@tamyla/clodo-framework 1.0.0

package/dist/security/SecretGenerator.js

@@ -0,0 +1,142 @@
+import crypto from 'crypto';
+
+/**
+ * Secret Generator for Secure Key Management
+ * Provides cryptographically secure key generation utilities
+ */
+export class SecretGenerator {
+  /**
+   * Generate a cryptographically secure API key
+   * @param {number} length - Length of the key in bytes (default: 32)
+   * @param {string} prefix - Optional prefix for the key
+   * @returns {string} Secure API key
+   */
+  static generateSecureApiKey(length = 32, prefix = '') {
+    const bytes = crypto.randomBytes(length);
+    const key = bytes.toString('hex');
+    if (prefix) {
+      return `${prefix}_${key}`;
+    }
+    return key;
+  }
+
+  /**
+   * Generate a cryptographically secure JWT secret
+   * @param {number} length - Length of the secret in bytes (default: 64)
+   * @returns {string} Secure JWT secret
+   */
+  static generateSecureJwtSecret(length = 64) {
+    const bytes = crypto.randomBytes(length);
+    return bytes.toString('hex');
+  }
+
+  /**
+   * Generate a secure key with specific service prefix
+   * @param {string} serviceName - Name of the service
+   * @param {string} environment - Environment (prod, staging, dev)
+   * @param {number} length - Length of the key in bytes
+   * @returns {string} Service-specific secure key
+   */
+  static generateServiceKey(serviceName, environment = 'prod', length = 32) {
+    const prefix = `${serviceName}_${environment}`;
+    return this.generateSecureApiKey(length, prefix);
+  }
+
+  /**
+   * Generate multiple keys at once
+   * @param {Array} keySpecs - Array of key specifications
+   * @returns {Object} Object with generated keys
+   */
+  static generateMultipleKeys(keySpecs) {
+    const keys = {};
+    for (const spec of keySpecs) {
+      const {
+        name,
+        type = 'api',
+        length,
+        prefix
+      } = spec;
+      if (type === 'jwt') {
+        keys[name] = this.generateSecureJwtSecret(length);
+      } else {
+        keys[name] = this.generateSecureApiKey(length, prefix);
+      }
+    }
+    return keys;
+  }
+
+  /**
+   * Validate key strength
+   * @param {string} key - Key to validate
+   * @param {Object} requirements - Strength requirements
+   * @returns {Object} Validation result
+   */
+  static validateKeyStrength(key, requirements = {}) {
+    const {
+      minLength = 32,
+      requireHex = true,
+      minEntropy = 3.0
+    } = requirements;
+    const result = {
+      valid: true,
+      issues: []
+    };
+
+    // Check length
+    if (key.length < minLength) {
+      result.valid = false;
+      result.issues.push(`Key too short: ${key.length} < ${minLength}`);
+    }
+
+    // Check if hex format is required
+    if (requireHex && !/^[a-f0-9]+$/i.test(key)) {
+      result.valid = false;
+      result.issues.push('Key must be hexadecimal format');
+    }
+
+    // Check entropy
+    const entropy = this.calculateEntropy(key);
+    if (entropy < minEntropy) {
+      result.valid = false;
+      result.issues.push(`Low entropy: ${entropy.toFixed(2)} < ${minEntropy}`);
+    }
+    return result;
+  }
+
+  /**
+   * Calculate Shannon entropy of a string
+   * @param {string} str - String to analyze
+   * @returns {number} Entropy value
+   */
+  static calculateEntropy(str) {
+    const charCounts = {};
+    for (const char of str) {
+      charCounts[char] = (charCounts[char] || 0) + 1;
+    }
+    let entropy = 0;
+    const len = str.length;
+    for (const count of Object.values(charCounts)) {
+      const p = count / len;
+      entropy -= p * Math.log2(p);
+    }
+    return entropy;
+  }
+
+  /**
+   * Generate a key with timestamp for rotation tracking
+   * @param {string} prefix - Key prefix
+   * @param {number} length - Key length
+   * @returns {Object} Key with metadata
+   */
+  static generateKeyWithMetadata(prefix = '', length = 32) {
+    const key = this.generateSecureApiKey(length, prefix);
+    const timestamp = new Date().toISOString();
+    return {
+      key,
+      generatedAt: timestamp,
+      length,
+      entropy: this.calculateEntropy(key),
+      algorithm: 'crypto.randomBytes'
+    };
+  }
+}

