@de-otio/chaoskb-server 0.2.0

package/dist/lib/handler/routes/register.ts

@@ -0,0 +1,363 @@
+import * as crypto from 'crypto';
+import { DynamoDBDocumentClient, PutCommand, GetCommand, DeleteCommand } from '@aws-sdk/lib-dynamodb';
+import { logAuditEvent } from './audit.js';
+import { GetParameterCommand, SSMClient } from '@aws-sdk/client-ssm';
+import { logger } from '../logger.js';
+import {
+  verifyKeyOnGitHub,
+  storeGitHubAssociation,
+  storeGitHubReverseLookup,
+  findTenantByGitHub,
+  GitHubVerificationError,
+} from './github.js';
+
+interface RegisterRequest {
+  publicKey: string;
+  signedChallenge: string;
+  challengeNonce: string;
+  github?: string;
+}
+
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+
+const CHALLENGE_EXPIRY_SECONDS = 60;
+const JSON_HEADERS = { 'Content-Type': 'application/json' };
+
+let cachedSignupsEnabled: { value: boolean; expiresAt: number } | null = null;
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+const ssmClient = new SSMClient({});
+
+export async function checkSignupsEnabled(paramName: string): Promise<boolean> {
+  const now = Date.now();
+  if (cachedSignupsEnabled && now < cachedSignupsEnabled.expiresAt) {
+    return cachedSignupsEnabled.value;
+  }
+
+  try {
+    const result = await ssmClient.send(
+      new GetParameterCommand({ Name: paramName }),
+    );
+    const value = result.Parameter?.Value !== 'false';
+    cachedSignupsEnabled = { value, expiresAt: now + CACHE_TTL_MS };
+    return value;
+  } catch (err) {
+    logger.error('Failed to fetch signups-enabled parameter', { error: String(err) });
+    // Default to enabled if parameter fetch fails
+    return true;
+  }
+}
+
+// Exported for testing
+export function _resetSignupsCache(): void {
+  cachedSignupsEnabled = null;
+}
+
+function tenantIdFromPublicKey(publicKeyBase64: string): string {
+  const hash = crypto.createHash('sha256').update(publicKeyBase64).digest('hex');
+  return hash.slice(0, 32);
+}
+
+function isValidSSHPublicKey(publicKey: string): boolean {
+  // Basic validation: must be base64 and reasonable length
+  if (!publicKey || publicKey.length < 16 || publicKey.length > 2048) {
+    return false;
+  }
+  try {
+    const decoded = Buffer.from(publicKey, 'base64');
+    return decoded.length > 0 && publicKey === decoded.toString('base64');
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Verify an Ed25519 signature of a challenge nonce against a public key.
+ * The signed data is: "chaoskb-register\n" + nonce (base64).
+ */
+function verifyRegistrationSignature(
+  publicKeyBase64: string,
+  nonce: string,
+  signatureBase64: string,
+): boolean {
+  try {
+    const publicKeyBuffer = Buffer.from(publicKeyBase64, 'base64');
+    const signatureBuffer = Buffer.from(signatureBase64, 'base64');
+    const data = Buffer.from(`chaoskb-register\n${nonce}`);
+
+    const keyObject = crypto.createPublicKey({
+      key: Buffer.concat([
+        // Ed25519 DER prefix for a 32-byte public key
+        Buffer.from('302a300506032b6570032100', 'hex'),
+        publicKeyBuffer,
+      ]),
+      format: 'der',
+      type: 'spki',
+    });
+
+    return crypto.verify(null, data, keyObject, signatureBuffer);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * GET /v1/register/challenge — generate a registration challenge nonce.
+ *
+ * Returns a 32-byte random nonce (base64-encoded) that must be signed by the
+ * client's SSH private key and submitted with the registration request.
+ * Challenge expires after 60 seconds and is single-use.
+ */
+export async function handleChallenge(
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const nonce = crypto.randomBytes(32).toString('base64');
+  const now = Math.floor(Date.now() / 1000);
+  const ttl = now + CHALLENGE_EXPIRY_SECONDS + 60; // DynamoDB TTL: generous buffer
+  const expiresAt = new Date((now + CHALLENGE_EXPIRY_SECONDS) * 1000).toISOString();
+
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `CHALLENGE#${nonce}`,
+        SK: 'META',
+        expiresAt,
+        ttl,
+      },
+    }),
+  );
+
+  logger.info('Registration challenge created');
+
+  return {
+    statusCode: 200,
+    headers: JSON_HEADERS,
+    body: JSON.stringify({ challenge: nonce, expiresAt }),
+  };
+}
+
+export async function handleRegister(
+  body: string | null | undefined,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+  signupsParamName: string,
+): Promise<HandlerResponse> {
+  // Check if signups are enabled
+  const signupsEnabled = await checkSignupsEnabled(signupsParamName);
+  if (!signupsEnabled) {
+    return {
+      statusCode: 403,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'signups_disabled', message: 'New registrations are currently disabled' }),
+    };
+  }
+
+  // Parse and validate request body
+  if (!body) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+
+  let request: RegisterRequest;
+  try {
+    request = JSON.parse(body);
+  } catch {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+    };
+  }
+
