@goldensheepai/toknxr-cli 0.2.0 → 0.3.0

package/lib/audit-logger.js

@@ -0,0 +1,500 @@
+/**
+ * Enterprise Audit Logging System for TokNxr
+ * Compliant audit trails for security monitoring and compliance
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as crypto from 'node:crypto';
+import chalk from 'chalk';
+// Audit event types for compliance monitoring
+export var AuditEventType;
+(function (AuditEventType) {
+    // Authentication & Authorization
+    AuditEventType["AUTH_LOGIN"] = "auth.login";
+    AuditEventType["AUTH_LOGOUT"] = "auth.logout";
+    AuditEventType["AUTH_FAILED"] = "auth.failed";
+    AuditEventType["AUTH_PASSWORD_CHANGE"] = "auth.password_change";
+    AuditEventType["AUTH_LOCKOUT"] = "auth.lockout";
+    AuditEventType["AUTH_SSO_ACCESS"] = "auth.sso_access";
+    // Data Access & Modification
+    AuditEventType["DATA_ACCESS"] = "data.access";
+    AuditEventType["DATA_MODIFY"] = "data.modify";
+    AuditEventType["DATA_DELETE"] = "data.delete";
+    AuditEventType["DATA_EXPORT"] = "data.export";
+    // AI Interaction Monitoring
+    AuditEventType["AI_REQUEST"] = "ai.request";
+    AuditEventType["AI_RESPONSE"] = "ai.response";
+    AuditEventType["AI_QUALITY_ANALYSIS"] = "ai.quality_analysis";
+    AuditEventType["AI_SECURITY_ALERT"] = "ai.security_alert";
+    AuditEventType["AI_PERFORMANCE_METRIC"] = "ai.performance_metric";
+    // System & Configuration Changes
+    AuditEventType["CONFIG_CHANGE"] = "config.change";
+    AuditEventType["POLICY_UPDATE"] = "policy.update";
+    AuditEventType["USER_MANAGEMENT"] = "user.management";
+    // Security Events
+    AuditEventType["SECURITY_VIOLATION"] = "security.violation";
+    AuditEventType["SECURITY_ANOMALY"] = "security.anomaly";
+    AuditEventType["INTEGRITY_CHECK"] = "security.integrity_check";
+    // Compliance Events
+    AuditEventType["COMPLIANCE_REPORT"] = "compliance.report";
+    AuditEventType["COMPLIANCE_VIOLATION"] = "compliance.violation";
+    AuditEventType["AUDIT_LOG_ACCESS"] = "audit.log_access";
+    // Error & System Events
+    AuditEventType["ERROR_OCCURRED"] = "error.occurred";
+    AuditEventType["SYSTEM_MAINTENANCE"] = "system.maintenance";
+    AuditEventType["PERFORMANCE_DEGRADATION"] = "performance.degradation";
+})(AuditEventType || (AuditEventType = {}));
+/**
+ * Enterprise Audit Logger with compliance and security features
+ */
+export class EnterpriseAuditLogger {
+    constructor(config = {}) {
+        this.eventBuffer = [];
+        this.bufferSize = 10; // Flush every 10 events
+        this.config = {
+            enabled: true,
+            logLevel: 'info',
+            retentionDays: 365, // 1 year retention
+            maxFileSize: 100, // 100MB per file
+            encryptionEnabled: false,
+            remoteSync: false,
+            complianceFrameworks: ['GDPR', 'SOX', 'HIPAA'],
+            alertThresholds: {
+                dailyEventLimit: 10000,
+                riskLevelThreshold: 'high'
+            },
+            ...config
+        };
+        this.logFilePath = path.resolve(process.cwd(), 'audit.log');
+        if (this.config.encryptionEnabled) {
+            this.initializeEncryption();
+        }
+        // Initialize log file if it doesn't exist
+        this.initializeLogFile();
+        // Don't start maintenance immediately - only when audit logging is actively used
+        // this.scheduleMaintenance();
+    }
+    /**
+     * Log an audit event
+     */
+    log(event) {
+        if (!this.config.enabled)
+            return;
+        // Start maintenance when audit logging is actively used
+        this.scheduleMaintenance();
+        const auditEvent = {
+            id: this.generateEventId(),
+            timestamp: new Date().toISOString(),
+            ...event
+        };
+        // Check risk level for alerting
+        if (this.shouldAlert(auditEvent)) {
+            this.emitAlert(auditEvent);
+        }
+        // Add to buffer
+        this.eventBuffer.push(auditEvent);
+        // Flush if buffer is full or contains high-risk events
+        if (this.eventBuffer.length >= this.bufferSize ||
+            auditEvent.riskLevel === 'critical' ||
+            auditEvent.riskLevel === 'high') {
+            this.flushBuffer();
+        }
+    }
+    /**
+     * Quick logging methods for common events
+     */
+    logAuthEvent(type, userId, success, details = {}) {
+        this.log({
+            eventType: type,
+            userId,
+            action: type.split('.')[1],
+            resource: 'authentication',
+            result: success ? 'success' : 'failure',
+            riskLevel: success ? 'low' : 'medium',
+            complianceTags: ['authentication', 'access_control'],
+            details: {
+                method: 'toknxr_cli',
+                ...details
+            },
+            metadata: {
+                version: '1.0.0',
