@forklaunch/core 1.2.9 → 1.3.0

package/lib/persistence/index.js

@@ -30,9 +30,9 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/persistence/index.ts
 var persistence_exports = {};
 __export(persistence_exports, {
-  ComplianceEventSubscriber: () => ComplianceEventSubscriber,
   ComplianceLevel: () => ComplianceLevel,
   DecryptionError: () => DecryptionError,
+  EncryptedType: () => EncryptedType,
   EncryptionRequiredError: () => EncryptionRequiredError,
   FieldEncryptor: () => FieldEncryptor,
   MissingEncryptionKeyError: () => MissingEncryptionKeyError,
@@ -47,14 +47,18 @@ __export(persistence_exports, {
   getAllRetentionPolicies: () => getAllRetentionPolicies,
   getAllUserIdFields: () => getAllUserIdFields,
   getComplianceMetadata: () => getComplianceMetadata,
+  getCurrentTenantId: () => getCurrentTenantId,
   getEntityComplianceFields: () => getEntityComplianceFields,
   getEntityRetention: () => getEntityRetention,
   getEntityUserIdField: () => getEntityUserIdField,
   getSuperAdminContext: () => getSuperAdminContext,
   parseDuration: () => parseDuration,
+  registerEncryptor: () => registerEncryptor,
+  setEncryptionTenantId: () => setEncryptionTenantId,
   setupRls: () => setupRls,
   setupTenantFilter: () => setupTenantFilter,
   subtractDuration: () => subtractDuration,
+  withEncryptionContext: () => withEncryptionContext,
   wrapEmWithNativeQueryBlocking: () => wrapEmWithNativeQueryBlocking
 });
 module.exports = __toCommonJS(persistence_exports);
@@ -143,7 +147,102 @@ function getAllRetentionPolicies() {
 }
 
 // src/persistence/compliancePropertyBuilder.ts
+var import_core2 = require("@mikro-orm/core");
+
+// src/persistence/encryptedType.ts
+var import_node_async_hooks = require("async_hooks");
 var import_core = require("@mikro-orm/core");
+var ENCRYPTED_PREFIXES = ["v1:", "v2:"];
+function isEncrypted(value) {
+  return ENCRYPTED_PREFIXES.some((p3) => value.startsWith(p3));
+}
+var _encryptor;
+var _tenantContext = new import_node_async_hooks.AsyncLocalStorage();
+function registerEncryptor(encryptor) {
+  _encryptor = encryptor;
+}
+function withEncryptionContext(tenantId, fn) {
+  return _tenantContext.run({ tenantId }, fn);
+}
+function setEncryptionTenantId(tenantId) {
+  _tenantContext.enterWith({ tenantId });
+}
+function getCurrentTenantId() {
+  return _tenantContext.getStore()?.tenantId ?? "";
+}
+var EncryptedType = class extends import_core.Type {
+  originalType;
+  /**
+   * @param originalType - The original JS type hint ('string' | 'json' | 'number' | 'boolean').
+   *                       Used to determine serialization strategy.
