npm - @revealui/security - Versions diffs - 0.2.4 → 0.2.5 - Mend

@revealui/security 0.2.4 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/audit-UF7PIYBU.js +21 -0
package/dist/audit-UF7PIYBU.js.map +1 -0
package/dist/chunk-Q5KAPSST.js +429 -0
package/dist/chunk-Q5KAPSST.js.map +1 -0
package/dist/index.d.ts +149 -1
package/dist/index.js +199 -370
package/dist/index.js.map +1 -1
package/package.json +3 -3

package/dist/audit-UF7PIYBU.js ADDED Viewed

@@ -0,0 +1,21 @@
+import {
+  AuditReportGenerator,
+  AuditSystem,
+  AuditTrail,
+  InMemoryAuditStorage,
+  audit,
+  createAuditMiddleware,
+  signAuditEntry,
+  verifyAuditEntry
+} from "./chunk-Q5KAPSST.js";
+export {
+  AuditReportGenerator,
+  AuditSystem,
+  AuditTrail,
+  InMemoryAuditStorage,
+  audit,
+  createAuditMiddleware,
+  signAuditEntry,
+  verifyAuditEntry
+};
+//# sourceMappingURL=audit-UF7PIYBU.js.map

package/dist/audit-UF7PIYBU.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/chunk-Q5KAPSST.js ADDED Viewed

@@ -0,0 +1,429 @@
+// src/audit.ts
+var AuditSystem = class {
+  storage;
+  filters = [];
+  constructor(storage) {
+    this.storage = storage;
+  }
+  /**
+   * Replace the backing storage (e.g. swap InMemory for Postgres at startup).
+   * Events already written to the old storage are NOT migrated.
+   */
+  setStorage(storage) {
+    this.storage = storage;
+  }
+  /**
+   * Log audit event
+   */
+  async log(event) {
+    const fullEvent = {
+      ...event,
+      id: crypto.randomUUID(),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    const shouldLog = this.filters.every((filter) => filter(fullEvent));
+    if (!shouldLog) {
+      return;
+    }
+    await this.storage.write(fullEvent);
+  }
+  /**
+   * Log authentication event
+   */
+  async logAuth(type, actorId, result, metadata) {
+    await this.log({
+      type,
+      severity: result === "failure" ? "medium" : "low",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type.replace("auth.", ""),
+      result,
+      metadata
+    });
+  }
+  /**
+   * Log data access event
+   */
+  async logDataAccess(action, actorId, resourceType, resourceId, result, changes) {
+    await this.log({
+      type: `data.${action}`,
+      severity: action === "delete" ? "high" : "medium",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      resource: {
+        type: resourceType,
+        id: resourceId
+      },
+      action,
+      result,
+      changes
+    });
+  }
+  /**
+   * Log permission change
+   */
+  async logPermissionChange(action, actorId, targetUserId, permission, result) {
+    await this.log({
+      type: `permission.${action}`,
+      severity: "high",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      resource: {
+        type: "user",
+        id: targetUserId
+      },
+      action,
+      result,
+      metadata: {
+        permission
+      }
+    });
+  }
+  /**
+   * Log security event
+   */
+  async logSecurityEvent(type, severity, actorId, message, metadata) {
+    await this.log({
+      type: `security.${type}`,
+      severity,
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type,
+      result: "failure",
+      message,
+      metadata
+    });
+  }
+  /**
+   * Log GDPR event
+   */
+  async logGDPREvent(type, actorId, result, metadata) {
+    await this.log({
+      type: `gdpr.${type}`,
+      severity: "high",
+      actor: {
+        id: actorId,
+        type: "user"
+      },
+      action: type,
+      result,
+      metadata
+    });
+  }
+  /**
+   * Query audit logs
+   */
+  async query(query) {
+    return this.storage.query(query);
+  }
+  /**
+   * Count audit logs
+   */
+  async count(query) {
+    return this.storage.count(query);
+  }
+  /**
+   * Add filter
+   */
+  addFilter(filter) {
+    this.filters.push(filter);
+  }
+  /**
+   * Remove filter
+   */
+  removeFilter(filter) {
+    const index = this.filters.indexOf(filter);
+    if (index > -1) {
+      this.filters.splice(index, 1);
+    }
+  }
+};
+var InMemoryAuditStorage = class {
+  events = [];
+  maxEvents;
+  constructor(maxEvents = 1e4) {
+    this.maxEvents = maxEvents;
+  }
+  async write(event) {
+    this.events.push(event);
+    if (this.events.length > this.maxEvents) {
+      this.events.shift();
+    }
+  }
+  async query(query) {
+    let results = [...this.events];
+    if (query.types && query.types.length > 0) {
+      results = results.filter((e) => query.types?.includes(e.type));
+    }
+    if (query.actorId) {
+      results = results.filter((e) => e.actor.id === query.actorId);
+    }
+    if (query.resourceType) {
+      results = results.filter((e) => e.resource?.type === query.resourceType);
+    }
+    if (query.resourceId) {
+      results = results.filter((e) => e.resource?.id === query.resourceId);
+    }
+    if (query.startDate) {
+      const startDate = query.startDate;
+      results = results.filter((e) => new Date(e.timestamp) >= startDate);
+    }
+    if (query.endDate) {
+      const endDate = query.endDate;
+      results = results.filter((e) => new Date(e.timestamp) <= endDate);
+    }
+    if (query.severity && query.severity.length > 0) {
+      results = results.filter((e) => query.severity?.includes(e.severity));
+    }
+    if (query.result && query.result.length > 0) {
+      results = results.filter((e) => query.result?.includes(e.result));
+    }
+    results.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+    const offset = query.offset || 0;
+    const limit = query.limit || 100;
