@donotdev/security 0.0.1

package/README.md

@@ -0,0 +1,201 @@
+# @donotdev/security
+
+Opt-in SOC2-grade security controls for DoNotDev apps — audit logging, rate limiting, PII encryption, anomaly detection, auth hardening, and GDPR privacy management.
+
+> **Opt-in by design.** Baseline safety (brute-force lockout, session timeout) lives in `@donotdev/core` and is always active. This package adds the compliance and observability layer for teams that need SOC2, GDPR, or enterprise-grade audit trails.
+
+## Installation
+
+```bash
+bun add @donotdev/security
+```
+
+## Import Paths
+
+```typescript
+// Client-safe (HealthMonitor, AuthHardening, SecurityContext type)
+import { HealthMonitor, AuthHardening } from '@donotdev/security';
+
+// Server-only (DndevSecurity, AuditLogger, PiiEncryptor, etc.)
+import { DndevSecurity } from '@donotdev/security/server';
+```
+
+## Quick Start
+
+### Zero-config (all baseline controls active)
+
+```typescript
+// functions/src/security.ts
+import { DndevSecurity } from '@donotdev/security/server';
+
+export const security = new DndevSecurity();
+```
+
+Pass to `CrudService` and base functions:
+
+```typescript
+import { createBaseFunction } from '@donotdev/functions/firebase';
+import { security } from './security';
+
+export const myFunction = createBaseFunction(
+  'my-operation',
+  schema,
+  handler,
+  'user',
+  undefined, // requiredRole config
+  security   // ← opt-in SOC2 audit trail
+);
+```
+
+### Full SOC2 config
+
+```typescript
+export const security = new DndevSecurity({
+  // PII field encryption (AES-256-GCM)
+  piiSecret: process.env.PII_SECRET,
+
+  // Auth hardening overrides (default: 5 attempts → 15min lockout, 8h session)
+  auth: {
+    maxAttempts: 3,
+    lockoutMs: 30 * 60 * 1000,
+  },
+
+  // Data retention (SOC2 P6)
+  retention: [
+    { collection: 'audit_logs', days: 365 },
+    { collection: 'sessions', days: 90 },
+  ],
+
+  // Anomaly detection with custom handler
+  anomaly: {
+    authFailures: 5,
+    onAnomaly: (type, count, userId) =>
+      notifySlack(`[ANOMALY] ${type} x${count} by ${userId}`),
+  },
+
+  // Pluggable rate limit backend (Firestore, Postgres, Redis)
+  // Default: in-memory (fine for single-instance, not for serverless)
+  rateLimitBackend: {
+    check: (key, cfg) => checkRateLimitWithFirestore(key, cfg),
+  },
+});
+```
+
+## Controls
+
+| Control | Default | Config |
+|---|---|---|
+| Structured audit log (stdout JSON) | ✅ on | `logger` |
+| Rate limiting (100 writes / 500 reads per min) | ✅ on | `rateLimit` |
+| In-memory rate limit backend | ✅ default | `rateLimitBackend` to swap |
+| Brute-force lockout (5 attempts → 15min) | ✅ on | `auth` |
+| Session timeout tracking (8h idle) | ✅ on | `auth.sessionTimeoutMs` |
+| Anomaly detection (stderr warn) | ✅ on | `anomaly` + `onAnomaly` |
+| Secret scrubbing on all log output | ✅ on | — |
+| PII field encryption (AES-256-GCM) | ❌ opt-in | `piiSecret` |
+| Data retention / right-to-erasure | ❌ opt-in | `retention` |
+
+## Package Structure
+
+```
+security/src/
+├── client/
+│   └── HealthMonitor.ts     # Circuit breaker + uptime tracking (browser-safe)
+├── common/
+│   ├── AuthHardening.ts     # Re-export stub → canonical impl in @donotdev/core
+│   └── SecurityConfig.ts    # Re-exports SecurityContext types from @donotdev/core
+└── server/
+    ├── DndevSecurity.ts     # Main SOC2 orchestrator (implements SecurityContext)
+    ├── AuditLogger.ts       # Structured JSON audit log (stdout / custom transport)
+    ├── RateLimiter.ts       # In-memory fixed-window rate limiter
+    ├── PiiEncryptor.ts      # AES-256-GCM field-level encryption
+    ├── AuthHardening.ts     # Re-export → common/AuthHardening
+    ├── AnomalyDetector.ts   # Threshold-based behavioral alerts
+    ├── PrivacyManager.ts    # Retention policies + right-to-erasure
+    └── SecretValidator.ts   # Secret scrubbing for log output
+```
+
+> **`AuthHardening` canonical implementation** lives in `@donotdev/core` (always installed).
+> `@donotdev/security` re-exports it for backwards compatibility.
+> Firebase and Supabase providers import directly from `@donotdev/core` — no forced security dep.
+
+## SecurityContext Interface
+
+`DndevSecurity` implements `SecurityContext` from `@donotdev/core`:
+
+```typescript
+interface SecurityContext {
+  audit(event: Omit<AuditEvent, 'timestamp'>): void | Promise<void>;
+  checkRateLimit(key: string, operation: 'read' | 'write'): Promise<void>;
+  encryptPii<T>(data: T, piiFields: string[]): T;
+  decryptPii<T>(data: T, piiFields: string[]): T;
+  authHardening?: AuthHardeningContext;
+}
+```
+
+Any object implementing this interface can be passed as `security` — no hard dep on this package.
+
+## Audit Event Types
+
+Covers SOC2 CC6, CC7, C1, P1–P8:
+
+```typescript
+type AuditEventType =
+  | 'auth.login.success' | 'auth.login.failure' | 'auth.logout'
+  | 'auth.locked' | 'auth.unlocked' | 'auth.session.expired'
+  | 'auth.mfa.enrolled' | 'auth.mfa.challenged'
+  | 'auth.password.reset' | 'auth.role.changed'
+  | 'crud.create' | 'crud.read' | 'crud.update' | 'crud.delete'
+  | 'pii.access' | 'pii.export' | 'pii.erase'
+  | 'rate_limit.exceeded' | 'anomaly.detected' | 'config.changed';
+```
+
+## PII Encryption
+
+Mark fields for encryption in your entity definition, then pass `security` to `CrudService`:
+
+```typescript
+// Entity definition
+const UserEntity = defineEntity('users', {
+  fields: { email: field.email(), ssn: field.string() },
+  security: { piiFields: ['email', 'ssn'] },
+});
+
+// Service setup
+const security = new DndevSecurity({ piiSecret: process.env.PII_SECRET });
+crudService.setSecurity(security);
+// email + ssn are now transparently encrypted at rest
+```
+
+## Pluggable Rate Limit Backend
+
+For serverless/distributed deployments where in-memory state is lost between invocations:
+
+```typescript
+import { checkRateLimitWithFirestore } from '@donotdev/functions/shared';
+
+const security = new DndevSecurity({
+  rateLimitBackend: {
+    check: (key, cfg) => checkRateLimitWithFirestore(key, cfg),
+  },
+});
+```
+
+Implement `RateLimitBackend` from `@donotdev/core` for custom backends (Redis, Postgres, etc.):
+
+```typescript
+import type { RateLimitBackend } from '@donotdev/core';
+
+const redisBackend: RateLimitBackend = {
+  async check(key, { maxAttempts, windowMs, blockDurationMs }) {
+    // your Redis logic
+    return { allowed: true, remaining: 99, resetAt: null, blockRemainingSeconds: null };
+  },
+};
+```
+
+## License
+
+All rights reserved. The DoNotDev framework and its premium features are the exclusive property of **Ambroise Park Consulting**.
+
+© Ambroise Park Consulting – 2025