+   */
+  constructor(originalType = "string") {
+    super();
+    this.originalType = originalType;
+  }
+  convertToDatabaseValue(value, _platform, _context) {
+    if (value === null || value === void 0) return null;
+    if (typeof value === "string" && value.length === 0) return "";
+    if (!_encryptor) {
+      return this.serializeValue(value);
+    }
+    if (typeof value === "string" && isEncrypted(value)) {
+      return value;
+    }
+    const serialized = this.serializeValue(value);
+    return _encryptor.encrypt(serialized, getCurrentTenantId()) ?? serialized;
+  }
+  convertToJSValue(value, _platform) {
+    if (value === null || value === void 0) return null;
+    if (typeof value !== "string") return value;
+    if (!isEncrypted(value)) {
+      return this.deserializeValue(value);
+    }
+    if (!_encryptor) return value;
+    try {
+      const decrypted = _encryptor.decrypt(value, getCurrentTenantId());
+      if (decrypted === null) return null;
+      return this.deserializeValue(decrypted);
+    } catch {
+      return value;
+    }
+  }
+  getColumnType() {
+    return "text";
+  }
+  get runtimeType() {
+    return this.originalType === "json" ? "object" : this.originalType;
+  }
+  ensureComparable() {
+    return true;
+  }
+  // ---------------------------------------------------------------------------
+  // Serialization helpers
+  // ---------------------------------------------------------------------------
+  serializeValue(value) {
+    if (typeof value === "string") return value;
+    return JSON.stringify(value);
+  }
+  deserializeValue(value) {
+    switch (this.originalType) {
+      case "string":
+        return value;
+      case "number":
+        return Number(value);
+      case "boolean":
+        return value === "true";
+      case "json":
+      default:
+        try {
+          return JSON.parse(value);
+        } catch {
+          return value;
+        }
+    }
+  }
+};
+
+// src/persistence/compliancePropertyBuilder.ts
 function isBuilder(value) {
   return value != null && typeof value === "object" && "~options" in value;
 }
@@ -169,7 +268,34 @@ function wrapUnclassified(builder) {
     }
   });
 }
+var ENCRYPTED_LEVELS = /* @__PURE__ */ new Set(["pii", "phi", "pci"]);
+function detectOriginalType(options) {
+  const type = options.type;
+  if (!type) return "string";
+  let t;
+  if (typeof type === "string") {
+    t = type.toLowerCase();
+  } else if (typeof type === "object" && type !== null) {
+    const rt = type.runtimeType;
+    t = rt ?? type.constructor?.name?.toLowerCase() ?? "string";
+  } else {
+    return "string";
+  }
+  if (t.includes("json") || t === "object") return "json";
+  if (t.includes("int") || t === "number" || t === "double" || t === "float" || t === "decimal" || t === "smallint" || t === "tinyint") return "number";
+  if (t === "boolean" || t === "bool") return "boolean";
+  return "string";
+}
 function wrapClassified(builder, level) {
+  if (ENCRYPTED_LEVELS.has(level)) {
+    const options = builder["~options"];
+    if (options) {
+      const originalType = detectOriginalType(options);
+      options.type = new EncryptedType(originalType);
+      options.columnType = "text";
+      options.runtimeType = originalType === "json" ? "object" : originalType;
+    }
+  }
   return new Proxy(builder, {
     get(target, prop) {
       if (prop === COMPLIANCE_KEY) return level;
@@ -201,7 +327,7 @@ var RELATION_METHODS = /* @__PURE__ */ new Set([
 function isRelationMethod(prop) {
   return typeof prop === "string" && RELATION_METHODS.has(prop);
 }
-var fp = new Proxy(import_core.p, {
+var fp = new Proxy(import_core2.p, {
   get(target, prop) {
     const value = Reflect.get(target, prop, target);
     if (typeof value !== "function") return value;
@@ -225,7 +351,7 @@ var fp = new Proxy(import_core.p, {
 });
 
 // src/persistence/defineComplianceEntity.ts
-var import_core2 = require("@mikro-orm/core");
+var import_core3 = require("@mikro-orm/core");
 function readComplianceLevel(builder) {
   if (builder == null || typeof builder !== "object") return void 0;
   return builder[COMPLIANCE_KEY];
@@ -234,7 +360,7 @@ function defineComplianceEntity(meta) {
   const entityName = "name" in meta ? meta.name : "Unknown";
   const complianceFields = /* @__PURE__ */ new Map();
   const rawProperties = meta.properties;
-  const resolvedProperties = typeof rawProperties === "function" ? rawProperties(import_core2.p) : rawProperties;
+  const resolvedProperties = typeof rawProperties === "function" ? rawProperties(import_core3.p) : rawProperties;
   for (const [fieldName, rawProp] of Object.entries(resolvedProperties)) {
     if (typeof rawProp === "function") {
       complianceFields.set(fieldName, "none");
@@ -261,14 +387,11 @@ function defineComplianceEntity(meta) {
   if (meta.userIdField) {
     registerEntityUserIdField(entityName, meta.userIdField);
   }
-  return (0, import_core2.defineEntity)(
+  return (0, import_core3.defineEntity)(
     meta
   );
 }
 
-// src/persistence/complianceEventSubscriber.ts
-var import_core3 = require("@mikro-orm/core");
-
 // src/persistence/fieldEncryptor.ts
 var import_crypto = __toESM(require("crypto"));
 var MissingEncryptionKeyError = class extends Error {
@@ -311,12 +434,23 @@ var FieldEncryptor = class {
       import_crypto.default.hkdfSync(HKDF_HASH, this.masterKey, HKDF_SALT, tenantId, KEY_BYTES)
     );
   }
+  /**
+   * Derive a deterministic IV from the key and plaintext using HMAC-SHA256,
+   * truncated to IV_BYTES. Same plaintext + same key → same IV → same
+   * ciphertext. This enables WHERE clause matching on encrypted columns
+   * while maintaining AES-256-GCM authenticated encryption.
