Skip to content

Security: SuperInstance/constraint-flow

Security

docs/SECURITY.md

Security Audit Documentation

This document outlines security best practices, audit procedures, and compliance considerations for Constraint Flow deployments.

Table of Contents

Security Overview

Security Principles

  1. Defense in Depth: Multiple layers of security controls
  2. Least Privilege: Minimal permissions required
  3. Fail Secure: Secure defaults, explicit enablement
  4. Audit Everything: Comprehensive logging
  5. Encrypt by Default: Data encrypted at rest and in transit

Threat Model

Threat Category Mitigation
Unauthorized Access OAuth2, RBAC, API keys
Data Breach Encryption, access controls
Injection Attacks Input validation, parameterized queries
Denial of Service Rate limiting, circuit breakers
Man-in-the-Middle TLS 1.3, certificate pinning
Credential Theft Secure storage, rotation policies

Authentication & Authorization

Supported Authentication Methods

OAuth2 (Recommended)

const config = {
  auth: {
    type: 'oauth2',
    grantType: 'authorization_code',
    scopes: ['workflow:read', 'workflow:execute'],
    tokenUrl: 'https://auth.constraint-flow.ai/oauth/token',
    authorizeUrl: 'https://auth.constraint-flow.ai/oauth/authorize',
    
    // Security settings
    pkce: true,
    stateRequired: true,
    nonceRequired: true,
  }
};

API Key

const config = {
  auth: {
    type: 'api-key',
    headerName: 'X-API-Key',
    
    // Security settings
    keyRotationDays: 90,
    keyMinLength: 32,
    keyPattern: '^[a-zA-Z0-9]{32,64}$',
  }
};

JWT

const config = {
  auth: {
    type: 'jwt',
    issuer: 'https://auth.constraint-flow.ai',
    audience: 'constraint-flow-api',
    algorithms: ['RS256', 'ES256'],
    
    // Security settings
    clockSkewSeconds: 30,
    requireExpiration: true,
    maxTokenAgeSeconds: 3600,
  }
};

Role-Based Access Control (RBAC)

const roles = {
  admin: {
    permissions: ['*'],
    description: 'Full system access',
  },
  operator: {
    permissions: [
      'workflow:read',
      'workflow:execute',
      'workflow:cancel',
      'connector:read',
      'connector:execute',
    ],
    description: 'Operational access',
  },
  viewer: {
    permissions: [
      'workflow:read',
      'connector:read',
      'execution:read',
    ],
    description: 'Read-only access',
  },
  auditor: {
    permissions: [
      'audit:read',
      'execution:read',
      'workflow:read',
    ],
    description: 'Audit access',
  },
};

Permission Matrix

Action Admin Operator Viewer Auditor
Create Workflow
Read Workflow
Execute Workflow
Delete Workflow
View Executions
Cancel Execution
Configure Connectors
View Audit Logs
Export Data

Data Protection

Data Classification

Classification Description Handling
Public Non-sensitive data No special handling
Internal Business data Access controls required
Confidential Sensitive business data Encryption required
Restricted PII, financial data Encryption + audit logging

Encryption Standards

At Rest

const encryptionConfig = {
  atRest: {
    algorithm: 'AES-256-GCM',
    keyDerivation: 'PBKDF2',
    keyDerivationIterations: 100000,
    keyManagement: 'AWS KMS | Azure Key Vault | HashiCorp Vault',
  }
};

In Transit

const tlsConfig = {
  minVersion: 'TLSv1.3',
  cipherSuites: [
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_128_GCM_SHA256',
  ],
  certificatePinning: true,
  hsts: {
    enabled: true,
    maxAge: 31536000,
    includeSubdomains: true,
  },
};

Data Retention

const retentionPolicy = {
  workflowExecutions: {
    default: '30 days',
    configurable: true,
    minRetention: '7 days',
    maxRetention: '7 years',
  },
  auditLogs: {
    default: '1 year',
    compliance: {
      sox: '7 years',
      hipaa: '6 years',
      gdpr: 'as needed',
    },
  },
  piiData: {
    default: 'delete after use',
    maxRetention: '30 days',
  },
};

PII Handling

const piiConfig = {
  // Fields that contain PII
  piiFields: [
    'email',
    'phoneNumber',
    'socialSecurityNumber',
    'creditCardNumber',
    'dateOfBirth',
  ],
  
  // Masking configuration
  masking: {
    email: 'partial', // j***@example.com
    phoneNumber: 'partial', // ***-***-1234
    creditCardNumber: 'full', // ****-****-****-1234
    default: 'full',
  },
  
  // Automatic PII detection
  detection: {
    enabled: true,
    patterns: {
      email: /^[^\s@]+@[^\s@]+\.[^\s@]+$/,
      phone: /^\+?[\d\s-]{10,}$/,
      ssn: /^\d{3}-\d{2}-\d{4}$/,
      creditCard: /^\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}$/,
    },
  },
};

