@de-otio/chaoskb-server 0.2.0

package/dist/lib/handler/routes/tenants.js

@@ -0,0 +1,181 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handleCreateTenant = handleCreateTenant;
+exports.handleListTenants = handleListTenants;
+exports.handleDeleteTenant = handleDeleteTenant;
+const crypto = __importStar(require("crypto"));
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const logger_js_1 = require("../logger.js");
+async function handleCreateTenant(body, tenantId, ddb, tableName) {
+    if (!body) {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+        };
+    }
+    let request;
+    try {
+        request = JSON.parse(body);
+    }
+    catch {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+        };
+    }
+    if (!request.name || typeof request.name !== 'string') {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'invalid_request', message: 'name is required' }),
+        };
+    }
+    const projectTenantId = crypto.randomUUID().replace(/-/g, '').slice(0, 16);
+    const now = new Date().toISOString();
+    try {
+        await ddb.send(new lib_dynamodb_1.PutCommand({
+            TableName: tableName,
+            Item: {
+                PK: `TENANT#${tenantId}`,
+                SK: `PROJECT#${request.name}`,
+                projectTenantId,
+                name: request.name,
+                createdAt: now,
+                updatedAt: now,
+            },
+            ConditionExpression: 'attribute_not_exists(SK)',
+        }));
+    }
+    catch (err) {
+        if (err.name === 'ConditionalCheckFailedException') {
+            return {
+                statusCode: 409,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ error: 'already_exists', message: 'A project with this name already exists' }),
+            };
+        }
+        throw err;
+    }
+    logger_js_1.logger.info('Tenant project created', { tenantId, operation: 'CREATE_TENANT' });
+    return {
+        statusCode: 201,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ tenantId: projectTenantId, name: request.name }),
+    };
+}
+async function handleListTenants(tenantId, ddb, tableName) {
+    const result = await ddb.send(new lib_dynamodb_1.QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+        ExpressionAttributeValues: {
+            ':pk': `TENANT#${tenantId}`,
+            ':prefix': 'PROJECT#',
+        },
+    }));
+    const tenants = (result.Items ?? []).map((item) => ({
+        tenantId: item['projectTenantId'],
+        name: item['name'],
+        createdAt: item['createdAt'],
+    }));
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ tenants }),
+    };
+}
+async function handleDeleteTenant(projectTenantId, tenantId, ddb, tableName) {
+    // First find the project record
+    const projects = await ddb.send(new lib_dynamodb_1.QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+        ExpressionAttributeValues: {
+            ':pk': `TENANT#${tenantId}`,
+            ':prefix': 'PROJECT#',
+        },
+    }));
+    const projectItem = (projects.Items ?? []).find((item) => item['projectTenantId'] === projectTenantId);
+    if (!projectItem) {
+        return {
+            statusCode: 404,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'not_found', message: 'Tenant not found' }),
+        };
+    }
+    // Delete all blobs in the project tenant's partition
+    const blobsResult = await ddb.send(new lib_dynamodb_1.QueryCommand({
+        TableName: tableName,
+        KeyConditionExpression: 'PK = :pk',
+        ExpressionAttributeValues: {
+            ':pk': `TENANT#${projectTenantId}`,
+        },
+        ProjectionExpression: 'PK, SK',
+    }));
+    const blobItems = blobsResult.Items ?? [];
+    // Batch delete in groups of 25
+    for (let i = 0; i < blobItems.length; i += 25) {
+        const batch = blobItems.slice(i, i + 25);
+        await ddb.send(new lib_dynamodb_1.BatchWriteCommand({
+            RequestItems: {
+                [tableName]: batch.map((item) => ({
+                    DeleteRequest: {
+                        Key: { PK: item['PK'], SK: item['SK'] },
+                    },
+                })),
+            },
+        }));
+    }
+    // Delete the project record itself
+    await ddb.send(new lib_dynamodb_1.BatchWriteCommand({
+        RequestItems: {
+            [tableName]: [
+                {
+                    DeleteRequest: {
+                        Key: { PK: projectItem['PK'], SK: projectItem['SK'] },
+                    },
+                },
+            ],
+        },
+    }));
+    logger_js_1.logger.info('Tenant deleted', { tenantId, operation: 'DELETE_TENANT' });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ deleted: true }),
+    };
+}
+//# sourceMappingURL=tenants.js.map