package/dist/client/HealthMonitor.d.ts

@@ -0,0 +1,85 @@
+/**
+ * @fileoverview HealthMonitor
+ * @description Circuit breaker pattern + health check probes for availability.
+ * Covers SOC2 Availability Principle (A1): health monitoring, graceful degradation.
+ *
+ * Zero deps — uses fetch + AbortSignal for liveness probes.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export type HealthStatus = 'healthy' | 'degraded' | 'unhealthy';
+export interface CircuitBreakerConfig {
+    /**
+     * Failure count threshold before circuit opens (default: 5).
+     */
+    failureThreshold?: number;
+    /**
+     * Cooldown before attempting half-open (ms, default: 10_000).
+     */
+    resetTimeoutMs?: number;
+    /**
+     * Request timeout for health checks (ms, default: 3_000).
+     */
+    probeTimeoutMs?: number;
+}
+export interface HealthMonitorConfig extends CircuitBreakerConfig {
+    /**
+     * URL to probe for liveness (e.g., '/api/health').
+     * If not set, liveness checks always return true.
+     */
+    livenessUrl?: string;
+}
+/**
+ * Availability monitor: circuit breaker + liveness probe (SOC2 A1).
+ *
+ * Wrap downstream calls with `protect()` to prevent cascading failures.
+ * Use `checkLiveness()` in health check endpoints.
+ *
+ * @example
+ * ```typescript
+ * const monitor = new HealthMonitor({ livenessUrl: '/api/health', failureThreshold: 3 });
+ *
+ * // Protect a downstream call:
+ * const safeCall = monitor.protect(async () => fetchUserData(id));
+ * try {
+ *   const data = await safeCall();
+ * } catch {
+ *   // Circuit open — show cached/degraded UI
+ * }
+ *
+ * // Liveness probe in API route:
+ * const alive = await monitor.checkLiveness();
+ * ```
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export declare class HealthMonitor {
+    private readonly breaker;
+    private readonly config;
+    private _status;
+    /**
+     * Guards the half-open state: only one probe executes at a time.
+     * Concurrent calls in half-open state are rejected rather than all executing,
+     * which would re-open the circuit on a mass failure storm.
+     */
+    private _probing;
+    constructor(config?: HealthMonitorConfig);
+    /**
+     * Wrap an async function with circuit-breaker protection.
+     * The returned function throws when the circuit is open.
+     * In half-open state only one probe executes at a time — concurrent calls are rejected.
+     */
+    protect<T>(fn: () => Promise<T>): () => Promise<T>;
+    /** Current circuit health status. */
+    get status(): HealthStatus;
+    /**
+     * HTTP liveness probe — returns true if the endpoint responds 2xx within timeout.
+     * Always returns true if no `livenessUrl` configured.
+     */
+    checkLiveness(): Promise<boolean>;
+}
+//# sourceMappingURL=HealthMonitor.d.ts.map

package/dist/client/HealthMonitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"HealthMonitor.d.ts","sourceRoot":"","sources":["../../src/client/HealthMonitor.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AAEH,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,UAAU,GAAG,WAAW,CAAC;AAEhE,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAwDD,MAAM,WAAW,mBAAoB,SAAQ,oBAAoB;IAC/D;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;IAC7C,OAAO,CAAC,OAAO,CAA2B;IAC1C;;;;OAIG;IACH,OAAO,CAAC,QAAQ,CAAS;gBAEb,MAAM,GAAE,mBAAwB;IAK5C;;;;OAIG;IACH,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GAAG,MAAM,OAAO,CAAC,CAAC,CAAC;IAuClD,qCAAqC;IACrC,IAAI,MAAM,IAAI,YAAY,CAEzB;IAED;;;OAGG;IACG,aAAa,IAAI,OAAO,CAAC,OAAO,CAAC;CAWxC"}

package/dist/client/HealthMonitor.js

@@ -0,0 +1 @@
+class i{state="closed";failures=0;lastOpenedAt=0;failureThreshold;resetTimeoutMs;constructor(e={}){this.failureThreshold=e.failureThreshold??5,this.resetTimeoutMs=e.resetTimeoutMs??1e4}_evaluateState(){return this.state==="open"&&Date.now()-this.lastOpenedAt>this.resetTimeoutMs&&(this.state="half-open"),this.state}get currentState(){return this.state}isOpen(){return this._evaluateState()==="open"}recordSuccess(){this.failures=0,this.state="closed"}recordFailure(){this.failures+=1,this.failures>=this.failureThreshold&&(this.state="open",this.lastOpenedAt=Date.now())}}class a{breaker;config;_status="healthy";_probing=!1;constructor(e={}){this.config=e,this.breaker=new i(e)}protect(e){return async()=>{if(this.breaker.isOpen())throw this._status="unhealthy",new Error("[dndev/security] Circuit breaker open \u2014 downstream service unavailable");const s=this.breaker.currentState==="half-open";if(s){if(this._probing)throw this._status="unhealthy",new Error("[dndev/security] Circuit breaker half-open \u2014 probe in progress, retry shortly");this._probing=!0}try{const t=await e();return this.breaker.recordSuccess(),this._status="healthy",t}catch(t){throw this.breaker.recordFailure(),this._status=this.breaker.isOpen()?"unhealthy":"degraded",t}finally{s&&(this._probing=!1)}}}get status(){return this._status}async checkLiveness(){if(!this.config.livenessUrl)return!0;try{return(await fetch(this.config.livenessUrl,{signal:AbortSignal.timeout(this.config.probeTimeoutMs??3e3)})).ok}catch{return!1}}}export{a as HealthMonitor};

package/dist/client/index.d.ts

@@ -0,0 +1,6 @@
+export { HealthMonitor } from './HealthMonitor';
+export type { HealthMonitorConfig, HealthStatus, CircuitBreakerConfig } from './HealthMonitor';
+export type { SecurityContext, AuditEvent, AuditEventType } from '../common/SecurityConfig';
+export { AuthHardening } from '../common/AuthHardening';
+export type { AuthHardeningConfig, LockoutResult } from '../common/AuthHardening';
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAG/F,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAG5F,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/client/index.js

@@ -0,0 +1 @@
+import{HealthMonitor as t}from"./HealthMonitor";import{AuthHardening as n}from"../common/AuthHardening";export{n as AuthHardening,t as HealthMonitor};

package/dist/common/AuthHardening.d.ts

@@ -0,0 +1,3 @@
+export { AuthHardening } from '@donotdev/core';
+export type { AuthHardeningConfig, LockoutResult } from '@donotdev/core';
+//# sourceMappingURL=AuthHardening.d.ts.map

package/dist/common/AuthHardening.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthHardening.d.ts","sourceRoot":"","sources":["../../src/common/AuthHardening.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/common/AuthHardening.js

@@ -0,0 +1 @@
+import{AuthHardening as n}from"@donotdev/core";export{n as AuthHardening};

package/dist/common/SecurityConfig.d.ts

@@ -0,0 +1,11 @@
+/**
+ * @fileoverview Security Config Types
+ * @description Re-exports SecurityContext types from @donotdev/core.
+ * Keeping the canonical definition in core avoids circular deps.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export type { AuditEventType, AuditEvent, SecurityContext, AuthHardeningContext, ServerRateLimitConfig, ServerRateLimitResult, RateLimitBackend } from '@donotdev/core';
+//# sourceMappingURL=SecurityConfig.d.ts.map

package/dist/common/SecurityConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecurityConfig.d.ts","sourceRoot":"","sources":["../../src/common/SecurityConfig.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,eAAe,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/common/index.d.ts

