better demo

Author: sharon77242

quotes-demo-app/DEMO.md

@@ -0,0 +1,69 @@
+# Argus Demo — Simulation Scenarios
+
+Run with: `node simulate.js` (requires Postgres; see `docker-compose-pg-only.yml`).
+
+The simulator boots an Express server, attaches the DiagnosticAgent, then replays the traffic sequence below. Each scenario triggers a specific agent feature and prints a labelled event to the terminal.
+
+---
+
+## Traffic sequence
+
+| Step | Route | Agent event / hint | Label |
+|------|-------|--------------------|-------|
+| 1 | `GET /` | health check (no event) | — |
+| 2 | `GET /quotes` | `offset-pagination` hint | QUERY |
+| 3 | `GET /quotes?page=1` × 6 | `n-plus-one` hint (repeated identical queries) | QUERY |
+| 4 | `POST /quotes` | clean INSERT, no hints | QUERY |
+| 5 | `GET /debug/scrub` | high-entropy secret redacted from log | SCRUB |
+| 6 | `GET /debug/busy-spin` | 120ms synchronous busy-loop → `event-loop-lag` anomaly | ANOM |
+| 7 | `GET /debug/select-star` | `no-select-star` + `missing-limit` + `full-table-scan` hints | QUERY |
+| 8 | `POST /debug/update-all` | `missing-where-update` hint (critical) | QUERY |
+| 9 | `GET /debug/sync-read` × 5 | `synchronous-fs` hint (every call) + `missing-fs-cache` hint (5th call) | FS |
+| 10 | `GET /debug/log-unstructured` | `unstructured-log` hint | LOG |
+| 11 | `GET /debug/log-large` | `large-log-payload` hint | LOG |
+| 12 | `GET /debug/log-storm` | `log-error-storm` hint (6 errors in < 1 s) | LOG |
+| 13 | `GET /debug/path-traversal` | `path-traversal-risk` hint | FS |
+| 14 | `GET /debug/sensitive-file` | `sensitive-file-access` hint (.env) | FS |
+| 15 | `GET /debug/leak-memory` | ~12 MB V8 heap growth → `memory-leak` anomaly | ANOM |
+| 16 | `GET /debug/outbound` | `insecure-http` hint (plain http:// to remote host) | HTTP |
+| 17 | `POST /debug/delete-all` | `missing-where-delete` hint (critical — no WHERE clause) | QUERY |
+| 18 | `GET /debug/slow-query` | `pg_sleep(0.6)` exceeds 500 ms pg threshold → `slow-query` event | SLOW |
+| 19 | `GET /debug/transaction` | `BEGIN` / `SELECT` / `COMMIT` cycle → `transaction` event (committed) | TXN |
+| 20 | `GET /debug/rollback` | `BEGIN` / `SELECT` / `ROLLBACK` cycle → `transaction` event (aborted) | TXN |
+| 21 | `GET /debug/crash` | `Promise.reject()` with no `.catch()` → `unhandledRejection` → `crash` event | CRASH |
+| 22 | `GET /debug/dns-lookup` | `dns.lookup('example.com')` → `dns` event (+ `slow-dns` if > 100 ms) | DNS |
+| 23 | `GET /debug/error-500` | outbound HTTP call receives 500 → `http-server-error` hint | HTTP |
+| 24 | `GET /debug/rate-limited` | outbound HTTP call receives 429 → `http-rate-limited` hint | HTTP |
+| 25 | `GET /debug/slow-outbound` | outbound HTTP call takes ~2.5 s → `slow-http-request` hint | HTTP |
+
+Startup also fires:
+- `audit` — npm audit scan for high/critical CVEs
+- `scan` — static analysis (TypeScript + ESLint diagnostics)
+
+---
+
+## Agent features exercised
+
+| Feature | Triggered by |
+|---------|-------------|
+| Query analysis (7 rules) | steps 2–3, 7–8, 17 |
+| Slow query monitor | step 18 |
+| Transaction monitor | steps 19–20 |
+| Runtime monitor — event-loop lag | step 6 |
+| Runtime monitor — memory leak | step 15 |
+| Log instrumentation + scrubbing | steps 5, 10–12 |
+| FS instrumentation | steps 9, 13–14 |
+| HTTP instrumentation + analysis | steps 16, 23–25 |
+| DNS monitor | step 22 |
+| GC monitor | passive (fires if GC pauses exceed 10% of 10 s window) |
+| Crash guard | step 21 |
+| Resource leak monitor | passive (fires if OS handles exceed threshold) |
+| Audit scanner | startup |
+| Static scanner | startup |
+
+---
+
+## Monitors enabled but not directly triggered
+
+- **GC pressure** (`gc-pressure`): enabled via `withGcMonitor()`. Fires automatically if accumulated GC pause time exceeds 10% of the 10-second sliding window. No synthetic trigger is needed.
+- **Pool exhaustion / slow-acquire**: requires calling `agent.watchPool(pool, 'pg')` with a registered pg pool. Not wired in this demo; add it in `diagnostic.js` to observe `pool-exhaustion` and `slow-acquire` events under load.

