elsabro 2.3.0 → 3.7.0

package/references/security-system.md

@@ -0,0 +1,1253 @@
+# Security & Access Control (v3.4)
+
+Sistema de seguridad con RBAC, secrets management, audit logging y políticas de acceso.
+
+## Arquitectura
+
+```
+┌─────────────────────────────────────────────────────────────────────────┐
+│                       SECURITY SYSTEM                                    │
+├─────────────────────────────────────────────────────────────────────────┤
+│                                                                          │
+│  ┌─────────────────────────────────────────────────────────────────┐    │
+│  │                    RBAC MANAGER                                  │    │
+│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │    │
+│  │  │   Roles     │  │ Permissions │  │   Grants    │              │    │
+│  │  │ admin/user  │  │ read/write  │  │ role→perm   │              │    │
+│  │  └─────────────┘  └─────────────┘  └─────────────┘              │    │
+│  └─────────────────────────────────────────────────────────────────┘    │
+│                                    │                                     │
+│                                    ▼                                     │
+│  ┌─────────────────────────────────────────────────────────────────┐    │
+│  │                    SECRETS VAULT                                 │    │
+│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │    │
+│  │  │ Encryption  │  │  Storage    │  │  Rotation   │              │    │
+│  │  │  AES-256    │  │  Secure     │  │  Automatic  │              │    │
+│  │  └─────────────┘  └─────────────┘  └─────────────┘              │    │
+│  └─────────────────────────────────────────────────────────────────┘    │
+│                                    │                                     │
+│                                    ▼                                     │
+│  ┌─────────────────────────────────────────────────────────────────┐    │
+│  │                    AUDIT LOGGER                                  │    │
+│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │    │
+│  │  │   Events    │  │  Tracking   │  │  Forensics  │              │    │
+│  │  │  Immutable  │  │  Real-time  │  │   Export    │              │    │
+│  │  └─────────────┘  └─────────────┘  └─────────────┘              │    │
+│  └─────────────────────────────────────────────────────────────────┘    │
+│                                    │                                     │
+│                                    ▼                                     │
+│  ┌─────────────────────────────────────────────────────────────────┐    │
+│  │                    POLICY ENGINE                                 │    │
+│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐              │    │
+│  │  │   Rules     │  │ Evaluation  │  │ Enforcement │              │    │
+│  │  │  Declarative│  │  Runtime    │  │   Strict    │              │    │
+│  │  └─────────────┘  └─────────────┘  └─────────────┘              │    │
+│  └─────────────────────────────────────────────────────────────────┘    │
+│                                                                          │
+└─────────────────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## RBACManager
+
+### API Principal
+
+```typescript
+interface Role {
+  id: string;
+  name: string;
+  description: string;
+  permissions: string[];
+  inherits?: string[];  // Inherit from other roles
+  constraints?: RoleConstraint[];
+}
+
+interface Permission {
+  id: string;
+  name: string;
+  resource: string;
+  actions: string[];  // read, write, execute, delete
+  conditions?: PermissionCondition[];
+}
+
+interface RoleConstraint {
+  type: 'time' | 'location' | 'resource_limit' | 'custom';
+  value: unknown;
+}
+
+interface PermissionCondition {
+  field: string;
+  operator: 'eq' | 'neq' | 'in' | 'not_in' | 'matches';
+  value: unknown;
+}
+
+interface Principal {
+  id: string;
+  type: 'user' | 'agent' | 'service';
+  roles: string[];
+  attributes?: Record<string, unknown>;
+}
+
+class RBACManager {
+  private roles: Map<string, Role>;
+  private permissions: Map<string, Permission>;
+  private principals: Map<string, Principal>;