+   *
+   * Meets SOC 2, HIPAA, PCI DSS, GDPR requirements for encryption at rest.
+   */
+  deriveDeterministicIv(key, plaintext) {
+    return import_crypto.default.createHmac("sha256", key).update(plaintext).digest().subarray(0, IV_BYTES);
+  }
   encrypt(plaintext, tenantId) {
     if (plaintext === null || plaintext === void 0) {
       return null;
     }
     const key = this.deriveKey(tenantId ?? "");
-    const iv = import_crypto.default.randomBytes(IV_BYTES);
+    const iv = this.deriveDeterministicIv(key, plaintext);
     const cipher = import_crypto.default.createCipheriv(ALGORITHM, key, iv);
     const encrypted = Buffer.concat([
       cipher.update(plaintext, "utf8"),
@@ -324,7 +458,7 @@ var FieldEncryptor = class {
     ]);
     const authTag = cipher.getAuthTag();
     return [
-      "v1",
+      "v2",
       iv.toString("base64"),
       authTag.toString("base64"),
       encrypted.toString("base64")
@@ -335,7 +469,7 @@ var FieldEncryptor = class {
       return null;
     }
     const parts = ciphertext.split(":");
-    if (parts.length !== 4 || parts[0] !== "v1") {
+    if (parts.length !== 4 || parts[0] !== "v1" && parts[0] !== "v2") {
       throw new DecryptionError(
         `Unknown ciphertext version or malformed format`
       );
@@ -360,102 +494,7 @@ var FieldEncryptor = class {
 };
 
 // src/persistence/complianceEventSubscriber.ts
-var ENCRYPTED_PREFIX = "v1:";
-var ENCRYPTED_LEVELS = /* @__PURE__ */ new Set(["pii", "phi", "pci"]);
-var ComplianceEventSubscriber = class {
-  encryptor;
-  constructor(encryptor) {
-    this.encryptor = encryptor;
-  }
-  async beforeCreate(args) {
-    this.encryptFields(args);
-  }
-  async beforeUpdate(args) {
-    this.encryptFields(args);
-  }
-  async onLoad(args) {
-    this.decryptFields(args);
-    try {
-      const wrapped = (0, import_core3.wrap)(args.entity, true);
-      const snapshot = wrapped.__originalEntityData;
-      if (snapshot) {
-        const entity = args.entity;
-        const complianceFields = getEntityComplianceFields(args.meta.className);
-        if (complianceFields) {
-          for (const [fieldName, level] of complianceFields) {
-            if (!ENCRYPTED_LEVELS.has(level)) continue;
-            if (entity[fieldName] !== void 0) {
-              snapshot[fieldName] = entity[fieldName];
-            }
-          }
-        }
-      }
-    } catch {
-    }
-  }
-  // ---------------------------------------------------------------------------
-  // Encrypt on persist
-  // ---------------------------------------------------------------------------
-  encryptFields(args) {
-    const entityName = args.meta.className;
-    const complianceFields = getEntityComplianceFields(entityName);
-    if (!complianceFields) return;
-    const tenantId = this.getTenantId(args.em);
-    const entity = args.entity;
-    for (const [fieldName, level] of complianceFields) {
-      if (!ENCRYPTED_LEVELS.has(level)) continue;
-      const value = entity[fieldName];
-      if (value === null || value === void 0) continue;
-      if (typeof value !== "string") continue;
-      if (value.startsWith(ENCRYPTED_PREFIX)) continue;
-      entity[fieldName] = this.encryptor.encrypt(value, tenantId ?? "");
-    }
-  }
-  // ---------------------------------------------------------------------------
