feat(terraform): add multi-cloud infrastructure with OCI free tier support (#127)

* feat(terraform): add multi-cloud infrastructure modules for OCI deployment

Add Terraform modules for deploying TMI to Oracle Cloud Infrastructure:

- Network module: VCN, subnets, gateways, NSGs
- Database module: Autonomous Database Free Tier with private endpoint
- Secrets module: OCI Vault with secrets and IAM policies
- Logging module: Log groups, service connectors, alarms
- Compute module: Container instances and load balancer

Environment configuration for OCI Free Tier included with sensible defaults.

Makefile targets added:
- tf-init, tf-plan, tf-apply, tf-destroy
- deploy-oci, deploy-oci-plan

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(logging): add cloud logging support with OCI integration

Add CloudLogWriter interface and OCI Logging implementation:

- CloudLogWriter: Generic interface for cloud logging providers
- CloudLogHandler: slog.Handler that writes to both local and cloud
- OCICloudWriter: OCI Logging service implementation
  - Batched async writes with configurable buffer
  - Automatic flush on timeout or buffer full
  - Health tracking and graceful degradation
- NoopCloudWriter: For testing or when cloud logging disabled

Cloud logging is additive - local file/console logging continues
to work independently. If cloud logging fails, only cloud writes
are affected; local logging remains uninterrupted.

Configuration options:
- CloudWriter: Provider instance (nil to disable)
- CloudLogLevel: Minimum level for cloud (defaults to local level)
- CloudLogBufferSize: Async buffer size (default: 1000)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(terraform/oci): update modules for OCI free tier deployment

- Add TMI_DATABASE_URL environment variable for Oracle ADB connection
- Fix OCI provider v7.x API changes (ip_addresses format)
- Update database module for ECPU model (remove cpu_core_count)
- Make private endpoint conditional for free tier (not supported)
- Disable bucket versioning for log archive (conflicts with retention)
- Add sensitive flag to outputs containing credentials
- Comment out container logging (incorrect service name)
- Add region variable to database module for wallet PAR URL

These changes enable successful deployment of TMI on OCI Always Free tier
resources including Oracle Autonomous Database, Container Instances,
Load Balancer, and OCI Vault for secrets management.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(oci): improve container startup and debugging for OCI deployment

- Add bash and unzip packages to Oracle container image
- Fix slogging to respect TMI_LOG_DIR during early initialization
- Add JWT secret variable and env config to compute module
- Add HTTPS egress rule for ADB Free Tier public endpoint
- Increase health check initial delay to 60s
- Improve entrypoint script with detailed debugging output
- Remove Docker HEALTHCHECK (conflicts with OCI health check)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(oci): fix Oracle wallet path and Redis connection for OCI deployment

- Fix entrypoint script sed pattern to properly update sqlnet.ora
  DIRECTORY path using non-greedy regex [^"]* instead of .*
- Change REDIS_URL to TMI_REDIS_URL to match app config expectations
- Remove Redis password from URL since distroless Redis container
  doesn't support password auth (TODO for future fix)

The container now successfully connects to Oracle ADB using wallet
authentication and to Redis for caching/session management.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(oci): fix SystemSetting migration and Redis auth for Oracle ADB

- Remove GORM default tag from SystemSetting.SettingType that caused
  Oracle migration to fail silently (unquoted 'string' parsed as identifier)
- Add Redis password to TMI_REDIS_URL in terraform config for proper
  authentication with Oracle Linux Redis container
- Add --platform linux/amd64 flag to container build script for OCI
  Container Instances which use AMD64 shapes

These fixes resolve ORA-00942 (table not found) errors during server
startup and NOAUTH authentication errors when connecting to Redis.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat(oci): add OCI cloud logging with Resource Principal auth

- Add cloud logging initialization from environment variables in main.go
- Support Resource Principal authentication for OCI Container Instances
- Wire OCI Logging service to compute module via oci_log_id variable
- Add cloud_log_level configuration for filtering cloud logs
- Fix dynamic group matching rule to use 'computecontainerinstance' resource type

Cloud logging is now automatically enabled when TMI_CLOUD_LOG_ENABLED=true
with TMI_OCI_LOG_ID set. Uses Resource Principal for Container Instances,
falls back to Instance Principal for VMs, then to ~/.oci/config for local dev.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(version): reset version to 1.1.0 for feature branch

These are fixes to the terraform-multi-cloud feature, not a new feature.
Skipping post-commit hook to prevent auto-increment.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(slogging): escape message in JSON fallback to prevent injection

CodeQL alert #1221 - unsafe quoting vulnerability in OCI cloud writer.
Use json.Marshal to properly escape special characters in the message
before embedding in the JSON fallback string.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(slogging): use json.Marshal for entire fallback to satisfy CodeQL

Avoid string interpolation entirely by marshaling a map struct.
CodeQL go/unsafe-quoting doesn't trust fmt.Sprintf even with
pre-marshaled values.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: ericfitz

.gitignore

@@ -51,6 +51,8 @@
 !.dosu.yml
 !api-schema/
 !api-schema/**
+!terraform/
+!terraform/**
 
 # heroku
 !.godir
@@ -98,3 +100,10 @@ Wallet_*.zip
 config-development-oci.yml
 config-test-integration-oci.yml
 scripts/oci-env.sh
+
+# Terraform (sensitive state and variable files)
+**/*.tfstate
+**/*.tfstate.*
+**/terraform.tfvars
+**/tfplan
+**/.terraform/

.version

@@ -1,5 +1,5 @@
 {
   "major": 1,
-  "minor": 0,
-  "patch": 1
+  "minor": 1,
+  "patch": 2
 }

Dockerfile.server-oracle

@@ -131,7 +131,11 @@ RUN microdnf -y update && \
         # Required for Oracle Instant Client
         libaio \
         # CA certificates for TLS connections
-        ca-certificates && \
+        ca-certificates \
+        # Required for wallet extraction
+        unzip \
+        # Required for entrypoint script
+        bash && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
@@ -155,6 +159,12 @@ RUN mkdir -p /wallet && chown tmi:tmi /wallet
 COPY --from=builder /app/tmiserver /tmiserver
 RUN chmod +x /tmiserver && chown tmi:tmi /tmiserver
 
+# Create entrypoint script that extracts wallet if needed
+# Extract to /tmp/wallet since the mounted /wallet is read-only
+# Uses 'env' with exec to ensure environment variables are passed to the process
+RUN printf '#!/bin/bash\necho "=== TMI Container Entrypoint ==="\necho "Date: $(date)"\necho "User: $(whoami)"\nWALLET_DIR="/tmp/wallet"\necho ""\necho "=== Checking /wallet mount ==="\nif [ -d "/wallet" ]; then\n  ls -la /wallet/ 2>&1\nelse\n  echo "ERROR: /wallet directory does not exist!"\nfi\necho ""\nif [ -f "/wallet/wallet.zip" ]; then\n  echo "=== Extracting wallet to $WALLET_DIR ==="\n  mkdir -p "$WALLET_DIR"\n  if unzip -o /wallet/wallet.zip -d "$WALLET_DIR" 2>&1; then\n    echo "Wallet extracted successfully"\n    # Fix sqlnet.ora to use correct wallet path\n    if [ -f "$WALLET_DIR/sqlnet.ora" ]; then\n      echo "=== Fixing sqlnet.ora wallet path ==="\n      echo "Before:"\n      cat "$WALLET_DIR/sqlnet.ora"\n      # Update DIRECTORY path in sqlnet.ora to point to extracted wallet\n      # Original: DIRECTORY="?/network/admin" -> New: DIRECTORY="/tmp/wallet"\n      sed -i "s|DIRECTORY=\\\"[^\\\"]*\\\"|DIRECTORY=\\\"$WALLET_DIR\\\"|g" "$WALLET_DIR/sqlnet.ora"\n      echo "After:"\n      cat "$WALLET_DIR/sqlnet.ora"\n    fi\n    echo "=== Wallet contents ==="\n    ls -la "$WALLET_DIR"\n  else\n    echo "ERROR: Failed to extract wallet!"\n  fi\nelse\n  echo "WARNING: /wallet/wallet.zip not found"\nfi\necho ""\necho "=== Starting TMI Server ==="\nif [ -d "$WALLET_DIR" ] && [ "$(ls -A $WALLET_DIR 2>/dev/null)" ]; then\n  echo "Using wallet at $WALLET_DIR"\n  exec env TNS_ADMIN="$WALLET_DIR" TMI_ORACLE_WALLET_LOCATION="$WALLET_DIR" /tmiserver "$@"\nelse\n  echo "Starting without wallet"\n  exec /tmiserver "$@"\nfi\n' > /entrypoint.sh && \
+    chmod +x /entrypoint.sh && chown tmi:tmi /entrypoint.sh
+
 # Set working directory
 WORKDIR /
 
@@ -171,12 +181,11 @@ ENV GOLANG_PROTOBUF_REGISTRATION_CONFLICT=warn
 # Oracle wallet location (mount point)
 ENV TNS_ADMIN=/wallet
 