+  private grants: Map<string, Set<string>>;  // principal -> roles
+
+  constructor(config: RBACConfig) {
+    this.roles = new Map();
+    this.permissions = new Map();
+    this.principals = new Map();
+    this.grants = new Map();
+    this.loadBuiltinRoles();
+  }
+
+  // Create role
+  createRole(role: Omit<Role, 'id'>): Role {
+    const newRole: Role = {
+      id: this.generateId('role'),
+      ...role
+    };
+
+    this.roles.set(newRole.id, newRole);
+
+    AuditLogger.log({
+      action: 'role.created',
+      resource: newRole.id,
+      details: { name: role.name }
+    });
+
+    return newRole;
+  }
+
+  // Create permission
+  createPermission(permission: Omit<Permission, 'id'>): Permission {
+    const newPerm: Permission = {
+      id: this.generateId('perm'),
+      ...permission
+    };
+
+    this.permissions.set(newPerm.id, newPerm);
+
+    return newPerm;
+  }
+
+  // Assign role to principal
+  assignRole(principalId: string, roleId: string): void {
+    const principal = this.principals.get(principalId);
+    if (!principal) throw new Error(`Principal not found: ${principalId}`);
+
+    const role = this.roles.get(roleId);
+    if (!role) throw new Error(`Role not found: ${roleId}`);
+
+    if (!this.grants.has(principalId)) {
+      this.grants.set(principalId, new Set());
+    }
+
+    this.grants.get(principalId)!.add(roleId);
+    principal.roles.push(roleId);
+
+    AuditLogger.log({
+      action: 'role.assigned',
+      principal: principalId,
+      resource: roleId
+    });
+  }
+
+  // Revoke role from principal
+  revokeRole(principalId: string, roleId: string): void {
+    const grants = this.grants.get(principalId);
+    if (grants) {
+      grants.delete(roleId);
+    }
+
+    const principal = this.principals.get(principalId);
+    if (principal) {
+      principal.roles = principal.roles.filter(r => r !== roleId);
+    }
+
+    AuditLogger.log({
+      action: 'role.revoked',
+      principal: principalId,
+      resource: roleId
+    });
+  }
+
+  // Check if principal has permission
+  hasPermission(
+    principalId: string,
+    resource: string,
+    action: string,
+    context?: PermissionContext
+  ): boolean {
+    const principal = this.principals.get(principalId);
+    if (!principal) return false;
+
+    // Get all effective permissions
+    const effectivePermissions = this.getEffectivePermissions(principal);
+
+    // Check each permission
+    for (const permId of effectivePermissions) {
+      const perm = this.permissions.get(permId);
+      if (!perm) continue;
+
+      // Check resource match
+      if (!this.matchesResource(perm.resource, resource)) continue;
+
+      // Check action
+      if (!perm.actions.includes(action) && !perm.actions.includes('*')) continue;
+
+      // Check conditions
+      if (perm.conditions && !this.evaluateConditions(perm.conditions, context)) continue;
+
+      return true;
+    }
+
+    return false;
+  }
+
+  // Enforce permission (throws if denied)
+  enforce(
+    principalId: string,
+    resource: string,
+    action: string,
+    context?: PermissionContext
+  ): void {
+    if (!this.hasPermission(principalId, resource, action, context)) {
+      AuditLogger.log({
+        action: 'permission.denied',
+        principal: principalId,
+        resource,
+        details: { action }
+      });
+
+      throw new PermissionDeniedError(
+        `Permission denied: ${principalId} cannot ${action} on ${resource}`
+      );
+    }
+
+    AuditLogger.log({
+      action: 'permission.granted',
+      principal: principalId,
+      resource,
+      details: { action }
+    });
+  }
+
+  // Get principal's effective permissions
+  getEffectivePermissions(principal: Principal): Set<string> {
+    const permissions = new Set<string>();
+
+    for (const roleId of principal.roles) {
+      const rolePerms = this.getRolePermissions(roleId);
+      rolePerms.forEach(p => permissions.add(p));
+    }
+
+    return permissions;
+  }
+
+  // Get role with inheritance
+  private getRolePermissions(roleId: string): string[] {
+    const role = this.roles.get(roleId);
+    if (!role) return [];
+
+    const permissions = [...role.permissions];
+
+    // Add inherited permissions
+    if (role.inherits) {
