npm - tlc-claude-code - Versions diffs - 1.4.8 → 1.4.9 - Mend

tlc-claude-code 1.4.8 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/network/security-headers.js ADDED Viewed

@@ -0,0 +1,251 @@
+/**
+ * Security Headers Manager
+ * Generates and validates security headers for HTTP responses
+ */
+export const HEADER_PRESETS = {
+  STRICT: {
+    csp: {
+      strict: true,
+    },
+    hsts: {
+      maxAge: 31536000,
+      includeSubDomains: true,
+      preload: true,
+    },
+    xFrameOptions: 'DENY',
+    referrerPolicy: 'strict-origin-when-cross-origin',
+    permissionsPolicy: {
+      strict: true,
+    },
+  },
+  RELAXED: {
+    csp: {
+      strict: false,
+    },
+    hsts: {
+      maxAge: 31536000,
+      includeSubDomains: false,
+    },
+    xFrameOptions: 'SAMEORIGIN',
+    referrerPolicy: 'strict-origin-when-cross-origin',
+  },
+};
+/**
+ * Generate Content Security Policy header value
+ */
+export function generateCsp(options) {
+  const { strict, scriptSrc, styleSrc, reportUri, frameAncestors, upgradeInsecureRequests } =
+    options;
+  const directives = [];
+  // Default source
+  directives.push("default-src 'self'");
+  // Script source
+  if (scriptSrc) {
+    directives.push(`script-src ${scriptSrc.join(' ')}`);
+  } else if (strict) {
+    directives.push("script-src 'self'");
+  }
+  // Style source
+  if (styleSrc) {
+    directives.push(`style-src ${styleSrc.join(' ')}`);
+  } else if (strict) {
+    directives.push("style-src 'self'");
+  }
+  // Frame ancestors
+  if (frameAncestors) {
+    directives.push(`frame-ancestors ${frameAncestors.join(' ')}`);
+  }
+  // Upgrade insecure requests
+  if (upgradeInsecureRequests) {
+    directives.push('upgrade-insecure-requests');
+  }
+  // Report URI
+  if (reportUri) {
+    directives.push(`report-uri ${reportUri}`);
+  }
+  return directives.join('; ');
+}
+/**
+ * Generate HSTS header value
+ */
+export function generateHsts(options) {
+  const { maxAge = 31536000, includeSubDomains, preload } = options;
+  let value = `max-age=${maxAge}`;
+  if (includeSubDomains) {
+    value += '; includeSubDomains';
+  }
+  if (preload) {
+    value += '; preload';
+  }
+  return value;
+}
+/**
+ * Generate Permissions-Policy header value
+ */
+export function generatePermissionsPolicy(options) {
+  const { strict, camera, microphone, geolocation, payment } = options;
+  const policies = [];
+  // Helper to format policy value
+  const formatValue = (value) => {
+    if (!value || value.length === 0) {
+      return '()';
+    }
+    const formatted = value
+      .map((v) => {
+        if (v === 'self') return 'self';
+        return `"${v}"`;
+      })
+      .join(' ');
+    return `(${formatted})`;
+  };
+  if (strict) {
+    policies.push('camera=()');
+    policies.push('microphone=()');
+    policies.push('geolocation=()');
+    policies.push('payment=()');
+    policies.push('usb=()');
+    policies.push('magnetometer=()');
+    policies.push('gyroscope=()');
+    policies.push('accelerometer=()');
+  } else {
+    if (camera !== undefined) {
+      policies.push(`camera=${formatValue(camera)}`);
+    }
+    if (microphone !== undefined) {
+      policies.push(`microphone=${formatValue(microphone)}`);
+    }
+    if (geolocation !== undefined) {
+      policies.push(`geolocation=${formatValue(geolocation)}`);
+    }
+    if (payment !== undefined) {
+      policies.push(`payment=${formatValue(payment)}`);
+    }
+  }
+  return policies.join(', ');
+}
+/**
+ * Generate Cross-Origin headers (COOP, COEP, CORP)
+ */
+export function generateCrossOriginHeaders(options) {
+  const { coopPolicy, coepPolicy, corpPolicy } = options;
+  const headers = {};
+  if (coopPolicy) {
+    headers['Cross-Origin-Opener-Policy'] = coopPolicy;
+  }
+  if (coepPolicy) {
+    headers['Cross-Origin-Embedder-Policy'] = coepPolicy;
+  }
+  if (corpPolicy) {
+    headers['Cross-Origin-Resource-Policy'] = corpPolicy;
+  }
+  return headers;
+}
+/**
+ * Generate all security headers
+ */
+export function generateSecurityHeaders(options) {
+  const { preset, referrerPolicy } = options;
+  const presetConfig = preset ? HEADER_PRESETS[preset.toUpperCase()] : null;
+  const headers = {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': presetConfig?.xFrameOptions || 'DENY',
+    'Referrer-Policy': referrerPolicy || presetConfig?.referrerPolicy || 'strict-origin-when-cross-origin',
+  };
+  if (preset === 'strict' || presetConfig) {
+    headers['Content-Security-Policy'] = generateCsp(presetConfig?.csp || { strict: true });
+    headers['Strict-Transport-Security'] = generateHsts(presetConfig?.hsts || {});
+    headers['Permissions-Policy'] = generatePermissionsPolicy(
+      presetConfig?.permissionsPolicy || { strict: true }
+    );
+  }
+  return headers;
+}
+/**
