# ๐Ÿš€ SFERA Security System - Deployment Guide ## ๐Ÿ“‹ Pre-Deployment Checklist ### Environment Requirements - [ ] Node.js >= 18.0.0 - [ ] PostgreSQL >= 14.0 - [ ] Redis >= 6.2 (for caching) - [ ] RAM >= 4GB - [ ] CPU >= 2 cores ### Infrastructure Setup ```bash # 1. Database Setup psql -U postgres -c "CREATE DATABASE sfera_security;" # 2. Redis Setup docker run -d --name sfera-redis \ -p 6379:6379 \ -v redis-data:/data \ redis:6.2-alpine redis-server --appendonly yes # 3. Environment Variables cp .env.example .env.production ``` ## ๐Ÿ”ง Configuration ### Environment Variables ```env # Security System Configuration ENABLE_SUPPLY_SECURITY=true ENABLE_SECURITY_AUDIT=true SECURITY_STRICT_MODE=false ENABLE_SECURITY_CACHE=true # Feature Flags FEATURE_SUPPLY_DATA_FILTERING=true FEATURE_COMMERCIAL_AUDIT=true FEATURE_THREAT_DETECTION=true FEATURE_REAL_TIME_ALERTS=true FEATURE_EXTERNAL_MONITORING=true # Database DATABASE_URL="postgresql://user:password@localhost:5432/sfera_security" DATABASE_POOL_MIN=2 DATABASE_POOL_MAX=10 # Redis Cache REDIS_HOST=localhost REDIS_PORT=6379 REDIS_PASSWORD=your_redis_password REDIS_TLS=false # Security Settings JWT_SECRET=your_jwt_secret_here ENCRYPTION_KEY=your_32_byte_encryption_key SESSION_TIMEOUT=3600 # Monitoring SIEM_INTEGRATION_ENABLED=true SIEM_TYPE=ELASTIC_SIEM SIEM_ENDPOINT=https://your-siem.example.com SIEM_API_KEY=your_siem_api_key # Alerts SLACK_INTEGRATION_ENABLED=true SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxx EMAIL_ALERTS_ENABLED=true EMAIL_SMTP_HOST=smtp.example.com EMAIL_SMTP_PORT=587 # Performance MAX_CONCURRENT_FILTERS=100 CACHE_TTL_SECONDS=300 BATCH_SIZE_AUDIT_LOGS=100 WORKER_THREADS_ENABLED=true WORKER_THREADS_COUNT=4 ``` ### Database Migrations ```bash # Run all migrations npm run migrate:deploy # Verify migrations npm run migrate:status # Seed initial data (if needed) npm run seed:security ``` ### Security Indexes ```sql -- Run these manually for better performance CREATE INDEX CONCURRENTLY idx_commercial_audits_lookup ON commercial_data_audits(user_id, created_at DESC); CREATE INDEX CONCURRENTLY idx_partnerships_active_lookup ON partnerships(organization_id, partner_id) WHERE active = true; CREATE INDEX CONCURRENTLY idx_supply_orders_security ON supply_orders(organization_id, status, created_at DESC); -- Analyze tables for query optimization ANALYZE commercial_data_audits; ANALYZE partnerships; ANALYZE supply_orders; ``` ## ๐Ÿšฆ Deployment Steps ### 1. **Gradual Rollout with Feature Flags** ```typescript // config/deployment-stages.ts export const DEPLOYMENT_STAGES = { STAGE_1: { name: 'Basic Security', duration: '24 hours', features: { FEATURE_SUPPLY_DATA_FILTERING: true, FEATURE_COMMERCIAL_AUDIT: false, FEATURE_THREAT_DETECTION: false, FEATURE_REAL_TIME_ALERTS: false, }, targetUsers: 0.1, // 10% of users }, STAGE_2: { name: 'Audit & Monitoring', duration: '48 hours', features: { FEATURE_SUPPLY_DATA_FILTERING: true, FEATURE_COMMERCIAL_AUDIT: true, FEATURE_THREAT_DETECTION: false, FEATURE_REAL_TIME_ALERTS: true, }, targetUsers: 0.25, // 25% of users }, STAGE_3: { name: 'Full Security', duration: '72 hours', features: { FEATURE_SUPPLY_DATA_FILTERING: true, FEATURE_COMMERCIAL_AUDIT: true, FEATURE_THREAT_DETECTION: true, FEATURE_REAL_TIME_ALERTS: true, }, targetUsers: 0.5, // 50% of users }, STAGE_4: { name: 'Complete Rollout', duration: 'Permanent', features: { FEATURE_SUPPLY_DATA_FILTERING: true, FEATURE_COMMERCIAL_AUDIT: true, FEATURE_THREAT_DETECTION: true, FEATURE_REAL_TIME_ALERTS: true, FEATURE_EXTERNAL_MONITORING: true, }, targetUsers: 1.0, // 100% of users }, } ``` ### 2. **Deployment Script** ```bash #!