+      for (const inheritedRole of role.inherits) {
+        permissions.push(...this.getRolePermissions(inheritedRole));
+      }
+    }
+
+    return permissions;
+  }
+
+  private matchesResource(pattern: string, resource: string): boolean {
+    if (pattern === '*') return true;
+    if (pattern === resource) return true;
+
+    // Wildcard matching
+    const regex = new RegExp(
+      '^' + pattern.replace(/\*/g, '.*').replace(/\?/g, '.') + '$'
+    );
+    return regex.test(resource);
+  }
+
+  private evaluateConditions(
+    conditions: PermissionCondition[],
+    context?: PermissionContext
+  ): boolean {
+    if (!context) return true;
+
+    for (const condition of conditions) {
+      const value = context[condition.field];
+
+      switch (condition.operator) {
+        case 'eq':
+          if (value !== condition.value) return false;
+          break;
+        case 'neq':
+          if (value === condition.value) return false;
+          break;
+        case 'in':
+          if (!Array.isArray(condition.value) || !condition.value.includes(value))
+            return false;
+          break;
+        case 'not_in':
+          if (Array.isArray(condition.value) && condition.value.includes(value))
+            return false;
+          break;
+        case 'matches':
+          if (!new RegExp(condition.value as string).test(String(value)))
+            return false;
+          break;
+      }
+    }
+
+    return true;
+  }
+
+  private loadBuiltinRoles(): void {
+    // Admin role
+    this.createRole({
+      name: 'admin',
+      description: 'Full system access',
+      permissions: ['*']
+    });
+
+    // Agent roles
+    this.createRole({
+      name: 'agent:explore',
+      description: 'Read-only exploration',
+      permissions: ['file:read', 'search:*', 'web:fetch']
+    });
+
+    this.createRole({
+      name: 'agent:implement',
+      description: 'Read and write access',
+      permissions: ['file:read', 'file:write', 'file:create', 'bash:safe']
+    });
+
+    this.createRole({
+      name: 'agent:review',
+      description: 'Review access',
+      permissions: ['file:read', 'git:read']
+    });
+  }
+
+  private generateId(prefix: string): string {
+    return `${prefix}_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  }
+}
+```
+
+---
+
+## SecretsVault
+
+```typescript
+interface Secret {
+  id: string;
+  name: string;
+  value: string;  // Encrypted
+  type: 'api_key' | 'password' | 'token' | 'certificate' | 'custom';
+  metadata: {
+    created_at: string;
+    updated_at: string;
+    expires_at?: string;
+    rotation_policy?: RotationPolicy;
+    access_count: number;
+    last_accessed?: string;
+  };
+  tags?: string[];
+}
+
+interface RotationPolicy {
+  enabled: boolean;
+  interval_days: number;
+  notification_days: number;
+  auto_rotate?: boolean;
+}
+
+class SecretsVault {
+  private secrets: Map<string, Secret>;
+  private encryptionKey: Buffer;
+  private config: SecretsVaultConfig;
+
+  constructor(config: SecretsVaultConfig) {
+    this.config = config;
+    this.secrets = new Map();
+    this.encryptionKey = this.deriveKey(config.masterPassword);
+    this.loadSecrets();
+  }
+
+  // Store secret
+  async store(
+    name: string,
+    value: string,
+    options?: StoreOptions
+  ): Promise<Secret> {
+    const encrypted = this.encrypt(value);
+
+    const secret: Secret = {
+      id: this.generateId(),
+      name,
+      value: encrypted,
+      type: options?.type || 'custom',
+      metadata: {
+        created_at: new Date().toISOString(),
+        updated_at: new Date().toISOString(),
+        expires_at: options?.expires_at,
+        rotation_policy: options?.rotation_policy,
+        access_count: 0
+      },
+      tags: options?.tags
+    };
+
+    this.secrets.set(name, secret);
+    await this.persist();
+
+    AuditLogger.log({
+      action: 'secret.stored',
+      resource: name,
+      details: { type: secret.type }
+    });
+
+    return { ...secret, value: '[REDACTED]' };
+  }
+
+  // Retrieve secret
+  async get(name: string, principalId?: string): Promise<string> {
+    const secret = this.secrets.get(name);
+    if (!secret) throw new Error(`Secret not found: ${name}`);
+
+    // Check permissions