+    return results.slice(offset, offset + limit);
+  }
+  async count(query) {
+    const results = await this.query({ ...query, limit: void 0, offset: void 0 });
+    return results.length;
+  }
+  /**
+   * Clear all events
+   */
+  clear() {
+    this.events = [];
+  }
+  /**
+   * Get all events
+   */
+  getAll() {
+    return [...this.events];
+  }
+};
+function AuditTrail(type, action, options) {
+  return (_target, _propertyKey, descriptor) => {
+    const originalMethod = descriptor.value;
+    descriptor.value = async function(...args) {
+      const actorId = this.user?.id || "system";
+      const before = options?.captureChanges ? args[0] : void 0;
+      let result = "success";
+      let error;
+      try {
+        const returnValue = await originalMethod.apply(this, args);
+        if (this.audit) {
+          await this.audit.log({
+            type,
+            severity: options?.severity || "medium",
+            actor: {
+              id: actorId,
+              type: "user"
+            },
+            resource: options?.resourceType ? {
+              type: options.resourceType,
+              id: args[0]?.id || "unknown"
+            } : void 0,
+            action,
+            result,
+            changes: options?.captureChanges ? {
+              before,
+              after: returnValue
+            } : void 0
+          });
+        }
+        return returnValue;
+      } catch (err) {
+        result = "failure";
+        error = err;
+        if (this.audit) {
+          await this.audit.log({
+            type,
+            severity: "high",
+            actor: {
+              id: actorId,
+              type: "user"
+            },
+            resource: options?.resourceType ? {
+              type: options.resourceType,
+              id: args[0]?.id || "unknown"
+            } : void 0,
+            action,
+            result,
+            message: error.message
+          });
+        }
+        throw error;
+      }
+    };
+    return descriptor;
+  };
+}
+function createAuditMiddleware(audit2, getUser) {
+  return async (request, next) => {
+    const user = getUser(request);
+    const startTime = Date.now();
+    try {
+      const response = await next();
+      await audit2.log({
+        type: "data.read",
+        severity: "low",
+        actor: {
+          id: user.id,
+          type: "user",
+          ip: user.ip,
+          userAgent: user.userAgent
+        },
+        action: request.method,
+        result: "success",
+        metadata: {
+          path: request.url,
+          duration: Date.now() - startTime,
+          status: response.status
+        }
+      });
+      return response;
+    } catch (error) {
+      await audit2.log({
+        type: "data.read",
+        severity: "medium",
+        actor: {
+          id: user.id,
+          type: "user",
+          ip: user.ip,
+          userAgent: user.userAgent
+        },
+        action: request.method,
+        result: "failure",
+        message: error instanceof Error ? error.message : "Unknown error",
+        metadata: {
+          path: request.url,
+          duration: Date.now() - startTime
+        }
+      });
+      throw error;
+    }
+  };
+}
+var AuditReportGenerator = class {
+  constructor(audit2) {
+    this.audit = audit2;
+  }
+  /**
+   * Generate security report
+   */
+  async generateSecurityReport(startDate, endDate) {
+    const allEvents = await this.audit.query({
+      startDate,
+      endDate
+    });
+    const securityViolations = allEvents.filter((e) => e.type.startsWith("security.")).length;
+    const failedLogins = allEvents.filter((e) => e.type === "auth.failed_login").length;
+    const permissionChanges = allEvents.filter((e) => e.type.startsWith("permission.")).length;
+    const dataExports = allEvents.filter((e) => e.type === "data.export").length;
+    const criticalEvents = allEvents.filter((e) => e.severity === "critical");
+    return {
+      totalEvents: allEvents.length,
+      securityViolations,
+      failedLogins,
+      permissionChanges,
+      dataExports,
+      criticalEvents
+    };
+  }
+  /**
+   * Generate user activity report
+   */
+  async generateUserActivityReport(userId, startDate, endDate) {
+    const events = await this.audit.query({
+      actorId: userId,
+      startDate,
+      endDate
+    });
+    const actionsByType = events.reduce(
+      (acc, event) => {
+        acc[event.type] = (acc[event.type] || 0) + 1;
+        return acc;
+      },
+      {}
+    );
+    const failedActions = events.filter((e) => e.result === "failure").length;
+    return {
+      totalActions: events.length,
+      actionsByType,
+      failedActions,
+      recentActions: events.slice(0, 10)
+    };
+  }
+  /**
+   * Generate compliance report
+   */
+  async generateComplianceReport(startDate, endDate) {
+    const events = await this.audit.query({
+      startDate,
+      endDate
+    });
+    const dataAccesses = events.filter((e) => e.type === "data.read").length;
+    const dataModifications = events.filter(
+      (e) => e.type === "data.update" || e.type === "data.create"
+    ).length;
+    const dataDeletions = events.filter((e) => e.type === "data.delete").length;
+    const gdprRequests = events.filter((e) => e.type.startsWith("gdpr.")).length;
+    const auditTrailComplete = this.checkAuditTrailContinuity(events);
+    return {
+      dataAccesses,
+      dataModifications,
+      dataDeletions,
+      gdprRequests,
