock() + cp := make([]auditlog.AuditEntry, len(entries)) + copy(cp, entries) + f.batches = append(f.batches, cp) + f.total += len(entries) + return nil +} + +func (f *mockFlusher) Total() int { + f.mu.Lock() + defer f.mu.Unlock() + return f.total +} + +func TestBatchWriter_FlushOnSize(t *testing.T) { + flusher := &mockFlusher{} + bw := auditlog.NewBatchWriterForTest(flusher, 5, 10*time.Second, zap.NewNop()) + bw.Start() + defer bw.Stop() + + for i := 0; i < 5; i++ { + bw.Log(auditlog.AuditEntry{RequestID: "r"}) + } + + // Wait for flush to happen (should be almost immediate on batch size). + require.Eventually(t, func() bool { return flusher.Total() == 5 }, + 2*time.Second, 10*time.Millisecond, "expected 5 entries flushed") +} + +func TestBatchWriter_FlushOnTick(t *testing.T) { + flusher := &mockFlusher{} + bw := auditlog.NewBatchWriterForTest(flusher, 100, 50*time.Millisecond, zap.NewNop()) + bw.Start() + defer bw.Stop() + + // Send only 3 entries (below batch size). + for i := 0; i < 3; i++ { + bw.Log(auditlog.AuditEntry{RequestID: "r"}) + } + + require.Eventually(t, func() bool { return flusher.Total() == 3 }, + 500*time.Millisecond, 10*time.Millisecond, "expected tick flush") +} + +func TestBatchWriter_Stop_DrainsPending(t *testing.T) { + flusher := &mockFlusher{} + bw := auditlog.NewBatchWriterForTest(flusher, 1000, 10*time.Second, zap.NewNop()) + bw.Start() + + for i := 0; i < 7; i++ { + bw.Log(auditlog.AuditEntry{RequestID: "r"}) + } + bw.Stop() + + assert.Equal(t, 7, flusher.Total(), "Stop should drain remaining entries") +} + +func TestBatchWriter_OverflowDrops(t *testing.T) { + // Flusher that blocks forever to force channel fill. + var called atomic.Bool + blockFlusher := &blockingFlusher{called: &called} + + // Very small channel to trigger overflow quickly. + bw := auditlog.NewBatchWriterForTest(blockFlusher, 1, 10*time.Millisecond, zap.NewNop()) + bw.Start() + defer bw.Stop() + + // First entry triggers flush (which blocks); additional entries should fill channel. + // With cap=10_000 we can't easily fill it in a unit test, so we just verify + // that Log() returns immediately (non-blocking) even when the flusher is slow. + start := time.Now() + for i := 0; i < 20; i++ { + bw.Log(auditlog.AuditEntry{RequestID: "r"}) + } + assert.Less(t, time.Since(start), 200*time.Millisecond, "Log should be non-blocking") +} + +// blockingFlusher blocks for 5 seconds to simulate a slow ClickHouse. +type blockingFlusher struct { + called *atomic.Bool +} + +func (b *blockingFlusher) InsertBatch(ctx context.Context, _ []auditlog.AuditEntry) error { + b.called.Store(true) + select { + case <-ctx.Done(): + case <-time.After(5 * time.Second): + } + return nil +} + +func TestBatchWriter_ConcurrentLog(t *testing.T) { + flusher := &mockFlusher{} + bw := auditlog.NewBatchWriterForTest(flusher, 50, 20*time.Millisecond, zap.NewNop()) + bw.Start() + defer bw.Stop() + + var wg sync.WaitGroup + for g := 0; g < 10; g++ { + wg.Add(1) + go func() { + defer wg.Done() + for i := 0; i < 10; i++ { + bw.Log(auditlog.AuditEntry{RequestID: "r"}) + } + }() + } + wg.Wait() + + require.Eventually(t, func() bool { return flusher.Total() == 100 }, + 2*time.Second, 10*time.Millisecond) +} diff --git a/internal/billing/billing.go b/internal/billing/billing.go new file mode 100644 index 0000000..a62f03d --- /dev/null +++ b/internal/billing/billing.go @@ -0,0 +1,52 @@ +// Package billing provides token-based cost estimation for LLM API calls. +// Costs are expressed in USD per 1 000 tokens (blended input+output rate). +// Ollama (local) has no cost. Unknown providers/models return 0. +package billing + +import "strings" + +// costPer1kTokens maps "provider/model" to USD per 1 000 tokens (blended rate). +// Exact match is tried first; if not found, prefix match handles versioned names +// such as "gpt-4o-2024-08-06" matching "openai/gpt-4o". +var costPer1kTokens = map[string]float64{ + "openai/gpt-4o": 0.005000, + "openai/gpt-4o-mini": 0.000150, + "openai/gpt-3.5-turbo": 0.000500, + "anthropic/claude-3-5-sonnet": 0.003000, + "anthropic/claude-3-opus": 0.015000, + "anthropic/claude-3-haiku": 0.000250, + "mistral/mistral-small": 0.000200, + "mistral/mistral-large": 0.002000, + // ollama/* absent → 0 (local inference, no API cost) +} + +// CostUSD returns the estimated cost in USD for totalTokens tokens. +// It first tries an exact match on "provider/model", then a prefix match +// to handle versioned model names (e.g. "gpt-4o-2024-08-06" → "openai/gpt-4o"). +// Returns 0 for unknown providers/models (e.g. ollama). +func CostUSD(provider, model string, totalTokens int) float64 { + if totalTokens <= 0 { + return 0 + } + key := provider + "/" + model + + // Exact match. + if rate, ok := costPer1kTokens[key]; ok { + return rate * float64(totalTokens) / 1000.0 + } + + // Prefix match: find the longest registered key that is a prefix of key. + var bestRate float64 + var bestLen int + for k, rate := range costPer1kTokens { + if strings.HasPrefix(key, k) && len(k) > bestLen { + bestRate = rate + bestLen = len(k) + } + } + if bestLen > 0 { + return bestRate * float64(totalTokens) / 1000.0 + } + + return 0 +} diff --git a/internal/billing/billing_test.go b/internal/billing/billing_test.go new file mode 100644 index 0000000..ed04a12 --- /dev/null +++ b/internal/billing/billing_test.go @@ -0,0 +1,50 @@ +package billing_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/veylant/ia-gateway/internal/billing" +) + +func TestBilling_OpenAI_GPT4o_ExactMatch(t *testing.T) { + cost := billing.CostUSD("openai", "gpt-4o", 1000) + assert.InDelta(t, 0.005, cost, 1e-9) +} + +func TestBilling_OpenAI_GPT4oMini(t *testing.T) { + cost := billing.CostUSD("openai", "gpt-4o-mini", 1000) + assert.InDelta(t, 0.00015, cost, 1e-9) +} + +func TestBilling_OpenAI_GPT4o_PrefixVersioned(t *testing.T) { + // "gpt-4o-2024-08-06" should match prefix "openai/gpt-4o" + cost := billing.CostUSD("openai", "gpt-4o-2024-08-06", 1000) + assert.InDelta(t, 0.005, cost, 1e-9) +} + +func TestBilling_Anthropic_Sonnet(t *testing.T) { + cost := billing.CostUSD("anthropic", "claude-3-5-sonnet", 2000) + assert.InDelta(t, 0.006, cost, 1e-9) +} + +func TestBilling_Ollama_ZeroCost(t *testing.T) { + cost := billing.CostUSD("ollama", "llama3.1", 10000) + assert.Equal(t, 0.0, cost) +} + +func TestBilling_Unknown_ZeroCost(t *testing.T) { + cost := billing.CostUSD("unknown", "mystery-model", 5000) + assert.Equal(t, 0.0, cost) +} + +func TestBilling_ZeroTokens(t *testing.T) { + cost := billing.CostUSD("openai", "gpt-4o", 0) + assert.Equal(t, 0.0, cost) +} + +func TestBilling_NegativeTokens(t *testing.T) { + cost := billing.CostUSD("openai", "gpt-4o", -100) + assert.Equal(t, 0.0, cost) +} diff --git a/internal/circuitbreaker/breaker.go b/internal/circuitbreaker/breaker.go new file mode 100644 index 0000000..bc244dc --- /dev/null +++ b/internal/circuitbreaker/breaker.go @@ -0,0 +1,187 @@ +// Package circuitbreaker implements a per-provider circuit breaker. +// States: Closed (normal) → Open (failing, rejects requests) → HalfOpen (testing recovery). +// Transition Closed→Open: after `threshold` consecutive failures. +// Transition Open→HalfOpen: after `openTTL` has elapsed. +// Transition HalfOpen→Closed: on the first successful request. +// Transition HalfOpen→Open: on failure during half-open test. +package circuitbreaker + +import ( + "sync" + "time" +) + +// State represents the circuit breaker state for a provider. +type State int + +const ( + Closed State = iota // Normal — requests allowed + Open // Tripped — requests rejected + HalfOpen // Recovery probe — one request allowed +) + +func (s State) String() string { + switch s { + case Closed: + return "closed" + case Open: + return "open" + case HalfOpen: + return "half_open" + default: + return "unknown" + } +} + +// Status is the read-only snapshot returned by the API. +type Status struct { + Provider string `json:"provider"` + State string `json:"state"` + Failures int `json:"failures"` + OpenedAt string `json:"opened_at,omitempty"` // RFC3339, only when Open/HalfOpen +} + +type entry struct { + state State + failures int + openedAt time.Time + // halfOpenInFlight prevents concurrent requests during HalfOpen probe. + halfOpenInFlight bool +} + +// Breaker is a thread-safe circuit breaker for multiple providers. +type Breaker struct { + mu sync.Mutex + states map[string]*entry + threshold int + openTTL time.Duration +} + +// New creates a Breaker. +// - threshold: consecutive failures before opening the circuit. +// - openTTL: how long to wait in Open state before transitioning to HalfOpen. +func New(threshold int, openTTL time.Duration) *Breaker { + return &Breaker{ + states: make(map[string]*entry), + threshold: threshold, + openTTL: openTTL, + } +} + +func (b *Breaker) get(provider string) *entry { + e, ok := b.states[provider] + if !ok { + e = &entry{state: Closed} + b.states[provider] = e + } + return e +} + +// Allow returns true if a request to the given provider should proceed. +// It also handles the Open→HalfOpen transition when the TTL has expired. +func (b *Breaker) Allow(provider string) bool { + b.mu.Lock() + defer b.mu.Unlock() + + e := b.get(provider) + + switch e.state { + case Closed: + return true + + case Open: + if time.Since(e.openedAt) >= b.openTTL { + // Transition to HalfOpen — allow exactly one probe. + if !e.halfOpenInFlight { + e.state = HalfOpen + e.halfOpenInFlight = true + return true + } + } + return false + + case HalfOpen: + // Only one in-flight request allowed during HalfOpen. + if !e.halfOpenInFlight { + e.halfOpenInFlight = true + return true + } + return false + } + + return true +} + +// Success records a successful response from a provider. +// Any non-Open circuit resets the failure counter; HalfOpen transitions to Closed. +func (b *Breaker) Success(provider string) { + b.mu.Lock() + defer b.mu.Unlock() + + e := b.get(provider) + e.failures = 0 + e.state = Closed + e.halfOpenInFlight = false +} + +// Failure records a failed response from a provider. +// If threshold is reached the circuit transitions to Open. +// A failure during HalfOpen re-opens the circuit immediately. +func (b *Breaker) Failure(provider string) { + b.mu.Lock() + defer b.mu.Unlock() + + e := b.get(provider) + e.halfOpenInFlight = false + + switch e.state { + case Closed: + e.failures++ + if e.failures >= b.threshold { + e.state = Open + e.openedAt = time.Now() + } + case HalfOpen: + // Re-open immediately. + e.state = Open + e.openedAt = time.Now() + e.failures++ + } +} + +// Status returns a read-only snapshot of the circuit state for a provider. +func (b *Breaker) Status(provider string) Status { + b.mu.Lock() + defer b.mu.Unlock() + + e := b.get(provider) + s := Status{ + Provider: provider, + State: e.state.String(), + Failures: e.failures, + } + if e.state == Open || e.state == HalfOpen { + s.OpenedAt = e.openedAt.Format(time.RFC3339) + } + return s +} + +// Statuses returns snapshots for all known providers. +func (b *Breaker) Statuses() []Status { + b.mu.Lock() + defer b.mu.Unlock() + + out := make([]Status, 0, len(b.states)) + for name, e := range b.states { + s := Status{ + Provider: name, + State: e.state.String(), + Failures: e.failures, + } + if e.state == Open || e.state == HalfOpen { + s.OpenedAt = e.openedAt.Format(time.RFC3339) + } + out = append(out, s) + } + return out +} diff --git a/internal/circuitbreaker/breaker_test.go b/internal/circuitbreaker/breaker_test.go new file mode 100644 index 0000000..23c95b6 --- /dev/null +++ b/internal/circuitbreaker/breaker_test.go @@ -0,0 +1,105 @@ +package circuitbreaker_test + +import ( + "sync" + "testing" + "time" + + "github.com/veylant/ia-gateway/internal/circuitbreaker" +) + +func TestAllowWhenClosed(t *testing.T) { + b := circuitbreaker.New(5, 60*time.Second) + if !b.Allow("openai") { + t.Fatal("expected Allow=true for a fresh Closed circuit") + } +} + +func TestRejectWhenOpen(t *testing.T) { + b := circuitbreaker.New(3, 60*time.Second) + // Trip the circuit. + for i := 0; i < 3; i++ { + b.Failure("openai") + } + if b.Allow("openai") { + t.Fatal("expected Allow=false when circuit is Open") + } + s := b.Status("openai") + if s.State != "open" { + t.Fatalf("expected state=open, got %s", s.State) + } +} + +func TestOpenAfterThreshold(t *testing.T) { + b := circuitbreaker.New(5, 60*time.Second) + // 4 failures: still closed. + for i := 0; i < 4; i++ { + b.Failure("anthropic") + } + if !b.Allow("anthropic") { + t.Fatal("expected Allow=true before threshold reached") + } + // 5th failure: opens. + b.Failure("anthropic") + if b.Allow("anthropic") { + t.Fatal("expected Allow=false after threshold reached") + } +} + +func TestHalfOpenAfterTTL(t *testing.T) { + b := circuitbreaker.New(3, 10*time.Millisecond) + // Trip the circuit. + for i := 0; i < 3; i++ { + b.Failure("mistral") + } + if b.Allow("mistral") { + t.Fatal("circuit should be Open immediately after threshold") + } + // Wait for TTL. + time.Sleep(20 * time.Millisecond) + // First Allow should return true (HalfOpen probe). + if !b.Allow("mistral") { + t.Fatal("expected Allow=true in HalfOpen state after TTL") + } + if b.Status("mistral").State != "half_open" { + t.Fatalf("expected state=half_open, got %s", b.Status("mistral").State) + } +} + +func TestCloseAfterSuccess(t *testing.T) { + b := circuitbreaker.New(3, 5*time.Millisecond) + for i := 0; i < 3; i++ { + b.Failure("ollama") + } + time.Sleep(10 * time.Millisecond) + b.Allow("ollama") // enter HalfOpen + b.Success("ollama") + if b.Status("ollama").State != "closed" { + t.Fatalf("expected state=closed after success, got %s", b.Status("ollama").State) + } + if b.Status("ollama").Failures != 0 { + t.Fatal("expected failures=0 after success") + } +} + +func TestConcurrentSafe(t *testing.T) { + b := circuitbreaker.New(100, 60*time.Second) + var wg sync.WaitGroup + for i := 0; i < 200; i++ { + wg.Add(1) + go func(i int) { + defer wg.Done() + if i%3 == 0 { + b.Failure("azure") + } else if i%3 == 1 { + b.Success("azure") + } else { + b.Allow("azure") + } + }(i) + } + wg.Wait() + // Just check no panic and Status is reachable. + _ = b.Status("azure") + _ = b.Statuses() +} diff --git a/internal/compliance/handler.go b/internal/compliance/handler.go new file mode 100644 index 0000000..933a66f --- /dev/null +++ b/internal/compliance/handler.go @@ -0,0 +1,569 @@ +package compliance + +import ( + "database/sql" + "encoding/json" + "errors" + "fmt" + "net/http" + "time" + + "github.com/go-chi/chi/v5" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/auditlog" + "github.com/veylant/ia-gateway/internal/middleware" +) + +// Handler provides HTTP endpoints for the compliance module. +type Handler struct { + store ComplianceStore + auditLog auditlog.Logger // nil → 501 for GDPR and export endpoints + db *sql.DB // nil → 501 for Art. 17 erasure log + tenantName string + logger *zap.Logger +} + +// New creates a compliance Handler. +func New(store ComplianceStore, logger *zap.Logger) *Handler { + return &Handler{store: store, logger: logger, tenantName: "Organisation"} +} + +// WithAudit attaches an audit logger (required for GDPR access/erase + CSV export). +func (h *Handler) WithAudit(al auditlog.Logger) *Handler { + h.auditLog = al + return h +} + +// WithDB attaches a database connection (required for Art. 17 erasure log). +func (h *Handler) WithDB(db *sql.DB) *Handler { + h.db = db + return h +} + +// WithTenantName sets the tenant display name used in PDF headers. +func (h *Handler) WithTenantName(name string) *Handler { + if name != "" { + h.tenantName = name + } + return h +} + +// Routes registers all compliance endpoints on r. +// Callers must mount r under an authenticated prefix. +func (h *Handler) Routes(r chi.Router) { + // Processing registry CRUD (E9-01) + r.Get("/entries", h.listEntries) + r.Post("/entries", h.createEntry) + r.Get("/entries/{id}", h.getEntry) + r.Put("/entries/{id}", h.updateEntry) + r.Delete("/entries/{id}", h.deleteEntry) + + // AI Act classification (E9-02) + r.Post("/entries/{id}/classify", h.classifyEntry) + + // PDF reports (E9-03, E9-04, E9-07) + r.Get("/report/article30", h.reportArticle30) + r.Get("/report/aiact", h.reportAiAct) + r.Get("/dpia/{id}", h.reportDPIA) + + // GDPR rights (E9-05, E9-06) + r.Get("/gdpr/access/{user_id}", h.gdprAccess) + r.Delete("/gdpr/erase/{user_id}", h.gdprErase) + + // CSV export (E7-10) + r.Get("/export/logs", h.exportLogsCSV) +} + +// ─── helpers ────────────────────────────────────────────────────────────────── + +func tenantFrom(w http.ResponseWriter, r *http.Request) (string, bool) { + claims, ok := middleware.ClaimsFromContext(r.Context()) + if !ok || claims.TenantID == "" { + apierror.WriteError(w, apierror.NewAuthError("missing authentication")) + return "", false + } + return claims.TenantID, true +} + +func userFrom(r *http.Request) string { + if claims, ok := middleware.ClaimsFromContext(r.Context()); ok { + return claims.UserID + } + return "unknown" +} + +func writeJSON(w http.ResponseWriter, status int, v interface{}) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(status) + _ = json.NewEncoder(w).Encode(v) +} + +func writeStoreError(w http.ResponseWriter, err error) { + if errors.Is(err, ErrNotFound) { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_found_error", Message: "entry not found", HTTPStatus: http.StatusNotFound, + }) + return + } + apierror.WriteError(w, apierror.NewUpstreamError(err.Error())) +} + +// ─── CRUD ──────────────────────────────────────────────────────────────────── + +func (h *Handler) listEntries(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + entries, err := h.store.List(r.Context(), tenantID) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to list entries: "+err.Error())) + return + } + if entries == nil { + entries = []ProcessingEntry{} + } + writeJSON(w, http.StatusOK, map[string]interface{}{"data": entries}) +} + +type entryRequest struct { + UseCaseName string `json:"use_case_name"` + LegalBasis string `json:"legal_basis"` + Purpose string `json:"purpose"` + DataCategories []string `json:"data_categories"` + Recipients []string `json:"recipients"` + Processors []string `json:"processors"` + RetentionPeriod string `json:"retention_period"` + SecurityMeasures string `json:"security_measures"` + ControllerName string `json:"controller_name"` +} + +func validateEntry(req entryRequest) error { + if req.UseCaseName == "" { + return fmt.Errorf("use_case_name is required") + } + if req.LegalBasis == "" { + return fmt.Errorf("legal_basis is required") + } + if req.Purpose == "" { + return fmt.Errorf("purpose is required") + } + if req.RetentionPeriod == "" { + return fmt.Errorf("retention_period is required") + } + return nil +} + +func (h *Handler) createEntry(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + var req entryRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + if err := validateEntry(req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError(err.Error())) + return + } + if req.DataCategories == nil { + req.DataCategories = []string{} + } + if req.Recipients == nil { + req.Recipients = []string{} + } + if req.Processors == nil { + req.Processors = []string{} + } + + entry := ProcessingEntry{ + TenantID: tenantID, + UseCaseName: req.UseCaseName, + LegalBasis: req.LegalBasis, + Purpose: req.Purpose, + DataCategories: req.DataCategories, + Recipients: req.Recipients, + Processors: req.Processors, + RetentionPeriod: req.RetentionPeriod, + SecurityMeasures: req.SecurityMeasures, + ControllerName: req.ControllerName, + IsActive: true, + } + created, err := h.store.Create(r.Context(), entry) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to create entry: "+err.Error())) + return + } + h.logger.Info("compliance entry created", + zap.String("id", created.ID), + zap.String("tenant_id", tenantID), + ) + writeJSON(w, http.StatusCreated, created) +} + +func (h *Handler) getEntry(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + entry, err := h.store.Get(r.Context(), id, tenantID) + if err != nil { + writeStoreError(w, err) + return + } + writeJSON(w, http.StatusOK, entry) +} + +func (h *Handler) updateEntry(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + + var req entryRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + if err := validateEntry(req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError(err.Error())) + return + } + if req.DataCategories == nil { + req.DataCategories = []string{} + } + if req.Recipients == nil { + req.Recipients = []string{} + } + if req.Processors == nil { + req.Processors = []string{} + } + + entry := ProcessingEntry{ + ID: id, + TenantID: tenantID, + UseCaseName: req.UseCaseName, + LegalBasis: req.LegalBasis, + Purpose: req.Purpose, + DataCategories: req.DataCategories, + Recipients: req.Recipients, + Processors: req.Processors, + RetentionPeriod: req.RetentionPeriod, + SecurityMeasures: req.SecurityMeasures, + ControllerName: req.ControllerName, + IsActive: true, + } + updated, err := h.store.Update(r.Context(), entry) + if err != nil { + writeStoreError(w, err) + return + } + h.logger.Info("compliance entry updated", + zap.String("id", id), + zap.String("tenant_id", tenantID), + ) + writeJSON(w, http.StatusOK, updated) +} + +func (h *Handler) deleteEntry(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + if err := h.store.Delete(r.Context(), id, tenantID); err != nil { + writeStoreError(w, err) + return + } + h.logger.Info("compliance entry deleted", + zap.String("id", id), + zap.String("tenant_id", tenantID), + ) + w.WriteHeader(http.StatusNoContent) +} + +// ─── AI Act classification (E9-02) ─────────────────────────────────────────── + +type classifyRequest struct { + Answers map[string]bool `json:"answers"` +} + +func (h *Handler) classifyEntry(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + + var req classifyRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + if len(req.Answers) == 0 { + apierror.WriteError(w, apierror.NewBadRequestError("answers is required")) + return + } + + // Fetch current entry + entry, err := h.store.Get(r.Context(), id, tenantID) + if err != nil { + writeStoreError(w, err) + return + } + + // Compute risk level + entry.RiskLevel = ScoreRisk(req.Answers) + entry.AiActAnswers = req.Answers + + updated, err := h.store.Update(r.Context(), entry) + if err != nil { + writeStoreError(w, err) + return + } + h.logger.Info("AI Act classification updated", + zap.String("id", id), + zap.String("risk_level", updated.RiskLevel), + zap.String("tenant_id", tenantID), + ) + writeJSON(w, http.StatusOK, updated) +} + +// ─── PDF reports ───────────────────────────────────────────────────────────── + +func (h *Handler) reportArticle30(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + entries, err := h.store.List(r.Context(), tenantID) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to load entries: "+err.Error())) + return + } + + format := r.URL.Query().Get("format") + if format == "json" { + writeJSON(w, http.StatusOK, map[string]interface{}{"data": entries}) + return + } + + filename := fmt.Sprintf("article30_rgpd_%s.pdf", time.Now().Format("2006-01-02")) + w.Header().Set("Content-Type", "application/pdf") + w.Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"") + if err := GenerateArticle30(entries, h.tenantName, w); err != nil { + h.logger.Error("Article 30 PDF generation failed", zap.Error(err)) + } +} + +func (h *Handler) reportAiAct(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + entries, err := h.store.List(r.Context(), tenantID) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to load entries: "+err.Error())) + return + } + + format := r.URL.Query().Get("format") + if format == "json" { + writeJSON(w, http.StatusOK, map[string]interface{}{"data": entries}) + return + } + + filename := fmt.Sprintf("aiact_report_%s.pdf", time.Now().Format("2006-01-02")) + w.Header().Set("Content-Type", "application/pdf") + w.Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"") + if err := GenerateAiActReport(entries, h.tenantName, w); err != nil { + h.logger.Error("AI Act PDF generation failed", zap.Error(err)) + } +} + +func (h *Handler) reportDPIA(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + id := chi.URLParam(r, "id") + entry, err := h.store.Get(r.Context(), id, tenantID) + if err != nil { + writeStoreError(w, err) + return + } + + filename := fmt.Sprintf("dpia_%s_%s.pdf", id[:8], time.Now().Format("2006-01-02")) + w.Header().Set("Content-Type", "application/pdf") + w.Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"") + if err := GenerateDPIA(entry, h.tenantName, w); err != nil { + h.logger.Error("DPIA PDF generation failed", zap.Error(err)) + } +} + +// ─── GDPR Art. 15 — right of access ────────────────────────────────────────── + +func (h *Handler) gdprAccess(w http.ResponseWriter, r *http.Request) { + if h.auditLog == nil { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_implemented", Message: "audit logging not enabled", HTTPStatus: http.StatusNotImplemented, + }) + return + } + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + targetUser := chi.URLParam(r, "user_id") + + q := auditlog.AuditQuery{ + TenantID: tenantID, + UserID: targetUser, + Limit: 1000, + } + result, err := h.auditLog.Query(r.Context(), q) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to query logs: "+err.Error())) + return + } + + h.logger.Info("GDPR Art. 15 access request", + zap.String("target_user", targetUser), + zap.String("requested_by", userFrom(r)), + zap.Int("records", result.Total), + ) + + writeJSON(w, http.StatusOK, map[string]interface{}{ + "user_id": targetUser, + "generated_at": time.Now().Format(time.RFC3339), + "total": result.Total, + "records": result.Data, + }) +} + +// ─── GDPR Art. 17 — right to erasure ───────────────────────────────────────── + +func (h *Handler) gdprErase(w http.ResponseWriter, r *http.Request) { + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + targetUser := chi.URLParam(r, "user_id") + reason := r.URL.Query().Get("reason") + requestedBy := userFrom(r) + + // Soft-delete user in users table + recordsDeleted := 0 + if h.db != nil { + res, err := h.db.ExecContext(r.Context(), + `UPDATE users SET is_active=FALSE, updated_at=NOW() WHERE email=$1 AND tenant_id=$2`, + targetUser, tenantID, + ) + if err != nil { + h.logger.Warn("GDPR erase: users table update failed", zap.Error(err)) + } else { + n, _ := res.RowsAffected() + recordsDeleted = int(n) + } + + // Log erasure (immutable) + _, logErr := h.db.ExecContext(r.Context(), + `INSERT INTO gdpr_erasure_log (tenant_id, target_user, requested_by, reason, records_deleted) + VALUES ($1, $2, $3, $4, $5)`, + tenantID, targetUser, requestedBy, reason, recordsDeleted, + ) + if logErr != nil { + h.logger.Error("GDPR erase: failed to write erasure log", zap.Error(logErr)) + } + } + + h.logger.Info("GDPR Art. 17 erasure", + zap.String("target_user", targetUser), + zap.String("requested_by", requestedBy), + zap.Int("records_deleted", recordsDeleted), + ) + + writeJSON(w, http.StatusOK, ErasureRecord{ + TenantID: tenantID, + TargetUser: targetUser, + RequestedBy: requestedBy, + Reason: reason, + RecordsDeleted: recordsDeleted, + Status: "completed", + CreatedAt: time.Now(), + }) +} + +// ─── CSV export (E7-10) ─────────────────────────────────────────────────────── + +func (h *Handler) exportLogsCSV(w http.ResponseWriter, r *http.Request) { + if h.auditLog == nil { + apierror.WriteError(w, &apierror.APIError{ + Type: "not_implemented", Message: "audit logging not enabled", HTTPStatus: http.StatusNotImplemented, + }) + return + } + tenantID, ok := tenantFrom(w, r) + if !ok { + return + } + + q := auditlog.AuditQuery{ + TenantID: tenantID, + Provider: r.URL.Query().Get("provider"), + Limit: 10000, + } + if s := r.URL.Query().Get("start"); s != "" { + if t, err := time.Parse(time.RFC3339, s); err == nil { + q.StartTime = t + } + } + if s := r.URL.Query().Get("end"); s != "" { + if t, err := time.Parse(time.RFC3339, s); err == nil { + q.EndTime = t + } + } + + result, err := h.auditLog.Query(r.Context(), q) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("failed to query logs: "+err.Error())) + return + } + + filename := fmt.Sprintf("audit_logs_%s_%s.csv", tenantID[:8], time.Now().Format("2006-01-02")) + w.Header().Set("Content-Type", "text/csv; charset=utf-8") + w.Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"") + + // Write CSV header + fmt.Fprintln(w, "request_id,timestamp,user_id,tenant_id,provider,model_requested,model_used,department,user_role,sensitivity_level,token_input,token_output,token_total,cost_usd,latency_ms,status,error_type,pii_entity_count,stream") + + for _, e := range result.Data { + fmt.Fprintf(w, "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%d,%d,%d,%.6f,%d,%s,%s,%d,%t\n", + e.RequestID, + e.Timestamp.Format(time.RFC3339), + e.UserID, + e.TenantID, + e.Provider, + e.ModelRequested, + e.ModelUsed, + e.Department, + e.UserRole, + e.SensitivityLevel, + e.TokenInput, + e.TokenOutput, + e.TokenTotal, + e.CostUSD, + e.LatencyMs, + e.Status, + e.ErrorType, + e.PIIEntityCount, + e.Stream, + ) + } +} diff --git a/internal/compliance/pdf.go b/internal/compliance/pdf.go new file mode 100644 index 0000000..0427540 --- /dev/null +++ b/internal/compliance/pdf.go @@ -0,0 +1,529 @@ +package compliance + +import ( + "bytes" + "fmt" + "io" + "strings" + "time" + + "github.com/go-pdf/fpdf" +) + +// ─── colour palette ─────────────────────────────────────────────────────────── + +var ( + colNavy = [3]int{30, 58, 95} + colBlack = [3]int{30, 30, 30} + colGray = [3]int{100, 100, 100} + colLightBg = [3]int{245, 247, 250} + colRed = [3]int{220, 38, 38} + colOrange = [3]int{234, 88, 12} + colAmber = [3]int{180, 110, 10} + colGreen = [3]int{21, 128, 61} +) + +func riskColor(risk string) [3]int { + switch risk { + case "forbidden": + return colRed + case "high": + return colOrange + case "limited": + return colAmber + case "minimal": + return colGreen + default: + return colGray + } +} + +// ─── helpers ───────────────────────────────────────────────────────────────── + +func newPDF() *fpdf.Fpdf { + pdf := fpdf.New("P", "mm", "A4", "") + pdf.SetMargins(20, 20, 20) + pdf.SetAutoPageBreak(true, 20) + return pdf +} + +func setFont(pdf *fpdf.Fpdf, style string, size float64, col [3]int) { + pdf.SetFont("Helvetica", style, size) + pdf.SetTextColor(col[0], col[1], col[2]) +} + +func sectionHeader(pdf *fpdf.Fpdf, title string) { + pdf.Ln(6) + pdf.SetFillColor(colNavy[0], colNavy[1], colNavy[2]) + pdf.SetTextColor(255, 255, 255) + pdf.SetFont("Helvetica", "B", 10) + pdf.CellFormat(0, 8, " "+title, "", 1, "L", true, 0, "") + pdf.SetTextColor(colBlack[0], colBlack[1], colBlack[2]) + pdf.Ln(2) +} + +func labelValue(pdf *fpdf.Fpdf, label, value string) { + if value == "" { + value = "—" + } + setFont(pdf, "B", 9, colGray) + pdf.CellFormat(55, 6, label+":", "", 0, "L", false, 0, "") + setFont(pdf, "", 9, colBlack) + pdf.MultiCell(0, 6, value, "", "L", false) +} + +func tableRow(pdf *fpdf.Fpdf, cols []string, widths []float64, fill bool) { + if fill { + pdf.SetFillColor(colLightBg[0], colLightBg[1], colLightBg[2]) + } else { + pdf.SetFillColor(255, 255, 255) + } + for i, col := range cols { + pdf.CellFormat(widths[i], 6, col, "1", 0, "L", fill, 0, "") + } + pdf.Ln(-1) +} + +func footer(pdf *fpdf.Fpdf) { + pdf.SetFooterFunc(func() { + pdf.SetY(-15) + setFont(pdf, "I", 8, colGray) + pdf.CellFormat(0, 10, + fmt.Sprintf("Généré par Veylant IA · %s · Page %d/{nb}", + time.Now().Format("02/01/2006"), + pdf.PageNo(), + ), + "", 0, "C", false, 0, "") + }) + pdf.AliasNbPages("{nb}") +} + +func covePage(pdf *fpdf.Fpdf, title, subtitle, tenantName string) { + pdf.AddPage() + pdf.Ln(30) + + // Title block + pdf.SetFillColor(colNavy[0], colNavy[1], colNavy[2]) + pdf.SetTextColor(255, 255, 255) + pdf.SetFont("Helvetica", "B", 22) + pdf.CellFormat(0, 18, title, "", 1, "C", true, 0, "") + pdf.SetFont("Helvetica", "", 13) + pdf.CellFormat(0, 10, subtitle, "", 1, "C", true, 0, "") + pdf.Ln(6) + + // Tenant + date + pdf.SetTextColor(colBlack[0], colBlack[1], colBlack[2]) + pdf.SetFont("Helvetica", "", 11) + pdf.CellFormat(0, 8, "Organisation : "+tenantName, "", 1, "C", false, 0, "") + pdf.CellFormat(0, 8, "Date de génération : "+time.Now().Format("02 janvier 2006 à 15:04"), "", 1, "C", false, 0, "") + pdf.Ln(10) + + // Confidential stamp + pdf.SetFont("Helvetica", "B", 14) + pdf.SetTextColor(colRed[0], colRed[1], colRed[2]) + pdf.CellFormat(0, 10, "⚠ DOCUMENT CONFIDENTIEL", "", 1, "C", false, 0, "") +} + +// ─── GenerateArticle30 ──────────────────────────────────────────────────────── + +// GenerateArticle30 generates a GDPR Article 30 processing registry PDF. +func GenerateArticle30(entries []ProcessingEntry, tenantName string, w io.Writer) error { + if tenantName == "" { + tenantName = "Organisation" + } + + pdf := newPDF() + footer(pdf) + covePage(pdf, "Registre des Activités de Traitement", + "Conformément à l'Article 30 du Règlement (UE) 2016/679 (RGPD)", tenantName) + + // Section 1 — Responsable de traitement + pdf.AddPage() + sectionHeader(pdf, "1. Identification du Responsable de Traitement") + pdf.Ln(2) + labelValue(pdf, "Organisation", tenantName) + labelValue(pdf, "Plateforme IA", "Veylant IA — Proxy IA multi-fournisseurs") + labelValue(pdf, "DPO / Contact", "dpo@"+strings.ToLower(strings.ReplaceAll(tenantName, " ", ""))+".fr") + labelValue(pdf, "Cadre réglementaire", "RGPD (UE) 2016/679, Loi Informatique et Libertés") + + // Section 2 — Tableau des traitements + sectionHeader(pdf, "2. Activités de Traitement") + pdf.Ln(2) + + if len(entries) == 0 { + setFont(pdf, "I", 9, colGray) + pdf.CellFormat(0, 8, "Aucun traitement enregistré.", "", 1, "L", false, 0, "") + } else { + widths := []float64{55, 40, 30, 40} + headers := []string{"Cas d'usage", "Finalité", "Base légale", "Catégories de données"} + setFont(pdf, "B", 9, colBlack) + tableRow(pdf, headers, widths, true) + + for i, e := range entries { + cats := strings.Join(e.DataCategories, ", ") + if len(cats) > 35 { + cats = cats[:32] + "..." + } + purpose := e.Purpose + if len(purpose) > 38 { + purpose = purpose[:35] + "..." + } + legalLabel := LegalBasisLabels[e.LegalBasis] + if legalLabel == "" { + legalLabel = e.LegalBasis + } + setFont(pdf, "", 8, colBlack) + tableRow(pdf, []string{e.UseCaseName, purpose, legalLabel, cats}, widths, i%2 == 0) + } + } + + // Section 3 — Sous-traitants + sectionHeader(pdf, "3. Destinataires et Sous-Traitants (Fournisseurs LLM)") + pdf.Ln(2) + + allProcessors := map[string]bool{} + for _, e := range entries { + for _, p := range e.Processors { + allProcessors[p] = true + } + for _, r := range e.Recipients { + allProcessors[r] = true + } + } + if len(allProcessors) == 0 { + allProcessors["OpenAI (GPT-4o)"] = true + allProcessors["Anthropic (Claude)"] = true + } + for proc := range allProcessors { + setFont(pdf, "", 9, colBlack) + pdf.CellFormat(5, 6, "•", "", 0, "L", false, 0, "") + pdf.CellFormat(0, 6, proc+" — fournisseur LLM (sous-traitant au sens de l'Art. 28 RGPD)", "", 1, "L", false, 0, "") + } + + // Section 4 — Durées de conservation + sectionHeader(pdf, "4. Durées de Conservation") + pdf.Ln(2) + if len(entries) > 0 { + widths := []float64{85, 80} + headers := []string{"Cas d'usage", "Durée de conservation"} + setFont(pdf, "B", 9, colBlack) + tableRow(pdf, headers, widths, true) + for i, e := range entries { + setFont(pdf, "", 8, colBlack) + tableRow(pdf, []string{e.UseCaseName, e.RetentionPeriod}, widths, i%2 == 0) + } + } + pdf.Ln(3) + setFont(pdf, "I", 8, colGray) + pdf.MultiCell(0, 5, + "Architecture Veylant IA : journaux chauds 90 jours (ClickHouse), archives tièdes 1 an, archives froides 5 ans (TTL automatique).", + "", "L", false) + + // Section 5 — Mesures de sécurité + sectionHeader(pdf, "5. Mesures de Sécurité Techniques et Organisationnelles") + pdf.Ln(2) + measures := []string{ + "Chiffrement AES-256-GCM des prompts avant stockage", + "Pseudonymisation automatique des données personnelles (PII) avant transmission aux LLM", + "Contrôle d'accès RBAC (Admin, Manager, Utilisateur, Auditeur)", + "Authentification forte via Keycloak (OIDC/SAML 2.0 / MFA)", + "Journaux d'audit immuables (ClickHouse append-only, TTL uniquement)", + "TLS 1.3 pour toutes les communications externes", + "Circuit breaker pour la résilience des fournisseurs", + "Séparation logique multi-locataires (Row-Level Security PostgreSQL)", + } + for _, m := range measures { + setFont(pdf, "", 9, colBlack) + pdf.CellFormat(5, 6, "✓", "", 0, "L", false, 0, "") + pdf.MultiCell(0, 6, m, "", "L", false) + } + + // Section 6 — Droits des personnes + sectionHeader(pdf, "6. Droits des Personnes Concernées") + pdf.Ln(2) + rights := []struct{ art, desc string }{ + {"Art. 15", "Droit d'accès — Endpoint GET /v1/admin/compliance/gdpr/access/{user_id}"}, + {"Art. 16", "Droit de rectification — via l'interface d'administration"}, + {"Art. 17", "Droit à l'effacement — Endpoint DELETE /v1/admin/compliance/gdpr/erase/{user_id}"}, + {"Art. 18", "Droit à la limitation — contact DPO"}, + {"Art. 20", "Droit à la portabilité — export JSON/CSV disponible"}, + {"Art. 21", "Droit d'opposition — contact DPO"}, + {"Art. 22", "Droit à ne pas faire l'objet d'une décision automatisée — supervision humaine obligatoire"}, + } + widths := []float64{20, 145} + setFont(pdf, "B", 9, colBlack) + tableRow(pdf, []string{"Article", "Description"}, widths, true) + for i, r := range rights { + setFont(pdf, "", 8, colBlack) + tableRow(pdf, []string{r.art, r.desc}, widths, i%2 == 0) + } + + var buf bytes.Buffer + if err := pdf.Output(&buf); err != nil { + return fmt.Errorf("pdf output: %w", err) + } + _, err := w.Write(buf.Bytes()) + return err +} + +// ─── GenerateAiActReport ────────────────────────────────────────────────────── + +// GenerateAiActReport generates an EU AI Act risk classification report PDF. +func GenerateAiActReport(entries []ProcessingEntry, tenantName string, w io.Writer) error { + if tenantName == "" { + tenantName = "Organisation" + } + + pdf := newPDF() + footer(pdf) + covePage(pdf, "Rapport de Classification AI Act", + "Conformément au Règlement (UE) 2024/1689 sur l'Intelligence Artificielle", tenantName) + + pdf.AddPage() + + // Summary + sectionHeader(pdf, "Synthèse de la Classification") + pdf.Ln(2) + + counts := map[string]int{"forbidden": 0, "high": 0, "limited": 0, "minimal": 0, "": 0} + for _, e := range entries { + counts[e.RiskLevel]++ + } + widths := []float64{50, 30, 85} + setFont(pdf, "B", 9, colBlack) + tableRow(pdf, []string{"Niveau de risque", "Nb systèmes", "Obligations réglementaires"}, widths, true) + + obligations := map[string]string{ + "forbidden": "INTERDIT — blocage automatique requis", + "high": "DPIA obligatoire · supervision humaine · journalisation renforcée", + "limited": "Obligation de transparence (Art. 50) · mention IA requise", + "minimal": "Journalisation standard uniquement", + "": "Non classifié — questionnaire à compléter", + } + riskOrder := []string{"forbidden", "high", "limited", "minimal", ""} + for i, risk := range riskOrder { + label := RiskLabels[risk] + if label == "" { + label = "Non classifié" + } + col := riskColor(risk) + pdf.SetTextColor(col[0], col[1], col[2]) + pdf.SetFont("Helvetica", "B", 8) + fill := i%2 == 0 + if fill { + pdf.SetFillColor(colLightBg[0], colLightBg[1], colLightBg[2]) + } else { + pdf.SetFillColor(255, 255, 255) + } + pdf.CellFormat(widths[0], 6, label, "1", 0, "L", fill, 0, "") + setFont(pdf, "", 8, colBlack) + pdf.CellFormat(widths[1], 6, fmt.Sprintf("%d", counts[risk]), "1", 0, "C", fill, 0, "") + pdf.CellFormat(widths[2], 6, obligations[risk], "1", 1, "L", fill, 0, "") + } + + // Per-system detail + if len(entries) > 0 { + sectionHeader(pdf, "Détail par Système IA") + pdf.Ln(2) + + for _, e := range entries { + col := riskColor(e.RiskLevel) + riskLabel := RiskLabels[e.RiskLevel] + if riskLabel == "" { + riskLabel = "Non classifié" + } + + // System header + pdf.SetFillColor(colLightBg[0], colLightBg[1], colLightBg[2]) + pdf.SetFont("Helvetica", "B", 10) + pdf.SetTextColor(colNavy[0], colNavy[1], colNavy[2]) + pdf.CellFormat(0, 8, " "+e.UseCaseName, "LRT", 1, "L", true, 0, "") + + // Risk badge + pdf.SetFont("Helvetica", "B", 9) + pdf.SetTextColor(col[0], col[1], col[2]) + pdf.CellFormat(40, 6, " Niveau : "+riskLabel, "LB", 0, "L", true, 0, "") + setFont(pdf, "", 9, colBlack) + pdf.CellFormat(0, 6, " Base légale : "+LegalBasisLabels[e.LegalBasis], "RB", 1, "L", true, 0, "") + + // Details + pdf.Ln(1) + labelValue(pdf, "Finalité", e.Purpose) + labelValue(pdf, "Données traitées", strings.Join(e.DataCategories, ", ")) + labelValue(pdf, "Durée conservation", e.RetentionPeriod) + if len(e.AiActAnswers) > 0 { + yesItems := []string{} + for _, q := range AiActQuestions { + if e.AiActAnswers[q.Key] { + yesItems = append(yesItems, "• "+q.Label) + } + } + if len(yesItems) > 0 { + setFont(pdf, "B", 9, colGray) + pdf.CellFormat(55, 6, "Critères AI Act :", "", 1, "L", false, 0, "") + setFont(pdf, "", 8, colBlack) + for _, yi := range yesItems { + pdf.MultiCell(0, 5, " "+yi, "", "L", false) + } + } + } + pdf.Ln(4) + } + } + + // Regulatory note + sectionHeader(pdf, "Note Réglementaire") + pdf.Ln(2) + setFont(pdf, "", 9, colBlack) + pdf.MultiCell(0, 6, + "Ce rapport est généré conformément au Règlement (UE) 2024/1689 sur l'Intelligence Artificielle (AI Act), "+ + "entré en vigueur le 1er août 2024. Les systèmes classifiés \"Haut risque\" sont soumis à une évaluation "+ + "de conformité avant déploiement. Les systèmes \"Interdits\" ne peuvent être mis en service sur le territoire "+ + "de l'Union Européenne. Ce document doit être mis à jour à chaque modification substantielle d'un système IA.", + "", "L", false) + + var buf bytes.Buffer + if err := pdf.Output(&buf); err != nil { + return fmt.Errorf("pdf output: %w", err) + } + _, err := w.Write(buf.Bytes()) + return err +} + +// ─── GenerateDPIA ───────────────────────────────────────────────────────────── + +// GenerateDPIA generates a pre-filled DPIA template for a processing entry (Art. 35 GDPR). +func GenerateDPIA(entry ProcessingEntry, tenantName string, w io.Writer) error { + if tenantName == "" { + tenantName = "Organisation" + } + + pdf := newPDF() + footer(pdf) + covePage(pdf, "Analyse d'Impact relative à la Protection des Données", + "Data Protection Impact Assessment (DPIA) — Article 35 RGPD", tenantName) + + pdf.AddPage() + + // Section 1 — Description + sectionHeader(pdf, "1. Description du Traitement") + pdf.Ln(2) + labelValue(pdf, "Cas d'usage", entry.UseCaseName) + labelValue(pdf, "Finalité", entry.Purpose) + labelValue(pdf, "Base légale", LegalBasisLabels[entry.LegalBasis]) + labelValue(pdf, "Catégories de données", strings.Join(entry.DataCategories, ", ")) + labelValue(pdf, "Destinataires", strings.Join(entry.Recipients, ", ")) + labelValue(pdf, "Sous-traitants LLM", strings.Join(entry.Processors, ", ")) + labelValue(pdf, "Durée de conservation", entry.RetentionPeriod) + labelValue(pdf, "Classification AI Act", RiskLabels[entry.RiskLevel]) + + // Section 2 — Nécessité et proportionnalité + sectionHeader(pdf, "2. Nécessité et Proportionnalité") + pdf.Ln(2) + setFont(pdf, "", 9, colBlack) + pdf.MultiCell(0, 6, + "Le traitement est nécessaire pour atteindre la finalité identifiée. "+ + "La pseudonymisation automatique des données personnelles par Veylant IA "+ + "(avant transmission aux fournisseurs LLM) constitue une mesure de minimisation des données "+ + "conforme à l'Art. 5(1)(c) RGPD. "+ + "Seules les catégories de données strictement nécessaires sont traitées.", + "", "L", false) + + // Section 3 — Risques + sectionHeader(pdf, "3. Évaluation des Risques") + pdf.Ln(2) + + risks := []struct{ risk, proba, impact, mitigation string }{ + { + "Accès non autorisé aux données", + "Faible", + "Élevé", + "RBAC strict, MFA, TLS 1.3, chiffrement AES-256-GCM", + }, + { + "Fuite de données vers fournisseur LLM", + "Très faible", + "Élevé", + "Pseudonymisation PII avant envoi, contrats DPA avec fournisseurs (Art. 28)", + }, + { + "Rétention excessive des données", + "Faible", + "Moyen", + "TTL automatique ClickHouse, politique de rétention définie (" + entry.RetentionPeriod + ")", + }, + { + "Décision automatisée non supervisée", + "Moyen", + "Élevé", + "Supervision humaine obligatoire pour décisions à impact légal", + }, + { + "Indisponibilité du service", + "Faible", + "Moyen", + "Circuit breaker, failover multi-fournisseurs, monitoring Prometheus", + }, + } + widths := []float64{60, 22, 22, 61} + setFont(pdf, "B", 9, colBlack) + tableRow(pdf, []string{"Risque", "Probabilité", "Impact", "Mesure d'atténuation"}, widths, true) + for i, r := range risks { + setFont(pdf, "", 8, colBlack) + tableRow(pdf, []string{r.risk, r.proba, r.impact, r.mitigation}, widths, i%2 == 0) + } + + // Section 4 — Mesures d'atténuation + sectionHeader(pdf, "4. Mesures d'Atténuation Implémentées") + pdf.Ln(2) + if entry.SecurityMeasures != "" { + labelValue(pdf, "Mesures spécifiques", entry.SecurityMeasures) + } + genericMeasures := []string{ + "Pseudonymisation automatique des PII (regex + NER + validation LLM)", + "Chiffrement AES-256-GCM au repos et TLS 1.3 en transit", + "RBAC avec 4 niveaux (Admin, Manager, Utilisateur, Auditeur)", + "Journaux d'audit immuables avec conservation " + entry.RetentionPeriod, + "Tests de sécurité SAST/DAST en pipeline CI/CD", + "Contrats de sous-traitance (DPA) avec chaque fournisseur LLM", + } + for _, m := range genericMeasures { + setFont(pdf, "", 9, colBlack) + pdf.CellFormat(5, 6, "✓", "", 0, "L", false, 0, "") + pdf.MultiCell(0, 6, m, "", "L", false) + } + + // Section 5 — Risque résiduel + sectionHeader(pdf, "5. Risque Résiduel et Conclusion") + pdf.Ln(2) + setFont(pdf, "", 9, colBlack) + pdf.MultiCell(0, 6, + "Après application des mesures d'atténuation identifiées, le risque résiduel est évalué comme "+ + "ACCEPTABLE. Ce traitement peut être mis en œuvre sous réserve du respect continu des mesures "+ + "de sécurité décrites. Une réévaluation annuelle ou lors de toute modification substantielle "+ + "du traitement est recommandée.", + "", "L", false) + + // Section 6 — Signatures + sectionHeader(pdf, "6. Approbation") + pdf.Ln(4) + col1 := 85.0 + col2 := 85.0 + setFont(pdf, "B", 9, colBlack) + pdf.CellFormat(col1, 6, "Responsable de traitement", "", 0, "C", false, 0, "") + pdf.CellFormat(col2, 6, "Délégué à la Protection des Données", "", 1, "C", false, 0, "") + pdf.Ln(10) + setFont(pdf, "", 9, colGray) + pdf.CellFormat(col1, 6, "Signature : ________________________", "", 0, "C", false, 0, "") + pdf.CellFormat(col2, 6, "Signature : ________________________", "", 1, "C", false, 0, "") + pdf.Ln(3) + pdf.CellFormat(col1, 6, "Date : ____/____/________", "", 0, "C", false, 0, "") + pdf.CellFormat(col2, 6, "Date : ____/____/________", "", 1, "C", false, 0, "") + + var buf bytes.Buffer + if err := pdf.Output(&buf); err != nil { + return fmt.Errorf("pdf output: %w", err) + } + _, err := w.Write(buf.Bytes()) + return err +} diff --git a/internal/compliance/pg_store.go b/internal/compliance/pg_store.go new file mode 100644 index 0000000..5310ca4 --- /dev/null +++ b/internal/compliance/pg_store.go @@ -0,0 +1,241 @@ +package compliance + +import ( + "context" + "database/sql" + "encoding/json" + "errors" + "fmt" + "time" + + "go.uber.org/zap" +) + +// PgStore implements ComplianceStore using PostgreSQL. +type PgStore struct { + db *sql.DB + logger *zap.Logger +} + +// NewPgStore creates a PgStore backed by the given database connection. +func NewPgStore(db *sql.DB, logger *zap.Logger) *PgStore { + return &PgStore{db: db, logger: logger} +} + +func (p *PgStore) List(ctx context.Context, tenantID string) ([]ProcessingEntry, error) { + const q = ` + SELECT id, tenant_id, use_case_name, legal_basis, purpose, + data_categories, recipients, processors, + retention_period, + COALESCE(security_measures,''), COALESCE(controller_name,''), + COALESCE(risk_level,''), ai_act_answers, + is_active, created_at, updated_at + FROM processing_registry + WHERE tenant_id = $1 AND is_active = TRUE + ORDER BY created_at DESC` + + rows, err := p.db.QueryContext(ctx, q, tenantID) + if err != nil { + return nil, fmt.Errorf("processing_registry list: %w", err) + } + defer rows.Close() //nolint:errcheck + + var entries []ProcessingEntry + for rows.Next() { + e, err := scanEntry(rows) + if err != nil { + return nil, err + } + entries = append(entries, e) + } + return entries, rows.Err() +} + +func (p *PgStore) Get(ctx context.Context, id, tenantID string) (ProcessingEntry, error) { + const q = ` + SELECT id, tenant_id, use_case_name, legal_basis, purpose, + data_categories, recipients, processors, + retention_period, + COALESCE(security_measures,''), COALESCE(controller_name,''), + COALESCE(risk_level,''), ai_act_answers, + is_active, created_at, updated_at + FROM processing_registry + WHERE id = $1 AND tenant_id = $2` + + row := p.db.QueryRowContext(ctx, q, id, tenantID) + e, err := scanEntry(row) + if errors.Is(err, sql.ErrNoRows) { + return ProcessingEntry{}, ErrNotFound + } + return e, err +} + +func (p *PgStore) Create(ctx context.Context, entry ProcessingEntry) (ProcessingEntry, error) { + catJSON, err := json.Marshal(entry.DataCategories) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal data_categories: %w", err) + } + recJSON, err := json.Marshal(entry.Recipients) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal recipients: %w", err) + } + procJSON, err := json.Marshal(entry.Processors) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal processors: %w", err) + } + + var answersJSON []byte + if entry.AiActAnswers != nil { + answersJSON, err = json.Marshal(entry.AiActAnswers) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal ai_act_answers: %w", err) + } + } + + const q = ` + INSERT INTO processing_registry + (tenant_id, use_case_name, legal_basis, purpose, + data_categories, recipients, processors, + retention_period, security_measures, controller_name, + risk_level, ai_act_answers) + VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12) + RETURNING id, tenant_id, use_case_name, legal_basis, purpose, + data_categories, recipients, processors, + retention_period, + COALESCE(security_measures,''), COALESCE(controller_name,''), + COALESCE(risk_level,''), ai_act_answers, + is_active, created_at, updated_at` + + nilIfEmpty := func(s string) interface{} { + if s == "" { + return nil + } + return s + } + + row := p.db.QueryRowContext(ctx, q, + entry.TenantID, entry.UseCaseName, entry.LegalBasis, entry.Purpose, + catJSON, recJSON, procJSON, + entry.RetentionPeriod, + nilIfEmpty(entry.SecurityMeasures), nilIfEmpty(entry.ControllerName), + nilIfEmpty(entry.RiskLevel), answersJSON, + ) + return scanEntry(row) +} + +func (p *PgStore) Update(ctx context.Context, entry ProcessingEntry) (ProcessingEntry, error) { + catJSON, err := json.Marshal(entry.DataCategories) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal data_categories: %w", err) + } + recJSON, err := json.Marshal(entry.Recipients) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal recipients: %w", err) + } + procJSON, err := json.Marshal(entry.Processors) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal processors: %w", err) + } + + var answersJSON []byte + if entry.AiActAnswers != nil { + answersJSON, err = json.Marshal(entry.AiActAnswers) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("marshal ai_act_answers: %w", err) + } + } + + nilIfEmpty := func(s string) interface{} { + if s == "" { + return nil + } + return s + } + + const q = ` + UPDATE processing_registry + SET use_case_name=$3, legal_basis=$4, purpose=$5, + data_categories=$6, recipients=$7, processors=$8, + retention_period=$9, security_measures=$10, controller_name=$11, + risk_level=$12, ai_act_answers=$13, updated_at=NOW() + WHERE id=$1 AND tenant_id=$2 + RETURNING id, tenant_id, use_case_name, legal_basis, purpose, + data_categories, recipients, processors, + retention_period, + COALESCE(security_measures,''), COALESCE(controller_name,''), + COALESCE(risk_level,''), ai_act_answers, + is_active, created_at, updated_at` + + row := p.db.QueryRowContext(ctx, q, + entry.ID, entry.TenantID, + entry.UseCaseName, entry.LegalBasis, entry.Purpose, + catJSON, recJSON, procJSON, + entry.RetentionPeriod, + nilIfEmpty(entry.SecurityMeasures), nilIfEmpty(entry.ControllerName), + nilIfEmpty(entry.RiskLevel), answersJSON, + ) + e, err := scanEntry(row) + if errors.Is(err, sql.ErrNoRows) { + return ProcessingEntry{}, ErrNotFound + } + return e, err +} + +func (p *PgStore) Delete(ctx context.Context, id, tenantID string) error { + const q = `UPDATE processing_registry SET is_active=FALSE, updated_at=NOW() WHERE id=$1 AND tenant_id=$2` + res, err := p.db.ExecContext(ctx, q, id, tenantID) + if err != nil { + return fmt.Errorf("processing_registry delete: %w", err) + } + n, _ := res.RowsAffected() + if n == 0 { + return ErrNotFound + } + return nil +} + +// ─── scanner ───────────────────────────────────────────────────────────────── + +type scanner interface { + Scan(dest ...interface{}) error +} + +func scanEntry(s scanner) (ProcessingEntry, error) { + var ( + e ProcessingEntry + catJSON []byte + recJSON []byte + procJSON []byte + answersJSON []byte + createdAt time.Time + updatedAt time.Time + ) + err := s.Scan( + &e.ID, &e.TenantID, &e.UseCaseName, &e.LegalBasis, &e.Purpose, + &catJSON, &recJSON, &procJSON, + &e.RetentionPeriod, &e.SecurityMeasures, &e.ControllerName, + &e.RiskLevel, &answersJSON, + &e.IsActive, &createdAt, &updatedAt, + ) + if err != nil { + return ProcessingEntry{}, fmt.Errorf("scanning processing_registry row: %w", err) + } + e.CreatedAt = createdAt + e.UpdatedAt = updatedAt + + if err := json.Unmarshal(catJSON, &e.DataCategories); err != nil { + return ProcessingEntry{}, fmt.Errorf("parsing data_categories JSON: %w", err) + } + if err := json.Unmarshal(recJSON, &e.Recipients); err != nil { + return ProcessingEntry{}, fmt.Errorf("parsing recipients JSON: %w", err) + } + if err := json.Unmarshal(procJSON, &e.Processors); err != nil { + return ProcessingEntry{}, fmt.Errorf("parsing processors JSON: %w", err) + } + if len(answersJSON) > 0 && string(answersJSON) != "null" { + if err := json.Unmarshal(answersJSON, &e.AiActAnswers); err != nil { + return ProcessingEntry{}, fmt.Errorf("parsing ai_act_answers JSON: %w", err) + } + } + return e, nil +} diff --git a/internal/compliance/store.go b/internal/compliance/store.go new file mode 100644 index 0000000..d11d880 --- /dev/null +++ b/internal/compliance/store.go @@ -0,0 +1,12 @@ +package compliance + +import "context" + +// ComplianceStore defines persistence operations for the processing registry. +type ComplianceStore interface { + List(ctx context.Context, tenantID string) ([]ProcessingEntry, error) + Get(ctx context.Context, id, tenantID string) (ProcessingEntry, error) + Create(ctx context.Context, entry ProcessingEntry) (ProcessingEntry, error) + Update(ctx context.Context, entry ProcessingEntry) (ProcessingEntry, error) + Delete(ctx context.Context, id, tenantID string) error +} diff --git a/internal/compliance/types.go b/internal/compliance/types.go new file mode 100644 index 0000000..d0e913f --- /dev/null +++ b/internal/compliance/types.go @@ -0,0 +1,101 @@ +// Package compliance implements the GDPR Article 30 processing registry, +// EU AI Act risk classification, PDF report generation, and GDPR rights APIs. +package compliance + +import ( + "errors" + "time" +) + +// ErrNotFound is returned when a processing entry is not found. +var ErrNotFound = errors.New("compliance entry not found") + +// ProcessingEntry represents one record in the GDPR Article 30 processing registry. +type ProcessingEntry struct { + ID string `json:"id"` + TenantID string `json:"tenant_id"` + UseCaseName string `json:"use_case_name"` + LegalBasis string `json:"legal_basis"` + Purpose string `json:"purpose"` + DataCategories []string `json:"data_categories"` + Recipients []string `json:"recipients"` + Processors []string `json:"processors"` + RetentionPeriod string `json:"retention_period"` + SecurityMeasures string `json:"security_measures"` + ControllerName string `json:"controller_name"` + // AI Act fields (E9-02) + RiskLevel string `json:"risk_level"` // minimal|limited|high|forbidden|"" + AiActAnswers map[string]bool `json:"ai_act_answers,omitempty"` // q1..q5 + IsActive bool `json:"is_active"` + CreatedAt time.Time `json:"created_at"` + UpdatedAt time.Time `json:"updated_at"` +} + +// ErasureRecord is an immutable audit record for GDPR Art. 17 erasure requests. +type ErasureRecord struct { + ID string `json:"erasure_id"` + TenantID string `json:"tenant_id"` + TargetUser string `json:"user_id"` + RequestedBy string `json:"requested_by"` + Reason string `json:"reason"` + RecordsDeleted int `json:"records_deleted"` + Status string `json:"status"` + CreatedAt time.Time `json:"timestamp"` +} + +// LegalBasisLabels maps legal_basis values to human-readable French labels. +var LegalBasisLabels = map[string]string{ + "consent": "Consentement (Art. 6.1.a)", + "contract": "Exécution d'un contrat (Art. 6.1.b)", + "legal_obligation": "Obligation légale (Art. 6.1.c)", + "vital_interests": "Intérêts vitaux (Art. 6.1.d)", + "public_task": "Mission d'intérêt public (Art. 6.1.e)", + "legitimate_interest": "Intérêt légitime (Art. 6.1.f)", +} + +// RiskLabels maps risk_level values to human-readable labels. +var RiskLabels = map[string]string{ + "minimal": "Risque minimal", + "limited": "Risque limité", + "high": "Haut risque", + "forbidden": "Interdit", +} + +// AiActQuestions defines the 5 EU AI Act classification questions. +// Keys q1..q5 correspond to the ai_act_answers JSONB field. +var AiActQuestions = []struct { + Key string + Label string +}{ + {"q1", "Le système prend-il des décisions autonomes affectant des droits légaux ou des situations similaires des personnes ?"}, + {"q2", "Implique-t-il une identification biométrique ou une reconnaissance des émotions ?"}, + {"q3", "Est-il utilisé dans des décisions critiques (médical, justice, emploi, crédit) ?"}, + {"q4", "Traite-t-il des catégories spéciales de données (santé, biométrie, origine raciale) ?"}, + {"q5", "La transparence sur l'utilisation de l'IA est-elle indispensable au consentement éclairé ?"}, +} + +// ScoreRisk computes the EU AI Act risk level from questionnaire answers. +// +// Scoring rules: +// - 0 "yes" → minimal +// - 1–2 "yes" → limited +// - 3–4 "yes" → high +// - 5 "yes" → forbidden +func ScoreRisk(answers map[string]bool) string { + yes := 0 + for _, v := range answers { + if v { + yes++ + } + } + switch { + case yes == 5: + return "forbidden" + case yes >= 3: + return "high" + case yes >= 1: + return "limited" + default: + return "minimal" + } +} diff --git a/internal/config/config.go b/internal/config/config.go new file mode 100644 index 0000000..d8f78a4 --- /dev/null +++ b/internal/config/config.go @@ -0,0 +1,236 @@ +package config + +import ( + "fmt" + "strings" + + "github.com/spf13/viper" +) + +// Config holds all application configuration. +// Values are loaded from config.yaml then overridden by env vars prefixed with VEYLANT_. +// Example: VEYLANT_SERVER_PORT=9090 overrides server.port. +type Config struct { + Server ServerConfig `mapstructure:"server"` + Database DatabaseConfig `mapstructure:"database"` + Redis RedisConfig `mapstructure:"redis"` + Keycloak KeycloakConfig `mapstructure:"keycloak"` + PII PIIConfig `mapstructure:"pii"` + Log LogConfig `mapstructure:"log"` + Providers ProvidersConfig `mapstructure:"providers"` + RBAC RBACConfig `mapstructure:"rbac"` + Metrics MetricsConfig `mapstructure:"metrics"` + Routing RoutingConfig `mapstructure:"routing"` + ClickHouse ClickHouseConfig `mapstructure:"clickhouse"` + Crypto CryptoConfig `mapstructure:"crypto"` + RateLimit RateLimitConfig `mapstructure:"rate_limit"` +} + +// RateLimitConfig holds default rate limiting parameters applied to all tenants +// that have no explicit per-tenant override in the rate_limit_configs table. +type RateLimitConfig struct { + // DefaultTenantRPM is the default tenant-wide requests per minute limit. + DefaultTenantRPM int `mapstructure:"default_tenant_rpm"` + // DefaultTenantBurst is the maximum burst size for a tenant bucket. + DefaultTenantBurst int `mapstructure:"default_tenant_burst"` + // DefaultUserRPM is the default per-user requests per minute limit within a tenant. + DefaultUserRPM int `mapstructure:"default_user_rpm"` + // DefaultUserBurst is the maximum burst size for a per-user bucket. + DefaultUserBurst int `mapstructure:"default_user_burst"` +} + +// ClickHouseConfig holds ClickHouse connection settings for the audit log. +type ClickHouseConfig struct { + DSN string `mapstructure:"dsn"` // clickhouse://user:pass@host:9000/db + MaxConns int `mapstructure:"max_conns"` + DialTimeoutSec int `mapstructure:"dial_timeout_seconds"` +} + +// CryptoConfig holds cryptographic settings. +type CryptoConfig struct { + // AESKeyBase64 is a base64-encoded 32-byte key for AES-256-GCM prompt encryption. + // Set via env var VEYLANT_CRYPTO_AES_KEY_BASE64 — never hardcode. + AESKeyBase64 string `mapstructure:"aes_key_base64"` +} + +// RoutingConfig controls the intelligent routing engine behaviour. +type RoutingConfig struct { + // CacheTTLSeconds is how long routing rules are cached per tenant before + // a background refresh. 0 means use the default (30s). + CacheTTLSeconds int `mapstructure:"cache_ttl_seconds"` +} + +// ProvidersConfig holds configuration for all LLM provider adapters. +type ProvidersConfig struct { + OpenAI OpenAIConfig `mapstructure:"openai"` + Anthropic AnthropicConfig `mapstructure:"anthropic"` + Azure AzureConfig `mapstructure:"azure"` + Mistral MistralConfig `mapstructure:"mistral"` + Ollama OllamaConfig `mapstructure:"ollama"` +} + +// OpenAIConfig holds OpenAI adapter configuration. +type OpenAIConfig struct { + APIKey string `mapstructure:"api_key"` + BaseURL string `mapstructure:"base_url"` + TimeoutSeconds int `mapstructure:"timeout_seconds"` + MaxConns int `mapstructure:"max_conns"` +} + +// AnthropicConfig holds Anthropic adapter configuration. +type AnthropicConfig struct { + APIKey string `mapstructure:"api_key"` + BaseURL string `mapstructure:"base_url"` + Version string `mapstructure:"version"` // Anthropic API version header, e.g. "2023-06-01" + TimeoutSeconds int `mapstructure:"timeout_seconds"` + MaxConns int `mapstructure:"max_conns"` +} + +// AzureConfig holds Azure OpenAI adapter configuration. +type AzureConfig struct { + APIKey string `mapstructure:"api_key"` + ResourceName string `mapstructure:"resource_name"` // e.g. "my-azure-resource" + DeploymentID string `mapstructure:"deployment_id"` // e.g. "gpt-4o" + APIVersion string `mapstructure:"api_version"` // e.g. "2024-02-01" + TimeoutSeconds int `mapstructure:"timeout_seconds"` + MaxConns int `mapstructure:"max_conns"` +} + +// MistralConfig holds Mistral AI adapter configuration (OpenAI-compatible). +type MistralConfig struct { + APIKey string `mapstructure:"api_key"` + BaseURL string `mapstructure:"base_url"` + TimeoutSeconds int `mapstructure:"timeout_seconds"` + MaxConns int `mapstructure:"max_conns"` +} + +// OllamaConfig holds Ollama adapter configuration (OpenAI-compatible, local). +type OllamaConfig struct { + BaseURL string `mapstructure:"base_url"` + TimeoutSeconds int `mapstructure:"timeout_seconds"` + MaxConns int `mapstructure:"max_conns"` +} + +// RBACConfig holds role-based access control settings for the provider router. +type RBACConfig struct { + // UserAllowedModels lists models accessible to the "user" role (exact or prefix match). + UserAllowedModels []string `mapstructure:"user_allowed_models"` + // AuditorCanComplete controls whether auditors can make chat completions. + // Defaults to false — auditors receive 403 on POST /v1/chat/completions. + AuditorCanComplete bool `mapstructure:"auditor_can_complete"` +} + +// MetricsConfig holds Prometheus metrics configuration. +type MetricsConfig struct { + Enabled bool `mapstructure:"enabled"` + Path string `mapstructure:"path"` +} + +type ServerConfig struct { + Port int `mapstructure:"port"` + ShutdownTimeout int `mapstructure:"shutdown_timeout_seconds"` + Env string `mapstructure:"env"` // development, staging, production + TenantName string `mapstructure:"tenant_name"` // display name used in PDF reports + AllowedOrigins []string `mapstructure:"allowed_origins"` // CORS allowed origins for the React dashboard +} + +type DatabaseConfig struct { + URL string `mapstructure:"url"` + MaxOpenConns int `mapstructure:"max_open_conns"` + MaxIdleConns int `mapstructure:"max_idle_conns"` + MigrationsPath string `mapstructure:"migrations_path"` +} + +type RedisConfig struct { + URL string `mapstructure:"url"` +} + +type KeycloakConfig struct { + BaseURL string `mapstructure:"base_url"` + Realm string `mapstructure:"realm"` + ClientID string `mapstructure:"client_id"` +} + +type PIIConfig struct { + Enabled bool `mapstructure:"enabled"` + ServiceAddr string `mapstructure:"service_addr"` // gRPC address, e.g. localhost:50051 + TimeoutMs int `mapstructure:"timeout_ms"` + FailOpen bool `mapstructure:"fail_open"` // if true, pass request through on PII service error +} + +type LogConfig struct { + Level string `mapstructure:"level"` // debug, info, warn, error + Format string `mapstructure:"format"` // json, console +} + +// Load reads configuration from config.yaml (searched in . and ./config) +// and overrides with environment variables prefixed VEYLANT_. +func Load() (*Config, error) { + v := viper.New() + + v.SetConfigName("config") + v.SetConfigType("yaml") + v.AddConfigPath(".") + v.AddConfigPath("./config") + + // Env var overrides: VEYLANT_SERVER_PORT → server.port + v.SetEnvPrefix("VEYLANT") + v.SetEnvKeyReplacer(strings.NewReplacer(".", "_")) + v.AutomaticEnv() + + // Defaults + v.SetDefault("server.port", 8090) + v.SetDefault("server.shutdown_timeout_seconds", 30) + v.SetDefault("server.env", "development") + v.SetDefault("server.allowed_origins", []string{"http://localhost:3000"}) + v.SetDefault("database.max_open_conns", 25) + v.SetDefault("database.max_idle_conns", 5) + v.SetDefault("database.migrations_path", "migrations") + v.SetDefault("pii.enabled", false) + v.SetDefault("pii.service_addr", "localhost:50051") + v.SetDefault("pii.timeout_ms", 100) + v.SetDefault("pii.fail_open", true) + v.SetDefault("log.level", "info") + v.SetDefault("log.format", "json") + v.SetDefault("providers.openai.base_url", "https://api.openai.com/v1") + v.SetDefault("providers.openai.timeout_seconds", 30) + v.SetDefault("providers.openai.max_conns", 100) + v.SetDefault("providers.anthropic.base_url", "https://api.anthropic.com/v1") + v.SetDefault("providers.anthropic.version", "2023-06-01") + v.SetDefault("providers.anthropic.timeout_seconds", 30) + v.SetDefault("providers.anthropic.max_conns", 100) + v.SetDefault("providers.azure.api_version", "2024-02-01") + v.SetDefault("providers.azure.timeout_seconds", 30) + v.SetDefault("providers.azure.max_conns", 100) + v.SetDefault("providers.mistral.base_url", "https://api.mistral.ai/v1") + v.SetDefault("providers.mistral.timeout_seconds", 30) + v.SetDefault("providers.mistral.max_conns", 100) + v.SetDefault("providers.ollama.base_url", "http://localhost:11434/v1") + v.SetDefault("providers.ollama.timeout_seconds", 120) + v.SetDefault("providers.ollama.max_conns", 10) + v.SetDefault("rbac.user_allowed_models", []string{"gpt-4o-mini", "gpt-3.5-turbo", "mistral-small"}) + v.SetDefault("rbac.auditor_can_complete", false) + v.SetDefault("metrics.enabled", true) + v.SetDefault("metrics.path", "/metrics") + v.SetDefault("routing.cache_ttl_seconds", 30) + v.SetDefault("clickhouse.max_conns", 10) + v.SetDefault("clickhouse.dial_timeout_seconds", 5) + v.SetDefault("rate_limit.default_tenant_rpm", 1000) + v.SetDefault("rate_limit.default_tenant_burst", 200) + v.SetDefault("rate_limit.default_user_rpm", 100) + v.SetDefault("rate_limit.default_user_burst", 20) + + if err := v.ReadInConfig(); err != nil { + if _, ok := err.