+    if (principalId) {
+      RBACManager.enforce(principalId, `secret:${name}`, 'read');
+    }
+
+    // Check expiration
+    if (secret.metadata.expires_at) {
+      if (new Date(secret.metadata.expires_at) < new Date()) {
+        throw new Error(`Secret expired: ${name}`);
+      }
+    }
+
+    // Update access metadata
+    secret.metadata.access_count++;
+    secret.metadata.last_accessed = new Date().toISOString();
+
+    AuditLogger.log({
+      action: 'secret.accessed',
+      resource: name,
+      principal: principalId
+    });
+
+    return this.decrypt(secret.value);
+  }
+
+  // Rotate secret
+  async rotate(name: string, newValue: string): Promise<void> {
+    const secret = this.secrets.get(name);
+    if (!secret) throw new Error(`Secret not found: ${name}`);
+
+    const oldValue = secret.value;
+    secret.value = this.encrypt(newValue);
+    secret.metadata.updated_at = new Date().toISOString();
+
+    await this.persist();
+
+    AuditLogger.log({
+      action: 'secret.rotated',
+      resource: name
+    });
+
+    // Emit rotation event
+    EventBus.publish('secret.rotated', {
+      name,
+      type: secret.type
+    });
+  }
+
+  // Delete secret
+  async delete(name: string): Promise<boolean> {
+    const deleted = this.secrets.delete(name);
+
+    if (deleted) {
+      await this.persist();
+
+      AuditLogger.log({
+        action: 'secret.deleted',
+        resource: name
+      });
+    }
+
+    return deleted;
+  }
+
+  // List secrets (metadata only)
+  list(): SecretMetadata[] {
+    return Array.from(this.secrets.values()).map(s => ({
+      id: s.id,
+      name: s.name,
+      type: s.type,
+      metadata: s.metadata,
+      tags: s.tags
+    }));
+  }
+
+  // Check for expiring secrets
+  getExpiring(days: number = 7): SecretMetadata[] {
+    const cutoff = new Date();
+    cutoff.setDate(cutoff.getDate() + days);
+
+    return this.list().filter(s => {
+      if (!s.metadata.expires_at) return false;
+      return new Date(s.metadata.expires_at) <= cutoff;
+    });
+  }
+
+  // Auto-rotate secrets based on policy
+  async autoRotate(): Promise<string[]> {
+    const rotated: string[] = [];
+
+    for (const [name, secret] of this.secrets) {
+      const policy = secret.metadata.rotation_policy;
+      if (!policy?.enabled || !policy.auto_rotate) continue;
+
+      const lastRotation = new Date(secret.metadata.updated_at);
+      const daysSinceRotation = Math.floor(
+        (Date.now() - lastRotation.getTime()) / (1000 * 60 * 60 * 24)
+      );
+
+      if (daysSinceRotation >= policy.interval_days) {
+        // Generate new value (for supported types)
+        const newValue = await this.generateNewValue(secret.type);
+        if (newValue) {
+          await this.rotate(name, newValue);
+          rotated.push(name);
+        }
+      }
+    }
+
+    return rotated;
+  }
+
+  // Encryption helpers
+  private encrypt(plaintext: string): string {
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv('aes-256-gcm', this.encryptionKey, iv);
+
+    let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+
+    const authTag = cipher.getAuthTag();
+
+    return JSON.stringify({
+      iv: iv.toString('base64'),
+      data: encrypted,
+      tag: authTag.toString('base64')
+    });
+  }
+
+  private decrypt(ciphertext: string): string {
+    const { iv, data, tag } = JSON.parse(ciphertext);
+
+    const decipher = crypto.createDecipheriv(
+      'aes-256-gcm',
+      this.encryptionKey,
+      Buffer.from(iv, 'base64')
+    );
+
+    decipher.setAuthTag(Buffer.from(tag, 'base64'));
+
+    let decrypted = decipher.update(data, 'base64', 'utf8');
+    decrypted += decipher.final('utf8');
+
+    return decrypted;
+  }
+
+  private deriveKey(password: string): Buffer {
+    return crypto.scryptSync(password, this.config.salt || 'elsabro', 32);
+  }
+
+  private async persist(): Promise<void> {
+    const data = JSON.stringify(Array.from(this.secrets.entries()));
+    const encrypted = this.encrypt(data);
+    await fs.writeFile(this.config.vaultPath, encrypted);
+  }
+
+  private async loadSecrets(): Promise<void> {
+    try {
+      const encrypted = await fs.readFile(this.config.vaultPath, 'utf-8');
