@jmruthers/pace-core 0.5.4 → 0.5.6

package/src/utils/__tests__/secureStorage.unit.test.ts

@@ -0,0 +1,293 @@
+/**
+ * @file Secure Storage Unit Tests
+ * @package @jmruthers/pace-core
+ * @module Utils/SecureStorage
+ * @since 0.4.0
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { secureStorage } from '../secureStorage';
+
+// Mock localStorage
+const mockLocalStorage = {
+  getItem: vi.fn(),
+  setItem: vi.fn(),
+  removeItem: vi.fn(),
+  clear: vi.fn(),
+  key: vi.fn(),
+  length: 0
+};
+
+// Mock crypto API
+const mockCrypto = {
+  subtle: {
+    generateKey: vi.fn(),
+    importKey: vi.fn(),
+    exportKey: vi.fn(),
+    encrypt: vi.fn(),
+    decrypt: vi.fn()
+  },
+  getRandomValues: vi.fn()
+};
+
+describe('Secure Storage', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    
+    // Mock global objects
+    Object.defineProperty(global, 'localStorage', {
+      value: mockLocalStorage,
+      writable: true
+    });
+    
+    Object.defineProperty(global, 'crypto', {
+      value: mockCrypto,
+      writable: true
+    });
+
+    // Mock window.crypto
+    Object.defineProperty(global, 'window', {
+      value: { crypto: mockCrypto },
+      writable: true
+    });
+
+    // Mock getRandomValues
+    mockCrypto.getRandomValues.mockReturnValue(new Uint8Array(12));
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe('initialization', () => {
+    it('should initialize without existing key', async () => {
+      mockLocalStorage.getItem.mockReturnValue(null);
+      mockCrypto.subtle.generateKey.mockResolvedValue({} as CryptoKey);
+      mockCrypto.subtle.exportKey.mockResolvedValue(new ArrayBuffer(32));
+
+      await secureStorage.init();
+
+      expect(mockCrypto.subtle.generateKey).toHaveBeenCalled();
+    });
+
+    it('should initialize with existing key', async () => {
+      // Reset the initialized state
+      (secureStorage as any).initialized = false;
+      
+      const mockKeyData = 'dGVzdC1rZXktZGF0YQ=='; // Valid base64 for "test-key-data"
+      mockLocalStorage.getItem.mockReturnValue(mockKeyData);
+      mockCrypto.subtle.importKey.mockResolvedValue({} as CryptoKey);
+
+      // Mock the base64ToArrayBuffer function to avoid base64 decoding issues
+      const originalBase64ToArrayBuffer = (secureStorage as any).base64ToArrayBuffer;
+      (secureStorage as any).base64ToArrayBuffer = vi.fn().mockReturnValue(new ArrayBuffer(32));
+
+      await secureStorage.init();
+
+      expect(mockLocalStorage.getItem).toHaveBeenCalledWith('_sec_key');
+      expect(mockCrypto.subtle.importKey).toHaveBeenCalled();
+
+      // Restore original function
+      (secureStorage as any).base64ToArrayBuffer = originalBase64ToArrayBuffer;
+    });
+
+    it('should handle initialization errors gracefully', async () => {
+      mockLocalStorage.getItem.mockImplementation(() => {
+        throw new Error('Storage error');
+      });
+
+      await expect(secureStorage.init()).resolves.not.toThrow();
+    });
+  });
+
+  describe('setItem', () => {
+    it('should store item without encryption by default', async () => {
+      await secureStorage.setItem('test-key', 'test-value');
+
+      expect(mockLocalStorage.setItem).toHaveBeenCalledWith('test-key', expect.any(String));
+    });
+
+    it('should store item with encryption when enabled', async () => {
+      // Setup encryption key
+      mockCrypto.subtle.generateKey.mockResolvedValue({} as CryptoKey);
+      mockCrypto.subtle.exportKey.mockResolvedValue(new ArrayBuffer(32));
+      await secureStorage.init();
+      
+      mockCrypto.subtle.encrypt.mockResolvedValue(new ArrayBuffer(8));
+      
+      await secureStorage.setItem('test-key', 'test-value', { encrypt: true });
+
+      expect(mockCrypto.subtle.encrypt).toHaveBeenCalled();
+      expect(mockLocalStorage.setItem).toHaveBeenCalledWith('_sec_test-key', expect.any(String));
+    });
+
+    it('should handle encryption failure gracefully', async () => {
+      // Setup encryption key
+      mockCrypto.subtle.generateKey.mockResolvedValue({} as CryptoKey);
+      mockCrypto.subtle.exportKey.mockResolvedValue(new ArrayBuffer(32));
+      await secureStorage.init();
+      
+      mockCrypto.subtle.encrypt.mockRejectedValue(new Error('Encryption failed'));
