npm - tlc-claude-code - Versions diffs - 1.4.7 → 1.4.9 - Mend

tlc-claude-code 1.4.7 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/docker-compose.dev.yml +6 -3
package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/vps/deploy-script.js ADDED Viewed

@@ -0,0 +1,211 @@
+/**
+ * Deploy Script Generator
+ * Blue-green and rolling deployment scripts for VPS
+ */
+/**
+ * Generates a blue-green deployment script
+ * @param {Object} options - Deployment options
+ * @param {string} options.service - Service name
+ * @returns {string} Blue-green deployment script
+ */
+export function generateBlueGreenScript({ service }) {
+  return `#!/bin/bash
+set -euo pipefail
+# Blue-green deployment for ${service}
+SERVICE="${service}"
+CURRENT_COLOR=$(docker ps --filter "name=\${SERVICE}" --format '{{.Names}}' | grep -o 'blue\\|green' || echo "blue")
+if [ "\$CURRENT_COLOR" = "blue" ]; then
+  NEW_COLOR="green"
+else
+  NEW_COLOR="blue"
+fi
+echo "Current: \$CURRENT_COLOR, Deploying to: \$NEW_COLOR"
+# Deploy to new color
+docker-compose up -d "\${SERVICE}-\${NEW_COLOR}"
+# Wait for health check
+sleep 10
+# Switch traffic
+docker exec nginx nginx -s reload
+# Stop old color
+docker-compose stop "\${SERVICE}-\${CURRENT_COLOR}"
+echo "Deployed \${SERVICE} to \${NEW_COLOR}"
+`;
+}
+/**
+ * Generates a rolling update deployment script
+ * @param {Object} options - Deployment options
+ * @param {string} options.service - Service name
+ * @param {number} [options.replicas=3] - Number of replicas
+ * @returns {string} Rolling update script
+ */
+export function generateRollingScript({ service, replicas = 3 }) {
+  return `#!/bin/bash
+set -euo pipefail
+# Rolling update for ${service}
+SERVICE="${service}"
+REPLICAS=${replicas}
+echo "Starting rolling update for \${SERVICE} with \${REPLICAS} replicas"
+for i in $(seq 1 \$REPLICAS); do
+  echo "Updating replica \$i of \$REPLICAS..."
+  # Stop old instance
+  docker-compose stop "\${SERVICE}-\$i" || true
+  # Start new instance
+  docker-compose up -d "\${SERVICE}-\$i"
+  # Wait for health
+  sleep 5
+  echo "Replica \$i updated"
+done
+echo "Rolling update complete"
+`;
+}
+/**
+ * Adds health verification to deployment
+ * @param {Object} options - Health check options
+ * @param {string} options.endpoint - Health endpoint
+ * @param {number} [options.timeout=30] - Timeout in seconds
+ * @param {number} [options.retries=5] - Number of retries
+ * @returns {string} Health verification script snippet
+ */
+export function addHealthVerification({ endpoint, timeout = 30, retries = 5 }) {
+  return `# Health check verification
+HEALTH_ENDPOINT="${endpoint}"
+TIMEOUT=${timeout}
+RETRIES=${retries}
+check_health() {
+  local attempt=1
+  while [ \$attempt -le \$RETRIES ]; do
+    echo "Health check attempt \$attempt/\$RETRIES..."
+    if curl -sf "\${HEALTH_ENDPOINT}" > /dev/null; then
+      echo "Health check passed"
+      return 0
+    fi
+    sleep \$(( TIMEOUT / RETRIES ))
+    attempt=\$((attempt + 1))
+  done
+  echo "Health check failed"
+  return 1
+}
+`;
+}
+/**
+ * Adds rollback support to deployment
+ * @param {Object} options - Rollback options
+ * @returns {string} Rollback script snippet
+ */
+export function addRollbackSupport(options = {}) {
+  return `# Rollback support
+PREVIOUS_VERSION=""
+save_previous_version() {
+  PREVIOUS_VERSION=\$(docker images --format '{{.Tag}}' | head -1)
+  echo "Saved previous version: \$PREVIOUS_VERSION"
+}
+rollback() {
+  echo "Rolling back to \$PREVIOUS_VERSION..."
+  docker-compose down
+  docker tag "\${SERVICE}:\${PREVIOUS_VERSION}" "\${SERVICE}:latest"
+  docker-compose up -d
+  echo "Rollback complete"
+}
+# Call rollback on failure
+trap 'rollback' ERR
+`;
+}
+/**
+ * Generates pre and post deployment hooks
+ * @param {Object} options - Hook options
+ * @param {string} [options.pre] - Pre-deployment command
+ * @param {string} [options.post] - Post-deployment command
+ * @returns {Object} Generated hooks
+ */
+export function generateHooks({ pre, post }) {
+  const hooks = {};
+  if (pre) {
+    hooks.pre = `# Pre-deployment hook
+echo "Running pre-deployment hook..."
+${pre}
+echo "Pre-deployment hook complete"
+`;
+  }
+  if (post) {
+    hooks.post = `# Post-deployment hook
+echo "Running post-deployment hook..."
+${post}
+echo "Post-deployment hook complete"
+`;
+  }
+  return hooks;
+}
+/**
+ * Creates a deploy script generator instance
+ * @returns {Object} Generator with blueGreen and rolling methods
+ */
+export function createDeployScriptGenerator() {
+  return {
+    /**
+     * Generates a blue-green deployment script
+     * @param {Object} options - Deployment options
+     * @returns {string} Deployment script
+     */
+    blueGreen(options) {
+      let script = generateBlueGreenScript(options);
+      if (options.healthEndpoint) {
+        script += '\n' + addHealthVerification({ endpoint: options.healthEndpoint });
+      }
+      if (options.rollback !== false) {
+        script += '\n' + addRollbackSupport();
+      }
+      return script;
+    },
+    /**
+     * Generates a rolling update deployment script
+     * @param {Object} options - Deployment options
+     * @returns {string} Deployment script
+     */
+    rolling(options) {
+      let script = generateRollingScript(options);
+      if (options.healthEndpoint) {
+        script += '\n' + addHealthVerification({ endpoint: options.healthEndpoint });
+      }
+      if (options.rollback !== false) {
+        script += '\n' + addRollbackSupport();
+      }
+      return script;
+    }
+  };
+}

