security.py

"""
security.py - SKT OMNI-ARC V49 Security Module
Handles encryption, input sanitization, Entity Secret management,
and threat protection for developer-controlled wallets.
"""

import hashlib
import os
import base64
from datetime import datetime
import json

class SecurityManager:
    """Core security layer for SKT OMNI-ARC V49"""
    
    def __init__(self):
        self.entity_secret = os.getenv("CIRCLE_ENTITY_SECRET", "")
        self.secret_key = os.getenv("SECRET_KEY", "skt-omni-arc-v49-default-key-2026")  # Change in production
    
    def hash_data(self, data: str) -> str:
        """SHA-256 hashing for audit logs"""
        return hashlib.sha256(data.encode()).hexdigest()
    
    def sanitize_input(self, text: str) -> str:
        """Basic input sanitization against injection"""
        if not text:
            return ""
        return str(text).strip()[:500]  # Limit length
    
    def encrypt_sensitive(self, data: str) -> str:
        """Simple AES-like base64 encryption (production mein cryptography lib use karo)"""
        try:
            encoded = base64.b64encode(data.encode()).decode()
            return f"ENC:{encoded}"
        except:
            return data
    
    def validate_entity_secret(self) -> bool:
        """Check if Entity Secret is properly configured for Circle wallets"""
        if not self.entity_secret or len(self.entity_secret) < 32:
            print("⚠️ Warning: CIRCLE_ENTITY_SECRET not properly set. Using demo mode.")
            return False
        return True
    
    def log_audit(self, action: str, details: dict, user_id: str = "system"):
        """Audit logging for compliance"""
        log_entry = {
            "timestamp": datetime.now().isoformat(),
            "action": action,
            "user_id": user_id,
            "details_hash": self.hash_data(json.dumps(details)),
            "ip": "internal"  # In production use request IP
        }
        
        try:
            with open("audit_log.json", "a") as f:
                f.write(json.dumps(log_entry) + "\n")
        except:
            pass  # Fail silently in demo
        
        print(f"🔒 Audit: {action} | User: {user_id}")

# Global instance
security = SecurityManager()

# Utility functions
def generate_session_id():
    return f"SESS-{hashlib.sha256(str(datetime.now()).encode()).hexdigest()[:12].upper()}"

print("✅ security.py loaded - Entity Secret & Audit ready")