0xray 2.1.1 → 2.1.3

package/dist/security/security-hardening-system.js

@@ -1,727 +0,0 @@
-/**
- * Security Hardening System
- *
- * Comprehensive security hardening implementation with OWASP compliance.
- * Implements defense-in-depth security architecture for enterprise applications.
- *
- * @version 1.0.0
- * @since 2026-01-08
- */
-import { EventEmitter } from "events";
-import * as crypto from "crypto";
-import { frameworkLogger } from "../core/framework-logger.js";
-// Security configuration constants
-export const SECURITY_CONFIG = {
-    headers: {
-        "X-Content-Type-Options": "nosniff",
-        "X-Frame-Options": "DENY",
-        "X-XSS-Protection": "1; mode=block",
-        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
-        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
-        "Referrer-Policy": "strict-origin-when-cross-origin",
-        "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
-        "Cross-Origin-Embedder-Policy": "require-corp",
-        "Cross-Origin-Opener-Policy": "same-origin",
-        "Cross-Origin-Resource-Policy": "same-origin",
-    },
-    rateLimiting: {
-        windowMs: 15 * 60 * 1000, // 15 minutes
-        maxRequests: 100, // limit each IP to 100 requests per windowMs
-        skipSuccessfulRequests: false,
-        skipFailedRequests: false,
-    },
-    inputValidation: {
-        maxStringLength: 10000,
-        maxArrayLength: 1000,
-        maxObjectDepth: 10,
-        allowedCharacters: /^[a-zA-Z0-9\s\-_.@]+$/,
-        sqlInjectionPatterns: [
-            /(\b(union|select|insert|delete|update|drop|create|alter|exec|execute)\b)/i,
-            /('|(\\x27)|(\\x2D\\x2D)|(\-\-)|(\#)|(\;)|(\*))/i,
-        ],
-        xssPatterns: [
-            /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
-            /javascript:/gi,
-            /on\w+\s*=/gi,
-            /<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi,
-        ],
-    },
-    encryption: {
-        algorithm: "aes-256-gcm",
-        keyLength: 32,
-        ivLength: 16,
-        saltRounds: 12,
-    },
-    audit: {
-        logLevel: "detailed",
-        retentionDays: 90,
-        sensitiveFields: ["password", "token", "secret", "key", "authorization"],
-    },
-};
-/**
- * Core security hardening system
- */
-export class SecurityHardeningSystem extends EventEmitter {
-    rateLimitStore = new Map();
-    securityEvents = [];
-    encryptionKey = Buffer.alloc(0);
-    auditLogEnabled = true;
-    started = false;
-    pendingEncryptionKey;
-    boundSecurityEvent;
-    boundRateLimitExceeded;
-    boundValidationFailure;
-    constructor(encryptionKey) {
-        super();
-        this.pendingEncryptionKey = encryptionKey;
-    }
-    start() {
-        if (this.started)
-            return;
-        this.started = true;
-        this.encryptionKey = this.pendingEncryptionKey
-            ? crypto.scryptSync(this.pendingEncryptionKey, "salt", SECURITY_CONFIG.encryption.keyLength)
-            : crypto.randomBytes(SECURITY_CONFIG.encryption.keyLength);
-        this.setupEventHandlers();
-    }
-    /**
-     * Setup event handlers for security events
-     */
-    setupEventHandlers() {
-        this.boundSecurityEvent = this.handleSecurityEvent.bind(this);
-        this.boundRateLimitExceeded = this.handleRateLimitExceeded.bind(this);
-        this.boundValidationFailure = this.handleValidationFailure.bind(this);
-        this.on("security-event", this.boundSecurityEvent);
-        this.on("rate-limit-exceeded", this.boundRateLimitExceeded);
-        this.on("validation-failure", this.boundValidationFailure);
-    }
-    destroy() {
-        this.off("security-event", this.boundSecurityEvent);
-        this.off("rate-limit-exceeded", this.boundRateLimitExceeded);
-        this.off("validation-failure", this.boundValidationFailure);
-        this.removeAllListeners();
-    }
-    /**
-     * Create security middleware for HTTP requests
-     */
-    createSecurityMiddleware(options = {}) {
-        const config = {
-            enableRateLimiting: true,
-            enableInputValidation: true,
-            enableSecurityHeaders: true,
-            enableAuditLogging: true,
-            enableCsrfProtection: true,
-            enableHsts: true,
-            ...options,
-        };
-        return async (req, res) => {
-            try {
-                // Rate limiting check
-                if (config.enableRateLimiting) {
-                    const rateLimitResult = this.checkRateLimit(req);
-                    if (!rateLimitResult.allowed) {
-                        this.emitSecurityEvent({
-                            type: "rate_limit_exceeded",
-                            severity: "medium",
-                            message: `Rate limit exceeded for IP: ${rateLimitResult.ip}`,
