@digilogiclabs/platform-core 1.3.0 → 1.4.0

package/dist/testing.mjs

@@ -346,6 +346,7 @@ var init_IAI = __esm({
 });
 
 // src/interfaces/IRAG.ts
+import { randomBytes as randomBytes6 } from "crypto";
 var ChunkingPresets, MemoryRAG;
 var init_IRAG = __esm({
   "src/interfaces/IRAG.ts"() {
@@ -475,7 +476,7 @@ var init_IRAG = __esm({
       }
       async ingestOne(collection, document, options) {
         const startTime = Date.now();
-        const docId = `doc_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+        const docId = `doc_${Date.now()}_${randomBytes6(4).toString("hex")}`;
         const now = /* @__PURE__ */ new Date();
         try {
           const col = await this.getCollection(collection);
@@ -1356,6 +1357,7 @@ var MemoryEmail = class {
 };
 
 // src/interfaces/IQueue.ts
+import { randomBytes } from "crypto";
 function calculateBackoff(attempt, options) {
   if (options.type === "fixed") {
     return options.delay;
@@ -1366,19 +1368,20 @@ function calculateBackoff(attempt, options) {
 }
 function generateJobId() {
   const timestamp = Date.now().toString(36);
-  const random = Math.random().toString(36).substring(2, 10);
+  const random = randomBytes(4).toString("hex");
   return `job_${timestamp}_${random}`;
 }
 
 // src/context/CorrelationContext.ts
 import { AsyncLocalStorage } from "async_hooks";
+import { randomBytes as randomBytes2 } from "crypto";
 var CorrelationContextManager = class {
   storage = new AsyncLocalStorage();
   idGenerator;
   constructor() {
     this.idGenerator = () => {
       const timestamp = Date.now().toString(36);
-      const random = Math.random().toString(36).substring(2, 10);
+      const random = randomBytes2(4).toString("hex");
       return `${timestamp}-${random}`;
     };
   }
@@ -1984,10 +1987,11 @@ var MemoryQueue = class {
 };
 
 // src/adapters/console/ConsoleEmail.ts
+import { randomBytes as randomBytes3 } from "crypto";
 var ConsoleEmail = class {
   sentEmails = [];
   async send(message) {
-    const id = `console_${Date.now()}_${Math.random().toString(36).slice(2, 9)}`;
+    const id = `console_${Date.now()}_${randomBytes3(4).toString("hex")}`;
     console.log("\n" + "=".repeat(60));
     console.log("\u{1F4E7} EMAIL SENT (Console Adapter)");
     console.log("=".repeat(60));
@@ -2062,6 +2066,7 @@ var ConsoleEmail = class {
 };
 