@@ -0,0 +1,2 @@
+export type { AuditEventType, AuditEvent, SecurityContext } from './SecurityConfig';
+//# sourceMappingURL=index.d.ts.map

package/dist/common/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/common/index.ts"],"names":[],"mappings":"AAEA,YAAY,EAAE,cAAc,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { HealthMonitor } from './client/HealthMonitor';
+export type { HealthMonitorConfig, HealthStatus, CircuitBreakerConfig } from './client/HealthMonitor';
+export type { SecurityContext, AuditEvent, AuditEventType } from './common/SecurityConfig';
+export { AuthHardening } from './common/AuthHardening';
+export type { AuthHardeningConfig, LockoutResult } from './common/AuthHardening';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EAAE,mBAAmB,EAAE,YAAY,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAEtG,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAG3F,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/index.js

@@ -0,0 +1 @@
+import{HealthMonitor as t}from"./client/HealthMonitor";import{AuthHardening as n}from"./common/AuthHardening";export{n as AuthHardening,t as HealthMonitor};

package/dist/server/AnomalyDetector.d.ts

@@ -0,0 +1,68 @@
+/**
+ * @fileoverview AnomalyDetector
+ * @description Threshold-based behavioral anomaly detection with configurable alerting.
+ * Covers SOC2 CC7.2 (anomaly detection), CC7.3 (incident response triggers).
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export type AnomalyType = 'auth.failures' | 'bulk.deletes' | 'bulk.reads' | 'bulk.exports' | 'rate_limit.exceeded';
+export interface AnomalyThresholds {
+    /**
+     * Max auth failures per window before alert.
+     * @default 10
+     */
+    authFailures?: number;
+    /**
+     * Max deletes per window before alert.
+     * @default 50
+     */
+    bulkDeletes?: number;
+    /**
+     * Max reads per window before alert.
+     * @default 1000
+     */
+    bulkReads?: number;
+    /**
+     * Max bulk exports per window before alert.
+     * @default 5
+     */
+    bulkExports?: number;
+    /**
+     * Max rate-limit-exceeded events per window before alert.
+     * Defaults to 10 rather than 1 to prevent flooding alert handlers (Slack, PagerDuty)
+     * during sustained attacks. Every individual breach is still recorded in the audit log.
+     * @default 10
+     */
+    rateLimitExceeded?: number;
+    /**
+     * Window size in milliseconds.
+     * @default 60_000 (1 minute)
+     */
+    windowMs?: number;
+}
+/**
+ * Called when an anomaly is detected.
+ * @param type - anomaly type
+ * @param count - current count in window
+ * @param userId - user who triggered it (undefined for system)
+ */
+export type AnomalyHandler = (type: AnomalyType, count: number, userId?: string) => void;
+export declare class AnomalyDetector {
+    private readonly counters;
+    private readonly thresholds;
+    private readonly onAnomaly;
+    constructor(thresholds?: AnomalyThresholds, onAnomaly?: AnomalyHandler);
+    /**
+     * Record an event and fire `onAnomaly` if threshold is breached.
+     * For `rate_limit.exceeded`, the handler fires once per window threshold
+     * (not on every single breach) to prevent flooding alert sinks during attacks.
+     */
+    record(type: AnomalyType, userId?: string): void;
+    private getThreshold;
+    private _evictExpired;
+    /** Current count for a type + userId in the active window. */
+    getCount(type: AnomalyType, userId?: string): number;
+}
+//# sourceMappingURL=AnomalyDetector.d.ts.map

package/dist/server/AnomalyDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AnomalyDetector.d.ts","sourceRoot":"","sources":["../../src/server/AnomalyDetector.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,MAAM,MAAM,WAAW,GACnB,eAAe,GACf,cAAc,GACd,YAAY,GACZ,cAAc,GACd,qBAAqB,CAAC;AAE1B,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;AA8BzF,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAmC;IAC5D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAA8B;IACzD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAiB;gBAE/B,UAAU,GAAE,iBAAsB,EAAE,SAAS,CAAC,EAAE,cAAc;IA0B1E;;;;OAIG;IACH,MAAM,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;IA4BhD,OAAO,CAAC,YAAY;IAUpB,OAAO,CAAC,aAAa;IAQrB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM;CAOrD"}

package/dist/server/AnomalyDetector.js

@@ -0,0 +1,2 @@
+const c=1e4;class l{counters=new Map;thresholds;onAnomaly;constructor(t={},o){this.thresholds={authFailures:t.authFailures??10,bulkDeletes:t.bulkDeletes??50,bulkReads:t.bulkReads??1e3,bulkExports:t.bulkExports??5,rateLimitExceeded:t.rateLimitExceeded??10,windowMs:t.windowMs??6e4},this.onAnomaly=o??((s,e,n)=>{process.stderr.write(JSON.stringify({level:"warn",service:"dndev-anomaly",type:"anomaly.detected",anomalyType:s,count:e,userId:n,timestamp:new Date().toISOString()})+`
+`)})}record(t,o){const s=`${t}:${o??"__global__"}`,e=Date.now();!this.counters.has(s)&&this.counters.size>=1e4&&this._evictExpired(e);const r=this.counters.get(s)??{count:0,windowStart:e};e-r.windowStart>this.thresholds.windowMs&&(r.count=0,r.windowStart=e),r.count+=1,this.counters.set(s,r);const i=this.getThreshold(t);r.count===i&&this.onAnomaly(t,r.count,o)}getThreshold(t){switch(t){case"auth.failures":return this.thresholds.authFailures;case"bulk.deletes":return this.thresholds.bulkDeletes;case"bulk.reads":return this.thresholds.bulkReads;case"bulk.exports":return this.thresholds.bulkExports;case"rate_limit.exceeded":return this.thresholds.rateLimitExceeded}}_evictExpired(t){for(const[o,s]of this.counters)t-s.windowStart>this.thresholds.windowMs&&this.counters.delete(o)}getCount(t,o){const s=`${t}:${o??"__global__"}`,e=this.counters.get(s);return!e||Date.now()-e.windowStart>this.thresholds.windowMs?0:e.count}}export{l as AnomalyDetector};

package/dist/server/AuditLogger.d.ts

@@ -0,0 +1,40 @@
+import type { AuditEvent } from '../common/SecurityConfig';
+export interface AuditLoggerOptions {
+    /** Log level (default: 'info') */
+    level?: 'debug' | 'info' | 'warn' | 'error';
+    /** Service name tag added to every entry (default: 'dndev') */
+    service?: string;
+    /** Custom writer — defaults to process.stdout (JSON per line) */
+    write?: (entry: Record<string, unknown>) => void;
+}
+/**
+ * Structured JSON audit logger (SOC2 CC7.1).
+ *
+ * Produces one JSON object per line on stdout. Pipe to cloud logging
+ * (Cloud Logging, Datadog, Splunk, etc.) for SIEM ingestion and immutable storage.
+ *
+ * @example
+ * ```typescript
+ * const logger = new AuditLogger({ service: 'my-app' });
+ * logger.log({ type: 'auth.login.success', userId: 'u123' });
+ * // → {"level":"info","service":"my-app","type":"auth.login.success","userId":"u123","timestamp":"..."}
+ * ```
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export declare class AuditLogger {
+    private readonly service;
+    private readonly level;
+    private readonly write;
+    constructor(opts?: AuditLoggerOptions);
+    /**
+     * Log an audit event with automatic timestamp.
+     * Secrets in all event fields are automatically scrubbed before writing.
+     */
+    log(event: Omit<AuditEvent, 'timestamp'> & {
+        timestamp?: string;
+    }): void;
+}
+//# sourceMappingURL=AuditLogger.d.ts.map

