# WIA-SEC-017: Security Audit ## Phases 2, 3, and 4 - Advanced Implementation **Standard ID:** WIA-SEC-017 **Category:** Security (SEC) **Version:** 1.0.0 **Status:** Active **Last Updated:** 2025-12-25 --- # PHASE 2: Advanced Analytics & Machine Learning ## 1. Anomaly Detection Engine ### 1.1 Behavioral Analysis The anomaly detection engine uses machine learning to identify suspicious patterns in audit logs: ```javascript class AuditAnomalyDetector { constructor() { this.model = new IsolationForest({ contamination: 0.1, // Expected anomaly rate nEstimators: 100 }); this.userProfiles = new Map(); } /** * Train model on historical audit data */ async train(historicalLogs) { const features = historicalLogs.map(log => this.extractFeatures(log) ); await this.model.fit(features); // Build user behavior profiles this.buildUserProfiles(historicalLogs); } /** * Extract features from audit log */ extractFeatures(auditLog) { return { // Temporal features hour_of_day: new Date(auditLog.timestamp).getHours(), day_of_week: new Date(auditLog.timestamp).getDay(), is_weekend: [0, 6].includes(new Date(auditLog.timestamp).getDay()), // Location features country_code: this.encodeCountry(auditLog.actor.location.country), is_vpn: this.detectVPN(auditLog.actor.ip_address), distance_from_usual: this.calculateLocationDeviation( auditLog.actor.user_id, auditLog.actor.location ), // Access pattern features resource_sensitivity: this.classifyResourceSensitivity(auditLog.resource), operation_type: this.encodeOperation(auditLog.action.operation), failure_rate: this.calculateRecentFailureRate(auditLog.actor.user_id), // User features user_tenure_days: this.calculateUserTenure(auditLog.actor.user_id), privilege_level: this.getUserPrivilegeLevel(auditLog.actor.user_id), recent_activity_volume: this.getRecentActivityVolume(auditLog.actor.user_id) }; } /** * Detect anomalies in real-time */ async detectAnomaly(auditLog) { const features = this.extractFeatures(auditLog); const anomalyScore = await this.model.predict([features]); // Multi-layer anomaly detection const detections = { ml_score: anomalyScore[0], rule_based: this.ruleBasedDetection(auditLog), behavioral: this.behavioralDetection(auditLog), statistical: this.statisticalDetection(auditLog) }; // Aggregate scores const finalScore = this.aggregateScores(detections); return { is_anomaly: finalScore > 0.7, confidence: finalScore, detections: detections, recommended_actions: this.recommendActions(finalScore, detections) }; } /** * Rule-based anomaly detection */ ruleBasedDetection(auditLog) { let score = 0; const reasons = []; // Check for impossible travel if (this.isImpossibleTravel(auditLog)) { score += 0.9; reasons.push('Impossible travel detected'); } // Check for unusual access time if (this.isUnusualTime(auditLog)) { score += 0.3; reasons.push('Access outside normal hours'); } // Check for privilege escalation if (auditLog.event_type === 'PRIVILEGE_ESCALATION') { score += 0.6; reasons.push('Privilege escalation event'); } // Check for repeated failures const failureRate = this.calculateRecentFailureRate(auditLog.actor.user_id); if (failureRate > 0.5) { score += 0.8; reasons.push(`High failure rate: ${(failureRate * 100).toFixed(1)}%`); } return { score: Math.min(score, 1.0), reasons }; } /** * Behavioral deviation detection */ behavioralDetection(auditLog) { const userId = auditLog.actor.user_id; const profile = this.userProfiles.get(userId); if (!profile) { return { score: 0.5, reasons: ['New user - no baseline'] }; } let score = 0; const reasons = []; // Check location deviation const locationDev = this.calculateLocationDeviation(userId, auditLog.actor.location); if (locationDev > 1000) { // km score += 0.5; reasons.push(`Unusual location: ${locationDev.toFixed(0)}km from normal`); } // Check resource access pattern if (!profile.typical_resources.includes(auditLog.resource.id)) { score += 0.4; reasons.push('Accessing unusual resource'); } // Check time pattern const hourDev = Math.abs( new Date(auditLog.timestamp).getHours() - profile.typical_hour ); if (hourDev > 4) { score += 0.3; reasons.push('Unusual time of access'); } return { score: Math.min(score, 1.0), reasons }; } /** * Statistical outlier detection */ statisticalDetection(auditLog) { const userId = auditLog.actor.user_id; const profile = this.userProfiles.get(userId); if (!profile || !profile.statistics) { return { score: 0.3, reasons: ['Insufficient data'] }; } let score = 0; const reasons = []; // Check if current activity is outlier const currentVolume = this.getRecentActivityVolume(userId, 1); // last hour const zscore = (currentVolume - profile.statistics.mean_hourly_activity) / profile.statistics.std_hourly_activity; if (Math.abs(zscore) > 3) { score += 0.7; reasons.push(`Unusual activity volume: ${zscore.toFixed(2)} std devs`); } return { score: Math.min(score, 1.0), reasons }; } } ``` ### 1.2 Threat Intelligence Integration ```javascript class ThreatIntelligenceIntegration { constructor() { this.feeds = { ip_reputation: new IPReputationService(), malware_indicators: new MalwareIndicatorService(), threat_actors: new ThreatActorService() }; } /** * Enrich audit log with threat intelligence */ async enrichAuditLog(auditLog) { const enrichment = { ip_reputation: await this.checkIPReputation(auditLog.actor.ip_address), known_threats: await this.checkKnownThreats(auditLog), geo_risk: await this.assessGeoRisk(auditLog.actor.location) }; // Calculate threat score const threatScore = this.calculateThreatScore(enrichment); return { ...auditLog, threat_intelligence: enrichment, threat_score: threatScore, risk_level: this.classifyRisk(threatScore) }; } async checkIPReputation(ipAddress) { const reputation = await this.feeds.ip_reputation.check(ipAddress); return { score: reputation.score, // 0-100 categories: reputation.categories, // ['proxy', 'tor', 'vpn', 'malicious'] last_seen_malicious: reputation.last_seen, threat_feeds: reputation.feeds_reporting }; } } ``` --- # PHASE 3: Real-time Monitoring & Alerting ## 2. Real-time Event Streaming ### 2.1 Event Stream Architecture ```javascript // WebSocket-based real-time audit streaming class AuditEventStream { constructor(config) { this.kafka = new KafkaClient(config.kafka); this.subscriptions = new Map(); this.filters = new Map(); } /** * Subscribe to audit events with filters */ subscribe(clientId, filters) { const subscription = { id: clientId, filters: filters, socket: null, last_sequence: 0 }; this.subscriptions.set(clientId, subscription); // Create filtered Kafka consumer this.createConsumer(clientId, filters); return subscription.id; } /** * Create Kafka consumer for filtered audit stream */ async createConsumer(clientId, filters) { const consumer = this.kafka.consumer({ groupId: `audit-stream-${clientId}`, sessionTimeout: 30000 }); await consumer.connect(); await consumer.subscribe({ topic: 'security-audit-events', fromBeginning: false }); await consumer.run({ eachMessage: async ({ topic, partition, message }) => { const auditEvent = JSON.parse(message.value.toString()); // Apply client filters if (this.matchesFilters(auditEvent, filters)) { this.sendToClient(clientId, auditEvent); } } }); } /** * Filter matching logic */ matchesFilters(auditEvent, filters) { // Severity filter if (filters.severity && !filters.severity.includes(auditEvent.severity)) { return false; } // Event type filter if (filters.event_types && !filters.event_types.includes(auditEvent.event_type)) { return false; } // Compliance tags filter if (filters.compliance_tags) { const hasTag = filters.compliance_tags.some(tag => auditEvent.metadata.compliance_tags.includes(tag) ); if (!hasTag) return false; } // User filter if (filters.users && !filters.users.includes(auditEvent.actor.user_id)) { return false; } // Resource filter if (filters.resources && !filters.resources.includes(auditEvent.resource.id)) { return false; } return true; } } ``` ### 2.2 Alert Configuration ```json { "alert_rules": [ { "id": "RULE-001", "name": "Critical Security Event", "description": "Alert on any critical severity event", "enabled": true, "conditions": { "severity": ["CRITICAL"], "event_types": ["*"] }, "actions": [ { "type": "email", "recipients": ["security@company.com"], "template": "critical_security_event" }, { "type": "sms", "recipients": ["+1-555-0100"], "message": "CRITICAL: {{event_type}} by {{actor.user_id}}" }, { "type": "webhook", "url": "https://incident.company.com/api/create", "method": "POST" }, { "type": "slack", "channel": "#security-alerts", "mention": ["@security-oncall"] } ], "throttle": { "window_seconds": 300, "max_alerts": 5 } }, { "id": "RULE-002", "name": "Privilege Escalation Detected", "description": "Alert on privilege escalation events", "enabled": true, "conditions": { "event_type": ["PRIVILEGE_ESCALATION"], "severity": ["HIGH", "CRITICAL"] }, "actions": [ { "type": "incident", "severity": "high", "runbook": "https://runbooks.company.com/privilege-escalation" } ] }, { "id": "RULE-003", "name": "Anomalous Access Pattern", "description": "Alert on detected anomalies", "enabled": true, "conditions": { "anomaly_score": { "gte": 0.8 } }, "actions": [ { "type": "email", "recipients": ["soc@company.com"] }, { "type": "automatic_response", "action": "require_mfa_reverification" } ] } ] } ``` ### 2.3 Incident Response Automation ```javascript class AutomatedIncidentResponse { constructor() { this.playbooks = new Map(); this.loadPlaybooks(); } /** * Execute automated response to security event */ async respondToEvent(auditEvent, anomalyDetection) { // Determine response level const responseLevel = this.determineResponseLevel( auditEvent.severity, anomalyDetection.confidence ); // Select appropriate playbook const playbook = this.selectPlaybook(auditEvent.event_type, responseLevel); // Execute response actions const results = await this.executePlaybook(playbook, auditEvent); // Log response actions await this.logResponseActions(auditEvent, playbook, results); return results; } /** * Example playbook: Suspicious Login */ async executeSuspiciousLoginPlaybook(auditEvent) { const actions = []; // 1. Require MFA re-verification actions.push( await this.requireMFAReverification(auditEvent.actor.session_id) ); // 2. Notify user of suspicious activity actions.push( await this.notifyUser(auditEvent.actor.user_id, { type: 'suspicious_login', location: auditEvent.actor.location, ip: auditEvent.actor.ip_address }) ); // 3. Limit session permissions actions.push( await this.limitSessionPermissions(auditEvent.actor.session_id, { allowed_operations: ['READ'], restricted_resources: ['CONFIDENTIAL', 'RESTRICTED'] }) ); // 4. Monitor subsequent activity actions.push( await this.enableEnhancedMonitoring(auditEvent.actor.user_id, { duration_minutes: 60, capture_all_actions: true }) ); return actions; } /** * Example playbook: Data Breach Attempt */ async executeDataBreachPlaybook(auditEvent) { const actions = []; // 1. Immediately terminate session actions.push( await this.terminateSession(auditEvent.actor.session_id) ); // 2. Lock user account actions.push( await this.lockAccount(auditEvent.actor.user_id, { reason: 'Suspected data breach attempt', require_security_review: true }) ); // 3. Block IP address actions.push( await this.blockIPAddress(auditEvent.actor.ip_address, { duration_hours: 24, scope: 'GLOBAL' }) ); // 4. Create critical incident actions.push( await this.createIncident({ severity: 'CRITICAL', type: 'DATA_BREACH_ATTEMPT', details: auditEvent, assignee: 'security-oncall' }) ); // 5. Notify security team actions.push( await this.notifySecurityTeam({ priority: 'URGENT', event: auditEvent, automated_actions: actions }) ); return actions; } } ``` --- # PHASE 4: Advanced Reporting & Compliance Automation ## 3. Compliance Report Generation ### 3.1 SOC 2 Report Generator ```javascript class SOC2ReportGenerator { /** * Generate SOC 2 Type II compliance report */ async generateReport(startDate, endDate) { const report = { report_type: 'SOC2_TYPE_II', period: { start: startDate, end: endDate }, organization: await this.getOrganizationInfo(), trust_service_criteria: await this.evaluateTrustServiceCriteria(startDate, endDate), control_testing: await this.testControls(startDate, endDate), exceptions: await this.identifyExceptions(startDate, endDate), evidence: await this.collectEvidence(startDate, endDate) }; return report; } /** * Evaluate Trust Service Criteria (CC controls) */ async