@elevasis/core 0.11.2 → 0.12.0

package/src/auth/multi-tenancy/credentials/server/encryption.ts

@@ -1,39 +1,83 @@
-import crypto from 'crypto'
-
-const MASTER_KEY = process.env.SECRETS_ENCRYPTION_KEY
-const ALGORITHM = 'aes-256-gcm'
-
-interface EncryptedData {
-  iv: string
-  authTag: string
-  data: string
-}
-
-export function encryptCredential(plaintext: string): string {
-  if (!MASTER_KEY) {
-    throw new Error('SECRETS_ENCRYPTION_KEY not configured')
-  }
-
-  const iv = crypto.randomBytes(16)
-  const cipher = crypto.createCipheriv(ALGORITHM, Buffer.from(MASTER_KEY, 'hex'), iv)
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
-  const authTag = cipher.getAuthTag()
-
-  return JSON.stringify({
-    iv: iv.toString('base64'),
-    authTag: authTag.toString('base64'),
-    data: encrypted.toString('base64')
-  })
-}
-
-export function decryptCredential(encrypted: string): string {
-  if (!MASTER_KEY) {
-    throw new Error('SECRETS_ENCRYPTION_KEY not configured')
-  }
-
-  const { iv, authTag, data } = JSON.parse(encrypted) as EncryptedData
-  const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(MASTER_KEY, 'hex'), Buffer.from(iv, 'base64'))
-  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
-
-  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
-}
+import crypto from 'crypto'
+
+const ALGORITHM = 'aes-256-gcm'
+
+// keyId stamped on all newly encrypted ciphertexts.
+export const CURRENT_KEY_ID = 'platform-v1'
+
+// Implicit keyId for pre-Vault ciphertext rows that were encrypted before this
+// field existed. The kek-loader registers the legacy SECRETS_ENCRYPTION_KEY env
+// value under this id during the migration window so existing rows decrypt
+// until the re-encryption script (B4) restamps them with CURRENT_KEY_ID.
+export const LEGACY_KEY_ID = 'platform-v0-legacy'
+
+interface EncryptedData {
+  iv: string
+  authTag: string
+  data: string
+  keyId?: string
+}
+
+const kekMap = new Map<string, Buffer>()
+
+export function setKek(keyId: string, key: Buffer): void {
+  if (key.length !== 32) {
+    throw new Error(`KEK must be 32 bytes (256 bits); got ${key.length}`)
+  }
+  kekMap.set(keyId, key)
+}
+
+export function clearKeks(): void {
+  kekMap.clear()
+}
+
+function resolveKek(keyId: string): Buffer | undefined {
+  const cached = kekMap.get(keyId)
+  if (cached) return cached
+
+  // Non-production fallback: bootstrap from SECRETS_ENCRYPTION_KEY so tests and
+  // local dev keep working without an explicit setKek() boot step. Production
+  // must register KEKs via the kek-loader; the env var is removed in Wave B5.
+  if (process.env.NODE_ENV !== 'production' && process.env.SECRETS_ENCRYPTION_KEY) {
+    const envKey = Buffer.from(process.env.SECRETS_ENCRYPTION_KEY, 'hex')
+    if (envKey.length === 32) {
+      kekMap.set(keyId, envKey)
+      return envKey
+    }
+  }
+
+  return undefined
+}
+
+export function encryptCredential(plaintext: string): string {
+  const key = resolveKek(CURRENT_KEY_ID)
+  if (!key) {
+    throw new Error(`Encryption KEK '${CURRENT_KEY_ID}' not loaded; call setKek() at boot`)
+  }
+
+  const iv = crypto.randomBytes(16)
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
+  const authTag = cipher.getAuthTag()
+
+  return JSON.stringify({
+    iv: iv.toString('base64'),
+    authTag: authTag.toString('base64'),
+    data: encrypted.toString('base64'),
+    keyId: CURRENT_KEY_ID
+  })
+}
+
+export function decryptCredential(encrypted: string): string {
+  const { iv, authTag, data, keyId } = JSON.parse(encrypted) as EncryptedData
+  const resolvedKeyId = keyId ?? LEGACY_KEY_ID
+  const key = resolveKek(resolvedKeyId)
+  if (!key) {
+    throw new Error(`Decryption KEK '${resolvedKeyId}' not loaded`)
+  }
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'base64'))
+  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
+
+  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
+}