+ * Validate security headers
+ */
+export function validateHeaders(headers, options = {}) {
+  const { required = [], strict = false } = options;
+  const result = {
+    valid: true,
+    missing: [],
+    warnings: [],
+  };
+  // Check required headers
+  for (const header of required) {
+    if (!headers[header]) {
+      result.missing.push(header);
+      result.valid = false;
+    }
+  }
+  // Check for unsafe CSP directives in strict mode
+  if (strict === true && headers['Content-Security-Policy']) {
+    const cspValue = headers['Content-Security-Policy'];
+    // Check for unsafe-inline
+    if (cspValue.includes('unsafe-inline')) {
+      result.warnings.push('unsafe-inline detected in CSP - this weakens security');
+    }
+    // Check for unsafe-eval
+    if (cspValue.includes('unsafe-eval')) {
+      result.warnings.push('unsafe-eval detected in CSP - this weakens security');
+    }
+  }
+  return result;
+}
+/**
+ * Create a security headers manager with default options
+ */
+export function createSecurityHeadersManager(config = {}) {
+  const { preset } = config;
+  return {
+    generate(options) {
+      return generateSecurityHeaders({ preset, ...options });
+    },
+    validate(headers, options) {
+      return validateHeaders(headers, options);
+    },
+    getCsp(options) {
+      return generateCsp(options);
+    },
+    getHsts(options) {
+      return generateHsts(options);
+    },
+  };
+}

package/server/lib/network/security-headers.test.js ADDED Viewed

@@ -0,0 +1,283 @@
+/**
+ * Security Headers Manager Tests
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  generateSecurityHeaders,
+  generateCsp,
+  generateHsts,
+  generatePermissionsPolicy,
+  generateCrossOriginHeaders,
+  validateHeaders,
+  HEADER_PRESETS,
+  createSecurityHeadersManager,
+} from './security-headers.js';
+describe('security-headers', () => {
+  describe('HEADER_PRESETS', () => {
+    it('defines strict preset', () => {
+      expect(HEADER_PRESETS.STRICT).toBeDefined();
+      expect(HEADER_PRESETS.STRICT.csp).toBeDefined();
+    });
+    it('defines relaxed preset', () => {
+      expect(HEADER_PRESETS.RELAXED).toBeDefined();
+    });
+  });
+  describe('generateCsp', () => {
+    it('generates strict CSP without unsafe-inline', () => {
+      const csp = generateCsp({ strict: true });
+      expect(csp).not.toContain("'unsafe-inline'");
+      expect(csp).not.toContain("'unsafe-eval'");
+    });
+    it('includes default-src directive', () => {
+      const csp = generateCsp({});
+      expect(csp).toContain("default-src 'self'");
+    });
+    it('configures script-src', () => {
+      const csp = generateCsp({
+        scriptSrc: ["'self'", 'https://cdn.example.com'],
+      });
+      expect(csp).toContain('script-src');
+      expect(csp).toContain('https://cdn.example.com');
+    });
+    it('configures style-src', () => {
+      const csp = generateCsp({
+        styleSrc: ["'self'"],
+      });
+      expect(csp).toContain('style-src');
+    });
+    it('adds report-uri when specified', () => {
+      const csp = generateCsp({
+        reportUri: 'https://example.com/csp-report',
+      });
+      expect(csp).toContain('report-uri https://example.com/csp-report');
+    });
+    it('supports frame-ancestors', () => {
+      const csp = generateCsp({
+        frameAncestors: ["'none'"],
+      });
+      expect(csp).toContain("frame-ancestors 'none'");
+    });
+    it('supports upgrade-insecure-requests', () => {
+      const csp = generateCsp({
+        upgradeInsecureRequests: true,
+      });
+      expect(csp).toContain('upgrade-insecure-requests');
+    });
+  });
+  describe('generateHsts', () => {
+    it('sets max-age', () => {
+      const hsts = generateHsts({ maxAge: 31536000 });
+      expect(hsts).toContain('max-age=31536000');
+    });
+    it('includes includeSubDomains', () => {
+      const hsts = generateHsts({
+        maxAge: 31536000,
+        includeSubDomains: true,
+      });
+      expect(hsts).toContain('includeSubDomains');
+    });
+    it('includes preload directive', () => {
+      const hsts = generateHsts({
+        maxAge: 31536000,
+        includeSubDomains: true,
+        preload: true,
+      });
+      expect(hsts).toContain('preload');
+    });
+    it('defaults to one year max-age', () => {
+      const hsts = generateHsts({});
+      expect(hsts).toContain('max-age=31536000');
+    });
+  });
+  describe('generatePermissionsPolicy', () => {
+    it('disables camera by default', () => {
+      const policy = generatePermissionsPolicy({ strict: true });
+      expect(policy).toContain('camera=()');
+    });
+    it('disables microphone by default', () => {
+      const policy = generatePermissionsPolicy({ strict: true });
+      expect(policy).toContain('microphone=()');
