npm - @revealui/security - Versions diffs - 0.0.1-pre.1 → 0.2.0 - Mend

@revealui/security 0.0.1-pre.1 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,1358 @@
+/**
+ * Audit Logging System
+ *
+ * Track security-relevant events and user actions for compliance
+ */
+type AuditEventType = 'auth.login' | 'auth.logout' | 'auth.failed_login' | 'auth.password_change' | 'auth.password_reset' | 'auth.mfa_enabled' | 'auth.mfa_disabled' | 'user.create' | 'user.update' | 'user.delete' | 'user.view' | 'data.create' | 'data.read' | 'data.update' | 'data.delete' | 'data.export' | 'permission.grant' | 'permission.revoke' | 'role.assign' | 'role.remove' | 'config.change' | 'security.violation' | 'security.alert' | 'gdpr.consent' | 'gdpr.data_request' | 'gdpr.data_deletion' | `data.${string}` | `permission.${string}` | `security.${string}` | `gdpr.${string}`;
+type AuditSeverity = 'low' | 'medium' | 'high' | 'critical';
+interface AuditEvent {
+    id: string;
+    timestamp: string;
+    type: AuditEventType;
+    severity: AuditSeverity;
+    actor: {
+        id: string;
+        type: 'user' | 'system' | 'api';
+        ip?: string;
+        userAgent?: string;
+    };
+    resource?: {
+        type: string;
+        id: string;
+        name?: string;
+    };
+    action: string;
+    result: 'success' | 'failure' | 'partial';
+    changes?: {
+        before?: Record<string, unknown>;
+        after?: Record<string, unknown>;
+    };
+    metadata?: Record<string, unknown>;
+    message?: string;
+}
+interface AuditQuery {
+    types?: AuditEventType[];
+    actorId?: string;
+    resourceType?: string;
+    resourceId?: string;
+    startDate?: Date;
+    endDate?: Date;
+    severity?: AuditSeverity[];
+    result?: ('success' | 'failure' | 'partial')[];
+    limit?: number;
+    offset?: number;
+}
+interface AuditStorage {
+    write(event: AuditEvent): Promise<void>;
+    query(query: AuditQuery): Promise<AuditEvent[]>;
+    count(query: AuditQuery): Promise<number>;
+}
+/**
+ * Audit logging system
+ */
+declare class AuditSystem {
+    private storage;
+    private filters;
+    constructor(storage: AuditStorage);
+    /**
+     * Log audit event
+     */
+    log(event: Omit<AuditEvent, 'id' | 'timestamp'>): Promise<void>;
+    /**
+     * Log authentication event
+     */
+    logAuth(type: Extract<AuditEventType, 'auth.login' | 'auth.logout' | 'auth.failed_login' | 'auth.password_change'>, actorId: string, result: 'success' | 'failure', metadata?: Record<string, unknown>): Promise<void>;
+    /**
+     * Log data access event
+     */
+    logDataAccess(action: 'create' | 'read' | 'update' | 'delete', actorId: string, resourceType: string, resourceId: string, result: 'success' | 'failure', changes?: {
+        before?: Record<string, unknown>;
+        after?: Record<string, unknown>;
+    }): Promise<void>;
+    /**
+     * Log permission change
+     */
+    logPermissionChange(action: 'grant' | 'revoke', actorId: string, targetUserId: string, permission: string, result: 'success' | 'failure'): Promise<void>;
+    /**
+     * Log security event
+     */
+    logSecurityEvent(type: 'violation' | 'alert', severity: AuditSeverity, actorId: string, message: string, metadata?: Record<string, unknown>): Promise<void>;
+    /**
+     * Log GDPR event
+     */
+    logGDPREvent(type: 'consent' | 'data_request' | 'data_deletion', actorId: string, result: 'success' | 'failure', metadata?: Record<string, unknown>): Promise<void>;
+    /**
+     * Query audit logs
+     */
+    query(query: AuditQuery): Promise<AuditEvent[]>;
+    /**
+     * Count audit logs
+     */
+    count(query: AuditQuery): Promise<number>;
+    /**
+     * Add filter
+     */
+    addFilter(filter: (event: AuditEvent) => boolean): void;
+    /**
+     * Remove filter
+     */
+    removeFilter(filter: (event: AuditEvent) => boolean): void;
+}
+/**
+ * In-memory audit storage (for development)
+ */
+declare class InMemoryAuditStorage implements AuditStorage {
+    private events;
+    private maxEvents;
+    constructor(maxEvents?: number);
+    write(event: AuditEvent): Promise<void>;
+    query(query: AuditQuery): Promise<AuditEvent[]>;
+    count(query: AuditQuery): Promise<number>;
+    /**
+     * Clear all events
+     */
+    clear(): void;
+    /**
+     * Get all events
+     */
+    getAll(): AuditEvent[];
+}
+/**
+ * Audit trail decorator
+ */
+declare function AuditTrail(type: AuditEventType, action: string, options?: {
+    severity?: AuditSeverity;
+    captureChanges?: boolean;
+    resourceType?: string;
+}): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+/**
+ * Audit middleware
+ */
+declare function createAuditMiddleware<TRequest = unknown, TResponse = unknown>(audit: AuditSystem, getUser: (request: TRequest) => {
+    id: string;
+    ip?: string;
+    userAgent?: string;
+}): (request: TRequest & {
+    method: string;
+    url: string;
+}, next: () => Promise<TResponse & {
+    status?: number;
+}>) => Promise<TResponse & {
+    status?: number;
+}>;
+/**
+ * Audit report generator
+ */
+declare class AuditReportGenerator {
+    private audit;
+    constructor(audit: AuditSystem);
+    /**
+     * Generate security report
+     */
+    generateSecurityReport(startDate: Date, endDate: Date): Promise<{
+        totalEvents: number;
+        securityViolations: number;
+        failedLogins: number;
+        permissionChanges: number;
+        dataExports: number;
+        criticalEvents: AuditEvent[];
+    }>;
+    /**
+     * Generate user activity report
+     */
+    generateUserActivityReport(userId: string, startDate: Date, endDate: Date): Promise<{
+        totalActions: number;
+        actionsByType: Record<string, number>;
+        failedActions: number;
+        recentActions: AuditEvent[];
+    }>;
+    /**
+     * Generate compliance report
+     */
+    generateComplianceReport(startDate: Date, endDate: Date): Promise<{
+        dataAccesses: number;
+        dataModifications: number;
+        dataDeletions: number;
+        gdprRequests: number;
+        auditTrailComplete: boolean;
+    }>;
+    /**
+     * Check audit trail continuity
+     */
+    private checkAuditTrailContinuity;
+}
+/**
+ * Global audit system
+ */
+declare const audit: AuditSystem;
+/**
+ * Authentication Utilities
+ *
+ * OAuth support, password hashing, and two-factor authentication.
