@elevasis/core 0.22.0 → 0.24.0

package/src/_gen/__tests__/scaffold-contracts.test.ts

@@ -9,26 +9,26 @@
  * if the output changes without an intentional snapshot update.
  */
 
-import { readFileSync } from 'node:fs'
-import { resolve } from 'node:path'
-import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { describe, it, expect } from 'vitest'
 
 /** Monorepo root relative to packages/core/src/_gen/__tests__/ */
-const ROOT = resolve(import.meta.dirname, '..', '..', '..', '..', '..')
-
-const OUTPUT_PATH = resolve(ROOT, 'packages/core/src/reference/_generated/contracts.md')
-const SNAPSHOT_PATH = resolve(import.meta.dirname, '__snapshots__', 'contracts.md.snap')
-
-function normalizeSnapshotContent(content: string) {
-  return content
-    .replace(/\r\n/g, '\n')
-    .replace(
-      /<!-- Auto-generated on \d{4}-\d{2}-\d{2} by scripts\/monorepo\/generate-scaffold-contracts\.js -->/,
-      '<!-- Auto-generated on YYYY-MM-DD by scripts/monorepo/generate-scaffold-contracts.js -->'
-    )
-}
+const ROOT = resolve(import.meta.dirname, '..', '..', '..', '..', '..')
 
-describe('scaffold-contracts generator', () => {
+const OUTPUT_PATH = resolve(ROOT, 'packages/core/src/reference/_generated/contracts.md')
+const SNAPSHOT_PATH = resolve(import.meta.dirname, '__snapshots__', 'contracts.md.snap')
+
+function normalizeSnapshotContent(content: string) {
+  return content
+    .replace(/\r\n/g, '\n')
+    .replace(
+      /<!-- Auto-generated on \d{4}-\d{2}-\d{2} by scripts\/monorepo\/generate-scaffold-contracts\.js -->/,
+      '<!-- Auto-generated on YYYY-MM-DD by scripts/monorepo/generate-scaffold-contracts.js -->'
+    )
+}
+
+describe('scaffold-contracts generator', () => {
   it('output file exists and has content', () => {
     // The generator must have been run (either manually or by CI gen step).
     // This test validates the committed artifact — it does NOT re-run the generator
@@ -46,19 +46,19 @@ describe('scaffold-contracts generator', () => {
     expect(content.length).toBeGreaterThan(0)
   })
 
-  it('output file matches stored snapshot', () => {
-    let content: string
-    try {
-      content = readFileSync(OUTPUT_PATH, 'utf8')
+  it('output file matches stored snapshot', () => {
+    let content: string
+    try {
+      content = readFileSync(OUTPUT_PATH, 'utf8')
     } catch {
       throw new Error(
         `Generated file not found: ${OUTPUT_PATH}\n` +
-        `Run "pnpm scaffold:generate" first to produce the artifact before snapshotting.`
-      )
-    }
-
-    const snapshot = readFileSync(SNAPSHOT_PATH, 'utf8')
-
-    expect(normalizeSnapshotContent(content)).toBe(normalizeSnapshotContent(snapshot))
-  })
-})
+        `Run "pnpm scaffold:generate" first to produce the artifact before snapshotting.`
+      )
+    }
+
+    const snapshot = readFileSync(SNAPSHOT_PATH, 'utf8')
+
+    expect(normalizeSnapshotContent(content)).toBe(normalizeSnapshotContent(snapshot))
+  })
+})

