archicore 0.3.6 → 0.3.7

package/dist/server/routes/api.js

@@ -11,6 +11,7 @@ import { ExportManager } from '../../export/index.js';
 import { authMiddleware } from './auth.js';
 import { FileUtils } from '../../utils/file-utils.js';
 import { taskQueue } from '../services/task-queue.js';
+import { EnterpriseIndexer, TIER_CONFIG } from '../services/enterprise-indexer.js';
 export const apiRouter = Router();
 // Singleton сервиса проектов
 const projectService = new ProjectService();
@@ -761,8 +762,10 @@ apiRouter.post('/projects/:id/documentation', authMiddleware, checkProjectAccess
  */
 apiRouter.get('/projects/:id/index-progress', async (req, res) => {
     const { id } = req.params;
-    // Handle auth via query param (EventSource doesn't support headers)
-    const token = req.query.token || req.headers.authorization?.substring(7);
+    // Handle auth via query param, header, or cookie (EventSource doesn't support custom headers)
+    const token = req.query.token
+        || req.headers.authorization?.substring(7)
+        || req.cookies?.archicore_token;
     if (!token) {
         res.status(401).json({ error: 'Authentication required' });
         return;
@@ -1035,6 +1038,243 @@ apiRouter.get('/queue/stats', authMiddleware, async (req, res) => {
         res.status(500).json({ error: 'Failed to get queue stats' });
     }
 });
+// ==================== ENTERPRISE ENDPOINTS ====================
+/**
+ * GET /api/projects/:id/enterprise/estimate
+ * Get estimation for enterprise-scale project analysis
+ */
+apiRouter.get('/projects/:id/enterprise/estimate', authMiddleware, checkProjectAccess, async (req, res) => {
+    try {
+        const { id } = req.params;
+        const project = await projectService.getProject(id);
+        if (!project) {
+            res.status(404).json({ error: 'Project not found' });
+            return;
+        }
+        const indexer = new EnterpriseIndexer(project.path);
+        await indexer.initialize();
+        const estimate = await indexer.getProjectSize();
+        res.json({
+            projectId: id,
+            projectName: project.name,
+            ...estimate,
+            tiers: {
+                quick: {
+                    ...TIER_CONFIG.quick,
+                    estimatedFiles: Math.min(estimate.totalFiles, TIER_CONFIG.quick.maxFiles),
+                },
+                standard: {
+                    ...TIER_CONFIG.standard,
+                    estimatedFiles: Math.min(estimate.totalFiles, TIER_CONFIG.standard.maxFiles),
+                },
+                deep: {
+                    ...TIER_CONFIG.deep,
+                    estimatedFiles: Math.min(estimate.totalFiles, TIER_CONFIG.deep.maxFiles),
+                },
+            },
+        });
+    }
+    catch (error) {
+        Logger.error('Failed to estimate project:', error);
+        res.status(500).json({ error: 'Failed to estimate project' });
+    }
+});
+/**
+ * POST /api/projects/:id/enterprise/index
+ * Index large project with enterprise options
+ */
+apiRouter.post('/projects/:id/enterprise/index', authMiddleware, checkProjectAccess, async (req, res) => {
+    try {
+        const { id } = req.params;
+        const userId = getUserId(req);
+        const options = req.body;
+        // Check tier access
+        if (options.tier === 'deep' && req.user?.tier !== 'enterprise') {
+            res.status(403).json({
+                error: 'Deep analysis requires Enterprise tier',
+                upgradeUrl: '/pricing'
+            });
+            return;
+        }
+        const project = await projectService.getProject(id);
+        if (!project) {
+            res.status(404).json({ error: 'Project not found' });
+            return;
+        }
+        // Create async task for enterprise indexing
+        const task = taskQueue.createTask('enterprise-index', id, userId || 'anonymous');
+        // Store options in task
+        task.enterpriseOptions = options;
+        res.json({
+            taskId: task.id,
+            status: task.status,
+            message: 'Enterprise indexing task queued. Poll /api/tasks/:taskId for status.',
+            options: {
+                tier: options.tier || 'standard',
+                sampling: options.sampling,
+                incremental: options.incremental,
+            },
+        });
+    }
+    catch (error) {
+        Logger.error('Failed to start enterprise indexing:', error);
+        res.status(500).json({ error: 'Failed to start enterprise indexing' });
+    }
+});
+/**
+ * GET /api/projects/:id/enterprise/files
+ * Get list of files that would be analyzed based on current options
+ */
+apiRouter.get('/projects/:id/enterprise/files', authMiddleware, checkProjectAccess, async (req, res) => {
+    try {
+        const { id } = req.params;
+        const tier = req.query.tier || 'standard';
+        const strategy = req.query.strategy || 'smart';
+        const project = await projectService.getProject(id);
+        if (!project) {
+            res.status(404).json({ error: 'Project not found' });
+            return;
+        }
+        const indexer = new EnterpriseIndexer(project.path, {
+            tier,
+            sampling: {
+                enabled: true,
+                maxFiles: TIER_CONFIG[tier].maxFiles,
+                strategy
+            }
+        });
+        await indexer.initialize();
