Merge pull request #58 from Prescott-Data/feat/observability-and-hardening

Feat/observability and hardening

Author: sangalo20

CHANGELOG.md

@@ -5,6 +5,36 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.2.1] - 2026-05-10
+
+### Changed
+- **Service Layer**: Refactored `connection_part2.go` into `credential.go`, separating credential capture, token refresh, and credential validation by responsibility.
+- **HTTP Client**: `validateCredentials`, `refreshTokens`, and `executeExchange` now use the centrally injected `httpClient` instead of creating inline clients, ensuring the configured transport is respected across all outbound calls.
+- **Audit Interface**: `ConnectionService` now accepts the `audit.Logger` interface instead of a concrete `*audit.Service` pointer, enabling proper mocking in unit tests.
+- **Method Promotion**: `validateCredentials` and `refreshTokens` promoted from standalone functions to methods on `connectionService` to allow struct field access.
+
+### Added
+- **Service Layer Tests**: 7 new unit tests covering the previously untested `SaveCredential`, `Refresh`, and `ExchangeCodeForTokens` methods, including OAuth2 flows validated against `httptest` mock servers.
+- **SOC 2 Integration Tests**: Enterprise-grade compliance test suite (`soc_test.go`, `soc_livedb_test.go`) verifying encryption at rest (SOC-CTRL-01), immutable audit trail (SOC-CTRL-02), API key enforcement (SOC-CTRL-03), IP allowlisting (SOC-CTRL-04), and defense-in-depth middleware (SOC-CTRL-05).
+- **Architecture Enforcement**: `TestSeparationOfConcerns` statically analyzes import paths via `go/parser` to enforce layer boundaries at CI time.
+- **Docker Compose**: Local PostgreSQL and Redis containers for running live integration tests against a real database schema.
+
+---
+
+## [0.2.0] - 2026-05-05
+
+### Added
+- **Security-as-Code CLI**: Declarative provider manifest management via YAML (`nexus apply`, `nexus plan`, `nexus diff`), with field-level diff output and concurrent provider fetching.
+- **Audit Subsystem**: Structured audit event logging to `audit_events` table with caller IP, User-Agent, and JSON event data.
+- **Secret Masking**: CLI masks sensitive fields in plan output to prevent credential exposure in logs.
+
+### Changed
+- **CI/CD**: Removed CI workflow from the open repository; internal Azure deployment pipeline secured behind manual trigger.
+- **Documentation**: All registry examples standardized to `localhost:8090` to support OSS adoption without exposing internal infrastructure.
+- **Providers Endpoint**: Fixed path references (`/v1/providers` → `/providers`, `/v1/audit` → `/audit`) throughout documentation and code.
+
+---
+
 ## [0.1.0] - 2026-02-19
 