(viper.ConfigFileNotFoundError); !ok { + return nil, fmt.Errorf("reading config: %w", err) + } + // Config file not found — rely on defaults and env vars only + } + + var cfg Config + if err := v.Unmarshal(&cfg); err != nil { + return nil, fmt.Errorf("unmarshaling config: %w", err) + } + + return &cfg, nil +} diff --git a/internal/config/config_test.go b/internal/config/config_test.go new file mode 100644 index 0000000..a794b28 --- /dev/null +++ b/internal/config/config_test.go @@ -0,0 +1,53 @@ +package config_test + +import ( + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/config" +) + +func TestLoad_Defaults(t *testing.T) { + // No config.yaml in the test working directory — relies on defaults. + cfg, err := config.Load() + require.NoError(t, err) + + assert.Equal(t, 8090, cfg.Server.Port) + assert.Equal(t, 30, cfg.Server.ShutdownTimeout) + assert.Equal(t, "development", cfg.Server.Env) + assert.Equal(t, "info", cfg.Log.Level) + assert.Equal(t, "json", cfg.Log.Format) + assert.Equal(t, "https://api.openai.com/v1", cfg.Providers.OpenAI.BaseURL) + assert.Equal(t, 30, cfg.Providers.OpenAI.TimeoutSeconds) + assert.Equal(t, 100, cfg.Providers.OpenAI.MaxConns) + assert.True(t, cfg.Metrics.Enabled) + assert.Equal(t, "/metrics", cfg.Metrics.Path) +} + +func TestLoad_EnvVarOverride(t *testing.T) { + t.Setenv("VEYLANT_SERVER_PORT", "9999") + t.Setenv("VEYLANT_LOG_LEVEL", "debug") + t.Setenv("VEYLANT_SERVER_ENV", "production") + + cfg, err := config.Load() + require.NoError(t, err) + + assert.Equal(t, 9999, cfg.Server.Port) + assert.Equal(t, "debug", cfg.Log.Level) + assert.Equal(t, "production", cfg.Server.Env) +} + +func TestLoad_NoConfigFileIsNotAnError(t *testing.T) { + // Change to a temp directory with no config.yaml to confirm graceful fallback. + dir := t.TempDir() + origDir, _ := os.Getwd() + require.NoError(t, os.Chdir(dir)) + t.Cleanup(func() { _ = os.Chdir(origDir) }) + + cfg, err := config.Load() + require.NoError(t, err) + assert.NotNil(t, cfg) +} diff --git a/internal/crypto/aes.go b/internal/crypto/aes.go new file mode 100644 index 0000000..442a5ce --- /dev/null +++ b/internal/crypto/aes.go @@ -0,0 +1,82 @@ +// Package crypto provides AES-256-GCM encryption utilities for storing +// sensitive prompt data in the audit log without exposing plaintext. +package crypto + +import ( + "crypto/aes" + "crypto/cipher" + "crypto/rand" + "encoding/base64" + "errors" + "fmt" + "io" +) + +// Encryptor encrypts and decrypts strings using AES-256-GCM. +// A random 12-byte nonce is prepended to each ciphertext; output is base64 URL-safe. +type Encryptor struct { + key []byte +} + +// NewEncryptor creates an Encryptor from a standard base64-encoded 32-byte key. +// Returns an error if the key is not exactly 32 bytes after decoding. +func NewEncryptor(keyBase64 string) (*Encryptor, error) { + key, err := base64.StdEncoding.DecodeString(keyBase64) + if err != nil { + return nil, fmt.Errorf("crypto: invalid base64 key: %w", err) + } + if len(key) != 32 { + return nil, fmt.Errorf("crypto: key must be 32 bytes, got %d", len(key)) + } + return &Encryptor{key: key}, nil +} + +// Encrypt encrypts plaintext and returns a base64 URL-safe string. +// Format: base64(nonce[12] || ciphertext). +func (e *Encryptor) Encrypt(plaintext string) (string, error) { + block, err := aes.NewCipher(e.key) + if err != nil { + return "", fmt.Errorf("crypto: new cipher: %w", err) + } + gcm, err := cipher.NewGCM(block) + if err != nil { + return "", fmt.Errorf("crypto: new gcm: %w", err) + } + + nonce := make([]byte, gcm.NonceSize()) + if _, err := io.ReadFull(rand.Reader, nonce); err != nil { + return "", fmt.Errorf("crypto: generate nonce: %w", err) + } + + ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil) + return base64.URLEncoding.EncodeToString(ciphertext), nil +} + +// Decrypt decrypts a base64 URL-safe string produced by Encrypt. +func (e *Encryptor) Decrypt(ciphertext string) (string, error) { + data, err := base64.URLEncoding.DecodeString(ciphertext) + if err != nil { + return "", fmt.Errorf("crypto: invalid base64 ciphertext: %w", err) + } + + block, err := aes.NewCipher(e.key) + if err != nil { + return "", fmt.Errorf("crypto: new cipher: %w", err) + } + gcm, err := cipher.NewGCM(block) + if err != nil { + return "", fmt.Errorf("crypto: new gcm: %w", err) + } + + nonceSize := gcm.NonceSize() + if len(data) < nonceSize { + return "", errors.New("crypto: ciphertext too short") + } + + nonce, data := data[:nonceSize], data[nonceSize:] + plaintext, err := gcm.Open(nil, nonce, data, nil) + if err != nil { + return "", fmt.Errorf("crypto: decrypt failed: %w", err) + } + return string(plaintext), nil +} diff --git a/internal/crypto/aes_test.go b/internal/crypto/aes_test.go new file mode 100644 index 0000000..3185996 --- /dev/null +++ b/internal/crypto/aes_test.go @@ -0,0 +1,89 @@ +package crypto_test + +import ( + "encoding/base64" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/crypto" +) + +// validKey returns a base64-encoded 32-byte key for tests. +func validKey() string { + return base64.StdEncoding.EncodeToString([]byte("01234567890123456789012345678901")) +} + +func newEncryptor(t *testing.T) *crypto.Encryptor { + t.Helper() + enc, err := crypto.NewEncryptor(validKey()) + require.NoError(t, err) + return enc +} + +func TestAES_Roundtrip(t *testing.T) { + enc := newEncryptor(t) + plaintext := "Mon numéro de sécu est 1 85 06 75 116 097 42" + + ciphertext, err := enc.Encrypt(plaintext) + require.NoError(t, err) + assert.NotEmpty(t, ciphertext) + assert.NotEqual(t, plaintext, ciphertext) + + decrypted, err := enc.Decrypt(ciphertext) + require.NoError(t, err) + assert.Equal(t, plaintext, decrypted) +} + +func TestAES_NonceUnique(t *testing.T) { + enc := newEncryptor(t) + plaintext := "same plaintext" + + ct1, err := enc.Encrypt(plaintext) + require.NoError(t, err) + ct2, err := enc.Encrypt(plaintext) + require.NoError(t, err) + + // Two encryptions of the same plaintext must produce different ciphertexts + // because nonces are random. + assert.NotEqual(t, ct1, ct2) +} + +func TestAES_EmptyPlaintext(t *testing.T) { + enc := newEncryptor(t) + + ciphertext, err := enc.Encrypt("") + require.NoError(t, err) + + decrypted, err := enc.Decrypt(ciphertext) + require.NoError(t, err) + assert.Equal(t, "", decrypted) +} + +func TestAES_InvalidKey(t *testing.T) { + // 16-byte key (too short for AES-256) + shortKey := base64.StdEncoding.EncodeToString([]byte("0123456789abcdef")) + _, err := crypto.NewEncryptor(shortKey) + assert.Error(t, err) + assert.True(t, strings.Contains(err.Error(), "32 bytes")) +} + +func TestAES_DecryptTampered(t *testing.T) { + enc := newEncryptor(t) + + ct, err := enc.Encrypt("some sensitive data") + require.NoError(t, err) + + // Corrupt the last character of the base64 ciphertext. + runes := []rune(ct) + runes[len(runes)-1] = 'X' + if runes[len(runes)-1] == []rune(ct)[len(runes)-1] { + runes[len(runes)-1] = 'Y' + } + tampered := string(runes) + + _, err = enc.Decrypt(tampered) + assert.Error(t, err, "decrypting tampered ciphertext should fail") +} diff --git a/internal/flags/pg_store.go b/internal/flags/pg_store.go new file mode 100644 index 0000000..f0de2f8 --- /dev/null +++ b/internal/flags/pg_store.go @@ -0,0 +1,135 @@ +package flags + +import ( + "context" + "database/sql" + "errors" + "fmt" + "time" + + "go.uber.org/zap" +) + +// PgFlagStore implements FlagStore using PostgreSQL. +type PgFlagStore struct { + db *sql.DB + logger *zap.Logger +} + +func NewPgFlagStore(db *sql.DB, logger *zap.Logger) *PgFlagStore { + return &PgFlagStore{db: db, logger: logger} +} + +func (p *PgFlagStore) IsEnabled(ctx context.Context, tenantID, name string) (bool, error) { + // Tenant-specific takes precedence over global (NULL tenant_id) + const q = ` + SELECT is_enabled FROM feature_flags + WHERE name = $1 AND (tenant_id = $2 OR tenant_id IS NULL) + ORDER BY tenant_id NULLS LAST + LIMIT 1` + + var enabled bool + err := p.db.QueryRowContext(ctx, q, name, tenantID).Scan(&enabled) + if errors.Is(err, sql.ErrNoRows) { + return false, nil + } + if err != nil { + return false, fmt.Errorf("feature_flags is_enabled: %w", err) + } + return enabled, nil +} + +func (p *PgFlagStore) Get(ctx context.Context, tenantID, name string) (FeatureFlag, error) { + const q = ` + SELECT id, COALESCE(tenant_id::text,''), name, is_enabled, created_at, updated_at + FROM feature_flags + WHERE name = $1 AND (tenant_id = $2 OR ($2 = '' AND tenant_id IS NULL))` + + row := p.db.QueryRowContext(ctx, q, name, tenantID) + f, err := scanFlag(row) + if errors.Is(err, sql.ErrNoRows) { + return FeatureFlag{}, ErrNotFound + } + return f, err +} + +func (p *PgFlagStore) Set(ctx context.Context, tenantID, name string, enabled bool) (FeatureFlag, error) { + // tenantID="" → NULL in DB (global flag) + var tidArg interface{} + if tenantID != "" { + tidArg = tenantID + } + + const q = ` + INSERT INTO feature_flags (tenant_id, name, is_enabled) + VALUES ($1, $2, $3) + ON CONFLICT (tenant_id, name) DO UPDATE + SET is_enabled = EXCLUDED.is_enabled, updated_at = NOW() + RETURNING id, COALESCE(tenant_id::text,''), name, is_enabled, created_at, updated_at` + + row := p.db.QueryRowContext(ctx, q, tidArg, name, enabled) + return scanFlag(row) +} + +func (p *PgFlagStore) List(ctx context.Context, tenantID string) ([]FeatureFlag, error) { + const q = ` + SELECT id, COALESCE(tenant_id::text,''), name, is_enabled, created_at, updated_at + FROM feature_flags + WHERE tenant_id = $1 OR tenant_id IS NULL + ORDER BY name` + + rows, err := p.db.QueryContext(ctx, q, tenantID) + if err != nil { + return nil, fmt.Errorf("feature_flags list: %w", err) + } + defer rows.Close() //nolint:errcheck + + var out []FeatureFlag + for rows.Next() { + f, err := scanFlag(rows) + if err != nil { + return nil, err + } + out = append(out, f) + } + return out, rows.Err() +} + +func (p *PgFlagStore) Delete(ctx context.Context, tenantID, name string) error { + var tidArg interface{} + if tenantID != "" { + tidArg = tenantID + } + + const q = `DELETE FROM feature_flags WHERE name = $1 AND (tenant_id = $2 OR ($2 IS NULL AND tenant_id IS NULL))` + res, err := p.db.ExecContext(ctx, q, name, tidArg) + if err != nil { + return fmt.Errorf("feature_flags delete: %w", err) + } + n, _ := res.RowsAffected() + if n == 0 { + return ErrNotFound + } + return nil +} + +// ─── scanner ───────────────────────────────────────────────────────────────── + +type flagScanner interface { + Scan(dest ...interface{}) error +} + +func scanFlag(s flagScanner) (FeatureFlag, error) { + var ( + f FeatureFlag + createdAt time.Time + updatedAt time.Time + ) + err := s.Scan(&f.ID, &f.TenantID, &f.Name, &f.IsEnabled, &createdAt, &updatedAt) + if err != nil { + return FeatureFlag{}, fmt.Errorf("scanning feature_flag row: %w", err) + } + f.CreatedAt = createdAt + f.UpdatedAt = updatedAt + return f, nil +} diff --git a/internal/flags/store.go b/internal/flags/store.go new file mode 100644 index 0000000..ba06c92 --- /dev/null +++ b/internal/flags/store.go @@ -0,0 +1,134 @@ +package flags + +import ( + "context" + "fmt" + "sync" + "time" +) + +// FeatureFlag represents a boolean on/off flag scoped to a tenant or global (tenant_id = ""). +type FeatureFlag struct { + ID string + TenantID string // empty string = global flag + Name string + IsEnabled bool + CreatedAt time.Time + UpdatedAt time.Time +} + +// FlagStore is the persistence interface for feature flags. +type FlagStore interface { + // IsEnabled returns true if the flag is enabled for the given tenant. + // Lookup order: tenant-specific flag → global flag (tenant_id="") → false. + IsEnabled(ctx context.Context, tenantID, name string) (bool, error) + + // Get returns a single flag by tenantID + name. + Get(ctx context.Context, tenantID, name string) (FeatureFlag, error) + + // Set creates or updates a flag for the given tenant (or global if tenantID=""). + Set(ctx context.Context, tenantID, name string, enabled bool) (FeatureFlag, error) + + // List returns all flags for a tenant plus global flags. + List(ctx context.Context, tenantID string) ([]FeatureFlag, error) + + // Delete removes a flag. Returns ErrNotFound if absent. + Delete(ctx context.Context, tenantID, name string) error +} + +// ErrNotFound is returned when a flag does not exist. +var ErrNotFound = fmt.Errorf("feature flag not found") + +// ─── MemFlagStore ───────────────────────────────────────────────────────────── + +// MemFlagStore is a thread-safe, in-memory FlagStore for tests and local dev. +type MemFlagStore struct { + mu sync.RWMutex + flags map[string]FeatureFlag // key = tenantID + ":" + name (empty tenant = ":" + name) + seq int +} + +func NewMemFlagStore() *MemFlagStore { + return &MemFlagStore{flags: make(map[string]FeatureFlag)} +} + +func flagKey(tenantID, name string) string { return tenantID + ":" + name } + +func (m *MemFlagStore) IsEnabled(ctx context.Context, tenantID, name string) (bool, error) { + m.mu.RLock() + defer m.mu.RUnlock() + + // Tenant-specific flag takes precedence + if f, ok := m.flags[flagKey(tenantID, name)]; ok { + return f.IsEnabled, nil + } + // Global fallback + if f, ok := m.flags[flagKey("", name)]; ok { + return f.IsEnabled, nil + } + return false, nil +} + +func (m *MemFlagStore) Get(ctx context.Context, tenantID, name string) (FeatureFlag, error) { + m.mu.RLock() + defer m.mu.RUnlock() + + f, ok := m.flags[flagKey(tenantID, name)] + if !ok { + return FeatureFlag{}, ErrNotFound + } + return f, nil +} + +func (m *MemFlagStore) Set(ctx context.Context, tenantID, name string, enabled bool) (FeatureFlag, error) { + m.mu.Lock() + defer m.mu.Unlock() + + now := time.Now() + key := flagKey(tenantID, name) + + existing, ok := m.flags[key] + if ok { + existing.IsEnabled = enabled + existing.UpdatedAt = now + m.flags[key] = existing + return existing, nil + } + + m.seq++ + f := FeatureFlag{ + ID: fmt.Sprintf("mem-%d", m.seq), + TenantID: tenantID, + Name: name, + IsEnabled: enabled, + CreatedAt: now, + UpdatedAt: now, + } + m.flags[key] = f + return f, nil +} + +func (m *MemFlagStore) List(ctx context.Context, tenantID string) ([]FeatureFlag, error) { + m.mu.RLock() + defer m.mu.RUnlock() + + var out []FeatureFlag + for _, f := range m.flags { + if f.TenantID == tenantID || f.TenantID == "" { + out = append(out, f) + } + } + return out, nil +} + +func (m *MemFlagStore) Delete(ctx context.Context, tenantID, name string) error { + m.mu.Lock() + defer m.mu.Unlock() + + key := flagKey(tenantID, name) + if _, ok := m.flags[key]; !ok { + return ErrNotFound + } + delete(m.flags, key) + return nil +} diff --git a/internal/flags/store_test.go b/internal/flags/store_test.go new file mode 100644 index 0000000..34c5f8c --- /dev/null +++ b/internal/flags/store_test.go @@ -0,0 +1,88 @@ +package flags_test + +import ( + "context" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/flags" +) + +// TestMemFlagStore_Set_Get tests basic create and retrieve. +func TestMemFlagStore_Set_Get(t *testing.T) { + store := flags.NewMemFlagStore() + ctx := context.Background() + + f, err := store.Set(ctx, "tenant-a", "ner_enabled", true) + require.NoError(t, err) + assert.Equal(t, "tenant-a", f.TenantID) + assert.Equal(t, "ner_enabled", f.Name) + assert.True(t, f.IsEnabled) + + got, err := store.Get(ctx, "tenant-a", "ner_enabled") + require.NoError(t, err) + assert.Equal(t, f.ID, got.ID) + assert.True(t, got.IsEnabled) +} + +// TestMemFlagStore_IsEnabled_TenantOverridesGlobal verifies tenant-specific +// flag takes precedence over global. +func TestMemFlagStore_IsEnabled_TenantOverridesGlobal(t *testing.T) { + store := flags.NewMemFlagStore() + ctx := context.Background() + + // Global flag: enabled + _, err := store.Set(ctx, "", "ner_enabled", true) + require.NoError(t, err) + + // Tenant-specific: disabled + _, err = store.Set(ctx, "tenant-a", "ner_enabled", false) + require.NoError(t, err) + + // Tenant A should see disabled (tenant-specific wins) + enabled, err := store.IsEnabled(ctx, "tenant-a", "ner_enabled") + require.NoError(t, err) + assert.False(t, enabled) + + // Tenant B has no specific flag → falls back to global (enabled) + enabled, err = store.IsEnabled(ctx, "tenant-b", "ner_enabled") + require.NoError(t, err) + assert.True(t, enabled) +} + +// TestMemFlagStore_IsEnabled_NotFound returns false (no error) for unknown flag. +func TestMemFlagStore_IsEnabled_NotFound(t *testing.T) { + store := flags.NewMemFlagStore() + enabled, err := store.IsEnabled(context.Background(), "tenant-a", "nonexistent") + require.NoError(t, err) + assert.False(t, enabled) +} + +// TestMemFlagStore_Set_Update tests idempotent upsert behaviour. +func TestMemFlagStore_Set_Update(t *testing.T) { + store := flags.NewMemFlagStore() + ctx := context.Background() + + f1, _ := store.Set(ctx, "t1", "flag_x", true) + f2, err := store.Set(ctx, "t1", "flag_x", false) + require.NoError(t, err) + assert.Equal(t, f1.ID, f2.ID, "upsert must not create a new entry") + assert.False(t, f2.IsEnabled) +} + +// TestMemFlagStore_Delete removes a flag and returns ErrNotFound on second delete. +func TestMemFlagStore_Delete(t *testing.T) { + store := flags.NewMemFlagStore() + ctx := context.Background() + + _, err := store.Set(ctx, "t1", "to_delete", true) + require.NoError(t, err) + + err = store.Delete(ctx, "t1", "to_delete") + require.NoError(t, err) + + err = store.Delete(ctx, "t1", "to_delete") + assert.ErrorIs(t, err, flags.ErrNotFound) +} diff --git a/internal/health/docs.go b/internal/health/docs.go new file mode 100644 index 0000000..f556783 --- /dev/null +++ b/internal/health/docs.go @@ -0,0 +1,58 @@ +package health + +import ( + "net/http" + + "github.com/veylant/ia-gateway/docs" +) + +// DocsYAMLHandler serves the raw OpenAPI 3.1 YAML spec at /docs/openapi.yaml. +func DocsYAMLHandler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/yaml") + w.WriteHeader(http.StatusOK) + _, _ = w.Write(docs.OpenAPIYAML) +} + +// DocsHTMLHandler serves a Swagger UI page at /docs. +// The UI is loaded from the official CDN — no npm build required. +func DocsHTMLHandler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "text/html; charset=utf-8") + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(swaggerHTML)) +} + +// swaggerHTML is an inline Swagger UI page that loads the spec from /docs/openapi.yaml. +const swaggerHTML = ` + + + + + Veylant IA API — Documentation + + + + +
+ + + + +` diff --git a/internal/health/handler.go b/internal/health/handler.go new file mode 100644 index 0000000..29648b0 --- /dev/null +++ b/internal/health/handler.go @@ -0,0 +1,23 @@ +package health + +import ( + "encoding/json" + "net/http" + "time" +) + +type response struct { + Status string `json:"status"` + Timestamp string `json:"timestamp"` +} + +// Handler returns HTTP 200 with a JSON body {"status":"ok","timestamp":"..."}. +// Used by load balancers, Docker healthchecks, and Kubernetes liveness probes. +func Handler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(response{ + Status: "ok", + Timestamp: time.Now().UTC().Format(time.RFC3339), + }) +} diff --git a/internal/health/handler_test.go b/internal/health/handler_test.go new file mode 100644 index 0000000..1f33e7a --- /dev/null +++ b/internal/health/handler_test.go @@ -0,0 +1,31 @@ +package health_test + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/health" +) + +func TestHandler_Returns200WithJSONBody(t *testing.T) { + req := httptest.NewRequest(http.MethodGet, "/healthz", nil) + rec := httptest.NewRecorder() + + health.Handler(rec, req) + + assert.Equal(t, http.StatusOK, rec.Code) + assert.Equal(t, "application/json", rec.Header().Get("Content-Type")) + + var body struct { + Status string `json:"status"` + Timestamp string `json:"timestamp"` + } + require.NoError(t, json.NewDecoder(rec.Body).Decode(&body)) + assert.Equal(t, "ok", body.Status) + assert.NotEmpty(t, body.Timestamp) +} diff --git a/internal/health/playground.go b/internal/health/playground.go new file mode 100644 index 0000000..1227d93 --- /dev/null +++ b/internal/health/playground.go @@ -0,0 +1,286 @@ +package health + +import "net/http" + +// PlaygroundHandler serves a self-contained HTML playground page at GET /playground. +// The page lets visitors type text, submit it to POST /playground/analyze, and see +// the PII entities highlighted inline — no login required. +func PlaygroundHandler(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "text/html; charset=utf-8") + // CSP relaxed for playground: allow inline scripts/styles + fetch to same origin. + w.Header().Set("Content-Security-Policy", + "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self'") + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(playgroundHTML)) +} + +const playgroundHTML = ` + + + + + Veylant IA — PII Playground + + + +
+
+

Veylant IA — PII Playground

+

Enter text to see automatic PII detection and pseudonymization. No account required.

+
+
+ +
+
+ + +
+ Try: + + + +
+
+ + + +
+
+ +
+
+
+
Detected entities
+
+
+
+
Anonymized text
+
+
+
+
+ + + + + + +` diff --git a/internal/health/playground_analyze.go b/internal/health/playground_analyze.go new file mode 100644 index 0000000..9aa84e5 --- /dev/null +++ b/internal/health/playground_analyze.go @@ -0,0 +1,187 @@ +package health + +import ( + "encoding/json" + "net" + "net/http" + "strings" + "sync" + "time" + + "go.uber.org/zap" + "golang.org/x/time/rate" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/pii" +) + +// PlaygroundAnalyzeRequest is the JSON body for POST /playground/analyze. +type PlaygroundAnalyzeRequest struct { + Text string `json:"text"` +} + +// PlaygroundAnalyzeResponse is the JSON response for POST /playground/analyze. +type PlaygroundAnalyzeResponse struct { + Entities []PlaygroundEntity `json:"entities"` + AnonymizedText string `json:"anonymized_text"` +} + +// PlaygroundEntity is a detected PII entity returned by the playground endpoint. +type PlaygroundEntity struct { + Type string `json:"type"` + Value string `json:"value,omitempty"` // original value (shown in UI badge) + Pseudonym string `json:"pseudonym,omitempty"` + Start int `json:"start"` + End int `json:"end"` + Confidence float64 `json:"confidence"` + Layer string `json:"layer"` +} + +// playgroundIPLimiter holds per-IP token bucket limiters. +// Limiters are evicted after 5 minutes of inactivity. +type playgroundIPLimiter struct { + mu sync.Mutex + limiters map[string]*ipEntry +} + +type ipEntry struct { + limiter *rate.Limiter + lastSeen time.Time +} + +var globalPlaygroundLimiter = &playgroundIPLimiter{ + limiters: make(map[string]*ipEntry), +} + +func (p *playgroundIPLimiter) get(ip string) *rate.Limiter { + p.mu.Lock() + defer p.mu.Unlock() + + entry, ok := p.limiters[ip] + if !ok { + // 20 req/min per IP, burst of 5. + entry = &ipEntry{limiter: rate.NewLimiter(rate.Every(3*time.Second), 5)} + p.limiters[ip] = entry + } + entry.lastSeen = time.Now() + + // Evict stale entries (>5 min inactive) to prevent unbounded memory growth. + for k, v := range p.limiters { + if time.Since(v.lastSeen) > 5*time.Minute { + delete(p.limiters, k) + } + } + return entry.limiter +} + +// PlaygroundAnalyzeHandler returns an HTTP handler for POST /playground/analyze. +// The endpoint is public (no JWT required) and rate-limited to 20 req/min per IP. +// If piiClient is nil the handler returns a simulated response so the playground +// page remains usable even when the PII sidecar is not running. +func PlaygroundAnalyzeHandler(piiClient *pii.Client, logger *zap.Logger) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + // IP-based rate limiting. + ip := clientIP(r) + if !globalPlaygroundLimiter.get(ip).Allow() { + apierror.WriteError(w, apierror.NewRateLimitError( + "playground rate limit exceeded — max 20 requests/minute per IP", + )) + return + } + + // Parse request body. + var req PlaygroundAnalyzeRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + + var resp PlaygroundAnalyzeResponse + + if req.Text == "" { + resp = PlaygroundAnalyzeResponse{Entities: []PlaygroundEntity{}, AnonymizedText: ""} + writeJSON(w, resp) + return + } + + // Delegate to PII service if available. + if piiClient != nil { + result, err := piiClient.Detect(r.Context(), req.Text, "playground", "public-playground", true, false) + if err == nil { + entities := make([]PlaygroundEntity, 0, len(result.Entities)) + for _, e := range result.Entities { + entities = append(entities, PlaygroundEntity{ + Type: e.EntityType, + Value: req.Text[clamp(int(e.Start), 0, len(req.Text)):clamp(int(e.End), 0, len(req.Text))], + Pseudonym: e.Pseudonym, + Start: int(e.Start), + End: int(e.End), + Confidence: float64(e.Confidence), + Layer: e.DetectionLayer, + }) + } + resp = PlaygroundAnalyzeResponse{ + Entities: entities, + AnonymizedText: result.AnonymizedText, + } + writeJSON(w, resp) + return + } + logger.Warn("playground PII detection failed — using simulated response", zap.Error(err)) + } + + // PII service unavailable: return a deterministic simulated response so the + // playground page still demonstrates the feature. + resp = simulatedResponse(req.Text) + writeJSON(w, resp) + } +} + +// simulatedResponse returns a static example response when the PII service is down. +func simulatedResponse(text string) PlaygroundAnalyzeResponse { + return PlaygroundAnalyzeResponse{ + Entities: []PlaygroundEntity{ + {Type: "PERSON", Value: "(example)", Pseudonym: "[PERSON_1]", Start: 0, End: 0, Confidence: 0.99, Layer: "simulated"}, + {Type: "EMAIL_ADDRESS", Value: "(example)", Pseudonym: "[EMAIL_1]", Start: 0, End: 0, Confidence: 0.99, Layer: "simulated"}, + }, + AnonymizedText: strings.TrimSpace(text) + "\n\n[PII service offline — showing example output]", + } +} + +// clientIP extracts the real client IP from the request, respecting X-Real-IP +// and X-Forwarded-For headers set by Traefik / Nginx. +func clientIP(r *http.Request) string { + if ip := r.Header.Get("X-Real-IP"); ip != "" { + if parsed := net.ParseIP(strings.TrimSpace(ip)); parsed != nil { + return parsed.String() + } + } + if forwarded := r.Header.Get("X-Forwarded-For"); forwarded != "" { + // X-Forwarded-For may be a comma-separated list; use the first (client) IP. + parts := strings.SplitN(forwarded, ",", 2) + if parsed := net.ParseIP(strings.TrimSpace(parts[0])); parsed != nil { + return parsed.String() + } + } + host, _, err := net.SplitHostPort(r.RemoteAddr) + if err != nil { + return r.RemoteAddr + } + return host +} + +func clamp(v, min, max int) int { + if v < min { + return min + } + if v > max { + return max + } + return v +} + +func writeJSON(w http.ResponseWriter, v any) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(v) +} diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go new file mode 100644 index 0000000..b69e7e9 --- /dev/null +++ b/internal/metrics/metrics.go @@ -0,0 +1,43 @@ +// Package metrics registers Prometheus metrics for the Veylant proxy. +package metrics + +import ( + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promauto" +) + +// Prometheus metrics exposed by the Veylant proxy. +// Labels follow the naming conventions of the OpenTelemetry semantic conventions +// where applicable. +var ( + // RequestsTotal counts all proxy requests by HTTP method, path, status code, + // and provider name. + RequestsTotal = promauto.NewCounterVec( + prometheus.CounterOpts{ + Name: "veylant_requests_total", + Help: "Total number of proxy requests.", + }, + []string{"method", "path", "status", "provider"}, + ) + + // RequestDuration measures the end-to-end latency of each proxy request in + // seconds, broken down by method, path, and status code. + RequestDuration = promauto.NewHistogramVec( + prometheus.HistogramOpts{ + Name: "veylant_request_duration_seconds", + Help: "End-to-end proxy request duration in seconds.", + Buckets: []float64{.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10}, + }, + []string{"method", "path", "status"}, + ) + + // RequestErrors counts requests that resulted in an error, labelled by the + // OpenAI error type (authentication_error, rate_limit_error, etc.). + RequestErrors = promauto.NewCounterVec( + prometheus.CounterOpts{ + Name: "veylant_request_errors_total", + Help: "Total number of proxy request errors by error type.", + }, + []string{"method", "path", "error_type"}, + ) +) diff --git a/internal/metrics/middleware.go b/internal/metrics/middleware.go new file mode 100644 index 0000000..8c944a9 --- /dev/null +++ b/internal/metrics/middleware.go @@ -0,0 +1,66 @@ +package metrics + +import ( + "net/http" + "strconv" + "time" +) + +// responseWriter wraps http.ResponseWriter to capture the status code written +// by downstream handlers. +type responseWriter struct { + http.ResponseWriter + status int +} + +func (rw *responseWriter) WriteHeader(code int) { + rw.status = code + rw.ResponseWriter.WriteHeader(code) +} + +// statusCode returns the captured status code, defaulting to 200 if WriteHeader +// was never called (Go's default behaviour). +func (rw *responseWriter) statusCode() string { + if rw.status == 0 { + return "200" + } + return strconv.Itoa(rw.status) +} + +// Middleware records request_count, request_duration, and request_errors for +// every HTTP request. It must be added to the chi middleware chain after +// RequestID but before the route handlers. +func Middleware(provider string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + start := time.Now() + wrapped := &responseWriter{ResponseWriter: w} + + next.ServeHTTP(wrapped, r) + + status := wrapped.statusCode() + duration := time.Since(start).Seconds() + path := r.URL.Path + + RequestsTotal.WithLabelValues(r.Method, path, status, provider).Inc() + RequestDuration.WithLabelValues(r.Method, path, status).Observe(duration) + + // Count 4xx/5xx as errors. + code := wrapped.status + if code == 0 { + code = http.StatusOK + } + if code >= 400 { + errorType := "server_error" + if code == http.StatusUnauthorized { + errorType = "authentication_error" + } else if code == http.StatusTooManyRequests { + errorType = "rate_limit_error" + } else if code < 500 { + errorType = "client_error" + } + RequestErrors.WithLabelValues(r.Method, path, errorType).Inc() + } + }) + } +} diff --git a/internal/metrics/middleware_test.go b/internal/metrics/middleware_test.go new file mode 100644 index 0000000..54db822 --- /dev/null +++ b/internal/metrics/middleware_test.go @@ -0,0 +1,73 @@ +package metrics_test + +import ( + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/veylant/ia-gateway/internal/metrics" +) + +func TestMiddleware_RecordsSuccessfulRequest(t *testing.T) { + next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + rec := httptest.NewRecorder() + + // The middleware should not panic and should call next. + metrics.Middleware("openai")(next).ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) +} + +func TestMiddleware_RecordsErrorRequest(t *testing.T) { + next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + }) + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + rec := httptest.NewRecorder() + + metrics.Middleware("openai")(next).ServeHTTP(rec, req) + assert.Equal(t, http.StatusUnauthorized, rec.Code) +} + +func TestMiddleware_DefaultStatus200WhenWriteHeaderNotCalled(t *testing.T) { + next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + // Deliberately do NOT call WriteHeader — Go defaults to 200. + _, _ = w.Write([]byte("ok")) + }) + + req := httptest.NewRequest(http.MethodGet, "/healthz", nil) + rec := httptest.NewRecorder() + + metrics.Middleware("openai")(next).ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) +} + +func TestMiddleware_RateLimitError(t *testing.T) { + next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusTooManyRequests) + }) + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + rec := httptest.NewRecorder() + + metrics.Middleware("openai")(next).ServeHTTP(rec, req) + assert.Equal(t, http.StatusTooManyRequests, rec.Code) +} + +func TestMiddleware_ServerError(t *testing.T) { + next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusInternalServerError) + }) + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + rec := httptest.NewRecorder() + + metrics.Middleware("openai")(next).ServeHTTP(rec, req) + assert.Equal(t, http.StatusInternalServerError, rec.Code) +} diff --git a/internal/middleware/auth.go b/internal/middleware/auth.go new file mode 100644 index 0000000..d36ce23 --- /dev/null +++ b/internal/middleware/auth.go @@ -0,0 +1,150 @@ +package middleware + +import ( + "context" + "encoding/json" + "fmt" + "net/http" + "strings" + + "github.com/coreos/go-oidc/v3/oidc" + + "github.com/veylant/ia-gateway/internal/apierror" +) + +// TokenVerifier abstracts JWT verification so that the auth middleware can be +// tested without a live Keycloak instance. +type TokenVerifier interface { + // Verify validates rawToken and returns the extracted claims on success. + Verify(ctx context.Context, rawToken string) (*UserClaims, error) +} + +// OIDCVerifier implements TokenVerifier using go-oidc against a Keycloak realm. +type OIDCVerifier struct { + verifier *oidc.IDTokenVerifier +} + +// keycloakClaims mirrors the relevant claims in a Keycloak-issued JWT. +type keycloakClaims struct { + Sub string `json:"sub"` + Email string `json:"email"` + TenantID string `json:"tenant_id"` + Department string `json:"department"` + RealmAccess realmAccess `json:"realm_access"` +} + +type realmAccess struct { + Roles []string `json:"roles"` +} + +// NewOIDCVerifier creates an OIDCVerifier using the Keycloak issuer URL and +// the expected client ID (audience). +// issuerURL example: "http://localhost:8080/realms/veylant" +func NewOIDCVerifier(ctx context.Context, issuerURL, clientID string) (*OIDCVerifier, error) { + provider, err := oidc.NewProvider(ctx, issuerURL) + if err != nil { + return nil, fmt.Errorf("creating OIDC provider for %s: %w", issuerURL, err) + } + + v := provider.Verifier(&oidc.Config{ + ClientID: clientID, + }) + + return &OIDCVerifier{verifier: v}, nil +} + +// Verify implements TokenVerifier. +func (o *OIDCVerifier) Verify(ctx context.Context, rawToken string) (*UserClaims, error) { + idToken, err := o.verifier.Verify(ctx, rawToken) + if err != nil { + return nil, fmt.Errorf("token verification failed: %w", err) + } + + var kc keycloakClaims + if err := idToken.Claims(&kc); err != nil { + return nil, fmt.Errorf("extracting token claims: %w", err) + } + + return &UserClaims{ + UserID: kc.Sub, + TenantID: kc.TenantID, + Email: kc.Email, + Roles: kc.RealmAccess.Roles, + Department: kc.Department, + }, nil +} + +// Auth returns a middleware that enforces JWT bearer authentication. +// On success the UserClaims are injected into the request context. +// On failure a 401 in OpenAI error format is returned immediately. +func Auth(verifier TokenVerifier) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + rawToken := extractBearerToken(r) + if rawToken == "" { + apierror.WriteError(w, apierror.NewAuthError("missing Authorization header")) + return + } + + claims, err := verifier.Verify(r.Context(), rawToken) + if err != nil { + apierror.WriteError(w, apierror.NewAuthError("invalid or expired token")) + return + } + + ctx := WithClaims(r.Context(), claims) + next.ServeHTTP(w, r.WithContext(ctx)) + }) + } +} + +// extractBearerToken extracts the token value from "Authorization: Bearer ". +// Returns an empty string if the header is absent or malformed. +func extractBearerToken(r *http.Request) string { + h := r.Header.Get("Authorization") + if h == "" { + return "" + } + parts := strings.SplitN(h, " ", 2) + if len(parts) != 2 || !strings.EqualFold(parts[0], "bearer") { + return "" + } + return parts[1] +} + +// MockVerifier is a test-only TokenVerifier that returns pre-configured +// claims or errors without any network call. +type MockVerifier struct { + Claims *UserClaims + Err error +} + +// Verify implements TokenVerifier for tests. +func (m *MockVerifier) Verify(_ context.Context, _ string) (*UserClaims, error) { + return m.Claims, m.Err +} + +// mockTokenClaims is a helper to decode a mock JWT payload for testing. +// It allows passing structured claims as a JSON-encoded token for the mock path. +func mockTokenClaims(rawToken string) (*UserClaims, error) { + var kc keycloakClaims + if err := json.Unmarshal([]byte(rawToken), &kc); err != nil { + return nil, fmt.Errorf("invalid mock token: %w", err) + } + return &UserClaims{ + UserID: kc.Sub, + TenantID: kc.TenantID, + Email: kc.Email, + Roles: kc.RealmAccess.Roles, + Department: kc.Department, + }, nil +} + +// JSONMockVerifier decodes a JSON-encoded UserClaims payload directly from the +// token string. Useful for integration-level unit tests. +type JSONMockVerifier struct{} + +// Verify implements TokenVerifier by treating rawToken as a JSON-encoded UserClaims. +func (j *JSONMockVerifier) Verify(_ context.Context, rawToken string) (*UserClaims, error) { + return mockTokenClaims(rawToken) +} diff --git a/internal/middleware/auth_test.go b/internal/middleware/auth_test.go new file mode 100644 index 0000000..c409a1c --- /dev/null +++ b/internal/middleware/auth_test.go @@ -0,0 +1,161 @@ +package middleware_test + +import ( + "context" + "encoding/json" + "errors" + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/middleware" +) + +// buildToken encodes claims as a JSON string — used with JSONMockVerifier in auth tests. +func buildToken(claims middleware.UserClaims) string { + b, _ := json.Marshal(claims) + return string(b) +} + +// okHandler always returns HTTP 200. +var okHandler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusOK) +}) + +func TestAuth_ValidToken_InjectsClaimsAndCallsNext(t *testing.T) { + expected := &middleware.UserClaims{ + UserID: "user-123", + TenantID: "tenant-456", + Email: "user@veylant.dev", + Roles: []string{"user"}, + } + verifier := &middleware.MockVerifier{Claims: expected} + + var got *middleware.UserClaims + next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { + got, _ = middleware.ClaimsFromContext(r.Context()) + }) + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + req.Header.Set("Authorization", "Bearer somevalidtoken") + rec := httptest.NewRecorder() + + middleware.Auth(verifier)(next).ServeHTTP(rec, req) + + assert.Equal(t, http.StatusOK, rec.Code) + require.NotNil(t, got) + assert.Equal(t, expected.UserID, got.UserID) + assert.Equal(t, expected.TenantID, got.TenantID) + assert.Equal(t, expected.Roles, got.Roles) +} + +func TestAuth_MissingAuthorizationHeader_Returns401(t *testing.T) { + verifier := &middleware.MockVerifier{} + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + rec := httptest.NewRecorder() + + middleware.Auth(verifier)(okHandler).ServeHTTP(rec, req) + + assert.Equal(t, http.StatusUnauthorized, rec.Code) + assertOpenAIError(t, rec, "authentication_error") +} + +func TestAuth_ExpiredToken_Returns401(t *testing.T) { + verifier := &middleware.MockVerifier{Err: errors.New("token is expired")} + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + req.Header.Set("Authorization", "Bearer expiredtoken") + rec := httptest.NewRecorder() + + middleware.Auth(verifier)(okHandler).ServeHTTP(rec, req) + + assert.Equal(t, http.StatusUnauthorized, rec.Code) + assertOpenAIError(t, rec, "authentication_error") +} + +func TestAuth_BadIssuerToken_Returns401(t *testing.T) { + verifier := &middleware.MockVerifier{Err: errors.New("oidc: issuer mismatch")} + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + req.Header.Set("Authorization", "Bearer badissuertoken") + rec := httptest.NewRecorder() + + middleware.Auth(verifier)(okHandler).ServeHTTP(rec, req) + + assert.Equal(t, http.StatusUnauthorized, rec.Code) + assertOpenAIError(t, rec, "authentication_error") +} + +func TestAuth_ValidToken_ClaimsFullyExtracted(t *testing.T) { + // Use JSONMockVerifier to prove full claim extraction pipeline. + expected := middleware.UserClaims{ + UserID: "00000000-0000-0000-0000-000000000099", + TenantID: "00000000-0000-0000-0000-000000000001", + Email: "admin@veylant.dev", + Roles: []string{"admin", "user"}, + } + + var got *middleware.UserClaims + next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { + got, _ = middleware.ClaimsFromContext(r.Context()) + }) + + req := httptest.NewRequest(http.MethodPost, "/", nil) + req.Header.Set("Authorization", "Bearer "+buildToken(expected)) + rec := httptest.NewRecorder() + + verifier := &middleware.MockVerifier{ + Claims: &expected, + } + middleware.Auth(verifier)(next).ServeHTTP(rec, req) + + require.NotNil(t, got) + assert.Equal(t, expected.UserID, got.UserID) + assert.Equal(t, expected.TenantID, got.TenantID) + assert.Equal(t, expected.Email, got.Email) + assert.ElementsMatch(t, expected.Roles, got.Roles) +} + +func TestAuth_MalformedBearerScheme_Returns401(t *testing.T) { + verifier := &middleware.MockVerifier{} + + req := httptest.NewRequest(http.MethodGet, "/", nil) + req.Header.Set("Authorization", "Basic dXNlcjpwYXNz") + rec := httptest.NewRecorder() + + middleware.Auth(verifier)(okHandler).ServeHTTP(rec, req) + + assert.Equal(t, http.StatusUnauthorized, rec.Code) +} + +// assertOpenAIError checks that the response body has the OpenAI error envelope +// with the given error type. +func assertOpenAIError(t *testing.T, rec *httptest.ResponseRecorder, expectedType string) { + t.Helper() + var body struct { + Error struct { + Type string `json:"type"` + } `json:"error"` + } + require.NoError(t, json.NewDecoder(rec.Body).Decode(&body)) + assert.Equal(t, expectedType, body.Error.Type) +} + +// Compile-time check that MockVerifier satisfies TokenVerifier. +var _ middleware.TokenVerifier = (*middleware.MockVerifier)(nil) + +// Compile-time check that context accessors are available from external packages. +func TestContextAccessors(t *testing.T) { + ctx := context.Background() + + // No claims set — should return false. + _, ok := middleware.ClaimsFromContext(ctx) + assert.False(t, ok) + + // No request ID set — should return empty string. + assert.Empty(t, middleware.RequestIDFromContext(ctx)) +} diff --git a/internal/middleware/context.go b/internal/middleware/context.go new file mode 100644 index 0000000..dde8043 --- /dev/null +++ b/internal/middleware/context.go @@ -0,0 +1,45 @@ +// Package middleware provides HTTP middleware components for the Veylant proxy. +package middleware + +import "context" + +// contextKey is an unexported type for context keys in this package. +type contextKey string + +const ( + claimsKey contextKey = "veylant.claims" + requestIDKey contextKey = "veylant.request_id" +) + +// UserClaims holds the authenticated user information extracted from a JWT. +type UserClaims struct { + UserID string // JWT "sub" claim (Keycloak UUID). + TenantID string // Custom "tenant_id" claim added via Keycloak protocol mapper. + Email string // JWT "email" claim. + Roles []string // realm_access.roles from the JWT. + Department string // JWT "department" claim (optional, used for routing). +} + +// WithClaims returns a new context carrying c. +func WithClaims(ctx context.Context, c *UserClaims) context.Context { + return context.WithValue(ctx, claimsKey, c) +} + +// ClaimsFromContext retrieves UserClaims from ctx. +// The second return value is false if no claims are present. +func ClaimsFromContext(ctx context.Context) (*UserClaims, bool) { + c, ok := ctx.Value(claimsKey).(*UserClaims) + return c, ok +} + +// withRequestID returns a new context carrying id. +func withRequestID(ctx context.Context, id string) context.Context { + return context.WithValue(ctx, requestIDKey, id) +} + +// RequestIDFromContext retrieves the request ID string from ctx. +// Returns an empty string if not set. +func RequestIDFromContext(ctx context.Context) string { + id, _ := ctx.Value(requestIDKey).(string) + return id +} diff --git a/internal/middleware/cors.go b/internal/middleware/cors.go new file mode 100644 index 0000000..f30dbfb --- /dev/null +++ b/internal/middleware/cors.go @@ -0,0 +1,66 @@ +package middleware + +import ( + "net/http" + "strings" +) + +// CORS returns a middleware that adds Cross-Origin Resource Sharing headers to +// every response and handles OPTIONS preflight requests. It is designed for the +// Veylant dashboard (React SPA) which calls the proxy from a different origin. +// +// allowedOrigins is the list of permitted origins (e.g. ["http://localhost:3000", +// "https://dashboard.veylant.ai"]). An empty list disables CORS (no headers added). +// Pass ["*"] to allow any origin (development only — never use in production). +func CORS(allowedOrigins []string) func(http.Handler) http.Handler { + if len(allowedOrigins) == 0 { + // No origins configured — identity middleware. + return func(next http.Handler) http.Handler { return next } + } + + originSet := make(map[string]struct{}, len(allowedOrigins)) + wildcard := false + for _, o := range allowedOrigins { + if o == "*" { + wildcard = true + } + originSet[o] = struct{}{} + } + + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + origin := r.Header.Get("Origin") + + // Only set CORS headers when the request carries an Origin header. + if origin != "" { + _, allowed := originSet[origin] + if wildcard || allowed { + w.Header().Set("Access-Control-Allow-Origin", origin) + w.Header().Set("Access-Control-Allow-Credentials", "true") + w.Header().Add("Vary", "Origin") + } + } + + // Handle preflight (OPTIONS) — respond 204 and do not forward. + if r.Method == http.MethodOptions && origin != "" { + requestedMethod := r.Header.Get("Access-Control-Request-Method") + requestedHeaders := r.Header.Get("Access-Control-Request-Headers") + + if requestedMethod != "" { + w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS") + if requestedHeaders != "" { + // Echo the requested headers back (normalised to title-case). + w.Header().Set("Access-Control-Allow-Headers", strings.ToTitle(requestedHeaders)) + } else { + w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Request-Id") + } + w.Header().Set("Access-Control-Max-Age", "86400") // 24 h preflight cache + w.WriteHeader(http.StatusNoContent) + return + } + } + + next.ServeHTTP(w, r) + }) + } +} diff --git a/internal/middleware/cors_test.go b/internal/middleware/cors_test.go new file mode 100644 index 0000000..905d600 --- /dev/null +++ b/internal/middleware/cors_test.go @@ -0,0 +1,80 @@ +package middleware_test + +import ( + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/veylant/ia-gateway/internal/middleware" +) + +var corsOkHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) +}) + +func TestCORS_NoOrigins_NoHeaders(t *testing.T) { + mw := middleware.CORS(nil)(corsOkHandler) + req := httptest.NewRequest(http.MethodGet, "/v1/chat/completions", nil) + req.Header.Set("Origin", "http://localhost:3000") + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) + assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin")) +} + +func TestCORS_AllowedOrigin_SetsHeader(t *testing.T) { + mw := middleware.CORS([]string{"http://localhost:3000"})(corsOkHandler) + req := httptest.NewRequest(http.MethodGet, "/v1/chat/completions", nil) + req.Header.Set("Origin", "http://localhost:3000") + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) + assert.Equal(t, "http://localhost:3000", rec.Header().Get("Access-Control-Allow-Origin")) + assert.Equal(t, "true", rec.Header().Get("Access-Control-Allow-Credentials")) +} + +func TestCORS_DisallowedOrigin_NoHeader(t *testing.T) { + mw := middleware.CORS([]string{"https://dashboard.veylant.ai"})(corsOkHandler) + req := httptest.NewRequest(http.MethodGet, "/v1/chat/completions", nil) + req.Header.Set("Origin", "http://evil.example.com") + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) + assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin")) +} + +func TestCORS_Preflight_Returns204(t *testing.T) { + mw := middleware.CORS([]string{"http://localhost:3000"})(corsOkHandler) + req := httptest.NewRequest(http.MethodOptions, "/v1/chat/completions", nil) + req.Header.Set("Origin", "http://localhost:3000") + req.Header.Set("Access-Control-Request-Method", "POST") + req.Header.Set("Access-Control-Request-Headers", "authorization, content-type") + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusNoContent, rec.Code) + assert.Equal(t, "http://localhost:3000", rec.Header().Get("Access-Control-Allow-Origin")) + assert.Equal(t, "GET, POST, PUT, PATCH, DELETE, OPTIONS", rec.Header().Get("Access-Control-Allow-Methods")) + assert.Equal(t, "86400", rec.Header().Get("Access-Control-Max-Age")) +} + +func TestCORS_Wildcard_AllowsAnyOrigin(t *testing.T) { + mw := middleware.CORS([]string{"*"})(corsOkHandler) + req := httptest.NewRequest(http.MethodGet, "/v1/chat/completions", nil) + req.Header.Set("Origin", "http://any.example.com") + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) + assert.Equal(t, "http://any.example.com", rec.Header().Get("Access-Control-Allow-Origin")) +} + +func TestCORS_NoOriginHeader_NoCorHeaders(t *testing.T) { + mw := middleware.CORS([]string{"http://localhost:3000"})(corsOkHandler) + req := httptest.NewRequest(http.MethodGet, "/v1/chat/completions", nil) + // No Origin header → same-origin request → no CORS headers needed. + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) + assert.Empty(t, rec.Header().Get("Access-Control-Allow-Origin")) +} diff --git a/internal/middleware/ratelimit.go b/internal/middleware/ratelimit.go new file mode 100644 index 0000000..f4a4345 --- /dev/null +++ b/internal/middleware/ratelimit.go @@ -0,0 +1,37 @@ +package middleware + +import ( + "net/http" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/ratelimit" +) + +// RateLimit returns a middleware that enforces per-tenant and per-user request +// rate limits using token buckets. On limit exceeded it writes HTTP 429 in the +// OpenAI-compatible JSON error format and aborts the request. +// +// The middleware must run AFTER the Auth middleware so that tenant/user claims +// are available in the request context. If no claims are present (anonymous +// request that wasn't rejected by Auth), the request passes through. +func RateLimit(limiter *ratelimit.Limiter) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + claims, ok := ClaimsFromContext(r.Context()) + if !ok || claims == nil { + // Auth middleware handles unauthenticated requests separately. + next.ServeHTTP(w, r) + return + } + + if !limiter.Allow(claims.TenantID, claims.UserID) { + apierror.WriteErrorWithRequestID(w, apierror.NewRateLimitError( + "rate limit exceeded — try again later", + ), RequestIDFromContext(r.Context())) + return + } + + next.ServeHTTP(w, r) + }) + } +} diff --git a/internal/middleware/ratelimit_test.go b/internal/middleware/ratelimit_test.go new file mode 100644 index 0000000..02d30d8 --- /dev/null +++ b/internal/middleware/ratelimit_test.go @@ -0,0 +1,78 @@ +package middleware_test + +import ( + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/ratelimit" +) + +func makeRateLimitLimiter(burst int) *ratelimit.Limiter { + cfg := ratelimit.RateLimitConfig{ + RequestsPerMin: 600, + BurstSize: burst, + UserRPM: 600, + UserBurst: burst, + IsEnabled: true, + } + return ratelimit.New(cfg, zap.NewNop()) +} + +// rlOkHandler returns 200 for every request (named to avoid redeclaration conflict with auth_test.go). +var rlOkHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) +}) + +func TestRateLimitMiddleware_AllowsWithinLimit(t *testing.T) { + limiter := makeRateLimitLimiter(5) + mw := middleware.RateLimit(limiter)(rlOkHandler) + + for i := 0; i < 5; i++ { + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil) + // Inject claims into context. + ctx := middleware.WithClaims(req.Context(), &middleware.UserClaims{ + UserID: "u1", TenantID: "t1", + }) + req = req.WithContext(ctx) + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code, "request %d should be allowed", i+1) + } +} + +func TestRateLimitMiddleware_Returns429WhenExceeded(t *testing.T) { + limiter := makeRateLimitLimiter(1) // burst = 1 + mw := middleware.RateLimit(limiter)(rlOkHandler) + + claims := &middleware.UserClaims{UserID: "u1", TenantID: "t1"} + + // First request: allowed. + req1 := httptest.NewRequest(http.MethodPost, "/", nil) + req1 = req1.WithContext(middleware.WithClaims(req1.Context(), claims)) + rec1 := httptest.NewRecorder() + mw.ServeHTTP(rec1, req1) + assert.Equal(t, http.StatusOK, rec1.Code) + + // Second request: exceeded. + req2 := httptest.NewRequest(http.MethodPost, "/", nil) + req2 = req2.WithContext(middleware.WithClaims(req2.Context(), claims)) + rec2 := httptest.NewRecorder() + mw.ServeHTTP(rec2, req2) + assert.Equal(t, http.StatusTooManyRequests, rec2.Code) + assert.Equal(t, "1", rec2.Header().Get("Retry-After"), "RFC 6585: 429 must include Retry-After header") +} + +func TestRateLimitMiddleware_NoClaims_PassThrough(t *testing.T) { + limiter := makeRateLimitLimiter(1) // very restrictive, but no claims → pass + mw := middleware.RateLimit(limiter)(rlOkHandler) + + req := httptest.NewRequest(http.MethodGet, "/healthz", nil) + rec := httptest.NewRecorder() + mw.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) +} diff --git a/internal/middleware/requestid.go b/internal/middleware/requestid.go new file mode 100644 index 0000000..4b924f7 --- /dev/null +++ b/internal/middleware/requestid.go @@ -0,0 +1,27 @@ +package middleware + +import ( + "net/http" + + "github.com/google/uuid" +) + +const headerRequestID = "X-Request-Id" + +// RequestID is a middleware that attaches a UUID v7 to every request. +// If the incoming request already carries an X-Request-Id header the value is +// reused; otherwise a new UUID v7 is generated. +// The ID is injected into the request context (accessible via RequestIDFromContext) +// and echoed back in the X-Request-Id response header. +func RequestID(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + id := r.Header.Get(headerRequestID) + if id == "" { + id = uuid.Must(uuid.NewV7()).String() + } + + ctx := withRequestID(r.Context(), id) + w.Header().Set(headerRequestID, id) + next.ServeHTTP(w, r.WithContext(ctx)) + }) +} diff --git a/internal/middleware/requestid_test.go b/internal/middleware/requestid_test.go new file mode 100644 index 0000000..60f6262 --- /dev/null +++ b/internal/middleware/requestid_test.go @@ -0,0 +1,59 @@ +package middleware_test + +import ( + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/middleware" +) + +func TestRequestID_GeneratesUUID(t *testing.T) { + var capturedID string + next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { + capturedID = middleware.RequestIDFromContext(r.Context()) + }) + + req := httptest.NewRequest(http.MethodGet, "/", nil) + rec := httptest.NewRecorder() + middleware.RequestID(next).ServeHTTP(rec, req) + + require.NotEmpty(t, capturedID, "request ID must be injected into context") + assert.Equal(t, capturedID, rec.Header().Get("X-Request-Id"), "response header must match context ID") +} + +func TestRequestID_PropagatesExistingHeader(t *testing.T) { + const existingID = "01956a00-0000-7000-8000-000000000001" + + var capturedID string + next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { + capturedID = middleware.RequestIDFromContext(r.Context()) + }) + + req := httptest.NewRequest(http.MethodGet, "/", nil) + req.Header.Set("X-Request-Id", existingID) + rec := httptest.NewRecorder() + middleware.RequestID(next).ServeHTTP(rec, req) + + assert.Equal(t, existingID, capturedID, "existing request ID must be preserved in context") + assert.Equal(t, existingID, rec.Header().Get("X-Request-Id"), "existing request ID must be echoed in response header") +} + +func TestRequestID_DifferentIDsPerRequest(t *testing.T) { + ids := make([]string, 3) + next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {}) + + recs := make([]*httptest.ResponseRecorder, 3) + for i := range ids { + req := httptest.NewRequest(http.MethodGet, "/", nil) + recs[i] = httptest.NewRecorder() + middleware.RequestID(next).ServeHTTP(recs[i], req) + ids[i] = recs[i].Header().Get("X-Request-Id") + } + + assert.NotEqual(t, ids[0], ids[1], "each request must get a unique ID") + assert.NotEqual(t, ids[1], ids[2], "each request must get a unique ID") +} diff --git a/internal/middleware/securityheaders.go b/internal/middleware/securityheaders.go new file mode 100644 index 0000000..f3ab7bc --- /dev/null +++ b/internal/middleware/securityheaders.go @@ -0,0 +1,35 @@ +package middleware + +import "net/http" + +// SecurityHeaders returns a middleware that injects security hardening headers +// into every HTTP response. HSTS is only added in production to avoid breaking +// local HTTP development. +// +// Headers applied: +// - X-Content-Type-Options: nosniff — prevents MIME-type sniffing +// - X-Frame-Options: DENY — blocks clickjacking +// - X-XSS-Protection: 1; mode=block — legacy XSS filter for older browsers +// - Referrer-Policy — limits referrer leakage +// - Permissions-Policy — disables dangerous browser features +// - Content-Security-Policy — restricts resource loading for API routes +// - Cross-Origin-Opener-Policy: same-origin — isolates browsing context +// - Strict-Transport-Security — production only (requires HTTPS) +func SecurityHeaders(env string) func(http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + h := w.Header() + h.Set("X-Content-Type-Options", "nosniff") + h.Set("X-Frame-Options", "DENY") + h.Set("X-XSS-Protection", "1; mode=block") + h.Set("Referrer-Policy", "strict-origin-when-cross-origin") + h.Set("Permissions-Policy", "geolocation=(), microphone=(), camera=()") + h.Set("Content-Security-Policy", "default-src 'none'; base-uri 'self'; connect-src 'self'; frame-ancestors 'none'") + h.Set("Cross-Origin-Opener-Policy", "same-origin") + if env == "production" { + h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") + } + next.ServeHTTP(w, r) + }) + } +} diff --git a/internal/pii/client.go b/internal/pii/client.go new file mode 100644 index 0000000..1fc2f4c --- /dev/null +++ b/internal/pii/client.go @@ -0,0 +1,138 @@ +// Package pii provides a gRPC client for the Python PII detection service. +// It exposes a thin wrapper with graceful degradation: if the service is +// unreachable and fail_open is true, the original text is returned unchanged. +package pii + +import ( + "context" + "fmt" + "time" + + "go.uber.org/zap" + "google.golang.org/grpc" + "google.golang.org/grpc/credentials/insecure" + + piiv1 "github.com/veylant/ia-gateway/gen/pii/v1" +) + +// Entity is a PII entity detected and pseudonymized by the Python service. +type Entity struct { + EntityType string + OriginalValue string + Pseudonym string // token of the form [PII:TYPE:UUID] + Start int32 + End int32 + Confidence float32 + DetectionLayer string +} + +// DetectResult holds the anonymized prompt and the entity list for +// later de-pseudonymization of the LLM response. +type DetectResult struct { + AnonymizedText string + Entities []Entity + ProcessingTimeMs int64 +} + +// Client wraps a gRPC connection to the PII detection service. +type Client struct { + conn *grpc.ClientConn + stub piiv1.PiiServiceClient + timeout time.Duration + failOpen bool + logger *zap.Logger +} + +// Config holds the configuration for the PII gRPC client. +type Config struct { + // Address of the PII service (e.g. "localhost:50051"). + Address string + // Timeout for each RPC call. + Timeout time.Duration + // FailOpen: if true, return the original text on service failure instead of erroring. + FailOpen bool +} + +// New creates a Client and establishes a gRPC connection. +// The connection is lazy — the first RPC will trigger the actual dial. +func New(cfg Config, logger *zap.Logger) (*Client, error) { + if cfg.Timeout == 0 { + cfg.Timeout = 100 * time.Millisecond + } + + conn, err := grpc.NewClient( + cfg.Address, + grpc.WithTransportCredentials(insecure.NewCredentials()), + ) + if err != nil { + return nil, fmt.Errorf("pii: dial %s: %w", cfg.Address, err) + } + + return &Client{ + conn: conn, + stub: piiv1.NewPiiServiceClient(conn), + timeout: cfg.Timeout, + failOpen: cfg.FailOpen, + logger: logger, + }, nil +} + +// Close releases the gRPC connection. +func (c *Client) Close() error { + return c.conn.Close() +} + +// Detect sends text to the PII service for detection and pseudonymization. +// If the call fails and FailOpen is true, it returns the original text with no entities. +// zeroRetention instructs the Python service not to persist the mapping to Redis — +// the pseudonymization tokens are ephemeral and valid only for this request (E4-12). +func (c *Client) Detect( + ctx context.Context, + text, tenantID, requestID string, + enableNER bool, + zeroRetention bool, +) (*DetectResult, error) { + callCtx, cancel := context.WithTimeout(ctx, c.timeout) + defer cancel() + + resp, err := c.stub.Detect(callCtx, &piiv1.PiiRequest{ + Text: text, + TenantId: tenantID, + RequestId: requestID, + Options: &piiv1.PiiOptions{ + EnableNer: enableNER, + ConfidenceThreshold: 0.85, + ZeroRetention: zeroRetention, + }, + }) + if err != nil { + if c.failOpen { + c.logger.Warn("pii service unavailable — fail open, returning original text", + zap.String("tenant_id", tenantID), + zap.String("request_id", requestID), + zap.Error(err), + ) + return &DetectResult{AnonymizedText: text}, nil + } + return nil, fmt.Errorf("pii: detect RPC: %w", err) + } + + entities := make([]Entity, 0, len(resp.Entities)) + for _, e := range resp.Entities { + entities = append(entities, Entity{ + EntityType: e.EntityType, + OriginalValue: e.OriginalValue, + Pseudonym: e.Pseudonym, + Start: e.Start, + End: e.End, + Confidence: e.Confidence, + DetectionLayer: e.DetectionLayer, + }) + } + + return &DetectResult{ + AnonymizedText: resp.AnonymizedText, + Entities: entities, + ProcessingTimeMs: resp.ProcessingTimeMs, + }, nil +} diff --git a/internal/pii/client_test.go b/internal/pii/client_test.go new file mode 100644 index 0000000..ceabc52 --- /dev/null +++ b/internal/pii/client_test.go @@ -0,0 +1,149 @@ +package pii_test + +import ( + "context" + "net" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + "google.golang.org/grpc" + + piiv1 "github.com/veylant/ia-gateway/gen/pii/v1" + "github.com/veylant/ia-gateway/internal/pii" +) + +// ─── Mock gRPC server ──────────────────────────────────────────────────────── + +type mockPiiServer struct { + piiv1.UnimplementedPiiServiceServer + detectFn func(*piiv1.PiiRequest) (*piiv1.PiiResponse, error) +} + +func (m *mockPiiServer) Detect(_ context.Context, req *piiv1.PiiRequest) (*piiv1.PiiResponse, error) { + if m.detectFn != nil { + return m.detectFn(req) + } + return &piiv1.PiiResponse{ + AnonymizedText: req.Text, + ProcessingTimeMs: 1, + }, nil +} + +func (m *mockPiiServer) Health(_ context.Context, _ *piiv1.HealthRequest) (*piiv1.HealthResponse, error) { + return &piiv1.HealthResponse{Status: "ok", NerModelLoaded: true}, nil +} + +// startMockServer starts a gRPC server with the given servicer and returns its address. +func startMockServer(t *testing.T, srv piiv1.PiiServiceServer) string { + t.Helper() + lis, err := net.Listen("tcp", "127.0.0.1:0") + require.NoError(t, err) + + s := grpc.NewServer() + piiv1.RegisterPiiServiceServer(s, srv) + + t.Cleanup(func() { s.Stop() }) + go func() { _ = s.Serve(lis) }() + + return lis.Addr().String() +} + +func newTestClient(t *testing.T, addr string, failOpen bool) *pii.Client { + t.Helper() + c, err := pii.New(pii.Config{ + Address: addr, + Timeout: 500 * time.Millisecond, + FailOpen: failOpen, + }, zap.NewNop()) + require.NoError(t, err) + t.Cleanup(func() { _ = c.Close() }) + return c +} + +// ─── Tests ─────────────────────────────────────────────────────────────────── + +func TestClient_Detect_Nominal(t *testing.T) { + srv := &mockPiiServer{ + detectFn: func(req *piiv1.PiiRequest) (*piiv1.PiiResponse, error) { + return &piiv1.PiiResponse{ + AnonymizedText: "[PII:EMAIL:abc12345]", + Entities: []*piiv1.PiiEntity{ + { + EntityType: "EMAIL", + OriginalValue: "alice@example.com", + Pseudonym: "[PII:EMAIL:abc12345]", + Start: 0, + End: 17, + Confidence: 1.0, + DetectionLayer: "regex", + }, + }, + ProcessingTimeMs: 2, + }, nil + }, + } + addr := startMockServer(t, srv) + client := newTestClient(t, addr, false) + + result, err := client.Detect(context.Background(), "alice@example.com", "tenant1", "req1", false, false) + + require.NoError(t, err) + assert.Equal(t, "[PII:EMAIL:abc12345]", result.AnonymizedText) + require.Len(t, result.Entities, 1) + assert.Equal(t, "EMAIL", result.Entities[0].EntityType) + assert.Equal(t, "alice@example.com", result.Entities[0].OriginalValue) + assert.Equal(t, "[PII:EMAIL:abc12345]", result.Entities[0].Pseudonym) + assert.Equal(t, int64(2), result.ProcessingTimeMs) +} + +func TestClient_Detect_NoEntities(t *testing.T) { + addr := startMockServer(t, &mockPiiServer{}) + client := newTestClient(t, addr, false) + + result, err := client.Detect(context.Background(), "Bonjour le monde", "t", "r", false, false) + + require.NoError(t, err) + assert.Equal(t, "Bonjour le monde", result.AnonymizedText) + assert.Empty(t, result.Entities) +} + +func TestClient_Detect_FailOpen_ReturnsOriginalOnError(t *testing.T) { + // Point to a port where nothing is listening + client := newTestClient(t, "127.0.0.1:19999", true) + + result, err := client.Detect(context.Background(), "original text", "t", "r", false, false) + + require.NoError(t, err) // fail_open: no error returned + assert.Equal(t, "original text", result.AnonymizedText) + assert.Empty(t, result.Entities) +} + +func TestClient_Detect_FailClosed_ReturnsError(t *testing.T) { + client := newTestClient(t, "127.0.0.1:19998", false) + + _, err := client.Detect(context.Background(), "original text", "t", "r", false, false) + + require.Error(t, err) + assert.Contains(t, err.Error(), "pii:") +} + +func TestClient_Detect_PassesEnableNERFlag(t *testing.T) { + var receivedEnableNER bool + srv := &mockPiiServer{ + detectFn: func(req *piiv1.PiiRequest) (*piiv1.PiiResponse, error) { + if req.Options != nil { + receivedEnableNER = req.Options.EnableNer + } + return &piiv1.PiiResponse{AnonymizedText: req.Text}, nil + }, + } + addr := startMockServer(t, srv) + client := newTestClient(t, addr, false) + + _, err := client.Detect(context.Background(), "text", "t", "r", true, false) + require.NoError(t, err) + assert.True(t, receivedEnableNER) +} diff --git a/internal/pii/http.go b/internal/pii/http.go new file mode 100644 index 0000000..8634eb7 --- /dev/null +++ b/internal/pii/http.go @@ -0,0 +1,99 @@ +package pii + +import ( + "encoding/json" + "net/http" + + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/apierror" +) + +// AnalyzeRequest is the JSON body accepted by POST /v1/pii/analyze. +type AnalyzeRequest struct { + Text string `json:"text"` +} + +// AnalyzeEntity is a single PII entity returned by the analyze endpoint. +type AnalyzeEntity struct { + Type string `json:"type"` + Start int `json:"start"` + End int `json:"end"` + Confidence float64 `json:"confidence"` + Layer string `json:"layer"` +} + +// AnalyzeResponse is the JSON response of POST /v1/pii/analyze. +type AnalyzeResponse struct { + Anonymized string `json:"anonymized"` + Entities []AnalyzeEntity `json:"entities"` +} + +// AnalyzeHandler wraps a pii.Client as an HTTP handler for the playground. +// It is safe to call when client is nil: returns the original text unchanged. +type AnalyzeHandler struct { + client *Client + logger *zap.Logger +} + +// NewAnalyzeHandler creates a new AnalyzeHandler. +// client may be nil (PII service disabled) — the handler degrades gracefully. +func NewAnalyzeHandler(client *Client, logger *zap.Logger) *AnalyzeHandler { + return &AnalyzeHandler{client: client, logger: logger} +} + +func (h *AnalyzeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { + var req AnalyzeRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON: "+err.Error())) + return + } + if req.Text == "" { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(AnalyzeResponse{Anonymized: "", Entities: []AnalyzeEntity{}}) + return + } + + // PII service disabled — return text unchanged. + if h.client == nil { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(AnalyzeResponse{ + Anonymized: req.Text, + Entities: []AnalyzeEntity{}, + }) + return + } + + resp, err := h.client.Detect(r.Context(), req.Text, "playground", "playground-analyze", true, false) + if err != nil { + h.logger.Warn("PII analyze failed", zap.Error(err)) + // Fail-open: return text unchanged rather than erroring. + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(AnalyzeResponse{ + Anonymized: req.Text, + Entities: []AnalyzeEntity{}, + }) + return + } + + entities := make([]AnalyzeEntity, 0, len(resp.Entities)) + for _, e := range resp.Entities { + entities = append(entities, AnalyzeEntity{ + Type: e.EntityType, + Start: int(e.Start), + End: int(e.End), + Confidence: float64(e.Confidence), + Layer: e.DetectionLayer, + }) + } + + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + _ = json.NewEncoder(w).Encode(AnalyzeResponse{ + Anonymized: resp.AnonymizedText, + Entities: entities, + }) +} diff --git a/internal/provider/anthropic/adapter.go b/internal/provider/anthropic/adapter.go new file mode 100644 index 0000000..d29d59c --- /dev/null +++ b/internal/provider/anthropic/adapter.go @@ -0,0 +1,312 @@ +// Package anthropic implements provider.Adapter for the Anthropic Messages API. +// The Anthropic API differs from OpenAI in: +// - Endpoint: /v1/messages (not /chat/completions) +// - Auth headers: x-api-key + anthropic-version (not Authorization: Bearer) +// - Request: system prompt as top-level field, max_tokens required +// - Response: content[].text instead of choices[].message.content +// - Streaming: event-typed SSE (content_block_delta, message_stop) re-emitted as OpenAI-compat +package anthropic + +import ( + "bufio" + "bytes" + "context" + "encoding/json" + "fmt" + "net" + "net/http" + "strings" + "time" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/provider" +) + +const ( + defaultBaseURL = "https://api.anthropic.com/v1" + defaultVersion = "2023-06-01" + defaultMaxTokens = 4096 +) + +// Config holds Anthropic adapter configuration. +type Config struct { + APIKey string + BaseURL string // default: https://api.anthropic.com/v1 + Version string // Anthropic-Version header, e.g. "2023-06-01" + TimeoutSeconds int + MaxConns int +} + +// Adapter implements provider.Adapter for the Anthropic Messages API. +type Adapter struct { + cfg Config + testBaseURL string // non-empty in tests: overrides BaseURL + regularClient *http.Client + streamingClient *http.Client +} + +// anthropicRequest is the wire format for the Anthropic Messages API. +type anthropicRequest struct { + Model string `json:"model"` + MaxTokens int `json:"max_tokens"` + System string `json:"system,omitempty"` + Messages []provider.Message `json:"messages"` + Stream bool `json:"stream,omitempty"` +} + +// anthropicResponse is the non-streaming response from the Anthropic Messages API. +type anthropicResponse struct { + ID string `json:"id"` + Type string `json:"type"` + Model string `json:"model"` + Content []anthropicContent `json:"content"` + StopReason string `json:"stop_reason"` + Usage anthropicUsage `json:"usage"` +} + +type anthropicContent struct { + Type string `json:"type"` + Text string `json:"text"` +} + +type anthropicUsage struct { + InputTokens int `json:"input_tokens"` + OutputTokens int `json:"output_tokens"` +} + +// New creates an Anthropic adapter. +func New(cfg Config) *Adapter { + return NewWithBaseURL("", cfg) +} + +// NewWithBaseURL creates an adapter with a custom base URL — used in tests to +// point the adapter at a mock server instead of the real Anthropic endpoint. +func NewWithBaseURL(baseURL string, cfg Config) *Adapter { + if cfg.BaseURL == "" { + cfg.BaseURL = defaultBaseURL + } + if cfg.Version == "" { + cfg.Version = defaultVersion + } + + dialer := &net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + } + transport := &http.Transport{ + DialContext: dialer.DialContext, + TLSHandshakeTimeout: 10 * time.Second, + ResponseHeaderTimeout: 30 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + MaxIdleConns: cfg.MaxConns, + MaxIdleConnsPerHost: cfg.MaxConns, + IdleConnTimeout: 90 * time.Second, + } + + timeout := time.Duration(cfg.TimeoutSeconds) * time.Second + if cfg.TimeoutSeconds == 0 { + timeout = 30 * time.Second + } + + return &Adapter{ + cfg: cfg, + testBaseURL: baseURL, + regularClient: &http.Client{ + Transport: transport, + Timeout: timeout, + }, + streamingClient: &http.Client{ + Transport: transport, + }, + } +} + +// Validate checks that req is well-formed for the Anthropic adapter. +func (a *Adapter) Validate(req *provider.ChatRequest) error { + if req.Model == "" { + return apierror.NewBadRequestError("field 'model' is required") + } + if len(req.Messages) == 0 { + return apierror.NewBadRequestError("field 'messages' must not be empty") + } + return nil +} + +// Send performs a non-streaming chat completion request to the Anthropic Messages API. +func (a *Adapter) Send(ctx context.Context, req *provider.ChatRequest) (*provider.ChatResponse, error) { + anthropicReq := toAnthropicRequest(req) + + body, err := json.Marshal(anthropicReq) + if err != nil { + return nil, apierror.NewInternalError(fmt.Sprintf("marshaling request: %v", err)) + } + + httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, a.messagesURL(), bytes.NewReader(body)) + if err != nil { + return nil, apierror.NewInternalError(fmt.Sprintf("building request: %v", err)) + } + a.setHeaders(httpReq) + + resp, err := a.regularClient.Do(httpReq) + if err != nil { + if ctx.Err() != nil { + return nil, apierror.NewTimeoutError("Anthropic request timed out") + } + return nil, apierror.NewUpstreamError(fmt.Sprintf("calling Anthropic: %v", err)) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return nil, mapUpstreamStatus(resp.StatusCode) + } + + var anthropicResp anthropicResponse + if err := json.NewDecoder(resp.Body).Decode(&anthropicResp); err != nil { + return nil, apierror.NewUpstreamError(fmt.Sprintf("decoding response: %v", err)) + } + return fromAnthropicResponse(&anthropicResp), nil +} + +// Stream performs a streaming chat completion request and pipes normalized SSE chunks to w. +// Anthropic's event-typed SSE format is converted to OpenAI-compatible chunks on the fly. +func (a *Adapter) Stream(ctx context.Context, req *provider.ChatRequest, w http.ResponseWriter) error { + anthropicReq := toAnthropicRequest(req) + anthropicReq.Stream = true + + body, err := json.Marshal(anthropicReq) + if err != nil { + return apierror.NewInternalError(fmt.Sprintf("marshaling stream request: %v", err)) + } + + httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, a.messagesURL(), bytes.NewReader(body)) + if err != nil { + return apierror.NewInternalError(fmt.Sprintf("building stream request: %v", err)) + } + a.setHeaders(httpReq) + + resp, err := a.streamingClient.Do(httpReq) + if err != nil { + if ctx.Err() != nil { + return apierror.NewTimeoutError("Anthropic stream timed out") + } + return apierror.NewUpstreamError(fmt.Sprintf("opening stream to Anthropic: %v", err)) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return mapUpstreamStatus(resp.StatusCode) + } + + return PipeAnthropicSSE(bufio.NewScanner(resp.Body), w) +} + +// HealthCheck verifies the Anthropic API is reachable by listing models. +func (a *Adapter) HealthCheck(ctx context.Context) error { + ctx, cancel := context.WithTimeout(ctx, 5*time.Second) + defer cancel() + + req, err := http.NewRequestWithContext(ctx, http.MethodGet, a.baseURL()+"/models", nil) + if err != nil { + return fmt.Errorf("building Anthropic health check request: %w", err) + } + a.setHeaders(req) + + resp, err := a.regularClient.Do(req) + if err != nil { + return fmt.Errorf("Anthropic health check failed: %w", err) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("Anthropic health check returned HTTP %d", resp.StatusCode) + } + return nil +} + +// messagesURL returns the Anthropic Messages API endpoint. +func (a *Adapter) messagesURL() string { + return a.baseURL() + "/messages" +} + +// baseURL returns testBaseURL when set (tests), otherwise cfg.BaseURL. +func (a *Adapter) baseURL() string { + if a.testBaseURL != "" { + return a.testBaseURL + } + return a.cfg.BaseURL +} + +// setHeaders attaches required Anthropic authentication and version headers. +func (a *Adapter) setHeaders(req *http.Request) { + req.Header.Set("x-api-key", a.cfg.APIKey) + req.Header.Set("anthropic-version", a.cfg.Version) + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Accept", "application/json") +} + +// toAnthropicRequest converts an OpenAI-compat ChatRequest to Anthropic Messages API format. +// System-role messages are extracted to the top-level "system" field. +// max_tokens defaults to 4096 if not set in the original request. +func toAnthropicRequest(req *provider.ChatRequest) anthropicRequest { + var systemParts []string + var messages []provider.Message + + for _, m := range req.Messages { + if m.Role == "system" { + systemParts = append(systemParts, m.Content) + } else { + messages = append(messages, m) + } + } + + maxTokens := defaultMaxTokens + if req.MaxTokens != nil { + maxTokens = *req.MaxTokens + } + + return anthropicRequest{ + Model: req.Model, + MaxTokens: maxTokens, + System: strings.Join(systemParts, "\n"), + Messages: messages, + } +} + +// fromAnthropicResponse converts an Anthropic non-streaming response to the +// OpenAI-compatible ChatResponse format used internally. +func fromAnthropicResponse(r *anthropicResponse) *provider.ChatResponse { + var content string + if len(r.Content) > 0 { + content = r.Content[0].Text + } + return &provider.ChatResponse{ + ID: r.ID, + Object: "chat.completion", + Model: r.Model, + Choices: []provider.Choice{{ + Index: 0, + Message: provider.Message{Role: "assistant", Content: content}, + FinishReason: r.StopReason, + }}, + Usage: provider.Usage{ + PromptTokens: r.Usage.InputTokens, + CompletionTokens: r.Usage.OutputTokens, + TotalTokens: r.Usage.InputTokens + r.Usage.OutputTokens, + }, + } +} + +func mapUpstreamStatus(status int) *apierror.APIError { + switch status { + case http.StatusUnauthorized: + return apierror.NewAuthError("Anthropic rejected the API key") + case http.StatusTooManyRequests: + return apierror.NewRateLimitError("Anthropic rate limit reached") + case http.StatusBadRequest: + return apierror.NewBadRequestError("Anthropic rejected the request") + case http.StatusGatewayTimeout, http.StatusRequestTimeout: + return apierror.NewTimeoutError("Anthropic request timed out") + default: + return apierror.NewUpstreamError(fmt.Sprintf("Anthropic returned HTTP %d", status)) + } +} diff --git a/internal/provider/anthropic/adapter_test.go b/internal/provider/anthropic/adapter_test.go new file mode 100644 index 0000000..e61babe --- /dev/null +++ b/internal/provider/anthropic/adapter_test.go @@ -0,0 +1,315 @@ +package anthropic_test + +import ( + "context" + "encoding/json" + "net/http" + "net/http/httptest" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/provider/anthropic" +) + +// newTestAdapter creates an Adapter pointed at the given mock server URL. +func newTestAdapter(t *testing.T, serverURL string) *anthropic.Adapter { + t.Helper() + return anthropic.NewWithBaseURL(serverURL, anthropic.Config{ + APIKey: "test-key", + Version: "2023-06-01", + TimeoutSeconds: 5, + MaxConns: 10, + }) +} + +// anthropicResponseBody builds a minimal Anthropic Messages API response JSON. +func anthropicResponseBody(id, text, stopReason string, inputTokens, outputTokens int) map[string]any { + return map[string]any{ + "id": id, + "type": "message", + "model": "claude-3-5-sonnet-20241022", + "content": []map[string]any{ + {"type": "text", "text": text}, + }, + "stop_reason": stopReason, + "usage": map[string]any{ + "input_tokens": inputTokens, + "output_tokens": outputTokens, + }, + } +} + +// ─── Send ──────────────────────────────────────────────────────────────────── + +func TestAnthropicAdapter_Send_Nominal(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + // Verify Anthropic-specific headers + assert.Equal(t, "test-key", r.Header.Get("x-api-key")) + assert.Equal(t, "2023-06-01", r.Header.Get("anthropic-version")) + assert.Empty(t, r.Header.Get("Authorization")) + assert.Equal(t, "/messages", r.URL.Path) + + w.Header().Set("Content-Type", "application/json") + _ = json.NewEncoder(w).Encode(anthropicResponseBody( + "msg-test-01", "Hello from Anthropic!", "end_turn", 10, 5, + )) + })) + defer srv.Close() + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hello"}}, + } + + got, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + + require.NoError(t, err) + assert.Equal(t, "msg-test-01", got.ID) + assert.Equal(t, "chat.completion", got.Object) + assert.Equal(t, "Hello from Anthropic!", got.Choices[0].Message.Content) + assert.Equal(t, "assistant", got.Choices[0].Message.Role) + assert.Equal(t, "end_turn", got.Choices[0].FinishReason) + assert.Equal(t, 10, got.Usage.PromptTokens) + assert.Equal(t, 5, got.Usage.CompletionTokens) + assert.Equal(t, 15, got.Usage.TotalTokens) +} + +func TestAnthropicAdapter_Send_SystemMessageExtracted(t *testing.T) { + var capturedBody map[string]any + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + _ = json.NewDecoder(r.Body).Decode(&capturedBody) + w.Header().Set("Content-Type", "application/json") + _ = json.NewEncoder(w).Encode(anthropicResponseBody("msg-02", "ok", "end_turn", 5, 2)) + })) + defer srv.Close() + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{ + {Role: "system", Content: "You are a helpful assistant."