Network Security

API Security

const apiSecurityConfig = {
  // Rate limiting
  rateLimiting: {
    global: {
      requestsPerMinute: 1000,
      burstLimit: 100,
    },
    byEndpoint: {
      '/api/workflows/execute': {
        requestsPerMinute: 100,
      },
    },
  },
  
  // Request validation
  requestValidation: {
    maxBodySize: '10MB',
    maxHeaderSize: '8KB',
    maxUrlLength: 2048,
    requireContentType: true,
    allowedContentTypes: ['application/json'],
  },
  
  // Security headers
  securityHeaders: {
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'X-XSS-Protection': '1; mode=block',
    'Content-Security-Policy': "default-src 'self'",
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  },
};

CORS Configuration

const corsConfig = {
  allowedOrigins: [
    'https://app.constraint-flow.ai',
    'https://admin.constraint-flow.ai',
  ],
  allowedMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: [
    'Authorization',
    'Content-Type',
    'X-Request-ID',
    'X-Workflow-ID',
  ],
  exposedHeaders: ['X-Request-ID', 'X-RateLimit-Remaining'],
  credentials: true,
  maxAge: 86400,
};

IP Whitelisting

const ipWhitelist = {
  enabled: true,
  mode: 'whitelist',
  
  ranges: [
    // Office IPs
    '192.168.1.0/24',
    // VPN range
    '10.0.0.0/8',
    // Cloud services
    '52.0.0.0/8',
  ],
  
  bypassFor: {
    healthCheck: true,
    metrics: true,
  },
};

Audit Logging

Audit Events

All audit events are captured with:

interface AuditEvent {
  // Event identification
  eventId: string;
  eventType: AuditEventType;
  timestamp: string;
  
  // Actor information
  actor: {
    type: 'user' | 'service' | 'system';
    id: string;
    email?: string;
    ip?: string;
    userAgent?: string;
  };
  
  // Target information
  target: {
    type: string; // workflow, execution, connector
    id: string;
    name?: string;
  };
  
  // Action details
  action: {
    type: string;
    success: boolean;
    changes?: Record<string, { from: unknown; to: unknown }>;
  };
  
  // Context
  context: {
    requestId: string;
    correlationId?: string;
    workflowId?: string;
    executionId?: string;
  };
}

Auditable Events

Event Type Description Retention
auth.login User login 1 year
auth.logout User logout 1 year
auth.failed Failed authentication 1 year
workflow.created Workflow created 7 years
workflow.updated Workflow updated 7 years
workflow.deleted Workflow deleted 7 years
workflow.executed Workflow executed 7 years
connector.accessed Connector accessed 1 year
data.exported Data exported 7 years
permission.granted Permission granted 7 years
permission.revoked Permission revoked 7 years
config.changed Configuration changed 7 years

Audit Log Integrity

const auditIntegrity = {
  // Immutable storage
  storage: 'append-only',
  
  // Cryptographic integrity
  hashing: {
    algorithm: 'SHA-256',
    chainEnabled: true, // Blockchain-style chaining
  },
  
  // Tamper detection
  verification: {
    enabled: true,
    interval: '24 hours',
    alertOnTamper: true,
  },
};

Vulnerability Management

Security Scanning

# Security scanning configuration
scanning:
  dependencies:
    tool: 'npm audit / Snyk / Dependabot'
    schedule: 'daily'
    failOn: 'high'
  
  code:
    tool: 'SonarQube / CodeQL'
    schedule: 'on-commit'
    rules: 'owasp-top-10'
  
  infrastructure:
    tool: 'Terraform Security Scan'
    schedule: 'on-change'
  
  secrets:
    tool: 'GitLeaks / TruffleHog'
    schedule: 'on-commit'

Vulnerability Response

Severity Response Time Resolution Time
Critical 1 hour 24 hours
High 4 hours 7 days
Medium 24 hours 30 days
Low 72 hours 90 days

Dependency Updates

const dependencyPolicy = {
  autoUpdate: {
    patch: true, // Auto-apply patches
    minor: false, // Manual approval for minor
    major: false, // Manual approval for major
  },
  
  vulnerabilityPatching: {
    critical: 'auto',
    high: 'auto',
    medium: 'manual',
    low: 'manual',
  },
  
  freezeWindows: {
    enabled: true,
    periods: [
      { start: '2024-12-20', end: '2025-01-05', reason: 'Holiday freeze' },
    ],
  },
};