+ * JWT-based auth was removed — session auth is handled by @revealui/auth.
+ */
+interface User {
+    id: string;
+    email: string;
+    username?: string;
+    roles: string[];
+    permissions: string[];
+    metadata?: Record<string, unknown>;
+}
+/**
+ * OAuth configuration
+ */
+interface OAuthConfig {
+    provider: 'google' | 'github' | 'microsoft' | 'custom';
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scope?: string[];
+    authorizationUrl?: string;
+    tokenUrl?: string;
+    userInfoUrl?: string;
+}
+/**
+ * OAuth provider configurations
+ */
+declare const OAuthProviders: {
+    google: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        userInfoUrl: string;
+        scope: string[];
+    };
+    github: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        userInfoUrl: string;
+        scope: string[];
+    };
+    microsoft: {
+        authorizationUrl: string;
+        tokenUrl: string;
+        userInfoUrl: string;
+        scope: string[];
+    };
+};
+/**
+ * OAuth client
+ */
+declare class OAuthClient {
+    private config;
+    constructor(config: OAuthConfig);
+    /**
+     * Get authorization URL
+     */
+    getAuthorizationUrl(state?: string): string;
+    /**
+     * Exchange code for token
+     */
+    exchangeCodeForToken(code: string): Promise<{
+        access_token: string;
+        refresh_token?: string;
+        expires_in: number;
+        token_type: string;
+    }>;
+    /**
+     * Get user info
+     */
+    getUserInfo(accessToken: string): Promise<{
+        id: string;
+        email: string;
+        name?: string;
+        picture?: string;
+    }>;
+}
+/**
+ * Hash password with PBKDF2 and random salt
+ */
+declare function hashPassword(password: string): Promise<string>;
+/**
+ * Verify password against stored hash
+ */
+declare function verifyPassword(password: string, storedHash: string): Promise<boolean>;
+declare const PasswordHasher: {
+    readonly hash: typeof hashPassword;
+    readonly verify: typeof verifyPassword;
+};
+/**
+ * Generate TOTP secret
+ */
+declare function generateSecret(): string;
+/**
+ * Generate TOTP code
+ */
+declare function generateCode(secret: string, timestamp?: number): string;
+/**
+ * Verify TOTP code
+ */
+declare function verifyCode(secret: string, code: string, window?: number): boolean;
+declare const TwoFactorAuth: {
+    readonly generateSecret: typeof generateSecret;
+    readonly generateCode: typeof generateCode;
+    readonly verifyCode: typeof verifyCode;
+};
+/**
+ * Authorization System
+ *
+ * Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
+ */
+interface Permission {
+    resource: string;
+    action: string;
+    conditions?: Record<string, unknown>;
+}
+interface Role {
+    id: string;
+    name: string;
+    description?: string;
+    permissions: Permission[];
+    inherits?: string[];
+}
+interface Policy {
+    id: string;
+    name: string;
+    effect: 'allow' | 'deny';
+    resources: string[];
+    actions: string[];
+    conditions?: PolicyCondition[];
+    priority?: number;
+}
+interface PolicyCondition {
+    field: string;
+    operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'contains';
+    value: unknown;
+}
+interface AuthorizationContext {
+    user: {
+        id: string;
+        roles: string[];
+        attributes?: Record<string, unknown>;
+    };
+    resource?: {
+        type: string;
+        id?: string;
+        owner?: string;
+        attributes?: Record<string, unknown>;
+    };
+    environment?: {
+        time?: Date;
+        ip?: string;
+        userAgent?: string;
+    };
+}
+/**
+ * Authorization system
+ */
+declare class AuthorizationSystem {
+    private roles;
+    private policies;
+    /**
+     * Register role
+     */
+    registerRole(role: Role): void;
+    /**
+     * Get role
+     */
+    getRole(roleId: string): Role | undefined;
+    /**
+     * Register policy
+     */
+    registerPolicy(policy: Policy): void;
+    /**
+     * Check if user has permission (RBAC)
+     */
+    hasPermission(userRoles: string[], resource: string, action: string): boolean;
+    /**
+     * Check access with policies (ABAC)
+     */
+    checkAccess(context: AuthorizationContext, resource: string, action: string): {
+        allowed: boolean;
+        reason?: string;
+    };
+    /**
+     * Get all permissions for roles
+     */
+    private getUserPermissions;
+    /**
+     * Get applicable policies
+     */
+    private getApplicablePolicies;
+    /**
+     * Match resource pattern
+     */
+    private matchesResource;
+    /**
+     * Match action pattern
+     */
+    private matchesAction;
+    /**
+     * Evaluate policy conditions
+     */
+    private evaluateConditions;
+    /**
+     * Get value from context
+     */
+    private getContextValue;
+    /**
+     * Evaluate single condition
+     */
+    private evaluateCondition;
+    /**
+     * Check if user owns resource
+     */
+    ownsResource(userId: string, resource: {
+        owner?: string;
+    }): boolean;
+    /**
+     * Clear all roles and policies
+     */
+    clear(): void;
+}
+/**
+ * Global authorization instance
+ */
+declare const authorization: AuthorizationSystem;
+/**
+ * Common roles — aligned with DB schema (`users.role` column)
+ * and `UserRoleSchema` in @revealui/contracts.