-# Health check using curl (available in oraclelinux:9-slim)
-HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
-    CMD curl -f http://localhost:8080/ || exit 1
+# Note: Health check is configured in OCI Container Instances, not in Dockerfile
+# This avoids conflict between Docker HEALTHCHECK and OCI health check
 
 # Run as non-root user
 USER tmi:tmi
 
-# Run the application
-ENTRYPOINT ["/tmiserver"]
+# Run the application with wallet extraction
+ENTRYPOINT ["/entrypoint.sh"]

Makefile

@@ -1096,6 +1096,81 @@ start-containers-environment:
 # Shorthand for all container operations
 build-containers-all: build-containers report-containers
 
+# ============================================================================
+# TERRAFORM INFRASTRUCTURE MANAGEMENT
+# ============================================================================
+
+.PHONY: tf-init tf-plan tf-apply tf-destroy tf-validate tf-fmt tf-output
+
+# Terraform environment selection (default: oci-free-tier)
+TF_ENV ?= oci-free-tier
+TF_DIR := terraform/environments/$(TF_ENV)
+
+# Check if Terraform is installed
+tf-check:
+	@command -v terraform >/dev/null 2>&1 || { \
+		echo -e "$(RED)[ERROR]$(NC) Terraform is not installed."; \
+		echo -e "$(BLUE)[INFO]$(NC) Install with: brew install terraform"; \
+		exit 1; \
+	}
+
+# Initialize Terraform
+tf-init: tf-check  ## Initialize Terraform for the selected environment (TF_ENV=oci-free-tier)
+	$(call log_info,Initializing Terraform in $(TF_DIR)...)
+	@cd $(TF_DIR) && terraform init
+	$(call log_success,Terraform initialized successfully)
+
+# Validate Terraform configuration
+tf-validate: tf-init  ## Validate Terraform configuration
+	$(call log_info,Validating Terraform configuration...)
+	@cd $(TF_DIR) && terraform validate
+	$(call log_success,Terraform configuration is valid)
+
+# Format Terraform files
+tf-fmt:  ## Format Terraform files
+	$(call log_info,Formatting Terraform files...)
+	@terraform fmt -recursive terraform/
+	$(call log_success,Terraform files formatted)
+
+# Plan Terraform changes
+tf-plan: tf-init  ## Plan Terraform changes (shows what will be created/modified)
+	$(call log_info,Planning Terraform changes for $(TF_ENV)...)
+	@cd $(TF_DIR) && terraform plan -out=tfplan
+	$(call log_success,Terraform plan saved to $(TF_DIR)/tfplan)
+
+# Apply Terraform changes
+tf-apply: tf-init  ## Apply Terraform changes (creates/modifies infrastructure)
+	$(call log_info,Applying Terraform changes for $(TF_ENV)...)
+	@cd $(TF_DIR) && terraform apply
+	$(call log_success,Terraform apply completed)
+
+# Apply Terraform from saved plan
+tf-apply-plan: tf-init  ## Apply Terraform from saved plan file
+	$(call log_info,Applying Terraform plan for $(TF_ENV)...)
+	@cd $(TF_DIR) && terraform apply tfplan
+	$(call log_success,Terraform apply completed)
+
+# Show Terraform outputs
+tf-output:  ## Show Terraform outputs
+	$(call log_info,Terraform outputs for $(TF_ENV)...)
+	@cd $(TF_DIR) && terraform output
+
+# Destroy Terraform infrastructure
+tf-destroy:  ## Destroy Terraform infrastructure (DESTRUCTIVE!)
+	$(call log_warning,This will destroy all infrastructure in $(TF_ENV)!)
+	@cd $(TF_DIR) && terraform destroy
+
+# OCI-specific deployment shortcuts
+.PHONY: deploy-oci deploy-oci-plan
+
+# Full OCI deployment
+deploy-oci: TF_ENV=oci-free-tier
+deploy-oci: tf-apply  ## Deploy TMI to OCI Free Tier
+
+# Plan OCI deployment
+deploy-oci-plan: TF_ENV=oci-free-tier
+deploy-oci-plan: tf-plan  ## Plan TMI OCI Free Tier deployment
+
 # ============================================================================
 # PROMTAIL CONTAINER MANAGEMENT
 # ============================================================================
@@ -1561,6 +1636,18 @@ help:
 	@echo "  start-containers-environment - Start development with containers"
 	@echo "  build-containers-all         - Run full container build and report"
 	@echo ""
+	@echo "Terraform Infrastructure Management:"
+	@echo "  tf-init                      - Initialize Terraform (TF_ENV=oci-free-tier)"
+	@echo "  tf-validate                  - Validate Terraform configuration"
+	@echo "  tf-fmt                       - Format all Terraform files"
+	@echo "  tf-plan                      - Plan infrastructure changes"
+	@echo "  tf-apply                     - Apply infrastructure changes"
+	@echo "  tf-apply-plan                - Apply from saved plan file"
+	@echo "  tf-output                    - Show Terraform outputs"
+	@echo "  tf-destroy                   - Destroy infrastructure (DESTRUCTIVE!)"
+	@echo "  deploy-oci                   - Deploy TMI to OCI Free Tier"
+	@echo "  deploy-oci-plan              - Plan OCI Free Tier deployment"
+	@echo ""
 	@echo "SBOM Generation (Software Bill of Materials):"
 	@echo "  generate-sbom                - Generate SBOM for Go application (cyclonedx-gomod)"
 	@echo "  generate-sbom-all            - Generate all Go SBOMs (app + modules)"