package/server/lib/vps/deploy-script.test.js ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Deploy Script Generator Tests
+ */
+import { describe, it, expect } from 'vitest';
+import { generateBlueGreenScript, generateRollingScript, addHealthVerification, addRollbackSupport, generateHooks, createDeployScriptGenerator } from './deploy-script.js';
+describe('deploy-script', () => {
+  describe('generateBlueGreenScript', () => {
+    it('generates blue-green deploy script', () => {
+      const script = generateBlueGreenScript({ service: 'app' });
+      expect(script).toContain('blue');
+      expect(script).toContain('green');
+    });
+  });
+  describe('generateRollingScript', () => {
+    it('generates rolling update script', () => {
+      const script = generateRollingScript({ service: 'app', replicas: 3 });
+      expect(script).toContain('rolling');
+    });
+  });
+  describe('addHealthVerification', () => {
+    it('includes health check', () => {
+      const script = addHealthVerification({ endpoint: '/health' });
+      expect(script).toContain('health');
+      expect(script).toContain('curl');
+    });
+  });
+  describe('addRollbackSupport', () => {
+    it('supports rollback on failure', () => {
+      const script = addRollbackSupport({});
+      expect(script).toContain('rollback');
+    });
+  });
+  describe('generateHooks', () => {
+    it('generates pre/post hooks', () => {
+      const hooks = generateHooks({ pre: 'npm run migrate', post: 'npm run notify' });
+      expect(hooks.pre).toContain('migrate');
+      expect(hooks.post).toContain('notify');
+    });
+  });
+  describe('createDeployScriptGenerator', () => {
+    it('creates generator', () => {
+      const generator = createDeployScriptGenerator();
+      expect(generator.blueGreen).toBeDefined();
+      expect(generator.rolling).toBeDefined();
+    });
+  });
+});