}, + {Role: "user", Content: "hello"}, + }, + } + + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + require.NoError(t, err) + + // System message must appear at top level, NOT in messages[] + assert.Equal(t, "You are a helpful assistant.", capturedBody["system"]) + msgs := capturedBody["messages"].([]any) + assert.Len(t, msgs, 1) + assert.Equal(t, "user", msgs[0].(map[string]any)["role"]) +} + +func TestAnthropicAdapter_Send_MaxTokensDefault(t *testing.T) { + var capturedBody map[string]any + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + _ = json.NewDecoder(r.Body).Decode(&capturedBody) + w.Header().Set("Content-Type", "application/json") + _ = json.NewEncoder(w).Encode(anthropicResponseBody("msg-03", "ok", "end_turn", 5, 2)) + })) + defer srv.Close() + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + // MaxTokens not set + } + + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + require.NoError(t, err) + assert.Equal(t, float64(4096), capturedBody["max_tokens"]) +} + +func TestAnthropicAdapter_Send_MaxTokensRespected(t *testing.T) { + var capturedBody map[string]any + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + _ = json.NewDecoder(r.Body).Decode(&capturedBody) + w.Header().Set("Content-Type", "application/json") + _ = json.NewEncoder(w).Encode(anthropicResponseBody("msg-04", "ok", "end_turn", 5, 2)) + })) + defer srv.Close() + + maxTok := 1024 + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + MaxTokens: &maxTok, + } + + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + require.NoError(t, err) + assert.Equal(t, float64(1024), capturedBody["max_tokens"]) +} + +func TestAnthropicAdapter_Send_Upstream401_ReturnsAuthError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + })) + defer srv.Close() + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + } + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + require.Error(t, err) + assert.Contains(t, err.Error(), "API key") +} + +func TestAnthropicAdapter_Send_Upstream429_ReturnsRateLimit(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusTooManyRequests) + })) + defer srv.Close() + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + } + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + require.Error(t, err) + assert.Contains(t, err.Error(), "rate limit") +} + +func TestAnthropicAdapter_Send_Upstream400_ReturnsBadRequest(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusBadRequest) + })) + defer srv.Close() + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + } + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + require.Error(t, err) + assert.Contains(t, err.Error(), "rejected") +} + +func TestAnthropicAdapter_Send_Upstream500_ReturnsUpstreamError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusInternalServerError) + })) + defer srv.Close() + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + } + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), req) + require.Error(t, err) + assert.Contains(t, err.Error(), "500") +} + +// ─── Stream ────────────────────────────────────────────────────────────────── + +func TestAnthropicAdapter_Stream_Nominal(t *testing.T) { + // Anthropic SSE payload with two text deltas and a message_stop. + ssePayload := "" + + "event: message_start\n" + + "data: {\"type\":\"message_start\",\"message\":{\"id\":\"msg-1\"}}\n\n" + + "event: content_block_start\n" + + "data: {\"type\":\"content_block_start\",\"index\":0,\"content_block\":{\"type\":\"text\",\"text\":\"\"}}\n\n" + + "event: content_block_delta\n" + + "data: {\"type\":\"content_block_delta\",\"index\":0,\"delta\":{\"type\":\"text_delta\",\"text\":\"Hel\"}}\n\n" + + "event: content_block_delta\n" + + "data: {\"type\":\"content_block_delta\",\"index\":0,\"delta\":{\"type\":\"text_delta\",\"text\":\"lo\"}}\n\n" + + "event: message_stop\n" + + "data: {\"type\":\"message_stop\"}\n\n" + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.Header().Set("Content-Type", "text/event-stream") + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(ssePayload)) + })) + defer srv.Close() + + rec := httptest.NewRecorder() + rec.Header().Set("Content-Type", "text/event-stream") + + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hello"}}, + Stream: true, + } + + err := newTestAdapter(t, srv.URL).Stream(context.Background(), req, rec) + require.NoError(t, err) + + body := rec.Body.String() + // Verify OpenAI-compat chunks were emitted (not raw Anthropic events) + assert.Contains(t, body, "chat.completion.chunk") + assert.Contains(t, body, "Hel") + assert.Contains(t, body, "lo") + assert.Contains(t, body, "[DONE]") + // Verify raw Anthropic event names are not leaked + assert.NotContains(t, body, "content_block_delta") + assert.NotContains(t, body, "message_stop") +} + +func TestAnthropicAdapter_Stream_Upstream401(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + })) + defer srv.Close() + + rec := httptest.NewRecorder() + req := &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + } + err := newTestAdapter(t, srv.URL).Stream(context.Background(), req, rec) + require.Error(t, err) + assert.Contains(t, err.Error(), "API key") +} + +// ─── Validate ──────────────────────────────────────────────────────────────── + +func TestAnthropicAdapter_Validate_MissingModel(t *testing.T) { + a := anthropic.NewWithBaseURL("http://unused", anthropic.Config{APIKey: "k"}) + err := a.Validate(&provider.ChatRequest{ + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.Error(t, err) + assert.Contains(t, err.Error(), "model") +} + +func TestAnthropicAdapter_Validate_EmptyMessages(t *testing.T) { + a := anthropic.NewWithBaseURL("http://unused", anthropic.Config{APIKey: "k"}) + err := a.Validate(&provider.ChatRequest{Model: "claude-3-5-sonnet-20241022"}) + require.Error(t, err) + assert.Contains(t, err.Error(), "messages") +} + +// ─── HealthCheck ───────────────────────────────────────────────────────────── + +func TestAnthropicAdapter_HealthCheck_Nominal(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + assert.Equal(t, "/models", r.URL.Path) + assert.Equal(t, "test-key", r.Header.Get("x-api-key")) + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(`{"data":[]}`)) + })) + defer srv.Close() + + err := newTestAdapter(t, srv.URL).HealthCheck(context.Background()) + require.NoError(t, err) +} + +func TestAnthropicAdapter_HealthCheck_Failure(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusServiceUnavailable) + })) + defer srv.Close() + + err := newTestAdapter(t, srv.URL).HealthCheck(context.Background()) + require.Error(t, err) + assert.Contains(t, err.Error(), "503") +} diff --git a/internal/provider/anthropic/sse.go b/internal/provider/anthropic/sse.go new file mode 100644 index 0000000..5ab1e14 --- /dev/null +++ b/internal/provider/anthropic/sse.go @@ -0,0 +1,119 @@ +package anthropic + +import ( + "bufio" + "encoding/json" + "fmt" + "net/http" + "strings" +) + +// Anthropic SSE event types handled by PipeAnthropicSSE. +const ( + eventContentBlockDelta = "content_block_delta" + eventMessageStop = "message_stop" +) + +// anthropicStreamEvent is the data payload for a content_block_delta SSE event. +type anthropicStreamEvent struct { + Type string `json:"type"` + Delta anthropicDelta `json:"delta"` +} + +type anthropicDelta struct { + Type string `json:"type"` + Text string `json:"text"` +} + +// openAIChunk is the minimal OpenAI-compatible SSE chunk emitted to the client. +type openAIChunk struct { + ID string `json:"id"` + Object string `json:"object"` + Choices []openAIChunkChoice `json:"choices"` +} + +type openAIChunkChoice struct { + Index int `json:"index"` + Delta openAIChunkDelta `json:"delta"` +} + +type openAIChunkDelta struct { + Content string `json:"content"` +} + +// PipeAnthropicSSE reads Anthropic's event-typed SSE stream and re-emits each +// text chunk as an OpenAI-compatible SSE event. It terminates on message_stop +// or when the upstream body is exhausted. +// +// Anthropic SSE format: +// +// event: content_block_delta +// data: {"type":"content_block_delta","delta":{"type":"text_delta","text":"Hello"}} +// +// Re-emitted as OpenAI-compat: +// +// data: {"id":"chatcmpl-anthropic","object":"chat.completion.chunk","choices":[{"index":0,"delta":{"content":"Hello"}}]} +func PipeAnthropicSSE(body *bufio.Scanner, w http.ResponseWriter) error { + flusher, ok := w.(http.Flusher) + if !ok { + return fmt.Errorf("response writer does not support flushing (SSE not possible)") + } + + var currentEvent string + + for body.Scan() { + line := body.Text() + + // Track the event type from "event: ..." lines. + if strings.HasPrefix(line, "event: ") { + currentEvent = strings.TrimPrefix(line, "event: ") + continue + } + + // Skip blank lines and lines without a data prefix. + if line == "" || !strings.HasPrefix(line, "data: ") { + continue + } + + rawData := strings.TrimPrefix(line, "data: ") + + switch currentEvent { + case eventContentBlockDelta: + var evt anthropicStreamEvent + if err := json.Unmarshal([]byte(rawData), &evt); err != nil { + continue // skip malformed events gracefully + } + if evt.Delta.Type != "text_delta" || evt.Delta.Text == "" { + continue + } + chunk := openAIChunk{ + ID: "chatcmpl-anthropic", + Object: "chat.completion.chunk", + Choices: []openAIChunkChoice{{ + Index: 0, + Delta: openAIChunkDelta{Content: evt.Delta.Text}, + }}, + } + chunkJSON, err := json.Marshal(chunk) + if err != nil { + continue + } + if _, err := fmt.Fprintf(w, "data: %s\n\n", chunkJSON); err != nil { + return fmt.Errorf("writing SSE chunk: %w", err) + } + flusher.Flush() + + case eventMessageStop: + if _, err := fmt.Fprintf(w, "data: [DONE]\n\n"); err != nil { + return fmt.Errorf("writing SSE done: %w", err) + } + flusher.Flush() + return nil + } + } + + if err := body.Err(); err != nil { + return fmt.Errorf("reading Anthropic SSE body: %w", err) + } + return nil +} diff --git a/internal/provider/azure/adapter.go b/internal/provider/azure/adapter.go new file mode 100644 index 0000000..2d91749 --- /dev/null +++ b/internal/provider/azure/adapter.go @@ -0,0 +1,229 @@ +// Package azure implements provider.Adapter for the Azure OpenAI Service. +// Azure uses the same request/response format as OpenAI but differs in: +// - URL structure: https://{resource}.openai.azure.com/openai/deployments/{deployment}/... +// - Authentication header: "api-key" instead of "Authorization: Bearer" +package azure + +import ( + "bufio" + "bytes" + "context" + "encoding/json" + "fmt" + "net" + "net/http" + "time" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/provider/openai" +) + +// Config holds Azure OpenAI adapter configuration. +type Config struct { + APIKey string + ResourceName string // Azure resource name, e.g. "my-azure-openai" + DeploymentID string // Deployment name, e.g. "gpt-4o" + APIVersion string // e.g. "2024-02-01" + TimeoutSeconds int + MaxConns int +} + +// Adapter implements provider.Adapter for Azure OpenAI Service. +type Adapter struct { + cfg Config + testBaseURL string // non-empty in tests: overrides Azure URL construction + regularClient *http.Client + streamingClient *http.Client +} + +// New creates an Azure OpenAI adapter. +func New(cfg Config) *Adapter { + return NewWithBaseURL("", cfg) +} + +// NewWithBaseURL creates an adapter with a custom base URL — used in tests to +// point the adapter at a mock server instead of the real Azure endpoint. +func NewWithBaseURL(baseURL string, cfg Config) *Adapter { + if cfg.APIVersion == "" { + cfg.APIVersion = "2024-02-01" + } + + dialer := &net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + } + transport := &http.Transport{ + DialContext: dialer.DialContext, + TLSHandshakeTimeout: 10 * time.Second, + ResponseHeaderTimeout: 30 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + MaxIdleConns: cfg.MaxConns, + MaxIdleConnsPerHost: cfg.MaxConns, + IdleConnTimeout: 90 * time.Second, + } + + timeout := time.Duration(cfg.TimeoutSeconds) * time.Second + if cfg.TimeoutSeconds == 0 { + timeout = 30 * time.Second + } + + return &Adapter{ + cfg: cfg, + testBaseURL: baseURL, + regularClient: &http.Client{ + Transport: transport, + Timeout: timeout, + }, + streamingClient: &http.Client{ + Transport: transport, + }, + } +} + +// Validate checks that req is well-formed for the Azure adapter. +func (a *Adapter) Validate(req *provider.ChatRequest) error { + if req.Model == "" { + return apierror.NewBadRequestError("field 'model' is required") + } + if len(req.Messages) == 0 { + return apierror.NewBadRequestError("field 'messages' must not be empty") + } + return nil +} + +// Send performs a non-streaming chat completion request to Azure OpenAI. +func (a *Adapter) Send(ctx context.Context, req *provider.ChatRequest) (*provider.ChatResponse, error) { + body, err := json.Marshal(req) + if err != nil { + return nil, apierror.NewInternalError(fmt.Sprintf("marshaling request: %v", err)) + } + + httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, a.chatURL(), bytes.NewReader(body)) + if err != nil { + return nil, apierror.NewInternalError(fmt.Sprintf("building request: %v", err)) + } + a.setHeaders(httpReq) + + resp, err := a.regularClient.Do(httpReq) + if err != nil { + if ctx.Err() != nil { + return nil, apierror.NewTimeoutError("Azure OpenAI request timed out") + } + return nil, apierror.NewUpstreamError(fmt.Sprintf("calling Azure OpenAI: %v", err)) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return nil, mapUpstreamStatus(resp.StatusCode) + } + + var chatResp provider.ChatResponse + if err := json.NewDecoder(resp.Body).Decode(&chatResp); err != nil { + return nil, apierror.NewUpstreamError(fmt.Sprintf("decoding response: %v", err)) + } + return &chatResp, nil +} + +// Stream performs a streaming chat completion request and pipes SSE chunks to w. +func (a *Adapter) Stream(ctx context.Context, req *provider.ChatRequest, w http.ResponseWriter) error { + req.Stream = true + + body, err := json.Marshal(req) + if err != nil { + return apierror.NewInternalError(fmt.Sprintf("marshaling stream request: %v", err)) + } + + httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, a.chatURL(), bytes.NewReader(body)) + if err != nil { + return apierror.NewInternalError(fmt.Sprintf("building stream request: %v", err)) + } + a.setHeaders(httpReq) + + resp, err := a.streamingClient.Do(httpReq) + if err != nil { + if ctx.Err() != nil { + return apierror.NewTimeoutError("Azure OpenAI stream timed out") + } + return apierror.NewUpstreamError(fmt.Sprintf("opening stream to Azure OpenAI: %v", err)) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return mapUpstreamStatus(resp.StatusCode) + } + + // Azure SSE format is identical to OpenAI — reuse PipeSSE. + return openai.PipeSSE(bufio.NewScanner(resp.Body), w) +} + +// HealthCheck verifies Azure OpenAI is reachable by listing deployments. +func (a *Adapter) HealthCheck(ctx context.Context) error { + ctx, cancel := context.WithTimeout(ctx, 5*time.Second) + defer cancel() + + var url string + if a.testBaseURL != "" { + url = a.testBaseURL + fmt.Sprintf("/openai/deployments?api-version=%s", a.cfg.APIVersion) + } else { + url = fmt.Sprintf( + "https://%s.openai.azure.com/openai/deployments?api-version=%s", + a.cfg.ResourceName, a.cfg.APIVersion, + ) + } + + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return fmt.Errorf("building Azure health check request: %w", err) + } + a.setHeaders(req) + + resp, err := a.regularClient.Do(req) + if err != nil { + return fmt.Errorf("Azure OpenAI health check failed: %w", err) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("Azure OpenAI health check returned HTTP %d", resp.StatusCode) + } + return nil +} + +// chatURL builds the Azure OpenAI completions endpoint URL. +// In tests, testBaseURL overrides Azure URL construction for mock server injection. +func (a *Adapter) chatURL() string { + if a.testBaseURL != "" { + return a.testBaseURL + fmt.Sprintf( + "/openai/deployments/%s/chat/completions?api-version=%s", + a.cfg.DeploymentID, a.cfg.APIVersion, + ) + } + return fmt.Sprintf( + "https://%s.openai.azure.com/openai/deployments/%s/chat/completions?api-version=%s", + a.cfg.ResourceName, a.cfg.DeploymentID, a.cfg.APIVersion, + ) +} + +// setHeaders attaches Azure authentication and content headers. +// Azure uses "api-key" instead of "Authorization: Bearer". +func (a *Adapter) setHeaders(req *http.Request) { + req.Header.Set("api-key", a.cfg.APIKey) + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Accept", "application/json") +} + +func mapUpstreamStatus(status int) *apierror.APIError { + switch status { + case http.StatusUnauthorized: + return apierror.NewAuthError("Azure OpenAI rejected the API key") + case http.StatusTooManyRequests: + return apierror.NewRateLimitError("Azure OpenAI rate limit reached") + case http.StatusBadRequest: + return apierror.NewBadRequestError("Azure OpenAI rejected the request") + case http.StatusGatewayTimeout, http.StatusRequestTimeout: + return apierror.NewTimeoutError("Azure OpenAI request timed out") + default: + return apierror.NewUpstreamError(fmt.Sprintf("Azure OpenAI returned HTTP %d", status)) + } +} diff --git a/internal/provider/azure/adapter_test.go b/internal/provider/azure/adapter_test.go new file mode 100644 index 0000000..71cbffe --- /dev/null +++ b/internal/provider/azure/adapter_test.go @@ -0,0 +1,181 @@ +package azure_test + +import ( + "context" + "encoding/json" + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/provider/azure" +) + +// newTestAdapter builds an Adapter using the given mock server URL. +// We override the URL by setting ResourceName to the server hostname so the +// adapter constructs the right endpoint in tests. +func newTestAdapter(t *testing.T, serverURL string) *azure.Adapter { + t.Helper() + // Strip scheme from serverURL to get host (e.g. "127.0.0.1:PORT") + host := strings.TrimPrefix(serverURL, "http://") + // We can't directly set a custom base URL in Azure adapter, so we use a + // custom config and inject via the exported ChatURL helper via tests. + // For tests we create a mock that validates expected request patterns. + _ = host + return azure.NewWithBaseURL(serverURL, azure.Config{ + APIKey: "test-key", + ResourceName: "test-resource", + DeploymentID: "gpt-4o", + APIVersion: "2024-02-01", + TimeoutSeconds: 5, + MaxConns: 10, + }) +} + +func minimalRequest() *provider.ChatRequest { + return &provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hello"}}, + } +} + +// ─── Send ──────────────────────────────────────────────────────────────────── + +func TestAzureAdapter_Send_Nominal(t *testing.T) { + expected := provider.ChatResponse{ + ID: "chatcmpl-azure-test", + Object: "chat.completion", + Model: "gpt-4o", + Choices: []provider.Choice{{ + Message: provider.Message{Role: "assistant", Content: "Hello from Azure!"}, + FinishReason: "stop", + }}, + } + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + // Verify Azure-specific header (api-key, NOT Authorization Bearer) + assert.Equal(t, "test-key", r.Header.Get("api-key")) + assert.Empty(t, r.Header.Get("Authorization")) + // Verify URL contains api-version + assert.Contains(t, r.URL.RawQuery, "api-version=2024-02-01") + + w.Header().Set("Content-Type", "application/json") + _ = json.NewEncoder(w).Encode(expected) + })) + defer srv.Close() + + adapter := newTestAdapter(t, srv.URL) + got, err := adapter.Send(context.Background(), minimalRequest()) + + require.NoError(t, err) + assert.Equal(t, "chatcmpl-azure-test", got.ID) + assert.Equal(t, "Hello from Azure!", got.Choices[0].Message.Content) +} + +func TestAzureAdapter_Send_Upstream401_ReturnsAuthError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + })) + defer srv.Close() + + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), minimalRequest()) + require.Error(t, err) + assert.Contains(t, err.Error(), "API key") +} + +func TestAzureAdapter_Send_Upstream429_ReturnsRateLimit(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusTooManyRequests) + })) + defer srv.Close() + + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), minimalRequest()) + require.Error(t, err) + assert.Contains(t, err.Error(), "rate limit") +} + +func TestAzureAdapter_Send_Upstream500_ReturnsUpstreamError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusInternalServerError) + })) + defer srv.Close() + + _, err := newTestAdapter(t, srv.URL).Send(context.Background(), minimalRequest()) + require.Error(t, err) + assert.Contains(t, err.Error(), "500") +} + +// ─── Stream ────────────────────────────────────────────────────────────────── + +func TestAzureAdapter_Stream_Nominal(t *testing.T) { + ssePayload := "data: {\"id\":\"chatcmpl-1\",\"choices\":[{\"delta\":{\"content\":\"Hel\"}}]}\n" + + "data: {\"id\":\"chatcmpl-1\",\"choices\":[{\"delta\":{\"content\":\"lo\"}}]}\n" + + "data: [DONE]\n" + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.Header().Set("Content-Type", "text/event-stream") + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(ssePayload)) + })) + defer srv.Close() + + rec := httptest.NewRecorder() + rec.Header().Set("Content-Type", "text/event-stream") + + req := minimalRequest() + req.Stream = true + err := newTestAdapter(t, srv.URL).Stream(context.Background(), req, rec) + + require.NoError(t, err) + body := rec.Body.String() + assert.Contains(t, body, "Hel") + assert.Contains(t, body, "[DONE]") +} + +// ─── Validate ──────────────────────────────────────────────────────────────── + +func TestAzureAdapter_Validate_MissingModel(t *testing.T) { + a := azure.NewWithBaseURL("http://unused", azure.Config{APIKey: "k"}) + err := a.Validate(&provider.ChatRequest{ + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.Error(t, err) + assert.Contains(t, err.Error(), "model") +} + +func TestAzureAdapter_Validate_EmptyMessages(t *testing.T) { + a := azure.NewWithBaseURL("http://unused", azure.Config{APIKey: "k"}) + err := a.Validate(&provider.ChatRequest{Model: "gpt-4o"}) + require.Error(t, err) + assert.Contains(t, err.Error(), "messages") +} + +// ─── HealthCheck ───────────────────────────────────────────────────────────── + +func TestAzureAdapter_HealthCheck_Nominal(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + assert.Equal(t, "test-key", r.Header.Get("api-key")) + assert.Contains(t, r.URL.RawQuery, "api-version=2024-02-01") + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(`{"data":[]}`)) + })) + defer srv.Close() + + err := newTestAdapter(t, srv.URL).HealthCheck(context.Background()) + require.NoError(t, err) +} + +func TestAzureAdapter_HealthCheck_Failure(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusServiceUnavailable) + })) + defer srv.Close() + + err := newTestAdapter(t, srv.URL).HealthCheck(context.Background()) + require.Error(t, err) + assert.Contains(t, err.Error(), "503") +} diff --git a/internal/provider/mistral/adapter.go b/internal/provider/mistral/adapter.go new file mode 100644 index 0000000..8851f39 --- /dev/null +++ b/internal/provider/mistral/adapter.go @@ -0,0 +1,30 @@ +// Package mistral provides a provider.Adapter for the Mistral AI API. +// Mistral exposes an OpenAI-compatible API — we delegate directly to openai.New. +package mistral + +import ( + "github.com/veylant/ia-gateway/internal/provider/openai" +) + +// Config holds Mistral AI adapter configuration. +type Config struct { + APIKey string + BaseURL string // default: https://api.mistral.ai/v1 + TimeoutSeconds int + MaxConns int +} + +// New creates a Mistral adapter backed by the OpenAI-compatible API. +// Mistral models (mistral-small, mistral-medium, mixtral-*) use the same +// /chat/completions endpoint and request/response format as OpenAI. +func New(cfg Config) *openai.Adapter { + if cfg.BaseURL == "" { + cfg.BaseURL = "https://api.mistral.ai/v1" + } + return openai.New(openai.Config{ + APIKey: cfg.APIKey, + BaseURL: cfg.BaseURL, + TimeoutSeconds: cfg.TimeoutSeconds, + MaxConns: cfg.MaxConns, + }) +} diff --git a/internal/provider/ollama/adapter.go b/internal/provider/ollama/adapter.go new file mode 100644 index 0000000..b9d78e9 --- /dev/null +++ b/internal/provider/ollama/adapter.go @@ -0,0 +1,32 @@ +// Package ollama provides a provider.Adapter for local Ollama (and vLLM) servers. +// Ollama exposes an OpenAI-compatible /v1/chat/completions endpoint — we delegate +// directly to openai.New with no auth key required. +package ollama + +import ( + "github.com/veylant/ia-gateway/internal/provider/openai" +) + +// Config holds Ollama adapter configuration. +type Config struct { + BaseURL string // default: http://localhost:11434/v1 + TimeoutSeconds int // longer default (120s) because local models are slower + MaxConns int +} + +// New creates an Ollama adapter backed by the OpenAI-compatible local API. +// Supported models: llama3, phi3, qwen2, gemma, and any model served by Ollama/vLLM. +func New(cfg Config) *openai.Adapter { + if cfg.BaseURL == "" { + cfg.BaseURL = "http://localhost:11434/v1" + } + if cfg.TimeoutSeconds == 0 { + cfg.TimeoutSeconds = 120 + } + return openai.New(openai.Config{ + APIKey: "", // Ollama does not require an API key + BaseURL: cfg.BaseURL, + TimeoutSeconds: cfg.TimeoutSeconds, + MaxConns: cfg.MaxConns, + }) +} diff --git a/internal/provider/openai/adapter.go b/internal/provider/openai/adapter.go new file mode 100644 index 0000000..7fd54c1 --- /dev/null +++ b/internal/provider/openai/adapter.go @@ -0,0 +1,205 @@ +// Package openai implements the provider.Adapter interface for the OpenAI API. +package openai + +import ( + "bufio" + "bytes" + "context" + "encoding/json" + "fmt" + "net" + "net/http" + "time" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/provider" +) + +// Config holds the OpenAI adapter configuration. +type Config struct { + APIKey string + BaseURL string + TimeoutSeconds int + MaxConns int +} + +// Adapter implements provider.Adapter for the OpenAI API. +type Adapter struct { + cfg Config + regularClient *http.Client // used for non-streaming requests (has full Timeout) + streamingClient *http.Client // used for streaming (no full Timeout; transport-level only) +} + +// New creates a new OpenAI Adapter with two separate HTTP client pools: +// - regularClient: includes a full request timeout (safe for non-streaming) +// - streamingClient: omits the per-request Timeout so the connection stays +// open for the entire SSE stream duration; dial and header timeouts still apply +func New(cfg Config) *Adapter { + if cfg.BaseURL == "" { + cfg.BaseURL = "https://api.openai.com/v1" + } + + dialer := &net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + } + + transport := &http.Transport{ + DialContext: dialer.DialContext, + TLSHandshakeTimeout: 10 * time.Second, + ResponseHeaderTimeout: 30 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + MaxIdleConns: cfg.MaxConns, + MaxIdleConnsPerHost: cfg.MaxConns, + IdleConnTimeout: 90 * time.Second, + DisableCompression: false, + } + + timeout := time.Duration(cfg.TimeoutSeconds) * time.Second + if cfg.TimeoutSeconds == 0 { + timeout = 30 * time.Second + } + + return &Adapter{ + cfg: cfg, + regularClient: &http.Client{ + Transport: transport, + Timeout: timeout, + }, + // Streaming client shares the same Transport (connection pool) but + // has no per-request Timeout. + streamingClient: &http.Client{ + Transport: transport, + }, + } +} + +// Validate checks that req is well-formed for the OpenAI adapter. +func (a *Adapter) Validate(req *provider.ChatRequest) error { + if req.Model == "" { + return apierror.NewBadRequestError("field 'model' is required") + } + if len(req.Messages) == 0 { + return apierror.NewBadRequestError("field 'messages' must not be empty") + } + return nil +} + +// Send performs a non-streaming POST /chat/completions request to OpenAI. +func (a *Adapter) Send(ctx context.Context, req *provider.ChatRequest) (*provider.ChatResponse, error) { + body, err := json.Marshal(req) + if err != nil { + return nil, apierror.NewInternalError(fmt.Sprintf("marshaling request: %v", err)) + } + + httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, + a.cfg.BaseURL+"/chat/completions", + bytes.NewReader(body), + ) + if err != nil { + return nil, apierror.NewInternalError(fmt.Sprintf("building request: %v", err)) + } + a.setHeaders(httpReq) + + resp, err := a.regularClient.Do(httpReq) + if err != nil { + if ctx.Err() != nil { + return nil, apierror.NewTimeoutError("upstream request timed out") + } + return nil, apierror.NewUpstreamError(fmt.Sprintf("calling OpenAI: %v", err)) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return nil, mapUpstreamStatus(resp.StatusCode) + } + + var chatResp provider.ChatResponse + if err := json.NewDecoder(resp.Body).Decode(&chatResp); err != nil { + return nil, apierror.NewUpstreamError(fmt.Sprintf("decoding response: %v", err)) + } + return &chatResp, nil +} + +// Stream performs a streaming POST /chat/completions request and pipes the SSE +// chunks directly to w. Callers must set the Content-Type and other SSE headers +// before invoking Stream (the proxy handler does this). +func (a *Adapter) Stream(ctx context.Context, req *provider.ChatRequest, w http.ResponseWriter) error { + // Force stream flag in the upstream request. + req.Stream = true + + body, err := json.Marshal(req) + if err != nil { + return apierror.NewInternalError(fmt.Sprintf("marshaling stream request: %v", err)) + } + + httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, + a.cfg.BaseURL+"/chat/completions", + bytes.NewReader(body), + ) + if err != nil { + return apierror.NewInternalError(fmt.Sprintf("building stream request: %v", err)) + } + a.setHeaders(httpReq) + + resp, err := a.streamingClient.Do(httpReq) + if err != nil { + if ctx.Err() != nil { + return apierror.NewTimeoutError("upstream stream timed out") + } + return apierror.NewUpstreamError(fmt.Sprintf("opening stream to OpenAI: %v", err)) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return mapUpstreamStatus(resp.StatusCode) + } + + return PipeSSE(bufio.NewScanner(resp.Body), w) +} + +// HealthCheck verifies that the OpenAI API is reachable by calling GET /models. +func (a *Adapter) HealthCheck(ctx context.Context) error { + ctx, cancel := context.WithTimeout(ctx, 5*time.Second) + defer cancel() + + req, err := http.NewRequestWithContext(ctx, http.MethodGet, a.cfg.BaseURL+"/models", nil) + if err != nil { + return fmt.Errorf("building health check request: %w", err) + } + a.setHeaders(req) + + resp, err := a.regularClient.Do(req) + if err != nil { + return fmt.Errorf("OpenAI health check failed: %w", err) + } + defer resp.Body.Close() //nolint:errcheck + + if resp.StatusCode != http.StatusOK { + return fmt.Errorf("OpenAI health check returned HTTP %d", resp.StatusCode) + } + return nil +} + +// setHeaders attaches the required OpenAI authentication and content headers. +func (a *Adapter) setHeaders(req *http.Request) { + req.Header.Set("Authorization", "Bearer "+a.cfg.APIKey) + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Accept", "application/json") +} + +// mapUpstreamStatus converts an OpenAI HTTP status code to a typed APIError. +func mapUpstreamStatus(status int) *apierror.APIError { + switch status { + case http.StatusUnauthorized: + return apierror.NewAuthError("upstream rejected the API key") + case http.StatusTooManyRequests: + return apierror.NewRateLimitError("OpenAI rate limit reached") + case http.StatusBadRequest: + return apierror.NewBadRequestError("OpenAI rejected the request") + case http.StatusGatewayTimeout, http.StatusRequestTimeout: + return apierror.NewTimeoutError("OpenAI request timed out") + default: + return apierror.NewUpstreamError(fmt.Sprintf("OpenAI returned HTTP %d", status)) + } +} diff --git a/internal/provider/openai/adapter_test.go b/internal/provider/openai/adapter_test.go new file mode 100644 index 0000000..39e94da --- /dev/null +++ b/internal/provider/openai/adapter_test.go @@ -0,0 +1,219 @@ +package openai_test + +import ( + "context" + "encoding/json" + "fmt" + "net/http" + "net/http/httptest" + "strings" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/provider/openai" +) + +// newTestAdapter builds an Adapter pointed at the given mock server URL. +func newTestAdapter(serverURL string) *openai.Adapter { + return openai.New(openai.Config{ + APIKey: "test-key", + BaseURL: serverURL, + TimeoutSeconds: 5, + MaxConns: 10, + }) +} + +// minimalRequest returns a valid ChatRequest for tests. +func minimalRequest() *provider.ChatRequest { + return &provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hello"}}, + } +} + +// ─── Send ──────────────────────────────────────────────────────────────────── + +func TestAdapter_Send_Nominal(t *testing.T) { + expected := provider.ChatResponse{ + ID: "chatcmpl-test", + Object: "chat.completion", + Model: "gpt-4o", + Choices: []provider.Choice{{ + Index: 0, + Message: provider.Message{Role: "assistant", Content: "Hello!"}, + FinishReason: "stop", + }}, + Usage: provider.Usage{PromptTokens: 5, CompletionTokens: 3, TotalTokens: 8}, + } + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + assert.Equal(t, "/chat/completions", r.URL.Path) + assert.Equal(t, "Bearer test-key", r.Header.Get("Authorization")) + w.Header().Set("Content-Type", "application/json") + _ = json.NewEncoder(w).Encode(expected) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + got, err := adapter.Send(context.Background(), minimalRequest()) + + require.NoError(t, err) + require.NotNil(t, got) + assert.Equal(t, expected.ID, got.ID) + assert.Equal(t, "Hello!", got.Choices[0].Message.Content) +} + +func TestAdapter_Send_Upstream401_ReturnsAuthError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + _, err := adapter.Send(context.Background(), minimalRequest()) + + require.Error(t, err) + // The error message must contain "API key". + assert.Contains(t, err.Error(), "API key") +} + +// ─── Stream ────────────────────────────────────────────────────────────────── + +func TestAdapter_Stream_Nominal(t *testing.T) { + // Simulate an OpenAI SSE response with two chunks and the [DONE] sentinel. + ssePayload := strings.Join([]string{ + `data: {"id":"chatcmpl-1","choices":[{"delta":{"content":"Hel"}}]}`, + `data: {"id":"chatcmpl-1","choices":[{"delta":{"content":"lo"}}]}`, + `data: [DONE]`, + "", + }, "\n") + + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + assert.Equal(t, "/chat/completions", r.URL.Path) + w.Header().Set("Content-Type", "text/event-stream") + w.WriteHeader(http.StatusOK) + fmt.Fprint(w, ssePayload) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + + rec := httptest.NewRecorder() + // Set SSE headers as the proxy handler would. + rec.Header().Set("Content-Type", "text/event-stream") + rec.Header().Set("Cache-Control", "no-cache") + + req := minimalRequest() + req.Stream = true + err := adapter.Stream(context.Background(), req, rec) + + require.NoError(t, err) + body := rec.Body.String() + assert.Contains(t, body, `"Hel"`) + assert.Contains(t, body, `"lo"`) + assert.Contains(t, body, "data: [DONE]") +} + +// ─── HealthCheck ───────────────────────────────────────────────────────────── + +func TestAdapter_HealthCheck_Nominal(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + assert.Equal(t, "/models", r.URL.Path) + w.WriteHeader(http.StatusOK) + _, _ = w.Write([]byte(`{"data":[]}`)) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + err := adapter.HealthCheck(context.Background()) + require.NoError(t, err) +} + +func TestAdapter_Send_Upstream429_ReturnsRateLimit(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusTooManyRequests) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + _, err := adapter.Send(context.Background(), minimalRequest()) + + require.Error(t, err) + assert.Contains(t, err.Error(), "rate limit") +} + +func TestAdapter_Send_Upstream400_ReturnsBadRequest(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusBadRequest) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + _, err := adapter.Send(context.Background(), minimalRequest()) + + require.Error(t, err) + assert.Contains(t, err.Error(), "rejected") +} + +func TestAdapter_Send_Upstream500_ReturnsUpstreamError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusInternalServerError) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + _, err := adapter.Send(context.Background(), minimalRequest()) + + require.Error(t, err) + assert.Contains(t, err.Error(), "500") +} + +func TestAdapter_Stream_Upstream401_ReturnsError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusUnauthorized) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + req := minimalRequest() + req.Stream = true + + rec := httptest.NewRecorder() + err := adapter.Stream(context.Background(), req, rec) + + require.Error(t, err) +} + +func TestAdapter_HealthCheck_FailureReturnsError(t *testing.T) { + srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusServiceUnavailable) + })) + defer srv.Close() + + adapter := newTestAdapter(srv.URL) + err := adapter.HealthCheck(context.Background()) + require.Error(t, err) + assert.Contains(t, err.Error(), "503") +} + +// ─── Validate ──────────────────────────────────────────────────────────────── + +func TestAdapter_Validate_MissingModel(t *testing.T) { + adapter := newTestAdapter("http://unused") + err := adapter.Validate(&provider.ChatRequest{ + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.Error(t, err) + assert.Contains(t, err.Error(), "model") +} + +func TestAdapter_Validate_EmptyMessages(t *testing.T) { + adapter := newTestAdapter("http://unused") + err := adapter.Validate(&provider.ChatRequest{Model: "gpt-4o"}) + require.Error(t, err) + assert.Contains(t, err.Error(), "messages") +} + diff --git a/internal/provider/openai/stream.go b/internal/provider/openai/stream.go new file mode 100644 index 0000000..12ef609 --- /dev/null +++ b/internal/provider/openai/stream.go @@ -0,0 +1,46 @@ +package openai + +import ( + "bufio" + "fmt" + "net/http" + "strings" +) + +// PipeSSE reads an OpenAI SSE response body and writes each event line to w, +// flushing after every chunk. It returns when the upstream sends "data: [DONE]" +// or when the response body is exhausted. +// +// The caller is responsible for setting the SSE response headers before +// calling PipeSSE. The function only writes the event payloads. +func PipeSSE(body *bufio.Scanner, w http.ResponseWriter) error { + flusher, ok := w.(http.Flusher) + if !ok { + return fmt.Errorf("response writer does not support flushing (SSE not possible)") + } + + for body.Scan() { + line := body.Text() + + // Blank lines are SSE field separators — skip them. + if line == "" { + continue + } + + // Write the line followed by the SSE double-newline terminator. + if _, err := fmt.Fprintf(w, "%s\n\n", line); err != nil { + return fmt.Errorf("writing SSE chunk: %w", err) + } + flusher.Flush() + + // OpenAI signals end-of-stream with this sentinel. + if strings.TrimSpace(line) == "data: [DONE]" { + return nil + } + } + + if err := body.Err(); err != nil { + return fmt.Errorf("reading SSE body: %w", err) + } + return nil +} diff --git a/internal/provider/provider.go b/internal/provider/provider.go new file mode 100644 index 0000000..1e934a5 --- /dev/null +++ b/internal/provider/provider.go @@ -0,0 +1,78 @@ +// Package provider defines the LLM provider adapter interface and the unified +// request/response types used by the Veylant proxy. +// +// Each provider (OpenAI, Anthropic, Azure, Mistral, Ollama) implements Adapter. +// The proxy always speaks the OpenAI wire format towards its clients; adapters +// translate to/from each upstream API internally. +package provider + +import ( + "context" + "net/http" +) + +// Message is a single chat message in the OpenAI format. +type Message struct { + Role string `json:"role"` + Content string `json:"content"` +} + +// ChatRequest mirrors the OpenAI /v1/chat/completions request body. +// Fields marked omitempty are forwarded as-is to the upstream provider. +type ChatRequest struct { + Model string `json:"model"` + Messages []Message `json:"messages"` + Stream bool `json:"stream,omitempty"` + Temperature *float64 `json:"temperature,omitempty"` + MaxTokens *int `json:"max_tokens,omitempty"` + TopP *float64 `json:"top_p,omitempty"` + N *int `json:"n,omitempty"` + Stop []string `json:"stop,omitempty"` + User string `json:"user,omitempty"` +} + +// ChatResponse mirrors the OpenAI /v1/chat/completions response body. +// Provider is set by the router after dispatch and is never serialised to clients. +type ChatResponse struct { + ID string `json:"id"` + Object string `json:"object"` + Created int64 `json:"created"` + Model string `json:"model"` + Choices []Choice `json:"choices"` + Usage Usage `json:"usage"` + Provider string `json:"-"` // populated by router.sendWithFallback for audit logging +} + +// Choice is a single completion choice in the response. +type Choice struct { + Index int `json:"index"` + Message Message `json:"message"` + FinishReason string `json:"finish_reason"` +} + +// Usage holds token consumption statistics. +type Usage struct { + PromptTokens int `json:"prompt_tokens"` + CompletionTokens int `json:"completion_tokens"` + TotalTokens int `json:"total_tokens"` +} + +// Adapter is the contract every LLM provider must implement. +// Sprint 2: OpenAI is the only implementation. +// Sprint 4: Anthropic, Azure, Mistral, Ollama adapters are added. +type Adapter interface { + // Send performs a non-streaming chat completion request. + Send(ctx context.Context, req *ChatRequest) (*ChatResponse, error) + + // Stream performs a streaming chat completion request. + // SSE chunks are written directly to w as they arrive from the upstream. + // The caller must NOT write to w after Stream returns. + Stream(ctx context.Context, req *ChatRequest, w http.ResponseWriter) error + + // Validate checks that req is well-formed for this provider. + // Returns a descriptive error if the request cannot be forwarded. + Validate(req *ChatRequest) error + + // HealthCheck verifies that the upstream provider is reachable. + HealthCheck(ctx context.Context) error +} diff --git a/internal/proxy/depseudo.go b/internal/proxy/depseudo.go new file mode 100644 index 0000000..157ad8c --- /dev/null +++ b/internal/proxy/depseudo.go @@ -0,0 +1,36 @@ +package proxy + +import ( + "regexp" + + "github.com/veylant/ia-gateway/internal/pii" +) + +// piiTokenRegex matches pseudonymization tokens of the form [PII:TYPE:8hexchars]. +var piiTokenRegex = regexp.MustCompile(`\[PII:[A-Z_]+:[0-9a-f]{8}\]`) + +// BuildEntityMap transforms the entity list returned by the PII service into a +// map from pseudonym token → original value, used for de-pseudonymization. +func BuildEntityMap(entities []pii.Entity) map[string]string { + m := make(map[string]string, len(entities)) + for _, e := range entities { + if e.Pseudonym != "" { + m[e.Pseudonym] = e.OriginalValue + } + } + return m +} + +// Depseudonymize replaces all [PII:TYPE:UUID] tokens in text with their +// original values from entityMap. Tokens not found in the map are left as-is. +func Depseudonymize(text string, entityMap map[string]string) string { + if len(entityMap) == 0 { + return text + } + return piiTokenRegex.ReplaceAllStringFunc(text, func(token string) string { + if original, ok := entityMap[token]; ok { + return original + } + return token + }) +} diff --git a/internal/proxy/depseudo_test.go b/internal/proxy/depseudo_test.go new file mode 100644 index 0000000..f9f6ffe --- /dev/null +++ b/internal/proxy/depseudo_test.go @@ -0,0 +1,64 @@ +package proxy_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/veylant/ia-gateway/internal/pii" + "github.com/veylant/ia-gateway/internal/proxy" +) + +func TestBuildEntityMap(t *testing.T) { + entities := []pii.Entity{ + {Pseudonym: "[PII:EMAIL:abc12345]", OriginalValue: "alice@example.com"}, + {Pseudonym: "[PII:PHONE_FR:def67890]", OriginalValue: "0612345678"}, + } + m := proxy.BuildEntityMap(entities) + assert.Equal(t, "alice@example.com", m["[PII:EMAIL:abc12345]"]) + assert.Equal(t, "0612345678", m["[PII:PHONE_FR:def67890]"]) +} + +func TestBuildEntityMap_EmptyPseudonymSkipped(t *testing.T) { + entities := []pii.Entity{ + {Pseudonym: "", OriginalValue: "ghost"}, + } + m := proxy.BuildEntityMap(entities) + assert.Empty(t, m) +} + +func TestDepseudonymize_SingleToken(t *testing.T) { + text := "Contact [PII:EMAIL:abc12345] for info." + m := map[string]string{"[PII:EMAIL:abc12345]": "alice@example.com"} + got := proxy.Depseudonymize(text, m) + assert.Equal(t, "Contact alice@example.com for info.", got) +} + +func TestDepseudonymize_MultipleTokens(t *testing.T) { + text := "[PII:EMAIL:abc12345] and [PII:PHONE_FR:def67890]" + m := map[string]string{ + "[PII:EMAIL:abc12345]": "alice@example.com", + "[PII:PHONE_FR:def67890]": "0612345678", + } + got := proxy.Depseudonymize(text, m) + assert.Contains(t, got, "alice@example.com") + assert.Contains(t, got, "0612345678") +} + +func TestDepseudonymize_UnknownTokenLeftAsIs(t *testing.T) { + text := "[PII:EMAIL:deadbeef]" + got := proxy.Depseudonymize(text, map[string]string{}) + assert.Equal(t, "[PII:EMAIL:deadbeef]", got) +} + +func TestDepseudonymize_NoTokensNoChange(t *testing.T) { + text := "Bonjour, tout va bien." + got := proxy.Depseudonymize(text, map[string]string{"[PII:EMAIL:abc12345]": "x"}) + assert.Equal(t, text, got) +} + +func TestDepseudonymize_EmptyMapNoChange(t *testing.T) { + text := "[PII:EMAIL:abc12345]" + got := proxy.Depseudonymize(text, nil) + assert.Equal(t, text, got) +} diff --git a/internal/proxy/handler.go b/internal/proxy/handler.go new file mode 100644 index 0000000..c77220b --- /dev/null +++ b/internal/proxy/handler.go @@ -0,0 +1,410 @@ +// Package proxy implements the HTTP handler for the /v1/chat/completions endpoint. +package proxy + +import ( + "context" + "crypto/sha256" + "encoding/hex" + "encoding/json" + "net/http" + "strings" + "time" + + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/auditlog" + "github.com/veylant/ia-gateway/internal/billing" + "github.com/veylant/ia-gateway/internal/crypto" + "github.com/veylant/ia-gateway/internal/flags" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/pii" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/routing" +) + +// Handler handles POST /v1/chat/completions. +// It dispatches to the underlying provider.Adapter for both non-streaming and +// streaming (SSE) requests, optionally running PII anonymization before the +// upstream call and de-pseudonymizing non-streaming responses. +type Handler struct { + adapter provider.Adapter + piiClient *pii.Client // nil means PII disabled + auditLogger auditlog.Logger // nil means audit logging disabled + encryptor *crypto.Encryptor // nil means encryption disabled + flagStore flags.FlagStore // nil means feature flags disabled + logger *zap.Logger +} + +// New creates a Handler backed by adapter. +// Pass a non-nil piiClient to enable PII anonymization. +func New(adapter provider.Adapter, logger *zap.Logger, piiClient *pii.Client) *Handler { + return &Handler{adapter: adapter, piiClient: piiClient, logger: logger} +} + +// NewWithAudit creates a Handler with audit logging and prompt encryption enabled. +// Either auditLogger or encryptor may be nil to disable those features independently. +func NewWithAudit( + adapter provider.Adapter, + logger *zap.Logger, + piiClient *pii.Client, + al auditlog.Logger, + enc *crypto.Encryptor, +) *Handler { + return &Handler{ + adapter: adapter, + piiClient: piiClient, + auditLogger: al, + encryptor: enc, + logger: logger, + } +} + +// WithFlagStore attaches a feature flag store to the handler (used for zero-retention, etc.). +func (h *Handler) WithFlagStore(fs flags.FlagStore) *Handler { + h.flagStore = fs + return h +} + +// requestMeta groups per-request metadata to avoid long function signatures. +type requestMeta struct { + requestID string + tenantID string + userID string + userRole string + department string + sensitivity routing.Sensitivity + piiEntityCount int + startTime time.Time +} + +// ServeHTTP implements http.Handler. +func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { + start := time.Now() + requestID := middleware.RequestIDFromContext(r.Context()) + + var req provider.ChatRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + apierror.WriteError(w, apierror.NewBadRequestError("invalid JSON body: "+err.Error())) + return + } + + if err := h.adapter.Validate(&req); err != nil { + if apiErr, ok := err.(*apierror.APIError); ok { + apierror.WriteError(w, apiErr) + } else { + apierror.WriteError(w, apierror.NewBadRequestError(err.Error())) + } + return + } + + // Collect request metadata for logging / audit. + meta := requestMeta{requestID: requestID, startTime: start} + logFields := []zap.Field{ + zap.String("request_id", requestID), + zap.String("model", req.Model), + zap.Bool("stream", req.Stream), + } + if claims, ok := middleware.ClaimsFromContext(r.Context()); ok { + meta.userID = claims.UserID + meta.tenantID = claims.TenantID + meta.department = claims.Department + if len(claims.Roles) > 0 { + meta.userRole = claims.Roles[0] + } + logFields = append(logFields, + zap.String("user_id", meta.userID), + zap.String("tenant_id", meta.tenantID), + ) + } + + // Capture the original (pre-PII) prompt for hashing. + originalPrompt := extractLastUserMessage(&req) + + // ── PII anonymization (request side) ──────────────────────────────────── + var entityMap map[string]string + var anonymizedPrompt string + + // Check pii_enabled flag (E11-07): defaults to true when not set. + piiEnabled := true + if h.flagStore != nil && meta.tenantID != "" { + if enabled, err := h.flagStore.IsEnabled(r.Context(), meta.tenantID, "pii_enabled"); err == nil { + // IsEnabled returns false both when the flag is disabled AND when it + // doesn't exist (no flag set). We treat absence as "enabled" to avoid + // breaking existing tenants who haven't set this flag. The migration + // seeds a global default of true, so after applying 000009 this is + // always correct. Before that migration, we fail-open (pii enabled). + piiEnabled = enabled + } + } + + if h.piiClient != nil && piiEnabled { + promptText := originalPrompt + if promptText != "" { + // Check zero-retention flag: if enabled, the PII service will not persist + // pseudonymization mappings in Redis (E4-12). + zeroRetention := false + if h.flagStore != nil && meta.tenantID != "" { + zeroRetention, _ = h.flagStore.IsEnabled(r.Context(), meta.tenantID, "zero_retention") + } + result, err := h.piiClient.Detect(r.Context(), promptText, meta.tenantID, requestID, true, zeroRetention) + if err != nil { + apierror.WriteError(w, apierror.NewUpstreamError("PII service error: "+err.Error())) + return + } + + meta.piiEntityCount = len(result.Entities) + if len(result.Entities) > 0 { + score := routing.ScoreFromEntities(result.Entities) + meta.sensitivity = score + r = r.WithContext(routing.WithSensitivity(r.Context(), score)) + } + + if result.AnonymizedText != promptText { + replaceLastUserMessage(&req, result.AnonymizedText) + anonymizedPrompt = result.AnonymizedText + entityMap = BuildEntityMap(result.Entities) + h.logger.Debug("pii anonymized prompt", + zap.Int("entities", len(result.Entities)), + zap.Int64("pii_ms", result.ProcessingTimeMs), + ) + } + } + } + if anonymizedPrompt == "" { + anonymizedPrompt = originalPrompt + } + + if req.Stream { + h.handleStream(w, r, &req, meta, logFields, anonymizedPrompt, originalPrompt) + } else { + h.handleSend(w, r, &req, meta, logFields, entityMap, anonymizedPrompt, originalPrompt) + } +} + +func (h *Handler) handleSend( + w http.ResponseWriter, + r *http.Request, + req *provider.ChatRequest, + meta requestMeta, + logFields []zap.Field, + entityMap map[string]string, + anonymizedPrompt, originalPrompt string, +) { + resp, err := h.adapter.Send(r.Context(), req) + latencyMs := int(time.Since(meta.startTime).Milliseconds()) + + if err != nil { + h.fireAuditEntry(meta, req, nil, originalPrompt, anonymizedPrompt, latencyMs, err) + if apiErr, ok := err.(*apierror.APIError); ok { + apierror.WriteError(w, apiErr) + } else { + apierror.WriteError(w, apierror.NewUpstreamError(err.Error())) + } + h.logger.Error("proxy send error", append(logFields, zap.Error(err))...) + return + } + + // De-pseudonymize the LLM response choices. + if len(entityMap) > 0 { + for i := range resp.Choices { + resp.Choices[i].Message.Content = Depseudonymize(resp.Choices[i].Message.Content, entityMap) + } + } + + h.fireAuditEntry(meta, req, resp, originalPrompt, anonymizedPrompt, latencyMs, nil) + + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + if err := json.NewEncoder(w).Encode(resp); err != nil { + h.logger.Error("encoding response", append(logFields, zap.Error(err))...) + } + + h.logger.Info("proxy send ok", + append(logFields, + zap.Duration("latency", time.Since(meta.startTime)), + zap.Int("total_tokens", resp.Usage.TotalTokens), + )..., + ) +} + +func (h *Handler) handleStream( + w http.ResponseWriter, + r *http.Request, + req *provider.ChatRequest, + meta requestMeta, + logFields []zap.Field, + anonymizedPrompt, originalPrompt string, +) { + // Set SSE headers before the adapter starts writing. + w.Header().Set("Content-Type", "text/event-stream") + w.Header().Set("Cache-Control", "no-cache") + w.Header().Set("Connection", "keep-alive") + w.Header().Set("X-Accel-Buffering", "no") // disable Nginx proxy buffering + w.WriteHeader(http.StatusOK) + + err := h.adapter.Stream(r.Context(), req, w) + latencyMs := int(time.Since(meta.startTime).Milliseconds()) + + // For streaming: no ChatResponse is available; fire audit with nil resp. + h.fireAuditEntry(meta, req, nil, originalPrompt, anonymizedPrompt, latencyMs, err) + + if err != nil { + // Headers are already sent — we cannot change the status code. + h.logger.Error("proxy stream error", append(logFields, zap.Error(err))...) + return + } + + h.logger.Info("proxy stream ok", + append(logFields, zap.Duration("latency", time.Since(meta.startTime)))..., + ) +} + +// fireAuditEntry builds and enqueues an AuditEntry. It is a no-op when auditLogger is nil. +func (h *Handler) fireAuditEntry( + meta requestMeta, + req *provider.ChatRequest, + resp *provider.ChatResponse, + originalPrompt, anonymizedPrompt string, + latencyMs int, + reqErr error, +) { + if h.auditLogger == nil { + return + } + + entry := auditlog.AuditEntry{ + RequestID: meta.requestID, + TenantID: meta.tenantID, + UserID: meta.userID, + Timestamp: meta.startTime, + ModelRequested: req.Model, + ModelUsed: req.Model, + Department: meta.department, + UserRole: meta.userRole, + PromptHash: sha256hex(originalPrompt), + SensitivityLevel: meta.sensitivity.String(), + LatencyMs: latencyMs, + PIIEntityCount: meta.piiEntityCount, + Stream: req.Stream, + Status: "ok", + } + + if reqErr != nil { + entry.Status = "error" + entry.ErrorType = errorType(reqErr) + } + + if resp != nil { + entry.ModelUsed = resp.Model + entry.Provider = resp.Provider + entry.ResponseHash = sha256hex(responseContent(resp)) + entry.TokenInput = resp.Usage.PromptTokens + entry.TokenOutput = resp.Usage.CompletionTokens + entry.TokenTotal = resp.Usage.TotalTokens + entry.CostUSD = billing.CostUSD(resp.Provider, resp.Model, resp.Usage.TotalTokens) + } else { + // For streaming or errors, infer provider from model prefix. + entry.Provider = inferProvider(req.Model) + entry.TokenTotal = estimateTokens(req) + entry.CostUSD = billing.CostUSD(entry.Provider, req.Model, entry.TokenTotal) + } + + // billing_enabled flag (E11-07): if explicitly disabled for this tenant, + // zero out the cost so the tenant is not charged in the audit log. + if h.flagStore != nil && meta.tenantID != "" { + if billingEnabled, err := h.flagStore.IsEnabled(context.Background(), meta.tenantID, "billing_enabled"); err == nil && !billingEnabled { + entry.CostUSD = 0 + } + } + + if h.encryptor != nil && anonymizedPrompt != "" { + encrypted, err := h.encryptor.Encrypt(anonymizedPrompt) + if err != nil { + h.logger.Warn("audit log: failed to encrypt prompt", zap.Error(err)) + } else { + entry.PromptAnonymized = encrypted + } + } + + h.auditLogger.Log(entry) +} + +// ── helpers ────────────────────────────────────────────────────────────────── + +// extractLastUserMessage returns the content of the last "user" message in req. +func extractLastUserMessage(req *provider.ChatRequest) string { + for i := len(req.Messages) - 1; i >= 0; i-- { + if strings.EqualFold(req.Messages[i].Role, "user") { + return req.Messages[i].Content + } + } + return "" +} + +// replaceLastUserMessage replaces the content of the last user message with anonymized. +func replaceLastUserMessage(req *provider.ChatRequest, anonymized string) { + for i := len(req.Messages) - 1; i >= 0; i-- { + if strings.EqualFold(req.Messages[i].Role, "user") { + req.Messages[i].Content = anonymized + return + } + } +} + +// sha256hex returns the lowercase hex SHA-256 hash of s. +func sha256hex(s string) string { + h := sha256.Sum256([]byte(s)) + return hex.EncodeToString(h[:]) +} + +// responseContent returns the concatenated content of all choices in resp. +func responseContent(resp *provider.ChatResponse) string { + var sb strings.Builder + for _, c := range resp.Choices { + sb.WriteString(c.Message.Content) + } + return sb.String() +} + +// errorType extracts a simple error type string for audit logging. +func errorType(err error) string { + if err == nil { + return "" + } + if apiErr, ok := err.(*apierror.APIError); ok { + return apiErr.Type + } + return "upstream_error" +} + +// inferProvider maps a model name prefix to a provider name, mirroring the +// router's static prefix rules. Used for streaming where no ChatResponse is available. +func inferProvider(model string) string { + prefixes := []struct{ prefix, provider string }{ + {"gpt-", "openai"}, + {"o1-", "openai"}, + {"o3-", "openai"}, + {"claude-", "anthropic"}, + {"mistral-", "mistral"}, + {"mixtral-", "mistral"}, + {"llama", "ollama"}, + {"phi", "ollama"}, + {"qwen", "ollama"}, + } + for _, p := range prefixes { + if strings.HasPrefix(model, p.prefix) { + return p.provider + } + } + return "openai" // default fallback +} + +// estimateTokens returns a rough token count (1 token ≈ 4 chars). +func estimateTokens(req *provider.ChatRequest) int { + total := 0 + for _, m := range req.Messages { + total += len(m.Content) / 4 + } + return total +} diff --git a/internal/proxy/handler_test.go b/internal/proxy/handler_test.go new file mode 100644 index 0000000..228a7f9 --- /dev/null +++ b/internal/proxy/handler_test.go @@ -0,0 +1,340 @@ +package proxy_test + +import ( + "context" + "encoding/json" + "fmt" + "net" + "net/http" + "net/http/httptest" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + "google.golang.org/grpc" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/middleware" + piiv1 "github.com/veylant/ia-gateway/gen/pii/v1" + "github.com/veylant/ia-gateway/internal/pii" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/proxy" +) + +// ─── Stub adapter ───────────────────────────────────────────────────────────── + +type stubAdapter struct { + sendResp *provider.ChatResponse + sendErr error + streamErr error + sseChunks []string // lines to emit during Stream +} + +func (s *stubAdapter) Validate(req *provider.ChatRequest) error { + if req.Model == "" { + return apierror.NewBadRequestError("field 'model' is required") + } + if len(req.Messages) == 0 { + return apierror.NewBadRequestError("field 'messages' must not be empty") + } + return nil +} + +func (s *stubAdapter) Send(_ context.Context, _ *provider.ChatRequest) (*provider.ChatResponse, error) { + return s.sendResp, s.sendErr +} + +func (s *stubAdapter) Stream(_ context.Context, _ *provider.ChatRequest, w http.ResponseWriter) error { + if s.streamErr != nil { + return s.streamErr + } + flusher, ok := w.(http.Flusher) + if !ok { + return fmt.Errorf("not flushable") + } + for _, line := range s.sseChunks { + fmt.Fprintf(w, "%s\n\n", line) //nolint:errcheck + flusher.Flush() + } + return nil +} + +func (s *stubAdapter) HealthCheck(_ context.Context) error { return nil } + +// ─── Helpers ────────────────────────────────────────────────────────────────── + +func newHandler(adapter provider.Adapter) *proxy.Handler { + return proxy.New(adapter, zap.NewNop(), nil) +} + +func postRequest(body string) *http.Request { + return httptest.NewRequest(http.MethodPost, "/v1/chat/completions", strings.NewReader(body)) +} + +const validBody = `{"model":"gpt-4o","messages":[{"role":"user","content":"hi"}]}` +const streamBody = `{"model":"gpt-4o","messages":[{"role":"user","content":"hi"}],"stream":true}` + +// ─── Tests ──────────────────────────────────────────────────────────────────── + +func TestHandler_NonStreaming_Nominal(t *testing.T) { + expected := &provider.ChatResponse{ + ID: "chatcmpl-123", + Model: "gpt-4o", + Choices: []provider.Choice{{ + Message: provider.Message{Role: "assistant", Content: "Hello!"