 ### Added

nexus-broker/README.md

@@ -208,13 +208,38 @@ curl -X POST -H "X-API-Key: $API_KEY" \
 
 ## Metrics and Logging
 
-Prometheus at `/metrics`:
-- `oauth_consents_created_total`
-- `oauth_consents_with_openid_total`
-- `oauth_token_exchanges_total{status=success|error}`
-- `oauth_exchange_duration_seconds`
-- `oauth_id_tokens_returned_total`
-- `oauth_token_get_total{provider,has_id_token}`
+Prometheus at `/metrics`. All metrics are registered on startup.
+
+#### Token Flows
+| Metric | Type | Labels | Description |
+|:---|:---|:---|:---|
+| `oauth_consents_created_total` | Counter | — | Consent specs issued |
+| `oauth_consents_with_openid_total` | Counter | — | Consents requesting OpenID scope |
+| `oauth_token_exchanges_total` | Counter | `status={success,error}` | Code-for-token exchanges |
+| `oauth_exchange_duration_seconds` | Histogram | — | Duration of token exchange |
+| `oauth_id_tokens_returned_total` | Counter | — | Exchanges that returned an `id_token` |
+| `oauth_token_refreshes_total` | Counter | `status={success,error}` | On-demand refresh attempts |
+| `oauth_refresh_duration_seconds` | Histogram | — | Duration of token refresh |
+| `oauth_credential_captures_total` | Counter | `status={success,error}` | API-key credential captures (SaveCredential) |
+
+#### Token Retrieval
+| Metric | Type | Labels | Description |
+|:---|:---|:---|:---|
+| `oauth_token_get_total` | Counter | `provider`, `has_id_token` | Token retrievals by provider |
+
+#### OIDC Infrastructure
+| Metric | Type | Labels | Description |
+|:---|:---|:---|:---|
+| `oidc_verifications_total` | Counter | `result={success,error}` | ID token verifications |
+| `oidc_verification_duration_seconds` | Histogram | — | ID token verification latency |
+| `oidc_discovery_total` | Counter | `result={success,error}` | OIDC discovery attempts |
+| `oidc_discovery_duration_seconds` | Histogram | — | OIDC discovery latency |
+
+#### System Health
+| Metric | Type | Labels | Description |
+|:---|:---|:---|:---|
+| `nexus_connections_total` | Gauge | `status` | Live count of connections by status (polled every 30s) |
+| `nexus_db_operation_duration_seconds` | Histogram | `operation` | Repository-level DB operation latency |
 
 Access logs are structured; audit events are recorded in `audit_events`.
 
@@ -231,7 +256,7 @@ Access logs are structured; audit events are recorded in `audit_events`.
 
 See `docs/SECURITY.md` for detailed guardrails and operations.
 
-OIDC hardening (id_token verification via JWKS, nonce, discovery) is deferred. See `docs/TECH_DEBT.md`.
+OIDC hardening (id_token verification via JWKS, nonce, discovery) is fully implemented. See `pkg/oidc` for the validator and `pkg/discovery` for provider discovery.
 
 ---
 
@@ -271,10 +296,3 @@ go build -o nexus-broker ./cmd/nexus-broker
 - `docs/PROVIDERS.md` – registry and templates for supported providers
 - `docs/TECH_DEBT.md` – OIDC hardening plan and acceptance criteria
 
-Touching to test pipeline
-
-<!-- trigger build Mon Jan 26 11:07:00 EAT 2026 -->
-<!-- trigger build Tue Jan 27 12:39:45 EAT 2026 env update -->
-
-Triggering broker build
-

nexus-broker/cmd/nexus-broker/main.go

@@ -7,13 +7,15 @@ import (
 	"time"
 
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/audit"
+	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/repository/instrumented"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/repository/postgres"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/service"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/caching"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/config"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/handlers"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/provider"
 	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/server"
+	"github.com/Prescott-Data/nexus-framework/nexus-broker/pkg/telemetry"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-redis/redis/v8"
 	"github.com/jmoiron/sqlx"
@@ -65,8 +67,8 @@ func main() {
 
 	providersHandler := handlers.NewProvidersHandler(store, auditSvc)
 
-	connRepo := postgres.NewConnectionRepository(db)
-	tokenRepo := postgres.NewTokenRepository(db)
+	connRepo := instrumented.NewConnectionRepository(postgres.NewConnectionRepository(db))
+	tokenRepo := instrumented.NewTokenRepository(postgres.NewTokenRepository(db))
 
 	connSvc := service.NewConnectionService(
 		connRepo,
@@ -123,6 +125,9 @@ func main() {
 	defer cleanupCancel()
 	go handlers.StartOrphanTokenCleanup(cleanupCtx, db, 1*time.Hour)
 
