0nmcp 1.7.0 → 2.1.0

package/vault/crypto-container.js

@@ -0,0 +1,278 @@
+// ============================================================
+// 0nMCP — Vault: Container Crypto Primitives
+// ============================================================
+// AES-256-GCM encryption, Argon2id key derivation, X25519 ECDH,
+// Ed25519 signing, SHA3-256 hashing for the 0nVault container.
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// "System and Method for Semantically-Layered Encrypted Digital
+//  Business Asset Transfer with Multi-Party Escrow Key Distribution
+//  and Public-Verifiable State Certification"
+// ============================================================
+
+import { randomBytes, createCipheriv, createDecipheriv, randomUUID, pbkdf2Sync } from "crypto";
+import { createRequire } from "module";
+
+const require = createRequire(import.meta.url);
+
+// ── Load optional dependencies ───────────────────────────────
+let naclModule = null;
+let sha3Module = null;
+
+try { naclModule = require("tweetnacl"); } catch {}
+try { sha3Module = require("js-sha3"); } catch {}
+
+function requireNacl() {
+  if (naclModule) return naclModule;
+  throw new Error("tweetnacl package required. Install: npm i tweetnacl");
+}
+
+function requireSha3() {
+  if (sha3Module) return sha3Module;
+  throw new Error("js-sha3 package required. Install: npm i js-sha3");
+}
+
+// ── Constants ────────────────────────────────────────────────
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;  // 256 bits
+const IV_LENGTH = 12;   // 96 bits (GCM recommended)
+const SALT_LENGTH = 32; // 256 bits
+const TAG_LENGTH = 16;  // 128 bits (GCM auth tag)
+
+// Argon2id parameters for credentials double-encryption
+const ARGON2_MEMORY = 65536;     // 64MB
+const ARGON2_ITERATIONS = 4;
+const ARGON2_PARALLELISM = 2;
+const ARGON2_HASH_LENGTH = 32;   // 256 bits
+
+// ── Key Derivation ───────────────────────────────────────────
+
+/**
+ * Derive key from passphrase using PBKDF2-SHA512.
+ */
+function deriveKeyPBKDF2(passphrase, salt) {
+  return pbkdf2Sync(passphrase, salt, 100000, KEY_LENGTH, "sha512");
+}
+
+/**
+ * Derive key using Argon2id for credentials double-encryption.
+ *
+ * @param {string} passphrase
+ * @param {Buffer} salt
+ * @returns {Promise<Buffer>} 32-byte key
+ */
+export async function deriveKeyArgon2(passphrase, salt) {
+  let argon2;
+  try { argon2 = await import("argon2"); } catch {
+    throw new Error("argon2 package required for credentials layer. Install: npm i argon2");
+  }
+  const mod = argon2.default || argon2;
+  const hash = await mod.hash(passphrase, {
+    type: 2, // argon2id
+    memoryCost: ARGON2_MEMORY,
+    timeCost: ARGON2_ITERATIONS,
+    parallelism: ARGON2_PARALLELISM,
+    hashLength: ARGON2_HASH_LENGTH,
+    salt,
+    raw: true,
+  });
+  return hash;
+}
+
+// ── AES-256-GCM ──────────────────────────────────────────────
+
+/**
+ * Encrypt data with AES-256-GCM using a passphrase-derived key.
+ * Each call generates a unique IV and salt.
+ *
+ * @param {Buffer|string} plaintext - Data to encrypt
+ * @param {string} passphrase - Encryption passphrase
+ * @returns {{ ciphertext: Buffer, iv: Buffer, salt: Buffer, tag: Buffer }}
+ */
+export function encryptAES(plaintext, passphrase) {
+  const salt = randomBytes(SALT_LENGTH);
+  const iv = randomBytes(IV_LENGTH);
+  const key = deriveKeyPBKDF2(passphrase, salt);
+
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const data = typeof plaintext === "string" ? Buffer.from(plaintext, "utf8") : plaintext;
+  const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+  const tag = cipher.getAuthTag();
+
+  return { ciphertext: encrypted, iv, salt, tag };
+}
+
+/**
+ * Decrypt AES-256-GCM encrypted data.
