john/tractatus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tractatus/scripts/validate-document-security.js
TheFlow d95dc4663c feat(infra): semantic versioning and systemd service implementation 
**Cache-Busting Improvements:**
- Switched from timestamp-based to semantic versioning (v1.0.2)
- Updated all HTML files: index.html, docs.html, leader.html
- CSS: tailwind.css?v=1.0.2
- JS: navbar.js, document-cards.js, docs-app.js v1.0.2
- Professional versioning approach for production stability

**systemd Service Implementation:**
- Created tractatus-dev.service for development environment
- Created tractatus-prod.service for production environment
- Added install-systemd.sh script for easy deployment
- Security hardening: NoNewPrivileges, PrivateTmp, ProtectSystem
- Resource limits: 1GB dev, 2GB prod memory limits
- Proper logging integration with journalctl
- Automatic restart on failure (RestartSec=10)

**Why systemd over pm2:**
1. Native Linux integration, no additional dependencies
2. Better OS-level security controls (ProtectSystem, ProtectHome)
3. Superior logging with journalctl integration
4. Standard across Linux distributions
5. More robust process management for production

**Usage:**
  # Development:
  sudo ./scripts/install-systemd.sh dev

  # Production:
  sudo ./scripts/install-systemd.sh prod

  # View logs:
  sudo journalctl -u tractatus -f

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-09 09:16:22 +13:00

154 lines
5.3 KiB
JavaScript
Executable file
Raw Blame History

#!/usr/bin/env node
/**
* Document Security Validation Script
* Validates that documents being deployed are appropriate for their visibility level
*
* This script is called before document import/deployment to prevent
* accidental exposure of sensitive internal documentation.
*/
const SECURITY_KEYWORDS = {
credentials: ['password', 'api_key', 'secret', 'token', 'mongodb_uri', 'stripe_secret', 'auth'],
financial: ['stripe', 'payment', 'pricing', 'revenue', 'cost', 'billing'],
vulnerability: ['security audit', 'vulnerability', 'exploit', 'cve-', 'penetration test'],
infrastructure: ['deployment', 'server', 'ssh', 'production environment', 'database credentials']
};
/**
* Classify document security level based on content and metadata
*/
function classifyDocumentSecurity(docConfig, contentMarkdown) {
const classification = {
contains_credentials: false,
contains_financial_info: false,
contains_vulnerability_info: false,
contains_infrastructure_details: false,
recommended_visibility: 'public'
};
const lowerContent = contentMarkdown.toLowerCase();
const lowerTitle = docConfig.title.toLowerCase();
// Check for credentials
if (SECURITY_KEYWORDS.credentials.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
classification.contains_credentials = true;
}
// Check for financial information
if (SECURITY_KEYWORDS.financial.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
classification.contains_financial_info = true;
}
// Check for vulnerability information
if (SECURITY_KEYWORDS.vulnerability.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
classification.contains_vulnerability_info = true;
}
// Check for infrastructure details
if (SECURITY_KEYWORDS.infrastructure.some(kw => lowerContent.includes(kw) || lowerTitle.includes(kw))) {
classification.contains_infrastructure_details = true;
}
// Determine recommended visibility
if (classification.contains_credentials || classification.contains_vulnerability_info) {
classification.recommended_visibility = 'confidential';
} else if (classification.contains_financial_info || classification.contains_infrastructure_details) {
classification.recommended_visibility = 'internal';
}
return classification;
}
/**
* Validate document configuration before deployment
*/
function validateDocumentSecurity(docConfig, contentMarkdown) {
const classification = classifyDocumentSecurity(docConfig, contentMarkdown);
const visibility = docConfig.visibility || 'public';
const issues = [];
const warnings = [];
// CRITICAL: Credentials or vulnerabilities marked as public
if (visibility === 'public') {
if (classification.contains_credentials) {
issues.push('❌ BLOCKED: Document contains credentials but is marked public');
}
if (classification.contains_vulnerability_info) {
issues.push('❌ BLOCKED: Document contains vulnerability information but is marked public');
}
if (classification.contains_financial_info) {
warnings.push('⚠️ WARNING: Document contains financial information but is marked public');
}
if (classification.contains_infrastructure_details) {
warnings.push('⚠️ WARNING: Document contains infrastructure details but is marked public');
}
}
// Recommendations
if (classification.recommended_visibility !== visibility) {
warnings.push(`⚠️ RECOMMEND: Change visibility from '${visibility}' to '${classification.recommended_visibility}'`);
}
return {
valid: issues.length === 0,
issues,
warnings,
classification,
recommended_visibility: classification.recommended_visibility
};
}
module.exports = {
classifyDocumentSecurity,
validateDocumentSecurity,
SECURITY_KEYWORDS
};
// CLI usage
if (require.main === module) {
const args = process.argv.slice(2);
if (args.length < 2) {
console.log('Usage: node validate-document-security.js <title> <markdown-file>');
process.exit(1);
}
const fs = require('fs');
const title = args[0];
const filePath = args[1];
if (!fs.existsSync(filePath)) {
console.error(`File not found: ${filePath}`);
process.exit(1);
}
const content = fs.readFileSync(filePath, 'utf-8');
const result = validateDocumentSecurity({ title, visibility: 'public' }, content);
console.log(`\n🔒 Security Validation: ${title}`);
console.log('─'.repeat(60));
if (result.issues.length > 0) {
console.log('\nISSUES:');
result.issues.forEach(issue => console.log(` ${issue}`));
}
if (result.warnings.length > 0) {
console.log('\nWARNINGS:');
result.warnings.forEach(warning => console.log(` ${warning}`));
}
console.log('\nCLASSIFICATION:');
console.log(` Credentials: ${result.classification.contains_credentials}`);
console.log(` Financial Info: ${result.classification.contains_financial_info}`);
console.log(` Vulnerabilities: ${result.classification.contains_vulnerability_info}`);
console.log(` Infrastructure: ${result.classification.contains_infrastructure_details}`);
console.log(` Recommended: ${result.classification.recommended_visibility}`);
console.log('\n' + '─'.repeat(60));
console.log(result.valid ? '✅ VALIDATION PASSED' : '❌ VALIDATION FAILED');
console.log();
process.exit(result.valid ? 0 : 1);
}
Reference in a new issue View git blame Copy permalink