@sentinel-atl/hardening 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +102 -0
  2. package/dist/audit-rotation.d.ts +33 -0
  3. package/dist/audit-rotation.d.ts.map +1 -0
  4. package/dist/audit-rotation.js +120 -0
  5. package/dist/audit-rotation.js.map +1 -0
  6. package/dist/auth.d.ts +59 -0
  7. package/dist/auth.d.ts.map +1 -0
  8. package/dist/auth.js +117 -0
  9. package/dist/auth.js.map +1 -0
  10. package/dist/cors.d.ts +34 -0
  11. package/dist/cors.d.ts.map +1 -0
  12. package/dist/cors.js +86 -0
  13. package/dist/cors.js.map +1 -0
  14. package/dist/index.d.ts +19 -0
  15. package/dist/index.d.ts.map +1 -0
  16. package/dist/index.js +19 -0
  17. package/dist/index.js.map +1 -0
  18. package/dist/nonce-store.d.ts +50 -0
  19. package/dist/nonce-store.d.ts.map +1 -0
  20. package/dist/nonce-store.js +88 -0
  21. package/dist/nonce-store.js.map +1 -0
  22. package/dist/rate-limit.d.ts +55 -0
  23. package/dist/rate-limit.d.ts.map +1 -0
  24. package/dist/rate-limit.js +116 -0
  25. package/dist/rate-limit.js.map +1 -0
  26. package/dist/security-headers.d.ts +36 -0
  27. package/dist/security-headers.d.ts.map +1 -0
  28. package/dist/security-headers.js +48 -0
  29. package/dist/security-headers.js.map +1 -0
  30. package/dist/tls.d.ts +33 -0
  31. package/dist/tls.d.ts.map +1 -0
  32. package/dist/tls.js +41 -0
  33. package/dist/tls.js.map +1 -0
  34. package/package.json +43 -0
  35. package/src/__tests__/hardening.test.ts +472 -0
  36. package/src/audit-rotation.ts +149 -0
  37. package/src/auth.ts +162 -0
  38. package/src/cors.ts +118 -0
  39. package/src/index.ts +62 -0
  40. package/src/nonce-store.ts +111 -0
  41. package/src/rate-limit.ts +141 -0
  42. package/src/security-headers.ts +79 -0
  43. package/src/tls.ts +66 -0
  44. package/tsconfig.json +9 -0
package/src/tls.ts ADDED
@@ -0,0 +1,66 @@
1
+ /**
2
+ * TLS support — wraps HTTP servers with HTTPS using Node.js native TLS.
3
+ *
4
+ * Reads cert/key from files or environment variables:
5
+ * SENTINEL_TLS_CERT — path to PEM certificate
6
+ * SENTINEL_TLS_KEY — path to PEM private key
7
+ */
8
+
9
+ import { createServer as createHttpsServer, type Server as HttpsServer } from 'node:https';
10
+ import { createServer as createHttpServer, type Server as HttpServer, type RequestListener } from 'node:http';
11
+ import { readFileSync } from 'node:fs';
12
+
13
+ // ─── Types ───────────────────────────────────────────────────────────
14
+
15
+ export interface TlsConfig {
16
+ /** Whether TLS is enabled */
17
+ enabled: boolean;
18
+ /** Path to PEM certificate file */
19
+ certPath?: string;
20
+ /** Path to PEM private key file */
21
+ keyPath?: string;
22
+ /** PEM certificate string (alternative to certPath) */
23
+ cert?: string;
24
+ /** PEM private key string (alternative to keyPath) */
25
+ key?: string;
26
+ }
27
+
28
+ // ─── Factory ──────────────────────────────────────────────────────────
29
+
30
+ /**
31
+ * Create an HTTP or HTTPS server based on TLS configuration.
32
+ */
33
+ export function createSecureServer(
34
+ handler: RequestListener,
35
+ tls?: TlsConfig
36
+ ): HttpServer | HttpsServer {
37
+ if (!tls?.enabled) {
38
+ return createHttpServer(handler);
39
+ }
40
+
41
+ const cert = tls.cert ?? (tls.certPath ? readFileSync(tls.certPath, 'utf-8') : undefined);
42
+ const key = tls.key ?? (tls.keyPath ? readFileSync(tls.keyPath, 'utf-8') : undefined);
43
+
44
+ if (!cert || !key) {
45
+ throw new Error('TLS enabled but no certificate/key provided. Set certPath/keyPath or cert/key.');
46
+ }
47
+
48
+ return createHttpsServer({ cert, key }, handler);
49
+ }
50
+
51
+ /**
52
+ * Create TLS config from environment variables.
53
+ *
54
+ * SENTINEL_TLS_CERT=./certs/server.crt
55
+ * SENTINEL_TLS_KEY=./certs/server.key
56
+ */
57
+ export function tlsConfigFromEnv(): TlsConfig {
58
+ const certPath = process.env['SENTINEL_TLS_CERT'];
59
+ const keyPath = process.env['SENTINEL_TLS_KEY'];
60
+
61
+ return {
62
+ enabled: !!(certPath && keyPath),
63
+ certPath,
64
+ keyPath,
65
+ };
66
+ }
package/tsconfig.json ADDED
@@ -0,0 +1,9 @@
1
+ {
2
+ "extends": "../../tsconfig.base.json",
3
+ "compilerOptions": {
4
+ "outDir": "dist",
5
+ "rootDir": "src"
6
+ },
7
+ "include": ["src"],
8
+ "exclude": ["src/__tests__"]
9
+ }