@pikku/core 0.12.4 → 0.12.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (235) hide show
  1. package/CHANGELOG.md +21 -1
  2. package/dist/dev/hot-reload.d.ts +10 -0
  3. package/dist/dev/hot-reload.js +158 -0
  4. package/dist/middleware-runner.d.ts +1 -0
  5. package/dist/middleware-runner.js +5 -0
  6. package/dist/permissions.d.ts +1 -0
  7. package/dist/permissions.js +5 -0
  8. package/dist/services/content-service.d.ts +2 -0
  9. package/dist/services/in-memory-workflow-service.d.ts +1 -0
  10. package/dist/services/in-memory-workflow-service.js +16 -11
  11. package/dist/services/workflow-service.d.ts +1 -0
  12. package/dist/wirings/ai-agent/ai-agent-prepare.js +16 -1
  13. package/dist/wirings/channel/channel-middleware-runner.d.ts +1 -0
  14. package/dist/wirings/channel/channel-middleware-runner.js +5 -0
  15. package/dist/wirings/http/http-runner.js +1 -1
  16. package/dist/wirings/workflow/pikku-workflow-service.d.ts +6 -0
  17. package/dist/wirings/workflow/pikku-workflow-service.js +51 -16
  18. package/dist/wirings/workflow/workflow.types.d.ts +2 -0
  19. package/package.json +5 -3
  20. package/src/crypto-utils.test.ts +214 -0
  21. package/src/crypto-utils.ts +213 -0
  22. package/src/dev/hot-reload.test.ts +484 -0
  23. package/src/dev/hot-reload.ts +212 -0
  24. package/src/errors/error-handler.ts +62 -0
  25. package/src/errors/error.test.ts +195 -0
  26. package/src/errors/errors.ts +374 -0
  27. package/src/errors/index.ts +2 -0
  28. package/src/factory-functions.test.ts +109 -0
  29. package/src/function/function-runner.test.ts +536 -0
  30. package/src/function/function-runner.ts +365 -0
  31. package/src/function/functions.types.ts +304 -0
  32. package/src/function/index.ts +5 -0
  33. package/src/handle-error.test.ts +424 -0
  34. package/src/handle-error.ts +69 -0
  35. package/src/index.ts +118 -0
  36. package/src/internal.ts +6 -0
  37. package/src/middleware/auth-apikey.test.ts +363 -0
  38. package/src/middleware/auth-apikey.ts +47 -0
  39. package/src/middleware/auth-bearer.test.ts +450 -0
  40. package/src/middleware/auth-bearer.ts +72 -0
  41. package/src/middleware/auth-cookie.test.ts +528 -0
  42. package/src/middleware/auth-cookie.ts +80 -0
  43. package/src/middleware/cors.test.ts +424 -0
  44. package/src/middleware/cors.ts +104 -0
  45. package/src/middleware/index.ts +5 -0
  46. package/src/middleware/remote-auth.test.ts +488 -0
  47. package/src/middleware/remote-auth.ts +68 -0
  48. package/src/middleware/timeout.ts +15 -0
  49. package/src/middleware-runner.test.ts +418 -0
  50. package/src/middleware-runner.ts +240 -0
  51. package/src/permissions.test.ts +434 -0
  52. package/src/permissions.ts +327 -0
  53. package/src/pikku-request.ts +23 -0
  54. package/src/pikku-response.ts +5 -0
  55. package/src/pikku-state.test.ts +224 -0
  56. package/src/pikku-state.ts +216 -0
  57. package/src/run-tests-script.test.ts +49 -0
  58. package/src/schema.test.ts +249 -0
  59. package/src/schema.ts +151 -0
  60. package/src/services/ai-agent-runner-service.ts +41 -0
  61. package/src/services/ai-run-state-service.ts +20 -0
  62. package/src/services/ai-storage-service.ts +39 -0
  63. package/src/services/content-service.ts +81 -0
  64. package/src/services/deployment-service.ts +22 -0
  65. package/src/services/gateway-service.ts +20 -0
  66. package/src/services/gopass-secrets.ts +98 -0
  67. package/src/services/in-memory-ai-run-state-service.ts +73 -0
  68. package/src/services/in-memory-trigger-service.ts +64 -0
  69. package/src/services/in-memory-workflow-service.test.ts +351 -0
  70. package/src/services/in-memory-workflow-service.ts +512 -0
  71. package/src/services/index.ts +56 -0
  72. package/src/services/jwt-service.ts +30 -0
  73. package/src/services/local-content.ts +120 -0