+
+      await secureStorage.setItem('test-key', 'test-value', { encrypt: true });
+
+      expect(mockLocalStorage.setItem).toHaveBeenCalledWith('test-key', expect.any(String));
+    });
+
+    it('should store item with expiry', async () => {
+      await secureStorage.setItem('test-key', 'test-value', { expiry: 1000 });
+
+      const storedData = JSON.parse(mockLocalStorage.setItem.mock.calls[0][1]);
+      expect(storedData.expiry).toBeDefined();
+    });
+  });
+
+  describe('getItem', () => {
+    it('should retrieve unencrypted item', async () => {
+      // Mock getItem to return null for encrypted data, then return plain data
+      mockLocalStorage.getItem
+        .mockReturnValueOnce(null) // No encrypted data
+        .mockReturnValueOnce(JSON.stringify({ value: 'test', timestamp: Date.now() })); // Plain data
+
+      const result = await secureStorage.getItem('test-key');
+
+      expect(result).toBe('test');
+    });
+
+    it('should retrieve encrypted item', async () => {
+      // Setup encryption key
+      mockCrypto.subtle.generateKey.mockResolvedValue({} as CryptoKey);
+      mockCrypto.subtle.exportKey.mockResolvedValue(new ArrayBuffer(32));
+      await secureStorage.init();
+      
+      const encryptedData = 'dGVzdC1lbmNyeXB0ZWQ='; // Valid base64 for "test-encrypted"
+      // Mock getItem to return encrypted data for the _sec_ key
+      mockLocalStorage.getItem.mockReturnValue(encryptedData);
+      mockCrypto.subtle.decrypt.mockResolvedValue(new TextEncoder().encode(JSON.stringify({ value: 'test' })));
+
+      // Mock the base64ToArrayBuffer function to avoid base64 decoding issues
+      const originalBase64ToArrayBuffer = (secureStorage as any).base64ToArrayBuffer;
+      (secureStorage as any).base64ToArrayBuffer = vi.fn().mockReturnValue(new ArrayBuffer(32));
+
+      const result = await secureStorage.getItem('test-key');
+
+      expect(mockCrypto.subtle.decrypt).toHaveBeenCalled();
+      expect(result).toBe('test');
+
+      // Restore original function
+      (secureStorage as any).base64ToArrayBuffer = originalBase64ToArrayBuffer;
+    });
+
+    it('should handle decryption failure gracefully', async () => {
+      // Setup encryption key
+      mockCrypto.subtle.generateKey.mockResolvedValue({} as CryptoKey);
+      mockCrypto.subtle.exportKey.mockResolvedValue(new ArrayBuffer(32));
+      await secureStorage.init();
+      
+      const encryptedData = 'encrypted-data';
+      mockLocalStorage.getItem.mockReturnValue(encryptedData);
+      mockCrypto.subtle.decrypt.mockRejectedValue(new Error('Decryption failed'));
+
+      const result = await secureStorage.getItem('test-key');
+
+      expect(result).toBe('encrypted-data');
+    });
+
+    it('should handle malformed stored data', async () => {
+      // Mock getItem to return null for encrypted data, then return malformed data
+      mockLocalStorage.getItem
+        .mockReturnValueOnce(null) // No encrypted data
+        .mockReturnValueOnce('invalid-json'); // Malformed plain data
+
+      const result = await secureStorage.getItem('test-key');
+
+      expect(result).toBe('invalid-json');
+    });
+
+    it('should return null for non-existent item', async () => {
+      // Mock getItem to return null for both encrypted and plain data
+      mockLocalStorage.getItem
+        .mockReturnValueOnce(null) // No encrypted data
+        .mockReturnValueOnce(null); // No plain data
+
+      const result = await secureStorage.getItem('test-key');
+
+      expect(result).toBeNull();
+    });
+
+    it('should handle expired items', async () => {
+      const expiredData = JSON.stringify({ 
+        value: 'test', 
+        timestamp: Date.now(),
+        expiry: Date.now() - 1000 // Expired
+      });
+      
+      // Mock getItem to return null for encrypted data, then return expired data
+      mockLocalStorage.getItem
+        .mockReturnValueOnce(null) // No encrypted data
+        .mockReturnValueOnce(expiredData); // Expired plain data
+
+      const result = await secureStorage.getItem('test-key');
+
+      expect(result).toBeNull();
+    });
+  });
+
+  describe('removeItem', () => {
+    it('should remove both encrypted and unencrypted items', async () => {