+  if (!request.publicKey) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'publicKey is required' }),
+    };
+  }
+
+  if (!request.signedChallenge || !request.challengeNonce) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'signedChallenge and challengeNonce are required' }),
+    };
+  }
+
+  if (!isValidSSHPublicKey(request.publicKey)) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_request', message: 'Invalid SSH public key format' }),
+    };
+  }
+
+  // Look up and consume the challenge nonce (single-use)
+  const challengeResult = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `CHALLENGE#${request.challengeNonce}`,
+        SK: 'META',
+      },
+    }),
+  );
+
+  if (!challengeResult.Item) {
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_challenge', message: 'Challenge not found or already used' }),
+    };
+  }
+
+  // Check challenge expiry
+  if (new Date(challengeResult.Item['expiresAt'] as string) < new Date()) {
+    // Clean up expired challenge
+    await ddb.send(
+      new DeleteCommand({
+        TableName: tableName,
+        Key: { PK: `CHALLENGE#${request.challengeNonce}`, SK: 'META' },
+      }),
+    );
+    return {
+      statusCode: 400,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'challenge_expired', message: 'Challenge has expired' }),
+    };
+  }
+
+  // Consume the challenge (delete it — single-use)
+  await ddb.send(
+    new DeleteCommand({
+      TableName: tableName,
+      Key: { PK: `CHALLENGE#${request.challengeNonce}`, SK: 'META' },
+    }),
+  );
+
+  // Verify the SSH signature of the challenge nonce against the public key
+  const validSignature = verifyRegistrationSignature(
+    request.publicKey,
+    request.challengeNonce,
+    request.signedChallenge,
+  );
+
+  if (!validSignature) {
+    logger.warn('Registration signature verification failed');
+    return {
+      statusCode: 401,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({ error: 'invalid_signature', message: 'Challenge signature verification failed' }),
+    };
+  }
+
+  // GitHub verification (if --github was provided)
+  if (request.github) {
+    try {
+      const keyOnGitHub = await verifyKeyOnGitHub(request.publicKey, request.github);
+      if (!keyOnGitHub) {
+        return {
+          statusCode: 400,
+          headers: JSON_HEADERS,
+          body: JSON.stringify({
+            error: 'github_key_not_found',
+            message: `Public key not found on GitHub account "${request.github}"`,
+          }),
+        };
+      }
+    } catch (err) {
+      if (err instanceof GitHubVerificationError) {
+        return {
+          statusCode: 400,
+          headers: JSON_HEADERS,
+          body: JSON.stringify({ error: err.code, message: err.message }),
+        };
+      }
+      throw err;
+    }
+
+    // Check if an existing tenant is associated with this GitHub username (auto-link)
+    const existingTenantId = await findTenantByGitHub(request.github, ddb, tableName);
+    if (existingTenantId) {
+      logger.info('GitHub auto-link: existing tenant found', {
+        existingTenantId,
+        github: request.github,
+      });
+      return {
+        statusCode: 200,
+        headers: JSON_HEADERS,
+        body: JSON.stringify({
+          status: 'auto_linked',
+          tenantId: existingTenantId,
+          github: request.github,
+        }),
+      };
+    }
+  }
+
+  const tenantId = tenantIdFromPublicKey(request.publicKey);
+  const now = new Date().toISOString();
+
+  try {
+    await ddb.send(
+      new PutCommand({
+        TableName: tableName,
+        Item: {
+          PK: `TENANT#${tenantId}`,
+          SK: 'META',
+          publicKey: request.publicKey,
+          createdAt: now,
+          updatedAt: now,
+          storageUsedBytes: 0,
+        },
+        ConditionExpression: 'attribute_not_exists(SK)',
+      }),
+    );
+
+    logger.info('Tenant registered', { tenantId, operation: 'register' });
+
+    // Store GitHub association if provided
+    if (request.github) {
+      await storeGitHubAssociation(tenantId, request.github, ddb, tableName);
+      await storeGitHubReverseLookup(request.github, tenantId, ddb, tableName);
+    }
+
+    await logAuditEvent(ddb, tableName, tenantId, {
+      eventType: 'registered',
+      fingerprint: '',
+      metadata: {
+        publicKey: request.publicKey,
+        ...(request.github && { github: request.github }),
+      },
+    });
+
+    return {
+      statusCode: 201,
+      headers: JSON_HEADERS,
+      body: JSON.stringify({
+        tenantId,
+        publicKey: request.publicKey,
+        ...(request.github && { github: request.github }),
+      }),
+    };
+  } catch (err: unknown) {
+    if ((err as { name?: string }).name === 'ConditionalCheckFailedException') {
+      return {
+        statusCode: 409,
+        headers: JSON_HEADERS,
+        body: JSON.stringify({ error: 'already_registered', message: 'This public key is already registered' }),
+      };
+    }
+    throw err;
+  }
+}