package/src/auth/multi-tenancy/credentials/__tests__/encryption.test.ts

@@ -1,217 +1,217 @@
-import crypto from 'crypto'
-import { describe, it, expect, beforeAll } from 'vitest'
-import { encryptCredential, decryptCredential, setKek, CURRENT_KEY_ID } from '../server/encryption'
-
-beforeAll(() => {
-  setKek(CURRENT_KEY_ID, crypto.randomBytes(32))
-})
-
-describe('Credential Encryption', () => {
-  describe('encryptCredential', () => {
-    it('encrypts plaintext to base64-encoded JSON string', () => {
-      const plaintext = 'my-secret-api-key'
-      const encrypted = encryptCredential(plaintext)
-
-      // Should be a valid JSON string
-      expect(() => JSON.parse(encrypted)).not.toThrow()
-
-      const parsed = JSON.parse(encrypted)
-      expect(parsed).toHaveProperty('iv')
-      expect(parsed).toHaveProperty('authTag')
-      expect(parsed).toHaveProperty('data')
-    })
-
-    it('produces different ciphertext for same input (random IV)', () => {
-      const plaintext = 'same-secret'
-
-      const encrypted1 = encryptCredential(plaintext)
-      const encrypted2 = encryptCredential(plaintext)
-
-      // Different IVs mean different ciphertext
-      expect(encrypted1).not.toBe(encrypted2)
-
-      // But both decrypt to same plaintext
-      expect(decryptCredential(encrypted1)).toBe(plaintext)
-      expect(decryptCredential(encrypted2)).toBe(plaintext)
-    })
-
-    it('handles empty string', () => {
-      const plaintext = ''
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe('')
-    })
-
-    it('handles long strings', () => {
-      const plaintext = 'x'.repeat(10000)
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('handles special characters and unicode', () => {
-      const plaintext = 'Hello 世界! 🔐 Special chars: \n\t\r"\'\\`'
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('validates key is configured at module load', () => {
-      // We can't test missing key dynamically since MASTER_KEY is set at module load
-      // Instead, verify the key is set and encryption works
-      const encrypted = encryptCredential('test')
-      expect(encrypted).toBeDefined()
-    })
-  })
-
-  describe('decryptCredential', () => {
-    it('decrypts ciphertext back to original plaintext', () => {
-      const plaintext = 'my-secret-api-key'
-      const encrypted = encryptCredential(plaintext)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(plaintext)
-    })
-
-    it('successfully decrypts with configured key', () => {
-      const encrypted = encryptCredential('test')
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe('test')
-    })
-
-    it('throws error on malformed JSON', () => {
-      expect(() => decryptCredential('not-json')).toThrow()
-    })
-
-    it('throws error on missing fields', () => {
-      const invalidData = JSON.stringify({ iv: 'abc', authTag: 'def' }) // Missing 'data'
-
-      expect(() => decryptCredential(invalidData)).toThrow()
-    })
-
-    it('throws error on tampered ciphertext', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with the data
-      parsed.data = 'tampered-data'
-      const tampered = JSON.stringify(parsed)
-
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('throws error on tampered auth tag', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with the auth tag
-      parsed.authTag = 'AAAAAAAAAAAAAAAAAAAAAA=='
-      const tampered = JSON.stringify(parsed)
-
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('detects tampering via auth tag (GCM mode)', () => {
-      const encrypted = encryptCredential('secret')
-      const parsed = JSON.parse(encrypted)
-
-      // Tamper with just one byte of data
-      const dataBuffer = Buffer.from(parsed.data, 'base64')
-      dataBuffer[0] ^= 0x01 // Flip one bit
-      parsed.data = dataBuffer.toString('base64')
-
-      const tampered = JSON.stringify(parsed)
-
-      // GCM should detect the tampering and throw
-      expect(() => decryptCredential(tampered)).toThrow()
-    })
-
-    it('throws error on invalid base64 encoding', () => {
-      const invalidData = JSON.stringify({
-        iv: 'not-valid-base64!!!',
-        authTag: 'AAAA',
-        data: 'BBBB'
-      })
-
-      expect(() => decryptCredential(invalidData)).toThrow()
-    })
-  })
-
-  describe('Round-trip encryption/decryption', () => {