+ *
+ * Values: owner | admin | editor | viewer | agent | contributor
+ */
+declare const CommonRoles: Record<string, Role>;
+/**
+ * Permission builder
+ */
+declare class PermissionBuilder {
+    private permission;
+    resource(resource: string): this;
+    action(action: string): this;
+    conditions(conditions: Record<string, unknown>): this;
+    build(): Permission;
+}
+/**
+ * Policy builder
+ */
+declare class PolicyBuilder {
+    private policy;
+    id(id: string): this;
+    name(name: string): this;
+    allow(): this;
+    deny(): this;
+    resources(...resources: string[]): this;
+    actions(...actions: string[]): this;
+    condition(field: string, operator: PolicyCondition['operator'], value: unknown): this;
+    priority(priority: number): this;
+    build(): Policy;
+}
+/**
+ * Authorization decorators
+ */
+declare function RequirePermission(resource: string, action: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+declare function RequireRole(requiredRole: string): (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+/**
+ * Authorization middleware
+ */
+declare function createAuthorizationMiddleware<TRequest = unknown>(getUser: (request: TRequest) => {
+    id: string;
+    roles: string[];
+}, resource: string, action: string): (request: TRequest, next: () => Promise<unknown>) => Promise<unknown>;
+/**
+ * Resource ownership check
+ */
+declare function canAccessResource(userId: string, userRoles: string[], resource: {
+    type: string;
+    id?: string;
+    owner?: string;
+}, action: string): boolean;
+/**
+ * Attribute-based access control helper
+ */
+declare function checkAttributeAccess(context: AuthorizationContext, resource: string, action: string, requiredAttributes?: Record<string, unknown>): boolean;
+/**
+ * Permission cache for performance
+ */
+declare class PermissionCache {
+    private cache;
+    private ttl;
+    private maxEntries;
+    constructor(ttl?: number, maxEntries?: number);
+    /**
+     * Get cached permission
+     */
+    get(userId: string, resource: string, action: string): boolean | undefined;
+    /**
+     * Set cached permission
+     */
+    set(userId: string, resource: string, action: string, allowed: boolean): void;
+    /**
+     * Clear cache for user
+     */
+    clearUser(userId: string): void;
+    /**
+     * Clear all cache
+     */
+    clear(): void;
+    /**
+     * Get cache key
+     */
+    private getCacheKey;
+}
+/**
+ * Global permission cache
+ */
+declare const permissionCache: PermissionCache;
+/**
+ * Encryption Utilities
+ *
+ * Data encryption for at-rest and in-transit protection
+ */
+interface EncryptionConfig {
+    algorithm: 'AES-GCM' | 'AES-CTR';
+    keySize: 128 | 192 | 256;
+    ivSize?: number;
+    /** Allow key export via exportKey(). Default: false (keys are non-extractable). */
+    extractable?: boolean;
+}
+interface EncryptedData {
+    data: string;
+    iv: string;
+    tag?: string;
+    algorithm: string;
+}
+/**
+ * Encryption system
+ */
+declare class EncryptionSystem {
+    private config;
+    private keys;
+    constructor(config?: Partial<EncryptionConfig>);
+    /**
+     * Generate encryption key
+     */
+    generateKey(keyId?: string): Promise<CryptoKey>;
+    /**
+     * Import key from raw data
+     */
+    importKey(keyData: ArrayBuffer, keyId?: string): Promise<CryptoKey>;
+    /**
+     * Export key to raw data
+     */
+    exportKey(key: CryptoKey): Promise<ArrayBuffer>;
+    /**
+     * Encrypt data
+     */
+    encrypt(data: string, keyOrId: CryptoKey | string): Promise<EncryptedData>;
+    /**
+     * Decrypt data
+     */
+    decrypt(encryptedData: EncryptedData, keyOrId: CryptoKey | string): Promise<string>;
+    /**
+     * Encrypt object
+     */
+    encryptObject<T extends Record<string, unknown>>(obj: T, keyOrId: CryptoKey | string): Promise<EncryptedData>;
+    /**
+     * Decrypt object
+     */
+    decryptObject<T extends Record<string, unknown>>(encryptedData: EncryptedData, keyOrId: CryptoKey | string): Promise<T>;
+    /**
+     * Hash data
+     */
+    hash(data: string, algorithm?: 'SHA-256' | 'SHA-384' | 'SHA-512'): Promise<string>;
+    /**
+     * Generate random bytes
+     */
+    randomBytes(length: number): Uint8Array;
+    /**
+     * Generate random string
+     */
+    randomString(length: number, charset?: string): string;
+    /**
+     * Convert ArrayBuffer to base64
+     */
+    private arrayBufferToBase64;
+    /**
+     * Convert base64 to ArrayBuffer
+     */
+    private base64ToArrayBuffer;
+    /**
+     * Store key
+     */
