@elevasis/core 0.12.0 → 0.14.0

package/src/auth/multi-tenancy/credentials/__tests__/encryption.test.ts

@@ -1,216 +1,217 @@
-import { describe, it, expect } from 'vitest'
-import { encryptCredential, decryptCredential } from '../server/encryption'
-
-// Note: SECRETS_ENCRYPTION_KEY is set in vitest.config.ts env section
-// The encryption module reads it at load time
-
-describe('Credential Encryption', () =>{
-
-  describe('encryptCredential', () => {
-    it('encrypts plaintext to base64-encoded JSON string', () => {
-      const plaintext = 'my-secret-api-key'
-      const encrypted = encryptCredential(plaintext)
-
-      // Should be a valid JSON string
-      expect(() => JSON.parse(encrypted)).not.toThrow()
-
-      const parsed = JSON.parse(encrypted)
-      expect(parsed).toHaveProperty('iv')
-      expect(parsed).toHaveProperty('authTag')
-      expect(parsed).toHaveProperty('data')
-    })
-
-    it('produces different ciphertext for same input (random IV)', () => {
-      const plaintext = 'same-secret'
-
-      const encrypted1 = encryptCredential(plaintext)
-      const encrypted2 = encryptCredential(plaintext)
-
-      // Different IVs mean different ciphertext
-      expect(encrypted1).not.toBe(encrypted2)
-
-      // But both decrypt to same plaintext
-      expect(decryptCredential(encrypted1)).toBe(plaintext)
-      expect(decryptCredential(encrypted2)).toBe(plaintext)
-    })
-
-    it('handles empty string', () => {
-      const plaintext = ''
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe('')
-    })
-
-    it('handles long strings', () => {
-      const plaintext = 'x'.repeat(10000)
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('handles special characters and unicode', () => {
-      const plaintext = 'Hello 世界! 🔐 Special chars: \n\t\r"\'\\`'
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('validates key is configured at module load', () => {
-      // We can't test missing key dynamically since MASTER_KEY is set at module load
-      // Instead, verify the key is set and encryption works
-      const encrypted = encryptCredential('test')
-      expect(encrypted).toBeDefined()
-    })
-  })
-
-  describe('decryptCredential', () => {
-    it('decrypts ciphertext back to original plaintext', () => {
-      const plaintext = 'my-secret-api-key'
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('successfully decrypts with configured key', () => {
-      const encrypted = encryptCredential('test')
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe('test')
-    })
-
-    it('throws error on malformed JSON', () => {
-      expect(() => decryptCredential('not-json')).toThrow()
-    })
-
-    it('throws error on missing fields', () => {
-      const invalidData = JSON.stringify({ iv: 'abc', authTag: 'def' }) // Missing 'data'
-
-      expect(() => decryptCredential(invalidData)).toThrow()
-    })
-
-    it('throws error on tampered ciphertext', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with the data
-      parsed.data = 'tampered-data'
-      const tampered = JSON.stringify(parsed)
-
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('throws error on tampered auth tag', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with the auth tag
-      parsed.authTag = 'AAAAAAAAAAAAAAAAAAAAAA=='
-      const tampered = JSON.stringify(parsed)
-
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('detects tampering via auth tag (GCM mode)', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with just one byte of data
-      const dataBuffer = Buffer.from(parsed.data, 'base64')
-      dataBuffer[0] ^= 0x01 // Flip one bit
-      parsed.data = dataBuffer.toString('base64')
-
-      const tampered = JSON.stringify(parsed)
-
-      // GCM should detect the tampering and throw
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('throws error on invalid base64 encoding', () => {
-      const invalidData = JSON.stringify({
-        iv: 'not-valid-base64!!!',
-        authTag: 'AAAA',
-        data: 'BBBB'
-      })
-
-      expect(() => decryptCredential(invalidData)).toThrow()
-    })
-  })
-
-  describe('Round-trip encryption/decryption', () => {
