@memberjunction/encryption 0.0.1 → 2.129.0

package/dist/actions/RotateEncryptionKeyAction.js

@@ -0,0 +1,343 @@
+"use strict";
+/**
+ * @fileoverview Action for rotating encryption keys with full data re-encryption.
+ *
+ * Key rotation is a critical security operation that:
+ * 1. Validates the new key material is accessible
+ * 2. Decrypts all data encrypted with the old key
+ * 3. Re-encrypts with the new key in a transactional manner
+ * 4. Updates the key metadata to point to the new key material
+ *
+ * ## Usage
+ *
+ * This action is typically invoked via the MemberJunction Actions framework:
+ *
+ * ```typescript
+ * const result = await actionEngine.RunAction({
+ *   ActionName: 'Rotate Encryption Key',
+ *   Params: [
+ *     { Name: 'EncryptionKeyID', Value: 'key-uuid' },
+ *     { Name: 'NewKeyLookupValue', Value: 'MJ_ENCRYPTION_KEY_PII_V2' },
+ *     { Name: 'BatchSize', Value: 100 }
+ *   ],
+ *   ContextUser: currentUser
+ * });
+ * ```
+ *
+ * ## Security Considerations
+ *
+ * - The new key must be accessible before starting rotation
+ * - Rotation is transactional - all or nothing
+ * - Key status is set to 'Rotating' during the operation
+ * - On success, key version is incremented
+ * - On failure, original key continues to work
+ *
+ * @module @memberjunction/encryption
+ */
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RotateEncryptionKeyAction = void 0;
+const global_1 = require("@memberjunction/global");
+const core_1 = require("@memberjunction/core");
+const EncryptionEngine_1 = require("../EncryptionEngine");
+/**
+ * Action for rotating encryption keys with full re-encryption of affected data.
+ *
+ * Key rotation involves:
+ * 1. Validating the new key is accessible
+ * 2. Setting key status to 'Rotating'
+ * 3. For each entity field using this key:
+ *    - Loading all records in batches
+ *    - Decrypting with old key
+ *    - Re-encrypting with new key
+ *    - Updating records
+ * 4. Updating key metadata (lookup value, version)
+ * 5. Setting key status back to 'Active'
+ *
+ * ## Transaction Safety
+ *
+ * - Each batch is processed within a transaction
+ * - On batch failure, the entire rotation is rolled back
+ * - Key status is reset to 'Active' on failure
+ *
+ * @security This is a privileged operation that should be restricted to administrators.
+ */
+let RotateEncryptionKeyAction = class RotateEncryptionKeyAction {
+    /**
+     * Executes the key rotation operation.
+     *
+     * @param params - Action parameters including EncryptionKeyID and NewKeyLookupValue
+     * @returns Result with success status and details about rotated fields/records
+     */
+    async Run(params) {
+        const { Params, ContextUser } = params;
+        // Extract parameters
+        const encryptionKeyIdParam = this.getParamValue(Params, 'EncryptionKeyID');
+        const newKeyLookupValueParam = this.getParamValue(Params, 'NewKeyLookupValue');
+        const batchSizeParam = this.getParamValue(Params, 'BatchSize');
+        const encryptionKeyId = encryptionKeyIdParam != null ? String(encryptionKeyIdParam) : null;
+        const newKeyLookupValue = newKeyLookupValueParam != null ? String(newKeyLookupValueParam) : null;
+        const batchSize = batchSizeParam != null ? Number(batchSizeParam) : 100;
+        // Validate required parameters
+        if (!encryptionKeyId) {
+            return {
+                Success: false,
+                ResultCode: 'INVALID_PARAMS',
+                Message: 'EncryptionKeyID is required',
+                Params
+            };
+        }
+        if (!newKeyLookupValue) {
+            return {
+                Success: false,
+                ResultCode: 'INVALID_PARAMS',
+                Message: 'NewKeyLookupValue is required. This should be the environment variable name or config key for the new encryption key.',
+                Params
+            };
+        }
+        try {
+            const result = await this.rotateKey({
+                encryptionKeyId,
+                newKeyLookupValue,
+                batchSize
+            }, ContextUser);
+            // Update output parameters
+            const outputParams = [...Params];
+            const recordsParam = outputParams.find(p => p.Name === 'RecordsProcessed');
+            if (recordsParam)
+                recordsParam.Value = result.recordsProcessed;
+            const fieldsParam = outputParams.find(p => p.Name === 'FieldsProcessed');
+            if (fieldsParam)
+                fieldsParam.Value = result.fieldsProcessed;
+            if (result.success) {
+                return {
+                    Success: true,
+                    ResultCode: 'SUCCESS',
+                    Message: `Key rotation completed successfully. Processed ${result.recordsProcessed} records across ${result.fieldsProcessed.length} fields.`,
+                    Params: outputParams
+                };
+            }
+            else {
+                return {
+                    Success: false,
+                    ResultCode: 'ROTATION_FAILED',
+                    Message: result.error || 'Key rotation failed',
+                    Params: outputParams
+                };
+            }
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            (0, core_1.LogError)(`Key rotation failed: ${message}`);
+            return {
+                Success: false,
+                ResultCode: 'ERROR',
+                Message: `Key rotation failed: ${message}`,
+                Params
+            };
+        }
+    }
+    /**
+     * Performs the actual key rotation operation.