-    it('preserves API key format', () => {
-      const apiKey = 'sk_test_1234567890abcdefghijklmnopqrstuvwxyz'
-      const encrypted = encryptCredential(apiKey)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(apiKey)
-    })
-
-    it('preserves database connection strings', () => {
-      const connString = 'postgresql://user:password@localhost:5432/database?sslmode=require'
-      const encrypted = encryptCredential(connString)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(connString)
-    })
-
-    it('preserves JSON credentials', () => {
-      const jsonCreds = JSON.stringify({
-        type: 'service_account',
-        project_id: 'my-project',
-        private_key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n'
-      })
-
-      const encrypted = encryptCredential(jsonCreds)
-      const decrypted = decryptCredential(encrypted)
-
-      expect(decrypted).toBe(jsonCreds)
-      expect(JSON.parse(decrypted)).toEqual(JSON.parse(jsonCreds))
-    })
-  })
-
-  describe('Security properties', () => {
-    it('uses AES-256-GCM (authenticated encryption)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Auth tag should be present (GCM mode)
-      expect(parsed.authTag).toBeDefined()
-      expect(parsed.authTag.length).toBeGreaterThan(0)
-    })
-
-    it('uses random IV for each encryption', () => {
-      const ivs = new Set()
-
-      for (let i = 0; i < 100; i++) {
-        const encrypted = encryptCredential('test')
-        const parsed = JSON.parse(encrypted)
-        ivs.add(parsed.iv)
-      }
-
-      // All IVs should be unique
-      expect(ivs.size).toBe(100)
-    })
-
-    it('IV is 16 bytes (128 bits)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Base64-encoded 16 bytes = 24 characters
-      const ivBuffer = Buffer.from(parsed.iv, 'base64')
-      expect(ivBuffer.length).toBe(16)
-    })
-
-    it('auth tag is 16 bytes (128 bits)', () => {
-      const encrypted = encryptCredential('test')
-      const parsed = JSON.parse(encrypted)
-
-      // Base64-encoded 16 bytes = 24 characters
-      const authTagBuffer = Buffer.from(parsed.authTag, 'base64')
-      expect(authTagBuffer.length).toBe(16)
-    })
-  })
-})
+import crypto from 'crypto'
+import { describe, it, expect, beforeAll } from 'vitest'
+import { encryptCredential, decryptCredential, setKek, CURRENT_KEY_ID } from '../server/encryption'
+
+beforeAll(() => {
+  setKek(CURRENT_KEY_ID, crypto.randomBytes(32))
+})
+
+describe('Credential Encryption', () => {
+  describe('encryptCredential', () => {
+    it('encrypts plaintext to base64-encoded JSON string', () => {
+      const plaintext = 'my-secret-api-key'
+      const encrypted = encryptCredential(plaintext)
+
+      // Should be a valid JSON string
+      expect(() => JSON.parse(encrypted)).not.toThrow()
+
+      const parsed = JSON.parse(encrypted)
+      expect(parsed).toHaveProperty('iv')
+      expect(parsed).toHaveProperty('authTag')
+      expect(parsed).toHaveProperty('data')
+    })
+
+    it('produces different ciphertext for same input (random IV)', () => {
+      const plaintext = 'same-secret'
+
+      const encrypted1 = encryptCredential(plaintext)
+      const encrypted2 = encryptCredential(plaintext)
+
+      // Different IVs mean different ciphertext
+      expect(encrypted1).not.toBe(encrypted2)
+
+      // But both decrypt to same plaintext
+      expect(decryptCredential(encrypted1)).toBe(plaintext)
+      expect(decryptCredential(encrypted2)).toBe(plaintext)
+    })
+
+    it('handles empty string', () => {
+      const plaintext = ''
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe('')
+    })
+
+    it('handles long strings', () => {
+      const plaintext = 'x'.repeat(10000)
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('handles special characters and unicode', () => {
+      const plaintext = 'Hello 世界! 🔐 Special chars: \n\t\r"\'\\`'
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('validates key is configured at module load', () => {
+      // We can't test missing key dynamically since MASTER_KEY is set at module load
+      // Instead, verify the key is set and encryption works
+      const encrypted = encryptCredential('test')
+      expect(encrypted).toBeDefined()
+    })
+  })
+
+  describe('decryptCredential', () => {
