@omniradiology/omnirad 0.1.3

package/lib/security/secrets.ts

@@ -0,0 +1,179 @@
+/**
+ * OmniRad Secret Management Module
+ * 
+ * Handles encryption, hashing, masking, and secure storage of secrets
+ * like API keys, PACS passwords, and integration tokens.
+ */
+import { createCipheriv, createDecipheriv, randomBytes, createHash } from "crypto";
+import path from "path";
+import fs from "fs";
+
+// ─── Encryption Key Management ──────────────────────────────────────────────
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 12; // 96 bits for GCM
+const AUTH_TAG_LENGTH = 16;
+
+/**
+ * Gets or creates the master encryption key.
+ * Priority: 1) OMNIRAD_ENCRYPTION_KEY env var, 2) Auto-generated key file
+ */
+function getEncryptionKey(): Buffer {
+    // Check environment variable first
+    const envKey = process.env.OMNIRAD_ENCRYPTION_KEY;
+    if (envKey) {
+        // If it's hex-encoded
+        if (/^[0-9a-fA-F]{64}$/.test(envKey)) {
+            return Buffer.from(envKey, "hex");
+        }
+        // Hash the env key to get exactly 32 bytes
+        return createHash("sha256").update(envKey).digest();
+    }
+
+    // Auto-generate and store key in data directory
+    const dataDir = path.join(process.cwd(), "data");
+    const keyFile = path.join(dataDir, ".encryption_key");
+
+    try {
+        if (fs.existsSync(keyFile)) {
+            const keyHex = fs.readFileSync(keyFile, "utf-8").trim();
+            return Buffer.from(keyHex, "hex");
+        }
+    } catch {
+        // File doesn't exist or can't be read — generate new key
+    }
+
+    // Generate new key
+    const newKey = randomBytes(KEY_LENGTH);
+
+    // Ensure data directory exists
+    if (!fs.existsSync(dataDir)) {
+        fs.mkdirSync(dataDir, { recursive: true });
+    }
+
+    // Write key file with restrictive permissions
+    fs.writeFileSync(keyFile, newKey.toString("hex"), { mode: 0o600 });
+
+    return newKey;
+}
+
+// Cache the key in memory
+let _cachedKey: Buffer | null = null;
+function getCachedKey(): Buffer {
+    if (!_cachedKey) {
+        _cachedKey = getEncryptionKey();
+    }
+    return _cachedKey;
+}
+
+// ─── Encryption / Decryption ─────────────────────────────────────────────────
+
+/**
+ * Encrypts a plaintext string using AES-256-GCM.
+ * Returns a string in format: iv:authTag:ciphertext (all hex-encoded)
+ */
+export function encryptSecret(plaintext: string): string {
+    if (!plaintext) return "";
+
+    const key = getCachedKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+
+    let encrypted = cipher.update(plaintext, "utf8", "hex");
+    encrypted += cipher.final("hex");
+    const authTag = cipher.getAuthTag();
+
+    return `${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted}`;
+}
+
+/**
+ * Decrypts a ciphertext string encrypted by encryptSecret.
+ * Returns the original plaintext.
+ */
+export function decryptSecret(ciphertext: string): string {
+    if (!ciphertext) return "";
+
+    // If it doesn't look encrypted (no colons), return as-is for backward compat
+    if (!ciphertext.includes(":")) return ciphertext;
+
+    try {
+        const parts = ciphertext.split(":");
+        if (parts.length !== 3) return ciphertext; // Not encrypted format
+
+        const [ivHex, authTagHex, encryptedHex] = parts;
+        const key = getCachedKey();
+        const iv = Buffer.from(ivHex, "hex");
+        const authTag = Buffer.from(authTagHex, "hex");
+
+        const decipher = createDecipheriv(ALGORITHM, key, iv);
+        decipher.setAuthTag(authTag);
+
+        let decrypted = decipher.update(encryptedHex, "hex", "utf8");
+        decrypted += decipher.final("utf8");
+
+        return decrypted;
+    } catch {
+        // If decryption fails, return as-is (might be a plaintext from before encryption was added)
+        return ciphertext;
+    }
+}
+
+// ─── Hashing (for verification-only tokens) ──────────────────────────────────
+
+/**
+ * Creates a SHA-256 hash of a token (for verification-only use cases).
+ * Use this for integration tokens where we only need to verify, not recover.
+ */
+export function hashToken(token: string): string {
+    return createHash("sha256").update(token).digest("hex");
+}
+
+/**
+ * Verifies a token against its hash.
+ */
+export function verifyToken(token: string, hash: string): boolean {
+    const computed = hashToken(token);
+    // Constant-time comparison to prevent timing attacks
+    if (computed.length !== hash.length) return false;
+    let result = 0;
+    for (let i = 0; i < computed.length; i++) {
+        result |= computed.charCodeAt(i) ^ hash.charCodeAt(i);
+    }
+    return result === 0;
+}
+
+// ─── Masking ─────────────────────────────────────────────────────────────────
+
+/**
+ * Masks a secret value for display, showing only the last 4 characters.
+ * Returns "********last4" format.
+ */
+export function maskSecret(value: string | null | undefined): string {
+    if (!value || value.length === 0) return "";
+    if (value.length <= 4) return "********";
+
+    const last4 = value.slice(-4);
+    return `********${last4}`;
+}
+
+/**
+ * Returns an object indicating whether a secret is set and its masked value.
+ * Use this when building API responses that reference secrets.
+ */
+export function secretSummary(value: string | null | undefined): { hasSecret: boolean; maskedValue: string } {
+    return {
+        hasSecret: !!value && value.length > 0,
+        maskedValue: maskSecret(value),
+    };
+}
+
+// ─── Token Generation ────────────────────────────────────────────────────────
+
+/**
+ * Generates a cryptographically secure random token.
+ * Default length is 48 bytes (96 hex chars).
+ */
+export function generateSecureToken(byteLength: number = 48): string {
+    return randomBytes(byteLength).toString("hex");
+}

