Create SECURITY.md for security policy

[salar-masdoumnejad]

Add a security policy document outlining supported versions and vulnerability reporting.Coding partner
Building a v1 Enterprise Tracking Layer requires moving from a "client-to-platform" model to a "client-to-server-to-platform" model.

In this architecture, your frontend SDK becomes a simple data transmitter, while your Node.js/Next.js API Gateway acts as the brain—validating schemas, scrubbing PII, and routing data to GA4, BigQuery, or your AI scoring engine.

Phase 1: The Server-Side Gateway (v1)
This implementation uses Zod for schema enforcement and the GA4 Measurement Protocol for server-side dispatching.

1. The Event Schema & Validator (lib/schema.js)
   We define a unified structure that every event across all your brands (SMN, BWGG) must follow.

JavaScript
import { z } from 'zod';

// Unified Event Schema
export const EventSchema = z.object({
company_id: z.enum(['SMN', 'BWGG', 'GHO']), // Restrict to your specific brands
event_name: z.string().min(1).max(40),
client_id: z.string(), // GA4 cid
session_id: z.string().optional(),
user_id_hashed: z.string().optional(),
properties: z.record(z.any()).default({}),
context: z.object({
url: z.string().url(),
user_agent: z.string(),
ip_anonymized: z.string().optional(),
}),
metadata: z.object({
trace_id: z.string(),
ts: z.number(),
})
});
2. The API Gateway Controller (pages/api/collect.js)
This is your single ingestion point. It acts as the PII Firewall.

JavaScript
import { EventSchema } from '../../lib/schema';

const GA_API_SECRET = process.env.GA_MEASUREMENT_SECRET;
const GA_MEASUREMENT_ID = process.env.NEXT_PUBLIC_GA_ID;

export default async function handler(req, res) {
if (req.method !== 'POST') return res.status(405).end();

try {
// 1. Validation & Schema Enforcement
const validatedData = EventSchema.parse(req.body);

// 2. Security: Server-Side PII Scrubbing (Pattern Based)
const sanitizedProps = { ...validatedData.properties };
const SENSITIVE_REGEX = /(email|password|token|phone|card|ssn)/i;

Object.keys(sanitizedProps).forEach(key => {
  if (SENSITIVE_REGEX.test(key)) delete sanitizedProps[key];
});

// 3. Routing: Forward to GA4 via Measurement Protocol
// This survives ad-blockers because it's a server-to-server call
const ga4Payload = {
  client_id: validatedData.client_id,
  events: [{
    name: validatedData.event_name,
    params: {
      ...sanitizedProps,
      company_id: validatedData.company_id,
      engagement_time_msec: 1,
    },
  }],
};

const gaResponse = await fetch(
  `https://www.google-analytics.com/mp/collect?measurement_id=${GA_MEASUREMENT_ID}&api_secret=${GA_API_SECRET}`,
  {
    method: 'POST',
    body: JSON.stringify(ga4Payload),
  }
);

// 4. Optional: Pipe to BigQuery / internal DB here
// await logToBigQuery(validatedData);

return res.status(200).json({ status: 'success', trace_id: validatedData.metadata.trace_id });

} catch (error) {
console.error('[Gateway Error]', error);
return res.status(400).json({ error: 'Invalid payload or security violation' });
}
}
Phase 2: Updating the Client SDK
Now, update your frontend track function to hit your own server, not Google's.

JavaScript
// Inside your frontend utils/analytics.js
export const track = async (eventName, props = {}) => {
const payload = {
company_id: 'BWGG', // Set per app
event_name: eventName,
client_id: getOrCreateClientId(), // Utility to persist a unique ID in cookies
properties: props,
context: {
url: window.location.href,
user_agent: navigator.userAgent,
},
metadata: {
trace_id: Math.random().toString(36).slice(2),
ts: Date.now(),
}
};

// Secure Transmission
return fetch('/api/collect', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(payload),
keepalive: true,
});
};
3. Why this is "Enterprise Grade"
Bypasses Ad-Blockers: Since the browser only talks to yourdomain.com/api/collect, most privacy extensions won't block the request. The server then talks to Google.

Data Normalization: You ensure that purchase events from SMN Luxury and BWGG look identical in your database.

Zero-Leakage: Even if a junior developer logs a user's password in a track() call, your server-side PII Firewall strips it before it hits any external platform.

Audit Trail: Every event has a trace_id, making it easy to debug disputes or technical failures in your BigQuery logs.

Testing your v1
Trigger an event on your site.

Inspect the Network Tab: You should see a POST to /api/collect.

Check GA4 DebugView: You should see the event appear, even if you are using an Ad-Blocker (like uBlock Origin).

Would you like me to add the "AI Layer" now to score these events as they pass through the gateway?
Fixes #