+    storeKey(keyId: string, key: CryptoKey): void;
+    /**
+     * Get key
+     */
+    getKey(keyId: string): CryptoKey | undefined;
+    /**
+     * Remove key
+     */
+    removeKey(keyId: string): void;
+    /**
+     * Clear all keys
+     */
+    clearKeys(): void;
+}
+/**
+ * Global encryption instance
+ */
+declare const encryption: EncryptionSystem;
+/**
+ * Field-level encryption
+ */
+declare class FieldEncryption {
+    private encryption;
+    private key;
+    constructor(encryption: EncryptionSystem);
+    /**
+     * Initialize with key
+     */
+    initialize(key: CryptoKey): Promise<void>;
+    /**
+     * Encrypt field
+     */
+    encryptField(value: unknown): Promise<EncryptedData>;
+    /**
+     * Decrypt field
+     */
+    decryptField(encryptedData: EncryptedData): Promise<unknown>;
+    /**
+     * Encrypt object fields
+     */
+    encryptFields<T extends Record<string, unknown>>(obj: T, fields: (keyof T)[]): Promise<T>;
+    /**
+     * Decrypt object fields
+     */
+    decryptFields<T extends Record<string, unknown>>(obj: T, fields: (keyof T)[]): Promise<T>;
+}
+/**
+ * Key rotation
+ */
+declare class KeyRotationManager {
+    private encryption;
+    private currentKeyId;
+    private oldKeys;
+    private keyCreationDates;
+    constructor(encryption: EncryptionSystem, initialKeyId: string);
+    /**
+     * Rotate to new key
+     */
+    rotate(newKeyId: string, newKey: CryptoKey): Promise<void>;
+    /**
+     * Re-encrypt data with new key
+     */
+    reencrypt(encryptedData: EncryptedData, oldKeyId: string): Promise<EncryptedData>;
+    /**
+     * Get current key ID
+     */
+    getCurrentKeyId(): string;
+    /**
+     * Clean up old keys created before the specified date.
+     * Never removes the current active key.
+     */
+    cleanupOldKeys(olderThan: Date): void;
+}
+/**
+ * Envelope encryption for large data
+ */
+declare class EnvelopeEncryption {
+    private encryption;
+    private masterKey;
+    constructor(encryption: EncryptionSystem, masterKey: CryptoKey);
+    /**
+     * Encrypt with envelope encryption
+     */
+    encrypt(data: string): Promise<{
+        encryptedData: EncryptedData;
+        encryptedKey: EncryptedData;
+    }>;
+    /**
+     * Decrypt with envelope encryption
+     */
+    decrypt(encryptedData: EncryptedData, encryptedKey: EncryptedData): Promise<string>;
+    private arrayBufferToBase64;
+    private base64ToArrayBuffer;
+}
+/**
+ * Data masking utilities
+ */
+/**
+ * Mask email
+ */
+declare function maskEmail(email: string): string;
+/**
+ * Mask phone number
+ */
+declare function maskPhone(phone: string): string;
+/**
+ * Mask credit card
+ */
+declare function maskCreditCard(card: string): string;
+/**
+ * Mask SSN
+ */
+declare function maskSSN(ssn: string): string;
+/**
+ * Mask string (keep first and last character)
+ */
+declare function maskString(str: string, keepChars?: number): string;
+declare const DataMasking: {
+    readonly maskEmail: typeof maskEmail;
+    readonly maskPhone: typeof maskPhone;
+    readonly maskCreditCard: typeof maskCreditCard;
+    readonly maskSSN: typeof maskSSN;
+    readonly maskString: typeof maskString;
+};
+/**
+ * Secure random token generator
+ */
+/**
+ * Generate secure token. `length` is the number of random bytes;
+ * the returned string is hex-encoded, so it will be `length * 2` characters.
+ */
+declare function generateToken(length?: number): string;
+/**
+ * Generate UUID v4
+ */
+declare function generateUUID(): string;
+/**
+ * Generate API key
+ */
+declare function generateAPIKey(prefix?: string): string;
+/**
+ * Generate session ID
+ */
+declare function generateSessionID(): string;
+declare const TokenGenerator: {
+    readonly generate: typeof generateToken;
+    readonly generateUUID: typeof generateUUID;
+    readonly generateAPIKey: typeof generateAPIKey;
+    readonly generateSessionID: typeof generateSessionID;
+};
+/**
+ * GDPR Storage Abstraction
+ *
+ * Record-oriented storage interface for GDPR compliance data.
+ * Provides a clean seam for replacing the default in-memory implementation
+ * with a database-backed store in production.
+ */
+/**
+ * Storage interface for GDPR consent records and deletion requests.
+ *
+ * All methods are async to support database-backed implementations.
+ * The default `InMemoryGDPRStorage` is suitable for testing and development
+ * but must be replaced with a persistent store for production use.
+ */
+interface GDPRStorage {
+    /**
+     * Store or update a consent record, keyed by `userId:consentType`.