package/dist/server/AuditLogger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuditLogger.d.ts","sourceRoot":"","sources":["../../src/server/AuditLogger.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAE3D,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IAC5C,+DAA+D;IAC/D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,IAAI,CAAC;CAClD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2C;IACjE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA2C;gBAErD,IAAI,GAAE,kBAAuB;IAqBzC;;;OAGG;IACH,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI;CAUzE"}

package/dist/server/AuditLogger.js

@@ -0,0 +1,2 @@
+import{scrubSecrets as s}from"./SecretValidator";class c{service;level;write;constructor(t={}){this.service=t.service??"dndev",this.level=t.level??"info",this.write=t.write??(e=>{let i;try{i=JSON.stringify(e)}catch{i=JSON.stringify({level:e.level,service:e.service,type:e.type,timestamp:e.timestamp,_serializeError:"Audit entry contained non-serializable values"})}process.stdout.write(i+`
+`)})}log(t){const e=s(t),i={level:this.level,service:this.service,...e,timestamp:e.timestamp??new Date().toISOString()};this.write(i)}}export{c as AuditLogger};

package/dist/server/AuthHardening.d.ts

@@ -0,0 +1,3 @@
+export { AuthHardening } from '../common/AuthHardening';
+export type { AuthHardeningConfig, LockoutResult } from '../common/AuthHardening';
+//# sourceMappingURL=AuthHardening.d.ts.map

package/dist/server/AuthHardening.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthHardening.d.ts","sourceRoot":"","sources":["../../src/server/AuthHardening.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/server/AuthHardening.js

@@ -0,0 +1 @@
+import{AuthHardening as n}from"../common/AuthHardening";export{n as AuthHardening};

package/dist/server/DndevSecurity.d.ts

@@ -0,0 +1,147 @@
+/**
+ * @fileoverview DndevSecurity
+ * @description Main SOC2 security context. Wires all server-side security controls
+ * into a single object that CrudService and auth adapters consume.
+ *
+ * Zero-config path: all baseline controls active with sensible defaults.
+ * Advanced controls (PII encryption, MFA, retention) require explicit config.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+import { AuditLogger } from './AuditLogger';
+import { DndevRateLimiter } from './RateLimiter';
+import { PiiEncryptor } from './PiiEncryptor';
+import { AuthHardening } from './AuthHardening';
+import { AnomalyDetector } from './AnomalyDetector';
+import { PrivacyManager } from './PrivacyManager';
+import type { AuditLoggerOptions } from './AuditLogger';
+import type { RateLimiterOptions } from './RateLimiter';
+import type { AuthHardeningConfig } from './AuthHardening';
+import type { AnomalyThresholds, AnomalyHandler } from './AnomalyDetector';
+import type { RetentionPolicy } from './PrivacyManager';
+import type { SecurityContext, AuditEvent, AuthHardeningContext, RateLimitBackend } from '../common/SecurityConfig';
+export interface DndevSecurityConfig {
+    /**
+     * Master secret for PII field encryption (AES-256-GCM).
+     * Required if any entity defines `security.piiFields`.
+     * Store in your secret manager — never in code.
+     */
+    piiSecret?: string;
+    /** PII encryption salt override (default: 'dndev-pii-v1') */
+    piiSalt?: string;
+    /** Rate limiter options (default: 100 writes/min, 500 reads/min) */
+    rateLimit?: RateLimiterOptions;
+    /** Auth hardening options (default: 5 attempts → 15min lockout, 8h session) */
+    auth?: AuthHardeningConfig;
+    /** Anomaly detection thresholds + handler */
+    anomaly?: AnomalyThresholds & {
+        onAnomaly?: AnomalyHandler;
+    };
+    /** Data retention policies (required for SOC2 P6) */
+    retention?: RetentionPolicy[];
+    /** Audit logger options (default: JSON to stdout) */
+    logger?: AuditLoggerOptions;
+    /**
+     * Pluggable rate limit backend (default: in-memory).
+     * Provide a Firestore, Postgres, or Redis-backed implementation for
+     * distributed/serverless deployments where in-memory state is lost between invocations.
+     *
+     * @example
+     * ```typescript
+     * import { checkRateLimitWithFirestore } from '@donotdev/functions/shared';
+     * const security = new DndevSecurity({
+     *   rateLimitBackend: { check: (key, cfg) => checkRateLimitWithFirestore(key, cfg) },
+     * });
+     * ```
+     */
+    rateLimitBackend?: RateLimitBackend;
+}
+/**
+ * Main SOC2 security context for DoNotDev applications.
+ *
+ * Implements `SecurityContext` — pass an instance to `CrudService` and auth adapters.
+ * All baseline controls are ON by default at zero config:
+ * - Structured audit logging (stdout JSON)
+ * - Rate limiting (100 writes/min, 500 reads/min per key)
+ * - Brute-force lockout (5 attempts → 15min lockout)
+ * - Session timeout tracking (8h idle)
+ * - Anomaly detection (stderr warn at thresholds)
+ * - Secret scrubbing on all log output
+ *
+ * Advanced controls require explicit config:
+ * - PII encryption → `piiSecret`
+ * - Data retention/erasure → `retention`
+ * - Custom anomaly handler → `anomaly.onAnomaly`
+ *
+ * @example
+ * ```typescript
+ * // Zero-config (baseline SOC2 controls):
+ * export const security = new DndevSecurity();
+ *
+ * // Full SOC2 config:
+ * export const security = new DndevSecurity({
+ *   piiSecret: process.env.PII_SECRET,
+ *   auth: { maxAttempts: 3, lockoutMs: 30 * 60 * 1000 },
+ *   retention: [
+ *     { collection: 'audit_logs', days: 365 },
+ *     { collection: 'sessions', days: 90 },
+ *   ],
+ *   anomaly: {
+ *     authFailures: 5,
+ *     onAnomaly: (type, count, userId) => notifySlack(`${type} x${count} by ${userId}`),
+ *   },
+ * });
+ * ```
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export declare class DndevSecurity implements SecurityContext {
+    /** Structured audit logger (stdout JSON) */
+    readonly auditLogger: AuditLogger;
+    /** Rate limiter (in-memory fixed-window, used when no rateLimitBackend provided) */
+    readonly rateLimiter: DndevRateLimiter;
+    /** PII field encryptor (null if piiSecret not provided) */
+    readonly piiEncryptor: PiiEncryptor | null;
+    /**
+     * Auth hardening (brute-force lockout, session timeout).
+     * Also satisfies `SecurityContext.authHardening` — auth adapters delegate
+     * lockout here to avoid running a second, hardcoded lockout Map in parallel.
+     */
+    readonly authHardening: AuthHardening & AuthHardeningContext;
+    /** Anomaly detector (threshold-based behavioral alerts) */
+    readonly anomalyDetector: AnomalyDetector;
+    /** Privacy manager (retention policies, right-to-erasure) */
+    readonly privacyManager: PrivacyManager;
+    /** Optional pluggable backend (Firestore, Postgres, Redis) — replaces in-memory limiter */
+    private readonly _rateLimitBackend?;
+    /** RateLimitConfig derived from rateLimit options, used when delegating to backend */
+    private readonly _backendWriteConfig;
+    private readonly _backendReadConfig;
+    constructor(config?: DndevSecurityConfig);
+    /**
+     * Emit a structured audit event. Secrets in metadata are automatically scrubbed.
+     */
+    audit(event: Omit<AuditEvent, 'timestamp'>): void;
+    /**
+     * Check rate limit for key + operation.
+     * Delegates to injected `rateLimitBackend` when provided (Firestore, Postgres, Redis),
+     * otherwise falls back to the in-memory limiter.
+     * @throws {Error} 'Rate limit exceeded' when threshold is breached.
+     */
+    checkRateLimit(key: string, operation: 'read' | 'write'): Promise<void>;
+    /** Encrypt PII fields using AES-256-GCM (no-op if piiSecret not configured). */
+    encryptPii<T extends Record<string, unknown>>(data: T, piiFields: string[]): T;
+    /** Decrypt PII fields (no-op if piiSecret not configured). */
+    decryptPii<T extends Record<string, unknown>>(data: T, piiFields: string[]): T;
+    /**
+     * Record a behavioral anomaly event. Called by CrudService after mutations so
+     * the anomaly detector can fire alerts when thresholds are breached.
+     */
+    private static readonly VALID_ANOMALY_TYPES;
+    recordAnomaly(type: string, userId?: string): void;
+}
+//# sourceMappingURL=DndevSecurity.d.ts.map

