Skip to content

APPNEURAL-OSs/SecurityOS

BranchesTags

Repository files navigation

SecurityOS

SecurityOS is a reusable security operating layer for Appneural platforms. It manages IAM, RBAC, policies, audit logs, sessions, API keys, secrets, compliance controls, access reviews, findings, events, and security analytics.

This starter uses TypeScript, Node.js built-ins, and a JSON-file datastore for local development. For production, replace the datastore with PostgreSQL using database/schema.sql and replace demo secret sealing with KMS/HSM-backed encryption.

Features

  • Identity management
  • Role and permission management
  • Group management
  • Role assignments
  • Access check engine
  • Allow/deny security policies
  • Sessions and revocation
  • API key hashing, verification, and revocation
  • Secret vault with masking, reveal, rotation, and version history
  • Compliance controls and evidence
  • Access reviews and decisions
  • Security findings and resolution
  • Audit logs with sensitive field redaction
  • Event logs
  • Security analytics
  • Seed demo data
  • PostgreSQL schema example
  • Automated tests

Run

npm run build
npm start

Open:

http://localhost:5400/health
http://localhost:5400/docs

Default tenant:

demo-tenant

Demo auth headers

x-tenant-id: demo-tenant
x-user-id: admin-user
x-role: security_admin

Supported API roles:

viewer
security_analyst
iam_admin
secret_manager
compliance_manager
security_admin
admin
owner
auditor

Main demo IDs

ident_demo_maya
ident_demo_rahul
ident_demo_asha
ident_demo_service_commerce
role_security_admin
role_iam_operator
role_security_auditor
role_commerce_operator
role_secret_operator
group_security
group_engineering
group_compliance
assign_maya_admin
assign_asha_auditor
assign_eng_commerce
policy_deny_secret_reveal_commerce
policy_allow_auditor_read
secret_demo_stripe
ctrl_soc2_cc6_1
ctrl_iso_a_5_15
review_q2_access
finding_rahul_mfa
finding_expired_session

Example API calls

Check access:

curl -X POST http://localhost:5400/securityos/access/check \
  -H "Content-Type: application/json" \
  -H "x-role: security_analyst" \
  -d '{"subjectId":"ident_demo_rahul","action":"commerce.orders.write","resource":"commerce.orders"}'

Create identity:

curl -X POST http://localhost:5400/securityos/identities \
  -H "Content-Type: application/json" \
  -H "x-role: iam_admin" \
  -d '{"email":"dev@appneural.com","displayName":"Dev Engineer","mfaEnabled":true}'

Create secret:

curl -X POST http://localhost:5400/securityos/secrets \
  -H "Content-Type: application/json" \
  -H "x-role: secret_manager" \
  -d '{"name":"OPENAI_API_KEY","environment":"prod","value":"sk-demo-secret","tags":["aios","prod"]}'

Production notes

The included secret engine is demo-only. Replace it with a proper KMS/HSM provider before production. Replace header-based demo auth with SSO/OIDC, and persist audit logs in an append-only datastore.

Planning Alignment

  • Official package: @appneurox/securityos
  • Manifest: manifest.json
  • Domain API namespace: /v1/security
  • Modes: standalone and PlatformOS integrated
  • Related systems: PlatformOS, ComplianceOS

See docs/planning.md for the planning contract applied from APPNEURAL Plannings/OSs.

About

SecurityOS: reusable TypeScript operating layer for Auth, roles, permissions, policies, approvals, secrets, and audit.

Topics

security typescript sdk permissions auth audit operating-system platform-os appneural compliance-os security-os appneurox securityos

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages