Merge pull request #1280 from mnfst/chore/review-security-module

Remove unused security module and endpoint

Author: brunobuddy

.changeset/remove-security-module.md

@@ -0,0 +1,5 @@
+---
+"manifest": patch
+---
+
+Remove unused security module, endpoint, entity, and seeder

packages/backend/src/app.module.ts

@@ -17,7 +17,6 @@ import { AuthModule } from './auth/auth.module';
 import { HealthModule } from './health/health.module';
 import { TelemetryModule } from './telemetry/telemetry.module';
 import { AnalyticsModule } from './analytics/analytics.module';
-import { SecurityModule } from './security/security.module';
 import { OtlpModule } from './otlp/otlp.module';
 import { ModelPricesModule } from './model-prices/model-prices.module';
 import { NotificationsModule } from './notifications/notifications.module';
@@ -69,7 +68,6 @@ const serveStaticImports = frontendPath
     HealthModule,
     TelemetryModule,
     AnalyticsModule,
-    SecurityModule,
     OtlpModule,
     ModelPricesModule,
     NotificationsModule,

packages/backend/src/database/database-seeder.service.spec.ts

@@ -27,7 +27,6 @@ describe('DatabaseSeederService', () => {
   let mockAgentRepo: ReturnType<typeof makeMockRepo>;
   let mockAgentKeyRepo: ReturnType<typeof makeMockRepo>;
   let mockApiKeyRepo: ReturnType<typeof makeMockRepo>;
-  let mockSecurityRepo: ReturnType<typeof makeMockRepo>;
   let mockMessageRepo: ReturnType<typeof makeMockRepo>;
   const originalSeedData = process.env['SEED_DATA'];
   const originalManifestMode = process.env['MANIFEST_MODE'];
@@ -41,7 +40,6 @@ describe('DatabaseSeederService', () => {
     mockAgentRepo = makeMockRepo();
     mockAgentKeyRepo = makeMockRepo();
     mockApiKeyRepo = makeMockRepo();
-    mockSecurityRepo = makeMockRepo();
     mockMessageRepo = makeMockRepo();
 
     service = new DatabaseSeederService(
@@ -51,7 +49,6 @@ describe('DatabaseSeederService', () => {
       mockAgentRepo as never,
       mockAgentKeyRepo as never,
       mockApiKeyRepo as never,
-      mockSecurityRepo as never,
       mockMessageRepo as never,
     );
 
@@ -345,48 +342,6 @@ describe('DatabaseSeederService', () => {
     });
   });
 
-  describe('seedSecurityEvents', () => {
-    it('should skip seeding when events already exist', async () => {
-      mockSecurityRepo.count.mockResolvedValue(5);
-
-      await service.onModuleInit();
-
-      expect(mockSecurityRepo.insert).not.toHaveBeenCalled();
-    });
-
-    it('should insert 12 security events when table is empty', async () => {
-      mockSecurityRepo.count.mockResolvedValue(0);
-
-      await service.onModuleInit();
-
-      expect(mockSecurityRepo.insert).toHaveBeenCalledTimes(12);
-    });
-
-    it('should include events of all severity levels', async () => {
-      mockSecurityRepo.count.mockResolvedValue(0);
-
-      await service.onModuleInit();
-
-      const insertedSeverities = mockSecurityRepo.insert.mock.calls.map(
-        (call: unknown[]) => (call[0] as { severity: string }).severity,
-      );
-      expect(insertedSeverities).toContain('critical');
-      expect(insertedSeverities).toContain('warning');
-      expect(insertedSeverities).toContain('info');
-    });
-
-    it('should attach admin user_id to security events', async () => {
-      mockSecurityRepo.count.mockResolvedValue(0);
-      mockDataSource.query.mockResolvedValue([{ id: 'admin-user-id' }]);
-
-      await service.onModuleInit();
-
-      for (const call of mockSecurityRepo.insert.mock.calls) {
-        expect((call[0] as { user_id: string }).user_id).toBe('admin-user-id');
-      }
-    });
-  });
-
   describe('getAdminUserId edge cases', () => {
     it('should handle checkBetterAuthUser failure gracefully', async () => {
       // checkBetterAuthUser catches DB errors and returns false,

