
Enterprise hardening baseline: security, reliability, CI gates, and runbooks #32

Open
ndycode wants to merge 5 commits into main from feat/enterprise-hardening
Owner

@ndycode ndycode commented Mar 3, 2026

Summary

This PR implements a comprehensive enterprise hardening baseline across runtime behavior, storage safety, CLI contracts, CI policy gates, and operations documentation.

What’s Included

  • Runtime/data hardening:
    • Cross-process file locking for settings/quota writes
    • At-rest secret encryption + key rotation support
    • Idempotency key support for codex auth rotate-secrets
    • RBAC/ABAC-style authorization gates for CLI actions
    • JSON output redaction mode for sensitive fields
    • Startup data retention enforcement
    • Background retry + dead-letter queue for failed async persistence jobs
  • CLI/API contract maturity:
    • schemaVersion in JSON outputs
    • JSON list pagination standard (--page-size, --cursor)
  • Enterprise CI/security controls:
    • Secret scanning workflow
    • Supply-chain workflow (dependency review, SCA/license gate, SBOM generation)
    • Expanded CI checks and cross-platform smoke coverage
    • Required checks policy-as-code (.github/settings.yml)
  • Ops maturity:
    • Operations runbook
    • Incident response playbook
  • Docs updated for commands/settings/privacy/API/testing references.

Validation

  • npm run typecheck
  • npm run lint
  • npm run build && npm test
  • npm run coverage
  • npm run audit:ci
  • npm run license:check
  • npm run clean:repo:check

Notes

  • Work performed in isolated worktree on branch feat/enterprise-hardening.
  • No changes were made on main during implementation.

note: greptile review for oc-chatgpt-multi-auth. cite files like lib/foo.ts:123. confirm regression tests + windows concurrency/token redaction coverage.

Greptile Summary

comprehensive enterprise hardening baseline implementing cross-process file locking for all settings/account writes (defends windows antivirus/concurrent access races), at-rest token encryption with scrypt kdf and key rotation, rbac/abac authorization gates with audited break-glass, background job retry + dead-letter queue, idempotency key support for rotate-secrets, json output redaction, and data retention enforcement.

key improvements addressing windows filesystem safety:

  • all account/settings writes now guarded by cross-process file locks using exclusive write mode (wx)
  • stale lock cleanup after 2min timeout handles crashed processes
  • retry logic with exponential backoff for EBUSY/EPERM errors
  • temp-file-rename pattern for atomic writes
  • sync operations use Atomics.wait instead of blocking event loop
  • test/file-lock.test.ts:83-174 spawns 6 concurrent processes verifying mutual exclusion under contention

security/reliability enhancements:

  • refresh/access tokens encrypted at rest with aes-256-gcm + scrypt (v2), backward-compatible v1 decryption
  • authorization module now audits break-glass bypass (addresses previous comment)
  • background job failures written to dlq with redacted context
  • debounced account saves use retry mechanism preventing lost writes

ci/supply-chain controls:

  • cross-platform smoke tests on windows/macos runners
  • gitleaks secret scanning weekly + on pr/push
  • dependency review blocking high severity runtime deps
  • license gate denying gpl/agpl
  • sbom generation

test coverage:

  • multi-process concurrent write race test reproduces windows contention bugs
  • authorization tests verify break-glass audit trail
  • secrets-crypto tests cover v1/v2 compatibility and key rotation

all validation commands pass per pr description. previous review comments addressed: scrypt kdf replaces sha256, break-glass now audited, concurrent write race test added.

Confidence Score: 5/5

  • safe to merge - thorough hardening with comprehensive test coverage and all previous security concerns addressed
  • all three previous review comments have been resolved (scrypt kdf, break-glass audit, concurrent race test). file locking defends windows filesystem races, encryption protects tokens at rest, authorization gates cli actions, comprehensive test suite including multi-process concurrency verification. ci expanded with cross-platform smoke tests and supply-chain gates. no logical errors or security vulnerabilities found.
  • no files require special attention - implementation follows security best practices throughout

Important Files Changed

| Filename | Overview |
|---|---|
| lib/file-lock.ts | new cross-process file locking with exponential backoff, stale lock cleanup, and windows filesystem concurrency handling via exclusive write mode and atomics-based sync sleep |
| lib/authorization.ts | rbac/abac authorization gates for cli actions with break-glass bypass that now correctly audits emergency access |
| lib/secrets-crypto.ts | at-rest encryption using aes-256-gcm with scrypt kdf (v2) and legacy sha256 (v1) support, key rotation via primary/previous keys |
| lib/storage.ts | guards all account writes with file locks, encrypts refresh/access tokens at rest, supports key rotation, decrypts on read |
| lib/unified-settings.ts | settings persistence with file locks on all writes, in-process queue for async writes, temp-file-rename pattern, windows ebusy/eperm retry logic |
| lib/background-jobs.ts | retry mechanism with exponential backoff and dead-letter queue for failed async persistence, uses file locks for dlq writes, redacts context |
| lib/idempotency.ts | idempotency key storage with file locks, 24h ttl, supports rotate-secrets command replay protection |
| test/file-lock.test.ts | comprehensive test suite including multi-process concurrent write race test with 6 workers verifying mutual exclusion under contention |
| .github/workflows/ci.yml | expanded ci with node 20/22 matrix, coverage gate, cross-platform smoke tests on windows/macos, security audit, lockfile floor guard |
| .github/workflows/supply-chain.yml | dependency review, license gate denying gpl/agpl, sca audit, sbom generation with cyclonedx |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CLI Command] --> B{Authorization Check}
    B -->|Break-Glass Set| C[Audit Break-Glass]
    B -->|ABAC Policy| D{Policy Allows?}
    D -->|Denied| E[Return Error]
    D -->|Allowed| F{RBAC Role Check}
    F -->|Denied| E
    F -->|Allowed| G[Execute Action]
    C --> G
    
    G --> H{Mutates Storage?}
    H -->|No| I[Return Success]
    H -->|Yes| J[Acquire File Lock]
    J --> K{Lock Acquired?}
    K -->|Timeout/Fail| L[Background Job Retry]
    K -->|Success| M[Encrypt Secrets]
    M --> N[Write Temp File]
    N --> O[Atomic Rename]
    O --> P[Release Lock]
    P --> I
    
    L --> Q{Max Retries?}
    Q -->|Yes| R[Write to DLQ]
    Q -->|No| S[Exponential Backoff]
    S --> J
    R --> E

Last reviewed commit: d1c603e

Add enterprise-grade hardening across runtime, CLI, storage, CI, and docs.

- Add cross-process file locking for settings/quota persistence
- Add at-rest secret encryption with rotation command and idempotency support
- Add RBAC/ABAC-style command authorization, JSON redaction, and retention policies
- Add background retry + dead-letter queue for async persistence failures
- Add list JSON pagination standard and schemaVersion contract updates
- Add CI security gates: secret scan, supply-chain/SCA/license checks, SBOM, required checks policy
- Add operations and incident response runbooks
- Add/extend tests for new security/reliability primitives and CLI behaviors

Validated with:
- npm run typecheck
- npm run lint
- npm run build && npm test
- npm run coverage
- npm run audit:ci
- npm run license:check
- npm run clean:repo:check

Co-authored-by: Codex <noreply@openai.com>

coderabbitai bot commented Mar 3, 2026

Warning

Rate limit exceeded

@ndycode has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 58 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.


📥 Commits

Reviewing files that changed from the base of the PR and between d36b04f and d1c603e.

📒 Files selected for processing (46)
  • .github/settings.yml
  • .github/workflows/ci.yml
  • .github/workflows/secret-scan.yml
  • .github/workflows/supply-chain.yml
  • README.md
  • docs/README.md
  • docs/configuration.md
  • docs/development/CONFIG_FIELDS.md
  • docs/development/TESTING.md
  • docs/index.md
  • docs/privacy.md
  • docs/reference/commands.md
  • docs/reference/error-contracts.md
  • docs/reference/public-api.md
  • docs/reference/settings.md
  • docs/reference/storage-paths.md
  • docs/runbooks/README.md
  • docs/runbooks/incident-response.md
  • docs/runbooks/operations.md
  • index.ts
  • lib/accounts.ts
  • lib/audit.ts
  • lib/authorization.ts
  • lib/background-jobs.ts
  • lib/codex-manager.ts
  • lib/data-redaction.ts
  • lib/data-retention.ts
  • lib/file-lock.ts
  • lib/idempotency.ts
  • lib/index.ts
  • lib/quota-cache.ts
  • lib/secrets-crypto.ts
  • lib/storage.ts
  • lib/unified-settings.ts
  • package.json
  • scripts/license-policy-check.js
  • test/audit.test.ts
  • test/authorization.test.ts
  • test/background-jobs.test.ts
  • test/codex-manager-cli.test.ts
  • test/data-redaction.test.ts
  • test/data-retention.test.ts
  • test/file-lock.test.ts
  • test/idempotency.test.ts
  • test/quota-cache.test.ts
  • test/secrets-crypto.test.ts
📝 Walkthrough
🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | Title exceeds 72-character limit (76 chars) and uses capital letters, violating conventional commits format. | Reformat to lowercase imperative within 72 chars: 'feat: enterprise hardening with security, reliability, and ci gates' |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 6.59% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description check | ✅ Passed | Description covers all required sections with comprehensive details on changes, validation steps, and risk assessment. |


@greptile-apps greptile-apps bot left a comment


44 files reviewed, 1 comment


- migrate new envelopes to salted scrypt-derived AES keys
- retain legacy enc:v1 decryption compatibility
- add coverage for v2 and legacy v1 crypto paths
- clarify high-entropy 32-byte key requirements in docs

Co-authored-by: Codex <noreply@openai.com>
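
The envelope scheme this commit describes (per-envelope salt, scrypt-derived AES-256-GCM key, primary/previous key rotation), as an added example that is not the project's lib/secrets-crypto.ts. The `enc:v2` field layout and all function names are assumptions; the page names only the legacy `enc:v1` prefix.

```javascript
// Added example (not the project's lib/secrets-crypto.ts). The "enc:v2" field
// layout below is an assumption; the page only names the v1 prefix "enc:v1".
const crypto = require("node:crypto");

const PREFIX = "enc:v2"; // hypothetical envelope tag

// Per-envelope salt -> scrypt -> 32-byte AES key.
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32);
}

function encryptSecret(plaintext, primaryKey) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh for every envelope
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(primaryKey, salt), iv);
  cipher.setAAD(Buffer.from(PREFIX)); // bind the version tag to the ciphertext
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const parts = [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url"));
  return [PREFIX, ...parts].join(":");
}

// Try the primary key first, then the previous one (rotation window).
function decryptSecret(envelope, keys) {
  const fields = envelope.split(":");
  if (fields.length !== 6 || `${fields[0]}:${fields[1]}` !== PREFIX) {
    throw new Error("unsupported envelope");
  }
  const [salt, iv, tag, ct] = fields.slice(2).map((f) => Buffer.from(f, "base64url"));
  for (const key of keys) {
    try {
      const d = crypto.createDecipheriv("aes-256-gcm", deriveKey(key, salt), iv);
      d.setAAD(Buffer.from(PREFIX));
      d.setAuthTag(tag);
      return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
    } catch { /* authentication failed: wrong key or tampered envelope */ }
  }
  throw new Error("decryption failed");
}

// Re-encrypt under the new primary so the previous key can be retired.
function rotateSecret(envelope, newPrimary, previous) {
  return encryptSecret(decryptSecret(envelope, [newPrimary, previous]), newPrimary);
}
```
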
ndycode and others added 2 commits March 4, 2026 04:35
- audit break-glass authorization bypass events
- add multi-process contention regression for file locking
- cover new auth.break_glass audit action in tests

Co-authored-by: Codex <noreply@openai.com>
Introduce optional environment-driven ABAC constraints layered ahead of RBAC for auth actions and commands.

- add ABAC policy evaluation in authorization module
- pass command/interactive/idempotency context from CLI command routing
- enforce read authorization on read command paths consistently
- add unit and CLI coverage for ABAC deny and idempotency requirements
- document ABAC controls in config and operations runbooks

Co-authored-by: Codex <noreply@openai.com>

greptile-apps bot commented Mar 3, 2026

Additional Comments (1)

lib/storage.ts, line 113
accounts storage uses in-memory mutex but not file locks. settings (lib/unified-settings.ts:130), quota cache (lib/quota-cache.ts:230), dlq, and idempotency store all use acquireFileLock for cross-process safety. if cli and plugin can write accounts.json concurrently, this mutex won't prevent windows filesystem corruption. consider adding file lock wrapper like other critical stores.

Co-authored-by: Codex <noreply@openai.com>
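
The file-lock wrapper pattern the review asks for around accounts.json (exclusive-create `wx` lock, backoff, stale-lock cleanup after 2 minutes, temp-file rename), as an added example that is not the project's lib/file-lock.ts. The function names, the `.lock` suffix, and the timeout and backoff values other than the 2 minute stale threshold are assumptions.

```javascript
// Added example (not the project's lib/file-lock.ts): exclusive-create lock
// with stale-lock cleanup, guarding a temp-file-then-rename write.
const fs = require("node:fs");

const STALE_MS = 2 * 60 * 1000; // the 2 min stale-lock timeout from the review summary

// Synchronous sleep without busy-waiting.
function sleepSync(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// Create <target>.lock with "wx", which fails with EEXIST if it already exists.
function acquireLockSync(target, { timeoutMs = 2000, staleMs = STALE_MS } = {}) {
  const lockPath = `${target}.lock`;
  const deadline = Date.now() + timeoutMs;
  for (let delay = 10; ; delay = Math.min(delay * 2, 200)) {
    try {
      const fd = fs.openSync(lockPath, "wx", 0o600);
      fs.writeSync(fd, String(process.pid));
      fs.closeSync(fd);
      return () => fs.rmSync(lockPath, { force: true }); // release function
    } catch (err) {
      if (!["EEXIST", "EBUSY", "EPERM"].includes(err.code)) throw err;
    }
    // A crashed holder never releases: drop locks older than staleMs.
    try {
      if (Date.now() - fs.statSync(lockPath).mtimeMs > staleMs) {
        fs.rmSync(lockPath, { force: true });
        continue;
      }
    } catch { /* lock vanished between open and stat; retry */ }
    if (Date.now() >= deadline) throw new Error(`lock timeout: ${lockPath}`);
    sleepSync(delay);
  }
}

// Write JSON atomically while holding the lock.
function writeJsonLocked(target, data, opts) {
  const release = acquireLockSync(target, opts);
  try {
    const tmp = `${target}.${process.pid}.tmp`;
    fs.writeFileSync(tmp, JSON.stringify(data), { mode: 0o600 });
    fs.renameSync(tmp, target); // readers see the old or the new file, never a partial one
  } finally {
    release();
  }
}
```

Age-based stale cleanup is itself racy when two waiters both decide the lock is stale: the second removal can delete a lock the first waiter just re-created, so the stale threshold should sit far above the longest expected hold time.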