@omniradiology/omnirad 0.1.3

package/lib/security/audit.ts

@@ -0,0 +1,180 @@
+/**
+ * OmniRad Audit Logging Module
+ * 
+ * Central immutable audit trail for all PHI access and modifications.
+ * HIPAA §164.312(b) — Audit controls.
+ */
+import { db, sqlite } from "@/db";
+import { randomUUID } from "crypto";
+import type { AuthContext } from "./authz";
+
+// ─── Types ───────────────────────────────────────────────────────────────────
+
+export interface AuditEvent {
+    actorUserId?: string;
+    actorRole?: string;
+    actorType?: "user" | "system" | "integration";
+    action: string;
+    resourceType: string;
+    resourceId?: string;
+    patientId?: string;
+    ipAddress?: string;
+    userAgent?: string;
+    success?: boolean;
+    reason?: string;
+    metadata?: Record<string, unknown>;
+}
+
+// ─── Table Creation (called from db/index.ts) ────────────────────────────────
+
+export const AUDIT_LOGS_CREATE_SQL = `
+    CREATE TABLE IF NOT EXISTS audit_logs (
+        id TEXT PRIMARY KEY,
+        actor_user_id TEXT,
+        actor_role TEXT,
+        actor_type TEXT DEFAULT 'user',
+        action TEXT NOT NULL,
+        resource_type TEXT NOT NULL,
+        resource_id TEXT,
+        patient_id TEXT,
+        ip_address TEXT,
+        user_agent TEXT,
+        success INTEGER DEFAULT 1,
+        reason TEXT,
+        metadata_json TEXT,
+        created_at TEXT NOT NULL
+    );
+
+    CREATE INDEX IF NOT EXISTS idx_audit_logs_action ON audit_logs(action);
+    CREATE INDEX IF NOT EXISTS idx_audit_logs_patient_id ON audit_logs(patient_id);
+    CREATE INDEX IF NOT EXISTS idx_audit_logs_actor ON audit_logs(actor_user_id);
+    CREATE INDEX IF NOT EXISTS idx_audit_logs_created_at ON audit_logs(created_at);
+`;
+
+// ─── Core Logging Function ───────────────────────────────────────────────────
+
+// Prepare statement once for performance (lazy init)
+let _insertStmt: ReturnType<typeof sqlite.prepare> | null = null;
+
+function getInsertStmt() {
+    if (!_insertStmt) {
+        try {
+            _insertStmt = sqlite.prepare(`
+                INSERT INTO audit_logs 
+                (id, actor_user_id, actor_role, actor_type, action, resource_type, resource_id, patient_id, ip_address, user_agent, success, reason, metadata_json, created_at)
+                VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+            `);
+        } catch {
+            // Table might not exist yet during initial setup
+            return null;
+        }
+    }
+    return _insertStmt;
+}
+
+/**
+ * Writes an immutable audit log entry.
+ * Never stores raw PHI in metadata — only IDs, counts, route names, model names, and status codes.
+ */
+export async function auditLog(event: AuditEvent): Promise<void> {
+    try {
+        const stmt = getInsertStmt();
+        if (!stmt) return; // Table not ready yet
+
+        const id = randomUUID();
+        const now = new Date().toISOString();
+
+        // Sanitize metadata — ensure no PHI sneaks in
+        let metadataJson: string | null = null;
+        if (event.metadata) {
+            const safeMetadata = sanitizeAuditMetadata(event.metadata);
+            metadataJson = JSON.stringify(safeMetadata);
+        }
+
+        (stmt as any).run(
+            id,
+            event.actorUserId || null,
+            event.actorRole || null,
+            event.actorType || "user",
+            event.action,
+            event.resourceType,
+            event.resourceId || null,
+            event.patientId || null,
+            event.ipAddress || null,
+            event.userAgent || null,
+            event.success !== false ? 1 : 0,
+            event.reason || null,
+            metadataJson,
+            now
+        );
+    } catch (err) {
+        // Audit logging should never crash the application
+        console.error("[Audit] Failed to write audit log:", err instanceof Error ? err.message : "Unknown error");
+    }
+}
+
+/**
+ * Shorthand for logging a successful event.
