@clef-sh/broker 0.1.11 → 0.1.12

package/dist/envelope.d.ts

@@ -5,6 +5,10 @@ export interface ArtifactEnvelopeField {
     keyId: string;
     wrappedKey: string;
     algorithm: string;
+    /** Base64-encoded 12-byte AES-GCM initialization vector. */
+    iv: string;
+    /** Base64-encoded 16-byte AES-GCM authentication tag. */
+    authTag: string;
 }
 /** JSON envelope produced by the broker. Matches the runtime's expected artifact shape. */
 export interface BrokerArtifact {
@@ -39,8 +43,8 @@ export interface PackEnvelopeOptions {
 /**
  * Pack credentials into a Clef artifact envelope with KMS envelope encryption.
  *
- * 1. age-encrypt plaintext with an ephemeral key
- * 2. Wrap the ephemeral private key via KMS
+ * 1. AES-256-GCM encrypt plaintext with a random DEK
+ * 2. Wrap the DEK via KMS
  * 3. Return the complete JSON envelope string
  */
 export declare function packEnvelope(options: PackEnvelopeOptions): Promise<string>;

package/dist/envelope.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEpD,6CAA6C;AAC7C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,2FAA2F;AAC3F,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,qBAAqB,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,mBAAmB;IAClC,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,wDAAwD;IACxD,GAAG,EAAE,MAAM,CAAC;IACZ,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB,wEAAwE;IACxE,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CA8ChF"}
+{"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEpD,6CAA6C;AAC7C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,2FAA2F;AAC3F,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,qBAAqB,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,mBAAmB;IAClC,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,wDAAwD;IACxD,GAAG,EAAE,MAAM,CAAC;IACZ,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB,wEAAwE;IACxE,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAqDhF"}

package/dist/envelope.js

@@ -38,26 +38,32 @@ const crypto = __importStar(require("crypto"));
 /**
  * Pack credentials into a Clef artifact envelope with KMS envelope encryption.
  *
- * 1. age-encrypt plaintext with an ephemeral key
- * 2. Wrap the ephemeral private key via KMS
+ * 1. AES-256-GCM encrypt plaintext with a random DEK
+ * 2. Wrap the DEK via KMS
  * 3. Return the complete JSON envelope string
  */
 async function packEnvelope(options) {
     const { identity, environment, data, ttl, kmsProvider, kmsProviderName, kmsKeyId } = options;
     const plaintext = JSON.stringify(data);
-    // Generate ephemeral age key pair
-    const { generateIdentity, identityToRecipient, Encrypter } = await Promise.resolve(`${
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- dynamic ESM import of CJS-incompatible package
-    "age-encryption"}`).then(s => __importStar(require(s)));
-    const ephemeralPrivateKey = (await generateIdentity());
-    const ephemeralPublicKey = (await identityToRecipient(ephemeralPrivateKey));
-    // age-encrypt plaintext to ephemeral public key
-    const e = new Encrypter();
-    e.addRecipient(ephemeralPublicKey);
-    const encrypted = await e.encrypt(plaintext);
-    const ciphertext = Buffer.from(encrypted).toString("base64");
-    // Wrap the ephemeral private key with KMS
-    const wrapped = await kmsProvider.wrap(kmsKeyId, Buffer.from(ephemeralPrivateKey));
+    const dek = crypto.randomBytes(32);
+    const iv = crypto.randomBytes(12);
+    let ciphertext;
+    let authTag;
+    let wrapped;
+    try {
+        const cipher = crypto.createCipheriv("aes-256-gcm", dek, iv);
+        const ciphertextBuf = Buffer.concat([
+            cipher.update(Buffer.from(plaintext, "utf-8")),
+            cipher.final(),
+        ]);
+        authTag = cipher.getAuthTag();
+        ciphertext = ciphertextBuf.toString("base64");
+        // Wrap the DEK with KMS
+        wrapped = await kmsProvider.wrap(kmsKeyId, dek);
+    }
+    finally {
+        dek.fill(0);
+    }
     const revision = `${Date.now()}-${crypto.randomBytes(4).toString("hex")}`;
     const ciphertextHash = crypto.createHash("sha256").update(ciphertext).digest("hex");
     const packedAt = new Date().toISOString();
@@ -76,6 +82,8 @@ async function packEnvelope(options) {
             keyId: kmsKeyId,
             wrappedKey: wrapped.wrappedKey.toString("base64"),
             algorithm: wrapped.algorithm,
+            iv: iv.toString("base64"),
+            authTag: authTag.toString("base64"),
         },
         expiresAt,
     };

package/dist/envelope.js.map

@@ -1 +1 @@
-{"version":3,"file":"envelope.js","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkDA,oCA8CC;AAhGD,+CAAiC;AA2CjC;;;;;;GAMG;AACI,KAAK,UAAU,YAAY,CAAC,OAA4B;IAC7D,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7F,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEvC,kCAAkC;IAClC,MAAM,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,SAAS,EAAE,GAAG;IAC3D,gHAAgH;IAChH,gBAAuB,uCACxB,CAAC;IACF,MAAM,mBAAmB,GAAG,CAAC,MAAM,gBAAgB,EAAE,CAAW,CAAC;IACjE,MAAM,kBAAkB,GAAG,CAAC,MAAM,mBAAmB,CAAC,mBAAmB,CAAC,CAAW,CAAC;IAEtF,gDAAgD;IAChD,MAAM,CAAC,GAAG,IAAI,SAAS,EAAE,CAAC;IAC1B,CAAC,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;IACnC,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,SAAuB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE3E,0CAA0C;IAC1C,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAEnF,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC1E,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpF,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAElE,MAAM,QAAQ,GAAmB;QAC/B,OAAO,EAAE,CAAC;QACV,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,QAAQ;QACR,cAAc;QACd,UAAU;QACV,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;QACvB,QAAQ,EAAE;YACR,QAAQ,EAAE,eAAe;YACzB,KAAK,EAAE,QAAQ;YACf,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACjD,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B;QACD,SAAS;KACV,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC3C,CAAC"}
+{"version":3,"file":"envelope.js","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsDA,oCAqDC;AA3GD,+CAAiC;AA+CjC;;;;;;GAMG;AACI,KAAK,UAAU,YAAY,CAAC,OAA4B;IAC7D,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7F,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEvC,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAElC,IAAI,UAAkB,CAAC;IACvB,IAAI,OAAe,CAAC;IACpB,IAAI,OAAiD,CAAC;IAEtD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAC7D,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAC9C,MAAM,CAAC,KAAK,EAAE;SACf,CAAC,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC9B,UAAU,GAAG,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE9C,wBAAwB;QACxB,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAClD,CAAC;YAAS,CAAC;QACT,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC1E,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpF,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAElE,MAAM,QAAQ,GAAmB;QAC/B,OAAO,EAAE,CAAC;QACV,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,QAAQ;QACR,cAAc;QACd,UAAU;QACV,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;QACvB,QAAQ,EAAE;YACR,QAAQ,EAAE,eAAe;YACzB,KAAK,EAAE,QAAQ;YACf,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACjD,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzB,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;SACpC;QACD,SAAS;KACV,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC3C,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clef-sh/broker",
-  "version": "0.1.11",
+  "version": "0.1.12",
   "description": "Runtime harness for Clef dynamic credential brokers",
   "repository": {
     "type": "git",