+ *
+ * @param {Buffer} ciphertext - Encrypted data
+ * @param {string} passphrase - Decryption passphrase
+ * @param {Buffer} iv - Initialization vector
+ * @param {Buffer} salt - PBKDF2 salt
+ * @param {Buffer} tag - GCM auth tag
+ * @returns {Buffer} Decrypted data
+ */
+export function decryptAES(ciphertext, passphrase, iv, salt, tag) {
+  const key = deriveKeyPBKDF2(passphrase, salt);
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+
+  try {
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  } catch {
+    throw new Error("Decryption failed — wrong passphrase or corrupted data");
+  }
+}
+
+/**
+ * Encrypt data with a raw 256-bit key (for escrow layer keys).
+ *
+ * @param {Buffer} plaintext - Data to encrypt
+ * @param {Buffer} key - 32-byte AES key
+ * @returns {{ ciphertext: Buffer, iv: Buffer, tag: Buffer }}
+ */
+export function encryptAESRaw(plaintext, key) {
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return { ciphertext: encrypted, iv, tag };
+}
+
+/**
+ * Decrypt with a raw 256-bit key.
+ *
+ * @param {Buffer} ciphertext
+ * @param {Buffer} key - 32-byte AES key
+ * @param {Buffer} iv
+ * @param {Buffer} tag
+ * @returns {Buffer}
+ */
+export function decryptAESRaw(ciphertext, key, iv, tag) {
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  try {
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  } catch {
+    throw new Error("Decryption failed — wrong key or corrupted data");
+  }
+}
+
+// ── Ed25519 Signing ──────────────────────────────────────────
+
+/**
+ * Generate Ed25519 signing keypair.
+ * @returns {{ publicKey: Buffer, secretKey: Buffer }}
+ */
+export function generateSigningKeyPair() {
+  const nacl = requireNacl();
+  const pair = nacl.sign.keyPair();
+  return {
+    publicKey: Buffer.from(pair.publicKey),
+    secretKey: Buffer.from(pair.secretKey),
+  };
+}
+
+/**
+ * Sign data with Ed25519.
+ * @param {Buffer} data - Data to sign
+ * @param {Buffer} secretKey - 64-byte Ed25519 secret key
+ * @returns {Buffer} 64-byte signature
+ */
+export function sign(data, secretKey) {
+  const nacl = requireNacl();
+  const sig = nacl.sign.detached(new Uint8Array(data), new Uint8Array(secretKey));
+  return Buffer.from(sig);
+}
+
+/**
+ * Verify Ed25519 signature.
+ * @param {Buffer} data
+ * @param {Buffer} signature - 64-byte signature
+ * @param {Buffer} publicKey - 32-byte public key
+ * @returns {boolean}
+ */
+export function verifySignature(data, signature, publicKey) {
+  const nacl = requireNacl();
+  return nacl.sign.detached.verify(
+    new Uint8Array(data),
+    new Uint8Array(signature),
+    new Uint8Array(publicKey)
+  );
+}
+
+// ── X25519 ECDH ──────────────────────────────────────────────
+
+/**
+ * Generate X25519 keypair for escrow key exchange.
+ * @returns {{ publicKey: Buffer, secretKey: Buffer }}
+ */
+export function generateEscrowKeyPair() {
+  const nacl = requireNacl();
+  const pair = nacl.box.keyPair();
+  return {
+    publicKey: Buffer.from(pair.publicKey),
+    secretKey: Buffer.from(pair.secretKey),
+  };
+}
+
+/**
+ * Compute shared secret via X25519 ECDH.
