@trentapps/manager-protocol 1.1.2 → 1.2.0

package/dist/rules/security.js

@@ -3,6 +3,7 @@
  *
  * Built-in security rules for protecting against common vulnerabilities and threats.
  */
+import { createEncryptionRule } from './shared-patterns.js';
 export const securityRules = [
     // ============================================================================
     // DATA PROTECTION RULES
@@ -24,7 +25,9 @@ export const securityRules = [
             { type: 'log' }
         ],
         riskWeight: 45,
-        tags: ['pii', 'gdpr', 'privacy']
+        tags: ['pii', 'gdpr', 'privacy'],
+        // Task #37: Rule interdependencies
+        relatedRules: ['sec-002', 'sec-003'] // Related to data export and logging rules
     },
     {
         id: 'sec-002',
@@ -42,7 +45,10 @@ export const securityRules = [
             { type: 'require_approval', message: 'Bulk data export (>1000 records) requires human approval' }
         ],
         riskWeight: 35,
-        tags: ['data-export', 'bulk-operations']
+        tags: ['data-export', 'bulk-operations'],
+        // Task #37: Rule interdependencies
+        dependsOn: ['sec-001'], // Check PII access authorization first
+        relatedRules: ['sec-003'] // Related to logging sensitive data
     },
     {
         id: 'sec-003',
@@ -61,7 +67,10 @@ export const securityRules = [
             { type: 'warn', message: 'Sensitive data should not be logged - ensure data masking is enabled' }
         ],
         riskWeight: 25,
-        tags: ['logging', 'data-masking']
+        tags: ['logging', 'data-masking'],
+        // Task #37: Rule interdependencies
+        dependsOn: ['sec-001'], // PII access check should happen first
+        relatedRules: ['sec-002'] // Related to bulk export
     },
     // ============================================================================
     // AUTHENTICATION & AUTHORIZATION RULES
@@ -82,7 +91,9 @@ export const securityRules = [
             { type: 'deny', message: 'External API calls require authentication token' }
         ],
         riskWeight: 50,
-        tags: ['authentication', 'api']
+        tags: ['authentication', 'api'],
+        // Task #37: Rule interdependencies
+        relatedRules: ['sec-011', 'sec-012', 'sec-031'] // Related auth and API rules
     },
     {
         id: 'sec-011',
@@ -102,7 +113,10 @@ export const securityRules = [
             { type: 'notify', message: 'Security alert: Privilege escalation attempt detected' }
         ],
         riskWeight: 60,
-        tags: ['privilege-escalation', 'authorization']
+        tags: ['privilege-escalation', 'authorization'],
+        // Task #37: Rule interdependencies
+        dependsOn: ['sec-010'], // Check authentication before authorization
+        relatedRules: ['sec-012'] // Related session security
     },
     {
         id: 'sec-012',
@@ -120,7 +134,10 @@ export const securityRules = [
             { type: 'notify', message: 'Security alert: Possible session hijacking detected' }
         ],
         riskWeight: 55,
-        tags: ['session-security', 'anomaly-detection']
+        tags: ['session-security', 'anomaly-detection'],
+        // Task #37: Rule interdependencies
+        dependsOn: ['sec-010'], // Check authentication first
+        relatedRules: ['sec-011'] // Related to privilege escalation
     },
     // ============================================================================
     // CODE EXECUTION RULES
@@ -183,24 +200,21 @@ export const securityRules = [
         riskWeight: 35,
         tags: ['network', 'whitelist']
     },
-    {
+    // HTTPS for External APIs - uses shared encryption pattern
+    createEncryptionRule({
         id: 'sec-031',
         name: 'Enforce HTTPS for External APIs',
         description: 'Requires HTTPS for all external API communications',
-        type: 'security',
-        enabled: true,
+        encryptionType: 'transport',
+        scope: {
+            category: 'external_api'
+        },
+        actionType: 'deny',
+        message: 'External API calls must use HTTPS',
         priority: 930,
-        conditions: [
-            { field: 'actionCategory', operator: 'equals', value: 'external_api' },
-            { field: 'protocol', operator: 'not_equals', value: 'https' }
-        ],
-        conditionLogic: 'all',
-        actions: [
-            { type: 'deny', message: 'External API calls must use HTTPS' }
-        ],
         riskWeight: 40,
-        tags: ['https', 'encryption', 'api']
-    },
+        tags: ['https', 'api']
+    }),
     // ============================================================================
     // FILE SYSTEM SECURITY RULES
     // ============================================================================
@@ -281,6 +295,553 @@ export const securityRules = [
         ],
         riskWeight: 80,
         tags: ['command-injection', 'owasp']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - PATH TRAVERSAL (A01:2021 - Broken Access Control)
+    // ============================================================================
+    {
+        id: 'sec-060',
+        name: 'Path Traversal Prevention',
+        description: 'Detects and blocks path traversal attacks (directory traversal)',
+        type: 'security',
+        enabled: true,
+        priority: 1000,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'file_system' },
+            { field: 'filePath', operator: 'matches_regex', value: '(\\.\\./|\\.\\.\\\\|%2e%2e%2f|%2e%2e/|\\.\\.%2f|%2e%2e%5c)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Path traversal attack detected - action blocked' },
+            { type: 'notify', message: 'Security alert: Path traversal attempt detected' }
+        ],
+        riskWeight: 85,
+        tags: ['path-traversal', 'owasp', 'a01-broken-access-control']
+    },
+    {
+        id: 'sec-061',
+        name: 'Null Byte Injection Prevention',
+        description: 'Blocks null byte injection in file paths',
+        type: 'security',
+        enabled: true,
+        priority: 995,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'file_system' },
+            { field: 'filePath', operator: 'matches_regex', value: '(%00|\\x00|\\0)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Null byte injection detected in file path' },
+            { type: 'notify', message: 'Security alert: Null byte injection attempt detected' }
+        ],
+        riskWeight: 80,
+        tags: ['null-byte', 'owasp', 'file-system']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - SSRF (A10:2021 - Server-Side Request Forgery)
+    // ============================================================================
+    {
+        id: 'sec-070',
+        name: 'SSRF Prevention - Internal Network',
+        description: 'Blocks server-side requests to internal network addresses',
+        type: 'security',
+        enabled: true,
+        priority: 990,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'network' },
+            { field: 'targetUrl', operator: 'matches_regex', value: '(localhost|127\\.0\\.0\\.1|0\\.0\\.0\\.0|10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|\\[::1\\]|\\[::\\])' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'SSRF attempt blocked - internal network address detected' },
+            { type: 'notify', message: 'Security alert: SSRF attempt to internal network' }
+        ],
+        riskWeight: 75,
+        tags: ['ssrf', 'owasp', 'a10-ssrf', 'network']
+    },
+    {
+        id: 'sec-071',
+        name: 'SSRF Prevention - Cloud Metadata',
+        description: 'Blocks server-side requests to cloud metadata endpoints',
+        type: 'security',
+        enabled: true,
+        priority: 995,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'network' },
+            { field: 'targetUrl', operator: 'matches_regex', value: '(169\\.254\\.169\\.254|metadata\\.google|metadata\\.azure)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'SSRF attempt blocked - cloud metadata endpoint detected' },
+            { type: 'notify', message: 'Security alert: SSRF attempt to cloud metadata' }
+        ],
+        riskWeight: 90,
+        tags: ['ssrf', 'owasp', 'a10-ssrf', 'cloud-metadata']
+    },
+    {
+        id: 'sec-072',
+        name: 'SSRF Prevention - File Protocol',
+        description: 'Blocks server-side requests using file:// protocol',
+        type: 'security',
+        enabled: true,
+        priority: 990,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'network' },
+            { field: 'targetUrl', operator: 'matches_regex', value: '^(file|gopher|dict|ldap|tftp)://' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'SSRF attempt blocked - dangerous protocol detected' },
+            { type: 'notify', message: 'Security alert: SSRF attempt with dangerous protocol' }
+        ],
+        riskWeight: 85,
+        tags: ['ssrf', 'owasp', 'a10-ssrf', 'protocol']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - INSECURE DESERIALIZATION (A08:2021 - Software and Data Integrity Failures)
