From 95d99602b8f0323a749ffd458a223853fd4b2d92 Mon Sep 17 00:00:00 2001 From: TheFlow Date: Tue, 14 Oct 2025 14:29:15 +1300 Subject: [PATCH] feat: add comprehensive security vetting framework (inst_041-046) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Created 6 permanent strategic instructions for rigorous external input vetting: **inst_041: File Upload Validation** - Mandatory malware scanning using sovereign tools (ClamAV, YARA, file(1)) - Multi-layer validation: type verification, virus scanning, pattern matching - Quarantine suspicious files, never auto-process flagged content - Implementation: src/middleware/file-security.middleware.js **inst_042: Email Security Pipeline** - Sovereign email stack (SpamAssassin, amavisd-new, postfix/dovecot) - DKIM/SPF/DMARC validation, attachment type restrictions - Rate limiting per sender, malware scanning via ClamAV - Quarantine suspicious attachments with admin alerts **inst_043: Form Input Sanitization** - Rigorous validation before processing/storage - DOMPurify HTML sanitization, parameterized queries only - NoSQL injection prevention, XSS prevention (CSP + output encoding) - CSRF protection on all state-changing endpoints - Implementation: src/middleware/input-validation.middleware.js **inst_044: HTTP Security Headers** - Comprehensive security headers on all responses - CSP enforcement at HTTP level (defense in depth with inst_008) - HSTS, X-Frame-Options, X-Content-Type-Options - CSP violation reporting endpoint for attack detection - Implementation: src/middleware/security-headers.middleware.js **inst_045: API Endpoint Protection** - Rate limiting (public/authenticated/admin tiers) - JWT authentication with short expiry (15min access, 7day refresh) - IP blocking after repeated violations (10 in 1hr = 24hr block) - Request validation, response sanitization - Monitoring for attack patterns (enumeration, brute force, etc.) **inst_046: Security Monitoring & Alerting** - Centralized logging to /var/log/tractatus/security-audit.log - Real-time monitoring dashboard at /admin/security-monitoring.html - Alert thresholds (10 violations/IP/hour = alert, 100 global/hour = attack alert) - fail2ban integration for automated IP blocking - Sovereign log analysis tools (grep, awk, jq) - no external services All instructions use sovereign tools (open-source, auditable, under organizational control) and implement defense in depth across multiple layers. Synced to production. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .claude/instruction-history.json | 551 ++++++++++++++++++++++++++++++- 1 file changed, 545 insertions(+), 6 deletions(-) diff --git a/.claude/instruction-history.json b/.claude/instruction-history.json index 8c36fb7e..079b0c90 100644 --- a/.claude/instruction-history.json +++ b/.claude/instruction-history.json @@ -1,6 +1,6 @@ { "version": "1.0", - "last_updated": "2025-10-12T19:50:00Z", + "last_updated": "2025-10-14T01:45:00Z", "description": "Persistent instruction database for Tractatus framework governance", "instructions": [ { @@ -974,20 +974,559 @@ }, "active": true, "notes": "IDENTIFIED 2025-10-14 - User directive: 'create a rule that stipulates that when the user says \"all\" as in \"update all...\" Claude may not choose to work on a subset'. Context: Footer standardization where user asked to update all pages, and Claude initially only updated FAQ page footer then used script for remaining pages. User expects 'all' to mean complete coverage without exceptions or representative samples. This prevents pattern where Claude selectively applies changes to subset of items when user explicitly requested universal application." + }, + { + "id": "inst_041", + "text": "ALL file uploads (case study submissions, media attachments, document uploads, user-provided files) MUST undergo mandatory malware scanning using sovereign tools before processing or storage. REQUIRED validation pipeline: (1) File type validation using file(1) command - reject mismatched MIME types and extensions, (2) ClamAV antivirus