+	// Start connection health gauge (polls every 30s)
+	telemetry.NewConnectionGaugeCollector(connRepo, 30*time.Second)
+
 	log.Printf("Starting OAuth Broker server on port %s", cfg.Port)
 	log.Printf("Version: %s", Version)
 	log.Printf("Base URL: %s", cfg.BaseURL)

nexus-broker/docker-compose.yml

@@ -12,7 +12,7 @@ services:
       - "5432:5432"
     volumes:
       - postgres_data:/var/lib/postgresql/data
-      - ./migrations/00_create_tables.sql:/docker-entrypoint-initdb.d/00_create_tables.sql
+      - ./migrations:/docker-entrypoint-initdb.d
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U oauth_user -d oauth_broker"]
       interval: 5s

nexus-broker/internal/architecture_test.go

@@ -56,6 +56,22 @@ func TestSeparationOfConcerns(t *testing.T) {
 			},
 			Description: "HTTP Handlers must not bypass the Service layer to talk directly to Repositories.",
 		},
+		{
+			Package: "pkg/provider",
+			ShouldNot: []string{
+				modulePrefix + "/pkg/handlers",
+				modulePrefix + "/internal/service",
+			},
+			Description: "The Provider store infrastructure must not depend on HTTP handlers or business logic.",
+		},
+		{
+			Package: "pkg/telemetry",
+			ShouldNot: []string{
+				modulePrefix + "/pkg/handlers",
+				modulePrefix + "/internal/service",
+			},
+			Description: "Telemetry collectors must be independent of HTTP handlers and business logic.",
+		},
 	}
 
 	basePath := ".." // We are inside internal, so .. is the broker root

nexus-broker/internal/domain/models.go

@@ -23,6 +23,7 @@ type Connection struct {
 // ConnectionWithProvider joins connection and basic provider info
 type ConnectionWithProvider struct {
 	Connection
+	ProviderName     string
 	AuthType         string
 	AuthHeader       string
 	APIBaseURL       string

nexus-broker/internal/repository/instrumented/instrumented.go

@@ -0,0 +1,92 @@
+package instrumented
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
+
+	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/domain"
+	"github.com/Prescott-Data/nexus-framework/nexus-broker/internal/repository"
+)
+
+var (
+	dbOpDuration = prometheus.NewHistogramVec(prometheus.HistogramOpts{
+		Name:    "nexus_db_operation_duration_seconds",
+		Help:    "Duration of database operations by repository and method",
+		Buckets: []float64{0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0},
+	}, []string{"repo", "method"})
+)
+
+func init() {
+	prometheus.MustRegister(dbOpDuration)
+}
+
+func observe(repo, method string, start time.Time) {
+	dbOpDuration.WithLabelValues(repo, method).Observe(time.Since(start).Seconds())
+}
+
+// --- ConnectionRepository decorator ---
+
+// ConnectionRepository wraps repository.ConnectionRepository with latency instrumentation.
+type ConnectionRepository struct {
+	inner repository.ConnectionRepository
+}
+
+// NewConnectionRepository wraps a ConnectionRepository with Prometheus latency histograms.
+func NewConnectionRepository(inner repository.ConnectionRepository) repository.ConnectionRepository {
+	return &ConnectionRepository{inner: inner}
+}
+
+func (r *ConnectionRepository) Create(ctx context.Context, conn *domain.Connection) error {
+	defer observe("connection", "Create", time.Now())
+	return r.inner.Create(ctx, conn)
+}
+
+func (r *ConnectionRepository) GetPending(ctx context.Context, id uuid.UUID) (*domain.Connection, error) {
+	defer observe("connection", "GetPending", time.Now())
+	return r.inner.GetPending(ctx, id)
+}
+
+func (r *ConnectionRepository) GetWithProvider(ctx context.Context, id uuid.UUID) (*domain.ConnectionWithProvider, error) {
+	defer observe("connection", "GetWithProvider", time.Now())
+	return r.inner.GetWithProvider(ctx, id)
+}
+
+func (r *ConnectionRepository) GetReturnURL(ctx context.Context, id uuid.UUID) (string, error) {
+	defer observe("connection", "GetReturnURL", time.Now())
+	return r.inner.GetReturnURL(ctx, id)
+}
+
+func (r *ConnectionRepository) UpdateStatus(ctx context.Context, id uuid.UUID, status string) error {
+	defer observe("connection", "UpdateStatus", time.Now())
+	return r.inner.UpdateStatus(ctx, id, status)
+}
+
+func (r *ConnectionRepository) CountByStatus(ctx context.Context) (map[string]int64, error) {
+	defer observe("connection", "CountByStatus", time.Now())
+	return r.inner.CountByStatus(ctx)
+}
+
+// --- TokenRepository decorator ---
+
+// TokenRepository wraps repository.TokenRepository with latency instrumentation.
+type TokenRepository struct {
+	inner repository.TokenRepository
+}
+
+// NewTokenRepository wraps a TokenRepository with Prometheus latency histograms.
+func NewTokenRepository(inner repository.TokenRepository) repository.TokenRepository {
+	return &TokenRepository{inner: inner}
+}
+
+func (r *TokenRepository) Upsert(ctx context.Context, token *domain.Token) error {
+	defer observe("token", "Upsert", time.Now())
+	return r.inner.Upsert(ctx, token)
+}
+
+func (r *TokenRepository) Get(ctx context.Context, connectionID uuid.UUID) (*domain.Token, error) {
+	defer observe("token", "Get", time.Now())
+	return r.inner.Get(ctx, connectionID)
+}