+    // ============================================================================
+    {
+        id: 'sec-080',
+        name: 'Insecure Deserialization Prevention - Java',
+        description: 'Detects Java deserialization attacks',
+        type: 'security',
+        enabled: true,
+        priority: 985,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'payload', operator: 'matches_regex', value: '(rO0AB|ac ed 00 05|java\\.lang\\.(Runtime|ProcessBuilder)|ysoserial)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Java deserialization attack detected - action blocked' },
+            { type: 'notify', message: 'Security alert: Java deserialization attack attempt' }
+        ],
+        riskWeight: 90,
+        tags: ['deserialization', 'owasp', 'a08-integrity', 'java']
+    },
+    {
+        id: 'sec-081',
+        name: 'Insecure Deserialization Prevention - PHP',
+        description: 'Detects PHP object injection attacks',
+        type: 'security',
+        enabled: true,
+        priority: 985,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'payload', operator: 'matches_regex', value: '(O:\\d+:"|a:\\d+:\\{|s:\\d+:|__wakeup|__destruct|__toString)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'PHP object injection detected - action blocked' },
+            { type: 'notify', message: 'Security alert: PHP object injection attempt' }
+        ],
+        riskWeight: 85,
+        tags: ['deserialization', 'owasp', 'a08-integrity', 'php']
+    },
+    {
+        id: 'sec-082',
+        name: 'Insecure Deserialization Prevention - Python Pickle',
+        description: 'Detects Python pickle deserialization attacks',
+        type: 'security',
+        enabled: true,
+        priority: 985,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'payload', operator: 'matches_regex', value: '(cos\\nsystem|posix\\nsystem|__reduce__|\\x80\\x04)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Python deserialization attack detected - action blocked' },
+            { type: 'notify', message: 'Security alert: Python deserialization attempt' }
+        ],
+        riskWeight: 85,
+        tags: ['deserialization', 'owasp', 'a08-integrity', 'python']
+    },
+    {
+        id: 'sec-083',
+        name: 'Insecure Deserialization Prevention - .NET',
+        description: 'Detects .NET deserialization attacks',
+        type: 'security',
+        enabled: true,
+        priority: 985,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'payload', operator: 'matches_regex', value: '(BinaryFormatter|ObjectStateFormatter|SoapFormatter|NetDataContractSerializer|LosFormatter)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: '.NET deserialization attack detected - action blocked' },
+            { type: 'notify', message: 'Security alert: .NET deserialization attack attempt' }
+        ],
+        riskWeight: 85,
+        tags: ['deserialization', 'owasp', 'a08-integrity', 'dotnet']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - XXE (A05:2021 - Security Misconfiguration)
+    // ============================================================================
+    {
+        id: 'sec-090',
+        name: 'XXE Prevention - External Entity',
+        description: 'Detects XML External Entity injection attacks',
+        type: 'security',
+        enabled: true,
+        priority: 995,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['data_access', 'data_modification'] },
+            { field: 'payload', operator: 'matches_regex', value: '(<!ENTITY|<!DOCTYPE.*\\[|SYSTEM\\s+["\']|PUBLIC\\s+["\'])' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'XXE attack detected - external entity declaration blocked' },
+            { type: 'notify', message: 'Security alert: XXE injection attempt detected' }
+        ],
+        riskWeight: 85,
+        tags: ['xxe', 'owasp', 'a05-misconfiguration', 'xml']
+    },
+    {
+        id: 'sec-091',
+        name: 'XXE Prevention - Parameter Entity',
+        description: 'Detects XXE parameter entity attacks',
+        type: 'security',
+        enabled: true,
+        priority: 990,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['data_access', 'data_modification'] },
+            { field: 'payload', operator: 'matches_regex', value: '(%[a-zA-Z0-9]+;|<!ENTITY\\s+%\\s+)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'XXE parameter entity attack detected - action blocked' },
+            { type: 'notify', message: 'Security alert: XXE parameter entity attempt' }
+        ],
