@bonginkan/maria
Version:
MARIA OS v5.9.5 – Self-Evolving Organizational Intelligence OS | Speed Improvement Phase 3: LLM Optimization + Command Refactoring | Performance Measurement + Run Evidence System | Zero ESLint/TypeScript Errors | 人とAIが役割を持ち、学び、進化し続けるための仕事のOS | GraphRAG ×
493 lines (492 loc) • 13.9 kB
TypeScript
/**
* MARIA Memory System - Phase 4: Enterprise Security Manager
*
* Advanced encryption, _key management, data security, and threat protection
* with support for HSM, _key rotation, and zero-trust architecture
*/
import { EventEmitter } from "node:events";
import { type DLPStatus, type EncryptionStatus, type MonitoringStatus, type ThreatSummary } from "./enterprise-security-manager.support";
export type { DLPStatus, EncryptionStatus, MonitoringStatus, ThreatSummary };
export interface SecurityConfig {
encryption: EncryptionConfig;
keyManagement: KeyManagementConfig;
threatProtection: ThreatProtectionConfig;
dataLossPrevention: DLPConfig;
monitoring: SecurityMonitoringConfig;
}
export interface EncryptionConfig {
_algorithm: "AES-256-GCM" | "AES-256-CBC" | "ChaCha20-Poly1305";
keySize: 256 | 512;
ivSize: 12 | 16;
tagSize: 16;
defaultClassification: DataClassification;
classificationRules: EncryptionRule[];
}
export interface EncryptionRule {
id: string;
condition: DataCondition;
encryption: EncryptionMethod;
keyRotation: KeyRotationPolicy;
}
export interface DataCondition {
field: string;
operator: "equals" | "contains" | "matches" | "in";
_value: unknown;
priority: number;
}
export interface EncryptionMethod {
_algorithm: string;
keyDerivation: KeyDerivationConfig;
additionalData?: string;
compressionBefore?: boolean;
}
export interface KeyDerivationConfig {
method: "PBKDF2" | "Argon2" | "scrypt";
iterations?: number;
saltSize: number;
memoryLimit?: number;
parallelism?: number;
}
export interface KeyRotationPolicy {
enabled: boolean;
interval: number;
gracePeriod: number;
autoRotate: boolean;
notifyBefore: number;
}
export interface KeyManagementConfig {
provider: "local" | "hsm" | "kms" | "vault";
hsmConfig?: HSMConfig;
kmsConfig?: KMSConfig;
vaultConfig?: VaultConfig;
masterKey: MasterKeyConfig;
keyBackup: KeyBackupConfig;
}
export interface HSMConfig {
provider: string;
slot: number;
pin: string;
library: string;
keyLabel: string;
}
export interface KMSConfig {
provider: "aws" | "azure" | "gcp";
region: string;
keyId: string;
credentials: Record<string, string>;
}
export interface VaultConfig {
url: string;
token: string;
namespace?: string;
mountPath: string;
keyName: string;
}
export interface MasterKeyConfig {
derivationMethod: "manual" | "password" | "key_file" | "hsm";
backupShares?: number;
requiredShares?: number;
escrowEnabled?: boolean;
}
export interface KeyBackupConfig {
enabled: boolean;
schedule: string;
encryption: boolean;
storage: BackupStorage[];
retention: number;
}
export interface BackupStorage {
type: "local" | "s3" | "azure_blob" | "gcs";
config: Record<string, unknown>;
priority: number;
}
export interface ThreatProtectionConfig {
intrusion: IntrusionDetectionConfig;
anomaly: AnomalyDetectionConfig;
malware: MalwareProtectionConfig;
dataExfiltration: DataExfiltrationConfig;
}
export interface IntrusionDetectionConfig {
enabled: boolean;
rules: IntrusionRule[];
alertThreshold: number;
blockThreshold: number;
quarantineEnabled: boolean;
}
export interface IntrusionRule {
id: string;
name: string;
pattern: string;
severity: SecuritySeverity;
action: SecurityAction;
conditions: ThreatCondition[];
}
export interface AnomalyDetectionConfig {
enabled: boolean;
models: AnomalyModel[];
sensitivity: number;
learningPeriod: number;
alertThreshold: number;
}
export interface AnomalyModel {
type: "statistical" | "ml" | "behavioral";
parameters: Record<string, unknown>;
features: string[];
updateInterval: number;
}
export interface MalwareProtectionConfig {
enabled: boolean;
scanners: MalwareScanner[];
quarantineEnabled: boolean;
autoClean: boolean;
}
export interface MalwareScanner {
type: "_signature" | "heuristic" | "sandbox";
provider: string;
config: Record<string, unknown>;
priority: number;
}
export interface DataExfiltrationConfig {
enabled: boolean;
monitors: ExfiltrationMonitor[];
preventionRules: ExfiltrationRule[];
alertThreshold: number;
