npm - tlc-claude-code - Versions diffs - 1.4.7 → 1.4.9 - Mend

tlc-claude-code 1.4.7 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/docker-compose.dev.yml +6 -3
package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/security/dockerfile-templates.js ADDED Viewed

@@ -0,0 +1,278 @@
+/**
+ * Hardened Dockerfile Templates
+ *
+ * CIS Docker Benchmark compliant templates for production deployments.
+ */
+export const SECURITY_HEADERS = {
+  nginx: `
+# Security headers
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;" always;
+`,
+  express: `
+// Security headers middleware
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+  next();
+});
+`,
+};
+/**
+ * Generate hardened Node.js server Dockerfile
+ */
+export function generateServerDockerfile(options = {}) {
+  const {
+    nodeVersion = '20',
+    port = 5001,
+    appDir = '/app',
+    user = 'node',
+    maintainer = '',
+  } = options;
+  const labelSection = maintainer ? `LABEL maintainer="${maintainer}"\n` : 'LABEL maintainer="team@example.com"\n';
+  return `# Stage 1: Build
+FROM node:${nodeVersion}-alpine AS builder
+WORKDIR ${appDir}
+# Install build dependencies
+RUN apk add --no-cache python3 make g++
+# Copy package files first for layer caching
+COPY package*.json ./
+# Install all dependencies (including devDependencies for build)
+RUN npm ci --ignore-scripts
+# Copy source code
+COPY . .
+# Build if needed (TypeScript, etc.)
+RUN npm run build --if-present
+# Remove devDependencies
+RUN npm prune --production
+# Stage 2: Production
+FROM node:${nodeVersion}-alpine AS production
+${labelSection}
+# Install dumb-init for proper signal handling
+RUN apk add --no-cache dumb-init
+# Set non-root user
+USER ${user}
+WORKDIR ${appDir}
+# Copy built application from builder
+COPY --from=builder --chown=${user}:${user} ${appDir}/node_modules ./node_modules
+COPY --from=builder --chown=${user}:${user} ${appDir}/package*.json ./
+COPY --from=builder --chown=${user}:${user} ${appDir}/dist ./dist
+COPY --from=builder --chown=${user}:${user} ${appDir}/lib ./lib
+# Set production environment
+ENV NODE_ENV=production
+ENV PORT=${port}
+EXPOSE ${port}
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \\
+  CMD node -e "require('http').get('http://localhost:${port}/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))"
+# Use dumb-init as entrypoint
+ENTRYPOINT ["dumb-init", "--"]
+CMD ["node", "lib/index.js"]
+`;
+}
+/**
+ * Generate hardened React/Vite dashboard Dockerfile with nginx
+ */
+export function generateDashboardDockerfile(options = {}) {
+  const {
+    nodeVersion = '20',
+    nginxVersion = '1.25',
+    port = 80,
+    buildDir = 'dist',
+    user = 'nginx',
+    maintainer = '',
+  } = options;
+  const labelSection = maintainer ? `LABEL maintainer="${maintainer}"\n` : 'LABEL maintainer="team@example.com"\n';
+  return `# Stage 1: Build
+FROM node:${nodeVersion}-alpine AS builder
+WORKDIR /app
+# Copy package files
+COPY package*.json ./
+# Install dependencies
+RUN npm ci
+# Copy source
+COPY . .
+# Build the application
+RUN npm run build
+# Stage 2: Production with nginx
+FROM nginx:${nginxVersion}-alpine AS production
+${labelSection}
+# Remove default nginx config
+RUN rm /etc/nginx/conf.d/default.conf
+# Create non-root user if not nginx
+USER ${user}
+WORKDIR /usr/share/nginx/html
+# Copy built files
+COPY --from=builder --chown=${user}:${user} /app/${buildDir} .