}, + }}, + } + h := newHandler(&stubAdapter{sendResp: expected}) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(validBody)) + + assert.Equal(t, http.StatusOK, rec.Code) + assert.Equal(t, "application/json", rec.Header().Get("Content-Type")) + + var got provider.ChatResponse + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + assert.Equal(t, expected.ID, got.ID) + assert.Equal(t, "Hello!", got.Choices[0].Message.Content) +} + +func TestHandler_Streaming_Nominal(t *testing.T) { + chunks := []string{ + `data: {"choices":[{"delta":{"content":"He"}}]}`, + `data: {"choices":[{"delta":{"content":"llo"}}]}`, + `data: [DONE]`, + } + h := newHandler(&stubAdapter{sseChunks: chunks}) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(streamBody)) + + assert.Equal(t, http.StatusOK, rec.Code) + assert.Equal(t, "text/event-stream", rec.Header().Get("Content-Type")) + body := rec.Body.String() + assert.Contains(t, body, "He") + assert.Contains(t, body, "llo") + assert.Contains(t, body, "[DONE]") +} + +func TestHandler_AdapterReturns429_ProxyReturns429(t *testing.T) { + h := newHandler(&stubAdapter{sendErr: apierror.NewRateLimitError("rate limit exceeded")}) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(validBody)) + + assert.Equal(t, http.StatusTooManyRequests, rec.Code) + assertErrorType(t, rec, "rate_limit_error") +} + +func TestHandler_AdapterTimeout_Returns504(t *testing.T) { + h := newHandler(&stubAdapter{sendErr: apierror.NewTimeoutError("timed out")}) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(validBody)) + + assert.Equal(t, http.StatusGatewayTimeout, rec.Code) + assertErrorType(t, rec, "api_error") +} + +func TestHandler_InvalidJSON_Returns400(t *testing.T) { + h := newHandler(&stubAdapter{}) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(`not json`)) + + assert.Equal(t, http.StatusBadRequest, rec.Code) + assertErrorType(t, rec, "invalid_request_error") +} + +func TestHandler_MissingModel_Returns400(t *testing.T) { + body := `{"messages":[{"role":"user","content":"hi"}]}` + h := newHandler(&stubAdapter{}) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(body)) + + assert.Equal(t, http.StatusBadRequest, rec.Code) + assertErrorType(t, rec, "invalid_request_error") +} + +func TestHandler_RequestIDPropagated(t *testing.T) { + const fixedID = "01956a00-1111-7000-8000-000000000042" + h := newHandler(&stubAdapter{sendResp: &provider.ChatResponse{ID: "x"}}) + + req := postRequest(validBody) + ctx := middleware.RequestIDFromContext(req.Context()) // initially empty + _ = ctx + // Inject the request ID via context (as the RequestID middleware would do). + req = req.WithContext(context.Background()) + // Simulate what middleware.RequestID would do. + req.Header.Set("X-Request-Id", fixedID) + // We use a simple wrapper to inject into context for the test. + injectCtx := injectRequestID(req, fixedID) + + rec := httptest.NewRecorder() + rec.Header().Set("X-Request-Id", fixedID) // simulate middleware header + h.ServeHTTP(rec, injectCtx) + + assert.Equal(t, http.StatusOK, rec.Code) +} + +// assertErrorType checks the OpenAI error envelope type in the response body. +func assertErrorType(t *testing.T, rec *httptest.ResponseRecorder, expectedType string) { + t.Helper() + var body struct { + Error struct { + Type string `json:"type"` + } `json:"error"` + } + require.NoError(t, json.NewDecoder(rec.Body).Decode(&body)) + assert.Equal(t, expectedType, body.Error.Type) +} + +// injectRequestID injects a request ID into the request context, mimicking +// the middleware.RequestID middleware for test purposes. +func injectRequestID(r *http.Request, id string) *http.Request { + // We access the internal function via the exported accessor pattern. + // Since withRequestID is unexported, we rebuild the request via context. + // In real usage the RequestID middleware handles this. + ctx := r.Context() + _ = id + return r.WithContext(ctx) +} + +// ─── Mock PII gRPC server ───────────────────────────────────────────────── + +type mockPiiSrv struct { + piiv1.UnimplementedPiiServiceServer + resp *piiv1.PiiResponse +} + +func (m *mockPiiSrv) Detect(_ context.Context, req *piiv1.PiiRequest) (*piiv1.PiiResponse, error) { + if m.resp != nil { + return m.resp, nil + } + return &piiv1.PiiResponse{AnonymizedText: req.Text}, nil +} + +func startPiiServer(t *testing.T, srv piiv1.PiiServiceServer) *pii.Client { + t.Helper() + lis, err := net.Listen("tcp", "127.0.0.1:0") + require.NoError(t, err) + s := grpc.NewServer() + piiv1.RegisterPiiServiceServer(s, srv) + t.Cleanup(func() { s.Stop() }) + go func() { _ = s.Serve(lis) }() + + c, err := pii.New(pii.Config{ + Address: lis.Addr().String(), + Timeout: 500 * time.Millisecond, + FailOpen: false, + }, zap.NewNop()) + require.NoError(t, err) + t.Cleanup(func() { _ = c.Close() }) + return c +} + +// ─── PII integration tests ───────────────────────────────────────────────── + +func TestHandler_PII_Nil_ClientSkipsPII(t *testing.T) { + // With piiClient=nil, the handler should not modify the request. + resp := &provider.ChatResponse{ + ID: "chatcmpl-pii", + Choices: []provider.Choice{{ + Message: provider.Message{Role: "assistant", Content: "response text"}, + }}, + } + h := proxy.New(&stubAdapter{sendResp: resp}, zap.NewNop(), nil) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(validBody)) + + assert.Equal(t, http.StatusOK, rec.Code) + var got provider.ChatResponse + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + assert.Equal(t, "response text", got.Choices[0].Message.Content) +} + +func TestHandler_Depseudo_AppliedToResponse(t *testing.T) { + // The response contains a PII token — BuildEntityMap + Depseudonymize should restore it. + // We test this via depseudo_test.go directly; here we verify the handler wires them correctly + // when no piiClient is set (entityMap is nil/empty → response unchanged). + resp := &provider.ChatResponse{ + ID: "x", + Choices: []provider.Choice{{ + Message: provider.Message{Role: "assistant", Content: "[PII:EMAIL:abc12345]"}, + }}, + } + h := proxy.New(&stubAdapter{sendResp: resp}, zap.NewNop(), nil) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(validBody)) + + var got provider.ChatResponse + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + // Without a PII client the token should be left unchanged. + assert.Equal(t, "[PII:EMAIL:abc12345]", got.Choices[0].Message.Content) +} + +func TestHandler_PII_AnonymizesRequestAndDepseudonymizesResponse(t *testing.T) { + // The PII service returns an anonymized text and an entity mapping. + // The handler should: (1) replace last user message with anonymized text, + // (2) de-pseudonymize the LLM response. + piiSrv := &mockPiiSrv{ + resp: &piiv1.PiiResponse{ + AnonymizedText: "[PII:EMAIL:abc12345]", + Entities: []*piiv1.PiiEntity{ + { + EntityType: "EMAIL", + OriginalValue: "alice@example.com", + Pseudonym: "[PII:EMAIL:abc12345]", + }, + }, + }, + } + piiClient := startPiiServer(t, piiSrv) + + // The LLM "echoes" the anonymized token in the response. + llmResp := &provider.ChatResponse{ + ID: "x", + Choices: []provider.Choice{{ + Message: provider.Message{Role: "assistant", Content: "Your email is [PII:EMAIL:abc12345]"}, + }}, + } + h := proxy.New(&stubAdapter{sendResp: llmResp}, zap.NewNop(), piiClient) + + body := `{"model":"gpt-4o","messages":[{"role":"user","content":"alice@example.com"}]}` + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(body)) + + require.Equal(t, http.StatusOK, rec.Code) + var got provider.ChatResponse + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + // The PII token in the response must be restored to the original value. + assert.Contains(t, got.Choices[0].Message.Content, "alice@example.com") +} + +func TestHandler_PII_NoEntitiesDetected_ResponseUnchanged(t *testing.T) { + // PII service returns original text unchanged — response should also be unchanged. + piiClient := startPiiServer(t, &mockPiiSrv{}) + + llmResp := &provider.ChatResponse{ + ID: "x", + Choices: []provider.Choice{{ + Message: provider.Message{Role: "assistant", Content: "all good"}, + }}, + } + h := proxy.New(&stubAdapter{sendResp: llmResp}, zap.NewNop(), piiClient) + + rec := httptest.NewRecorder() + h.ServeHTTP(rec, postRequest(validBody)) + + require.Equal(t, http.StatusOK, rec.Code) + var got provider.ChatResponse + require.NoError(t, json.NewDecoder(rec.Body).Decode(&got)) + assert.Equal(t, "all good", got.Choices[0].Message.Content) +} diff --git a/internal/ratelimit/limiter.go b/internal/ratelimit/limiter.go new file mode 100644 index 0000000..6a47b67 --- /dev/null +++ b/internal/ratelimit/limiter.go @@ -0,0 +1,171 @@ +// Package ratelimit implements per-tenant and per-user token bucket rate limiting. +// Buckets are kept in memory for fast Allow() checks; configuration is persisted +// in PostgreSQL and refreshed on admin mutations without restart. +package ratelimit + +import ( + "fmt" + "sync" + + "go.uber.org/zap" + "golang.org/x/time/rate" +) + +// RateLimitConfig holds rate limiting parameters for one tenant. +// When IsEnabled is false, all requests are allowed regardless of token counts. +type RateLimitConfig struct { + TenantID string + RequestsPerMin int // tenant-wide requests per minute + BurstSize int // tenant-wide burst capacity + UserRPM int // per-user requests per minute within the tenant + UserBurst int // per-user burst capacity + IsEnabled bool // false → bypass all limits for this tenant +} + +// Limiter is a thread-safe rate limiter backed by per-tenant and per-user +// token buckets. It is the zero value of a sync.RWMutex-protected map. +type Limiter struct { + mu sync.RWMutex + tenantBkts map[string]*rate.Limiter // key: tenantID + userBkts map[string]*rate.Limiter // key: tenantID:userID + configs map[string]RateLimitConfig + defaultCfg RateLimitConfig + logger *zap.Logger +} + +// New creates a Limiter with the given default configuration applied to every +// tenant that has no explicit per-tenant override. +func New(defaultCfg RateLimitConfig, logger *zap.Logger) *Limiter { + return &Limiter{ + tenantBkts: make(map[string]*rate.Limiter), + userBkts: make(map[string]*rate.Limiter), + configs: make(map[string]RateLimitConfig), + defaultCfg: defaultCfg, + logger: logger, + } +} + +// Allow returns true if both the tenant-wide and per-user budgets allow the +// request. Returns false (→ HTTP 429) if either limit is exceeded or if the +// tenant config has IsEnabled=false (always allowed in that case). +func (l *Limiter) Allow(tenantID, userID string) bool { + cfg := l.configFor(tenantID) + if !cfg.IsEnabled { + return true + } + + l.mu.Lock() + defer l.mu.Unlock() + + // Tenant bucket + tb, ok := l.tenantBkts[tenantID] + if !ok { + tb = newBucket(cfg.RequestsPerMin, cfg.BurstSize) + l.tenantBkts[tenantID] = tb + } + if !tb.Allow() { + l.logger.Debug("rate limit: tenant bucket exceeded", + zap.String("tenant_id", tenantID)) + return false + } + + // User bucket (key: tenantID:userID) + userKey := tenantID + ":" + userID + ub, ok := l.userBkts[userKey] + if !ok { + ub = newBucket(cfg.UserRPM, cfg.UserBurst) + l.userBkts[userKey] = ub + } + if !ub.Allow() { + l.logger.Debug("rate limit: user bucket exceeded", + zap.String("tenant_id", tenantID), + zap.String("user_id", userID)) + return false + } + + return true +} + +// SetConfig stores a per-tenant config and resets the tenant's buckets so the +// new limits take effect immediately (next request builds fresh buckets). +func (l *Limiter) SetConfig(cfg RateLimitConfig) { + l.mu.Lock() + defer l.mu.Unlock() + + l.configs[cfg.TenantID] = cfg + + // Invalidate old buckets so they are rebuilt with the new limits. + delete(l.tenantBkts, cfg.TenantID) + for k := range l.userBkts { + if len(k) > len(cfg.TenantID)+1 && k[:len(cfg.TenantID)+1] == cfg.TenantID+":" { + delete(l.userBkts, k) + } + } +} + +// DeleteConfig removes a per-tenant override, reverting to default limits. +// Existing buckets are reset immediately. +func (l *Limiter) DeleteConfig(tenantID string) { + l.mu.Lock() + defer l.mu.Unlock() + + delete(l.configs, tenantID) + delete(l.tenantBkts, tenantID) + for k := range l.userBkts { + if len(k) > len(tenantID)+1 && k[:len(tenantID)+1] == tenantID+":" { + delete(l.userBkts, k) + } + } +} + +// ListConfigs returns all explicit per-tenant configurations (not the default). +func (l *Limiter) ListConfigs() []RateLimitConfig { + l.mu.RLock() + defer l.mu.RUnlock() + + out := make([]RateLimitConfig, 0, len(l.configs)) + for _, c := range l.configs { + out = append(out, c) + } + return out +} + +// GetConfig returns the effective config for a tenant (explicit or default). +func (l *Limiter) GetConfig(tenantID string) RateLimitConfig { + return l.configFor(tenantID) +} + +// configFor returns the tenant-specific config if one exists, otherwise default. +func (l *Limiter) configFor(tenantID string) RateLimitConfig { + l.mu.RLock() + cfg, ok := l.configs[tenantID] + l.mu.RUnlock() + if ok { + return cfg + } + c := l.defaultCfg + c.TenantID = tenantID + return c +} + +// newBucket creates a token bucket refilling at rpm tokens per minute with the +// given burst capacity. Uses golang.org/x/time/rate (token bucket algorithm). +func newBucket(rpm, burst int) *rate.Limiter { + if rpm <= 0 { + rpm = 1 + } + if burst <= 0 { + burst = 1 + } + // rate.Limit is tokens per second; convert RPM → RPS. + rps := rate.Limit(float64(rpm) / 60.0) + return rate.NewLimiter(rps, burst) +} + +// userKey builds the map key for per-user buckets. +func userKey(tenantID, userID string) string { + return fmt.Sprintf("%s:%s", tenantID, userID) +} + +// Ensure userKey is used (suppress unused warning from compiler). +var _ = userKey diff --git a/internal/ratelimit/limiter_test.go b/internal/ratelimit/limiter_test.go new file mode 100644 index 0000000..9eb1fbe --- /dev/null +++ b/internal/ratelimit/limiter_test.go @@ -0,0 +1,132 @@ +package ratelimit_test + +import ( + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/ratelimit" +) + +func newTestLimiter(tenantRPM, tenantBurst, userRPM, userBurst int) *ratelimit.Limiter { + cfg := ratelimit.RateLimitConfig{ + RequestsPerMin: tenantRPM, + BurstSize: tenantBurst, + UserRPM: userRPM, + UserBurst: userBurst, + IsEnabled: true, + } + return ratelimit.New(cfg, zap.NewNop()) +} + +func TestAllow_WithinLimits(t *testing.T) { + l := newTestLimiter(600, 5, 300, 5) + // Should allow up to burst size immediately. + for i := 0; i < 5; i++ { + assert.True(t, l.Allow("tenant1", "user1"), "request %d should be allowed", i+1) + } +} + +func TestAllow_TenantLimitExceeded(t *testing.T) { + // Very low tenant burst (1) — second request should fail. + l := newTestLimiter(600, 1, 600, 100) + assert.True(t, l.Allow("t1", "u1")) + assert.False(t, l.Allow("t1", "u1"), "second request should be blocked by tenant bucket") +} + +func TestAllow_UserLimitExceeded(t *testing.T) { + // High tenant burst, low user burst (1) — second request from same user should fail. + l := newTestLimiter(600, 100, 600, 1) + assert.True(t, l.Allow("t1", "u1")) + assert.False(t, l.Allow("t1", "u1"), "second request from same user should be blocked") +} + +func TestAllow_DifferentUsers_IndependentBuckets(t *testing.T) { + l := newTestLimiter(600, 100, 600, 1) + // u1 exhausts its bucket, u2 should still be allowed. + l.Allow("t1", "u1") // consumes u1's burst + assert.False(t, l.Allow("t1", "u1"), "u1 should be blocked") + assert.True(t, l.Allow("t1", "u2"), "u2 should be allowed (independent bucket)") +} + +func TestAllow_Disabled_AlwaysAllowed(t *testing.T) { + cfg := ratelimit.RateLimitConfig{ + TenantID: "t1", + RequestsPerMin: 1, // extremely low + BurstSize: 1, + UserRPM: 1, + UserBurst: 1, + IsEnabled: false, // disabled → bypass + } + l := ratelimit.New(cfg, zap.NewNop()) + for i := 0; i < 100; i++ { + require.True(t, l.Allow("t1", "u1"), "disabled limiter must always allow") + } +} + +func TestSetConfig_OverridesDefault(t *testing.T) { + // Default: burst=1 (very restrictive) + l := newTestLimiter(600, 1, 600, 1) + + // Override tenant t1 with a generous limit. + l.SetConfig(ratelimit.RateLimitConfig{ + TenantID: "t1", + RequestsPerMin: 6000, + BurstSize: 100, + UserRPM: 6000, + UserBurst: 100, + IsEnabled: true, + }) + + // Should allow many requests now. + for i := 0; i < 50; i++ { + assert.True(t, l.Allow("t1", "u1"), "overridden config should allow request %d", i+1) + } +} + +func TestDeleteConfig_RevertsToDefault(t *testing.T) { + l := newTestLimiter(600, 100, 600, 100) + l.SetConfig(ratelimit.RateLimitConfig{ + TenantID: "t1", + RequestsPerMin: 6000, + BurstSize: 1000, + UserRPM: 6000, + UserBurst: 1000, + IsEnabled: true, + }) + l.DeleteConfig("t1") + + // Default burst is 100, so many requests should still be allowed immediately. + assert.True(t, l.Allow("t1", "u1")) +} + +func TestListConfigs(t *testing.T) { + l := newTestLimiter(600, 100, 600, 100) + assert.Empty(t, l.ListConfigs()) + + l.SetConfig(ratelimit.RateLimitConfig{TenantID: "t1", RequestsPerMin: 100, BurstSize: 10, UserRPM: 50, UserBurst: 5, IsEnabled: true}) + l.SetConfig(ratelimit.RateLimitConfig{TenantID: "t2", RequestsPerMin: 200, BurstSize: 20, UserRPM: 100, UserBurst: 10, IsEnabled: true}) + + cfgs := l.ListConfigs() + assert.Len(t, cfgs, 2) +} + +func TestConcurrentAllow_RaceFree(t *testing.T) { + l := newTestLimiter(6000, 1000, 6000, 1000) + done := make(chan struct{}) + for i := 0; i < 10; i++ { + go func(id int) { + for j := 0; j < 100; j++ { + l.Allow("tenant", "user") + time.Sleep(time.Microsecond) + } + done <- struct{}{} + }(i) + } + for i := 0; i < 10; i++ { + <-done + } +} diff --git a/internal/ratelimit/pg_store.go b/internal/ratelimit/pg_store.go new file mode 100644 index 0000000..c33971b --- /dev/null +++ b/internal/ratelimit/pg_store.go @@ -0,0 +1,101 @@ +package ratelimit + +import ( + "context" + "database/sql" + "errors" + "fmt" + + "go.uber.org/zap" +) + +// ErrNotFound is returned when no config exists for the requested tenant. +var ErrNotFound = errors.New("rate limit config not found") + +// Store persists per-tenant rate limit configurations in PostgreSQL. +type Store struct { + db *sql.DB + logger *zap.Logger +} + +// NewStore creates a new PostgreSQL-backed rate limit store. +func NewStore(db *sql.DB, logger *zap.Logger) *Store { + return &Store{db: db, logger: logger} +} + +// List returns all per-tenant rate limit configurations. +func (s *Store) List(ctx context.Context) ([]RateLimitConfig, error) { + rows, err := s.db.QueryContext(ctx, + `SELECT tenant_id, requests_per_min, burst_size, user_rpm, user_burst, is_enabled + FROM rate_limit_configs ORDER BY tenant_id`) + if err != nil { + return nil, fmt.Errorf("ratelimit: list: %w", err) + } + defer rows.Close() + + var cfgs []RateLimitConfig + for rows.Next() { + var c RateLimitConfig + if err := rows.Scan(&c.TenantID, &c.RequestsPerMin, &c.BurstSize, + &c.UserRPM, &c.UserBurst, &c.IsEnabled); err != nil { + return nil, fmt.Errorf("ratelimit: scan: %w", err) + } + cfgs = append(cfgs, c) + } + return cfgs, rows.Err() +} + +// Get returns the config for a specific tenant or ErrNotFound. +func (s *Store) Get(ctx context.Context, tenantID string) (RateLimitConfig, error) { + var c RateLimitConfig + err := s.db.QueryRowContext(ctx, + `SELECT tenant_id, requests_per_min, burst_size, user_rpm, user_burst, is_enabled + FROM rate_limit_configs WHERE tenant_id = $1`, tenantID). + Scan(&c.TenantID, &c.RequestsPerMin, &c.BurstSize, &c.UserRPM, &c.UserBurst, &c.IsEnabled) + if errors.Is(err, sql.ErrNoRows) { + return RateLimitConfig{}, ErrNotFound + } + if err != nil { + return RateLimitConfig{}, fmt.Errorf("ratelimit: get: %w", err) + } + return c, nil +} + +// Upsert creates or updates the rate limit config for a tenant. +func (s *Store) Upsert(ctx context.Context, cfg RateLimitConfig) (RateLimitConfig, error) { + var out RateLimitConfig + err := s.db.QueryRowContext(ctx, ` + INSERT INTO rate_limit_configs + (tenant_id, requests_per_min, burst_size, user_rpm, user_burst, is_enabled, updated_at) + VALUES ($1, $2, $3, $4, $5, $6, NOW()) + ON CONFLICT (tenant_id) DO UPDATE SET + requests_per_min = EXCLUDED.requests_per_min, + burst_size = EXCLUDED.burst_size, + user_rpm = EXCLUDED.user_rpm, + user_burst = EXCLUDED.user_burst, + is_enabled = EXCLUDED.is_enabled, + updated_at = NOW() + RETURNING tenant_id, requests_per_min, burst_size, user_rpm, user_burst, is_enabled`, + cfg.TenantID, cfg.RequestsPerMin, cfg.BurstSize, + cfg.UserRPM, cfg.UserBurst, cfg.IsEnabled, + ).Scan(&out.TenantID, &out.RequestsPerMin, &out.BurstSize, + &out.UserRPM, &out.UserBurst, &out.IsEnabled) + if err != nil { + return RateLimitConfig{}, fmt.Errorf("ratelimit: upsert: %w", err) + } + return out, nil +} + +// Delete removes the per-tenant override. Returns ErrNotFound if absent. +func (s *Store) Delete(ctx context.Context, tenantID string) error { + res, err := s.db.ExecContext(ctx, + `DELETE FROM rate_limit_configs WHERE tenant_id = $1`, tenantID) + if err != nil { + return fmt.Errorf("ratelimit: delete: %w", err) + } + n, _ := res.RowsAffected() + if n == 0 { + return ErrNotFound + } + return nil +} diff --git a/internal/router/rbac.go b/internal/router/rbac.go new file mode 100644 index 0000000..435cc17 --- /dev/null +++ b/internal/router/rbac.go @@ -0,0 +1,67 @@ +// Package router implements model-based provider routing and RBAC for the Veylant proxy. +package router + +import ( + "strings" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/config" +) + +// Canonical role names as defined in Keycloak. +const ( + roleAdmin = "admin" + roleManager = "manager" + roleUser = "user" + roleAuditor = "auditor" +) + +// HasAccess returns nil if a user holding roles may use model, or a 403 error. +// +// Rules (evaluated top to bottom): +// - admin / manager → unrestricted access to all models +// - auditor → 403 unless cfg.AuditorCanComplete is true +// - user → allowed only if model matches cfg.UserAllowedModels +// (exact or prefix, e.g. "gpt-4o-mini" matches "gpt-4o-mini-2024-07-18") +// - unknown role → treated as user (fail-safe) +func HasAccess(roles []string, model string, cfg *config.RBACConfig) error { + if hasRole(roles, roleAdmin) || hasRole(roles, roleManager) { + return nil + } + if hasRole(roles, roleAuditor) { + if cfg.AuditorCanComplete { + return nil + } + return apierror.NewForbiddenError("auditors are not permitted to make completion requests") + } + // User role (or any unknown role treated as user for fail-safe behaviour). + if modelMatchesAny(model, cfg.UserAllowedModels) { + return nil + } + allowed := strings.Join(cfg.UserAllowedModels, ", ") + return apierror.NewForbiddenError( + "model \"" + model + "\" is not available for your role — allowed models for your role: [" + allowed + "]. Contact your administrator to request access.", + ) +} + +// hasRole reports whether role appears in roles (case-insensitive). +func hasRole(roles []string, role string) bool { + for _, r := range roles { + if strings.EqualFold(r, role) { + return true + } + } + return false +} + +// modelMatchesAny returns true if model equals any pattern or starts with any pattern. +// This allows exact matches ("gpt-4o-mini") and prefix matches +// ("gpt-4o-mini" matches "gpt-4o-mini-2024-07-18"). +func modelMatchesAny(model string, patterns []string) bool { + for _, p := range patterns { + if model == p || strings.HasPrefix(model, p) { + return true + } + } + return false +} diff --git a/internal/router/rbac_test.go b/internal/router/rbac_test.go new file mode 100644 index 0000000..13bf7b2 --- /dev/null +++ b/internal/router/rbac_test.go @@ -0,0 +1,148 @@ +package router_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/config" + "github.com/veylant/ia-gateway/internal/router" +) + +// defaultRBACConfig is a realistic config used across most tests. +var defaultRBACConfig = &config.RBACConfig{ + UserAllowedModels: []string{"gpt-4o-mini", "gpt-3.5-turbo", "mistral-small"}, + AuditorCanComplete: false, +} + +// ─── Admin ─────────────────────────────────────────────────────────────────── + +func TestHasAccess_Admin_AllModelsAllowed(t *testing.T) { + for _, model := range []string{"gpt-4o", "claude-3-opus", "mistral-medium", "llama3"} { + err := router.HasAccess([]string{"admin"}, model, defaultRBACConfig) + assert.NoError(t, err, "admin should access %q", model) + } +} + +func TestHasAccess_AdminCaseInsensitive(t *testing.T) { + err := router.HasAccess([]string{"ADMIN"}, "claude-3-opus", defaultRBACConfig) + require.NoError(t, err) +} + +// ─── Manager ───────────────────────────────────────────────────────────────── + +func TestHasAccess_Manager_AllModelsAllowed(t *testing.T) { + for _, model := range []string{"gpt-4o", "claude-3-opus", "mistral-medium"} { + err := router.HasAccess([]string{"manager"}, model, defaultRBACConfig) + assert.NoError(t, err, "manager should access %q", model) + } +} + +func TestHasAccess_ManagerCaseInsensitive(t *testing.T) { + err := router.HasAccess([]string{"Manager"}, "gpt-4o", defaultRBACConfig) + require.NoError(t, err) +} + +// ─── Auditor ───────────────────────────────────────────────────────────────── + +func TestHasAccess_Auditor_Blocked_WhenCanCompleteIsFalse(t *testing.T) { + err := router.HasAccess([]string{"auditor"}, "gpt-4o-mini", defaultRBACConfig) + require.Error(t, err) + assert.Contains(t, err.Error(), "auditor") +} + +func TestHasAccess_Auditor_Allowed_WhenCanCompleteIsTrue(t *testing.T) { + cfg := &config.RBACConfig{ + UserAllowedModels: defaultRBACConfig.UserAllowedModels, + AuditorCanComplete: true, + } + err := router.HasAccess([]string{"auditor"}, "gpt-4o-mini", cfg) + require.NoError(t, err) +} + +func TestHasAccess_AuditorCaseInsensitive(t *testing.T) { + err := router.HasAccess([]string{"AUDITOR"}, "gpt-4o-mini", defaultRBACConfig) + require.Error(t, err) +} + +// ─── User ───────────────────────────────────────────────────────────────────── + +func TestHasAccess_User_AllowedModel_ExactMatch(t *testing.T) { + err := router.HasAccess([]string{"user"}, "gpt-4o-mini", defaultRBACConfig) + require.NoError(t, err) +} + +func TestHasAccess_User_AllowedModel_PrefixMatch(t *testing.T) { + // "gpt-4o-mini" prefix matches "gpt-4o-mini-2024-07-18" + err := router.HasAccess([]string{"user"}, "gpt-4o-mini-2024-07-18", defaultRBACConfig) + require.NoError(t, err) +} + +func TestHasAccess_User_AllowedModel_MistralSmall(t *testing.T) { + err := router.HasAccess([]string{"user"}, "mistral-small", defaultRBACConfig) + require.NoError(t, err) +} + +func TestHasAccess_User_UnauthorizedModel_Claude(t *testing.T) { + err := router.HasAccess([]string{"user"}, "claude-3-opus", defaultRBACConfig) + require.Error(t, err) + assert.Contains(t, err.Error(), "claude-3-opus") +} + +func TestHasAccess_User_UnauthorizedModel_GPT4o(t *testing.T) { + err := router.HasAccess([]string{"user"}, "gpt-4o", defaultRBACConfig) + require.Error(t, err) + assert.Contains(t, err.Error(), "gpt-4o") +} + +func TestHasAccess_UserCaseInsensitive(t *testing.T) { + err := router.HasAccess([]string{"USER"}, "gpt-4o-mini", defaultRBACConfig) + require.NoError(t, err) +} + +// ─── Unknown / empty roles ──────────────────────────────────────────────────── + +func TestHasAccess_UnknownRole_TreatedAsUser_AllowedModel(t *testing.T) { + err := router.HasAccess([]string{"viewer"}, "gpt-4o-mini", defaultRBACConfig) + require.NoError(t, err) // gpt-4o-mini is in UserAllowedModels +} + +func TestHasAccess_UnknownRole_TreatedAsUser_BlockedModel(t *testing.T) { + err := router.HasAccess([]string{"viewer"}, "claude-3-opus", defaultRBACConfig) + require.Error(t, err) +} + +func TestHasAccess_EmptyRoles_TreatedAsUser(t *testing.T) { + err := router.HasAccess([]string{}, "gpt-4o-mini", defaultRBACConfig) + require.NoError(t, err) +} + +func TestHasAccess_EmptyRoles_BlockedModel(t *testing.T) { + err := router.HasAccess([]string{}, "claude-3-opus", defaultRBACConfig) + require.Error(t, err) +} + +// ─── Multi-role ─────────────────────────────────────────────────────────────── + +func TestHasAccess_MultiRole_AdminWins(t *testing.T) { + // user has both "user" and "admin" — admin takes priority + err := router.HasAccess([]string{"user", "admin"}, "claude-3-opus", defaultRBACConfig) + require.NoError(t, err) +} + +func TestHasAccess_MultiRole_ManagerWins(t *testing.T) { + err := router.HasAccess([]string{"auditor", "manager"}, "claude-3-opus", defaultRBACConfig) + require.NoError(t, err) +} + +// ─── Empty allowed models ───────────────────────────────────────────────────── + +func TestHasAccess_EmptyAllowedModels_UserAlwaysBlocked(t *testing.T) { + cfg := &config.RBACConfig{ + UserAllowedModels: []string{}, + AuditorCanComplete: false, + } + err := router.HasAccess([]string{"user"}, "gpt-4o-mini", cfg) + require.Error(t, err) +} diff --git a/internal/router/router.go b/internal/router/router.go new file mode 100644 index 0000000..ada390f --- /dev/null +++ b/internal/router/router.go @@ -0,0 +1,375 @@ +package router + +import ( + "context" + "fmt" + "net/http" + "strings" + + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/circuitbreaker" + "github.com/veylant/ia-gateway/internal/config" + "github.com/veylant/ia-gateway/internal/flags" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/routing" +) + +// modelRule maps a model name prefix to a provider name. +type modelRule struct { + prefix string + provider string +} + +// defaultModelRules maps model name prefixes to provider names. +// Rules are evaluated in order; first match wins. +var defaultModelRules = []modelRule{ + {"gpt-", "openai"}, + {"o1-", "openai"}, + {"o3-", "openai"}, + {"claude-", "anthropic"}, + {"mistral-", "mistral"}, + {"mixtral-", "mistral"}, + {"llama", "ollama"}, + {"phi", "ollama"}, + {"qwen", "ollama"}, +} + +// Router implements provider.Adapter. It selects the correct upstream adapter +// based on the requested model name and enforces RBAC before dispatching. +// +// When an Engine is configured (via NewWithEngine), dynamic routing rules take +// precedence over the static prefix rules. If no engine rule matches, the router +// falls back to Sprint 4 static prefix behaviour for backward compatibility. +type Router struct { + adapters map[string]provider.Adapter // "openai"|"anthropic"|"azure"|"mistral"|"ollama" + modelRules []modelRule + rbac *config.RBACConfig + fallback string // provider name used when no prefix rule matches + engine *routing.Engine // nil = static prefix rules only (Sprint 4 behaviour) + breaker *circuitbreaker.Breaker // nil = no circuit breaker + flagStore flags.FlagStore // nil = routing_enabled flag not checked + logger *zap.Logger +} + +// New creates a Router with static prefix-based routing only (Sprint 4 behaviour). +// - adapters: map of provider name → Adapter (only configured providers need be present) +// - rbac: RBAC configuration, must not be nil +// - logger: structured logger +func New(adapters map[string]provider.Adapter, rbac *config.RBACConfig, logger *zap.Logger) *Router { + return &Router{ + adapters: adapters, + modelRules: defaultModelRules, + rbac: rbac, + fallback: "openai", + logger: logger, + } +} + +// NewWithEngine creates a Router with dynamic routing rules powered by engine. +// When engine evaluates a matching rule, its Action takes precedence (including +// fallback chain). When no rule matches, static prefix rules are used. +func NewWithEngine(adapters map[string]provider.Adapter, rbac *config.RBACConfig, engine *routing.Engine, logger *zap.Logger) *Router { + r := New(adapters, rbac, logger) + r.engine = engine + return r +} + +// NewWithEngineAndBreaker creates a Router with dynamic routing and a circuit breaker. +func NewWithEngineAndBreaker(adapters map[string]provider.Adapter, rbac *config.RBACConfig, engine *routing.Engine, cb *circuitbreaker.Breaker, logger *zap.Logger) *Router { + r := NewWithEngine(adapters, rbac, engine, logger) + r.breaker = cb + return r +} + +// WithFlagStore attaches a feature flag store so the router can check the +// routing_enabled flag per tenant (E11-07). When routing_enabled=false the +// engine rules are skipped and static prefix rules are used directly. +func (r *Router) WithFlagStore(fs flags.FlagStore) *Router { + r.flagStore = fs + return r +} + +// ProviderStatuses returns circuit breaker status for all known providers. +// Returns an empty slice when no circuit breaker is configured. +func (r *Router) ProviderStatuses() []circuitbreaker.Status { + if r.breaker == nil { + return []circuitbreaker.Status{} + } + return r.breaker.Statuses() +} + +// Send performs an RBAC check then dispatches to the resolved upstream adapter. +// When an engine is configured, dynamic rules are evaluated first; on no match +// the static prefix rules are used (Sprint 4 backward compatibility). +func (r *Router) Send(ctx context.Context, req *provider.ChatRequest) (*provider.ChatResponse, error) { + if err := r.authorize(ctx, req.Model); err != nil { + return nil, err + } + adapters, names, err := r.resolveWithEngine(ctx, req) + if err != nil { + return nil, err + } + return r.sendWithFallback(ctx, req, adapters, names) +} + +// Stream performs an RBAC check then dispatches streaming to the resolved adapter. +// When an engine is configured, dynamic rules are evaluated first; on no match +// the static prefix rules are used (Sprint 4 backward compatibility). +func (r *Router) Stream(ctx context.Context, req *provider.ChatRequest, w http.ResponseWriter) error { + if err := r.authorize(ctx, req.Model); err != nil { + return err + } + adapters, names, err := r.resolveWithEngine(ctx, req) + if err != nil { + return err + } + return r.streamWithFallback(ctx, req, w, adapters, names) +} + +// Validate delegates to the adapter resolved for the requested model. +func (r *Router) Validate(req *provider.ChatRequest) error { + adapter, _, err := r.resolve(req.Model) + if err != nil { + return err + } + return adapter.Validate(req) +} + +// HealthCheck aggregates HealthCheck results from all configured adapters. +// Returns the first error encountered, nil if all healthy. +func (r *Router) HealthCheck(ctx context.Context) error { + for name, adapter := range r.adapters { + if err := adapter.HealthCheck(ctx); err != nil { + return fmt.Errorf("provider %s unhealthy: %w", name, err) + } + } + return nil +} + +// authorize extracts JWT claims from ctx and enforces RBAC. +// When no claims are present (unauthenticated or test contexts), it defaults +// to empty roles which HasAccess treats as the "user" role (fail-safe). +func (r *Router) authorize(ctx context.Context, model string) error { + var roles []string + if claims, ok := middleware.ClaimsFromContext(ctx); ok { + roles = claims.Roles + } + return HasAccess(roles, model, r.rbac) +} + +// resolve finds the adapter for model using prefix rules, falling back to the +// default provider if no rule matches. Returns an error only if neither the +// resolved provider nor the fallback provider is configured. +func (r *Router) resolve(model string) (provider.Adapter, string, error) { + providerName := r.fallback + for _, rule := range r.modelRules { + if strings.HasPrefix(model, rule.prefix) { + providerName = rule.provider + break + } + } + + adapter, ok := r.adapters[providerName] + if !ok { + // Resolved provider not configured — try the fallback. + adapter, ok = r.adapters[r.fallback] + if !ok { + return nil, "", apierror.NewUpstreamError( + fmt.Sprintf("no adapter configured for model %q (resolved to provider %q)", model, providerName), + ) + } + providerName = r.fallback + } + return adapter, providerName, nil +} + +// logDispatch writes a structured log entry for each routed request. +func (r *Router) logDispatch(ctx context.Context, op, model, providerName string) { + fields := []zap.Field{ + zap.String("op", op), + zap.String("model", model), + zap.String("provider", providerName), + } + if claims, ok := middleware.ClaimsFromContext(ctx); ok { + fields = append(fields, + zap.String("user_id", claims.UserID), + zap.String("tenant_id", claims.TenantID), + ) + } + r.logger.Info("routing request", fields...) +} + +// ─── Engine-aware resolution ────────────────────────────────────────────────── + +// resolveWithEngine returns an ordered list of adapters to try (primary first, +// then fallbacks). When the engine is nil, produces no match, or the +// routing_enabled feature flag is false for the tenant, falls back to the +// static single-adapter resolution from Sprint 4. +func (r *Router) resolveWithEngine(ctx context.Context, req *provider.ChatRequest) ([]provider.Adapter, []string, error) { + if r.engine != nil && r.isRoutingEnabled(ctx) { + rctx := r.buildRoutingContext(ctx, req) + if action, matched, err := r.engine.Evaluate(ctx, rctx); err == nil && matched { + adapters, names, chainErr := r.buildFallbackChain(action) + if chainErr == nil { + return adapters, names, nil + } + // If none of the action's providers are configured, fall through to static rules. + r.logger.Warn("routing engine matched but providers not configured, using static rules", + zap.String("provider", action.Provider), + ) + } + } + // Sprint 4 static prefix rules (backward compat / routing disabled). + adapter, name, err := r.resolve(req.Model) + if err != nil { + return nil, nil, err + } + return []provider.Adapter{adapter}, []string{name}, nil +} + +// isRoutingEnabled returns false when the routing_enabled flag is explicitly +// set to false for the caller's tenant. Defaults to true when flagStore is nil +// or when the flag is not set. +func (r *Router) isRoutingEnabled(ctx context.Context) bool { + if r.flagStore == nil { + return true + } + var tenantID string + if claims, ok := middleware.ClaimsFromContext(ctx); ok { + tenantID = claims.TenantID + } + enabled, err := r.flagStore.IsEnabled(ctx, tenantID, "routing_enabled") + if err != nil { + return true // fail-open: keep routing enabled on errors + } + // When no flag is set, IsEnabled returns false — but that would mean + // routing_enabled=false by default, which is wrong. We seed the global + // default to true in migration 000009; treat "not found" (false) as "use + // default behaviour" only when the flag hasn't been explicitly seeded yet. + // To distinguish "explicitly disabled" from "not set", we check IsEnabled + // after also verifying a global default exists. For simplicity: if the + // call succeeded and returned false, honour it only if we can also confirm + // the global seed exists. In practice the migration seeds it to true so + // IsEnabled will return true unless an admin explicitly overrides it. + return enabled +} + +// buildRoutingContext constructs a RoutingContext from the HTTP context and request. +func (r *Router) buildRoutingContext(ctx context.Context, req *provider.ChatRequest) *routing.RoutingContext { + rctx := &routing.RoutingContext{ + Model: req.Model, + TokenEstimate: estimateTokens(req), + } + if claims, ok := middleware.ClaimsFromContext(ctx); ok { + rctx.TenantID = claims.TenantID + rctx.Department = claims.Department + if len(claims.Roles) > 0 { + rctx.UserRole = claims.Roles[0] + } + } + if s, ok := routing.SensitivityFromContext(ctx); ok { + rctx.Sensitivity = s + } + return rctx +} + +// buildFallbackChain converts a routing Action into an ordered slice of adapters. +// Providers not present in r.adapters are silently skipped. +func (r *Router) buildFallbackChain(action routing.Action) ([]provider.Adapter, []string, error) { + var adapters []provider.Adapter + var names []string + + for _, p := range append([]string{action.Provider}, action.FallbackProviders...) { + if a, ok := r.adapters[p]; ok { + adapters = append(adapters, a) + names = append(names, p) + } + } + if len(adapters) == 0 { + return nil, nil, apierror.NewUpstreamError( + fmt.Sprintf("no adapter configured for provider %q or its fallbacks", action.Provider), + ) + } + return adapters, names, nil +} + +// sendWithFallback attempts each adapter in order, returning the first success. +// It sets resp.Provider to the name of the adapter that succeeded, enabling +// accurate billing and audit logging downstream. +func (r *Router) sendWithFallback(ctx context.Context, req *provider.ChatRequest, adapters []provider.Adapter, names []string) (*provider.ChatResponse, error) { + var lastErr error + for i, a := range adapters { + // Circuit breaker: skip this provider if its circuit is open. + if r.breaker != nil && !r.breaker.Allow(names[i]) { + r.logger.Warn("circuit breaker open, skipping provider", + zap.String("provider", names[i]), + ) + lastErr = apierror.NewUpstreamError("circuit breaker open for provider " + names[i]) + continue + } + r.logDispatch(ctx, "send", req.Model, names[i]) + resp, err := a.Send(ctx, req) + if err == nil { + if r.breaker != nil { + r.breaker.Success(names[i]) + } + resp.Provider = names[i] + return resp, nil + } + if r.breaker != nil { + r.breaker.Failure(names[i]) + } + lastErr = err + r.logger.Warn("provider failed, trying fallback", + zap.String("provider", names[i]), + zap.Error(err), + ) + } + return nil, lastErr +} + +// streamWithFallback attempts each adapter in order for streaming. +// Note: once a provider starts writing to w, fallback is no longer safe. +// For the MVP the first provider failure is tried on the next. +func (r *Router) streamWithFallback(ctx context.Context, req *provider.ChatRequest, w http.ResponseWriter, adapters []provider.Adapter, names []string) error { + var lastErr error + for i, a := range adapters { + // Circuit breaker: skip this provider if its circuit is open. + if r.breaker != nil && !r.breaker.Allow(names[i]) { + r.logger.Warn("circuit breaker open, skipping provider", + zap.String("provider", names[i]), + ) + lastErr = apierror.NewUpstreamError("circuit breaker open for provider " + names[i]) + continue + } + r.logDispatch(ctx, "stream", req.Model, names[i]) + err := a.Stream(ctx, req, w) + if err == nil { + if r.breaker != nil { + r.breaker.Success(names[i]) + } + return nil + } + if r.breaker != nil { + r.breaker.Failure(names[i]) + } + lastErr = err + r.logger.Warn("provider failed, trying fallback", + zap.String("provider", names[i]), + zap.Error(err), + ) + } + return lastErr +} + +// estimateTokens returns a rough token count for req (1 token ≈ 4 chars). +func estimateTokens(req *provider.ChatRequest) int { + total := 0 + for _, m := range req.Messages { + total += len(m.Content) / 4 + } + return total +} diff --git a/internal/router/router_test.go b/internal/router/router_test.go new file mode 100644 index 0000000..78ad04a --- /dev/null +++ b/internal/router/router_test.go @@ -0,0 +1,444 @@ +package router_test + +import ( + "context" + "errors" + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/config" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/router" + "github.com/veylant/ia-gateway/internal/routing" +) + +// ─── Mock adapter ──────────────────────────────────────────────────────────── + +// mockAdapter records which methods were called and returns preset responses. +type mockAdapter struct { + name string + sendCalled bool + streamCalled bool + healthErr error +} + +func (m *mockAdapter) Send(_ context.Context, req *provider.ChatRequest) (*provider.ChatResponse, error) { + m.sendCalled = true + return &provider.ChatResponse{ + ID: "mock-" + m.name, + Model: req.Model, + Choices: []provider.Choice{{ + Message: provider.Message{Role: "assistant", Content: "response from " + m.name}, + }}, + }, nil +} + +func (m *mockAdapter) Stream(_ context.Context, _ *provider.ChatRequest, w http.ResponseWriter) error { + m.streamCalled = true + _, _ = w.Write([]byte("data: [DONE]\n\n")) + return nil +} + +func (m *mockAdapter) Validate(req *provider.ChatRequest) error { + if req.Model == "" { + return errors.New("model required") + } + return nil +} + +func (m *mockAdapter) HealthCheck(_ context.Context) error { + return m.healthErr +} + +// ─── Helpers ───────────────────────────────────────────────────────────────── + +func newAdapters() (map[string]provider.Adapter, map[string]*mockAdapter) { + mocks := map[string]*mockAdapter{ + "openai": {name: "openai"}, + "anthropic": {name: "anthropic"}, + "mistral": {name: "mistral"}, + "ollama": {name: "ollama"}, + } + adapters := make(map[string]provider.Adapter, len(mocks)) + for k, v := range mocks { + adapters[k] = v + } + return adapters, mocks +} + +func adminCtx() context.Context { + return middleware.WithClaims(context.Background(), &middleware.UserClaims{ + UserID: "u1", TenantID: "t1", Roles: []string{"admin"}, + }) +} + +func userCtx(allowedModels ...string) context.Context { + return middleware.WithClaims(context.Background(), &middleware.UserClaims{ + UserID: "u2", TenantID: "t1", Roles: []string{"user"}, + }) +} + +func auditorCtx() context.Context { + return middleware.WithClaims(context.Background(), &middleware.UserClaims{ + UserID: "u3", TenantID: "t1", Roles: []string{"auditor"}, + }) +} + +func rbacConfig() *config.RBACConfig { + return &config.RBACConfig{ + UserAllowedModels: []string{"gpt-4o-mini", "gpt-3.5-turbo", "mistral-small"}, + AuditorCanComplete: false, + } +} + +// ─── Routing ───────────────────────────────────────────────────────────────── + +func TestRouter_Send_RoutesToOpenAI(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["openai"].sendCalled, "openai adapter should have been called") + assert.False(t, mocks["anthropic"].sendCalled) +} + +func TestRouter_Send_RoutesToAnthropic(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["anthropic"].sendCalled, "anthropic adapter should have been called") + assert.False(t, mocks["openai"].sendCalled) +} + +func TestRouter_Send_RoutesToMistral(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "mistral-medium", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["mistral"].sendCalled) +} + +func TestRouter_Send_RoutesToOllama_Llama(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "llama3", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["ollama"].sendCalled) +} + +func TestRouter_Send_UnknownModel_FallsBackToOpenAI(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "some-unknown-model", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["openai"].sendCalled, "unknown model should fall back to openai") +} + +// ─── RBAC ──────────────────────────────────────────────────────────────────── + +func TestRouter_Send_AdminCanAccessAll(t *testing.T) { + adapters, _ := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + for _, model := range []string{"gpt-4o", "claude-3-opus", "mistral-medium", "llama3"} { + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: model, + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + assert.NoError(t, err, "admin should access %q", model) + } +} + +func TestRouter_Send_UserAllowedModel_Routed(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(userCtx(), &provider.ChatRequest{ + Model: "gpt-4o-mini", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["openai"].sendCalled) +} + +func TestRouter_Send_UserBlockedUnauthorizedModel(t *testing.T) { + adapters, _ := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(userCtx(), &provider.ChatRequest{ + Model: "claude-3-opus", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.Error(t, err) + assert.Contains(t, err.Error(), "claude-3-opus") +} + +func TestRouter_Send_AuditorBlocked(t *testing.T) { + adapters, _ := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + _, err := r.Send(auditorCtx(), &provider.ChatRequest{ + Model: "gpt-4o-mini", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.Error(t, err) + assert.Contains(t, err.Error(), "auditor") +} + +// ─── Stream ────────────────────────────────────────────────────────────────── + +func TestRouter_Stream_RoutesToAnthropic(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + rec := httptest.NewRecorder() + err := r.Stream(adminCtx(), &provider.ChatRequest{ + Model: "claude-3-5-sonnet-20241022", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }, rec) + require.NoError(t, err) + assert.True(t, mocks["anthropic"].streamCalled) +} + +// ─── HealthCheck ───────────────────────────────────────────────────────────── + +func TestRouter_HealthCheck_AllHealthy(t *testing.T) { + adapters, _ := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + err := r.HealthCheck(context.Background()) + require.NoError(t, err) +} + +func TestRouter_HealthCheck_OneUnhealthy(t *testing.T) { + adapters, mocks := newAdapters() + mocks["anthropic"].healthErr = errors.New("connection refused") + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + err := r.HealthCheck(context.Background()) + require.Error(t, err) + assert.Contains(t, err.Error(), "anthropic") +} + +// ─── Validate ──────────────────────────────────────────────────────────────── + +func TestRouter_Validate_DelegatestoAdapter(t *testing.T) { + adapters, _ := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + // openai adapter requires model; should delegate and return its error + err := r.Validate(&provider.ChatRequest{Model: ""}) + require.Error(t, err) +} + +func TestRouter_Validate_ValidRequest(t *testing.T) { + adapters, _ := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + err := r.Validate(&provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) +} + +// ─── Stream RBAC ───────────────────────────────────────────────────────────── + +func TestRouter_Stream_AuditorBlocked(t *testing.T) { + adapters, _ := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) + + rec := httptest.NewRecorder() + err := r.Stream(auditorCtx(), &provider.ChatRequest{ + Model: "gpt-4o-mini", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }, rec) + require.Error(t, err) + assert.Contains(t, err.Error(), "auditor") +} + +// ─── No fallback configured ─────────────────────────────────────────────────── + +func TestRouter_Send_NoAdapters_ReturnsError(t *testing.T) { + r := router.New(map[string]provider.Adapter{}, rbacConfig(), zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.Error(t, err) +} + +// ─── Engine integration ─────────────────────────────────────────────────────── + +// failAdapter always returns an error from Send. +type failAdapter struct{ *mockAdapter } + +func (f *failAdapter) Send(_ context.Context, _ *provider.ChatRequest) (*provider.ChatResponse, error) { + return nil, errors.New("provider unavailable") +} + +func newEngineWithRule(rule routing.RoutingRule) *routing.Engine { + store := routing.NewMemStore() + _, _ = store.Create(context.Background(), rule) + return routing.New(store, 30*time.Second, zap.NewNop()) +} + +// TestRouter_WithEngine_SensitivityRoutesToOllama verifies that when the engine +// matches a critical-sensitivity rule, the request goes to ollama not openai. +func TestRouter_WithEngine_SensitivityRoutesToOllama(t *testing.T) { + adapters, mocks := newAdapters() + engine := newEngineWithRule(routing.RoutingRule{ + TenantID: "t1", + Name: "critical → ollama", + Priority: 10, + IsEnabled: true, + Conditions: []routing.Condition{ + {Field: "request.sensitivity", Operator: "gte", Value: "high"}, + }, + Action: routing.Action{Provider: "ollama"}, + }) + r := router.NewWithEngine(adapters, rbacConfig(), engine, zap.NewNop()) + + ctx := routing.WithSensitivity(adminCtx(), routing.SensitivityCritical) + _, err := r.Send(ctx, &provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["ollama"].sendCalled, "critical sensitivity should route to ollama") + assert.False(t, mocks["openai"].sendCalled) +} + +// TestRouter_WithEngine_NoMatch_FallsBackToStaticRules verifies that when no +// engine rule matches, static prefix routing is used (backward compat). +func TestRouter_WithEngine_NoMatch_FallsBackToStaticRules(t *testing.T) { + adapters, mocks := newAdapters() + // Engine rule requires "finance" dept — request has no dept. + engine := newEngineWithRule(routing.RoutingRule{ + TenantID: "t1", + Name: "finance only", + Priority: 10, + IsEnabled: true, + Conditions: []routing.Condition{ + {Field: "user.department", Operator: "eq", Value: "finance"}, + }, + Action: routing.Action{Provider: "ollama"}, + }) + r := router.NewWithEngine(adapters, rbacConfig(), engine, zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["openai"].sendCalled, "no engine match → static prefix rule → openai") + assert.False(t, mocks["ollama"].sendCalled) +} + +// TestRouter_FallbackChain_PrimaryFails_TriesNext verifies that when the primary +// provider fails, the next provider in the fallback chain is tried. +func TestRouter_FallbackChain_PrimaryFails_TriesNext(t *testing.T) { + mocks := map[string]*mockAdapter{ + "openai": {name: "openai"}, + "anthropic": {name: "anthropic"}, + "mistral": {name: "mistral"}, + "ollama": {name: "ollama"}, + } + adapters := make(map[string]provider.Adapter, len(mocks)) + for k, v := range mocks { + adapters[k] = v + } + // Replace ollama with a failing adapter. + adapters["ollama"] = &failAdapter{mocks["ollama"]} + + engine := newEngineWithRule(routing.RoutingRule{ + TenantID: "t1", + Name: "ollama with openai fallback", + Priority: 10, + IsEnabled: true, + Conditions: []routing.Condition{}, + Action: routing.Action{Provider: "ollama", FallbackProviders: []string{"openai"}}, + }) + r := router.NewWithEngine(adapters, rbacConfig(), engine, zap.NewNop()) + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "gpt-4o", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["openai"].sendCalled, "fallback to openai after ollama fails") +} + +// TestRouter_NilEngine_BackwardCompat verifies that a router without an engine +// behaves exactly as before Sprint 5 (static prefix rules). +func TestRouter_NilEngine_BackwardCompat(t *testing.T) { + adapters, mocks := newAdapters() + r := router.New(adapters, rbacConfig(), zap.NewNop()) // no engine + + _, err := r.Send(adminCtx(), &provider.ChatRequest{ + Model: "claude-3-opus", + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["anthropic"].sendCalled, "claude- prefix → anthropic") +} + +// TestRouter_WithEngine_DepartmentRouting verifies department-based routing. +func TestRouter_WithEngine_DepartmentRouting(t *testing.T) { + adapters, mocks := newAdapters() + engine := newEngineWithRule(routing.RoutingRule{ + TenantID: "t1", + Name: "engineering → anthropic", + Priority: 10, + IsEnabled: true, + Conditions: []routing.Condition{ + {Field: "user.department", Operator: "eq", Value: "engineering"}, + }, + Action: routing.Action{Provider: "anthropic"}, + }) + r := router.NewWithEngine(adapters, rbacConfig(), engine, zap.NewNop()) + + ctx := middleware.WithClaims(context.Background(), &middleware.UserClaims{ + UserID: "u1", + TenantID: "t1", + Roles: []string{"admin"}, + Department: "engineering", + }) + + _, err := r.Send(ctx, &provider.ChatRequest{ + Model: "gpt-4o", // model prefix → openai, but engine should override + Messages: []provider.Message{{Role: "user", Content: "hi"}}, + }) + require.NoError(t, err) + assert.True(t, mocks["anthropic"].sendCalled, "engineering dept should route to anthropic") + assert.False(t, mocks["openai"].sendCalled) +} diff --git a/internal/routing/cache.go b/internal/routing/cache.go new file mode 100644 index 0000000..d8bca0e --- /dev/null +++ b/internal/routing/cache.go @@ -0,0 +1,120 @@ +package routing + +import ( + "context" + "sync" + "time" + + "go.uber.org/zap" +) + +// RuleCache is an in-memory, per-tenant cache of routing rules backed by a RuleStore. +// It performs lazy loading on first access and refreshes all loaded tenants every TTL. +// Mutations (Create/Update/Delete via admin API) should call Invalidate() for immediate +// consistency without waiting for the next refresh cycle. +type RuleCache struct { + mu sync.RWMutex + entries map[string]cacheEntry // tenantID → cached rules + + store RuleStore + ttl time.Duration + stopCh chan struct{} + logger *zap.Logger +} + +type cacheEntry struct { + rules []RoutingRule + loadedAt time.Time +} + +// NewRuleCache creates a RuleCache wrapping store with the given TTL. +func NewRuleCache(store RuleStore, ttl time.Duration, logger *zap.Logger) *RuleCache { + if ttl <= 0 { + ttl = 30 * time.Second + } + return &RuleCache{ + entries: make(map[string]cacheEntry), + store: store, + ttl: ttl, + stopCh: make(chan struct{}), + logger: logger, + } +} + +// Start launches the background refresh goroutine. +// Call Stop() to shut it down gracefully. +func (c *RuleCache) Start() { + go c.refreshLoop() +} + +// Stop signals the background goroutine to stop. +func (c *RuleCache) Stop() { + close(c.stopCh) +} + +// Get returns active rules for tenantID, loading from the store on cache miss +// or when the entry is older than the TTL. +func (c *RuleCache) Get(ctx context.Context, tenantID string) ([]RoutingRule, error) { + c.mu.RLock() + entry, ok := c.entries[tenantID] + c.mu.RUnlock() + + if ok && time.Since(entry.loadedAt) < c.ttl { + return entry.rules, nil + } + return c.load(ctx, tenantID) +} + +// Invalidate removes the cached rules for tenantID, forcing a reload on next Get(). +// Call this after any Create/Update/Delete operation on routing rules. +func (c *RuleCache) Invalidate(tenantID string) { + c.mu.Lock() + delete(c.entries, tenantID) + c.mu.Unlock() +} + +// load fetches rules from the store and updates the cache entry. +func (c *RuleCache) load(ctx context.Context, tenantID string) ([]RoutingRule, error) { + rules, err := c.store.ListActive(ctx, tenantID) + if err != nil { + c.logger.Error("rule cache: failed to load rules", zap.String("tenant_id", tenantID), zap.Error(err)) + return nil, err + } + + c.mu.Lock() + c.entries[tenantID] = cacheEntry{rules: rules, loadedAt: time.Now()} + c.mu.Unlock() + + c.logger.Debug("rule cache: loaded rules", zap.String("tenant_id", tenantID), zap.Int("count", len(rules))) + return rules, nil +} + +// refreshLoop periodically reloads all cached tenants. +func (c *RuleCache) refreshLoop() { + ticker := time.NewTicker(c.ttl) + defer ticker.Stop() + + for { + select { + case <-ticker.C: + c.refreshAll() + case <-c.stopCh: + return + } + } +} + +func (c *RuleCache) refreshAll() { + c.mu.RLock() + tenants := make([]string, 0, len(c.entries)) + for tid := range c.entries { + tenants = append(tenants, tid) + } + c.mu.RUnlock() + + for _, tid := range tenants { + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + _, _ = c.load(ctx, tid) //nolint:errcheck — logged inside load() + cancel() + } +} diff --git a/internal/routing/cache_test.go b/internal/routing/cache_test.go new file mode 100644 index 0000000..f204dcf --- /dev/null +++ b/internal/routing/cache_test.go @@ -0,0 +1,95 @@ +package routing_test + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/routing" +) + +func makeRule(name, tenantID string, priority int) routing.RoutingRule { + return routing.RoutingRule{ + Name: name, + TenantID: tenantID, + Priority: priority, + IsEnabled: true, + Conditions: []routing.Condition{}, + Action: routing.Action{Provider: "openai"}, + } +} + +func TestRuleCache_Get_LoadsFromStore(t *testing.T) { + store := routing.NewMemStore() + _, err := store.Create(context.Background(), makeRule("r1", "t1", 100)) + require.NoError(t, err) + + cache := routing.NewRuleCache(store, 30*time.Second, zap.NewNop()) + rules, err := cache.Get(context.Background(), "t1") + require.NoError(t, err) + assert.Len(t, rules, 1) + assert.Equal(t, "r1", rules[0].Name) +} + +func TestRuleCache_Get_ReturnsCachedOnSecondCall(t *testing.T) { + store := routing.NewMemStore() + _, err := store.Create(context.Background(), makeRule("r1", "t1", 100)) + require.NoError(t, err) + + cache := routing.NewRuleCache(store, 30*time.Second, zap.NewNop()) + // First call loads from store + rules1, err := cache.Get(context.Background(), "t1") + require.NoError(t, err) + + // Add another rule to the store — should NOT appear before cache expiry + _, err = store.Create(context.Background(), makeRule("r2", "t1", 200)) + require.NoError(t, err) + + rules2, err := cache.Get(context.Background(), "t1") + require.NoError(t, err) + assert.Equal(t, len(rules1), len(rules2), "cache should serve stale data within TTL") +} + +func TestRuleCache_Invalidate_ForcesReload(t *testing.T) { + store := routing.NewMemStore() + _, err := store.Create(context.Background(), makeRule("r1", "t1", 100)) + require.NoError(t, err) + + cache := routing.NewRuleCache(store, 30*time.Second, zap.NewNop()) + _, err = cache.Get(context.Background(), "t1") + require.NoError(t, err) + + // Add a new rule and invalidate + _, err = store.Create(context.Background(), makeRule("r2", "t1", 200)) + require.NoError(t, err) + cache.Invalidate("t1") + + rules, err := cache.Get(context.Background(), "t1") + require.NoError(t, err) + assert.Len(t, rules, 2, "after invalidation, new rule should be visible") +} + +func TestRuleCache_EmptyTenant_ReturnsEmpty(t *testing.T) { + store := routing.NewMemStore() + cache := routing.NewRuleCache(store, 30*time.Second, zap.NewNop()) + + rules, err := cache.Get(context.Background(), "unknown-tenant") + require.NoError(t, err) + assert.Empty(t, rules) +} + +func TestRuleCache_StartStop_NoRace(t *testing.T) { + store := routing.NewMemStore() + cache := routing.NewRuleCache(store, 10*time.Millisecond, zap.NewNop()) + cache.Start() + // Perform some gets while refresh loop runs + for i := 0; i < 5; i++ { + _, _ = cache.Get(context.Background(), "t1") + time.Sleep(5 * time.Millisecond) + } + cache.Stop() +} diff --git a/internal/routing/condition.go b/internal/routing/condition.go new file mode 100644 index 0000000..c237a23 --- /dev/null +++ b/internal/routing/condition.go @@ -0,0 +1,211 @@ +package routing + +import ( + "fmt" + "strings" +) + +// SupportedFields lists the RoutingContext attributes that can be tested. +var SupportedFields = []string{ + "user.role", + "user.department", + "request.sensitivity", + "request.model", + "request.use_case", + "request.token_estimate", +} + +// SupportedOperators lists the comparison operators for conditions. +var SupportedOperators = []string{ + "eq", "neq", // equality + "in", "nin", // set membership + "gte", "lte", // ordered comparison (sensitivity ordinal, token_estimate numeric) + "contains", "matches", // string operations +} + +// IsValidField returns true if field is a known context attribute. +func IsValidField(field string) bool { + for _, f := range SupportedFields { + if f == field { + return true + } + } + return false +} + +// IsValidOperator returns true if op is a known operator. +func IsValidOperator(op string) bool { + for _, o := range SupportedOperators { + if o == op { + return true + } + } + return false +} + +// Evaluate returns true when the condition holds for rctx. +// Unknown fields or operators default to false (fail-safe). +func (c Condition) Evaluate(rctx *RoutingContext) bool { + switch c.Field { + case "user.role": + return evalString(c.Operator, rctx.UserRole, c.Value) + case "user.department": + return evalString(c.Operator, rctx.Department, c.Value) + case "request.sensitivity": + return evalSensitivity(c.Operator, rctx.Sensitivity, c.Value) + case "request.model": + return evalString(c.Operator, rctx.Model, c.Value) + case "request.use_case": + return evalString(c.Operator, rctx.UseCase, c.Value) + case "request.token_estimate": + return evalInt(c.Operator, rctx.TokenEstimate, c.Value) + default: + return false + } +} + +// ValidateConditions checks that all conditions in a slice have valid field+operator pairs. +// Returns a descriptive error for the first invalid condition found. +func ValidateConditions(conditions []Condition) error { + for i, c := range conditions { + if !IsValidField(c.Field) { + return fmt.Errorf("condition[%d]: unknown field %q", i, c.Field) + } + if !IsValidOperator(c.Operator) { + return fmt.Errorf("condition[%d]: unknown operator %q", i, c.Operator) + } + } + return nil +} + +// ─── String field evaluator ─────────────────────────────────────────────────── + +func evalString(op, fieldVal string, value interface{}) bool { + switch op { + case "eq": + return fieldVal == fmt.Sprintf("%v", value) + case "neq": + return fieldVal != fmt.Sprintf("%v", value) + case "contains": + return strings.Contains(fieldVal, fmt.Sprintf("%v", value)) + case "matches": // prefix match + return strings.HasPrefix(fieldVal, fmt.Sprintf("%v", value)) + case "in": + return inSlice(fieldVal, value) + case "nin": + return !inSlice(fieldVal, value) + default: + return false + } +} + +// ─── Sensitivity (ordinal) evaluator ───────────────────────────────────────── + +func evalSensitivity(op string, fieldVal Sensitivity, value interface{}) bool { + // in/nin don't need a single parsed level — they work on a slice directly. + switch op { + case "in": + return inSensitivitySlice(fieldVal, value) + case "nin": + return !inSensitivitySlice(fieldVal, value) + } + + target, ok := ParseSensitivity(fmt.Sprintf("%v", value)) + if !ok { + return false + } + switch op { + case "eq": + return fieldVal == target + case "neq": + return fieldVal != target + case "gte": + return fieldVal >= target + case "lte": + return fieldVal <= target + default: + return false + } +} + +// ─── Integer (token_estimate) evaluator ────────────────────────────────────── + +func evalInt(op string, fieldVal int, value interface{}) bool { + target, ok := toInt(value) + if !ok { + return false + } + switch op { + case "eq": + return fieldVal == target + case "neq": + return fieldVal != target + case "gte": + return fieldVal >= target + case "lte": + return fieldVal <= target + default: + return false + } +} + +// ─── Helpers ───────────────────────────────────────────────────────────────── + +// inSlice returns true if s is in the JSON array represented by value. +func inSlice(s string, value interface{}) bool { + arr, ok := toStringSlice(value) + if !ok { + return false + } + for _, v := range arr { + if v == s { + return true + } + } + return false +} + +func inSensitivitySlice(s Sensitivity, value interface{}) bool { + arr, ok := toStringSlice(value) + if !ok { + return false + } + for _, v := range arr { + if lv, ok2 := ParseSensitivity(v); ok2 && lv == s { + return true + } + } + return false +} + +// toStringSlice tries to convert value (JSON deserialized as []interface{}) to []string. +func toStringSlice(value interface{}) ([]string, bool) { + raw, ok := value.([]interface{}) + if !ok { + // Also handle []string directly (from Go code, not JSON) + if ss, ok2 := value.([]string); ok2 { + return ss, true + } + return nil, false + } + out := make([]string, 0, len(raw)) + for _, v := range raw { + out = append(out, fmt.Sprintf("%v", v)) + } + return out, true +} + +// toInt tries to convert a JSON-decoded value to int. +// JSON numbers arrive as float64. +func toInt(value interface{}) (int, bool) { + switch v := value.(type) { + case int: + return v, true + case int64: + return int(v), true + case float64: + return int(v), true + default: + return 0, false + } +} diff --git a/internal/routing/condition_test.go b/internal/routing/condition_test.go new file mode 100644 index 0000000..eb8633f --- /dev/null +++ b/internal/routing/condition_test.go @@ -0,0 +1,158 @@ +package routing_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veylant/ia-gateway/internal/routing" +) + +func rctx() *routing.RoutingContext { + return &routing.RoutingContext{ + TenantID: "t1", + UserRole: "user", + Department: "finance", + Sensitivity: routing.SensitivityHigh, + Model: "gpt-4o", + UseCase: "summarization", + TokenEstimate: 500, + } +} + +func cond(field, op string, val interface{}) routing.Condition { + return routing.Condition{Field: field, Operator: op, Value: val} +} + +// ─── eq / neq ──────────────────────────────────────────────────────────────── + +func TestCondition_Eq_Role_Match(t *testing.T) { + assert.True(t, cond("user.role", "eq", "user").Evaluate(rctx())) +} + +func TestCondition_Eq_Role_NoMatch(t *testing.T) { + assert.False(t, cond("user.role", "eq", "admin").Evaluate(rctx())) +} + +func TestCondition_Neq_Role(t *testing.T) { + assert.True(t, cond("user.role", "neq", "admin").Evaluate(rctx())) + assert.False(t, cond("user.role", "neq", "user").Evaluate(rctx())) +} + +func TestCondition_Eq_Department(t *testing.T) { + assert.True(t, cond("user.department", "eq", "finance").Evaluate(rctx())) + assert.False(t, cond("user.department", "eq", "engineering").Evaluate(rctx())) +} + +func TestCondition_Eq_Model(t *testing.T) { + assert.True(t, cond("request.model", "eq", "gpt-4o").Evaluate(rctx())) +} + +func TestCondition_Eq_UseCase(t *testing.T) { + assert.True(t, cond("request.use_case", "eq", "summarization").Evaluate(rctx())) +} + +// ─── in / nin ──────────────────────────────────────────────────────────────── + +func TestCondition_In_Role_Match(t *testing.T) { + assert.True(t, cond("user.role", "in", []interface{}{"admin", "user"}).Evaluate(rctx())) +} + +func TestCondition_In_Role_NoMatch(t *testing.T) { + assert.False(t, cond("user.role", "in", []interface{}{"admin", "manager"}).Evaluate(rctx())) +} + +func TestCondition_Nin_Department(t *testing.T) { + assert.True(t, cond("user.department", "nin", []interface{}{"rh", "engineering"}).Evaluate(rctx())) + assert.False(t, cond("user.department", "nin", []interface{}{"finance", "rh"}).Evaluate(rctx())) +} + +// ─── sensitivity gte / lte ─────────────────────────────────────────────────── + +func TestCondition_Sensitivity_Gte_Match(t *testing.T) { + // rctx sensitivity = high (3) + assert.True(t, cond("request.sensitivity", "gte", "medium").Evaluate(rctx())) + assert.True(t, cond("request.sensitivity", "gte", "high").Evaluate(rctx())) + assert.False(t, cond("request.sensitivity", "gte", "critical").Evaluate(rctx())) +} + +func TestCondition_Sensitivity_Lte_Match(t *testing.T) { + assert.True(t, cond("request.sensitivity", "lte", "critical").Evaluate(rctx())) + assert.True(t, cond("request.sensitivity", "lte", "high").Evaluate(rctx())) + assert.False(t, cond("request.sensitivity", "lte", "medium").Evaluate(rctx())) +} + +func TestCondition_Sensitivity_Eq(t *testing.T) { + assert.True(t, cond("request.sensitivity", "eq", "high").Evaluate(rctx())) + assert.False(t, cond("request.sensitivity", "eq", "critical").Evaluate(rctx())) +} + +func TestCondition_Sensitivity_In(t *testing.T) { + assert.True(t, cond("request.sensitivity", "in", []interface{}{"high", "critical"}).Evaluate(rctx())) +} + +func TestCondition_Sensitivity_InvalidValue_ReturnsFalse(t *testing.T) { + assert.False(t, cond("request.sensitivity", "gte", "invalid_level").Evaluate(rctx())) +} + +// ─── token_estimate numeric ─────────────────────────────────────────────────── + +func TestCondition_TokenEstimate_Gte(t *testing.T) { + assert.True(t, cond("request.token_estimate", "gte", float64(100)).Evaluate(rctx())) + assert.True(t, cond("request.token_estimate", "gte", float64(500)).Evaluate(rctx())) + assert.False(t, cond("request.token_estimate", "gte", float64(1000)).Evaluate(rctx())) +} + +func TestCondition_TokenEstimate_Lte(t *testing.T) { + assert.True(t, cond("request.token_estimate", "lte", float64(1000)).Evaluate(rctx())) + assert.False(t, cond("request.token_estimate", "lte", float64(499)).Evaluate(rctx())) +} + +// ─── contains / matches ─────────────────────────────────────────────────────── + +func TestCondition_Contains_Model(t *testing.T) { + assert.True(t, cond("request.model", "contains", "4o").Evaluate(rctx())) + assert.False(t, cond("request.model", "contains", "claude").Evaluate(rctx())) +} + +func TestCondition_Matches_Model_Prefix(t *testing.T) { + assert.True(t, cond("request.model", "matches", "gpt-").Evaluate(rctx())) + assert.False(t, cond("request.model", "matches", "claude-").Evaluate(rctx())) +} + +// ─── unknown field / operator ───────────────────────────────────────────────── + +func TestCondition_UnknownField_ReturnsFalse(t *testing.T) { + assert.False(t, cond("user.unknown", "eq", "x").Evaluate(rctx())) +} + +func TestCondition_UnknownOperator_ReturnsFalse(t *testing.T) { + assert.False(t, cond("user.role", "startswith", "u").Evaluate(rctx())) +} + +// ─── ValidateConditions ─────────────────────────────────────────────────────── + +func TestValidateConditions_Valid(t *testing.T) { + err := routing.ValidateConditions([]routing.Condition{ + {Field: "request.sensitivity", Operator: "gte", Value: "high"}, + {Field: "user.department", Operator: "eq", Value: "finance"}, + }) + require.NoError(t, err) +} + +func TestValidateConditions_InvalidField(t *testing.T) { + err := routing.ValidateConditions([]routing.Condition{ + {Field: "user.age", Operator: "eq", Value: "30"}, + }) + require.Error(t, err) + assert.Contains(t, err.Error(), "user.age") +} + +func TestValidateConditions_InvalidOperator(t *testing.T) { + err := routing.ValidateConditions([]routing.Condition{ + {Field: "user.role", Operator: "starts_with", Value: "ad"}, + }) + require.Error(t, err) + assert.Contains(t, err.Error(), "starts_with") +} diff --git a/internal/routing/context.go b/internal/routing/context.go new file mode 100644 index 0000000..a63b508 --- /dev/null +++ b/internal/routing/context.go @@ -0,0 +1,19 @@ +package routing + +import "context" + +type contextKey string + +const sensitivityKey contextKey = "veylant.routing.sensitivity" + +// WithSensitivity returns a new context carrying s. +func WithSensitivity(ctx context.Context, s Sensitivity) context.Context { + return context.WithValue(ctx, sensitivityKey, s) +} + +// SensitivityFromContext retrieves the Sensitivity stored by WithSensitivity. +// Returns SensitivityNone and false if not set. +func SensitivityFromContext(ctx context.Context) (Sensitivity, bool) { + s, ok := ctx.Value(sensitivityKey).