 // src/interfaces/ISecrets.ts
+import { randomBytes as randomBytes4 } from "crypto";
 var EnvSecrets = class {
   prefix;
   cache = /* @__PURE__ */ new Map();
@@ -2262,12 +2267,7 @@ var MemorySecrets = class {
     return true;
   }
   generateSecureValue(length = 32) {
-    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";
-    let result = "";
-    for (let i = 0; i < length; i++) {
-      result += chars[Math.floor(Math.random() * chars.length)];
-    }
-    return result;
+    return randomBytes4(length).toString("base64url").slice(0, length);
   }
   /**
    * Clear all secrets (for testing)
@@ -2477,6 +2477,25 @@ var RAGConfigSchema = z.object({
     message: "Pinecone requires apiKey and indexName; Weaviate requires host"
   }
 );
+var CryptoConfigSchema = z.object({
+  enabled: z.boolean().default(false).describe("Enable field-level encryption"),
+  masterKey: z.string().optional().describe("256-bit master key as hex (64 chars). Required when enabled."),
+  hmacKey: z.string().optional().describe("HMAC key for deterministic hashing (derived from master key if not provided)")
+}).refine(
+  (data) => {
+    if (data.enabled) {
+      return data.masterKey && data.masterKey.length >= 64;
+    }
+    return true;
+  },
+  {
+    message: "Crypto requires a 256-bit master key (64 hex characters) when enabled"
+  }
+);
+var SecurityConfigSchema = z.object({
+  enforceTls: z.boolean().default(true).describe("Enforce TLS for production connections"),
+  tlsWarnOnly: z.boolean().default(false).describe("Warn instead of throwing when TLS is missing in production")
+});
 var RetryConfigSchema = z.object({
   enabled: z.boolean().default(true).describe("Enable retry for failed operations"),
   maxAttempts: z.number().int().min(1).max(10).default(3).describe("Maximum retry attempts"),
@@ -2566,6 +2585,10 @@ var PlatformConfigSchema = z.object({
   // AI configurations
   ai: AIConfigSchema.default({ enabled: false }),
   rag: RAGConfigSchema.default({ enabled: false }),
+  // Crypto configuration
+  crypto: CryptoConfigSchema.default({ enabled: false }),
+  // Security configuration
+  security: SecurityConfigSchema.default({}),
   // Resilience configuration
   resilience: ResilienceConfigSchema.default({}),
   // Observability configuration
@@ -2643,6 +2666,15 @@ function loadConfig() {
       embeddingApiKey: process.env.EMBEDDING_API_KEY || process.env.OPENAI_API_KEY,
       embeddingModel: process.env.EMBEDDING_MODEL
     },
+    crypto: {
+      enabled: process.env.CRYPTO_ENABLED === "true",
+      masterKey: process.env.CRYPTO_MASTER_KEY,
+      hmacKey: process.env.CRYPTO_HMAC_KEY
+    },
+    security: {
+      enforceTls: process.env.SECURITY_ENFORCE_TLS !== "false",
+      tlsWarnOnly: process.env.SECURITY_TLS_WARN_ONLY === "true"
+    },
     resilience: {
       retry: {
         enabled: process.env.RESILIENCE_RETRY_ENABLED !== "false",
@@ -2693,6 +2725,7 @@ function loadConfig() {
 }
 
