Merge remote-tracking branch 'origin/master' into oss/tier1-security-scanners

mastermanas805 · mastermanas805 · commit 58bec6819051 · 2026-05-21T22:46:38.000+05:30
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,24 @@
+# Code of conduct
+
+InstaNode is a small, focused engineering community. We want everyone who participates — issue reporters, PR authors, reviewers, maintainers — to feel safe and respected.
+
+## Expectations
+
+- Be respectful in code review and issues. Critique code, not people.
+- Assume good intent. Ask questions before making accusations.
+- Keep discussions on topic. Off-topic and inflammatory threads will be closed.
+- No harassment, personal attacks, discriminatory language, or unwelcome sexual attention.
+
+## Enforcement
+
+Maintainers may close issues, lock threads, edit comments, or block accounts that violate these expectations.
+
+## Reporting
+
+Email security@instanode.dev to report a concern. We treat reports confidentially. We aim to respond within 72 hours.
+
+## Scope
+
+These expectations apply to all project spaces — issues, pull requests, discussions, and any official InstaNode communication channel — and to public spaces when someone is representing the project.
+
+This policy is intentionally short; we will lengthen it as the community grows.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,40 @@
+# Contributing to common
+
+`common/` is shared Go code consumed by api, worker, and provisioner. Most platform feature work happens in those repos; changes here should be tightly scoped (interface additions, bug fixes, new providers).
+
+## Filing issues
+
+- Bugs in a specific package: open here.
+- Platform-wide behaviour (provisioning, billing, deploys): file in the api repo at https://github.com/InstaNode-dev/api/issues.
+
+## Workflow
+
+```
+git clone https://github.com/InstaNode-dev/common
+cd common
+go build ./...
+go vet ./...
+go test ./... -short -p 1
+```
+
+All three must pass before opening a PR.
+
+## Style
+
+- Follow existing patterns in the package you're touching.
+- Tests next to source (`pkg/foo.go` + `pkg/foo_test.go`).
+- Public symbols get godoc comments.
+- Errors wrapped with `fmt.Errorf("context: %w", err)`.
+
+## PR checklist
+
+- `go build ./...` green
+- `go vet ./...` green
+- `go test ./... -short -p 1` green
+- New public symbol → godoc comment
+- New behavior → test
+- Commit message: short imperative subject, fuller body explaining the why
+
+## License
+
+MIT. By contributing, you agree your contributions are licensed under the same.
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 InstaNode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -0,0 +1,84 @@
+# common
+
+Shared Go packages for the [InstaNode](https://instanode.dev) platform — the
+zero-friction developer infrastructure that lets agents provision databases,
+caches, queues, object storage, and full application deployments with a single
+HTTP call.
+
+This repo is the **shared substrate** consumed by the three backend services:
+
+- **api** — agent-facing HTTP surface (port 8080)
+- **worker** — River-backed background jobs (expiry, billing, propagation, email)
+- **provisioner** — gRPC service that creates and destroys real databases
+
+Module path: `instant.dev/common` (Go 1.25+).
+
+## Why a separate module?
+
+Every backend service depends on the same tier definitions, the same encryption
+keyring, the same readiness check shape, and the same provider interfaces. We
+factored those out so a change to a tier limit, a new provisioner backend, or a
+new readiness check lands in one place and propagates to every service via a
+single `go mod` bump — instead of three drifting copies.
+
+## Packages
+
+| Package | Purpose |
+|---|---|
+| [`buildinfo`](./buildinfo) | ldflag-stamped `GitSHA` + `BuildTime` + `Version` exposed on every service's `/healthz`. Lets ops verify "is the running pod actually the commit I just pushed?" — see [InstaNode CLAUDE.md rule 14](https://instanode.dev) (Build-SHA gate). |
+| [`crypto`](./crypto) | AES-256-GCM keyring (multi-key with rotation), JWT signing helpers, IP fingerprint hashing (SHA256 over `/24` subnet + ASN), and base32 token generation. Fails open on decrypt errors so a key rotation doesn't break reads. |
+| [`logctx`](./logctx) | `slog.Handler` wrapper that injects `commit_id`, `request_id`, `team_id`, `resource_token` from `context.Context` into every structured log line. Keys are defined once here so api, worker, and provisioner emit consistent JSON. |
+| [`plans`](./plans) | Tier registry loaded from `plans.yaml` — the single source of truth for per-tier limits (storage MB, connection caps, deployment slots, webhook retention, etc.). Iterated by `/api/v1/capabilities` so adding a tier in `plans.yaml` + `rank.go` automatically surfaces to clients. |
+| [`queueprovider`](./queueprovider) | Pluggable factory + `QueueCredentialProvider` interface for NATS / RabbitMQ / Kafka / `legacyopen` backends. NATS impl mints per-tenant account JWTs + user NKeys; RabbitMQ + Kafka are portability skeletons (return `ErrNotImplemented`); `legacyopen` is the cutover shim for pre-isolation tenants. |