+ * @param {Buffer} mySecretKey - 32-byte secret key
+ * @param {Buffer} theirPublicKey - 32-byte public key
+ * @returns {Buffer} 32-byte shared secret
+ */
+export function computeSharedSecret(mySecretKey, theirPublicKey) {
+  const nacl = requireNacl();
+  const shared = nacl.box.before(
+    new Uint8Array(theirPublicKey),
+    new Uint8Array(mySecretKey)
+  );
+  return Buffer.from(shared);
+}
+
+// ── SHA3-256 ─────────────────────────────────────────────────
+
+/**
+ * Compute SHA3-256 hash.
+ * @param {Buffer|string} data
+ * @returns {Buffer} 32-byte hash
+ */
+export function sha3(data) {
+  const sha3Lib = requireSha3();
+  const input = typeof data === "string" ? data : new Uint8Array(data);
+  const hash = sha3Lib.sha3_256.create().update(input).digest();
+  return Buffer.from(hash);
+}
+
+/**
+ * Compute SHA3-256 hash and return hex string.
+ * @param {Buffer|string} data
+ * @returns {string} 64-char hex hash
+ */
+export function sha3Hex(data) {
+  return sha3(data).toString("hex");
+}
+
+// ── UUID ─────────────────────────────────────────────────────
+
+/**
+ * Generate a UUID v4 transfer ID.
+ * @returns {string}
+ */
+export function generateTransferId() {
+  return randomUUID();
+}
+
+// ── Exports ──────────────────────────────────────────────────
+export {
+  ALGORITHM,
+  KEY_LENGTH,
+  IV_LENGTH,
+  SALT_LENGTH,
+  TAG_LENGTH,
+  ARGON2_MEMORY,
+  ARGON2_ITERATIONS,
+  ARGON2_PARALLELISM,
+  ARGON2_HASH_LENGTH,
+};

package/vault/deed-collector.js

@@ -0,0 +1,286 @@
+// ============================================================
+// 0nMCP — Vault: Deed Credential Collector
+// ============================================================
+// Collects credentials from multiple sources (files, dirs,
+// manual entry) and auto-detects services using the engine
+// mapper. Feeds into BusinessDeed.create().
+//
+// Patent Pending: US Provisional Patent Application #63/990,046
+// ============================================================
+
+import { existsSync, readdirSync, readFileSync } from "fs";
+import { join, extname } from "path";
+import { homedir } from "os";
+import { parseFile, parseEnvString, parseJsonString, parseCsvString } from "../engine/parser.js";
+import { mapEnvVars, groupByService } from "../engine/mapper.js";
+import { verifyCredentials } from "../engine/validator.js";
+
+const CONNECTIONS_DIR = join(homedir(), ".0n", "connections");
+
+// ── Collect from .0n connection files ───────────────────────
+
+/**
+ * Load credentials from ~/.0n/connections/*.0n files.
+ *
+ * @param {string} [dir] - Connections directory (default: ~/.0n/connections/)
+ * @returns {{ credentials: Object, services: string[] }}
+ */
+export function collectFromConnections(dir = CONNECTIONS_DIR) {
+  const credentials = {};
+  const services = [];
+
+  if (!existsSync(dir)) return { credentials, services };
+
+  const files = readdirSync(dir).filter(f => f.endsWith(".0n"));
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(join(dir, file), "utf-8");
+      const data = JSON.parse(content);
+
+      // .0n connection file format: { $0n: { type, service }, credentials: { ... } }
+      const service = data?.$0n?.service || file.replace(".0n", "");
+      if (data.credentials && typeof data.credentials === "object") {
+        credentials[service] = data.credentials;
+        services.push(service);
+      }
+    } catch {
+      // Skip invalid files
+    }
+  }
+
+  return { credentials, services };
+}
+
+// ── Collect from file (auto-detect format) ──────────────────
+
+/**
+ * Collect credentials from a file (.env, .json, .csv).