  74. package/src/services/local-gateway-service.ts +62 -0
  75. package/src/services/local-secrets.test.ts +80 -0
  76. package/src/services/local-secrets.ts +94 -0
  77. package/src/services/local-variables.test.ts +61 -0
  78. package/src/services/local-variables.ts +39 -0
  79. package/src/services/logger-console.test.ts +118 -0
  80. package/src/services/logger-console.ts +98 -0
  81. package/src/services/logger.ts +57 -0
  82. package/src/services/scheduler-service.ts +86 -0
  83. package/src/services/schema-service.ts +33 -0
  84. package/src/services/scoped-secret-service.test.ts +74 -0
  85. package/src/services/scoped-secret-service.ts +41 -0
  86. package/src/services/secret-service.ts +38 -0
  87. package/src/services/trigger-service.ts +17 -0
  88. package/src/services/typed-secret-service.test.ts +93 -0
  89. package/src/services/typed-secret-service.ts +70 -0
  90. package/src/services/typed-variables-service.test.ts +73 -0
  91. package/src/services/typed-variables-service.ts +81 -0
  92. package/src/services/user-session-service.test.ts +113 -0
  93. package/src/services/user-session-service.ts +86 -0
  94. package/src/services/variables-service.ts +11 -0
  95. package/src/services/workflow-service.ts +96 -0
  96. package/src/testing/index.ts +2 -0
  97. package/src/testing/service-tests.ts +873 -0
  98. package/src/time-utils.test.ts +56 -0
  99. package/src/time-utils.ts +107 -0
  100. package/src/types/core.types.ts +478 -0
  101. package/src/types/state.types.ts +188 -0
  102. package/src/utils/hash.test.ts +68 -0
  103. package/src/utils/hash.ts +26 -0
  104. package/src/utils.test.ts +350 -0
  105. package/src/utils.ts +129 -0
  106. package/src/version.test.ts +80 -0
  107. package/src/version.ts +25 -0
  108. package/src/wirings/ai-agent/agent-dynamic-workflow.ts +469 -0
  109. package/src/wirings/ai-agent/ai-agent-helpers.test.ts +152 -0
  110. package/src/wirings/ai-agent/ai-agent-helpers.ts +76 -0
  111. package/src/wirings/ai-agent/ai-agent-memory.ts +310 -0
  112. package/src/wirings/ai-agent/ai-agent-model-config.test.ts +115 -0
  113. package/src/wirings/ai-agent/ai-agent-model-config.ts +43 -0
  114. package/src/wirings/ai-agent/ai-agent-prepare.ts +659 -0
  115. package/src/wirings/ai-agent/ai-agent-registry.test.ts +37 -0
  116. package/src/wirings/ai-agent/ai-agent-registry.ts +82 -0
  117. package/src/wirings/ai-agent/ai-agent-runner.test.ts +319 -0
  118. package/src/wirings/ai-agent/ai-agent-runner.ts +773 -0
  119. package/src/wirings/ai-agent/ai-agent-stream.test.ts +859 -0
  120. package/src/wirings/ai-agent/ai-agent-stream.ts +1153 -0
  121. package/src/wirings/ai-agent/ai-agent.types.ts +382 -0
  122. package/src/wirings/ai-agent/index.ts +37 -0
  123. package/src/wirings/channel/channel-common.ts +90 -0
  124. package/src/wirings/channel/channel-handler.ts +250 -0
  125. package/src/wirings/channel/channel-middleware-runner.ts +126 -0
  126. package/src/wirings/channel/channel-runner.ts +166 -0
  127. package/src/wirings/channel/channel-store.ts +29 -0
  128. package/src/wirings/channel/channel.types.ts +172 -0
  129. package/src/wirings/channel/define-channel-routes.ts +25 -0
  130. package/src/wirings/channel/eventhub-service.ts +34 -0
  131. package/src/wirings/channel/eventhub-store.ts +13 -0
  132. package/src/wirings/channel/index.ts +24 -0
  133. package/src/wirings/channel/local/index.ts +3 -0
  134. package/src/wirings/channel/local/local-channel-handler.ts +81 -0
  135. package/src/wirings/channel/local/local-channel-runner.test.ts +215 -0
  136. package/src/wirings/channel/local/local-channel-runner.ts +210 -0
  137. package/src/wirings/channel/local/local-eventhub-service.test.ts +95 -0
  138. package/src/wirings/channel/local/local-eventhub-service.ts +101 -0