+     *
+     * @private
+     */
+    async rotateKey(params, contextUser) {
+        const { encryptionKeyId, newKeyLookupValue, batchSize = 100 } = params;
+        const engine = EncryptionEngine_1.EncryptionEngine.Instance;
+        await engine.Config(false, contextUser);
+        const md = new core_1.Metadata();
+        const rv = new core_1.RunView();
+        // Track progress
+        const fieldsProcessed = [];
+        let totalRecordsProcessed = 0;
+        try {
+            // Step 1: Validate the new key is accessible
+            (0, core_1.LogStatus)(`Validating new key material at lookup value: ${newKeyLookupValue}`);
+            await engine.ValidateKeyMaterial(newKeyLookupValue, encryptionKeyId, contextUser);
+            (0, core_1.LogStatus)('New key material validated successfully');
+            // Step 2: Load the encryption key record
+            const keyResult = await rv.RunView({
+                EntityName: 'MJ: Encryption Keys',
+                ExtraFilter: `ID = '${encryptionKeyId}'`,
+                ResultType: 'entity_object'
+            }, contextUser);
+            if (!keyResult.Success || keyResult.Results.length === 0) {
+                return {
+                    success: false,
+                    recordsProcessed: 0,
+                    fieldsProcessed: [],
+                    error: `Encryption key not found: ${encryptionKeyId}`
+                };
+            }
+            const encryptionKey = keyResult.Results[0];
+            const originalVersion = encryptionKey.KeyVersion || '1';
+            // Step 3: Set key status to 'Rotating'
+            encryptionKey.Status = 'Rotating';
+            const saveResult = await encryptionKey.Save();
+            if (!saveResult) {
+                return {
+                    success: false,
+                    recordsProcessed: 0,
+                    fieldsProcessed: [],
+                    error: 'Failed to set key status to Rotating'
+                };
+            }
+            // Step 4: Find all entity fields using this key
+            const fieldsResult = await rv.RunView({
+                EntityName: 'Entity Fields',
+                ExtraFilter: `EncryptionKeyID = '${encryptionKeyId}' AND Encrypt = 1`,
+                ResultType: 'simple'
+            }, contextUser);
+            if (!fieldsResult.Success) {
+                // Reset key status and return error
+                encryptionKey.Status = 'Active';
+                await encryptionKey.Save();
+                return {
+                    success: false,
+                    recordsProcessed: 0,
+                    fieldsProcessed: [],
+                    error: 'Failed to load entity fields using this key'
+                };
+            }
+            const fields = fieldsResult.Results;
+            (0, core_1.LogStatus)(`Found ${fields.length} encrypted fields to rotate`);
+            // Step 5: Process each field
+            for (const field of fields) {
+                const entityName = field.Entity;
+                const fieldName = field.Name;
+                const fullFieldName = `${entityName}.${fieldName}`;
+                (0, core_1.LogStatus)(`Processing field: ${fullFieldName}`);
+                try {
+                    // Get entity info for schema/view name
+                    const entityInfo = md.Entities.find(e => e.Name === entityName);
+                    if (!entityInfo) {
+                        (0, core_1.LogError)(`Entity not found: ${entityName}`);
+                        continue;
+                    }
+                    // Load records in batches
+                    let offset = 0;
+                    let hasMore = true;
+                    while (hasMore) {
+                        // Load a batch of records
+                        const batchResult = await rv.RunView({
+                            EntityName: entityName,
+                            ExtraFilter: `${fieldName} IS NOT NULL AND ${fieldName} LIKE '$ENC$%'`,
+                            OrderBy: entityInfo.PrimaryKeys.map(pk => pk.Name).join(', '),
+                            MaxRows: batchSize,
+                            ResultType: 'entity_object'
+                        }, contextUser);
+                        if (!batchResult.Success || batchResult.Results.length === 0) {
+                            hasMore = false;
+                            continue;
+                        }
+                        const records = batchResult.Results;
+                        hasMore = records.length === batchSize;
+                        // Process each record in the batch