+      await secureStorage.removeItem('test-key');
+
+      expect(mockLocalStorage.removeItem).toHaveBeenCalledWith('test-key');
+      expect(mockLocalStorage.removeItem).toHaveBeenCalledWith('_sec_test-key');
+    });
+  });
+
+  describe('clear', () => {
+    it('should clear all secure storage', async () => {
+      // Mock Object.keys to return secure keys
+      const originalKeys = Object.keys;
+      Object.keys = vi.fn().mockReturnValue(['_sec_key1', '_sec_key2', 'normal_key']);
+
+      await secureStorage.clear();
+
+      expect(mockLocalStorage.removeItem).toHaveBeenCalledWith('_sec_key1');
+      expect(mockLocalStorage.removeItem).toHaveBeenCalledWith('_sec_key2');
+
+      // Restore original Object.keys
+      Object.keys = originalKeys;
+    });
+  });
+
+  describe('Edge Cases', () => {
+    it('should handle multiple initializations', async () => {
+      mockLocalStorage.getItem.mockReturnValue(null);
+      mockCrypto.subtle.generateKey.mockResolvedValue({} as CryptoKey);
+      mockCrypto.subtle.exportKey.mockResolvedValue(new ArrayBuffer(32));
+
+      await secureStorage.init();
+      
+      // Reset the initialized state to test the second call
+      (secureStorage as any).initialized = false;
+      await secureStorage.init(); // Should not reinitialize
+
+      expect(mockCrypto.subtle.generateKey).toHaveBeenCalledTimes(1);
+    });
+
+    it('should handle retrieval errors gracefully', async () => {
+      // Mock getItem to throw an error
+      mockLocalStorage.getItem.mockImplementation(() => {
+        throw new Error('Retrieval failed');
+      });
+
+      await expect(secureStorage.getItem('test-key')).rejects.toThrow('Retrieval failed');
+    });
+
+    it('should handle storage errors gracefully', async () => {
+      mockLocalStorage.setItem.mockImplementation(() => {
+        throw new Error('Storage failed');
+      });
+
+      await expect(secureStorage.setItem('test-key', 'test-value')).rejects.toThrow();
+    });
+  });
+}); 

package/src/utils/__tests__/security.unit.test.ts

@@ -0,0 +1,127 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import {
+  logSecurityEvent,
+  validateUserSession,
+  createSecureSession,
+  invalidateSession,
+  getSecurityHeaders,
+  validateSecurityHeaders,
+  generateDeviceFingerprint,
+  validateDeviceFingerprint
+} from '../security';
+
+describe('Security Utils', () => {
+  beforeEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it('logSecurityEvent logs to console.warn', () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const event = { type: 'test', timestamp: new Date(), details: { foo: 1 } };
+    logSecurityEvent(event);
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'test', details: { foo: 1 }, timestamp: event.timestamp.toISOString() }));
+  });
+
+  it('validateUserSession returns false and logs for invalid userId', async () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const result = await validateUserSession('', 'sometoken');
+    expect(result).toBe(false);
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'invalid_session_validation' }));
+  });
+
+  it('validateUserSession returns false and logs for short sessionToken', async () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const result = await validateUserSession('user1', 'short');
+    expect(result).toBe(false);
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'suspicious_session_token' }));
+  });
+
+  it('validateUserSession returns true for valid input', async () => {
+    const result = await validateUserSession('user1', 'longenoughsessiontoken');
+    expect(result).toBe(true);
+  });
+
+  it('createSecureSession returns a session ID and logs', async () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const fakeClient = {} as any;
+    const sessionId = await createSecureSession(fakeClient, { userId: 'user1', deviceFingerprint: 'abc' });
+    expect(typeof sessionId).toBe('string');
+    expect(sessionId).toMatch(/^sess_/);
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'session_created' }));
+  });
+
+  it('invalidateSession logs and resolves', async () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const fakeClient = {} as any;