scan with updated virus definitions (minimum daily updates), (3) YARA rule scanning for malware signatures and suspicious patterns, (4) File size limits enforced (max 10MB for documents, 50MB for media), (5) Quarantine suspicious files for manual review - NEVER auto-process flagged content. ALL scans must complete successfully before file is accessible to application logic. Failed scans trigger immediate rejection and security alert logging. Implement in src/middleware/file-security.middleware.js with detailed logging to security audit trail.", + "timestamp": "2025-10-14T01:45:00Z", + "quadrant": "SYSTEM", + "persistence": "HIGH", + "temporal_scope": "PERMANENT", + "verification_required": "MANDATORY", + "explicitness": 1.0, + "source": "user", + "session_id": "2025-10-14-security-vetting", + "parameters": { + "trigger_conditions": [ + "file_upload", + "document_submission", + "media_attachment", + "case_study_upload", + "any_external_file" + ], + "sovereign_tools": { + "file_type_validation": "file(1) - UNIX file command", + "antivirus": "ClamAV (clamscan/clamdscan)", + "pattern_matching": "YARA rules engine", + "update_frequency": "ClamAV definitions: minimum daily" + }, + "validation_pipeline": [ + "file_type_validation", + "mime_type_verification", + "clamav_scan", + "yara_scan", + "size_limit_check" + ], + "size_limits": { + "documents": "10MB", + "media": "50MB", + "default": "5MB" + }, + "rejection_criteria": [ + "mime_type_mismatch", + "virus_detected", + "malware_signature_match", + "size_exceeded", + "suspicious_patterns" + ], + "quarantine_directory": "/var/quarantine/tractatus", + "security_logging": "src/utils/security-logger.js", + "implementation_file": "src/middleware/file-security.middleware.js" + }, + "active": true, + "notes": "SECURITY REQUIREMENT 2025-10-14 - User directive: 'Create a set of tractatus permanent strategic rules that ensures any external input to the website or incoming mail or case study submissions etc are rigorously vetted for malware, viruses, sleeper code or any other bad actor infiltration attempts.' Part 1 of comprehensive security vetting framework. File uploads are primary attack vector for malware injection. Sovereign tools (ClamAV, YARA, file(1)) are open-source, auditable, and under organizational control - no reliance on external services or proprietary scanning APIs. Multi-layer validation creates defense in depth: type validation catches file extension spoofing, ClamAV catches known malware, YARA catches suspicious patterns and zero-days." + }, + { + "id": "inst_042", + "text": "ALL email attachments and incoming mail to system addresses (media inquiries, case submissions, contact forms processed via email) MUST be scanned using sovereign email security stack before delivery to application. REQUIRED email security pipeline: (1) SpamAssassin content filtering with custom rules for governance domain (minimum score 5.0 = spam), (2) amavisd-new integration for virus scanning (ClamAV backend), (3) Attachment type restrictions - only allow: PDF, TXT, MD, DOC/DOCX, images (PNG/JPG). Block: executables, scripts, archives, macros, (4) DKIM/SPF/DMARC validation for sender authentication, (5) Rate limiting per sender (max 10 emails/hour from unknown senders), (6) Suspicious attachments quarantined to /var/quarantine/email/ with alert to admin. Configure postfix/dovecot with these filters. ALL blocked emails logged to security audit trail with sender IP, timestamp, rejection reason. Implement monitoring dashboard for security team.", + "timestamp": "2025-10-14T01:45:00Z", + "quadrant": "SYSTEM", + "persistence": "HIGH", + "temporal_scope": "PERMANENT", + "verification_required": "MANDATORY", + "explicitness": 1.0, + "source": "user", + "session_id": "2025-10-14-security-vetting", + "parameters": { + "trigger_conditions": [ + "incoming_email", + "email_attachments", + "contact_form_email", + "media_inquiry_email", + "case_submission_email" + ], + "sovereign_tools": { + "spam_filter": "SpamAssassin", + "virus_scanning": "amavisd-new