}
export interface ExfiltrationMonitor {
type: "network" | "file" | "api" | "clipboard";
thresholds: TrafficThreshold[];
timeWindow: number;
}
export interface TrafficThreshold {
metric: "volume" | "frequency" | "destination";
_value: number;
action: SecurityAction;
}
export interface ExfiltrationRule {
id: string;
dataTypes: DataClassification[];
destinations: string[];
maxSize: number;
requireApproval: boolean;
}
export interface DLPConfig {
enabled: boolean;
policies: DLPPolicy[];
contentInspection: ContentInspectionConfig;
actionTemplates: DLPActionTemplate[];
}
export interface DLPPolicy {
id: string;
name: string;
description: string;
dataTypes: DataClassification[];
rules: DLPRule[];
actions: DLPAction[];
exceptions: DLPException[];
enabled: boolean;
}
export interface DLPRule {
id: string;
pattern: string;
type: "regex" | "keyword" | "fingerprint" | "ml";
confidence: number;
context: string[];
}
export interface DLPAction {
type: "block" | "encrypt" | "redact" | "quarantine" | "alert" | "log";
parameters: Record<string, unknown>;
condition?: ActionCondition;
}
export interface ActionCondition {
field: string;
operator: string;
_value: unknown;
}
export interface DLPException {
id: string;
condition: DataCondition;
justification: string;
approvedBy: string;
expiryDate?: Date;
}
export interface DLPActionTemplate {
id: string;
name: string;
actions: DLPAction[];
description: string;
}
export interface ContentInspectionConfig {
enabled: boolean;
maxFileSize: number;
supportedTypes: string[];
deepInspection: boolean;
ocrEnabled: boolean;
}
export interface SecurityMonitoringConfig {
realtime: RealtimeMonitoringConfig;
logging: SecurityLoggingConfig;
alerting: SecurityAlertingConfig;
metrics: SecurityMetricsConfig;
}
export interface RealtimeMonitoringConfig {
enabled: boolean;
dashboards: MonitoringDashboard[];
alerts: RealtimeAlert[];
correlationRules: CorrelationRule[];
}
export interface MonitoringDashboard {
id: string;
name: string;
widgets: DashboardWidget[];
refreshInterval: number;
permissions: string[];
}
export interface DashboardWidget {
type: "chart" | "table" | "metric" | "alert";
title: string;
query: string;
config: Record<string, unknown>;
}
export interface RealtimeAlert {
id: string;
name: string;
query: string;
threshold: AlertThreshold;
channels: AlertChannel[];
cooldown: number;
}
export interface AlertThreshold {
operator: "greater_than" | "less_than" | "equals" | "not_equals";
_value: number;
timeWindow: number;
}
export interface AlertChannel {
type: "email" | "slack" | "webhook" | "sms" | "pagerduty";
config: Record<string, unknown>;
severity: SecuritySeverity[];
}
export interface CorrelationRule {
id: string;
name: string;
events: string[];
timeWindow: number;
threshold: number;
action: SecurityAction;
}
export interface SecurityLoggingConfig {
level: "debug" | "info" | "warn" | "_error" | "critical";
destinations: LogDestination[];
format: "json" | "syslog" | "cef";
retention: number;
encryption: boolean;
}
export interface LogDestination {
type: "file" | "syslog" | "elasticsearch" | "splunk" | "datadog";
config: Record<string, unknown>;
filters: LogFilter[];
}
export interface LogFilter {
field: string;
operator: string;
_value: unknown;
action: "include" | "exclude";
}
export interface SecurityAlertingConfig {
enabled: boolean;
severityThresholds: Map<SecuritySeverity, number>;
escalationPolicies: EscalationPolicy[];
suppressionRules: SuppressionRule[];
}
export interface EscalationPolicy {
id: string;
name: string;
levels: EscalationLevel[];
conditions: EscalationCondition[];
}
export interface EscalationLevel {
order: number;
delayMinutes: number;
channels: AlertChannel[];
requireAcknowledgment: boolean;
}
export interface EscalationCondition {
severity: SecuritySeverity[];
categories: string[];
sources: string[];
}
export interface SuppressionRule {
id: string;
condition: DataCondition;
duration: number;
reason: string;
}
export interface SecurityMetricsConfig {
collection: MetricsCollectionConfig;
storage: MetricsStorageConfig;
dashboards: MetricsDashboard[];
}
export interface MetricsCollectionConfig {
interval: number;
metrics: SecurityMetric[];
tags: MetricsTag[];
}
export interface SecurityMetric {
name: string;