+ */
+export async function auditSuccess(event: AuditEvent): Promise<void> {
+    return auditLog({ ...event, success: true });
+}
+
+/**
+ * Shorthand for logging a failed event.
+ */
+export async function auditFailure(event: AuditEvent, error?: unknown): Promise<void> {
+    const reason = event.reason || (error instanceof Error ? error.message : "Unknown error");
+    return auditLog({ ...event, success: false, reason });
+}
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+/**
+ * Creates an AuditEvent from an AuthContext + action details.
+ */
+export function auditEventFromContext(
+    ctx: AuthContext,
+    action: string,
+    resourceType: string,
+    extra?: Partial<AuditEvent>
+): AuditEvent {
+    return {
+        actorUserId: ctx.userId,
+        actorRole: ctx.role,
+        actorType: "user",
+        action,
+        resourceType,
+        ipAddress: ctx.ipAddress,
+        userAgent: ctx.userAgent,
+        ...extra,
+    };
+}
+
+/**
+ * Sanitize metadata to ensure no PHI is stored.
+ * Only allow safe primitive values and known-safe keys.
+ */
+function sanitizeAuditMetadata(metadata: Record<string, unknown>): Record<string, unknown> {
+    const SAFE_KEYS = new Set([
+        "method", "route", "statusCode", "status",
+        "count", "total", "page", "limit",
+        "modelName", "model_name", "providerName", "provider_name",
+        "purpose", "modality", "urgency", "reportStatus", "report_status",
+        "format", "exportFormat",
+        "restriction", "legalBasis", "consentStatus",
+        "tokenCount", "generationTimeMs",
+        "oldRole", "newRole", "targetUserId",
+        "scope", "clientType", "integrationId",
+    ]);
+
+    const safe: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(metadata)) {
+        if (!SAFE_KEYS.has(key)) continue;
+        // Only allow primitives
+        if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+            safe[key] = value;
+        }
+    }
+    return safe;
+}

package/lib/security/authz.ts

@@ -0,0 +1,246 @@
+/**
+ * OmniRad Authorization & RBAC Module
+ * 
+ * Centralized authentication and role-based access control.
+ * Every PHI API route MUST use one of these helpers.
+ */
+import { db } from "@/db";
+import { users, sessions } from "@/db/schema";
+import { eq } from "drizzle-orm";
+import { cookies } from "next/headers";
+import { NextRequest } from "next/server";
+
+// ─── Types ───────────────────────────────────────────────────────────────────
+
+export type UserRole = "Admin" | "Radiologist" | "Technician" | "Viewer" | "User";
+
+export type Permission =
+    | "patient.read" | "patient.create" | "patient.update" | "patient.delete"
+    | "report.read" | "report.create" | "report.update" | "report.finalize" | "report.delete"
+    | "image.view" | "pacs.query" | "pacs.retrieve"
+    | "copilot.use" | "ai.configure"
+    | "fhir.read" | "fhir.write"
+    | "settings.read" | "settings.write"
+    | "users.manage" | "compliance.manage"
+    | "data.clear" | "data.wipe";
+
+export interface AuthContext {
+    userId: string;
+    role: UserRole;
+    fullName: string;
+    username: string;
+    email: string;
+    sessionId: string;
+    ipAddress: string;
+    userAgent: string;
+}
+
+// ─── Role-Permission Matrix ─────────────────────────────────────────────────
+
+const ROLE_PERMISSIONS: Record<UserRole, Permission[]> = {
+    Admin: [
+        "patient.read", "patient.create", "patient.update", "patient.delete",
+        "report.read", "report.create", "report.update", "report.finalize", "report.delete",
+        "image.view", "pacs.query", "pacs.retrieve",
+        "copilot.use", "ai.configure",
+        "fhir.read", "fhir.write",
+        "settings.read", "settings.write",
