feat: add comprehensive security vetting framework (inst_041-046)
Created 6 permanent strategic instructions for rigorous external input vetting:
**inst_041: File Upload Validation**
- Mandatory malware scanning using sovereign tools (ClamAV, YARA, file(1))
- Multi-layer validation: type verification, virus scanning, pattern matching
- Quarantine suspicious files, never auto-process flagged content
- Implementation: src/middleware/file-security.middleware.js
**inst_042: Email Security Pipeline**
- Sovereign email stack (SpamAssassin, amavisd-new, postfix/dovecot)
- DKIM/SPF/DMARC validation, attachment type restrictions
- Rate limiting per sender, malware scanning via ClamAV
- Quarantine suspicious attachments with admin alerts
**inst_043: Form Input Sanitization**
- Rigorous validation before processing/storage
- DOMPurify HTML sanitization, parameterized queries only
- NoSQL injection prevention, XSS prevention (CSP + output encoding)
- CSRF protection on all state-changing endpoints
- Implementation: src/middleware/input-validation.middleware.js
**inst_044: HTTP Security Headers**
- Comprehensive security headers on all responses
- CSP enforcement at HTTP level (defense in depth with inst_008)
- HSTS, X-Frame-Options, X-Content-Type-Options
- CSP violation reporting endpoint for attack detection
- Implementation: src/middleware/security-headers.middleware.js
**inst_045: API Endpoint Protection**
- Rate limiting (public/authenticated/admin tiers)
- JWT authentication with short expiry (15-minute access, 7-day refresh)
- IP blocking after repeated violations (10 in 1 hr = 24 hr block)
- Request validation, response sanitization
- Monitoring for attack patterns (enumeration, brute force, etc.)
**inst_046: Security Monitoring & Alerting**
- Centralized logging to /var/log/tractatus/security-audit.log
- Real-time monitoring dashboard at /admin/security-monitoring.html
- Alert thresholds (10 violations/IP/hour = alert, 100 global/hour = attack alert)
- fail2ban integration for automated IP blocking
- Sovereign log analysis tools (grep, awk, jq) - no external services
All instructions use sovereign tools (open-source, auditable, under organizational control)
and implement defense in depth across multiple layers. Synced to production.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
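The inst_045 block rule and the inst_046 per-IP and global alert thresholds, as an added illustration that is not the project's own middleware; the class and function names, the in-memory sliding-window store and the Express-style handler shape are assumptions:

```javascript
// Added example: sliding-window violation tracker for the thresholds stated above.
// 10 violations per IP within 1 hour -> alert and 24 hour block (inst_045/inst_046);
// 100 violations globally within 1 hour -> attack alert (inst_046).
// Timestamps are passed in explicitly so the logic can be tested without waiting.
const HOUR_MS = 60 * 60 * 1000;
const BLOCK_MS = 24 * HOUR_MS;
const PER_IP_THRESHOLD = 10;
const GLOBAL_THRESHOLD = 100;

class SecurityViolationTracker {
  constructor() {
    this.perIp = new Map();        // ip -> violation timestamps (ms) within the last hour
    this.global = [];              // all violation timestamps within the last hour
    this.blockedUntil = new Map(); // ip -> block expiry timestamp (ms)
  }

  // Drop timestamps older than one hour so counts form a sliding window.
  static prune(list, now) {
    while (list.length && now - list[0] >= HOUR_MS) list.shift();
  }

  isBlocked(ip, now = Date.now()) {
    const until = this.blockedUntil.get(ip);
    if (until === undefined) return false;
    if (now >= until) { this.blockedUntil.delete(ip); return false; }
    return true;
  }

  // Record one violation and report which actions the caller should take.
  record(ip, now = Date.now()) {
    const events = this.perIp.get(ip) ?? [];
    events.push(now);
    SecurityViolationTracker.prune(events, now);
    this.perIp.set(ip, events);
    this.global.push(now);
    SecurityViolationTracker.prune(this.global, now);

    const result = { ipCount: events.length, globalCount: this.global.length,
                     block: false, alert: false, attackAlert: false };
    if (events.length >= PER_IP_THRESHOLD) {
      result.alert = true;   // 10 violations/IP/hour = alert
      result.block = true;   // and a 24 hour block
      this.blockedUntil.set(ip, now + BLOCK_MS);
    }
    if (this.global.length >= GLOBAL_THRESHOLD) result.attackAlert = true; // 100 global/hour
    return result;
  }
}

// Express-style middleware (assumed shape): reject requests from a blocked IP with 429.
function ipBlockMiddleware(tracker) {
  return (req, res, next) =>
    tracker.isBlocked(req.ip) ? res.status(429).json({ error: 'blocked' }) : next();
}
```

A persistent or shared store (for example the existing fail2ban integration) would replace the in-memory maps in a multi-process deployment.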