bs9 1.0.0 → 1.1.0

package/src/commands/profile.ts

@@ -0,0 +1,338 @@
+#!/usr/bin/env bun
+
+import { execSync } from "node:child_process";
+import { setTimeout } from "node:timers/promises";
+
+interface ProfileOptions {
+  duration?: string;
+  output?: string;
+  service?: string;
+  interval?: string;
+}
+
+interface ProfileData {
+  timestamp: number;
+  cpu: number;
+  memory: number;
+  heapUsed: number;
+  heapTotal: number;
+  external: number;
+  eventLoopLag: number;
+  activeHandles: number;
+  activeRequests: number;
+}
+
+interface PerformanceProfile {
+  serviceName: string;
+  duration: number;
+  interval: number;
+  samples: ProfileData[];
+  summary: {
+    avgCpu: number;
+    maxCpu: number;
+    avgMemory: number;
+    maxMemory: number;
+    avgHeapUsed: number;
+    maxHeapUsed: number;
+    avgEventLoopLag: number;
+    maxEventLoopLag: number;
+  };
+}
+
+export async function profileCommand(options: ProfileOptions): Promise<void> {
+  const duration = Number(options.duration) || 60; // Default 60 seconds
+  const interval = Number(options.interval) || 1000; // Default 1 second
+  const serviceName = options.service;
+  
+  if (!serviceName) {
+    console.error('❌ Service name is required. Use --service <name>');
+    process.exit(1);
+  }
+  
+  console.log(`📊 Performance Profiling for Service: ${serviceName}`);
+  console.log(`⏱️  Duration: ${duration}s | Interval: ${interval}ms`);
+  console.log('='.repeat(80));
+  
+  try {
+    // Check if service is running
+    const serviceStatus = checkServiceStatus(serviceName);
+    if (serviceStatus !== 'active') {
+      console.error(`❌ Service '${serviceName}' is not running (status: ${serviceStatus})`);
+      process.exit(1);
+    }
+    
+    // Get service port for metrics
+    const port = getServicePort(serviceName);
+    if (!port) {
+      console.error(`❌ Could not determine port for service '${serviceName}'`);
+      process.exit(1);
+    }
+    
+    console.log(`🔍 Collecting metrics from http://localhost:${port}/metrics`);
+    console.log('Press Ctrl+C to stop profiling early\n');
+    
+    const profile = await collectPerformanceData(serviceName, port, duration, interval);
+    
+    // Display results
+    displayProfileResults(profile);
+    
+    // Save to file if requested
+    if (options.output) {
+      await saveProfileData(profile, options.output);
+      console.log(`💾 Profile data saved to: ${options.output}`);
+    }
+    
+  } catch (error) {
+    console.error(`❌ Failed to profile service: ${error}`);
+    process.exit(1);
+  }
+}
+
+function checkServiceStatus(serviceName: string): string {
+  try {
+    const output = execSync(`systemctl --user is-active ${serviceName}`, { encoding: "utf-8" }).trim();
+    return output;
+  } catch {
+    return 'unknown';
+  }
+}
+
+function getServicePort(serviceName: string): number | null {
+  try {
+    const servicePath = `/home/xarhang/.config/systemd/user/${serviceName}.service`;
+    const serviceContent = execSync(`cat ${servicePath}`, { encoding: "utf-8" });
+    
+    // Extract port from environment variables
+    const portMatch = serviceContent.match(/Environment=.*PORT=(\d+)/);
+    if (portMatch) {
+      return Number(portMatch[1]);
+    }
+    
+    // Extract port from description
+    const descMatch = serviceContent.match(/port[=:]?\s*(\d+)/i);
+    if (descMatch) {
+      return Number(descMatch[1]);
+    }
+    
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+async function collectPerformanceData(
+  serviceName: string,
+  port: number,
+  duration: number,
+  interval: number
+): Promise<PerformanceProfile> {
+  const samples: ProfileData[] = [];