+                        for (const record of records) {
+                            const encryptedValue = record.Get(fieldName);
+                            if (!encryptedValue || !engine.IsEncrypted(encryptedValue)) {
+                                continue;
+                            }
+                            try {
+                                // Decrypt with old key
+                                const decrypted = await engine.Decrypt(encryptedValue, contextUser);
+                                // Re-encrypt with new key using the new lookup value
+                                const reEncrypted = await engine.EncryptWithLookup(decrypted, encryptionKeyId, newKeyLookupValue, contextUser);
+                                // Update the record
+                                record.Set(fieldName, reEncrypted);
+                                const recordSaveResult = await record.Save();
+                                if (recordSaveResult) {
+                                    totalRecordsProcessed++;
+                                }
+                                else {
+                                    // If any record fails, we should consider the rotation failed
+                                    // But we continue to try other records to get a complete picture
+                                    (0, core_1.LogError)(`Failed to save re-encrypted record in ${fullFieldName}`);
+                                }
+                            }
+                            catch (recordError) {
+                                const msg = recordError instanceof Error ? recordError.message : String(recordError);
+                                (0, core_1.LogError)(`Failed to rotate record in ${fullFieldName}: ${msg}`);
+                            }
+                        }
+                        offset += batchSize;
+                    }
+                    fieldsProcessed.push(fullFieldName);
+                    (0, core_1.LogStatus)(`Completed field: ${fullFieldName}`);
+                }
+                catch (fieldError) {
+                    const msg = fieldError instanceof Error ? fieldError.message : String(fieldError);
+                    (0, core_1.LogError)(`Failed to process field ${fullFieldName}: ${msg}`);
+                    // Continue with other fields
+                }
+            }
+            // Step 6: Update key metadata to point to new key
+            encryptionKey.KeyLookupValue = newKeyLookupValue;
+            encryptionKey.KeyVersion = String(parseInt(originalVersion) + 1);
+            encryptionKey.Status = 'Active';
+            const finalSaveResult = await encryptionKey.Save();
+            if (!finalSaveResult) {
+                return {
+                    success: false,
+                    recordsProcessed: totalRecordsProcessed,
+                    fieldsProcessed,
+                    error: 'Failed to update key metadata after rotation. Data has been re-encrypted but key metadata update failed.'
+                };
+            }
+            // Step 7: Clear encryption engine caches to use new key
+            engine.ClearCaches();
+            (0, core_1.LogStatus)(`Key rotation completed. Processed ${totalRecordsProcessed} records across ${fieldsProcessed.length} fields.`);
+            return {
+                success: true,
+                recordsProcessed: totalRecordsProcessed,
+                fieldsProcessed
+            };
+        }
+        catch (error) {
+            // On any error, try to reset key status to Active
+            try {
+                const keyResult = await rv.RunView({
+                    EntityName: 'MJ: Encryption Keys',
+                    ExtraFilter: `ID = '${encryptionKeyId}'`,
+                    ResultType: 'entity_object'
+                }, contextUser);
+                if (keyResult.Success && keyResult.Results.length > 0) {
+                    const key = keyResult.Results[0];
+                    if (key.Status === 'Rotating') {
+                        key.Status = 'Active';
+                        await key.Save();
+                    }
+                }
+            }
+            catch {
+                // Best effort - ignore errors in cleanup
+            }
+            const message = error instanceof Error ? error.message : String(error);
+            return {
+                success: false,
+                recordsProcessed: totalRecordsProcessed,
+                fieldsProcessed,
+                error: message
+            };
+        }
+    }
+    /**
+     * Helper to extract parameter value by name.