+      const data = this.decrypt(encrypted);
+      const entries = JSON.parse(data);
+      this.secrets = new Map(entries);
+    } catch {
+      // No vault file yet
+    }
+  }
+
+  private async generateNewValue(type: string): Promise<string | null> {
+    switch (type) {
+      case 'api_key':
+        return crypto.randomBytes(32).toString('hex');
+      case 'password':
+        return crypto.randomBytes(24).toString('base64');
+      case 'token':
+        return crypto.randomBytes(48).toString('base64url');
+      default:
+        return null;  // Cannot auto-generate
+    }
+  }
+
+  private generateId(): string {
+    return `secret_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  }
+}
+```
+
+---
+
+## AuditLogger
+
+```typescript
+interface AuditEvent {
+  id: string;
+  timestamp: string;
+  action: string;
+  principal?: string;
+  resource?: string;
+  details?: Record<string, unknown>;
+  outcome: 'success' | 'failure' | 'denied';
+  ip_address?: string;
+  session_id?: string;
+  trace_id?: string;
+}
+
+interface AuditQuery {
+  action?: string;
+  principal?: string;
+  resource?: string;
+  outcome?: string;
+  from?: string;
+  to?: string;
+  limit?: number;
+  offset?: number;
+}
+
+class AuditLogger {
+  private static instance: AuditLogger;
+  private events: AuditEvent[] = [];
+  private config: AuditLoggerConfig;
+  private writeStream?: fs.WriteStream;
+
+  private constructor(config: AuditLoggerConfig) {
+    this.config = config;
+    this.initializeStorage();
+  }
+
+  static getInstance(config?: AuditLoggerConfig): AuditLogger {
+    if (!AuditLogger.instance && config) {
+      AuditLogger.instance = new AuditLogger(config);
+    }
+    return AuditLogger.instance;
+  }
+
+  // Log audit event
+  static log(event: Partial<AuditEvent>): void {
+    const instance = AuditLogger.getInstance();
+    instance.logEvent(event);
+  }
+
+  // Log with automatic success outcome
+  static success(action: string, details?: Partial<AuditEvent>): void {
+    AuditLogger.log({ action, outcome: 'success', ...details });
+  }
+
+  // Log with automatic failure outcome
+  static failure(action: string, details?: Partial<AuditEvent>): void {
+    AuditLogger.log({ action, outcome: 'failure', ...details });
+  }
+
+  // Log with automatic denied outcome
+  static denied(action: string, details?: Partial<AuditEvent>): void {
+    AuditLogger.log({ action, outcome: 'denied', ...details });
+  }
+
+  private logEvent(partial: Partial<AuditEvent>): void {
+    const event: AuditEvent = {
+      id: this.generateId(),
+      timestamp: new Date().toISOString(),
+      action: partial.action || 'unknown',
+      principal: partial.principal,
+      resource: partial.resource,
+      details: partial.details,
+      outcome: partial.outcome || 'success',
+      ip_address: partial.ip_address,
+      session_id: partial.session_id,
+      trace_id: partial.trace_id || TelemetryManager.getCurrentTraceId()
+    };
+
+    // Store in memory (with limit)
+    this.events.push(event);
+    if (this.events.length > this.config.maxMemoryEvents) {
+      this.events.shift();
+    }
+
+    // Write to file
+    if (this.writeStream) {
+      this.writeStream.write(JSON.stringify(event) + '\n');
+    }
+
+    // Emit event for real-time monitoring
+    EventBus.publish('audit.event', event);
+
+    // Check for alert conditions
+    this.checkAlerts(event);
+  }
+
+  // Query audit log
+  query(options: AuditQuery): AuditEvent[] {
+    let filtered = this.events;
+
+    if (options.action) {
+      filtered = filtered.filter(e =>
+        e.action.includes(options.action!)
+      );
+    }
+
+    if (options.principal) {
+      filtered = filtered.filter(e =>
+        e.principal === options.principal
+      );
+    }
+
+    if (options.resource) {
+      filtered = filtered.filter(e =>
+        e.resource?.includes(options.resource!)
+      );
+    }
+
+    if (options.outcome) {
+      filtered = filtered.filter(e =>
+        e.outcome === options.outcome
+      );
+    }
+
+    if (options.from) {
+      filtered = filtered.filter(e =>
+        e.timestamp >= options.from!
+      );
+    }
+
+    if (options.to) {
+      filtered = filtered.filter(e =>
+        e.timestamp <= options.to!
