feat(security): Add security event logging + input length validation

- Add security-logger.ts with audit trail for security events
- Log: webhook requests, rate limits, signature failures, action execution
- Log: body too large, invalid content type, config validation errors, cleanup
- Add input length validation (1000 char SMS body, 20 char phone number)
- Logs written to ~/.stackmemory/logs/security.log with 0600 permissions
- IP addresses masked for privacy (keep first two octets only)
- Auto-rotation at 10000 entries

Completes security audit recommendations.

Author: jonathanpeterwu

src/hooks/schemas.ts

@@ -4,6 +4,7 @@
  */
 
 import { z } from 'zod';
+import { logConfigInvalid } from './security-logger.js';
 
 // SMS/WhatsApp notification schemas
 export const PromptOptionSchema = z.object({
@@ -111,11 +112,10 @@ export function parseConfigSafe<T>(
   if (result.success) {
     return result.data;
   }
-  console.error(
-    `[hooks] Invalid ${configName} config:`,
-    result.error.issues
-      .map((i) => `${i.path.join('.')}: ${i.message}`)
-      .join(', ')
+  const errors = result.error.issues.map(
+    (i) => `${i.path.join('.')}: ${i.message}`
   );
+  logConfigInvalid(configName, errors);
+  console.error(`[hooks] Invalid ${configName} config:`, errors.join(', '));
   return defaultValue;
 }