package/lib/supabase.ts

@@ -0,0 +1,72 @@
+
+import { createClient, SupabaseClient } from '@supabase/supabase-js';
+
+// Helper to validate a proper HTTP/HTTPS URL
+function isValidHttpUrl(str: string): boolean {
+    try {
+        const url = new URL(str);
+        return url.protocol === 'http:' || url.protocol === 'https:';
+    } catch {
+        return false;
+    }
+}
+
+// Cache: once we fetch the config from the API, we store it here
+let cachedConfig: { supabaseUrl: string; supabaseAnonKey: string } | null = null;
+let cachedClient: SupabaseClient | null = null;
+let configLoaded = false;
+
+// Async function to ensure the config is loaded from the SQLite API
+export async function ensureSupabaseConfig() {
+    if (configLoaded) return;
+    configLoaded = true;
+
+    try {
+        const res = await fetch('/api/settings?type=config');
+        if (res.ok) {
+            const data = await res.json();
+            if (data.supabaseUrl?.trim() && data.supabaseAnonKey?.trim()) {
+                cachedConfig = {
+                    supabaseUrl: data.supabaseUrl.trim(),
+                    supabaseAnonKey: data.supabaseAnonKey.trim(),
+                };
+            }
+        }
+    } catch (e) {
+        console.warn("[OmniRad] Could not fetch Supabase config from API:", e);
+    }
+}
+
+// Synchronous getter — uses cached config or env vars
+export const getSupabaseClient = (): SupabaseClient | null => {
+    // If we already have a cached client, return it
+    if (cachedClient) return cachedClient;
+
+    let supabaseUrl = process.env.NEXT_PUBLIC_SUPABASE_URL;
+    let supabaseAnonKey = process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY;
+
+    // Override with cached config from API (if available)
+    if (cachedConfig) {
+        supabaseUrl = cachedConfig.supabaseUrl;
+        supabaseAnonKey = cachedConfig.supabaseAnonKey;
+    }
+
+    if (supabaseUrl && supabaseAnonKey && isValidHttpUrl(supabaseUrl)) {
+        try {
+            cachedClient = createClient(supabaseUrl, supabaseAnonKey);
+            return cachedClient;
+        } catch (e) {
+            console.error("[OmniRad] Failed to create Supabase client:", e);
+            return null;
+        }
+    }
+
+    return null;
+};
+
+// Reset cached client (e.g. when settings change)
+export const resetSupabaseClient = () => {
+    cachedClient = null;
+    cachedConfig = null;
+    configLoaded = false;
+};

package/lib/utils.ts

@@ -0,0 +1,6 @@
+import { type ClassValue, clsx } from "clsx";
+import { twMerge } from "tailwind-merge";
+
+export function cn(...inputs: ClassValue[]) {
+    return twMerge(clsx(inputs));
+}

package/next.config.ts

@@ -0,0 +1,35 @@
+import type { NextConfig } from "next";
+
+const nextConfig: NextConfig = {
+  output: "standalone",
+  outputFileTracingRoot: process.cwd(),
+  webpack: (config) => {
+    config.experiments = {
+      ...config.experiments,
+      asyncWebAssembly: true,
+      layers: true,
+    };
+    /* Cornerstone3D wasm file loading */
+    config.module.rules.push({
+      test: /\.wasm$/,
+      type: "asset/resource",
+    });
+
+    /* Stub out Node.js built-ins that Cornerstone3D codec decoders reference */
+    config.resolve.fallback = {
+      ...config.resolve.fallback,
+      fs: false,
+      path: false,
+      crypto: false,
+      stream: false,
+      os: false,
+      http: false,
+      https: false,
+      zlib: false,
+    };
+
+    return config;
+  },
+};
+
+export default nextConfig;

