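/**
 * V3 Security Module
 *
 * Comprehensive security module addressing all identified vulnerabilities:
 * - CVE-2: Weak Password Hashing (password-hasher.ts)
 * - CVE-3: Hardcoded Default Credentials (credential-generator.ts)
 * - HIGH-1: Command Injection (safe-executor.ts)
 * - HIGH-2: Path Traversal (path-validator.ts)
 *
 * NOTE(review): "CVE-2" / "CVE-3" / "HIGH-1" / "HIGH-2" appear to be this
 * project's internal finding labels; they are not CVE-registry identifiers
 * (which have the form CVE-YYYY-NNNN). Confirm against the project's audit
 * report before citing them externally.
 *
 * Also provides:
 * - Input validation with Zod schemas
 * - Secure token generation
 *
 * @module v3/security
 */

// Password Hashing (CVE-2 Fix)
export {
  PasswordHasher,
  PasswordHashError,
  createPasswordHasher,
} from './password-hasher.js';

// Credential Generation (CVE-3 Fix)
export {
  CredentialGenerator,
  CredentialGeneratorError,
  createCredentialGenerator,
  generateCredentials,
} from './credential-generator.js';

// Safe Command Execution (HIGH-1 Fix)
export {
  SafeExecutor,
  SafeExecutorError,
  createDevelopmentExecutor,
  createReadOnlyExecutor,
} from './safe-executor.js';

// Path Validation (HIGH-2 Fix)
export {
  PathValidator,
  PathValidatorError,
  createProjectPathValidator,
  createFullProjectPathValidator,
} from './path-validator.js';

// Input Validation
export {
  InputValidator,
  sanitizeString,
  sanitizeHtml,
  sanitizePath,
  // Base schemas
  SafeStringSchema,
  IdentifierSchema,
  FilenameSchema,
  EmailSchema,
  PasswordSchema,
  UUIDSchema,
  HttpsUrlSchema,
  UrlSchema,
  SemverSchema,
  PortSchema,
  IPv4Schema,
  IPSchema,
  // Auth schemas
  UserRoleSchema,
  PermissionSchema,
  LoginRequestSchema,
  CreateUserSchema,
  CreateApiKeySchema,
  // Agent & Task schemas
  AgentTypeSchema,
  SpawnAgentSchema,
  TaskInputSchema,
  // Command & Path schemas
  CommandArgumentSchema,
  PathSchema,
  // Config schemas
  SecurityConfigSchema,
  ExecutorConfigSchema,
  // Utilities
  PATTERNS,
  LIMITS,
  z,
} from './input-validator.js';

// Token Generation
export {
  TokenGenerator,
  TokenGeneratorError,
  createTokenGenerator,
  getDefaultGenerator,
  quickGenerate,
} from './token-generator.js';

// ============================================================================
// Convenience Factory Functions
// ============================================================================
import { PasswordHasher } from './password-hasher.js';
import { CredentialGenerator } from './credential-generator.js';
import { SafeExecutor } from './safe-executor.js';
import { PathValidator } from './path-validator.js';
import { TokenGenerator } from './token-generator.js';

/**
 * Creates a complete security module with all components configured.
 *
 * This factory does not validate `config` itself; run
 * {@link auditSecurityConfig} on the same object first and treat its warnings
 * as blocking in production.
 *
 * @param config - Module configuration
 * @param config.projectRoot - Only path prefix handed to the path validator
 * @param config.hmacSecret - Secret passed through to the token generator
 * @param [config.bcryptRounds] - bcrypt cost factor; defaults to MIN_BCRYPT_ROUNDS
 * @param [config.allowedCommands] - Executor allow-list; defaults to git/npm/npx/node
 * @returns Complete security module
 *
 * @example
 * ```typescript
 * const security = createSecurityModule({
 *   projectRoot: '/workspaces/project',
 *   hmacSecret: process.env.HMAC_SECRET!,
 * });
 *
 * // Hash password
 * const hash = await security.passwordHasher.hash('password');
 *
 * // Validate path
 * const result = await security.pathValidator.validate('/workspaces/project/src/file.ts');
 *
 * // Execute command safely
 * const output = await security.safeExecutor.execute('git', ['status']);
 * ```
 */
export function createSecurityModule(config) {
  return {
    passwordHasher: new PasswordHasher({
      // `??` keeps an explicit 0 or other low value; auditSecurityConfig is
      // what flags a cost factor below the recommended minimum.
      rounds: config.bcryptRounds ?? MIN_BCRYPT_ROUNDS,
    }),
    credentialGenerator: new CredentialGenerator(),
    safeExecutor: new SafeExecutor({
      // NOTE(review): npm, npx and node can each run arbitrary project or
      // package code, so this default constrains which binary starts, not what
      // it then does. Callers that only need inspection should pass a narrower
      // `allowedCommands` (or use createReadOnlyExecutor from safe-executor).
      allowedCommands: config.allowedCommands ?? ['git', 'npm', 'npx', 'node'],
    }),
    pathValidator: new PathValidator({
      // If projectRoot is missing this becomes [undefined]; how PathValidator
      // treats that is not visible in this file — TODO confirm it fails closed.
      allowedPrefixes: [config.projectRoot],
      // NOTE(review): presumably admits dot-prefixed entries under the root
      // (e.g. VCS metadata or env files) — confirm that is intended.
      allowHidden: true,
    }),
    tokenGenerator: new TokenGenerator({
      hmacSecret: config.hmacSecret,
    }),
  };
}

// ============================================================================
// Security Constants
// ============================================================================

/**
 * Minimum recommended bcrypt rounds for production
 */
export const MIN_BCRYPT_ROUNDS = 12;

/**
 * Maximum recommended bcrypt rounds (performance consideration)
 */
export const MAX_BCRYPT_ROUNDS = 14;

/**
 * Minimum password length
 */
export const MIN_PASSWORD_LENGTH = 8;

/**
 * Maximum password length (bcrypt limitation).
 *
 * bcrypt only consumes the first 72 *bytes* of its input, so a password with
 * multi-byte UTF-8 characters reaches the limit in fewer than 72 characters;
 * enforce this bound on the encoded byte length where possible.
 */
export const MAX_PASSWORD_LENGTH = 72;

/**
 * Default token expiration in seconds (1 hour)
 */
export const DEFAULT_TOKEN_EXPIRATION = 3600;

/**
 * Default session expiration in seconds (24 hours)
 */
export const DEFAULT_SESSION_EXPIRATION = 86400;

// Shortest hmacSecret that auditSecurityConfig accepts without a warning.
const MIN_HMAC_SECRET_LENGTH = 32;

// ============================================================================
// Security Audit Helper
// ============================================================================

/**
 * Checks security configuration for common issues.
 *
 * Checks are made on presence (`!= null`) rather than truthiness, so that an
 * explicit `bcryptRounds: 0` or `hmacSecret: ''` — the weakest possible
 * values — are reported instead of being skipped as "not set".
 *
 * Not covered here: an absent `hmacSecret` (whether TokenGenerator tolerates
 * that is not visible in this file) and `bcryptRounds` above
 * MAX_BCRYPT_ROUNDS. The secret check is on length only, which is a proxy for
 * entropy: a long but predictable string still passes.
 *
 * @param config - Configuration to audit
 * @returns Array of security warnings
 */
export function auditSecurityConfig(config) {
  const warnings = [];
  const { bcryptRounds, hmacSecret, projectRoot, allowedCommands } = config;

  if (bcryptRounds != null && bcryptRounds < MIN_BCRYPT_ROUNDS) {
    warnings.push(
      `bcryptRounds (${bcryptRounds}) below recommended minimum (${MIN_BCRYPT_ROUNDS})`,
    );
  }

  if (hmacSecret != null && hmacSecret.length < MIN_HMAC_SECRET_LENGTH) {
    warnings.push('hmacSecret should be at least 32 characters');
  }

  if (!projectRoot) {
    warnings.push('projectRoot not configured - path validation may be disabled');
  }

  if (allowedCommands && allowedCommands.length === 0) {
    warnings.push('No commands allowed - executor will reject all commands');
  }

  return warnings;
}

/**
 * Security module version
 */
export const SECURITY_MODULE_VERSION = '3.0.0-alpha.1';
//# sourceMappingURL=index.js.map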