evaluateTrustServiceCriteria(startDate, endDate) { return { CC6_1_monitoring: await this.evaluateCC61(startDate, endDate), CC6_2_change_management: await this.evaluateCC62(startDate, endDate), CC6_3_access_monitoring: await this.evaluateCC63(startDate, endDate), CC7_1_detection: await this.evaluateCC71(startDate, endDate), CC7_2_response: await this.evaluateCC72(startDate, endDate) }; } /** * CC6.1 - System Monitoring */ async evaluateCC61(startDate, endDate) { const auditLogs = await this.queryAuditLogs({ start_date: startDate, end_date: endDate, event_types: ['SECURITY_EVENT', 'SYSTEM_EVENT'] }); return { control_id: 'CC6.1', description: 'System is monitored for security events', status: auditLogs.length > 0 ? 'EFFECTIVE' : 'DEFICIENT', evidence_count: auditLogs.length, testing_results: { total_days: this.daysBetween(startDate, endDate), days_with_monitoring: this.countDaysWithActivity(auditLogs), coverage_percentage: this.calculateCoverage(auditLogs, startDate, endDate) }, sample_evidence: auditLogs.slice(0, 10) }; } /** * CC7.2 - Incident Response */ async evaluateCC72(startDate, endDate) { const incidents = await this.queryIncidents(startDate, endDate); const responses = await this.queryIncidentResponses(startDate, endDate); return { control_id: 'CC7.2', description: 'Incidents are responded to in accordance with procedures', status: this.evaluateIncidentResponseEffectiveness(incidents, responses), metrics: { total_incidents: incidents.length, incidents_responded: responses.length, avg_response_time_minutes: this.calculateAvgResponseTime(incidents, responses), within_sla: this.countWithinSLA(incidents, responses) }, exceptions: this.identifyResponseExceptions(incidents, responses) }; } /** * Collect evidence for auditor review */ async collectEvidence(startDate, endDate) { return { audit_logs: await this.exportAuditLogsForPeriod(startDate, endDate), system_configurations: await this.exportSystemConfigurations(), access_reviews: await this.exportAccessReviews(startDate, endDate), change_logs: await this.exportChangeLogs(startDate, endDate), incident_reports: await this.exportIncidentReports(startDate, endDate), monitoring_reports: await this.exportMonitoringReports(startDate, endDate) }; } } ``` ### 3.2 ISO 27001 Compliance Report ```javascript class ISO27001ReportGenerator { async generateReport(startDate, endDate) { return { standard: 'ISO/IEC 27001:2022', certification_scope: await this.getCertificationScope(), controls_assessment: { A_12_4_1_event_logging: await this.assessA1241(startDate, endDate), A_12_4_2_log_protection: await this.assessA1242(startDate, endDate), A_12_4_3_admin_logs: await this.assessA1243(startDate, endDate), A_12_4_4_clock_sync: await this.assessA1244(startDate, endDate) }, risk_assessment: await this.performRiskAssessment(startDate, endDate), statement_of_applicability: await this.generateSOA() }; } /** * A.12.4.1 - Event logging */ async assessA1241(startDate, endDate) { const loggingCoverage = await this.calculateLoggingCoverage(); return { control: 'A.12.4.1', requirement: 'Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed', implementation_status: loggingCoverage > 0.95 ? 'IMPLEMENTED' : 'PARTIALLY_IMPLEMENTED', evidence: { systems_covered: await this.getMonitoredSystems(), coverage_percentage: loggingCoverage, log_types: ['authentication', 'authorization', 'data_access', 'config_change'], retention_compliance: await this.verifyRetentionCompliance(), review_frequency: 'CONTINUOUS' } }; } /** * A.12.4.2 - Protection of log information */ async assessA1242(startDate, endDate) { const integrity = await this.verifyLogIntegrity(startDate, endDate); return { control: 'A.12.4.2', requirement: 'Logging facilities and log information shall be protected against tampering and unauthorized access', implementation_status: integrity.violations === 0 ? 