package/dist/security/SecurityCLI.js

@@ -0,0 +1,228 @@
+/**
+ * Clodo Framework - Security CLI
+ * Programmatic API for security operations
+ */
+
+import { ConfigurationValidator } from '../security/ConfigurationValidator.js';
+import { SecretGenerator } from '../security/SecretGenerator.js';
+import { DeploymentManager } from '../security/DeploymentManager.js';
+export class SecurityCLI {
+  constructor() {
+    // Initialize with default settings
+  }
+
+  /**
+   * Validate configuration security for a customer and environment
+   * @param {string} customer - Customer name
+   * @param {string} environment - Environment name
+   * @returns {Object} Validation result
+   */
+  async validateConfiguration(customer, environment) {
+    try {
+      if (!customer || !environment) {
+        throw new Error('Customer and environment are required');
+      }
+      const result = ConfigurationValidator.validateConfiguration(customer, environment);
+      return {
+        success: result.valid,
+        customer,
+        environment,
+        valid: result.valid,
+        securityIssues: result.securityIssues || [],
+        message: result.valid ? 'Security validation passed' : 'Security issues found'
+      };
+    } catch (error) {
+      return {
+        success: false,
+        customer,
+        environment,
+        error: error.message
+      };
+    }
+  }
+
+  /**
+   * Generate a secure key
+   * @param {string} type - Key type ('api', 'jwt', or custom prefix)
+   * @param {number} length - Key length (optional)
+   * @returns {Object} Key generation result
+   */
+  generateKey(type = 'api', length) {
+    try {
+      let key;
+      let keyType;
+      if (type === 'jwt') {
+        key = SecretGenerator.generateSecureJwtSecret(length);
+        keyType = 'JWT secret';
+      } else {
+        const prefix = type && type !== 'api' ? type : '';
+        key = SecretGenerator.generateSecureApiKey(length || 32, prefix);
+        keyType = 'API key';
+      }
+      return {
+        success: true,
+        type: keyType,
+        key,
+        length: key.length
+      };
+    } catch (error) {
+      return {
+        success: false,
+        type,
+        error: error.message
+      };
+    }
+  }
+
+  /**
+   * Deploy with security validation
+   * @param {string} customer - Customer name
+   * @param {string} environment - Environment name
+   * @param {Object} options - Deployment options
+   * @param {boolean} options.dryRun - Perform dry run (default: false)
+   * @returns {Object} Deployment result
+   */
+  async deployWithSecurity(customer, environment, options = {}) {
+    try {
+      if (!customer || !environment) {
+        throw new Error('Customer and environment are required');
+      }
+      const result = await DeploymentManager.deployWithSecurity({
+        customer,
+        environment,
+        dryRun: options.dryRun || false
+      });
+      return {
+        success: true,
+        customer,
+        environment,
+        dryRun: options.dryRun,
+        deployed: !options.dryRun,
+        result
+      };
+    } catch (error) {
+      return {
+        success: false,
+        customer,
+        environment,
+        error: error.message
+      };
+    }
+  }
+
+  /**
+   * Generate secure configuration
+   * @param {string} customer - Customer name
+   * @param {string} environment - Environment name
+   * @returns {Object} Configuration generation result
+   */
+  generateSecureConfig(customer, environment) {
+    try {
+      if (!customer || !environment) {
+        throw new Error('Customer and environment are required');
+      }
+      const config = DeploymentManager.generateSecureConfig(customer, environment);
+      return {
+        success: true,
+        customer,
+        environment,
+        config
+      };
+    } catch (error) {
+      return {
+        success: false,
+        customer,
+        environment,
+        error: error.message
+      };
+    }
+  }
+
+  /**
+   * Check deployment readiness
+   * @param {string} customer - Customer name
+   * @param {string} environment - Environment name
+   * @returns {Object} Readiness check result
+   */
+  checkDeploymentReadiness(customer, environment) {
+    try {
+      if (!customer || !environment) {
+        throw new Error('Customer and environment are required');
+      }
+      const result = DeploymentManager.validateDeploymentReadiness(customer, environment);
+      return {
+        success: true,
+        customer,
+        environment,
+        ready: result.ready,
+        issues: result.issues || []
+      };
+    } catch (error) {
+      return {
+        success: false,
+        customer,
+        environment,
+        ready: false,
+        error: error.message
+      };
+    }
+  }
+
+  /**
+   * Get available commands
+   * @returns {string[]} Array of available commands
+   */
+  getAvailableCommands() {
+    return ['validate', 'generate-key', 'deploy', 'generate-config', 'check-readiness'];
+  }
+
+  /**
+   * Get command help
+   * @param {string} command - Command name (optional)
+   * @returns {string} Help text
+   */
+  getHelp(command) {
+    const help = {
+      validate: 'validate <customer> <environment> - Validate configuration security',
+      'generate-key': 'generate-key [type] [length] - Generate secure key (api/jwt)',
+      deploy: 'deploy <customer> <environment> - Deploy with security validation',
+      'generate-config': 'generate-config <customer> <environment> - Generate secure configuration',
+      'check-readiness': 'check-readiness <customer> <environment> - Check deployment readiness'
+    };
+    if (command && help[command]) {
+      return help[command];
+    }
+    return `Clodo Framework Security CLI
+
+Commands:
+${Object.values(help).map(cmd => `  ${cmd}`).join('\n')}
+
+Examples:
+  validate tamyla production
+  generate-key jwt 64
+  generate-key content-skimmer
+  deploy tamyla staging --dry-run`;
+  }
+}
+
+// Convenience functions for direct use
+export async function validateSecurity(customer, environment) {
+  const cli = new SecurityCLI();
+  return await cli.validateConfiguration(customer, environment);
+}
+export function generateSecureKey(type = 'api', length) {
+  const cli = new SecurityCLI();
+  return cli.generateKey(type, length);
+}
+export async function deployWithSecurity(customer, environment, options = {}) {
+  const cli = new SecurityCLI();
+  return await cli.deployWithSecurity(customer, environment, options);
+}
+export function generateSecureConfig(customer, environment) {
+  const cli = new SecurityCLI();
+  return cli.generateSecureConfig(customer, environment);
+}
+export function checkDeploymentReadiness(customer, environment) {
+  const cli = new SecurityCLI();
+  return cli.checkDeploymentReadiness(customer, environment);
+}

package/dist/security/index.js

@@ -0,0 +1,51 @@
+/**
+ * Clodo Framework Security Module
+ * Comprehensive security validation and management for Clodo services
+ */
+
+import { ConfigurationValidator } from './ConfigurationValidator.js';
+import { DeploymentManager } from './DeploymentManager.js';
+import { SecretGenerator } from './SecretGenerator.js';
+import { ErrorHandler } from '../utils/ErrorHandler.js';
+import { InteractiveDeploymentConfigurator } from '../config/ConfigurationManager.js';
+export { ConfigurationValidator } from './ConfigurationValidator.js';
+export { DeploymentManager } from './DeploymentManager.js';
+export { SecretGenerator } from './SecretGenerator.js';
+export { ErrorHandler } from '../utils/ErrorHandler.js';
+export { InteractiveDeploymentConfigurator } from '../config/ConfigurationManager.js';
+
+// Re-export patterns and rules for advanced usage
+export { INSECURE_PATTERNS } from './patterns/insecure-patterns.js';
+export { ENVIRONMENT_REQUIREMENTS, getEnvironmentRequirements } from './patterns/environment-rules.js';
+
+// Main security validation function for easy access
+export function validateSecurity(config, environment = 'production') {
+  return ConfigurationValidator.validate(config, environment);
+}
+
+// Main secure deployment function
+export async function deployWithSecurity(options) {
+  return DeploymentManager.deployWithSecurity(options);
+}
+
+// Main key generation function
+export function generateSecureKey(type = 'api', options = {}) {
+  const {
+    length = 32,
+    prefix = ''
+  } = options;
+  if (type === 'jwt') {
+    return SecretGenerator.generateSecureJwtSecret(length);
+  }
+  return SecretGenerator.generateSecureApiKey(length, prefix);
+}
+
+// Main error handling function
+export function handleDeploymentError(error, context = {}) {
+  return ErrorHandler.handleDeploymentError(error, context);
+}
+
+// Main configuration function
+export async function generateConfiguration(defaults = {}) {
+  return InteractiveDeploymentConfigurator.generateFromUserInput(defaults);
+}