+                environment: process.env.NODE_ENV || 'development',
+                component: 'cli'
+            }
+        });
+    }
+    logAIEvent(type, userId, model, tokens, cost, quality) {
+        this.log({
+            eventType: type,
+            userId,
+            action: type.split('.')[1],
+            resource: 'ai_interaction',
+            resourceId: model,
+            result: 'success',
+            riskLevel: cost > 1.0 ? 'medium' : 'low', // Higher cost = higher risk
+            complianceTags: ['ai_usage', 'cost_tracking'],
+            details: {
+                model,
+                tokens,
+                cost_usd: cost,
+                quality_score: quality
+            },
+            metadata: {
+                version: '1.0.0',
+                environment: process.env.NODE_ENV || 'development',
+                component: 'ai_proxy'
+            }
+        });
+    }
+    logSecurityEvent(type, severity, details) {
+        this.log({
+            eventType: type,
+            action: 'security_monitoring',
+            resource: 'system_security',
+            result: 'warning',
+            riskLevel: severity,
+            complianceTags: ['security', 'monitoring'],
+            details,
+            metadata: {
+                version: '1.0.0',
+                environment: process.env.NODE_ENV || 'development',
+                component: 'security_monitor'
+            }
+        });
+    }
+    /**
+     * Query audit events with filtering
+     */
+    query(options = {}) {
+        const events = this.loadAuditEvents();
+        return events.filter(event => {
+            if (options.eventType && event.eventType !== options.eventType)
+                return false;
+            if (options.userId && event.userId !== options.userId)
+                return false;
+            if (options.riskLevel && event.riskLevel !== options.riskLevel)
+                return false;
+            if (options.dateFrom && event.timestamp < options.dateFrom)
+                return false;
+            if (options.dateTo && event.timestamp > options.dateTo)
+                return false;
+            return true;
+        }).slice(0, options.limit || 1000);
+    }
+    /**
+     * Generate compliance report for specified period
+     */
+    generateComplianceReport(startDate, endDate) {
+        const events = this.query({
+            dateFrom: startDate,
+            dateTo: endDate
+        });
+        const eventsByType = {};
+        const eventsByRiskLevel = {};
+        const complianceViolations = [];
+        events.forEach(event => {
+            // Count by type
+            eventsByType[event.eventType] = (eventsByType[event.eventType] || 0) + 1;
+            // Count by risk level
+            eventsByRiskLevel[event.riskLevel] = (eventsByRiskLevel[event.riskLevel] || 0) + 1;
+            // Check for compliance violations
+            if (this.isComplianceViolation(event)) {
+                complianceViolations.push(event);
+            }
+        });
+        const recommendations = this.generateRecommendations(events, complianceViolations);
+        return {
+            period: { start: startDate, end: endDate },
+            totalEvents: events.length,
+            eventsByType,
+            eventsByRiskLevel,
+            complianceViolations,
+            riskSummary: {
+                critical: eventsByRiskLevel.critical || 0,
+                high: eventsByRiskLevel.high || 0,
+                medium: eventsByRiskLevel.medium || 0,
+                low: eventsByRiskLevel.low || 0
+            },
+            recommendations
+        };
+    }
+    /**
+     * Export audit logs in various formats
+     */
+    exportAuditData(format, options = {}) {
+        const events = this.query(options);
+        switch (format) {
+            case 'json':
+                return JSON.stringify(events, null, 2);
+            case 'csv':
+                return this.eventsToCSV(events);
+            case 'xml':
+                return this.eventsToXML(events);
+            default:
+                throw new Error(`Unsupported export format: ${format}`);
+        }
+    }
+    /**
+     * Private methods
+     */
+    generateEventId() {
+        return crypto.randomUUID();
+    }
+    shouldAlert(event) {
+        return event.riskLevel === this.config.alertThresholds.riskLevelThreshold ||
+            event.riskLevel === 'critical';
+    }
+    emitAlert(event) {
+        console.warn(chalk.red.bold('🚨 AUDIT ALERT:'), chalk.yellow(event.eventType));
+        console.warn(chalk.gray(`Risk Level: ${event.riskLevel.toUpperCase()}`));
+        console.warn(chalk.gray(`Action: ${event.action}`));
+        console.warn(chalk.gray(`Resource: ${event.resource}`));
+        console.warn(chalk.gray(`Time: ${event.timestamp}`));
+        // In a real enterprise system, this would send alerts to:
+        // - SIEM systems