+      auditTrailComplete
+    };
+  }
+  /**
+   * Check audit trail continuity
+   */
+  checkAuditTrailContinuity(events) {
+    if (events.length === 0) return true;
+    const sorted = events.sort(
+      (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime()
+    );
+    return sorted.length > 0;
+  }
+};
+async function signAuditEntry(entry, secret) {
+  const { createHmac } = await import("crypto");
+  const canonical = JSON.stringify({
+    timestamp: entry.timestamp,
+    eventType: entry.eventType,
+    severity: entry.severity,
+    agentId: entry.agentId,
+    payload: entry.payload
+  });
+  return createHmac("sha256", secret).update(canonical).digest("hex");
+}
+async function verifyAuditEntry(entry, signature, secret) {
+  const { timingSafeEqual } = await import("crypto");
+  const expected = await signAuditEntry(entry, secret);
+  if (expected.length !== signature.length) {
+    return false;
+  }
+  return timingSafeEqual(Buffer.from(expected), Buffer.from(signature));
+}
+var audit = new AuditSystem(new InMemoryAuditStorage());
+export {
+  AuditSystem,
+  InMemoryAuditStorage,
+  AuditTrail,
+  createAuditMiddleware,
+  AuditReportGenerator,
+  signAuditEntry,
+  verifyAuditEntry,
+  audit
+};
+//# sourceMappingURL=chunk-Q5KAPSST.js.map

package/dist/chunk-Q5KAPSST.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/audit.ts"],"sourcesContent":["/**\n * Audit Logging System\n *\n * Track security-relevant events and user actions for compliance\n */\n\nexport type AuditEventType =\n | 'auth.login'\n | 'auth.logout'\n | 'auth.failed_login'\n | 'auth.password_change'\n | 'auth.password_reset'\n | 'auth.mfa_enabled'\n | 'auth.mfa_disabled'\n | 'user.create'\n | 'user.update'\n | 'user.delete'\n | 'user.view'\n | 'data.create'\n | 'data.read'\n | 'data.update'\n | 'data.delete'\n | 'data.export'\n | 'permission.grant'\n | 'permission.revoke'\n | 'role.assign'\n | 'role.remove'\n | 'config.change'\n | 'security.violation'\n | 'security.alert'\n | 'gdpr.consent'\n | 'gdpr.data_request'\n | 'gdpr.data_deletion'\n | `data.${string}`\n | `permission.${string}`\n | `security.${string}`\n | `gdpr.${string}`;\n\nexport type AuditSeverity = 'low' | 'medium' | 'high' | 'critical';\n\nexport interface AuditEvent {\n id: string;\n timestamp: string;\n type: AuditEventType;\n severity: AuditSeverity;\n actor: {\n id: string;\n type: 'user' | 'system' | 'api';\n ip?: string;\n userAgent?: string;\n };\n resource?: {\n type: string;\n id: string;\n name?: string;\n };\n action: string;\n result: 'success' | 'failure' | 'partial';\n changes?: {\n before?: Record<string, unknown>;\n after?: Record<string, unknown>;\n };\n metadata?: Record<string, unknown>;\n message?: string;\n}\n\nexport interface AuditQuery {\n types?: AuditEventType[];\n actorId?: string;\n resourceType?: string;\n resourceId?: string;\n startDate?: Date;\n endDate?: Date;\n severity?: AuditSeverity[];\n result?: ('success' | 'failure' | 'partial')[];\n limit?: number;\n offset?: number;\n}\n\nexport interface AuditStorage {\n write(event: AuditEvent): Promise<void>;\n query(query: AuditQuery): Promise<AuditEvent[]>;\n count(query: AuditQuery): Promise<number>;\n}\n\n/**\n * Audit logging system\n */\nexport class AuditSystem {\n private storage: AuditStorage;\n private filters: Array<(event: AuditEvent) => boolean> = [];\n\n constructor(storage: AuditStorage) {\n this.storage = storage;\n }\n\n /**\n * Replace the backing storage (e.g. swap InMemory for Postgres at startup).\n * Events already written to the old storage are NOT migrated.\n */\n setStorage(storage: AuditStorage): void {\n this.storage = storage;\n }\n\n /**\n * Log audit event\n */\n async log(event: Omit<AuditEvent, 'id' | 'timestamp'>): Promise<void> {\n const fullEvent: AuditEvent = {\n ...event,\n id: crypto.randomUUID(),\n timestamp: new Date().toISOString(),\n };\n\n // Apply filters\n const shouldLog = this.filters.every((filter) => filter(fullEvent));\n\n if (!shouldLog) {\n return;\n }\n\n await this.storage.write(fullEvent);\n }\n\n /**\n * Log authentication event\n */\n async logAuth(\n type: Extract<\n AuditEventType,\n 'auth.login' | 'auth.logout' | 'auth.failed_login' | 'auth.password_change'\n >,\n actorId: string,\n result: 'success' | 'failure',\n metadata?: Record<string, unknown>,\n ): Promise<void> {\n await this.log({\n type,\n severity: result === 'failure' ? 'medium' : 'low',\n actor: {\n id: actorId,\n type: 'user',\n },\n action: (type as string).replace('auth.', ''),\n result,\n metadata,\n });\n }\n\n /**\n * Log data access event\n */\n async logDataAccess(\n action: 'create' | 'read' | 'update' | 'delete',\n actorId: string,\n resourceType: string,\n resourceId: string,\n result: 'success' | 'failure',\n changes?: { before?: Record<string, unknown>; after?: Record<string, unknown> },\n ): Promise<void> {\n await this.log({\n type: `data.${action}` as AuditEventType,\n severity: action === 'delete' ? 'high' : 'medium',\n actor: {\n id: actorId,\n type: 'user',\n },\n resource: {\n type: resourceType,\n id: resourceId,\n },\n action,\n result,\n changes,\n });\n }\n\n /**\n * Log permission change\n */\n async logPermissionChange(\n action: 'grant' | 'revoke',\n actorId: string,\n targetUserId: string,\n permission: string,\n result: 'success' | 'failure',\n ): Promise<void> {\n await this.log({\n type: `permission.