+    await expect(invalidateSession(fakeClient, 'sess_123')).resolves.toBeUndefined();
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'session_invalidated' }));
+  });
+
+  it('getSecurityHeaders returns required headers', () => {
+    const headers = getSecurityHeaders();
+    expect(headers['X-Content-Type-Options']).toBe('nosniff');
+    expect(headers['X-Frame-Options']).toBe('DENY');
+    expect(headers['X-XSS-Protection']).toBe('1; mode=block');
+    expect(headers['Referrer-Policy']).toBe('strict-origin-when-cross-origin');
+    expect(headers['Strict-Transport-Security']).toMatch(/max-age/);
+  });
+
+  it('validateSecurityHeaders returns true for valid headers', () => {
+    const headers = getSecurityHeaders();
+    expect(validateSecurityHeaders(headers)).toBe(true);
+  });
+
+  it('validateSecurityHeaders returns false and logs for missing headers', () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const headers = { 'X-Content-Type-Options': 'nosniff' };
+    expect(validateSecurityHeaders(headers)).toBe(false);
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'missing_security_headers' }));
+  });
+
+  it('generateDeviceFingerprint returns a string', () => {
+    // Mock browser APIs
+    globalThis.navigator = { userAgent: 'test', language: 'en-US' } as any;
+    globalThis.screen = { width: 100, height: 200 } as any;
+    
+    // Mock HTMLCanvasElement for JSDOM environment
+    const mockCanvas = {
+      getContext: vi.fn().mockReturnValue({
+        fillText: vi.fn(),
+        measureText: vi.fn().mockReturnValue({ width: 100 })
+      }),
+      toDataURL: vi.fn().mockReturnValue('data:image/png;base64,mockdata')
+    };
+    
+    // Mock document.createElement to return our mock canvas
+    const originalCreateElement = document.createElement;
+    document.createElement = vi.fn().mockImplementation((tagName) => {
+      if (tagName === 'canvas') {
+        return mockCanvas as any;
+      }
+      return originalCreateElement.call(document, tagName);
+    });
+    
+    const fingerprint = generateDeviceFingerprint();
+    expect(typeof fingerprint).toBe('string');
+    expect(fingerprint.length).toBeGreaterThan(0);
+    
+    // Restore original createElement
+    document.createElement = originalCreateElement;
+  });
+
+  it('validateDeviceFingerprint returns true for valid match', () => {
+    expect(validateDeviceFingerprint('abc', 'abc')).toBe(true);
+  });
+
+  it('validateDeviceFingerprint returns false and logs for invalid input', () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    expect(validateDeviceFingerprint('', 'abc')).toBe(false);
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'invalid_device_fingerprint' }));
+  });
+
+  it('validateDeviceFingerprint returns false and logs for mismatch', () => {
+    const spy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    expect(validateDeviceFingerprint('abc', 'def')).toBe(false);
+    expect(spy).toHaveBeenCalledWith('[SECURITY EVENT]', expect.objectContaining({ type: 'device_fingerprint_mismatch' }));
+  });
+}); 

package/src/utils/__tests__/securityMonitor.unit.test.ts

@@ -0,0 +1,280 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { securityMonitor } from '../securityMonitor';
+
+describe('securityMonitor', () => {
+  beforeEach(() => {
+    // Reset the monitor before each test
+    securityMonitor.clearEvents();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe('logEvent', () => {
+    it('should log a security event with generated ID and timestamp', () => {
+      const event = {
+        action: 'login_attempt',
+        details: { userId: 'user-123', ip: '192.168.1.1' }
+      };
+
+      securityMonitor.logEvent(event);
+
+      const events = securityMonitor.getEvents();
+      expect(events).toHaveLength(1);
+      expect(events[0].action).toBe('login_attempt');
+      expect(events[0].details).toEqual({ userId: 'user-123', ip: '192.168.1.1' });
+      expect(events[0].id).toBeDefined();
+      expect(events[0].timestamp).toBeDefined();
+      expect(typeof events[0].id).toBe('string');
+      expect(typeof events[0].timestamp).toBe('number');
+    });
+
+    it('should log multiple events', () => {
