gitpod-io
diff --git a/‎memory-bank/activeContext.md‎
Lines changed: 3 additions & 0 deletions b/‎memory-bank/activeContext.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎memory-bank/components/scrubber.md‎
Lines changed: 162 additions & 0 deletions b/‎memory-bank/components/scrubber.md‎
Lines changed: 162 additions & 0 deletions
diff --git a/‎memory-bank/components/service-waiter.md‎
Lines changed: 154 additions & 0 deletions b/‎memory-bank/components/service-waiter.md‎
Lines changed: 154 additions & 0 deletions
@@ -40,6 +40,9 @@ Key areas of focus include:
   - usage: Tracks, calculates, and manages workspace usage and billing
   - common-go: Foundational Go library providing shared utilities across services
   - workspacekit: Manages container setup and namespace isolation for workspaces
+  - spicedb: Provides authorization and permission management
+  - scrubber: Removes or masks sensitive information from data
+  - service-waiter: Waits for services to become available
 
 As work progresses, this section will continue to be updated to reflect:
 - Additional component documentation
 
@@ -0,0 +1,162 @@
+# Scrubber Component
+
+## Overview
+
+The Scrubber component in Gitpod is a Go library that provides functionality for removing or masking sensitive information from data. It's designed to protect personally identifiable information (PII) and other sensitive data from being exposed in logs, error messages, and other outputs. The component offers various methods for scrubbing different types of data structures, including strings, key-value pairs, JSON, and Go structs.
+
+## Purpose
+
+The primary purposes of the Scrubber component are:
+- Remove or mask personally identifiable information (PII) from data
+- Protect sensitive information such as passwords, tokens, and secrets
+- Provide consistent data sanitization across the Gitpod platform
+- Support various data formats and structures
+- Enable customizable scrubbing rules
+- Reduce the risk of sensitive data exposure
+- Comply with privacy regulations and best practices
+- Facilitate safe logging and error reporting
+
+## Architecture
+
+The Scrubber component is structured as a Go library with several key parts:
+
+1. **Core Scrubber Interface**: Defines the methods for scrubbing different types of data
+2. **Scrubber Implementation**: Provides the actual scrubbing functionality
+3. **Sanitization Functions**: Implements different sanitization strategies (redaction, hashing)
+4. **Configuration**: Defines what fields and patterns should be scrubbed
+5. **Struct Walking**: Uses reflection to traverse and scrub complex data structures
+
+The component is designed to be used by other Gitpod components that need to sanitize data before logging, storing, or transmitting it.
+
+## Key Features
+
+### Scrubbing Methods
+
+The Scrubber interface provides several methods for scrubbing different types of data:
+
+1. **Value**: Scrubs a single string value using heuristics to detect sensitive data
+2. **KeyValue**: Scrubs a key-value pair, using the key as a hint for how to sanitize the value
+3. **JSON**: Scrubs a JSON structure, handling nested objects and arrays
+4. **Struct**: Scrubs a Go struct in-place, respecting struct tags for customization
+5. **DeepCopyStruct**: Creates a scrubbed deep copy of a Go struct
+
+### Sanitization Strategies
+
+The component implements different sanitization strategies:
+
+1. **Redaction**: Replaces sensitive values with `[redacted]` or `[redacted:keyname]`
+2. **Hashing**: Replaces sensitive values with an MD5 hash (`[redacted:md5:hash:keyname]`)
+3. **URL Path Hashing**: Specially handles URLs by preserving the structure but hashing path segments
+
+### Configuration
+
+The scrubber is configured with several lists and patterns:
+
+1. **RedactedFieldNames**: Field names whose values should be completely redacted
+2. **HashedFieldNames**: Field names whose values should be hashed
+3. **HashedURLPathsFieldNames**: Field names containing URLs whose paths should be hashed
+4. **HashedValues**: Regular expressions that, when matched, cause values to be hashed
+5. **RedactedValues**: Regular expressions that, when matched, cause values to be redacted
+
+### Struct Tag Support
+
+When scrubbing structs, the component respects the `scrub` struct tag:
+
+- `scrub:"ignore"`: Skip scrubbing this field
+- `scrub:"hash"`: Hash this field's value
+- `scrub:"redact"`: Redact this field's value
+
+### Trusted Values
+
+The component supports a `TrustedValue` interface that allows marking specific values to be exempted from scrubbing:
+
+```go
+type TrustedValue interface {
+    IsTrustedValue()
+}
+```
+
+## Usage Patterns
+
+### Basic Value Scrubbing
+```go
+// Scrub a single value
+scrubbedValue := scrubber.Default.Value("[email protected]")
+// Result: "[redacted:md5:hash]" or similar
+```
+
+### Key-Value Scrubbing
+```go
+// Scrub a value with key context
+scrubbedValue := scrubber.Default.KeyValue("password", "secret123")
+// Result: "[redacted]"
+```
+
+### JSON Scrubbing
+```go
+// Scrub a JSON structure
+jsonData := []byte(`{"username": "johndoe", "email": "[email protected]"}`)
+scrubbedJSON, err := scrubber.Default.JSON(jsonData)
+// Result: {"username": "[redacted:md5:hash]", "email": "[redacted]"}
+```
+
+### Struct Scrubbing
+```go
+// Scrub a struct in-place
+type User struct {
+    Username string
+    Email    string `scrub:"redact"`
+    Password string
+}
+user := User{Username: "johndoe", Email: "[email protected]", Password: "secret123"}
+err := scrubber.Default.Struct(&user)
+// Result: user.Username is hashed, user.Email is redacted, user.Password is redacted
+```
+
+### Deep Copy Struct Scrubbing
+```go
+// Create a scrubbed copy of a struct
+type User struct {
+    Username string
+    Email    string `scrub:"redact"`
+    Password string
+}
+user := User{Username: "johndoe", Email: "[email protected]", Password: "secret123"}
+scrubbedUser := scrubber.Default.DeepCopyStruct(user).(User)
+// Original user is unchanged, scrubbedUser has sanitized values
+```
+
+## Integration Points
+
+The Scrubber component integrates with:
+1. **Logging Systems**: To sanitize log messages
+2. **Error Handling**: To sanitize error messages
+3. **API Responses**: To sanitize sensitive data in responses
+4. **Monitoring Systems**: To sanitize metrics and traces
+5. **Other Gitpod Components**: To provide consistent data sanitization
+
+## Dependencies
+
+### Internal Dependencies
+None specified in the component's build configuration.
+
+### External Dependencies
+- `github.com/hashicorp/golang-lru`: For caching sanitization decisions
+- `github.com/mitchellh/reflectwalk`: For traversing complex data structures
+
+## Security Considerations
+
+The component implements several security measures:
+
+1. **Default Deny**: Fields are scrubbed by default if they match sensitive patterns
+2. **Multiple Strategies**: Different sanitization strategies for different types of data
+3. **Caching**: Caches sanitization decisions for performance
+4. **Customization**: Allows customization of scrubbing rules
+5. **Trusted Values**: Supports marking values as trusted to exempt them from scrubbing
+
+## Related Components
+
+- **Common-Go**: Uses the Scrubber for logging
+- **Server**: Uses the Scrubber for API request/response sanitization
+- **Workspace Services**: Use the Scrubber to protect workspace data
+- **Monitoring Components**: Use the Scrubber to sanitize metrics and traces
@@ -0,0 +1,154 @@
+# Service-Waiter Component
+
+## Overview
+
+The Service-Waiter component in Gitpod is a utility service that waits for other services to become available before proceeding. It's designed to be used in initialization and deployment scenarios where services have dependencies on other services being ready. The component can wait for different types of services, including databases, Redis instances, and Kubernetes components, ensuring that a service doesn't start until its dependencies are fully operational.
+
+## Purpose
+
+The primary purposes of the Service-Waiter component are:
+- Ensure services start in the correct order during deployment
+- Prevent services from starting before their dependencies are ready
+- Provide a consistent way to wait for different types of services
+- Handle timeouts and failure scenarios gracefully
+- Support different types of service readiness checks
+- Enable orchestration of complex multi-service deployments
+- Improve reliability of service startup sequences
+- Provide clear logging and error reporting for troubleshooting
+
+## Architecture
+
+The Service-Waiter component is structured as a command-line tool with several subcommands for different types of services:
+
+1. **Database Waiter**: Waits for a MySQL database to become available
+2. **Redis Waiter**: Waits for a Redis instance to become reachable
+3. **Component Waiter**: Waits for a Kubernetes component to be ready with the correct image
+
+The component is designed to be run as a Kubernetes init container or as part of a deployment script, blocking until the target service is ready or a timeout is reached.