nexus-broker/internal/repository/interfaces.go

@@ -14,6 +14,7 @@ type ConnectionRepository interface {
 	GetWithProvider(ctx context.Context, id uuid.UUID) (*domain.ConnectionWithProvider, error)
 	GetReturnURL(ctx context.Context, id uuid.UUID) (string, error)
 	UpdateStatus(ctx context.Context, id uuid.UUID, status string) error
+	CountByStatus(ctx context.Context) (map[string]int64, error)
 }
 
 // TokenRepository handles database operations for tokens

nexus-broker/internal/repository/postgres/connection.go

@@ -44,12 +44,12 @@ func (r *connectionRepository) GetWithProvider(ctx context.Context, id uuid.UUID
 	var conn domain.ConnectionWithProvider
 	err := r.db.QueryRowContext(ctx, `
 		SELECT c.id, c.provider_id, c.status, c.scopes, c.return_url,
-		       p.auth_type, COALESCE(p.auth_header, ''), COALESCE(p.api_base_url, ''), COALESCE(p.user_info_endpoint, ''), p.params
+		       p.name, p.auth_type, COALESCE(p.auth_header, ''), COALESCE(p.api_base_url, ''), COALESCE(p.user_info_endpoint, ''), p.params
 		FROM connections c
 		JOIN provider_profiles p ON p.id = c.provider_id
 		WHERE c.id = $1`, id).
 		Scan(&conn.ID, &conn.ProviderID, &conn.Status, pq.Array(&conn.Scopes), &conn.ReturnURL,
-			&conn.AuthType, &conn.AuthHeader, &conn.APIBaseURL, &conn.UserInfoEndpoint, &conn.ProviderParams)
+			&conn.ProviderName, &conn.AuthType, &conn.AuthHeader, &conn.APIBaseURL, &conn.UserInfoEndpoint, &conn.ProviderParams)
 	if err != nil {
 		return nil, err
 	}
@@ -66,3 +66,22 @@ func (r *connectionRepository) UpdateStatus(ctx context.Context, id uuid.UUID, s
 	_, err := r.db.ExecContext(ctx, "UPDATE connections SET status = $1, updated_at = NOW() WHERE id = $2", status, id)
 	return err
 }
+
+func (r *connectionRepository) CountByStatus(ctx context.Context) (map[string]int64, error) {
+	rows, err := r.db.QueryContext(ctx, "SELECT status, COUNT(*) FROM connections GROUP BY status")
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	counts := make(map[string]int64)
+	for rows.Next() {
+		var status string
+		var count int64
+		if err := rows.Scan(&status, &count); err != nil {
+			return nil, err
+		}
+		counts[status] = count
+	}
+	return counts, rows.Err()
+}