+     */
+    setConsent(userId: string, type: ConsentType, record: ConsentRecord): Promise<void>;
+    /**
+     * Retrieve a consent record by user and type. Returns `undefined` if not found.
+     */
+    getConsent(userId: string, type: ConsentType): Promise<ConsentRecord | undefined>;
+    /**
+     * Retrieve all consent records for a given user.
+     */
+    getConsentsByUser(userId: string): Promise<ConsentRecord[]>;
+    /**
+     * Retrieve every consent record in storage (used for aggregate statistics).
+     */
+    getAllConsents(): Promise<ConsentRecord[]>;
+    /**
+     * Store a deletion request, keyed by its `id`.
+     */
+    setDeletionRequest(request: DataDeletionRequest): Promise<void>;
+    /**
+     * Retrieve a deletion request by ID. Returns `undefined` if not found.
+     */
+    getDeletionRequest(requestId: string): Promise<DataDeletionRequest | undefined>;
+    /**
+     * Retrieve all deletion requests for a given user.
+     */
+    getDeletionRequestsByUser(userId: string): Promise<DataDeletionRequest[]>;
+}
+/**
+ * Storage interface for data breach records.
+ *
+ * All methods are async to support database-backed implementations.
+ * The default `InMemoryBreachStorage` is suitable for testing and development
+ * but must be replaced with a persistent store for production GDPR compliance.
+ */
+interface BreachStorage {
+    /**
+     * Store a data breach record.
+     */
+    setBreach(breach: DataBreach): Promise<void>;
+    /**
+     * Retrieve a breach by ID. Returns `undefined` if not found.
+     */
+    getBreach(id: string): Promise<DataBreach | undefined>;
+    /**
+     * Retrieve all breach records.
+     */
+    getAllBreaches(): Promise<DataBreach[]>;
+    /**
+     * Update an existing breach record (e.g., status change, add mitigation).
+     */
+    updateBreach(id: string, updates: Partial<DataBreach>): Promise<void>;
+}
+/**
+ * In-memory implementation of `BreachStorage`.
+ *
+ * WARNING: All data is lost on process restart or serverless cold start.
+ * GDPR requires breach records be retained — use database-backed storage in production.
+ */
+declare class InMemoryBreachStorage implements BreachStorage {
+    private breaches;
+    setBreach(breach: DataBreach): Promise<void>;
+    getBreach(id: string): Promise<DataBreach | undefined>;
+    getAllBreaches(): Promise<DataBreach[]>;
+    updateBreach(id: string, updates: Partial<DataBreach>): Promise<void>;
+}
+/**
+ * In-memory implementation of `GDPRStorage`.
+ *
+ * WARNING: All data is lost on process restart or serverless cold start.
+ * Use this only for development, testing, or as a reference implementation.
+ * Production deployments MUST supply a database-backed `GDPRStorage`.
+ */
+declare class InMemoryGDPRStorage implements GDPRStorage {
+    private consents;
+    private deletionRequests;
+    setConsent(userId: string, type: ConsentType, record: ConsentRecord): Promise<void>;
+    getConsent(userId: string, type: ConsentType): Promise<ConsentRecord | undefined>;
+    getConsentsByUser(userId: string): Promise<ConsentRecord[]>;
+    getAllConsents(): Promise<ConsentRecord[]>;
+    setDeletionRequest(request: DataDeletionRequest): Promise<void>;
+    getDeletionRequest(requestId: string): Promise<DataDeletionRequest | undefined>;
+    getDeletionRequestsByUser(userId: string): Promise<DataDeletionRequest[]>;
+}
+/**
+ * GDPR Compliance Utilities
+ *
+ * Data privacy, consent management, data export, and right to be forgotten
+ */
+type ConsentType = 'necessary' | 'functional' | 'analytics' | 'marketing' | 'personalization';
+type DataCategory = 'personal' | 'sensitive' | 'financial' | 'health' | 'behavioral' | 'location';
+interface ConsentRecord {
+    id: string;
+    userId: string;
+    type: ConsentType;
+    granted: boolean;
+    timestamp: string;
+    expiresAt?: string;
+    source: 'explicit' | 'implicit' | 'legitimate_interest';
+    version: string;
+    metadata?: Record<string, unknown>;
+}
+interface DataProcessingPurpose {
+    id: string;
+    name: string;
+    description: string;
+    legalBasis: 'consent' | 'contract' | 'legal_obligation' | 'vital_interest' | 'public_interest' | 'legitimate_interest';
+    dataCategories: DataCategory[];
+    retentionPeriod: number;
+    consentRequired: boolean;
+}
+interface PersonalDataExport {
+    userId: string;
+    exportedAt: string;
+    data: {
+        profile: Record<string, unknown>;
+        activities: Record<string, unknown>[];
+        consents: ConsentRecord[];
+        dataProcessing: DataProcessingPurpose[];
+    };
+    format: 'json' | 'csv' | 'pdf';
+}
+interface DataDeletionRequest {
+    id: string;
+    userId: string;
+    requestedAt: string;
+    processedAt?: string;
+    status: 'pending' | 'processing' | 'completed' | 'failed';
+    dataCategories: DataCategory[];
+    reason?: string;
+    retainedData?: string[];
+    deletedData?: string[];
+}
+/**
+ * Consent management system
+ */
+declare class ConsentManager {
+    private readonly storage;
+    private consentVersion;
+    constructor(storage: GDPRStorage);
+    /**