+  const startTime = Date.now();
+  const endTime = startTime + (duration * 1000);
+  
+  while (Date.now() < endTime) {
+    try {
+      const sample = await collectSample(port);
+      samples.push(sample);
+      
+      // Show progress
+      const elapsed = Math.floor((Date.now() - startTime) / 1000);
+      const progress = Math.round((elapsed / duration) * 100);
+      process.stdout.write(`\r⏳ Progress: ${elapsed}s/${duration}s (${progress}%) | Samples: ${samples.length}`);
+      
+      await setTimeout(interval);
+    } catch (error) {
+      console.error(`\n⚠️  Failed to collect sample: ${error}`);
+      break;
+    }
+  }
+  
+  console.log('\n'); // New line after progress
+  
+  // Calculate summary
+  const summary = calculateSummary(samples);
+  
+  return {
+    serviceName,
+    duration,
+    interval,
+    samples,
+    summary,
+  };
+}
+
+async function collectSample(port: number): Promise<ProfileData> {
+  const response = await fetch(`http://localhost:${port}/metrics`);
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+  }
+  
+  const metricsText = await response.text();
+  const metrics = parsePrometheusMetrics(metricsText);
+  
+  return {
+    timestamp: Date.now(),
+    cpu: metrics.cpu || 0,
+    memory: metrics.memory || 0,
+    heapUsed: metrics.heapUsed || 0,
+    heapTotal: metrics.heapTotal || 0,
+    external: metrics.external || 0,
+    eventLoopLag: metrics.eventLoopLag || 0,
+    activeHandles: metrics.activeHandles || 0,
+    activeRequests: metrics.activeRequests || 0,
+  };
+}
+
+function parsePrometheusMetrics(metricsText: string): Record<string, number> {
+  const metrics: Record<string, number> = {};
+  const lines = metricsText.split('\n');
+  
+  for (const line of lines) {
+    if (line.startsWith('#') || !line.trim()) continue;
+    
+    const match = line.match(/^(.+)\s+([\d.]+)$/);
+    if (!match) continue;
+    
+    const [, name, value] = match;
+    
+    // Map Prometheus metrics to our internal names
+    switch (name) {
+      case 'process_cpu_seconds_total':
+        metrics.cpu = parseFloat(value);
+        break;
+      case 'process_resident_memory_bytes':
+        metrics.memory = parseFloat(value);
+        break;
+      case 'nodejs_heap_size_used_bytes':
+        metrics.heapUsed = parseFloat(value);
+        break;
+      case 'nodejs_heap_size_total_bytes':
+        metrics.heapTotal = parseFloat(value);
+        break;
+      case 'nodejs_external_memory_bytes':
+        metrics.external = parseFloat(value);
+        break;
+      case 'nodejs_eventloop_lag_seconds':
+        metrics.eventLoopLag = parseFloat(value) * 1000; // Convert to ms
+        break;
+      case 'nodejs_active_handles_total':
+        metrics.activeHandles = parseFloat(value);
+        break;
+      case 'nodejs_active_requests_total':
+        metrics.activeRequests = parseFloat(value);
+        break;
+    }
+  }
+  
+  return metrics;
+}
+
+function calculateSummary(samples: ProfileData[]): PerformanceProfile['summary'] {
+  if (samples.length === 0) {
+    return {
+      avgCpu: 0, maxCpu: 0,
+      avgMemory: 0, maxMemory: 0,
+      avgHeapUsed: 0, maxHeapUsed: 0,
+      avgEventLoopLag: 0, maxEventLoopLag: 0,
+    };
+  }
+  
+  const sum = samples.reduce((acc, sample) => ({
+    cpu: acc.cpu + sample.cpu,
+    memory: acc.memory + sample.memory,
+    heapUsed: acc.heapUsed + sample.heapUsed,
+    eventLoopLag: acc.eventLoopLag + sample.eventLoopLag,
+  }), { cpu: 0, memory: 0, heapUsed: 0, eventLoopLag: 0 });
+  
+  const count = samples.length;
+  
+  return {
+    avgCpu: sum.cpu / count,
+    maxCpu: Math.max(...samples.map(s => s.cpu)),
