
Security Framework

Version: 1.0

Seven-Layer Security Architecture

NQL implements defense-in-depth with seven security layers:

Layer 1: Input Validation
    ↓
Layer 2: Authentication
    ↓
Layer 3: Authorization (RBAC)
    ↓
Layer 4: Query Validation
    ↓
Layer 5: Row-Level Security (RLS)
    ↓
Layer 6: Rate Limiting
    ↓
Layer 7: Audit Logging

Layer 1: Input Validation

All queries are validated against a JSON schema before any other layer sees them:

const schema = {
  type: 'object',
  required: ['operation', 'resource'],
  properties: {
    operation: {
      enum: ['read', 'create', 'update', 'delete', 'aggregate']
    },
    resource: { type: 'string' },
    params: { type: 'object' }
  }
};
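An added example (not NQL's own code) of enforcing the Layer 1 schema without a dependency, so it runs offline. A real deployment would hand the same schema to a JSON Schema library such as Ajv; the checks below mirror the schema's `required`, `enum` and `type` rules, and additionally reject unknown top-level keys, which is an assumption (equivalent to `additionalProperties: false`).

```javascript
// Added example, not part of the NQL project: hand-rolled validation of a
// query envelope against the Layer 1 schema.
const QUERY_SCHEMA = {
  type: 'object',
  required: ['operation', 'resource'],
  properties: {
    operation: { enum: ['read', 'create', 'update', 'delete', 'aggregate'] },
    resource: { type: 'string' },
    params: { type: 'object' }
  }
};

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Returns a list of violations; an empty list means the query is accepted.
function validateQuery(query, schema = QUERY_SCHEMA) {
  const errors = [];
  if (!isPlainObject(query)) return ['query must be a JSON object'];

  for (const key of schema.required) {
    if (!(key in query)) errors.push(`missing required field: ${key}`);
  }

  for (const [key, rule] of Object.entries(schema.properties)) {
    if (!(key in query)) continue;
    const value = query[key];
    if (rule.enum && !rule.enum.includes(value)) {
      errors.push(`${key}: not one of ${rule.enum.join(', ')}`);
    }
    if (rule.type === 'string' && typeof value !== 'string') {
      errors.push(`${key}: expected string`);
    }
    if (rule.type === 'object' && !isPlainObject(value)) {
      errors.push(`${key}: expected object`);
    }
  }

  // Assumption: the envelope is closed, so keys the schema does not list are
  // rejected rather than silently passed through to later layers.
  for (const key of Object.keys(query)) {
    if (!(key in schema.properties)) errors.push(`unknown field: ${key}`);
  }
  return errors;
}
```

Rejecting unknown keys matters here because later layers (RLS, the SQL builder) read specific fields of the envelope; an extra key that nobody validated is the usual way a crafted request reaches them.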

Layer 2: Authentication

Pluggable authentication adapters support:

  • JWT tokens
  • OAuth 2.0
  • API keys
  • Session cookies
  • mTLS

See AUTH_ADAPTERS.md

Layer 3: Authorization (RBAC)

Role-based access control:

resources:
  users:
    permissions:
      read: ["admin", "user"]
      create: ["admin"]
      update: ["admin", "self"]
      delete: ["admin"]
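An added example (not NQL's own code) of evaluating the policy above. It assumes the YAML has been parsed into the object shown, that the user context carries `role` and `user_id` (as in the Layer 5 snippet), and that the `self` entry means "the caller's own record", matched by comparing the target record id with `user_id`. The policy is deny-by-default: anything not explicitly listed is refused.

```javascript
// Added example, not part of the NQL project: RBAC check with "self" support.
const POLICY = {
  resources: {
    users: {
      permissions: {
        read: ['admin', 'user'],
        create: ['admin'],
        update: ['admin', 'self'],
        delete: ['admin']
      }
    }
  }
};

// Returns true only when an explicit allow exists (deny by default).
// targetId is the id of the record being acted on; omit it for
// operations that do not address a single record (e.g. create, or a bulk update).
function isAuthorized(policy, userContext, operation, resource, targetId) {
  const res = policy.resources[resource];
  if (!res) return false;                      // unknown resource: deny
  const allowed = res.permissions[operation];
  if (!Array.isArray(allowed)) return false;   // unknown operation: deny

  // "self" is a pseudo-role, never a real role: a caller whose role claims
  // to be "self" must not be granted the self permissions by name.
  if (userContext.role !== 'self' && allowed.includes(userContext.role)) return true;

  // "self": the caller may act on their own record only. A missing target id
  // (bulk operation) is not "self".
  if (allowed.includes('self') && targetId !== undefined && targetId !== null) {
    return String(targetId) === String(userContext.user_id);
  }
  return false;
}
```

The two guards that are easy to forget are the ones that make `self` safe: a request without a concrete target id must not match it, and a caller must not be able to satisfy it by presenting `self` as their role.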

Layer 4: Query Validation

Validates:

  • Field names exist in schema
  • Operators valid for field types
  • Query complexity within limits

Layer 5: Row-Level Security

User-specific filtering:

// Non-admins see only their records: the caller's own filter is kept and
// AND-ed with a user_id constraint, so the caller cannot widen the result set.
if (userContext.role !== 'admin') {
  nqlQuery.params = nqlQuery.params || {};   // params is optional in the Layer 1 schema
  nqlQuery.params.filter = {
    $and: [
      nqlQuery.params.filter || {},
      { user_id: { $eq: userContext.user_id } }
    ]
  };
}

Layer 6: Rate Limiting

Default limits (all enforced per user):

  • 100 queries per hour
  • 10 concurrent queries
  • Query complexity score < 100
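An added example (not NQL's own code) of an in-memory limiter that enforces the three defaults above. Assumptions: the hourly quota is a sliding window, the complexity score has already been computed by Layer 4 and is passed in, rejected queries do not consume quota, and the clock is injected so the behaviour is deterministic. A multi-node deployment would keep the same state in a shared store instead of a `Map`.

```javascript
// Added example, not part of the NQL project: per-user rate limiting with a
// sliding hourly window, a concurrency cap and a complexity ceiling.
const DEFAULT_LIMITS = { queriesPerHour: 100, concurrentQueries: 10, maxComplexity: 100 };
const HOUR_MS = 60 * 60 * 1000;

class RateLimiter {
  constructor(limits = DEFAULT_LIMITS, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;                 // injected clock (assumption, for testability)
    this.state = new Map();         // user_id -> { timestamps: number[], inFlight: number }
  }

  _bucket(userId) {
    if (!this.state.has(userId)) this.state.set(userId, { timestamps: [], inFlight: 0 });
    return this.state.get(userId);
  }

  // Call before executing a query. Returns { allowed, reason }. When allowed,
  // the caller must call release(userId) once the query finishes, or the
  // concurrency slot leaks.
  acquire(userId, complexity) {
    const b = this._bucket(userId);
    const t = this.now();
    // Drop timestamps that have left the sliding one-hour window.
    b.timestamps = b.timestamps.filter((ts) => t - ts < HOUR_MS);

    if (complexity >= this.limits.maxComplexity) {
      return { allowed: false, reason: 'complexity' };
    }
    if (b.inFlight >= this.limits.concurrentQueries) {
      return { allowed: false, reason: 'concurrency' };
    }
    if (b.timestamps.length >= this.limits.queriesPerHour) {
      return { allowed: false, reason: 'hourly_quota' };
    }
    b.timestamps.push(t);
    b.inFlight += 1;
    return { allowed: true, reason: null };
  }

  release(userId) {
    const b = this._bucket(userId);
    if (b.inFlight > 0) b.inFlight -= 1;
  }
}
```

The complexity check runs first so that an over-budget query is refused before it occupies a concurrency slot or hourly quota; the `reason` field is what the Layer 7 audit record should capture for a denied request.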

Layer 7: Audit Logging

All operations are logged, including the authorization decision, so that denied requests are visible as well as executed ones:

{
  "timestamp": "2024-11-27T14:32:15Z",
  "user_id": "uuid-123",
  "operation": "delete",
  "resource": "users",
  "risk_level": "high",
  "decision": "approved",
  "execution_time_ms": 125
}

Injection Prevention

All queries use parameterized statements:

// NQL generates a parameterized statement; the value travels separately from the SQL text
const sql = 'SELECT * FROM users WHERE email = $1';
const params = [userInput];

// NOT this: string interpolation places the input inside the SQL text
const unsafeSql = `SELECT * FROM users WHERE email = '${userInput}'`;
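An added example (not NQL's own code) that ties Layer 4, the Layer 5 filter shape and this section together: it compiles an NQL-style filter object into a parameterized `WHERE` clause. Field names are checked against an assumed resource schema, operators are checked against the field type, and every user-supplied value becomes a positional `$n` parameter, so the generated SQL text never contains user input. The `USERS_SCHEMA`, the operator table and the sample filters are constructed for the example.

```javascript
// Added example, not part of the NQL project: filter object -> parameterized SQL.
const USERS_SCHEMA = {
  table: 'users',
  fields: { id: 'string', user_id: 'string', email: 'string', age: 'number' }
};

// Operators permitted per field type (assumed); anything else is rejected.
const OPERATORS = {
  string: { $eq: '=', $ne: '<>' },
  number: { $eq: '=', $ne: '<>', $gt: '>', $gte: '>=', $lt: '<', $lte: '<=' }
};

// Appends values to `params` and returns the SQL fragment for `filter`.
function compileFilter(filter, schema, params = []) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    throw new Error('filter must be an object');
  }
  const clauses = [];
  for (const [key, value] of Object.entries(filter)) {
    if (key === '$and' || key === '$or') {
      if (!Array.isArray(value) || value.length === 0) {
        throw new Error(`${key} needs a non-empty array`);
      }
      const parts = value.map((sub) => compileFilter(sub, schema, params));
      clauses.push(`(${parts.join(key === '$and' ? ' AND ' : ' OR ')})`);
      continue;
    }
    const type = schema.fields[key];
    if (!type) throw new Error(`unknown field: ${key}`);           // Layer 4: field exists
    const ops = value !== null && typeof value === 'object' ? value : { $eq: value };
    for (const [op, operand] of Object.entries(ops)) {
      const sqlOp = OPERATORS[type][op];
      if (!sqlOp) throw new Error(`operator ${op} not valid for ${type} field ${key}`); // Layer 4
      if (typeof operand !== type) throw new Error(`${key}: expected ${type}`);
      params.push(operand);                   // value goes to params, never into the SQL text
      clauses.push(`"${key}" ${sqlOp} $${params.length}`);   // key is schema-validated above
    }
  }
  if (clauses.length === 0) return 'TRUE';   // empty filter ({} from the RLS wrapper) matches all rows
  return clauses.length === 1 ? clauses[0] : `(${clauses.join(' AND ')})`;
}

function buildSelect(schema, filter) {
  const params = [];
  const where = compileFilter(filter, schema, params);
  return { sql: `SELECT * FROM "${schema.table}" WHERE ${where}`, params };
}
```

The only identifiers that reach the SQL string are keys that were found in the schema, and the only operators are entries of the fixed table; the empty `{}` that the Layer 5 wrapper produces for a query with no filter compiles to `TRUE` rather than to a syntax error.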

Compliance

Supports:

  • GDPR (data access, deletion)
  • HIPAA (audit logging, encryption)
  • SOC 2 (access controls, monitoring)
  • PCI DSS (data protection)

License: MIT
Author: nagibaba