+      );
+    }
+
+    // Pagination
+    const offset = options.offset || 0;
+    const limit = options.limit || 100;
+
+    return filtered.slice(offset, offset + limit);
+  }
+
+  // Export audit log
+  async exportLogs(
+    format: 'json' | 'csv',
+    query?: AuditQuery
+  ): Promise<string> {
+    const events = query ? this.query(query) : this.events;
+
+    if (format === 'csv') {
+      const headers = [
+        'id', 'timestamp', 'action', 'principal',
+        'resource', 'outcome', 'trace_id'
+      ];
+      const rows = events.map(e => [
+        e.id, e.timestamp, e.action, e.principal || '',
+        e.resource || '', e.outcome, e.trace_id || ''
+      ]);
+      return [headers.join(','), ...rows.map(r => r.join(','))].join('\n');
+    }
+
+    return JSON.stringify(events, null, 2);
+  }
+
+  // Get statistics
+  getStats(timeRange?: { from: string; to: string }): AuditStats {
+    const events = timeRange
+      ? this.query({ from: timeRange.from, to: timeRange.to })
+      : this.events;
+
+    const byAction: Record<string, number> = {};
+    const byOutcome: Record<string, number> = {};
+    const byPrincipal: Record<string, number> = {};
+
+    for (const event of events) {
+      byAction[event.action] = (byAction[event.action] || 0) + 1;
+      byOutcome[event.outcome] = (byOutcome[event.outcome] || 0) + 1;
+      if (event.principal) {
+        byPrincipal[event.principal] = (byPrincipal[event.principal] || 0) + 1;
+      }
+    }
+
+    return {
+      total: events.length,
+      byAction,
+      byOutcome,
+      byPrincipal,
+      timeRange
+    };
+  }
+
+  private checkAlerts(event: AuditEvent): void {
+    // Multiple failed authentications
+    if (event.action === 'auth.failed') {
+      const recentFailures = this.events.filter(e =>
+        e.action === 'auth.failed' &&
+        e.principal === event.principal &&
+        new Date(e.timestamp) > new Date(Date.now() - 5 * 60 * 1000)
+      );
+
+      if (recentFailures.length >= 5) {
+        this.triggerAlert('multiple_auth_failures', event);
+      }
+    }
+
+    // Permission denied spike
+    if (event.outcome === 'denied') {
+      const recentDenials = this.events.filter(e =>
+        e.outcome === 'denied' &&
+        new Date(e.timestamp) > new Date(Date.now() - 60 * 1000)
+      );
+
+      if (recentDenials.length >= 10) {
+        this.triggerAlert('permission_denial_spike', event);
+      }
+    }
+
+    // Sensitive resource access
+    const sensitiveResources = ['secret:*', 'config:*', 'admin:*'];
+    if (event.resource && sensitiveResources.some(p =>
+      event.resource!.match(new RegExp(p.replace('*', '.*')))
+    )) {
+      this.triggerAlert('sensitive_access', event);
+    }
+  }
+
+  private triggerAlert(type: string, event: AuditEvent): void {
+    EventBus.publish('audit.alert', {
+      type,
+      event,
+      timestamp: new Date().toISOString()
+    });
+  }
+
+  private initializeStorage(): void {
+    if (this.config.logPath) {
+      this.writeStream = fs.createWriteStream(this.config.logPath, {
+        flags: 'a'
+      });
+    }
+  }
+
+  private generateId(): string {
+    return `audit_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  }
+}
+```
+
+---
+
+## PolicyEngine
+
+```typescript
+interface Policy {
+  id: string;
+  name: string;
+  description: string;
+  effect: 'allow' | 'deny';
+  principals: string[];  // Patterns
+  resources: string[];   // Patterns
+  actions: string[];
+  conditions?: PolicyCondition[];
+  priority: number;
+}
+
+interface PolicyCondition {
+  type: 'time' | 'ip' | 'rate_limit' | 'attribute' | 'custom';
+  config: Record<string, unknown>;
+}
+
+interface PolicyEvaluationResult {
+  allowed: boolean;
+  matchedPolicy?: Policy;
+  reason: string;
+}
+
+class PolicyEngine {
+  private policies: Policy[] = [];
+  private cache: Map<string, PolicyEvaluationResult>;
+  private rateLimits: Map<string, RateLimitState>;
+
+  constructor(config: PolicyEngineConfig) {
+    this.cache = new Map();
+    this.rateLimits = new Map();
+    this.loadPolicies(config.policiesPath);
+  }
+
+  // Add policy
+  addPolicy(policy: Omit<Policy, 'id'>): Policy {
+    const newPolicy: Policy = {
+      id: this.generateId(),
+      ...policy
+    };
+
+    this.policies.push(newPolicy);
+    this.policies.sort((a, b) => b.priority - a.priority);