+    avgMemory: sum.memory / count,
+    maxMemory: Math.max(...samples.map(s => s.memory)),
+    avgHeapUsed: sum.heapUsed / count,
+    maxHeapUsed: Math.max(...samples.map(s => s.heapUsed)),
+    avgEventLoopLag: sum.eventLoopLag / count,
+    maxEventLoopLag: Math.max(...samples.map(s => s.eventLoopLag)),
+  };
+}
+
+function displayProfileResults(profile: PerformanceProfile): void {
+  console.log('\n📊 Performance Profile Results');
+  console.log('='.repeat(80));
+  
+  console.log(`\n🔧 Service: ${profile.serviceName}`);
+  console.log(`⏱️  Duration: ${profile.duration}s | Samples: ${profile.samples.length}`);
+  console.log(`📏 Interval: ${profile.interval}ms`);
+  
+  console.log('\n💾 Memory Usage:');
+  console.log(`   Average: ${formatBytes(profile.summary.avgMemory)} | Peak: ${formatBytes(profile.summary.maxMemory)}`);
+  console.log(`   Heap Avg: ${formatBytes(profile.summary.avgHeapUsed)} | Heap Peak: ${formatBytes(profile.summary.maxHeapUsed)}`);
+  console.log(`   External: ${formatBytes(profile.samples[0]?.external || 0)}`);
+  
+  console.log('\n⚡ Performance:');
+  console.log(`   CPU Avg: ${profile.summary.avgCpu.toFixed(2)}s | Peak: ${profile.summary.maxCpu.toFixed(2)}s`);
+  console.log(`   Event Loop Avg: ${profile.summary.avgEventLoopLag.toFixed(2)}ms | Peak: ${profile.summary.maxEventLoopLag.toFixed(2)}ms`);
+  
+  console.log('\n🔗 Resources:');
+  const lastSample = profile.samples[profile.samples.length - 1];
+  if (lastSample) {
+    console.log(`   Active Handles: ${lastSample.activeHandles} | Active Requests: ${lastSample.activeRequests}`);
+  }
+  
+  // Performance recommendations
+  console.log('\n💡 Performance Insights:');
+  
+  if (profile.summary.maxMemory > 500 * 1024 * 1024) { // > 500MB
+    console.log('   ⚠️  High memory usage detected - consider memory optimization');
+  }
+  
+  if (profile.summary.maxEventLoopLag > 100) { // > 100ms
+    console.log('   ⚠️  High event loop lag detected - consider optimizing async operations');
+  }
+  
+  if (profile.samples.length > 0) {
+    const firstSample = profile.samples[0];
+    if (firstSample.heapTotal > 0 && profile.summary.avgHeapUsed / firstSample.heapTotal > 0.8) { // > 80%
+      console.log('   ⚠️  High heap usage ratio - potential memory leak');
+    }
+  }
+  
+  if (profile.samples.length < profile.duration * 1000 / profile.interval * 0.9) {
+    console.log('   ⚠️  Some samples failed to collect - check service health');
+  }
+  
+  console.log('\n📈 Sample Timeline (last 10 samples):');
+  const recentSamples = profile.samples.slice(-10);
+  for (let i = 0; i < recentSamples.length; i++) {
+    const sample = recentSamples[i];
+    const time = new Date(sample.timestamp).toLocaleTimeString();
+    console.log(`   ${time} | CPU: ${sample.cpu.toFixed(2)}s | Memory: ${formatBytes(sample.memory)} | Heap: ${formatBytes(sample.heapUsed)}`);
+  }
+}
+
+function formatBytes(bytes: number): string {
+  if (bytes === 0) return '0B';
+  const k = 1024;
+  const sizes = ['B', 'KB', 'MB', 'GB'];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return `${parseFloat((bytes / Math.pow(k, i)).toFixed(1))}${sizes[i]}`;
+}
+
+async function saveProfileData(profile: PerformanceProfile, filename: string): Promise<void> {
+  const data = {
+    metadata: {
+      serviceName: profile.serviceName,
+      duration: profile.duration,
+      interval: profile.interval,
+      sampleCount: profile.samples.length,
+      timestamp: new Date().toISOString(),
+    },
+    summary: profile.summary,
+    samples: profile.samples,
+  };
+  
+  const json = JSON.stringify(data, null, 2);
+  await Bun.write(filename, json);
+}

