@digilogiclabs/platform-core 1.2.0 → 1.4.0

package/dist/testing.mjs

@@ -346,6 +346,7 @@ var init_IAI = __esm({
 });
 
 // src/interfaces/IRAG.ts
+import { randomBytes as randomBytes6 } from "crypto";
 var ChunkingPresets, MemoryRAG;
 var init_IRAG = __esm({
   "src/interfaces/IRAG.ts"() {
@@ -475,7 +476,7 @@ var init_IRAG = __esm({
       }
       async ingestOne(collection, document, options) {
         const startTime = Date.now();
-        const docId = `doc_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+        const docId = `doc_${Date.now()}_${randomBytes6(4).toString("hex")}`;
         const now = /* @__PURE__ */ new Date();
         try {
           const col = await this.getCollection(collection);
@@ -1126,7 +1127,11 @@ var MemoryQueryBuilder = class {
       const updated = [];
       const newTable = table.map((item) => {
         if (this.matchesWhere(item)) {
-          const updatedItem = { ...item, ...this._updateData, updated_at: (/* @__PURE__ */ new Date()).toISOString() };
+          const updatedItem = {
+            ...item,
+            ...this._updateData,
+            updated_at: (/* @__PURE__ */ new Date()).toISOString()
+          };
           updated.push(updatedItem);
           return updatedItem;
         }
@@ -1141,8 +1146,10 @@ var MemoryQueryBuilder = class {
       result.sort((a, b) => {
         const aVal = a[column];
         const bVal = b[column];
-        if (aVal === null || aVal === void 0) return direction === "asc" ? 1 : -1;
-        if (bVal === null || bVal === void 0) return direction === "asc" ? -1 : 1;
+        if (aVal === null || aVal === void 0)
+          return direction === "asc" ? 1 : -1;
+        if (bVal === null || bVal === void 0)
+          return direction === "asc" ? -1 : 1;
         const cmp = aVal < bVal ? -1 : aVal > bVal ? 1 : 0;
         return direction === "asc" ? cmp : -cmp;
       });
@@ -1223,7 +1230,9 @@ var MemoryCache = class {
     return Promise.all(keys.map((key) => this.get(key)));
   }
   async mset(entries) {
-    await Promise.all(entries.map(({ key, value, ttl }) => this.set(key, value, ttl)));
+    await Promise.all(
+      entries.map(({ key, value, ttl }) => this.set(key, value, ttl))
+    );
   }
   async incr(key, by = 1) {
     const current = await this.get(key) || 0;
@@ -1272,7 +1281,10 @@ var MemoryCache = class {
 var MemoryStorage = class {
   files = /* @__PURE__ */ new Map();
   async upload(key, data, options) {
-    this.files.set(key, { data: Buffer.from("mock"), contentType: options?.contentType });
+    this.files.set(key, {
+      data: Buffer.from("mock"),
+      contentType: options?.contentType
+    });
     return { url: "memory://" + key };
   }
   async download(key) {
@@ -1345,6 +1357,7 @@ var MemoryEmail = class {
 };
 
 // src/interfaces/IQueue.ts
+import { randomBytes } from "crypto";
 function calculateBackoff(attempt, options) {
   if (options.type === "fixed") {
     return options.delay;
@@ -1355,19 +1368,20 @@ function calculateBackoff(attempt, options) {
 }
 function generateJobId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes(4).toString("hex");
   return `job_${timestamp}_${random}`;
 }
 
 // src/context/CorrelationContext.ts
 import { AsyncLocalStorage } from "async_hooks";
+import { randomBytes as randomBytes2 } from "crypto";
 var CorrelationContextManager = class {
   storage = new AsyncLocalStorage();
   idGenerator;
   constructor() {
     this.idGenerator = () => {
       const timestamp = Date.now().toString(36);
-      const random = Math.random().toString(36).substring(2, 10);
+      const random = randomBytes2(4).toString("hex");
       return `${timestamp}-${random}`;
     };
   }
@@ -1973,16 +1987,19 @@ var MemoryQueue = class {
 };
 