+ *
+ * @param {string} filePath
+ * @returns {{ credentials: Object, envVars: Object, services: string[], unmapped: Array }}
+ */
+export function collectFromFile(filePath) {
+  const { entries } = parseFile(filePath);
+  return processEntries(entries);
+}
+
+// ── Collect from string content ─────────────────────────────
+
+/**
+ * Collect from raw .env string content.
+ * @param {string} content
+ * @returns {{ credentials: Object, envVars: Object, services: string[], unmapped: Array }}
+ */
+export function collectFromEnvString(content) {
+  const entries = parseEnvString(content);
+  return processEntries(entries);
+}
+
+/**
+ * Collect from raw JSON string content.
+ * @param {string} content
+ * @returns {{ credentials: Object, envVars: Object, services: string[], unmapped: Array }}
+ */
+export function collectFromJsonString(content) {
+  const entries = parseJsonString(content);
+  return processEntries(entries);
+}
+
+/**
+ * Collect from raw CSV string content.
+ * @param {string} content
+ * @returns {{ credentials: Object, envVars: Object, services: string[], unmapped: Array }}
+ */
+export function collectFromCsvString(content) {
+  const entries = parseCsvString(content);
+  return processEntries(entries);
+}
+
+// ── Collect from manual key-value pairs ─────────────────────
+
+/**
+ * Collect from manual key-value pairs.
+ *
+ * @param {Array<{ key: string, value: string }>} pairs
+ * @returns {{ credentials: Object, envVars: Object, services: string[], unmapped: Array }}
+ */
+export function collectFromManual(pairs) {
+  return processEntries(pairs);
+}
+
+// ── Collect from pre-structured service credentials ─────────
+
+/**
+ * Collect from already-structured credentials object.
+ * Format: { stripe: { apiKey: "sk_..." }, github: { token: "ghp_..." } }
+ *
+ * @param {Object} structured
+ * @returns {{ credentials: Object, services: string[] }}
+ */
+export function collectFromStructured(structured) {
+  const services = Object.keys(structured);
+  return { credentials: structured, services };
+}
+
+// ── Process entries through mapper ──────────────────────────
+
+/**
+ * Process raw key-value entries through the mapper pipeline.
+ *
+ * @param {Array<{ key: string, value: string }>} entries
+ * @returns {{ credentials: Object, envVars: Object, services: string[], unmapped: Array }}
+ */
+function processEntries(entries) {
+  const { mapped, unmapped } = mapEnvVars(entries);
+  const grouped = groupByService(mapped);
+
+  // Build credentials and envVars
+  const credentials = {};
+  const envVars = {};
+  const services = [];
+
+  for (const [service, group] of Object.entries(grouped)) {
+    credentials[service] = group.credentials;
+    services.push(service);
+    for (const envVar of group.envVars) {
+      const entry = entries.find(e => e.key === envVar);
+      if (entry) envVars[entry.key] = entry.value;
+    }
+  }
+
+  // Unmapped entries go to envVars
+  for (const entry of unmapped) {
+    envVars[entry.key] = entry.value;
+  }
+
+  return { credentials, envVars, services, unmapped };
+}
+
+// ── Validate credentials live ───────────────────────────────
+
+/**
+ * Validate collected credentials against live API endpoints.
+ *
+ * @param {Object} credentials - { service: { field: value } }
+ * @returns {Promise<Object>} Validation results per service
+ */
+export async function validateCollected(credentials) {
+  const results = {};
+  const summary = { total: 0, valid: 0, invalid: 0, skipped: 0 };
+
+  const entries = Object.entries(credentials);
+  summary.total = entries.length;
+
+  // Validate in parallel batches of 5
+  const batchSize = 5;
+  for (let i = 0; i < entries.length; i += batchSize) {
+    const batch = entries.slice(i, i + batchSize);
+    const promises = batch.map(([service, creds]) =>
+      verifyCredentials(service, creds).then(r => ({ service, ...r }))
+    );
+    const batchResults = await Promise.allSettled(promises);
+
+    for (const result of batchResults) {
+      if (result.status === "fulfilled") {
+        const r = result.value;
+        results[r.service] = r;
+        if (r.skipped) summary.skipped++;
+        else if (r.valid) summary.valid++;
+        else summary.invalid++;
+      }
+    }
+  }
+
+  return { results, summary };
+}
+
+// ── Master collection function ──────────────────────────────
+
+/**
+ * Collect credentials from multiple sources at once.