+        const files = await indexer.getFilesToIndex();
+        // Return relative paths
+        const relativePaths = files.map(f => {
+            const rel = f.replace(project.path, '').replace(/^[\/\\]/, '');
+            return rel;
+        });
+        res.json({
+            projectId: id,
+            tier,
+            strategy,
+            totalSelected: files.length,
+            maxAllowed: TIER_CONFIG[tier].maxFiles,
+            files: relativePaths.slice(0, 100), // Return first 100 for preview
+            hasMore: relativePaths.length > 100
+        });
+    }
+    catch (error) {
+        Logger.error('Failed to get enterprise files:', error);
+        res.status(500).json({ error: 'Failed to get files' });
+    }
+});
+/**
+ * POST /api/projects/:id/enterprise/incremental
+ * Run incremental indexing (only changed files)
+ */
+apiRouter.post('/projects/:id/enterprise/incremental', authMiddleware, checkProjectAccess, async (req, res) => {
+    try {
+        const { id } = req.params;
+        const { since } = req.body;
+        if (!since) {
+            res.status(400).json({ error: 'since parameter required (ISO date or commit hash)' });
+            return;
+        }
+        const project = await projectService.getProject(id);
+        if (!project) {
+            res.status(404).json({ error: 'Project not found' });
+            return;
+        }
+        const indexer = new EnterpriseIndexer(project.path, {
+            tier: 'standard',
+            incremental: { enabled: true, since },
+            sampling: { enabled: false, maxFiles: 50000, strategy: 'smart' }
+        });
+        await indexer.initialize();
+        const changedFiles = await indexer.getChangedFiles(since);
+        if (changedFiles.length === 0) {
+            res.json({
+                message: 'No changed files found',
+                since,
+                changedFiles: 0
+            });
+            return;
+        }
+        // Return changed files info
+        const relativePaths = changedFiles.map(f => f.replace(project.path, '').replace(/^[\/\\]/, ''));
+        res.json({
+            projectId: id,
+            since,
+            changedFiles: changedFiles.length,
+            files: relativePaths.slice(0, 50),
+            hasMore: relativePaths.length > 50,
+            message: `Found ${changedFiles.length} changed files. Use POST /api/projects/:id/enterprise/index with incremental.enabled=true to index them.`
+        });
+    }
+    catch (error) {
+        Logger.error('Failed to check incremental changes:', error);
+        res.status(500).json({ error: 'Failed to check incremental changes' });
+    }
+});
+/**
+ * GET /api/enterprise/tiers
+ * Get available analysis tiers info
+ */
+apiRouter.get('/enterprise/tiers', async (_req, res) => {
+    res.json({
+        tiers: TIER_CONFIG,
+        recommendations: {
+            quick: 'Best for initial exploration of large projects (50K+ files)',
+            standard: 'Recommended for most projects - balances speed and depth',
+            deep: 'For critical projects requiring comprehensive analysis (Enterprise only)'
+        },
+        samplingStrategies: {
+            smart: 'AI-powered selection based on importance, imports, and git activity',
+            'hot-files': 'Files with most git commits in the last year',
+            'directory-balanced': 'Equal representation from each directory',
+            random: 'Random sampling'
+        }
+    });
+});
+// Register enterprise indexing task executor
+taskQueue.registerExecutor('enterprise-index', async (task, updateProgress) => {
+    try {
+        const project = await projectService.getProject(task.projectId);
+        if (!project) {
+            return { success: false, error: 'Project not found' };
+        }
+        const options = task.enterpriseOptions || {};
+        updateProgress({ phase: 'initializing', current: 5, message: 'Initializing enterprise indexer...' });
+        const indexer = new EnterpriseIndexer(project.path, options);
+        await indexer.initialize();
+        updateProgress({ phase: 'scanning', current: 10, message: 'Scanning project files...' });
+        const files = await indexer.getFilesToIndex();
+        const tierConfig = indexer.getTierConfig();
+        updateProgress({
+            phase: 'indexing',
+            current: 15,
+            message: `Selected ${files.length} files using ${options.sampling?.strategy || 'smart'} strategy`
+        });
+        // Return the selected files info - actual indexing happens in project service
+        // This task prepares the files, project service handles the rest
+        return {
+            success: true,
+            data: {
+                tier: options.tier || 'standard',
+                selectedFiles: files.length,
+                maxFiles: tierConfig.maxFiles,
+                strategy: options.sampling?.strategy || 'smart',
+                skipEmbeddings: tierConfig.skipEmbeddings,
+                skipSecurity: tierConfig.skipSecurity,
+                skipDuplication: tierConfig.skipDuplication,
+                files: files.slice(0, 100), // First 100 for reference
+            }
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: error instanceof Error ? error.message : String(error),
+        };
+    }
+});
 // Helper function to format time
 function formatTime(seconds) {
     if (seconds < 60) {