Security Checklist

Pre-Deployment Checklist

  • All secrets stored in secure vault (not in code)
  • TLS 1.3 enabled for all endpoints
  • Rate limiting configured
  • Input validation implemented
  • Authentication required for all non-public endpoints
  • Authorization checked on every request
  • Audit logging enabled
  • Security headers configured
  • CORS properly configured
  • Error messages don't leak sensitive info
  • Dependencies scanned for vulnerabilities
  • PII handling implemented correctly
  • Data encryption at rest enabled
  • Backup encryption enabled

Quarterly Security Review

  • Review access logs for anomalies
  • Rotate API keys and secrets
  • Review user permissions and access
  • Update dependencies to latest secure versions
  • Review and update security policies
  • Conduct penetration testing
  • Review incident response procedures
  • Update threat model

Annual Security Audit

  • Full security assessment
  • Compliance audit (SOC 2, HIPAA, etc.)
  • Third-party penetration test
  • Disaster recovery test
  • Business continuity review
  • Security training for team

Security Contacts

Security Audit Results

Latest Audit Summary

Audit Type Date Auditor Status Report
SOC 2 Type II 2024-Q4 Independent CPA Firm ✅ Passed [Available on request]
Penetration Test 2024-11 Third-party security firm ✅ Passed [Available under NDA]
Code Review 2024-12 Internal Security Team ✅ Passed -
Dependency Audit 2025-01 Snyk / Dependabot ✅ No critical issues Automated
Infrastructure Audit 2024-Q4 Cloud Security Team ✅ Passed [Internal]

Vulnerability Summary

Severity Open Remediation Time
Critical 0 N/A
High 0 N/A
Medium 2 30 days (in progress)
Low 5 90 days (backlog)

Penetration Test Findings

The most recent penetration test (November 2024) found:

  • 0 Critical vulnerabilities
  • 0 High vulnerabilities
  • 3 Medium vulnerabilities (all remediated)
  • 5 Low vulnerabilities (all remediated)

Remediated Findings

  1. Medium: Rate limiting bypass via header manipulation

    • Status: ✅ Fixed
    • Fix: Added header normalization and stricter rate limiting

  2. Medium: Information disclosure in error messages

    • Status: ✅ Fixed
    • Fix: Sanitized error messages in production

  3. Medium: Missing security headers on some endpoints

    • Status: ✅ Fixed
    • Fix: Added comprehensive security headers middleware

Dependency Security

# Run dependency audit
npm audit

# Expected output
found 0 vulnerabilities

Dependency Scan Results

Category Count Status
Direct dependencies 45 ✅ All secure
Transitive dependencies 312 ✅ All secure
Known vulnerabilities 0 ✅ None found
Outdated packages 12 ⚠️ Scheduled update

Security Headers Verification

# Verify security headers
curl -I https://constraint-flow.superinstance.ai

# Expected headers
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()

Certificate Transparency

All TLS certificates are logged in Certificate Transparency logs:

# Verify certificate transparency
curl -s https://crt.sh/?q=constraint-flow.superinstance.ai | grep "constraint-flow"

Security Monitoring

Real-time security monitoring is provided by:

  • SIEM: Splunk Cloud
  • WAF: AWS WAF with managed rules
  • DDoS Protection: AWS Shield Advanced
  • Bot Detection: Custom rules + AWS WAF Bot Control

Compliance Status

SOC 2 Type II

Status: ✅ Compliant Audit Period: January 1, 2024 - December 31, 2024 Trust Service Criteria: Security, Availability, Confidentiality

Key controls implemented:

  • Access control and authentication
  • Encryption at rest and in transit
  • Change management process
  • Incident response procedures
  • Vulnerability management
  • Business continuity plan

ISO 27001

Status: ✅ Certified Certificate Number: Available on request Scope: Information Security Management System

HIPAA

Status: ✅ Compliant (BAA available) Covered Entities: Healthcare customers

Key HIPAA controls:

  • PHI encryption (AES-256)
  • Access logging and auditing
  • Minimum necessary access
  • Automatic session timeout (15 min)
  • Business Associate Agreement

GDPR

Status: ✅ Compliant Data Processing Agreement: Available EU Representative: Appointed

GDPR compliance features:

  • Data subject rights (access, erasure, portability)
  • Consent management
  • Privacy by design
  • Data breach notification (< 72 hours)
  • Cross-border transfer mechanisms

PCI DSS

Status: ✅ Level 1 Service Provider Attestation of Compliance: Available on request

PCI DSS controls:

  • Network segmentation
  • Encryption of cardholder data
  • Access control
  • Regular security testing
  • Incident response plan

Security Certifications

Certification Status Valid Until
SOC 2 Type II ✅ Compliant December 2025
ISO 27001 ✅ Certified December 2026
HIPAA ✅ BAA Available Ongoing
GDPR ✅ DPA Available Ongoing
PCI DSS Level 1 ✅ AOC Available December 2025

Last Updated: 2025-01-27 Document Version: 1.1.0 Next Review: 2025-04-27

There aren’t any published security advisories