${action}` as AuditEventType,\n severity: 'high',\n actor: {\n id: actorId,\n type: 'user',\n },\n resource: {\n type: 'user',\n id: targetUserId,\n },\n action,\n result,\n metadata: {\n permission,\n },\n });\n }\n\n /**\n * Log security event\n */\n async logSecurityEvent(\n type: 'violation' | 'alert',\n severity: AuditSeverity,\n actorId: string,\n message: string,\n metadata?: Record<string, unknown>,\n ): Promise<void> {\n await this.log({\n type: `security.${type}` as AuditEventType,\n severity,\n actor: {\n id: actorId,\n type: 'user',\n },\n action: type,\n result: 'failure',\n message,\n metadata,\n });\n }\n\n /**\n * Log GDPR event\n */\n async logGDPREvent(\n type: 'consent' | 'data_request' | 'data_deletion',\n actorId: string,\n result: 'success' | 'failure',\n metadata?: Record<string, unknown>,\n ): Promise<void> {\n await this.log({\n type: `gdpr.${type}` as AuditEventType,\n severity: 'high',\n actor: {\n id: actorId,\n type: 'user',\n },\n action: type,\n result,\n metadata,\n });\n }\n\n /**\n * Query audit logs\n */\n async query(query: AuditQuery): Promise<AuditEvent[]> {\n return this.storage.query(query);\n }\n\n /**\n * Count audit logs\n */\n async count(query: AuditQuery): Promise<number> {\n return this.storage.count(query);\n }\n\n /**\n * Add filter\n */\n addFilter(filter: (event: AuditEvent) => boolean): void {\n this.filters.push(filter);\n }\n\n /**\n * Remove filter\n */\n removeFilter(filter: (event: AuditEvent) => boolean): void {\n const index = this.filters.indexOf(filter);\n if (index > -1) {\n this.filters.splice(index, 1);\n }\n }\n}\n\n/**\n * In-memory audit storage (for development)\n */\nexport class InMemoryAuditStorage implements AuditStorage {\n private events: AuditEvent[] = [];\n private maxEvents: number;\n\n constructor(maxEvents: number = 10000) {\n this.maxEvents = maxEvents;\n }\n\n async write(event: AuditEvent): Promise<void> {\n this.events.push(event);\n\n // Trim old events\n if (this.events.length > this.maxEvents) {\n this.events.shift();\n }\n }\n\n async query(query: AuditQuery): Promise<AuditEvent[]> {\n let results = [...this.events];\n\n // Filter by type\n if (query.types && query.types.length > 0) {\n results = results.filter((e) => query.types?.includes(e.type));\n }\n\n // Filter by actor\n if (query.actorId) {\n results = results.filter((e) => e.actor.id === query.actorId);\n }\n\n // Filter by resource\n if (query.resourceType) {\n results = results.filter((e) => e.resource?.type === query.resourceType);\n }\n\n if (query.resourceId) {\n results = results.filter((e) => e.resource?.id === query.resourceId);\n }\n\n // Filter by date range\n if (query.startDate) {\n const startDate = query.startDate;\n results = results.filter((e) => new Date(e.timestamp) >= startDate);\n }\n\n if (query.endDate) {\n const endDate = query.endDate;\n results = results.filter((e) => new Date(e.timestamp) <= endDate);\n }\n\n // Filter by severity\n if (query.severity && query.severity.length > 0) {\n results = results.filter((e) => query.severity?.includes(e.severity));\n }\n\n // Filter by result\n if (query.result && query.result.length > 0) {\n results = results.filter((e) => query.result?.includes(e.result));\n }\n\n // Sort by timestamp (newest first)\n results.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());\n\n // Apply pagination\n const offset = query.offset || 0;\n const limit = query.limit || 100;\n\n return results.slice(offset, offset + limit);\n }\n\n async count(query: AuditQuery): Promise<number> {\n const results = await this.query({ ...query, limit: undefined, offset: undefined });\n return results.length;\n }\n\n /**\n * Clear all events\n */\n clear(): void {\n this.events = [];\n }\n\n /**\n * Get all events\n */\n getAll(): AuditEvent[] {\n return [...this.events];\n }\n}\n\n/**\n * Audit trail decorator\n */\nexport function AuditTrail(\n type: AuditEventType,\n action: string,\n options?: {\n severity?: AuditSeverity;\n captureChanges?: boolean;\n resourceType?: string;\n },\n) {\n return (_target: object, _propertyKey: string, descriptor: PropertyDescriptor) => {\n const originalMethod = descriptor.value;\n\n descriptor.value = async function (\n this: { user?: { id?: string }; audit?: AuditSystem },\n ...args: unknown[]\n ) {\n const actorId = this.user?.id || 'system';\n const before = options?.captureChanges ? args[0] : undefined;\n\n let result: 'success' | 'failure' | 'partial' = 'success';\n let error: Error | undefined;\n\n try {\n const returnValue = await originalMethod.apply(this, args);\n\n // Log audit event\n if (this.audit) {\n await this.audit.log({\n type,\n severity: options?.severity || 'medium',\n actor: {\n id: actorId,\n type: 'user',\n },\n resource: options?.resourceType\n ? {\n type: options.resourceType,\n id: (args[0] as { id?: string })?.id || 'unknown',\n }\n : undefined,\n action,\n result,\n changes: options?.captureChanges\n ? {\n before: before as Record<string, unknown> | undefined,\n after: returnValue as Record<string, unknown> | undefined,\n }\n : undefined,\n });\n }\n\n return returnValue;\n } catch (err) {\n result = 'failure';\n error = err as Error;\n\n // Log failure\n if (this.audit) {\n await this.audit.log({\n type,\n severity: 'high',\n actor: {\n id: actorId,\n type: 'user',\n },\n resource: options?.resourceType\n ? {\n type: options.resourceType,\n id: (args[0] as { id?: string })?.id || 'unknown',\n }\n : undefined,\n action,\n result,\n message: error.message,\n });\n }\n\n throw error;\n }\n };\n\n return descriptor;\n };\n}\n\n/**\n * Audit middleware\n */\nexport function createAuditMiddleware<TRequest = unknown, TResponse = unknown>(\n audit: AuditSystem,\n getUser: (request: TRequest) => { id: string; ip?: string; userAgent?: string },\n) {\n return async (\n request: TRequest & { method: string; url: string },\n next: () => Promise<TResponse & { status?: number }>,\n ) => {\n const user = getUser(request);\n const startTime = Date.now();\n\n try {\n const response = await next();\n\n // Log successful request\n await audit.log({\n type: 'data.read',\n severity: 'low',\n actor: {\n id: user.id,\n type: 'user',\n ip: user.ip,\n userAgent: user.userAgent,\n },\n action: request.method,\n result: 'success',\n metadata: {\n path: request.url,\n duration: Date.now() - startTime,\n status: response.status,\n },\n });\n\n return response;\n } catch (error) {\n // Log failed request\n await audit.log({\n type: 'data.read',\n severity: 'medium',\n actor: {\n id: user.id,\n type: 'user',\n ip: user.ip,\n userAgent: user.userAgent,\n },\n action: request.method,\n result: 'failure',\n message: error instanceof Error ? error.message : 'Unknown error',\n metadata: {\n path: request.url,\n duration: Date.now() - startTime,\n },\n });\n\n throw error;\n }\n };\n}\n\n/**\n * Audit report generator\n */\nexport class AuditReportGenerator {\n constructor(private audit: AuditSystem) {}\n\n /**\n * Generate security report\n */\n async generateSecurityReport(\n startDate: Date,\n endDate: Date,\n ): Promise<{\n totalEvents: number;\n securityViolations: number;\n failedLogins: number;\n permissionChanges: number;\n dataExports: number;\n criticalEvents: AuditEvent[];\n }> {\n const allEvents = await this.audit.query({\n startDate,\n endDate,\n });\n\n const securityViolations = allEvents.filter((e) => e.type.startsWith('security.')).length;\n\n const failedLogins = allEvents.filter((e) => e.type === 'auth.failed_login').length;\n\n const permissionChanges = allEvents.filter((e) => e.type.startsWith('permission.')).length;\n\n const dataExports = allEvents.filter((e) => e.type === 'data.export').length;\n\n const criticalEvents = allEvents.filter((e) => e.severity === 'critical');\n\n return {\n totalEvents: allEvents.length,\n securityViolations,\n failedLogins,\n permissionChanges,\n dataExports,\n criticalEvents,\n };\n }\n\n /**\n * Generate user activity report\n */\n async generateUserActivityReport(\n userId: string,\n startDate: Date,\n endDate: Date,\n ): Promise<{\n totalActions: number;\n actionsByType: Record<string, number>;\n failedActions: number;\n recentActions: AuditEvent[];\n }> {\n const events = await this.audit.query({\n actorId: userId,\n startDate,\n endDate,\n });\n\n const actionsByType = events.reduce(\n (acc, event) => {\n acc[event.type] = (acc[event.type] || 0) + 1;\n return acc;\n },\n {} as Record<string, number>,\n );\n\n const failedActions = events.filter((e) => e.result === 'failure').length;\n\n return {\n totalActions: events.length,\n actionsByType,\n failedActions,\n recentActions: events.slice(0, 10),\n };\n }\n\n /**\n * Generate compliance report\n */\n async generateComplianceReport(\n startDate: Date,\n endDate: Date,\n ): Promise<{\n dataAccesses: number;\n dataModifications: number;\n dataDeletions: number;\n gdprRequests: number;\n auditTrailComplete: boolean;\n }> {\n const events = await this.audit.query({\n startDate,\n endDate,\n });\n\n const dataAccesses = events.filter((e) => e.type === 'data.read').length;\n\n const dataModifications = events.filter(\n (e) => e.type === 'data.update' || e.type === 'data.create',\n ).length;\n\n const dataDeletions = events.filter((e) => e.type === 'data.delete').length;\n\n const gdprRequests = events.filter((e) => e.type.startsWith('gdpr.')).length;\n\n // Check if audit trail is complete (no gaps)\n const auditTrailComplete = this.checkAuditTrailContinuity(events);\n\n return {\n dataAccesses,\n dataModifications,\n dataDeletions,\n gdprRequests,\n auditTrailComplete,\n };\n }\n\n /**\n * Check audit trail continuity\n */\n private checkAuditTrailContinuity(events: AuditEvent[]): boolean {\n if (events.length === 0) return true;\n\n // Sort by timestamp\n const sorted = events.sort(\n (a, b) => new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime(),\n );\n\n // Check for gaps (simplified - just check if we have events)\n return sorted.length > 0;\n }\n}\n\n// =============================================================================\n// Audit Log Integrity — HMAC-SHA256 Signing\n// =============================================================================\n\n/** Fields included in the HMAC signature for tamper detection. */\ninterface SignableFields {\n timestamp: string;\n eventType: string;\n severity: string;\n agentId: string;\n payload: unknown;\n}\n\n/**\n * Compute an HMAC-SHA256 signature over the canonical fields of an audit entry.\n *\n * The signature covers `timestamp`, `eventType`, `severity`, `agentId`, and\n * `payload` — the immutable core of every audit record. Changing any of\n * these fields after signing will cause verification to fail.\n *\n * @param entry - The audit entry fields to sign\n * @param secret - The HMAC secret key\n * @returns Hex-encoded HMAC-SHA256 signature\n */\nexport async function signAuditEntry(entry: SignableFields, secret: string): Promise<string> {\n const { createHmac } = await import('node:crypto');\n const canonical = JSON.stringify({\n timestamp: entry.timestamp,\n eventType: entry.eventType,\n severity: entry.severity,\n agentId: entry.agentId,\n payload: entry.payload,\n });\n return createHmac('sha256', secret).update(canonical).digest('hex');\n}\n\n/**\n * Verify an HMAC-SHA256 signature against the canonical fields of an audit entry.