-                            source: "rate-limiter",
-                            ipAddress: rateLimitResult.ip,
-                            metadata: {
-                                limit: rateLimitResult.limit,
-                                remaining: rateLimitResult.remaining,
-                            },
-                        });
-                        res.writeHead(429, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({
-                            error: "Too Many Requests",
-                            message: "Rate limit exceeded. Please try again later.",
-                            retryAfter: Math.ceil((rateLimitResult.resetTime - Date.now()) / 1000),
-                        }));
-                        return false;
-                    }
-                }
-                // Security headers
-                if (config.enableSecurityHeaders) {
-                    this.applySecurityHeaders(res, config);
-                }
-                // CSRF protection
-                if (config.enableCsrfProtection) {
-                    const csrfValid = this.validateCsrfToken(req);
-                    if (!csrfValid) {
-                        this.emitSecurityEvent({
-                            type: "csrf_attempt",
-                            severity: "high",
-                            message: "CSRF token validation failed",
-                            source: "csrf-protection",
-                            ipAddress: this.getClientIP(req),
-                            userAgent: req.headers["user-agent"],
-                            metadata: { path: req.url },
-                        });
-                        res.writeHead(403, { "Content-Type": "application/json" });
-                        res.end(JSON.stringify({
-                            error: "Forbidden",
-                            message: "CSRF validation failed",
-                        }));
-                        return false;
-                    }
-                }
-                // Audit logging
-                if (config.enableAuditLogging) {
-                    this.logAuditEvent(req, "request-processed");
-                }
-                return true;
-            }
-            catch (error) {
-                frameworkLogger.log("security-hardening", "middleware-error", "error", { error: error instanceof Error ? error.message : String(error) });
-                this.emitSecurityEvent({
-                    type: "suspicious_activity",
-                    severity: "high",
-                    message: `Security middleware error: ${error instanceof Error ? error.message : String(error)}`,
-                    source: "security-middleware",
-                    ipAddress: this.getClientIP(req),
-                    metadata: {
-                        error: error instanceof Error ? error.message : String(error),
-                    },
-                });
-                res.writeHead(500, { "Content-Type": "application/json" });
-                res.end(JSON.stringify({
-                    error: "Internal Server Error",
-                    message: "Security validation failed",
-                }));
-                return false;
-            }
-        };
-    }
-    /**
-     * Check rate limiting for requests
-     */
-    checkRateLimit(req) {
-        const ip = this.getClientIP(req);
-        const now = Date.now();
-        const windowMs = SECURITY_CONFIG.rateLimiting.windowMs;
-        const maxRequests = SECURITY_CONFIG.rateLimiting.maxRequests;
-        let entry = this.rateLimitStore.get(ip);
-        if (!entry || now > entry.resetTime) {
-            entry = {
-                count: 0,
-                resetTime: now + windowMs,
-                lastRequest: now,
-            };
-        }
-        entry.count++;
-        entry.lastRequest = now;
-        this.rateLimitStore.set(ip, entry);
-        // Clean up old entries periodically
-        if (Math.random() < 0.01) {
-            // 1% chance to clean up
-            this.cleanupRateLimitStore();
-        }
-        const allowed = entry.count <= maxRequests;
-        const remaining = Math.max(0, maxRequests - entry.count);
-        return {
-            allowed,
-            ip,
-            limit: maxRequests,
-            remaining,
-            resetTime: entry.resetTime,
-        };
-    }
-    /**
-     * Apply security headers to response
-     */
-    applySecurityHeaders(res, config) {
-        const headers = { ...SECURITY_CONFIG.headers };
-        // Apply custom headers
-        if (config.customHeaders) {
-            Object.assign(headers, config.customHeaders);
-        }
-        // Conditionally remove HSTS
-        if (!config.enableHsts) {
-            const headersRecord = headers;
-            const { "Strict-Transport-Security": _, ...remainingHeaders } = headersRecord;