package/src/commands/restart.ts

@@ -1,13 +1,38 @@
 #!/usr/bin/env bun
 
 import { execSync } from "node:child_process";
+import { getPlatformInfo } from "../platform/detect.js";
+
+// Security: Service name validation
+function isValidServiceName(name: string): boolean {
+  const validPattern = /^[a-zA-Z0-9._-]+$/;
+  return validPattern.test(name) && name.length <= 64 && !name.includes('..') && !name.includes('/');
+}
 
 export async function restartCommand(name: string): Promise<void> {
+  // Security: Validate service name
+  if (!isValidServiceName(name)) {
+    console.error(`❌ Security: Invalid service name: ${name}`);
+    process.exit(1);
+  }
+  
+  const platformInfo = getPlatformInfo();
+  
   try {
-    execSync(`systemctl --user restart ${name}`, { stdio: "inherit" });
-    console.log(`🔄 User service '${name}' restarted`);
+    if (platformInfo.isLinux) {
+      // Security: Use shell escaping to prevent injection
+      const escapedName = name.replace(/[^a-zA-Z0-9._-]/g, '');
+      execSync(`systemctl --user restart "${escapedName}"`, { stdio: "inherit" });
+      console.log(`🔄 User service '${name}' restarted`);
+    } else if (platformInfo.isMacOS) {
+      const { launchdCommand } = await import("../macos/launchd.js");
+      await launchdCommand('restart', { name: `bs9.${name}` });
+    } else if (platformInfo.isWindows) {
+      const { windowsCommand } = await import("../windows/service.js");
+      await windowsCommand('restart', { name: `BS9_${name}` });
+    }
   } catch (err) {
-    console.error(`❌ Failed to restart user service '${name}': ${err}`);
+    console.error(`❌ Failed to restart service '${name}': ${err}`);
     process.exit(1);
   }
 }

package/src/commands/start.ts

@@ -6,34 +6,101 @@ import { execSync } from "node:child_process";
 import { randomUUID } from "node:crypto";
 import { writeFileSync, mkdirSync } from "node:fs";
 import { homedir } from "node:os";
+import { getPlatformInfo } from "../platform/detect.js";
+
+// Security: Host validation function
+function isValidHost(host: string): boolean {
+  // Allow localhost, 0.0.0.0, and valid IP addresses
+  const localhostRegex = /^(localhost|127\.0\.0\.1|::1)$/;
+  const anyIPRegex = /^(0\.0\.0\.0|::)$/;
+  const ipv4Regex = /^(\d{1,3}\.){3}\d{1,3}$/;
+  const ipv6Regex = /^([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$/;
+  const hostnameRegex = /^[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*$/;
+  
+  if (localhostRegex.test(host) || anyIPRegex.test(host)) {
+    return true;
+  }
+  
+  if (ipv4Regex.test(host)) {
+    const parts = host.split('.');
+    return parts.every(part => {
+      const num = parseInt(part, 10);
+      return num >= 0 && num <= 255;
+    });
+  }
+  
+  if (ipv6Regex.test(host)) {
+    return true;
+  }
+  
+  if (hostnameRegex.test(host) && host.length <= 253) {
+    return true;
+  }
+  
+  return false;
+}
 