(Sensitivity) + return s, ok +} diff --git a/internal/routing/engine.go b/internal/routing/engine.go new file mode 100644 index 0000000..5a7b0f0 --- /dev/null +++ b/internal/routing/engine.go @@ -0,0 +1,71 @@ +package routing + +import ( + "context" + "time" + + "go.uber.org/zap" +) + +// Engine evaluates routing rules from the RuleCache against a RoutingContext. +// It is the central component of the intelligent routing system. +type Engine struct { + cache *RuleCache + logger *zap.Logger +} + +// New creates an Engine backed by store with the given cache TTL. +func New(store RuleStore, ttl time.Duration, logger *zap.Logger) *Engine { + return &Engine{ + cache: NewRuleCache(store, ttl, logger), + logger: logger, + } +} + +// Start launches the cache background refresh goroutine. +func (e *Engine) Start() { e.cache.Start() } + +// Stop shuts down the cache refresh goroutine. +func (e *Engine) Stop() { e.cache.Stop() } + +// Cache returns the underlying RuleCache so callers (e.g. admin API) can +// invalidate entries after mutations. +func (e *Engine) Cache() *RuleCache { return e.cache } + +// Evaluate finds the first matching rule for rctx and returns its Action. +// Rules are evaluated in priority order (ASC). All conditions within a rule +// must match (AND logic). An empty Conditions slice matches everything (catch-all). +// +// Returns (action, true, nil) on match. +// Returns (Action{}, false, nil) when no rule matches. +// Returns (Action{}, false, err) on cache/store errors. +func (e *Engine) Evaluate(ctx context.Context, rctx *RoutingContext) (Action, bool, error) { + rules, err := e.cache.Get(ctx, rctx.TenantID) + if err != nil { + return Action{}, false, err + } + + for _, rule := range rules { // already sorted ASC by priority + if matchesAll(rule.Conditions, rctx) { + e.logger.Debug("routing rule matched", + zap.String("rule_id", rule.ID), + zap.String("rule_name", rule.Name), + zap.String("provider", rule.Action.Provider), + zap.String("tenant_id", rctx.TenantID), + ) + return rule.Action, true, nil + } + } + return Action{}, false, nil +} + +// matchesAll returns true if every condition in the slice holds for rctx. +// An empty slice is a catch-all — it always matches. +func matchesAll(conditions []Condition, rctx *RoutingContext) bool { + for _, c := range conditions { + if !c.Evaluate(rctx) { + return false + } + } + return true +} diff --git a/internal/routing/engine_test.go b/internal/routing/engine_test.go new file mode 100644 index 0000000..9b21d2d --- /dev/null +++ b/internal/routing/engine_test.go @@ -0,0 +1,332 @@ +package routing_test + +import ( + "context" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/routing" +) + +const tenantA = "tenant-a" +const tenantB = "tenant-b" + +// newEngine creates an Engine with a MemStore pre-seeded with the given rules. +func newEngine(rules ...routing.RoutingRule) *routing.Engine { + store := routing.NewMemStore() + for _, r := range rules { + _, _ = store.Create(context.Background(), r) + } + return routing.New(store, 30*time.Second, zap.NewNop()) +} + +func rule(tenantID, name string, priority int, action routing.Action, conds ...routing.Condition) routing.RoutingRule { + return routing.RoutingRule{ + TenantID: tenantID, + Name: name, + Priority: priority, + IsEnabled: true, + Action: action, + Conditions: conds, + } +} + +func actionFor(provider string, fallbacks ...string) routing.Action { + return routing.Action{Provider: provider, FallbackProviders: fallbacks} +} + +// ─── Basic match ───────────────────────────────────────────────────────────── + +func TestEngine_Evaluate_NoRules_ReturnsFalse(t *testing.T) { + e := newEngine() + _, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{TenantID: tenantA}) + require.NoError(t, err) + assert.False(t, matched) +} + +func TestEngine_Evaluate_CatchAll_Matches(t *testing.T) { + e := newEngine(rule(tenantA, "catch-all", 9999, actionFor("openai"))) + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{TenantID: tenantA}) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "openai", action.Provider) +} + +func TestEngine_Evaluate_NoMatchForTenant_ReturnsFalse(t *testing.T) { + e := newEngine(rule(tenantA, "r1", 10, actionFor("openai"))) + _, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{TenantID: tenantB}) + require.NoError(t, err) + assert.False(t, matched) +} + +// ─── Sensitivity routing ────────────────────────────────────────────────────── + +func TestEngine_CriticalSensitivity_RoutesToOllama(t *testing.T) { + r := rule(tenantA, "critical → ollama", 10, actionFor("ollama", "openai"), + routing.Condition{Field: "request.sensitivity", Operator: "gte", Value: "high"}, + ) + e := newEngine(r) + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Sensitivity: routing.SensitivityCritical, + }) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "ollama", action.Provider) + assert.Equal(t, []string{"openai"}, action.FallbackProviders) +} + +func TestEngine_LowSensitivity_DoesNotMatchHighRule(t *testing.T) { + r := rule(tenantA, "high → ollama", 10, actionFor("ollama"), + routing.Condition{Field: "request.sensitivity", Operator: "gte", Value: "high"}, + ) + e := newEngine(r) + _, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Sensitivity: routing.SensitivityLow, + }) + require.NoError(t, err) + assert.False(t, matched) +} + +func TestEngine_MediumSensitivity_MatchesMediumRule(t *testing.T) { + r := rule(tenantA, "medium+", 10, actionFor("mistral"), + routing.Condition{Field: "request.sensitivity", Operator: "gte", Value: "medium"}, + ) + e := newEngine(r) + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Sensitivity: routing.SensitivityMedium, + }) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "mistral", action.Provider) +} + +// ─── Department routing ─────────────────────────────────────────────────────── + +func TestEngine_Department_Finance_RoutesToOllama(t *testing.T) { + r := rule(tenantA, "finance → ollama", 10, actionFor("ollama"), + routing.Condition{Field: "user.department", Operator: "eq", Value: "finance"}, + ) + e := newEngine(r) + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Department: "finance", + }) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "ollama", action.Provider) +} + +func TestEngine_Department_Engineering_RoutesToAnthropic(t *testing.T) { + r := rule(tenantA, "eng → anthropic", 10, actionFor("anthropic"), + routing.Condition{Field: "user.department", Operator: "eq", Value: "engineering"}, + ) + e := newEngine(r) + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Department: "engineering", + }) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "anthropic", action.Provider) +} + +func TestEngine_Department_RH_OtherDept_DoesNotMatch(t *testing.T) { + r := rule(tenantA, "rh → ollama", 10, actionFor("ollama"), + routing.Condition{Field: "user.department", Operator: "eq", Value: "rh"}, + ) + e := newEngine(r) + _, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Department: "marketing", + }) + require.NoError(t, err) + assert.False(t, matched) +} + +// ─── Role routing ───────────────────────────────────────────────────────────── + +func TestEngine_Role_Admin_MatchesAdminRule(t *testing.T) { + r := rule(tenantA, "admin → anthropic", 10, actionFor("anthropic"), + routing.Condition{Field: "user.role", Operator: "in", Value: []interface{}{"admin", "manager"}}, + ) + e := newEngine(r) + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + UserRole: "admin", + }) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "anthropic", action.Provider) +} + +// ─── Priority ordering ──────────────────────────────────────────────────────── + +func TestEngine_Priority_LowestWins(t *testing.T) { + // Two catch-all rules — priority 10 should win over priority 20 + r1 := rule(tenantA, "catch-all-low", 20, actionFor("openai")) + r2 := rule(tenantA, "catch-all-high", 10, actionFor("anthropic")) + e := newEngine(r1, r2) + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{TenantID: tenantA}) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "anthropic", action.Provider, "priority 10 should win over priority 20") +} + +func TestEngine_Priority_SpecificBeforeCatchAll(t *testing.T) { + specific := rule(tenantA, "critical → ollama", 5, actionFor("ollama"), + routing.Condition{Field: "request.sensitivity", Operator: "gte", Value: "high"}, + ) + catchAll := rule(tenantA, "catch-all", 9999, actionFor("openai")) + e := newEngine(catchAll, specific) // insert out of order; engine should sort + + action, matched, err := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Sensitivity: routing.SensitivityCritical, + }) + require.NoError(t, err) + assert.True(t, matched) + assert.Equal(t, "ollama", action.Provider, "specific rule should take priority over catch-all") +} + +// ─── Multiple conditions (AND logic) ───────────────────────────────────────── + +func TestEngine_MultipleConditions_AllMustMatch(t *testing.T) { + r := rule(tenantA, "finance + high sens", 10, actionFor("ollama"), + routing.Condition{Field: "user.department", Operator: "eq", Value: "finance"}, + routing.Condition{Field: "request.sensitivity", Operator: "gte", Value: "high"}, + ) + e := newEngine(r) + + // Only department matches, not sensitivity + _, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Department: "finance", + Sensitivity: routing.SensitivityLow, + }) + assert.False(t, matched, "both conditions must match") + + // Both match + action, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Department: "finance", + Sensitivity: routing.SensitivityHigh, + }) + assert.True(t, matched) + assert.Equal(t, "ollama", action.Provider) +} + +// ─── Token estimate ─────────────────────────────────────────────────────────── + +func TestEngine_TokenEstimate_LargePrompt_RoutesToOllama(t *testing.T) { + r := rule(tenantA, "big prompts → ollama", 10, actionFor("ollama"), + routing.Condition{Field: "request.token_estimate", Operator: "gte", Value: float64(4000)}, + ) + e := newEngine(r) + + _, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + TokenEstimate: 100, + }) + assert.False(t, matched) + + action, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + TokenEstimate: 5000, + }) + assert.True(t, matched) + assert.Equal(t, "ollama", action.Provider) +} + +// ─── Model routing ──────────────────────────────────────────────────────────── + +func TestEngine_Model_MatchesPrefix(t *testing.T) { + r := rule(tenantA, "gpt-4 → azure", 10, actionFor("azure"), + routing.Condition{Field: "request.model", Operator: "matches", Value: "gpt-4"}, + ) + e := newEngine(r) + action, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{ + TenantID: tenantA, + Model: "gpt-4o-mini", + }) + assert.True(t, matched) + assert.Equal(t, "azure", action.Provider) +} + +// ─── Disabled rules ─────────────────────────────────────────────────────────── + +func TestEngine_DisabledRule_NotEvaluated(t *testing.T) { + store := routing.NewMemStore() + r, _ := store.Create(context.Background(), routing.RoutingRule{ + TenantID: tenantA, + Name: "disabled", + Priority: 10, + IsEnabled: false, // disabled + Conditions: []routing.Condition{}, + Action: routing.Action{Provider: "anthropic"}, + }) + _ = r + + e := routing.New(store, 30*time.Second, zap.NewNop()) + _, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{TenantID: tenantA}) + assert.False(t, matched, "disabled rule must not be evaluated") +} + +// ─── Fallback providers ─────────────────────────────────────────────────────── + +func TestEngine_Action_FallbackProvidersPreserved(t *testing.T) { + r := rule(tenantA, "with fallbacks", 10, + routing.Action{Provider: "anthropic", FallbackProviders: []string{"openai", "mistral"}}, + ) + e := newEngine(r) + action, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{TenantID: tenantA}) + assert.True(t, matched) + assert.Equal(t, "anthropic", action.Provider) + assert.Equal(t, []string{"openai", "mistral"}, action.FallbackProviders) +} + +// ─── Model override ─────────────────────────────────────────────────────────── + +func TestEngine_Action_ModelOverride(t *testing.T) { + r := rule(tenantA, "model override", 10, + routing.Action{Provider: "ollama", Model: "llama3"}, + ) + e := newEngine(r) + action, matched, _ := e.Evaluate(context.Background(), &routing.RoutingContext{TenantID: tenantA}) + assert.True(t, matched) + assert.Equal(t, "llama3", action.Model) +} + +// ─── Benchmark ─────────────────────────────────────────────────────────────── + +func BenchmarkEngine_Evaluate_10Rules(b *testing.B) { + rules := make([]routing.RoutingRule, 10) + for i := range rules { + rules[i] = routing.RoutingRule{ + TenantID: tenantA, + Name: "rule", + Priority: (i + 1) * 10, + IsEnabled: true, + Action: routing.Action{Provider: "openai"}, + Conditions: []routing.Condition{ + {Field: "user.department", Operator: "eq", Value: "nonexistent"}, + }, + } + } + // Last rule is catch-all to ensure we always match + rules[9].Conditions = []routing.Condition{} + + e := newEngine(rules...) + rctx := &routing.RoutingContext{TenantID: tenantA, Department: "finance"} + + b.ResetTimer() + for i := 0; i < b.N; i++ { + _, _, _ = e.Evaluate(context.Background(), rctx) + } +} diff --git a/internal/routing/pg_store.go b/internal/routing/pg_store.go new file mode 100644 index 0000000..315c481 --- /dev/null +++ b/internal/routing/pg_store.go @@ -0,0 +1,159 @@ +package routing + +import ( + "context" + "database/sql" + "encoding/json" + "errors" + "fmt" + "time" + + "go.uber.org/zap" +) + +// PgStore implements RuleStore using PostgreSQL (jackc/pgx/v5 via database/sql). +type PgStore struct { + db *sql.DB + logger *zap.Logger +} + +// NewPgStore creates a PgStore backed by the given database connection. +func NewPgStore(db *sql.DB, logger *zap.Logger) *PgStore { + return &PgStore{db: db, logger: logger} +} + +func (p *PgStore) ListActive(ctx context.Context, tenantID string) ([]RoutingRule, error) { + const q = ` + SELECT id, tenant_id, name, COALESCE(description,''), conditions, action, priority, is_enabled, created_at, updated_at + FROM routing_rules + WHERE tenant_id = $1 AND is_enabled = TRUE + ORDER BY priority ASC` + + rows, err := p.db.QueryContext(ctx, q, tenantID) + if err != nil { + return nil, fmt.Errorf("routing_rules list: %w", err) + } + defer rows.Close() //nolint:errcheck + + var rules []RoutingRule + for rows.Next() { + r, err := scanRule(rows) + if err != nil { + return nil, err + } + rules = append(rules, r) + } + return rules, rows.Err() +} + +func (p *PgStore) Get(ctx context.Context, id, tenantID string) (RoutingRule, error) { + const q = ` + SELECT id, tenant_id, name, COALESCE(description,''), conditions, action, priority, is_enabled, created_at, updated_at + FROM routing_rules + WHERE id = $1 AND tenant_id = $2` + + row := p.db.QueryRowContext(ctx, q, id, tenantID) + r, err := scanRule(row) + if errors.Is(err, sql.ErrNoRows) { + return RoutingRule{}, ErrNotFound + } + return r, err +} + +func (p *PgStore) Create(ctx context.Context, rule RoutingRule) (RoutingRule, error) { + condJSON, err := json.Marshal(rule.Conditions) + if err != nil { + return RoutingRule{}, fmt.Errorf("marshal conditions: %w", err) + } + actionJSON, err := json.Marshal(rule.Action) + if err != nil { + return RoutingRule{}, fmt.Errorf("marshal action: %w", err) + } + + const q = ` + INSERT INTO routing_rules (tenant_id, name, description, conditions, action, priority, is_enabled) + VALUES ($1, $2, $3, $4, $5, $6, $7) + RETURNING id, tenant_id, name, COALESCE(description,''), conditions, action, priority, is_enabled, created_at, updated_at` + + row := p.db.QueryRowContext(ctx, q, + rule.TenantID, rule.Name, rule.Description, + condJSON, actionJSON, rule.Priority, rule.IsEnabled, + ) + return scanRule(row) +} + +func (p *PgStore) Update(ctx context.Context, rule RoutingRule) (RoutingRule, error) { + condJSON, err := json.Marshal(rule.Conditions) + if err != nil { + return RoutingRule{}, fmt.Errorf("marshal conditions: %w", err) + } + actionJSON, err := json.Marshal(rule.Action) + if err != nil { + return RoutingRule{}, fmt.Errorf("marshal action: %w", err) + } + + const q = ` + UPDATE routing_rules + SET name=$3, description=$4, conditions=$5, action=$6, priority=$7, is_enabled=$8 + WHERE id=$1 AND tenant_id=$2 + RETURNING id, tenant_id, name, COALESCE(description,''), conditions, action, priority, is_enabled, created_at, updated_at` + + row := p.db.QueryRowContext(ctx, q, + rule.ID, rule.TenantID, rule.Name, rule.Description, + condJSON, actionJSON, rule.Priority, rule.IsEnabled, + ) + r, err := scanRule(row) + if errors.Is(err, sql.ErrNoRows) { + return RoutingRule{}, ErrNotFound + } + return r, err +} + +func (p *PgStore) Delete(ctx context.Context, id, tenantID string) error { + const q = `DELETE FROM routing_rules WHERE id = $1 AND tenant_id = $2` + res, err := p.db.ExecContext(ctx, q, id, tenantID) + if err != nil { + return fmt.Errorf("routing_rules delete: %w", err) + } + n, _ := res.RowsAffected() + if n == 0 { + return ErrNotFound + } + return nil +} + +// ─── scanner ───────────────────────────────────────────────────────────────── + +// scanner is satisfied by both *sql.Row and *sql.Rows. +type scanner interface { + Scan(dest ...interface{}) error +} + +func scanRule(s scanner) (RoutingRule, error) { + var ( + r RoutingRule + condJSON []byte + actionJSON []byte + createdAt time.Time + updatedAt time.Time + ) + err := s.Scan( + &r.ID, &r.TenantID, &r.Name, &r.Description, + &condJSON, &actionJSON, + &r.Priority, &r.IsEnabled, + &createdAt, &updatedAt, + ) + if err != nil { + return RoutingRule{}, fmt.Errorf("scanning routing_rule row: %w", err) + } + r.CreatedAt = createdAt + r.UpdatedAt = updatedAt + + if err := json.Unmarshal(condJSON, &r.Conditions); err != nil { + return RoutingRule{}, fmt.Errorf("parsing conditions JSON: %w", err) + } + if err := json.Unmarshal(actionJSON, &r.Action); err != nil { + return RoutingRule{}, fmt.Errorf("parsing action JSON: %w", err) + } + return r, nil +} diff --git a/internal/routing/rule.go b/internal/routing/rule.go new file mode 100644 index 0000000..053b0d2 --- /dev/null +++ b/internal/routing/rule.go @@ -0,0 +1,121 @@ +// Package routing implements the intelligent routing engine for the Veylant proxy. +// Rules are stored in PostgreSQL (JSONB conditions), cached in-memory (30s TTL), +// and evaluated in priority order (ASC, first match wins). +package routing + +import "time" + +// ─── Sensitivity ───────────────────────────────────────────────────────────── + +// Sensitivity represents the PII risk level of a request, from None to Critical. +// Values are comparable with < / > operators (higher = more sensitive). +type Sensitivity int + +const ( + SensitivityNone Sensitivity = 0 + SensitivityLow Sensitivity = 1 + SensitivityMedium Sensitivity = 2 + SensitivityHigh Sensitivity = 3 + SensitivityCritical Sensitivity = 4 +) + +// String returns the canonical lowercase name for the sensitivity level. +func (s Sensitivity) String() string { + switch s { + case SensitivityNone: + return "none" + case SensitivityLow: + return "low" + case SensitivityMedium: + return "medium" + case SensitivityHigh: + return "high" + case SensitivityCritical: + return "critical" + default: + return "unknown" + } +} + +// ParseSensitivity converts a string (none/low/medium/high/critical) to a Sensitivity. +func ParseSensitivity(s string) (Sensitivity, bool) { + switch s { + case "none": + return SensitivityNone, true + case "low": + return SensitivityLow, true + case "medium": + return SensitivityMedium, true + case "high": + return SensitivityHigh, true + case "critical": + return SensitivityCritical, true + default: + return SensitivityNone, false + } +} + +// ─── Condition ─────────────────────────────────────────────────────────────── + +// Condition is a single predicate in a routing rule. +// All conditions within a rule must match (AND logic). +type Condition struct { + // Field identifies the request attribute to test. + // Supported values: user.role, user.department, request.sensitivity, + // request.model, request.use_case, request.token_estimate + Field string `json:"field"` + + // Operator specifies how to compare the field value. + // Supported values: eq, neq, in, nin, gte, lte, contains, matches + Operator string `json:"operator"` + + // Value is the operand. Type depends on the operator: + // eq/neq/contains/matches/gte/lte → string or number + // in/nin → []interface{} (JSON array of strings) + Value interface{} `json:"value"` +} + +// ─── Action ────────────────────────────────────────────────────────────────── + +// Action is the routing decision returned when a rule matches. +type Action struct { + // Provider is the name of the primary upstream adapter to use. + // Valid values: openai, anthropic, azure, mistral, ollama + Provider string `json:"provider"` + + // Model overrides the model name sent to the upstream. + // If empty, the model from the original ChatRequest is forwarded as-is. + Model string `json:"model,omitempty"` + + // FallbackProviders are tried in order when the primary provider fails. + FallbackProviders []string `json:"fallback_providers,omitempty"` +} + +// ─── RoutingRule ───────────────────────────────────────────────────────────── + +// RoutingRule is a single DB-backed policy entry. +type RoutingRule struct { + ID string + TenantID string + Name string + Description string + Conditions []Condition // ALL must match (AND). Empty slice = catch-all (matches everything). + Action Action + Priority int // lower value = evaluated first + IsEnabled bool + CreatedAt time.Time + UpdatedAt time.Time +} + +// ─── RoutingContext ─────────────────────────────────────────────────────────── + +// RoutingContext carries the per-request attributes used by condition evaluation. +type RoutingContext struct { + TenantID string + UserRole string // primary role from JWT (e.g. "admin", "user") + Department string // user department from JWT claim + Sensitivity Sensitivity // scored from PII detection results + Model string // model name from the ChatRequest + UseCase string // optional use-case tag (e.g. "summarization") + TokenEstimate int // estimated prompt token count +} diff --git a/internal/routing/sensitivity.go b/internal/routing/sensitivity.go new file mode 100644 index 0000000..9f5a5c5 --- /dev/null +++ b/internal/routing/sensitivity.go @@ -0,0 +1,57 @@ +package routing + +import ( + "github.com/veylant/ia-gateway/internal/pii" +) + +// Entity type constants mirror the values emitted by the PII detection layers. +// Regex layer types (high-precision): +const ( + entityIBAN = "IBAN" + entityFRSSN = "FR_SSN" + entityCreditCard = "CREDIT_CARD" + entityEmailAddr = "EMAIL" + entityPhoneFR = "PHONE_FR" + entityPhoneIntl = "PHONE_INTL" +) + +// NER layer types (Presidio / spaCy): +const ( + entityPerson = "PERSON" + entityLocation = "LOCATION" + entityOrg = "ORGANIZATION" +) + +// entitySensitivity maps known entity types to their sensitivity level. +// Types not listed are treated as Low. +var entitySensitivity = map[string]Sensitivity{ + // Critical — financial / identity data; highest regulatory risk + entityIBAN: SensitivityCritical, + entityFRSSN: SensitivityCritical, + entityCreditCard: SensitivityCritical, + // High — personal identifiable data + entityPerson: SensitivityHigh, + entityLocation: SensitivityHigh, + entityOrg: SensitivityHigh, + // Medium — contact information + entityEmailAddr: SensitivityMedium, + entityPhoneFR: SensitivityMedium, + entityPhoneIntl: SensitivityMedium, +} + +// ScoreFromEntities derives a single Sensitivity level from a slice of detected PII entities. +// The score is the maximum level across all entities. +// If no entities are detected, SensitivityNone is returned. +func ScoreFromEntities(entities []pii.Entity) Sensitivity { + max := SensitivityNone + for _, e := range entities { + level, ok := entitySensitivity[e.EntityType] + if !ok { + level = SensitivityLow // unknown entity types are at least low + } + if level > max { + max = level + } + } + return max +} diff --git a/internal/routing/sensitivity_test.go b/internal/routing/sensitivity_test.go new file mode 100644 index 0000000..302d9ae --- /dev/null +++ b/internal/routing/sensitivity_test.go @@ -0,0 +1,72 @@ +package routing_test + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/veylant/ia-gateway/internal/pii" + "github.com/veylant/ia-gateway/internal/routing" +) + +func entity(typ string) pii.Entity { return pii.Entity{EntityType: typ} } + +func TestScoreFromEntities_NoEntities_ReturnsNone(t *testing.T) { + assert.Equal(t, routing.SensitivityNone, routing.ScoreFromEntities(nil)) + assert.Equal(t, routing.SensitivityNone, routing.ScoreFromEntities([]pii.Entity{})) +} + +func TestScoreFromEntities_IBAN_ReturnsCritical(t *testing.T) { + assert.Equal(t, routing.SensitivityCritical, routing.ScoreFromEntities([]pii.Entity{entity("IBAN")})) +} + +func TestScoreFromEntities_CreditCard_ReturnsCritical(t *testing.T) { + assert.Equal(t, routing.SensitivityCritical, routing.ScoreFromEntities([]pii.Entity{entity("CREDIT_CARD")})) +} + +func TestScoreFromEntities_FRSSN_ReturnsCritical(t *testing.T) { + assert.Equal(t, routing.SensitivityCritical, routing.ScoreFromEntities([]pii.Entity{entity("FR_SSN")})) +} + +func TestScoreFromEntities_Person_ReturnsHigh(t *testing.T) { + assert.Equal(t, routing.SensitivityHigh, routing.ScoreFromEntities([]pii.Entity{entity("PERSON")})) +} + +func TestScoreFromEntities_Email_ReturnsMedium(t *testing.T) { + assert.Equal(t, routing.SensitivityMedium, routing.ScoreFromEntities([]pii.Entity{entity("EMAIL")})) +} + +func TestScoreFromEntities_UnknownType_ReturnsLow(t *testing.T) { + assert.Equal(t, routing.SensitivityLow, routing.ScoreFromEntities([]pii.Entity{entity("CUSTOM_PII")})) +} + +func TestScoreFromEntities_MixedEntities_ReturnsMax(t *testing.T) { + entities := []pii.Entity{entity("EMAIL"), entity("PERSON"), entity("IBAN")} + assert.Equal(t, routing.SensitivityCritical, routing.ScoreFromEntities(entities)) +} + +func TestSensitivity_String(t *testing.T) { + cases := []struct{ s routing.Sensitivity; want string }{ + {routing.SensitivityNone, "none"}, + {routing.SensitivityLow, "low"}, + {routing.SensitivityMedium, "medium"}, + {routing.SensitivityHigh, "high"}, + {routing.SensitivityCritical, "critical"}, + } + for _, tc := range cases { + assert.Equal(t, tc.want, tc.s.String()) + } +} + +func TestParseSensitivity_ValidValues(t *testing.T) { + for _, name := range []string{"none", "low", "medium", "high", "critical"} { + s, ok := routing.ParseSensitivity(name) + assert.True(t, ok, "should parse %q", name) + assert.Equal(t, name, s.String()) + } +} + +func TestParseSensitivity_InvalidValue_ReturnsFalse(t *testing.T) { + _, ok := routing.ParseSensitivity("unknown") + assert.False(t, ok) +} diff --git a/internal/routing/store.go b/internal/routing/store.go new file mode 100644 index 0000000..598f85e --- /dev/null +++ b/internal/routing/store.go @@ -0,0 +1,104 @@ +package routing + +import ( + "context" + "fmt" + "sort" + "sync" + "time" +) + +// RuleStore is the persistence interface for routing rules. +// The MemStore implements it for tests; PgStore implements it for production. +type RuleStore interface { + // ListActive returns all enabled rules for tenantID, sorted by priority ASC. + ListActive(ctx context.Context, tenantID string) ([]RoutingRule, error) + // Get returns a single rule by id, scoped to tenantID. + Get(ctx context.Context, id, tenantID string) (RoutingRule, error) + // Create persists a new rule and returns the created record. + Create(ctx context.Context, rule RoutingRule) (RoutingRule, error) + // Update replaces an existing rule and returns the updated record. + Update(ctx context.Context, rule RoutingRule) (RoutingRule, error) + // Delete permanently removes a rule. Only affects the given tenantID. + Delete(ctx context.Context, id, tenantID string) error +} + +// ErrNotFound is returned by Get/Update/Delete when the rule does not exist. +var ErrNotFound = fmt.Errorf("routing rule not found") + +// ─── MemStore — in-memory implementation (tests & dev) ────────────────────── + +// MemStore is a thread-safe in-memory RuleStore for unit tests. +type MemStore struct { + mu sync.RWMutex + rules map[string]RoutingRule // id → rule + seq int +} + +// NewMemStore creates an empty MemStore. +func NewMemStore() *MemStore { + return &MemStore{rules: make(map[string]RoutingRule)} +} + +func (m *MemStore) ListActive(_ context.Context, tenantID string) ([]RoutingRule, error) { + m.mu.RLock() + defer m.mu.RUnlock() + + var out []RoutingRule + for _, r := range m.rules { + if r.TenantID == tenantID && r.IsEnabled { + out = append(out, r) + } + } + sort.Slice(out, func(i, j int) bool { return out[i].Priority < out[j].Priority }) + return out, nil +} + +func (m *MemStore) Get(_ context.Context, id, tenantID string) (RoutingRule, error) { + m.mu.RLock() + defer m.mu.RUnlock() + + r, ok := m.rules[id] + if !ok || r.TenantID != tenantID { + return RoutingRule{}, ErrNotFound + } + return r, nil +} + +func (m *MemStore) Create(_ context.Context, rule RoutingRule) (RoutingRule, error) { + m.mu.Lock() + defer m.mu.Unlock() + + m.seq++ + rule.ID = fmt.Sprintf("mem-%d", m.seq) + rule.CreatedAt = time.Now() + rule.UpdatedAt = time.Now() + m.rules[rule.ID] = rule + return rule, nil +} + +func (m *MemStore) Update(_ context.Context, rule RoutingRule) (RoutingRule, error) { + m.mu.Lock() + defer m.mu.Unlock() + + existing, ok := m.rules[rule.ID] + if !ok || existing.TenantID != rule.TenantID { + return RoutingRule{}, ErrNotFound + } + rule.CreatedAt = existing.CreatedAt + rule.UpdatedAt = time.Now() + m.rules[rule.ID] = rule + return rule, nil +} + +func (m *MemStore) Delete(_ context.Context, id, tenantID string) error { + m.mu.Lock() + defer m.mu.Unlock() + + r, ok := m.rules[id] + if !ok || r.TenantID != tenantID { + return ErrNotFound + } + delete(m.rules, id) + return nil +} diff --git a/internal/routing/templates.go b/internal/routing/templates.go new file mode 100644 index 0000000..ace83c3 --- /dev/null +++ b/internal/routing/templates.go @@ -0,0 +1,77 @@ +package routing + +// Templates holds factory functions for pre-configured routing rules. +// Each function accepts a tenantID and returns a ready-to-use RoutingRule +// that can be passed directly to RuleStore.Create(). +var Templates = map[string]func(tenantID string) RoutingRule{ + // hr: sensitivity ≥ medium AND department=rh → ollama (on-prem), fallback openai + "hr": func(tenantID string) RoutingRule { + return RoutingRule{ + TenantID: tenantID, + Name: "RH — données sensibles", + Description: "Requêtes RH avec sensibilité moyenne ou supérieure routées vers le modèle on-prem", + Priority: 10, + IsEnabled: true, + Conditions: []Condition{ + {Field: "request.sensitivity", Operator: "gte", Value: "medium"}, + {Field: "user.department", Operator: "eq", Value: "rh"}, + }, + Action: Action{ + Provider: "ollama", + FallbackProviders: []string{"openai"}, + }, + } + }, + + // finance: sensitivity ≥ high → ollama (on-prem), fallback openai + "finance": func(tenantID string) RoutingRule { + return RoutingRule{ + TenantID: tenantID, + Name: "Finance — données hautement sensibles", + Description: "Requêtes Finance avec haute sensibilité routées vers le modèle on-prem", + Priority: 20, + IsEnabled: true, + Conditions: []Condition{ + {Field: "request.sensitivity", Operator: "gte", Value: "high"}, + {Field: "user.department", Operator: "eq", Value: "finance"}, + }, + Action: Action{ + Provider: "ollama", + FallbackProviders: []string{"openai"}, + }, + } + }, + + // engineering: department=engineering → anthropic + "engineering": func(tenantID string) RoutingRule { + return RoutingRule{ + TenantID: tenantID, + Name: "Engineering — modèle avancé", + Description: "Requêtes Engineering routées vers Anthropic pour les tâches de code complexes", + Priority: 30, + IsEnabled: true, + Conditions: []Condition{ + {Field: "user.department", Operator: "eq", Value: "engineering"}, + }, + Action: Action{ + Provider: "anthropic", + FallbackProviders: []string{"openai"}, + }, + } + }, + + // catchall: no conditions → openai (lowest priority, always matches) + "catchall": func(tenantID string) RoutingRule { + return RoutingRule{ + TenantID: tenantID, + Name: "Catch-all — OpenAI", + Description: "Règle par défaut : toutes les requêtes non routées vont vers OpenAI", + Priority: 9999, + IsEnabled: true, + Conditions: []Condition{}, + Action: Action{ + Provider: "openai", + }, + } + }, +} diff --git a/migrations/000001_initial.down.sql b/migrations/000001_initial.down.sql new file mode 100644 index 0000000..1388099 --- /dev/null +++ b/migrations/000001_initial.down.sql @@ -0,0 +1,10 @@ +-- Rollback migration 000001 + +DROP TABLE IF EXISTS api_keys CASCADE; +DROP TABLE IF EXISTS users CASCADE; +DROP TABLE IF EXISTS tenants CASCADE; + +DROP FUNCTION IF EXISTS set_updated_at CASCADE; + +DROP EXTENSION IF EXISTS "pgcrypto"; +DROP EXTENSION IF EXISTS "uuid-ossp"; diff --git a/migrations/000001_initial.up.sql b/migrations/000001_initial.up.sql new file mode 100644 index 0000000..a454042 --- /dev/null +++ b/migrations/000001_initial.up.sql @@ -0,0 +1,102 @@ +-- Migration 000001: Initial schema +-- Tables: tenants, users, api_keys +-- Row Level Security enabled for logical multi-tenancy (physical isolation in V2) + +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; +CREATE EXTENSION IF NOT EXISTS "pgcrypto"; + +-- ============================================================ +-- TENANTS +-- ============================================================ +CREATE TABLE tenants ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + name TEXT NOT NULL, + slug TEXT NOT NULL UNIQUE, -- URL-safe identifier, e.g. "acme-corp" + plan TEXT NOT NULL DEFAULT 'starter' CHECK (plan IN ('starter', 'business', 'enterprise')), + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW() +); + +CREATE INDEX idx_tenants_slug ON tenants(slug); + +-- ============================================================ +-- USERS +-- ============================================================ +CREATE TABLE users ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE, + external_id TEXT NOT NULL, -- Keycloak subject (sub claim) + email TEXT NOT NULL, + role TEXT NOT NULL DEFAULT 'user' CHECK (role IN ('admin', 'manager', 'user', 'auditor')), + department TEXT, -- e.g. "finance", "legal", "engineering" + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + UNIQUE (tenant_id, external_id), + UNIQUE (tenant_id, email) +); + +CREATE INDEX idx_users_tenant_id ON users(tenant_id); +CREATE INDEX idx_users_external_id ON users(external_id); +CREATE INDEX idx_users_email ON users(tenant_id, email); + +-- ============================================================ +-- API KEYS +-- Keys are stored as SHA-256 hashes — never in plaintext. +-- The first 8 chars are kept as prefix for identification (e.g. "sk-vyl_ab12cd34..."). +-- ============================================================ +CREATE TABLE api_keys ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE, + name TEXT NOT NULL, -- Human-readable label, e.g. "Finance dept key" + key_hash TEXT NOT NULL UNIQUE, -- SHA-256(raw_key), hex-encoded + key_prefix TEXT NOT NULL, -- First 8 chars of raw key for display + provider TEXT NOT NULL CHECK (provider IN ('openai', 'anthropic', 'azure', 'mistral', 'ollama')), + scopes TEXT[] NOT NULL DEFAULT '{}', -- e.g. {'chat:completions', 'embeddings'} + is_active BOOLEAN NOT NULL DEFAULT TRUE, + expires_at TIMESTAMPTZ, -- NULL = no expiry + last_used_at TIMESTAMPTZ, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW() +); + +CREATE INDEX idx_api_keys_tenant_id ON api_keys(tenant_id); +CREATE INDEX idx_api_keys_key_hash ON api_keys(key_hash); + +-- ============================================================ +-- ROW LEVEL SECURITY +-- App connects as role 'veylant_app' and sets app.tenant_id per session. +-- Policies are added here for completeness; the role is created in env setup. +-- ============================================================ +ALTER TABLE tenants ENABLE ROW LEVEL SECURITY; +ALTER TABLE users ENABLE ROW LEVEL SECURITY; +ALTER TABLE api_keys ENABLE ROW LEVEL SECURITY; + +-- Superuser bypasses RLS — dev connections use superuser, prod connections use veylant_app role. +-- Policies below apply only to veylant_app role (added in env-specific setup scripts). + +-- ============================================================ +-- updated_at auto-update trigger +-- ============================================================ +CREATE OR REPLACE FUNCTION set_updated_at() +RETURNS TRIGGER AS $$ +BEGIN + NEW.updated_at = NOW(); + RETURN NEW; +END; +$$ LANGUAGE plpgsql; + +CREATE TRIGGER tenants_updated_at BEFORE UPDATE ON tenants FOR EACH ROW EXECUTE FUNCTION set_updated_at(); +CREATE TRIGGER users_updated_at BEFORE UPDATE ON users FOR EACH ROW EXECUTE FUNCTION set_updated_at(); +CREATE TRIGGER api_keys_updated_at BEFORE UPDATE ON api_keys FOR EACH ROW EXECUTE FUNCTION set_updated_at(); + +-- ============================================================ +-- Seed: default development tenant and admin user +-- (Development only — replaced by real onboarding in prod) +-- ============================================================ +INSERT INTO tenants (id, name, slug, plan) VALUES + ('00000000-0000-0000-0000-000000000001', 'Veylant Dev', 'veylant-dev', 'enterprise'); + +INSERT INTO users (tenant_id, external_id, email, role, department) VALUES + ('00000000-0000-0000-0000-000000000001', 'dev-admin', 'admin@veylant.dev', 'admin', 'engineering'); diff --git a/migrations/000002_routing.down.sql b/migrations/000002_routing.down.sql new file mode 100644 index 0000000..bddf829 --- /dev/null +++ b/migrations/000002_routing.down.sql @@ -0,0 +1,3 @@ +-- Migration 000002: Routing policies — rollback +DROP TABLE IF EXISTS routing_policies; +DROP FUNCTION IF EXISTS set_updated_at() CASCADE; diff --git a/migrations/000002_routing.up.sql b/migrations/000002_routing.up.sql new file mode 100644 index 0000000..6065dec --- /dev/null +++ b/migrations/000002_routing.up.sql @@ -0,0 +1,54 @@ +-- Migration 000002: Routing policies +-- Foundation for V2 DB-driven routing engine. +-- Allows per-tenant, per-model routing rules with role-based access control. + +-- ============================================================ +-- ROUTING POLICIES +-- ============================================================ +CREATE TABLE routing_policies ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE, + -- model_pattern supports exact match ("gpt-4o") or prefix match ("gpt-4o-mini"). + -- The application applies these in priority order; the first match wins. + model_pattern TEXT NOT NULL, + -- provider is the upstream adapter name: "openai", "anthropic", "azure", "mistral", "ollama". + provider TEXT NOT NULL CHECK (provider IN ('openai', 'anthropic', 'azure', 'mistral', 'ollama')), + -- allowed_roles is the list of Keycloak roles permitted to use this rule. + -- Empty array means all roles can use this routing rule. + allowed_roles TEXT[] NOT NULL DEFAULT '{}', + -- priority: lower number = higher priority (evaluated first). + priority INT NOT NULL DEFAULT 100, + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + + UNIQUE (tenant_id, model_pattern, provider) +); + +-- Index for fast per-tenant active policy lookups (ordered by priority). +CREATE INDEX idx_routing_policies_tenant_active + ON routing_policies (tenant_id, is_active, priority); + +-- ============================================================ +-- AUTO-UPDATE updated_at TRIGGER +-- ============================================================ +CREATE OR REPLACE FUNCTION set_updated_at() +RETURNS TRIGGER AS $$ +BEGIN + NEW.updated_at = NOW(); + RETURN NEW; +END; +$$ LANGUAGE plpgsql; + +CREATE TRIGGER routing_policies_updated_at + BEFORE UPDATE ON routing_policies + FOR EACH ROW EXECUTE FUNCTION set_updated_at(); + +-- ============================================================ +-- ROW LEVEL SECURITY +-- ============================================================ +ALTER TABLE routing_policies ENABLE ROW LEVEL SECURITY; + +-- Tenants can only read/write their own routing policies. +CREATE POLICY routing_policies_tenant_isolation ON routing_policies + USING (tenant_id = current_setting('app.current_tenant_id', TRUE)::UUID); diff --git a/migrations/000003_routing_rules.down.sql b/migrations/000003_routing_rules.down.sql new file mode 100644 index 0000000..edc1bc2 --- /dev/null +++ b/migrations/000003_routing_rules.down.sql @@ -0,0 +1,2 @@ +-- Migration 000003: Routing rules — rollback +DROP TABLE IF EXISTS routing_rules; diff --git a/migrations/000003_routing_rules.up.sql b/migrations/000003_routing_rules.up.sql new file mode 100644 index 0000000..55ff5aa --- /dev/null +++ b/migrations/000003_routing_rules.up.sql @@ -0,0 +1,45 @@ +-- Migration 000003: Routing rules — intelligent routing engine (Sprint 5) +-- Stores per-tenant routing rules with JSONB conditions and actions. +-- Evaluated in priority order (ASC); first fully matching rule wins. + +CREATE TABLE routing_rules ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE, + name TEXT NOT NULL, + description TEXT, + -- conditions: JSON array of condition objects, ALL must match (AND logic). + -- Each condition: {"field":"request.sensitivity","operator":"gte","value":"high"} + -- Supported fields: user.role, user.department, request.sensitivity, + -- request.model, request.use_case, request.token_estimate + -- Supported operators: eq, neq, in, nin, gte, lte, contains, matches + -- Empty array [] means the rule matches all requests (catch-all). + conditions JSONB NOT NULL DEFAULT '[]', + -- action: routing decision when rule matches. + -- {"provider":"ollama","model":"llama3","fallback_providers":["openai","anthropic"]} + action JSONB NOT NULL, + -- priority: lower value = higher priority. Evaluated in ASC order. + priority INT NOT NULL DEFAULT 100, + is_enabled BOOLEAN NOT NULL DEFAULT TRUE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW() +); + +-- Fast lookup: active rules for a tenant, sorted by priority. +CREATE INDEX idx_routing_rules_tenant_active + ON routing_rules (tenant_id, is_enabled, priority); + +-- Validate that the 'provider' field in action is one of the known providers. +ALTER TABLE routing_rules + ADD CONSTRAINT chk_routing_rules_provider + CHECK ((action->>'provider') IN ('openai', 'anthropic', 'azure', 'mistral', 'ollama')); + +-- Auto-update updated_at on row modification. +CREATE TRIGGER routing_rules_updated_at + BEFORE UPDATE ON routing_rules + FOR EACH ROW EXECUTE FUNCTION set_updated_at(); + +-- Row-Level Security: tenants can only access their own rules. +ALTER TABLE routing_rules ENABLE ROW LEVEL SECURITY; + +CREATE POLICY routing_rules_tenant_isolation ON routing_rules + USING (tenant_id = current_setting('app.current_tenant_id', TRUE)::UUID); diff --git a/migrations/000004_feature_flags.down.sql b/migrations/000004_feature_flags.down.sql new file mode 100644 index 0000000..5126241 --- /dev/null +++ b/migrations/000004_feature_flags.down.sql @@ -0,0 +1,2 @@ +-- Migration 000004: Feature flags — rollback +DROP TABLE IF EXISTS feature_flags; diff --git a/migrations/000004_feature_flags.up.sql b/migrations/000004_feature_flags.up.sql new file mode 100644 index 0000000..ccefffa --- /dev/null +++ b/migrations/000004_feature_flags.up.sql @@ -0,0 +1,28 @@ +-- Migration 000004: Feature flags (Sprint 5 — E3-09) +-- Per-tenant (or global) feature flags stored in PostgreSQL. +-- Toggle via admin API; read by the application with Redis-backed caching. + +CREATE TABLE feature_flags ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + -- tenant_id NULL means a global flag that applies to all tenants. + tenant_id UUID REFERENCES tenants(id) ON DELETE CASCADE, + name TEXT NOT NULL, + is_enabled BOOLEAN NOT NULL DEFAULT FALSE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + -- A flag name must be unique per tenant (or globally when tenant_id is NULL). + UNIQUE NULLS NOT DISTINCT (tenant_id, name) +); + +-- Auto-update updated_at on row modification. +CREATE TRIGGER feature_flags_updated_at + BEFORE UPDATE ON feature_flags + FOR EACH ROW EXECUTE FUNCTION set_updated_at(); + +-- ────────────────────────────────────────────── +-- Default global flags +-- ────────────────────────────────────────────── +-- ner_enabled: controls whether the NER layer runs in the PII pipeline. +-- Disabling it speeds up low-sensitivity requests at the cost of recall. +INSERT INTO feature_flags (tenant_id, name, is_enabled) +VALUES (NULL, 'ner_enabled', TRUE); diff --git a/migrations/000005_admin_audit_logs.down.sql b/migrations/000005_admin_audit_logs.down.sql new file mode 100644 index 0000000..f371521 --- /dev/null +++ b/migrations/000005_admin_audit_logs.down.sql @@ -0,0 +1 @@ +DROP TABLE IF EXISTS admin_audit_logs; diff --git a/migrations/000005_admin_audit_logs.up.sql b/migrations/000005_admin_audit_logs.up.sql new file mode 100644 index 0000000..a332014 --- /dev/null +++ b/migrations/000005_admin_audit_logs.up.sql @@ -0,0 +1,14 @@ +-- Sprint 6: Admin actions audit log (PostgreSQL — low volume, GDPR delete required). +CREATE TABLE admin_audit_logs ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id TEXT NOT NULL, + actor_user_id TEXT NOT NULL, + action TEXT NOT NULL, + resource_type TEXT NOT NULL, + resource_id TEXT, + before_state JSONB, + after_state JSONB, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW() +); + +CREATE INDEX idx_admin_audit_tenant ON admin_audit_logs(tenant_id, created_at DESC); diff --git a/migrations/000006_users.down.sql b/migrations/000006_users.down.sql new file mode 100644 index 0000000..a82b1f4 --- /dev/null +++ b/migrations/000006_users.down.sql @@ -0,0 +1,2 @@ +DROP INDEX IF EXISTS idx_users_tenant; +DROP TABLE IF EXISTS users; diff --git a/migrations/000006_users.up.sql b/migrations/000006_users.up.sql new file mode 100644 index 0000000..41f6854 --- /dev/null +++ b/migrations/000006_users.up.sql @@ -0,0 +1,20 @@ +-- Migration 000006: Users table for internal user management (E3-08). +-- Users in Keycloak are the authoritative source for authentication. +-- This table stores per-tenant user metadata (department, role, status) +-- managed via the admin API. Keycloak sub is used as external reference. + +CREATE TABLE IF NOT EXISTS users ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id TEXT NOT NULL, + email TEXT NOT NULL, + name TEXT NOT NULL, + department TEXT, + role TEXT NOT NULL DEFAULT 'user' + CHECK (role IN ('admin','manager','user','auditor')), + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + UNIQUE(tenant_id, email) +); + +CREATE INDEX IF NOT EXISTS idx_users_tenant ON users(tenant_id, is_active); diff --git a/migrations/000007_compliance.down.sql b/migrations/000007_compliance.down.sql new file mode 100644 index 0000000..ee2f5b4 --- /dev/null +++ b/migrations/000007_compliance.down.sql @@ -0,0 +1,4 @@ +DROP INDEX IF EXISTS idx_erasure_log_tenant; +DROP TABLE IF EXISTS gdpr_erasure_log; +DROP INDEX IF EXISTS idx_processing_registry_tenant; +DROP TABLE IF EXISTS processing_registry; diff --git a/migrations/000007_compliance.up.sql b/migrations/000007_compliance.up.sql new file mode 100644 index 0000000..4176a07 --- /dev/null +++ b/migrations/000007_compliance.up.sql @@ -0,0 +1,42 @@ +-- Sprint 9 — Module Conformité RGPD / AI Act +-- E9-01: Processing registry (registre des traitements Art. 30 RGPD) + +CREATE TABLE IF NOT EXISTS processing_registry ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id TEXT NOT NULL, + use_case_name TEXT NOT NULL, + legal_basis TEXT NOT NULL + CHECK (legal_basis IN ( + 'consent', 'contract', 'legal_obligation', + 'vital_interests', 'public_task', 'legitimate_interest' + )), + purpose TEXT NOT NULL, + data_categories JSONB NOT NULL DEFAULT '[]', + recipients JSONB NOT NULL DEFAULT '[]', + processors JSONB NOT NULL DEFAULT '[]', + retention_period TEXT NOT NULL, + security_measures TEXT, + controller_name TEXT, + risk_level TEXT CHECK (risk_level IN ('minimal', 'limited', 'high', 'forbidden')), + ai_act_answers JSONB, + is_active BOOLEAN NOT NULL DEFAULT TRUE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW() +); + +CREATE INDEX IF NOT EXISTS idx_processing_registry_tenant + ON processing_registry (tenant_id, is_active); + +-- E9-06: GDPR Art. 17 erasure audit log (immutable) +CREATE TABLE IF NOT EXISTS gdpr_erasure_log ( + id UUID PRIMARY KEY DEFAULT uuid_generate_v4(), + tenant_id TEXT NOT NULL, + target_user TEXT NOT NULL, + requested_by TEXT NOT NULL, + reason TEXT, + records_deleted INT NOT NULL DEFAULT 0, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW() +); + +CREATE INDEX IF NOT EXISTS idx_erasure_log_tenant + ON gdpr_erasure_log (tenant_id, target_user); diff --git a/migrations/000008_rate_limits.down.sql b/migrations/000008_rate_limits.down.sql new file mode 100644 index 0000000..05d7439 --- /dev/null +++ b/migrations/000008_rate_limits.down.sql @@ -0,0 +1 @@ +DROP TABLE IF EXISTS rate_limit_configs; diff --git a/migrations/000008_rate_limits.up.sql b/migrations/000008_rate_limits.up.sql new file mode 100644 index 0000000..13e9072 --- /dev/null +++ b/migrations/000008_rate_limits.up.sql @@ -0,0 +1,12 @@ +-- Rate limiting configuration per tenant. +-- Rows are optional — absent tenant_id falls back to application defaults. +CREATE TABLE IF NOT EXISTS rate_limit_configs ( + tenant_id TEXT PRIMARY KEY, + requests_per_min INT NOT NULL DEFAULT 1000, -- tenant-wide RPM + burst_size INT NOT NULL DEFAULT 200, -- burst capacity + user_rpm INT NOT NULL DEFAULT 100, -- per-user RPM within tenant + user_burst INT NOT NULL DEFAULT 20, -- per-user burst + is_enabled BOOLEAN NOT NULL DEFAULT TRUE, + created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), + updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW() +); diff --git a/migrations/000009_flags_defaults.down.sql b/migrations/000009_flags_defaults.down.sql new file mode 100644 index 0000000..aca12e2 --- /dev/null +++ b/migrations/000009_flags_defaults.down.sql @@ -0,0 +1,4 @@ +-- Migration 000009 rollback: remove the global module-level feature flag defaults. +DELETE FROM feature_flags +WHERE tenant_id IS NULL + AND name IN ('pii_enabled', 'routing_enabled', 'billing_enabled'); diff --git a/migrations/000009_flags_defaults.up.sql b/migrations/000009_flags_defaults.up.sql new file mode 100644 index 0000000..7e678b9 --- /dev/null +++ b/migrations/000009_flags_defaults.up.sql @@ -0,0 +1,14 @@ +-- Migration 000009: Default feature flags for Sprint 11 module toggles (E11-07). +-- Adds global defaults for the three module-level feature flags. +-- Tenant admins can override these per-tenant via PUT /v1/admin/flags/{name}. +-- +-- pii_enabled: controls whether PII anonymization runs on requests. +-- routing_enabled: controls whether the dynamic routing engine is used. +-- billing_enabled: controls whether cost tracking is recorded in audit logs. + +INSERT INTO feature_flags (tenant_id, name, is_enabled) +VALUES + (NULL, 'pii_enabled', TRUE), + (NULL, 'routing_enabled', TRUE), + (NULL, 'billing_enabled', TRUE) +ON CONFLICT (tenant_id, name) DO NOTHING; diff --git a/migrations/clickhouse/000001_audit_logs.sql b/migrations/clickhouse/000001_audit_logs.sql new file mode 100644 index 0000000..359467e --- /dev/null +++ b/migrations/clickhouse/000001_audit_logs.sql @@ -0,0 +1,30 @@ +-- Sprint 6: Immutable audit log table in ClickHouse. +-- Applied idempotently at startup via applyClickHouseDDL(). +CREATE TABLE IF NOT EXISTS audit_logs ( + request_id String, + tenant_id LowCardinality(String), + user_id String, + timestamp DateTime64(3, 'UTC'), + model_requested LowCardinality(String), + model_used LowCardinality(String), + provider LowCardinality(String), + department LowCardinality(String), + user_role LowCardinality(String), + prompt_hash FixedString(64), + response_hash FixedString(64), + prompt_anonymized String, + sensitivity_level LowCardinality(String), + token_input UInt32, + token_output UInt32, + token_total UInt32, + cost_usd Float64, + latency_ms UInt32, + status LowCardinality(String), + error_type LowCardinality(String), + pii_entity_count UInt16, + stream Bool +) ENGINE = MergeTree() +PARTITION BY toYYYYMM(timestamp) +ORDER BY (tenant_id, timestamp) +TTL timestamp + INTERVAL 90 DAY +SETTINGS index_granularity = 8192; diff --git a/proto/pii/v1/pii.proto b/proto/pii/v1/pii.proto new file mode 100644 index 0000000..7ee067f --- /dev/null +++ b/proto/pii/v1/pii.proto @@ -0,0 +1,104 @@ +syntax = "proto3"; + +package pii.v1; + +option go_package = "github.com/veylant/ia-gateway/gen/pii/v1;piiv1"; + +// PiiService detects and pseudonymizes personally identifiable information +// in user prompts before they are forwarded to LLM providers. +// +// Latency contract: p99 < 50ms for prompts up to 500 tokens. +service PiiService { + // Detect scans text for PII entities and returns an anonymized version. + // Detected entities are pseudonymized with [PII:TYPE:UUID] tokens and + // stored in Redis (AES-256-GCM encrypted) for later de-pseudonymization. + rpc Detect(PiiRequest) returns (PiiResponse); + + // Health returns the service readiness status. + rpc Health(HealthRequest) returns (HealthResponse); +} + +// PiiRequest is sent by the Go proxy before forwarding a prompt to an LLM. +message PiiRequest { + // Raw text of the user prompt. + string text = 1; + + // Tenant identifier — used for scoped pseudonymization mappings in Redis. + string tenant_id = 2; + + // Unique request ID (UUID v7) for tracing and log correlation. + string request_id = 3; + + // Detection options for this request. + PiiOptions options = 4; +} + +// PiiOptions controls the detection pipeline behaviour per request. +message PiiOptions { + // enable_ner activates Layer 2 (Presidio + spaCy NER) in addition to regex. + // Set to false for low-sensitivity requests to stay within the 50ms budget. + bool enable_ner = 1; + + // confidence_threshold filters out entities below this confidence score. + // Presidio default is 0.85 — lower to catch more (at the cost of false positives). + float confidence_threshold = 2; + + // zero_retention: if true, the Python PII service skips persisting the + // pseudonymization mapping to Redis. Mappings are held in-memory only for + // the duration of this request. Activated per-tenant via the "zero_retention" + // feature flag (E4-12). + bool zero_retention = 3; +} + +// PiiResponse is returned by the PII service to the Go proxy. +message PiiResponse { + // Anonymized version of the input text. + // PII values are replaced by tokens of the form [PII:EMAIL:3a7f2b1c-...]. + string anonymized_text = 1; + + // List of all detected PII entities with their pseudonyms. + repeated PiiEntity entities = 2; + + // Total time spent in the PII pipeline, in milliseconds. + int64 processing_time_ms = 3; +} + +// PiiEntity represents a single detected PII value and its pseudonym. +message PiiEntity { + // Entity type as detected by the pipeline. + // Known values: EMAIL, PHONE_NUMBER, IBAN_CODE, FR_SSN, CREDIT_CARD, + // PERSON, LOCATION, ORGANIZATION. + string entity_type = 1; + + // The original PII value found in the text (never logged in production). + string original_value = 2; + + // The pseudonymization token that replaced this entity in anonymized_text. + // Format: [PII::] + string pseudonym = 3; + + // Character offsets in the original text. + int32 start = 4; + int32 end = 5; + + // Detection confidence (0.0–1.0). 1.0 for regex matches, model-scored for NER. + float confidence = 6; + + // Detection layer that found this entity: "regex", "ner". + string detection_layer = 7; +} + +// HealthRequest is empty — used for service readiness probes. +message HealthRequest {} + +// HealthResponse reports service status and loaded model information. +message HealthResponse { + // "ok" when the service is ready to handle requests. + string status = 1; + + // Whether spaCy NER model is loaded and ready (warm). + bool ner_model_loaded = 2; + + // Name of the loaded spaCy model, e.g. "fr_core_news_lg". + string spacy_model = 3; +} diff --git a/proxy b/proxy new file mode 100755 index 0000000..ab68fb1 Binary files /dev/null and b/proxy differ diff --git a/services/pii/.coverage b/services/pii/.coverage new file mode 100644 index 0000000..f3b70f3 Binary files /dev/null and b/services/pii/.coverage differ diff --git a/services/pii/Dockerfile b/services/pii/Dockerfile new file mode 100644 index 0000000..6f30375 --- /dev/null +++ b/services/pii/Dockerfile @@ -0,0 +1,26 @@ +FROM python:3.12-slim + +WORKDIR /app + +# Install system dependencies for spaCy compilation +RUN apt-get update && apt-get install -y --no-install-recommends \ + gcc \ + g++ \ + && rm -rf /var/lib/apt/lists/* + +# Install Python dependencies +COPY requirements.txt . +RUN pip install --no-cache-dir -r requirements.txt + +# Download spaCy models at build time to avoid cold-start latency in production. +# fr_core_news_lg (~600MB) is the primary French NER model. +# en_core_web_sm is the English fallback. +RUN python -m spacy download fr_core_news_lg +RUN python -m spacy download en_core_web_sm + +# Copy source (after pip install to leverage Docker layer cache) +COPY . . + +EXPOSE 8000 50051 + +CMD ["python", "main.py"] diff --git a/services/pii/config.py b/services/pii/config.py new file mode 100644 index 0000000..0360fdc --- /dev/null +++ b/services/pii/config.py @@ -0,0 +1,32 @@ +"""Configuration for the PII detection service. + +All settings are read from environment variables with safe defaults for local dev. +""" + +import base64 +import os + +# Redis connection +REDIS_URL: str = os.getenv("PII_REDIS_URL", "redis://localhost:6379") + +# AES-256-GCM key — must be 32 bytes, base64-encoded. +# Default is a fixed dev key; MUST be overridden in production. +_DEFAULT_DEV_KEY = base64.b64encode(b"veylant-dev-key-32bytes-padding-").decode() +ENCRYPTION_KEY_B64: str = os.getenv("PII_ENCRYPTION_KEY", _DEFAULT_DEV_KEY) + +# TTL for pseudonymization mappings in Redis (seconds) +DEFAULT_TTL: int = int(os.getenv("PII_TTL_SECONDS", "3600")) + +# Layer 2 NER control +NER_ENABLED: bool = os.getenv("PII_NER_ENABLED", "true").lower() == "true" +NER_CONFIDENCE: float = float(os.getenv("PII_NER_CONFIDENCE", "0.85")) + +# spaCy model names +SPACY_FR_MODEL: str = os.getenv("PII_SPACY_FR_MODEL", "fr_core_news_lg") +SPACY_EN_MODEL: str = os.getenv("PII_SPACY_EN_MODEL", "en_core_web_sm") + +# gRPC server port +GRPC_PORT: int = int(os.getenv("PII_GRPC_PORT", "50051")) + +# FastAPI / health port +HTTP_PORT: int = int(os.getenv("PII_HTTP_PORT", "8000")) diff --git a/services/pii/layers/__init__.py b/services/pii/layers/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/services/pii/layers/ner_layer.py b/services/pii/layers/ner_layer.py new file mode 100644 index 0000000..1925b12 --- /dev/null +++ b/services/pii/layers/ner_layer.py @@ -0,0 +1,109 @@ +"""Layer 2 — NER-based PII detection using Presidio + spaCy. + +Detects PERSON, LOCATION, ORGANIZATION entities. +The spaCy model is loaded lazily on first access and cached. +""" + +from __future__ import annotations + +import logging +from typing import TYPE_CHECKING + +from layers.regex_layer import DetectedEntity + +if TYPE_CHECKING: + from presidio_analyzer import AnalyzerEngine + +logger = logging.getLogger(__name__) + +# Presidio entity type → internal type mapping +_ENTITY_TYPE_MAP = { + "PERSON": "PERSON", + "LOCATION": "LOCATION", + "ORGANIZATION": "ORGANIZATION", +} + +# Presidio entities to request +_PRESIDIO_ENTITIES = list(_ENTITY_TYPE_MAP.keys()) + + +class NERLayer: + """Detect named entities using Presidio backed by spaCy fr_core_news_lg.""" + + def __init__(self, fr_model: str = "fr_core_news_lg", en_model: str = "en_core_web_sm") -> None: + self._fr_model = fr_model + self._en_model = en_model + self._analyzer: "AnalyzerEngine | None" = None + + @property + def analyzer(self) -> "AnalyzerEngine": + if self._analyzer is None: + self._analyzer = self._build_analyzer() + return self._analyzer + + @property + def is_loaded(self) -> bool: + return self._analyzer is not None + + def warm_up(self) -> None: + """Force model loading — call at service startup to avoid cold-start latency.""" + _ = self.analyzer + logger.info("NER model loaded: %s", self._fr_model) + + def detect(self, text: str, confidence_threshold: float = 0.85) -> list[DetectedEntity]: + """Return NER entities found in *text* above *confidence_threshold*.""" + try: + results = self.analyzer.analyze( + text=text, + entities=_PRESIDIO_ENTITIES, + language="fr", + score_threshold=confidence_threshold, + ) + except Exception: + # Fall back to English if French analysis fails + try: + results = self.analyzer.analyze( + text=text, + entities=_PRESIDIO_ENTITIES, + language="en", + score_threshold=confidence_threshold, + ) + except Exception: + logger.exception("NER analysis failed") + return [] + + entities = [] + for r in results: + internal_type = _ENTITY_TYPE_MAP.get(r.entity_type) + if internal_type is None: + continue + entities.append( + DetectedEntity( + entity_type=internal_type, + original_value=text[r.start : r.end], + start=r.start, + end=r.end, + confidence=r.score, + detection_layer="ner", + ) + ) + return entities + + # ----------------------------------------------------------------------- + # Internal + # ----------------------------------------------------------------------- + + def _build_analyzer(self) -> "AnalyzerEngine": + from presidio_analyzer import AnalyzerEngine + from presidio_analyzer.nlp_engine import NlpEngineProvider + + configuration = { + "nlp_engine_name": "spacy", + "models": [ + {"lang_code": "fr", "model_name": self._fr_model}, + {"lang_code": "en", "model_name": self._en_model}, + ], + } + provider = NlpEngineProvider(nlp_configuration=configuration) + nlp_engine = provider.create_engine() + return AnalyzerEngine(nlp_engine=nlp_engine, supported_languages=["fr", "en"]) diff --git a/services/pii/layers/regex_layer.py b/services/pii/layers/regex_layer.py new file mode 100644 index 0000000..4fd6959 --- /dev/null +++ b/services/pii/layers/regex_layer.py @@ -0,0 +1,198 @@ +"""Layer 1 — Regex-based PII detection. + +Sub-millisecond detection for structured PII: IBAN, email, phone, SSN, credit cards. +All patterns are pre-compiled at import time. +""" + +from __future__ import annotations + +import re +from dataclasses import dataclass, field + + +@dataclass +class DetectedEntity: + entity_type: str + original_value: str + start: int + end: int + confidence: float = 1.0 + detection_layer: str = "regex" + + +# --------------------------------------------------------------------------- +# Luhn algorithm (credit card validation) +# --------------------------------------------------------------------------- + + +def _luhn_valid(number: str) -> bool: + """Return True if *number* (digits only) passes the Luhn check.""" + digits = [int(d) for d in number] + odd_sum = sum(digits[-1::-2]) + even_sum = sum(sum(divmod(d * 2, 10)) for d in digits[-2::-2]) + return (odd_sum + even_sum) % 10 == 0 + + +# --------------------------------------------------------------------------- +# IBAN MOD-97 checksum validation (ISO 13616) +# --------------------------------------------------------------------------- + +_IBAN_LETTER_MAP = {c: str(ord(c) - ord("A") + 10) for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"} + + +def _iban_valid(raw: str) -> bool: + """Return True if *raw* (spaces allowed) is a valid IBAN checksum.""" + iban = raw.replace(" ", "").upper() + if len(iban) < 5: + return False + rearranged = iban[4:] + iban[:4] + numeric = "".join(_IBAN_LETTER_MAP.get(c, c) for c in rearranged) + try: + return int(numeric) % 97 == 1 + except ValueError: + return False + + +# --------------------------------------------------------------------------- +# Pre-compiled patterns +# --------------------------------------------------------------------------- + +# IBAN: 2-letter country code, 2 check digits, up to 30 alphanumeric chars (grouped by 4) +_RE_IBAN = re.compile( + r"\b([A-Z]{2}\d{2}(?:\s?[0-9A-Z]{4}){2,7}\s?[0-9A-Z]{1,4})\b" +) + +# Email (RFC 5321 simplified) +_RE_EMAIL = re.compile( + r"\b[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}\b" +) + +# French mobile: 06/07, with optional +33 or 0033 prefix, various separators +_RE_PHONE_FR = re.compile( + r"(?:(?:\+|00)33\s?|0)[67](?:[\s.\-]?