package/dist/lib/handler/routes/restore.d.ts

@@ -0,0 +1,9 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+export declare function handleRestore(blobId: string, tenantId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+export {};
+//# sourceMappingURL=restore.d.ts.map

package/dist/lib/handler/routes/restore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"restore.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/restore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAA6B,MAAM,uBAAuB,CAAC;AAG1F,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CA0D1B"}

package/dist/lib/handler/routes/restore.js

@@ -0,0 +1,52 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleRestore = handleRestore;
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const logger_js_1 = require("../logger.js");
+async function handleRestore(blobId, tenantId, ddb, tableName) {
+    // Get the blob to verify it exists and is deleted
+    const existing = await ddb.send(new lib_dynamodb_1.GetCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+        ProjectionExpression: 'deletedAt, #s',
+        ExpressionAttributeNames: { '#s': 'size' },
+    }));
+    if (!existing.Item) {
+        return {
+            statusCode: 404,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'not_found', message: 'Blob not found' }),
+        };
+    }
+    if (!existing.Item['deletedAt']) {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'not_deleted', message: 'Blob is not deleted' }),
+        };
+    }
+    const blobSize = existing.Item['size'] ?? 0;
+    const now = new Date().toISOString();
+    // Remove deletedAt and ttl
+    await ddb.send(new lib_dynamodb_1.UpdateCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+        UpdateExpression: 'REMOVE deletedAt, #ttl SET updatedAt = :updatedAt',
+        ExpressionAttributeNames: { '#ttl': 'ttl' },
+        ExpressionAttributeValues: { ':updatedAt': now },
+    }));
+    // Re-increment storage used
+    await ddb.send(new lib_dynamodb_1.UpdateCommand({
+        TableName: tableName,
+        Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+        UpdateExpression: 'SET storageUsedBytes = storageUsedBytes + :size',
+        ExpressionAttributeValues: { ':size': blobSize },
+    }));
+    logger_js_1.logger.info('Blob restored', { tenantId, operation: 'RESTORE' });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ id: blobId, restored: true }),
+    };
+}
+//# sourceMappingURL=restore.js.map

package/dist/lib/handler/routes/restore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"restore.js","sourceRoot":"","sources":["../../../../lib/handler/routes/restore.ts"],"names":[],"mappings":";;AASA,sCA+DC;AAxED,wDAA0F;AAC1F,4CAAsC;AAQ/B,KAAK,UAAU,aAAa,CACjC,MAAc,EACd,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,kDAAkD;IAClD,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAC7B,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,MAAM,EAAE,EAAE;QACvD,oBAAoB,EAAE,eAAe;QACrC,wBAAwB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;KAC3C,CAAC,CACH,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC;SACxE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC;SAC/E,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAY,IAAI,CAAC,CAAC;IACxD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,2BAA2B;IAC3B,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,MAAM,EAAE,EAAE;QACvD,gBAAgB,EAAE,mDAAmD;QACrE,wBAAwB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;QAC3C,yBAAyB,EAAE,EAAE,YAAY,EAAE,GAAG,EAAE;KACjD,CAAC,CACH,CAAC;IAEF,4BAA4B;IAC5B,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,4BAAa,CAAC;QAChB,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE,EAAE,EAAE,EAAE,UAAU,QAAQ,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE;QAC7C,gBAAgB,EAAE,iDAAiD;QACnE,yBAAyB,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE;KACjD,CAAC,CACH,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,eAAe,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;IAEjE,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;KACrD,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/restore.ts