+        riskWeight: 80,
+        tags: ['xxe', 'owasp', 'a05-misconfiguration', 'xml']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - OPEN REDIRECTS (A01:2021 - Broken Access Control)
+    // ============================================================================
+    {
+        id: 'sec-100',
+        name: 'Open Redirect Prevention',
+        description: 'Detects and blocks open redirect vulnerabilities',
+        type: 'security',
+        enabled: true,
+        priority: 920,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'network' },
+            { field: 'redirectUrl', operator: 'matches_regex', value: '^(https?://|//|\\\\\\\\)(?!localhost|127\\.0\\.0\\.1)' },
+            { field: 'redirectValidated', operator: 'not_equals', value: true }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Open redirect detected - external redirect not allowed' },
+            { type: 'notify', message: 'Security alert: Open redirect attempt detected' }
+        ],
+        riskWeight: 60,
+        tags: ['open-redirect', 'owasp', 'a01-broken-access-control']
+    },
+    {
+        id: 'sec-101',
+        name: 'Open Redirect Prevention - JavaScript Protocol',
+        description: 'Blocks javascript: protocol in redirects',
+        type: 'security',
+        enabled: true,
+        priority: 950,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'network' },
+            { field: 'redirectUrl', operator: 'matches_regex', value: '(javascript:|data:|vbscript:)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Dangerous protocol in redirect URL blocked' },
+            { type: 'notify', message: 'Security alert: JavaScript protocol redirect attempt' }
+        ],
+        riskWeight: 75,
+        tags: ['open-redirect', 'owasp', 'xss', 'a01-broken-access-control']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - MASS ASSIGNMENT (A01:2021 - Broken Access Control)
+    // ============================================================================
+    {
+        id: 'sec-110',
+        name: 'Mass Assignment Prevention - Admin Fields',
+        description: 'Blocks mass assignment of admin/privileged fields',
+        type: 'security',
+        enabled: true,
+        priority: 960,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'assignedFields', operator: 'contains', value: 'isAdmin' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Mass assignment blocked - cannot assign admin fields directly' },
+            { type: 'notify', message: 'Security alert: Mass assignment attempt on admin field' }
+        ],
+        riskWeight: 70,
+        tags: ['mass-assignment', 'owasp', 'a01-broken-access-control']
+    },
+    {
+        id: 'sec-111',
+        name: 'Mass Assignment Prevention - Role Fields',
+        description: 'Blocks mass assignment of role/permission fields',
+        type: 'security',
+        enabled: true,
+        priority: 955,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'assignedFields', operator: 'matches_regex', value: '(role|permission|privilege|access_level|is_superuser|is_staff)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Mass assignment blocked - cannot assign role/permission fields directly' },
+            { type: 'notify', message: 'Security alert: Mass assignment attempt on role field' }
+        ],
+        riskWeight: 70,
+        tags: ['mass-assignment', 'owasp', 'a01-broken-access-control']
+    },
+    {
+        id: 'sec-112',
+        name: 'Mass Assignment Prevention - Sensitive Fields',
+        description: 'Blocks mass assignment of password and sensitive fields',
+        type: 'security',
+        enabled: true,
+        priority: 965,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'assignedFields', operator: 'matches_regex', value: '(password|password_hash|secret|api_key|token|credit_card|ssn|account_number)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Mass assignment blocked - cannot assign sensitive fields directly' },
+            { type: 'notify', message: 'Security alert: Mass assignment attempt on sensitive field' }
+        ],
+        riskWeight: 80,
+        tags: ['mass-assignment', 'owasp', 'a01-broken-access-control', 'pii']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - BROKEN ACCESS CONTROL (A01:2021)
+    // ============================================================================
+    {
+        id: 'sec-120',
+        name: 'IDOR Prevention - Direct Object Reference',
+        description: 'Detects insecure direct object reference patterns',