package/server/lib/vps/secrets-manager.js ADDED Viewed

@@ -0,0 +1,148 @@
+/**
+ * VPS Secrets Manager
+ * Secrets generation and rotation for VPS deployments
+ */
+import crypto from 'crypto';
+/**
+ * Creates a secrets directory with secure permissions
+ * @param {Object} options - Directory options
+ * @param {string} options.path - Directory path
+ * @param {Function} [options.mkdir] - mkdir function
+ * @param {Function} [options.chmod] - chmod function
+ * @returns {Promise<Object>} Creation result
+ */
+export async function createSecretsDir({ path, mkdir, chmod }) {
+  if (mkdir) {
+    await mkdir(path, { recursive: true });
+  }
+  if (chmod) {
+    await chmod(path, 0o600);
+  }
+  return { success: true, path };
+}
+/**
+ * Generates secrets from a template
+ * @param {Object} options - Generation options
+ * @param {Object} options.template - Secret template with name and length
+ * @returns {Object} Generated secrets
+ */
+export function generateSecrets({ template }) {
+  const secrets = {};
+  for (const [name, config] of Object.entries(template)) {
+    const length = config.length || 32;
+    // Generate a random string of the specified length
+    secrets[name] = crypto.randomBytes(Math.ceil(length / 2))
+      .toString('hex')
+      .slice(0, length);
+  }
+  return secrets;
+}
+/**
+ * Rotates secrets safely
+ * @param {Object} options - Rotation options
+ * @param {string[]} options.secrets - Secret names to rotate
+ * @param {Function} [options.mockRotate] - Mock rotate function for testing
+ * @returns {Promise<Object>} Rotation result
+ */
+export async function rotateSecrets({ secrets, mockRotate }) {
+  const rotated = [];
+  for (const secret of secrets) {
+    if (mockRotate) {
+      await mockRotate(secret);
+    }
+    rotated.push(secret);
+  }
+  return { rotated, timestamp: new Date().toISOString() };
+}
+/**
+ * Validates secret format
+ * @param {Object} options - Validation options
+ * @param {string} options.name - Secret name
+ * @param {string} options.value - Secret value
+ * @returns {Object} Validation result
+ */
+export function validateSecretFormat({ name, value }) {
+  // Secret names should not contain spaces
+  if (name.includes(' ')) {
+    return { valid: false, error: 'Secret name cannot contain spaces' };
+  }
+  // Secret names should be uppercase with underscores
+  if (!/^[A-Z][A-Z0-9_]*$/.test(name)) {
+    return { valid: false, error: 'Secret name must be uppercase with underscores' };
+  }
+  // Value should not be empty
+  if (!value || value.length === 0) {
+    return { valid: false, error: 'Secret value cannot be empty' };
+  }
+  return { valid: true };
+}
+/**
+ * Creates a secrets manager instance
+ * @returns {Object} Secrets manager with get, set, and rotate methods
+ */
+export function createSecretsManager() {
+  const secrets = new Map();
+  const manager = {
+    /**
+     * Gets a secret value
+     * @param {string} name - Secret name
+     * @returns {string|undefined} Secret value
+     */
+    get(name) {
+      return secrets.get(name);
+    },
+    /**
+     * Sets a secret value
+     * @param {string} name - Secret name
+     * @param {string} value - Secret value
+     * @returns {boolean} Success status
+     */
+    set(name, value) {
+      const validation = validateSecretFormat({ name, value });
+      if (!validation.valid) {
+        return false;
+      }
+      secrets.set(name, value);
+      return true;
+    },
+    /**
+     * Rotates a secret
+     * @param {string} name - Secret name to rotate
+     * @param {number} [length=32] - New secret length
+     * @returns {boolean} Success status
+     */
+    rotate(name, length = 32) {
+      const newValue = crypto.randomBytes(Math.ceil(length / 2))
+        .toString('hex')
+        .slice(0, length);
+      secrets.set(name, newValue);
+      return true;
+    },
+    /**
+     * Returns safe string representation (no secrets exposed)
+     * @returns {string} Safe string representation
+     */
+    toString() {
+      return `[SecretsManager: ${secrets.size} secrets]`;
+    }
+  };
+  return manager;
+}