+      const event1 = { action: 'login_attempt', details: { userId: 'user-123' } };
+      const event2 = { action: 'logout', details: { userId: 'user-123' } };
+
+      securityMonitor.logEvent(event1);
+      securityMonitor.logEvent(event2);
+
+      const events = securityMonitor.getEvents();
+      expect(events).toHaveLength(2);
+      expect(events[0].action).toBe('login_attempt');
+      expect(events[1].action).toBe('logout');
+    });
+
+    it('should generate unique IDs for each event', () => {
+      const event1 = { action: 'event1', details: {} };
+      const event2 = { action: 'event2', details: {} };
+
+      securityMonitor.logEvent(event1);
+      securityMonitor.logEvent(event2);
+
+      const events = securityMonitor.getEvents();
+      expect(events[0].id).not.toBe(events[1].id);
+    });
+
+    it('should always generate new ID and timestamp', () => {
+      const event = {
+        id: 'custom-id',
+        action: 'custom_action',
+        details: { custom: 'data' },
+        timestamp: 1234567890
+      };
+
+      securityMonitor.logEvent(event);
+
+      const events = securityMonitor.getEvents();
+      expect(events[0].id).not.toBe('custom-id');
+      expect(events[0].timestamp).not.toBe(1234567890);
+      expect(typeof events[0].id).toBe('string');
+      expect(typeof events[0].timestamp).toBe('number');
+    });
+
+    it('should handle events with complex details', () => {
+      const event = {
+        action: 'data_access',
+        details: {
+          userId: 'user-123',
+          resource: 'sensitive_data',
+          permissions: ['read', 'write'],
+          metadata: {
+            browser: 'Chrome',
+            ip: '192.168.1.1',
+            userAgent: 'Mozilla/5.0...'
+          }
+        }
+      };
+
+      securityMonitor.logEvent(event);
+
+      const events = securityMonitor.getEvents();
+      expect(events[0].details).toEqual(event.details);
+    });
+  });
+
+  describe('getEvents', () => {
+    it('should return empty array when no events logged', () => {
+      const events = securityMonitor.getEvents();
+      expect(events).toEqual([]);
+    });
+
+    it('should return copy of events array', () => {
+      const event = { action: 'test', details: {} };
+      securityMonitor.logEvent(event);
+
+      const events1 = securityMonitor.getEvents();
+      const events2 = securityMonitor.getEvents();
+
+      expect(events1).toEqual(events2);
+      expect(events1).not.toBe(events2); // Should be different references
+    });
+
+    it('should return all logged events in order', () => {
+      const events = [
+        { action: 'event1', details: {} },
+        { action: 'event2', details: {} },
+        { action: 'event3', details: {} }
+      ];
+
+      events.forEach(event => securityMonitor.logEvent(event));
+
+      const retrievedEvents = securityMonitor.getEvents();
+      expect(retrievedEvents).toHaveLength(3);
+      expect(retrievedEvents[0].action).toBe('event1');
+      expect(retrievedEvents[1].action).toBe('event2');
+      expect(retrievedEvents[2].action).toBe('event3');
+    });
+  });
+
+  describe('clearEvents', () => {
+    it('should clear all logged events', () => {
+      const event = { action: 'test', details: {} };
+      securityMonitor.logEvent(event);
+
+      expect(securityMonitor.getEvents()).toHaveLength(1);
+
+      securityMonitor.clearEvents();
+
+      expect(securityMonitor.getEvents()).toHaveLength(0);
+    });
+
+    it('should clear events multiple times', () => {
+      const event = { action: 'test', details: {} };
+      securityMonitor.logEvent(event);
+      securityMonitor.clearEvents();
+      securityMonitor.logEvent(event);
+      securityMonitor.clearEvents();
+
+      expect(securityMonitor.getEvents()).toHaveLength(0);
+    });
+  });
+
+  describe('createAlert', () => {
+    it('should create an alert with generated ID and timestamp', () => {
+      const alertData = {
+        type: 'suspicious_activity',
+        message: 'Multiple failed login attempts detected'
+      };
+
+      const alert = securityMonitor.createAlert(alertData);
+
+      expect(alert.id).toBeDefined();
+      expect(alert.type).toBe('suspicious_activity');