 interface StartOptions {
   name?: string;
   port?: string;
+  host?: string;
   env?: string[];
   otel?: boolean;
   prometheus?: boolean;
   build?: boolean;
+  https?: boolean;
 }
 
 export async function startCommand(file: string, options: StartOptions): Promise<void> {
+  const platformInfo = getPlatformInfo();
+  
+  // Security: Validate and sanitize file path
   const fullPath = resolve(file);
   if (!existsSync(fullPath)) {
     console.error(`❌ File not found: ${fullPath}`);
     process.exit(1);
   }
-
-  const serviceName = options.name || basename(fullPath, fullPath.endsWith('.ts') ? '.ts' : '.js').replace(/[^a-zA-Z0-9-_]/g, "_");
+  
+  // Security: Prevent directory traversal and ensure file is within allowed paths
+  const allowedPaths = [process.cwd(), homedir()];
+  const isAllowedPath = allowedPaths.some(allowed => fullPath.startsWith(allowed));
+  if (!isAllowedPath) {
+    console.error(`❌ Security: File path outside allowed directories: ${fullPath}`);
+    process.exit(1);
+  }
+  
+  // Security: Validate and sanitize service name
+  const rawServiceName = options.name || basename(fullPath, fullPath.endsWith('.ts') ? '.ts' : '.js');
+  const serviceName = rawServiceName.replace(/[^a-zA-Z0-9-_]/g, "_").replace(/^[^a-zA-Z]/, "_").substring(0, 64);
+  
+  // Security: Validate port number
   const port = options.port || "3000";
+  const portNum = Number(port);
+  if (isNaN(portNum) || portNum < 1 || portNum > 65535) {
+    console.error(`❌ Security: Invalid port number: ${port}. Must be 1-65535`);
+    process.exit(1);
+  }
+  
+  // Security: Validate host
+  const host = options.host || "localhost";
+  if (!isValidHost(host)) {
+    console.error(`❌ Security: Invalid host: ${host}`);
+    process.exit(1);
+  }
+  
+  const protocol = options.https ? "https" : "http";
 
   // Port warning for privileged ports
-  const portNum = Number(port);
   if (portNum < 1024) {
     console.warn(`⚠️  Port ${port} is privileged (< 1024).`);
     console.warn("   Options:");
     console.warn("   - Use port >= 1024 (recommended)");
-    console.warn("   - Run with sudo (not recommended for user services)");
-    console.warn("   - Use port forwarding: `sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000`");
+    if (platformInfo.isWindows) {
+      console.warn("   - Run as Administrator (not recommended)");
+    } else {
+      console.warn("   - Run with sudo (not recommended for user services)");
+      console.warn("   - Use port forwarding: `sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000`");
+    }
   }
 
   // Handle TypeScript files and build option
@@ -77,43 +144,137 @@ export async function startCommand(file: string, options: StartOptions): Promise
     auditResult.warning.forEach(issue => console.warn(`  - ${issue}`));
   }
 
+  // Platform-specific service creation
+  if (platformInfo.isLinux) {
+    await createLinuxService(serviceName, execPath, host, port, protocol, options);
+  } else if (platformInfo.isMacOS) {
+    await createMacOSService(serviceName, execPath, host, port, protocol, options);
+  } else if (platformInfo.isWindows) {
+    await createWindowsService(serviceName, execPath, host, port, protocol, options);
+  } else {
+    console.error(`❌ Platform ${platformInfo.platform} is not supported`);
+    process.exit(1);
+  }
+}
+
+async function createLinuxService(serviceName: string, execPath: string, host: string, port: string, protocol: string, options: StartOptions): Promise<void> {
   // Phase 1: Generate hardened systemd unit
   const unitContent = generateSystemdUnit({
     serviceName,
     fullPath: execPath,
+    host,
     port,
+    protocol,
     env: options.env || [],
     otel: options.otel ?? true,
     prometheus: options.prometheus ?? true,
   });
 