+     * Grant consent
+     */
+    grantConsent(userId: string, type: ConsentType, source?: ConsentRecord['source'], expiresIn?: number): Promise<ConsentRecord>;
+    /**
+     * Revoke consent
+     */
+    revokeConsent(userId: string, type: ConsentType): Promise<void>;
+    /**
+     * Check if consent is granted
+     */
+    hasConsent(userId: string, type: ConsentType): Promise<boolean>;
+    /**
+     * Get all consents for user
+     */
+    getUserConsents(userId: string): Promise<ConsentRecord[]>;
+    /**
+     * Update consent version
+     */
+    setConsentVersion(version: string): void;
+    /**
+     * Check if consent needs renewal
+     */
+    needsRenewal(userId: string, type: ConsentType, maxAge: number): Promise<boolean>;
+    /**
+     * Get consent statistics
+     */
+    getStatistics(): Promise<{
+        total: number;
+        granted: number;
+        revoked: number;
+        expired: number;
+        byType: Record<ConsentType, number>;
+    }>;
+}
+/**
+ * Data export system
+ */
+declare class DataExportSystem {
+    /**
+     * Export user data
+     */
+    exportUserData(userId: string, getUserData: (userId: string) => Promise<{
+        profile: Record<string, unknown>;
+        activities: Record<string, unknown>[];
+        consents: ConsentRecord[];
+    }>, format?: PersonalDataExport['format']): Promise<PersonalDataExport>;
+    /**
+     * Format export as JSON
+     */
+    formatAsJSON(exportData: PersonalDataExport): string;
+    /**
+     * Format export as CSV
+     */
+    formatAsCSV(exportData: PersonalDataExport): string;
+    /**
+     * Create download link
+     */
+    createDownloadLink(content: string, _filename: string, mimeType: string): string;
+}
+/**
+ * Data deletion system (Right to be Forgotten)
+ */
+declare class DataDeletionSystem {
+    private readonly storage;
+    constructor(storage: GDPRStorage);
+    /**
+     * Request data deletion
+     */
+    requestDeletion(userId: string, dataCategories: DataCategory[], reason?: string): Promise<DataDeletionRequest>;
+    /**
+     * Process deletion request
+     */
+    processDeletion(requestId: string, deleteData: (userId: string, categories: DataCategory[]) => Promise<{
+        deleted: string[];
+        retained: string[];
+    }>): Promise<void>;
+    /**
+     * Get deletion request
+     */
+    getRequest(requestId: string): Promise<DataDeletionRequest | undefined>;
+    /**
+     * Get user deletion requests
+     */
+    getUserRequests(userId: string): Promise<DataDeletionRequest[]>;
+    /**
+     * Check if data can be deleted
+     */
+    canDelete(_dataCategory: DataCategory, legalBasis: DataProcessingPurpose['legalBasis']): boolean;
+    /**
+     * Calculate retention period
+     */
+    calculateRetentionEnd(createdAt: Date, retentionPeriod: number): Date;
+    /**
+     * Check if data should be deleted (retention period expired)
+     */
+    shouldDelete(createdAt: Date, retentionPeriod: number): boolean;
+}
+/**
+ * Data anonymization utilities
+ */
+/**
+ * Hash value (irreversible) using SHA-256
+ */
+declare function hashValue(value: string): string;
+/**
+ * Anonymize user data
+ */
+declare function anonymizeUser(user: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Pseudonymize data (one-way, key-dependent)
+ *
+ * Uses HMAC-SHA256 — cryptographically bound to the key, resistant to
+ * length-extension attacks and GPU brute-force (unlike plain SHA-256).
+ */
+declare function pseudonymize(value: string, key: string): string;
+/**
+ * Anonymize dataset
+ */
+declare function anonymizeDataset<T extends Record<string, unknown>>(data: T[], sensitiveFields: (keyof T)[]): T[];
+/**
+ * K-anonymity check
+ */
+declare function checkKAnonymity<T extends Record<string, unknown>>(data: T[], quasiIdentifiers: (keyof T)[], k: number): boolean;
+declare const DataAnonymization: {
+    readonly anonymizeUser: typeof anonymizeUser;
+    readonly pseudonymize: typeof pseudonymize;
+    readonly hashValue: typeof hashValue;
+    readonly anonymizeDataset: typeof anonymizeDataset;
+    readonly checkKAnonymity: typeof checkKAnonymity;
+};
+/**
+ * Privacy policy manager
+ */
+declare class PrivacyPolicyManager {
+    private policies;
+    private currentVersion;
+    /**
+     * Add policy version
+     */
+    addPolicy(version: string, content: string, effectiveDate: Date): void;
+    /**
+     * Get current policy
+     */
+    getCurrentPolicy(): {
+        version: string;
+        content: string;
+        effectiveDate: Date;
+    } | undefined;
+    /**
+     * Get policy by version
+     */
+    getPolicy(version: string): {
+        version: string;
+        content: string;
+        effectiveDate: Date;
+    } | undefined;
+    /**
+     * Check if user accepted current policy
+     */
+    hasAcceptedCurrent(userAcceptedVersion: string): boolean;
+    /**
+     * Get all versions
+     */
+    getAllVersions(): string[];
+}
+/**
+ * Cookie consent banner
+ */
+interface CookieConsentConfig {
+    necessary: boolean;
+    functional: boolean;
+    analytics: boolean;