+
+## Key Features
+
+### Database Waiting
+
+The database waiter:
+- Connects to a MySQL database using provided credentials
+- Checks if the database is reachable and responsive
+- Optionally verifies that the latest migration has been applied
+- Supports TLS connections with custom CA certificates
+- Retries connections with backoff until success or timeout
+
+### Redis Waiting
+
+The Redis waiter:
+- Connects to a Redis instance at the specified host and port
+- Verifies connectivity by sending a PING command
+- Retries connections until success or timeout
+- Provides detailed logging of connection attempts
+
+### Component Waiting
+
+The component waiter:
+- Checks if Kubernetes pods with specific labels are running
+- Verifies that pods are using the expected container image
+- Ensures that pods are in the Ready state
+- Monitors pod status until all pods are ready or timeout
+- Supports namespace-specific checks
+
+## Configuration
+
+The Service-Waiter component can be configured through command-line flags or environment variables:
+
+### Global Configuration
+- `--timeout`, `-t`: Maximum time to wait (default: 5m or `SERVICE_WAITER_TIMEOUT` env var)
+- `--verbose`, `-v`: Enable verbose logging
+- `--json-log`, `-j`: Produce JSON log output
+
+### Database Waiter Configuration
+- `--host`, `-H`: Database host (from `DB_HOST` env var)
+- `--port`, `-p`: Database port (from `DB_PORT` env var, default: 3306)
+- `--username`, `-u`: Database username (from `DB_USERNAME` env var, default: gitpod)
+- `--password`, `-P`: Database password (from `DB_PASSWORD` env var)
+- `--caCert`: Custom CA certificate (from `DB_CA_CERT` env var)
+- `--migration-check`: Enable checking if the latest migration has been applied
+
+### Redis Waiter Configuration
+- `--host`, `-H`: Redis host (default: redis)
+- `--port`, `-p`: Redis port (default: 6379)
+
+### Component Waiter Configuration
+- `--image`: The latest image of current installer build
+- `--namespace`: The namespace of deployment
+- `--component`: Component name of deployment
+- `--labels`: Labels of deployment
+
+## Usage Patterns
+
+### Waiting for a Database
+```bash
+service-waiter database --host mysql.example.com --port 3306 --username gitpod --password secret
+```
+
+### Waiting for Redis
+```bash
+service-waiter redis --host redis.example.com --port 6379
+```
+
+### Waiting for a Kubernetes Component
+```bash
+service-waiter component --namespace default --component server --labels "app=gitpod,component=server" --image gitpod/server:latest
+```
+
+### Using as an Init Container
+```yaml
+initContainers:
+- name: wait-for-db
+  image: gitpod/service-waiter:latest
+  command: ["service-waiter", "database"]
+  env:
+  - name: DB_HOST
+    value: mysql
+  - name: DB_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: mysql-secrets
+        key: password
+```
+
+## Integration Points
+
+The Service-Waiter component integrates with:
+1. **MySQL Databases**: For database readiness checks
+2. **Redis Instances**: For Redis readiness checks
+3. **Kubernetes API**: For component readiness checks
+4. **Deployment Systems**: As part of deployment scripts or init containers
+5. **Logging Systems**: For reporting readiness status
+
+## Dependencies
+
+### Internal Dependencies
+- `components/common-go`: Common Go utilities
+- `components/gitpod-db`: For database migration information
+
+### External Dependencies
+- MySQL client for database connections
+- Redis client for Redis connections
+- Kubernetes client for component checks
+- Cobra for command-line interface
+- Viper for configuration management
+
+## Security Considerations
+
+The component implements several security measures:
+
+1. **TLS Support**: For secure database connections
+2. **Password Masking**: Passwords are masked in logs
+3. **Minimal Permissions**: Only requires read access to check service status
+4. **Timeout Handling**: Prevents indefinite hanging
+5. **Error Handling**: Proper handling of connection errors
+
+## Related Components
+
+- **Database**: The service-waiter checks database availability
+- **Redis**: The service-waiter checks Redis availability
+- **Kubernetes Components**: The service-waiter checks component readiness
+- **Deployment Systems**: Use service-waiter to orchestrate deployments