feat(M11+M12): Email notifications, audit hardening, deployment packaging, backup/DR, integration testing

M11 - Email Notifications + Audit Logging Hardening: - Email notifier (lettre crate) with templates for patch failure, job completion, maintenance reminders - Audit log hash chaining (prev_hash + row_hash) for tamper-evident logging - Periodic + on-demand audit integrity verification - Audit logging for all config changes and certificate operations - Frontend: email settings integration, audit integrity verification action M12 - Deployment Packaging, Backup/DR, Integration Testing: - scripts/backup.sh: Nightly pg_dump, CA backup (GPG), config backup (secrets excluded unless encrypted) - scripts/setup.sh: Enhanced with backup dir, seed migration, backup cron, systemd target install - systemd units: Restart=always, WatchdogSec, ReadWritePaths, security hardening - systemd/patch-manager.target: Service target for coordinated lifecycle - docs/runbooks/restore.md: Full DR runbook with RPO 24h / RTO 4h targets - scripts/integration-test.sh: 9 test suites covering full API lifecycle - scripts/performance-test.sh: NFR validation (dashboard <5s, CIDR /22 <10s, API <2s) - docs/security-review.md: Comprehensive security control verification - docs/compliance-mapping.md: HIPAA (6 sections) + PCI-DSS v4.0 (9 requirements) mapped
2026-04-24 00:45:51 +00:00
parent 84ab92f4f0
commit 297bf1bd83
26 changed files with 2651 additions and 65 deletions
--- a/frontend/src/api/client.ts
+++ b/frontend/src/api/client.ts
@ -197,7 +197,6 @@ export const reportsApi = {
      timeout: 120_000,   // reports can take a while
    }),
 }
-
 // ── Settings API (M10) ────────────────────────────────────────────────────
 export interface AzureSsoConfig {
  enabled: boolean
@ -221,12 +220,19 @@ export interface PollingConfig {
  patch_poll_interval_secs: number
 }

+export interface NotificationConfig {
+  email_enabled: boolean
+  email_from: string
+  recipients: string[]
+}
+
 export interface SettingsResponse {
  azure_sso: AzureSsoConfig
  smtp: SmtpConfig
  polling: PollingConfig
  ip_whitelist: string[]
  web_tls_strategy: string
+  notification: NotificationConfig
 }

 export interface TestResult {
@ -234,14 +240,26 @@ export interface TestResult {
  message: string
 }

+export interface AuditIntegrityResult {
+  intact: boolean
+  rows_checked: number
+  errors: Array<{
+    row_id: number
+    expected_hash: string
+    actual_hash: string
+  }>
+}
+
 export const settingsApi = {
  get: () => apiClient.get<SettingsResponse>('/settings'),
  update: (data: Partial<SettingsResponse> & {
    azure_sso?: AzureSsoConfig & { client_secret?: string }
    smtp?: SmtpConfig & { password?: string }
+    notification?: NotificationConfig
  }) => apiClient.put<SettingsResponse>('/settings', data),
  testAzureSso: () => apiClient.post<TestResult>('/settings/azure-sso/test'),
  testSmtp: () => apiClient.post<TestResult>('/settings/smtp/test'),
  getIpWhitelist: () => apiClient.get<{ entries: string[] }>('/settings/ip-whitelist'),
  updateIpWhitelist: (entries: string[]) => apiClient.put<{ entries: string[] }>('/settings/ip-whitelist', { entries }),
+  auditIntegrity: () => apiClient.post<AuditIntegrityResult>('/settings/audit-integrity'),
 }