package/dist/server/routes/auth.d.ts

@@ -4,6 +4,7 @@
 import { Request, Response, NextFunction } from 'express';
 import { User as ArchiCoreUser } from '../../types/user.js';
 export declare const authRouter: import("express-serve-static-core").Router;
+export declare function cleanupAuthIntervals(): void;
 declare global {
     namespace Express {
         interface Request {

package/dist/server/routes/auth.js

@@ -2,6 +2,7 @@
  * Authentication API Routes for ArchiCore
  */
 import { Router } from 'express';
+import crypto from 'crypto';
 import { AuthService } from '../services/auth-service.js';
 import { auditService } from '../services/audit-service.js';
 import { Logger } from '../../utils/logger.js';
@@ -64,12 +65,14 @@ async function deleteVerificationCode(email) {
     await cache.del(key);
     verificationCodes.delete(email);
 }
-// Generate 6-digit verification code
+// Generate 6-digit verification code using cryptographically secure random
 function generateVerificationCode() {
-    return Math.floor(100000 + Math.random() * 900000).toString();
+    // Use crypto.randomInt for secure random number generation
+    const code = crypto.randomInt(100000, 1000000);
+    return code.toString();
 }
 // Cleanup expired memory codes
-setInterval(() => {
+const cleanupIntervalId = setInterval(() => {
     const now = Date.now();
     for (const [email, data] of verificationCodes.entries()) {
         if (data.expiresAt < now) {
@@ -77,6 +80,11 @@ setInterval(() => {
         }
     }
 }, 60 * 1000); // Clean up every minute
+// Export cleanup function for graceful shutdown
+export function cleanupAuthIntervals() {
+    clearInterval(cleanupIntervalId);
+    Logger.info('Auth cleanup intervals cleared');
+}
 // Middleware to check authentication (supports both Bearer token and httpOnly cookie)
 export async function authMiddleware(req, res, next) {
     const authHeader = req.headers.authorization;