 // src/interfaces/ITracing.ts
+import { randomBytes as randomBytes5 } from "crypto";
 var MemorySpan = class {
   name;
   context;
@@ -2712,7 +2745,7 @@ var MemorySpan = class {
     };
   }
   generateSpanId() {
-    return Math.random().toString(16).substring(2, 18).padStart(16, "0");
+    return randomBytes5(8).toString("hex");
   }
   setAttribute(key, value) {
     this._attributes[key] = value;
@@ -2772,7 +2805,7 @@ var MemoryTracing = class {
     this.traceId = this.generateTraceId();
   }
   generateTraceId() {
-    return Math.random().toString(16).substring(2, 34).padStart(32, "0");
+    return randomBytes5(16).toString("hex");
   }
   startSpan(name, options) {
     const span = new MemorySpan(
@@ -3212,6 +3245,147 @@ var NoopMetrics = class {
 // src/factory.ts
 init_IAI();
 init_IRAG();
+
+// src/adapters/memory/MemoryCrypto.ts
+import { randomBytes as randomBytes7, createCipheriv, createDecipheriv, createHmac } from "crypto";
+var MemoryCrypto = class {
+  keys = /* @__PURE__ */ new Map();
+  activeKeyId;
+  hmacKey;
+  constructor(options) {
+    const masterKeyBuf = options?.masterKey ? Buffer.from(options.masterKey, "hex") : randomBytes7(32);
+    this.hmacKey = options?.hmacKey ? Buffer.from(options.hmacKey, "hex") : randomBytes7(32);
+    const keyId = this.generateKeyId();
+    this.keys.set(keyId, {
+      id: keyId,
+      key: masterKeyBuf,
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = keyId;
+  }
+  async encrypt(plaintext, options) {
+    const keyId = options?.keyId || this.activeKeyId;
+    const stored = this.keys.get(keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired: ${keyId}`);
+    }
+    if (stored.status === "decrypt-only" && !options?.keyId) {
+      throw new Error(`Key is decrypt-only: ${keyId}`);
+    }
+    const iv = randomBytes7(12);
+    const cipher = createCipheriv("aes-256-gcm", stored.key, iv);
+    if (options?.aad) {
+      cipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, "utf8"),
+      cipher.final()
+    ]);
+    const tag = cipher.getAuthTag();
+    return {
+      ciphertext: encrypted.toString("base64"),
+      iv: iv.toString("base64"),
+      tag: tag.toString("base64"),
+      keyId,
+      algorithm: "aes-256-gcm",
+      version: 1
+    };
+  }
+  async decrypt(field, options) {
+    const stored = this.keys.get(field.keyId);
+    if (!stored) {
+      throw new Error(`Key not found: ${field.keyId}`);
+    }
+    if (stored.status === "retired") {
+      throw new Error(`Key is retired and cannot decrypt: ${field.keyId}`);
+    }
+    const decipher = createDecipheriv(
+      "aes-256-gcm",
+      stored.key,
+      Buffer.from(field.iv, "base64")
+    );
+    decipher.setAuthTag(Buffer.from(field.tag, "base64"));
+    if (options?.aad) {
+      decipher.setAAD(Buffer.from(options.aad, "utf8"));
+    }
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(field.ciphertext, "base64")),
+      decipher.final()
+    ]);
+    return decrypted.toString("utf8");
+  }
+  async encryptDeterministic(plaintext, options) {
+    const hash = await this.computeHash(plaintext);
+    const encrypted = await this.encrypt(plaintext, options);
+    return { hash, encrypted };
+  }
+  async computeHash(plaintext) {
+    return createHmac("sha256", this.hmacKey).update(plaintext, "utf8").digest("hex");
+  }
+  async encryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.encrypt(value, options);
+    }
+    return result;
+  }
+  async decryptBatch(fields, options) {
+    const result = {};
+    for (const [key, value] of Object.entries(fields)) {
+      result[key] = await this.decrypt(value, options);
+    }
+    return result;
+  }
+  async rotateKey() {
+    const previousKeyId = this.activeKeyId;
+    const currentKey = this.keys.get(previousKeyId);
+    if (currentKey) {
+      currentKey.status = "decrypt-only";
+    }
+    const newKeyId = this.generateKeyId();
+    this.keys.set(newKeyId, {
+      id: newKeyId,
+      key: randomBytes7(32),
+      status: "active",
+      createdAt: /* @__PURE__ */ new Date()
+    });
+    this.activeKeyId = newKeyId;
+    return { newKeyId, previousKeyId };
+  }
+  async reEncrypt(field, options) {
+    const plaintext = await this.decrypt(field);
+    return this.encrypt(plaintext, options);
+  }
+  async listKeys() {
+    return Array.from(this.keys.values()).map((k) => ({
+      keyId: k.id,
+      createdAt: k.createdAt,
+      status: k.status
+    }));
+  }
+  async getActiveKeyId() {
+    return this.activeKeyId;
+  }
+  async healthCheck() {
+    try {
+      const testPlain = "health-check-test";
+      const encrypted = await this.encrypt(testPlain);
+      const decrypted = await this.decrypt(encrypted);
+      return decrypted === testPlain;
+    } catch {
+      return false;
+    }
+  }
+  generateKeyId() {
+    return `key_${randomBytes7(8).toString("hex")}`;
+  }
+};
+
+// src/factory.ts
 function createLogger(config) {
   if (!config.observability.logging) {
     return new NoopLogger();
@@ -3246,6 +3420,7 @@ function createPlatform(config) {
   const tracing = finalConfig.observability.tracing.provider === "memory" ? new MemoryTracing() : new NoopTracing();
   const ai = finalConfig.ai.enabled ? new MemoryAI() : null;
   const rag = finalConfig.rag.enabled ? new MemoryRAG() : null;
+  const crypto2 = finalConfig.crypto.enabled ? new MemoryCrypto() : null;
   return createPlatformFromAdapters(
     db,
     cache,
@@ -3256,10 +3431,11 @@ function createPlatform(config) {
     metrics,
     tracing,
     ai,
-    rag
+    rag,
+    crypto2
   );
 }
-function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag) {
+function createPlatformFromAdapters(db, cache, storage, email, queue, logger, metrics, tracing, ai, rag, crypto2) {
   const platform = {
     db,
     cache,
@@ -3313,6 +3489,9 @@ function createPlatformFromAdapters(db, cache, storage, email, queue, logger, me
   if (rag) {
     platform.rag = rag;
   }
+  if (crypto2) {
+    platform.crypto = crypto2;
+  }
   return platform;
 }
 function deepMerge(target, source) {