-            Object.assign(headers, remainingHeaders);
-        }
-        // Set all headers
-        Object.entries(headers).forEach(([key, value]) => {
-            res.setHeader(key, value);
-        });
-        // Add rate limit headers
-        const rateLimitInfo = this.getRateLimitInfo(this.getClientIP({ headers: {}, socket: { remoteAddress: "unknown" } }));
-        if (rateLimitInfo) {
-            res.setHeader("X-RateLimit-Limit", rateLimitInfo.limit.toString());
-            res.setHeader("X-RateLimit-Remaining", rateLimitInfo.remaining.toString());
-            res.setHeader("X-RateLimit-Reset", Math.ceil(rateLimitInfo.resetTime / 1000).toString());
-        }
-    }
-    /**
-     * Validate CSRF token
-     */
-    validateCsrfToken(req) {
-        const token = req.headers["x-csrf-token"];
-        const reqWithSession = req;
-        const sessionToken = reqWithSession.session?.csrfToken;
-        if (!token || !sessionToken) {
-            return false;
-        }
-        return crypto.timingSafeEqual(Buffer.from(token, "hex"), Buffer.from(sessionToken, "hex"));
-    }
-    /**
-     * Validate and sanitize input data
-     */
-    validateInput(input, context = "general") {
-        const result = {
-            isValid: true,
-            errors: [],
-            securityEvents: [],
-        };
-        try {
-            // Type validation
-            if (input === null || input === undefined) {
-                result.isValid = false;
-                result.errors.push("Input cannot be null or undefined");
-                return result;
-            }
-            // String validation
-            if (typeof input === "string") {
-                result.sanitizedValue = this.validateString(input, context, result);
-            }
-            // Object validation
-            else if (typeof input === "object") {
-                result.sanitizedValue = this.validateObject(input, context, result);
-            }
-            // Array validation
-            else if (Array.isArray(input)) {
-                result.sanitizedValue = this.validateArray(input, context, result);
-            }
-            // Security pattern checks
-            this.checkSecurityPatterns(input, context, result);
-        }
-        catch (error) {
-            result.isValid = false;
-            result.errors.push(`Validation error: ${error instanceof Error ? error.message : String(error)}`);
-            frameworkLogger.log("security-hardening-system", "-security-data-decryption-failed-error-instanceof-", "error", {
-                message: `[SECURITY] Data decryption failed: ${error instanceof Error ? error.message : String(error)}`,
-            });
-        }
-        return result;
-    }
-    /**
-     * Validate string input
-     */
-    validateString(input, context, result) {
-        // Length check
-        if (input.length > SECURITY_CONFIG.inputValidation.maxStringLength) {
-            result.isValid = false;
-            result.errors.push(`String length exceeds maximum (${SECURITY_CONFIG.inputValidation.maxStringLength})`);
-            return input.substring(0, SECURITY_CONFIG.inputValidation.maxStringLength);
-        }
-        // Character validation
-        if (!SECURITY_CONFIG.inputValidation.allowedCharacters.test(input)) {
-            result.isValid = false;
-            result.errors.push("String contains invalid characters");
-        }
-        // SQL injection check
-        for (const pattern of SECURITY_CONFIG.inputValidation
-            .sqlInjectionPatterns) {
-            if (pattern.test(input)) {
-                result.isValid = false;
-                result.errors.push("Potential SQL injection detected");
-                this.emitSecurityEvent({
-                    type: "sql_injection_attempt",
-                    severity: "high",
-                    message: "SQL injection pattern detected in input",
-                    source: "input-validator",
-                    metadata: { context, pattern: pattern.source },
-                });
-                break;
-            }
-        }
-        // XSS check
-        for (const pattern of SECURITY_CONFIG.inputValidation.xssPatterns) {
-            if (pattern.test(input)) {
-                result.isValid = false;
-                result.errors.push("Potential XSS attack detected");
-                this.emitSecurityEvent({
-                    type: "xss_attempt",
-                    severity: "high",
-                    message: "XSS pattern detected in input",
-                    source: "input-validator",
-                    metadata: { context, pattern: pattern.source },
-                });
-                break;
-            }
-        }
-        return input;
-    }
-    /**
-     * Validate object input