package/dist/server/routes/gitlab.js

@@ -10,7 +10,9 @@
 import { Router } from 'express';
 import { mkdir } from 'fs/promises';
 import { join } from 'path';
-import AdmZip from 'adm-zip';
+import { Readable } from 'stream';
+import { pipeline } from 'stream/promises';
+import * as tar from 'tar';
 import { GitLabService } from '../../gitlab/gitlab-service.js';
 import { ProjectService } from '../services/project-service.js';
 import { AuthService } from '../services/auth-service.js';
@@ -106,31 +108,18 @@ gitlabRouter.post('/connect', authMiddleware, async (req, res) => {
         // Download and create ArchiCore project
         const targetBranch = branch || project.default_branch || 'main';
         Logger.progress(`Downloading GitLab repository: ${project.path_with_namespace} (branch: ${targetBranch})`);
-        const zipBuffer = await gitlabService.downloadRepository(req.user.id, instance.id, project.id, targetBranch);
+        const tarGzBuffer = await gitlabService.downloadRepository(req.user.id, instance.id, project.id, targetBranch);
+        Logger.info(`Downloaded tar.gz: ${tarGzBuffer.length} bytes`);
         // Create projects directory
         const projectsDir = process.env.PROJECTS_DIR || join('.archicore', 'projects');
         await mkdir(projectsDir, { recursive: true });
-        // Extract to project directory
+        // Extract tar.gz to project directory
         const projectPath = join(projectsDir, project.name);
         await mkdir(projectPath, { recursive: true });
-        const zip = new AdmZip(zipBuffer);
-        const zipEntries = zip.getEntries();
-        // Extract files
-        for (const entry of zipEntries) {
-            if (entry.isDirectory) {
-                const dirPath = join(projectPath, entry.entryName);
-                await mkdir(dirPath, { recursive: true });
-            }
-            else {
-                const filePath = join(projectPath, entry.entryName);
-                const fileDir = join(projectPath, entry.entryName.split('/').slice(0, -1).join('/'));
-                await mkdir(fileDir, { recursive: true });
-                const content = entry.getData();
-                const { writeFile } = await import('fs/promises');
-                await writeFile(filePath, content);
-            }
-        }
-        // GitLab creates a folder like "project-branch" inside, find it
+        // Extract tar.gz archive from buffer
+        const tarStream = Readable.from(tarGzBuffer);
+        await pipeline(tarStream, tar.extract({ cwd: projectPath }));
+        // GitLab creates a folder like "project-branch-sha" inside, find it
         const { readdir, stat } = await import('fs/promises');
         const contents = await readdir(projectPath);
         let actualPath = projectPath;
@@ -390,36 +379,19 @@ gitlabRouter.post('/repositories/connect', authMiddleware, async (req, res) => {
                 const project = await gitlabService.getProject(req.user.id, instanceId, projectId);
                 const targetBranch = branch || project.default_branch || 'main';
                 Logger.progress(`Downloading GitLab repository: ${project.path_with_namespace} (branch: ${targetBranch})`);
-                const zipBuffer = await gitlabService.downloadRepository(req.user.id, instanceId, projectId, targetBranch);
-                Logger.info(`Downloaded ZIP: ${zipBuffer.length} bytes`);
+                const tarGzBuffer = await gitlabService.downloadRepository(req.user.id, instanceId, projectId, targetBranch);
+                Logger.info(`Downloaded tar.gz: ${tarGzBuffer.length} bytes`);
                 // Create projects directory
                 const projectsDir = process.env.PROJECTS_DIR || join('.archicore', 'projects');
                 await mkdir(projectsDir, { recursive: true });
-                // Extract to project directory
+                // Extract tar.gz to project directory
                 const projectPath = join(projectsDir, project.name);
                 await mkdir(projectPath, { recursive: true });
-                const zip = new AdmZip(zipBuffer);
-                const zipEntries = zip.getEntries();
-                Logger.info(`ZIP contains ${zipEntries.length} entries`);
-                // Extract files
-                let extractedCount = 0;
-                for (const entry of zipEntries) {
-                    if (entry.isDirectory) {
-                        const dirPath = join(projectPath, entry.entryName);
-                        await mkdir(dirPath, { recursive: true });
-                    }
-                    else {
-                        const filePath = join(projectPath, entry.entryName);
-                        const fileDir = join(projectPath, entry.entryName.split('/').slice(0, -1).join('/'));
-                        await mkdir(fileDir, { recursive: true });
-                        const content = entry.getData();
-                        const { writeFile } = await import('fs/promises');
-                        await writeFile(filePath, content);
-                        extractedCount++;
-                    }
-                }
-                Logger.info(`Extraction complete: ${extractedCount} files extracted`);
-                // GitLab creates a folder like "project-branch" inside, find it
+                // Extract tar.gz archive from buffer
+                const tarStream = Readable.from(tarGzBuffer);
+                await pipeline(tarStream, tar.extract({ cwd: projectPath }));
+                Logger.info(`Extraction complete`);
+                // GitLab creates a folder like "project-branch-sha" inside, find it
                 const { readdir, stat } = await import('fs/promises');
                 const contents = await readdir(projectPath);
                 let actualPath = projectPath;