package/src/auth/multi-tenancy/credentials/server/kek-loader.ts

@@ -0,0 +1,47 @@
+import { getSupabaseClient } from '../../../../supabase/server/client'
+import { setKek, CURRENT_KEY_ID, LEGACY_KEY_ID } from './encryption'
+
+let loaded = false
+
+/**
+ * Loads the platform credential KEK from Supabase Vault and registers it under
+ * `CURRENT_KEY_ID` ('platform-v1'). During the migration window, also registers
+ * the legacy `SECRETS_ENCRYPTION_KEY` env var under `LEGACY_KEY_ID` so existing
+ * ciphertext rows (no `keyId` field) can still be decrypted.
+ *
+ * Idempotent: subsequent calls are no-ops.
+ *
+ * Fails fast on missing / malformed Vault KEK so misconfigured deploys do not
+ * silently fall through to env-only encryption.
+ */
+export async function loadCredentialKEKs(): Promise<void> {
+  if (loaded) return
+
+  const supabase = await getSupabaseClient()
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- RPC isn't in generated types yet (run `supabase gen types` post-merge)
+  const { data, error } = await (supabase.rpc as any)('get_platform_credential_kek')
+  if (error) {
+    throw new Error(
+      `Failed to load platform credential KEK from Vault: ${error.message}. ` +
+        `Did you run provision-credential-kek.sql against this environment?`
+    )
+  }
+  if (typeof data !== 'string' || data.length === 0) {
+    throw new Error('Vault returned null/empty platform credential KEK')
+  }
+  const vaultKek = Buffer.from(data, 'hex')
+  if (vaultKek.length !== 32) {
+    throw new Error(`Vault KEK is ${vaultKek.length} bytes, expected 32`)
+  }
+  setKek(CURRENT_KEY_ID, vaultKek)
+
+  const legacyHex = process.env.SECRETS_ENCRYPTION_KEY
+  if (legacyHex) {
+    const legacyKey = Buffer.from(legacyHex, 'hex')
+    if (legacyKey.length === 32) {
+      setKek(LEGACY_KEY_ID, legacyKey)
+    }
+  }
+
+  loaded = true
+}

package/src/auth/multi-tenancy/index.ts

@@ -4,6 +4,9 @@ export * from './types'
 // Permission catalog (canonical PERMISSIONS constant + types)
 export * from './permissions'
 
+// Role management schemas
+export * from './role-management/index'
+
 // Organization types
 export * from './organizations/index'
 