package/dist/lib/handler/routes/tenants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenants.js","sourceRoot":"","sources":["../../../../lib/handler/routes/tenants.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAeA,gDAqEC;AAED,8CA2BC;AAED,gDAkFC;AArMD,+CAAiC;AACjC,wDAK+B;AAC/B,4CAAsC;AAQ/B,KAAK,UAAU,kBAAkB,CACtC,IAA+B,EAC/B,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;SACxF,CAAC;IACJ,CAAC;IAED,IAAI,OAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,mBAAmB,EAAE,CAAC;SACjF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtD,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;SAChF,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3E,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;YACb,SAAS,EAAE,SAAS;YACpB,IAAI,EAAE;gBACJ,EAAE,EAAE,UAAU,QAAQ,EAAE;gBACxB,EAAE,EAAE,WAAW,OAAO,CAAC,IAAI,EAAE;gBAC7B,eAAe;gBACf,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,GAAG;aACf;YACD,mBAAmB,EAAE,0BAA0B;SAChD,CAAC,CACH,CAAC;IACJ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAK,GAAyB,CAAC,IAAI,KAAK,iCAAiC,EAAE,CAAC;YAC1E,OAAO;gBACL,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,OAAO,EAAE,yCAAyC,EAAE,CAAC;aACtG,CAAC;QACJ,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,kBAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;IAEhF,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;KACxE,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,2BAAY,CAAC;QACf,SAAS,EAAE,SAAS;QACpB,sBAAsB,EAAE,uCAAuC;QAC/D,yBAAyB,EAAE;YACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;YAC3B,SAAS,EAAE,UAAU;SACtB;KACF,CAAC,CACH,CAAC;IAEF,MAAM,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAClD,QAAQ,EAAE,IAAI,CAAC,iBAAiB,CAAW;QAC3C,IAAI,EAAE,IAAI,CAAC,MAAM,CAAW;QAC5B,SAAS,EAAE,IAAI,CAAC,WAAW,CAAW;KACvC,CAAC,CAAC,CAAC;IAEJ,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC;KAClC,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,kBAAkB,CACtC,eAAuB,EACvB,QAAgB,EAChB,GAA2B,EAC3B,SAAiB;IAEjB,gCAAgC;IAChC,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAC7B,IAAI,2BAAY,CAAC;QACf,SAAS,EAAE,SAAS;QACpB,sBAAsB,EAAE,uCAAuC;QAC/D,yBAAyB,EAAE;YACzB,KAAK,EAAE,UAAU,QAAQ,EAAE;YAC3B,SAAS,EAAE,UAAU;SACtB;KACF,CAAC,CACH,CAAC;IAEF,MAAM,WAAW,GAAG,CAAC,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAC7C,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,eAAe,CACtD,CAAC;IAEF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC;SAC1E,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,IAAI,CAChC,IAAI,2BAAY,CAAC;QACf,SAAS,EAAE,SAAS;QACpB,sBAAsB,EAAE,UAAU;QAClC,yBAAyB,EAAE;YACzB,KAAK,EAAE,UAAU,eAAe,EAAE;SACnC;QACD,oBAAoB,EAAE,QAAQ;KAC/B,CAAC,CACH,CAAC;IAEF,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC;IAE1C,+BAA+B;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACzC,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,gCAAiB,CAAC;YACpB,YAAY,EAAE;gBACZ,CAAC,SAAS,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;oBAChC,aAAa,EAAE;wBACb,GAAG,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;qBACxC;iBACF,CAAC,CAAC;aACJ;SACF,CAAC,CACH,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,gCAAiB,CAAC;QACpB,YAAY,EAAE;YACZ,CAAC,SAAS,CAAC,EAAE;gBACX;oBACE,aAAa,EAAE;wBACb,GAAG,EAAE,EAAE,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,IAAI,CAAC,EAAE;qBACtD;iBACF;aACF;SACF;KACF,CAAC,CACH,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,eAAe,EAAE,CAAC,CAAC;IAExE,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/tenants.ts