-    it('preserves API key format', () => {
-      const apiKey = 'sk_test_1234567890abcdefghijklmnopqrstuvwxyz'
-      const encrypted = encryptCredential(apiKey)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(apiKey)
-    })
-
-    it('preserves database connection strings', () => {
-      const connString = 'postgresql://user:password@localhost:5432/database?sslmode=require'
-      const encrypted = encryptCredential(connString)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(connString)
-    })
-
-    it('preserves JSON credentials', () => {
-      const jsonCreds = JSON.stringify({
-        type: 'service_account',
-        project_id: 'my-project',
-        private_key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n'
-      })
-
-      const encrypted = encryptCredential(jsonCreds)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(jsonCreds)
-      expect(JSON.parse(decrypted)).toEqual(JSON.parse(jsonCreds))
-    })
-  })
-
-  describe('Security properties', () => {
-    it('uses AES-256-GCM (authenticated encryption)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Auth tag should be present (GCM mode)
-      expect(parsed.authTag).toBeDefined()
-      expect(parsed.authTag.length).toBeGreaterThan(0)
-    })
-
-    it('uses random IV for each encryption', () => {
-      const ivs = new Set()
-
-      for (let i = 0; i < 100; i++) {
-        const encrypted = encryptCredential('test')
-        const parsed = JSON.parse(encrypted)
-        ivs.add(parsed.iv)
-      }
-
-      // All IVs should be unique
-      expect(ivs.size).toBe(100)
-    })
-
-    it('IV is 16 bytes (128 bits)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Base64-encoded 16 bytes = 24 characters
-      const ivBuffer = Buffer.from(parsed.iv, 'base64')
-      expect(ivBuffer.length).toBe(16)
-    })
-
-    it('auth tag is 16 bytes (128 bits)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Base64-encoded 16 bytes = 24 characters
-      const authTagBuffer = Buffer.from(parsed.authTag, 'base64')
-      expect(authTagBuffer.length).toBe(16)
-    })
-  })
-})
+import crypto from 'crypto'
+import { describe, it, expect, beforeAll } from 'vitest'
+import { encryptCredential, decryptCredential, setKek, CURRENT_KEY_ID } from '../server/encryption'
+
+beforeAll(() => {
+  setKek(CURRENT_KEY_ID, crypto.randomBytes(32))
+})
+
+describe('Credential Encryption', () => {
+  describe('encryptCredential', () => {
+    it('encrypts plaintext to base64-encoded JSON string', () => {
+      const plaintext = 'my-secret-api-key'
+      const encrypted = encryptCredential(plaintext)
+
+      // Should be a valid JSON string
+      expect(() => JSON.parse(encrypted)).not.toThrow()
+
+      const parsed = JSON.parse(encrypted)
+      expect(parsed).toHaveProperty('iv')
+      expect(parsed).toHaveProperty('authTag')
+      expect(parsed).toHaveProperty('data')
+    })
+
+    it('produces different ciphertext for same input (random IV)', () => {
+      const plaintext = 'same-secret'
+
+      const encrypted1 = encryptCredential(plaintext)
+      const encrypted2 = encryptCredential(plaintext)
+
+      // Different IVs mean different ciphertext
+      expect(encrypted1).not.toBe(encrypted2)
+
+      // But both decrypt to same plaintext
+      expect(decryptCredential(encrypted1)).toBe(plaintext)
+      expect(decryptCredential(encrypted2)).toBe(plaintext)
+    })
+
+    it('handles empty string', () => {
+      const plaintext = ''
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe('')
+    })
+
+    it('handles long strings', () => {
+      const plaintext = 'x'.repeat(10000)
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('handles special characters and unicode', () => {
+      const plaintext = 'Hello 世界! 🔐 Special chars: \n\t\r"\'\\`'
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('validates key is configured at module load', () => {
+      // We can't test missing key dynamically since MASTER_KEY is set at module load
+      // Instead, verify the key is set and encryption works
+      const encrypted = encryptCredential('test')