-     */
-    validateObject(input, context, result) {
-        const sanitized = {};
-        // Depth check
-        const depth = this.getObjectDepth(input);
-        if (depth > SECURITY_CONFIG.inputValidation.maxObjectDepth) {
-            result.isValid = false;
-            result.errors.push(`Object depth exceeds maximum (${SECURITY_CONFIG.inputValidation.maxObjectDepth})`);
-            return sanitized;
-        }
-        // Validate each property
-        for (const [key, value] of Object.entries(input)) {
-            if (typeof key === "string" && key.length > 0) {
-                const keyValidation = this.validateInput(key, `${context}.key`);
-                const valueValidation = this.validateInput(value, `${context}.${key}`);
-                if (!keyValidation.isValid) {
-                    result.isValid = false;
-                    result.errors.push(...keyValidation.errors.map((e) => `Key '${key}': ${e}`));
-                }
-                if (!valueValidation.isValid) {
-                    result.isValid = false;
-                    result.errors.push(...valueValidation.errors.map((e) => `Property '${key}': ${e}`));
-                }
-                result.securityEvents.push(...keyValidation.securityEvents, ...valueValidation.securityEvents);
-                sanitized[key] =
-                    valueValidation.sanitizedValue !== undefined
-                        ? valueValidation.sanitizedValue
-                        : value;
-            }
-        }
-        return sanitized;
-    }
-    /**
-     * Validate array input
-     */
-    validateArray(input, context, result) {
-        const sanitized = [];
-        // Length check
-        if (input.length > SECURITY_CONFIG.inputValidation.maxArrayLength) {
-            result.isValid = false;
-            result.errors.push(`Array length exceeds maximum (${SECURITY_CONFIG.inputValidation.maxArrayLength})`);
-            return sanitized;
-        }
-        // Validate each element
-        for (let i = 0; i < input.length; i++) {
-            const elementValidation = this.validateInput(input[i], `${context}[${i}]`);
-            if (!elementValidation.isValid) {
-                result.isValid = false;
-                result.errors.push(...elementValidation.errors.map((e) => `Element ${i}: ${e}`));
-            }
-            result.securityEvents.push(...elementValidation.securityEvents);
-            sanitized.push(elementValidation.sanitizedValue !== undefined
-                ? elementValidation.sanitizedValue
-                : input[i]);
-        }
-        return sanitized;
-    }
-    /**
-     * Check for security patterns in input
-     */
-    checkSecurityPatterns(input, context, result) {
-        const inputString = JSON.stringify(input);
-        // Additional security checks can be added here
-        // For example: path traversal, command injection, etc.
-    }
-    /**
-     * Encrypt sensitive data using AES-256-GCM
-     * SECURITY: Proper encryption with random IV and authentication tag (H-001 fix)
-     *
-     * @param data - Plaintext data to encrypt
-     * @returns Base64-encoded string containing encrypted data + IV + auth tag
-     */
-    encryptData(data) {
-        try {
-            // Generate random IV (Initialization Vector) for each encryption
-            const iv = crypto.randomBytes(SECURITY_CONFIG.encryption.ivLength);
-            // Create cipher with AES-256-GCM
-            const cipher = crypto.createCipheriv(SECURITY_CONFIG.encryption.algorithm, this.encryptionKey, iv);
-            // Encrypt the data
-            let encrypted = cipher.update(data, "utf8", "binary");
-            encrypted += cipher.final("binary");
-            // Get authentication tag (for integrity verification)
-            const authTag = cipher.getAuthTag();
-            // Combine: IV + encrypted data + auth tag (all in binary)
-            const combined = Buffer.concat([
-                iv,
-                Buffer.from(encrypted, "binary"),
-                authTag,
-            ]);
-            // Return as Base64 string for storage/transmission
-            return combined.toString("base64");
-        }
-        catch (error) {
-            frameworkLogger.log("security-hardening-system", "-security-data-encryption-failed-error-instanceof-", "error", {
-                message: `[SECURITY] Data encryption failed: ${error instanceof Error ? error.message : String(error)}`,
-            });
-            throw new Error(`Encryption failed: ${error instanceof Error ? error.message : String(error)}`);
-        }
-    }
-    /**
-     * Decrypt sensitive data using AES-256-GCM
-     * SECURITY: Proper decryption with IV and auth tag verification (H-001 fix)
-     *
-     * @param encryptedData - Base64-encoded string containing encrypted data + IV + auth tag