quotes-demo-app/diagnostic.js

@@ -22,6 +22,11 @@ const agent = DiagnosticAgent.createProfile({
 // (Normally reserved for the 'worker' profile — included here to showcase all free-mode features.)
 agent.withRuntimeMonitor();
 
+// Additional monitors not included in the web/db profile — enabled here for the demo.
+agent.withTransactionMonitor();
+agent.withDnsMonitor();
+agent.withGcMonitor();
+
 // ── live event listeners ──────────────────────────────────────────────────────
 
 agent.on('query', (q) => {
@@ -106,6 +111,46 @@ agent.on('crash', (crash) => {
   );
 });
 
+agent.on('slow-query', (q) => {
+  console.warn(
+    `${c.dim}${stamp()}${c.reset} ${tag(c.yellow,'SLOW ')} ` +
+    `[${q.driver}] ${c.bold}${q.sanitizedQuery?.slice(0, 80)}${c.reset} ` +
+    `${c.red}${q.durationMs.toFixed(1)}ms > ${q.thresholdMs}ms threshold${c.reset}`
+  );
+});
+
+agent.on('transaction', (t) => {
+  const outcome = t.aborted ? `${c.red}ROLLBACK${c.reset}` : `${c.green}COMMIT${c.reset}`;
+  console.log(
+    `${c.dim}${stamp()}${c.reset} ${tag(c.cyan,'TXN  ')} ` +
+    `[${t.driver}] ${outcome} — ${t.queryCount} quer${t.queryCount !== 1 ? 'ies' : 'y'} ` +
+    `${c.dim}(${t.durationMs.toFixed(1)}ms)${c.reset}`
+  );
+});
+
+agent.on('dns', (d) => {
+  console.log(
+    `${c.dim}${stamp()}${c.reset} ${tag(c.cyan,'DNS  ')} ` +
+    `${d.hostname} → ${(d.addresses || []).join(', ') || '(error)'} ` +
+    `${c.dim}(${d.durationMs.toFixed(1)}ms)${c.reset}`
+  );
+});
+
+agent.on('slow-dns', (d) => {
+  console.warn(
+    `${c.dim}${stamp()}${c.reset} ${tag(c.yellow,'SDNS ')} ` +
+    `${d.hostname} resolved in ${c.yellow}${d.durationMs.toFixed(1)}ms${c.reset} (slow-dns threshold exceeded)`
+  );
+});
+
+agent.on('gc-pressure', (g) => {
+  console.warn(
+    `${c.dim}${stamp()}${c.reset} ${tag(c.yellow,'GC   ')} ` +
+    `${g.gcCount} GC cycle(s), ${g.totalPauseMs.toFixed(1)}ms total ` +
+    `${c.yellow}(${g.pausePct.toFixed(1)}% of ${g.windowMs}ms window)${c.reset}`
+  );
+});
+
 agent.on('audit', (result) => {
   const total = result.suggestions?.length ?? 0;
   const colour = total > 0 ? c.red : c.dim;

quotes-demo-app/routes/debug.js

@@ -8,6 +8,7 @@
 const express = require('express');
 const router = express.Router();
 const db = require('../services/db');
+const dns = require('dns');
 const fs = require('fs');
 const http = require('http');
 const path = require('path');
@@ -117,4 +118,117 @@ router.get('/outbound', (_req, res) => {
   }).on('error', () => res.json({ ok: true, note: 'httpbin unreachable' }));
 });
 