+ *
+ * @param {Object} sources
+ * @param {string}  [sources.envFile] - Path to .env file
+ * @param {string}  [sources.jsonFile] - Path to JSON file
+ * @param {string}  [sources.csvFile] - Path to CSV file
+ * @param {string}  [sources.connectionsDir] - Path to connections dir
+ * @param {Array}   [sources.manual] - Manual key-value pairs
+ * @param {Object}  [sources.structured] - Pre-structured credentials
+ * @param {boolean} [sources.validate] - Validate credentials live
+ * @returns {Promise<Object>}
+ */
+export async function collectCredentials(sources) {
+  const allCredentials = {};
+  const allEnvVars = {};
+  const allServices = new Set();
+  const allUnmapped = [];
+
+  // Collect from each source
+  if (sources.envFile && existsSync(sources.envFile)) {
+    const result = collectFromFile(sources.envFile);
+    mergeResults(allCredentials, allEnvVars, allServices, allUnmapped, result);
+  }
+
+  if (sources.jsonFile && existsSync(sources.jsonFile)) {
+    const result = collectFromFile(sources.jsonFile);
+    mergeResults(allCredentials, allEnvVars, allServices, allUnmapped, result);
+  }
+
+  if (sources.csvFile && existsSync(sources.csvFile)) {
+    const result = collectFromFile(sources.csvFile);
+    mergeResults(allCredentials, allEnvVars, allServices, allUnmapped, result);
+  }
+
+  if (sources.connectionsDir || existsSync(CONNECTIONS_DIR)) {
+    const dir = sources.connectionsDir || CONNECTIONS_DIR;
+    const result = collectFromConnections(dir);
+    for (const [svc, creds] of Object.entries(result.credentials)) {
+      allCredentials[svc] = { ...allCredentials[svc], ...creds };
+      allServices.add(svc);
+    }
+  }
+
+  if (sources.manual && Array.isArray(sources.manual)) {
+    const result = collectFromManual(sources.manual);
+    mergeResults(allCredentials, allEnvVars, allServices, allUnmapped, result);
+  }
+
+  if (sources.structured && typeof sources.structured === "object") {
+    const result = collectFromStructured(sources.structured);
+    for (const [svc, creds] of Object.entries(result.credentials)) {
+      allCredentials[svc] = { ...allCredentials[svc], ...creds };
+      allServices.add(svc);
+    }
+  }
+
+  const output = {
+    credentials: allCredentials,
+    envVars: allEnvVars,
+    services: Array.from(allServices),
+    unmapped: allUnmapped,
+    credentialCount: Object.values(allCredentials).reduce(
+      (sum, svc) => sum + Object.keys(svc).length, 0
+    ),
+  };
+
+  // Optional live validation
+  if (sources.validate) {
+    output.validation = await validateCollected(allCredentials);
+  }
+
+  return output;
+}
+
+// ── Merge helper ────────────────────────────────────────────
+
+function mergeResults(allCreds, allEnv, allServices, allUnmapped, result) {
+  for (const [svc, creds] of Object.entries(result.credentials || {})) {
+    allCreds[svc] = { ...allCreds[svc], ...creds };
+    allServices.add(svc);
+  }
+  for (const [k, v] of Object.entries(result.envVars || {})) {
+    allEnv[k] = v;
+  }
+  if (result.unmapped) allUnmapped.push(...result.unmapped);
+}