+      expect(encrypted).toBeDefined()
+    })
+  })
+
+  describe('decryptCredential', () => {
+    it('decrypts ciphertext back to original plaintext', () => {
+      const plaintext = 'my-secret-api-key'
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('successfully decrypts with configured key', () => {
+      const encrypted = encryptCredential('test')
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe('test')
+    })
+
+    it('throws error on malformed JSON', () => {
+      expect(() => decryptCredential('not-json')).toThrow()
+    })
+
+    it('throws error on missing fields', () => {
+      const invalidData = JSON.stringify({ iv: 'abc', authTag: 'def' }) // Missing 'data'
+
+      expect(() => decryptCredential(invalidData)).toThrow()
+    })
+
+    it('throws error on tampered ciphertext', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with the data
+      parsed.data = 'tampered-data'
+      const tampered = JSON.stringify(parsed)
+
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('throws error on tampered auth tag', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with the auth tag
+      parsed.authTag = 'AAAAAAAAAAAAAAAAAAAAAA=='
+      const tampered = JSON.stringify(parsed)
+
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('detects tampering via auth tag (GCM mode)', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with just one byte of data
+      const dataBuffer = Buffer.from(parsed.data, 'base64')
+      dataBuffer[0] ^= 0x01 // Flip one bit
+      parsed.data = dataBuffer.toString('base64')
+
+      const tampered = JSON.stringify(parsed)
+
+      // GCM should detect the tampering and throw
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('throws error on invalid base64 encoding', () => {
+      const invalidData = JSON.stringify({
+        iv: 'not-valid-base64!!!',
+        authTag: 'AAAA',
+        data: 'BBBB'
+      })
+
+      expect(() => decryptCredential(invalidData)).toThrow()
+    })
+  })
+
+  describe('Round-trip encryption/decryption', () => {
+    it('preserves API key format', () => {
+      const apiKey = 'sk_test_1234567890abcdefghijklmnopqrstuvwxyz'
+      const encrypted = encryptCredential(apiKey)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(apiKey)
+    })
+
+    it('preserves database connection strings', () => {
+      const connString = 'postgresql://user:password@localhost:5432/database?sslmode=require'
+      const encrypted = encryptCredential(connString)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(connString)
+    })
+
+    it('preserves JSON credentials', () => {
+      const jsonCreds = JSON.stringify({
+        type: 'service_account',
+        project_id: 'my-project',
+        private_key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n'
+      })
+
+      const encrypted = encryptCredential(jsonCreds)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(jsonCreds)
+      expect(JSON.parse(decrypted)).toEqual(JSON.parse(jsonCreds))
+    })
+  })
+
+  describe('Security properties', () => {
+    it('uses AES-256-GCM (authenticated encryption)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Auth tag should be present (GCM mode)
+      expect(parsed.authTag).toBeDefined()
+      expect(parsed.authTag.length).toBeGreaterThan(0)
+    })
+
+    it('uses random IV for each encryption', () => {
+      const ivs = new Set()
+
+      for (let i = 0; i < 100; i++) {
+        const encrypted = encryptCredential('test')
+        const parsed = JSON.parse(encrypted)
+        ivs.add(parsed.iv)
+      }
+
+      // All IVs should be unique
+      expect(ivs.size).toBe(100)
+    })
+
+    it('IV is 16 bytes (128 bits)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Base64-encoded 16 bytes = 24 characters
+      const ivBuffer = Buffer.from(parsed.iv, 'base64')
+      expect(ivBuffer.length).toBe(16)
+    })
+
+    it('auth tag is 16 bytes (128 bits)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Base64-encoded 16 bytes = 24 characters
+      const authTagBuffer = Buffer.from(parsed.authTag, 'base64')
+      expect(authTagBuffer.length).toBe(16)
+    })
+  })
+})