package/dist/server/routes/report-issue.js

@@ -7,7 +7,31 @@ import { Router } from 'express';
 import multer from 'multer';
 import path from 'path';
 import fs from 'fs/promises';
+import nodemailer from 'nodemailer';
 import { Logger } from '../../utils/logger.js';
+// SMTP transporter (lazy initialized)
+let mailTransporter = null;
+function getMailTransporter() {
+    if (mailTransporter)
+        return mailTransporter;
+    const smtpHost = process.env.SMTP_HOST;
+    const smtpPort = process.env.SMTP_PORT;
+    const smtpUser = process.env.SMTP_USER;
+    const smtpPass = process.env.SMTP_PASS;
+    if (!smtpHost || !smtpUser || !smtpPass) {
+        return null;
+    }
+    mailTransporter = nodemailer.createTransport({
+        host: smtpHost,
+        port: parseInt(smtpPort || '465', 10),
+        secure: process.env.SMTP_SECURE !== 'false',
+        auth: {
+            user: smtpUser,
+            pass: smtpPass,
+        },
+    });
+    return mailTransporter;
+}
 export const reportIssueRouter = Router();
 // Directory for storing reports
 const REPORTS_DIR = process.env.REPORTS_DIR || path.join('.archicore', 'reports');
@@ -229,6 +253,85 @@ reportIssueRouter.patch('/:id/status', async (req, res) => {
  * Send notification about new report (optional integrations)
  */
 async function sendNotification(report) {
+    // Email notification (primary)
+    const transporter = getMailTransporter();
+    const emailTo = process.env.REPORT_EMAIL || process.env.SMTP_USER || 'info@archicore.io';
+    const emailFrom = process.env.EMAIL_FROM || process.env.SMTP_USER;
+    const emailFromName = process.env.EMAIL_FROM_NAME || 'ArchiCore';
+    if (transporter && emailFrom) {
+        try {
+            const priorityColors = {
+                critical: '#ff0000',
+                high: '#ff6600',
+                medium: '#ffcc00',
+                low: '#00cc00'
+            };
+            const htmlContent = `
+        <div style="font-family: Arial, sans-serif; max-width: 600px; margin: 0 auto;">
+          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 20px; border-radius: 8px 8px 0 0;">
+            <h1 style="color: white; margin: 0;">New Issue Report</h1>
+          </div>
+          <div style="background: #f9f9f9; padding: 20px; border: 1px solid #ddd; border-top: none;">
+            <table style="width: 100%; border-collapse: collapse;">
+              <tr>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;"><strong>Report ID:</strong></td>
+                <td style="padding: 10px; border-bottom: 1px solid #eee; font-family: monospace;">${report.id}</td>
+              </tr>
+              <tr>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;"><strong>Category:</strong></td>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;">${report.category}</td>
+              </tr>
+              <tr>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;"><strong>Priority:</strong></td>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;">
+                  <span style="background: ${priorityColors[report.priority] || '#808080'}; color: white; padding: 3px 8px; border-radius: 4px; font-weight: bold;">
+                    ${report.priority.toUpperCase()}
+                  </span>
+                </td>
+              </tr>
+              ${report.email ? `
+              <tr>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;"><strong>Reporter Email:</strong></td>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;"><a href="mailto:${report.email}">${report.email}</a></td>
+              </tr>
+              ` : ''}
+              <tr>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;"><strong>Submitted:</strong></td>
+                <td style="padding: 10px; border-bottom: 1px solid #eee;">${new Date(report.timestamp).toLocaleString()}</td>
+              </tr>
+            </table>
+            <div style="margin-top: 20px; padding: 15px; background: white; border: 1px solid #ddd; border-radius: 4px;">
+              <strong>Description:</strong>
+              <p style="white-space: pre-wrap; margin: 10px 0 0 0;">${report.description}</p>
+            </div>
+            ${report.additionalInfo ? `
+            <div style="margin-top: 15px; padding: 15px; background: white; border: 1px solid #ddd; border-radius: 4px;">
+              <strong>Additional Info:</strong>
+              <p style="white-space: pre-wrap; margin: 10px 0 0 0;">${report.additionalInfo}</p>
+            </div>
+            ` : ''}
+            ${report.hasScreenshot ? `
+            <p style="margin-top: 15px; color: #666;"><em>📎 Screenshot attached to this report</em></p>
+            ` : ''}
+          </div>
+          <div style="background: #333; color: #999; padding: 15px; border-radius: 0 0 8px 8px; text-align: center; font-size: 12px;">
+            ArchiCore Issue Tracker - Automated Notification
+          </div>
+        </div>
+      `;
+            await transporter.sendMail({
+                from: `"${emailFromName}" <${emailFrom}>`,
+                to: emailTo,
+                subject: `[${report.priority.toUpperCase()}] New Issue Report: ${report.category}`,
+                html: htmlContent,
+                text: `New Issue Report\n\nID: ${report.id}\nCategory: ${report.category}\nPriority: ${report.priority}\nEmail: ${report.email || 'Not provided'}\n\nDescription:\n${report.description}\n\nAdditional Info:\n${report.additionalInfo || 'None'}`
+            });
+            Logger.info(`Email notification sent for report ${report.id}`);
+        }
+        catch (err) {
+            Logger.warn('Failed to send email notification:', err);
+        }
+    }
     // Discord webhook
     const discordWebhook = process.env.DISCORD_WEBHOOK_URL;
     if (discordWebhook) {