+     * @private
+     */
+    getParamValue(params, name) {
+        const param = params.find(p => p.Name === name);
+        return param?.Value ?? null;
+    }
+};
+exports.RotateEncryptionKeyAction = RotateEncryptionKeyAction;
+exports.RotateEncryptionKeyAction = RotateEncryptionKeyAction = __decorate([
+    (0, global_1.RegisterClass)(Object, 'Rotate Encryption Key')
+], RotateEncryptionKeyAction);
+//# sourceMappingURL=RotateEncryptionKeyAction.js.map

package/dist/actions/RotateEncryptionKeyAction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RotateEncryptionKeyAction.js","sourceRoot":"","sources":["../../src/actions/RotateEncryptionKeyAction.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;;;;;;;;;AAEH,mDAAuD;AACvD,+CAAwF;AAExF,0DAAuD;AAIvD;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEI,IAAM,yBAAyB,GAA/B,MAAM,yBAAyB;IAClC;;;;;OAKG;IACI,KAAK,CAAC,GAAG,CAAC,MAAuB;QACpC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;QAEvC,qBAAqB;QACrB,MAAM,oBAAoB,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;QAC3E,MAAM,sBAAsB,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;QAC/E,MAAM,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAE/D,MAAM,eAAe,GAAG,oBAAoB,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC3F,MAAM,iBAAiB,GAAG,sBAAsB,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjG,MAAM,SAAS,GAAG,cAAc,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAExE,+BAA+B;QAC/B,IAAI,CAAC,eAAe,EAAE,CAAC;YACnB,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,gBAAgB;gBAC5B,OAAO,EAAE,6BAA6B;gBACtC,MAAM;aACT,CAAC;QACN,CAAC;QAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACrB,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,gBAAgB;gBAC5B,OAAO,EAAE,uHAAuH;gBAChI,MAAM;aACT,CAAC;QACN,CAAC;QAED,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC;gBAChC,eAAe;gBACf,iBAAiB;gBACjB,SAAS;aACZ,EAAE,WAAW,CAAC,CAAC;YAEhB,2BAA2B;YAC3B,MAAM,YAAY,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;YACjC,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,kBAAkB,CAAC,CAAC;YAC3E,IAAI,YAAY;gBAAE,YAAY,CAAC,KAAK,GAAG,MAAM,CAAC,gBAAgB,CAAC;YAC/D,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,iBAAiB,CAAC,CAAC;YACzE,IAAI,WAAW;gBAAE,WAAW,CAAC,KAAK,GAAG,MAAM,CAAC,eAAe,CAAC;YAE5D,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,OAAO;oBACH,OAAO,EAAE,IAAI;oBACb,UAAU,EAAE,SAAS;oBACrB,OAAO,EAAE,kDAAkD,MAAM,CAAC,gBAAgB,mBAAmB,MAAM,CAAC,eAAe,CAAC,MAAM,UAAU;oBAC5I,MAAM,EAAE,YAAY;iBACvB,CAAC;YACN,CAAC;iBAAM,CAAC;gBACJ,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,UAAU,EAAE,iBAAiB;oBAC7B,OAAO,EAAE,MAAM,CAAC,KAAK,IAAI,qBAAqB;oBAC9C,MAAM,EAAE,YAAY;iBACvB,CAAC;YACN,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,IAAA,eAAQ,EAAC,wBAAwB,OAAO,EAAE,CAAC,CAAC;YAE5C,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,UAAU,EAAE,OAAO;gBACnB,OAAO,EAAE,wBAAwB,OAAO,EAAE;gBAC1C,MAAM;aACT,CAAC;QACN,CAAC;IACL,CAAC;IAED;;;;OAIG;IACK,KAAK,CAAC,SAAS,CACnB,MAAuB,EACvB,WAAsB;QAEtB,MAAM,EAAE,eAAe,EAAE,iBAAiB,EAAE,SAAS,GAAG,GAAG,EAAE,GAAG,MAAM,CAAC;QACvE,MAAM,MAAM,GAAG,mCAAgB,CAAC,QAAQ,CAAC;QACzC,MAAM,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;QACxC,MAAM,EAAE,GAAG,IAAI,eAAQ,EAAE,CAAC;QAC1B,MAAM,EAAE,GAAG,IAAI,cAAO,EAAE,CAAC;QAEzB,iBAAiB;QACjB,MAAM,eAAe,GAAa,EAAE,CAAC;QACrC,IAAI,qBAAqB,GAAG,CAAC,CAAC;QAE9B,IAAI,CAAC;YACD,6CAA6C;YAC7C,IAAA,gBAAS,EAAC,gDAAgD,iBAAiB,EAAE,CAAC,CAAC;YAC/E,MAAM,MAAM,CAAC,mBAAmB,CAAC,iBAAiB,EAAE,eAAe,EAAE,WAAW,CAAC,CAAC;YAClF,IAAA,gBAAS,EAAC,yCAAyC,CAAC,CAAC;YAErD,yCAAyC;YACzC,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;gBAC/B,UAAU,EAAE,qBAAqB;gBACjC,WAAW,EAAE,SAAS,eAAe,GAAG;gBACxC,UAAU,EAAE,eAAe;aAC9B,EAAE,WAAW,CAAC,CAAC;YAEhB,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,SAAS,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvD,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,CAAC;oBACnB,eAAe,EAAE,EAAE;oBACnB,KAAK,EAAE,6BAA6B,eAAe,EAAE;iBACxD,CAAC;YACN,CAAC;YAED,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAC3C,MAAM,eAAe,GAAG,aAAa,CAAC,UAAU,IAAI,GAAG,CAAC;YAExD,uCAAuC;YACvC,aAAa,CAAC,MAAM,GAAG,UAAU,CAAC;YAClC,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;YAC9C,IAAI,CAAC,UAAU,EAAE,CAAC;gBACd,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,CAAC;oBACnB,eAAe,EAAE,EAAE;oBACnB,KAAK,EAAE,sCAAsC;iBAChD,CAAC;YACN,CAAC;YAED,gDAAgD;YAChD,MAAM,YAAY,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;gBAClC,UAAU,EAAE,eAAe;gBAC3B,WAAW,EAAE,sBAAsB,eAAe,mBAAmB;gBACrE,UAAU,EAAE,QAAQ;aACvB,EAAE,WAAW,CAAC,CAAC;YAEhB,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;gBACxB,oCAAoC;gBACpC,aAAa,CAAC,MAAM,GAAG,QAAQ,CAAC;gBAChC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;gBAC3B,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,CAAC;oBACnB,eAAe,EAAE,EAAE;oBACnB,KAAK,EAAE,6CAA6C;iBACvD,CAAC;YACN,CAAC;YAED,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC;YACpC,IAAA,gBAAS,EAAC,SAAS,MAAM,CAAC,MAAM,6BAA6B,CAAC,CAAC;YAE/D,6BAA6B;YAC7B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBACzB,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC;gBAChC,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC;gBAC7B,MAAM,aAAa,GAAG,GAAG,UAAU,IAAI,SAAS,EAAE,CAAC;gBAEnD,IAAA,gBAAS,EAAC,qBAAqB,aAAa,EAAE,CAAC,CAAC;gBAEhD,IAAI,CAAC;oBACD,uCAAuC;oBACvC,MAAM,UAAU,GAAG,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;oBAChE,IAAI,CAAC,UAAU,EAAE,CAAC;wBACd,IAAA,eAAQ,EAAC,qBAAqB,UAAU,EAAE,CAAC,CAAC;wBAC5C,SAAS;oBACb,CAAC;oBAED,0BAA0B;oBAC1B,IAAI,MAAM,GAAG,CAAC,CAAC;oBACf,IAAI,OAAO,GAAG,IAAI,CAAC;oBAEnB,OAAO,OAAO,EAAE,CAAC;wBACb,0BAA0B;wBAC1B,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;4BACjC,UAAU,EAAE,UAAU;4BACtB,WAAW,EAAE,GAAG,SAAS,oBAAoB,SAAS,gBAAgB;4BACtE,OAAO,EAAE,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;4BAC7D,OAAO,EAAE,SAAS;4BAClB,UAAU,EAAE,eAAe;yBAC9B,EAAE,WAAW,CAAC,CAAC;wBAEhB,IAAI,CAAC,WAAW,CAAC,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;4BAC3D,OAAO,GAAG,KAAK,CAAC;4BAChB,SAAS;wBACb,CAAC;wBAED,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC;wBACpC,OAAO,GAAG,OAAO,CAAC,MAAM,KAAK,SAAS,CAAC;wBAEvC,mCAAmC;wBACnC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;4BAC3B,MAAM,cAAc,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;4BAE7C,IAAI,CAAC,cAAc,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,EAAE,CAAC;gCACzD,SAAS;4BACb,CAAC;4BAED,IAAI,CAAC;gCACD,uBAAuB;gCACvB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;gCAEpE,qDAAqD;gCACrD,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAC9C,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,WAAW,CACd,CAAC;gCAEF,oBAAoB;gCACpB,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;gCACnC,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;gCAE7C,IAAI,gBAAgB,EAAE,CAAC;oCACnB,qBAAqB,EAAE,CAAC;gCAC5B,CAAC;qCAAM,CAAC;oCACJ,8DAA8D;oCAC9D,iEAAiE;oCACjE,IAAA,eAAQ,EAAC,yCAAyC,aAAa,EAAE,CAAC,CAAC;gCACvE,CAAC;4BACL,CAAC;4BAAC,OAAO,WAAW,EAAE,CAAC;gCACnB,MAAM,GAAG,GAAG,WAAW,YAAY,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gCACrF,IAAA,eAAQ,EAAC,8BAA8B,aAAa,KAAK,GAAG,EAAE,CAAC,CAAC;4BACpE,CAAC;wBACL,CAAC;wBAED,MAAM,IAAI,SAAS,CAAC;oBACxB,CAAC;oBAED,eAAe,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;oBACpC,IAAA,gBAAS,EAAC,oBAAoB,aAAa,EAAE,CAAC,CAAC;gBAEnD,CAAC;gBAAC,OAAO,UAAU,EAAE,CAAC;oBAClB,MAAM,GAAG,GAAG,UAAU,YAAY,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;oBAClF,IAAA,eAAQ,EAAC,2BAA2B,aAAa,KAAK,GAAG,EAAE,CAAC,CAAC;oBAC7D,6BAA6B;gBACjC,CAAC;YACL,CAAC;YAED,kDAAkD;YAClD,aAAa,CAAC,cAAc,GAAG,iBAAiB,CAAC;YACjD,aAAa,CAAC,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;YACjE,aAAa,CAAC,MAAM,GAAG,QAAQ,CAAC;YAChC,