+      expect(alert.message).toBe('Multiple failed login attempts detected');
+      expect(alert.timestamp).toBeInstanceOf(Date);
+      expect(typeof alert.id).toBe('string');
+    });
+
+    it('should generate unique IDs for each alert', () => {
+      const alert1 = securityMonitor.createAlert({
+        type: 'alert1',
+        message: 'First alert'
+      });
+
+      const alert2 = securityMonitor.createAlert({
+        type: 'alert2',
+        message: 'Second alert'
+      });
+
+      expect(alert1.id).not.toBe(alert2.id);
+    });
+
+    it('should create alerts with different types', () => {
+      const alertTypes = [
+        { type: 'suspicious_activity', message: 'Suspicious activity detected' },
+        { type: 'authentication_failure', message: 'Authentication failed' },
+        { type: 'data_breach', message: 'Potential data breach detected' }
+      ];
+
+      const alerts = alertTypes.map(data => securityMonitor.createAlert(data));
+
+      alerts.forEach((alert, index) => {
+        expect(alert.type).toBe(alertTypes[index].type);
+        expect(alert.message).toBe(alertTypes[index].message);
+        expect(alert.id).toBeDefined();
+        expect(alert.timestamp).toBeInstanceOf(Date);
+      });
+    });
+
+    it('should create alerts with complex messages', () => {
+      const alertData = {
+        type: 'security_violation',
+        message: 'User admin@example.com attempted to access restricted resource /api/admin/users from IP 192.168.1.100 without proper permissions'
+      };
+
+      const alert = securityMonitor.createAlert(alertData);
+
+      expect(alert.message).toBe(alertData.message);
+      expect(alert.type).toBe('security_violation');
+    });
+  });
+
+  describe('Integration tests', () => {
+    it('should handle complete security monitoring workflow', () => {
+      // Log some security events
+      securityMonitor.logEvent({
+        action: 'login_attempt',
+        details: { userId: 'user-123', success: false }
+      });
+
+      securityMonitor.logEvent({
+        action: 'login_attempt',
+        details: { userId: 'user-123', success: false }
+      });
+
+      securityMonitor.logEvent({
+        action: 'login_attempt',
+        details: { userId: 'user-123', success: false }
+      });
+
+      // Create an alert for multiple failed attempts
+      const alert = securityMonitor.createAlert({
+        type: 'multiple_failed_logins',
+        message: 'User user-123 has 3 failed login attempts'
+      });
+
+      // Verify events and alert
+      const events = securityMonitor.getEvents();
+      expect(events).toHaveLength(3);
+      expect(events.every(e => e.action === 'login_attempt')).toBe(true);
+      expect(alert.type).toBe('multiple_failed_logins');
+      expect(alert.message).toBe('User user-123 has 3 failed login attempts');
+
+      // Clear events
+      securityMonitor.clearEvents();
+      expect(securityMonitor.getEvents()).toHaveLength(0);
+    });
+
+    it('should handle high-volume event logging', () => {
+      const events = Array.from({ length: 100 }, (_, i) => ({
+        action: `event_${i}`,
+        details: { index: i, timestamp: Date.now() }
+      }));
+
+      events.forEach(event => securityMonitor.logEvent(event));
+
+      const retrievedEvents = securityMonitor.getEvents();
+      expect(retrievedEvents).toHaveLength(100);
+      expect(retrievedEvents[0].action).toBe('event_0');
+      expect(retrievedEvents[99].action).toBe('event_99');
+    });
+
+    it('should maintain event order under concurrent access simulation', () => {
+      const events = [
+        { action: 'start_session', details: { userId: 'user-123' } },
+        { action: 'access_resource', details: { resource: '/api/data' } },
+        { action: 'end_session', details: { userId: 'user-123' } }
+      ];
+
+      // Simulate concurrent logging
+      events.forEach(event => securityMonitor.logEvent(event));
+
+      const retrievedEvents = securityMonitor.getEvents();
+      expect(retrievedEvents).toHaveLength(3);
+      expect(retrievedEvents[0].action).toBe('start_session');
+      expect(retrievedEvents[1].action).toBe('access_resource');
+      expect(retrievedEvents[2].action).toBe('end_session');
+    });
+  });
+});