  139. package/src/wirings/channel/log-channels.ts +20 -0
  140. package/src/wirings/channel/pikku-abstract-channel-handler.test.ts +54 -0
  141. package/src/wirings/channel/pikku-abstract-channel-handler.ts +45 -0
  142. package/src/wirings/channel/serverless/index.ts +5 -0
  143. package/src/wirings/channel/serverless/serverless-channel-runner.ts +289 -0
  144. package/src/wirings/cli/channel/cli-channel-runner.ts +136 -0
  145. package/src/wirings/cli/channel/index.ts +1 -0
  146. package/src/wirings/cli/cli-runner.test.ts +403 -0
  147. package/src/wirings/cli/cli-runner.ts +529 -0
  148. package/src/wirings/cli/cli.types.ts +358 -0
  149. package/src/wirings/cli/command-parser.test.ts +445 -0
  150. package/src/wirings/cli/command-parser.ts +504 -0
  151. package/src/wirings/cli/define-cli-commands.ts +24 -0
  152. package/src/wirings/cli/index.ts +19 -0
  153. package/src/wirings/gateway/gateway-runner.test.ts +474 -0
  154. package/src/wirings/gateway/gateway-runner.ts +411 -0
  155. package/src/wirings/gateway/gateway.types.ts +149 -0
  156. package/src/wirings/gateway/index.ts +13 -0
  157. package/src/wirings/http/http-routes.test.ts +322 -0
  158. package/src/wirings/http/http-routes.ts +197 -0
  159. package/src/wirings/http/http-runner.test.ts +144 -0
  160. package/src/wirings/http/http-runner.ts +588 -0
  161. package/src/wirings/http/http.types.ts +369 -0
  162. package/src/wirings/http/index.ts +28 -0
  163. package/src/wirings/http/log-http-routes.ts +22 -0
  164. package/src/wirings/http/pikku-fetch-http-request.test.ts +237 -0
  165. package/src/wirings/http/pikku-fetch-http-request.ts +170 -0
  166. package/src/wirings/http/pikku-fetch-http-response.test.ts +82 -0
  167. package/src/wirings/http/pikku-fetch-http-response.ts +147 -0
  168. package/src/wirings/http/routers/http-router.ts +13 -0
  169. package/src/wirings/http/routers/path-to-regex.test.ts +319 -0
  170. package/src/wirings/http/routers/path-to-regex.ts +126 -0
  171. package/src/wirings/http/web-request.test.ts +236 -0
  172. package/src/wirings/http/web-request.ts +104 -0
  173. package/src/wirings/mcp/index.ts +27 -0
  174. package/src/wirings/mcp/mcp-endpoint-registry.test.ts +389 -0
  175. package/src/wirings/mcp/mcp-endpoint-registry.ts +159 -0
  176. package/src/wirings/mcp/mcp-runner.ts +323 -0
  177. package/src/wirings/mcp/mcp.types.ts +216 -0
  178. package/src/wirings/node/index.ts +2 -0
  179. package/src/wirings/node/node.types.ts +23 -0
  180. package/src/wirings/oauth2/index.ts +3 -0
  181. package/src/wirings/oauth2/oauth2-client.test.ts +929 -0
  182. package/src/wirings/oauth2/oauth2-client.ts +335 -0
  183. package/src/wirings/oauth2/oauth2.types.ts +69 -0
  184. package/src/wirings/oauth2/wire-oauth2-credential.ts +23 -0
  185. package/src/wirings/queue/index.ts +31 -0
  186. package/src/wirings/queue/queue-runner.test.ts +710 -0
  187. package/src/wirings/queue/queue-runner.ts +192 -0
  188. package/src/wirings/queue/queue.types.ts +189 -0
  189. package/src/wirings/queue/register-queue-helper.ts +60 -0
  190. package/src/wirings/queue/validate-worker-config.test.ts +108 -0
  191. package/src/wirings/queue/validate-worker-config.ts +116 -0
  192. package/src/wirings/rpc/index.ts +4 -0
  193. package/src/wirings/rpc/rpc-runner.ts +460 -0
  194. package/src/wirings/rpc/rpc-types.ts +56 -0
  195. package/src/wirings/rpc/wire-addon.ts +21 -0
  196. package/src/wirings/scheduler/index.ts +11 -0
  197. package/src/wirings/scheduler/log-schedulers.ts +20 -0
  198. package/src/wirings/scheduler/scheduler-runner.test.ts +660 -0
  199. package/src/wirings/scheduler/scheduler-runner.ts +133 -0
  200. package/src/wirings/scheduler/scheduler.types.ts +53 -0
  201. package/src/wirings/secret/index.ts +9 -0