package/dist/server/routes/upload.js

@@ -111,7 +111,7 @@ uploadRouter.post('/', authMiddleware, upload.single('file'), async (req, res) =
  * - threats: SecurityThreat[]
  * - warnings: string[]
  */
-uploadRouter.post('/scan', upload.single('file'), async (req, res) => {
+uploadRouter.post('/scan', authMiddleware, upload.single('file'), async (req, res) => {
     try {
         if (!req.file) {
             res.status(400).json({ error: 'No file uploaded' });
@@ -151,7 +151,7 @@ uploadRouter.post('/scan', upload.single('file'), async (req, res) => {
  * GET /api/upload/projects
  * Получить список загруженных проектов
  */
-uploadRouter.get('/projects', async (_req, res) => {
+uploadRouter.get('/projects', authMiddleware, async (_req, res) => {
     try {
         const projects = await uploadService.listUploadedProjects();
         res.json({ projects });
@@ -165,7 +165,7 @@ uploadRouter.get('/projects', async (_req, res) => {
  * DELETE /api/upload/:uploadId
  * Удалить загруженный проект
  */
-uploadRouter.delete('/:uploadId', async (req, res) => {
+uploadRouter.delete('/:uploadId', authMiddleware, async (req, res) => {
     try {
         const { uploadId } = req.params;
         await uploadService.deleteProject(uploadId);

package/dist/server/services/encryption.js

@@ -19,14 +19,27 @@ class EncryptionService {
         if (this.initialized)
             return;
         const encryptionKey = process.env.ENCRYPTION_KEY;
+        const encryptionSalt = process.env.ENCRYPTION_SALT;
+        // SECURITY: Require encryption key in production
         if (!encryptionKey) {
+            if (process.env.NODE_ENV === 'production') {
+                Logger.error('CRITICAL: ENCRYPTION_KEY is required in production');
+                throw new Error('ENCRYPTION_KEY environment variable is required');
+            }
             Logger.warn('ENCRYPTION_KEY not set - generating temporary key (NOT FOR PRODUCTION)');
-            // Generate a temporary key for development
             this.key = crypto.randomBytes(32);
         }
         else {
+            // SECURITY: Require salt in production
+            if (!encryptionSalt) {
+                if (process.env.NODE_ENV === 'production') {
+                    Logger.error('CRITICAL: ENCRYPTION_SALT is required in production');
+                    throw new Error('ENCRYPTION_SALT environment variable is required');
+                }
+                Logger.warn('ENCRYPTION_SALT not set - using random salt (NOT FOR PRODUCTION)');
+            }
             // Derive key from password using PBKDF2
-            const salt = process.env.ENCRYPTION_SALT || 'archicore-default-salt';
+            const salt = encryptionSalt || crypto.randomBytes(32).toString('hex');
             this.key = crypto.pbkdf2Sync(encryptionKey, salt, 100000, 32, 'sha256');
         }
         this.initialized = true;
@@ -93,9 +106,12 @@ class EncryptionService {
      * Hash a value (one-way, for comparison)
      */
     hash(value) {
-        const salt = process.env.ENCRYPTION_SALT || 'archicore-default-salt';
+        const salt = process.env.ENCRYPTION_SALT;
+        if (!salt && process.env.NODE_ENV === 'production') {
+            throw new Error('ENCRYPTION_SALT is required for hashing in production');
+        }
         return crypto
-            .createHmac('sha256', salt)
+            .createHmac('sha256', salt || 'dev-only-salt')
             .update(value)
             .digest('hex');
     }