src/hooks/security-logger.ts

@@ -0,0 +1,240 @@
+/**
+ * Security Event Logger for hooks
+ * Logs security-relevant events for audit trail
+ */
+
+import { appendFileSync, existsSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+import { ensureSecureDir } from './secure-fs.js';
+
+const LOG_DIR = join(homedir(), '.stackmemory', 'logs');
+const SECURITY_LOG = join(LOG_DIR, 'security.log');
+const MAX_LOG_ENTRIES = 10000;
+
+export type SecurityEventType =
+  | 'auth_success'
+  | 'auth_failure'
+  | 'rate_limit'
+  | 'action_allowed'
+  | 'action_blocked'
+  | 'config_invalid'
+  | 'config_loaded'
+  | 'webhook_request'
+  | 'signature_invalid'
+  | 'body_too_large'
+  | 'content_type_invalid'
+  | 'cleanup';
+
+export interface SecurityEvent {
+  timestamp: string;
+  type: SecurityEventType;
+  source: string;
+  message: string;
+  details?: Record<string, unknown>;
+  ip?: string;
+}
+
+let logCount = 0;
+
+/**
+ * Log a security event
+ */
+export function logSecurityEvent(
+  type: SecurityEventType,
+  source: string,
+  message: string,
+  details?: Record<string, unknown>,
+  ip?: string
+): void {
+  try {
+    ensureSecureDir(LOG_DIR);
+
+    const event: SecurityEvent = {
+      timestamp: new Date().toISOString(),
+      type,
+      source,
+      message,
+      ...(details && { details }),
+      ...(ip && { ip: maskIp(ip) }),
+    };
+
+    const logLine = JSON.stringify(event) + '\n';
+    appendFileSync(SECURITY_LOG, logLine, { mode: 0o600 });
+
+    logCount++;
+
+    // Rotate log if too large (simple rotation - truncate)
+    if (logCount > MAX_LOG_ENTRIES) {
+      rotateLog();
+    }
+  } catch {
+    // Don't let logging failures break the application
+  }
+}
+
+/**
+ * Mask IP address for privacy (keep first two octets)
+ */
+function maskIp(ip: string): string {
+  if (!ip) return 'unknown';
+
+  // Handle IPv6 localhost
+  if (ip === '::1' || ip === '::ffff:127.0.0.1') return '127.0.0.x';
+
+  // Handle IPv4
+  const parts = ip.replace('::ffff:', '').split('.');
+  if (parts.length === 4) {
+    return `${parts[0]}.${parts[1]}.x.x`;
+  }
+
+  // Handle IPv6 - mask last 64 bits
+  if (ip.includes(':')) {
+    const segments = ip.split(':');
+    if (segments.length >= 4) {
+      return segments.slice(0, 4).join(':') + ':x:x:x:x';
+    }
+  }
+
+  return 'masked';
+}
+
+/**
+ * Simple log rotation - keep last half of entries
+ */
+function rotateLog(): void {
+  try {
+    if (existsSync(SECURITY_LOG)) {
+      const content = readFileSync(SECURITY_LOG, 'utf8');
+      const lines = content.trim().split('\n');
+      const keepLines = lines.slice(-MAX_LOG_ENTRIES / 2);
+      writeFileSync(SECURITY_LOG, keepLines.join('\n') + '\n', { mode: 0o600 });
+      logCount = keepLines.length;
+    }
+  } catch {
+    // Ignore rotation errors
+  }
+}
+
+// Convenience functions for common events
+
+export function logAuthSuccess(
+  source: string,
+  details?: Record<string, unknown>
+): void {
+  logSecurityEvent(
+    'auth_success',
+    source,
+    'Authentication successful',
+    details
+  );
+}
+
+export function logAuthFailure(
+  source: string,
+  reason: string,
+  ip?: string,
+  details?: Record<string, unknown>
+): void {
+  logSecurityEvent(
+    'auth_failure',
+    source,
+    `Authentication failed: ${reason}`,
+    details,
+    ip
+  );
+}
+
+export function logRateLimit(source: string, ip: string): void {
+  logSecurityEvent('rate_limit', source, 'Rate limit exceeded', undefined, ip);
+}
+
+export function logActionAllowed(source: string, action: string): void {
+  logSecurityEvent(
+    'action_allowed',
+    source,
+    `Action executed: ${action.substring(0, 100)}`
+  );
+}
+
+export function logActionBlocked(
+  source: string,
+  action: string,
+  reason: string
+): void {
+  logSecurityEvent('action_blocked', source, `Action blocked: ${reason}`, {
+    action: action.substring(0, 100),
+  });
+}
+
+export function logConfigInvalid(source: string, errors: string[]): void {
+  logSecurityEvent('config_invalid', source, 'Invalid config rejected', {
+    errors: errors.slice(0, 5),
+  });
+}
+
+export function logWebhookRequest(
+  source: string,
+  method: string,
+  path: string,
+  ip?: string
+): void {
+  logSecurityEvent(
+    'webhook_request',
+    source,
+    `${method} ${path}`,
+    undefined,
+    ip
+  );
+}
+
+export function logSignatureInvalid(source: string, ip?: string): void {
+  logSecurityEvent(
+    'signature_invalid',
+    source,
+    'Invalid request signature',
+    undefined,
+    ip
+  );
+}
+
+export function logBodyTooLarge(
+  source: string,
+  size: number,
+  ip?: string
+): void {
+  logSecurityEvent(
+    'body_too_large',
+    source,
+    `Request body too large: ${size} bytes`,
+    undefined,
+    ip
+  );
+}
+
+export function logContentTypeInvalid(
+  source: string,
+  contentType: string,
+  ip?: string
+): void {
+  logSecurityEvent(
+    'content_type_invalid',
+    source,
+    `Invalid content type: ${contentType}`,
+    undefined,
+    ip
+  );
+}
+
+export function logCleanup(
+  source: string,
+  expiredPrompts: number,
+  oldActions: number
+): void {
+  if (expiredPrompts > 0 || oldActions > 0) {
+    logSecurityEvent('cleanup', source, 'Cleanup completed', {
+      expiredPrompts,
+      oldActions,
+    });
+  }
+}

src/hooks/sms-webhook.ts

@@ -28,10 +28,24 @@ import {
   cleanupOldActions,
 } from './sms-action-runner.js';
 import { writeFileSecure, ensureSecureDir } from './secure-fs.js';
+import {
+  logWebhookRequest,
+  logRateLimit,
+  logSignatureInvalid,
+  logBodyTooLarge,
+  logContentTypeInvalid,
+  logActionAllowed,
+  logActionBlocked,
+  logCleanup,
+} from './security-logger.js';
 