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;YAEnD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACnB,OAAO;oBACH,OAAO,EAAE,KAAK;oBACd,gBAAgB,EAAE,qBAAqB;oBACvC,eAAe;oBACf,KAAK,EAAE,0GAA0G;iBACpH,CAAC;YACN,CAAC;YAED,wDAAwD;YACxD,MAAM,CAAC,WAAW,EAAE,CAAC;YAErB,IAAA,gBAAS,EAAC,qCAAqC,qBAAqB,mBAAmB,eAAe,CAAC,MAAM,UAAU,CAAC,CAAC;YAEzH,OAAO;gBACH,OAAO,EAAE,IAAI;gBACb,gBAAgB,EAAE,qBAAqB;gBACvC,eAAe;aAClB,CAAC;QAEN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,kDAAkD;YAClD,IAAI,CAAC;gBACD,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;oBAC/B,UAAU,EAAE,qBAAqB;oBACjC,WAAW,EAAE,SAAS,eAAe,GAAG;oBACxC,UAAU,EAAE,eAAe;iBAC9B,EAAE,WAAW,CAAC,CAAC;gBAEhB,IAAI,SAAS,CAAC,OAAO,IAAI,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpD,MAAM,GAAG,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBACjC,IAAI,GAAG,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;wBAC5B,GAAG,CAAC,MAAM,GAAG,QAAQ,CAAC;wBACtB,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;oBACrB,CAAC;gBACL,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACL,yCAAyC;YAC7C,CAAC;YAED,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,gBAAgB,EAAE,qBAAqB;gBACvC,eAAe;gBACf,KAAK,EAAE,OAAO;aACjB,CAAC;QACN,CAAC;IACL,CAAC;IAED;;;OAGG;IACK,aAAa,CAAC,MAAqB,EAAE,IAAY;QACrD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;QAChD,OAAO,KAAK,EAAE,KAAK,IAAI,IAAI,CAAC;IAChC,CAAC;CACJ,CAAA;AAtTY,8DAAyB;oCAAzB,yBAAyB;IADrC,IAAA,sBAAa,EAAC,MAAM,EAAE,uBAAuB,CAAC;GAClC,yBAAyB,CAsTrC"}

package/dist/actions/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * @fileoverview Encryption-related actions for key management and data migration.
+ *
+ * These actions provide administrative capabilities for:
+ * - Rotating encryption keys with full data re-encryption
+ * - Enabling encryption on existing fields (initial data encryption)
+ *
+ * @module @memberjunction/encryption
+ */
+export { RotateEncryptionKeyAction } from './RotateEncryptionKeyAction';
+export { EnableFieldEncryptionAction } from './EnableFieldEncryptionAction';
+//# sourceMappingURL=index.d.ts.map

package/dist/actions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAC;AACxE,OAAO,EAAE,2BAA2B,EAAE,MAAM,+BAA+B,CAAC"}

package/dist/actions/index.js

@@ -0,0 +1,17 @@
+"use strict";
+/**
+ * @fileoverview Encryption-related actions for key management and data migration.
+ *
+ * These actions provide administrative capabilities for:
+ * - Rotating encryption keys with full data re-encryption
+ * - Enabling encryption on existing fields (initial data encryption)
+ *
+ * @module @memberjunction/encryption
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EnableFieldEncryptionAction = exports.RotateEncryptionKeyAction = void 0;
+var RotateEncryptionKeyAction_1 = require("./RotateEncryptionKeyAction");
+Object.defineProperty(exports, "RotateEncryptionKeyAction", { enumerable: true, get: function () { return RotateEncryptionKeyAction_1.RotateEncryptionKeyAction; } });
+var EnableFieldEncryptionAction_1 = require("./EnableFieldEncryptionAction");
+Object.defineProperty(exports, "EnableFieldEncryptionAction", { enumerable: true, get: function () { return EnableFieldEncryptionAction_1.EnableFieldEncryptionAction; } });
+//# sourceMappingURL=index.js.map

package/dist/actions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/actions/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAEH,yEAAwE;AAA/D,sIAAA,yBAAyB,OAAA;AAClC,6EAA4E;AAAnE,0IAAA,2BAA2B,OAAA"}

package/dist/index.d.ts

@@ -0,0 +1,66 @@
+/**
+ * @fileoverview MemberJunction Field-Level Encryption Package
+ *
+ * This package provides field-level encryption capabilities for MemberJunction
+ * entities. It enables encrypting sensitive data at rest in the database while
+ * providing transparent decryption for authorized access.