with ClamAV backend", + "mail_server": "postfix/dovecot", + "authentication": "OpenDKIM, opendmarc" + }, + "email_pipeline": [ + "spamassassin_filtering", + "dkim_spf_dmarc_validation", + "amavisd_virus_scan", + "attachment_type_validation", + "rate_limiting_check" + ], + "allowed_attachments": [ + "application/pdf", + "text/plain", + "text/markdown", + "application/msword", + "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "image/png", + "image/jpeg" + ], + "blocked_attachments": [ + "executables (.exe, .bat, .cmd, .sh)", + "scripts (.js, .vbs, .ps1, .py)", + "archives (.zip, .rar, .tar, .gz)", + "macros (macro-enabled documents)", + "suspicious extensions (.scr, .pif, .com)" + ], + "spamassassin_config": { + "required_score": "5.0", + "custom_rules": "/etc/spamassassin/local.cf", + "auto_learn": true + }, + "rate_limiting": { + "unknown_senders": "10 emails per hour", + "known_senders": "100 emails per hour", + "implementation": "postfix policyd-weight" + }, + "quarantine_directory": "/var/quarantine/email", + "monitoring": "security dashboard for blocked emails" + }, + "active": true, + "notes": "SECURITY REQUIREMENT 2025-10-14 - Part 2 of comprehensive security vetting framework. Email is secondary attack vector - phishing, malware attachments, social engineering attempts. Sovereign email stack (SpamAssassin, amavisd-new, postfix) provides complete control over filtering rules and logging. DKIM/SPF/DMARC prevents sender spoofing. Attachment restrictions prevent executable delivery. Rate limiting prevents spam floods and automated attacks. This creates layered defense for email-based threats while maintaining full auditability and control of security infrastructure." + }, + { + "id": "inst_043", + "text": "ALL user input from web forms (contact forms, case submissions, media inquiries, comment fields, search inputs) MUST undergo rigorous sanitization and validation BEFORE processing or storage. MANDATORY validation layers: (1) Input length limits enforced (configurable per field, default max 5000 chars), (2) HTML sanitization using DOMPurify (sovereign JS library) - strip ALL HTML tags except safe whitelist for markdown fields, (3) SQL injection prevention via parameterized queries ONLY (NEVER string concatenation in MongoDB queries), (4) NoSQL injection prevention - validate all user input against expected data types and patterns before database operations, (5) XSS prevention - Content Security Policy enforcement (inst_008) + output encoding, (6) CSRF protection on all POST/PUT/DELETE endpoints using signed tokens. Implement in src/middleware/input-validation.middleware.js with comprehensive logging. Use validator.js library for email, URL, and data format validation. Rate limit form submissions: 5 requests per minute per IP.", + "timestamp": "2025-10-14T01:45:00Z", + "quadrant": "SYSTEM", + "persistence": "HIGH", + "temporal_scope": "PERMANENT", + "verification_required": "MANDATORY", + "explicitness": 1.0, + "source": "user", + "session_id": "2025-10-14-security-vetting", + "parameters": { + "trigger_conditions": [ + "form_submission", + "user_input", + "search_query", + "contact_form", + "case_submission", + "media_inquiry", + "comment_field", + "any_external_text_input" + ], + "sovereign_tools": { + "html_sanitization": "DOMPurify (client + server)", + "validation_library": "validator.js", + "parameterized_queries": "MongoDB driver with prepared statements", + "csrf_protection": "csurf middleware" + }, + "validation_pipeline": [ + "length_limit_check", + "data_type_validation", + "html_sanitization", + "nosql_injection_check", + "xss_pattern_detection", + "csrf_token_validation" + ], + "input_limits": { + "default_max_length": 5000, + "email": 254, + "url": 2048, + "phone": 20, + "name": 100, + "title": 200, + "description": 5000, + "case_study": 50000 + }, + "html_sanitization": { + "default": "strip_all_html", + "markdown_fields": "allow_safe_whitelist", + "safe_tags": [ + "p", + "br", + "strong", + "em", + "ul", + "ol", + "li", + "a", + "code", + "pre" + ], + "blocked_tags": [ + "script", + "iframe", + "object", + "embed", + "style", + "link" + ] + }, + "injection_prevention": { + "sql": "parameterized_queries_only", + "nosql": "type_validation_before_query", + "mongodb_unsafe_operators": [ + "$where", + "mapReduce", + "eval" + ], + "validation": "mongoose_schema_validation" + }, + "xss_prevention": [ + "csp_enforcement (inst_008)", + "output_encoding", + "dompurify_sanitization", + "no_dangerouslySetInnerHTML" + ], + "csrf_protection": { + "implementation": "csurf middleware", + "token_rotation": "per_session", + "applies_to": [ + "POST", + "PUT", + "DELETE", + "PATCH" + ] + }, + "rate_limiting": { + "form_submissions": "5 requests per minute per IP", + "search_queries": "20 requests per minute per IP", + "implementation": "express-rate-limit" + }, + "implementation_file": "src/middleware/input-validation.middleware.js", + "logging": "security audit trail for rejected inputs" + }, + "active": true, + "notes": "SECURITY REQUIREMENT 2025-10-14 - Part 3 of comprehensive security vetting framework. Web form inputs are most common attack vector for XSS, injection attacks, and data exfiltration. DOMPurify is sovereign (open-source, client+server capable) and industry-standard for HTML sanitization. Parameterized queries prevent SQL/NoSQL injection. CSP (inst_008) provides defense in depth for XSS. CSRF tokens prevent cross-site request forgery. Rate limiting prevents automated form spam and brute force attempts. Multi-layer validation creates defense in depth: input validation, sanitization, parameterized queries, output encoding, CSP enforcement." + }, + { + "id": "inst_044", + "text": "ALL HTTP responses MUST include comprehensive security headers to prevent common web attacks and provide defense in depth. MANDATORY security headers: (1) Content-Security-Policy with strict directives (enforces inst_008 at HTTP level), (2) X-Content-Type-Options: nosniff - prevent MIME type sniffing attacks, (3) X-Frame-Options: DENY - prevent clickjacking via iframes, (4) X-XSS-Protection: 1; mode=block - enable browser XSS filter, (5) Strict-Transport-Security: max-age=31536000; includeSubDomains; preload - enforce HTTPS, (6) Referrer-Policy: strict-origin-when-cross-origin - limit referrer leakage, (7) Permissions-Policy to restrict dangerous browser features. Implement in src/middleware/security-headers.middleware.js applied to ALL routes. CSP directives must match inst_008: script-src 'self', no inline scripts, no unsafe-eval. Regularly audit CSP violations via report-uri endpoint. Monitor SecurityHeaders.com grade (target: A+).", + "timestamp": "2025-10-14T01:45:00Z", + "quadrant": "SYSTEM", + "persistence": "HIGH", + "temporal_scope": "PERMANENT", + "verification_required": "MANDATORY", + "explicitness": 1.0, + "source": "user", + "session_id": "2025-10-14-security-vetting", + "parameters": { + "trigger_conditions": [ + "all_http_responses", + "every_route", + "api_responses", + "static_files", + "error_pages" + ], + "mandatory_headers": { + "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content", + "X-Content-Type-Options": "nosniff", + "X-Frame-Options": "DENY", + "X-XSS-Protection": "1; mode=block", + "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload", + "Referrer-Policy": "strict-origin-when-cross-origin", + "Permissions-Policy": "geolocation=(), microphone=(), camera=(), payment=()" + }, + "csp_directives": { + "default-src": "'self'", + "script-src": "'self'", + "style-src": "'self' 'unsafe-inline'", + "img-src": "'self' data: https:", + "font-src": "'self' https://fonts.gstatic.com", + "connect-src": "'self'", + "frame-ancestors": "'none'", + "base-uri": "'self'", + "form-action": "'self'", + "upgrade-insecure-requests": true, + "block-all-mixed-content": true, + "report-uri": "/api/csp-violations" + }, + "csp_violations_endpoint": { + "route": "/api/csp-violations", + "logging": "security audit trail", + "monitoring": "alert on repeated violations" + }, + "hsts_preload": { + "status": "required