packages/backend/src/database/database-seeder.service.ts

@@ -7,7 +7,6 @@ import { Tenant } from '../entities/tenant.entity';
 import { Agent } from '../entities/agent.entity';
 import { AgentApiKey } from '../entities/agent-api-key.entity';
 import { ApiKey } from '../entities/api-key.entity';
-import { SecurityEvent } from '../entities/security-event.entity';
 import { AgentMessage } from '../entities/agent-message.entity';
 import { hashKey, keyPrefix } from '../common/utils/hash.util';
 import { seedAgentMessages } from './seed-messages';
@@ -28,7 +27,6 @@ export class DatabaseSeederService implements OnModuleInit {
     @InjectRepository(Agent) private readonly agentRepo: Repository<Agent>,
     @InjectRepository(AgentApiKey) private readonly agentKeyRepo: Repository<AgentApiKey>,
     @InjectRepository(ApiKey) private readonly apiKeyRepo: Repository<ApiKey>,
-    @InjectRepository(SecurityEvent) private readonly securityRepo: Repository<SecurityEvent>,
     @InjectRepository(AgentMessage) private readonly messageRepo: Repository<AgentMessage>,
   ) {}
 
@@ -45,7 +43,6 @@ export class DatabaseSeederService implements OnModuleInit {
       await this.seedAdminUser();
       await this.seedApiKey();
       await this.seedTenantAndAgent();
-      await this.seedSecurityEvents();
       await this.seedAgentMessages();
       this.logger.log('Seeded demo data (dev/test only, SEED_DATA=true)');
     }
@@ -151,112 +148,6 @@ export class DatabaseSeederService implements OnModuleInit {
     this.logger.log(`Seeded tenant/agent with OTLP key: ${SEED_OTLP_KEY.substring(0, 8)}***`);
   }
 
-  private async seedSecurityEvents() {
-    const count = await this.securityRepo.count();
-    if (count > 0) return;
-
-    const userId = await this.getAdminUserId();
-
-    const now = Date.now();
-    const events = [
-      [
-        'sec-001',
-        'sess-001',
-        -2,
-        'critical',
-        'unauthorized_access',
-        'Unauthorized API key attempt from unknown IP',
-      ],
-      [
-        'sec-002',
-        'sess-002',
-        -3,
-        'warning',
-        'rate_limit',
-        'Rate limit exceeded for agent — 150 req/min threshold',
-      ],
-      [
-        'sec-003',
-        'sess-003',
-        -5,
-        'info',
-        'config_change',
-        'Alert rule "High cost threshold" updated by admin',
-      ],
-      [
-        'sec-004',
-        'sess-004',
-        -6,
-        'warning',
-        'sandbox_escape',
-        'Sandbox escape attempt detected in agent session',
-      ],
-      [
-        'sec-005',
-        'sess-005',
-        -8,
-        'critical',
-        'data_exfiltration',
-        'Suspicious outbound data transfer detected',
-      ],
-      ['sec-006', 'sess-006', -10, 'info', 'login', 'New login from device'],
-      [
-        'sec-007',
-        'sess-007',
-        -12,
-        'warning',
-        'permission_escalation',
-        'Agent requested elevated permissions outside scope',
-      ],
-      [
-        'sec-008',
-        'sess-008',
-        -14,
-        'info',
-        'api_key_rotation',
-        'API key rotated for production environment',
-      ],
-      [
-        'sec-009',
-        'sess-009',
-        -18,
-        'critical',
-        'injection_attempt',
-        'Prompt injection attempt detected in agent input',
-      ],
-      [
-        'sec-010',
-        'sess-010',
-        -22,
-        'warning',
-        'token_anomaly',
-        'Unusual token consumption spike: 340% above baseline',
-      ],
-      [
-        'sec-011',
-        'sess-011',
-        -24,
-        'info',
-        'audit',
-        'Weekly security audit completed — 3 findings resolved',
-      ],
-      ['sec-012', 'sess-012', -48, 'warning', 'certificate', 'TLS certificate expiring in 14 days'],
-    ] as const;
-
-    for (const [id, sessionKey, hoursAgo, severity, category, description] of events) {
-      const ts = new Date(now + hoursAgo * 3600000).toISOString();
-      await this.securityRepo.insert({
-        id,
-        session_key: sessionKey,
-        timestamp: ts,
-        severity,
-        category,
-        description,
-        user_id: userId,
-      });
-    }
-  }
-
   private async seedAgentMessages() {
     const userId = await this.getAdminUserId();
     if (!userId) return;