@@ -0,0 +1,198 @@
+import * as crypto from 'crypto';
+import {
+  DynamoDBDocumentClient,
+  PutCommand,
+  QueryCommand,
+  BatchWriteCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+
+export async function handleCreateTenant(
+  body: string | null | undefined,
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  if (!body) {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+
+  let request: { name?: string };
+  try {
+    request = JSON.parse(body);
+  } catch {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'invalid_request', message: 'Invalid JSON body' }),
+    };
+  }
+
+  if (!request.name || typeof request.name !== 'string') {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'invalid_request', message: 'name is required' }),
+    };
+  }
+
+  const projectTenantId = crypto.randomUUID().replace(/-/g, '').slice(0, 16);
+  const now = new Date().toISOString();
+
+  try {
+    await ddb.send(
+      new PutCommand({
+        TableName: tableName,
+        Item: {
+          PK: `TENANT#${tenantId}`,
+          SK: `PROJECT#${request.name}`,
+          projectTenantId,
+          name: request.name,
+          createdAt: now,
+          updatedAt: now,
+        },
+        ConditionExpression: 'attribute_not_exists(SK)',
+      }),
+    );
+  } catch (err: unknown) {
+    if ((err as { name?: string }).name === 'ConditionalCheckFailedException') {
+      return {
+        statusCode: 409,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ error: 'already_exists', message: 'A project with this name already exists' }),
+      };
+    }
+    throw err;
+  }
+
+  logger.info('Tenant project created', { tenantId, operation: 'CREATE_TENANT' });
+
+  return {
+    statusCode: 201,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ tenantId: projectTenantId, name: request.name }),
+  };
+}
+
+export async function handleListTenants(
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+      ExpressionAttributeValues: {
+        ':pk': `TENANT#${tenantId}`,
+        ':prefix': 'PROJECT#',
+      },
+    }),
+  );
+
+  const tenants = (result.Items ?? []).map((item) => ({
+    tenantId: item['projectTenantId'] as string,
+    name: item['name'] as string,
+    createdAt: item['createdAt'] as string,
+  }));
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ tenants }),
+  };
+}
+
+export async function handleDeleteTenant(
+  projectTenantId: string,
+  tenantId: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  // First find the project record
+  const projects = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      KeyConditionExpression: 'PK = :pk AND begins_with(SK, :prefix)',
+      ExpressionAttributeValues: {
+        ':pk': `TENANT#${tenantId}`,
+        ':prefix': 'PROJECT#',
+      },
+    }),
+  );
+
+  const projectItem = (projects.Items ?? []).find(
+    (item) => item['projectTenantId'] === projectTenantId,
+  );
+
+  if (!projectItem) {
+    return {
+      statusCode: 404,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'not_found', message: 'Tenant not found' }),
+    };
+  }
+
+  // Delete all blobs in the project tenant's partition
+  const blobsResult = await ddb.send(
+    new QueryCommand({
+      TableName: tableName,
+      KeyConditionExpression: 'PK = :pk',
+      ExpressionAttributeValues: {
+        ':pk': `TENANT#${projectTenantId}`,
+      },
+      ProjectionExpression: 'PK, SK',
+    }),
+  );
+
+  const blobItems = blobsResult.Items ?? [];
+
+  // Batch delete in groups of 25
+  for (let i = 0; i < blobItems.length; i += 25) {
+    const batch = blobItems.slice(i, i + 25);
+    await ddb.send(
+      new BatchWriteCommand({
+        RequestItems: {
+          [tableName]: batch.map((item) => ({
+            DeleteRequest: {
+              Key: { PK: item['PK'], SK: item['SK'] },
+            },
+          })),
+        },
+      }),
+    );
+  }
+
+  // Delete the project record itself
+  await ddb.send(
+    new BatchWriteCommand({
+      RequestItems: {
+        [tableName]: [
+          {
+            DeleteRequest: {
+              Key: { PK: projectItem['PK'], SK: projectItem['SK'] },
+            },
+          },
+        ],
+      },
+    }),
+  );
+
+  logger.info('Tenant deleted', { tenantId, operation: 'DELETE_TENANT' });
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ deleted: true }),
+  };
+}