 // Cleanup interval (5 minutes)
 const CLEANUP_INTERVAL_MS = 5 * 60 * 1000;
 
+// Input validation constants
+const MAX_SMS_BODY_LENGTH = 1000;
+const MAX_PHONE_LENGTH = 20;
+
 // Security constants
 const MAX_BODY_SIZE = 50 * 1024; // 50KB max body
 const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
@@ -132,6 +146,17 @@ export function handleSMSWebhook(payload: TwilioWebhookPayload): {
 } {
   const { From, Body } = payload;
 
+  // Input length validation
+  if (Body && Body.length > MAX_SMS_BODY_LENGTH) {
+    console.log(`[sms-webhook] Body too long: ${Body.length} chars`);
+    return { response: 'Message too long. Max 1000 characters.' };
+  }
+
+  if (From && From.length > MAX_PHONE_LENGTH) {
+    console.log(`[sms-webhook] Invalid phone number length`);
+    return { response: 'Invalid phone number.' };
+  }
+
   console.log(`[sms-webhook] Received from ${From}: ${Body}`);
 
   const result = processIncomingResponse(From, Body);
@@ -165,6 +190,7 @@ export function handleSMSWebhook(payload: TwilioWebhookPayload): {
     );
 
     if (actionResult.success) {
+      logActionAllowed('sms-webhook', result.action);
       console.log(
         `[sms-webhook] Action completed: ${(actionResult.output || '').substring(0, 200)}`
       );
@@ -175,6 +201,11 @@ export function handleSMSWebhook(payload: TwilioWebhookPayload): {
         queued: false,
       };
     } else {
+      logActionBlocked(
+        'sms-webhook',
+        result.action,
+        actionResult.error || 'unknown'
+      );
       console.log(`[sms-webhook] Action failed: ${actionResult.error}`);
 
       // Queue for retry
@@ -281,9 +312,19 @@ export function startWebhookServer(port: number = 3456): void {
           url.pathname === '/webhook') &&
         req.method === 'POST'
       ) {
-        // Rate limiting
         const clientIp = req.socket.remoteAddress || 'unknown';
+
+        // Log webhook request
+        logWebhookRequest(
+          'sms-webhook',
+          req.method || 'POST',
+          url.pathname || '/sms',
+          clientIp
+        );
+
+        // Rate limiting
         if (!checkRateLimit(clientIp)) {
+          logRateLimit('sms-webhook', clientIp);
           res.writeHead(429, {
             'Content-Type': 'text/xml',
             'Retry-After': '60',
@@ -295,6 +336,7 @@ export function startWebhookServer(port: number = 3456): void {
         // Content-type validation
         const contentType = req.headers['content-type'] || '';
         if (!contentType.includes('application/x-www-form-urlencoded')) {
+          logContentTypeInvalid('sms-webhook', contentType, clientIp);
           res.writeHead(400, { 'Content-Type': 'text/xml' });
           res.end(twimlResponse('Invalid content type'));
           return;
@@ -308,6 +350,7 @@ export function startWebhookServer(port: number = 3456): void {
           // Body size limit
           if (body.length > MAX_BODY_SIZE) {
             bodyTooLarge = true;
+            logBodyTooLarge('sms-webhook', body.length, clientIp);
             req.destroy();
           }
         });
@@ -336,6 +379,7 @@ export function startWebhookServer(port: number = 3456): void {
                 twilioSignature
               )
             ) {
+              logSignatureInvalid('sms-webhook', clientIp);
               console.error('[sms-webhook] Invalid Twilio signature');
               res.writeHead(401, { 'Content-Type': 'text/xml' });
               res.end(twimlResponse('Unauthorized'));
@@ -426,6 +470,7 @@ export function startWebhookServer(port: number = 3456): void {
         const expiredPrompts = cleanupExpiredPrompts();
         const oldActions = cleanupOldActions();
         if (expiredPrompts > 0 || oldActions > 0) {
+          logCleanup('sms-webhook', expiredPrompts, oldActions);
           console.log(
             `[sms-webhook] Cleanup: ${expiredPrompts} expired prompts, ${oldActions} old actions`
           );