package/package.json

@@ -0,0 +1,76 @@
+{
+  "name": "@omniradiology/omnirad",
+  "version": "0.1.3",
+  "description": "OmniRad — AI-powered radiology platform with DICOM viewer and intelligent reporting",
+  "keywords": [
+    "radiology",
+    "dicom",
+    "medical-imaging",
+    "ai",
+    "healthcare"
+  ],
+  "license": "MIT",
+  "author": "OmniRad Team",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/omniradiology/omnirad.git"
+  },
+  "files": [
+    "app",
+    "components",
+    "lib",
+    "types",
+    "public",
+    "db",
+    "data",
+    "next.config.ts",
+    "tsconfig.json",
+    "drizzle.config.ts"
+  ],
+  "scripts": {
+    "dev": "concurrently -k -n \"NEXT,AI\" -c \"cyan,magenta\" \"npm run dev:next\" \"npm run dev:ai\"",
+    "dev:next": "next dev --webpack",
+    "dev:ai": "cd ai_service && python -m uv run main.py",
+    "build": "next build --webpack",
+    "start": "next start",
+    "lint": "eslint",
+    "postinstall": "node scripts/patch-html2canvas.js"
+  },
+  "dependencies": {
+    "@cornerstonejs/core": "^4.20.0",
+    "@cornerstonejs/dicom-image-loader": "^4.20.0",
+    "@cornerstonejs/tools": "^4.20.0",
+    "@supabase/supabase-js": "^2.95.3",
+    "@types/bcryptjs": "^2.4.6",
+    "bcryptjs": "^3.0.3",
+    "better-sqlite3": "^12.8.0",
+    "clsx": "^2.1.1",
+    "dicom-parser": "^1.8.21",
+    "drizzle-orm": "^0.45.1",
+    "fhir-kit-client": "^2.0.2",
+    "html2pdf.js": "^0.14.0",
+    "lucide-react": "^0.563.0",
+    "next": "16.1.6",
+    "react": "19.2.3",
+    "react-dom": "19.2.3",
+    "react-markdown": "^10.1.0",
+    "react-resizable-panels": "^4.6.2",
+    "react-signature-canvas": "^1.1.0-alpha.2",
+    "remark-gfm": "^4.0.1",
+    "tailwind-merge": "^3.4.0"
+  },
+  "devDependencies": {
+    "@tailwindcss/postcss": "^4",
+    "@types/better-sqlite3": "^7.6.13",
+    "@types/fhir": "^0.0.44",
+    "@types/node": "^20",
+    "@types/react": "^19",
+    "@types/react-dom": "^19",
+    "concurrently": "^9.2.1",
+    "drizzle-kit": "^0.31.10",
+    "eslint": "^9",
+    "eslint-config-next": "16.1.6",
+    "tailwindcss": "^4",
+    "typescript": "^5"
+  }
+}

package/public/file.svg

@@ -0,0 +1 @@
+<svg fill="none" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg"><path d="M14.5 13.5V5.41a1 1 0 0 0-.3-.7L9.8.29A1 1 0 0 0 9.08 0H1.5v13.5A2.5 2.5 0 0 0 4 16h8a2.5 2.5 0 0 0 2.5-2.5m-1.5 0v-7H8v-5H3v12a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1M9.5 5V2.12L12.38 5zM5.13 5h-.62v1.25h2.12V5zm-.62 3h7.12v1.25H4.5zm.62 3h-.62v1.25h7.12V11z" clip-rule="evenodd" fill="#666" fill-rule="evenodd"/></svg>

package/public/globe.svg

@@ -0,0 +1 @@
+<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><g clip-path="url(#a)"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.27 14.1a6.5 6.5 0 0 0 3.67-3.45q-1.24.21-2.7.34-.31 1.83-.97 3.1M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16m.48-1.52a7 7 0 0 1-.96 0H7.5a4 4 0 0 1-.84-1.32q-.38-.89-.63-2.08a40 40 0 0 0 3.92 0q-.25 1.2-.63 2.08a4 4 0 0 1-.84 1.31zm2.94-4.76q1.66-.15 2.95-.43a7 7 0 0 0 0-2.58q-1.3-.27-2.95-.43a18 18 0 0 1 0 3.44m-1.27-3.54a17 17 0 0 1 0 3.64 39 39 0 0 1-4.3 0 17 17 0 0 1 0-3.64 39 39 0 0 1 4.3 0m1.1-1.17q1.45.13 2.69.34a6.5 6.5 0 0 0-3.67-3.44q.65 1.26.98 3.1M8.48 1.5l.01.02q.41.37.84 1.31.38.89.63 2.08a40 40 0 0 0-3.92 0q.25-1.2.63-2.08a4 4 0 0 1 .85-1.32 7 7 0 0 1 .96 0m-2.75.4a6.5 6.5 0 0 0-3.67 3.44 29 29 0 0 1 2.7-.34q.31-1.83.97-3.1M4.58 6.28q-1.66.16-2.95.43a7 7 0 0 0 0 2.58q1.3.27 2.95.43a18 18 0 0 1 0-3.44m.17 4.71q-1.45-.12-2.69-.34a6.5 6.5 0 0 0 3.67 3.44q-.65-1.27-.98-3.1" fill="#666"/></g><defs><clipPath id="a"><path fill="#fff" d="M0 0h16v16H0z"/></clipPath></defs></svg>