package/server/lib/vps/secrets-manager.test.js ADDED Viewed

@@ -0,0 +1,58 @@
+/**
+ * VPS Secrets Manager Tests
+ */
+import { describe, it, expect, vi } from 'vitest';
+import { createSecretsDir, generateSecrets, rotateSecrets, validateSecretFormat, createSecretsManager } from './secrets-manager.js';
+describe('secrets-manager', () => {
+  describe('createSecretsDir', () => {
+    it('creates directory with 600 permissions', async () => {
+      const mockMkdir = vi.fn().mockResolvedValue(true);
+      const mockChmod = vi.fn().mockResolvedValue(true);
+      await createSecretsDir({ path: '/etc/tlc/secrets', mkdir: mockMkdir, chmod: mockChmod });
+      expect(mockChmod).toHaveBeenCalledWith('/etc/tlc/secrets', 0o600);
+    });
+  });
+  describe('generateSecrets', () => {
+    it('generates secrets from template', () => {
+      const secrets = generateSecrets({ template: { DB_PASSWORD: { length: 32 }, API_KEY: { length: 64 } } });
+      expect(secrets.DB_PASSWORD.length).toBe(32);
+      expect(secrets.API_KEY.length).toBe(64);
+    });
+  });
+  describe('rotateSecrets', () => {
+    it('rotates secrets safely', async () => {
+      const result = await rotateSecrets({ secrets: ['DB_PASSWORD'], mockRotate: vi.fn().mockResolvedValue(true) });
+      expect(result.rotated).toContain('DB_PASSWORD');
+    });
+  });
+  describe('validateSecretFormat', () => {
+    it('validates secret format', () => {
+      const result = validateSecretFormat({ name: 'API_KEY', value: 'abc123' });
+      expect(result.valid).toBe(true);
+    });
+    it('rejects secrets with spaces', () => {
+      const result = validateSecretFormat({ name: 'API KEY', value: 'abc' });
+      expect(result.valid).toBe(false);
+    });
+  });
+  describe('createSecretsManager', () => {
+    it('creates manager', () => {
+      const manager = createSecretsManager();
+      expect(manager.get).toBeDefined();
+      expect(manager.set).toBeDefined();
+      expect(manager.rotate).toBeDefined();
+    });
+    it('never exposes secrets in logs', () => {
+      const manager = createSecretsManager();
+      const output = manager.toString();
+      expect(output).not.toContain('password');
+    });
+  });
+});

