feat: zentryx-status v0.1.0 - enterprise dogfood of sealed-env

Author: davidalmeidac

.env.example

@@ -0,0 +1,24 @@
+# zentryx-status secrets template.
+# Copy to .env in src/main/resources/, fill in real values, then run:
+#
+#   mvn sealed-env:encrypt -Dsealed-env.input=src/main/resources/.env
+#   # or with the CLI directly if installed:
+#   sealed-env encrypt src/main/resources/.env -o src/main/resources/.env.sealed
+#
+# That produces .env.sealed (which IS safe to commit). Delete the
+# plaintext .env afterwards.
+
+# H2 file-mode database password. Used to lock the local H2 file so a
+# second JVM cannot accidentally open it. Doesn't have to be strong —
+# the file lives in /data inside the container with restrictive perms.
+H2_PASSWORD=change-me
+
+# Resend API key for the Monday weekly digest email.
+RESEND_API_KEY=re_REPLACE_ME
+
+# Where to send the weekly digest.
+DIGEST_TO=david@zentryxnet.lat
+
+# Discord webhook for state-change alerts (target goes down or recovers).
+# Get one at: Server Settings → Integrations → Webhooks → New Webhook.
+ALERT_DISCORD_WEBHOOK=https://discord.com/api/webhooks/REPLACE_ME

.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    name: Build & test
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '21'
+          cache: 'maven'
+
+      - name: Compile
+        run: mvn -B -q compile
+
+      - name: Test
+        run: mvn -B -q test
+        env:
+          # CI doesn't have a real .env.sealed yet — the test profile
+          # uses an in-memory H2 with placeholder values, so sealed-env
+          # auto-config falls back to plain @Value defaults.
+          SEALED_ENV_KEY: ci-placeholder-not-used
+
+  docker:
+    name: Docker build
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - name: Build image (no push)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          tags: zentryx-status:ci
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -0,0 +1,43 @@
+# Plaintext secrets — NEVER commit
+.env
+.env.local
+.env.*.local
+src/main/resources/.env
+src/main/resources/.env.local
+
+# OK to commit (encrypted)
+!.env.sealed
+!.env.example
+!src/main/resources/.env.sealed
+
+# Maven
+target/
+*.jar
+*.war
+.mvn/
+
+# IDE
+.idea/
+*.iml
+.vscode/
+.settings/
+.classpath
+.project
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Local DB
+data/
+*.h2.db
+*.mv.db
+*.trace.db
+
+# Added by sealed-env
+.env.local
+.env
+
+# Added by sealed-env
+.env.local
+.env

