momentry_core/CHANGELOG.md
accusys 383201cacd feat: Initial v0.9 release with API Key authentication
## v0.9.20260325_144654

### Features
- API Key Authentication System
- Job Worker System
- V2 Backup Versioning

### Bug Fixes
- get_processor_results_by_job column mapping

Co-authored-by: OpenCode
2026-03-25 14:53:41 +08:00


# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
## [Unreleased]
### Added
- Gitea API token integration
- n8n API key integration
- API key caching with Moka
- Rate limiting for API key validation
- Constant-time hash comparison
- OpenAPI documentation with utoipa
## [0.1.0] - 2026-03-21
### Added
#### API Key Management System
- API key generation with secure random (UUID v4)
- SHA256 key hashing
- 5 key types: System, User, Service, Integration, Emergency
- Key expiration with configurable TTL
- Grace period for key rotation
#### Anomaly Detection
- High request rate detection (>1000/min)
- High error rate detection (>50%)
- Multiple IP detection (>5/hour)
- Unusual time activity detection
- Redis Pub/Sub for anomaly alerts
#### Rotation Mechanism
- Automatic rotation scheduling
- Manual rotation requests
- Forced rotation for security incidents
- Grace period management per key type:
  - System: 72 hours
  - User: 24 hours
  - Service: 48 hours
  - Integration: 24 hours
  - Emergency: 0 hours (immediate)
#### PostgreSQL Integration
- `api_keys` table for key storage
- `api_key_audit_log` table for audit trail
- `api_key_anomalies` table for anomaly records
- Full CRUD operations for API keys
#### Redis Integration
- Anomaly alert Pub/Sub (`momentry:anomaly:alerts`)
- Key anomaly state tracking
- Real-time alert notifications
#### CLI Commands
- `momentry api-key create` - Create new API key
- `momentry api-key list` - List all API keys
- `momentry api-key validate` - Validate an API key
- `momentry api-key revoke` - Revoke an API key
- `momentry api-key rotate` - Request key rotation
- `momentry api-key stats` - Show statistics
#### Gitea Integration
- Create Gitea Personal Access Tokens
- List user tokens
- Delete tokens
- Local token tracking
- CLI commands:
  - `momentry gitea create`
  - `momentry gitea list`
  - `momentry gitea delete`
  - `momentry gitea verify`
#### n8n Integration
- Create n8n API keys
- List API keys
- Delete API keys
- Local key tracking
- CLI commands:
  - `momentry n8n create`
  - `momentry n8n list`
  - `momentry n8n delete`
  - `momentry n8n verify`
#### Security Features
- Constant-time hash comparison (subtle crate)
- Rate limiting for validation attempts
- IP-based lockout after failed attempts
- Configurable thresholds via environment variables
#### Performance Optimizations
- Moka-based API key validation cache
- Configurable TTL and capacity
- Reduced database queries for hot keys
#### Documentation
- API Key Management design document
- Redis user configuration guide
- Gitea token integration guide
- n8n API key integration guide
- Optimization plan with task codes
### Environment Variables
#### API Key Configuration
```
CACHE_TTL_SECONDS=300 # Cache TTL (default: 300)
CACHE_MAX_CAPACITY=10000 # Max cache entries (default: 10000)
RATE_LIMIT_MAX_ATTEMPTS=5 # Max failed attempts (default: 5)
RATE_LIMIT_WINDOW_SECONDS=900 # Lockout duration (default: 900)
```
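An added illustration, not code from the momentry_core repository: the validation-side controls listed under Security Features (constant-time hash comparison, rate limiting, IP-based lockout), driven by the `RATE_LIMIT_*` defaults above, written against the Rust standard library only. The project uses the `subtle` crate for constant-time comparison; the hand-written `ct_eq_bytes` stands in for `subtle::ConstantTimeEq` so the example compiles without external crates, and the caller is assumed to supply the SHA-256 digest of the presented key because the `sha2` crate is likewise omitted.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

// Constant-time digest comparison standing in for `subtle::ConstantTimeEq`
// (assumed unavailable here): every byte is visited and XOR-accumulated, so
// there is no early exit whose timing reveals how many leading bytes matched.
pub fn ct_eq_bytes(a: &[u8], b: &[u8]) -> bool {
    // Digest lengths are fixed, so the length check leaks nothing useful.
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

// Per-IP failure counter: RATE_LIMIT_MAX_ATTEMPTS failures within
// RATE_LIMIT_WINDOW_SECONDS lock that source out of validation.
pub struct Limiter {
    max_attempts: u32,
    window: Duration,
    failures: HashMap<IpAddr, (u32, Instant)>, // (failure count, window start)
}

impl Limiter {
    pub fn new(max_attempts: u32, window_secs: u64) -> Self {
        Limiter { max_attempts, window: Duration::from_secs(window_secs), failures: HashMap::new() }
    }
    pub fn is_locked(&self, ip: IpAddr, now: Instant) -> bool {
        self.failures.get(&ip).map_or(false, |(n, start)| *n >= self.max_attempts && now.duration_since(*start) < self.window)
    }
    fn record_failure(&mut self, ip: IpAddr, now: Instant) {
        let e = self.failures.entry(ip).or_insert((0, now));
        if now.duration_since(e.1) >= self.window {
            *e = (0, now); // window expired: start a fresh one
        }
        e.0 += 1;
    }
}

// Check the SHA-256 digest of a presented key (hashing is the caller's job;
// the `sha2` crate is assumed unavailable) against the stored digest,
// refusing even a correct key while the caller's IP is locked out.
pub fn validate(lim: &mut Limiter, ip: IpAddr, now: Instant, presented: &[u8], stored: &[u8]) -> Result<(), &'static str> {
    if lim.is_locked(ip, now) {
        return Err("locked out");
    }
    if ct_eq_bytes(presented, stored) {
        lim.failures.remove(&ip); // a success clears the counter
        Ok(())
    } else {
        lim.record_failure(ip, now);
        Err("invalid key")
    }
}
```

With the defaults above (`5` attempts, `900` s window), a fifth wrong key from one address blocks that address, including a subsequently correct key, until the window has elapsed.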
#### Service URLs
```
GITEA_URL=http://localhost:3000
N8N_URL=https://n8n.momentry.ddns.net
```
### Database Schema
#### Tables Created
- `api_keys` - API key storage
- `api_key_audit_log` - Audit trail
- `api_key_anomalies` - Anomaly records
- `gitea_tokens` - Gitea token tracking
- `n8n_api_keys` - n8n API key tracking
### Dependencies Added
- `uuid` - UUID generation
- `subtle` - Constant-time comparison
- `moka` - Async cache
- `utoipa` - OpenAPI documentation
- `utoipa-swagger-ui` - Swagger UI
---
## Version History
| Version | Date | Description |
|---------|------|-------------|
| 0.1.0 | 2026-03-21 | Initial release with API Key Management |