Commit graph

20 commits

Author SHA1 Message Date
jedarden
d10a9ac1fd fix(clippy): resolve unused type parameter, variables, and functions
- Remove unused type parameter S from explain_search function
- Add peer-discovery feature to miroir-proxy Cargo.toml
- Fix unused variables by prefixing with underscore
- Add #[allow(dead_code)] to modules with unused public API functions

Resolves clippy -D warnings for lib and binary targets.
2026-05-26 01:44:28 -04:00
jedarden
a3fdda208c fix(clippy): auto-fix format strings and deprecated IndexMap::remove
Address clippy warnings by:
- Prefixing unused variables with underscore
- Adding #[allow(dead_code)] for intentionally unused helper functions
- Using div_ceil() instead of manual ceiling division
- Simplifying map_or() to is_some_and()
- Fixing type complexity issues with type aliases
- Using .copied() instead of .map(|k| *k)
- Fixing digit grouping inconsistencies (3_600_000)
- Adding #[allow(non_snake_case)] for Meilisearch API-compatible structs
- Removing unnecessary casts
- Fixing await_holding_lock issues

Closes: bf-66nh

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-26 01:14:31 -04:00
jedarden
0033ad754f fix: remove trailing whitespace and formatting cleanup
- Remove trailing whitespace from multiple files
- Minor formatting fixes across crates
- Net reduction of 69 lines of whitespace

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-25 09:04:47 -04:00
jedarden
0b3552ee4f fix(clippy): apply auto-fixes for unused imports and variables
Apply cargo clippy --fix to remove unused imports, prefix unused
variables with underscore, and fix various clippy warnings across
miroir-core, miroir-proxy, and miroir-ctl.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-25 05:15:22 -04:00
jedarden
17b25e4cf1 feat(analytics): implement beacon idempotency and CDC integration (P5.21.f §13.21)
Implement analytics beacon endpoint with idempotency and CDC integration:

- Add `check_and_mark_beacon_event` to TaskStore trait for idempotency
- Implement for both Redis (HSET with 24h TTL) and SQLite (table with cleanup)
- Add JWT session extraction for session_id in beacon events
- Add server-side event_id generation fallback for old browsers (SHA256 hash)
- Integrate with CDC manager to publish AnalyticsEvents (click_through, latency)
- Respect cdc.emit_internal_writes for latency events
- Add Display impl for JwtValidationError for proper error logging
- Add jwt_decode_with_fallback helper for JWT rotation support
- Add unit tests for beacon idempotency (SQLite and Redis)

Closes: miroir-uhj.21.6
2026-05-25 02:48:55 -04:00
jedarden
1ea05975ef fix(tests): add missing vector_config field and fix test compilation
- Add VectorMode re-export to miroir-core lib.rs
- Add missing vector_config field to SearchRequest and MergeInput in tests
- Fix admin_ui.rs test assertion (Result doesn't impl Eq)
- Fix auth.rs CSRF test (remove Next::new usage that doesn't compile in axum 0.7)

These were compilation errors introduced after adding vector_config field to
search structs. All 173 miroir-proxy library tests now pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 20:45:02 -04:00
jedarden
4762bd3d46 feat(security): implement CSRF posture for Admin UI and Search UI (plan §9, P10.6)
Implement CSRF protection and origin checks per plan §9:

**Session endpoints (session.rs):**
- admin_login now sets HttpOnly, Secure, SameSite=Strict cookie with sealed session ID
- Returns JSON with session_id, csrf_token, expires_at in response body
- Origin checked against admin_ui.allowed_origins (default "same-origin")

**Admin UI (admin_ui.rs):**
- Add CSP header to all Admin UI responses
- CSP template from admin_ui.csp with csp_overrides merged additively

**Tests (auth.rs):**
- CSRF token generation, extraction, and validation
- Origin validation: same-origin, specific origins, wildcard, referer fallback
- CSP header builder: base template and overrides merging

**Pre-existing (already implemented):**
- CSRF middleware validates X-CSRF-Token on state-changing requests
- Bearer tokens bypass CSRF (non-simple header forces CORS preflight)
- Config validation rejects wildcard in csp_overrides

Acceptance criteria met:
- Cookie-auth POST without X-CSRF-Token → 403 missing_csrf
- Cookie-auth POST with wrong token → 403 csrf_mismatch
- Bearer-auth POST without X-CSRF-Token → 200 (bypasses CSRF)
- Session endpoint with Origin not in allowed_origins → 403
- csp_overrides merging works correctly
- Wildcard (*) in csp_overrides rejected by validation