\n *\n * Uses timing-safe comparison to prevent timing attacks.\n *\n * @param entry - The audit entry fields to verify\n * @param signature - The hex-encoded HMAC-SHA256 signature to verify\n * @param secret - The HMAC secret key\n * @returns True if the signature is valid\n */\nexport async function verifyAuditEntry(\n entry: SignableFields,\n signature: string,\n secret: string,\n): Promise<boolean> {\n const { timingSafeEqual } = await import('node:crypto');\n const expected = await signAuditEntry(entry, secret);\n\n // Lengths must match for timingSafeEqual\n if (expected.length !== signature.length) {\n return false;\n }\n\n return timingSafeEqual(Buffer.from(expected), Buffer.from(signature));\n}\n\n/**\n * Global audit system\n */\nexport const audit = new AuditSystem(new InMemoryAuditStorage());\n"],"mappings":";AAwFO,IAAM,cAAN,MAAkB;AAAA,EACf;AAAA,EACA,UAAiD,CAAC;AAAA,EAE1D,YAAY,SAAuB;AACjC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,WAAW,SAA6B;AACtC,SAAK,UAAU;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,IAAI,OAA4D;AACpE,UAAM,YAAwB;AAAA,MAC5B,GAAG;AAAA,MACH,IAAI,OAAO,WAAW;AAAA,MACtB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpC;AAGA,UAAM,YAAY,KAAK,QAAQ,MAAM,CAAC,WAAW,OAAO,SAAS,CAAC;AAElE,QAAI,CAAC,WAAW;AACd;AAAA,IACF;AAEA,UAAM,KAAK,QAAQ,MAAM,SAAS;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QACJ,MAIA,SACA,QACA,UACe;AACf,UAAM,KAAK,IAAI;AAAA,MACb;AAAA,MACA,UAAU,WAAW,YAAY,WAAW;AAAA,MAC5C,OAAO;AAAA,QACL,IAAI;AAAA,QACJ,MAAM;AAAA,MACR;AAAA,MACA,QAAS,KAAgB,QAAQ,SAAS,EAAE;AAAA,MAC5C;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,cACJ,QACA,SACA,cACA,YACA,QACA,SACe;AACf,UAAM,KAAK,IAAI;AAAA,MACb,MAAM,QAAQ,MAAM;AAAA,MACpB,UAAU,WAAW,WAAW,SAAS;AAAA,MACzC,OAAO;AAAA,QACL,IAAI;AAAA,QACJ,MAAM;AAAA,MACR;AAAA,MACA,UAAU;AAAA,QACR,MAAM;AAAA,QACN,IAAI;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBACJ,QACA,SACA,cACA,YACA,QACe;AACf,UAAM,KAAK,IAAI;AAAA,MACb,MAAM,cAAc,MAAM;AAAA,MAC1B,UAAU;AAAA,MACV,OAAO;AAAA,QACL,IAAI;AAAA,QACJ,MAAM;AAAA,MACR;AAAA,MACA,UAAU;AAAA,QACR,MAAM;AAAA,QACN,IAAI;AAAA,MACN;AAAA,MACA;AAAA,MACA;AAAA,MACA,UAAU;AAAA,QACR;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,iBACJ,MACA,UACA,SACA,SACA,UACe;AACf,UAAM,KAAK,IAAI;AAAA,MACb,MAAM,YAAY,IAAI;AAAA,MACtB;AAAA,MACA,OAAO;AAAA,QACL,IAAI;AAAA,QACJ,MAAM;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aACJ,MACA,SACA,QACA,UACe;AACf,UAAM,KAAK,IAAI;AAAA,MACb,MAAM,QAAQ,IAAI;AAAA,MAClB,UAAU;AAAA,MACV,OAAO;AAAA,QACL,IAAI;AAAA,QACJ,MAAM;AAAA,MACR;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAA0C;AACpD,WAAO,KAAK,QAAQ,MAAM,KAAK;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,OAAoC;AAC9C,WAAO,KAAK,QAAQ,MAAM,KAAK;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,QAA8C;AACtD,SAAK,QAAQ,KAAK,MAAM;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,QAA8C;AACzD,UAAM,QAAQ,KAAK,QAAQ,QAAQ,MAAM;AACzC,QAAI,QAAQ,IAAI;AACd,WAAK,QAAQ,OAAO,OAAO,CAAC;AAAA,IAC9B;AAAA,EACF;AACF;AAKO,IAAM,uBAAN,MAAmD;AAAA,EAChD,SAAuB,CAAC;AAAA,EACxB;AAAA,EAER,YAAY,YAAoB,KAAO;AACrC,SAAK,YAAY;AAAA,EACnB;AAAA,EAEA,MAAM,MAAM,OAAkC;AAC5C,SAAK,OAAO,KAAK,KAAK;AAGtB,QAAI,KAAK,OAAO,SAAS,KAAK,WAAW;AACvC,WAAK,OAAO,MAAM;AAAA,IACpB;AAAA,EACF;AAAA,EAEA,MAAM,MAAM,OAA0C;AACpD,QAAI,UAAU,CAAC,GAAG,KAAK,MAAM;AAG7B,QAAI,MAAM,SAAS,MAAM,MAAM,SAAS,GAAG;AACzC,gBAAU,QAAQ,OAAO,CAAC,MAAM,MAAM,OAAO,SAAS,EAAE,IAAI,CAAC;AAAA,IAC/D;AAGA,QAAI,MAAM,SAAS;AACjB,gBAAU,QAAQ,OAAO,CAAC,MAAM,EAAE,MAAM,OAAO,MAAM,OAAO;AAAA,IAC9D;AAGA,QAAI,MAAM,cAAc;AACtB,gBAAU,QAAQ,OAAO,CAAC,MAAM,EAAE,UAAU,SAAS,MAAM,YAAY;AAAA,IACzE;AAEA,QAAI,MAAM,YAAY;AACpB,gBAAU,QAAQ,OAAO,CAAC,MAAM,EAAE,UAAU,OAAO,MAAM,UAAU;AAAA,IACrE;AAGA,QAAI,MAAM,WAAW;AACnB,YAAM,YAAY,MAAM;AACxB,gBAAU,QAAQ,OAAO,CAAC,MAAM,IAAI,KAAK,EAAE,SAAS,KAAK,SAAS;AAAA,IACpE;AAEA,QAAI,MAAM,SAAS;AACjB,YAAM,UAAU,MAAM;AACtB,gBAAU,QAAQ,OAAO,CAAC,MAAM,IAAI,KAAK,EAAE,SAAS,KAAK,OAAO;AAAA,IAClE;AAGA,QAAI,MAAM,YAAY,MAAM,SAAS,SAAS,GAAG;AAC/C,gBAAU,QAAQ,OAAO,CAAC,MAAM,MAAM,UAAU,SAAS,EAAE,QAAQ,CAAC;AAAA,IACtE;AAGA,QAAI,MAAM,UAAU,MAAM,OAAO,SAAS,GAAG;AAC3C,gBAAU,QAAQ,OAAO,CAAC,MAAM,MAAM,QAAQ,SAAS,EAAE,MAAM,CAAC;AAAA,IAClE;AAGA,YAAQ,KAAK,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,SAAS,EAAE,QAAQ,IAAI,IAAI,KAAK,EAAE,SAAS,EAAE,QAAQ,CAAC;AAGxF,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,QAAQ,MAAM,SAAS;AAE7B,WAAO,QAAQ,MAAM,QAAQ,SAAS,KAAK;AAAA,EAC7C;AAAA,EAEA,MAAM,MAAM,OAAoC;AAC9C,UAAM,UAAU,MAAM,KAAK,MAAM,EAAE,GAAG,OAAO,OAAO,QAAW,QAAQ,OAAU,CAAC;AAClF,WAAO,QAAQ;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,QAAc;AACZ,SAAK,SAAS,CAAC;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,SAAuB;AACrB,WAAO,CAAC,GAAG,KAAK,MAAM;AAAA,EACxB;AACF;AAKO,SAAS,WACd,MACA,QACA,SAKA;AACA,SAAO,CAAC,SAAiB,cAAsB,eAAmC;AAChF,UAAM,iBAAiB,WAAW;AAElC,eAAW,QAAQ,kBAEd,MACH;AACA,YAAM,UAAU,KAAK,MAAM,MAAM;AACjC,YAAM,SAAS,SAAS,iBAAiB,KAAK,CAAC,IAAI;AAEnD,UAAI,SAA4C;AAChD,UAAI;AAEJ,UAAI;AACF,cAAM,cAAc,MAAM,eAAe,MAAM,MAAM,IAAI;AAGzD,YAAI,KAAK,OAAO;AACd,gBAAM,KAAK,MAAM,IAAI;AAAA,YACnB;AAAA,YACA,UAAU,SAAS,YAAY;AAAA,YAC/B,OAAO;AAAA,cACL,IAAI;AAAA,cACJ,MAAM;AAAA,YACR;AAAA,YACA,UAAU,SAAS,eACf;AAAA,cACE,MAAM,QAAQ;AAAA,cACd,IAAK,KAAK,CAAC,GAAuB,MAAM;AAAA,YAC1C,IACA;AAAA,YACJ;AAAA,YACA;AAAA,YACA,SAAS,SAAS,iBACd;AAAA,cACE;AAAA,cACA,OAAO;AAAA,YACT,IACA;AAAA,UACN,CAAC;AAAA,QACH;AAEA,eAAO;AAAA,MACT,SAAS,KAAK;AACZ,iBAAS;AACT,gBAAQ;AAGR,YAAI,KAAK,OAAO;AACd,gBAAM,KAAK,MAAM,IAAI;AAAA,YACnB;AAAA,YACA,UAAU;AAAA,YACV,OAAO;AAAA,cACL,IAAI;AAAA,cACJ,MAAM;AAAA,YACR;AAAA,YACA,UAAU,SAAS,eACf;AAAA,cACE,MAAM,QAAQ;AAAA,cACd,IAAK,KAAK,CAAC,GAAuB,MAAM;AAAA,YAC1C,IACA;AAAA,YACJ;AAAA,YACA;AAAA,YACA,SAAS,MAAM;AAAA,UACjB,CAAC;AAAA,QACH;AAEA,cAAM;AAAA,MACR;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AACF;AAKO,SAAS,sBACdA,QACA,SACA;AACA,SAAO,OACL,SACA,SACG;AACH,UAAM,OAAO,QAAQ,OAAO;AAC5B,UAAM,YAAY,KAAK,IAAI;AAE3B,QAAI;AACF,YAAM,WAAW,MAAM,KAAK;AAG5B,YAAMA,OAAM,IAAI;AAAA,QACd,MAAM;AAAA,QACN,UAAU;AAAA,QACV,OAAO;AAAA,UACL,IAAI,KAAK;AAAA,UACT,MAAM;AAAA,UACN,IAAI,KAAK;AAAA,UACT,WAAW,KAAK;AAAA,QAClB;AAAA,QACA,QAAQ,QAAQ;AAAA,QAChB,QAAQ;AAAA,QACR,UAAU;AAAA,UACR,MAAM,QAAQ;AAAA,UACd,UAAU,KAAK,IAAI,IAAI;AAAA,UACvB,QAAQ,SAAS;AAAA,QACnB;AAAA,MACF,CAAC;AAED,aAAO;AAAA,IACT,SAAS,OAAO;AAEd,YAAMA,OAAM,IAAI;AAAA,QACd,MAAM;AAAA,QACN,UAAU;AAAA,QACV,OAAO;AAAA,UACL,IAAI,KAAK;AAAA,UACT,MAAM;AAAA,UACN,IAAI,KAAK;AAAA,UACT,WAAW,KAAK;AAAA,QAClB;AAAA,QACA,QAAQ,QAAQ;AAAA,QAChB,QAAQ;AAAA,QACR,SAAS,iBAAiB,QAAQ,MAAM,UAAU;AAAA,QAClD,UAAU;AAAA,UACR,MAAM,QAAQ;AAAA,UACd,UAAU,KAAK,IAAI,IAAI;AAAA,QACzB;AAAA,MACF,CAAC;AAED,YAAM;AAAA,IACR;AAAA,EACF;AACF;AAKO,IAAM,uBAAN,MAA2B;AAAA,EAChC,YAAoBA,QAAoB;AAApB,iBAAAA;AAAA,EAAqB;AAAA;AAAA;AAAA;AAAA,EAKzC,MAAM,uBACJ,WACA,SAQC;AACD,UAAM,YAAY,MAAM,KAAK,MAAM,MAAM;AAAA,MACvC;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAM,qBAAqB,UAAU,OAAO,CAAC,MAAM,EAAE,KAAK,WAAW,WAAW,CAAC,EAAE;AAEnF,UAAM,eAAe,UAAU,OAAO,CAAC,MAAM,EAAE,SAAS,mBAAmB,EAAE;AAE7E,UAAM,oBAAoB,UAAU,OAAO,CAAC,MAAM,EAAE,KAAK,WAAW,aAAa,CAAC,EAAE;AAEpF,UAAM,cAAc,UAAU,OAAO,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE;AAEtE,UAAM,iBAAiB,UAAU,OAAO,CAAC,MAAM,EAAE,aAAa,UAAU;AAExE,WAAO;AAAA,MACL,aAAa,UAAU;AAAA,MACvB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,2BACJ,QACA,WACA,SAMC;AACD,UAAM,SAAS,MAAM,KAAK,MAAM,MAAM;AAAA,MACpC,SAAS;AAAA,MACT;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAM,gBAAgB,OAAO;AAAA,MAC3B,CAAC,KAAK,UAAU;AACd,YAAI,MAAM,IAAI,KAAK,IAAI,MAAM,IAAI,KAAK,KAAK;AAC3C,eAAO;AAAA,MACT;AAAA,MACA,CAAC;AAAA,IACH;AAEA,UAAM,gBAAgB,OAAO,OAAO,CAAC,MAAM,EAAE,WAAW,SAAS,EAAE;AAEnE,WAAO;AAAA,MACL,cAAc,OAAO;AAAA,MACrB;AAAA,MACA;AAAA,MACA,eAAe,OAAO,MAAM,GAAG,EAAE;AAAA,IACnC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,yBACJ,WACA,SAOC;AACD,UAAM,SAAS,MAAM,KAAK,MAAM,MAAM;AAAA,MACpC;AAAA,MACA;AAAA,IACF,CAAC;AAED,UAAM,eAAe,OAAO,OAAO,CAAC,MAAM,EAAE,SAAS,WAAW,EAAE;AAElE,UAAM,oBAAoB,OAAO;AAAA,MAC/B,CAAC,MAAM,EAAE,SAAS,iBAAiB,EAAE,SAAS;AAAA,IAChD,EAAE;AAEF,UAAM,gBAAgB,OAAO,OAAO,CAAC,MAAM,EAAE,SAAS,aAAa,EAAE;AAErE,UAAM,eAAe,OAAO,OAAO,CAAC,MAAM,EAAE,KAAK,WAAW,OAAO,CAAC,EAAE;AAGtE,UAAM,qBAAqB,KAAK,0BAA0B,MAAM;AAEhE,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,0BAA0B,QAA+B;AAC/D,QAAI,OAAO,WAAW,EAAG,QAAO;AAGhC,UAAM,SAAS,OAAO;AAAA,MACpB,CAAC,GAAG,MAAM,IAAI,KAAK,EAAE,SAAS,EAAE,QAAQ,IAAI,IAAI,KAAK,EAAE,SAAS,EAAE,QAAQ;AAAA,IAC5E;AAGA,WAAO,OAAO,SAAS;AAAA,EACzB;AACF;AA0BA,eAAsB,eAAe,OAAuB,QAAiC;AAC3F,QAAM,EAAE,WAAW,IAAI,MAAM,OAAO,QAAa;AACjD,QAAM,YAAY,KAAK,UAAU;AAAA,IAC/B,WAAW,MAAM;AAAA,IACjB,WAAW,MAAM;AAAA,IACjB,UAAU,MAAM;AAAA,IAChB,SAAS,MAAM;AAAA,IACf,SAAS,MAAM;AAAA,EACjB,CAAC;AACD,SAAO,WAAW,UAAU,MAAM,EAAE,OAAO,SAAS,EAAE,OAAO,KAAK;AACpE;AAYA,eAAsB,iBACpB,OACA,WACA,QACkB;AAClB,QAAM,EAAE,gBAAgB,IAAI,MAAM,OAAO,QAAa;AACtD,QAAM,WAAW,MAAM,eAAe,OAAO,MAAM;AAGnD,MAAI,SAAS,WAAW,UAAU,QAAQ;AACxC,WAAO;AAAA,EACT;AAEA,SAAO,gBAAgB,OAAO,KAAK,QAAQ,GAAG,OAAO,KAAK,SAAS,CAAC;AACtE;AAKO,IAAM,QAAQ,IAAI,YAAY,IAAI,qBAAqB,CAAC;","names":["audit"]}

package/dist/index.d.ts CHANGED Viewed

@@ -54,6 +54,11 @@ declare class AuditSystem {
     private storage;
     private filters;
     constructor(storage: AuditStorage);
+    /**
+     * Replace the backing storage (e.g. swap InMemory for Postgres at startup).
+     * Events already written to the old storage are NOT migrated.
+     */
+    setStorage(storage: AuditStorage): void;
     /**
      * Log audit event
      */
@@ -181,11 +186,154 @@ declare class AuditReportGenerator {
      */
     private checkAuditTrailContinuity;
 }
+/** Fields included in the HMAC signature for tamper detection. */
+interface SignableFields {
+    timestamp: string;
+    eventType: string;
+    severity: string;
+    agentId: string;
+    payload: unknown;
+}
+/**
+ * Compute an HMAC-SHA256 signature over the canonical fields of an audit entry.
+ *
+ * The signature covers `timestamp`, `eventType`, `severity`, `agentId`, and
+ * `payload` — the immutable core of every audit record. Changing any of
+ * these fields after signing will cause verification to fail.
+ *
+ * @param entry - The audit entry fields to sign
+ * @param secret - The HMAC secret key
+ * @returns Hex-encoded HMAC-SHA256 signature
+ */
+declare function signAuditEntry(entry: SignableFields, secret: string): Promise<string>;
+/**
+ * Verify an HMAC-SHA256 signature against the canonical fields of an audit entry.
+ *
+ * Uses timing-safe comparison to prevent timing attacks.
+ *
+ * @param entry - The audit entry fields to verify
+ * @param signature - The hex-encoded HMAC-SHA256 signature to verify
+ * @param secret - The HMAC secret key
+ * @returns True if the signature is valid
+ */
+declare function verifyAuditEntry(entry: SignableFields, signature: string, secret: string): Promise<boolean>;
 /**
  * Global audit system
  */
 declare const audit: AuditSystem;
+/**
+ * Security Alerting Service
+ *
+ * Evaluates audit events against configurable threshold rules and
+ * dispatches alerts through pluggable handlers (logging, audit trail,
+ * webhook / SIEM integration).