for production", + "submission": "https://hstspreload.org/", + "prerequisites": [ + "valid_certificate", + "https_on_all_subdomains", + "redirect_http_to_https" + ] + }, + "implementation_file": "src/middleware/security-headers.middleware.js", + "application_point": "app.use(securityHeadersMiddleware) - before all routes", + "monitoring": { + "tool": "SecurityHeaders.com", + "target_grade": "A+", + "audit_frequency": "weekly" + }, + "related_tools": { + "helmet_js": "optional convenience wrapper", + "manual_implementation": "preferred for full control" + } + }, + "related_instructions": [ + "inst_008" + ], + "active": true, + "notes": "SECURITY REQUIREMENT 2025-10-14 - Part 4 of comprehensive security vetting framework. HTTP security headers provide browser-level defense against common web attacks. CSP enforcement at HTTP level (inst_008 enforces at code level, inst_044 enforces at protocol level) creates defense in depth. HSTS prevents SSL stripping attacks. X-Frame-Options prevents clickjacking. X-Content-Type-Options prevents MIME confusion attacks. These headers are 'sovereign' in the sense that they're implemented entirely within our control (no external dependencies), enforce security policies at protocol level, and provide defense even if application-level protections fail. CSP violation reporting provides early warning of attack attempts or policy violations." + }, + { + "id": "inst_045", + "text": "ALL API endpoints MUST implement rate limiting, authentication requirements, and input validation to prevent automated attacks, brute force attempts, and API abuse. MANDATORY protections: (1) Rate limiting with express-rate-limit: public endpoints 100 req/15min per IP, authenticated endpoints 1000 req/15min per user, admin endpoints 50 req/15min per admin, (2) Authentication middleware for sensitive endpoints - JWT validation with short expiry (15min access, 7day refresh), (3) IP-based blocking after repeated rate limit violations (10 violations in 1 hour = 24 hour block), (4) Request validation for all POST/PUT/PATCH - reject requests with unexpected fields or malformed JSON, (5) Response sanitization - NEVER expose stack traces, internal paths, or sensitive errors to clients (inst_013), (6) API key rotation for service-to-service communication every 90 days. Implement monitoring for unusual API patterns: rapid endpoint enumeration, repeated 401s, large payloads, unusual user agents. Log all rate limit violations and authentication failures to security audit trail.", + "timestamp": "2025-10-14T01:45:00Z", + "quadrant": "SYSTEM", + "persistence": "HIGH", + "temporal_scope": "PERMANENT", + "verification_required": "MANDATORY", + "explicitness": 1.0, + "source": "user", + "session_id": "2025-10-14-security-vetting", + "parameters": { + "trigger_conditions": [ + "all_api_endpoints", + "public_routes", + "authenticated_routes", + "admin_routes", + "service_to_service_communication" + ], + "rate_limiting": { + "public_endpoints": "100 requests per 15 minutes per IP", + "authenticated_endpoints": "1000 requests per 15 minutes per user", + "admin_endpoints": "50 requests per 15 minutes per admin", + "implementation": "express-rate-limit", + "storage": "Redis for distributed rate limiting", + "violation_threshold": "10 violations in 1 hour = 24 hour IP block" + }, + "authentication": { + "mechanism": "JWT (JSON Web Tokens)", + "access_token_expiry": "15 minutes", + "refresh_token_expiry": "7 days", + "algorithm": "HS256", + "secret_rotation": "every 90 days", + "middleware": "src/middleware/auth.middleware.js" + }, + "endpoint_classification": { + "public": [ + "/health", + "/api/documents", + "/api/blog" + ], + "authenticated": [ + "/api/cases", + "/api/media", + "/api/koha" + ], + "admin": [ + "/api/admin/*", + "/api/governance/*" + ] + }, + "input_validation": { + "reject_unexpected_fields": true, + "reject_malformed_json": true, + "max_payload_size": "1MB", + "content_type_enforcement": "application/json for