+    it('decrypts ciphertext back to original plaintext', () => {
+      const plaintext = 'my-secret-api-key'
+      const encrypted = encryptCredential(plaintext)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(plaintext)
+    })
+
+    it('successfully decrypts with configured key', () => {
+      const encrypted = encryptCredential('test')
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe('test')
+    })
+
+    it('throws error on malformed JSON', () => {
+      expect(() => decryptCredential('not-json')).toThrow()
+    })
+
+    it('throws error on missing fields', () => {
+      const invalidData = JSON.stringify({ iv: 'abc', authTag: 'def' }) // Missing 'data'
+
+      expect(() => decryptCredential(invalidData)).toThrow()
+    })
+
+    it('throws error on tampered ciphertext', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with the data
+      parsed.data = 'tampered-data'
+      const tampered = JSON.stringify(parsed)
+
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('throws error on tampered auth tag', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with the auth tag
+      parsed.authTag = 'AAAAAAAAAAAAAAAAAAAAAA=='
+      const tampered = JSON.stringify(parsed)
+
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('detects tampering via auth tag (GCM mode)', () => {
+      const encrypted = encryptCredential('secret')
+      const parsed = JSON.parse(encrypted)
+
+      // Tamper with just one byte of data
+      const dataBuffer = Buffer.from(parsed.data, 'base64')
+      dataBuffer[0] ^= 0x01 // Flip one bit
+      parsed.data = dataBuffer.toString('base64')
+
+      const tampered = JSON.stringify(parsed)
+
+      // GCM should detect the tampering and throw
+      expect(() => decryptCredential(tampered)).toThrow()
+    })
+
+    it('throws error on invalid base64 encoding', () => {
+      const invalidData = JSON.stringify({
+        iv: 'not-valid-base64!!!',
+        authTag: 'AAAA',
+        data: 'BBBB'
+      })
+
+      expect(() => decryptCredential(invalidData)).toThrow()
+    })
+  })
+
+  describe('Round-trip encryption/decryption', () => {
+    it('preserves API key format', () => {
+      const apiKey = 'sk_test_1234567890abcdefghijklmnopqrstuvwxyz'
+      const encrypted = encryptCredential(apiKey)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(apiKey)
+    })
+
+    it('preserves database connection strings', () => {
+      const connString = 'postgresql://user:password@localhost:5432/database?sslmode=require'
+      const encrypted = encryptCredential(connString)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(connString)
+    })
+
+    it('preserves JSON credentials', () => {
+      const jsonCreds = JSON.stringify({
+        type: 'service_account',
+        project_id: 'my-project',
+        private_key: '-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n'
+      })
+
+      const encrypted = encryptCredential(jsonCreds)
+      const decrypted = decryptCredential(encrypted)
+
+      expect(decrypted).toBe(jsonCreds)
+      expect(JSON.parse(decrypted)).toEqual(JSON.parse(jsonCreds))
+    })
+  })
+
+  describe('Security properties', () => {
+    it('uses AES-256-GCM (authenticated encryption)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Auth tag should be present (GCM mode)
+      expect(parsed.authTag).toBeDefined()
+      expect(parsed.authTag.length).toBeGreaterThan(0)
+    })
+
+    it('uses random IV for each encryption', () => {
+      const ivs = new Set()
+
+      for (let i = 0; i < 100; i++) {
+        const encrypted = encryptCredential('test')
+        const parsed = JSON.parse(encrypted)
+        ivs.add(parsed.iv)
+      }
+
+      // All IVs should be unique
+      expect(ivs.size).toBe(100)
+    })
+
+    it('IV is 16 bytes (128 bits)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Base64-encoded 16 bytes = 24 characters
+      const ivBuffer = Buffer.from(parsed.iv, 'base64')
+      expect(ivBuffer.length).toBe(16)
+    })
+
+    it('auth tag is 16 bytes (128 bits)', () => {
+      const encrypted = encryptCredential('test')
+      const parsed = JSON.parse(encrypted)
+
+      // Base64-encoded 16 bytes = 24 characters
+      const authTagBuffer = Buffer.from(parsed.authTag, 'base64')
+      expect(authTagBuffer.length).toBe(16)
+    })
+  })
+})