'IMPLEMENTED' : 'DEFICIENT', evidence: { cryptographic_protection: true, integrity_violations: integrity.violations, unauthorized_access_attempts: integrity.unauthorized_access, protection_mechanisms: [ 'Cryptographic signing', 'Blockchain-inspired chain', 'Access control', 'Encryption at rest' ] } }; } } ``` ### 3.3 GDPR Compliance Report ```javascript class GDPRComplianceReportGenerator { async generateReport(startDate, endDate) { return { regulation: 'GDPR (EU 2016/679)', data_controller: await this.getDataControllerInfo(), article_30_records: await this.generateArticle30Records(), article_32_security: await this.assessArticle32(startDate, endDate), article_33_breaches: await this.reportArticle33Breaches(startDate, endDate), data_subject_rights: await this.reportDataSubjectRights(startDate, endDate), dpia_summary: await this.getDPIASummary() }; } /** * Article 30 - Records of processing activities */ async generateArticle30Records() { const dataAccess = await this.queryAuditLogs({ event_types: ['DATA_ACCESS', 'DATA_MODIFICATION'], data_classification: ['PII'] }); return { processing_activities: await this.identifyProcessingActivities(dataAccess), purposes: await this.identifyProcessingPurposes(dataAccess), categories_of_data: this.categorizePersonalData(dataAccess), categories_of_recipients: this.identifyDataRecipients(dataAccess), transfers_to_third_countries: await this.identifyThirdCountryTransfers(dataAccess), retention_periods: this.extractRetentionPeriods(dataAccess) }; } /** * Article 33 - Notification of personal data breach */ async reportArticle33Breaches(startDate, endDate) { const breaches = await this.identifyDataBreaches(startDate, endDate); return breaches.map(breach => ({ breach_id: breach.id, discovery_date: breach.discovered_at, notification_date: breach.notified_at, notification_within_72h: this.hoursBetween( breach.discovered_at, breach.notified_at ) <= 72, nature_of_breach: breach.description, affected_data_subjects: breach.affected_count, likely_consequences: breach.impact_assessment, measures_taken: breach.remediation_actions, dpo_contact: breach.dpo_contact })); } } ``` --- ## 4. Advanced Query & Analytics ### 4.1 SQL-like Query Language ```javascript // WIA Audit Query Language (WAQL) const auditQuery = new WIAAuditQuery(); // Example: Find all failed authentication attempts from unusual locations const results = await auditQuery .select(['audit_id', 'timestamp', 'actor', 'location']) .from('security_audit') .where({ event_type: 'AUTHENTICATION', 'action.status': 'FAILURE', 'actor.location.country': { not_in: ['US', 'CA', 'GB'] } }) .timeRange('2025-12-01', '2025-12-31') .orderBy('timestamp', 'DESC') .limit(1000) .execute(); // Example: Aggregate query for compliance reporting const stats = await auditQuery .select([ 'event_type', 'count(*) as total_events', 'count(distinct actor.user_id) as unique_users', 'avg(action.duration_ms) as avg_duration' ]) .from('security_audit') .where({ severity: { in: ['HIGH', 'CRITICAL'] } }) .groupBy('event_type') .having('total_events > 100') .execute(); // Example: Anomaly detection query const anomalies = await auditQuery .select('*') .from('security_audit') .where({ anomaly_score: { gte: 0.8 } }) .join('threat_intelligence', { on: 'actor.ip_address = threat_intelligence.ip' }) .execute(); ``` ### 4.2 Predictive Analytics ```javascript class AuditPredictiveAnalytics { /** * Predict future security incidents based on historical patterns */ async predictIncidents(forecastDays = 30) { // Fetch historical incident data const historical = await this.fetchHistoricalIncidents(365); // Time series analysis const timeSeriesModel = new ARIMAModel({ p: 5, // autoregressive terms d: 1, // differencing q: 2 // moving average terms }); await timeSeriesModel.fit(historical.daily_incidents); // Generate forecast const forecast = await timeSeriesModel.predict(forecastDays); return { forecast_period_days: forecastDays, predicted_incidents: forecast, confidence_intervals: this.calculateConfidenceIntervals(forecast), risk_assessment: this.assessForecastRisk(forecast), recommendations: this.generateRecommendations(forecast) }; } /** * Predict user behavior anomalies */ async predictUserAnomalies(userId) { const userHistory = await this.fetchUserAuditHistory(userId, 90); // LSTM model for sequence prediction const lstm = new LSTMModel({ inputShape: [30, 15], // 30 timesteps, 15 features units: 64, layers: 2 }); await lstm.fit(userHistory.sequences, userHistory.labels); // Predict