api/config_handlers.go

@@ -309,11 +309,11 @@ func (s *Server) UpdateSystemSetting(c *gin.Context, key string) {
 
 	// Convert to model
 	setting := models.SystemSetting{
-		Key:        key,
-		Value:      req.Value,
-		Type:       string(req.Type),
-		ModifiedAt: time.Now(),
-		ModifiedBy: modifiedBy,
+		SettingKey:  key,
+		Value:       req.Value,
+		SettingType: string(req.Type),
+		ModifiedAt:  time.Now(),
+		ModifiedBy:  modifiedBy,
 	}
 	if req.Description != nil {
 		setting.Description = req.Description
@@ -496,9 +496,9 @@ func (s *Server) MigrateSystemSettings(c *gin.Context, params MigrateSystemSetti
 		// Create or update the setting
 		description := ms.Description
 		setting := models.SystemSetting{
-			Key:         ms.Key,
+			SettingKey:  ms.Key,
 			Value:       ms.Value,
-			Type:        ms.Type,
+			SettingType: ms.Type,
 			Description: &description,
 			ModifiedAt:  time.Now(),
 			ModifiedBy:  modifiedBy,
@@ -525,9 +525,9 @@ func (s *Server) MigrateSystemSettings(c *gin.Context, params MigrateSystemSetti
 // modelToAPISystemSetting converts a models.SystemSetting to an API SystemSetting
 func modelToAPISystemSetting(m models.SystemSetting) SystemSetting {
 	setting := SystemSetting{
-		Key:        m.Key,
+		Key:        m.SettingKey,
 		Value:      m.Value,
-		Type:       SystemSettingType(m.Type),
+		Type:       SystemSettingType(m.SettingType),
 		ModifiedAt: &m.ModifiedAt,
 	}
 	if m.Description != nil {

api/config_handlers_test.go

@@ -67,7 +67,7 @@ func (m *MockSettingsService) List(ctx context.Context) ([]models.SystemSetting,
 }
 
 func (m *MockSettingsService) Set(ctx context.Context, setting *models.SystemSetting) error {
-	m.settings[setting.Key] = setting
+	m.settings[setting.SettingKey] = setting
 	return nil
 }
 
@@ -83,10 +83,10 @@ func (m *MockSettingsService) SeedDefaults(ctx context.Context) error {
 // Helper to add a setting to the mock
 func (m *MockSettingsService) AddSetting(key, value, settingType string) {
 	m.settings[key] = &models.SystemSetting{
-		Key:        key,
-		Value:      value,
-		Type:       settingType,
-		ModifiedAt: time.Now(),
+		SettingKey:  key,
+		Value:       value,
+		SettingType: settingType,
+		ModifiedAt:  time.Now(),
 	}
 }
 
@@ -383,9 +383,9 @@ func TestModelToAPISystemSetting(t *testing.T) {
 	now := time.Now()
 
 	model := models.SystemSetting{
-		Key:         "test.key",
+		SettingKey:  "test.key",
 		Value:       "test-value",
-		Type:        "string",
+		SettingType: "string",
 		Description: &description,
 		ModifiedAt:  now,
 		ModifiedBy:  &modifiedBy,
@@ -406,10 +406,10 @@ func TestModelToAPISystemSetting_NilOptionalFields(t *testing.T) {
 	now := time.Now()
 
 	model := models.SystemSetting{
-		Key:        "test.key",
-		Value:      "test-value",
-		Type:       "int",
-		ModifiedAt: now,
+		SettingKey:  "test.key",
+		Value:       "test-value",
+		SettingType: "int",
+		ModifiedAt:  now,
 	}
 