  202. package/src/wirings/secret/secret.types.ts +32 -0
  203. package/src/wirings/secret/validate-secret-definitions.test.ts +140 -0
  204. package/src/wirings/secret/validate-secret-definitions.ts +82 -0
  205. package/src/wirings/trigger/index.ts +10 -0
  206. package/src/wirings/trigger/pikku-trigger-service.ts +112 -0
  207. package/src/wirings/trigger/trigger-runner.test.ts +79 -0
  208. package/src/wirings/trigger/trigger-runner.ts +135 -0
  209. package/src/wirings/trigger/trigger.types.ts +178 -0
  210. package/src/wirings/variable/index.ts +8 -0
  211. package/src/wirings/variable/validate-variable-definitions.test.ts +91 -0
  212. package/src/wirings/variable/validate-variable-definitions.ts +69 -0
  213. package/src/wirings/variable/variable.types.ts +22 -0
  214. package/src/wirings/workflow/dsl/index.ts +31 -0
  215. package/src/wirings/workflow/dsl/workflow-dsl.types.ts +320 -0
  216. package/src/wirings/workflow/dsl/workflow-runner.ts +28 -0
  217. package/src/wirings/workflow/graph/graph-node.ts +222 -0
  218. package/src/wirings/workflow/graph/graph-runner.test.ts +487 -0
  219. package/src/wirings/workflow/graph/graph-runner.ts +816 -0
  220. package/src/wirings/workflow/graph/graph-validation.test.ts +170 -0
  221. package/src/wirings/workflow/graph/graph-validation.ts +237 -0
  222. package/src/wirings/workflow/graph/index.ts +19 -0
  223. package/src/wirings/workflow/graph/template.test.ts +49 -0
  224. package/src/wirings/workflow/graph/template.ts +42 -0
  225. package/src/wirings/workflow/graph/wire-workflow-graph.ts +29 -0
  226. package/src/wirings/workflow/graph/workflow-graph.types.ts +104 -0
  227. package/src/wirings/workflow/index.ts +82 -0
  228. package/src/wirings/workflow/pikku-workflow-service.test.ts +200 -0
  229. package/src/wirings/workflow/pikku-workflow-service.ts +1229 -0
  230. package/src/wirings/workflow/workflow-helpers.test.ts +129 -0
  231. package/src/wirings/workflow/workflow-helpers.ts +79 -0
  232. package/src/wirings/workflow/workflow.types.ts +276 -0
  233. package/tsconfig.json +14 -0
  234. package/tsconfig.tsbuildinfo +1 -0
  235. package/lcov.info +0 -18891
@@ -0,0 +1,214 @@
1
+ import { describe, test } from 'node:test'
2
+ import assert from 'node:assert'
3
+ import {
4
+ encryptJSON,
5
+ decryptJSON,
6
+ generateDEK,
7
+ wrapDEK,
8
+ unwrapDEK,
9
+ envelopeEncrypt,
10
+ envelopeDecrypt,
11
+ envelopeRewrap,
12
+ } from './crypto-utils.js'
13
+
14
+ describe('encryptJSON / decryptJSON', () => {
15
+ const secret = 'test-secret-key-for-encryption'
16
+
17
+ test('should round-trip a simple object', async () => {
18
+ const original = { hello: 'world', num: 42 }
19
+ const encrypted = await encryptJSON(secret, original)
20
+ const decrypted = await decryptJSON(secret, encrypted)
21
+ assert.deepStrictEqual(decrypted, original)
22
+ })
23
+
24
+ test('should round-trip a string value', async () => {
25
+ const original = 'just a string'
26
+ const encrypted = await encryptJSON(secret, original)
27
+ const decrypted = await decryptJSON(secret, encrypted)
28
+ assert.strictEqual(decrypted, original)
29
+ })
30
+
31
+ test('should round-trip a number', async () => {
32
+ const original = 12345
33
+ const encrypted = await encryptJSON(secret, original)
34
+ const decrypted = await decryptJSON(secret, encrypted)
35
+ assert.strictEqual(decrypted, original)
36
+ })
37
+
38
+ test('should round-trip null', async () => {
39
+ const encrypted = await encryptJSON(secret, null)
40
+ const decrypted = await decryptJSON(secret, encrypted)
41
+ assert.strictEqual(decrypted, null)
42
+ })
43
+
44
+ test('should round-trip a boolean', async () => {
45
+ const encrypted = await encryptJSON(secret, true)
46
+ const decrypted = await decryptJSON(secret, encrypted)
47
+ assert.strictEqual(decrypted, true)
48