+// ── Query hints: missing-where-delete ─────────────────────────────────────────
+
+// Triggers: missing-where-delete (critical — deletes every row without WHERE)
+router.post('/delete-all', async (_req, res) => {
+  try {
+    await db.query('DELETE FROM quote');
+    res.json({ deleted: 'all rows' });
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+
+// ── Slow query ────────────────────────────────────────────────────────────────
+
+// Triggers: slow-query event (pg_sleep(0.6) exceeds the 500ms pg default threshold)
+router.get('/slow-query', async (_req, res) => {
+  try {
+    await db.query('SELECT pg_sleep(0.6)');
+    res.json({ ok: true });
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+
+// ── Transaction monitoring ────────────────────────────────────────────────────
+
+// Triggers: transaction event with aborted=false (COMMIT)
+// Note: pool.query() may use different connections per call; the DB-level transaction
+// may be a no-op, but TransactionMonitor correlates by SQL pattern, not connection.
+router.get('/transaction', async (_req, res) => {
+  try {
+    await db.query('BEGIN');
+    await db.query('SELECT id FROM quote LIMIT 1');
+    await db.query('COMMIT');
+    res.json({ ok: true, outcome: 'committed' });
+  } catch (err) {
+    await db.query('ROLLBACK').catch(() => {});
+    res.status(500).json({ message: err.message });
+  }
+});
+
+// Triggers: transaction event with aborted=true (ROLLBACK)
+router.get('/rollback', async (_req, res) => {
+  try {
+    await db.query('BEGIN');
+    await db.query('SELECT id FROM quote LIMIT 1');
+    await db.query('ROLLBACK');
+    res.json({ ok: true, outcome: 'rolled back' });
+  } catch (err) {
+    res.status(500).json({ message: err.message });
+  }
+});
+
+// ── Crash detection ───────────────────────────────────────────────────────────
+
+// Triggers: crash event via unhandledRejection.
+// CrashGuard intercepts the rejection and emits 'crash' without exiting the process
+// (unhandledRejection is recoverable since Node 15+ when a listener is registered).
+router.get('/crash', (_req, res) => {
+  Promise.reject(new Error('[demo] Simulated unhandled rejection — .catch() was intentionally omitted'));
+  res.json({ ok: true, note: 'unhandledRejection fired — watch for CRASH event' });
+});
+
+// ── DNS monitoring ────────────────────────────────────────────────────────────
+
+// Triggers: dns event (+ slow-dns if resolution exceeds the 100ms threshold)
+router.get('/dns-lookup', (_req, res) => {
+  dns.lookup('example.com', (err, address) => {
+    if (err) return res.json({ ok: false, error: err.message });
+    res.json({ ok: true, address });
+  });
+});
+
+// ── HTTP hint sinks ────────────────────────────────────────────────────────────
+// These are internal targets used by the outbound routes below.
+// They are NOT meant to be called directly from traffic.js.
+
+router.get('/sink-500', (_req, res) => res.status(500).json({ error: 'demo server error' }));
+router.get('/sink-429', (_req, res) => res.status(429).json({ error: 'demo rate limit' }));
+router.get('/sink-slow', (_req, res) => { setTimeout(() => res.json({ ok: true }), 2500); });
+
+// ── HTTP hints via outbound calls ─────────────────────────────────────────────
+
+function selfGet(urlPath) {
+  const port = parseInt(process.env.TARGET_PORT || '3000', 10);
+  return new Promise((resolve) => {
+    const req = http.request({ host: 'localhost', port, path: urlPath, method: 'GET' }, (r) => {
+      r.resume();
+      r.on('end', resolve);
+    });
+    req.on('error', resolve);
+    req.end();
+  });
+}
+
+// Triggers: http-server-error hint (outbound call receives 500)
+router.get('/error-500', async (_req, res) => {
+  await selfGet('/debug/sink-500');
+  res.json({ ok: true });
+});
+
+// Triggers: http-rate-limited hint (outbound call receives 429)
+router.get('/rate-limited', async (_req, res) => {
+  await selfGet('/debug/sink-429');
+  res.json({ ok: true });
+});
+
+// Triggers: slow-http-request hint (outbound call takes > 2000ms)
+router.get('/slow-outbound', async (_req, res) => {
+  await selfGet('/debug/sink-slow');
+  res.json({ ok: true });
+});
+
 module.exports = router;

quotes-demo-app/traffic.js

@@ -121,6 +121,42 @@ async function run() {
   await get('/debug/outbound');
   await wait(200);
 
+  console.log('\n[TRAFFIC] ── POST /debug/delete-all (missing-where-delete: critical) ────');
+  await post('/debug/delete-all', {});
+  await wait(100);
+
+  console.log('\n[TRAFFIC] ── GET /debug/slow-query (slow-query: 600ms > 500ms threshold) ─');
+  await get('/debug/slow-query');
+  await wait(200);
+
+  console.log('\n[TRAFFIC] ── GET /debug/transaction (transaction: COMMIT) ─────────────────');
+  await get('/debug/transaction');
+  await wait(100);
+
+  console.log('\n[TRAFFIC] ── GET /debug/rollback (transaction: ROLLBACK / aborted) ────────');
+  await get('/debug/rollback');
+  await wait(100);
+
+  console.log('\n[TRAFFIC] ── GET /debug/crash (crash: unhandledRejection) ──────────────────');
+  await get('/debug/crash');
+  await wait(200); // allow CrashGuard to emit the event
+
+  console.log('\n[TRAFFIC] ── GET /debug/dns-lookup (dns + possible slow-dns) ──────────────');
+  await get('/debug/dns-lookup');
+  await wait(200);
+
+  console.log('\n[TRAFFIC] ── GET /debug/error-500 (http-server-error hint) ─────────────────');
+  await get('/debug/error-500');
+  await wait(100);
+
+  console.log('\n[TRAFFIC] ── GET /debug/rate-limited (http-rate-limited hint) ──────────────');
+  await get('/debug/rate-limited');
+  await wait(100);
+
+  console.log('\n[TRAFFIC] ── GET /debug/slow-outbound (slow-http-request hint, ~2.5s) ──────');
+  await get('/debug/slow-outbound');
+  await wait(200);
+
   console.log('\n[TRAFFIC] ── Done ───────────────────────────────────────────────────────\n');
 }