 // src/adapters/console/ConsoleEmail.ts
+import { randomBytes as randomBytes3 } from "crypto";
 var ConsoleEmail = class {
   sentEmails = [];
   async send(message) {
-    const id = `console_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+    const id = `console_${Date.now()}_${randomBytes3(4).toString("hex")}`;
     console.log("\n" + "=".repeat(60));
     console.log("\u{1F4E7} EMAIL SENT (Console Adapter)");
     console.log("=".repeat(60));
     console.log(`ID:      ${id}`);
     console.log(`To:      ${this.formatAddresses(message.to)}`);
-    console.log(`From:    ${message.from ? this.formatAddress(message.from) : "(default)"}`);
+    console.log(
+      `From:    ${message.from ? this.formatAddress(message.from) : "(default)"}`
+    );
     console.log(`Subject: ${message.subject}`);
     if (message.replyTo) {
       console.log(`Reply-To: ${this.formatAddress(message.replyTo)}`);
@@ -1991,15 +2008,21 @@ var ConsoleEmail = class {
       console.log(`Tags:    ${message.tags.join(", ")}`);
     }
     if (message.attachments && message.attachments.length > 0) {
-      console.log(`Attachments: ${message.attachments.map((a) => a.filename).join(", ")}`);
+      console.log(
+        `Attachments: ${message.attachments.map((a) => a.filename).join(", ")}`
+      );
     }
     console.log("-".repeat(60));
     if (message.text) {
       console.log("TEXT BODY:");
-      console.log(message.text.slice(0, 500) + (message.text.length > 500 ? "\n...(truncated)" : ""));
+      console.log(
+        message.text.slice(0, 500) + (message.text.length > 500 ? "\n...(truncated)" : "")
+      );
     }
     if (message.html) {
-      console.log("HTML BODY: [HTML content - " + message.html.length + " chars]");
+      console.log(
+        "HTML BODY: [HTML content - " + message.html.length + " chars]"
+      );
     }
     console.log("=".repeat(60) + "\n");
     this.sentEmails.push(message);
@@ -2043,6 +2066,7 @@ var ConsoleEmail = class {
 };
 
 // src/interfaces/ISecrets.ts
+import { randomBytes as randomBytes4 } from "crypto";
 var EnvSecrets = class {
   prefix;
   cache = /* @__PURE__ */ new Map();
@@ -2243,12 +2267,7 @@ var MemorySecrets = class {
     return true;
   }
   generateSecureValue(length = 32) {
-    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
-    let result = "";
-    for (let i = 0; i < length; i++) {
-      result += chars[Math.floor(Math.random() * chars.length)];
-    }
-    return result;
+    return randomBytes4(length).toString("base64url").slice(0, length);
   }
   /**
    * Clear all secrets (for testing)
@@ -2267,14 +2286,34 @@ var MemorySecrets = class {
 