package/dist/lib/handler/routes/wrapped-key.d.ts

@@ -0,0 +1,21 @@
+import { DynamoDBDocumentClient } from '@aws-sdk/lib-dynamodb';
+interface HandlerResponse {
+    statusCode: number;
+    body: string;
+    headers: Record<string, string>;
+}
+/**
+ * Store a wrapped master key blob for the authenticated tenant.
+ *
+ * The blob is a crypto_box_seal output (Ed25519) or RSA-OAEP KEM+DEM output.
+ * The server cannot decrypt it — only the holder of the SSH private key can.
+ */
+export declare function handlePutWrappedKey(tenantId: string, fingerprint: string, rawBody: string | null | undefined, isBase64Encoded: boolean, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+/**
+ * Retrieve the wrapped master key blob for the authenticated tenant.
+ *
+ * Returns the blob as application/octet-stream.
+ */
+export declare function handleGetWrappedKey(tenantId: string, fingerprint: string, ddb: DynamoDBDocumentClient, tableName: string): Promise<HandlerResponse>;
+export {};
+//# sourceMappingURL=wrapped-key.d.ts.map

package/dist/lib/handler/routes/wrapped-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapped-key.d.ts","sourceRoot":"","sources":["../../../../lib/handler/routes/wrapped-key.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EAGvB,MAAM,uBAAuB,CAAC;AAG/B,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAClC,eAAe,EAAE,OAAO,EACxB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CA2C1B;AAED;;;;GAIG;AACH,wBAAsB,mBAAmB,CACvC,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,GAAG,EAAE,sBAAsB,EAC3B,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,eAAe,CAAC,CA0B1B"}

package/dist/lib/handler/routes/wrapped-key.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.handlePutWrappedKey = handlePutWrappedKey;
+exports.handleGetWrappedKey = handleGetWrappedKey;
+const lib_dynamodb_1 = require("@aws-sdk/lib-dynamodb");
+const logger_js_1 = require("../logger.js");
+/**
+ * Store a wrapped master key blob for the authenticated tenant.
+ *
+ * The blob is a crypto_box_seal output (Ed25519) or RSA-OAEP KEM+DEM output.
+ * The server cannot decrypt it — only the holder of the SSH private key can.
+ */
+async function handlePutWrappedKey(tenantId, fingerprint, rawBody, isBase64Encoded, ddb, tableName) {
+    if (!rawBody) {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+        };
+    }
+    const bodyBuffer = isBase64Encoded
+        ? Buffer.from(rawBody, 'base64')
+        : Buffer.from(rawBody, 'utf-8');
+    // Max wrapped key size: 4 KB (wrapped master key is typically ~80 bytes for Ed25519, ~512 for RSA)
+    if (bodyBuffer.length > 4096) {
+        return {
+            statusCode: 400,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'invalid_request', message: 'Wrapped key too large (max 4KB)' }),
+        };
+    }
+    const now = new Date().toISOString();
+    await ddb.send(new lib_dynamodb_1.PutCommand({
+        TableName: tableName,
+        Item: {
+            PK: `TENANT#${tenantId}`,
+            SK: `WRAPPED_KEY#${fingerprint}`,
+            data: bodyBuffer.toString('base64'),
+            updatedAt: now,
+        },
+    }));
+    logger_js_1.logger.info('Wrapped key stored', { tenantId, fingerprint, size: bodyBuffer.length });
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ status: 'stored' }),
+    };
+}
+/**
+ * Retrieve the wrapped master key blob for the authenticated tenant.
+ *
+ * Returns the blob as application/octet-stream.
+ */
+async function handleGetWrappedKey(tenantId, fingerprint, ddb, tableName) {
+    const result = await ddb.send(new lib_dynamodb_1.GetCommand({
+        TableName: tableName,
+        Key: {
+            PK: `TENANT#${tenantId}`,
+            SK: `WRAPPED_KEY#${fingerprint}`,
+        },
+    }));
+    if (!result.Item) {
+        return {
+            statusCode: 404,
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ error: 'not_found', message: 'No wrapped key found for this device' }),
+        };
+    }
+    const data = result.Item['data'];
+    return {
+        statusCode: 200,
+        headers: { 'Content-Type': 'application/octet-stream' },
+        body: data, // base64-encoded wrapped key blob
+    };
+}
+//# sourceMappingURL=wrapped-key.js.map