+        "users.manage", "compliance.manage",
+        "data.clear", "data.wipe",
+    ],
+    Radiologist: [
+        "patient.read", "patient.create", "patient.update",
+        "report.read", "report.create", "report.update", "report.finalize",
+        "image.view", "pacs.query", "pacs.retrieve",
+        "copilot.use",
+        "fhir.read",
+        "settings.read",
+    ],
+    Technician: [
+        "patient.read", "patient.create", "patient.update",
+        "report.read", "report.create",
+        "image.view", "pacs.query", "pacs.retrieve",
+        "settings.read",
+    ],
+    Viewer: [
+        "patient.read",
+        "report.read",
+        "image.view",
+        "settings.read",
+    ],
+    // Legacy "User" role — maps to Radiologist-level access for backward compat
+    User: [
+        "patient.read", "patient.create", "patient.update",
+        "report.read", "report.create", "report.update", "report.finalize",
+        "image.view", "pacs.query", "pacs.retrieve",
+        "copilot.use",
+        "fhir.read",
+        "settings.read",
+    ],
+};
+
+// ─── Errors ──────────────────────────────────────────────────────────────────
+
+export class AuthError extends Error {
+    constructor(
+        message: string,
+        public statusCode: number = 401,
+        public code: string = "UNAUTHORIZED"
+    ) {
+        super(message);
+        this.name = "AuthError";
+    }
+}
+
+export class ForbiddenError extends AuthError {
+    constructor(message: string = "Forbidden") {
+        super(message, 403, "FORBIDDEN");
+        this.name = "ForbiddenError";
+    }
+}
+
+// ─── Helper: Extract IP & User-Agent ─────────────────────────────────────────
+
+function extractClientInfo(request?: NextRequest | Request): { ipAddress: string; userAgent: string } {
+    if (!request) return { ipAddress: "unknown", userAgent: "unknown" };
+    
+    const headers = request.headers;
+    const ipAddress =
+        headers.get("x-forwarded-for")?.split(",")[0]?.trim() ||
+        headers.get("x-real-ip") ||
+        "unknown";
+    const userAgent = headers.get("user-agent") || "unknown";
+    
+    return { ipAddress, userAgent };
+}
+
+// ─── Core: Validate Session & Get User ───────────────────────────────────────
+
+/**
+ * Validates the session cookie and returns the authenticated user context.
+ * Throws AuthError if not authenticated.
+ */
+export async function requireUser(request?: NextRequest | Request): Promise<AuthContext> {
+    const cookieStore = await cookies();
+    const sessionId = cookieStore.get("omnirad_session_id")?.value;
+
+    if (!sessionId) {
+        throw new AuthError("Authentication required");
+    }
+
+    // Look up session
+    const sessionList = await db.select().from(sessions).where(eq(sessions.id, sessionId)).limit(1);
+    const session = sessionList[0];
+
+    if (!session) {
+        throw new AuthError("Invalid session");
+    }
+
+    // Check expiration
+    if (session.expiresAt * 1000 < Date.now()) {
+        // Clean up expired session
+        await db.delete(sessions).where(eq(sessions.id, sessionId));
+        throw new AuthError("Session expired");
+    }
+
+    // Look up user
+    const userList = await db.select().from(users).where(eq(users.id, session.userId)).limit(1);
+    const user = userList[0];
+
+    if (!user) {
+        throw new AuthError("User not found");
+    }
+
+    const { ipAddress, userAgent } = extractClientInfo(request);
+
+    return {
+        userId: user.id,
+        role: (user.role as UserRole) || "User",
+        fullName: user.fullName,
+        username: user.username,
+        email: user.email,
+        sessionId,
+        ipAddress,
+        userAgent,
+    };
+}
+
+/**
+ * Optionally gets the user context without throwing.