 // src/config.ts
 import { z } from "zod";
-var DatabaseProviderSchema = z.enum(["memory", "postgres", "supabase"]);
+var DatabaseProviderSchema = z.enum([
+  "memory",
+  "postgres",
+  "supabase"
+]);
 var CacheProviderSchema = z.enum(["memory", "redis", "upstash"]);
-var StorageProviderSchema = z.enum(["memory", "s3", "minio", "r2", "supabase"]);
-var EmailProviderSchema = z.enum(["memory", "console", "smtp", "resend"]);
+var StorageProviderSchema = z.enum([
+  "memory",
+  "s3",
+  "minio",
+  "r2",
+  "supabase"
+]);
+var EmailProviderSchema = z.enum([
+  "memory",
+  "console",
+  "smtp",
+  "resend"
+]);
 var QueueProviderSchema = z.enum(["memory", "bullmq"]);
 var TracingProviderSchema = z.enum(["noop", "memory", "otlp"]);
 var LogLevelSchema = z.enum(["debug", "info", "warn", "error"]);
-var AIProviderSchema = z.enum(["memory", "openai", "anthropic", "google"]);
+var AIProviderSchema = z.enum([
+  "memory",
+  "openai",
+  "anthropic",
+  "google"
+]);
 var RAGProviderSchema = z.enum(["memory", "pinecone", "weaviate"]);
 var DatabaseConfigSchema = z.object({
   provider: DatabaseProviderSchema.default("memory"),
@@ -2285,7 +2324,10 @@ var DatabaseConfigSchema = z.object({
   supabaseServiceRoleKey: z.string().optional().describe("Supabase service role key"),
   poolSize: z.number().int().min(1).max(100).default(10).describe("Connection pool size"),
   connectionTimeout: z.number().int().min(1e3).max(6e4).default(5e3).describe("Connection timeout in ms"),
-  ssl: z.union([z.boolean(), z.object({ rejectUnauthorized: z.boolean().optional() })]).optional().describe("SSL configuration")
+  ssl: z.union([
+    z.boolean(),
+    z.object({ rejectUnauthorized: z.boolean().optional() })
+  ]).optional().describe("SSL configuration")
 }).refine(
   (data) => {
     if (data.provider === "supabase") {
@@ -2416,7 +2458,9 @@ var RAGConfigSchema = z.object({
   indexName: z.string().optional().describe("Pinecone index name or Weaviate class"),
   namespace: z.string().optional().describe("Default namespace"),
   host: z.string().url().optional().describe("Weaviate host URL"),
-  embeddingProvider: AIProviderSchema.default("memory").describe("Provider for generating embeddings"),
+  embeddingProvider: AIProviderSchema.default("memory").describe(
+    "Provider for generating embeddings"
+  ),
   embeddingApiKey: z.string().optional().describe("API key for embedding provider"),
   embeddingModel: z.string().optional().describe("Model for generating embeddings")
 }).refine(
@@ -2433,6 +2477,25 @@ var RAGConfigSchema = z.object({
     message: "Pinecone requires apiKey and indexName; Weaviate requires host"
   }
 );
+var CryptoConfigSchema = z.object({
+  enabled: z.boolean().default(false).describe("Enable field-level encryption"),
+  masterKey: z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
+  hmacKey: z.string().optional().describe("HMAC key for deterministic hashing (derived from master key if not provided)")
+}).refine(
+  (data) => {
+    if (data.enabled) {
+      return data.masterKey && data.masterKey.length >= 64;
+    }
+    return true;
+  },
+  {
+    message: "Crypto requires a 256-bit master key (64 hex characters) when enabled"
+  }
+);
+var SecurityConfigSchema = z.object({
+  enforceTls: z.boolean().default(true).describe("Enforce TLS for production connections"),
+  tlsWarnOnly: z.boolean().default(false).describe("Warn instead of throwing when TLS is missing in production")
+});
 var RetryConfigSchema = z.object({
   enabled: z.boolean().default(true).describe("Enable retry for failed operations"),
   maxAttempts: z.number().int().min(1).max(10).default(3).describe("Maximum retry attempts"),
@@ -2522,6 +2585,10 @@ var PlatformConfigSchema = z.object({
   // AI configurations
   ai: AIConfigSchema.default({ enabled: false }),
   rag: RAGConfigSchema.default({ enabled: false }),
+  // Crypto configuration
+  crypto: CryptoConfigSchema.default({ enabled: false }),
+  // Security configuration
+  security: SecurityConfigSchema.default({}),
   // Resilience configuration
   resilience: ResilienceConfigSchema.default({}),
   // Observability configuration
@@ -2599,6 +2666,15 @@ function loadConfig() {
       embeddingApiKey: process.env.EMBEDDING_API_KEY || process.env.OPENAI_API_KEY,
       embeddingModel: process.env.EMBEDDING_MODEL
     },
+    crypto: {
+      enabled: process.env.CRYPTO_ENABLED === "true",
+      masterKey: process.env.CRYPTO_MASTER_KEY,
+      hmacKey: process.env.CRYPTO_HMAC_KEY
+    },
+    security: {
+      enforceTls: process.env.SECURITY_ENFORCE_TLS !== "false",
+      tlsWarnOnly: process.env.SECURITY_TLS_WARN_ONLY === "true"
+    },
     resilience: {
       retry: {
         enabled: process.env.RESILIENCE_RETRY_ENABLED !== "false",
@@ -2649,6 +2725,7 @@ function loadConfig() {
 }
 