+| [`readiness`](./readiness) | Shared `Registry` + `Check` interface for deep `/readyz` endpoints. Reusable check constructors for HTTP/GET, gRPC dial, Postgres ping, Redis ping, Mongo ping, NATS ping. Per-check criticality (critical / degraded) and 10-15s cache TTL. Emits Prometheus + slog. |
+| [`resourcestatus`](./resourcestatus) | Shared enum for resource lifecycle states (`active`, `expired`, `deleting`, `deleted`, …) plus the expiry-warning ladder stages (6h / 2h / 1h imminent). |
+| [`resourcetype`](./resourcetype) | Shared enum for provisioned resource kinds (`postgres`, `redis`, `mongodb`, `queue`, `storage`, `webhook`, `deploy`, …). |
+| [`storageprovider`](./storageprovider) | Pluggable factory + `StorageCredentialProvider` interface for DigitalOcean Spaces / Cloudflare R2 / AWS S3 / MinIO backends. Capability-aware: each backend declares whether it supports prefix-scoped keys, bucket-scoped keys, STS temp credentials, and bucket-per-tenant — the api uses this to decide between `prefix-scoped`, `prefix-scoped-temporary`, `shared-master-key`, and `broker` modes. Live prod uses DO Spaces in `prefix-scoped` mode. |
+
+## Using in a downstream service
+
+```go
+import (
+    "instant.dev/common/buildinfo"
+    "instant.dev/common/logctx"
+    "instant.dev/common/plans"
+    "instant.dev/common/readiness"
+)
+```
+
+This module is consumed via a `replace` directive in the api / worker /
+provisioner `go.mod` files when developing across the repo bundle locally. In
+prod CI, tagged releases are pulled directly.
+
+## Versioning
+
+`common` follows semantic versioning. **Contract changes** (a new tier in
+`plans.yaml`, a renamed `resourcetype`, a changed `readiness.Status` shape)
+must land in synchronised PRs across `common` + `api` + `worker` +
+`provisioner` — see the [InstaNode handoff doc](https://instanode.dev)
+rule 22 ("Contract changes touch all surfaces in one PR").
+
+## Testing
+
+```bash
+go test ./...
+```
+
+Each package ships unit tests; contract tests live alongside the factory in
+`queueprovider/contract_test.go` and `storageprovider/contract_test.go` to
+verify every backend implements the interface consistently.
+
+## Contributing
+
+See [CONTRIBUTING.md](./CONTRIBUTING.md). Issues + PRs on this repo are
+welcome for shared-package bugs; platform-wide bugs (API behaviour, dashboard,
+billing, deploy pipeline) belong on the [api repo](https://github.com/InstaNode-dev).
+
+## Security
+
+See [SECURITY.md](./SECURITY.md). Report vulnerabilities privately to
+**security@instanode.dev** — do not open a public issue.
+
+## License
+
+[MIT](./LICENSE) © 2026 InstaNode.
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,48 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you believe you have found a security vulnerability in `common` or any
+downstream InstaNode service that consumes it (api, worker, provisioner,
+dashboard, MCP, SDK, CLI), please report it privately by emailing
+**security@instanode.dev**. Do not open a public GitHub issue, do not file a
+public PR with a fix, and do not disclose the issue on social media or in
+chat channels until we have had a chance to investigate and ship a fix.
+
+We will acknowledge receipt within **2 business days** and aim to provide an
+initial assessment within **5 business days**. For critical vulnerabilities
+(remote code execution, credential disclosure, tenant isolation breach, billing
+bypass) we will ship a patch and coordinated disclosure within **30 days**.
+For lower-severity issues we will work with you on a reasonable timeline.
+
+## Scope
+
+This repository contains shared Go packages — `crypto` (AES-256-GCM keyring,
+JWT signing), `queueprovider` (NATS / RabbitMQ / Kafka credential issuance),
+`storageprovider` (DO Spaces / R2 / S3 / MinIO credential issuance),
+`readiness` (deep `/readyz` checks), `plans` (tier limits), `logctx`,
+`buildinfo`, `resourcestatus`, and `resourcetype`. A bug in any of these
+packages affects all three backend services, so we treat reports against this
+repo with the same urgency as a report against api or provisioner.
+
+In-scope issues include: cryptographic weaknesses, key-handling bugs,
+tenant-isolation bypasses in the credential providers, secret leakage through
+logs or readiness output, signature-verification flaws, and denial-of-service
+vectors that can be triggered by a single tenant. Out of scope: bugs in
+upstream dependencies (please report those upstream), self-inflicted issues
+from running the code with development-mode secrets, and theoretical attacks
+that require a pre-existing compromise of the host.
+
+## Safe harbor
+
+We will not pursue legal action against researchers who act in good faith,
+who give us a reasonable opportunity to respond before disclosing publicly,
+who do not access or exfiltrate data beyond what is necessary to demonstrate
+the vulnerability, who do not perform attacks that degrade service for our
+users (DoS, social engineering of staff, physical attacks), and who comply
+with all applicable laws. We are happy to publicly credit researchers who
+report responsibly.
+
+## Contact
+
+**security@instanode.dev**
