botserver/docs/src/chapter-11/security-features.md

# 🔒 BotServer Security Features Guide

## Overview

This document provides a comprehensive overview of all security features and configurations available in BotServer, designed for security experts and enterprise deployments.

## 📋 Table of Contents

- [Feature Flags](#feature-flags)
- [Authentication & Authorization](#authentication--authorization)
- [Encryption & Cryptography](#encryption--cryptography)
- [Network Security](#network-security)
- [Data Protection](#data-protection)
- [Audit & Compliance](#audit--compliance)
- [Security Configuration](#security-configuration)
- [Best Practices](#best-practices)

## Feature Flags

### Core Security Features

Configure in `Cargo.toml` or via build flags:

```bash
# Basic build with desktop UI
cargo build --features desktop

# Full security-enabled build
cargo build --features "desktop,vectordb,email"

# Server-only build (no desktop UI)
cargo build --no-default-features --features "vectordb,email"
```

### Available Features

| Feature | Purpose | Security Impact | Default |
|---------|---------|-----------------|---------|
| `desktop` | Tauri desktop UI | Sandboxed runtime, controlled system access | ✅ |
| `vectordb` | Qdrant integration | AI-powered threat detection, semantic search | ❌ |
| `email` | IMAP/SMTP support | Requires secure credential storage | ❌ |

### Planned Security Features

Features to be implemented for enterprise deployments:

| Feature | Description | Implementation Status |
|---------|-------------|----------------------|
| `encryption` | Enhanced encryption for data at rest | Built-in via aes-gcm |
| `audit` | Comprehensive audit logging | Planned |
| `rbac` | Role-based access control | In Progress (Zitadel) |
| `mfa` | Multi-factor authentication | Planned |
| `sso` | SAML/OIDC SSO support | Planned |

## Authentication & Authorization

### Zitadel Integration

BotServer uses Zitadel as the primary identity provider:

```rust
// Location: src/auth/zitadel.rs
// Features:
- OAuth2/OIDC authentication
- JWT token validation
- User/group management
- Permission management
- Session handling
```

### Password Security

- **Algorithm**: Argon2id (memory-hard, GPU-resistant)
- **Configuration**: 
  - Memory: 19456 KB
  - Iterations: 2
  - Parallelism: 1
  - Salt: Random 32-byte

### Token Management

- **Access Tokens**: JWT with RS256 signing
- **Refresh Tokens**: Secure random 256-bit
- **Session Tokens**: UUID v4 with Redis storage
- **Token Rotation**: Automatic refresh on expiry

## Encryption & Cryptography

### Dependencies

| Library | Version | Purpose | Algorithm |
|---------|---------|---------|-----------|
| `aes-gcm` | 0.10 | Authenticated encryption | AES-256-GCM |
| `argon2` | 0.5 | Password hashing | Argon2id |
| `sha2` | 0.10.9 | Cryptographic hashing | SHA-256 |
| `hmac` | 0.12.1 | Message authentication | HMAC-SHA256 |
| `rand` | 0.9.2 | Cryptographic RNG | ChaCha20 |

### Data Encryption

```rust
// Encryption at rest
- Database: Column-level encryption for sensitive fields
- File storage: AES-256-GCM for uploaded files
- Configuration: Encrypted secrets with master key

// Encryption in transit
- TLS 1.3 for all external communications
- mTLS for service-to-service communication
- Certificate pinning for critical services
```

## Network Security

### API Security

1. **Rate Limiting** (via Caddy)
   - Per-IP: 100 requests/minute
   - Per-user: 1000 requests/hour
   - Configured in Caddyfile

2. **CORS Configuration** (via Caddy)
   ```
   # Strict CORS policy in Caddyfile
   - Origins: Whitelist only
   - Credentials: true for authenticated requests
   - Methods: Explicitly allowed
   ```

3. **Input Validation**
   - Schema validation for all inputs
   - SQL injection prevention via PostgreSQL prepared statements
   - XSS protection with output encoding
   - Path traversal prevention

### WebSocket Security

- Authentication required for connection
- Message size limits (default: 10MB)
- Heartbeat/ping-pong for connection validation
- Automatic disconnection on suspicious activity