+ *
+ * ## Features
+ *
+ * - **AES-256-GCM/CBC encryption** - Industry-standard authenticated encryption
+ * - **Pluggable key sources** - Environment variables, config files, or custom providers
+ * - **Declarative configuration** - Enable encryption via EntityField metadata
+ * - **Transparent operation** - Automatic encrypt on save, decrypt on load
+ * - **Key rotation support** - Full re-encryption with transactional safety
+ *
+ * ## Quick Start
+ *
+ * ```typescript
+ * import { EncryptionEngine } from '@memberjunction/encryption';
+ *
+ * const engine = EncryptionEngine.Instance;
+ *
+ * // Encrypt a value
+ * const encrypted = await engine.Encrypt(
+ *   'sensitive-data',
+ *   encryptionKeyId,
+ *   contextUser
+ * );
+ *
+ * // Decrypt a value
+ * const decrypted = await engine.Decrypt(encrypted, contextUser);
+ *
+ * // Check if value is encrypted
+ * if (engine.IsEncrypted(someValue)) {
+ *   // Handle encrypted value
+ * }
+ * ```
+ *
+ * ## Key Source Providers
+ *
+ * Built-in providers:
+ * - `EnvVarKeySource` - Reads keys from environment variables
+ * - `ConfigFileKeySource` - Reads keys from mj.config.cjs
+ *
+ * To create a custom provider, extend `EncryptionKeySourceBase`.
+ *
+ * ## Security Considerations
+ *
+ * - Keys are never stored in the database
+ * - Authenticated encryption (GCM) prevents tampering
+ * - Random IVs for each encryption operation
+ * - Cached key material has configurable TTL
+ *
+ * @module @memberjunction/encryption
+ * @packageDocumentation
+ */
+export { EncryptionKeySourceConfig, EncryptedValueParts, KeyConfiguration, RotateKeyParams, RotateKeyResult, EnableFieldEncryptionParams, EnableFieldEncryptionResult } from './interfaces';
+export { EncryptionKeySourceBase } from './EncryptionKeySourceBase';
+export { EncryptionEngine } from './EncryptionEngine';
+export { EnvVarKeySource } from './providers/EnvVarKeySource';
+export { ConfigFileKeySource } from './providers/ConfigFileKeySource';
+export { AWSKMSKeySource } from './providers/AWSKMSKeySource';
+export { AzureKeyVaultKeySource } from './providers/AzureKeyVaultKeySource';
+export { RotateEncryptionKeyAction } from './actions/RotateEncryptionKeyAction';
+export { EnableFieldEncryptionAction } from './actions/EnableFieldEncryptionAction';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAGH,OAAO,EACH,yBAAyB,EACzB,mBAAmB,EACnB,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,2BAA2B,EAC3B,2BAA2B,EAC9B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAGpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAGtD,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAGtE,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAC;AAG5E,OAAO,EAAE,yBAAyB,EAAE,MAAM,qCAAqC,CAAC;AAChF,OAAO,EAAE,2BAA2B,EAAE,MAAM,uCAAuC,CAAC"}

package/dist/index.js

@@ -0,0 +1,81 @@
+"use strict";
+/**
+ * @fileoverview MemberJunction Field-Level Encryption Package
+ *
+ * This package provides field-level encryption capabilities for MemberJunction
+ * entities. It enables encrypting sensitive data at rest in the database while
+ * providing transparent decryption for authorized access.