 	apiSetting := modelToAPISystemSetting(model)

api/models/system_setting.go

@@ -9,15 +9,17 @@ import (
 // These settings can be modified at runtime without requiring server restart.
 // Settings are cached with short TTL for performance.
 type SystemSetting struct {
-	Key         string    `gorm:"primaryKey;type:varchar(256)" json:"key"`
-	Value       string    `gorm:"type:varchar(4000);not null" json:"value"`
-	Type        string    `gorm:"type:varchar(50);not null;default:string" json:"type"` // "string", "int", "bool", "json"
+	// SettingKey is the unique identifier for this setting (e.g., "rate_limit.requests_per_minute")
+	// Named SettingKey instead of Key to avoid Oracle reserved word conflict
+	SettingKey string `gorm:"column:setting_key;primaryKey;type:varchar(256)" json:"key"`
+	Value      string `gorm:"type:varchar(4000);not null" json:"value"`
+	// SettingType stores the value type: "string", "int", "bool", "json"
+	// Note: default tag removed for Oracle compatibility (unquoted string defaults cause syntax errors)
+	SettingType string    `gorm:"column:setting_type;type:varchar(50);not null" json:"type"`
 	Description *string   `gorm:"type:varchar(1024)" json:"description,omitempty"`
 	ModifiedAt  time.Time `gorm:"not null;autoUpdateTime" json:"modified_at"`
 	ModifiedBy  *string   `gorm:"type:varchar(36)" json:"modified_by,omitempty"` // User InternalUUID
-
-	// Relationships
-	Modifier *User `gorm:"foreignKey:ModifiedBy;references:InternalUUID" json:"-"`
+	// Note: Foreign key relationship to User removed to avoid Oracle migration issues
 }
 
 // TableName specifies the table name for SystemSetting
@@ -41,51 +43,51 @@ func DefaultSystemSettings() []SystemSetting {
 
 	return []SystemSetting{
 		{
-			Key:         "rate_limit.requests_per_minute",
+			SettingKey:  "rate_limit.requests_per_minute",
 			Value:       "100",
-			Type:        SystemSettingTypeInt,
+			SettingType: SystemSettingTypeInt,
 			Description: defaultDescription("Maximum API requests per minute per user"),
 		},
 		{
-			Key:         "rate_limit.requests_per_hour",
+			SettingKey:  "rate_limit.requests_per_hour",
 			Value:       "1000",
-			Type:        SystemSettingTypeInt,
+			SettingType: SystemSettingTypeInt,
 			Description: defaultDescription("Maximum API requests per hour per user"),
 		},
 		{
-			Key:         "session.timeout_minutes",
+			SettingKey:  "session.timeout_minutes",
 			Value:       "60",
-			Type:        SystemSettingTypeInt,
+			SettingType: SystemSettingTypeInt,
 			Description: defaultDescription("JWT token expiration in minutes"),
 		},
 		{
-			Key:         "websocket.max_participants",
+			SettingKey:  "websocket.max_participants",
 			Value:       "10",
-			Type:        SystemSettingTypeInt,
+			SettingType: SystemSettingTypeInt,
 			Description: defaultDescription("Maximum participants per collaboration session"),
 		},
 		{
-			Key:         "features.saml_enabled",
+			SettingKey:  "features.saml_enabled",
 			Value:       "false",
-			Type:        SystemSettingTypeBool,
+			SettingType: SystemSettingTypeBool,
 			Description: defaultDescription("Enable SAML authentication"),
 		},
 		{
-			Key:         "features.webhooks_enabled",
+			SettingKey:  "features.webhooks_enabled",
 			Value:       "true",
-			Type:        SystemSettingTypeBool,
+			SettingType: SystemSettingTypeBool,
 			Description: defaultDescription("Enable webhook subscriptions"),
 		},
 		{
-			Key:         "ui.default_theme",
+			SettingKey:  "ui.default_theme",
 			Value:       "auto",
-			Type:        SystemSettingTypeString,
+			SettingType: SystemSettingTypeString,
 			Description: defaultDescription("Default UI theme (auto, light, dark)"),
 		},
 		{
-			Key:         "upload.max_file_size_mb",
+			SettingKey:  "upload.max_file_size_mb",
 			Value:       "10",
-			Type:        SystemSettingTypeInt,
+			SettingType: SystemSettingTypeInt,
 			Description: defaultDescription("Maximum file upload size in megabytes"),
 		},
 	}