+ * Returns null if not authenticated.
+ */
+export async function getOptionalUser(request?: NextRequest | Request): Promise<AuthContext | null> {
+    try {
+        return await requireUser(request);
+    } catch {
+        return null;
+    }
+}
+
+// ─── Role Checks ─────────────────────────────────────────────────────────────
+
+/**
+ * Requires the user to have one of the specified roles.
+ * Throws ForbiddenError if not authorized.
+ */
+export function requireRole(ctx: AuthContext, roles: UserRole[]): void {
+    if (!roles.includes(ctx.role)) {
+        throw new ForbiddenError(
+            `Role '${ctx.role}' is not authorized. Required: ${roles.join(", ")}`
+        );
+    }
+}
+
+/**
+ * Requires the user to have a specific permission based on their role.
+ * Throws ForbiddenError if not authorized.
+ */
+export function requirePermission(ctx: AuthContext, permission: Permission): void {
+    const permissions = ROLE_PERMISSIONS[ctx.role];
+    if (!permissions || !permissions.includes(permission)) {
+        throw new ForbiddenError(
+            `Permission '${permission}' not granted for role '${ctx.role}'`
+        );
+    }
+}
+
+/**
+ * Checks if a user has a specific permission (non-throwing).
+ */
+export function hasPermission(ctx: AuthContext, permission: Permission): boolean {
+    const permissions = ROLE_PERMISSIONS[ctx.role];
+    return permissions?.includes(permission) ?? false;
+}
+
+// ─── Valid Roles List ────────────────────────────────────────────────────────
+
+export const VALID_ROLES: UserRole[] = ["Admin", "Radiologist", "Technician", "Viewer", "User"];
+
+/**
+ * Validates that a role string is a valid UserRole.
+ */
+export function isValidRole(role: string): role is UserRole {
+    return VALID_ROLES.includes(role as UserRole);
+}
+
+// ─── Error Response Helper ───────────────────────────────────────────────────
+
+import { NextResponse } from "next/server";
+
+/**
+ * Wraps an API handler with auth error handling.
+ * Returns appropriate JSON error responses for auth failures.
+ */
+export function handleAuthError(error: unknown): NextResponse {
+    if (error instanceof AuthError) {
+        return NextResponse.json(
+            { error: error.message, code: error.code },
+            { status: error.statusCode }
+        );
+    }
+    // Unknown error — don't leak details
+    return NextResponse.json(
+        { error: "Internal server error" },
+        { status: 500 }
+    );
+}

package/lib/security/phi-redaction.ts

@@ -0,0 +1,156 @@
+/**
+ * OmniRad PHI Redaction & Safe Logging Module
+ * 
+ * Prevents Protected Health Information from leaking into server logs.
+ * All PHI API routes must use safeLog/safeError instead of console.log/console.error.