@@ -0,0 +1,73 @@
+import { DynamoDBDocumentClient, UpdateCommand, GetCommand } from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+
+export async function handleRestore(
+  blobId: string,
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  // Get the blob to verify it exists and is deleted
+  const existing = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+      ProjectionExpression: 'deletedAt, #s',
+      ExpressionAttributeNames: { '#s': 'size' },
+    }),
+  );
+
+  if (!existing.Item) {
+    return {
+      statusCode: 404,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'not_found', message: 'Blob not found' }),
+    };
+  }
+
+  if (!existing.Item['deletedAt']) {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'not_deleted', message: 'Blob is not deleted' }),
+    };
+  }
+
+  const blobSize = (existing.Item['size'] as number) ?? 0;
+  const now = new Date().toISOString();
+
+  // Remove deletedAt and ttl
+  await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: `BLOB#${blobId}` },
+      UpdateExpression: 'REMOVE deletedAt, #ttl SET updatedAt = :updatedAt',
+      ExpressionAttributeNames: { '#ttl': 'ttl' },
+      ExpressionAttributeValues: { ':updatedAt': now },
+    }),
+  );
+
+  // Re-increment storage used
+  await ddb.send(
+    new UpdateCommand({
+      TableName: tableName,
+      Key: { PK: `TENANT#${tenantId}`, SK: 'META' },
+      UpdateExpression: 'SET storageUsedBytes = storageUsedBytes + :size',
+      ExpressionAttributeValues: { ':size': blobSize },
+    }),
+  );
+
+  logger.info('Blob restored', { tenantId, operation: 'RESTORE' });
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ id: blobId, restored: true }),
+  };
+}

package/dist/lib/handler/routes/revocation.d.ts

@@ -0,0 +1,13 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+/**
+ * Emergency revocation: delete all KEY#, WRAPPED_KEY#, ROTATION, and SEQUENCE# items
+ * for a tenant, then log an audit event.
+ */
+export declare function handleRevokeAll(tenantId: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+export {};
+//# sourceMappingURL=revocation.d.ts.map

package/dist/lib/handler/routes/revocation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"revocation.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/revocation.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EAGvB,MAAM,uBAAuB,CAAC;AAI/B,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CAgE1B"}

package/dist/lib/handler/routes/revocation.js

@@ -0,0 +1,63 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleRevokeAll = handleRevokeAll;
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const audit_js_1 = require("./audit.js");
+const logger_js_1 = require("../logger.js");
+/**
+ * Emergency revocation: delete all KEY#, WRAPPED_KEY#, ROTATION, and SEQUENCE# items
+ * for a tenant, then log an audit event.
+ */
+async function handleRevokeAll(tenantId, ddb, tableName) {
+    const pk = `TENANT#${tenantId}`;
+    // Query all items in the tenant partition
+    const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk',
+        ExpressionAttributeValues: {
+            ':pk': pk,
+        },
+        ProjectionExpression: 'PK, SK',
+    }));
+    const allItems = result.Items ?? [];
+    // Filter to revocable SK prefixes
+    const toDelete = allItems.filter((item) => {
+        const sk = item['SK'];
+        return (sk.startsWith('KEY#') ||
+            sk.startsWith('WRAPPED_KEY#') ||
+            sk === 'ROTATION' ||
+            sk.startsWith('SEQUENCE#'));
+    });
+    // Batch delete in groups of 25
+    for (let i = 0; i < toDelete.length; i += 25) {
+        const batch = toDelete.slice(i, i + 25);
+        await ddb.send(new lib_dynamodb_1.BatchWriteCommand({
+            RequestItems: {
+                [tableName]: batch.map((item) => ({
+                    DeleteRequest: {
+                        Key: { PK: item['PK'], SK: item['SK'] },
+                    },
+                })),
+            },
+        }));
+    }
+    logger_js_1.logger.info('Emergency revocation completed', {
+        tenantId,
+        deletedItems: toDelete.length,
+    });
+    // Log audit event
+    await (0, audit_js_1.logAuditEvent)(ddb, tableName, tenantId, {
+        eventType: 'revoked',
+        fingerprint: 'all',
+        metadata: { deletedItems: toDelete.length },
+    });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            status: 'revoked',
+            message: 'All devices revoked. Re-register with a new SSH key.',
+        }),
+    };
+}
+//# sourceMappingURL=revocation.js.map