packages/backend/src/database/database.module.ts

@@ -5,7 +5,6 @@ import { ConfigService } from '@nestjs/config';
 import { AgentMessage } from '../entities/agent-message.entity';
 import { LlmCall } from '../entities/llm-call.entity';
 import { ToolExecution } from '../entities/tool-execution.entity';
-import { SecurityEvent } from '../entities/security-event.entity';
 import { TokenUsageSnapshot } from '../entities/token-usage-snapshot.entity';
 import { CostSnapshot } from '../entities/cost-snapshot.entity';
 import { AgentLog } from '../entities/agent-log.entity';
@@ -57,12 +56,12 @@ import { AddEmailProviderKeyPrefix1773300000000 } from './migrations/17733000000
 import { AddProviderModelCache1773400000000 } from './migrations/1773400000000-AddProviderModelCache';
 import { DropModelPricingTables1773500000000 } from './migrations/1773500000000-DropModelPricingTables';
 import { AddOverrideProvider1773600000000 } from './migrations/1773600000000-AddOverrideProvider';
+import { DropSecurityEventTable1773700000000 } from './migrations/1773700000000-DropSecurityEventTable';
 
 const entities = [
   AgentMessage,
   LlmCall,
   ToolExecution,
-  SecurityEvent,
   TokenUsageSnapshot,
   CostSnapshot,
   AgentLog,
@@ -114,6 +113,7 @@ const migrations = [
   AddProviderModelCache1773400000000,
   DropModelPricingTables1773500000000,
   AddOverrideProvider1773600000000,
+  DropSecurityEventTable1773700000000,
 ];
 
 const isLocalMode = process.env['MANIFEST_MODE'] === 'local';
@@ -163,7 +163,6 @@ function buildModeServices() {
       AgentApiKey,
       AgentMessage,
       ApiKey,
-      SecurityEvent,
       UserProvider,
       TierAssignment,
       CustomProvider,

packages/backend/src/database/migrations/1773700000000-DropSecurityEventTable.spec.ts

@@ -0,0 +1,40 @@
+import { QueryRunner } from 'typeorm';
+import { DropSecurityEventTable1773700000000 } from './1773700000000-DropSecurityEventTable';
+
+describe('DropSecurityEventTable1773700000000', () => {
+  let migration: DropSecurityEventTable1773700000000;
+  let queryRunner: jest.Mocked<Pick<QueryRunner, 'query'>>;
+
+  beforeEach(() => {
+    migration = new DropSecurityEventTable1773700000000();
+    queryRunner = { query: jest.fn().mockResolvedValue(undefined) };
+  });
+
+  describe('up', () => {
+    it('should drop the security_event table', async () => {
+      await migration.up(queryRunner as unknown as QueryRunner);
+
+      expect(queryRunner.query).toHaveBeenCalledTimes(1);
+      expect(queryRunner.query).toHaveBeenCalledWith(
+        expect.stringContaining('DROP TABLE IF EXISTS "security_event"'),
+      );
+    });
+  });
+
+  describe('down', () => {
+    it('should recreate the security_event table', async () => {
+      await migration.down(queryRunner as unknown as QueryRunner);
+
+      expect(queryRunner.query).toHaveBeenCalledTimes(2);
+      expect(queryRunner.query).toHaveBeenCalledWith(
+        expect.stringContaining('CREATE TABLE "security_event"'),
+      );
+    });
+
+    it('should recreate the user_id/timestamp index', async () => {
+      await migration.down(queryRunner as unknown as QueryRunner);
+
+      expect(queryRunner.query).toHaveBeenCalledWith(expect.stringContaining('CREATE INDEX'));
+    });
+  });
+});

packages/backend/src/database/migrations/1773700000000-DropSecurityEventTable.ts

@@ -0,0 +1,24 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+
+export class DropSecurityEventTable1773700000000 implements MigrationInterface {
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(`DROP TABLE IF EXISTS "security_event"`);
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    await queryRunner.query(`
+      CREATE TABLE "security_event" (
+        "id" varchar PRIMARY KEY NOT NULL,
+        "session_key" varchar,
+        "timestamp" timestamp NOT NULL,
+        "severity" varchar NOT NULL,
+        "category" varchar NOT NULL,
+        "description" varchar NOT NULL,
+        "user_id" varchar
+      )
+    `);
+    await queryRunner.query(
+      `CREATE INDEX "IDX_security_event_user_id_timestamp" ON "security_event" ("user_id", "timestamp")`,
+    );
+  }
+}