package/dist/security/patterns/environment-rules.js

@@ -0,0 +1,66 @@
+/**
+ * Environment-Specific Security Rules
+ * Defines security requirements for different deployment environments
+ */
+
+export const ENVIRONMENT_REQUIREMENTS = {
+  production: {
+    minSecretLength: 32,
+    requireHttps: true,
+    allowDummyKeys: false,
+    requireStrongJWT: true,
+    allowLocalhostUrls: false,
+    minKeyEntropy: 4.0,
+    // bits of entropy per character
+    requireComplexPasswords: true,
+    maxDummyKeyTolerance: 0
+  },
+  staging: {
+    minSecretLength: 24,
+    requireHttps: true,
+    allowDummyKeys: false,
+    requireStrongJWT: true,
+    allowLocalhostUrls: false,
+    minKeyEntropy: 3.5,
+    requireComplexPasswords: true,
+    maxDummyKeyTolerance: 0
+  },
+  development: {
+    minSecretLength: 16,
+    requireHttps: false,
+    allowDummyKeys: true,
+    requireStrongJWT: false,
+    allowLocalhostUrls: true,
+    minKeyEntropy: 2.0,
+    requireComplexPasswords: false,
+    maxDummyKeyTolerance: 5 // Allow some dummy keys for development
+  },
+  testing: {
+    minSecretLength: 8,
+    requireHttps: false,
+    allowDummyKeys: true,
+    requireStrongJWT: false,
+    allowLocalhostUrls: true,
+    minKeyEntropy: 1.0,
+    requireComplexPasswords: false,
+    maxDummyKeyTolerance: 10
+  }
+};
+
+/**
+ * Get environment requirements with fallback to production
+ * @param {string} environment - Environment name
+ * @returns {Object} Environment security requirements
+ */
+export function getEnvironmentRequirements(environment) {
+  return ENVIRONMENT_REQUIREMENTS[environment] || ENVIRONMENT_REQUIREMENTS.production;
+}
+
+/**
+ * Validate environment name
+ * @param {string} environment - Environment to validate
+ * @returns {boolean} True if environment is valid
+ */
+export function isValidEnvironment(environment) {
+  return Object.keys(ENVIRONMENT_REQUIREMENTS).includes(environment);
+}

package/dist/security/patterns/insecure-patterns.js

@@ -0,0 +1,21 @@
+/**
+ * Insecure Patterns Database
+ * Known patterns that indicate security vulnerabilities
+ */
+
+export const INSECURE_PATTERNS = {
+  // Development/dummy API keys
+  DUMMY_API_KEYS: ['content-skimmer-dev-key', 'logger-service-dev-key', 'auth-service-dev-key', 'test-key', 'dev-key', 'dummy-key', 'placeholder-key', 'example-key', 'sample-key', 'demo-key', 'test-api-key-*', 'dummy-*-key', 'dev-*-secret', 'placeholder-*', 'example-*-token', 'fake-*-credential', 'mock-*-password'],
+  // Weak secrets (common insecure values)
+  WEAK_SECRETS: ['secret', 'password', '123456', 'admin', 'test', 'changeme', 'default', 'password123', 'admin123', 'root', 'guest'],
+  // Development URLs that shouldn't be in production
+  DEV_URLS: ['localhost', '127.0.0.1', '0.0.0.0', 'dev.', 'test.', 'staging.', 'local.'],
+  // Insecure JWT secrets (too short or common)
+  WEAK_JWT_PATTERNS: [/^.{1,31}$/,
+  // Less than 32 characters
+  /^(secret|jwt|token|key|password)/i, /^[a-zA-Z0-9]{1,20}$/,
+  // Simple alphanumeric short strings
+  /^(password|secret|token|key|jwt|auth)$/i],
+  // Common insecure password patterns
+  COMMON_PASSWORDS: ['password', 'password123', 'admin', 'admin123', 'root', 'root123', 'guest', 'user', 'test', 'demo', '123456', '123456789', 'qwerty', 'abc123', 'letmein', 'welcome', 'monkey', 'dragon', 'passw0rd', 'p@ssword']
+};