-  // Decrypt on load
-  // ---------------------------------------------------------------------------
-  decryptFields(args) {
-    const entityName = args.meta.className;
-    const complianceFields = getEntityComplianceFields(entityName);
-    if (!complianceFields) return;
-    const tenantId = this.getTenantId(args.em);
-    const entity = args.entity;
-    for (const [fieldName, level] of complianceFields) {
-      if (!ENCRYPTED_LEVELS.has(level)) continue;
-      const value = entity[fieldName];
-      if (value === null || value === void 0) continue;
-      if (typeof value !== "string") continue;
-      if (value.startsWith(ENCRYPTED_PREFIX)) {
-        try {
-          entity[fieldName] = this.encryptor.decrypt(value, tenantId ?? "");
-        } catch (err) {
-          if (err instanceof DecryptionError) {
-            throw new DecryptionError(
-              `Failed to decrypt ${entityName}.${fieldName}: ${err.message}`
-            );
-          }
-          throw err;
-        }
-      } else {
-        console.warn(
-          `[compliance] ${entityName}.${fieldName} contains unencrypted ${level} data. Run encryption migration to encrypt existing data.`
-        );
-      }
-    }
-  }
-  // ---------------------------------------------------------------------------
-  // Tenant ID resolution
-  // ---------------------------------------------------------------------------
-  /**
-   * Read the tenant ID from the EntityManager's filter parameters.
-   * Returns undefined when no tenant context is set (startup, seeders,
-   * better-auth). Callers skip encryption/decryption in that case.
-   */
-  getTenantId(em) {
-    const filters = em.getFilterParams("tenant");
-    return filters?.tenantId;
-  }
-};
+var ENCRYPTED_LEVELS2 = /* @__PURE__ */ new Set(["pii", "phi", "pci"]);
 function wrapEmWithNativeQueryBlocking(em) {
   const BLOCKED_METHODS = [
     "nativeInsert",
@@ -471,7 +510,7 @@ function wrapEmWithNativeQueryBlocking(em) {
             const fields = getEntityComplianceFields(entityName);
             if (fields) {
               for (const [fieldName, level] of fields) {
-                if (ENCRYPTED_LEVELS.has(level)) {
+                if (ENCRYPTED_LEVELS2.has(level)) {
                   throw new EncryptionRequiredError(
                     `${prop}() blocked on entity '${entityName}' because field '${fieldName}' has compliance level '${level}'. Use em.create() + em.flush() instead to ensure encryption.`
                   );
@@ -644,9 +683,9 @@ function escapeSqlString(value) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  ComplianceEventSubscriber,
   ComplianceLevel,
   DecryptionError,
+  EncryptedType,
   EncryptionRequiredError,
   FieldEncryptor,
   MissingEncryptionKeyError,
@@ -661,14 +700,18 @@ function escapeSqlString(value) {
   getAllRetentionPolicies,
   getAllUserIdFields,
   getComplianceMetadata,
+  getCurrentTenantId,
   getEntityComplianceFields,
   getEntityRetention,
   getEntityUserIdField,
   getSuperAdminContext,
   parseDuration,
+  registerEncryptor,
+  setEncryptionTenantId,
   setupRls,
   setupTenantFilter,
   subtractDuration,
+  withEncryptionContext,
   wrapEmWithNativeQueryBlocking
 });
 //# sourceMappingURL=index.js.map