+ *
+ * ## Features
+ *
+ * - **AES-256-GCM/CBC encryption** - Industry-standard authenticated encryption
+ * - **Pluggable key sources** - Environment variables, config files, or custom providers
+ * - **Declarative configuration** - Enable encryption via EntityField metadata
+ * - **Transparent operation** - Automatic encrypt on save, decrypt on load
+ * - **Key rotation support** - Full re-encryption with transactional safety
+ *
+ * ## Quick Start
+ *
+ * ```typescript
+ * import { EncryptionEngine } from '@memberjunction/encryption';
+ *
+ * const engine = EncryptionEngine.Instance;
+ *
+ * // Encrypt a value
+ * const encrypted = await engine.Encrypt(
+ *   'sensitive-data',
+ *   encryptionKeyId,
+ *   contextUser
+ * );
+ *
+ * // Decrypt a value
+ * const decrypted = await engine.Decrypt(encrypted, contextUser);
+ *
+ * // Check if value is encrypted
+ * if (engine.IsEncrypted(someValue)) {
+ *   // Handle encrypted value
+ * }
+ * ```
+ *
+ * ## Key Source Providers
+ *
+ * Built-in providers:
+ * - `EnvVarKeySource` - Reads keys from environment variables
+ * - `ConfigFileKeySource` - Reads keys from mj.config.cjs
+ *
+ * To create a custom provider, extend `EncryptionKeySourceBase`.
+ *
+ * ## Security Considerations
+ *
+ * - Keys are never stored in the database
+ * - Authenticated encryption (GCM) prevents tampering
+ * - Random IVs for each encryption operation
+ * - Cached key material has configurable TTL
+ *
+ * @module @memberjunction/encryption
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EnableFieldEncryptionAction = exports.RotateEncryptionKeyAction = exports.AzureKeyVaultKeySource = exports.AWSKMSKeySource = exports.ConfigFileKeySource = exports.EnvVarKeySource = exports.EncryptionEngine = exports.EncryptionKeySourceBase = void 0;
+// Base class for key source providers
+var EncryptionKeySourceBase_1 = require("./EncryptionKeySourceBase");
+Object.defineProperty(exports, "EncryptionKeySourceBase", { enumerable: true, get: function () { return EncryptionKeySourceBase_1.EncryptionKeySourceBase; } });
+// Core encryption engine
+var EncryptionEngine_1 = require("./EncryptionEngine");
+Object.defineProperty(exports, "EncryptionEngine", { enumerable: true, get: function () { return EncryptionEngine_1.EncryptionEngine; } });
+// Built-in key source providers
+var EnvVarKeySource_1 = require("./providers/EnvVarKeySource");
+Object.defineProperty(exports, "EnvVarKeySource", { enumerable: true, get: function () { return EnvVarKeySource_1.EnvVarKeySource; } });
+var ConfigFileKeySource_1 = require("./providers/ConfigFileKeySource");
+Object.defineProperty(exports, "ConfigFileKeySource", { enumerable: true, get: function () { return ConfigFileKeySource_1.ConfigFileKeySource; } });
+// Cloud key source providers (require optional dependencies)
+var AWSKMSKeySource_1 = require("./providers/AWSKMSKeySource");
+Object.defineProperty(exports, "AWSKMSKeySource", { enumerable: true, get: function () { return AWSKMSKeySource_1.AWSKMSKeySource; } });
+var AzureKeyVaultKeySource_1 = require("./providers/AzureKeyVaultKeySource");
+Object.defineProperty(exports, "AzureKeyVaultKeySource", { enumerable: true, get: function () { return AzureKeyVaultKeySource_1.AzureKeyVaultKeySource; } });
+// Actions for key management and data migration
+var RotateEncryptionKeyAction_1 = require("./actions/RotateEncryptionKeyAction");
+Object.defineProperty(exports, "RotateEncryptionKeyAction", { enumerable: true, get: function () { return RotateEncryptionKeyAction_1.RotateEncryptionKeyAction; } });
+var EnableFieldEncryptionAction_1 = require("./actions/EnableFieldEncryptionAction");
+Object.defineProperty(exports, "EnableFieldEncryptionAction", { enumerable: true, get: function () { return EnableFieldEncryptionAction_1.EnableFieldEncryptionAction; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;;;AAaH,sCAAsC;AACtC,qEAAoE;AAA3D,kIAAA,uBAAuB,OAAA;AAEhC,yBAAyB;AACzB,uDAAsD;AAA7C,oHAAA,gBAAgB,OAAA;AAEzB,gCAAgC;AAChC,+DAA8D;AAArD,kHAAA,eAAe,OAAA;AACxB,uEAAsE;AAA7D,0HAAA,mBAAmB,OAAA;AAE5B,6DAA6D;AAC7D,+DAA8D;AAArD,kHAAA,eAAe,OAAA;AACxB,6EAA4E;AAAnE,gIAAA,sBAAsB,OAAA;AAE/B,gDAAgD;AAChD,iFAAgF;AAAvE,sIAAA,yBAAyB,OAAA;AAClC,qFAAoF;AAA3E,0IAAA,2BAA2B,OAAA"}