package/src/auth/multi-tenancy/credentials/server/encryption.ts

@@ -1,69 +1,69 @@
-import crypto from 'crypto'
-
-const ALGORITHM = 'aes-256-gcm'
-
-// keyId stamped on all newly encrypted ciphertexts.
-export const CURRENT_KEY_ID = 'platform-v1'
-
-// Implicit keyId for pre-Vault ciphertext rows that lack a keyId field. All
-// known rows were restamped with CURRENT_KEY_ID during the re-encryption
-// migration; this constant remains only so any unexpected legacy blob produces
-// a clear "KEK not loaded" error rather than a silent default-key decrypt.
-export const LEGACY_KEY_ID = 'platform-v0-legacy'
-
-interface EncryptedData {
-  iv: string
-  authTag: string
-  data: string
-  keyId?: string
-}
-
-const kekMap = new Map<string, Buffer>()
-
-export function setKek(keyId: string, key: Buffer): void {
-  if (key.length !== 32) {
-    throw new Error(`KEK must be 32 bytes (256 bits); got ${key.length}`)
-  }
-  kekMap.set(keyId, key)
-}
-
-export function clearKeks(): void {
-  kekMap.clear()
-}
-
-function resolveKek(keyId: string): Buffer | undefined {
-  return kekMap.get(keyId)
-}
-
-export function encryptCredential(plaintext: string): string {
-  const key = resolveKek(CURRENT_KEY_ID)
-  if (!key) {
-    throw new Error(`Encryption KEK '${CURRENT_KEY_ID}' not loaded; call setKek() at boot`)
-  }
-
-  const iv = crypto.randomBytes(16)
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
-  const authTag = cipher.getAuthTag()
-
-  return JSON.stringify({
-    iv: iv.toString('base64'),
-    authTag: authTag.toString('base64'),
-    data: encrypted.toString('base64'),
-    keyId: CURRENT_KEY_ID
-  })
-}
-
-export function decryptCredential(encrypted: string): string {
-  const { iv, authTag, data, keyId } = JSON.parse(encrypted) as EncryptedData
-  const resolvedKeyId = keyId ?? LEGACY_KEY_ID
-  const key = resolveKek(resolvedKeyId)
-  if (!key) {
-    throw new Error(`Decryption KEK '${resolvedKeyId}' not loaded`)
-  }
-
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'base64'))
-  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
-
-  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
-}
+import crypto from 'crypto'
+
+const ALGORITHM = 'aes-256-gcm'
+
+// keyId stamped on all newly encrypted ciphertexts.
+export const CURRENT_KEY_ID = 'platform-v1'
+
+// Implicit keyId for pre-Vault ciphertext rows that lack a keyId field. All
+// known rows were restamped with CURRENT_KEY_ID during the re-encryption
+// migration; this constant remains only so any unexpected legacy blob produces
+// a clear "KEK not loaded" error rather than a silent default-key decrypt.
+export const LEGACY_KEY_ID = 'platform-v0-legacy'
+
+interface EncryptedData {
+  iv: string
+  authTag: string
+  data: string
+  keyId?: string
+}
+
+const kekMap = new Map<string, Buffer>()
+
+export function setKek(keyId: string, key: Buffer): void {
+  if (key.length !== 32) {
+    throw new Error(`KEK must be 32 bytes (256 bits); got ${key.length}`)
+  }
+  kekMap.set(keyId, key)
+}
+
+export function clearKeks(): void {
+  kekMap.clear()
+}
+
+function resolveKek(keyId: string): Buffer | undefined {
+  return kekMap.get(keyId)
+}
+
+export function encryptCredential(plaintext: string): string {
+  const key = resolveKek(CURRENT_KEY_ID)
+  if (!key) {
+    throw new Error(`Encryption KEK '${CURRENT_KEY_ID}' not loaded; call setKek() at boot`)
+  }
+
+  const iv = crypto.randomBytes(16)
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
+  const authTag = cipher.getAuthTag()
+
+  return JSON.stringify({
+    iv: iv.toString('base64'),
+    authTag: authTag.toString('base64'),
+    data: encrypted.toString('base64'),
+    keyId: CURRENT_KEY_ID
+  })
+}
+
+export function decryptCredential(encrypted: string): string {
+  const { iv, authTag, data, keyId } = JSON.parse(encrypted) as EncryptedData
+  const resolvedKeyId = keyId ?? LEGACY_KEY_ID
+  const key = resolveKek(resolvedKeyId)
+  if (!key) {
+    throw new Error(`Decryption KEK '${resolvedKeyId}' not loaded`)
+  }
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'base64'))
+  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
+
+  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
+}