+        // - Email notifications
+        // - Incident response teams
+        // - Compliance dashboards
+    }
+    flushBuffer() {
+        if (this.eventBuffer.length === 0)
+            return;
+        try {
+            const eventsToWrite = [...this.eventBuffer];
+            this.eventBuffer = [];
+            const logEntries = eventsToWrite.map(event => {
+                const entry = JSON.stringify(event);
+                if (this.config.encryptionEnabled && this.encryptionKey) {
+                    return this.encrypt(entry);
+                }
+                return entry;
+            }).join('\n') + '\n';
+            // Check file size before writing
+            this.checkFileSize();
+            fs.appendFileSync(this.logFilePath, logEntries);
+        }
+        catch (error) {
+            console.error('Failed to write audit logs:', error);
+            // Re-add failed events back to buffer
+            this.eventBuffer.unshift(...this.eventBuffer);
+        }
+    }
+    loadAuditEvents() {
+        try {
+            if (!fs.existsSync(this.logFilePath))
+                return [];
+            const content = fs.readFileSync(this.logFilePath, 'utf8');
+            const lines = content.trim().split('\n');
+            return lines.map(line => {
+                try {
+                    let parsed;
+                    if (this.config.encryptionEnabled && this.encryptionKey) {
+                        parsed = this.decrypt(line);
+                    }
+                    else {
+                        parsed = line;
+                    }
+                    return JSON.parse(parsed);
+                }
+                catch {
+                    // Skip invalid lines but don't break the entire log
+                    return null;
+                }
+            }).filter((event) => event !== null);
+        }
+        catch (error) {
+            console.error('Failed to load audit events:', error);
+            return [];
+        }
+    }
+    initializeLogFile() {
+        if (!fs.existsSync(this.logFilePath)) {
+            fs.writeFileSync(this.logFilePath, '');
+        }
+    }
+    checkFileSize() {
+        try {
+            const stats = fs.statSync(this.logFilePath);
+            const fileSizeMB = stats.size / (1024 * 1024);
+            if (fileSizeMB > this.config.maxFileSize) {
+                this.rotateLogFile();
+            }
+        }
+        catch {
+            // File might not exist, that's fine
+        }
+    }
+    rotateLogFile() {
+        const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+        const rotatedPath = `${this.logFilePath}.${timestamp}.rotated`;
+        try {
+            fs.renameSync(this.logFilePath, rotatedPath);
+            this.initializeLogFile();
+            // Log rotation event
+            this.log({
+                eventType: AuditEventType.SYSTEM_MAINTENANCE,
+                action: 'log_rotation',
+                resource: 'audit_system',
+                result: 'success',
+                riskLevel: 'low',
+                complianceTags: ['system_maintenance'],
+                details: { rotatedFile: rotatedPath },
+                metadata: {
+                    version: '1.0.0',
+                    environment: process.env.NODE_ENV || 'development',
+                    component: 'audit_logger'
+                }
+            });
+        }
+        catch (error) {
+            console.error('Failed to rotate audit log:', error);
+        }
+    }
+    scheduleMaintenance() {
+        // Only start maintenance if not already running
+        if (this.maintenanceInterval)
+            return;
+        // Run maintenance every hour
+        this.maintenanceInterval = setInterval(() => {
+            try {
+                this.performMaintenance();
+            }
+            catch (error) {
+                console.error('Audit maintenance failed:', error);
+            }
+        }, 60 * 60 * 1000); // 1 hour
+    }
+    /**
+     * Stop maintenance interval (useful for CLI commands that don't need persistent logging)
+     */
+    stopMaintenance() {
+        if (this.maintenanceInterval) {
+            clearInterval(this.maintenanceInterval);
+            this.maintenanceInterval = undefined;
+        }
+    }
+    performMaintenance() {
+        // Clean up old rotated files
+        const retentionMs = this.config.retentionDays * 24 * 60 * 60 * 1000;
+        try {
+            const files = fs.readdirSync(path.dirname(this.logFilePath))
+                .filter(file => file.startsWith(path.basename(this.logFilePath)) && file.includes('.rotated'));
+            files.forEach(file => {
+                const filePath = path.join(path.dirname(this.logFilePath), file);
+                const stats = fs.statSync(filePath);
+                if (Date.now() - stats.mtime.getTime() > retentionMs) {
+                    fs.unlinkSync(filePath);