-  const unitPath = join(homedir(), ".config/systemd/user", `${serviceName}.service`);
+  const platformInfo = getPlatformInfo();
+  const unitPath = join(platformInfo.serviceDir, `${serviceName}.service`);
   
   // Create user systemd directory if it doesn't exist
-  const userSystemdDir = join(homedir(), ".config/systemd/user");
-  if (!existsSync(userSystemdDir)) {
-    mkdirSync(userSystemdDir, { recursive: true });
-    console.log(`📁 Created user systemd directory: ${userSystemdDir}`);
+  if (!existsSync(platformInfo.serviceDir)) {
+    mkdirSync(platformInfo.serviceDir, { recursive: true });
+    console.log(`📁 Created user systemd directory: ${platformInfo.serviceDir}`);
   }
   
   try {
-    writeFileSync(unitPath, unitContent, { encoding: "utf-8" });
+    writeFileSync(unitPath, unitContent);
     console.log(`✅ Systemd user unit written to: ${unitPath}`);
-  } catch (err) {
-    console.error(`❌ Failed to write systemd user unit: ${err}`);
+    
+    execSync("systemctl --user daemon-reload");
+    execSync(`systemctl --user enable ${serviceName}`);
+    execSync(`systemctl --user start ${serviceName}`);
+    
+    console.log(`🚀 Service '${serviceName}' started successfully`);
+    console.log(`   Health: ${protocol}://${host}:${port}/healthz`);
+    console.log(`   Metrics: ${protocol}://${host}:${port}/metrics`);
+  } catch (error) {
+    console.error(`❌ Failed to start service: ${error}`);
     process.exit(1);
   }
+}
 