package/dist/server/DndevSecurity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DndevSecurity.d.ts","sourceRoot":"","sources":["../../src/server/DndevSecurity.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAGlD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACxD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,KAAK,EAAE,iBAAiB,EAAE,cAAc,EAAe,MAAM,mBAAmB,CAAC;AACxF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,oBAAoB,EAAE,gBAAgB,EAAyB,MAAM,0BAA0B,CAAC;AAE3I,MAAM,WAAW,mBAAmB;IAClC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,6DAA6D;IAC7D,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,oEAAoE;IACpE,SAAS,CAAC,EAAE,kBAAkB,CAAC;IAC/B,+EAA+E;IAC/E,IAAI,CAAC,EAAE,mBAAmB,CAAC;IAC3B,6CAA6C;IAC7C,OAAO,CAAC,EAAE,iBAAiB,GAAG;QAAE,SAAS,CAAC,EAAE,cAAc,CAAA;KAAE,CAAC;IAC7D,qDAAqD;IACrD,SAAS,CAAC,EAAE,eAAe,EAAE,CAAC;IAC9B,qDAAqD;IACrD,MAAM,CAAC,EAAE,kBAAkB,CAAC;IAC5B;;;;;;;;;;;;OAYG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,qBAAa,aAAc,YAAW,eAAe;IACnD,4CAA4C;IAC5C,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,oFAAoF;IACpF,QAAQ,CAAC,WAAW,EAAE,gBAAgB,CAAC;IACvC,2DAA2D;IAC3D,QAAQ,CAAC,YAAY,EAAE,YAAY,GAAG,IAAI,CAAC;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,aAAa,EAAE,aAAa,GAAG,oBAAoB,CAAC;IAC7D,2DAA2D;IAC3D,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAC;IAC1C,6DAA6D;IAC7D,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,2FAA2F;IAC3F,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAmB;IACtD,sFAAsF;IACtF,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAwB;IAC5D,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAwB;gBAE/C,MAAM,GAAE,mBAAwB;IAkC5C;;OAEG;IACH,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,IAAI;IAOjD;;;;;OAKG;IACG,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;IAqB7E,gFAAgF;IAChF,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;IAK9E,8DAA8D;IAC9D,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;IAK9E;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAMxC;IAEH,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI;CASnD"}

package/dist/server/DndevSecurity.js

@@ -0,0 +1 @@
+import{AuditLogger as n}from"./AuditLogger";import{DndevRateLimiter as o}from"./RateLimiter";import{PiiEncryptor as d}from"./PiiEncryptor";import{AuthHardening as s}from"./AuthHardening";import{AnomalyDetector as c}from"./AnomalyDetector";import{PrivacyManager as m}from"./PrivacyManager";import{scrubSecrets as l}from"./SecretValidator";class i{auditLogger;rateLimiter;piiEncryptor;authHardening;anomalyDetector;privacyManager;_rateLimitBackend;_backendWriteConfig;_backendReadConfig;constructor(t={}){if(this.auditLogger=new n(t.logger),this.rateLimiter=new o(t.rateLimit),t.piiSecret&&!t.piiSalt)throw new Error("[dndev/security] DndevSecurity: PII encryption requires both piiSecret and piiSalt configuration. Provide a per-deployment unique salt stored in your secret manager.");this.piiEncryptor=t.piiSecret&&t.piiSalt?new d(t.piiSecret,t.piiSalt):null,this.authHardening=new s(t.auth),this.anomalyDetector=new c(t.anomaly,t.anomaly?.onAnomaly),this.privacyManager=new m(t.retention),this._rateLimitBackend=t.rateLimitBackend;const e=(t.rateLimit?.writes?.durationSeconds??60)*1e3,r=(t.rateLimit?.reads?.durationSeconds??60)*1e3;this._backendWriteConfig={maxAttempts:t.rateLimit?.writes?.points??100,windowMs:e,blockDurationMs:e},this._backendReadConfig={maxAttempts:t.rateLimit?.reads?.points??500,windowMs:r,blockDurationMs:r}}audit(t){const e=t.metadata?l(t.metadata):void 0;this.auditLogger.log({...t,metadata:e})}async checkRateLimit(t,e){if(this._rateLimitBackend){const r=e==="write"?this._backendWriteConfig:this._backendReadConfig,a=await this._rateLimitBackend.check(t,r);if(!a.allowed)throw this.anomalyDetector.record("rate_limit.exceeded",t),new Error(`Rate limit exceeded. Try again in ${a.blockRemainingSeconds} seconds.`);return}try{await this.rateLimiter.check(t,e)}catch(r){throw this.anomalyDetector.record("rate_limit.exceeded",t),r}}encryptPii(t,e){return!this.piiEncryptor||e.length===0?t:this.piiEncryptor.encryptFields(t,e)}decryptPii(t,e){return!this.piiEncryptor||e.length===0?t:this.piiEncryptor.decryptFields(t,e)}static VALID_ANOMALY_TYPES=new Set(["auth.failures","bulk.deletes","bulk.reads","bulk.exports","rate_limit.exceeded"]);recordAnomaly(t,e){if(!i.VALID_ANOMALY_TYPES.has(t))throw new Error(`[dndev/security] DndevSecurity: unknown anomaly type "${t}". Valid types: ${[...i.VALID_ANOMALY_TYPES].join(", ")}`);this.anomalyDetector.record(t,e)}}export{i as DndevSecurity};