+        type: 'security',
+        enabled: true,
+        priority: 940,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_access' },
+            { field: 'objectId', operator: 'exists', value: null },
+            { field: 'ownershipVerified', operator: 'not_equals', value: true }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'require_approval', message: 'Direct object access requires ownership verification' },
+            { type: 'warn', message: 'IDOR risk: Ensure object ownership is verified' }
+        ],
+        riskWeight: 55,
+        tags: ['idor', 'owasp', 'a01-broken-access-control']
+    },
+    {
+        id: 'sec-121',
+        name: 'Horizontal Privilege Escalation Prevention',
+        description: 'Blocks access to resources owned by other users',
+        type: 'security',
+        enabled: true,
+        priority: 970,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['data_access', 'data_modification'] },
+            { field: 'resourceOwnerId', operator: 'not_equals', value: '@userId' },
+            { field: 'userRole', operator: 'not_in', value: ['admin', 'superuser'] }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Access denied - resource belongs to another user' },
+            { type: 'notify', message: 'Security alert: Horizontal privilege escalation attempt' }
+        ],
+        riskWeight: 65,
+        tags: ['privilege-escalation', 'owasp', 'a01-broken-access-control']
+    },
+    {
+        id: 'sec-122',
+        name: 'Force Browsing Prevention',
+        description: 'Blocks access to unauthorized admin/system endpoints',
+        type: 'security',
+        enabled: true,
+        priority: 950,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'network' },
+            { field: 'targetUrl', operator: 'matches_regex', value: '(/admin|/management|/console|/debug|/actuator|/swagger|/api-docs)' },
+            { field: 'userRole', operator: 'not_in', value: ['admin', 'developer'] }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Access to admin endpoints denied - insufficient privileges' },
+            { type: 'notify', message: 'Security alert: Unauthorized admin endpoint access attempt' }
+        ],
+        riskWeight: 60,
+        tags: ['force-browsing', 'owasp', 'a01-broken-access-control']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - CRYPTOGRAPHIC FAILURES (A02:2021)
+    // ============================================================================
+    {
+        id: 'sec-130',
+        name: 'Weak Cryptography Detection - MD5/SHA1',
+        description: 'Detects use of weak cryptographic algorithms',
+        type: 'security',
+        enabled: true,
+        priority: 900,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['data_access', 'data_modification', 'authentication'] },
+            { field: 'algorithm', operator: 'in', value: ['md5', 'sha1', 'des', '3des', 'rc4', 'rc2'] }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'warn', message: 'Weak cryptographic algorithm detected - use SHA-256 or stronger' },
+            { type: 'log' }
+        ],
+        riskWeight: 45,
+        tags: ['cryptography', 'owasp', 'a02-crypto-failures']
+    },
+    {
+        id: 'sec-131',
+        name: 'Hardcoded Secrets Detection',
+        description: 'Detects hardcoded secrets, passwords, and API keys',
+        type: 'security',
+        enabled: true,
+        priority: 980,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'code_execution' },
+            { field: 'code', operator: 'matches_regex', value: '(password\\s*=\\s*["\'][^"\']+["\']|api[_-]?key\\s*=\\s*["\'][^"\']+["\']|secret\\s*=\\s*["\'][^"\']+["\']|-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'Hardcoded secret detected - use environment variables or secret management' },
+            { type: 'notify', message: 'Security alert: Hardcoded secret detected in code' }
+        ],
+        riskWeight: 75,
+        tags: ['secrets', 'owasp', 'a02-crypto-failures']
+    },
+    {
+        id: 'sec-132',
+        name: 'Insufficient Key Length Detection',
+        description: 'Detects cryptographic keys that are too short',
+        type: 'security',
+        enabled: true,
+        priority: 890,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['authentication', 'data_modification'] },
+            { field: 'keyLength', operator: 'less_than', value: 2048 },
+            { field: 'algorithm', operator: 'in', value: ['rsa', 'dsa'] }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'warn', message: 'Cryptographic key length too short - use at least 2048 bits for RSA/DSA' },