-  // Reload and start using user systemd
+async function createMacOSService(serviceName: string, execPath: string, host: string, port: string, protocol: string, options: StartOptions): Promise<void> {
+  const { launchdCommand } = await import("../macos/launchd.js");
+  
+  const envVars: Record<string, string> = {
+    PORT: port,
+    HOST: host,
+    PROTOCOL: protocol,
+    NODE_ENV: "production",
+    SERVICE_NAME: serviceName,
+    ...(options.env || []).reduce((acc, env) => {
+      const [key, value] = env.split('=');
+      if (key && value) acc[key] = value;
+      return acc;
+    }, {} as Record<string, string>)
+  };
+  
+  if (options.otel) {
+    envVars.OTEL_SERVICE_NAME = serviceName;
+    envVars.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = "http://localhost:4318/v1/traces";
+  }
+  
   try {
-    execSync("systemctl --user daemon-reload", { stdio: "inherit" });
-    execSync(`systemctl --user enable ${serviceName}`, { stdio: "inherit" });
-    execSync(`systemctl --user start ${serviceName}`, { stdio: "inherit" });
+    await launchdCommand('create', {
+      name: `bs9.${serviceName}`,
+      file: execPath,
+      workingDir: dirname(execPath),
+      env: JSON.stringify(envVars),
+      autoStart: true,
+      keepAlive: true,
+      logOut: `${getPlatformInfo().logDir}/${serviceName}.out.log`,
+      logErr: `${getPlatformInfo().logDir}/${serviceName}.err.log`
+    });
+    
     console.log(`🚀 Service '${serviceName}' started successfully`);
-    console.log(`   Health: http://localhost:${port}/healthz`);
-    console.log(`   Metrics: http://localhost:${port}/metrics`);
-  } catch (err) {
-    console.error(`❌ Failed to start user service: ${err}`);
+    console.log(`   Health: ${protocol}://${host}:${port}/healthz`);
+    console.log(`   Metrics: ${protocol}://${host}:${port}/metrics`);
+  } catch (error) {
+    console.error(`❌ Failed to start macOS service: ${error}`);
+    process.exit(1);
+  }
+}
+
+async function createWindowsService(serviceName: string, execPath: string, host: string, port: string, protocol: string, options: StartOptions): Promise<void> {
+  const { windowsCommand } = await import("../windows/service.js");
+  
+  const envVars: Record<string, string> = {
+    PORT: port,
+    HOST: host,
+    PROTOCOL: protocol,
+    NODE_ENV: "production",
+    SERVICE_NAME: serviceName,
+    ...(options.env || []).reduce((acc, env) => {
+      const [key, value] = env.split('=');
+      if (key && value) acc[key] = value;
+      return acc;
+    }, {} as Record<string, string>)
+  };
+  
+  if (options.otel) {
+    envVars.OTEL_SERVICE_NAME = serviceName;
+    envVars.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = "http://localhost:4318/v1/traces";
+  }
+  
+  try {
+    await windowsCommand('create', {
+      name: `BS9_${serviceName}`,
+      file: execPath,
+      displayName: `BS9 Service: ${serviceName}`,
+      description: `BS9 managed service: ${serviceName}`,
+      workingDir: dirname(execPath),
+      args: ['run', execPath],
+      env: JSON.stringify(envVars)
+    });
+    
+    console.log(`🚀 Service '${serviceName}' started successfully`);
+    console.log(`   Health: ${protocol}://${host}:${port}/healthz`);
+    console.log(`   Metrics: ${protocol}://${host}:${port}/metrics`);
+  } catch (error) {
+    console.error(`❌ Failed to start Windows service: ${error}`);
     process.exit(1);
   }
 }
@@ -140,6 +301,9 @@ async function securityAudit(filePath: string): Promise<SecurityAuditResult> {
     { pattern: /child_process\.exec\s*\(/, msg: "Unsafe child_process.exec() detected" },
     { pattern: /require\s*\(\s*["']fs["']\s*\)/, msg: "Direct fs module usage (potential file system access)" },
     { pattern: /process\.env\.\w+\s*\+\s*["']/, msg: "Potential command injection via env concatenation" },
+    { pattern: /require\s*\(\s*["']child_process["']\s*\)/, msg: "Child process module usage detected" },
+    { pattern: /spawn\s*\(/, msg: "Process spawning detected" },
+    { pattern: /execSync\s*\(/, msg: "Synchronous execution detected" },
   ];
 
   for (const { pattern, msg } of dangerousPatterns) {
@@ -164,7 +328,9 @@ async function securityAudit(filePath: string): Promise<SecurityAuditResult> {
 interface SystemdUnitOptions {
   serviceName: string;
   fullPath: string;
+  host: string;
   port: string;
+  protocol: string;
   env: string[];
   otel: boolean;
   prometheus: boolean;
@@ -173,6 +339,8 @@ interface SystemdUnitOptions {
 function generateSystemdUnit(opts: SystemdUnitOptions): string {
   const envVars = [
     `PORT=${opts.port}`,
+    `HOST=${opts.host}`,
+    `PROTOCOL=${opts.protocol}`,
     `NODE_ENV=production`,
     `SERVICE_NAME=${opts.serviceName}`,
     ...opts.env,
@@ -190,6 +358,7 @@ function generateSystemdUnit(opts: SystemdUnitOptions): string {
   return `[Unit]
 Description=BS9 Service: ${opts.serviceName}
 After=network.target
+Documentation=https://github.com/bs9/bs9
 
 [Service]
 Type=simple
@@ -201,6 +370,17 @@ WorkingDirectory=${workingDir}
 ExecStart=${bunPath} run ${opts.fullPath}
 ${envSection}
 
+# Security hardening (user systemd compatible)
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ReadWritePaths=${workingDir}
+UMask=0022
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
 [Install]
 WantedBy=default.target
 `;