-     * @returns Decrypted plaintext data
-     * @throws Error if decryption fails or authentication tag doesn't match
-     */
-    decryptData(encryptedData) {
-        try {
-            const combined = Buffer.from(encryptedData, "base64");
-            const iv = combined.subarray(0, SECURITY_CONFIG.encryption.ivLength);
-            const authTag = combined.subarray(combined.length - 16);
-            const encrypted = combined.subarray(SECURITY_CONFIG.encryption.ivLength, combined.length - 16);
-            const decipher = crypto.createDecipheriv(SECURITY_CONFIG.encryption.algorithm, this.encryptionKey, iv);
-            decipher.setAuthTag(authTag);
-            const decrypted = Buffer.concat([
-                decipher.update(encrypted),
-                decipher.final(),
-            ]).toString("utf8");
-            return decrypted;
-        }
-        catch (error) {
-            frameworkLogger.log("security-hardening-system", "decryption-failed", "warning", {
-                message: `Data decryption failed (likely key mismatch from prior session): ${error instanceof Error ? error.message : String(error)}`,
-            });
-            return null;
-        }
-    }
-    /**
-     * Hash password securely with unique salt
-     * SECURITY: Generates unique random salt for each password (H-003 fix)
-     */
-    async hashPassword(password) {
-        return new Promise((resolve, reject) => {
-            // Generate unique random salt for each password (prevents rainbow table attacks)
-            const salt = crypto.randomBytes(32).toString("hex");
-            crypto.scrypt(password, salt, SECURITY_CONFIG.encryption.keyLength, { N: 16384, r: 8, p: 1 }, (err, derivedKey) => {
-                if (err)
-                    reject(err);
-                else
-                    resolve({ hash: derivedKey.toString("hex"), salt });
-            });
-        });
-    }
-    /**
-     * Verify password hash
-     */
-    async verifyPassword(password, hash, salt) {
-        return new Promise((resolve, reject) => {
-            crypto.scrypt(password, salt, SECURITY_CONFIG.encryption.keyLength, { N: 16384, r: 8, p: 1 }, (err, derivedKey) => {
-                if (err) {
-                    resolve(false);
-                }
-                else {
-                    try {
-                        const isMatch = crypto.timingSafeEqual(Buffer.from(derivedKey.toString("hex"), "hex"), Buffer.from(hash, "hex"));
-                        resolve(isMatch);
-                    }
-                    catch (error) {
-                        resolve(false);
-                    }
-                }
-            });
-        });
-    }
-    /**
-     * Generate secure random token
-     */
-    generateSecureToken(length = 32) {
-        return crypto.randomBytes(length).toString("hex");
-    }
-    /**
-     * Log audit event
-     */
-    logAuditEvent(req, action) {
-        if (!this.auditLogEnabled)
-            return;
-        const auditEvent = {
-            timestamp: new Date().toISOString(),
-            action,
-            ip: this.getClientIP(req),
-            userAgent: req.headers["user-agent"],
-            method: req.method,
-            url: req.url,
-            headers: this.sanitizeHeadersForAudit(req.headers),
-        };
-        frameworkLogger.log("security-hardening-system", "-audit-json-stringify-auditevent-", "info", { message: `[AUDIT] ${JSON.stringify(auditEvent)}` });
-    }
-    /**
-     * Sanitize headers for audit logging
-     */
-    sanitizeHeadersForAudit(headers) {
-        const sanitized = { ...headers };
-        SECURITY_CONFIG.audit.sensitiveFields.forEach((field) => {
-            if (sanitized[field]) {
-                sanitized[field] = "[REDACTED]";
-            }
-        });
-        return sanitized;
-    }
-    /**
-     * Emit security event
-     */
-    emitSecurityEvent(event) {
-        const securityEvent = {
-            id: this.generateSecureToken(16),
-            timestamp: Date.now(),
-            ...event,
-        };
-        this.securityEvents.push(securityEvent);
-        this.emit("security-event", securityEvent);
-        // Log high-severity events
-        if (event.severity === "high" || event.severity === "critical") {
-            frameworkLogger.log("security-hardening", "high-severity-event", "error", {
-                severity: event.severity,
-                message: event.message,
-                type: event.type,
-                source: event.source,
-                ipAddress: event.ipAddress,
-            });
-        }
-    }
-    /**
-     * Handle security events
-     */
-    handleSecurityEvent(event) {
-        // Store event for analysis
-        // In production, this would be sent to SIEM, logged to database, etc.