+# Copy custom nginx config
+COPY --chown=${user}:${user} nginx.conf /etc/nginx/conf.d/app.conf
+EXPOSE ${port}
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \\
+  CMD wget --no-verbose --tries=1 --spider http://localhost:${port}/ || exit 1
+CMD ["nginx", "-g", "daemon off;"]
+`;
+}
+/**
+ * Generate customizable base Dockerfile
+ */
+export function generateBaseDockerfile(options = {}) {
+  const {
+    baseImage,
+    user = 'appuser',
+    workdir = '/app',
+    maintainer = '',
+    packages = [],
+  } = options;
+  if (!baseImage) {
+    throw new Error('baseImage is required');
+  }
+  const isAlpine = baseImage.includes('alpine');
+  const labelSection = maintainer ? `LABEL maintainer="${maintainer}"\n` : '';
+  let packageInstall = '';
+  if (packages.length > 0) {
+    if (isAlpine) {
+      packageInstall = `RUN apk add --no-cache ${packages.join(' ')}\n`;
+    } else {
+      packageInstall = `RUN apt-get update && apt-get install -y --no-install-recommends ${packages.join(' ')} && rm -rf /var/lib/apt/lists/*\n`;
+    }
+  } else {
+    // Add minimal security hardening
+    if (isAlpine) {
+      packageInstall = `RUN apk add --no-cache dumb-init\n`;
+    } else {
+      packageInstall = `RUN apt-get update && apt-get install -y --no-install-recommends dumb-init && rm -rf /var/lib/apt/lists/*\n`;
+    }
+  }
+  // Create non-root user
+  let userSetup = '';
+  if (user !== 'root') {
+    if (isAlpine) {
+      userSetup = `
+# Create non-root user
+RUN addgroup -g 1001 ${user} && adduser -u 1001 -G ${user} -s /bin/sh -D ${user}
+`;
+    } else {
+      userSetup = `
+# Create non-root user
+RUN groupadd -g 1001 ${user} && useradd -u 1001 -g ${user} -s /bin/bash -m ${user}
+`;
+    }
+  }
+  return `FROM ${baseImage}
+${labelSection}${packageInstall}${userSetup}
+WORKDIR ${workdir}
+USER ${user}
+`;
+}
+/**
+ * Generate nginx config for security headers
+ */
+export function generateNginxConfig(options = {}) {
+  const { port = 80, upstream = null } = options;
+  const upstreamBlock = upstream
+    ? `
+upstream backend {
+    server ${upstream};
+}
+`
+    : '';
+  const proxyBlock = upstream
+    ? `
+    location /api {
+        proxy_pass http://backend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+`
+    : '';
+  return `${upstreamBlock}
+server {
+    listen ${port};
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+    # Security headers
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    # Gzip compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
+    # SPA routing
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+${proxyBlock}
+    # Static file caching
+    location ~* \\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}
+`;
+}

package/server/lib/security/dockerfile-templates.test.js ADDED Viewed

@@ -0,0 +1,164 @@
+/**
+ * Hardened Dockerfile Templates Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  generateServerDockerfile,
+  generateDashboardDockerfile,
+  generateBaseDockerfile,
+  SECURITY_HEADERS,
+} from './dockerfile-templates.js';
+import { checkDockerfileCompliance } from './cis-benchmark.js';
+import { lintDockerfile } from './dockerfile-linter.js';
+describe('dockerfile-templates', () => {
+  describe('generateServerDockerfile', () => {
+    it('generates a valid Dockerfile', () => {
+      const dockerfile = generateServerDockerfile();
+      expect(dockerfile).toContain('FROM');
+      expect(dockerfile).toContain('USER');
+      expect(dockerfile).toContain('HEALTHCHECK');
+    });
+    it('uses multi-stage build', () => {
+      const dockerfile = generateServerDockerfile();
+      const fromCount = (dockerfile.match(/^FROM /gm) || []).length;
+      expect(fromCount).toBeGreaterThanOrEqual(2);
+    });
+    it('runs as non-root user', () => {
+      const dockerfile = generateServerDockerfile();
+      expect(dockerfile).toMatch(/USER\s+(?!root)\w+/i);
+    });
+    it('has HEALTHCHECK instruction', () => {
+      const dockerfile = generateServerDockerfile();
+      expect(dockerfile).toContain('HEALTHCHECK');
+    });
+    it('uses specific version tags, not latest', () => {
+      const dockerfile = generateServerDockerfile();
+      expect(dockerfile).not.toMatch(/FROM\s+\w+:latest/i);
+    });
+    it('drops privileges with dumb-init or tini', () => {