package/dist/server/PiiEncryptor.d.ts

@@ -0,0 +1,70 @@
+/**
+ * AES-256-GCM PII encryptor with per-field IV (SOC2 C1, CC6.1).
+ *
+ * **IMPORTANT:** Instantiate ONCE at app startup (e.g. inside `DndevSecurity`).
+ * The constructor calls `scryptSync` which is CPU-intensive by design — repeated
+ * construction per-request is a DoS vector.
+ *
+ * Each field gets a fresh random IV — identical plaintext produces different ciphertext.
+ * Output format: `dnpii1:<ivHex>:<authTagHex>:<ciphertextHex>`
+ *
+ * @example
+ * ```typescript
+ * // Salt MUST be a per-deployment secret stored alongside piiSecret in your secret manager.
+ * // NEVER use a hard-coded or framework-level salt.
+ * const enc = new PiiEncryptor(process.env.PII_SECRET!, process.env.PII_SALT!);
+ * const stored = enc.encryptFields({ email: 'alice@example.com', name: 'Alice' }, ['email']);
+ * // stored.email → 'dnpii1:a1b2...:c3d4...:e5f6...' (encrypted)
+ * // stored.name  → 'Alice' (unchanged)
+ *
+ * const plain = enc.decryptFields(stored, ['email']);
+ * // plain.email → 'alice@example.com'
+ * ```
+ *
+ * @version 0.0.2
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export declare class PiiEncryptor {
+    private readonly key;
+    /**
+     * @param secret - Master secret (min 32 chars). Store in secret manager, never in code.
+     * @param salt   - Per-deployment salt. Must be unique per deployment and stored as a secret.
+     *                 Do NOT use a shared or hard-coded value — a universal salt eliminates
+     *                 rainbow-table resistance for the derived key.
+     */
+    constructor(secret: string, salt: string);
+    /**
+     * Encrypt a single string value.
+     * @returns `dnpii1:<iv>:<tag>:<ciphertext>` (all hex, prefixed for unambiguous detection)
+     */
+    encrypt(plaintext: string): string;
+    /**
+     * Decrypt a value produced by `encrypt()`.
+     * Supports the legacy format (no `dnpii1:` prefix) for backward compatibility.
+     * @throws if ciphertext is malformed or authentication tag is invalid.
+     */
+    decrypt(ciphertext: string): string;
+    /**
+     * Encrypt specified fields in a data object (returns new object, input unchanged).
+     * Non-string field values and missing fields are silently skipped.
+     */
+    encryptFields<T extends Record<string, unknown>>(data: T, piiFields: string[]): T;
+    /**
+     * Detect whether a string was produced by `encrypt()`.
+     * Checks for the `dnpii1:` version prefix — unambiguous, no false positives.
+     * Also accepts the legacy format (24-char IV hex + 32-char tag hex) for backward compat.
+     */
+    private isEncrypted;
+    /** Zero the derived key buffer. Call when the encryptor is no longer needed. */
+    dispose(): void;
+    /** TC39 explicit resource management support. */
+    [Symbol.dispose](): void;
+    /**
+     * Decrypt specified fields in a data object (returns new object, input unchanged).
+     * Fields that do not pass the encrypted-format check are left as-is.
+     * Auth tag failures (wrong key / tampered data) are re-thrown — they must not be silenced.
+     */
+    decryptFields<T extends Record<string, unknown>>(data: T, piiFields: string[]): T;
+}
+//# sourceMappingURL=PiiEncryptor.d.ts.map

package/dist/server/PiiEncryptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PiiEncryptor.d.ts","sourceRoot":"","sources":["../../src/server/PiiEncryptor.ts"],"names":[],"mappings":"AAmCA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAS;IAE7B;;;;;OAKG;gBACS,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;IAexC;;;OAGG;IACH,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAWlC;;;;OAIG;IACH,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM;IA8BnC;;;OAGG;IACH,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;IAYjF;;;;OAIG;IACH,OAAO,CAAC,WAAW;IAgBnB,gFAAgF;IAChF,OAAO,IAAI,IAAI;IAIf,iDAAiD;IACjD,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI;IAIxB;;;;OAIG;IACH,aAAa,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC;CAYlF"}

package/dist/server/PiiEncryptor.js

@@ -0,0 +1 @@
+import{createCipheriv as y,createDecipheriv as u,randomBytes as g,scryptSync as E}from"node:crypto";const d="aes-256-gcm",v=32,i=12,a=16,o="dnpii1:";class w{key;constructor(t,r){if(!t||t.length<32)throw new Error("[dndev/security] PiiEncryptor: secret must be at least 32 characters");if(!r||r.length<8)throw new Error("[dndev/security] PiiEncryptor: salt is required and must be at least 8 characters. Use a per-deployment secret stored in your secret manager \u2014 never a hard-coded value.");this.key=E(t,r,v,{N:65536,r:8,p:1})}encrypt(t){const r=g(i),e=y(d,this.key,r),s=Buffer.concat([e.update(t,"utf8"),e.final()]),n=e.getAuthTag();return`${o}${r.toString("hex")}:${n.toString("hex")}:${s.toString("hex")}`}decrypt(t){const e=(t.startsWith(o)?t.slice(o.length):t).split(":");if(e.length!==3)throw new Error("[dndev/security] PiiEncryptor: invalid ciphertext format");const[s,n,l]=e,c=Buffer.from(s,"hex"),h=Buffer.from(n,"hex"),p=Buffer.from(l,"hex");if(c.length!==i)throw new Error(`[dndev/security] PiiEncryptor: invalid IV length ${c.length}, expected ${i}`);if(h.length!==a)throw new Error(`[dndev/security] PiiEncryptor: invalid auth tag length ${h.length}, expected ${a}`);const f=u(d,this.key,c);return f.setAuthTag(h),f.update(p).toString("utf8")+f.final("utf8")}encryptFields(t,r){if(r.length===0)return t;const e={...t};for(const s of r){const n=e[s];typeof n=="string"&&(e[s]=this.encrypt(n))}return e}isEncrypted(t){if(t.startsWith(o))return!0;const r=t.split(":");if(r.length!==3)return!1;const[e,s]=r,n=/^[0-9a-f]+$/i;return e.length===i*2&&s.length===a*2&&n.test(e)&&n.test(s)}dispose(){this.key.fill(0)}[Symbol.dispose](){this.dispose()}decryptFields(t,r){if(r.length===0)return t;const e={...t};for(const s of r){const n=e[s];typeof n=="string"&&this.isEncrypted(n)&&(e[s]=this.decrypt(n))}return e}}export{w as PiiEncryptor};

package/dist/server/PrivacyManager.d.ts

@@ -0,0 +1,89 @@
+/**
+ * @fileoverview PrivacyManager
+ * @description Right-to-erasure workflows and data retention policies.
+ * Covers SOC2 Privacy Principle (P1-P8) and GDPR Article 17.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export interface RetentionPolicy {
+    /** Collection/table name */
+    collection: string;
+    /**
+     * Days to retain data. 0 = no automatic purge.
+     * After `days` days, `shouldPurge()` returns true.
+     */
+    days: number;
+    /**
+     * Field to read for the document's creation timestamp (ISO 8601 string).
+     * @default 'createdAt'
+     */
+    dateField?: string;
+}
+export interface ErasureRequest {
+    /** User whose data should be erased */
+    userId: string;
+    /** Collections to erase data from */
+    collections: string[];
+    /**
+     * Callback that performs the actual deletion for one collection.
+     * Called once per collection in `collections`.
+     */
+    deleteUserData: (collection: string, userId: string) => Promise<void>;
+}
+export interface ErasureResult {
+    /** Collections successfully erased */
+    erased: string[];
+    /** Collections that failed with error messages */
+    errors: Array<{
+        collection: string;
+        message: string;
+    }>;
+}
+/**
+ * Privacy Manager — right-to-erasure (GDPR Art. 17) and retention policies (SOC2 P6).
+ *
+ * @example
+ * ```typescript
+ * const privacy = new PrivacyManager([
+ *   { collection: 'audit_logs', days: 365 },
+ *   { collection: 'sessions', days: 90 },
+ * ]);
+ *
+ * // Erase all user data across collections:
+ * await privacy.eraseUser({
+ *   userId: 'u123',
+ *   collections: ['users', 'orders', 'sessions'],
+ *   deleteUserData: async (col, uid) => db.from(col).delete().eq('user_id', uid),
+ * });
+ *
+ * // Check if a document should be purged:
+ * privacy.shouldPurge('audit_logs', doc.createdAt); // true if > 365 days old
+ * ```
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export declare class PrivacyManager {
+    private readonly policies;
+    constructor(policies?: RetentionPolicy[]);
+    /**
+     * Execute right-to-erasure for a user across multiple collections.
+     * Calls `deleteUserData` for each collection; collects partial errors without aborting.
+     * @throws {Error} if `collections` is empty — a silent no-op would be a GDPR violation.
+     */
+    eraseUser(request: ErasureRequest): Promise<ErasureResult>;
+    /**
+     * Check if a document should be purged based on its age and the configured retention policy.
+     * Returns `false` if no policy is configured for the collection.
+     *
+     * @param collection - Collection name
+     * @param dateIso - ISO 8601 creation timestamp of the document
+     */
+    shouldPurge(collection: string, dateIso: string): boolean;
+    /** Return all configured retention policies (used by `dn soc2` checker). */
+    getPolicies(): RetentionPolicy[];
+}
+//# sourceMappingURL=PrivacyManager.d.ts.map