-        if (event.severity === "critical") {
-            // Immediate action required for critical events
-            frameworkLogger.log("security-hardening", "critical-event", "error", {
-                message: event.message,
-                type: event.type,
-                source: event.source,
-                ipAddress: event.ipAddress,
-            });
-            // Could trigger alerts, notifications, etc.
-        }
-    }
-    /**
-     * Handle rate limit exceeded
-     */
-    handleRateLimitExceeded(event) {
-        frameworkLogger.log("security-hardening", "rate-limit-exceeded", "warning", {
-            ipAddress: event.ipAddress,
-            message: event.message,
-        });
-    }
-    /**
-     * Handle validation failure
-     */
-    handleValidationFailure(event) {
-        frameworkLogger.log("security-hardening", "input-validation-failed", "warning", {
-            message: event.message,
-            type: event.type,
-            source: event.source,
-        });
-    }
-    /**
-     * Get client IP address
-     */
-    getClientIP(req) {
-        const forwarded = req.headers["x-forwarded-for"];
-        const realIP = req.headers["x-real-ip"];
-        const clientIP = req.headers["x-client-ip"];
-        return (forwarded?.split(",")[0]?.trim() ||
-            realIP ||
-            clientIP ||
-            req.socket?.remoteAddress ||
-            "unknown");
-    }
-    /**
-     * Get rate limit info for IP
-     */
-    getRateLimitInfo(ip) {
-        const entry = this.rateLimitStore.get(ip);
-        if (!entry)
-            return null;
-        const maxRequests = SECURITY_CONFIG.rateLimiting.maxRequests;
-        return {
-            limit: maxRequests,
-            remaining: Math.max(0, maxRequests - entry.count),
-            resetTime: entry.resetTime,
-        };
-    }
-    /**
-     * Get object depth
-     */
-    getObjectDepth(obj, currentDepth = 0) {
-        if (typeof obj !== "object" || obj === null) {
-            return currentDepth;
-        }
-        let maxDepth = currentDepth;
-        for (const value of Object.values(obj)) {
-            if (typeof value === "object" && value !== null) {
-                const depth = this.getObjectDepth(value, currentDepth + 1);
-                maxDepth = Math.max(maxDepth, depth);
-            }
-        }
-        return maxDepth;
-    }
-    /**
-     * Cleanup old rate limit entries
-     */
-    cleanupRateLimitStore() {
-        const now = Date.now();
-        const entriesToDelete = [];
-        this.rateLimitStore.forEach((entry, ip) => {
-            if (now > entry.resetTime) {
-                entriesToDelete.push(ip);
-            }
-        });
-        entriesToDelete.forEach((ip) => this.rateLimitStore.delete(ip));
-    }
-    /**
-     * Get security events
-     */
-    getSecurityEvents(limit = 100) {
-        return this.securityEvents.slice(-limit);
-    }
-    /**
-     * Clear security events
-     */
-    clearSecurityEvents() {
-        this.securityEvents = [];
-    }
-    /**
-     * Get security statistics
-     */
-    getSecurityStats() {
-        const eventsByType = {
-            input_validation_failure: 0,
-            rate_limit_exceeded: 0,
-            authentication_failure: 0,
-            authorization_failure: 0,
-            suspicious_activity: 0,
-            sql_injection_attempt: 0,
-            xss_attempt: 0,
-            csrf_attempt: 0,
-            security_header_missing: 0,
-            encryption_failure: 0,
-            audit_log_failure: 0,
-        };
-        const eventsBySeverity = {
-            low: 0,
-            medium: 0,
-            high: 0,
-            critical: 0,
-        };
-        this.securityEvents.forEach((event) => {
-            eventsByType[event.type] = (eventsByType[event.type] || 0) + 1;
-            eventsBySeverity[event.severity] =
-                (eventsBySeverity[event.severity] || 0) + 1;
-        });
-        return {
-            totalEvents: this.securityEvents.length,
-            eventsByType,
-            eventsBySeverity,
-            recentEvents: this.securityEvents.slice(-10),
-        };
-    }
-    /**
-     * Enable/disable audit logging
-     */
-    setAuditLogging(enabled) {
-        this.auditLogEnabled = enabled;
-    }
-}
-// Export singleton instance
-export const securityHardeningSystem = new SecurityHardeningSystem();