+    this.cache.clear();
+
+    return newPolicy;
+  }
+
+  // Remove policy
+  removePolicy(policyId: string): boolean {
+    const index = this.policies.findIndex(p => p.id === policyId);
+    if (index === -1) return false;
+
+    this.policies.splice(index, 1);
+    this.cache.clear();
+
+    return true;
+  }
+
+  // Evaluate request against policies
+  evaluate(request: PolicyRequest): PolicyEvaluationResult {
+    // Check cache
+    const cacheKey = this.getCacheKey(request);
+    if (this.cache.has(cacheKey)) {
+      return this.cache.get(cacheKey)!;
+    }
+
+    // Find matching policies
+    const matchingPolicies = this.policies.filter(policy =>
+      this.matchesPolicy(policy, request)
+    );
+
+    if (matchingPolicies.length === 0) {
+      const result = {
+        allowed: false,
+        reason: 'No matching policy'
+      };
+      this.cache.set(cacheKey, result);
+      return result;
+    }
+
+    // Evaluate in priority order
+    for (const policy of matchingPolicies) {
+      // Check conditions
+      const conditionsMet = this.evaluateConditions(policy.conditions, request);
+
+      if (conditionsMet) {
+        const result: PolicyEvaluationResult = {
+          allowed: policy.effect === 'allow',
+          matchedPolicy: policy,
+          reason: policy.effect === 'allow'
+            ? `Allowed by policy: ${policy.name}`
+            : `Denied by policy: ${policy.name}`
+        };
+
+        this.cache.set(cacheKey, result);
+        return result;
+      }
+    }
+
+    const result = {
+      allowed: false,
+      reason: 'No policy conditions met'
+    };
+    this.cache.set(cacheKey, result);
+    return result;
+  }
+
+  // Enforce policy (throws if denied)
+  enforce(request: PolicyRequest): void {
+    const result = this.evaluate(request);
+
+    if (!result.allowed) {
+      AuditLogger.denied('policy.denied', {
+        principal: request.principal,
+        resource: request.resource,
+        details: {
+          action: request.action,
+          policy: result.matchedPolicy?.name,
+          reason: result.reason
+        }
+      });
+
+      throw new PolicyDeniedError(result.reason);
+    }
+
+    AuditLogger.success('policy.allowed', {
+      principal: request.principal,
+      resource: request.resource,
+      details: {
+        action: request.action,
+        policy: result.matchedPolicy?.name
+      }
+    });
+  }
+
+  private matchesPolicy(policy: Policy, request: PolicyRequest): boolean {
+    // Check principal
+    const principalMatch = policy.principals.some(p =>
+      this.matchPattern(p, request.principal)
+    );
+    if (!principalMatch) return false;
+
+    // Check resource
+    const resourceMatch = policy.resources.some(r =>
+      this.matchPattern(r, request.resource)
+    );
+    if (!resourceMatch) return false;
+
+    // Check action
+    const actionMatch = policy.actions.some(a =>
+      a === '*' || a === request.action
+    );
+    if (!actionMatch) return false;
+
+    return true;
+  }
+
+  private evaluateConditions(
+    conditions: PolicyCondition[] | undefined,
+    request: PolicyRequest
+  ): boolean {
+    if (!conditions || conditions.length === 0) return true;
+
+    for (const condition of conditions) {
+      switch (condition.type) {
+        case 'time':
+          if (!this.evaluateTimeCondition(condition.config)) return false;
+          break;
+
+        case 'ip':
+          if (!this.evaluateIPCondition(condition.config, request.ip)) return false;
+          break;
+
+        case 'rate_limit':
+          if (!this.evaluateRateLimit(condition.config, request)) return false;
+          break;
+
+        case 'attribute':
+          if (!this.evaluateAttribute(condition.config, request.attributes))
+            return false;
+          break;
+
+        case 'custom':
+          if (!this.evaluateCustom(condition.config, request)) return false;
+          break;
+      }
+    }
+
+    return true;
+  }
+
+  private evaluateTimeCondition(config: Record<string, unknown>): boolean {
+    const now = new Date();
+    const hour = now.getHours();
+    const day = now.getDay();
+
+    if (config.hours) {
+      const { start, end } = config.hours as { start: number; end: number };
+      if (hour < start || hour >= end) return false;
+    }
+
+    if (config.days) {
+      const days = config.days as number[];