package/dist/lib/handler/routes/revocation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"revocation.js","sourceRoot":"","sources":["../../../../lib/handler/routes/revocation.ts"],"names":[],"mappings":";;AAkBA,0CAoEC;AAtFD,wDAI+B;AAC/B,yCAA2C;AAC3C,4CAAsC;AAQtC;;;GAGG;AACI,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,EAAE,GAAG,UAAU,QAAQ,EAAE,CAAC;IAEhC,0CAA0C;IAC1C,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;QACf,SAAS,EAAE,SAAS;QACpB,sBAAsB,EAAE,UAAU;QAClC,yBAAyB,EAAE;YACzB,KAAK,EAAE,EAAE;SACV;QACD,oBAAoB,EAAE,QAAQ;KAC/B,CAAC,CACH,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC;IAEpC,kCAAkC;IAClC,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;QACxC,MAAM,EAAE,GAAG,IAAI,CAAC,IAAI,CAAW,CAAC;QAChC,OAAO,CACL,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;YACrB,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC;YAC7B,EAAE,KAAK,UAAU;YACjB,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAC3B,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,+BAA+B;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACxC,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,gCAAiB,CAAC;YACpB,YAAY,EAAE;gBACZ,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;oBAChC,aAAa,EAAE;wBACb,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;qBACxC;iBACF,CAAC,CAAC;aACJ;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAED,kBAAM,CAAC,IAAI,CAAC,gCAAgC,EAAE;QAC5C,QAAQ;QACR,YAAY,EAAE,QAAQ,CAAC,MAAM;KAC9B,CAAC,CAAC;IAEH,kBAAkB;IAClB,MAAM,IAAA,wBAAa,EAAC,GAAG,EAAE,SAAS,EAAE,QAAQ,EAAE;QAC5C,SAAS,EAAE,SAAS;QACpB,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE,EAAE,YAAY,EAAE,QAAQ,CAAC,MAAM,EAAE;KAC5C,CAAC,CAAC;IAEH,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,sDAAsD;SAChE,CAAC;KACH,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/revocation.ts

@@ -0,0 +1,87 @@
+import {
+  DynamoDBDocumentClient,
+  QueryCommand,
+  BatchWriteCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { logAuditEvent } from './audit.js';
+import { logger } from '../logger.js';
+
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+
+/**
+ * Emergency revocation: delete all KEY#, WRAPPED_KEY#, ROTATION, and SEQUENCE# items
+ * for a tenant, then log an audit event.
+ */
+export async function handleRevokeAll(
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const pk = `TENANT#${tenantId}`;
+
+  // Query all items in the tenant partition
+  const result = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      KeyConditionExpression: 'PK = :pk',
+      ExpressionAttributeValues: {
+        ':pk': pk,
+      },
+      ProjectionExpression: 'PK, SK',
+    }),
+  );
+
+  const allItems = result.Items ?? [];
+
+  // Filter to revocable SK prefixes
+  const toDelete = allItems.filter((item) => {
+    const sk = item['SK'] as string;
+    return (
+      sk.startsWith('KEY#') ||
+      sk.startsWith('WRAPPED_KEY#') ||
+      sk === 'ROTATION' ||
+      sk.startsWith('SEQUENCE#')
+    );
+  });
+
+  // Batch delete in groups of 25
+  for (let i = 0; i < toDelete.length; i += 25) {
+    const batch = toDelete.slice(i, i + 25);
+    await ddb.send(
+      new BatchWriteCommand({
+        RequestItems: {
+          [tableName]: batch.map((item) => ({
+            DeleteRequest: {
+              Key: { PK: item['PK'], SK: item['SK'] },
+            },
+          })),
+        },
+      }),
+    );
+  }
+
+  logger.info('Emergency revocation completed', {
+    tenantId,
+    deletedItems: toDelete.length,
+  });
+
+  // Log audit event
+  await logAuditEvent(ddb, tableName, tenantId, {
+    eventType: 'revoked',
+    fingerprint: 'all',
+    metadata: { deletedItems: toDelete.length },
+  });
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      status: 'revoked',
+      message: 'All devices revoked. Re-register with a new SSH key.',
+    }),
+  };
+}