 // src/interfaces/ITracing.ts
+import { randomBytes as randomBytes5 } from "crypto";
 var MemorySpan = class {
   name;
   context;
@@ -2668,7 +2745,7 @@ var MemorySpan = class {
     };
   }
   generateSpanId() {
-    return Math.random().toString(16).substring(2, 18).padStart(16, "0");
+    return randomBytes5(8).toString("hex");
   }
   setAttribute(key, value) {
     this._attributes[key] = value;
@@ -2728,7 +2805,7 @@ var MemoryTracing = class {
     this.traceId = this.generateTraceId();
   }
   generateTraceId() {
-    return Math.random().toString(16).substring(2, 34).padStart(32, "0");
+    return randomBytes5(16).toString("hex");
   }
   startSpan(name, options) {
     const span = new MemorySpan(
@@ -3168,6 +3245,147 @@ var NoopMetrics = class {
 // src/factory.ts
 init_IAI();
 init_IRAG();
+
+// src/adapters/memory/MemoryCrypto.ts
+import { randomBytes as randomBytes7, createCipheriv, createDecipheriv, createHmac } from "crypto";
+var MemoryCrypto = class {
+  keys = /* @__PURE__ */ new Map();
+  activeKeyId;
+  hmacKey;
+  constructor(options) {
+    const masterKeyBuf = options?.masterKey ? Buffer.from(options.masterKey, "hex") : randomBytes7(32);
+    this.hmacKey = options?.hmacKey ? Buffer.from(options.hmacKey, "hex") : randomBytes7(32);
+    const keyId = this.generateKeyId();
+    this.keys.set(keyId, {
+      id: keyId,
+      key: masterKeyBuf,
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = keyId;
+  }
+  async encrypt(plaintext, options) {
+    const keyId = options?.keyId || this.activeKeyId;
+    const stored = this.keys.get(keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired: ${keyId}`);
+    }
+    if (stored.status === "decrypt-only" && !options?.keyId) {
+      throw new Error(`Key is decrypt-only: ${keyId}`);
+    }
+    const iv = randomBytes7(12);
+    const cipher = createCipheriv("aes-256-gcm", stored.key, iv);
+    if (options?.aad) {
+      cipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, "utf8"),
+      cipher.final()
+    ]);
+    const tag = cipher.getAuthTag();
+    return {
+      ciphertext: encrypted.toString("base64"),
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      keyId,
+      algorithm: "aes-256-gcm",
+      version: 1
+    };
+  }
+  async decrypt(field, options) {
+    const stored = this.keys.get(field.keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${field.keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired and cannot decrypt: ${field.keyId}`);
+    }
+    const decipher = createDecipheriv(
+      "aes-256-gcm",
+      stored.key,
+      Buffer.from(field.iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(field.tag, "base64"));
+    if (options?.aad) {
+      decipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(field.ciphertext, "base64")),
+      decipher.final()
+    ]);
+    return decrypted.toString("utf8");
+  }
+  async encryptDeterministic(plaintext, options) {
+    const hash = await this.computeHash(plaintext);
+    const encrypted = await this.encrypt(plaintext, options);
+    return { hash, encrypted };
+  }
+  async computeHash(plaintext) {
+    return createHmac("sha256", this.hmacKey).update(plaintext, "utf8").digest("hex");
+  }
+  async encryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.encrypt(value, options);
+    }
+    return result;
+  }
+  async decryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.decrypt(value, options);
+    }
+    return result;
+  }
+  async rotateKey() {
+    const previousKeyId = this.activeKeyId;
+    const currentKey = this.keys.get(previousKeyId);
+    if (currentKey) {
+      currentKey.status = "decrypt-only";
+    }
+    const newKeyId = this.generateKeyId();
+    this.keys.set(newKeyId, {
+      id: newKeyId,
+      key: randomBytes7(32),
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = newKeyId;
+    return { newKeyId, previousKeyId };
+  }
+  async reEncrypt(field, options) {
+    const plaintext = await this.decrypt(field);
+    return this.encrypt(plaintext, options);
+  }
+  async listKeys() {
+    return Array.from(this.keys.values()).map((k) => ({
+      keyId: k.id,
+      createdAt: k.createdAt,
+      status: k.status
+    }));
+  }