package/dist/server/PrivacyManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"PrivacyManager.d.ts","sourceRoot":"","sources":["../../src/server/PrivacyManager.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AAEH,MAAM,WAAW,eAAe;IAC9B,4BAA4B;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,uCAAuC;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB;;;OAGG;IACH,cAAc,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACvE;AAED,MAAM,WAAW,aAAa;IAC5B,sCAAsC;IACtC,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,kDAAkD;IAClD,MAAM,EAAE,KAAK,CAAC;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACxD;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAoB;gBAEjC,QAAQ,GAAE,eAAe,EAAO;IAI5C;;;;OAIG;IACG,SAAS,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC;IA2BhE;;;;;;OAMG;IACH,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO;IAwBzD,4EAA4E;IAC5E,WAAW,IAAI,eAAe,EAAE;CAGjC"}

package/dist/server/PrivacyManager.js

@@ -0,0 +1 @@
+class a{policies;constructor(e=[]){this.policies=e}async eraseUser(e){if(e.collections.length===0)throw new Error("[dndev/security] eraseUser: collections array is empty. Provide at least one collection to erase user data from. A no-op erasure silently violates GDPR Art. 17.");const r=[],s=[];for(const o of e.collections)try{await e.deleteUserData(o,e.userId),r.push(o)}catch(t){s.push({collection:o,message:t instanceof Error?t.message:String(t)})}return{erased:r,errors:s}}shouldPurge(e,r){const s=this.policies.find(n=>n.collection===e);if(!s||s.days===0)return!1;if(!r)throw new Error(`[dndev/security] shouldPurge: missing dateIso for collection "${e}". Expected ISO 8601 string. Cannot determine if document should be purged.`);const o=new Date(r).getTime();if(isNaN(o))throw new Error(`[dndev/security] shouldPurge: invalid dateIso "${r}" for collection "${e}". Expected ISO 8601 string. Cannot determine if document should be purged.`);const t=Date.now()-o,i=s.days*24*60*60*1e3;return t>i}getPolicies(){return this.policies}}export{a as PrivacyManager};

package/dist/server/RateLimiter.d.ts

@@ -0,0 +1,80 @@
+/**
+ * @fileoverview RateLimiter
+ * @description In-memory fixed-window rate limiter. Zero deps.
+ * Covers SOC2 CC6.6 / OWASP API4: unrestricted resource consumption.
+ *
+ * Note: This is a fixed-window (not sliding-window) implementation. A burst of
+ * `points` requests at the end of window N and `points` at the start of N+1 can
+ * briefly double the effective rate. Use a Redis-backed backend with a true
+ * sliding-window for strict rate control in production.
+ *
+ * For distributed (multi-replica) deployments, implement RateLimiterBackend
+ * and provide a Redis-backed implementation.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export interface RateLimitWindow {
+    /** Max requests in window (default: 100 for writes, 500 for reads) */
+    points: number;
+    /** Window duration in seconds (default: 60) */
+    durationSeconds: number;
+}
+/**
+ * Backend interface for rate limiting — implement with Redis in production.
+ *
+ * @version 0.0.2
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export interface RateLimiterBackend {
+    increment(key: string, windowMs: number): Promise<number>;
+    reset(key: string): Promise<void>;
+}
+/**
+ * In-memory rate limiter (single instance / single replica).
+ * Performs lazy eviction of expired entries when the store exceeds
+ * {@link EVICTION_THRESHOLD} keys to prevent unbounded memory growth.
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export declare class MemoryRateLimiterBackend implements RateLimiterBackend {
+    private readonly store;
+    increment(key: string, windowMs: number): Promise<number>;
+    reset(key: string): Promise<void>;
+    private _evictExpired;
+}
+export interface RateLimiterOptions {
+    writes?: Partial<RateLimitWindow>;
+    reads?: Partial<RateLimitWindow>;
+    /** Custom backend (default: MemoryRateLimiterBackend) */
+    backend?: RateLimiterBackend;
+}
+/**
+ * Rate limiter with separate write/read limits (SOC2 CC6.6).
+ *
+ * @example
+ * ```typescript
+ * const limiter = new DndevRateLimiter({ writes: { points: 50 } });
+ * await limiter.check('user:abc', 'write'); // throws if > 50 writes/min
+ * ```
+ *
+ * @version 0.0.1
+ * @since 0.0.1
+ * @author AMBROISE PARK Consulting
+ */
+export declare class DndevRateLimiter {
+    private readonly backend;
+    private readonly writes;
+    private readonly reads;
+    constructor(opts?: RateLimiterOptions);
+    /**
+     * Consume one point for key + operation.
+     * @throws {Error} with message 'Rate limit exceeded' when threshold breached.
+     */
+    check(key: string, operation: 'read' | 'write'): Promise<void>;
+}
+//# sourceMappingURL=RateLimiter.d.ts.map

package/dist/server/RateLimiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"RateLimiter.d.ts","sourceRoot":"","sources":["../../src/server/RateLimiter.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,WAAW,eAAe;IAC9B,sEAAsE;IACtE,MAAM,EAAE,MAAM,CAAC;IACf,+CAA+C;IAC/C,eAAe,EAAE,MAAM,CAAC;CACzB;AASD;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1D,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnC;AAKD;;;;;;;;GAQG;AACH,qBAAa,wBAAyB,YAAW,kBAAkB;IACjE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IAElD,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBzD,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIvC,OAAO,CAAC,aAAa;CAStB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IAClC,KAAK,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACjC,yDAAyD;IACzD,OAAO,CAAC,EAAE,kBAAkB,CAAC;CAC9B;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAqB;IAC7C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAkB;IACzC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkB;gBAE5B,IAAI,GAAE,kBAAuB;IAYzC;;;OAGG;IACG,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;CAWrE"}