Dockerfile

@@ -0,0 +1,49 @@
+# ─────────────────────────────────────────────────────────────────
+# zentryx-status · multi-stage Docker build
+#
+# Stage 1: build the fat jar with Eclipse Temurin 21 + Maven (cached
+#          .m2 layer keeps incremental builds fast).
+# Stage 2: minimal JRE image, runs as a non-root user, exposes 8090.
+# ─────────────────────────────────────────────────────────────────
+
+FROM eclipse-temurin:21-jdk-alpine AS build
+WORKDIR /workspace
+
+# Cache the dependency resolution layer
+COPY pom.xml ./
+RUN apk add --no-cache maven && \
+    mvn -B -q dependency:go-offline
+
+COPY src ./src
+RUN mvn -B -q -DskipTests package && \
+    cp target/zentryx-status-*.jar app.jar
+
+# ── Runtime ──────────────────────────────────────────────────────
+FROM eclipse-temurin:21-jre-alpine
+
+# Non-root user for the runtime — matches the rest of our security model
+RUN addgroup -S zentryx && \
+    adduser  -S -G zentryx -h /app zentryx && \
+    mkdir -p /app/data && \
+    chown -R zentryx:zentryx /app
+
+USER zentryx
+WORKDIR /app
+
+COPY --from=build --chown=zentryx:zentryx /workspace/app.jar app.jar
+
+EXPOSE 8090
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+    CMD wget -qO- http://127.0.0.1:8090/actuator/health || exit 1
+
+# Enterprise-mode unsealing: the deploy script mints a JWS via
+# `sealed-env unseal --totp <code> --deploy-id <sha> --ttl 60` and
+# injects it as SEALED_ENV_UNSEAL_TOKEN. Spring Boot reads it on
+# startup, validates signature + TTL + deploy_id binding, decrypts
+# .env.sealed, exposes vars to the Environment.
+#
+# If the token is missing, expired, or bound to a different deploy_id,
+# the JVM exits non-zero. Docker restart-policy will keep retrying —
+# operator must re-deploy with a fresh TOTP to recover. This is by
+# design: secrets are never re-decrypted without human approval.
+ENTRYPOINT ["java", "-XX:MaxRAMPercentage=75", "-XX:+UseG1GC", "-jar", "app.jar"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Zentryx Network
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,152 @@
+# zentryx-status
+
+> Public status page service for Zentryx Network. Polls every critical
+> endpoint, persists checks in H2, exposes a small REST API, alerts on
+> state changes via Discord.
+
+Built specifically as a **production dogfood** for [`sealed-env`](https://github.com/davidalmeidac/sealed-env)
+in **enterprise mode** — secrets are sealed behind a TOTP-bound JWS
+unseal token. Every deploy requires a fresh 6-digit code from the
+operator's authenticator app; the token is bound to a specific commit
+SHA and expires in 60 seconds.
+
+If the JVM restarts (OOM, host reboot, etc.) the token is gone and
+the service crash-loops until a human re-runs `deploy.sh`. By design:
+secrets never re-decrypt without explicit human approval.
+
+## Threat model
+
+| Attacker has... | Can they decrypt secrets? |
+|---|---|
+| `.env.sealed` only | ❌ — needs master key |
+| Master key only | ❌ — needs current TOTP code |
+| TOTP secret (base32) only | ❌ — needs master key + signing key |
+| Stolen unseal token from CI logs | ❌ — bound to deploy_id, expired in 60s |
+| Master key + TOTP secret + signing key | ✅ — but that's 3 separate exfils |
+| Container memory dump while running | ✅ — same as any service, mitigated by host hardening |
+
+## What it monitors (out of the box)
+
+| Target | URL | Expects |
+|---|---|---|
+| `zentryxnet-web` | https://zentryxnet.lat/health | 200 |
+| `zentryxnet-blog` | https://zentryxnet.lat/blog | 200 |
+| `speedtest-ping` | https://speed.zentryxnet.lat/ping | 204 |
+| `mail-https` | https://mail.zentryxnet.lat/ | 200 |
+
+Edit `application.yml → zentryx.status.targets` to add/remove. Every
+target gets one HTTP probe every 30s.
+
+## Public API
+
+| Endpoint | Description |
+|---|---|
+| `GET /api/v1/status` | Current snapshot — last known state per target |
+| `GET /api/v1/uptime?days=7` | Uptime % per target over N days (1-90) |
+| `GET /api/v1/history?target=X&hours=24` | Raw checks for a single target |
+
+All three are public and CORS-friendly — embed them in dashboards,
+hit them from `curl`, scrape them with a bot.
+
+## Local development (basic mode)
+
+For day-to-day dev you don't want to type a TOTP every restart. Use
+basic mode locally:
+
+```bash
+# 1. Switch to basic mode in dev
+sealed-env init                                   # generates master key in .env.local
+cp .env.example src/main/resources/.env
+# edit src/main/resources/.env with real values
+
+sealed-env encrypt src/main/resources/.env \
+  -o src/main/resources/.env.sealed
+
+# 2. application.yml: temporarily set sealed-env.mode=basic for dev
+# 3. Run
+mvn spring-boot:run
+```
+
+Production stays in enterprise mode regardless.
+
+## Production deploy (enterprise mode)
+
+### One-time setup on `zentryx-web`
+
+```bash
+ssh zentryx-web
+
+# 1. Install sealed-env CLI
+sudo npm i -g sealed-env
+
+# 2. Clone the repo
+sudo mkdir -p /opt/zentryx
+sudo git clone https://github.com/Zentryx-Network/zentryx-status.git \
+  /opt/zentryx/status
+cd /opt/zentryx/status
+
+# 3. Drop the master key + signing key + TOTP secret
+#    These were created by `sealed-env init --mode enterprise`
+#    on YOUR LAPTOP — copy that .env.local here.
+sudo install -m 600 -o root -g root /tmp/sealed.env.local .env.local
+rm /tmp/sealed.env.local
+```
+
+### Every deploy
+
+```bash
+ssh zentryx-web
+cd /opt/zentryx/status
+git pull --ff-only
+./deploy.sh
+# It asks for a 6-digit TOTP, mints a 60s token bound to the new
+# commit, builds Docker, starts container, tails logs, verifies
+# health. Total time ~25-40 seconds.
+```
+
+The deploy script refuses to run on a dirty working tree — your
+working copy must be clean and the code that ships matches the
+deploy_id the token is bound to.
+
+### External monitor (mandatory)
+
+Because zentryx-status uses fail-safe crashloops on bad/expired
+tokens, its own AlertDispatcher can't tell you when it's down. The
+companion [`external-monitor/`](./external-monitor/) lives on
+zentryx-web (different host), runs every 60s via systemd timer,
+and posts to Discord after 5min of consecutive failures.
+
+The Discord webhook for the canary is **NOT** inside `.env.sealed`
+— it's in plaintext at `/etc/zentryx/external-monitor.env` (chmod
+600, root-owned). Different threat model: this webhook is the one
+piece that keeps working when the sealed pipeline fails.
+
+See [`external-monitor/README.md`](./external-monitor/README.md) for
+install instructions.
+
+## How it differs from a generic Spring Boot service
+
+- **`sealed-env-spring-boot-starter` in enterprise mode**: every
+  deploy requires a fresh TOTP code from the operator. Token is
+  bound to commit SHA; expires in 60 seconds. Same encrypted file
+  format works in Node ([news-scout](https://github.com/Zentryx-Network/news-scout))
+  and Spring Boot.
+- **Strict timeouts on every outbound request**: 4s connect + 8s
+  read. A frozen target never holds up the next polling cycle.
+- **Append-only schema**: `health_check` is INSERT-only, no
+  UPDATEs. Daily prune drops anything older than 30 days.
+- **Cooldown on alerts**: a flapping target generates one Discord
+  ping every 15 minutes max, not one every 30 seconds.
+- **Bound to 127.0.0.1**: Spring app only listens on localhost.
+  External access goes through Caddy/nginx, which terminates TLS.
+- **External canary**: a separate process (different host, different
+  webhook, no shared deps) tells you when this service goes silent.
+
+## License
+
+MIT. See [LICENSE](./LICENSE).
+
+---
+
+Built by [Zentryx Network](https://zentryxnet.lat). Powered by
+[sealed-env](https://github.com/davidalmeidac/sealed-env) (enterprise mode).