+  async getActiveKeyId() {
+    return this.activeKeyId;
+  }
+  async healthCheck() {
+    try {
+      const testPlain = "health-check-test";
+      const encrypted = await this.encrypt(testPlain);
+      const decrypted = await this.decrypt(encrypted);
+      return decrypted === testPlain;
+    } catch {
+      return false;
+    }
+  }
+  generateKeyId() {
+    return `key_${randomBytes7(8).toString("hex")}`;
+  }
+};
+
+// src/factory.ts
 function createLogger(config) {
   if (!config.observability.logging) {
     return new NoopLogger();
@@ -3202,9 +3420,22 @@ function createPlatform(config) {
   const tracing = finalConfig.observability.tracing.provider === "memory" ? new MemoryTracing() : new NoopTracing();
   const ai = finalConfig.ai.enabled ? new MemoryAI() : null;
   const rag = finalConfig.rag.enabled ? new MemoryRAG() : null;
-  return createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag);
+  const crypto2 = finalConfig.crypto.enabled ? new MemoryCrypto() : null;
+  return createPlatformFromAdapters(
+    db,
+    cache,
+    storage,
+    email,
+    queue,
+    logger,
+    metrics,
+    tracing,
+    ai,
+    rag,
+    crypto2
+  );
 }
-function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag) {
+function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag, crypto2) {
   const platform = {
     db,
     cache,
@@ -3215,7 +3446,14 @@ function createPlatformFromAdapters(db, cache, storage, email, queue, logger, me
     metrics,
     tracing,
     async healthCheck() {
-      const [dbHealth, cacheHealth, storageHealth, emailHealth, queueHealth, tracingHealth] = await Promise.all([
+      const [
+        dbHealth,
+        cacheHealth,
+        storageHealth,
+        emailHealth,
+        queueHealth,
+        tracingHealth
+      ] = await Promise.all([
         db.healthCheck(),
         cache.healthCheck(),
         storage.healthCheck(),
@@ -3237,7 +3475,12 @@ function createPlatformFromAdapters(db, cache, storage, email, queue, logger, me
       };
     },
     async close() {
-      await Promise.all([db.close(), cache.close(), queue.close(), tracing.close()]);
+      await Promise.all([
+        db.close(),
+        cache.close(),
+        queue.close(),
+        tracing.close()
+      ]);
     }
   };
   if (ai) {
@@ -3246,6 +3489,9 @@ function createPlatformFromAdapters(db, cache, storage, email, queue, logger, me
   if (rag) {
     platform.rag = rag;
   }
+  if (crypto2) {
+    platform.crypto = crypto2;
+  }
   return platform;
 }
 function deepMerge(target, source) {
@@ -3304,7 +3550,11 @@ function createTestPlatformWithInternals() {
       };
     },
     async close() {
-      await Promise.all([memoryDb.close(), memoryCache.close(), memoryQueue.close()]);
+      await Promise.all([
+        memoryDb.close(),
+        memoryCache.close(),
+        memoryQueue.close()
+      ]);
     }
   };
   return {
@@ -3344,15 +3594,20 @@ function assertEmailSent(memoryEmail, expected) {
   const matchesTo = (emailTo, expectedTo) => {
     if (!emailTo) return false;
     if (Array.isArray(emailTo)) {
-      return emailTo.some((addr) => addr === expectedTo || typeof addr === "object" && addr.email === expectedTo);
+      return emailTo.some(
+        (addr) => addr === expectedTo || typeof addr === "object" && addr.email === expectedTo
+      );
     }
     return emailTo === expectedTo || typeof emailTo === "object" && emailTo.email === expectedTo;
   };
   const found = emails.find((email) => {
-    if (expected.to && !matchesTo(email.to, expected.to)) return false;
+    if (expected.to && !matchesTo(email.to, expected.to))
+      return false;
     if (expected.subject) {
-      if (typeof expected.subject === "string" && email.subject !== expected.subject) return false;
-      if (expected.subject instanceof RegExp && !expected.subject.test(email.subject)) return false;
+      if (typeof expected.subject === "string" && email.subject !== expected.subject)
+        return false;
+      if (expected.subject instanceof RegExp && !expected.subject.test(email.subject))
+        return false;
     }
     if (expected.bodyContains) {
       const body = email.html || email.text || "";