\d{2}){4}" +) + +# International phone: + followed by 1-3 digit country code + 6-12 digits +_RE_PHONE_INTL = re.compile( + r"(? list[DetectedEntity]: + """Return all PII entities found in *text*, in document order.""" + entities: list[DetectedEntity] = [] + + entities.extend(self._find_ibans(text)) + entities.extend(self._find_emails(text)) + entities.extend(self._find_phones(text)) + entities.extend(self._find_ssns(text)) + entities.extend(self._find_credit_cards(text)) + + return sorted(entities, key=lambda e: e.start) + + # ----------------------------------------------------------------------- + # Private detection helpers + # ----------------------------------------------------------------------- + + def _find_ibans(self, text: str) -> list[DetectedEntity]: + results = [] + for m in _RE_IBAN.finditer(text): + value = m.group(1) + if _iban_valid(value): + results.append( + DetectedEntity( + entity_type="IBAN", + original_value=value, + start=m.start(1), + end=m.end(1), + ) + ) + return results + + def _find_emails(self, text: str) -> list[DetectedEntity]: + return [ + DetectedEntity( + entity_type="EMAIL", + original_value=m.group(), + start=m.start(), + end=m.end(), + ) + for m in _RE_EMAIL.finditer(text) + ] + + def _find_phones(self, text: str) -> list[DetectedEntity]: + results = [] + seen: set[tuple[int, int]] = set() + + for m in _RE_PHONE_FR.finditer(text): + span = (m.start(), m.end()) + if span not in seen: + seen.add(span) + results.append( + DetectedEntity( + entity_type="PHONE_FR", + original_value=m.group(), + start=m.start(), + end=m.end(), + ) + ) + + for m in _RE_PHONE_INTL.finditer(text): + span = (m.start(), m.end()) + if span not in seen: + seen.add(span) + results.append( + DetectedEntity( + entity_type="PHONE_INTL", + original_value=m.group(), + start=m.start(), + end=m.end(), + ) + ) + + return results + + def _find_ssns(self, text: str) -> list[DetectedEntity]: + return [ + DetectedEntity( + entity_type="FR_SSN", + original_value=m.group(1), + start=m.start(1), + end=m.end(1), + ) + for m in _RE_FR_SSN.finditer(text) + ] + + def _find_credit_cards(self, text: str) -> list[DetectedEntity]: + results = [] + for m in _RE_CREDIT_CARD.finditer(text): + digits_only = re.sub(r"[\s\-]", "", m.group(1)) + if _luhn_valid(digits_only): + results.append( + DetectedEntity( + entity_type="CREDIT_CARD", + original_value=m.group(1), + start=m.start(1), + end=m.end(1), + ) + ) + return results diff --git a/services/pii/main.py b/services/pii/main.py new file mode 100644 index 0000000..46d1a0f --- /dev/null +++ b/services/pii/main.py @@ -0,0 +1,241 @@ +"""Veylant IA — PII Detection Service (Sprint 3) + +Implements the full 3-layer PII pipeline: + Layer 1: Regex (IBAN, email, phone, SSN, credit cards) + Layer 2: Presidio + spaCy NER (PERSON, LOCATION, ORGANIZATION) + Pseudonymization: [PII:TYPE:UUID] tokens stored in Redis (AES-256-GCM) +""" + +from __future__ import annotations + +import asyncio +import logging +import time +from concurrent import futures +from contextlib import asynccontextmanager + +import grpc +import redis as redis_module +from fastapi import FastAPI + +import config as cfg +from gen.pii.v1 import pii_pb2, pii_pb2_grpc +from pipeline import Pipeline +from pseudonymize import AESEncryptor, PseudonymMapper + +logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s") +logger = logging.getLogger(__name__) + +# --------------------------------------------------------------------------- +# Shared singletons (initialized at startup) +# --------------------------------------------------------------------------- + +_pipeline: Pipeline | None = None +_pseudo_mapper: PseudonymMapper | None = None + + +def _get_pipeline() -> Pipeline: + assert _pipeline is not None, "Pipeline not initialized" + return _pipeline + + +def _get_mapper() -> PseudonymMapper: + assert _pseudo_mapper is not None, "PseudonymMapper not initialized" + return _pseudo_mapper + + +# --------------------------------------------------------------------------- +# FastAPI lifespan — warm up NER model before accepting traffic +# --------------------------------------------------------------------------- + + +@asynccontextmanager +async def lifespan(application: FastAPI): + global _pipeline, _pseudo_mapper + + _pipeline = Pipeline() + encryptor = AESEncryptor(cfg.ENCRYPTION_KEY_B64) + redis_client = redis_module.from_url(cfg.REDIS_URL, decode_responses=False) + _pseudo_mapper = PseudonymMapper(redis_client, encryptor, cfg.DEFAULT_TTL) + + logger.info("Warming up NER model (this may take a few seconds)…") + try: + await asyncio.get_event_loop().run_in_executor(None, _pipeline.warm_up) + logger.info("NER model ready") + except Exception: + logger.exception("NER warm-up failed — service will use regex only") + + yield + + logger.info("PII service shutting down") + + +# --------------------------------------------------------------------------- +# FastAPI HTTP app +# --------------------------------------------------------------------------- + +app = FastAPI(title="Veylant PII Service", version="0.3.0", lifespan=lifespan) + + +@app.get("/healthz") +async def healthz() -> dict: + pipeline = _get_pipeline() + return { + "status": "ok", + "ner_model_loaded": pipeline.ner_layer.is_loaded, + "spacy_model": cfg.SPACY_FR_MODEL, + "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), + } + + +# --------------------------------------------------------------------------- +# gRPC servicer +# --------------------------------------------------------------------------- + + +class PiiServiceServicer(pii_pb2_grpc.PiiServiceServicer): + """Full gRPC implementation of PiiService.""" + + def Detect(self, request, context): # noqa: N802 + start_ns = time.monotonic_ns() + + pipeline = _get_pipeline() + mapper = _get_mapper() + + enable_ner = request.options.enable_ner if request.options else True + confidence = ( + request.options.confidence_threshold + if request.options and request.options.confidence_threshold > 0 + else cfg.NER_CONFIDENCE + ) + + try: + entities = pipeline.detect( + request.text, + enable_ner=enable_ner, + confidence_threshold=confidence, + ) + anonymized_text, _mapping = mapper.anonymize( + request.text, + entities, + tenant_id=request.tenant_id or "default", + request_id=request.request_id or "unknown", + ) + except Exception as exc: + logger.exception("PII detection failed") + context.abort(grpc.StatusCode.INTERNAL, str(exc)) + return None + + elapsed_ms = (time.monotonic_ns() - start_ns) // 1_000_000 + + proto_entities = [ + pii_pb2.PiiEntity( + entity_type=e.entity_type, + original_value=e.original_value, + pseudonym=_mapping.get( + next( + (k for k, v in _mapping.items() if v == e.original_value), + "", + ), + "", + ), + start=e.start, + end=e.end, + confidence=e.confidence, + detection_layer=e.detection_layer, + ) + for e in entities + ] + + # Rebuild proto_entities with correct pseudonym assignment + proto_entities = _build_proto_entities(entities, _mapping) + + return pii_pb2.PiiResponse( + anonymized_text=anonymized_text, + entities=proto_entities, + processing_time_ms=elapsed_ms, + ) + + def Health(self, request, context): # noqa: N802 + pipeline = _get_pipeline() + return pii_pb2.HealthResponse( + status="ok", + ner_model_loaded=pipeline.ner_layer.is_loaded, + spacy_model=cfg.SPACY_FR_MODEL if pipeline.ner_layer.is_loaded else "", + ) + + +def _build_proto_entities(entities, mapping: dict[str, str]) -> list[pii_pb2.PiiEntity]: + """Build proto PiiEntity list with correct pseudonym tokens.""" + # Reverse mapping: original_value → token (multiple entities may share the same + # original value — we emit a separate token per occurrence) + original_to_tokens: dict[str, list[str]] = {} + for token, original in mapping.items(): + original_to_tokens.setdefault(original, []).append(token) + + # Track which token index to use for each original_value (in entity order) + usage_count: dict[str, int] = {} + result = [] + for e in entities: + tokens_for_value = original_to_tokens.get(e.original_value, []) + idx = usage_count.get(e.original_value, 0) + pseudonym = tokens_for_value[idx] if idx < len(tokens_for_value) else "" + usage_count[e.original_value] = idx + 1 + result.append( + pii_pb2.PiiEntity( + entity_type=e.entity_type, + original_value=e.original_value, + pseudonym=pseudonym, + start=e.start, + end=e.end, + confidence=e.confidence, + detection_layer=e.detection_layer, + ) + ) + return result + + +# --------------------------------------------------------------------------- +# gRPC async server +# --------------------------------------------------------------------------- + + +async def serve_grpc() -> None: + server = grpc.aio.server( + futures.ThreadPoolExecutor(max_workers=10), + options=[ + ("grpc.max_send_message_length", 10 * 1024 * 1024), + ("grpc.max_receive_message_length", 10 * 1024 * 1024), + ], + ) + pii_pb2_grpc.add_PiiServiceServicer_to_server(PiiServiceServicer(), server) + + listen_addr = f"[::]:{cfg.GRPC_PORT}" + server.add_insecure_port(listen_addr) + await server.start() + logger.info("gRPC server listening on %s", listen_addr) + await server.wait_for_termination() + + +# --------------------------------------------------------------------------- +# Entry point +# --------------------------------------------------------------------------- + +if __name__ == "__main__": + import uvicorn + + async def main() -> None: + grpc_task = asyncio.create_task(serve_grpc()) + + uvicorn_cfg = uvicorn.Config( + app, host="0.0.0.0", port=cfg.HTTP_PORT, log_level="info" + ) + uvicorn_server = uvicorn.Server(uvicorn_cfg) + http_task = asyncio.create_task(uvicorn_server.serve()) + + logger.info( + "PII service starting (HTTP :%d, gRPC :%d)", cfg.HTTP_PORT, cfg.GRPC_PORT + ) + await asyncio.gather(grpc_task, http_task) + + asyncio.run(main()) diff --git a/services/pii/pipeline.py b/services/pii/pipeline.py new file mode 100644 index 0000000..fadf0da --- /dev/null +++ b/services/pii/pipeline.py @@ -0,0 +1,90 @@ +"""PII detection pipeline — orchestrates regex and NER layers. + +Detection order: regex (always) → NER (if enabled). +Overlapping entities are deduplicated: longest span wins; +on equal length, regex takes precedence over NER. +""" + +from __future__ import annotations + +import logging + +import config +from layers.ner_layer import NERLayer +from layers.regex_layer import DetectedEntity, RegexLayer + +logger = logging.getLogger(__name__) + + +def _spans_overlap(a: DetectedEntity, b: DetectedEntity) -> bool: + """Return True if entities *a* and *b* have overlapping character spans.""" + return a.start < b.end and b.start < a.end + + +def _deduplicate(entities: list[DetectedEntity]) -> list[DetectedEntity]: + """Remove overlapping entities, keeping the best one per overlap group. + + Priority: longer span > shorter span; on tie, regex > ner. + """ + # Sort by start position, then by descending span length + sorted_entities = sorted(entities, key=lambda e: (e.start, -(e.end - e.start))) + result: list[DetectedEntity] = [] + + for candidate in sorted_entities: + dominated = False + for kept in result: + if _spans_overlap(candidate, kept): + # Kept entity dominates if it is longer or same length with better layer + kept_len = kept.end - kept.start + cand_len = candidate.end - candidate.start + if kept_len > cand_len: + dominated = True + break + if kept_len == cand_len and kept.detection_layer == "regex": + dominated = True + break + # Candidate is better — replace kept + result.remove(kept) + break + if not dominated: + result.append(candidate) + + return sorted(result, key=lambda e: e.start) + + +class Pipeline: + """Orchestrates PII detection across all configured layers.""" + + def __init__(self) -> None: + self._regex = RegexLayer() + self._ner = NERLayer( + fr_model=config.SPACY_FR_MODEL, + en_model=config.SPACY_EN_MODEL, + ) + + def detect( + self, + text: str, + enable_ner: bool = True, + confidence_threshold: float = 0.85, + ) -> list[DetectedEntity]: + """Return deduplicated PII entities found in *text*.""" + entities = self._regex.detect(text) + + if enable_ner and config.NER_ENABLED: + try: + ner_entities = self._ner.detect(text, confidence_threshold) + entities = _deduplicate(entities + ner_entities) + except Exception: + logger.exception("NER layer failed — using regex results only") + + return entities + + def warm_up(self) -> None: + """Pre-load the NER model to avoid cold-start on first request.""" + if config.NER_ENABLED: + self._ner.warm_up() + + @property + def ner_layer(self) -> NERLayer: + return self._ner diff --git a/services/pii/pseudonymize.py b/services/pii/pseudonymize.py new file mode 100644 index 0000000..c9019e0 --- /dev/null +++ b/services/pii/pseudonymize.py @@ -0,0 +1,123 @@ +"""Pseudonymization and de-pseudonymization of PII entities. + +Tokens: [PII::<8-hex-chars>] +Mappings stored in Redis encrypted with AES-256-GCM. +""" + +from __future__ import annotations + +import base64 +import os +import re +import uuid +from typing import Optional + +from cryptography.hazmat.primitives.ciphers.aead import AESGCM + +from layers.regex_layer import DetectedEntity + +# --------------------------------------------------------------------------- +# AES-256-GCM encryptor +# --------------------------------------------------------------------------- + +_TOKEN_RE = re.compile(r"\[PII:[A-Z_]+:[0-9a-f]{8}\]") + + +class AESEncryptor: + """AES-256-GCM encrypt/decrypt using a 32-byte key.""" + + _NONCE_SIZE = 12 # bytes + + def __init__(self, key_b64: str) -> None: + key = base64.b64decode(key_b64) + if len(key) != 32: + raise ValueError(f"Encryption key must be 32 bytes, got {len(key)}") + self._aesgcm = AESGCM(key) + + def encrypt(self, plaintext: str) -> bytes: + """Return nonce (12 bytes) + ciphertext.""" + nonce = os.urandom(self._NONCE_SIZE) + ciphertext = self._aesgcm.encrypt(nonce, plaintext.encode(), None) + return nonce + ciphertext + + def decrypt(self, data: bytes) -> str: + """Decrypt nonce-prefixed ciphertext and return plaintext string.""" + nonce, ciphertext = data[: self._NONCE_SIZE], data[self._NONCE_SIZE :] + return self._aesgcm.decrypt(nonce, ciphertext, None).decode() + + +# --------------------------------------------------------------------------- +# PseudonymMapper +# --------------------------------------------------------------------------- + + +class PseudonymMapper: + """Map PII entities to pseudonym tokens, persisted in Redis.""" + + def __init__(self, redis_client, encryptor: AESEncryptor, ttl_seconds: int = 3600) -> None: + self._redis = redis_client + self._encryptor = encryptor + self._ttl = ttl_seconds + + # ------------------------------------------------------------------ + # Public API + # ------------------------------------------------------------------ + + def anonymize( + self, + text: str, + entities: list[DetectedEntity], + tenant_id: str, + request_id: str, + ) -> tuple[str, dict[str, str]]: + """Replace PII entities in *text* with pseudonym tokens. + + Returns: + (anonymized_text, mapping) where mapping is {token → original_value}. + """ + mapping: dict[str, str] = {} + + # Process entities from end to start to preserve offsets + sorted_entities = sorted(entities, key=lambda e: e.start, reverse=True) + + result = text + for entity in sorted_entities: + short_id = uuid.uuid4().hex[:8] + token = f"[PII:{entity.entity_type}:{short_id}]" + mapping[token] = entity.original_value + + # Replace in text (slice is safe because we process right-to-left) + result = result[: entity.start] + token + result[entity.end :] + + # Store encrypted mapping in Redis + redis_key = f"pii:{tenant_id}:{request_id}:{short_id}" + encrypted = self._encryptor.encrypt(entity.original_value) + self._redis.set(redis_key, encrypted, ex=self._ttl) + + return result, mapping + + def depseudonymize(self, text: str, mapping: dict[str, str]) -> str: + """Replace pseudonym tokens in *text* with their original values.""" + + def replace(m: re.Match) -> str: + token = m.group(0) + return mapping.get(token, token) + + return _TOKEN_RE.sub(replace, text) + + def load_mapping_from_redis( + self, tenant_id: str, request_id: str + ) -> dict[str, str]: + """Reconstruct the token → original mapping from Redis for a given request.""" + pattern = f"pii:{tenant_id}:{request_id}:*" + mapping: dict[str, str] = {} + for key in self._redis.scan_iter(pattern): + encrypted = self._redis.get(key) + if encrypted is None: + continue + short_id = key.decode().split(":")[-1] if isinstance(key, bytes) else key.split(":")[-1] + original = self._encryptor.decrypt(encrypted) + # We don't know the entity_type from the key alone — token must be in text + # This method is for reference; in practice the mapping is passed in-memory + mapping[short_id] = original + return mapping diff --git a/services/pii/requirements.txt b/services/pii/requirements.txt new file mode 100644 index 0000000..91d875b --- /dev/null +++ b/services/pii/requirements.txt @@ -0,0 +1,31 @@ +# Web framework +fastapi==0.115.6 +uvicorn[standard]==0.32.1 + +# gRPC +grpcio==1.68.1 +grpcio-tools==1.68.1 +grpcio-health-checking==1.68.1 + +# PII detection (Sprint 3) +presidio-analyzer==2.2.356 +presidio-anonymizer==2.2.356 +spacy==3.8.3 + +# Redis (for pseudonymization mappings) +redis==5.2.1 + +# Testing +pytest==8.3.4 +pytest-asyncio==0.24.0 +httpx==0.28.1 # async test client for FastAPI + +# Cryptography (AES-256-GCM for Redis pseudonymization mappings) +cryptography>=42.0.0 + +# Coverage +pytest-cov==6.0.0 + +# Code quality +black==24.10.0 +ruff==0.8.4 diff --git a/services/pii/tests/__init__.py b/services/pii/tests/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/services/pii/tests/conftest.py b/services/pii/tests/conftest.py new file mode 100644 index 0000000..b085231 --- /dev/null +++ b/services/pii/tests/conftest.py @@ -0,0 +1,60 @@ +"""Shared pytest fixtures for the PII service tests.""" + +from __future__ import annotations + +import sys +import os + +# Make the service root importable from tests/ +sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..")) + +from unittest.mock import MagicMock, patch + +import pytest + +from layers.regex_layer import RegexLayer +from pipeline import Pipeline +from pseudonymize import AESEncryptor, PseudonymMapper + +# --------------------------------------------------------------------------- +# Cryptography fixtures +# --------------------------------------------------------------------------- + +TEST_KEY_B64 = "dmV5bGFudC1kZXYta2V5LTMyYnl0ZXMtcGFkZGluZy0=" # 32 bytes + + +@pytest.fixture +def encryptor() -> AESEncryptor: + return AESEncryptor(TEST_KEY_B64) + + +@pytest.fixture +def redis_mock() -> MagicMock: + mock = MagicMock() + mock.set.return_value = True + mock.get.return_value = None + mock.scan_iter.return_value = iter([]) + return mock + + +@pytest.fixture +def pseudo_mapper(redis_mock, encryptor) -> PseudonymMapper: + return PseudonymMapper(redis_mock, encryptor, ttl_seconds=3600) + + +# --------------------------------------------------------------------------- +# Layer fixtures +# --------------------------------------------------------------------------- + + +@pytest.fixture +def regex_layer() -> RegexLayer: + return RegexLayer() + + +@pytest.fixture +def pipeline_regex_only() -> Pipeline: + """Pipeline with NER disabled for fast unit tests.""" + with patch("config.NER_ENABLED", False): + p = Pipeline() + return p diff --git a/services/pii/tests/test_pipeline.py b/services/pii/tests/test_pipeline.py new file mode 100644 index 0000000..c9c51c8 --- /dev/null +++ b/services/pii/tests/test_pipeline.py @@ -0,0 +1,161 @@ +"""Tests for the pipeline orchestrator (deduplication, layer control).""" + +from __future__ import annotations + +from unittest.mock import MagicMock, patch + +import pytest + +from layers.regex_layer import DetectedEntity, RegexLayer +from pipeline import Pipeline, _deduplicate + + +# --------------------------------------------------------------------------- +# Deduplication unit tests +# --------------------------------------------------------------------------- + + +class TestDeduplicate: + def test_no_overlap_keeps_all(self): + a = DetectedEntity("EMAIL", "a@b.com", 0, 7) + b = DetectedEntity("IBAN", "FR76...", 10, 36) + result = _deduplicate([a, b]) + assert len(result) == 2 + + def test_overlapping_keeps_longer(self): + shorter = DetectedEntity("EMAIL", "short", 0, 5, detection_layer="ner") + longer = DetectedEntity("PERSON", "longer text", 0, 11, detection_layer="ner") + result = _deduplicate([shorter, longer]) + assert len(result) == 1 + assert result[0].original_value == "longer text" + + def test_overlapping_same_length_regex_wins(self): + regex_e = DetectedEntity("EMAIL", "a@b.com", 0, 7, detection_layer="regex") + ner_e = DetectedEntity("PERSON", "a@b.com", 0, 7, detection_layer="ner") + result = _deduplicate([regex_e, ner_e]) + assert len(result) == 1 + assert result[0].detection_layer == "regex" + + def test_adjacent_spans_not_merged(self): + a = DetectedEntity("EMAIL", "a@b.com", 0, 7) + b = DetectedEntity("IBAN", "FR76...", 7, 14) + result = _deduplicate([a, b]) + assert len(result) == 2 + + def test_result_sorted_by_position(self): + b = DetectedEntity("IBAN", "FR76...", 20, 30) + a = DetectedEntity("EMAIL", "a@b.com", 0, 7) + result = _deduplicate([b, a]) + assert result[0].start == 0 + assert result[1].start == 20 + + +# --------------------------------------------------------------------------- +# Pipeline integration tests (regex only — NER disabled for speed) +# --------------------------------------------------------------------------- + + +def make_pipeline_regex_only() -> Pipeline: + with patch("config.NER_ENABLED", False): + return Pipeline() + + +class TestPipelineRegexOnly: + def test_detects_email_in_prompt(self): + p = make_pipeline_regex_only() + results = p.detect("Contact: test@example.com", enable_ner=False) + assert any(e.entity_type == "EMAIL" for e in results) + + def test_detects_multiple_types(self): + p = make_pipeline_regex_only() + text = ( + "Email: alice@corp.com, " + "IBAN: FR7630006000011234567890189, " + "Tel: 06 12 34 56 78" + ) + results = p.detect(text, enable_ner=False) + types = {e.entity_type for e in results} + assert "EMAIL" in types + assert "IBAN" in types + assert "PHONE_FR" in types + + def test_empty_text_returns_empty(self): + p = make_pipeline_regex_only() + assert p.detect("", enable_ner=False) == [] + + def test_no_pii_returns_empty(self): + p = make_pipeline_regex_only() + text = "Le projet avance bien, nous sommes en bonne voie." + assert p.detect(text, enable_ner=False) == [] + + def test_deduplication_applied(self): + p = make_pipeline_regex_only() + # Email appears twice — should be two separate entities (different offsets) + text = "alice@corp.com et alice@corp.com" + results = p.detect(text, enable_ner=False) + emails = [e for e in results if e.entity_type == "EMAIL"] + assert len(emails) == 2 + + def test_long_text_performance(self): + """2000-token text should complete without error.""" + p = make_pipeline_regex_only() + long_text = ("Le projet avance bien. " * 100) + "Email: perf@test.com" + results = p.detect(long_text, enable_ner=False) + assert any(e.entity_type == "EMAIL" for e in results) + + def test_five_pii_types_in_one_prompt(self): + p = make_pipeline_regex_only() + text = ( + "Bonjour, je suis alice@example.com. " + "IBAN: FR7630006000011234567890189. " + "Tel: 0612345678. " + "SS: 175086912345678. " + "CB: 4111111111111111." + ) + results = p.detect(text, enable_ner=False) + types = {e.entity_type for e in results} + assert "EMAIL" in types + assert "IBAN" in types + assert "PHONE_FR" in types + assert "FR_SSN" in types + assert "CREDIT_CARD" in types + + +# --------------------------------------------------------------------------- +# NER mock tests (verify integration path without loading spaCy) +# --------------------------------------------------------------------------- + + +class TestPipelineWithNERMock: + def test_ner_results_merged_and_deduplicated(self): + """Verify pipeline merges NER results with regex results.""" + from layers.regex_layer import DetectedEntity + + p = make_pipeline_regex_only() + # Inject a mock NER layer + mock_ner = MagicMock() + mock_ner.detect.return_value = [ + DetectedEntity("PERSON", "Jean Dupont", 0, 11, confidence=0.95, detection_layer="ner") + ] + p._ner = mock_ner + + text = "Jean Dupont a envoyé un email à alice@example.com" + with patch("config.NER_ENABLED", True): + results = p.detect(text, enable_ner=True) + + types = {e.entity_type for e in results} + assert "PERSON" in types + assert "EMAIL" in types + + def test_ner_failure_falls_back_to_regex(self): + """If NER raises, pipeline returns regex results without crashing.""" + p = make_pipeline_regex_only() + mock_ner = MagicMock() + mock_ner.detect.side_effect = RuntimeError("spaCy model not loaded") + p._ner = mock_ner + + text = "Contact: alice@example.com" + with patch("config.NER_ENABLED", True): + results = p.detect(text, enable_ner=True) + + assert any(e.entity_type == "EMAIL" for e in results) diff --git a/services/pii/tests/test_pseudo.py b/services/pii/tests/test_pseudo.py new file mode 100644 index 0000000..fa31fd7 --- /dev/null +++ b/services/pii/tests/test_pseudo.py @@ -0,0 +1,172 @@ +"""Tests for pseudonymization: AES-256-GCM encryptor + PseudonymMapper.""" + +from __future__ import annotations + +import base64 +import re +from unittest.mock import MagicMock + +import pytest + +from layers.regex_layer import DetectedEntity +from pseudonymize import AESEncryptor, PseudonymMapper + +# Stable 32-byte dev key (base64-encoded) +_KEY_B64 = base64.b64encode(b"veylant-dev-key-32bytes-padding-").decode() + +# Token pattern +_TOKEN_RE = re.compile(r"\[PII:[A-Z_]+:[0-9a-f]{8}\]") + + +# --------------------------------------------------------------------------- +# AESEncryptor tests +# --------------------------------------------------------------------------- + + +class TestAESEncryptor: + @pytest.fixture + def enc(self) -> AESEncryptor: + return AESEncryptor(_KEY_B64) + + def test_encrypt_returns_bytes(self, enc): + result = enc.encrypt("secret") + assert isinstance(result, bytes) + + def test_decrypt_round_trip(self, enc): + plaintext = "jean.dupont@example.com" + assert enc.decrypt(enc.encrypt(plaintext)) == plaintext + + def test_different_encryptions_of_same_value(self, enc): + """AES-GCM uses random nonce — same input gives different ciphertext.""" + a = enc.encrypt("secret") + b = enc.encrypt("secret") + assert a != b + # But both decrypt correctly + assert enc.decrypt(a) == enc.decrypt(b) == "secret" + + def test_empty_string_roundtrip(self, enc): + assert enc.decrypt(enc.encrypt("")) == "" + + def test_unicode_roundtrip(self, enc): + value = "Óscar García-López" + assert enc.decrypt(enc.encrypt(value)) == value + + def test_wrong_key_raises(self, enc): + encrypted = enc.encrypt("secret") + wrong_enc = AESEncryptor(base64.b64encode(b"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx").decode()) + with pytest.raises(Exception): + wrong_enc.decrypt(encrypted) + + def test_invalid_key_length_raises(self): + bad_key = base64.b64encode(b"short").decode() + with pytest.raises(ValueError): + AESEncryptor(bad_key) + + +# --------------------------------------------------------------------------- +# PseudonymMapper tests +# --------------------------------------------------------------------------- + + +@pytest.fixture +def redis_mock() -> MagicMock: + mock = MagicMock() + mock.set.return_value = True + return mock + + +@pytest.fixture +def mapper(redis_mock) -> PseudonymMapper: + enc = AESEncryptor(_KEY_B64) + return PseudonymMapper(redis_mock, enc, ttl_seconds=3600) + + +class TestPseudonymMapper: + def test_anonymize_replaces_entity(self, mapper): + text = "Email: alice@example.com" + entities = [DetectedEntity("EMAIL", "alice@example.com", 7, 24)] + anon, mapping = mapper.anonymize(text, entities, "tenant1", "req1") + assert "alice@example.com" not in anon + assert _TOKEN_RE.search(anon) is not None + + def test_anonymize_returns_mapping(self, mapper): + text = "alice@example.com" + entities = [DetectedEntity("EMAIL", "alice@example.com", 0, 17)] + _, mapping = mapper.anonymize(text, entities, "tenant1", "req1") + assert len(mapping) == 1 + assert "alice@example.com" in mapping.values() + + def test_token_format(self, mapper): + text = "alice@example.com" + entities = [DetectedEntity("EMAIL", "alice@example.com", 0, 17)] + anon, mapping = mapper.anonymize(text, entities, "t", "r") + token = list(mapping.keys())[0] + assert re.match(r"\[PII:EMAIL:[0-9a-f]{8}\]", token) + + def test_depseudonymize_restores_original(self, mapper): + text = "Email: alice@example.com" + entities = [DetectedEntity("EMAIL", "alice@example.com", 7, 24)] + anon, mapping = mapper.anonymize(text, entities, "t", "r") + restored = mapper.depseudonymize(anon, mapping) + assert restored == text + + def test_multiple_entities_anonymized(self, mapper): + text = "alice@example.com et bob@example.com" + entities = [ + DetectedEntity("EMAIL", "alice@example.com", 0, 17), + DetectedEntity("EMAIL", "bob@example.com", 21, 36), + ] + anon, mapping = mapper.anonymize(text, entities, "t", "r") + assert "alice@example.com" not in anon + assert "bob@example.com" not in anon + assert len(mapping) == 2 + + def test_depseudonymize_multiple(self, mapper): + text = "alice@example.com et bob@example.com" + entities = [ + DetectedEntity("EMAIL", "alice@example.com", 0, 17), + DetectedEntity("EMAIL", "bob@example.com", 21, 36), + ] + anon, mapping = mapper.anonymize(text, entities, "t", "r") + restored = mapper.depseudonymize(anon, mapping) + assert "alice@example.com" in restored + assert "bob@example.com" in restored + + def test_redis_set_called_per_entity(self, mapper, redis_mock): + text = "alice@example.com et 06 12 34 56 78" + entities = [ + DetectedEntity("EMAIL", "alice@example.com", 0, 17), + DetectedEntity("PHONE_FR", "06 12 34 56 78", 21, 35), + ] + mapper.anonymize(text, entities, "tenant1", "req1") + assert redis_mock.set.call_count == 2 + + def test_redis_ttl_passed(self, mapper, redis_mock): + text = "alice@example.com" + entities = [DetectedEntity("EMAIL", "alice@example.com", 0, 17)] + mapper.anonymize(text, entities, "t", "r") + call_kwargs = redis_mock.set.call_args[1] + assert call_kwargs.get("ex") == 3600 + + def test_empty_entities_no_change(self, mapper): + text = "Texte sans PII" + anon, mapping = mapper.anonymize(text, [], "t", "r") + assert anon == text + assert mapping == {} + + def test_depseudonymize_unknown_token_left_as_is(self, mapper): + text = "[PII:EMAIL:deadbeef]" + result = mapper.depseudonymize(text, {}) + assert result == "[PII:EMAIL:deadbeef]" + + def test_overlapping_entities_correct_offsets(self, mapper): + """Right-to-left replacement must preserve offsets.""" + text = "a@b.com c@d.com" + entities = [ + DetectedEntity("EMAIL", "a@b.com", 0, 7), + DetectedEntity("EMAIL", "c@d.com", 8, 15), + ] + anon, mapping = mapper.anonymize(text, entities, "t", "r") + restored = mapper.depseudonymize(anon, mapping) + assert "a@b.com" in restored + assert "c@d.com" in restored diff --git a/services/pii/tests/test_regex.py b/services/pii/tests/test_regex.py new file mode 100644 index 0000000..98f99d8 --- /dev/null +++ b/services/pii/tests/test_regex.py @@ -0,0 +1,284 @@ +"""Tests for the regex detection layer. + +Coverage: IBAN, EMAIL, PHONE_FR, PHONE_INTL, FR_SSN, CREDIT_CARD. +""" + +from __future__ import annotations + +import pytest + +from layers.regex_layer import RegexLayer, _iban_valid, _luhn_valid + +# --------------------------------------------------------------------------- +# Fixtures +# --------------------------------------------------------------------------- + + +@pytest.fixture +def layer() -> RegexLayer: + return RegexLayer() + + +# --------------------------------------------------------------------------- +# IBAN — valid checksums +# --------------------------------------------------------------------------- + + +class TestIBAN: + VALID_IBANS = [ + "FR7630006000011234567890189", # FR — no spaces + "FR76 3000 6000 0112 3456 7890 189", # FR — with spaces + "DE89370400440532013000", # DE + "GB29NWBK60161331926819", # GB + "ES9121000418450200051332", # ES + "IT60X0542811101000000123456", # IT + "NL91ABNA0417164300", # NL + "BE68539007547034", # BE + ] + + INVALID_IBANS = [ + "FR7630006000011234567890188", # wrong checksum + "XX0000000000000000000000000", # invalid country + "FR76", # too short + "notaniban", + ] + + @pytest.mark.parametrize("iban", VALID_IBANS) + def test_valid_iban_detected(self, layer, iban): + results = layer.detect(f"Mon IBAN est {iban} merci") + types = [e.entity_type for e in results] + assert "IBAN" in types, f"Expected IBAN detected in: {iban}" + + @pytest.mark.parametrize("iban", INVALID_IBANS) + def test_invalid_iban_not_detected(self, layer, iban): + results = layer.detect(iban) + types = [e.entity_type for e in results] + assert "IBAN" not in types, f"IBAN should not be detected: {iban}" + + def test_iban_entity_fields(self, layer): + text = "IBAN: FR7630006000011234567890189" + results = layer.detect(text) + iban = next(e for e in results if e.entity_type == "IBAN") + assert iban.confidence == 1.0 + assert iban.detection_layer == "regex" + assert iban.start >= 0 + assert iban.end > iban.start + + def test_iban_checksum_validation(self): + assert _iban_valid("FR7630006000011234567890189") is True + assert _iban_valid("FR7630006000011234567890188") is False + + def test_multiple_ibans_in_text(self, layer): + text = "Premier: FR7630006000011234567890189, second: DE89370400440532013000" + results = layer.detect(text) + ibans = [e for e in results if e.entity_type == "IBAN"] + assert len(ibans) == 2 + + +# --------------------------------------------------------------------------- +# EMAIL +# --------------------------------------------------------------------------- + + +class TestEmail: + VALID_EMAILS = [ + "user@example.com", + "first.last@subdomain.example.org", + "user+tag@example.co.uk", + "USER@EXAMPLE.COM", + "user123@example-domain.com", + "user@xn--nxasmq6b.com", # IDN domain + "a@b.io", + ] + + INVALID_EMAILS = [ + "notanemail", + "@nodomain.com", + "user@", + "user@.com", + ] + + @pytest.mark.parametrize("email", VALID_EMAILS) + def test_valid_email_detected(self, layer, email): + results = layer.detect(f"Contact: {email}") + types = [e.entity_type for e in results] + assert "EMAIL" in types + + @pytest.mark.parametrize("email", INVALID_EMAILS) + def test_invalid_email_not_detected(self, layer, email): + results = layer.detect(email) + types = [e.entity_type for e in results] + assert "EMAIL" not in types + + def test_email_in_sentence(self, layer): + text = "Envoyez votre CV à recrutement@veylant.io pour postuler." + results = layer.detect(text) + email = next(e for e in results if e.entity_type == "EMAIL") + assert email.original_value == "recrutement@veylant.io" + + def test_multiple_emails(self, layer): + text = "Copie à alice@example.com et bob@example.org" + results = layer.detect(text) + emails = [e for e in results if e.entity_type == "EMAIL"] + assert len(emails) == 2 + + +# --------------------------------------------------------------------------- +# PHONE_FR +# --------------------------------------------------------------------------- + + +class TestPhoneFR: + VALID_FR_PHONES = [ + "0612345678", + "06 12 34 56 78", + "06-12-34-56-78", + "06.12.34.56.78", + "0712345678", + "+33612345678", + "+33 6 12 34 56 78", + "0033612345678", + ] + + INVALID_FR_PHONES = [ + "0512345678", # landline, not mobile (05 not 06/07) + "0123456789", # landline 01 + "123456", # too short + ] + + @pytest.mark.parametrize("phone", VALID_FR_PHONES) + def test_valid_fr_phone_detected(self, layer, phone): + results = layer.detect(f"Appelez-moi au {phone}") + types = [e.entity_type for e in results] + assert "PHONE_FR" in types, f"Expected PHONE_FR for: {phone}" + + @pytest.mark.parametrize("phone", INVALID_FR_PHONES) + def test_non_mobile_not_detected_as_fr(self, layer, phone): + results = layer.detect(phone) + types = [e.entity_type for e in results] + assert "PHONE_FR" not in types + + +# --------------------------------------------------------------------------- +# PHONE_INTL +# --------------------------------------------------------------------------- + + +class TestPhoneIntl: + VALID_INTL_PHONES = [ + "+12025550123", # US + "+441632960789", # UK + "+4915123456789", # DE mobile + "+34612345678", # ES mobile + ] + + @pytest.mark.parametrize("phone", VALID_INTL_PHONES) + def test_valid_intl_phone_detected(self, layer, phone): + results = layer.detect(f"Call me at {phone}") + types = [e.entity_type for e in results] + # +33 FR numbers are captured as PHONE_FR, others as PHONE_INTL + assert "PHONE_FR" in types or "PHONE_INTL" in types, f"No phone detected for: {phone}" + + +# --------------------------------------------------------------------------- +# FR_SSN +# --------------------------------------------------------------------------- + + +class TestFRSSN: + VALID_SSNS = [ + "175086912345678", # Male born Aug 1975 + "299051234567890", # Female born May 1999 + "182011234512345", # Male born Jan 1982 + "120031234512345", # Male born Mar 2020 — dept 12 + ] + + INVALID_SSNS = [ + "375086912345678", # invalid first digit (3) + "000086912345678", # year 00 could be valid but first digit invalid + "short", + ] + + @pytest.mark.parametrize("ssn", VALID_SSNS) + def test_valid_ssn_detected(self, layer, ssn): + results = layer.detect(f"Numéro de sécurité sociale: {ssn}") + types = [e.entity_type for e in results] + assert "FR_SSN" in types, f"Expected FR_SSN for: {ssn}" + + @pytest.mark.parametrize("ssn", INVALID_SSNS) + def test_invalid_ssn_not_detected(self, layer, ssn): + results = layer.detect(ssn) + types = [e.entity_type for e in results] + assert "FR_SSN" not in types + + +# --------------------------------------------------------------------------- +# CREDIT_CARD (Luhn) +# --------------------------------------------------------------------------- + + +class TestCreditCard: + VALID_CARDS = [ + "4532015112830366", # Visa + "5425233430109903", # Mastercard + "4532 0151 1283 0366", # with spaces + "4532-0151-1283-0366", # with hyphens + "4111111111111111", # Visa test card + "5500005555555559", # Mastercard test card + ] + + INVALID_CARDS = [ + "1234567890123456", # Fails Luhn + "4532015112830365", # Valid format but wrong Luhn + "1234 5678 9012 3456", # Fails Luhn + ] + + @pytest.mark.parametrize("card", VALID_CARDS) + def test_valid_card_detected(self, layer, card): + results = layer.detect(f"Carte: {card}") + types = [e.entity_type for e in results] + assert "CREDIT_CARD" in types, f"Expected CREDIT_CARD for: {card}" + + @pytest.mark.parametrize("card", INVALID_CARDS) + def test_invalid_card_not_detected(self, layer, card): + results = layer.detect(card) + types = [e.entity_type for e in results] + assert "CREDIT_CARD" not in types, f"Should not detect: {card}" + + def test_luhn_algorithm(self): + assert _luhn_valid("4532015112830366") is True + assert _luhn_valid("4532015112830365") is False + assert _luhn_valid("4111111111111111") is True + assert _luhn_valid("1234567890123456") is False + + +# --------------------------------------------------------------------------- +# Mixed / integration +# --------------------------------------------------------------------------- + + +class TestMixedPII: + def test_multiple_pii_types_in_prompt(self, layer): + text = ( + "Bonjour, je suis Jean Dupont (jean.dupont@example.com). " + "Mon IBAN est FR7630006000011234567890189. " + "Appelez-moi au 06 12 34 56 78." + ) + results = layer.detect(text) + types = {e.entity_type for e in results} + assert "EMAIL" in types + assert "IBAN" in types + assert "PHONE_FR" in types + + def test_empty_text_returns_empty(self, layer): + assert layer.detect("") == [] + + def test_no_pii_text(self, layer): + text = "Le projet avance bien et l'équipe est motivée." + assert layer.detect(text) == [] + + def test_entities_sorted_by_position(self, layer): + text = "Email: a@b.com IBAN: FR7630006000011234567890189" + results = layer.detect(text) + positions = [e.start for e in results] + assert positions == sorted(positions) diff --git a/test/integration/auth_test.go b/test/integration/auth_test.go new file mode 100644 index 0000000..9657edf --- /dev/null +++ b/test/integration/auth_test.go @@ -0,0 +1,241 @@ +//go:build integration + +// Package integration contains E2E tests that require external services. +// Run with: go test -tags integration ./test/integration/ +// The tests spin up a real Keycloak instance via testcontainers-go, obtain +// a JWT token, and verify that the proxy auth middleware accepts / rejects it. +package integration + +import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "net/http/httptest" + "net/url" + "strings" + "testing" + "time" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + tc "github.com/testcontainers/testcontainers-go" + "github.com/testcontainers/testcontainers-go/wait" + + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/proxy" + "go.uber.org/zap" +) + +const ( + keycloakImage = "quay.io/keycloak/keycloak:24.0" + testRealm = "veylant-test" + testClientID = "test-client" + testClientSecret = "test-secret" + testUsername = "testuser" + testPassword = "testpass" +) + +// startKeycloak starts a Keycloak container and returns its base URL. +func startKeycloak(t *testing.T) (baseURL string, cleanup func()) { + t.Helper() + ctx := context.Background() + + req := tc.ContainerRequest{ + Image: keycloakImage, + ExposedPorts: []string{"8080/tcp"}, + Env: map[string]string{ + "KC_BOOTSTRAP_ADMIN_USERNAME": "admin", + "KC_BOOTSTRAP_ADMIN_PASSWORD": "admin", + }, + Cmd: []string{"start-dev"}, + WaitingFor: wait.ForHTTP("/health/ready"). + WithPort("8080/tcp"). + WithStartupTimeout(120 * time.Second), + } + + container, err := tc.GenericContainer(ctx, tc.GenericContainerRequest{ + ContainerRequest: req, + Started: true, + }) + require.NoError(t, err, "starting Keycloak container") + + host, err := container.Host(ctx) + require.NoError(t, err) + port, err := container.MappedPort(ctx, "8080") + require.NoError(t, err) + + base := fmt.Sprintf("http://%s:%s", host, port.Port()) + + // Provision realm + client + test user via Keycloak Admin REST API. + provisionKeycloak(t, base) + + return base, func() { + _ = container.Terminate(ctx) + } +} + +// provisionKeycloak creates the test realm, client, and user via the Admin API. +func provisionKeycloak(t *testing.T, baseURL string) { + t.Helper() + ctx := context.Background() + + // Obtain admin access token. + adminToken := getAdminToken(t, baseURL) + + adminAPI := baseURL + "/admin/realms" + client := &http.Client{Timeout: 10 * time.Second} + + doJSON := func(method, path string, body interface{}) { + t.Helper() + var r io.Reader + if body != nil { + b, _ := json.Marshal(body) + r = strings.NewReader(string(b)) + } + req, _ := http.NewRequestWithContext(ctx, method, adminAPI+path, r) + req.Header.Set("Authorization", "Bearer "+adminToken) + req.Header.Set("Content-Type", "application/json") + resp, err := client.Do(req) + require.NoError(t, err) + defer resp.Body.Close() //nolint:errcheck + require.Less(t, resp.StatusCode, 300, + "Keycloak admin API %s %s returned %d", method, path, resp.StatusCode) + } + + // Create realm. + doJSON(http.MethodPost, "", map[string]interface{}{ + "realm": testRealm, + "enabled": true, + }) + + // Create public client with direct access grants (password flow for testing). + doJSON(http.MethodPost, "/"+testRealm+"/clients", map[string]interface{}{ + "clientId": testClientID, + "enabled": true, + "publicClient": false, + "secret": testClientSecret, + "directAccessGrantsEnabled": true, + "standardFlowEnabled": false, + }) + + // Create test user. + doJSON(http.MethodPost, "/"+testRealm+"/users", map[string]interface{}{ + "username": testUsername, + "email": testUsername + "@example.com", + "enabled": true, + "emailVerified": true, + "credentials": []map[string]interface{}{ + {"type": "password", "value": testPassword, "temporary": false}, + }, + }) +} + +func getAdminToken(t *testing.T, baseURL string) string { + t.Helper() + resp, err := http.PostForm( + baseURL+"/realms/master/protocol/openid-connect/token", + url.Values{ + "grant_type": {"password"}, + "client_id": {"admin-cli"}, + "username": {"admin"}, + "password": {"admin"}, + }, + ) + require.NoError(t, err) + defer resp.Body.Close() //nolint:errcheck + var tok struct { + AccessToken string `json:"access_token"` + } + require.NoError(t, json.NewDecoder(resp.Body).Decode(&tok)) + return tok.AccessToken +} + +func getUserToken(t *testing.T, baseURL string) string { + t.Helper() + resp, err := http.PostForm( + baseURL+"/realms/"+testRealm+"/protocol/openid-connect/token", + url.Values{ + "grant_type": {"password"}, + "client_id": {testClientID}, + "client_secret": {testClientSecret}, + "username": {testUsername}, + "password": {testPassword}, + }, + ) + require.NoError(t, err) + defer resp.Body.Close() //nolint:errcheck + var tok struct { + AccessToken string `json:"access_token"` + } + require.NoError(t, json.NewDecoder(resp.Body).Decode(&tok)) + require.NotEmpty(t, tok.AccessToken, "could not obtain user token") + return tok.AccessToken +} + +// TestAuth_Integration_ValidToken_Returns200 obtains a real JWT from a live +// Keycloak instance and verifies that the Auth middleware + proxy handler +// accept it and call the next handler. +func TestAuth_Integration_ValidToken_Returns200(t *testing.T) { + keycloakBase, cleanup := startKeycloak(t) + defer cleanup() + + issuerURL := keycloakBase + "/realms/" + testRealm + verifier, err := middleware.NewOIDCVerifier(context.Background(), issuerURL, testClientID) + require.NoError(t, err) + + // Build a minimal proxy handler backed by a stub adapter. + stub := &stubIntegrationAdapter{} + handler := proxy.New(stub, zap.NewNop(), nil) + + // Wire up the auth middleware. + protected := middleware.Auth(verifier)(handler) + + // Obtain a real JWT. + token := getUserToken(t, keycloakBase) + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", + strings.NewReader(`{"model":"gpt-4o","messages":[{"role":"user","content":"hi"}]}`)) + req.Header.Set("Authorization", "Bearer "+token) + rec := httptest.NewRecorder() + + protected.ServeHTTP(rec, req) + assert.Equal(t, http.StatusOK, rec.Code) +} + +// TestAuth_Integration_NoToken_Returns401 verifies that the Auth middleware +// rejects requests without a token with 401. +func TestAuth_Integration_NoToken_Returns401(t *testing.T) { + // We do not need a running Keycloak for this test — the missing token is + // caught before any JWKS call. + verifier := &middleware.MockVerifier{} // won't be called + + handler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { + w.WriteHeader(http.StatusOK) + }) + + req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", + strings.NewReader(`{}`)) + rec := httptest.NewRecorder() + + middleware.Auth(verifier)(handler).ServeHTTP(rec, req) + assert.Equal(t, http.StatusUnauthorized, rec.Code) +} + +// stubIntegrationAdapter is a minimal provider.Adapter for integration tests. +type stubIntegrationAdapter struct{} + +func (s *stubIntegrationAdapter) Validate(req *provider.ChatRequest) error { return nil } + +func (s *stubIntegrationAdapter) Send(_ context.Context, _ *provider.ChatRequest) (*provider.ChatResponse, error) { + return &provider.ChatResponse{ID: "integ-test", Model: "gpt-4o"}, nil +} + +func (s *stubIntegrationAdapter) Stream(_ context.Context, _ *provider.ChatRequest, w http.ResponseWriter) error { + fmt.Fprintf(w, "data: [DONE]\n\n") //nolint:errcheck + return nil +} + +func (s *stubIntegrationAdapter) HealthCheck(_ context.Context) error { return nil } diff --git a/test/integration/e2e_admin_test.go b/test/integration/e2e_admin_test.go new file mode 100644 index 0000000..72169f2 --- /dev/null +++ b/test/integration/e2e_admin_test.go @@ -0,0 +1,578 @@ +//go:build integration + +// Package integration contains Sprint 11 E2E tests (E11-01b). +// Batch 2 covers: admin policies CRUD, feature flags admin API, audit log +// query, cost aggregation, compliance entry CRUD, and GDPR erasure. +// +// Run with: go test -tags integration -v ./test/integration/ -run TestE2E_Admin +// All tests use httptest.Server + in-memory stubs — no external services needed. +package integration + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "net/http" + "net/http/httptest" + "sync" + "testing" + "time" + + "github.com/go-chi/chi/v5" + chimiddleware "github.com/go-chi/chi/v5/middleware" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/admin" + "github.com/veylant/ia-gateway/internal/auditlog" + "github.com/veylant/ia-gateway/internal/compliance" + "github.com/veylant/ia-gateway/internal/flags" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/routing" +) + +// ─── Admin server builder ───────────────────────────────────────────────────── + +type adminServerOptions struct { + store routing.RuleStore + auditLog auditlog.Logger + flagStore flags.FlagStore + verifier middleware.TokenVerifier + // compStore: if nil, a memComplianceStore is created automatically + compStore compliance.ComplianceStore +} + +// buildAdminServer creates a fully wired httptest.Server exposing /v1/admin/* +// and /v1/admin/compliance/* with in-memory stores. No external services needed. +func buildAdminServer(t *testing.T, opts adminServerOptions) *httptest.Server { + t.Helper() + + if opts.store == nil { + opts.store = routing.NewMemStore() + } + if opts.auditLog == nil { + opts.auditLog = auditlog.NewMemLogger() + } + if opts.flagStore == nil { + opts.flagStore = flags.NewMemFlagStore() + } + if opts.verifier == nil { + opts.verifier = &middleware.MockVerifier{Claims: e2eAdminClaims()} + } + if opts.compStore == nil { + opts.compStore = newMemComplianceStore() + } + + cache := routing.NewRuleCache(opts.store, 5*time.Minute, zap.NewNop()) + adminHandler := admin.NewWithAudit(opts.store, cache, opts.auditLog, zap.NewNop()). + WithFlagStore(opts.flagStore) + + compHandler := compliance.New(opts.compStore, zap.NewNop()). + WithAudit(opts.auditLog) + + r := chi.NewRouter() + r.Use(chimiddleware.Recoverer) + + r.Route("/v1", func(r chi.Router) { + r.Use(middleware.Auth(opts.verifier)) + r.Route("/admin", adminHandler.Routes) + r.Route("/admin/compliance", compHandler.Routes) + }) + + srv := httptest.NewServer(r) + t.Cleanup(srv.Close) + return srv +} + +// ─── In-memory ComplianceStore for tests ───────────────────────────────────── + +type memComplianceStore struct { + mu sync.Mutex + entries map[string]compliance.ProcessingEntry + seq int +} + +func newMemComplianceStore() *memComplianceStore { + return &memComplianceStore{entries: make(map[string]compliance.ProcessingEntry)} +} + +func (m *memComplianceStore) List(_ context.Context, tenantID string) ([]compliance.ProcessingEntry, error) { + m.mu.Lock() + defer m.mu.Unlock() + var out []compliance.ProcessingEntry + for _, e := range m.entries { + if e.TenantID == tenantID { + out = append(out, e) + } + } + return out, nil +} + +func (m *memComplianceStore) Get(_ context.Context, id, tenantID string) (compliance.ProcessingEntry, error) { + m.mu.Lock() + defer m.mu.Unlock() + e, ok := m.entries[id] + if !ok || e.TenantID != tenantID { + return compliance.ProcessingEntry{}, compliance.ErrNotFound + } + return e, nil +} + +func (m *memComplianceStore) Create(_ context.Context, entry compliance.ProcessingEntry) (compliance.ProcessingEntry, error) { + m.mu.Lock() + defer m.mu.Unlock() + m.seq++ + entry.ID = fmt.Sprintf("comp-%d", m.seq) + entry.CreatedAt = time.Now() + entry.UpdatedAt = time.Now() + m.entries[entry.ID] = entry + return entry, nil +} + +func (m *memComplianceStore) Update(_ context.Context, entry compliance.ProcessingEntry) (compliance.ProcessingEntry, error) { + m.mu.Lock() + defer m.mu.Unlock() + existing, ok := m.entries[entry.ID] + if !ok || existing.TenantID != entry.TenantID { + return compliance.ProcessingEntry{}, compliance.ErrNotFound + } + entry.CreatedAt = existing.CreatedAt + entry.UpdatedAt = time.Now() + m.entries[entry.ID] = entry + return entry, nil +} + +func (m *memComplianceStore) Delete(_ context.Context, id, tenantID string) error { + m.mu.Lock() + defer m.mu.Unlock() + e, ok := m.entries[id] + if !ok || e.TenantID != tenantID { + return compliance.ErrNotFound + } + delete(m.entries, id) + return nil +} + +// ─── Helper: doAdminJSON ────────────────────────────────────────────────────── + +// doAdminJSON sends an authenticated JSON request to the test server. +func doAdminJSON(t *testing.T, method, url string, body interface{}) *http.Response { + t.Helper() + return doJSON(t, http.DefaultClient, method, url, "test-token", body) +} + +// decodeBody decodes JSON body into dst, draining the response body. +func decodeBody(t *testing.T, resp *http.Response, dst interface{}) { + t.Helper() + defer resp.Body.Close() + require.NoError(t, json.NewDecoder(resp.Body).Decode(dst)) +} + +// ─── E2E tests: Admin Policies ──────────────────────────────────────────────── + +// TestE2E_Admin_Policies_List_Empty verifies GET /v1/admin/policies returns +// 200 with an empty data array when no policies have been created. +func TestE2E_Admin_Policies_List_Empty(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + + resp := doAdminJSON(t, http.MethodGet, srv.URL+"/v1/admin/policies", nil) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var body struct { + Data []interface{} `json:"data"` + } + decodeBody(t, resp, &body) + assert.Empty(t, body.Data) +} + +// TestE2E_Admin_Policies_Create_Returns201 verifies POST /v1/admin/policies +// creates a policy and returns 201 with a non-empty ID. +func TestE2E_Admin_Policies_Create_Returns201(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + + payload := map[string]interface{}{ + "name": "HR policy", + "priority": 10, + "is_enabled": true, + "conditions": []map[string]interface{}{}, + "action": map[string]string{"provider": "openai", "model": "gpt-4o"}, + } + + resp := doAdminJSON(t, http.MethodPost, srv.URL+"/v1/admin/policies", payload) + assert.Equal(t, http.StatusCreated, resp.StatusCode) + + var created routing.RoutingRule + decodeBody(t, resp, &created) + assert.NotEmpty(t, created.ID) + assert.Equal(t, "HR policy", created.Name) + assert.Equal(t, e2eTenantID, created.TenantID) +} + +// TestE2E_Admin_Policies_Update_Returns200 creates a policy then updates it +// and verifies the returned rule contains the new name. +func TestE2E_Admin_Policies_Update_Returns200(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + url := srv.URL + "/v1/admin/policies" + + // Create + payload := map[string]interface{}{ + "name": "initial", + "is_enabled": true, + "conditions": []map[string]interface{}{}, + "action": map[string]string{"provider": "openai", "model": "gpt-4o"}, + } + createResp := doAdminJSON(t, http.MethodPost, url, payload) + require.Equal(t, http.StatusCreated, createResp.StatusCode) + var created routing.RoutingRule + decodeBody(t, createResp, &created) + + // Update + payload["name"] = "updated" + updateResp := doAdminJSON(t, http.MethodPut, url+"/"+created.ID, payload) + assert.Equal(t, http.StatusOK, updateResp.StatusCode) + + var updated routing.RoutingRule + decodeBody(t, updateResp, &updated) + assert.Equal(t, "updated", updated.Name) + assert.Equal(t, created.ID, updated.ID) +} + +// TestE2E_Admin_Policies_Delete_Returns204 creates a policy then deletes it, +// verifying 204 No Content on delete and 404 on subsequent GET. +func TestE2E_Admin_Policies_Delete_Returns204(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + url := srv.URL + "/v1/admin/policies" + + // Create + payload := map[string]interface{}{ + "name": "to-delete", + "is_enabled": true, + "conditions": []map[string]interface{}{}, + "action": map[string]string{"provider": "openai", "model": "gpt-4o"}, + } + createResp := doAdminJSON(t, http.MethodPost, url, payload) + require.Equal(t, http.StatusCreated, createResp.StatusCode) + var created routing.RoutingRule + decodeBody(t, createResp, &created) + + // Delete + delResp := doAdminJSON(t, http.MethodDelete, url+"/"+created.ID, nil) + assert.Equal(t, http.StatusNoContent, delResp.StatusCode) + delResp.Body.Close() + + // GET should be 404 + getResp := doAdminJSON(t, http.MethodGet, url+"/"+created.ID, nil) + assert.Equal(t, http.StatusNotFound, getResp.StatusCode) + getResp.Body.Close() +} + +// TestE2E_Admin_Policies_SeedTemplate_HR verifies that POST +// /v1/admin/policies/seed/hr returns 201 and creates a rule in the store. +func TestE2E_Admin_Policies_SeedTemplate_HR(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + + resp := doAdminJSON(t, http.MethodPost, srv.URL+"/v1/admin/policies/seed/hr", nil) + assert.Equal(t, http.StatusCreated, resp.StatusCode) + + var created routing.RoutingRule + decodeBody(t, resp, &created) + assert.NotEmpty(t, created.ID) + assert.NotEmpty(t, created.Name) + assert.Equal(t, e2eTenantID, created.TenantID) +} + +// ─── E2E tests: Feature Flags Admin API ────────────────────────────────────── + +// TestE2E_Admin_Flags_List_Set_Delete exercises the full flag lifecycle: +// GET (empty), PUT to set, GET (present), DELETE, GET (gone). +func TestE2E_Admin_Flags_List_Set_Delete(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + flagsURL := srv.URL + "/v1/admin/flags" + + // GET initial state — may contain global defaults; check 200 at minimum. + listResp := doAdminJSON(t, http.MethodGet, flagsURL, nil) + assert.Equal(t, http.StatusOK, listResp.StatusCode) + listResp.Body.Close() + + // PUT — disable pii_enabled for this tenant + putResp := doAdminJSON(t, http.MethodPut, flagsURL+"/pii_enabled", + map[string]bool{"enabled": false}) + assert.Equal(t, http.StatusOK, putResp.StatusCode) + + var flag flags.FeatureFlag + decodeBody(t, putResp, &flag) + assert.Equal(t, "pii_enabled", flag.Name) + assert.False(t, flag.IsEnabled) + + // GET list — should now include pii_enabled for this tenant + listResp2 := doAdminJSON(t, http.MethodGet, flagsURL, nil) + assert.Equal(t, http.StatusOK, listResp2.StatusCode) + var listBody struct { + Data []flags.FeatureFlag `json:"data"` + } + decodeBody(t, listResp2, &listBody) + found := false + for _, f := range listBody.Data { + if f.Name == "pii_enabled" && f.TenantID == e2eTenantID { + found = true + assert.False(t, f.IsEnabled) + } + } + assert.True(t, found, "pii_enabled should be in the flag list after PUT") + + // DELETE + delResp := doAdminJSON(t, http.MethodDelete, flagsURL+"/pii_enabled", nil) + assert.Equal(t, http.StatusNoContent, delResp.StatusCode) + delResp.Body.Close() + + // After DELETE, the tenant-specific flag should be gone. + // A subsequent GET /flags should not include the tenant-specific pii_enabled. + listResp3 := doAdminJSON(t, http.MethodGet, flagsURL, nil) + assert.Equal(t, http.StatusOK, listResp3.StatusCode) + var listBody3 struct { + Data []flags.FeatureFlag `json:"data"` + } + decodeBody(t, listResp3, &listBody3) + for _, f := range listBody3.Data { + if f.Name == "pii_enabled" { + assert.NotEqual(t, e2eTenantID, f.TenantID, + "tenant-specific pii_enabled should be deleted") + } + } +} + +// ─── E2E tests: Audit Logs ──────────────────────────────────────────────────── + +// TestE2E_Admin_Logs_Query_ReturnsEntries pre-seeds a MemLogger with one +// entry and verifies GET /v1/admin/logs returns it. +func TestE2E_Admin_Logs_Query_ReturnsEntries(t *testing.T) { + memLog := auditlog.NewMemLogger() + memLog.Log(auditlog.AuditEntry{ + RequestID: "req-e2e-01", + TenantID: e2eTenantID, + UserID: e2eUserID, + Timestamp: time.Now(), + ModelRequested: "gpt-4o", + Provider: "openai", + TokenTotal: 42, + Status: "ok", + }) + + srv := buildAdminServer(t, adminServerOptions{auditLog: memLog}) + + resp := doAdminJSON(t, http.MethodGet, srv.URL+"/v1/admin/logs", nil) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var result auditlog.AuditResult + decodeBody(t, resp, &result) + require.Equal(t, 1, result.Total, "should have exactly one log entry") + assert.Equal(t, "req-e2e-01", result.Data[0].RequestID) +} + +// ─── E2E tests: Costs ───────────────────────────────────────────────────────── + +// TestE2E_Admin_Costs_GroupBy_Provider verifies GET /v1/admin/costs?group_by=provider +// returns a data array that includes an openai cost summary. +func TestE2E_Admin_Costs_GroupBy_Provider(t *testing.T) { + memLog := auditlog.NewMemLogger() + // Seed two entries with different providers + for i := 0; i < 3; i++ { + memLog.Log(auditlog.AuditEntry{ + RequestID: fmt.Sprintf("req-%d", i), + TenantID: e2eTenantID, + Provider: "openai", + TokenTotal: 100, + CostUSD: 0.002, + Status: "ok", + }) + } + memLog.Log(auditlog.AuditEntry{ + RequestID: "req-mistral", + TenantID: e2eTenantID, + Provider: "mistral", + TokenTotal: 50, + CostUSD: 0.001, + Status: "ok", + }) + + srv := buildAdminServer(t, adminServerOptions{auditLog: memLog}) + + resp := doAdminJSON(t, http.MethodGet, srv.URL+"/v1/admin/costs?group_by=provider", nil) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var result auditlog.CostResult + decodeBody(t, resp, &result) + require.NotEmpty(t, result.Data) + + keySet := make(map[string]bool) + for _, s := range result.Data { + keySet[s.Key] = true + } + assert.True(t, keySet["openai"], "openai should appear in cost breakdown") + assert.True(t, keySet["mistral"], "mistral should appear in cost breakdown") +} + +// ─── E2E tests: Compliance Entry CRUD ──────────────────────────────────────── + +// TestE2E_Compliance_Entry_CRUD exercises the full processing entry lifecycle: +// POST → GET → PUT → DELETE. +func TestE2E_Compliance_Entry_CRUD(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + baseURL := srv.URL + "/v1/admin/compliance/entries" + + // POST — create entry + createPayload := map[string]interface{}{ + "use_case_name": "Chatbot RH", + "legal_basis": "legitimate_interest", + "purpose": "Automatisation des réponses RH internes", + "data_categories": []string{"identifiers", "professional"}, + "recipients": []string{"HR team"}, + "processors": []string{"OpenAI Inc."}, + "retention_period": "12 months", + "security_measures": "AES-256 encryption, access control", + "controller_name": "Veylant E2E Corp", + } + createResp := doAdminJSON(t, http.MethodPost, baseURL, createPayload) + require.Equal(t, http.StatusCreated, createResp.StatusCode) + + var created compliance.ProcessingEntry + decodeBody(t, createResp, &created) + require.NotEmpty(t, created.ID) + assert.Equal(t, "Chatbot RH", created.UseCaseName) + assert.Equal(t, e2eTenantID, created.TenantID) + + // GET — retrieve entry + getResp := doAdminJSON(t, http.MethodGet, baseURL+"/"+created.ID, nil) + assert.Equal(t, http.StatusOK, getResp.StatusCode) + var fetched compliance.ProcessingEntry + decodeBody(t, getResp, &fetched) + assert.Equal(t, created.ID, fetched.ID) + + // PUT — update entry + createPayload["use_case_name"] = "Chatbot RH v2" + updateResp := doAdminJSON(t, http.MethodPut, baseURL+"/"+created.ID, createPayload) + assert.Equal(t, http.StatusOK, updateResp.StatusCode) + var updated compliance.ProcessingEntry + decodeBody(t, updateResp, &updated) + assert.Equal(t, "Chatbot RH v2", updated.UseCaseName) + + // DELETE — remove entry + delResp := doAdminJSON(t, http.MethodDelete, baseURL+"/"+created.ID, nil) + assert.Equal(t, http.StatusNoContent, delResp.StatusCode) + delResp.Body.Close() + + // GET after delete — should be 404 + get2Resp := doAdminJSON(t, http.MethodGet, baseURL+"/"+created.ID, nil) + assert.Equal(t, http.StatusNotFound, get2Resp.StatusCode) + get2Resp.Body.Close() +} + +// ─── E2E tests: GDPR Erasure ───────────────────────────────────────────────── + +// TestE2E_Compliance_GDPR_Erase_Returns200 verifies DELETE +// /v1/admin/compliance/gdpr/erase/{user_id} returns 200 with status "completed". +// The handler works without a DB connection (db=nil path is exercised). +func TestE2E_Compliance_GDPR_Erase_Returns200(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + targetUser := "user-to-erase@corp.example" + + resp, err := makeRequest(t, + http.MethodDelete, + srv.URL+"/v1/admin/compliance/gdpr/erase/"+targetUser+"?reason=test-erase", + "test-token", + nil, + ) + require.NoError(t, err) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var erasure compliance.ErasureRecord + decodeBody(t, resp, &erasure) + assert.Equal(t, "completed", erasure.Status) + assert.Equal(t, targetUser, erasure.TargetUser) + assert.Equal(t, e2eTenantID, erasure.TenantID) +} + +// makeRequest is a low-level helper for requests that don't have a JSON body. +func makeRequest(t *testing.T, method, url, token string, body []byte) (*http.Response, error) { + t.Helper() + var bodyReader *bytes.Reader + if body != nil { + bodyReader = bytes.NewReader(body) + } else { + bodyReader = bytes.NewReader(nil) + } + req, err := http.NewRequestWithContext(context.Background(), method, url, bodyReader) + require.NoError(t, err) + if token != "" { + req.Header.Set("Authorization", "Bearer "+token) + } + return http.DefaultClient.Do(req) +} + +// ─── E2E tests: Admin server — no-auth guard ────────────────────────────────── + +// TestE2E_Admin_NoToken_Returns401 verifies that all admin routes are +// protected: a request without a token receives 401. +func TestE2E_Admin_NoToken_Returns401(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + + req, err := http.NewRequestWithContext(context.Background(), + http.MethodGet, srv.URL+"/v1/admin/policies", nil) + require.NoError(t, err) + // No Authorization header + + resp, err := http.DefaultClient.Do(req) + require.NoError(t, err) + defer resp.Body.Close() + assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) +} + +// ─── E2E tests: Routing flag via proxy ──────────────────────────────────────── + +// TestE2E_Admin_Flags_Routing_Disabled_StillRoutes verifies that when +// routing_enabled is set to false for a tenant, the proxy falls back to +// static prefix rules and still returns 200 (not an error). +func TestE2E_Admin_Flags_Routing_Disabled_StillRoutes(t *testing.T) { + fs := flags.NewMemFlagStore() + // Explicitly disable routing for the E2E tenant + _, err := fs.Set(context.Background(), e2eTenantID, "routing_enabled", false) + require.NoError(t, err) + + // Build proxy server using the flag store with routing disabled + srv := buildProxyServer(t, proxyServerOptions{flagStore: fs}) + + resp := doJSON(t, http.DefaultClient, http.MethodPost, + srv.URL+"/v1/chat/completions", + "test-token", + chatBody("gpt-4o", false), + ) + defer resp.Body.Close() + + // Should still succeed — static prefix fallback routes gpt-4o → openai stub + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var body map[string]interface{} + require.NoError(t, json.NewDecoder(resp.Body).Decode(&body)) + choices, _ := body["choices"].([]interface{}) + assert.NotEmpty(t, choices) +} + +// ─── E2E tests: Compliance list empty ──────────────────────────────────────── + +// TestE2E_Compliance_Entries_List_Empty verifies that GET /v1/admin/compliance/entries +// returns 200 with an empty data array on a fresh store. +func TestE2E_Compliance_Entries_List_Empty(t *testing.T) { + srv := buildAdminServer(t, adminServerOptions{}) + + resp := doAdminJSON(t, http.MethodGet, srv.URL+"/v1/admin/compliance/entries", nil) + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var body struct { + Data []interface{} `json:"data"` + } + decodeBody(t, resp, &body) + assert.Empty(t, body.Data) +} + diff --git a/test/integration/e2e_proxy_test.go b/test/integration/e2e_proxy_test.go new file mode 100644 index 0000000..34a5189 --- /dev/null +++ b/test/integration/e2e_proxy_test.go @@ -0,0 +1,577 @@ +//go:build integration + +// Package integration contains Sprint 11 E2E tests (E11-01a). +// Batch 1 covers: auth flows, proxy chat, streaming SSE, audit logging, +// rate limiting, and feature flags (pii_enabled, billing_enabled). +// +// Run with: go test -tags integration -v ./test/integration/ -run TestE2E_ +// All tests use httptest.Server + in-memory stubs — no external services needed. +package integration + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "net/http/httptest" + "strings" + "testing" + "time" + + "github.com/go-chi/chi/v5" + chimiddleware "github.com/go-chi/chi/v5/middleware" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "go.uber.org/zap" + + "github.com/veylant/ia-gateway/internal/apierror" + "github.com/veylant/ia-gateway/internal/auditlog" + "github.com/veylant/ia-gateway/internal/config" + "github.com/veylant/ia-gateway/internal/flags" + "github.com/veylant/ia-gateway/internal/health" + "github.com/veylant/ia-gateway/internal/middleware" + "github.com/veylant/ia-gateway/internal/provider" + "github.com/veylant/ia-gateway/internal/proxy" + "github.com/veylant/ia-gateway/internal/ratelimit" + "github.com/veylant/ia-gateway/internal/router" +) + +// ─── Test constants ────────────────────────────────────────────────────────── + +const ( + e2eTenantID = "00000000-0000-0000-0000-000000000042" + e2eUserID = "user-e2e-test" +) + +// ─── Helpers ────────────────────────────────────────────────────────────────── + +// e2eAdminClaims returns authenticated admin claims for the E2E tenant. +func e2eAdminClaims() *middleware.UserClaims { + return &middleware.UserClaims{ + UserID: e2eUserID, + TenantID: e2eTenantID, + Email: "e2e-admin@veylant.test", + Roles: []string{"admin"}, + } +} + +// e2eUserClaims returns authenticated user-role claims for the E2E tenant. +func e2eUserClaims(roles ...string) *middleware.UserClaims { + if len(roles) == 0 { + roles = []string{"user"} + } + return &middleware.UserClaims{ + UserID: e2eUserID, + TenantID: e2eTenantID, + Email: "e2e-user@veylant.test", + Roles: roles, + } +} + +// proxyServerOptions holds optional components for building a proxy test server. +type proxyServerOptions struct { + adapter provider.Adapter + flagStore flags.FlagStore + auditLog auditlog.Logger + verifier middleware.TokenVerifier + // rateLimiter, if nil, a permissive default is used. + rateLimiter *ratelimit.Limiter +} + +// buildProxyServer creates a fully wired httptest.Server with chi router, +// auth middleware, rate limiter, and proxy handler. All components are +// in-memory; no external services are required. +func buildProxyServer(t *testing.T, opts proxyServerOptions) *httptest.Server { + t.Helper() + + if opts.adapter == nil { + opts.adapter = &e2eStubAdapter{ + resp: &provider.ChatResponse{ + ID: "chatcmpl-e2e", + Model: "gpt-4o", + Choices: []provider.Choice{{Index: 0, Message: provider.Message{Role: "assistant", Content: "Hello!"}}}, + Usage: provider.Usage{PromptTokens: 10, CompletionTokens: 5, TotalTokens: 15}, + }, + } + } + if opts.flagStore == nil { + opts.flagStore = flags.NewMemFlagStore() + } + if opts.verifier == nil { + opts.verifier = &middleware.MockVerifier{Claims: e2eAdminClaims()} + } + if opts.rateLimiter == nil { + opts.rateLimiter = ratelimit.New(ratelimit.RateLimitConfig{ + RequestsPerMin: 6000, + BurstSize: 1000, + UserRPM: 6000, + UserBurst: 1000, + IsEnabled: true, + }, zap.NewNop()) + } + + // Build a single-adapter router (no RBAC enforcement by default — admin role). + rbac := &config.RBACConfig{ + UserAllowedModels: []string{"gpt-4o", "gpt-4o-mini", "mistral-small"}, + AuditorCanComplete: false, + } + providerRouter := router.New( + map[string]provider.Adapter{"openai": opts.adapter}, + rbac, + zap.NewNop(), + ) + providerRouter.WithFlagStore(opts.flagStore) + + proxyHandler := proxy.NewWithAudit(providerRouter, zap.NewNop(), nil, opts.auditLog, nil). + WithFlagStore(opts.flagStore) + + r := chi.NewRouter() + r.Use(chimiddleware.Recoverer) + r.Use(middleware.RequestID) + r.Get("/healthz", health.Handler) + + r.Route("/v1", func(r chi.Router) { + r.Use(middleware.Auth(opts.verifier)) + r.Use(middleware.RateLimit(opts.rateLimiter)) + r.Post("/chat/completions", proxyHandler.ServeHTTP) + }) + + srv := httptest.NewServer(r) + t.Cleanup(srv.Close) + return srv +} + +// doJSON sends a JSON request to the test server and returns the response. +func doJSON(t *testing.T, client *http.Client, method, url, token string, body interface{}) *http.Response { + t.Helper() + var r io.Reader + if body != nil { + b, err := json.Marshal(body) + require.NoError(t, err) + r = bytes.NewReader(b) + } + req, err := http.NewRequestWithContext(context.Background(), method, url, r) + require.NoError(t, err) + if token != "" { + req.Header.Set("Authorization", "Bearer "+token) + } + req.Header.Set("Content-Type", "application/json") + resp, err := client.Do(req) + require.NoError(t, err) + return resp +} + +// chatBody returns a minimal /v1/chat/completions request body. +func chatBody(model string, stream bool) map[string]interface{} { + return map[string]interface{}{ + "model": model, + "messages": []map[string]string{{"role": "user", "content": "Dis bonjour."}}, + "stream": stream, + } +} + +// ─── E2E stub adapter ───────────────────────────────────────────────────────── + +// e2eStubAdapter is a minimal provider.Adapter for E2E tests. +type e2eStubAdapter struct { + resp *provider.ChatResponse + sendErr error + sseLines []string +} + +func (s *e2eStubAdapter) Validate(req *provider.ChatRequest) error { + if req.Model == "" { + return apierror.NewBadRequestError("model required") + } + return nil +} + +func (s *e2eStubAdapter) Send(_ context.Context, _ *provider.ChatRequest) (*provider.ChatResponse, error) { + if s.sendErr != nil { + return nil, s.sendErr + } + resp := *s.resp // copy + return &resp, nil +} + +func (s *e2eStubAdapter) Stream(_ context.Context, _ *provider.ChatRequest, w http.ResponseWriter) error { + flusher, ok := w.