+      if (!days.includes(day)) return false;
+    }
+
+    return true;
+  }
+
+  private evaluateIPCondition(
+    config: Record<string, unknown>,
+    ip?: string
+  ): boolean {
+    if (!ip) return false;
+
+    const allowed = config.allowed as string[] | undefined;
+    const blocked = config.blocked as string[] | undefined;
+
+    if (blocked && blocked.some(b => this.matchIP(b, ip))) return false;
+    if (allowed && !allowed.some(a => this.matchIP(a, ip))) return false;
+
+    return true;
+  }
+
+  private evaluateRateLimit(
+    config: Record<string, unknown>,
+    request: PolicyRequest
+  ): boolean {
+    const { requests, window_seconds } = config as {
+      requests: number;
+      window_seconds: number;
+    };
+
+    const key = `${request.principal}:${request.resource}:${request.action}`;
+    const state = this.rateLimits.get(key) || {
+      count: 0,
+      window_start: Date.now()
+    };
+
+    // Reset window if expired
+    if (Date.now() - state.window_start > window_seconds * 1000) {
+      state.count = 0;
+      state.window_start = Date.now();
+    }
+
+    // Check limit
+    if (state.count >= requests) {
+      return false;
+    }
+
+    // Increment
+    state.count++;
+    this.rateLimits.set(key, state);
+
+    return true;
+  }
+
+  private evaluateAttribute(
+    config: Record<string, unknown>,
+    attributes?: Record<string, unknown>
+  ): boolean {
+    if (!attributes) return false;
+
+    for (const [key, expected] of Object.entries(config)) {
+      if (attributes[key] !== expected) return false;
+    }
+
+    return true;
+  }
+
+  private evaluateCustom(
+    config: Record<string, unknown>,
+    request: PolicyRequest
+  ): boolean {
+    // Custom condition evaluation via config
+    // Could call external service, run script, etc.
+    return true;
+  }
+
+  private matchPattern(pattern: string, value: string): boolean {
+    if (pattern === '*') return true;
+    const regex = new RegExp(
+      '^' + pattern.replace(/\*/g, '.*').replace(/\?/g, '.') + '$'
+    );
+    return regex.test(value);
+  }
+
+  private matchIP(pattern: string, ip: string): boolean {
+    // Support CIDR notation
+    if (pattern.includes('/')) {
+      return this.matchCIDR(pattern, ip);
+    }
+    return this.matchPattern(pattern, ip);
+  }
+
+  private matchCIDR(cidr: string, ip: string): boolean {
+    // Simplified CIDR matching
+    const [network, bits] = cidr.split('/');
+    const mask = ~(Math.pow(2, 32 - parseInt(bits)) - 1);
+
+    const ipNum = this.ipToNum(ip);
+    const networkNum = this.ipToNum(network);
+
+    return (ipNum & mask) === (networkNum & mask);
+  }
+
+  private ipToNum(ip: string): number {
+    return ip.split('.').reduce((acc, octet) =>
+      (acc << 8) + parseInt(octet), 0
+    );
+  }
+
+  private getCacheKey(request: PolicyRequest): string {
+    return `${request.principal}:${request.resource}:${request.action}`;
+  }
+
+  private async loadPolicies(path?: string): Promise<void> {
+    if (!path) return;
+    try {
+      const content = await fs.readFile(path, 'utf-8');
+      const policies = JSON.parse(content);
+      this.policies = policies;
+      this.policies.sort((a: Policy, b: Policy) => b.priority - a.priority);
+    } catch {
+      // No policies file
+    }
+  }
+
+  private generateId(): string {
+    return `policy_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  }
+}
+```
+
+---
+
+## Comandos
+
+```bash
+/elsabro:security roles            # Listar roles
+/elsabro:security permissions      # Ver permisos
+/elsabro:security audit            # Ver audit log
+/elsabro:security secrets list     # Listar secrets
+/elsabro:security policies         # Ver políticas
+```
+
+---
+
+## Configuración
+
+```json
+{
+  "security": {
+    "enabled": true,
+    "rbac": {
+      "enabled": true,
+      "defaultRole": "agent:explore"
+    },
+    "secrets": {
+      "vaultPath": ".elsabro/vault.enc",
+      "autoRotate": true
+    },
+    "audit": {
+      "enabled": true,
+      "logPath": ".elsabro/audit.log"
+    },
+    "policies": {
+      "enabled": true,
+      "defaultEffect": "deny"
+    }
+  }
+}
+```
+
+---
+
+## Changelog
+
+- **v3.4.0**: Initial Security System
+  - RBACManager with role inheritance
+  - SecretsVault with encryption
+  - AuditLogger with alerts
+  - PolicyEngine with conditions