package/dist/lib/handler/routes/wrapped-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrapped-key.js","sourceRoot":"","sources":["../../../../lib/handler/routes/wrapped-key.ts"],"names":[],"mappings":";;AAmBA,kDAkDC;AAOD,kDA+BC;AA3GD,wDAI+B;AAC/B,4CAAsC;AAQtC;;;;;GAKG;AACI,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,WAAmB,EACnB,OAAkC,EAClC,eAAwB,EACxB,GAA2B,EAC3B,SAAiB;IAEjB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC;SACxF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,eAAe;QAChC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC;QAChC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAElC,mGAAmG;IACnG,IAAI,UAAU,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QAC7B,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC;SAC/F,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,MAAM,GAAG,CAAC,IAAI,CACZ,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE;YACJ,EAAE,EAAE,UAAU,QAAQ,EAAE;YACxB,EAAE,EAAE,eAAe,WAAW,EAAE;YAChC,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACnC,SAAS,EAAE,GAAG;SACf;KACF,CAAC,CACH,CAAC;IAEF,kBAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAEtF,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,mBAAmB,CACvC,QAAgB,EAChB,WAAmB,EACnB,GAA2B,EAC3B,SAAiB;IAEjB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,IAAI,CAC3B,IAAI,yBAAU,CAAC;QACb,SAAS,EAAE,SAAS;QACpB,GAAG,EAAE;YACH,EAAE,EAAE,UAAU,QAAQ,EAAE;YACxB,EAAE,EAAE,eAAe,WAAW,EAAE;SACjC;KACF,CAAC,CACH,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO;YACL,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC;SAC9F,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAW,CAAC;IAE3C,OAAO;QACL,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;QACvD,IAAI,EAAE,IAAI,EAAE,kCAAkC;KAC/C,CAAC;AACJ,CAAC"}

package/dist/lib/handler/routes/wrapped-key.ts

@@ -0,0 +1,108 @@
+import {
+  DynamoDBDocumentClient,
+  PutCommand,
+  GetCommand,
+} from '@aws-sdk/lib-dynamodb';
+import { logger } from '../logger.js';
+
+interface HandlerResponse {
+  statusCode: number;
+  body: string;
+  headers: Record<string, string>;
+}
+
+/**
+ * Store a wrapped master key blob for the authenticated tenant.
+ *
+ * The blob is a crypto_box_seal output (Ed25519) or RSA-OAEP KEM+DEM output.
+ * The server cannot decrypt it — only the holder of the SSH private key can.
+ */
+export async function handlePutWrappedKey(
+  tenantId: string,
+  fingerprint: string,
+  rawBody: string | null | undefined,
+  isBase64Encoded: boolean,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  if (!rawBody) {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'invalid_request', message: 'Request body is required' }),
+    };
+  }
+
+  const bodyBuffer = isBase64Encoded
+    ? Buffer.from(rawBody, 'base64')
+    : Buffer.from(rawBody, 'utf-8');
+
+  // Max wrapped key size: 4 KB (wrapped master key is typically ~80 bytes for Ed25519, ~512 for RSA)
+  if (bodyBuffer.length > 4096) {
+    return {
+      statusCode: 400,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'invalid_request', message: 'Wrapped key too large (max 4KB)' }),
+    };
+  }
+
+  const now = new Date().toISOString();
+
+  await ddb.send(
+    new PutCommand({
+      TableName: tableName,
+      Item: {
+        PK: `TENANT#${tenantId}`,
+        SK: `WRAPPED_KEY#${fingerprint}`,
+        data: bodyBuffer.toString('base64'),
+        updatedAt: now,
+      },
+    }),
+  );
+
+  logger.info('Wrapped key stored', { tenantId, fingerprint, size: bodyBuffer.length });
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ status: 'stored' }),
+  };
+}
+
+/**
+ * Retrieve the wrapped master key blob for the authenticated tenant.
+ *
+ * Returns the blob as application/octet-stream.
+ */
+export async function handleGetWrappedKey(
+  tenantId: string,
+  fingerprint: string,
+  ddb: DynamoDBDocumentClient,
+  tableName: string,
+): Promise<HandlerResponse> {
+  const result = await ddb.send(
+    new GetCommand({
+      TableName: tableName,
+      Key: {
+        PK: `TENANT#${tenantId}`,
+        SK: `WRAPPED_KEY#${fingerprint}`,
+      },
+    }),
+  );
+
+  if (!result.Item) {
+    return {
+      statusCode: 404,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: 'not_found', message: 'No wrapped key found for this device' }),
+    };
+  }
+
+  const data = result.Item['data'] as string;
+
+  return {
+    statusCode: 200,
+    headers: { 'Content-Type': 'application/octet-stream' },
+    body: data, // base64-encoded wrapped key blob
+  };
+}