package/src/auth/multi-tenancy/credentials/server/encryption.ts

@@ -5,10 +5,10 @@ const ALGORITHM = 'aes-256-gcm'
 // keyId stamped on all newly encrypted ciphertexts.
 export const CURRENT_KEY_ID = 'platform-v1'
 
-// Implicit keyId for pre-Vault ciphertext rows that were encrypted before this
-// field existed. The kek-loader registers the legacy SECRETS_ENCRYPTION_KEY env
-// value under this id during the migration window so existing rows decrypt
-// until the re-encryption script (B4) restamps them with CURRENT_KEY_ID.
+// Implicit keyId for pre-Vault ciphertext rows that lack a keyId field. All
+// known rows were restamped with CURRENT_KEY_ID during the re-encryption
+// migration; this constant remains only so any unexpected legacy blob produces
+// a clear "KEK not loaded" error rather than a silent default-key decrypt.
 export const LEGACY_KEY_ID = 'platform-v0-legacy'
 
 interface EncryptedData {
@@ -32,21 +32,7 @@ export function clearKeks(): void {
 }
 
 function resolveKek(keyId: string): Buffer | undefined {
-  const cached = kekMap.get(keyId)
-  if (cached) return cached
-
-  // Non-production fallback: bootstrap from SECRETS_ENCRYPTION_KEY so tests and
-  // local dev keep working without an explicit setKek() boot step. Production
-  // must register KEKs via the kek-loader; the env var is removed in Wave B5.
-  if (process.env.NODE_ENV !== 'production' && process.env.SECRETS_ENCRYPTION_KEY) {
-    const envKey = Buffer.from(process.env.SECRETS_ENCRYPTION_KEY, 'hex')
-    if (envKey.length === 32) {
-      kekMap.set(keyId, envKey)
-      return envKey
-    }
-  }
-
-  return undefined
+  return kekMap.get(keyId)
 }
 
 export function encryptCredential(plaintext: string): string {

package/src/auth/multi-tenancy/credentials/server/kek-loader.ts

@@ -1,18 +1,16 @@
 import { getSupabaseClient } from '../../../../supabase/server/client'
-import { setKek, CURRENT_KEY_ID, LEGACY_KEY_ID } from './encryption'
+import { setKek, CURRENT_KEY_ID } from './encryption'
 
 let loaded = false
 
 /**
  * Loads the platform credential KEK from Supabase Vault and registers it under
- * `CURRENT_KEY_ID` ('platform-v1'). During the migration window, also registers
- * the legacy `SECRETS_ENCRYPTION_KEY` env var under `LEGACY_KEY_ID` so existing
- * ciphertext rows (no `keyId` field) can still be decrypted.
+ * `CURRENT_KEY_ID` ('platform-v1').
  *
  * Idempotent: subsequent calls are no-ops.
  *
  * Fails fast on missing / malformed Vault KEK so misconfigured deploys do not
- * silently fall through to env-only encryption.
+ * silently start without a usable encryption key.
  */
 export async function loadCredentialKEKs(): Promise<void> {
   if (loaded) return
@@ -35,13 +33,5 @@ export async function loadCredentialKEKs(): Promise<void> {
   }
   setKek(CURRENT_KEY_ID, vaultKek)
 
-  const legacyHex = process.env.SECRETS_ENCRYPTION_KEY
-  if (legacyHex) {
-    const legacyKey = Buffer.from(legacyHex, 'hex')
-    if (legacyKey.length === 32) {
-      setKek(LEGACY_KEY_ID, legacyKey)
-    }
-  }
-
   loaded = true
 }

package/src/auth/multi-tenancy/permissions.ts

@@ -8,7 +8,7 @@
  *
  * The DB table `org_rol_permissions` mirrors this constant. Reconciliation
  * runs at API boot (insert-or-update only — never auto-delete; see the
- * deletion runbook in the auth-role-system-redesign doc).
+ * deletion runbook in the auth-role-system doc -- review/auth-role-system/).
  *
  * Adding a permission:
  *   1. Add an entry below.
@@ -29,7 +29,8 @@ export const PERMISSIONS = {
   SECRETS_MANAGE: 'secrets.manage',
   OPERATIONS_READ: 'operations.read',
   OPERATIONS_MANAGE: 'operations.manage',
-  WORK_MANAGE: 'work.manage'
+  ACQUISITION_MANAGE: 'acquisition.manage',
+  PROJECTS_MANAGE: 'projects.manage'
 } as const
 
 export type PermissionKey = (typeof PERMISSIONS)[keyof typeof PERMISSIONS]
@@ -87,9 +88,15 @@ export const PERMISSION_CATALOG: readonly PermissionDescriptor[] = [
     isOrgGrantable: true
   },
   {
-    key: 'work.manage',
-    description: 'Create and edit business-domain records (acq_*, prj_*)',
-    isOrgGrantable: true
+    key: 'acquisition.manage',
+    description:
+      'Create, update, and delete acquisition records (acq_companies, acq_contacts, acq_deals, acq_lists*, acq_content*, acquisition storage files)',
+    isOrgGrantable: false
+  },
+  {
+    key: 'projects.manage',
+    description: 'Create, update, and delete project records (prj_projects, prj_milestones, prj_tasks, prj_notes)',
+    isOrgGrantable: false
   }
 ] as const