+ */
+
+// ─── PHI Field Names ────────────────────────────────────────────────────────
+
+const PHI_FIELD_NAMES = new Set([
+    // Patient demographics
+    "patientName", "patient_name", "patientname", "name", "fullName", "full_name",
+    "dob", "date_of_birth", "dateOfBirth", "birthDate",
+    "mobile", "phone", "phoneNumber", "phone_number",
+    "address", "streetAddress", "street_address",
+    "contactInfo", "contact_info", "email",
+    "notes", "patientNotes",
+    "patientIdNumber", "patient_id_number", "mrn",
+    // Report content
+    "reportData", "report_data",
+    "findings", "impression", "conclusion", "technique",
+    "clinical_history", "clinicalHistory",
+    "recommendation", "recommendations",
+    // Images
+    "imageData", "image_data", "imageBase64",
+    "signature",
+    // AI
+    "rawLlmResponse", "raw_llm_response",
+    "content", // copilot chat content
+    "message",
+    "prompt", "systemPrompt", "system_prompt",
+    // Secrets
+    "apiSecretKey", "api_secret_key", "apiKey", "api_key",
+    "password", "passwordHash", "password_hash",
+    "token", "bearerToken", "bearer_token",
+    "pacsBearerToken", "pacs_bearer_token",
+    "pacsPassword", "pacs_password",
+    "supabaseAnonKey", "supabase_anon_key",
+    "langsmithApiKey", "langsmith_api_key",
+    "externalFhirClientSecret", "external_fhir_client_secret",
+    "externalFhirBearerToken", "external_fhir_bearer_token",
+    "apiTokenHash", "api_token_hash",
+    "tokenHash", "token_hash",
+    // FHIR payloads
+    "rawFhir", "raw_fhir",
+    // DICOM
+    "dicomMetadata", "dicom_metadata",
+    "viewerActions", "viewer_actions",
+    "references_data",
+]);
+
+// ─── Base64 Detection ────────────────────────────────────────────────────────
+
+const BASE64_PATTERN = /^(?:[A-Za-z0-9+/]{4}){10,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+
+function isLikelyBase64(value: string): boolean {
+    if (value.length < 100) return false;
+    return BASE64_PATTERN.test(value.substring(0, 200));
+}
+
+// ─── Redaction ───────────────────────────────────────────────────────────────
+
+const REDACTED = "[PHI_REDACTED]";
+const SECRET_REDACTED = "[SECRET_REDACTED]";
+
+/**
+ * Recursively redacts known PHI fields and base64 data from an object.
+ * Returns a safe copy of the value.
+ */
+export function redactPhi(value: unknown, depth: number = 0): unknown {
+    // Prevent infinite recursion
+    if (depth > 10) return REDACTED;
+
+    if (value === null || value === undefined) return value;
+
+    if (typeof value === "string") {
+        // Redact base64 strings
+        if (isLikelyBase64(value)) return "[BASE64_REDACTED]";
+        // Redact long strings that look like they could contain PHI
+        if (value.length > 500) return `[LONG_STRING length=${value.length}]`;
+        return value;
+    }
+
+    if (typeof value === "number" || typeof value === "boolean") return value;
+
+    if (Array.isArray(value)) {
+        if (value.length > 20) return `[ARRAY length=${value.length}]`;
+        return value.map((item) => redactPhi(item, depth + 1));
+    }
+
+    if (typeof value === "object") {
+        const result: Record<string, unknown> = {};
+        for (const [key, val] of Object.entries(value as Record<string, unknown>)) {
+            if (PHI_FIELD_NAMES.has(key)) {
+                // Show type/length but not content
+                if (typeof val === "string") {
+                    result[key] = val.length > 0 ? `${REDACTED} (${val.length} chars)` : "";
+                } else if (val === null || val === undefined) {
+                    result[key] = val;
+                } else {
+                    result[key] = REDACTED;
+                }
+            } else {
+                result[key] = redactPhi(val, depth + 1);
+            }
+        }
+        return result;
+    }
+
+    return REDACTED;
+}
+
+// ─── Safe Logging ────────────────────────────────────────────────────────────
+
+/**
+ * Logs a message with automatic PHI redaction.
+ * Use instead of console.log in PHI-handling code.
+ */
+export function safeLog(message: string, metadata?: unknown): void {
+    if (metadata !== undefined) {
+        console.log(`[OmniRad] ${message}`, redactPhi(metadata));
+    } else {
+        console.log(`[OmniRad] ${message}`);
+    }
+}
+
+/**
+ * Logs an error with automatic PHI redaction.
+ * Use instead of console.error in PHI-handling code.