POST/PUT/PATCH" + }, + "response_sanitization": { + "production_mode": "hide_stack_traces", + "hide_internal_paths": true, + "generic_error_messages": true, + "error_codes_only": "specific details logged, not exposed", + "relates_to": "inst_013" + }, + "service_to_service": { + "api_key_rotation": "every 90 days", + "mutual_tls": "consider for high security services", + "key_storage": "environment variables, not in code" + }, + "monitoring_alerts": [ + "rapid_endpoint_enumeration (>50 unique endpoints in 1 minute)", + "repeated_401_errors (>10 from single IP in 5 minutes)", + "large_payloads (>10MB)", + "unusual_user_agents (automated scanners)", + "rate_limit_violations (repeated from same IP)", + "authentication_failures (>5 failed attempts in 5 minutes)" + ], + "ip_blocking": { + "automatic_block": "10 rate limit violations in 1 hour", + "block_duration": "24 hours", + "whitelist": "monitoring services, known good IPs", + "implementation": "express-slow-down + custom blocking middleware", + "storage": "Redis for distributed blocking" + }, + "logging": { + "security_audit_trail": "all violations, failures, blocks", + "log_fields": [ + "timestamp", + "ip", + "endpoint", + "method", + "user_agent", + "violation_type", + "user_id (if authenticated)" + ] + }, + "implementation_files": [ + "src/middleware/rate-limit.middleware.js", + "src/middleware/auth.middleware.js", + "src/middleware/api-validation.middleware.js", + "src/utils/security-logger.js" + ] + }, + "related_instructions": [ + "inst_013" + ], + "active": true, + "notes": "SECURITY REQUIREMENT 2025-10-14 - Part 5 of comprehensive security vetting framework. API endpoints are primary targets for automated attacks, brute force attempts, credential stuffing, and reconnaissance. Rate limiting prevents abuse and DoS attacks. JWT authentication with short expiry limits impact of token theft. IP blocking prevents persistent attackers. Request validation prevents injection attacks and malformed input exploitation. Response sanitization (inst_013) prevents information disclosure. Monitoring unusual patterns provides early warning of attacks. This creates defense in depth for API security: rate limiting (prevent volume), authentication (verify identity), input validation (prevent injection), response sanitization (prevent info disclosure), monitoring (detect attacks)." + }, + { + "id": "inst_046", + "text": "ALL security events (file upload rejections, email blocks, input validation failures, rate limit violations, authentication failures, CSP violations, suspicious patterns) MUST be logged to centralized security audit trail with comprehensive monitoring and alerting. MANDATORY security monitoring: (1) Centralized logging to /var/log/tractatus/security-audit.log with rotation (daily, keep 90 days), (2) Real-time monitoring dashboard showing: rejected uploads, blocked emails, rate limit violations, failed authentications, CSP violations, IP blocks, (3) Alert thresholds: >10 violations from single IP in 1 hour = immediate email alert, >100 violations globally in 1 hour = potential attack underway alert, (4) Weekly security reports: summary of all security events, top violating IPs, attack patterns identified, (5) Integration with fail2ban for automatic IP blocking across services. Implement security dashboard at /admin/security-monitoring.html (admin auth required). Log format: JSON with timestamp, event_type, source_ip, user_id, endpoint, violation_details, action_taken. Use sovereign log analysis tools: grep, awk, custom scripts (no external log aggregation services unless encrypted).", + "timestamp": "2025-10-14T01:45:00Z", + "quadrant": "OPERATIONAL", + "persistence": "HIGH", + "temporal_scope": "PERMANENT", + "verification_required": "MANDATORY", + "explicitness": 1.0, + "source": "user", + "session_id": "2025-10-14-security-vetting", + "parameters": { + "trigger_conditions": [ + "any_security_event", + "file_upload_rejection", + "email_block", + "input_validation_failure", + "rate_limit_violation", + "authentication_failure", + "csp_violation", + "suspicious_pattern_detection", + "ip_block_applied" + ], + "security_events": [ + "file_upload_rejected", + "malware_detected", + "email_blocked", + "spam_filtered", + "input_sanitization_applied", + "injection_attempt_blocked", + "rate_limit_exceeded", + "authentication_failed", + "csp_violation_reported", + "ip_blocked", + "unusual_api_pattern" + ], + "centralized_logging": { + "log_file": "/var/log/tractatus/security-audit.log", + "rotation": "daily", + "retention": "90 days", + "format": "JSON", + "fields": [ + "timestamp", + "event_type", + "source_ip", + "user_id", + "endpoint", + "user_agent", + "violation_details", + "action_taken", + "severity" + ] + }, + "monitoring_dashboard": { + "route": "/admin/security-monitoring.html", + "authentication": "admin_only", + "metrics": [ + "rejected_uploads_count", + "blocked_emails_count", + "rate_limit_violations", + "failed_authentications", + "csp_violations", + "active_ip_blocks", + "attack_patterns_identified" + ], + "time_ranges": [ + "last_hour", + "last_24_hours", + "last_7_days", + "last_30_days" + ] + }, + "alert_thresholds": { + "single_ip_violations": { + "threshold": "10 violations in 1 hour", + "action": "immediate email alert to admin", + "includes": "IP address, violation types, affected endpoints" + }, + "global_violations": { + "threshold": "100 violations in 1 hour", + "action": "potential attack alert", + "includes": "event summary, top violating IPs, attack pattern analysis" + }, + "authentication_failures": { + "threshold": "5 failures in 5 minutes for single user", + "action": "account lockout + alert" + }, + "critical_events": { + "malware_detected": "immediate alert", + "admin_account_compromise_attempt": "immediate alert", + "data_exfiltration_pattern": "immediate alert" + } + }, + "reporting": { + "weekly_security_report": { + "recipients": [ + "admin@tractatus.local", + "security@tractatus.local" + ], + "includes": [ + "security_events_summary", + "top_violating_ips", + "attack_patterns_identified", + "blocked_threats_count", + "recommendations" + ] + } + }, + "fail2ban_integration": { + "enabled": true, + "log_parsing": "parse security-audit.log for IP violations", + "ban_duration": "24 hours", + "ban_action": "iptables block + log", + "whitelist": "monitoring services, admin IPs" + }, + "sovereign_analysis_tools": [ + "grep", + "awk", + "sed", + "jq (for JSON)", + "custom shell scripts", + "NO external log aggregation (unless encrypted)" + ], + "implementation_files": [ + "src/utils/security-logger.js", + "public/admin/security-monitoring.html", + "public/js/admin/security-monitoring.js", + "scripts/generate-security-report.js", + "/etc/fail2ban/filter.d/tractatus.conf" + ] + }, + "active": true, + "notes": "SECURITY REQUIREMENT 2025-10-14 - Part 6 of comprehensive security vetting framework. Comprehensive logging and monitoring are essential for: (1) detecting attacks in progress, (2) forensic analysis after incidents, (3) compliance and audit requirements, (4) continuous improvement of security rules. Centralized logging provides single source of truth for all security events. Real-time monitoring dashboard provides visibility for security team. Alert thresholds enable rapid response to attacks. fail2ban integration provides automated defense. Sovereign tools (grep, awk, jq) ensure full control over log analysis without external dependencies. 90-day retention balances forensic needs with storage costs. This completes the 6-layer security vetting framework: file uploads (inst_041), email (inst_042), form inputs (inst_043), HTTP headers (inst_044), API protection (inst_045), monitoring/alerting (inst_046)." } ], "stats": { - "total_instructions": 40, - "active_instructions": 40, + "total_instructions": 46, + "active_instructions": 46, "by_quadrant": { "STRATEGIC": 7, - "OPERATIONAL": 18, + "OPERATIONAL": 19, "TACTICAL": 1, - "SYSTEM": 10, + "SYSTEM": 15, "STOCHASTIC": 0 }, "by_persistence": { - "HIGH": 36, + "HIGH": 42, "MEDIUM": 2, "LOW": 0, "VARIABLE": 0