+                }
+            });
+        }
+        catch (error) {
+            console.error('Failed to perform audit maintenance:', error);
+        }
+    }
+    initializeEncryption() {
+        const keyEnv = process.env.AUDIT_ENCRYPTION_KEY;
+        if (keyEnv) {
+            this.encryptionKey = Buffer.from(keyEnv, 'hex');
+        }
+        else {
+            // Generate a new key (in production, this should be stored securely)
+            this.encryptionKey = crypto.randomBytes(32);
+            console.warn(chalk.yellow('⚠️  No AUDIT_ENCRYPTION_KEY found. Using generated key (not secure for production)'));
+        }
+    }
+    encrypt(text) {
+        if (!this.encryptionKey)
+            return text;
+        const iv = crypto.randomBytes(16);
+        const cipher = crypto.createCipheriv('aes-256-cbc', this.encryptionKey, iv);
+        let encrypted = cipher.update(text, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        return iv.toString('hex') + ':' + encrypted;
+    }
+    decrypt(encryptedText) {
+        if (!this.encryptionKey)
+            return encryptedText;
+        const [ivHex, encrypted] = encryptedText.split(':');
+        const iv = Buffer.from(ivHex, 'hex');
+        const decipher = crypto.createDecipheriv('aes-256-cbc', this.encryptionKey, iv);
+        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    isComplianceViolation(event) {
+        // Check for various compliance rule violations
+        const violations = [];
+        // GDPR: Data access without consent
+        if (event.eventType === AuditEventType.DATA_ACCESS &&
+            !event.details.consentObtained) {
+            violations.push('GDPR: Missing data consent');
+        }
+        // SOX: Unauthorized configuration changes
+        if (event.eventType === AuditEventType.CONFIG_CHANGE &&
+            event.result === 'failure') {
+            violations.push('SOX: Unauthorized config change');
+        }
+        // HIPAA: Access to sensitive health data
+        if (event.details.sensitiveDataType === 'health' &&
+            !event.details.accessAuthorized) {
+            violations.push('HIPAA: Unauthorized health data access');
+        }
+        return violations.length > 0;
+    }
+    generateRecommendations(events, violations) {
+        const recommendations = [];
+        const highRiskCount = events.filter(e => e.riskLevel === 'high' || e.riskLevel === 'critical').length;
+        if (highRiskCount > events.length * 0.1) {
+            recommendations.push('Implement additional access controls for high-risk operations');
+        }
+        if (violations.length > 0) {
+            recommendations.push('Review and address compliance violations in audit logs');
+        }
+        const authFailures = events.filter(e => e.eventType.includes('auth') && e.result === 'failure').length;
+        if (authFailures > events.length * 0.05) {
+            recommendations.push('Strengthen authentication controls and monitor for brute force attempts');
+        }
+        return recommendations;
+    }
+    eventsToCSV(events) {
+        if (events.length === 0)
+            return '';
+        const headers = Object.keys(events[0]).join(',');
+        const rows = events.map(event => Object.values(event).map(value => typeof value === 'object' ? JSON.stringify(value) : String(value)).join(','));
+        return [headers, ...rows].join('\n');
+    }
+    eventsToXML(events) {
+        let xml = '<?xml version="1.0" encoding="UTF-8"?>\n<audit-events>\n';
+        events.forEach(event => {
+            xml += '  <event>\n';
+            Object.entries(event).forEach(([key, value]) => {
+                const valueStr = typeof value === 'object' ? JSON.stringify(value) : String(value);
+                xml += `    <${key}>${this.escapeXml(valueStr)}</${key}>\n`;
+            });
+            xml += '  </event>\n';
+        });
+        xml += '</audit-events>';
+        return xml;
+    }
+    escapeXml(unsafe) {
+        return unsafe
+            .replace(/&/g, '&')
+            .replace(/</g, '<')
+            .replace(/>/g, '>')
+            .replace(/"/g, '"')
+            .replace(/'/g, '&#39;');
+    }
+}
+// Export singleton instance for global use
+export const auditLogger = new EnterpriseAuditLogger();
+// Helper function to enable audit logging globally
+export function initializeAuditLogging(config) {
+    // Re-initialize with new config if provided
+    if (config) {
+        Object.assign(auditLogger, config);
+    }
+    console.log(chalk.blue('📋 Enterprise audit logging initialized'));
+    console.log(chalk.gray(`   Log file: ${auditLogger['logFilePath']}`));
+    console.log(chalk.gray(`   Encryption: ${auditLogger['config'].encryptionEnabled ? 'enabled' : 'disabled'}`));
+    console.log(chalk.gray(`   Remote sync: ${auditLogger['config'].remoteSync ? 'enabled' : 'disabled'}`));
+}