+ */
+export function safeError(message: string, error?: unknown): void {
+    if (error instanceof Error) {
+        // Only log the message and stack, not the full error object which may contain PHI
+        console.error(`[OmniRad] ${message}`, {
+            errorMessage: error.message,
+            errorName: error.name,
+            // Don't include stack in production
+            ...(process.env.NODE_ENV !== "production" && { stack: error.stack }),
+        });
+    } else if (error !== undefined) {
+        console.error(`[OmniRad] ${message}`, redactPhi(error));
+    } else {
+        console.error(`[OmniRad] ${message}`);
+    }
+}
+
+/**
+ * Logs a warning with automatic PHI redaction.
+ */
+export function safeWarn(message: string, metadata?: unknown): void {
+    if (metadata !== undefined) {
+        console.warn(`[OmniRad] ${message}`, redactPhi(metadata));
+    } else {
+        console.warn(`[OmniRad] ${message}`);
+    }
+}

package/lib/security/rate-limit.ts

@@ -0,0 +1,106 @@
+/**
+ * OmniRad Rate Limiting Module
+ * 
+ * Simple in-memory rate limiter for auth endpoints.
+ * Protects against brute-force login attempts.
+ */
+
+// ─── Types ───────────────────────────────────────────────────────────────────
+
+interface RateLimitEntry {
+    count: number;
+    resetAt: number; // Unix timestamp in ms
+}
+
+interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+}
+
+// ─── In-Memory Store ─────────────────────────────────────────────────────────
+
+const store = new Map<string, RateLimitEntry>();
+
+// Cleanup interval — remove expired entries every 60 seconds
+const CLEANUP_INTERVAL_MS = 60_000;
+let cleanupTimer: ReturnType<typeof setInterval> | null = null;
+
+function startCleanup(): void {
+    if (cleanupTimer) return;
+    cleanupTimer = setInterval(() => {
+        const now = Date.now();
+        for (const [key, entry] of store.entries()) {
+            if (entry.resetAt <= now) {
+                store.delete(key);
+            }
+        }
+    }, CLEANUP_INTERVAL_MS);
+
+    // Don't prevent process exit
+    if (cleanupTimer && typeof cleanupTimer === "object" && "unref" in cleanupTimer) {
+        cleanupTimer.unref();
+    }
+}
+
+// ─── Rate Limit Function ─────────────────────────────────────────────────────
+
+/**
+ * Checks and enforces a rate limit for a given key.
+ * 
+ * @param key - Unique identifier (e.g., IP address, "login:192.168.1.1")
+ * @param maxAttempts - Maximum number of attempts allowed in the window
+ * @param windowMs - Time window in milliseconds
+ * @returns Object with allowed flag, remaining attempts, and reset timestamp
+ */
+export function rateLimit(
+    key: string,
+    maxAttempts: number = 5,
+    windowMs: number = 60_000
+): RateLimitResult {
+    startCleanup();
+
+    const now = Date.now();
+    const entry = store.get(key);
+
+    // No entry or expired — create fresh
+    if (!entry || entry.resetAt <= now) {
+        store.set(key, {
+            count: 1,
+            resetAt: now + windowMs,
+        });
+        return {
+            allowed: true,
+            remaining: maxAttempts - 1,
+            resetAt: now + windowMs,
+        };
+    }
+
+    // Increment count
+    entry.count += 1;
+
+    if (entry.count > maxAttempts) {
+        return {
+            allowed: false,
+            remaining: 0,
+            resetAt: entry.resetAt,
+        };
+    }
+
+    return {
+        allowed: true,
+        remaining: maxAttempts - entry.count,
+        resetAt: entry.resetAt,
+    };
+}
+
+/**
+ * Creates a rate limit key from a request's IP address.
+ */
+export function rateLimitKey(prefix: string, request: Request): string {
+    const forwarded = request.headers.get("x-forwarded-for");
+    const ip = forwarded?.split(",")[0]?.trim() || 
+               request.headers.get("x-real-ip") || 
+               "unknown";
+    return `${prefix}:${ip}`;
+}