+            { type: 'log' }
+        ],
+        riskWeight: 40,
+        tags: ['cryptography', 'owasp', 'a02-crypto-failures']
+    },
+    {
+        id: 'sec-133',
+        name: 'Insecure Random Number Generation',
+        description: 'Detects use of weak random number generators for security purposes',
+        type: 'security',
+        enabled: true,
+        priority: 910,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['authentication', 'code_execution'] },
+            { field: 'randomGenerator', operator: 'in', value: ['Math.random', 'random.random', 'rand', 'srand'] },
+            { field: 'securityContext', operator: 'equals', value: true }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'warn', message: 'Weak random number generator used in security context - use cryptographically secure RNG' },
+            { type: 'log' }
+        ],
+        riskWeight: 50,
+        tags: ['cryptography', 'owasp', 'a02-crypto-failures']
+    },
+    {
+        id: 'sec-134',
+        name: 'Unencrypted Sensitive Data Storage',
+        description: 'Detects storage of sensitive data without encryption',
+        type: 'security',
+        enabled: true,
+        priority: 920,
+        conditions: [
+            { field: 'actionCategory', operator: 'equals', value: 'data_modification' },
+            { field: 'dataClassification', operator: 'in', value: ['confidential', 'restricted'] },
+            { field: 'encrypted', operator: 'not_equals', value: true }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'require_approval', message: 'Storing sensitive data without encryption requires approval' },
+            { type: 'warn', message: 'Sensitive data should be encrypted at rest' }
+        ],
+        riskWeight: 55,
+        tags: ['encryption', 'owasp', 'a02-crypto-failures', 'data-protection']
+    },
+    // ============================================================================
+    // OWASP TOP 10 - XSS (A03:2021 - Injection)
+    // ============================================================================
+    {
+        id: 'sec-140',
+        name: 'XSS Prevention - Script Tags',
+        description: 'Detects script tag injection attempts',
+        type: 'security',
+        enabled: true,
+        priority: 990,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['data_modification', 'user_communication'] },
+            { field: 'payload', operator: 'matches_regex', value: '(<script|<\\/script|javascript:|on\\w+\\s*=)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'XSS attack detected - script injection blocked' },
+            { type: 'notify', message: 'Security alert: XSS injection attempt detected' }
+        ],
+        riskWeight: 80,
+        tags: ['xss', 'owasp', 'a03-injection']
+    },
+    {
+        id: 'sec-141',
+        name: 'XSS Prevention - Event Handlers',
+        description: 'Detects event handler injection attempts',
+        type: 'security',
+        enabled: true,
+        priority: 985,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['data_modification', 'user_communication'] },
+            { field: 'payload', operator: 'matches_regex', value: '(onerror|onload|onclick|onmouseover|onfocus|onblur|onchange|onsubmit)\\s*=' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'XSS attack detected - event handler injection blocked' },
+            { type: 'notify', message: 'Security alert: XSS event handler injection attempt' }
+        ],
+        riskWeight: 75,
+        tags: ['xss', 'owasp', 'a03-injection']
+    },
+    {
+        id: 'sec-142',
+        name: 'XSS Prevention - Data URI',
+        description: 'Detects data URI XSS injection attempts',
+        type: 'security',
+        enabled: true,
+        priority: 980,
+        conditions: [
+            { field: 'actionCategory', operator: 'in', value: ['data_modification', 'user_communication'] },
+            { field: 'payload', operator: 'matches_regex', value: 'data:\\s*(text\\/html|application\\/javascript|text\\/javascript)' }
+        ],
+        conditionLogic: 'all',
+        actions: [
+            { type: 'deny', message: 'XSS attack detected - data URI injection blocked' },
+            { type: 'notify', message: 'Security alert: XSS data URI injection attempt' }
+        ],
+        riskWeight: 70,
+        tags: ['xss', 'owasp', 'a03-injection']
     }
 ];
 export default securityRules;