package/dist/lib/index.d.ts

@@ -0,0 +1,7 @@
+export { ChaosKBStack, type ChaosKBStackProps } from './chaoskb-stack.js';
+export { BlobStore } from './constructs/blob-store.js';
+export { Api } from './constructs/api.js';
+export { Auth } from './constructs/auth.js';
+export { AdminDashboard } from './constructs/admin-dashboard.js';
+export { AdminApi } from './constructs/admin-api.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,KAAK,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AACvD,OAAO,EAAE,GAAG,EAAE,MAAM,qBAAqB,CAAC;AAC1C,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC"}

package/dist/lib/index.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminApi = exports.AdminDashboard = exports.Auth = exports.Api = exports.BlobStore = exports.ChaosKBStack = void 0;
+var chaoskb_stack_js_1 = require("./chaoskb-stack.js");
+Object.defineProperty(exports, "ChaosKBStack", { enumerable: true, get: function () { return chaoskb_stack_js_1.ChaosKBStack; } });
+var blob_store_js_1 = require("./constructs/blob-store.js");
+Object.defineProperty(exports, "BlobStore", { enumerable: true, get: function () { return blob_store_js_1.BlobStore; } });
+var api_js_1 = require("./constructs/api.js");
+Object.defineProperty(exports, "Api", { enumerable: true, get: function () { return api_js_1.Api; } });
+var auth_js_1 = require("./constructs/auth.js");
+Object.defineProperty(exports, "Auth", { enumerable: true, get: function () { return auth_js_1.Auth; } });
+var admin_dashboard_js_1 = require("./constructs/admin-dashboard.js");
+Object.defineProperty(exports, "AdminDashboard", { enumerable: true, get: function () { return admin_dashboard_js_1.AdminDashboard; } });
+var admin_api_js_1 = require("./constructs/admin-api.js");
+Object.defineProperty(exports, "AdminApi", { enumerable: true, get: function () { return admin_api_js_1.AdminApi; } });
+//# sourceMappingURL=index.js.map

package/dist/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/index.ts"],"names":[],"mappings":";;;AAAA,uDAA0E;AAAjE,gHAAA,YAAY,OAAA;AACrB,4DAAuD;AAA9C,0GAAA,SAAS,OAAA;AAClB,8CAA0C;AAAjC,6FAAA,GAAG,OAAA;AACZ,gDAA4C;AAAnC,+FAAA,IAAI,OAAA;AACb,sEAAiE;AAAxD,oHAAA,cAAc,OAAA;AACvB,0DAAqD;AAA5C,wGAAA,QAAQ,OAAA"}

package/dist/vitest.config.d.ts

@@ -0,0 +1,3 @@
+declare const _default: import("vite", { with: { "resolution-mode": "import" } }).UserConfig;
+export default _default;
+//# sourceMappingURL=vitest.config.d.ts.map

package/dist/vitest.config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vitest.config.d.ts","sourceRoot":"","sources":["../vitest.config.ts"],"names":[],"mappings":";AAEA,wBAaG"}

package/dist/vitest.config.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const config_1 = require("vitest/config");
+exports.default = (0, config_1.defineConfig)({
+    test: {
+        include: ['**/__tests__/**/*.test.ts'],
+        coverage: {
+            provider: 'v8',
+            reporter: ['text', 'lcov'],
+            thresholds: {
+                lines: 80,
+                branches: 80,
+                functions: 80,
+            },
+        },
+    },
+});
+//# sourceMappingURL=vitest.config.js.map

package/dist/vitest.config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vitest.config.js","sourceRoot":"","sources":["../vitest.config.ts"],"names":[],"mappings":";;AAAA,0CAA6C;AAE7C,kBAAe,IAAA,qBAAY,EAAC;IAC1B,IAAI,EAAE;QACJ,OAAO,EAAE,CAAC,2BAA2B,CAAC;QACtC,QAAQ,EAAE;YACR,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC;YAC1B,UAAU,EAAE;gBACV,KAAK,EAAE,EAAE;gBACT,QAAQ,EAAE,EAAE;gBACZ,SAAS,EAAE,EAAE;aACd;SACF;KACF;CACF,CAAC,CAAC"}