package/src/auth/multi-tenancy/invitations/api-schemas.ts

@@ -1,107 +1,104 @@
-/**
- * Invitations Domain - Zod Validation Schemas
- *
- * Validation schemas for invitation management endpoints.
- * Includes request bodies, query params, and path params.
- *
- * Security:
- * - All schemas use .strict() to prevent mass assignment attacks
- * - Email validation prevents header injection
- * - Role enum validation prevents privilege escalation
- * - organizationId from JWT (not accepted in body for protected routes)
- */
-
-import { z } from 'zod'
-import { EmailSchema } from '../../../platform/utils/validation'
-import { MembershipRoleSchema } from '../memberships/api-schemas'
-
-// ============================================================================
-// Path Parameters
-// ============================================================================
-
-/**
- * Validate invitation ID in URL path
- * Used by: GET/DELETE /invitations/:id
- */
-export const InvitationIdParamSchema = z
-  .object({
-    id: z.string().min(1) // WorkOS invitation IDs
-  })
-  .strict()
-
-// ============================================================================
-// Request Bodies
-// ============================================================================
-
-/**
- * Send new invitation
- * POST /invitations
- *
- * Security:
- * - Email format validated (prevents header injection)
- * - Role enum prevents privilege escalation
- * - expiresInDays bounded (1-90 days)
- * - organizationId NOT in body (from JWT via requireOrganization middleware)
- */
-export const SendInvitationSchema = z
-  .object({
-    email: EmailSchema,
-    organizationId: z.string().optional(), // For WorkOS API - but typically from JWT
-    roleSlug: MembershipRoleSchema.default('member'),
-    expiresInDays: z.number().int().min(1).max(90).default(7)
-  })
-  .strict()
-
-/**
- * Accept invitation by token
- * POST /invitations/accept
- *
- * Security:
- * - Token validated (non-empty string)
- */
-export const AcceptInvitationSchema = z
-  .object({
-    invitation_token: z.string().min(1, 'Invitation token is required')
-  })
-  .strict()
-
-// ============================================================================
-// Query Parameters
-// ============================================================================
-
-/**
- * List invitations with filters
- * GET /invitations
- *
- * Filters:
- * - organizationId: Filter by organization
- * - email: Filter by email
- *
- * Security:
- * - Requires organizationId or userId filter
- * - Email validated
- */
-export const ListInvitationsQuerySchema = z
-  .object({
-    organizationId: z.string().optional(),
-    userId: z.string().optional(),
-    email: EmailSchema.optional(),
-    limit: z.coerce.number().int().min(1).max(100).optional(),
-    before: z.string().optional(), // WorkOS pagination cursor
-    after: z.string().optional()   // WorkOS pagination cursor
-  })
-  .strict()
-  .refine(
-    (data) => data.organizationId || data.userId,
-    { message: 'Either organizationId or userId must be provided' }
-  )
-
-// ============================================================================
-// TypeScript Type Exports
-// ============================================================================
-
-// Export inferred types for use in route handlers
-export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
-export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
-export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
-export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>
+/**
+ * Invitations Domain - Zod Validation Schemas
+ *
+ * Validation schemas for invitation management endpoints.
+ * Includes request bodies, query params, and path params.
+ *
+ * Security:
+ * - All schemas use .strict() to prevent mass assignment attacks
+ * - Email validation prevents header injection
+ * - Role enum validation prevents privilege escalation
+ * - organizationId from JWT (not accepted in body for protected routes)
+ */
+
+import { z } from 'zod'
+import { EmailSchema } from '../../../platform/utils/validation'
+import { MembershipRoleSchema } from '../memberships/api-schemas'
+
+// ============================================================================
+// Path Parameters
+// ============================================================================
+
+/**
+ * Validate invitation ID in URL path
+ * Used by: GET/DELETE /invitations/:id
+ */
+export const InvitationIdParamSchema = z
+  .object({
+    id: z.string().min(1) // WorkOS invitation IDs
+  })
+  .strict()
+
+// ============================================================================
+// Request Bodies
+// ============================================================================
+
+/**
+ * Send new invitation
+ * POST /invitations
+ *
+ * Security:
+ * - Email format validated (prevents header injection)
+ * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
+ * - expiresInDays bounded (1-90 days)
+ * - organizationId NOT in body (from JWT via requireOrganization middleware)
+ */
+export const SendInvitationSchema = z
+  .object({
+    email: EmailSchema,
+    organizationId: z.string().optional(), // For WorkOS API - but typically from JWT
+    roleSlug: MembershipRoleSchema.default('member'),
+    expiresInDays: z.number().int().min(1).max(90).default(7)
+  })
+  .strict()
+
+/**
+ * Accept invitation by token
+ * POST /invitations/accept
+ *
+ * Security:
+ * - Token validated (non-empty string)
+ */
+export const AcceptInvitationSchema = z
+  .object({
+    invitation_token: z.string().min(1, 'Invitation token is required')
+  })
+  .strict()
+
+// ============================================================================
+// Query Parameters
+// ============================================================================
+
+/**
+ * List invitations with filters
+ * GET /invitations
+ *
+ * Filters:
+ * - organizationId: Filter by organization
+ * - email: Filter by email
+ *
+ * Security:
+ * - Requires organizationId or userId filter
+ * - Email validated
+ */
+export const ListInvitationsQuerySchema = z
+  .object({
+    organizationId: z.string().optional(),
+    userId: z.string().optional(),
+    email: EmailSchema.optional(),
+    limit: z.coerce.number().int().min(1).max(100).optional(),
+    before: z.string().optional(), // WorkOS pagination cursor
+    after: z.string().optional() // WorkOS pagination cursor
+  })
+  .strict()
+  .refine((data) => data.organizationId || data.userId, { message: 'Either organizationId or userId must be provided' })
+
+// ============================================================================
+// TypeScript Type Exports
+// ============================================================================
+
+// Export inferred types for use in route handlers
+export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
+export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
+export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
+export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>

package/src/auth/multi-tenancy/memberships/api-schemas.ts

@@ -19,11 +19,12 @@ import { z } from 'zod'
 
 /**
  * Membership role validation
- * Restricts to valid role slugs only
+ * Accepts any non-empty role slug (max 64 chars).
  *
- * Security: Prevents privilege escalation by limiting role values
+ * Roles are now DB-driven via `org_rol_definitions`. Runtime validation
+ * against valid slugs happens at the service layer, not here.
  */
-export const MembershipRoleSchema = z.enum(['admin', 'member'])
+export const MembershipRoleSchema = z.string().min(1).max(64)
 
 /**
  * Membership status validation
@@ -73,7 +74,7 @@ export const MyOrgPermissionsResponseSchema = z.object({
  * Security:
  * - userId must be valid (string format for WorkOS)
  * - organizationId must be valid (string format for WorkOS)
- * - roleSlug enum prevents privilege escalation
+ * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
  * - Strict mode prevents injection
  */
 export const CreateMembershipSchema = z
@@ -90,7 +91,7 @@ export const CreateMembershipSchema = z
  *
  * Security:
  * - Only roleSlug can be updated
- * - Enum validation prevents privilege escalation
+ * - Service layer validates slug against org_rol_definitions
  */
 export const UpdateMembershipSchema = z
   .object({