+ */
+/** A security alert produced when a threshold is breached. */
+interface SecurityAlert {
+    /** Alert rule that triggered (e.g. 'failedLogins', 'accountLockout'). */
+    type: string;
+    /** Severity of the alert. */
+    severity: AuditSeverity;
+    /** Human-readable description. */
+    message: string;
+    /** Contextual data attached to the alert. */
+    context: Record<string, unknown>;
+    /** When the alert was raised (ISO-8601). */
+    timestamp: string;
+}
+/** Handler that receives dispatched security alerts. */
+interface AlertHandler {
+    /** Process a single alert. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/** Configuration for a single threshold rule. */
+interface ThresholdRule {
+    /** Maximum event count before an alert fires. */
+    maxCount: number;
+    /** Sliding window duration in milliseconds. */
+    windowMs: number;
+    /** Severity assigned to alerts from this rule. */
+    severity: AuditSeverity;
+    /** Human-readable message template — `{count}` is replaced at runtime. */
+    messageTemplate: string;
+}
+/** Top-level configuration for the alerting service. */
+interface AlertingConfig {
+    /** Threshold rules keyed by rule name. */
+    thresholds: Record<string, ThresholdRule>;
+    /** Handlers that receive dispatched alerts. */
+    handlers: AlertHandler[];
+}
+/** Default threshold rules aligned with SOC2 6.2 requirements. */
+declare const DEFAULT_THRESHOLDS: Record<string, ThresholdRule>;
+/**
+ * Logs alerts to the structured security logger.
+ */
+declare class LogAlertHandler implements AlertHandler {
+    /** Write alert details to the configured security logger. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/**
+ * Writes alerts as critical audit events into the audit log.
+ */
+declare class AuditAlertHandler implements AlertHandler {
+    /** Record the alert in the audit trail with severity 'critical'. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/**
+ * POSTs alerts to a configurable webhook URL for SIEM integration.
+ */
+declare class WebhookAlertHandler implements AlertHandler {
+    private url;
+    private headers;
+    /**
+     * Create a webhook alert handler.
+     *
+     * @param url - The webhook endpoint URL
+     * @param headers - Additional HTTP headers (e.g. authorization)
+     */
+    constructor(url: string, headers?: Record<string, string>);
+    /** POST the alert payload to the configured webhook URL. */
+    handle(alert: SecurityAlert): Promise<void>;
+}
+/**
+ * Evaluates audit events against threshold rules and dispatches alerts.
+ *
+ * Maintains an in-memory sliding window per rule/group key. When the
+ * event count within the window exceeds the threshold, an alert is
+ * dispatched to all configured handlers.
+ */
+declare class SecurityAlertService {
+    private config;
+    private windows;
+    /**
+     * Create a new SecurityAlertService.
+     *
+     * @param config - Alerting configuration with thresholds and handlers
+     */
+    constructor(config: AlertingConfig);
+    /**
+     * Evaluate a single audit event against all threshold rules.
+     * If a threshold is breached, dispatches alerts to all handlers.
+     *
+     * @param event - The audit event to evaluate
+     * @returns The alert that was dispatched, or null if no threshold was breached
+     */
+    evaluateEvent(event: AuditEvent): Promise<SecurityAlert | null>;
+    /**
+     * Clear all sliding window state. Useful for testing.
+     */
+    reset(): void;
+    /**
+     * Dispatch an alert to all configured handlers.
+     * Errors in individual handlers are logged but do not prevent
+     * other handlers from receiving the alert.
+     */
+    private dispatchAlert;
+}
 /**
  * Authentication Utilities
  *
@@ -1356,4 +1504,4 @@ interface SecurityLogger {
  */
 declare function configureSecurityLogger(logger: SecurityLogger): void;
-export { type AuditEvent, type AuditEventType, type AuditQuery, AuditReportGenerator, type AuditSeverity, type AuditStorage, AuditSystem, AuditTrail, type AuthorizationContext, AuthorizationSystem, type BreachStorage, type CORSConfig, CORSManager, CORSPresets, CommonRoles, ConsentManager, type ConsentRecord, type ConsentType, type ContentSecurityPolicyConfig, type CookieConsentConfig, CookieConsentManager, DataAnonymization, type DataBreach, DataBreachManager, type DataCategory, type DataDeletionRequest, DataDeletionSystem, DataExportSystem, DataMasking, type DataProcessingPurpose, type EncryptedData, type EncryptionConfig, EncryptionSystem, EnvelopeEncryption, FieldEncryption, type GDPRStorage, type HSTSConfig, InMemoryAuditStorage, InMemoryBreachStorage, InMemoryGDPRStorage, KeyRotationManager, OAuthClient, type OAuthConfig, OAuthProviders, PasswordHasher, type Permission, PermissionBuilder, PermissionCache, type PermissionsPolicyConfig, type PersonalDataExport, type Policy, PolicyBuilder, type PolicyCondition, PrivacyPolicyManager, type ReferrerPolicyValue, RequirePermission, RequireRole, type Role, SecurityHeaders, type SecurityHeadersConfig, type SecurityLogger, SecurityPresets, TokenGenerator, TwoFactorAuth, type User, audit, authorization, canAccessResource, checkAttributeAccess, configureSecurityLogger, cookieConsentManager, createAuditMiddleware, createAuthorizationMiddleware, createConsentManager, createDataBreachManager, createDataDeletionSystem, createSecurityMiddleware, dataExportSystem, encryption, permissionCache, privacyPolicyManager, setRateLimitHeaders };
+export { type AlertHandler, type AlertingConfig, AuditAlertHandler, type AuditEvent, type AuditEventType, type AuditQuery, AuditReportGenerator, type AuditSeverity, type AuditStorage, AuditSystem, AuditTrail, type AuthorizationContext, AuthorizationSystem, type BreachStorage, type CORSConfig, CORSManager, CORSPresets, CommonRoles, ConsentManager, type ConsentRecord, type ConsentType, type ContentSecurityPolicyConfig, type CookieConsentConfig, CookieConsentManager, DEFAULT_THRESHOLDS, DataAnonymization, type DataBreach, DataBreachManager, type DataCategory, type DataDeletionRequest, DataDeletionSystem, DataExportSystem, DataMasking, type DataProcessingPurpose, type EncryptedData, type EncryptionConfig, EncryptionSystem, EnvelopeEncryption, FieldEncryption, type GDPRStorage, type HSTSConfig, InMemoryAuditStorage, InMemoryBreachStorage, InMemoryGDPRStorage, KeyRotationManager, LogAlertHandler, OAuthClient, type OAuthConfig, OAuthProviders, PasswordHasher, type Permission, PermissionBuilder, PermissionCache, type PermissionsPolicyConfig, type PersonalDataExport, type Policy, PolicyBuilder, type PolicyCondition, PrivacyPolicyManager, type ReferrerPolicyValue, RequirePermission, RequireRole, type Role, type SecurityAlert, SecurityAlertService, SecurityHeaders, type SecurityHeadersConfig, type SecurityLogger, SecurityPresets, type ThresholdRule, TokenGenerator, TwoFactorAuth, type User, WebhookAlertHandler, audit, authorization, canAccessResource, checkAttributeAccess, configureSecurityLogger, cookieConsentManager, createAuditMiddleware, createAuthorizationMiddleware, createConsentManager, createDataBreachManager, createDataDeletionSystem, createSecurityMiddleware, dataExportSystem, encryption, permissionCache, privacyPolicyManager, setRateLimitHeaders, signAuditEntry, verifyAuditEntry };