+    marketing: boolean;
+}
+declare class CookieConsentManager {
+    private config;
+    /**
+     * Set consent configuration
+     */
+    setConsent(config: Partial<CookieConsentConfig>): void;
+    /**
+     * Get consent configuration
+     */
+    getConsent(): CookieConsentConfig;
+    /**
+     * Check if specific consent is granted
+     */
+    hasConsent(type: keyof CookieConsentConfig): boolean;
+    /**
+     * Save to storage
+     */
+    private saveToStorage;
+    /**
+     * Load from storage
+     */
+    loadFromStorage(): void;
+    /**
+     * Clear consent
+     */
+    clearConsent(): void;
+}
+/**
+ * Data breach notification system
+ */
+interface DataBreach {
+    id: string;
+    detectedAt: string;
+    reportedAt?: string;
+    type: 'unauthorized_access' | 'data_loss' | 'data_leak' | 'system_compromise';
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    affectedUsers: string[];
+    dataCategories: DataCategory[];
+    description: string;
+    mitigation?: string;
+    status: 'detected' | 'investigating' | 'notified' | 'resolved';
+}
+declare class DataBreachManager {
+    private readonly storage;
+    constructor(storage?: BreachStorage);
+    /**
+     * Report data breach
+     */
+    reportBreach(breach: Omit<DataBreach, 'id' | 'detectedAt' | 'status'>): Promise<DataBreach>;
+    /**
+     * Notify authorities (required within 72 hours under GDPR)
+     */
+    notifyAuthorities(breach: DataBreach): Promise<void>;
+    /**
+     * Notify affected users
+     */
+    notifyAffectedUsers(breachId: string, notifyFn: (userId: string, breach: DataBreach) => Promise<void>): Promise<void>;
+    /**
+     * Check if breach notification is required
+     */
+    requiresNotification(breach: DataBreach): boolean;
+    /**
+     * Get breach
+     */
+    getBreach(id: string): Promise<DataBreach | undefined>;
+    /**
+     * Get all breaches
+     */
+    getAllBreaches(): Promise<DataBreach[]>;
+}
+/**
+ * Factory functions for GDPR subsystems.
+ *
+ * `ConsentManager` and `DataDeletionSystem` require a `GDPRStorage` implementation.
+ * Use `InMemoryGDPRStorage` only in tests — production MUST use a database-backed store.
+ *
+ * `DataExportSystem`, `PrivacyPolicyManager`, `CookieConsentManager`, and
+ * `DataBreachManager` are stateless or client-side only, so singletons are safe.
+ */
+declare function createConsentManager(storage: GDPRStorage): ConsentManager;
+declare function createDataDeletionSystem(storage: GDPRStorage): DataDeletionSystem;
+declare const dataExportSystem: DataExportSystem;
+declare const privacyPolicyManager: PrivacyPolicyManager;
+declare const cookieConsentManager: CookieConsentManager;
+declare function createDataBreachManager(storage?: BreachStorage): DataBreachManager;
+declare const dataBreachManager: DataBreachManager;
+/**
+ * Security Headers and CORS Configuration
+ *
+ * HTTP security headers and CORS policy management
+ */
+interface SecurityHeadersConfig {
+    contentSecurityPolicy?: string | ContentSecurityPolicyConfig;
+    strictTransportSecurity?: boolean | HSTSConfig;
+    xFrameOptions?: 'DENY' | 'SAMEORIGIN' | string;
+    xContentTypeOptions?: boolean;
+    referrerPolicy?: ReferrerPolicyValue;
+    permissionsPolicy?: string | PermissionsPolicyConfig;
+    crossOriginEmbedderPolicy?: 'require-corp' | 'credentialless';
+    crossOriginOpenerPolicy?: 'same-origin' | 'same-origin-allow-popups' | 'unsafe-none';
+    crossOriginResourcePolicy?: 'same-origin' | 'same-site' | 'cross-origin';
+}
+interface ContentSecurityPolicyConfig {
+    defaultSrc?: string[];
+    scriptSrc?: string[];
+    styleSrc?: string[];
+    imgSrc?: string[];
+    fontSrc?: string[];
+    connectSrc?: string[];
+    frameSrc?: string[];
+    objectSrc?: string[];
+    mediaSrc?: string[];
+    workerSrc?: string[];
+    childSrc?: string[];
+    formAction?: string[];
+    frameAncestors?: string[];
+    baseUri?: string[];
+    manifestSrc?: string[];
+    upgradeInsecureRequests?: boolean;
+    blockAllMixedContent?: boolean;
+    reportUri?: string;
+    reportTo?: string;
+}
+interface HSTSConfig {
+    maxAge: number;
+    includeSubDomains?: boolean;
+    preload?: boolean;
+}
+type ReferrerPolicyValue = 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';
+interface PermissionsPolicyConfig {
+    accelerometer?: string[];
+    ambientLightSensor?: string[];
+    autoplay?: string[];
+    battery?: string[];
+    camera?: string[];
+    displayCapture?: string[];
+    documentDomain?: string[];
+    encryptedMedia?: string[];
+    fullscreen?: string[];
+    geolocation?: string[];
+    gyroscope?: string[];
+    magnetometer?: string[];
+    microphone?: string[];
+    midi?: string[];
+    payment?: string[];
+    pictureInPicture?: string[];
+    publicKeyCredentials?: string[];
+    screenWakeLock?: string[];
+    syncXhr?: string[];
+    usb?: string[];
+    webShare?: string[];
+    xrSpatialTracking?: string[];
+}
+interface CORSConfig {
+    origin?: string | string[] | ((origin: string) => boolean);
+    methods?: string[];
+    allowedHeaders?: string[];