package/server/lib/vps/server-hardening.js ADDED Viewed

@@ -0,0 +1,174 @@
+/**
+ * Server Hardening Configuration
+ * SSH config, sysctl, user management, security limits
+ */
+/**
+ * Generate SSH daemon configuration
+ * @param {Object} options - SSH configuration options
+ * @param {boolean} [options.passwordAuth=false] - Enable password authentication
+ * @param {number} [options.port=22] - SSH port
+ * @param {boolean} [options.permitRootLogin=false] - Allow root login
+ * @returns {string} SSH configuration
+ */
+export function generateSshConfig(options = {}) {
+  const {
+    passwordAuth = false,
+    port = 22,
+    permitRootLogin = false,
+  } = options;
+  const lines = [
+    '# SSH Server Configuration',
+    '# Generated by TLC Server Hardening',
+    '',
+    `Port ${port}`,
+    'Protocol 2',
+    '',
+    '# Authentication',
+    `PasswordAuthentication ${passwordAuth ? 'yes' : 'no'}`,
+    'PubkeyAuthentication yes',
+    `PermitRootLogin ${permitRootLogin ? 'yes' : 'no'}`,
+    'PermitEmptyPasswords no',
+    'ChallengeResponseAuthentication no',
+    '',
+    '# Security',
+    'X11Forwarding no',
+    'MaxAuthTries 3',
+    'LoginGraceTime 60',
+    'ClientAliveInterval 300',
+    'ClientAliveCountMax 2',
+    '',
+    '# Logging',
+    'SyslogFacility AUTH',
+    'LogLevel VERBOSE',
+  ];
+  return lines.join('\n');
+}
+/**
+ * Generate sysctl kernel parameter configuration
+ * @param {Object} options - Sysctl options
+ * @returns {string} Sysctl configuration
+ */
+export function generateSysctlConfig(options = {}) {
+  const lines = [
+    '# Sysctl Security Configuration',
+    '# Generated by TLC Server Hardening',
+    '',
+    '# Disable IP forwarding',
+    'net.ipv4.ip_forward = 0',
+    'net.ipv6.conf.all.forwarding = 0',
+    '',
+    '# Disable source routing',
+    'net.ipv4.conf.all.accept_source_route = 0',
+    'net.ipv4.conf.default.accept_source_route = 0',
+    'net.ipv6.conf.all.accept_source_route = 0',
+    '',
+    '# Disable ICMP redirects',
+    'net.ipv4.conf.all.accept_redirects = 0',
+    'net.ipv4.conf.default.accept_redirects = 0',
+    'net.ipv4.conf.all.send_redirects = 0',
+    'net.ipv4.conf.default.send_redirects = 0',
+    '',
+    '# Enable SYN flood protection',
+    'net.ipv4.tcp_syncookies = 1',
+    'net.ipv4.tcp_max_syn_backlog = 2048',
+    '',
+    '# Enable reverse path filtering',
+    'net.ipv4.conf.all.rp_filter = 1',
+    'net.ipv4.conf.default.rp_filter = 1',
+    '',
+    '# Log martian packets',
+    'net.ipv4.conf.all.log_martians = 1',
+    '',
+    '# Ignore ICMP broadcast requests',
+    'net.ipv4.icmp_echo_ignore_broadcasts = 1',
+    '',
+    '# Kernel hardening',
+    'kernel.randomize_va_space = 2',
+    'kernel.kptr_restrict = 2',
+  ];
+  return lines.join('\n');
+}
+/**
+ * Generate commands to disable unnecessary services
+ * @param {string[]} services - List of services to disable
+ * @returns {string[]} Array of systemctl commands
+ */
+export function disableServices(services = []) {
+  const commands = [];
+  for (const service of services) {
+    commands.push(`systemctl stop ${service}`);
+    commands.push(`systemctl disable ${service}`);
+    commands.push(`systemctl mask ${service}`);
+  }
+  return commands;
+}
+/**
+ * Generate unattended-upgrades configuration
+ * @param {Object} options - Auto-update options
+ * @returns {string} Unattended-upgrades configuration
+ */
+export function enableAutoUpdates(options = {}) {
+  const {
+    rebootTime = '02:00',
+    autoReboot = false,
+  } = options;
+  const lines = [
+    '// Unattended-Upgrade Configuration',
+    '// Generated by TLC Server Hardening',
+    '',
+    'Unattended-Upgrade::Allowed-Origins {',
+    '    "${distro_id}:${distro_codename}";',
+    '    "${distro_id}:${distro_codename}-security";',
+    '    "${distro_id}ESMApps:${distro_codename}-apps-security";',
+    '    "${distro_id}ESM:${distro_codename}-infra-security";',
+    '};',
+    '',
+    'Unattended-Upgrade::Package-Blacklist {',
+    '};',
+    '',
+    `Unattended-Upgrade::Automatic-Reboot "${autoReboot ? 'true' : 'false'}";`,
+    `Unattended-Upgrade::Automatic-Reboot-Time "${rebootTime}";`,
+    '',
+    'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";',
+    'Unattended-Upgrade::Remove-Unused-Dependencies "true";',
+  ];
+  return lines.join('\n');
+}
+/**
+ * Create a server hardening manager
+ * @returns {Object} Server hardening manager with methods
+ */
+export function createServerHardening() {
+  return {
+    generateSshConfig,
+    generateSysctl: generateSysctlConfig,
+    disableServices,
+    enableAutoUpdates,
+    /**
+     * Generate all hardening configurations
+     * @param {Object} options - Configuration options
+     * @returns {Object} All generated configurations
+     */
+    generateAll(options = {}) {
+      return {
+        ssh: generateSshConfig(options.ssh || {}),
+        sysctl: generateSysctlConfig(options.sysctl || {}),
+        disableCommands: disableServices(options.disableServices || []),
+        autoUpdates: enableAutoUpdates(options.autoUpdates || {}),
+      };
+    },
+  };
+}