## Data Protection

### Database Security

```sql
-- PostgreSQL security features used:
- Row-level security (RLS)
- Column encryption for PII
- Audit logging
- Connection pooling
- Prepared statements only
- SSL/TLS connections enforced
```

### File Storage Security (MinIO)

- **MinIO Configuration**:
  - Bucket encryption: AES-256
  - Access: Policy-based access control
  - Versioning: Enabled
  - Immutable objects support
  - TLS encryption in transit

- **Local Storage**:
  - Directory permissions: 700
  - File permissions: 600
  - Temporary files: Secure deletion

### Memory Security

```rust
// Memory protection measures
- Zeroization of sensitive data
- No logging of secrets
- Secure random generation
- Protected memory pages for crypto keys
```

## Audit & Compliance

### Logging Configuration

```rust
// Structured logging with tracing
- Level: INFO (production), DEBUG (development)
- Format: JSON for machine parsing
- Rotation: Daily with 30-day retention
- Sensitive data: Redacted
```

### Audit Events

Events automatically logged:

- Authentication attempts
- Authorization failures
- Data access (read/write)
- Configuration changes
- Admin actions
- API calls
- Security violations

### Compliance Support

- **GDPR**: Data deletion, export capabilities
- **SOC2**: Audit trails, access controls
- **HIPAA**: Encryption, access logging (with configuration)
- **PCI DSS**: No credit card storage, tokenization support

## Security Configuration

### Environment Variables

```bash
# Required security settings
BOTSERVER_JWT_SECRET="[256-bit hex string]"
BOTSERVER_ENCRYPTION_KEY="[256-bit hex string]"
DATABASE_ENCRYPTION_KEY="[256-bit hex string]"

# Zitadel (Directory) configuration
ZITADEL_DOMAIN="https://your-instance.zitadel.cloud"
ZITADEL_CLIENT_ID="your-client-id"
ZITADEL_CLIENT_SECRET="your-client-secret"

# MinIO (Drive) configuration
MINIO_ENDPOINT="http://localhost:9000"
MINIO_ACCESS_KEY="minioadmin"
MINIO_SECRET_KEY="minioadmin"
MINIO_USE_SSL=true

# Qdrant (Vector Database) configuration
QDRANT_URL="http://localhost:6333"
QDRANT_API_KEY="your-api-key"

# Valkey (Cache) configuration
VALKEY_URL="redis://localhost:6379"
VALKEY_PASSWORD="your-password"

# Optional security enhancements
BOTSERVER_ENABLE_AUDIT=true
BOTSERVER_REQUIRE_MFA=false
BOTSERVER_SESSION_TIMEOUT=3600
BOTSERVER_MAX_LOGIN_ATTEMPTS=5
BOTSERVER_LOCKOUT_DURATION=900

# Network security (Caddy handles TLS automatically)
BOTSERVER_ALLOWED_ORIGINS="https://app.example.com"
BOTSERVER_RATE_LIMIT_PER_IP=100
BOTSERVER_RATE_LIMIT_PER_USER=1000
BOTSERVER_MAX_UPLOAD_SIZE=104857600  # 100MB
```

### Database Configuration

```sql
-- PostgreSQL security settings
-- Add to postgresql.conf:
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_ecdh_curve = 'prime256v1'

-- Connection string:
DATABASE_URL="postgres://user:pass@localhost/db?sslmode=require"
```

### Caddy Configuration

```
# Caddyfile for secure reverse proxy
{
    # Global options
    admin off
    auto_https on
}

app.example.com {
    # TLS 1.3 only
    tls {
        protocols tls1.3
        ciphers TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
    }
    
    # Security headers
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
        Referrer-Policy "strict-origin-when-cross-origin"
        Content-Security-Policy "default-src 'self'"
    }
    
    # Rate limiting
    rate_limit {
        zone static {
            key {remote_host}
            events 100
            window 1m
        }
    }
    
    # Reverse proxy to BotServer
    reverse_proxy localhost:3000 {
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }
    
    # Access logging
    log {
        output file /var/log/caddy/access.log
        format json
    }
}
```

## Best Practices

### Development

1. **Dependency Management**
   ```bash
   # Regular security updates
   cargo audit
   cargo update
   
   # Check for known vulnerabilities
   cargo audit --deny warnings
   ```