+    exposedHeaders?: string[];
+    credentials?: boolean;
+    maxAge?: number;
+    preflightContinue?: boolean;
+    optionsSuccessStatus?: number;
+}
+/**
+ * Security headers manager
+ */
+declare class SecurityHeaders {
+    private config;
+    constructor(config?: SecurityHeadersConfig);
+    /**
+     * Get all security headers
+     */
+    getHeaders(): Record<string, string>;
+    /**
+     * Build Content Security Policy header
+     */
+    private buildCSP;
+    /**
+     * Build HSTS header
+     */
+    private buildHSTS;
+    /**
+     * Build Permissions-Policy header
+     */
+    private buildPermissionsPolicy;
+    /**
+     * Apply headers to response
+     */
+    applyHeaders(response: Response): Response;
+}
+/**
+ * CORS manager
+ */
+declare class CORSManager {
+    private config;
+    constructor(config?: CORSConfig);
+    /**
+     * Check if origin is allowed
+     */
+    isOriginAllowed(origin: string): boolean;
+    /**
+     * Get CORS headers
+     */
+    getCORSHeaders(origin: string): Record<string, string>;
+    /**
+     * Get preflight headers
+     */
+    getPreflightHeaders(origin: string): Record<string, string>;
+    /**
+     * Handle CORS request
+     */
+    handleRequest(request: Request): Response | null;
+    /**
+     * Handle preflight request
+     */
+    handlePreflight(_request: Request, origin: string): Response;
+    /**
+     * Apply CORS headers to response
+     */
+    applyHeaders(response: Response, origin: string): Response;
+}
+/**
+ * Common security header presets
+ */
+declare const SecurityPresets: {
+    /**
+     * Strict security (recommended for production)
+     */
+    strict: () => SecurityHeadersConfig;
+    /**
+     * Moderate security (balanced)
+     */
+    moderate: () => SecurityHeadersConfig;
+    /**
+     * Development (permissive)
+     */
+    development: () => SecurityHeadersConfig;
+};
+/**
+ * Common CORS presets
+ */
+declare const CORSPresets: {
+    /**
+     * Strict CORS (same origin only)
+     */
+    strict: () => CORSConfig;
+    /**
+     * Moderate CORS (specific origins)
+     */
+    moderate: (allowedOrigins: string[]) => CORSConfig;
+    /**
+     * Permissive CORS (all origins) — development only.
+     * Logs a warning if used when NODE_ENV === 'production'.
+     */
+    permissive: () => CORSConfig;
+    /**
+     * API CORS (public read-only APIs) — credentials disabled.
+     * Logs a warning if used when NODE_ENV === 'production'.
+     */
+    api: () => CORSConfig;
+};
+/**
+ * Security middleware creator
+ */
+declare function createSecurityMiddleware(securityConfig?: SecurityHeadersConfig, corsConfig?: CORSConfig): (request: Request, next: () => Promise<Response>) => Promise<Response>;
+/**
+ * Rate limiting headers
+ */
+declare function setRateLimitHeaders(response: Response, limit: number, remaining: number, reset: number): void;
+/**
+ * Internal logger for @revealui/security.
+ *
+ * Defaults to `console`. Consumers should call `configureSecurityLogger()`
+ * to supply a structured logger (e.g. from `@revealui/utils/logger`).
+ */
+interface SecurityLogger {
+    warn(message: string, ...args: unknown[]): void;
+    error(message: string, ...args: unknown[]): void;
+    info(message: string, ...args: unknown[]): void;
+    debug(message: string, ...args: unknown[]): void;
+}
+/**
+ * Replace the default console logger with a structured logger.
+ */
+declare function configureSecurityLogger(logger: SecurityLogger): void;
+export { type AuditEvent, type AuditEventType, type AuditQuery, AuditReportGenerator, type AuditSeverity, type AuditStorage, AuditSystem, AuditTrail, type AuthorizationContext, AuthorizationSystem, type BreachStorage, type CORSConfig, CORSManager, CORSPresets, CommonRoles, ConsentManager, type ConsentRecord, type ConsentType, type ContentSecurityPolicyConfig, type CookieConsentConfig, CookieConsentManager, DataAnonymization, type DataBreach, DataBreachManager, type DataCategory, type DataDeletionRequest, DataDeletionSystem, DataExportSystem, DataMasking, type DataProcessingPurpose, type EncryptedData, type EncryptionConfig, EncryptionSystem, EnvelopeEncryption, FieldEncryption, type GDPRStorage, type HSTSConfig, InMemoryAuditStorage, InMemoryBreachStorage, InMemoryGDPRStorage, KeyRotationManager, OAuthClient, type OAuthConfig, OAuthProviders, PasswordHasher, type Permission, PermissionBuilder, PermissionCache, type PermissionsPolicyConfig, type PersonalDataExport, type Policy, PolicyBuilder, type PolicyCondition, PrivacyPolicyManager, type ReferrerPolicyValue, RequirePermission, RequireRole, type Role, SecurityHeaders, type SecurityHeadersConfig, type SecurityLogger, SecurityPresets, TokenGenerator, TwoFactorAuth, type User, audit, authorization, canAccessResource, checkAttributeAccess, configureSecurityLogger, cookieConsentManager, createAuditMiddleware, createAuthorizationMiddleware, createConsentManager, createDataBreachManager, createDataDeletionSystem, createSecurityMiddleware, dataBreachManager, dataExportSystem, encryption, permissionCache, privacyPolicyManager, setRateLimitHeaders };