Closes: miroir-46p.6
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 11:17:08 -04:00
jedarden
ec3ecedfd7 feat(proxy): implement JWT session minting with filter injection (P5.21.c, §13.21)
- Add injected_filter, user, and groups claims to JwtClaims
- Implement filter template rendering in oauth_proxy mode
  - Replace {groups} with JSON-encoded groups array
  - Replace {user} with user identifier
  - Bake rendered filter into JWT injected_filter claim
- Apply injected_filter in search handler
  - AND injected_filter with user-supplied filter on every search
  - Pass filter through JWT claims extension
- Add config validation: scoped_key_rotate_before_expiry_days < scoped_key_max_age_days
- Add JwtClaimsExtension to pass claims from middleware to handlers
- Update auth middleware to insert JWT claims into request extensions
- Update sign_jwt to accept new optional filter fields

Closes: miroir-uhj.21.3

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 04:58:34 -04:00
jedarden
bb5f46403a feat(proxy): implement JWT session minting with scope validation (P5.21.b, §13.21)
Implement plan §13.21 auth layer 2 for search UI session tokens:

**JWT Claims Structure (plan §13.21):**
- Add `iss: "miroir"` claim to identify token issuer
- Add `scope: Vec<String>` for allowed actions (search, multi_search, beacon)
- Keep `idx`, `sub`, `iat`, `exp` claims
- Update `sign_jwt` to use "search-ui-session" as default sub

**Scope Validation (defense-in-depth):**
- Add `validate_jwt_scope()` function to check (method, path) against scope
- Validate `idx` claim matches target index for search/beacon endpoints
- Return `JwtValidationError::ScopeDenied` on mismatch
- Integrate into `dispatch_bearer()` for automatic enforcement

**Session Response (plan §13.21):**
- Update `SearchUiSessionResponse` to include `index` and `rate_limit` fields
- Return `token`, `expires_at`, `index`, `rate_limit` from session endpoint

**Authentication Modes:**
- `public`: unauthenticated, IP rate-limited
- `shared_key`: requires X-Search-UI-Key header
- `oauth_proxy`: requires upstream auth headers

Closes: miroir-uhj.21.2

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 04:47:27 -04:00
jedarden
158752fe7b feat(multi-search): implement timeout enforcement and acceptance tests (§13.11)
- Add per-query and total timeout enforcement to MultiSearchExecutor
- Improve SearchResult with helper methods (ok, err, timeout, is_success)
- Fix ModeACoordinator feature-gate compilation issues
- Add comprehensive acceptance tests for multi-search:
  - 5-query batch completion
  - Slow query doesn't block fast queries (parallel execution)
  - Partial failure handling
  - Per-query timeout
  - Total timeout
  - 100-query batch completion

Closes: miroir-uhj.11
2026-05-24 01:54:20 -04:00
jedarden
35cb63c0ce P2.7: Add test coverage for /health and /version dispatch-exempt endpoints
Added 6 new unit tests for the /health and /version endpoints which are
dispatch-exempt according to plan §5 rule 0:
- exempt_get_health: verifies GET /health is exempt, POST is not
- exempt_get_version: verifies GET /version is exempt, POST is not
- exempt_health_ignores_all_tokens: dispatch_bearer returns Exempt
- exempt_health_with_no_token: dispatch_bearer returns Exempt with no auth
- exempt_version_ignores_all_tokens: dispatch_bearer returns Exempt
- exempt_version_with_no_token: dispatch_bearer returns Exempt with no auth

All 68 auth tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 15:26:49 -04:00
jedarden
ee3ef23133 P10.5: scoped Meilisearch key rotation with multi-pod coordination
Implements plan §13.21 leader-based rotation of per-index scoped search
keys with zero-403 overlap guarantees:

- Leader lease (Redis, Mode B §14.5) serializes rotation across pods
- Per-pod beacon with 60s TTL refreshed on every search request
- Revocation safety gate: leader checks all live peers observed new
  generation before DELETE /keys/{previous_uid}
- Drain wait (default 120s) for stragglers before revocation
- Auto-rotation trigger: scoped_key_rotate_before_expiry_days (30d)
  before scoped_key_max_age_days (60d)
- Manual trigger: POST /_miroir/ui/search/{index}/rotate-scoped-key
  with force:true to bypass timing gate
- Config validation rejects rotate_before >= max_age at startup
- Helm _helpers.tpl render-time guard against rotation loop
- values.schema.json schema validation for scoped key config fields

Also includes session management routes (admin login/logout/session,
search UI JWT session) and auth middleware CSRF protection needed
by the admin-gated rotation endpoint.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 07:33:29 -04:00
jedarden
43e3367c73 P10.4 followup: log warning on admin session cookie unseal failure
Logs a warning with path and error when cookie unseal fails, helping
operators diagnose cross-pod ADMIN_SESSION_SEAL_KEY mismatches in HA
deployments (acceptance criterion 2).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 17:26:20 -04:00
jedarden
48f7c0aabf P10.4: ADMIN_SESSION_SEAL_KEY cookie sealing with XChaCha20-Poly1305
Implement admin session cookie sealing per plan §9 and §13.19:
- SealKey loaded from ADMIN_SESSION_SEAL_KEY env (base64-encoded 32 bytes),
  with random fallback and startup warning for multi-pod deployments
- Cookie sealed via XChaCha20-Poly1305 AEAD (confidentiality + integrity)
- Wire format: base64([24-byte nonce][ciphertext][16-byte tag])
- AuthState initialized with revoked_sessions DashMap + revoked counter
- miroir_admin_session_key_generated gauge set at startup (1=random, 0=env)
- Revocation cache checked on every cookie-authenticated admin request