next 7 days of activity const predictions = await lstm.predict( userHistory.recent_sequence ); return { user_id: userId, prediction_period: '7 days', expected_patterns: predictions, anomaly_likelihood: this.calculateAnomalyLikelihood(predictions), recommended_monitoring_level: this.determineMonitoringLevel(predictions) }; } } ``` --- ## 5. Distributed Audit System ### 5.1 Multi-Region Architecture ``` ┌─────────────────────────────────────────────────────────────────┐ │ Global Audit System │ └─────────────────────────────────────────────────────────────────┘ │ │ │ ▼ ▼ ▼ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────┐ │ US-EAST-1 │ │ EU-WEST-1 │ │ AP-SOUTH-1 │ │ (Primary) │ │ (Secondary) │ │ (Secondary) │ │ │ │ │ │ │ │ ┌────────────┐ │ │ ┌────────────┐ │ │ ┌────────────┐ │ │ │ Collectors │ │ │ │ Collectors │ │ │ │ Collectors │ │ │ └─────┬──────┘ │ │ └─────┬──────┘ │ │ └─────┬──────┘ │ │ │ │ │ │ │ │ │ │ │ ┌─────▼──────┐ │ │ ┌─────▼──────┐ │ │ ┌─────▼──────┐ │ │ │ Storage │◄─┼──┼─▶│ Storage │◄─┼──┼─▶│ Storage │ │ │ │(Replication)│ │ │ │(Replication)│ │ │ │(Replication)│ │ │ └────────────┘ │ │ └────────────┘ │ │ └────────────┘ │ │ │ │ │ │ │ │ ┌────────────┐ │ │ ┌────────────┐ │ │ ┌────────────┐ │ │ │ Analytics │ │ │ │ Analytics │ │ │ │ Analytics │ │ │ └────────────┘ │ │ └────────────┘ │ │ └────────────┘ │ └──────────────────┘ └──────────────────┘ └──────────────────┘ ``` ### 5.2 Cross-Region Synchronization ```javascript class DistributedAuditSystem { constructor() { this.regions = ['us-east-1', 'eu-west-1', 'ap-south-1']; this.primaryRegion = 'us-east-1'; this.replicationFactor = 3; } /** * Submit audit event to distributed system */ async submitAuditEvent(event) { // 1. Write to local region (fast) const localWrite = await this.writeToLocalRegion(event); // 2. Async replication to other regions this.replicateToOtherRegions(event, localWrite.sequence); // 3. Return immediately with local confirmation return { receipt_id: localWrite.receipt_id, primary_region: localWrite.region, replicated_regions: this.regions.filter(r => r !== localWrite.region), replication_status: 'IN_PROGRESS' }; } /** * Async replication with conflict resolution */ async replicateToOtherRegions(event, sequence) { const replicationPromises = this.regions .filter(region => region !== this.getCurrentRegion()) .map(region => this.replicateToRegion(event, sequence, region)); // Fire and forget, but monitor for failures Promise.all(replicationPromises) .then(results => { this.logReplicationSuccess(event.audit_id, results); }) .catch(error => { this.handleReplicationFailure(event.audit_id, error); // Queue for retry this.queueForRetry(event, sequence); }); } } ``` --- ## 6. Performance Optimization ### 6.1 Indexing Strategy ```javascript // Audit log indices for optimal query performance const indices = [ { name: 'idx_timestamp', fields: ['timestamp'], type: 'BTREE', use_case: 'Time-range queries' }, { name: 'idx_user_timestamp', fields: ['actor.user_id', 'timestamp'], type: 'BTREE', use_case: 'User activity history' }, { name: 'idx_event_type_severity', fields: ['event_type', 'severity'], type: 'BTREE', use_case: 'Filtering by event type and severity' }, { name: 'idx_compliance_tags', fields: ['metadata.compliance_tags'], type: 'GIN', use_case: 'Compliance-specific queries' }, { name: 'idx_full_text_search', fields: ['actor.user_id', 'resource.id', 'action.operation'], type: 'GIN', use_case: 'Full-text search across audit logs' } ]; ``` ### 6.2 Caching Strategy ```javascript class AuditQueryCache { constructor() { this.redis = new RedisClient(); this.defaultTTL = 300; // 5 minutes } async cachedQuery(queryKey, queryFn, ttl = this.defaultTTL) { // Check cache const cached = await this.redis.get(queryKey); if (cached) { return JSON.parse(cached); } // Execute query const result = await queryFn(); // Cache result await this.redis.setex(queryKey, ttl, JSON.stringify(result)); return result; } } ``` --- **Previous Phase:** [PHASE-1-CORE.md](./PHASE-1-CORE.md) **Next:** [SPEC-APPENDIX.md](./SPEC-APPENDIX.md) --- © 2025 SmileStory Inc. / WIA 弘益人間 (홍익인간) · Benefit All Humanity