2. **Code Quality**
   ```rust
   // Enforced via Cargo.toml lints:
   - No unsafe code
   - No unwrap() in production
   - No panic!() macros
   - Complete error handling
   ```

3. **Testing**
   ```bash
   # Security testing suite
   cargo test --features security_tests
   
   # Fuzzing for input validation
   cargo fuzz run api_fuzzer
   ```

### Deployment

1. **Container Security**
   ```dockerfile
   # Multi-stage build
   FROM rust:1.75 as builder
   # ... build steps ...
   
   # Minimal runtime
   FROM gcr.io/distroless/cc-debian12
   USER nonroot:nonroot
   ```

2. **LXD/LXC Container Security**
   ```yaml
   # Container security profile
   config:
     security.nesting: "false"
     security.privileged: "false"
     limits.cpu: "4"
     limits.memory: "8GB"
   devices:
     root:
       path: /
       pool: default
       type: disk
   ```

3. **Network Policies**
   ```
   # Firewall rules (UFW/iptables)
   - Ingress: Only from Caddy proxy
   - Egress: PostgreSQL, MinIO, Qdrant, Valkey
   - Block: All other traffic
   - Internal: Component isolation
   ```

### Monitoring

1. **Security Metrics**
   - Failed authentication rate
   - Unusual API patterns
   - Resource usage anomalies
   - Geographic access patterns

2. **Alerting Thresholds**
   - 5+ failed logins: Warning
   - 10+ failed logins: Lock account
   - Unusual geographic access: Alert
   - Privilege escalation: Critical alert

3. **Incident Response**
   - Automatic session termination
   - Account lockout procedures
   - Audit log preservation
   - Forensic data collection

## Security Checklist

### Pre-Production

- [ ] All secrets in environment variables
- [ ] Database encryption enabled (PostgreSQL)
- [ ] MinIO encryption enabled
- [ ] Caddy TLS configured (automatic with Let's Encrypt)
- [ ] Rate limiting enabled (Caddy)
- [ ] CORS properly configured (Caddy)
- [ ] Audit logging enabled
- [ ] Backup encryption verified
- [ ] Security headers configured (Caddy)
- [ ] Input validation complete
- [ ] Error messages sanitized
- [ ] Zitadel MFA configured
- [ ] Qdrant authentication enabled
- [ ] Valkey password protection enabled

### Production

- [ ] MFA enabled for all admin accounts (Zitadel)
- [ ] Regular security updates scheduled (all components)
- [ ] Monitoring alerts configured
- [ ] Incident response plan documented
- [ ] Regular security audits scheduled
- [ ] Penetration testing completed
- [ ] Compliance requirements met
- [ ] Disaster recovery tested (PostgreSQL, MinIO backups)
- [ ] Access reviews scheduled (Zitadel)
- [ ] Security training completed
- [ ] Stalwart email security configured (DKIM, SPF, DMARC)
- [ ] LiveKit secure signaling enabled

## Contact

For security issues or questions:
- Security Email: security@pragmatismo.com.br
- Bug Bounty: See SECURITY.md
- Emergency: Use PGP-encrypted email

## Component Security Documentation

### Core Components
- [Caddy Security](https://caddyserver.com/docs/security) - Reverse proxy and TLS
- [PostgreSQL Security](https://www.postgresql.org/docs/current/security.html) - Database
- [Zitadel Security](https://zitadel.com/docs/guides/manage/security) - Identity and access
- [MinIO Security](https://min.io/docs/minio/linux/operations/security.html) - Object storage
- [Qdrant Security](https://qdrant.tech/documentation/guides/security/) - Vector database
- [Valkey Security](https://valkey.io/topics/security/) - Cache

### Communication Components
- [Stalwart Security](https://stalw.art/docs/security/) - Email server
- [LiveKit Security](https://docs.livekit.io/realtime/server/security/) - Video conferencing

## References

- [OWASP Top 10](https://owasp.org/Top10/)
- [CIS Controls](https://www.cisecurity.org/controls/)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
- [Rust Security Guidelines](https://anssi-fr.github.io/rust-guide/)