type: "counter" | "gauge" | "histogram" | "summary";
description: string;
labels: string[];
}
export interface MetricsTag {
_key: string;
_value: string;
condition?: string;
}
export interface MetricsStorageConfig {
provider: "prometheus" | "influxdb" | "cloudwatch" | "datadog";
retention: number;
compression: boolean;
config: Record<string, unknown>;
}
export interface MetricsDashboard {
id: string;
name: string;
panels: MetricsPanel[];
timeRange: string;
}
export interface MetricsPanel {
title: string;
query: string;
type: "line" | "bar" | "pie" | "table" | "stat";
config: Record<string, unknown>;
}
export type DataClassification = "public" | "internal" | "confidential" | "restricted" | "top_secret";
export type SecuritySeverity = "low" | "medium" | "high" | "critical";
export type SecurityAction = "log" | "alert" | "block" | "quarantine" | "encrypt" | "redact";
export interface EncryptedData {
ciphertext: string;
iv: string;
_tag: string;
_algorithm: string;
keyId: string;
metadata: EncryptionMetadata;
}
export interface EncryptionMetadata {
classification: DataClassification;
encryptedAt: Date;
keyVersion: number;
compression?: string;
_checksum: string;
}
export interface ThreatEvent {
id: string;
timestamp: Date;
type: ThreatType;
severity: SecuritySeverity;
source: ThreatSource;
target: ThreatTarget;
indicators: ThreatIndicator[];
mitigated: boolean;
_mitigation?: ThreatMitigation;
}
export type ThreatType = "intrusion_attempt" | "anomalous_behavior" | "malware_detected" | "data_exfiltration" | "privilege_escalation" | "brute_force" | "ddos" | "injection_attack";
export interface ThreatSource {
type: "internal" | "external" | "unknown";
identifier: string;
location?: string;
reputation?: number;
}
export interface ThreatTarget {
type: "user" | "system" | "data" | "network";
identifier: string;
classification?: DataClassification;
}
export interface ThreatIndicator {
type: "ip" | "hash" | "domain" | "pattern" | "behavior";
_value: string;
confidence: number;
source: string;
}
export interface ThreatMitigation {
action: SecurityAction;
timestamp: Date;
automated: boolean;
effectiveness: number;
details?: Record<string, unknown>;
}
export interface ThreatCondition {
field: string;
operator: string;
_value: unknown;
weight: number;
}
export declare class EnterpriseSecurityManager extends EventEmitter {
private config;
private keyManager;
private encryptionEngine;
private threatDetector;
private dlpEngine;
private securityMonitor;
private auditLogger;
constructor(_config: SecurityConfig);
/**
* Encrypt data based on classification and policies
*/
encryptData(data: unknown, classification: DataClassification, context?: Record<string, unknown>): Promise<EncryptedData>;
/**
* Decrypt data with security checks
*/
decryptData(encryptedData: EncryptedData, context?: Record<string, unknown>): Promise<unknown>;
/**
* Detect and analyze threats
*/
detectThreats(data: unknown, context: Record<string, unknown>): Promise<ThreatEvent[]>;
/**
* Secure data transfer
*/
secureTransfer(data: unknown, destination: string, classification: DataClassification, context?: Record<string, unknown>): Promise<{
_encrypted: EncryptedData;
_signature: string;
_transferId: string;
}>;
/**
* Verify secure transfer integrity
*/
verifyTransfer(encrypted: EncryptedData, signature: string, transferId: string): Promise<boolean>;
/**
* Rotate encryption keys
*/
rotateKeys(keyId?: string): Promise<{
rotated: string[];
failed: string[];
}>;
/**
* Get security status and metrics
*/
getSecurityStatus(): Promise<{
overall: SecuritySeverity;
threats: ThreatSummary;
encryption: EncryptionStatus;
dlp: DLPStatus;
monitoring: MonitoringStatus;
}>;
private initializeSecurityPipeline;
private getEncryptionRule;
private getDefaultEncryptionRule;
private evaluateDataCondition;
private getFieldValue;
private validateEncryptedData;
private checkDecryptionPermissions;
private verifyDataIntegrity;
private processThreat;
private autoMitigate;
private determineMitigationAction;
private blockThreatSource;
private quarantineThreatTarget;
private emergencyEncrypt;
private processDLPViolation;
private handleKeyExpiry;
private scheduleKeyRotation;
private calculateOverallSecurity;
private handleSecurityError;
private generateTransferId;
}