+    });
+    it('disables geolocation by default', () => {
+      const policy = generatePermissionsPolicy({ strict: true });
+      expect(policy).toContain('geolocation=()');
+    });
+    it('allows specific features when configured', () => {
+      const policy = generatePermissionsPolicy({
+        camera: ['self'],
+        geolocation: ['self', 'https://maps.example.com'],
+      });
+      expect(policy).toContain('camera=(self)');
+      expect(policy).toContain('geolocation=(self "https://maps.example.com")');
+    });
+    it('handles payment feature', () => {
+      const policy = generatePermissionsPolicy({
+        payment: ['self'],
+      });
+      expect(policy).toContain('payment=(self)');
+    });
+  });
+  describe('generateCrossOriginHeaders', () => {
+    it('generates COOP header', () => {
+      const headers = generateCrossOriginHeaders({
+        coopPolicy: 'same-origin',
+      });
+      expect(headers['Cross-Origin-Opener-Policy']).toBe('same-origin');
+    });
+    it('generates COEP header', () => {
+      const headers = generateCrossOriginHeaders({
+        coepPolicy: 'require-corp',
+      });
+      expect(headers['Cross-Origin-Embedder-Policy']).toBe('require-corp');
+    });
+    it('generates CORP header', () => {
+      const headers = generateCrossOriginHeaders({
+        corpPolicy: 'same-origin',
+      });
+      expect(headers['Cross-Origin-Resource-Policy']).toBe('same-origin');
+    });
+    it('supports cross-origin-isolated', () => {
+      const headers = generateCrossOriginHeaders({
+        coopPolicy: 'same-origin',
+        coepPolicy: 'require-corp',
+      });
+      expect(headers['Cross-Origin-Opener-Policy']).toBe('same-origin');
+      expect(headers['Cross-Origin-Embedder-Policy']).toBe('require-corp');
+    });
+  });
+  describe('generateSecurityHeaders', () => {
+    it('includes X-Content-Type-Options', () => {
+      const headers = generateSecurityHeaders({});
+      expect(headers['X-Content-Type-Options']).toBe('nosniff');
+    });
+    it('includes X-Frame-Options', () => {
+      const headers = generateSecurityHeaders({});
+      expect(headers['X-Frame-Options']).toBe('DENY');
+    });
+    it('includes Referrer-Policy', () => {
+      const headers = generateSecurityHeaders({});
+      expect(headers['Referrer-Policy']).toBe('strict-origin-when-cross-origin');
+    });
+    it('includes all headers for strict preset', () => {
+      const headers = generateSecurityHeaders({ preset: 'strict' });
+      expect(headers['Content-Security-Policy']).toBeDefined();
+      expect(headers['Strict-Transport-Security']).toBeDefined();
+      expect(headers['X-Content-Type-Options']).toBeDefined();
+      expect(headers['X-Frame-Options']).toBeDefined();
+      expect(headers['Referrer-Policy']).toBeDefined();
+      expect(headers['Permissions-Policy']).toBeDefined();
+    });
+    it('allows custom Referrer-Policy', () => {
+      const headers = generateSecurityHeaders({
+        referrerPolicy: 'no-referrer',
+      });
+      expect(headers['Referrer-Policy']).toBe('no-referrer');
+    });
+  });
+  describe('validateHeaders', () => {
+    it('validates correct headers', () => {
+      const headers = {
+        'Content-Security-Policy': "default-src 'self'",
+        'Strict-Transport-Security': 'max-age=31536000',
+        'X-Content-Type-Options': 'nosniff',
+      };
+      const result = validateHeaders(headers);
+      expect(result.valid).toBe(true);
+    });
+    it('detects missing required headers', () => {
+      const headers = {
+        'X-Content-Type-Options': 'nosniff',
+      };
+      const result = validateHeaders(headers, { required: ['Content-Security-Policy'] });
+      expect(result.valid).toBe(false);
+      expect(result.missing).toContain('Content-Security-Policy');
+    });
+    it('detects unsafe CSP directives', () => {
+      const headers = {
+        'Content-Security-Policy': "script-src 'unsafe-inline'",
+      };
+      const result = validateHeaders(headers, { strict: true });
+      expect(result.warnings).toEqual(
+        expect.arrayContaining([expect.stringContaining('unsafe-inline')])
+      );
+    });
+  });
+  describe('createSecurityHeadersManager', () => {
+    it('creates manager with methods', () => {
+      const manager = createSecurityHeadersManager();
+      expect(manager.generate).toBeDefined();
+      expect(manager.validate).toBeDefined();
+      expect(manager.getCsp).toBeDefined();
+      expect(manager.getHsts).toBeDefined();
+    });
+    it('applies default preset', () => {
+      const manager = createSecurityHeadersManager({
+        preset: 'strict',
+      });
+      const headers = manager.generate({});
+      expect(headers['X-Frame-Options']).toBe('DENY');
+    });
+  });
+});