fetch_ml

jfraeysd/fetch_ml

Fork 0

Commit graph

Author	SHA1	Message	Date
Jeremie Fraeys	66f262d788	security: improve audit, crypto, and config handling - Enhance audit checkpoint system - Update KMS provider and tenant key management - Refine configuration constants - Improve TUI config handling	2026-03-04 13:23:42 -05:00
Jeremie Fraeys	7c03c8b5bd	feat(kms): add HashiCorp Vault and AWS KMS providers Implement VaultProvider with Transit engine: - AppRole, Kubernetes, and Token authentication - Encrypt/Decrypt via /transit/encrypt and /transit/decrypt - Key lifecycle via /transit/keys API - Health check via /sys/health Implement AWSProvider with SDK v2: - Per-region key naming with alias prefix - Encrypt/Decrypt via KMS SDK - Key lifecycle (CreateKey, Disable, ScheduleDeletion, Enable) - AWS endpoint support for LocalStack testing	2026-03-03 19:14:21 -05:00
Jeremie Fraeys	cb25677695	feat(kms): implement core KMS infrastructure with DEK cache Add KMSProvider interface for external key management systems: - Encrypt/Decrypt operations for DEK wrapping - Key lifecycle management (Create, Disable, ScheduleDeletion, Enable) - HealthCheck and Close methods Implement MemoryProvider for development/testing: - XOR encryption with HMAC-SHA256 authentication - Secure random key generation using crypto/rand - MAC verification to detect wrong keys Implement DEKCache per ADR-012: - 15-minute TTL with configurable grace window (1 hour) - LRU eviction with 1000 entry limit - Cache key includes (tenantID, artifactID, kmsKeyID) for isolation - Thread-safe operations with RWMutex - Secure memory wiping on eviction/cleanup Add config package with types: - ProviderType enum (vault, aws, memory) - VaultConfig with AppRole/Kubernetes/Token auth - AWSConfig with region and alias prefix - CacheConfig with TTL, MaxEntries, GraceWindow - Validation methods for all config types	2026-03-03 19:13:55 -05:00

Author

SHA1

Message

Date

Jeremie Fraeys

66f262d788

security: improve audit, crypto, and config handling

- Enhance audit checkpoint system
- Update KMS provider and tenant key management
- Refine configuration constants
- Improve TUI config handling

2026-03-04 13:23:42 -05:00

Jeremie Fraeys

7c03c8b5bd

feat(kms): add HashiCorp Vault and AWS KMS providers

Implement VaultProvider with Transit engine:
- AppRole, Kubernetes, and Token authentication
- Encrypt/Decrypt via /transit/encrypt and /transit/decrypt
- Key lifecycle via /transit/keys API
- Health check via /sys/health

Implement AWSProvider with SDK v2:
- Per-region key naming with alias prefix
- Encrypt/Decrypt via KMS SDK
- Key lifecycle (CreateKey, Disable, ScheduleDeletion, Enable)
- AWS endpoint support for LocalStack testing

2026-03-03 19:14:21 -05:00

Jeremie Fraeys

cb25677695

feat(kms): implement core KMS infrastructure with DEK cache

Add KMSProvider interface for external key management systems:
- Encrypt/Decrypt operations for DEK wrapping
- Key lifecycle management (Create, Disable, ScheduleDeletion, Enable)
- HealthCheck and Close methods

Implement MemoryProvider for development/testing:
- XOR encryption with HMAC-SHA256 authentication
- Secure random key generation using crypto/rand
- MAC verification to detect wrong keys

Implement DEKCache per ADR-012:
- 15-minute TTL with configurable grace window (1 hour)
- LRU eviction with 1000 entry limit
- Cache key includes (tenantID, artifactID, kmsKeyID) for isolation
- Thread-safe operations with RWMutex
- Secure memory wiping on eviction/cleanup

Add config package with types:
- ProviderType enum (vault, aws, memory)
- VaultConfig with AppRole/Kubernetes/Token auth
- AWSConfig with region and alias prefix
- CacheConfig with TTL, MaxEntries, GraceWindow
- Validation methods for all config types

2026-03-03 19:13:55 -05:00

3 commits