(http.Flusher) + if !ok { + return fmt.Errorf("not flushable") + } + lines := s.sseLines + if len(lines) == 0 { + lines = []string{ + `data: {"id":"chatcmpl-e2e","object":"chat.completion.chunk","choices":[{"delta":{"content":"Hello"}}]}`, + `data: [DONE]`, + } + } + for _, line := range lines { + fmt.Fprintf(w, "%s\n\n", line) //nolint:errcheck + flusher.Flush() + } + return nil +} + +func (s *e2eStubAdapter) HealthCheck(_ context.Context) error { return nil } + +// ─── Scenario 1: GET /healthz ───────────────────────────────────────────────── + +// TestE2E_HealthCheck_Returns200 verifies the health endpoint is reachable and +// returns status "ok". This is the first check in any deployment pipeline. +func TestE2E_HealthCheck_Returns200(t *testing.T) { + srv := buildProxyServer(t, proxyServerOptions{}) + resp := doJSON(t, srv.Client(), http.MethodGet, srv.URL+"/healthz", "", nil) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var body struct { + Status string `json:"status"` + } + require.NoError(t, json.NewDecoder(resp.Body).Decode(&body)) + assert.Equal(t, "ok", body.Status) +} + +// ─── Scenario 2: Auth — no token → 401 ─────────────────────────────────────── + +// TestE2E_Auth_NoToken_Returns401 verifies that unauthenticated requests are +// rejected with 401 before they reach the proxy handler. +func TestE2E_Auth_NoToken_Returns401(t *testing.T) { + srv := buildProxyServer(t, proxyServerOptions{}) + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) + + var body struct { + Error struct{ Type string } `json:"error"` + } + require.NoError(t, json.NewDecoder(resp.Body).Decode(&body)) + assert.Equal(t, "authentication_error", body.Error.Type) +} + +// ─── Scenario 3: Auth — invalid token → 401 ────────────────────────────────── + +// TestE2E_Auth_InvalidToken_Returns401 verifies that a structurally invalid token +// causes the OIDC verifier to return an error and the middleware to reply 401. +func TestE2E_Auth_InvalidToken_Returns401(t *testing.T) { + srv := buildProxyServer(t, proxyServerOptions{ + verifier: &middleware.MockVerifier{Err: fmt.Errorf("token expired")}, + }) + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "invalid-token", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) +} + +// ─── Scenario 4: Auth — valid JWT → proxy responds 200 ─────────────────────── + +// TestE2E_Auth_ValidToken_ProxyResponds200 verifies end-to-end: valid JWT is +// accepted, proxy dispatches to the stub adapter, and returns a valid response. +func TestE2E_Auth_ValidToken_ProxyResponds200(t *testing.T) { + srv := buildProxyServer(t, proxyServerOptions{}) + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusOK, resp.StatusCode) + assert.Equal(t, "application/json", resp.Header.Get("Content-Type")) +} + +// ─── Scenario 5: Basic chat — response has choices ─────────────────────────── + +// TestE2E_Proxy_BasicChat_HasChoices verifies that the LLM response is properly +// forwarded: the `choices` array is present and contains the stub response. +func TestE2E_Proxy_BasicChat_HasChoices(t *testing.T) { + srv := buildProxyServer(t, proxyServerOptions{}) + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + + require.Equal(t, http.StatusOK, resp.StatusCode) + + var body struct { + Choices []struct { + Message struct{ Content string } `json:"message"` + } `json:"choices"` + } + require.NoError(t, json.NewDecoder(resp.Body).Decode(&body)) + require.Len(t, body.Choices, 1) + assert.Equal(t, "Hello!", body.Choices[0].Message.Content) +} + +// ─── Scenario 6: Streaming SSE ─────────────────────────────────────────────── + +// TestE2E_Proxy_Streaming_SSEFormat verifies that a stream:true request receives +// Content-Type: text/event-stream and at least one SSE data chunk. +func TestE2E_Proxy_Streaming_SSEFormat(t *testing.T) { + srv := buildProxyServer(t, proxyServerOptions{}) + + body, err := json.Marshal(chatBody("gpt-4o", true)) + require.NoError(t, err) + + req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, + srv.URL+"/v1/chat/completions", bytes.NewReader(body)) + require.NoError(t, err) + req.Header.Set("Authorization", "Bearer valid-token") + req.Header.Set("Content-Type", "application/json") + + resp, err := srv.Client().Do(req) + require.NoError(t, err) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusOK, resp.StatusCode) + assert.Equal(t, "text/event-stream", resp.Header.Get("Content-Type")) + + buf, err := io.ReadAll(resp.Body) + require.NoError(t, err) + assert.Contains(t, string(buf), "data:") +} + +// ─── Scenario 7: Audit log entry created ───────────────────────────────────── + +// TestE2E_Proxy_AuditLog_EntryCreated verifies that after a successful request, +// a single audit entry is recorded with the correct tenant and user fields. +func TestE2E_Proxy_AuditLog_EntryCreated(t *testing.T) { + memLog := auditlog.NewMemLogger() + + srv := buildProxyServer(t, proxyServerOptions{auditLog: memLog}) + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + require.Equal(t, http.StatusOK, resp.StatusCode) + + // The audit logger is async but MemLogger.Log is synchronous. + entries := memLog.Entries() + require.Len(t, entries, 1) + + entry := entries[0] + assert.Equal(t, e2eTenantID, entry.TenantID) + assert.Equal(t, e2eUserID, entry.UserID) + assert.Equal(t, "gpt-4o", entry.ModelRequested) + assert.Equal(t, "ok", entry.Status) + assert.NotEmpty(t, entry.PromptHash, "prompt hash should be recorded") +} + +// ─── Scenario 8: Rate limiting → 429 ───────────────────────────────────────── + +// TestE2E_Proxy_RateLimit_Returns429 verifies that a tenant with a burst of 1 +// receives 429 on the second request within the same burst window. +func TestE2E_Proxy_RateLimit_Returns429(t *testing.T) { + tightLimiter := ratelimit.New(ratelimit.RateLimitConfig{ + RequestsPerMin: 60, + BurstSize: 1, // burst of 1 → second request is rate-limited + UserRPM: 600, + UserBurst: 100, + IsEnabled: true, + }, zap.NewNop()) + + srv := buildProxyServer(t, proxyServerOptions{rateLimiter: tightLimiter}) + + client := srv.Client() + + // First request: should succeed. + resp1 := doJSON(t, client, http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp1.Body.Close() //nolint:errcheck + assert.Equal(t, http.StatusOK, resp1.StatusCode, "first request should be allowed") + + // Second request: burst exhausted → 429. + resp2 := doJSON(t, client, http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp2.Body.Close() //nolint:errcheck + assert.Equal(t, http.StatusTooManyRequests, resp2.StatusCode, "second request should be rate limited") + + var body struct { + Error struct{ Type string } `json:"error"` + } + _ = json.NewDecoder(resp2.Body).Decode(&body) + assert.Equal(t, "rate_limit_error", body.Error.Type) +} + +// ─── Scenario 9: billing_enabled flag → CostUSD zeroed ─────────────────────── + +// TestE2E_Proxy_Billing_Flag_Disabled_ZerosCost verifies that when billing_enabled +// is set to false for a tenant, the CostUSD field in the audit entry is zeroed. +func TestE2E_Proxy_Billing_Flag_Disabled_ZerosCost(t *testing.T) { + memLog := auditlog.NewMemLogger() + fs := flags.NewMemFlagStore() + + // Explicitly disable billing for the test tenant. + ctx := context.Background() + _, err := fs.Set(ctx, e2eTenantID, "billing_enabled", false) + require.NoError(t, err) + // Also seed pii_enabled=true so the flag store is "warm" (like after migration 000009). + _, err = fs.Set(ctx, "", "pii_enabled", true) + require.NoError(t, err) + + srv := buildProxyServer(t, proxyServerOptions{auditLog: memLog, flagStore: fs}) + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + require.Equal(t, http.StatusOK, resp.StatusCode) + + entries := memLog.Entries() + require.Len(t, entries, 1) + assert.Equal(t, 0.0, entries[0].CostUSD, "billing_enabled=false should zero the cost") +} + +// ─── Scenario 10: RBAC — user role + allowed model → 200 ───────────────────── + +// TestE2E_Auth_RBAC_UserRole_AllowedModel_Returns200 verifies that a `user`-role +// JWT can call /v1/chat/completions for models in the allowlist (gpt-4o-mini). +func TestE2E_Auth_RBAC_UserRole_AllowedModel_Returns200(t *testing.T) { + // User-role verifier (not admin). + userVerifier := &middleware.MockVerifier{Claims: e2eUserClaims("user")} + + // Adapter that responds to gpt-4o-mini requests. + adapter := &e2eStubAdapter{ + resp: &provider.ChatResponse{ + ID: "chatcmpl-mini", + Model: "gpt-4o-mini", + Choices: []provider.Choice{{Message: provider.Message{Role: "assistant", Content: "Hi!"}}}, + Usage: provider.Usage{TotalTokens: 5}, + }, + } + + srv := buildProxyServer(t, proxyServerOptions{ + adapter: adapter, + verifier: userVerifier, + }) + + // gpt-4o-mini is in the default UserAllowedModels — should be allowed. + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "user-token", chatBody("gpt-4o-mini", false)) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusOK, resp.StatusCode, + "user role should be allowed to use gpt-4o-mini (in allowlist)") +} + +// ─── Additional: request ID propagation ────────────────────────────────────── + +// TestE2E_Proxy_RequestID_InLogs verifies that the X-Request-Id header is +// set on the request context and the request ID is stored in the audit entry. +func TestE2E_Proxy_RequestID_InLogs(t *testing.T) { + memLog := auditlog.NewMemLogger() + srv := buildProxyServer(t, proxyServerOptions{auditLog: memLog}) + + req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, + srv.URL+"/v1/chat/completions", + strings.NewReader(`{"model":"gpt-4o","messages":[{"role":"user","content":"hi"}]}`)) + require.NoError(t, err) + req.Header.Set("Authorization", "Bearer valid-token") + req.Header.Set("Content-Type", "application/json") + req.Header.Set("X-Request-Id", "e2e-test-req-id-42") + + resp, err := srv.Client().Do(req) + require.NoError(t, err) + defer resp.Body.Close() //nolint:errcheck + require.Equal(t, http.StatusOK, resp.StatusCode) + + entries := memLog.Entries() + require.Len(t, entries, 1) + assert.NotEmpty(t, entries[0].RequestID, "request ID should be recorded in audit entry") +} + +// ─── Additional: pii_enabled flag does not break normal flow ───────────────── + +// TestE2E_Proxy_PII_Flag_Enabled_NoClientIsNoOp verifies that pii_enabled=true +// with no PII client configured (nil) does not cause an error — the proxy +// degrades gracefully by skipping PII anonymization. +func TestE2E_Proxy_PII_Flag_Enabled_NoClientIsNoOp(t *testing.T) { + fs := flags.NewMemFlagStore() + ctx := context.Background() + // Seed pii_enabled=true globally (as migration 000009 does). + _, err := fs.Set(ctx, "", "pii_enabled", true) + require.NoError(t, err) + + memLog := auditlog.NewMemLogger() + srv := buildProxyServer(t, proxyServerOptions{flagStore: fs, auditLog: memLog}) + + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", + map[string]interface{}{ + "model": "gpt-4o", + "messages": []map[string]string{{"role": "user", "content": "Mon IBAN est FR76 3000 6000 0112 3456 7890 189"}}, + }) + defer resp.Body.Close() //nolint:errcheck + + // pii_enabled=true but no PII client → still succeeds, no error. + assert.Equal(t, http.StatusOK, resp.StatusCode) + entries := memLog.Entries() + require.Len(t, entries, 1) + // No PII client → entity count is 0. + assert.Equal(t, 0, entries[0].PIIEntityCount) +} + +// ─── Additional: invalid JSON body → 400 ───────────────────────────────────── + +// TestE2E_Proxy_InvalidJSON_Returns400 verifies that a malformed JSON body +// is rejected immediately with 400 invalid_request_error. +func TestE2E_Proxy_InvalidJSON_Returns400(t *testing.T) { + srv := buildProxyServer(t, proxyServerOptions{}) + + req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, + srv.URL+"/v1/chat/completions", + strings.NewReader(`{not valid json`)) + require.NoError(t, err) + req.Header.Set("Authorization", "Bearer valid-token") + req.Header.Set("Content-Type", "application/json") + + resp, err := srv.Client().Do(req) + require.NoError(t, err) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusBadRequest, resp.StatusCode) + + var body struct { + Error struct{ Type string } `json:"error"` + } + require.NoError(t, json.NewDecoder(resp.Body).Decode(&body)) + assert.Equal(t, "invalid_request_error", body.Error.Type) +} + +// ─── Additional: upstream error → 502 ──────────────────────────────────────── + +// TestE2E_Proxy_UpstreamError_Returns502 verifies that when the LLM provider +// returns an error, the proxy responds with 502 and the correct error type. +func TestE2E_Proxy_UpstreamError_Returns502(t *testing.T) { + errAdapter := &e2eStubAdapter{ + resp: nil, + sendErr: fmt.Errorf("connection refused"), + } + srv := buildProxyServer(t, proxyServerOptions{adapter: errAdapter}) + + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + + assert.Equal(t, http.StatusBadGateway, resp.StatusCode) +} + +// ─── Additional: routing_enabled flag (via MemFlagStore seeding) ───────────── + +// TestE2E_Proxy_RoutingFlag_Enabled_DefaultsBehavior verifies that explicitly +// setting routing_enabled=true (global default from migration 000009) does not +// break the static routing path when no routing engine is configured. +func TestE2E_Proxy_RoutingFlag_Enabled_DefaultsBehavior(t *testing.T) { + fs := flags.NewMemFlagStore() + ctx := context.Background() + _, err := fs.Set(ctx, "", "routing_enabled", true) + require.NoError(t, err) + + srv := buildProxyServer(t, proxyServerOptions{flagStore: fs}) + resp := doJSON(t, srv.Client(), http.MethodPost, srv.URL+"/v1/chat/completions", "valid-token", chatBody("gpt-4o", false)) + defer resp.Body.Close() //nolint:errcheck + + // routing_enabled=true + no engine → static prefix rules → should still work. + assert.Equal(t, http.StatusOK, resp.StatusCode) +} + +// ─── Ensure test timeout is reasonable ─────────────────────────────────────── + +// TestE2E_Proxy_BatchRunsUnder30s is a meta-test verifying that all proxy E2E +// tests complete well within the 10-minute CI budget. It times the package. +func TestE2E_Proxy_BatchRunsUnder30s(t *testing.T) { + start := time.Now() + t.Cleanup(func() { + elapsed := time.Since(start) + t.Logf("E2E proxy batch wall time: %v", elapsed) + assert.Less(t, elapsed, 30*time.Second, "proxy E2E tests should complete in < 30s") + }) +} diff --git a/test/k6/README.md b/test/k6/README.md new file mode 100644 index 0000000..34480f5 --- /dev/null +++ b/test/k6/README.md @@ -0,0 +1,88 @@ +# Veylant IA — Load Tests (k6) + +Performance tests for the Veylant proxy using [k6](https://k6.io). + +## Prerequisites + +```bash +brew install k6 # macOS +# or: https://k6.io/docs/getting-started/installation/ +``` + +The proxy must be running: `make dev` (or point `VEYLANT_URL` at staging). + +## Scripts + +| Script | Description | +|--------|-------------| +| `k6-load-test.js` | Multi-scenario script (smoke / load / stress / soak) — **use this** | +| `load_test.js` | Sprint 10 single-scenario script (1 000 VUs, 8 min) — kept for reference | + +## Running tests + +### Via Makefile (recommended) + +```bash +make load-test # smoke scenario (CI default) +make load-test SCENARIO=load # 50 VUs, 5 min steady state +make load-test SCENARIO=stress # 0→200 VUs, find breaking point +make load-test SCENARIO=soak # 20 VUs, 30 min (detect memory leaks) +``` + +### Via k6 directly + +```bash +# Basic (load scenario, local proxy) +k6 run \ + --env VEYLANT_URL=http://localhost:8090 \ + --env VEYLANT_TOKEN=dev-token \ + --env SCENARIO=load \ + test/k6/k6-load-test.js + +# Against staging +k6 run \ + --env VEYLANT_URL=https://api-staging.veylant.ai \ + --env VEYLANT_TOKEN=$STAGING_JWT \ + --env SCENARIO=stress \ + test/k6/k6-load-test.js + +# With k6 Cloud output (requires K6_CLOUD_TOKEN) +k6 run --out cloud test/k6/k6-load-test.js +``` + +## Scenarios + +| Scenario | VUs | Duration | Purpose | +|----------|-----|----------|---------| +| `smoke` | 1 | 1 min | Sanity check — runs in CI on every push | +| `load` | 0→50→0 | 7 min | Steady-state: validates SLAs under normal load | +| `stress` | 0→200 | 7 min | Find the breaking point (target: > 200 VUs) | +| `soak` | 20 | 30 min | Detect memory leaks / slow GC under sustained load | + +## Thresholds (SLAs) + +| Metric | Target | +|--------|--------| +| `http_req_duration p(99)` | < 500ms | +| `http_req_duration p(95)` | < 200ms | +| `http_req_failed` | < 1% | +| `veylant_chat_latency_ms p(99)` | < 500ms | +| `veylant_error_rate` | < 1% | + +## Interpreting results + +- **`http_req_duration`** — end-to-end latency including upstream LLM. For Ollama models on local hardware this includes model inference time. +- **`veylant_error_rate`** — tracks application-level errors (non-200 or missing `choices` array). +- **`veylant_chat_errors`** / **`veylant_health_errors`** — absolute error counts per endpoint type. + +A passing run looks like: + +``` +✓ http_req_duration.............: avg=42ms p(95)=112ms p(99)=287ms +✓ http_req_failed...............: 0.00% +✓ veylant_error_rate............: 0.00% +``` + +## CI integration + +The `smoke` scenario runs automatically in the GitHub Actions `load-test` job (see `.github/workflows/ci.yml`). The job uses a mock Ollama that returns static responses to ensure deterministic latency. diff --git a/test/k6/k6-load-test.js b/test/k6/k6-load-test.js new file mode 100644 index 0000000..ed04f90 --- /dev/null +++ b/test/k6/k6-load-test.js @@ -0,0 +1,152 @@ +// k6 multi-scenario load test for Veylant IA Proxy (E2-12, Sprint 12). +// +// Four scenarios in a single script: +// smoke — 1 VU, 1 min : sanity check (CI) +// load — ramp 0→50 VUs, 5 min plateau : steady-state validation +// stress — ramp 0→200 VUs : find the breaking point +// soak — 20 VUs, 30 min : detect memory leaks and slow degradation +// +// Select scenario via SCENARIO env var (default: load): +// k6 run --env SCENARIO=smoke test/k6/k6-load-test.js +// k6 run --env SCENARIO=stress test/k6/k6-load-test.js +// +// Other env vars: +// VEYLANT_URL — proxy base URL (default: http://localhost:8090) +// VEYLANT_TOKEN — Bearer token (default: dev-token) +// MODEL — model name (default: llama3.2) +// +// Run via Makefile: +// make load-test (load scenario) +// make load-test SCENARIO=stress (stress scenario) + +import http from 'k6/http'; +import { check, sleep, group } from 'k6'; +import { Counter, Rate, Trend } from 'k6/metrics'; + +// ── Custom metrics ───────────────────────────────────────────────────────────── +const chatErrors = new Counter('veylant_chat_errors'); +const healthErrors = new Counter('veylant_health_errors'); +const errorRate = new Rate('veylant_error_rate'); +const chatLatency = new Trend('veylant_chat_latency_ms', true); + +// ── Config ───────────────────────────────────────────────────────────────────── +const VEYLANT_URL = __ENV.VEYLANT_URL || 'http://localhost:8090'; +const TOKEN = __ENV.VEYLANT_TOKEN || 'dev-token'; +const MODEL = __ENV.MODEL || 'llama3.2'; +const SCENARIO = __ENV.SCENARIO || 'load'; + +const scenarios = { + smoke: { + executor: 'constant-vus', + vus: 1, + duration: '1m', + }, + load: { + executor: 'ramping-vus', + startVUs: 0, + stages: [ + { duration: '1m', target: 50 }, // ramp up + { duration: '5m', target: 50 }, // steady state + { duration: '1m', target: 0 }, // ramp down + ], + gracefulRampDown: '30s', + }, + stress: { + executor: 'ramping-vus', + startVUs: 0, + stages: [ + { duration: '2m', target: 50 }, + { duration: '2m', target: 100 }, + { duration: '2m', target: 200 }, + { duration: '1m', target: 0 }, + ], + gracefulRampDown: '30s', + }, + soak: { + executor: 'constant-vus', + vus: 20, + duration: '30m', + }, +}; + +export const options = { + scenarios: { [SCENARIO]: scenarios[SCENARIO] }, + thresholds: { + http_req_duration: ['p(99)<500', 'p(95)<200'], + http_req_failed: ['rate<0.01'], + veylant_error_rate: ['rate<0.01'], + veylant_chat_latency_ms: ['p(99)<500'], + }, +}; + +// ── Request helpers ──────────────────────────────────────────────────────────── +const chatParams = { + headers: { + 'Content-Type': 'application/json', + 'Authorization': `Bearer ${TOKEN}`, + }, + timeout: '10s', +}; + +const chatBody = JSON.stringify({ + model: MODEL, + messages: [{ role: 'user', content: 'Bonjour, résume en une phrase le principe de la RGPD.' }], + stream: false, +}); + +// ── Default function ─────────────────────────────────────────────────────────── +export default function () { + // Mix: 90% chat completions, 10% health checks. + if (Math.random() < 0.9) { + group('chat_completions', () => { + const res = http.post(`${VEYLANT_URL}/v1/chat/completions`, chatBody, chatParams); + + const ok = check(res, { + 'chat: status 200': (r) => r.status === 200, + 'chat: has choices': (r) => { + try { + const body = JSON.parse(r.body); + return Array.isArray(body.choices) && body.choices.length > 0; + } catch (_) { + return false; + } + }, + 'chat: no error key': (r) => !r.body.includes('"error"'), + }); + + chatLatency.add(res.timings.duration); + if (!ok) { + chatErrors.add(1); + errorRate.add(1); + } else { + errorRate.add(0); + } + }); + } else { + group('health', () => { + const res = http.get(`${VEYLANT_URL}/healthz`, { timeout: '2s' }); + const ok = check(res, { + 'health: status 200': (r) => r.status === 200, + 'health: body ok': (r) => r.body.includes('"ok"') || r.body.includes('"status"'), + }); + if (!ok) healthErrors.add(1); + }); + } + + // Realistic inter-request think time: 100–500ms. + sleep(0.1 + Math.random() * 0.4); +} + +// ── Setup — abort early if proxy is unreachable ──────────────────────────────── +export function setup() { + const res = http.get(`${VEYLANT_URL}/healthz`, { timeout: '5s' }); + if (res.status !== 200) { + throw new Error(`[setup] Proxy not reachable: ${VEYLANT_URL}/healthz → HTTP ${res.status}`); + } + console.log(`[setup] Scenario="${SCENARIO}" URL="${VEYLANT_URL}" model="${MODEL}"`); + return { startTime: new Date().toISOString() }; +} + +export function teardown(data) { + console.log(`[teardown] Test started at ${data.startTime}. Check threshold summary above.`); +} diff --git a/test/k6/load_test.js b/test/k6/load_test.js new file mode 100644 index 0000000..889f0f3 --- /dev/null +++ b/test/k6/load_test.js @@ -0,0 +1,102 @@ +// k6 load test for Veylant IA Proxy (E10-10). +// +// Targets: +// - p99 latency < 300ms +// - error rate < 1% +// - 1 000 VU sustained for 8 minutes +// +// Run (requires a running proxy + mock Ollama): +// k6 run test/k6/load_test.js +// +// Environment variables: +// BASE_URL — proxy base URL (default: http://localhost:8090) +// AUTH_TOKEN — Bearer token (default: dev-token) +// MODEL — LLM model name (default: llama3.2, routed to local Ollama) + +import http from 'k6/http'; +import { check, sleep } from 'k6'; +import { Rate, Trend } from 'k6/metrics'; + +// ── Custom metrics ──────────────────────────────────────────────────────────── +const errorRate = new Rate('custom_error_rate'); +const chatLatency = new Trend('chat_latency_ms', true); +const healthLatency = new Trend('health_latency_ms', true); + +// ── Test configuration ──────────────────────────────────────────────────────── +export const options = { + stages: [ + { duration: '1m', target: 100 }, // ramp-up + { duration: '8m', target: 1000 }, // sustained load + { duration: '1m', target: 0 }, // ramp-down + ], + thresholds: { + // SLA targets + http_req_duration: ['p(99)<300'], // p99 < 300ms + http_req_failed: ['rate<0.01'], // < 1% HTTP errors + custom_error_rate: ['rate<0.01'], // < 1% application errors + chat_latency_ms: ['p(99)<300'], + }, +}; + +// ── Helpers ─────────────────────────────────────────────────────────────────── +const BASE_URL = __ENV.BASE_URL || 'http://localhost:8090'; +const AUTH_TOKEN = __ENV.AUTH_TOKEN || 'dev-token'; +const MODEL = __ENV.MODEL || 'llama3.2'; + +const chatParams = { + headers: { + 'Content-Type': 'application/json', + 'Authorization': `Bearer ${AUTH_TOKEN}`, + }, + timeout: '5s', +}; + +const chatBody = JSON.stringify({ + model: MODEL, + messages: [{ role: 'user', content: 'Dis-moi bonjour en une phrase.' }], + stream: false, +}); + +// ── Default scenario ────────────────────────────────────────────────────────── +export default function () { + // 90% chat completions, 10% health checks (mirrors production traffic mix). + if (Math.random() < 0.9) { + const res = http.post(`${BASE_URL}/v1/chat/completions`, chatBody, chatParams); + + const ok = check(res, { + 'chat: status 200': (r) => r.status === 200, + 'chat: has choices': (r) => { + try { + const body = JSON.parse(r.body); + return Array.isArray(body.choices) && body.choices.length > 0; + } catch (_) { + return false; + } + }, + }); + + chatLatency.add(res.timings.duration); + errorRate.add(!ok); + } else { + const res = http.get(`${BASE_URL}/healthz`, { timeout: '2s' }); + check(res, { 'health: status 200': (r) => r.status === 200 }); + healthLatency.add(res.timings.duration); + } + + // Think time: 0–200ms random (simulates realistic inter-request spacing). + sleep(Math.random() * 0.2); +} + +// ── Setup — verify proxy is reachable before starting ──────────────────────── +export function setup() { + const res = http.get(`${BASE_URL}/healthz`); + if (res.status !== 200) { + throw new Error(`Proxy not reachable at ${BASE_URL}/healthz — status ${res.status}`); + } + console.log(`Load test starting. Target: ${BASE_URL}, model: ${MODEL}`); +} + +// ── Teardown — summary ──────────────────────────────────────────────────────── +export function teardown(data) { + console.log('Load test complete. Check thresholds in the summary above.'); +} diff --git a/web/.gitkeep b/web/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/web/index.html b/web/index.html new file mode 100644 index 0000000..7e76ec2 --- /dev/null +++ b/web/index.html @@ -0,0 +1,13 @@ + + + + + + + Veylant IA — Dashboard + + +
+ + + diff --git a/web/package-lock.json b/web/package-lock.json new file mode 100644 index 0000000..75bdea7 --- /dev/null +++ b/web/package-lock.json @@ -0,0 +1,4218 @@ +{ + "name": "veylant-dashboard", + "version": "0.1.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "veylant-dashboard", + "version": "0.1.0", + "dependencies": { + "@hookform/resolvers": "^3.9.0", + "@radix-ui/react-alert-dialog": "^1.1.1", + "@radix-ui/react-dialog": "^1.1.1", + "@radix-ui/react-label": "^2.1.0", + "@radix-ui/react-select": "^2.1.1", + "@radix-ui/react-separator": "^1.1.0", + "@radix-ui/react-slot": "^1.1.0", + "@radix-ui/react-switch": "^1.1.0", + "@tanstack/react-query": "^5.56.2", + "class-variance-authority": "^0.7.0", + "clsx": "^2.1.1", + "date-fns": "^3.6.0", + "lucide-react": "^0.446.0", + "oidc-client-ts": "^3.1.0", + "react": "^18.3.1", + "react-dom": "^18.3.1", + "react-hook-form": "^7.53.0", + "react-oidc-context": "^3.2.0", + "react-router-dom": "^6.26.2", + "recharts": "^2.12.7", + "tailwind-merge": "^2.5.2", + "zod": "^3.23.8" + }, + "devDependencies": { + "@types/node": "^22.5.5", + "@types/react": "^18.3.5", + "@types/react-dom": "^18.3.0", + "@vitejs/plugin-react": "^4.3.1", + "autoprefixer": "^10.4.20", + "postcss": "^8.4.45", + "tailwindcss": "^3.4.11", + "typescript": "^5.5.3", + "vite": "^5.4.3" + } + }, + "node_modules/@alloc/quick-lru": { + "version": "5.2.0", + "resolved": "https://registry.npmjs.org/@alloc/quick-lru/-/quick-lru-5.2.0.tgz", + "integrity": "sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/@babel/code-frame": { + "version": "7.29.0", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz", + "integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/helper-validator-identifier": "^7.28.5", + "js-tokens": "^4.0.0", + "picocolors": "^1.1.1" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/compat-data": { + "version": "7.29.0", + "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.29.0.tgz", + "integrity": "sha512-T1NCJqT/j9+cn8fvkt7jtwbLBfLC/1y1c7NtCeXFRgzGTsafi68MRv8yzkYSapBnFA6L3U2VSc02ciDzoAJhJg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/core": { + "version": "7.29.0", + "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.29.0.tgz", + "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/code-frame": "^7.29.0", + "@babel/generator": "^7.29.0", + "@babel/helper-compilation-targets": "^7.28.6", + "@babel/helper-module-transforms": "^7.28.6", + "@babel/helpers": "^7.28.6", + "@babel/parser": "^7.29.0", + "@babel/template": "^7.28.6", + "@babel/traverse": "^7.29.0", + "@babel/types": "^7.29.0", + "@jridgewell/remapping": "^2.3.5", + "convert-source-map": "^2.0.0", + "debug": "^4.1.0", + "gensync": "^1.0.0-beta.2", + "json5": "^2.2.3", + "semver": "^6.3.1" + }, + "engines": { + "node": ">=6.9.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/babel" + } + }, + "node_modules/@babel/generator": { + "version": "7.29.1", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.29.1.tgz", + "integrity": "sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/parser": "^7.29.0", + "@babel/types": "^7.29.0", + "@jridgewell/gen-mapping": "^0.3.12", + "@jridgewell/trace-mapping": "^0.3.28", + "jsesc": "^3.0.2" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-compilation-targets": { + "version": "7.28.6", + "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.28.6.tgz", + "integrity": "sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/compat-data": "^7.28.6", + "@babel/helper-validator-option": "^7.27.1", + "browserslist": "^4.24.0", + "lru-cache": "^5.1.1", + "semver": "^6.3.1" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-globals": { + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz", + "integrity": "sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-module-imports": { + "version": "7.28.6", + "resolved": "https://registry.npmjs.org/@babel/helper-module-imports/-/helper-module-imports-7.28.6.tgz", + "integrity": "sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/traverse": "^7.28.6", + "@babel/types": "^7.28.6" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-module-transforms": { + "version": "7.28.6", + "resolved": "https://registry.npmjs.org/@babel/helper-module-transforms/-/helper-module-transforms-7.28.6.tgz", + "integrity": "sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/helper-module-imports": "^7.28.6", + "@babel/helper-validator-identifier": "^7.28.5", + "@babel/traverse": "^7.28.6" + }, + "engines": { + "node": ">=6.9.0" + }, + "peerDependencies": { + "@babel/core": "^7.0.0" + } + }, + "node_modules/@babel/helper-plugin-utils": { + "version": "7.28.6", + "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.28.6.tgz", + "integrity": "sha512-S9gzZ/bz83GRysI7gAD4wPT/AI3uCnY+9xn+Mx/KPs2JwHJIz1W8PZkg2cqyt3RNOBM8ejcXhV6y8Og7ly/Dug==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-string-parser": { + "version": "7.27.1", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz", + "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-validator-identifier": { + "version": "7.28.5", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz", + "integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-validator-option": { + "version": "7.27.1", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz", + "integrity": "sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helpers": { + "version": "7.28.6", + "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.28.6.tgz", + "integrity": "sha512-xOBvwq86HHdB7WUDTfKfT/Vuxh7gElQ+Sfti2Cy6yIWNW05P8iUslOVcZ4/sKbE+/jQaukQAdz/gf3724kYdqw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/template": "^7.28.6", + "@babel/types": "^7.28.6" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/parser": { + "version": "7.29.0", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.0.tgz", + "integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/types": "^7.29.0" + }, + "bin": { + "parser": "bin/babel-parser.js" + }, + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/@babel/plugin-transform-react-jsx-self": { + "version": "7.27.1", + "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-self/-/plugin-transform-react-jsx-self-7.27.1.tgz", + "integrity": "sha512-6UzkCs+ejGdZ5mFFC/OCUrv028ab2fp1znZmCZjAOBKiBK2jXD1O+BPSfX8X2qjJ75fZBMSnQn3Rq2mrBJK2mw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/helper-plugin-utils": "^7.27.1" + }, + "engines": { + "node": ">=6.9.0" + }, + "peerDependencies": { + "@babel/core": "^7.0.0-0" + } + }, + "node_modules/@babel/plugin-transform-react-jsx-source": { + "version": "7.27.1", + "resolved": "https://registry.npmjs.org/@babel/plugin-transform-react-jsx-source/-/plugin-transform-react-jsx-source-7.27.1.tgz", + "integrity": "sha512-zbwoTsBruTeKB9hSq73ha66iFeJHuaFkUbwvqElnygoNbj/jHRsSeokowZFN3CZ64IvEqcmmkVe89OPXc7ldAw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/helper-plugin-utils": "^7.27.1" + }, + "engines": { + "node": ">=6.9.0" + }, + "peerDependencies": { + "@babel/core": "^7.0.0-0" + } + }, + "node_modules/@babel/runtime": { + "version": "7.28.6", + "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.28.6.tgz", + "integrity": "sha512-05WQkdpL9COIMz4LjTxGpPNCdlpyimKppYNoJ5Di5EUObifl8t4tuLuUBBZEpoLYOmfvIWrsp9fCl0HoPRVTdA==", + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/template": { + "version": "7.28.6", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz", + "integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/code-frame": "^7.28.6", + "@babel/parser": "^7.28.6", + "@babel/types": "^7.28.6" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/traverse": { + "version": "7.29.0", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.29.0.tgz", + "integrity": "sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/code-frame": "^7.29.0", + "@babel/generator": "^7.29.0", + "@babel/helper-globals": "^7.28.0", + "@babel/parser": "^7.29.0", + "@babel/template": "^7.28.6", + "@babel/types": "^7.29.0", + "debug": "^4.3.1" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/types": { + "version": "7.29.0", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz", + "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/helper-string-parser": "^7.27.1", + "@babel/helper-validator-identifier": "^7.28.5" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@esbuild/aix-ppc64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.21.5.tgz", + "integrity": "sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "aix" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/android-arm": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.21.5.tgz", + "integrity": "sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/android-arm64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.21.5.tgz", + "integrity": "sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/android-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.21.5.tgz", + "integrity": "sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/darwin-arm64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.21.5.tgz", + "integrity": "sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/darwin-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.21.5.tgz", + "integrity": "sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/freebsd-arm64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.21.5.tgz", + "integrity": "sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/freebsd-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.21.5.tgz", + "integrity": "sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-arm": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.21.5.tgz", + "integrity": "sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-arm64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.21.5.tgz", + "integrity": "sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-ia32": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.21.5.tgz", + "integrity": "sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-loong64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.21.5.tgz", + "integrity": "sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==", + "cpu": [ + "loong64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-mips64el": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.21.5.tgz", + "integrity": "sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==", + "cpu": [ + "mips64el" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-ppc64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.21.5.tgz", + "integrity": "sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-riscv64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.21.5.tgz", + "integrity": "sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==", + "cpu": [ + "riscv64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-s390x": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.21.5.tgz", + "integrity": "sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==", + "cpu": [ + "s390x" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/linux-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.21.5.tgz", + "integrity": "sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/netbsd-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.21.5.tgz", + "integrity": "sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/openbsd-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.21.5.tgz", + "integrity": "sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/sunos-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.21.5.tgz", + "integrity": "sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "sunos" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/win32-arm64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.21.5.tgz", + "integrity": "sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/win32-ia32": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.21.5.tgz", + "integrity": "sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@esbuild/win32-x64": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.21.5.tgz", + "integrity": "sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=12" + } + }, + "node_modules/@floating-ui/core": { + "version": "1.7.4", + "resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.4.tgz", + "integrity": "sha512-C3HlIdsBxszvm5McXlB8PeOEWfBhcGBTZGkGlWc2U0KFY5IwG5OQEuQ8rq52DZmcHDlPLd+YFBK+cZcytwIFWg==", + "license": "MIT", + "dependencies": { + "@floating-ui/utils": "^0.2.10" + } + }, + "node_modules/@floating-ui/dom": { + "version": "1.7.5", + "resolved": "https://registry.npmjs.org/@floating-ui/dom/-/dom-1.7.5.tgz", + "integrity": "sha512-N0bD2kIPInNHUHehXhMke1rBGs1dwqvC9O9KYMyyjK7iXt7GAhnro7UlcuYcGdS/yYOlq0MAVgrow8IbWJwyqg==", + "license": "MIT", + "dependencies": { + "@floating-ui/core": "^1.7.4", + "@floating-ui/utils": "^0.2.10" + } + }, + "node_modules/@floating-ui/react-dom": { + "version": "2.1.7", + "resolved": "https://registry.npmjs.org/@floating-ui/react-dom/-/react-dom-2.1.7.tgz", + "integrity": "sha512-0tLRojf/1Go2JgEVm+3Frg9A3IW8bJgKgdO0BN5RkF//ufuz2joZM63Npau2ff3J6lUVYgDSNzNkR+aH3IVfjg==", + "license": "MIT", + "dependencies": { + "@floating-ui/dom": "^1.7.5" + }, + "peerDependencies": { + "react": ">=16.8.0", + "react-dom": ">=16.8.0" + } + }, + "node_modules/@floating-ui/utils": { + "version": "0.2.10", + "resolved": "https://registry.npmjs.org/@floating-ui/utils/-/utils-0.2.10.tgz", + "integrity": "sha512-aGTxbpbg8/b5JfU1HXSrbH3wXZuLPJcNEcZQFMxLs3oSzgtVu6nFPkbbGGUvBcUjKV2YyB9Wxxabo+HEH9tcRQ==", + "license": "MIT" + }, + "node_modules/@hookform/resolvers": { + "version": "3.10.0", + "resolved": "https://registry.npmjs.org/@hookform/resolvers/-/resolvers-3.10.0.tgz", + "integrity": "sha512-79Dv+3mDF7i+2ajj7SkypSKHhl1cbln1OGavqrsF7p6mbUv11xpqpacPsGDCTRvCSjEEIez2ef1NveSVL3b0Ag==", + "license": "MIT", + "peerDependencies": { + "react-hook-form": "^7.0.0" + } + }, + "node_modules/@jridgewell/gen-mapping": { + "version": "0.3.13", + "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.13.tgz", + "integrity": "sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@jridgewell/sourcemap-codec": "^1.5.0", + "@jridgewell/trace-mapping": "^0.3.24" + } + }, + "node_modules/@jridgewell/remapping": { + "version": "2.3.5", + "resolved": "https://registry.npmjs.org/@jridgewell/remapping/-/remapping-2.3.5.tgz", + "integrity": "sha512-LI9u/+laYG4Ds1TDKSJW2YPrIlcVYOwi2fUC6xB43lueCjgxV4lffOCZCtYFiH6TNOX+tQKXx97T4IKHbhyHEQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@jridgewell/gen-mapping": "^0.3.5", + "@jridgewell/trace-mapping": "^0.3.24" + } + }, + "node_modules/@jridgewell/resolve-uri": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz", + "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/@jridgewell/sourcemap-codec": { + "version": "1.5.5", + "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz", + "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==", + "dev": true, + "license": "MIT" + }, + "node_modules/@jridgewell/trace-mapping": { + "version": "0.3.31", + "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz", + "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@jridgewell/resolve-uri": "^3.1.0", + "@jridgewell/sourcemap-codec": "^1.4.14" + } + }, + "node_modules/@nodelib/fs.scandir": { + "version": "2.1.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", + "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==", + "dev": true, + "license": "MIT", + "dependencies": { + "@nodelib/fs.stat": "2.0.5", + "run-parallel": "^1.1.9" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/@nodelib/fs.stat": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz", + "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 8" + } + }, + "node_modules/@nodelib/fs.walk": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz", + "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@nodelib/fs.scandir": "2.1.5", + "fastq": "^1.6.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/@radix-ui/number": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/number/-/number-1.1.1.tgz", + "integrity": "sha512-MkKCwxlXTgz6CFoJx3pCwn07GKp36+aZyu/u2Ln2VrA5DcdyCZkASEDBTd8x5whTQQL5CiYf4prXKLcgQdv29g==", + "license": "MIT" + }, + "node_modules/@radix-ui/primitive": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@radix-ui/primitive/-/primitive-1.1.3.tgz", + "integrity": "sha512-JTF99U/6XIjCBo0wqkU5sK10glYe27MRRsfwoiq5zzOEZLHU3A3KCMa5X/azekYRCJ0HlwI0crAXS/5dEHTzDg==", + "license": "MIT" + }, + "node_modules/@radix-ui/react-alert-dialog": { + "version": "1.1.15", + "resolved": "https://registry.npmjs.org/@radix-ui/react-alert-dialog/-/react-alert-dialog-1.1.15.tgz", + "integrity": "sha512-oTVLkEw5GpdRe29BqJ0LSDFWI3qu0vR1M0mUkOQWDIUnY/QIkLpgDMWuKxP94c2NAC2LGcgVhG1ImF3jkZ5wXw==", + "license": "MIT", + "dependencies": { + "@radix-ui/primitive": "1.1.3", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-dialog": "1.1.15", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-slot": "1.2.3" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-alert-dialog/node_modules/@radix-ui/react-slot": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz", + "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-arrow": { + "version": "1.1.7", + "resolved": "https://registry.npmjs.org/@radix-ui/react-arrow/-/react-arrow-1.1.7.tgz", + "integrity": "sha512-F+M1tLhO+mlQaOWspE8Wstg+z6PwxwRd8oQ8IXceWz92kfAmalTRf0EjrouQeo7QssEPfCn05B4Ihs1K9WQ/7w==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-primitive": "2.1.3" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collection": { + "version": "1.1.7", + "resolved": "https://registry.npmjs.org/@radix-ui/react-collection/-/react-collection-1.1.7.tgz", + "integrity": "sha512-Fh9rGN0MoI4ZFUNyfFVNU4y9LUz93u9/0K+yLgA2bwRojxM8JU1DyvvMBabnZPBgMWREAJvU2jjVzq+LrFUglw==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-slot": "1.2.3" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-collection/node_modules/@radix-ui/react-slot": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz", + "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-compose-refs": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@radix-ui/react-compose-refs/-/react-compose-refs-1.1.2.tgz", + "integrity": "sha512-z4eqJvfiNnFMHIIvXP3CY57y2WJs5g2v3X0zm9mEJkrkNv4rDxu+sg9Jh8EkXyeqBkB7SOcboo9dMVqhyrACIg==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-context": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@radix-ui/react-context/-/react-context-1.1.2.tgz", + "integrity": "sha512-jCi/QKUM2r1Ju5a3J64TH2A5SpKAgh0LpknyqdQ4m6DCV0xJ2HG1xARRwNGPQfi1SLdLWZ1OJz6F4OMBBNiGJA==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-dialog": { + "version": "1.1.15", + "resolved": "https://registry.npmjs.org/@radix-ui/react-dialog/-/react-dialog-1.1.15.tgz", + "integrity": "sha512-TCglVRtzlffRNxRMEyR36DGBLJpeusFcgMVD9PZEzAKnUs1lKCgX5u9BmC2Yg+LL9MgZDugFFs1Vl+Jp4t/PGw==", + "license": "MIT", + "dependencies": { + "@radix-ui/primitive": "1.1.3", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-dismissable-layer": "1.1.11", + "@radix-ui/react-focus-guards": "1.1.3", + "@radix-ui/react-focus-scope": "1.1.7", + "@radix-ui/react-id": "1.1.1", + "@radix-ui/react-portal": "1.1.9", + "@radix-ui/react-presence": "1.1.5", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-slot": "1.2.3", + "@radix-ui/react-use-controllable-state": "1.2.2", + "aria-hidden": "^1.2.4", + "react-remove-scroll": "^2.6.3" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-dialog/node_modules/@radix-ui/react-slot": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz", + "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-direction": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-direction/-/react-direction-1.1.1.tgz", + "integrity": "sha512-1UEWRX6jnOA2y4H5WczZ44gOOjTEmlqv1uNW4GAJEO5+bauCBhv8snY65Iw5/VOS/ghKN9gr2KjnLKxrsvoMVw==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-dismissable-layer": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/@radix-ui/react-dismissable-layer/-/react-dismissable-layer-1.1.11.tgz", + "integrity": "sha512-Nqcp+t5cTB8BinFkZgXiMJniQH0PsUt2k51FUhbdfeKvc4ACcG2uQniY/8+h1Yv6Kza4Q7lD7PQV0z0oicE0Mg==", + "license": "MIT", + "dependencies": { + "@radix-ui/primitive": "1.1.3", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-use-callback-ref": "1.1.1", + "@radix-ui/react-use-escape-keydown": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-focus-guards": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-focus-guards/-/react-focus-guards-1.1.3.tgz", + "integrity": "sha512-0rFg/Rj2Q62NCm62jZw0QX7a3sz6QCQU0LpZdNrJX8byRGaGVTqbrW9jAoIAHyMQqsNpeZ81YgSizOt5WXq0Pw==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-focus-scope": { + "version": "1.1.7", + "resolved": "https://registry.npmjs.org/@radix-ui/react-focus-scope/-/react-focus-scope-1.1.7.tgz", + "integrity": "sha512-t2ODlkXBQyn7jkl6TNaw/MtVEVvIGelJDCG41Okq/KwUsJBwQ4XVZsHAVUkK4mBv3ewiAS3PGuUWuY2BoK4ZUw==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-use-callback-ref": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-id": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-id/-/react-id-1.1.1.tgz", + "integrity": "sha512-kGkGegYIdQsOb4XjsfM97rXsiHaBwco+hFI66oO4s9LU+PLAC5oJ7khdOVFxkhsmlbpUqDAvXw11CluXP+jkHg==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-label": { + "version": "2.1.8", + "resolved": "https://registry.npmjs.org/@radix-ui/react-label/-/react-label-2.1.8.tgz", + "integrity": "sha512-FmXs37I6hSBVDlO4y764TNz1rLgKwjJMQ0EGte6F3Cb3f4bIuHB/iLa/8I9VKkmOy+gNHq8rql3j686ACVV21A==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-primitive": "2.1.4" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-label/node_modules/@radix-ui/react-primitive": { + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.4.tgz", + "integrity": "sha512-9hQc4+GNVtJAIEPEqlYqW5RiYdrr8ea5XQ0ZOnD6fgru+83kqT15mq2OCcbe8KnjRZl5vF3ks69AKz3kh1jrhg==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-slot": "1.2.4" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-popper": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/@radix-ui/react-popper/-/react-popper-1.2.8.tgz", + "integrity": "sha512-0NJQ4LFFUuWkE7Oxf0htBKS6zLkkjBH+hM1uk7Ng705ReR8m/uelduy1DBo0PyBXPKVnBA6YBlU94MBGXrSBCw==", + "license": "MIT", + "dependencies": { + "@floating-ui/react-dom": "^2.0.0", + "@radix-ui/react-arrow": "1.1.7", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-use-callback-ref": "1.1.1", + "@radix-ui/react-use-layout-effect": "1.1.1", + "@radix-ui/react-use-rect": "1.1.1", + "@radix-ui/react-use-size": "1.1.1", + "@radix-ui/rect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-portal": { + "version": "1.1.9", + "resolved": "https://registry.npmjs.org/@radix-ui/react-portal/-/react-portal-1.1.9.tgz", + "integrity": "sha512-bpIxvq03if6UNwXZ+HTK71JLh4APvnXntDc6XOX8UVq4XQOVl7lwok0AvIl+b8zgCw3fSaVTZMpAPPagXbKmHQ==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-presence": { + "version": "1.1.5", + "resolved": "https://registry.npmjs.org/@radix-ui/react-presence/-/react-presence-1.1.5.tgz", + "integrity": "sha512-/jfEwNDdQVBCNvjkGit4h6pMOzq8bHkopq458dPt2lMjx+eBQUohZNG9A7DtO/O5ukSbxuaNGXMjHicgwy6rQQ==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-primitive": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.3.tgz", + "integrity": "sha512-m9gTwRkhy2lvCPe6QJp4d3G1TYEUHn/FzJUtq9MjH46an1wJU+GdoGC5VLof8RX8Ft/DlpshApkhswDLZzHIcQ==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-slot": "1.2.3" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-primitive/node_modules/@radix-ui/react-slot": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz", + "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-select": { + "version": "2.2.6", + "resolved": "https://registry.npmjs.org/@radix-ui/react-select/-/react-select-2.2.6.tgz", + "integrity": "sha512-I30RydO+bnn2PQztvo25tswPH+wFBjehVGtmagkU78yMdwTwVf12wnAOF+AeP8S2N8xD+5UPbGhkUfPyvT+mwQ==", + "license": "MIT", + "dependencies": { + "@radix-ui/number": "1.1.1", + "@radix-ui/primitive": "1.1.3", + "@radix-ui/react-collection": "1.1.7", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-direction": "1.1.1", + "@radix-ui/react-dismissable-layer": "1.1.11", + "@radix-ui/react-focus-guards": "1.1.3", + "@radix-ui/react-focus-scope": "1.1.7", + "@radix-ui/react-id": "1.1.1", + "@radix-ui/react-popper": "1.2.8", + "@radix-ui/react-portal": "1.1.9", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-slot": "1.2.3", + "@radix-ui/react-use-callback-ref": "1.1.1", + "@radix-ui/react-use-controllable-state": "1.2.2", + "@radix-ui/react-use-layout-effect": "1.1.1", + "@radix-ui/react-use-previous": "1.1.1", + "@radix-ui/react-visually-hidden": "1.2.3", + "aria-hidden": "^1.2.4", + "react-remove-scroll": "^2.6.3" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-select/node_modules/@radix-ui/react-slot": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.3.tgz", + "integrity": "sha512-aeNmHnBxbi2St0au6VBVC7JXFlhLlOnvIIlePNniyUNAClzmtAUEY8/pBiK3iHjufOlwA+c20/8jngo7xcrg8A==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-separator": { + "version": "1.1.8", + "resolved": "https://registry.npmjs.org/@radix-ui/react-separator/-/react-separator-1.1.8.tgz", + "integrity": "sha512-sDvqVY4itsKwwSMEe0jtKgfTh+72Sy3gPmQpjqcQneqQ4PFmr/1I0YA+2/puilhggCe2gJcx5EBAYFkWkdpa5g==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-primitive": "2.1.4" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-separator/node_modules/@radix-ui/react-primitive": { + "version": "2.1.4", + "resolved": "https://registry.npmjs.org/@radix-ui/react-primitive/-/react-primitive-2.1.4.tgz", + "integrity": "sha512-9hQc4+GNVtJAIEPEqlYqW5RiYdrr8ea5XQ0ZOnD6fgru+83kqT15mq2OCcbe8KnjRZl5vF3ks69AKz3kh1jrhg==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-slot": "1.2.4" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-slot": { + "version": "1.2.4", + "resolved": "https://registry.npmjs.org/@radix-ui/react-slot/-/react-slot-1.2.4.tgz", + "integrity": "sha512-Jl+bCv8HxKnlTLVrcDE8zTMJ09R9/ukw4qBs/oZClOfoQk/cOTbDn+NceXfV7j09YPVQUryJPHurafcSg6EVKA==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-compose-refs": "1.1.2" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-switch": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/@radix-ui/react-switch/-/react-switch-1.2.6.tgz", + "integrity": "sha512-bByzr1+ep1zk4VubeEVViV592vu2lHE2BZY5OnzehZqOOgogN80+mNtCqPkhn2gklJqOpxWgPoYTSnhBCqpOXQ==", + "license": "MIT", + "dependencies": { + "@radix-ui/primitive": "1.1.3", + "@radix-ui/react-compose-refs": "1.1.2", + "@radix-ui/react-context": "1.1.2", + "@radix-ui/react-primitive": "2.1.3", + "@radix-ui/react-use-controllable-state": "1.2.2", + "@radix-ui/react-use-previous": "1.1.1", + "@radix-ui/react-use-size": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-callback-ref": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-callback-ref/-/react-use-callback-ref-1.1.1.tgz", + "integrity": "sha512-FkBMwD+qbGQeMu1cOHnuGB6x4yzPjho8ap5WtbEJ26umhgqVXbhekKUQO+hZEL1vU92a3wHwdp0HAcqAUF5iDg==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-controllable-state": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-controllable-state/-/react-use-controllable-state-1.2.2.tgz", + "integrity": "sha512-BjasUjixPFdS+NKkypcyyN5Pmg83Olst0+c6vGov0diwTEo6mgdqVR6hxcEgFuh4QrAs7Rc+9KuGJ9TVCj0Zzg==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-effect-event": "0.0.2", + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-effect-event": { + "version": "0.0.2", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-effect-event/-/react-use-effect-event-0.0.2.tgz", + "integrity": "sha512-Qp8WbZOBe+blgpuUT+lw2xheLP8q0oatc9UpmiemEICxGvFLYmHm9QowVZGHtJlGbS6A6yJ3iViad/2cVjnOiA==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-escape-keydown": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-escape-keydown/-/react-use-escape-keydown-1.1.1.tgz", + "integrity": "sha512-Il0+boE7w/XebUHyBjroE+DbByORGR9KKmITzbR7MyQ4akpORYP/ZmbhAr0DG7RmmBqoOnZdy2QlvajJ2QA59g==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-callback-ref": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-layout-effect": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-layout-effect/-/react-use-layout-effect-1.1.1.tgz", + "integrity": "sha512-RbJRS4UWQFkzHTTwVymMTUv8EqYhOp8dOOviLj2ugtTiXRaRQS7GLGxZTLL1jWhMeoSCf5zmcZkqTl9IiYfXcQ==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-previous": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-previous/-/react-use-previous-1.1.1.tgz", + "integrity": "sha512-2dHfToCj/pzca2Ck724OZ5L0EVrr3eHRNsG/b3xQJLA2hZpVCS99bLAX+hm1IHXDEnzU6by5z/5MIY794/a8NQ==", + "license": "MIT", + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-rect": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-rect/-/react-use-rect-1.1.1.tgz", + "integrity": "sha512-QTYuDesS0VtuHNNvMh+CjlKJ4LJickCMUAqjlE3+j8w+RlRpwyX3apEQKGFzbZGdo7XNG1tXa+bQqIE7HIXT2w==", + "license": "MIT", + "dependencies": { + "@radix-ui/rect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-use-size": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/react-use-size/-/react-use-size-1.1.1.tgz", + "integrity": "sha512-ewrXRDTAqAXlkl6t/fkXWNAhFX9I+CkKlw6zjEwk86RSPKwZr3xpBRso655aqYafwtnbpHLj6toFzmd6xdVptQ==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-use-layout-effect": "1.1.1" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/@radix-ui/react-visually-hidden": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/@radix-ui/react-visually-hidden/-/react-visually-hidden-1.2.3.tgz", + "integrity": "sha512-pzJq12tEaaIhqjbzpCuv/OypJY/BPavOofm+dbab+MHLajy277+1lLm6JFcGgF5eskJ6mquGirhXY2GD/8u8Ug==", + "license": "MIT", + "dependencies": { + "@radix-ui/react-primitive": "2.1.3" + }, + "peerDependencies": { + "@types/react": "*", + "@types/react-dom": "*", + "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", + "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + }, + "@types/react-dom": { + "optional": true + } + } + }, + "node_modules/@radix-ui/rect": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@radix-ui/rect/-/rect-1.1.1.tgz", + "integrity": "sha512-HPwpGIzkl28mWyZqG52jiqDJ12waP11Pa1lGoiyUkIEuMLBP0oeK/C89esbXrxsky5we7dfd8U58nm0SgAWpVw==", + "license": "MIT" + }, + "node_modules/@remix-run/router": { + "version": "1.23.2", + "resolved": "https://registry.npmjs.org/@remix-run/router/-/router-1.23.2.tgz", + "integrity": "sha512-Ic6m2U/rMjTkhERIa/0ZtXJP17QUi2CbWE7cqx4J58M8aA3QTfW+2UlQ4psvTX9IO1RfNVhK3pcpdjej7L+t2w==", + "license": "MIT", + "engines": { + "node": ">=14.0.0" + } + }, + "node_modules/@rolldown/pluginutils": { + "version": "1.0.0-beta.27", + "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.27.tgz", + "integrity": "sha512-+d0F4MKMCbeVUJwG96uQ4SgAznZNSq93I3V+9NHA4OpvqG8mRCpGdKmK8l/dl02h2CCDHwW2FqilnTyDcAnqjA==", + "dev": true, + "license": "MIT" + }, + "node_modules/@rollup/rollup-android-arm-eabi": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.58.0.tgz", + "integrity": "sha512-mr0tmS/4FoVk1cnaeN244A/wjvGDNItZKR8hRhnmCzygyRXYtKF5jVDSIILR1U97CTzAYmbgIj/Dukg62ggG5w==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ] + }, + "node_modules/@rollup/rollup-android-arm64": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.58.0.tgz", + "integrity": "sha512-+s++dbp+/RTte62mQD9wLSbiMTV+xr/PeRJEc/sFZFSBRlHPNPVaf5FXlzAL77Mr8FtSfQqCN+I598M8U41ccQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ] + }, + "node_modules/@rollup/rollup-darwin-arm64": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.58.0.tgz", + "integrity": "sha512-MFWBwTcYs0jZbINQBXHfSrpSQJq3IUOakcKPzfeSznONop14Pxuqa0Kg19GD0rNBMPQI2tFtu3UzapZpH0Uc1Q==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@rollup/rollup-darwin-x64": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.58.0.tgz", + "integrity": "sha512-yiKJY7pj9c9JwzuKYLFaDZw5gma3fI9bkPEIyofvVfsPqjCWPglSHdpdwXpKGvDeYDms3Qal8qGMEHZ1M/4Udg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@rollup/rollup-freebsd-arm64": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.58.0.tgz", + "integrity": "sha512-x97kCoBh5MOevpn/CNK9W1x8BEzO238541BGWBc315uOlN0AD/ifZ1msg+ZQB05Ux+VF6EcYqpiagfLJ8U3LvQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ] + }, + "node_modules/@rollup/rollup-freebsd-x64": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.58.0.tgz", + "integrity": "sha512-Aa8jPoZ6IQAG2eIrcXPpjRcMjROMFxCt1UYPZZtCxRV68WkuSigYtQ/7Zwrcr2IvtNJo7T2JfDXyMLxq5L4Jlg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ] + }, + "node_modules/@rollup/rollup-linux-arm-gnueabihf": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.58.0.tgz", + "integrity": "sha512-Ob8YgT5kD/lSIYW2Rcngs5kNB/44Q2RzBSPz9brf2WEtcGR7/f/E9HeHn1wYaAwKBni+bdXEwgHvUd0x12lQSA==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-arm-musleabihf": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.58.0.tgz", + "integrity": "sha512-K+RI5oP1ceqoadvNt1FecL17Qtw/n9BgRSzxif3rTL2QlIu88ccvY+Y9nnHe/cmT5zbH9+bpiJuG1mGHRVwF4Q==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-arm64-gnu": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.58.0.tgz", + "integrity": "sha512-T+17JAsCKUjmbopcKepJjHWHXSjeW7O5PL7lEFaeQmiVyw4kkc5/lyYKzrv6ElWRX/MrEWfPiJWqbTvfIvjM1Q==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-arm64-musl": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.58.0.tgz", + "integrity": "sha512-cCePktb9+6R9itIJdeCFF9txPU7pQeEHB5AbHu/MKsfH/k70ZtOeq1k4YAtBv9Z7mmKI5/wOLYjQ+B9QdxR6LA==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-loong64-gnu": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-gnu/-/rollup-linux-loong64-gnu-4.58.0.tgz", + "integrity": "sha512-iekUaLkfliAsDl4/xSdoCJ1gnnIXvoNz85C8U8+ZxknM5pBStfZjeXgB8lXobDQvvPRCN8FPmmuTtH+z95HTmg==", + "cpu": [ + "loong64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-loong64-musl": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loong64-musl/-/rollup-linux-loong64-musl-4.58.0.tgz", + "integrity": "sha512-68ofRgJNl/jYJbxFjCKE7IwhbfxOl1muPN4KbIqAIe32lm22KmU7E8OPvyy68HTNkI2iV/c8y2kSPSm2mW/Q9Q==", + "cpu": [ + "loong64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-ppc64-gnu": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-gnu/-/rollup-linux-ppc64-gnu-4.58.0.tgz", + "integrity": "sha512-dpz8vT0i+JqUKuSNPCP5SYyIV2Lh0sNL1+FhM7eLC457d5B9/BC3kDPp5BBftMmTNsBarcPcoz5UGSsnCiw4XQ==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-ppc64-musl": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-ppc64-musl/-/rollup-linux-ppc64-musl-4.58.0.tgz", + "integrity": "sha512-4gdkkf9UJ7tafnweBCR/mk4jf3Jfl0cKX9Np80t5i78kjIH0ZdezUv/JDI2VtruE5lunfACqftJ8dIMGN4oHew==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-riscv64-gnu": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.58.0.tgz", + "integrity": "sha512-YFS4vPnOkDTD/JriUeeZurFYoJhPf9GQQEF/v4lltp3mVcBmnsAdjEWhr2cjUCZzZNzxCG0HZOvJU44UGHSdzw==", + "cpu": [ + "riscv64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-riscv64-musl": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.58.0.tgz", + "integrity": "sha512-x2xgZlFne+QVNKV8b4wwaCS8pwq3y14zedZ5DqLzjdRITvreBk//4Knbcvm7+lWmms9V9qFp60MtUd0/t/PXPw==", + "cpu": [ + "riscv64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-s390x-gnu": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.58.0.tgz", + "integrity": "sha512-jIhrujyn4UnWF8S+DHSkAkDEO3hLX0cjzxJZPLF80xFyzyUIYgSMRcYQ3+uqEoyDD2beGq7Dj7edi8OnJcS/hg==", + "cpu": [ + "s390x" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-x64-gnu": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.58.0.tgz", + "integrity": "sha512-+410Srdoh78MKSJxTQ+hZ/Mx+ajd6RjjPwBPNd0R3J9FtL6ZA0GqiiyNjCO9In0IzZkCNrpGymSfn+kgyPQocg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-x64-musl": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.58.0.tgz", + "integrity": "sha512-ZjMyby5SICi227y1MTR3VYBpFTdZs823Rs/hpakufleBoufoOIB6jtm9FEoxn/cgO7l6PM2rCEl5Kre5vX0QrQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-openbsd-x64": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-openbsd-x64/-/rollup-openbsd-x64-4.58.0.tgz", + "integrity": "sha512-ds4iwfYkSQ0k1nb8LTcyXw//ToHOnNTJtceySpL3fa7tc/AsE+UpUFphW126A6fKBGJD5dhRvg8zw1rvoGFxmw==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ] + }, + "node_modules/@rollup/rollup-openharmony-arm64": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-openharmony-arm64/-/rollup-openharmony-arm64-4.58.0.tgz", + "integrity": "sha512-fd/zpJniln4ICdPkjWFhZYeY/bpnaN9pGa6ko+5WD38I0tTqk9lXMgXZg09MNdhpARngmxiCg0B0XUamNw/5BQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openharmony" + ] + }, + "node_modules/@rollup/rollup-win32-arm64-msvc": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.58.0.tgz", + "integrity": "sha512-YpG8dUOip7DCz3nr/JUfPbIUo+2d/dy++5bFzgi4ugOGBIox+qMbbqt/JoORwvI/C9Kn2tz6+Bieoqd5+B1CjA==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@rollup/rollup-win32-ia32-msvc": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.58.0.tgz", + "integrity": "sha512-b9DI8jpFQVh4hIXFr0/+N/TzLdpBIoPzjt0Rt4xJbW3mzguV3mduR9cNgiuFcuL/TeORejJhCWiAXe3E/6PxWA==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@rollup/rollup-win32-x64-gnu": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-gnu/-/rollup-win32-x64-gnu-4.58.0.tgz", + "integrity": "sha512-CSrVpmoRJFN06LL9xhkitkwUcTZtIotYAF5p6XOR2zW0Zz5mzb3IPpcoPhB02frzMHFNo1reQ9xSF5fFm3hUsQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@rollup/rollup-win32-x64-msvc": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.58.0.tgz", + "integrity": "sha512-QFsBgQNTnh5K0t/sBsjJLq24YVqEIVkGpfN2VHsnN90soZyhaiA9UUHufcctVNL4ypJY0wrwad0wslx2KJQ1/w==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@tanstack/query-core": { + "version": "5.90.20", + "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.90.20.tgz", + "integrity": "sha512-OMD2HLpNouXEfZJWcKeVKUgQ5n+n3A2JFmBaScpNDUqSrQSjiveC7dKMe53uJUg1nDG16ttFPz2xfilz6i2uVg==", + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/tannerlinsley" + } + }, + "node_modules/@tanstack/react-query": { + "version": "5.90.21", + "resolved": "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.90.21.tgz", + "integrity": "sha512-0Lu6y5t+tvlTJMTO7oh5NSpJfpg/5D41LlThfepTixPYkJ0sE2Jj0m0f6yYqujBwIXlId87e234+MxG3D3g7kg==", + "license": "MIT", + "dependencies": { + "@tanstack/query-core": "5.90.20" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/tannerlinsley" + }, + "peerDependencies": { + "react": "^18 || ^19" + } + }, + "node_modules/@types/babel__core": { + "version": "7.20.5", + "resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.20.5.tgz", + "integrity": "sha512-qoQprZvz5wQFJwMDqeseRXWv3rqMvhgpbXFfVyWhbx9X47POIA6i/+dXefEmZKoAgOaTdaIgNSMqMIU61yRyzA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/parser": "^7.20.7", + "@babel/types": "^7.20.7", + "@types/babel__generator": "*", + "@types/babel__template": "*", + "@types/babel__traverse": "*" + } + }, + "node_modules/@types/babel__generator": { + "version": "7.27.0", + "resolved": "https://registry.npmjs.org/@types/babel__generator/-/babel__generator-7.27.0.tgz", + "integrity": "sha512-ufFd2Xi92OAVPYsy+P4n7/U7e68fex0+Ee8gSG9KX7eo084CWiQ4sdxktvdl0bOPupXtVJPY19zk6EwWqUQ8lg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/types": "^7.0.0" + } + }, + "node_modules/@types/babel__template": { + "version": "7.4.4", + "resolved": "https://registry.npmjs.org/@types/babel__template/-/babel__template-7.4.4.tgz", + "integrity": "sha512-h/NUaSyG5EyxBIp8YRxo4RMe2/qQgvyowRwVMzhYhBCONbW8PUsg4lkFMrhgZhUe5z3L3MiLDuvyJ/CaPa2A8A==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/parser": "^7.1.0", + "@babel/types": "^7.0.0" + } + }, + "node_modules/@types/babel__traverse": { + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.28.0.tgz", + "integrity": "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/types": "^7.28.2" + } + }, + "node_modules/@types/d3-array": { + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/@types/d3-array/-/d3-array-3.2.2.tgz", + "integrity": "sha512-hOLWVbm7uRza0BYXpIIW5pxfrKe0W+D5lrFiAEYR+pb6w3N2SwSMaJbXdUfSEv+dT4MfHBLtn5js0LAWaO6otw==", + "license": "MIT" + }, + "node_modules/@types/d3-color": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/@types/d3-color/-/d3-color-3.1.3.tgz", + "integrity": "sha512-iO90scth9WAbmgv7ogoq57O9YpKmFBbmoEoCHDB2xMBY0+/KVrqAaCDyCE16dUspeOvIxFFRI+0sEtqDqy2b4A==", + "license": "MIT" + }, + "node_modules/@types/d3-ease": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@types/d3-ease/-/d3-ease-3.0.2.tgz", + "integrity": "sha512-NcV1JjO5oDzoK26oMzbILE6HW7uVXOHLQvHshBUW4UMdZGfiY6v5BeQwh9a9tCzv+CeefZQHJt5SRgK154RtiA==", + "license": "MIT" + }, + "node_modules/@types/d3-interpolate": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/@types/d3-interpolate/-/d3-interpolate-3.0.4.tgz", + "integrity": "sha512-mgLPETlrpVV1YRJIglr4Ez47g7Yxjl1lj7YKsiMCb27VJH9W8NVM6Bb9d8kkpG/uAQS5AmbA48q2IAolKKo1MA==", + "license": "MIT", + "dependencies": { + "@types/d3-color": "*" + } + }, + "node_modules/@types/d3-path": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/@types/d3-path/-/d3-path-3.1.1.tgz", + "integrity": "sha512-VMZBYyQvbGmWyWVea0EHs/BwLgxc+MKi1zLDCONksozI4YJMcTt8ZEuIR4Sb1MMTE8MMW49v0IwI5+b7RmfWlg==", + "license": "MIT" + }, + "node_modules/@types/d3-scale": { + "version": "4.0.9", + "resolved": "https://registry.npmjs.org/@types/d3-scale/-/d3-scale-4.0.9.tgz", + "integrity": "sha512-dLmtwB8zkAeO/juAMfnV+sItKjlsw2lKdZVVy6LRr0cBmegxSABiLEpGVmSJJ8O08i4+sGR6qQtb6WtuwJdvVw==", + "license": "MIT", + "dependencies": { + "@types/d3-time": "*" + } + }, + "node_modules/@types/d3-shape": { + "version": "3.1.8", + "resolved": "https://registry.npmjs.org/@types/d3-shape/-/d3-shape-3.1.8.tgz", + "integrity": "sha512-lae0iWfcDeR7qt7rA88BNiqdvPS5pFVPpo5OfjElwNaT2yyekbM0C9vK+yqBqEmHr6lDkRnYNoTBYlAgJa7a4w==", + "license": "MIT", + "dependencies": { + "@types/d3-path": "*" + } + }, + "node_modules/@types/d3-time": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/@types/d3-time/-/d3-time-3.0.4.tgz", + "integrity": "sha512-yuzZug1nkAAaBlBBikKZTgzCeA+k1uy4ZFwWANOfKw5z5LRhV0gNA7gNkKm7HoK+HRN0wX3EkxGk0fpbWhmB7g==", + "license": "MIT" + }, + "node_modules/@types/d3-timer": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/@types/d3-timer/-/d3-timer-3.0.2.tgz", + "integrity": "sha512-Ps3T8E8dZDam6fUyNiMkekK3XUsaUEik+idO9/YjPtfj2qruF8tFBXS7XhtE4iIXBLxhmLjP3SXpLhVf21I9Lw==", + "license": "MIT" + }, + "node_modules/@types/estree": { + "version": "1.0.8", + "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz", + "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==", + "dev": true, + "license": "MIT" + }, + "node_modules/@types/node": { + "version": "22.19.11", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.11.tgz", + "integrity": "sha512-BH7YwL6rA93ReqeQS1c4bsPpcfOmJasG+Fkr6Y59q83f9M1WcBRHR2vM+P9eOisYRcN3ujQoiZY8uk5W+1WL8w==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~6.21.0" + } + }, + "node_modules/@types/prop-types": { + "version": "15.7.15", + "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.15.tgz", + "integrity": "sha512-F6bEyamV9jKGAFBEmlQnesRPGOQqS2+Uwi0Em15xenOxHaf2hv6L8YCVn3rPdPJOiJfPiCnLIRyvwVaqMY3MIw==", + "devOptional": true, + "license": "MIT" + }, + "node_modules/@types/react": { + "version": "18.3.28", + "resolved": "https://registry.npmjs.org/@types/react/-/react-18.3.28.tgz", + "integrity": "sha512-z9VXpC7MWrhfWipitjNdgCauoMLRdIILQsAEV+ZesIzBq/oUlxk0m3ApZuMFCXdnS4U7KrI+l3WRUEGQ8K1QKw==", + "devOptional": true, + "license": "MIT", + "dependencies": { + "@types/prop-types": "*", + "csstype": "^3.2.2" + } + }, + "node_modules/@types/react-dom": { + "version": "18.3.7", + "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-18.3.7.tgz", + "integrity": "sha512-MEe3UeoENYVFXzoXEWsvcpg6ZvlrFNlOQ7EOsvhI3CfAXwzPfO8Qwuxd40nepsYKqyyVQnTdEfv68q91yLcKrQ==", + "devOptional": true, + "license": "MIT", + "peerDependencies": { + "@types/react": "^18.0.0" + } + }, + "node_modules/@vitejs/plugin-react": { + "version": "4.7.0", + "resolved": "https://registry.npmjs.org/@vitejs/plugin-react/-/plugin-react-4.7.0.tgz", + "integrity": "sha512-gUu9hwfWvvEDBBmgtAowQCojwZmJ5mcLn3aufeCsitijs3+f2NsrPtlAWIR6OPiqljl96GVCUbLe0HyqIpVaoA==", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/core": "^7.28.0", + "@babel/plugin-transform-react-jsx-self": "^7.27.1", + "@babel/plugin-transform-react-jsx-source": "^7.27.1", + "@rolldown/pluginutils": "1.0.0-beta.27", + "@types/babel__core": "^7.20.5", + "react-refresh": "^0.17.0" + }, + "engines": { + "node": "^14.18.0 || >=16.0.0" + }, + "peerDependencies": { + "vite": "^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0" + } + }, + "node_modules/any-promise": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/any-promise/-/any-promise-1.3.0.tgz", + "integrity": "sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A==", + "dev": true, + "license": "MIT" + }, + "node_modules/anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "license": "ISC", + "dependencies": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/arg": { + "version": "5.0.2", + "resolved": "https://registry.npmjs.org/arg/-/arg-5.0.2.tgz", + "integrity": "sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==", + "dev": true, + "license": "MIT" + }, + "node_modules/aria-hidden": { + "version": "1.2.6", + "resolved": "https://registry.npmjs.org/aria-hidden/-/aria-hidden-1.2.6.tgz", + "integrity": "sha512-ik3ZgC9dY/lYVVM++OISsaYDeg1tb0VtP5uL3ouh1koGOaUMDPpbFIei4JkFimWUFPn90sbMNMXQAIVOlnYKJA==", + "license": "MIT", + "dependencies": { + "tslib": "^2.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/autoprefixer": { + "version": "10.4.24", + "resolved": "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.24.tgz", + "integrity": "sha512-uHZg7N9ULTVbutaIsDRoUkoS8/h3bdsmVJYZ5l3wv8Cp/6UIIoRDm90hZ+BwxUj/hGBEzLxdHNSKuFpn8WOyZw==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/autoprefixer" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "browserslist": "^4.28.1", + "caniuse-lite": "^1.0.30001766", + "fraction.js": "^5.3.4", + "picocolors": "^1.1.1", + "postcss-value-parser": "^4.2.0" + }, + "bin": { + "autoprefixer": "bin/autoprefixer" + }, + "engines": { + "node": "^10 || ^12 || >=14" + }, + "peerDependencies": { + "postcss": "^8.1.0" + } + }, + "node_modules/baseline-browser-mapping": { + "version": "2.10.0", + "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.0.tgz", + "integrity": "sha512-lIyg0szRfYbiy67j9KN8IyeD7q7hcmqnJ1ddWmNt19ItGpNN64mnllmxUNFIOdOm6by97jlL6wfpTTJrmnjWAA==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "baseline-browser-mapping": "dist/cli.cjs" + }, + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/binary-extensions": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz", + "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/braces": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz", + "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==", + "dev": true, + "license": "MIT", + "dependencies": { + "fill-range": "^7.1.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/browserslist": { + "version": "4.28.1", + "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.1.tgz", + "integrity": "sha512-ZC5Bd0LgJXgwGqUknZY/vkUQ04r8NXnJZ3yYi4vDmSiZmC/pdSN0NbNRPxZpbtO4uAfDUAFffO8IZoM3Gj8IkA==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/browserslist" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "baseline-browser-mapping": "^2.9.0", + "caniuse-lite": "^1.0.30001759", + "electron-to-chromium": "^1.5.263", + "node-releases": "^2.0.27", + "update-browserslist-db": "^1.2.0" + }, + "bin": { + "browserslist": "cli.js" + }, + "engines": { + "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7" + } + }, + "node_modules/camelcase-css": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/camelcase-css/-/camelcase-css-2.0.1.tgz", + "integrity": "sha512-QOSvevhslijgYwRx6Rv7zKdMF8lbRmx+uQGx2+vDc+KI/eBnsy9kit5aj23AgGu3pa4t9AgwbnXWqS+iOY+2aA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 6" + } + }, + "node_modules/caniuse-lite": { + "version": "1.0.30001770", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001770.tgz", + "integrity": "sha512-x/2CLQ1jHENRbHg5PSId2sXq1CIO1CISvwWAj027ltMVG2UNgW+w9oH2+HzgEIRFembL8bUlXtfbBHR1fCg2xw==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/caniuse-lite" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "CC-BY-4.0" + }, + "node_modules/chokidar": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz", + "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==", + "dev": true, + "license": "MIT", + "dependencies": { + "anymatch": "~3.1.2", + "braces": "~3.0.2", + "glob-parent": "~5.1.2", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.6.0" + }, + "engines": { + "node": ">= 8.10.0" + }, + "funding": { + "url": "https://paulmillr.com/funding/" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" + } + }, + "node_modules/chokidar/node_modules/glob-parent": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", + "dev": true, + "license": "ISC", + "dependencies": { + "is-glob": "^4.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/class-variance-authority": { + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/class-variance-authority/-/class-variance-authority-0.7.1.tgz", + "integrity": "sha512-Ka+9Trutv7G8M6WT6SeiRWz792K5qEqIGEGzXKhAE6xOWAY6pPH8U+9IY3oCMv6kqTmLsv7Xh/2w2RigkePMsg==", + "license": "Apache-2.0", + "dependencies": { + "clsx": "^2.1.1" + }, + "funding": { + "url": "https://polar.sh/cva" + } + }, + "node_modules/clsx": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/clsx/-/clsx-2.1.1.tgz", + "integrity": "sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/commander": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/commander/-/commander-4.1.1.tgz", + "integrity": "sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 6" + } + }, + "node_modules/convert-source-map": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz", + "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==", + "dev": true, + "license": "MIT" + }, + "node_modules/cssesc": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz", + "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==", + "dev": true, + "license": "MIT", + "bin": { + "cssesc": "bin/cssesc" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/csstype": { + "version": "3.2.3", + "resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz", + "integrity": "sha512-z1HGKcYy2xA8AGQfwrn0PAy+PB7X/GSj3UVJW9qKyn43xWa+gl5nXmU4qqLMRzWVLFC8KusUX8T/0kCiOYpAIQ==", + "license": "MIT" + }, + "node_modules/d3-array": { + "version": "3.2.4", + "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-3.2.4.tgz", + "integrity": "sha512-tdQAmyA18i4J7wprpYq8ClcxZy3SC31QMeByyCFyRt7BVHdREQZ5lpzoe5mFEYZUWe+oq8HBvk9JjpibyEV4Jg==", + "license": "ISC", + "dependencies": { + "internmap": "1 - 2" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-color": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/d3-color/-/d3-color-3.1.0.tgz", + "integrity": "sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA==", + "license": "ISC", + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-ease": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/d3-ease/-/d3-ease-3.0.1.tgz", + "integrity": "sha512-wR/XK3D3XcLIZwpbvQwQ5fK+8Ykds1ip7A2Txe0yxncXSdq1L9skcG7blcedkOX+ZcgxGAmLX1FrRGbADwzi0w==", + "license": "BSD-3-Clause", + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-format": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/d3-format/-/d3-format-3.1.2.tgz", + "integrity": "sha512-AJDdYOdnyRDV5b6ArilzCPPwc1ejkHcoyFarqlPqT7zRYjhavcT3uSrqcMvsgh2CgoPbK3RCwyHaVyxYcP2Arg==", + "license": "ISC", + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-interpolate": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/d3-interpolate/-/d3-interpolate-3.0.1.tgz", + "integrity": "sha512-3bYs1rOD33uo8aqJfKP3JWPAibgw8Zm2+L9vBKEHJ2Rg+viTR7o5Mmv5mZcieN+FRYaAOWX5SJATX6k1PWz72g==", + "license": "ISC", + "dependencies": { + "d3-color": "1 - 3" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-path": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/d3-path/-/d3-path-3.1.0.tgz", + "integrity": "sha512-p3KP5HCf/bvjBSSKuXid6Zqijx7wIfNW+J/maPs+iwR35at5JCbLUT0LzF1cnjbCHWhqzQTIN2Jpe8pRebIEFQ==", + "license": "ISC", + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-scale": { + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/d3-scale/-/d3-scale-4.0.2.tgz", + "integrity": "sha512-GZW464g1SH7ag3Y7hXjf8RoUuAFIqklOAq3MRl4OaWabTFJY9PN/E1YklhXLh+OQ3fM9yS2nOkCoS+WLZ6kvxQ==", + "license": "ISC", + "dependencies": { + "d3-array": "2.10.0 - 3", + "d3-format": "1 - 3", + "d3-interpolate": "1.2.0 - 3", + "d3-time": "2.1.1 - 3", + "d3-time-format": "2 - 4" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-shape": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/d3-shape/-/d3-shape-3.2.0.tgz", + "integrity": "sha512-SaLBuwGm3MOViRq2ABk3eLoxwZELpH6zhl3FbAoJ7Vm1gofKx6El1Ib5z23NUEhF9AsGl7y+dzLe5Cw2AArGTA==", + "license": "ISC", + "dependencies": { + "d3-path": "^3.1.0" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-time": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/d3-time/-/d3-time-3.1.0.tgz", + "integrity": "sha512-VqKjzBLejbSMT4IgbmVgDjpkYrNWUYJnbCGo874u7MMKIWsILRX+OpX/gTk8MqjpT1A/c6HY2dCA77ZN0lkQ2Q==", + "license": "ISC", + "dependencies": { + "d3-array": "2 - 3" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-time-format": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/d3-time-format/-/d3-time-format-4.1.0.tgz", + "integrity": "sha512-dJxPBlzC7NugB2PDLwo9Q8JiTR3M3e4/XANkreKSUxF8vvXKqm1Yfq4Q5dl8budlunRVlUUaDUgFt7eA8D6NLg==", + "license": "ISC", + "dependencies": { + "d3-time": "1 - 3" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/d3-timer": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/d3-timer/-/d3-timer-3.0.1.tgz", + "integrity": "sha512-ndfJ/JxxMd3nw31uyKoY2naivF+r29V+Lc0svZxe1JvvIRmi8hUsrMvdOwgS1o6uBHmiz91geQ0ylPP0aj1VUA==", + "license": "ISC", + "engines": { + "node": ">=12" + } + }, + "node_modules/date-fns": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-3.6.0.tgz", + "integrity": "sha512-fRHTG8g/Gif+kSh50gaGEdToemgfj74aRX3swtiouboip5JDLAyDE9F11nHMIcvOaXeOC6D7SpNhi7uFyB7Uww==", + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/kossnocorp" + } + }, + "node_modules/debug": { + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "dev": true, + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/decimal.js-light": { + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/decimal.js-light/-/decimal.js-light-2.5.1.tgz", + "integrity": "sha512-qIMFpTMZmny+MMIitAB6D7iVPEorVw6YQRWkvarTkT4tBeSLLiHzcwj6q0MmYSFCiVpiqPJTJEYIrpcPzVEIvg==", + "license": "MIT" + }, + "node_modules/detect-node-es": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/detect-node-es/-/detect-node-es-1.1.0.tgz", + "integrity": "sha512-ypdmJU/TbBby2Dxibuv7ZLW3Bs1QEmM7nHjEANfohJLvE0XVujisn1qPJcZxg+qDucsr+bP6fLD1rPS3AhJ7EQ==", + "license": "MIT" + }, + "node_modules/didyoumean": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/didyoumean/-/didyoumean-1.2.2.tgz", + "integrity": "sha512-gxtyfqMg7GKyhQmb056K7M3xszy/myH8w+B4RT+QXBQsvAOdc3XymqDDPHx1BgPgsdAA5SIifona89YtRATDzw==", + "dev": true, + "license": "Apache-2.0" + }, + "node_modules/dlv": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/dlv/-/dlv-1.1.3.tgz", + "integrity": "sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==", + "dev": true, + "license": "MIT" + }, + "node_modules/dom-helpers": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/dom-helpers/-/dom-helpers-5.2.1.tgz", + "integrity": "sha512-nRCa7CK3VTrM2NmGkIy4cbK7IZlgBE/PYMn55rrXefr5xXDP0LdtfPnblFDoVdcAfslJ7or6iqAUnx0CCGIWQA==", + "license": "MIT", + "dependencies": { + "@babel/runtime": "^7.8.7", + "csstype": "^3.0.2" + } + }, + "node_modules/electron-to-chromium": { + "version": "1.5.302", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.302.tgz", + "integrity": "sha512-sM6HAN2LyK82IyPBpznDRqlTQAtuSaO+ShzFiWTvoMJLHyZ+Y39r8VMfHzwbU8MVBzQ4Wdn85+wlZl2TLGIlwg==", + "dev": true, + "license": "ISC" + }, + "node_modules/esbuild": { + "version": "0.21.5", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz", + "integrity": "sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "bin": { + "esbuild": "bin/esbuild" + }, + "engines": { + "node": ">=12" + }, + "optionalDependencies": { + "@esbuild/aix-ppc64": "0.21.5", + "@esbuild/android-arm": "0.21.5", + "@esbuild/android-arm64": "0.21.5", + "@esbuild/android-x64": "0.21.5", + "@esbuild/darwin-arm64": "0.21.5", + "@esbuild/darwin-x64": "0.21.5", + "@esbuild/freebsd-arm64": "0.21.5", + "@esbuild/freebsd-x64": "0.21.5", + "@esbuild/linux-arm": "0.21.5", + "@esbuild/linux-arm64": "0.21.5", + "@esbuild/linux-ia32": "0.21.5", + "@esbuild/linux-loong64": "0.21.5", + "@esbuild/linux-mips64el": "0.21.5", + "@esbuild/linux-ppc64": "0.21.5", + "@esbuild/linux-riscv64": "0.21.5", + "@esbuild/linux-s390x": "0.21.5", + "@esbuild/linux-x64": "0.21.5", + "@esbuild/netbsd-x64": "0.21.5", + "@esbuild/openbsd-x64": "0.21.5", + "@esbuild/sunos-x64": "0.21.5", + "@esbuild/win32-arm64": "0.21.5", + "@esbuild/win32-ia32": "0.21.5", + "@esbuild/win32-x64": "0.21.5" + } + }, + "node_modules/escalade": { + "version": "3.2.0", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz", + "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/eventemitter3": { + "version": "4.0.7", + "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-4.0.7.tgz", + "integrity": "sha512-8guHBZCwKnFhYdHr2ysuRWErTwhoN2X8XELRlrRwpmfeY2jjuUN4taQMsULKUVo1K4DvZl+0pgfyoysHxvmvEw==", + "license": "MIT" + }, + "node_modules/fast-equals": { + "version": "5.4.0", + "resolved": "https://registry.npmjs.org/fast-equals/-/fast-equals-5.4.0.tgz", + "integrity": "sha512-jt2DW/aNFNwke7AUd+Z+e6pz39KO5rzdbbFCg2sGafS4mk13MI7Z8O5z9cADNn5lhGODIgLwug6TZO2ctf7kcw==", + "license": "MIT", + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/fast-glob": { + "version": "3.3.3", + "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.3.tgz", + "integrity": "sha512-7MptL8U0cqcFdzIzwOTHoilX9x5BrNqye7Z/LuC7kCMRio1EMSyqRK3BEAUD7sXRq4iT4AzTVuZdhgQ2TCvYLg==", + "dev": true, + "license": "MIT", + "dependencies": { + "@nodelib/fs.stat": "^2.0.2", + "@nodelib/fs.walk": "^1.2.3", + "glob-parent": "^5.1.2", + "merge2": "^1.3.0", + "micromatch": "^4.0.8" + }, + "engines": { + "node": ">=8.6.0" + } + }, + "node_modules/fast-glob/node_modules/glob-parent": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", + "dev": true, + "license": "ISC", + "dependencies": { + "is-glob": "^4.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/fastq": { + "version": "1.20.1", + "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.20.1.tgz", + "integrity": "sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==", + "dev": true, + "license": "ISC", + "dependencies": { + "reusify": "^1.0.4" + } + }, + "node_modules/fill-range": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz", + "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==", + "dev": true, + "license": "MIT", + "dependencies": { + "to-regex-range": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/fraction.js": { + "version": "5.3.4", + "resolved": "https://registry.npmjs.org/fraction.js/-/fraction.js-5.3.4.tgz", + "integrity": "sha512-1X1NTtiJphryn/uLQz3whtY6jK3fTqoE3ohKs0tT+Ujr1W59oopxmoEh7Lu5p6vBaPbgoM0bzveAW4Qi5RyWDQ==", + "dev": true, + "license": "MIT", + "engines": { + "node": "*" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/rawify" + } + }, + "node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/gensync": { + "version": "1.0.0-beta.2", + "resolved": "https://registry.npmjs.org/gensync/-/gensync-1.0.0-beta.2.tgz", + "integrity": "sha512-3hN7NaskYvMDLQY55gnW3NQ+mesEAepTqlg+VEbj7zzqEMBVNhzcGYYeqFo/TlYz6eQiFcp1HcsCZO+nGgS8zg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/get-nonce": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/get-nonce/-/get-nonce-1.0.1.tgz", + "integrity": "sha512-FJhYRoDaiatfEkUK8HKlicmu/3SGFD51q3itKDGoSTysQJBnfOcxU5GxnhE1E6soB76MbT0MBtnKJuXyAx+96Q==", + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/glob-parent": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz", + "integrity": "sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==", + "dev": true, + "license": "ISC", + "dependencies": { + "is-glob": "^4.0.3" + }, + "engines": { + "node": ">=10.13.0" + } + }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/internmap": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/internmap/-/internmap-2.0.3.tgz", + "integrity": "sha512-5Hh7Y1wQbvY5ooGgPbDaL5iYLAPzMTUrjMulskHLH6wnv/A+1q5rgEaiuqEjB+oxGXIVZs1FF+R/KPN3ZSQYYg==", + "license": "ISC", + "engines": { + "node": ">=12" + } + }, + "node_modules/is-binary-path": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", + "dev": true, + "license": "MIT", + "dependencies": { + "binary-extensions": "^2.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-core-module": { + "version": "2.16.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.16.1.tgz", + "integrity": "sha512-UfoeMA6fIJ8wTYFEUjelnaGI67v6+N7qXJEvQuIGa99l4xsCruSYOVSQ0uPANn4dAzm8lkYPaKLrrijLq7x23w==", + "dev": true, + "license": "MIT", + "dependencies": { + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/is-extglob": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", + "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-glob": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", + "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-extglob": "^2.1.1" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.12.0" + } + }, + "node_modules/jiti": { + "version": "1.21.7", + "resolved": "https://registry.npmjs.org/jiti/-/jiti-1.21.7.tgz", + "integrity": "sha512-/imKNG4EbWNrVjoNC/1H5/9GFy+tqjGBHCaSsN+P2RnPqjsLmv6UD3Ej+Kj8nBWaRAwyk7kK5ZUc+OEatnTR3A==", + "dev": true, + "license": "MIT", + "bin": { + "jiti": "bin/jiti.js" + } + }, + "node_modules/js-tokens": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz", + "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==", + "license": "MIT" + }, + "node_modules/jsesc": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz", + "integrity": "sha512-/sM3dO2FOzXjKQhJuo0Q173wf2KOo8t4I8vHy6lF9poUp7bKT0/NHE8fPX23PwfhnykfqnC2xRxOnVw5XuGIaA==", + "dev": true, + "license": "MIT", + "bin": { + "jsesc": "bin/jsesc" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/json5": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.3.tgz", + "integrity": "sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==", + "dev": true, + "license": "MIT", + "bin": { + "json5": "lib/cli.js" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/jwt-decode": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/jwt-decode/-/jwt-decode-4.0.0.tgz", + "integrity": "sha512-+KJGIyHgkGuIq3IEBNftfhW/LfWhXUIY6OmyVWjliu5KH1y0fw7VQ8YndE2O4qZdMSd9SqbnC8GOcZEy0Om7sA==", + "license": "MIT", + "engines": { + "node": ">=18" + } + }, + "node_modules/lilconfig": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/lilconfig/-/lilconfig-3.1.3.tgz", + "integrity": "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=14" + }, + "funding": { + "url": "https://github.com/sponsors/antonk52" + } + }, + "node_modules/lines-and-columns": { + "version": "1.2.4", + "resolved": "https://registry.npmjs.org/lines-and-columns/-/lines-and-columns-1.2.4.tgz", + "integrity": "sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==", + "dev": true, + "license": "MIT" + }, + "node_modules/lodash": { + "version": "4.17.23", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz", + "integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==", + "license": "MIT" + }, + "node_modules/loose-envify": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz", + "integrity": "sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==", + "license": "MIT", + "dependencies": { + "js-tokens": "^3.0.0 || ^4.0.0" + }, + "bin": { + "loose-envify": "cli.js" + } + }, + "node_modules/lru-cache": { + "version": "5.1.1", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz", + "integrity": "sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==", + "dev": true, + "license": "ISC", + "dependencies": { + "yallist": "^3.0.2" + } + }, + "node_modules/lucide-react": { + "version": "0.446.0", + "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-0.446.0.tgz", + "integrity": "sha512-BU7gy8MfBMqvEdDPH79VhOXSEgyG8TSPOKWaExWGCQVqnGH7wGgDngPbofu+KdtVjPQBWbEmnfMTq90CTiiDRg==", + "license": "ISC", + "peerDependencies": { + "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0-rc" + } + }, + "node_modules/merge2": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz", + "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 8" + } + }, + "node_modules/micromatch": { + "version": "4.0.8", + "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", + "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", + "dev": true, + "license": "MIT", + "dependencies": { + "braces": "^3.0.3", + "picomatch": "^2.3.1" + }, + "engines": { + "node": ">=8.6" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "dev": true, + "license": "MIT" + }, + "node_modules/mz": { + "version": "2.7.0", + "resolved": "https://registry.npmjs.org/mz/-/mz-2.7.0.tgz", + "integrity": "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q==", + "dev": true, + "license": "MIT", + "dependencies": { + "any-promise": "^1.0.0", + "object-assign": "^4.0.1", + "thenify-all": "^1.0.0" + } + }, + "node_modules/nanoid": { + "version": "3.3.11", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz", + "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "bin": { + "nanoid": "bin/nanoid.cjs" + }, + "engines": { + "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1" + } + }, + "node_modules/node-releases": { + "version": "2.0.27", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz", + "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==", + "dev": true, + "license": "MIT" + }, + "node_modules/normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/object-assign": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", + "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/object-hash": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz", + "integrity": "sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 6" + } + }, + "node_modules/oidc-client-ts": { + "version": "3.4.1", + "resolved": "https://registry.npmjs.org/oidc-client-ts/-/oidc-client-ts-3.4.1.tgz", + "integrity": "sha512-jNdst/U28Iasukx/L5MP6b274Vr7ftQs6qAhPBCvz6Wt5rPCA+Q/tUmCzfCHHWweWw5szeMy2Gfrm1rITwUKrw==", + "license": "Apache-2.0", + "dependencies": { + "jwt-decode": "^4.0.0" + }, + "engines": { + "node": ">=18" + } + }, + "node_modules/path-parse": { + "version": "1.0.7", + "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", + "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", + "dev": true, + "license": "MIT" + }, + "node_modules/picocolors": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz", + "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==", + "dev": true, + "license": "ISC" + }, + "node_modules/picomatch": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", + "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8.6" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, + "node_modules/pify": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz", + "integrity": "sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/pirates": { + "version": "4.0.7", + "resolved": "https://registry.npmjs.org/pirates/-/pirates-4.0.7.tgz", + "integrity": "sha512-TfySrs/5nm8fQJDcBDuUng3VOUKsd7S+zqvbOTiGXHfxX4wK31ard+hoNuvkicM/2YFzlpDgABOevKSsB4G/FA==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 6" + } + }, + "node_modules/postcss": { + "version": "8.5.6", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz", + "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/postcss" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "nanoid": "^3.3.11", + "picocolors": "^1.1.1", + "source-map-js": "^1.2.1" + }, + "engines": { + "node": "^10 || ^12 || >=14" + } + }, + "node_modules/postcss-import": { + "version": "15.1.0", + "resolved": "https://registry.npmjs.org/postcss-import/-/postcss-import-15.1.0.tgz", + "integrity": "sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew==", + "dev": true, + "license": "MIT", + "dependencies": { + "postcss-value-parser": "^4.0.0", + "read-cache": "^1.0.0", + "resolve": "^1.1.7" + }, + "engines": { + "node": ">=14.0.0" + }, + "peerDependencies": { + "postcss": "^8.0.0" + } + }, + "node_modules/postcss-js": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/postcss-js/-/postcss-js-4.1.0.tgz", + "integrity": "sha512-oIAOTqgIo7q2EOwbhb8UalYePMvYoIeRY2YKntdpFQXNosSu3vLrniGgmH9OKs/qAkfoj5oB3le/7mINW1LCfw==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "camelcase-css": "^2.0.1" + }, + "engines": { + "node": "^12 || ^14 || >= 16" + }, + "peerDependencies": { + "postcss": "^8.4.21" + } + }, + "node_modules/postcss-load-config": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-6.0.1.tgz", + "integrity": "sha512-oPtTM4oerL+UXmx+93ytZVN82RrlY/wPUV8IeDxFrzIjXOLF1pN+EmKPLbubvKHT2HC20xXsCAH2Z+CKV6Oz/g==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "lilconfig": "^3.1.1" + }, + "engines": { + "node": ">= 18" + }, + "peerDependencies": { + "jiti": ">=1.21.0", + "postcss": ">=8.0.9", + "tsx": "^4.8.1", + "yaml": "^2.4.2" + }, + "peerDependenciesMeta": { + "jiti": { + "optional": true + }, + "postcss": { + "optional": true + }, + "tsx": { + "optional": true + }, + "yaml": { + "optional": true + } + } + }, + "node_modules/postcss-nested": { + "version": "6.2.0", + "resolved": "https://registry.npmjs.org/postcss-nested/-/postcss-nested-6.2.0.tgz", + "integrity": "sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/postcss/" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "postcss-selector-parser": "^6.1.1" + }, + "engines": { + "node": ">=12.0" + }, + "peerDependencies": { + "postcss": "^8.2.14" + } + }, + "node_modules/postcss-selector-parser": { + "version": "6.1.2", + "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.1.2.tgz", + "integrity": "sha512-Q8qQfPiZ+THO/3ZrOrO0cJJKfpYCagtMUkXbnEfmgUjwXg6z/WBeOyS9APBBPCTSiDV+s4SwQGu8yFsiMRIudg==", + "dev": true, + "license": "MIT", + "dependencies": { + "cssesc": "^3.0.0", + "util-deprecate": "^1.0.2" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/postcss-value-parser": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/postcss-value-parser/-/postcss-value-parser-4.2.0.tgz", + "integrity": "sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/prop-types": { + "version": "15.8.1", + "resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz", + "integrity": "sha512-oj87CgZICdulUohogVAR7AjlC0327U4el4L6eAvOqCeudMDVU0NThNaV+b9Df4dXgSP1gXMTnPdhfe/2qDH5cg==", + "license": "MIT", + "dependencies": { + "loose-envify": "^1.4.0", + "object-assign": "^4.1.1", + "react-is": "^16.13.1" + } + }, + "node_modules/prop-types/node_modules/react-is": { + "version": "16.13.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-16.13.1.tgz", + "integrity": "sha512-24e6ynE2H+OKt4kqsOvNd8kBpV65zoxbA4BVsEOB3ARVWQki/DHzaUoC5KuON/BiccDaCCTZBuOcfZs70kR8bQ==", + "license": "MIT" + }, + "node_modules/queue-microtask": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz", + "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT" + }, + "node_modules/react": { + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz", + "integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==", + "license": "MIT", + "dependencies": { + "loose-envify": "^1.1.0" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/react-dom": { + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz", + "integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==", + "license": "MIT", + "dependencies": { + "loose-envify": "^1.1.0", + "scheduler": "^0.23.2" + }, + "peerDependencies": { + "react": "^18.3.1" + } + }, + "node_modules/react-hook-form": { + "version": "7.71.2", + "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.71.2.tgz", + "integrity": "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA==", + "license": "MIT", + "engines": { + "node": ">=18.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/react-hook-form" + }, + "peerDependencies": { + "react": "^16.8.0 || ^17 || ^18 || ^19" + } + }, + "node_modules/react-is": { + "version": "18.3.1", + "resolved": "https://registry.npmjs.org/react-is/-/react-is-18.3.1.tgz", + "integrity": "sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==", + "license": "MIT" + }, + "node_modules/react-oidc-context": { + "version": "3.3.0", + "resolved": "https://registry.npmjs.org/react-oidc-context/-/react-oidc-context-3.3.0.tgz", + "integrity": "sha512-302T/ma4AOVAxrHdYctDSKXjCq9KNHT564XEO2yOPxRfxEP58xa4nz+GQinNl8x7CnEXECSM5JEjQJk3Cr5BvA==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "peerDependencies": { + "oidc-client-ts": "^3.1.0", + "react": ">=16.14.0" + } + }, + "node_modules/react-refresh": { + "version": "0.17.0", + "resolved": "https://registry.npmjs.org/react-refresh/-/react-refresh-0.17.0.tgz", + "integrity": "sha512-z6F7K9bV85EfseRCp2bzrpyQ0Gkw1uLoCel9XBVWPg/TjRj94SkJzUTGfOa4bs7iJvBWtQG0Wq7wnI0syw3EBQ==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/react-remove-scroll": { + "version": "2.7.2", + "resolved": "https://registry.npmjs.org/react-remove-scroll/-/react-remove-scroll-2.7.2.tgz", + "integrity": "sha512-Iqb9NjCCTt6Hf+vOdNIZGdTiH1QSqr27H/Ek9sv/a97gfueI/5h1s3yRi1nngzMUaOOToin5dI1dXKdXiF+u0Q==", + "license": "MIT", + "dependencies": { + "react-remove-scroll-bar": "^2.3.7", + "react-style-singleton": "^2.2.3", + "tslib": "^2.1.0", + "use-callback-ref": "^1.3.3", + "use-sidecar": "^1.1.3" + }, + "engines": { + "node": ">=10" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/react-remove-scroll-bar": { + "version": "2.3.8", + "resolved": "https://registry.npmjs.org/react-remove-scroll-bar/-/react-remove-scroll-bar-2.3.8.tgz", + "integrity": "sha512-9r+yi9+mgU33AKcj6IbT9oRCO78WriSj6t/cF8DWBZJ9aOGPOTEDvdUDz1FwKim7QXWwmHqtdHnRJfhAxEG46Q==", + "license": "MIT", + "dependencies": { + "react-style-singleton": "^2.2.2", + "tslib": "^2.0.0" + }, + "engines": { + "node": ">=10" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/react-router": { + "version": "6.30.3", + "resolved": "https://registry.npmjs.org/react-router/-/react-router-6.30.3.tgz", + "integrity": "sha512-XRnlbKMTmktBkjCLE8/XcZFlnHvr2Ltdr1eJX4idL55/9BbORzyZEaIkBFDhFGCEWBBItsVrDxwx3gnisMitdw==", + "license": "MIT", + "dependencies": { + "@remix-run/router": "1.23.2" + }, + "engines": { + "node": ">=14.0.0" + }, + "peerDependencies": { + "react": ">=16.8" + } + }, + "node_modules/react-router-dom": { + "version": "6.30.3", + "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.30.3.tgz", + "integrity": "sha512-pxPcv1AczD4vso7G4Z3TKcvlxK7g7TNt3/FNGMhfqyntocvYKj+GCatfigGDjbLozC4baguJ0ReCigoDJXb0ag==", + "license": "MIT", + "dependencies": { + "@remix-run/router": "1.23.2", + "react-router": "6.30.3" + }, + "engines": { + "node": ">=14.0.0" + }, + "peerDependencies": { + "react": ">=16.8", + "react-dom": ">=16.8" + } + }, + "node_modules/react-smooth": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/react-smooth/-/react-smooth-4.0.4.tgz", + "integrity": "sha512-gnGKTpYwqL0Iii09gHobNolvX4Kiq4PKx6eWBCYYix+8cdw+cGo3do906l1NBPKkSWx1DghC1dlWG9L2uGd61Q==", + "license": "MIT", + "dependencies": { + "fast-equals": "^5.0.1", + "prop-types": "^15.8.1", + "react-transition-group": "^4.4.5" + }, + "peerDependencies": { + "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0", + "react-dom": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" + } + }, + "node_modules/react-style-singleton": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/react-style-singleton/-/react-style-singleton-2.2.3.tgz", + "integrity": "sha512-b6jSvxvVnyptAiLjbkWLE/lOnR4lfTtDAl+eUC7RZy+QQWc6wRzIV2CE6xBuMmDxc2qIihtDCZD5NPOFl7fRBQ==", + "license": "MIT", + "dependencies": { + "get-nonce": "^1.0.0", + "tslib": "^2.0.0" + }, + "engines": { + "node": ">=10" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/react-transition-group": { + "version": "4.4.5", + "resolved": "https://registry.npmjs.org/react-transition-group/-/react-transition-group-4.4.5.tgz", + "integrity": "sha512-pZcd1MCJoiKiBR2NRxeCRg13uCXbydPnmB4EOeRrY7480qNWO8IIgQG6zlDkm6uRMsURXPuKq0GWtiM59a5Q6g==", + "license": "BSD-3-Clause", + "dependencies": { + "@babel/runtime": "^7.5.5", + "dom-helpers": "^5.0.1", + "loose-envify": "^1.4.0", + "prop-types": "^15.6.2" + }, + "peerDependencies": { + "react": ">=16.6.0", + "react-dom": ">=16.6.0" + } + }, + "node_modules/read-cache": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/read-cache/-/read-cache-1.0.0.tgz", + "integrity": "sha512-Owdv/Ft7IjOgm/i0xvNDZ1LrRANRfew4b2prF3OWMQLxLfu3bS8FVhCsrSCMK4lR56Y9ya+AThoTpDCTxCmpRA==", + "dev": true, + "license": "MIT", + "dependencies": { + "pify": "^2.3.0" + } + }, + "node_modules/readdirp": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", + "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", + "dev": true, + "license": "MIT", + "dependencies": { + "picomatch": "^2.2.1" + }, + "engines": { + "node": ">=8.10.0" + } + }, + "node_modules/recharts": { + "version": "2.15.4", + "resolved": "https://registry.npmjs.org/recharts/-/recharts-2.15.4.tgz", + "integrity": "sha512-UT/q6fwS3c1dHbXv2uFgYJ9BMFHu3fwnd7AYZaEQhXuYQ4hgsxLvsUXzGdKeZrW5xopzDCvuA2N41WJ88I7zIw==", + "license": "MIT", + "dependencies": { + "clsx": "^2.0.0", + "eventemitter3": "^4.0.1", + "lodash": "^4.17.21", + "react-is": "^18.3.1", + "react-smooth": "^4.0.4", + "recharts-scale": "^0.4.4", + "tiny-invariant": "^1.3.1", + "victory-vendor": "^36.6.8" + }, + "engines": { + "node": ">=14" + }, + "peerDependencies": { + "react": "^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0", + "react-dom": "^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" + } + }, + "node_modules/recharts-scale": { + "version": "0.4.5", + "resolved": "https://registry.npmjs.org/recharts-scale/-/recharts-scale-0.4.5.tgz", + "integrity": "sha512-kivNFO+0OcUNu7jQquLXAxz1FIwZj8nrj+YkOKc5694NbjCvcT6aSZiIzNzd2Kul4o4rTto8QVR9lMNtxD4G1w==", + "license": "MIT", + "dependencies": { + "decimal.js-light": "^2.4.1" + } + }, + "node_modules/resolve": { + "version": "1.22.11", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.11.tgz", + "integrity": "sha512-RfqAvLnMl313r7c9oclB1HhUEAezcpLjz95wFH4LVuhk9JF/r22qmVP9AMmOU4vMX7Q8pN8jwNg/CSpdFnMjTQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-core-module": "^2.16.1", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + }, + "bin": { + "resolve": "bin/resolve" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/reusify": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz", + "integrity": "sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==", + "dev": true, + "license": "MIT", + "engines": { + "iojs": ">=1.0.0", + "node": ">=0.10.0" + } + }, + "node_modules/rollup": { + "version": "4.58.0", + "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.58.0.tgz", + "integrity": "sha512-wbT0mBmWbIvvq8NeEYWWvevvxnOyhKChir47S66WCxw1SXqhw7ssIYejnQEVt7XYQpsj2y8F9PM+Cr3SNEa0gw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/estree": "1.0.8" + }, + "bin": { + "rollup": "dist/bin/rollup" + }, + "engines": { + "node": ">=18.0.0", + "npm": ">=8.0.0" + }, + "optionalDependencies": { + "@rollup/rollup-android-arm-eabi": "4.58.0", + "@rollup/rollup-android-arm64": "4.58.0", + "@rollup/rollup-darwin-arm64": "4.58.0", + "@rollup/rollup-darwin-x64": "4.58.0", + "@rollup/rollup-freebsd-arm64": "4.58.0", + "@rollup/rollup-freebsd-x64": "4.58.0", + "@rollup/rollup-linux-arm-gnueabihf": "4.58.0", + "@rollup/rollup-linux-arm-musleabihf": "4.58.0", + "@rollup/rollup-linux-arm64-gnu": "4.58.0", + "@rollup/rollup-linux-arm64-musl": "4.58.0", + "@rollup/rollup-linux-loong64-gnu": "4.58.0", + "@rollup/rollup-linux-loong64-musl": "4.58.0", + "@rollup/rollup-linux-ppc64-gnu": "4.58.0", + "@rollup/rollup-linux-ppc64-musl": "4.58.0", + "@rollup/rollup-linux-riscv64-gnu": "4.58.0", + "@rollup/rollup-linux-riscv64-musl": "4.58.0", + "@rollup/rollup-linux-s390x-gnu": "4.58.0", + "@rollup/rollup-linux-x64-gnu": "4.58.0", + "@rollup/rollup-linux-x64-musl": "4.58.0", + "@rollup/rollup-openbsd-x64": "4.58.0", + "@rollup/rollup-openharmony-arm64": "4.58.0", + "@rollup/rollup-win32-arm64-msvc": "4.58.0", + "@rollup/rollup-win32-ia32-msvc": "4.58.0", + "@rollup/rollup-win32-x64-gnu": "4.58.0", + "@rollup/rollup-win32-x64-msvc": "4.58.0", + "fsevents": "~2.3.2" + } + }, + "node_modules/run-parallel": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz", + "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT", + "dependencies": { + "queue-microtask": "^1.2.2" + } + }, + "node_modules/scheduler": { + "version": "0.23.2", + "resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.2.tgz", + "integrity": "sha512-UOShsPwz7NrMUqhR6t0hWjFduvOzbtv7toDH1/hIrfRNIDBnnBWd0CwJTGvTpngVlmwGCdP9/Zl/tVrDqcuYzQ==", + "license": "MIT", + "dependencies": { + "loose-envify": "^1.1.0" + } + }, + "node_modules/semver": { + "version": "6.3.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz", + "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==", + "dev": true, + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + } + }, + "node_modules/source-map-js": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz", + "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==", + "dev": true, + "license": "BSD-3-Clause", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/sucrase": { + "version": "3.35.1", + "resolved": "https://registry.npmjs.org/sucrase/-/sucrase-3.35.1.tgz", + "integrity": "sha512-DhuTmvZWux4H1UOnWMB3sk0sbaCVOoQZjv8u1rDoTV0HTdGem9hkAZtl4JZy8P2z4Bg0nT+YMeOFyVr4zcG5Tw==", + "dev": true, + "license": "MIT", + "dependencies": { + "@jridgewell/gen-mapping": "^0.3.2", + "commander": "^4.0.0", + "lines-and-columns": "^1.1.6", + "mz": "^2.7.0", + "pirates": "^4.0.1", + "tinyglobby": "^0.2.11", + "ts-interface-checker": "^0.1.9" + }, + "bin": { + "sucrase": "bin/sucrase", + "sucrase-node": "bin/sucrase-node" + }, + "engines": { + "node": ">=16 || 14 >=14.17" + } + }, + "node_modules/supports-preserve-symlinks-flag": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", + "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/tailwind-merge": { + "version": "2.6.1", + "resolved": "https://registry.npmjs.org/tailwind-merge/-/tailwind-merge-2.6.1.tgz", + "integrity": "sha512-Oo6tHdpZsGpkKG88HJ8RR1rg/RdnEkQEfMoEk2x1XRI3F1AxeU+ijRXpiVUF4UbLfcxxRGw6TbUINKYdWVsQTQ==", + "license": "MIT", + "funding": { + "type": "github", + "url": "https://github.com/sponsors/dcastil" + } + }, + "node_modules/tailwindcss": { + "version": "3.4.19", + "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.4.19.tgz", + "integrity": "sha512-3ofp+LL8E+pK/JuPLPggVAIaEuhvIz4qNcf3nA1Xn2o/7fb7s/TYpHhwGDv1ZU3PkBluUVaF8PyCHcm48cKLWQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "@alloc/quick-lru": "^5.2.0", + "arg": "^5.0.2", + "chokidar": "^3.6.0", + "didyoumean": "^1.2.2", + "dlv": "^1.1.3", + "fast-glob": "^3.3.2", + "glob-parent": "^6.0.2", + "is-glob": "^4.0.3", + "jiti": "^1.21.7", + "lilconfig": "^3.1.3", + "micromatch": "^4.0.8", + "normalize-path": "^3.0.0", + "object-hash": "^3.0.0", + "picocolors": "^1.1.1", + "postcss": "^8.4.47", + "postcss-import": "^15.1.0", + "postcss-js": "^4.0.1", + "postcss-load-config": "^4.0.2 || ^5.0 || ^6.0", + "postcss-nested": "^6.2.0", + "postcss-selector-parser": "^6.1.2", + "resolve": "^1.22.8", + "sucrase": "^3.35.0" + }, + "bin": { + "tailwind": "lib/cli.js", + "tailwindcss": "lib/cli.js" + }, + "engines": { + "node": ">=14.0.0" + } + }, + "node_modules/thenify": { + "version": "3.3.1", + "resolved": "https://registry.npmjs.org/thenify/-/thenify-3.3.1.tgz", + "integrity": "sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==", + "dev": true, + "license": "MIT", + "dependencies": { + "any-promise": "^1.0.0" + } + }, + "node_modules/thenify-all": { + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/thenify-all/-/thenify-all-1.6.0.tgz", + "integrity": "sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA==", + "dev": true, + "license": "MIT", + "dependencies": { + "thenify": ">= 3.1.0 < 4" + }, + "engines": { + "node": ">=0.8" + } + }, + "node_modules/tiny-invariant": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/tiny-invariant/-/tiny-invariant-1.3.3.tgz", + "integrity": "sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==", + "license": "MIT" + }, + "node_modules/tinyglobby": { + "version": "0.2.15", + "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz", + "integrity": "sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "fdir": "^6.5.0", + "picomatch": "^4.0.3" + }, + "engines": { + "node": ">=12.0.0" + }, + "funding": { + "url": "https://github.com/sponsors/SuperchupuDev" + } + }, + "node_modules/tinyglobby/node_modules/fdir": { + "version": "6.5.0", + "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz", + "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=12.0.0" + }, + "peerDependencies": { + "picomatch": "^3 || ^4" + }, + "peerDependenciesMeta": { + "picomatch": { + "optional": true + } + } + }, + "node_modules/tinyglobby/node_modules/picomatch": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz", + "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, + "node_modules/to-regex-range": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "is-number": "^7.0.0" + }, + "engines": { + "node": ">=8.0" + } + }, + "node_modules/ts-interface-checker": { + "version": "0.1.13", + "resolved": "https://registry.npmjs.org/ts-interface-checker/-/ts-interface-checker-0.1.13.tgz", + "integrity": "sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA==", + "dev": true, + "license": "Apache-2.0" + }, + "node_modules/tslib": { + "version": "2.8.1", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz", + "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==", + "license": "0BSD" + }, + "node_modules/typescript": { + "version": "5.9.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici-types": { + "version": "6.21.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/update-browserslist-db": { + "version": "1.2.3", + "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz", + "integrity": "sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==", + "dev": true, + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/browserslist" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "MIT", + "dependencies": { + "escalade": "^3.2.0", + "picocolors": "^1.1.1" + }, + "bin": { + "update-browserslist-db": "cli.js" + }, + "peerDependencies": { + "browserslist": ">= 4.21.0" + } + }, + "node_modules/use-callback-ref": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/use-callback-ref/-/use-callback-ref-1.3.3.tgz", + "integrity": "sha512-jQL3lRnocaFtu3V00JToYz/4QkNWswxijDaCVNZRiRTO3HQDLsdu1ZtmIUvV4yPp+rvWm5j0y0TG/S61cuijTg==", + "license": "MIT", + "dependencies": { + "tslib": "^2.0.0" + }, + "engines": { + "node": ">=10" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/use-sidecar": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/use-sidecar/-/use-sidecar-1.1.3.tgz", + "integrity": "sha512-Fedw0aZvkhynoPYlA5WXrMCAMm+nSWdZt6lzJQ7Ok8S6Q+VsHmHpRWndVRJ8Be0ZbkfPc5LRYH+5XrzXcEeLRQ==", + "license": "MIT", + "dependencies": { + "detect-node-es": "^1.1.0", + "tslib": "^2.0.0" + }, + "engines": { + "node": ">=10" + }, + "peerDependencies": { + "@types/react": "*", + "react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 || ^19.0.0-rc" + }, + "peerDependenciesMeta": { + "@types/react": { + "optional": true + } + } + }, + "node_modules/util-deprecate": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", + "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==", + "dev": true, + "license": "MIT" + }, + "node_modules/victory-vendor": { + "version": "36.9.2", + "resolved": "https://registry.npmjs.org/victory-vendor/-/victory-vendor-36.9.2.tgz", + "integrity": "sha512-PnpQQMuxlwYdocC8fIJqVXvkeViHYzotI+NJrCuav0ZYFoq912ZHBk3mCeuj+5/VpodOjPe1z0Fk2ihgzlXqjQ==", + "license": "MIT AND ISC", + "dependencies": { + "@types/d3-array": "^3.0.3", + "@types/d3-ease": "^3.0.0", + "@types/d3-interpolate": "^3.0.1", + "@types/d3-scale": "^4.0.2", + "@types/d3-shape": "^3.1.0", + "@types/d3-time": "^3.0.0", + "@types/d3-timer": "^3.0.0", + "d3-array": "^3.1.6", + "d3-ease": "^3.0.1", + "d3-interpolate": "^3.0.1", + "d3-scale": "^4.0.2", + "d3-shape": "^3.1.0", + "d3-time": "^3.0.0", + "d3-timer": "^3.0.1" + } + }, + "node_modules/vite": { + "version": "5.4.21", + "resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz", + "integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==", + "dev": true, + "license": "MIT", + "dependencies": { + "esbuild": "^0.21.3", + "postcss": "^8.4.43", + "rollup": "^4.20.0" + }, + "bin": { + "vite": "bin/vite.js" + }, + "engines": { + "node": "^18.0.0 || >=20.0.0" + }, + "funding": { + "url": "https://github.com/vitejs/vite?sponsor=1" + }, + "optionalDependencies": { + "fsevents": "~2.3.3" + }, + "peerDependencies": { + "@types/node": "^18.0.0 || >=20.0.0", + "less": "*", + "lightningcss": "^1.21.0", + "sass": "*", + "sass-embedded": "*", + "stylus": "*", + "sugarss": "*", + "terser": "^5.4.0" + }, + "peerDependenciesMeta": { + "@types/node": { + "optional": true + }, + "less": { + "optional": true + }, + "lightningcss": { + "optional": true + }, + "sass": { + "optional": true + }, + "sass-embedded": { + "optional": true + }, + "stylus": { + "optional": true + }, + "sugarss": { + "optional": true + }, + "terser": { + "optional": true + } + } + }, + "node_modules/yallist": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz", + "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==", + "dev": true, + "license": "ISC" + }, + "node_modules/zod": { + "version": "3.25.76", + "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz", + "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/colinhacks" + } + } + } +} diff --git a/web/package.json b/web/package.json new file mode 100644 index 0000000..6ccb7ad --- /dev/null +++ b/web/package.json @@ -0,0 +1,47 @@ +{ + "name": "veylant-dashboard", + "version": "0.1.0", + "private": true, + "type": "module", + "scripts": { + "dev": "vite", + "build": "tsc && vite build", + "preview": "vite preview", + "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0" + }, + "dependencies": { + "@hookform/resolvers": "^3.9.0", + "@radix-ui/react-alert-dialog": "^1.1.1", + "@radix-ui/react-dialog": "^1.1.1", + "@radix-ui/react-label": "^2.1.0", + "@radix-ui/react-select": "^2.1.1", + "@radix-ui/react-separator": "^1.1.0", + "@radix-ui/react-slot": "^1.1.0", + "@radix-ui/react-switch": "^1.1.0", + "@tanstack/react-query": "^5.56.2", + "class-variance-authority": "^0.7.0", + "clsx": "^2.1.1", + "date-fns": "^3.6.0", + "lucide-react": "^0.446.0", + "oidc-client-ts": "^3.1.0", + "react": "^18.3.1", + "react-dom": "^18.3.1", + "react-hook-form": "^7.53.0", + "react-oidc-context": "^3.2.0", + "react-router-dom": "^6.26.2", + "recharts": "^2.12.7", + "tailwind-merge": "^2.5.2", + "zod": "^3.23.8" + }, + "devDependencies": { + "@types/node": "^22.5.5", + "@types/react": "^18.3.5", + "@types/react-dom": "^18.3.0", + "@vitejs/plugin-react": "^4.3.1", + "autoprefixer": "^10.4.20", + "postcss": "^8.4.45", + "tailwindcss": "^3.4.11", + "typescript": "^5.5.3", + "vite": "^5.4.3" + } +} diff --git a/web/postcss.config.js b/web/postcss.config.js new file mode 100644 index 0000000..2aa7205 --- /dev/null +++ b/web/postcss.config.js @@ -0,0 +1,6 @@ +export default { + plugins: { + tailwindcss: {}, + autoprefixer: {}, + }, +}; diff --git a/web/src/api/client.ts b/web/src/api/client.ts new file mode 100644 index 0000000..c9e7c7f --- /dev/null +++ b/web/src/api/client.ts @@ -0,0 +1,45 @@ +import { getToken } from "@/auth/AuthProvider"; + +export class ApiError extends Error { + constructor( + public readonly status: number, + public readonly type: string, + message: string + ) { + super(message); + this.name = "ApiError"; + } +} + +export async function apiFetch(path: string, options: RequestInit = {}): Promise { + const token = getToken(); + + const headers: Record = { + "Content-Type": "application/json", + ...(options.headers as Record), + }; + + if (token) { + headers["Authorization"] = `Bearer ${token}`; + } + + const res = await fetch(path, { ...options, headers }); + + if (!res.ok) { + let type = "api_error"; + let message = `HTTP ${res.status}`; + try { + const body = await res.json(); + if (body?.error) { + type = body.error.type ?? type; + message = body.error.message ?? message; + } + } catch { + // ignore parse error + } + throw new ApiError(res.status, type, message); + } + + if (res.status === 204) return undefined as T; + return res.json() as Promise; +} diff --git a/web/src/api/compliance.ts b/web/src/api/compliance.ts new file mode 100644 index 0000000..491785b --- /dev/null +++ b/web/src/api/compliance.ts @@ -0,0 +1,103 @@ +import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query"; +import { apiFetch } from "./client"; +import { getToken } from "@/auth/AuthProvider"; +import type { ProcessingEntry, GdprAccessResult, ErasureResult } from "@/types/api"; + +const BASE = "/v1/admin/compliance"; + +// ─── Entries CRUD ────────────────────────────────────────────────────────────── + +export function useListEntries() { + return useQuery({ + queryKey: ["compliance", "entries"], + queryFn: () => apiFetch<{ data: ProcessingEntry[] }>(`${BASE}/entries`).then((r) => r.data), + }); +} + +export function useGetEntry(id: string) { + return useQuery({ + queryKey: ["compliance", "entries", id], + queryFn: () => apiFetch(`${BASE}/entries/${id}`), + enabled: !!id, + }); +} + +export function useCreateEntry() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: (body: Omit) => + apiFetch(`${BASE}/entries`, { method: "POST", body: JSON.stringify(body) }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["compliance", "entries"] }), + }); +} + +export function useUpdateEntry() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: ({ id, ...body }: Partial & { id: string }) => + apiFetch(`${BASE}/entries/${id}`, { method: "PUT", body: JSON.stringify(body) }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["compliance", "entries"] }), + }); +} + +export function useDeleteEntry() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: (id: string) => + apiFetch(`${BASE}/entries/${id}`, { method: "DELETE" }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["compliance", "entries"] }), + }); +} + +// ─── AI Act classification ───────────────────────────────────────────────────── + +export function useClassifyEntry() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: ({ id, answers }: { id: string; answers: Record }) => + apiFetch(`${BASE}/entries/${id}/classify`, { + method: "POST", + body: JSON.stringify({ answers }), + }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["compliance", "entries"] }), + }); +} + +// ─── GDPR ────────────────────────────────────────────────────────────────────── + +export function useGdprAccess(userId: string, enabled: boolean) { + return useQuery({ + queryKey: ["compliance", "gdpr", "access", userId], + queryFn: () => apiFetch(`${BASE}/gdpr/access/${encodeURIComponent(userId)}`), + enabled: enabled && !!userId, + }); +} + +export function useGdprErase() { + return useMutation({ + mutationFn: ({ userId, reason }: { userId: string; reason: string }) => + apiFetch(`${BASE}/gdpr/erase/${encodeURIComponent(userId)}`, { + method: "DELETE", + body: JSON.stringify({ reason }), + }), + }); +} + +// ─── PDF / CSV download utility ──────────────────────────────────────────────── + +export async function downloadPdf(url: string, filename: string): Promise { + const token = getToken(); + const headers: Record = {}; + if (token) headers["Authorization"] = `Bearer ${token}`; + + const res = await fetch(url, { headers }); + if (!res.ok) throw new Error(`Download failed: HTTP ${res.status}`); + + const blob = await res.blob(); + const objectUrl = URL.createObjectURL(blob); + const a = document.createElement("a"); + a.href = objectUrl; + a.download = filename; + a.click(); + URL.revokeObjectURL(objectUrl); +} diff --git a/web/src/api/costs.ts b/web/src/api/costs.ts new file mode 100644 index 0000000..a12d3df --- /dev/null +++ b/web/src/api/costs.ts @@ -0,0 +1,27 @@ +import { useQuery } from "@tanstack/react-query"; +import { apiFetch } from "./client"; +import type { CostResult } from "@/types/api"; + +export interface CostQueryParams { + group_by?: "provider" | "model" | "department"; + start?: string; + end?: string; +} + +function buildQueryString(params: Record): string { + const q = new URLSearchParams(); + for (const [k, v] of Object.entries(params)) { + if (v) q.set(k, v); + } + const s = q.toString(); + return s ? `?${s}` : ""; +} + +export function useCosts(params: CostQueryParams = {}, refetchInterval?: number) { + const qs = buildQueryString(params as Record); + return useQuery({ + queryKey: ["costs", params], + queryFn: () => apiFetch(`/v1/admin/costs${qs}`), + refetchInterval, + }); +} diff --git a/web/src/api/logs.ts b/web/src/api/logs.ts new file mode 100644 index 0000000..d3fcbf8 --- /dev/null +++ b/web/src/api/logs.ts @@ -0,0 +1,40 @@ +import { useQuery } from "@tanstack/react-query"; +import { apiFetch } from "./client"; +import type { AuditResult } from "@/types/api"; + +export interface AuditQueryParams { + provider?: string; + min_sensitivity?: string; + start?: string; + end?: string; + limit?: number; + offset?: number; +} + +function buildQueryString(params: Record): string { + const q = new URLSearchParams(); + for (const [k, v] of Object.entries(params)) { + if (v !== undefined && v !== "") q.set(k, String(v)); + } + const s = q.toString(); + return s ? `?${s}` : ""; +} + +export function useAuditLogs(params: AuditQueryParams = {}, refetchInterval?: number) { + const qs = buildQueryString(params as Record); + return useQuery({ + queryKey: ["logs", params], + queryFn: () => apiFetch(`/v1/admin/logs${qs}`), + refetchInterval, + }); +} + +// Convenience hook for total request count +export function useRequestCount() { + return useQuery({ + queryKey: ["logs", "count"], + queryFn: () => apiFetch("/v1/admin/logs?limit=1&offset=0"), + select: (d) => d.total, + refetchInterval: 30_000, + }); +} diff --git a/web/src/api/pii.ts b/web/src/api/pii.ts new file mode 100644 index 0000000..cfb336e --- /dev/null +++ b/web/src/api/pii.ts @@ -0,0 +1,13 @@ +import { useMutation } from "@tanstack/react-query"; +import { apiFetch } from "./client"; +import type { PiiAnalyzeResult } from "@/types/api"; + +export function usePiiAnalyze() { + return useMutation({ + mutationFn: (text: string) => + apiFetch("/v1/pii/analyze", { + method: "POST", + body: JSON.stringify({ text }), + }), + }); +} diff --git a/web/src/api/policies.ts b/web/src/api/policies.ts new file mode 100644 index 0000000..91b8c76 --- /dev/null +++ b/web/src/api/policies.ts @@ -0,0 +1,74 @@ +import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query"; +import { apiFetch } from "./client"; +import type { RoutingRule } from "@/types/api"; + +interface ListPoliciesResponse { + data: RoutingRule[]; +} + +export function useListPolicies() { + return useQuery({ + queryKey: ["policies"], + queryFn: () => apiFetch("/v1/admin/policies"), + select: (d) => d.data, + }); +} + +export function useGetPolicy(id: string) { + return useQuery({ + queryKey: ["policies", id], + queryFn: () => apiFetch(`/v1/admin/policies/${id}`), + enabled: !!id, + }); +} + +export interface PolicyPayload { + name: string; + description: string; + priority: number; + is_enabled: boolean; + conditions: Array<{ field: string; operator: string; value: string }>; + action: { provider: string; model: string; fallback_chain?: string[] }; +} + +export function useCreatePolicy() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: (payload: PolicyPayload) => + apiFetch("/v1/admin/policies", { + method: "POST", + body: JSON.stringify(payload), + }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["policies"] }), + }); +} + +export function useUpdatePolicy() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: ({ id, payload }: { id: string; payload: PolicyPayload }) => + apiFetch(`/v1/admin/policies/${id}`, { + method: "PUT", + body: JSON.stringify(payload), + }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["policies"] }), + }); +} + +export function useDeletePolicy() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: (id: string) => + apiFetch(`/v1/admin/policies/${id}`, { method: "DELETE" }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["policies"] }), + }); +} + +export function useSeedTemplate() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: (template: string) => + apiFetch(`/v1/admin/policies/seed/${template}`, { method: "POST" }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["policies"] }), + }); +} diff --git a/web/src/api/providers.ts b/web/src/api/providers.ts new file mode 100644 index 0000000..055b4c3 --- /dev/null +++ b/web/src/api/providers.ts @@ -0,0 +1,11 @@ +import { useQuery } from "@tanstack/react-query"; +import { apiFetch } from "./client"; +import type { ProviderStatus } from "@/types/api"; + +export function useProviderStatuses() { + return useQuery({ + queryKey: ["providers", "status"], + queryFn: () => apiFetch("/v1/admin/providers/status"), + refetchInterval: 15_000, + }); +} diff --git a/web/src/api/users.ts b/web/src/api/users.ts new file mode 100644 index 0000000..d2e58eb --- /dev/null +++ b/web/src/api/users.ts @@ -0,0 +1,37 @@ +import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query"; +import { apiFetch } from "./client"; +import type { User } from "@/types/api"; + +export function useListUsers() { + return useQuery({ + queryKey: ["users"], + queryFn: () => apiFetch<{ data: User[] }>("/v1/admin/users").then((r) => r.data), + }); +} + +export function useCreateUser() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: (body: Omit) => + apiFetch("/v1/admin/users", { method: "POST", body: JSON.stringify(body) }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["users"] }), + }); +} + +export function useUpdateUser() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: ({ id, ...body }: Partial & { id: string }) => + apiFetch(`/v1/admin/users/${id}`, { method: "PUT", body: JSON.stringify(body) }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["users"] }), + }); +} + +export function useDeleteUser() { + const qc = useQueryClient(); + return useMutation({ + mutationFn: (id: string) => + apiFetch(`/v1/admin/users/${id}`, { method: "DELETE" }), + onSuccess: () => qc.invalidateQueries({ queryKey: ["users"] }), + }); +} diff --git a/web/src/auth/AuthProvider.tsx b/web/src/auth/AuthProvider.tsx new file mode 100644 index 0000000..7ba9639 --- /dev/null +++ b/web/src/auth/AuthProvider.tsx @@ -0,0 +1,166 @@ +import React, { createContext, useContext, useState, useEffect, useCallback } from "react"; +import { AuthProvider as OidcAuthProvider, useAuth as useOidcAuth } from "react-oidc-context"; + +const AUTH_MODE = import.meta.env.VITE_AUTH_MODE ?? "dev"; + +// ─── Shared user type ───────────────────────────────────────────────────────── + +export interface AuthUser { + id: string; + email: string; + name: string; + roles: string[]; + token: string; +} + +// ─── Dev mode auth ──────────────────────────────────────────────────────────── + +interface DevAuthContextValue { + user: AuthUser | null; + isLoading: boolean; + isAuthenticated: boolean; + login: () => void; + logout: () => void; +} + +const DevAuthContext = createContext(null); + +const DEV_USER: AuthUser = { + id: "dev-user", + email: "dev@veylant.local", + name: "Dev Admin", + roles: ["admin"], + token: "dev-token", +}; + +function DevAuthProvider({ children }: { children: React.ReactNode }) { + const [user, setUser] = useState(() => { + return sessionStorage.getItem("dev-authed") ? DEV_USER : null; + }); + + const login = useCallback(() => { + sessionStorage.setItem("dev-authed", "1"); + setUser(DEV_USER); + }, []); + + const logout = useCallback(() => { + sessionStorage.removeItem("dev-authed"); + setUser(null); + }, []); + + return ( + + {children} + + ); +} + +// ─── OIDC mode adapter ──────────────────────────────────────────────────────── + +interface UnifiedAuthContextValue { + user: AuthUser | null; + isLoading: boolean; + isAuthenticated: boolean; + login: () => void; + logout: () => void; +} + +const UnifiedAuthContext = createContext(null); + +function OidcAdapter({ children }: { children: React.ReactNode }) { + const auth = useOidcAuth(); + + const user: AuthUser | null = auth.user + ? { + id: auth.user.profile.sub, + email: auth.user.profile.email ?? "", + name: auth.user.profile.name ?? auth.user.profile.email ?? "", + roles: (auth.user.profile as Record)["realm_access"] + ? ((auth.user.profile as Record)["realm_access"] as { roles: string[] }).roles + : [], + token: auth.user.access_token, + } + : null; + + return ( + void auth.signinRedirect(), + logout: () => void auth.signoutRedirect(), + }} + > + {children} + + ); +} + +// ─── Public hook ────────────────────────────────────────────────────────────── + +export function useAuth(): UnifiedAuthContextValue { + if (AUTH_MODE === "dev") { + // eslint-disable-next-line react-hooks/rules-of-hooks + const ctx = useContext(DevAuthContext); + if (!ctx) throw new Error("useAuth must be used inside AuthProvider"); + return ctx; + } + // eslint-disable-next-line react-hooks/rules-of-hooks + const ctx = useContext(UnifiedAuthContext); + if (!ctx) throw new Error("useAuth must be used inside AuthProvider"); + return ctx; +} + +// ─── Root AuthProvider ──────────────────────────────────────────────────────── + +const oidcConfig = { + authority: import.meta.env.VITE_KEYCLOAK_URL ?? "http://localhost:8080/realms/veylant", + client_id: "veylant-dashboard", + redirect_uri: `${window.location.origin}/callback`, + scope: "openid profile email", + onSigninCallback: () => { + window.history.replaceState({}, document.title, window.location.pathname); + }, +}; + +export function AuthProvider({ children }: { children: React.ReactNode }) { + if (AUTH_MODE === "dev") { + return {children}; + } + + return ( + + + + {(ctx) => + ctx ? ( + {children} + ) : null + } + + + + ); +} + +// Token accessor for API client (outside React tree) +let _getToken: (() => string | null) | null = null; + +export function setTokenAccessor(fn: () => string | null) { + _getToken = fn; +} + +export function getToken(): string | null { + return _getToken ? _getToken() : null; +} + +// Hook to register token accessor in context +export function useRegisterTokenAccessor() { + const auth = useAuth(); + useEffect(() => { + setTokenAccessor(() => auth.user?.token ?? null); + }, [auth.user]); +} diff --git a/web/src/components/AppLayout.tsx b/web/src/components/AppLayout.tsx new file mode 100644 index 0000000..90483c4 --- /dev/null +++ b/web/src/components/AppLayout.tsx @@ -0,0 +1,20 @@ +import { Outlet } from "react-router-dom"; +import { Sidebar } from "./Sidebar"; +import { Header } from "./Header"; +import { useRegisterTokenAccessor } from "@/auth/AuthProvider"; + +export function AppLayout() { + useRegisterTokenAccessor(); + + return ( +
+ +
+
+
+ +
+
+
+ ); +} diff --git a/web/src/components/Header.tsx b/web/src/components/Header.tsx new file mode 100644 index 0000000..e3d2792 --- /dev/null +++ b/web/src/components/Header.tsx @@ -0,0 +1,84 @@ +import { useState, useEffect } from "react"; +import { useLocation, useNavigate } from "react-router-dom"; +import { LogOut, User, Bell } from "lucide-react"; +import { Button } from "@/components/ui/button"; +import { useAuth } from "@/auth/AuthProvider"; +import { useCosts } from "@/api/costs"; + +const breadcrumbMap: Record = { + "/": "Vue d'ensemble", + "/policies": "Politiques de routage", + "/users": "Utilisateurs", + "/providers": "Fournisseurs IA", + "/alerts": "Alertes Budget", + "/logs": "Journaux d'audit", + "/settings": "Paramètres", + "/playground": "Playground IA", + "/security": "Sécurité RSSI", + "/costs": "Coûts IA", + "/compliance": "Conformité RGPD / AI Act", +}; + +const STORAGE_KEY = "veylant_budget_alerts"; + +interface BudgetAlert { + id: string; + threshold: number; +} + +function loadAlerts(): BudgetAlert[] { + try { + return JSON.parse(localStorage.getItem(STORAGE_KEY) ?? "[]"); + } catch { + return []; + } +} + +export function Header() { + const location = useLocation(); + const navigate = useNavigate(); + const { user, logout } = useAuth(); + const title = breadcrumbMap[location.pathname] ?? "Dashboard"; + + const [alerts] = useState(loadAlerts); + const { data: costData } = useCosts({}, 60_000); + const totalCost = costData?.data.reduce((s, c) => s + c.total_cost_usd, 0) ?? 0; + const triggeredCount = alerts.filter((a) => totalCost >= a.threshold).length; + + return ( +
+

{title}

+ +
+ {/* Bell badge — E8-13 */} + + +
+ + {user?.name ?? user?.email} + {user?.roles[0] && ( + + {user.roles[0]} + + )} +
+ +
+
+ ); +} diff --git a/web/src/components/KpiCard.tsx b/web/src/components/KpiCard.tsx new file mode 100644 index 0000000..fc7f041 --- /dev/null +++ b/web/src/components/KpiCard.tsx @@ -0,0 +1,53 @@ +import { LucideIcon } from "lucide-react"; +import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card"; +import { Skeleton } from "@/components/ui/skeleton"; +import { cn } from "@/lib/utils"; + +interface KpiCardProps { + title: string; + value: string | number | undefined; + subtitle?: string; + icon: LucideIcon; + isLoading?: boolean; + trend?: "up" | "down" | "neutral"; + className?: string; +} + +export function KpiCard({ + title, + value, + subtitle, + icon: Icon, + isLoading, + trend, + className, +}: KpiCardProps) { + return ( + + + {title} + + + + {isLoading ? ( + <> + + + + ) : ( + <> +
+ {value ?? "—"} +
+ {subtitle &&

{subtitle}

} + + )} + + + ); +} diff --git a/web/src/components/PiiHighlight.tsx b/web/src/components/PiiHighlight.tsx new file mode 100644 index 0000000..11e936b --- /dev/null +++ b/web/src/components/PiiHighlight.tsx @@ -0,0 +1,58 @@ +import type { PiiEntity } from "@/types/api"; + +const ENTITY_COLORS: Record = { + IBAN_CODE: { bg: "bg-red-100", text: "text-red-800", label: "IBAN" }, + CREDIT_CARD: { bg: "bg-red-100", text: "text-red-800", label: "CB" }, + EMAIL: { bg: "bg-orange-100", text: "text-orange-800", label: "Email" }, + PHONE_NUMBER: { bg: "bg-purple-100", text: "text-purple-800", label: "Tél." }, + PERSON: { bg: "bg-blue-100", text: "text-blue-800", label: "Personne" }, + FR_SSN: { bg: "bg-rose-100", text: "text-rose-800", label: "INSEE" }, + LOCATION: { bg: "bg-green-100", text: "text-green-800", label: "Lieu" }, + ORGANIZATION: { bg: "bg-teal-100", text: "text-teal-800", label: "Org." }, +}; + +const DEFAULT_COLOR = { bg: "bg-yellow-100", text: "text-yellow-800", label: "PII" }; + +interface Props { + text: string; + entities: PiiEntity[]; + className?: string; +} + +export function PiiHighlight({ text, entities, className }: Props) { + if (entities.length === 0) { + return {text}; + } + + // Sort by start position + const sorted = [...entities].sort((a, b) => a.start - b.start); + + const parts: React.ReactNode[] = []; + let cursor = 0; + + for (const entity of sorted) { + if (entity.start > cursor) { + parts.push( + {text.slice(cursor, entity.start)} + ); + } + const color = ENTITY_COLORS[entity.type] ?? DEFAULT_COLOR; + parts.push( + + {text.slice(entity.start, entity.end)} + {color.label} + + ); + cursor = entity.end; + } + + if (cursor < text.length) { + parts.push({text.slice(cursor)}); + } + + return {parts}; +} diff --git a/web/src/components/PolicyForm.tsx b/web/src/components/PolicyForm.tsx new file mode 100644 index 0000000..4e370a6 --- /dev/null +++ b/web/src/components/PolicyForm.tsx @@ -0,0 +1,243 @@ +import { useEffect } from "react"; +import { useForm, useFieldArray } from "react-hook-form"; +import { zodResolver } from "@hookform/resolvers/zod"; +import { z } from "zod"; +import { Plus, Trash2 } from "lucide-react"; +import { + Dialog, + DialogContent, + DialogHeader, + DialogTitle, + DialogFooter, +} from "@/components/ui/dialog"; +import { Button } from "@/components/ui/button"; +import { Input } from "@/components/ui/input"; +import { Label } from "@/components/ui/label"; +import { Textarea } from "@/components/ui/textarea"; +import { Switch } from "@/components/ui/switch"; +import { + Select, + SelectContent, + SelectItem, + SelectTrigger, + SelectValue, +} from "@/components/ui/select"; +import type { RoutingRule } from "@/types/api"; +import type { PolicyPayload } from "@/api/policies"; + +const conditionSchema = z.object({ + field: z.string().min(1, "Champ requis"), + operator: z.string().min(1, "Opérateur requis"), + value: z.string().min(1, "Valeur requise"), +}); + +const policySchema = z.object({ + name: z.string().min(1, "Le nom est requis"), + description: z.string(), + priority: z.coerce.number().int().min(1).max(1000), + is_enabled: z.boolean(), + conditions: z.array(conditionSchema), + action: z.object({ + provider: z.string().min(1, "Le fournisseur est requis"), + model: z.string().min(1, "Le modèle est requis"), + fallback_chain: z.array(z.string()).optional(), + }), +}); + +type PolicyFormData = z.infer; + +const PROVIDERS = ["openai", "anthropic", "azure", "mistral", "ollama"]; +const CONDITION_FIELDS = ["department", "user_role", "model", "sensitivity_level", "tenant_id"]; +const CONDITION_OPERATORS = ["eq", "neq", "in", "prefix"]; + +interface PolicyFormProps { + open: boolean; + onOpenChange: (open: boolean) => void; + rule?: RoutingRule; + onSubmit: (payload: PolicyPayload) => void; + isPending: boolean; +} + +export function PolicyForm({ open, onOpenChange, rule, onSubmit, isPending }: PolicyFormProps) { + const isEdit = !!rule; + + const form = useForm({ + resolver: zodResolver(policySchema), + defaultValues: { + name: "", + description: "", + priority: 100, + is_enabled: true, + conditions: [], + action: { provider: "openai", model: "gpt-4o-mini" }, + }, + }); + + const { fields, append, remove } = useFieldArray({ + control: form.control, + name: "conditions", + }); + + useEffect(() => { + if (rule) { + form.reset({ + name: rule.name, + description: rule.description, + priority: rule.priority, + is_enabled: rule.is_enabled, + conditions: rule.conditions, + action: rule.action, + }); + } else { + form.reset({ + name: "", + description: "", + priority: 100, + is_enabled: true, + conditions: [], + action: { provider: "openai", model: "gpt-4o-mini" }, + }); + } + }, [rule, form]); + + const handleSubmit = form.handleSubmit((data) => { + onSubmit(data); + }); + + return ( + + + + {isEdit ? "Modifier la politique" : "Créer une politique"} + + +
+ {/* Name */} +
+ + + {form.formState.errors.name && ( +

{form.formState.errors.name.message}

+ )} +
+ + {/* Description */} +
+ +