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 17:18:39 -04:00
jedarden
6e35e420a9 P10.3: SEARCH_UI_JWT_SECRET dual-secret overlap rotation
Implement plan §9 JWT signing-secret rotation with zero-downtime dual-secret
overlap window. Primary secret signs new tokens (kid header identifies it),
optional previous secret validates old tokens during rotation. Validation tries
primary first, falls through to previous on signature mismatch, and propagates
Expired immediately when the correct secret is found.

Key pieces:
- auth.rs: dual-secret JWT validation with kid header, leak response via empty
  previous, full test coverage (62 tests including e2e rotation scenario)
- main.rs: read SEARCH_UI_JWT_SECRET_PREVIOUS, refuse startup without primary
- config: jwt_secret_previous_env + jwt_rotation_buffer_s in SearchUiAuthConfig
- miroir-ctl: rotate-jwt-secret command (5-step dual-secret overlap procedure)
- Helm CronJob: quarterly schedule, suspended by default, Forbid concurrency

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 16:17:33 -04:00
jedarden
1b9dc1d8c3 P2.1: Implement axum server skeleton with health/version/ready/topology/shards/metrics endpoints
- Load Config (file + env + CLI args overlay) via MiroirConfig::load()
- Initialize tracing with JSON-to-stdout format (plan §10)
- Start two axum listeners: :7700 (client API) + :9090 (metrics, unauthenticated)
- Signal handlers for graceful shutdown (SIGTERM → drain → exit)
- GET /health returns {"status":"available"} immediately (Meilisearch-compatible)
- GET /version returns Meilisearch version from healthy node (60s TTL cache)
- GET /_miroir/ready returns 503 during startup, 200 once covering quorum reachable
- GET /_miroir/topology returns cluster state per plan §10 JSON shape
- GET /_miroir/shards returns shard → node mapping table
- GET /_miroir/metrics returns admin-key-gated Prometheus metrics
- Background health checker promotes nodes to Active when reachable
- UnifiedState bundles AuthState, Metrics, and admin_endpoints::AppState

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 06:12:05 -04:00
jedarden
1d486553a6 Fix /_miroir/metrics to require admin key (not exempt)
Per plan §10, GET /_miroir/metrics is admin-key-gated so it can be
exposed outside the cluster. It was incorrectly marked as dispatch-exempt
with comment "admin-key-optional" - changed to require admin authentication.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 05:57:31 -04:00
jedarden
fca081e1bd Integrate MeilisearchError into proxy (IntoResponse, auth middleware) + telemetry
- Add axum feature flag to miroir-core with IntoResponse impl for MeilisearchError
- Refactor auth middleware to use MeilisearchError::new() + MiroirCode instead of
  manual JSON construction, ensuring consistent error shape across all auth errors
- Add proxy error.rs re-export alias for ApiError
- Implement full telemetry middleware with Prometheus metrics (request duration,
  in-flight gauge, scatter counters, node health)
- Reorder middleware layers: auth before telemetry so 401s are also instrumented

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 05:21:09 -04:00
jedarden
625e414b6c Implement bearer-token dispatch chain (plan §5 rules 0-5) + X-Admin-Key
Add deterministic bearer-token dispatch with five rules:
- Rule 0: dispatch-exempt endpoints skip all auth (metrics, locale, login,
  session, SPA)
- Rule 1: JWT-shape probe stub (Phase 5 will add full validation)
- Rule 2: admin-path (/__miroir/*) matches only admin_key
- Rule 3: non-admin paths match only master_key
- Rule 4: mismatch returns 401 miroir_invalid_auth

Also adds X-Admin-Key header short-circuit for admin endpoints,
constant-time comparison via subtle::ConstantTimeEq, rate-limit hook
types (Phase 2 in-memory stub), and 54 unit tests covering all
acceptance criteria.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 05:11:57 -04:00
jedarden
9b5cf0ddcd P0.3: Scaffold miroir-proxy crate
- Added Cargo.toml with axum, tokio, reqwest, serde, tracing, prometheus
- Created main.rs: binds :7700 (main API) and :9090 (metrics)
- Route handler stubs: documents, search, indexes, settings, tasks, health, admin
- auth.rs: bearer-token dispatch skeleton (client/admin token kinds)
- middleware.rs: tracing/logging + Prometheus middleware stubs
- Fixed miroir-core/migration.rs: Display impls, Instant serialization, borrow fixes

Acceptance:
- Binary builds successfully
- Health endpoint returns {"status":"available"}
- Stripped binary: 2.3 MB (< 20 MB target)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 20:57:58 -04:00