/bin/bash # deploy-security.sh set -e echo "๐Ÿš€ Starting SFERA Security Deployment..." # Stage 1: Pre-deployment checks echo "๐Ÿ“‹ Running pre-deployment checks..." npm run test:security npm run lint # Stage 2: Database backup echo "๐Ÿ’พ Backing up database..." pg_dump $DATABASE_URL > backup_$(date +%Y%m%d_%H%M%S).sql # Stage 3: Deploy database changes echo "๐Ÿ—„๏ธ Applying database migrations..." npm run migrate:deploy # Stage 4: Build application echo "๐Ÿ”จ Building application..." npm run build # Stage 5: Deploy with zero downtime echo "๐Ÿš€ Deploying application..." pm2 reload ecosystem.config.js --update-env # Stage 6: Health check echo "๐Ÿฅ Running health checks..." npm run health:check # Stage 7: Enable monitoring echo "๐Ÿ“Š Enabling monitoring..." npm run monitoring:enable echo "โœ… Deployment completed successfully!" ``` ### 3. **PM2 Ecosystem Configuration** ```javascript // ecosystem.config.js module.exports = { apps: [ { name: 'sfera-security', script: './dist/index.js', instances: 'max', exec_mode: 'cluster', max_memory_restart: '1G', env: { NODE_ENV: 'production', PORT: 3000, }, error_file: './logs/err.log', out_file: './logs/out.log', log_file: './logs/combined.log', time: true, // Graceful shutdown kill_timeout: 5000, listen_timeout: 3000, // Auto-restart autorestart: true, watch: false, max_restarts: 10, min_uptime: '10s', }, ], } ``` ## ๐Ÿ“Š Monitoring Setup ### 1. **Health Check Endpoints** ```typescript // src/graphql/security/health/health-check.ts export const securityHealthChecks = { '/health/security': async (req, res) => { const checks = { database: await checkDatabase(), redis: await checkRedis(), security_filters: await checkSecurityFilters(), threat_detection: await checkThreatDetection(), audit_system: await checkAuditSystem(), } const allHealthy = Object.values(checks).every((check) => check.status === 'healthy') res.status(allHealthy ? 200 : 503).json({ status: allHealthy ? 'healthy' : 'unhealthy', timestamp: new Date().toISOString(), checks, }) }, '/health/security/detailed': async (req, res) => { // Detailed health metrics const metrics = { filter_latency_ms: await getFilterLatency(), cache_hit_rate: await getCacheHitRate(), active_threats: await getActiveThreatCount(), audit_backlog: await getAuditBacklog(), memory_usage_mb: process.memoryUsage().heapUsed / 1024 / 1024, } res.json(metrics) }, } ``` ### 2. **Monitoring Alerts** ```yaml # prometheus-alerts.yml groups: - name: security_alerts interval: 30s rules: - alert: HighFilterLatency expr: histogram_quantile(0.95, security_filter_latency_ms) > 100 for: 5m labels: severity: warning annotations: summary: 'High security filter latency' description: '95th percentile latency is {{ $value }}ms' - alert: LowCacheHitRate expr: security_cache_hit_rate < 0.7 for: 10m labels: severity: warning annotations: summary: 'Low cache hit rate' description: 'Cache hit rate is {{ $value }}' - alert: ThreatDetectionSpike expr: rate(security_threats_detected[5m]) > 10 for: 2m labels: severity: critical annotations: summary: 'Spike in threat detections' description: '{{ $value }} threats/second detected' ``` ### 3. **Logging Configuration** ```typescript // src/config/logging.ts import winston from 'winston' import { ElasticsearchTransport } from 'winston-elasticsearch' export const securityLogger = winston.createLogger({ level: 'info', format: winston.format.combine( winston.format.timestamp(), winston.format.errors({ stack: true }), winston.format.json(), ), defaultMeta: { service: 'sfera-security' }, transports: [ // Console logging new winston.transports.Console({ format: winston.format.simple(), }), // File logging new winston.transports.File({ filename: 'logs/security-error.log', level: 'error', maxsize: 10485760, // 10MB maxFiles: 5, }), new winston.transports.File({ filename: 'logs/security-combined.log', maxsize: 10485760, // 10MB maxFiles: 10, }), // Elasticsearch for centralized logging new ElasticsearchTransport({ level: 'info', clientOpts: { node: process.env.ELASTICSEARCH_URL, }, index: 'sfera-security-logs', }), ], }) ``` ## ๐Ÿ›ก๏ธ Security Hardening ### 1. **Rate Limiting** ```typescript // src/middleware/rate-limit.ts import rateLimit from 'express-rate-limit' import RedisStore from 'rate-limit-redis' export const securityRateLimiter = rateLimit({ store: new RedisStore({ client: redis, prefix: 'rl:security:', }), windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // Limit each IP to 100 requests per windowMs message: 'Too many requests from this IP', standardHeaders: true, legacyHeaders: false, // Custom key generator keyGenerator: (req) => { return `${req.ip}:${req.user?.id || 'anonymous'}` }, // Skip successful requests skip: (req, res) => { return res.statusCode < 400 }, }) ``` ### 2. **Security Headers** ```typescript // src/middleware/security-headers.ts import helmet from 'helmet' export const securityHeaders = helmet({ contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"], scriptSrc: ["'self'"], imgSrc: ["'self'", 'data:', 'https:'], connectSrc: ["'self'"], fontSrc: ["'self'"], objectSrc: ["'none'"], mediaSrc: ["'self'"], frameSrc: ["'none'"], }, }, hsts: { maxAge: 31536000, includeSubDomains: true, preload: true, }, }) ``` ## ๐Ÿ”„ Rollback Plan ### Automated Rollback ```bash #!/bin/bash # rollback-security.sh set -e echo "๐Ÿ”„ Starting rollback procedure..." # Step 1: Disable feature flags echo "๐Ÿšซ Disabling security features..." redis-cli SET "feature:FEATURE_SUPPLY_DATA_FILTERING" "false" redis-cli SET "feature:FEATURE_THREAT_DETECTION" "false" # Step 2: Restore previous version echo "โฎ๏ธ Restoring previous version..." pm2 reload ecosystem.config.js --env previous # Step 3: Restore database if needed if [ "$1" == "--restore-db" ]; then echo "๐Ÿ’พ Restoring database..." psql $DATABASE_URL < $2 fi # Step 4: Clear cache echo "๐Ÿงน Clearing cache..." redis-cli FLUSHDB # Step 5: Health check echo "๐Ÿฅ Running health check..." npm run health:check echo "โœ… Rollback completed!" ``` ### Manual Rollback Steps 1. **Disable Features** ```sql UPDATE feature_flags SET enabled = false WHERE feature_name LIKE 'SECURITY_%'; ``` 2. **Clear Cache** ```bash redis-cli FLUSHALL ``` 3. **Restore Application** ```bash pm2 stop all git checkout previous-release-tag npm install npm run build pm2 start ecosystem.config.js ``` ## ๐Ÿ“ˆ Post-Deployment Monitoring ### Key Metrics to Monitor | Metric | Alert Threshold | Check Frequency | | ------------------- | --------------- | --------------- | | Error Rate | > 1% | Every 1 min | | Response Time (p95) | > 200ms | Every 1 min | | CPU Usage | > 80% | Every 30 sec | | Memory Usage | > 3GB | Every 30 sec | | Cache Hit Rate | < 70% | Every 5 min | | Active Threats | > 50 | Every 1 min | ### Monitoring Dashboard ```javascript // monitoring-queries.js const monitoringQueries = { // Performance metrics filterLatency: ` histogram_quantile(0.95, rate(security_filter_latency_ms_bucket[5m]) ) `, // Security metrics threatDetectionRate: ` rate(security_threats_detected_total[5m]) `, // System health errorRate: ` rate(http_requests_total{status=~"5.."}[5m]) / rate(http_requests_total[5m]) `, // Resource usage memoryUsage: ` process_resident_memory_bytes / 1024 / 1024 `, } ``` ## โœ… Post-Deployment Checklist ### Immediate (First Hour) - [ ] All health checks passing - [ ] No error spike in logs - [ ] Performance metrics within limits - [ ] Security filters working correctly - [ ] Audit logs being recorded ### Short Term (First 24 Hours) - [ ] Monitor user feedback - [ ] Check cache effectiveness - [ ] Validate threat detection - [ ] Review security alerts - [ ] Performance optimization ### Long Term (First Week) - [ ] Analyze security patterns - [ ] Optimize cache strategy - [ ] Fine-tune threat models - [ ] Review resource usage - [ ] Plan next improvements ## ๐Ÿ†˜ Troubleshooting ### Common Issues 1. **High Memory Usage** ```bash # Check memory usage pm2 monit # Force garbage collection pm2 trigger sfera-security gc # Restart if needed pm2 restart sfera-security ``` 2. **Cache Connection Issues** ```bash # Test Redis connection redis-cli ping # Check Redis memory redis-cli info memory # Clear cache if corrupted redis-cli FLUSHDB ``` 3. **Database Performance** ```sql -- Check slow queries SELECT * FROM pg_stat_statements WHERE mean_exec_time > 100 ORDER BY mean_exec_time DESC; -- Update statistics ANALYZE; ``` ## ๐Ÿ“ž Support Contacts - **Security Team**: security@sfera.com - **DevOps**: devops@sfera.com - **On-Call**: +1-XXX-XXX-XXXX - **Slack**: #security-incidents --- _Document Version: 1.0_ _Last Updated: January 2024_ _Next Review: Monthly_