package/dist/server/RateLimiter.js

@@ -0,0 +1 @@
+const c=1e4;class o{store=new Map;async increment(t,s){const e=Date.now(),n=this.store.get(t);return!n||e-n.windowStart>s?(!n&&this.store.size>=1e4&&this._evictExpired(e),this.store.set(t,{count:1,windowStart:e,windowMs:s}),1):(n.count+=1,n.count)}async reset(t){this.store.delete(t)}_evictExpired(t){for(const[s,e]of this.store)t-e.windowStart>e.windowMs&&this.store.delete(s)}}class d{backend;writes;reads;constructor(t={}){this.backend=t.backend??new o,this.writes={points:t.writes?.points??100,durationSeconds:t.writes?.durationSeconds??60},this.reads={points:t.reads?.points??500,durationSeconds:t.reads?.durationSeconds??60}}async check(t,s){const e=s==="write"?this.writes:this.reads,n=e.durationSeconds*1e3,i=await this.backend.increment(`${s}:${t}`,n);if(i>e.points)throw new Error(`Rate limit exceeded: ${i}/${e.points} ${s} requests in ${e.durationSeconds}s`)}}export{d as DndevRateLimiter,o as MemoryRateLimiterBackend};

package/dist/server/SecretValidator.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Recursively scrub secret values from a log payload.
+ * Replaces matching string values with `[REDACTED]`.
+ * Safe to use as a Pino serializer or before any `console.log` call.
+ *
+ * @example
+ * ```typescript
+ * const payload = { user: 'alice', password: 'hunter2', meta: { apiKey: 'sk_live_abc' } };
+ * console.log(JSON.stringify(scrubSecrets(payload)));
+ * // → {"user":"alice","password":"[REDACTED]","meta":{"apiKey":"[REDACTED]"}}
+ * ```
+ */
+export declare function scrubSecrets(value: unknown): unknown;
+/**
+ * Assert that an object does NOT contain any detectable secrets.
+ * Throws before the value would reach a log sink.
+ *
+ * @example
+ * ```typescript
+ * assertNoSecrets(responsePayload, 'API response');
+ * ```
+ *
+ * @throws {Error} if secrets are detected or if the value is non-serializable
+ */
+export declare function assertNoSecrets(obj: unknown, context: string): void;
+//# sourceMappingURL=SecretValidator.d.ts.map

package/dist/server/SecretValidator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SecretValidator.d.ts","sourceRoot":"","sources":["../../src/server/SecretValidator.ts"],"names":[],"mappings":"AAqCA;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAsBpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI,CAmBnE"}

package/dist/server/SecretValidator.js

@@ -0,0 +1 @@
+const n=[/password\s*[:=]\s*\S+/gi,/secret\s*[:=]\s*\S+/gi,/api[_-]?key\s*[:=]\s*\S+/gi,/token\s*[:=]\s*\S+/gi,/bearer\s+[A-Za-z0-9\-._~+/]+=*/gi,/-----BEGIN .+?-----/g,/sk_live_[A-Za-z0-9]+/g,/sk_test_[A-Za-z0-9]+/g,/ghp_[A-Za-z0-9]{36,}/g,/gho_[A-Za-z0-9]{36,}/g,/AKIA[A-Z0-9]{16}/g,/xox[bpsa]-[A-Za-z0-9\-]+/g,/glpat-[A-Za-z0-9\-_]{20,}/g],a=/password|passwd|secret|token|apikey|api_key|credential|private_key|access_key|\bauth\b/i;function i(e){if(typeof e=="string"){let t=e;for(const r of n)t=t.replace(r,"[REDACTED]");return t}if(Array.isArray(e))return e.map(i);if(e!==null&&typeof e=="object"){const t={};for(const[r,s]of Object.entries(e))t[r]=a.test(r)?"[REDACTED]":i(s);return t}return e}function o(e,t){let r,s;try{s=JSON.stringify(e),r=JSON.stringify(i(e))}catch{throw new Error(`[dndev/security] assertNoSecrets: cannot serialize value in "${t}". Non-serializable values cannot be verified for secrets. Audit the object manually.`)}if(r!==s)throw new Error(`[dndev/security] Secret detected in ${t}. Aborting to prevent credential leak.`)}export{o as assertNoSecrets,i as scrubSecrets};

package/dist/server/index.d.ts

@@ -0,0 +1,16 @@
+export { AuditLogger } from './AuditLogger';
+export type { AuditLoggerOptions } from './AuditLogger';
+export { DndevRateLimiter, MemoryRateLimiterBackend } from './RateLimiter';
+export type { RateLimiterBackend, RateLimiterOptions, RateLimitWindow } from './RateLimiter';
+export { PiiEncryptor } from './PiiEncryptor';
+export { AuthHardening } from './AuthHardening';
+export type { AuthHardeningConfig, LockoutResult } from './AuthHardening';
+export { AnomalyDetector } from './AnomalyDetector';
+export type { AnomalyThresholds, AnomalyHandler, AnomalyType } from './AnomalyDetector';
+export { PrivacyManager } from './PrivacyManager';
+export type { RetentionPolicy, ErasureRequest, ErasureResult } from './PrivacyManager';
+export { scrubSecrets, assertNoSecrets } from './SecretValidator';
+export { DndevSecurity } from './DndevSecurity';
+export type { DndevSecurityConfig } from './DndevSecurity';
+export type { SecurityContext, AuditEvent, AuditEventType } from '../common/SecurityConfig';
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,YAAY,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAExD,OAAO,EAAE,gBAAgB,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAC3E,YAAY,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAE7F,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAE1E,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAExF,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEvF,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAElE,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,YAAY,EAAE,mBAAmB,EAAE,MAAM,iBAAiB,CAAC;AAG3D,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/server/index.js

@@ -0,0 +1 @@
+import{AuditLogger as o}from"./AuditLogger";import{DndevRateLimiter as m,MemoryRateLimiterBackend as i}from"./RateLimiter";import{PiiEncryptor as p}from"./PiiEncryptor";import{AuthHardening as f}from"./AuthHardening";import{AnomalyDetector as x}from"./AnomalyDetector";import{PrivacyManager as s}from"./PrivacyManager";import{scrubSecrets as g,assertNoSecrets as u}from"./SecretValidator";import{DndevSecurity as A}from"./DndevSecurity";export{x as AnomalyDetector,o as AuditLogger,f as AuthHardening,m as DndevRateLimiter,A as DndevSecurity,i as MemoryRateLimiterBackend,p as PiiEncryptor,s as PrivacyManager,u as assertNoSecrets,g as scrubSecrets};

package/package.json

@@ -0,0 +1,58 @@
+{
+  "name": "@donotdev/security",
+  "version": "0.0.1",
+  "private": false,
+  "type": "module",
+  "license": "SEE LICENSE IN LICENSE.md",
+  "description": "SOC2-grade security controls for DoNotDev — audit logging, rate limiting, PII encryption, auth hardening, anomaly detection, privacy management",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./server": {
+      "types": "./dist/server/index.d.ts",
+      "import": "./dist/server/index.js",
+      "default": "./dist/server/index.js"
+    }
+  },
+  "scripts": {
+    "dev": "tsc --noEmit --watch --listFiles false --listEmittedFiles false",
+    "clean": "rimraf dist tsconfig.tsbuildinfo",
+    "type-check": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest"
+  },
+  "dependencies": {},
+  "peerDependencies": {
+    "@donotdev/core": "^0.0.24"
+  },
+  "files": [
+    "dist",
+    "package.json",
+    "README.md",
+    "LICENSE.md"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/donotdev/dndev.git"
+  },
+  "keywords": [
+    "donotdev",
+    "dndev",
+    "security",
+    "soc2",
+    "audit",
+    "rate-limit",
+    "encryption",
+    "privacy",
+    "typescript"
+  ],
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org",
+    "access": "public"
+  }
+}