+      const dockerfile = generateServerDockerfile();
+      expect(dockerfile).toMatch(/dumb-init|tini/i);
+    });
+    it('copies only necessary files', () => {
+      const dockerfile = generateServerDockerfile();
+      expect(dockerfile).toContain('COPY --from=');
+    });
+    it('sets NODE_ENV to production', () => {
+      const dockerfile = generateServerDockerfile();
+      expect(dockerfile).toMatch(/ENV\s+NODE_ENV\s*=?\s*production/i);
+    });
+    it('exposes correct port', () => {
+      const dockerfile = generateServerDockerfile({ port: 5001 });
+      expect(dockerfile).toContain('EXPOSE 5001');
+    });
+    it('passes CIS benchmark checks', () => {
+      const dockerfile = generateServerDockerfile();
+      const result = checkDockerfileCompliance(dockerfile);
+      // Should have no high severity findings
+      const highFindings = result.findings.filter(f => f.severity === 'high');
+      expect(highFindings.length).toBe(0);
+    });
+    it('passes dockerfile linter', () => {
+      const dockerfile = generateServerDockerfile();
+      const result = lintDockerfile(dockerfile);
+      const critical = result.findings.filter(f => f.severity === 'critical');
+      expect(critical.length).toBe(0);
+    });
+  });
+  describe('generateDashboardDockerfile', () => {
+    it('generates a valid Dockerfile for React/Vite', () => {
+      const dockerfile = generateDashboardDockerfile();
+      expect(dockerfile).toContain('FROM');
+      expect(dockerfile).toContain('npm run build');
+    });
+    it('uses nginx for serving static files', () => {
+      const dockerfile = generateDashboardDockerfile();
+      expect(dockerfile).toContain('nginx');
+    });
+    it('uses multi-stage build', () => {
+      const dockerfile = generateDashboardDockerfile();
+      const fromCount = (dockerfile.match(/^FROM /gm) || []).length;
+      expect(fromCount).toBeGreaterThanOrEqual(2);
+    });
+    it('runs nginx as non-root', () => {
+      const dockerfile = generateDashboardDockerfile();
+      expect(dockerfile).toMatch(/USER\s+(?!root)\w+/i);
+    });
+    it('has HEALTHCHECK', () => {
+      const dockerfile = generateDashboardDockerfile();
+      expect(dockerfile).toContain('HEALTHCHECK');
+    });
+    it('removes default nginx config', () => {
+      const dockerfile = generateDashboardDockerfile();
+      expect(dockerfile).toMatch(/rm.*default\.conf|COPY.*nginx\.conf/i);
+    });
+    it('exposes correct port', () => {
+      const dockerfile = generateDashboardDockerfile({ port: 80 });
+      expect(dockerfile).toContain('EXPOSE 80');
+    });
+    it('passes CIS benchmark checks', () => {
+      const dockerfile = generateDashboardDockerfile();
+      const result = checkDockerfileCompliance(dockerfile);
+      const highFindings = result.findings.filter(f => f.severity === 'high');
+      expect(highFindings.length).toBe(0);
+    });
+  });
+  describe('generateBaseDockerfile', () => {
+    it('generates customizable base image', () => {
+      const dockerfile = generateBaseDockerfile({
+        baseImage: 'node:20-alpine',
+        user: 'appuser',
+        workdir: '/app',
+      });
+      expect(dockerfile).toContain('FROM node:20-alpine');
+      expect(dockerfile).toContain('USER appuser');
+      expect(dockerfile).toContain('WORKDIR /app');
+    });
+    it('includes security hardening by default', () => {
+      const dockerfile = generateBaseDockerfile({ baseImage: 'node:20-alpine' });
+      // Should have no shell or setuid binaries
+      expect(dockerfile).toMatch(/apk.*--no-cache|apt-get.*--no-install-recommends/i);
+    });
+    it('adds LABEL for maintainer', () => {
+      const dockerfile = generateBaseDockerfile({
+        baseImage: 'node:20-alpine',
+        maintainer: 'team@example.com',
+      });
+      expect(dockerfile).toContain('LABEL maintainer=');
+    });
+  });
+  describe('SECURITY_HEADERS', () => {
+    it('includes nginx security headers', () => {
+      expect(SECURITY_HEADERS.nginx).toBeDefined();
+      expect(SECURITY_HEADERS.nginx).toContain('X-Content-Type-Options');
+      expect(SECURITY_HEADERS.nginx).toContain('X-Frame-Options');
+    });
+    it('includes express security headers', () => {
+      expect(SECURITY_HEADERS.express).toBeDefined();
+    });
+  });
+});