+ })
49
+
50
+ test('should round-trip a nested object', async () => {
51
+ const original = { user: { id: 1, roles: ['admin', 'user'] }, active: true }
52
+ const encrypted = await encryptJSON(secret, original)
53
+ const decrypted = await decryptJSON(secret, encrypted)
54
+ assert.deepStrictEqual(decrypted, original)
55
+ })
56
+
57
+ test('should round-trip an array', async () => {
58
+ const original = [1, 'two', { three: 3 }]
59
+ const encrypted = await encryptJSON(secret, original)
60
+ const decrypted = await decryptJSON(secret, encrypted)
61
+ assert.deepStrictEqual(decrypted, original)
62
+ })
63
+
64
+ test('should produce different ciphertexts for same input (random IV)', async () => {
65
+ const value = { same: 'data' }
66
+ const enc1 = await encryptJSON(secret, value)
67
+ const enc2 = await encryptJSON(secret, value)
68
+ assert.notStrictEqual(enc1, enc2)
69
+ })
70
+
71
+ test('should produce a base64url string (no +, /, or = characters)', async () => {
72
+ const encrypted = await encryptJSON(secret, { test: 'base64url' })
73
+ assert.ok(!/[+/=]/.test(encrypted), `Expected base64url, got: ${encrypted}`)
74
+ })
75
+
76
+ test('should fail to decrypt with wrong secret', async () => {
77
+ const encrypted = await encryptJSON(secret, { data: 'sensitive' })
78
+ await assert.rejects(
79
+ () => decryptJSON('wrong-secret', encrypted),
80
+ (err: any) => err instanceof Error
81
+ )
82
+ })
83
+
84
+ test('should reject an invalid encrypted payload (too short)', async () => {
85
+ await assert.rejects(() => decryptJSON(secret, 'dG9vc2hvcnQ'), {
86
+ message: 'Invalid encrypted payload',
87
+ })
88
+ })
89
+
90
+ test('should reject empty string', async () => {
91
+ await assert.rejects(() => decryptJSON(secret, ''), {
92
+ message: 'Invalid encrypted payload',
93
+ })
94
+ })
95
+
96
+ test('should reject corrupted ciphertext', async () => {
97
+ const encrypted = await encryptJSON(secret, { data: 'test' })
98
+ const corrupted = encrypted.slice(0, -4) + 'XXXX'
99
+ await assert.rejects(
100
+ () => decryptJSON(secret, corrupted),
101
+ (err: any) => err instanceof Error
102
+ )
103
+ })
104
+
105
+ test('should handle unicode content', async () => {
106
+ const original = { emoji: '🎉', japanese: 'こんにちは', arabic: 'مرحبا' }
107
+ const encrypted = await encryptJSON(secret, original)
108
+ const decrypted = await decryptJSON(secret, encrypted)
109
+ assert.deepStrictEqual(decrypted, original)
110
+ })
111
+
112
+ test('should handle empty object', async () => {
113
+ const original = {}
114
+ const encrypted = await encryptJSON(secret, original)
115
+ const decrypted = await decryptJSON(secret, encrypted)
116
+ assert.deepStrictEqual(decrypted, original)
117
+ })
118
+
119
+ test('should handle large payload', async () => {
120
+ const original = { data: 'x'.repeat(10000) }
121
+ const encrypted = await encryptJSON(secret, original)
122
+ const decrypted = await decryptJSON(secret, encrypted)
123
+ assert.deepStrictEqual(decrypted, original)
124
+ })
125
+ })
126
+
127
+ describe('envelope encryption', () => {
128
+ const kek = 'my-key-encryption-key'
129
+
130
+ test('generateDEK produces unique keys', async () => {
131
+ const dek1 = await generateDEK()
132
+ const dek2 = await generateDEK()
133
+ assert.notStrictEqual(dek1, dek2)
134
+ assert.ok(dek1.length > 0)
135
+ })
136
+
137
+ test('wrapDEK / unwrapDEK round-trip', async () => {
138
+ const dek = await generateDEK()
139
+ const wrapped = await wrapDEK(kek, dek)
140
+ const unwrapped = await unwrapDEK(kek, wrapped)
141
+ assert.strictEqual(unwrapped, dek)
142
+ })
143
+
144
+ test('unwrapDEK fails with wrong KEK', async () => {
145
+ const dek = await generateDEK()
146
+ const wrapped = await wrapDEK(kek, dek)
147
+ await assert.rejects(
148
+ () => unwrapDEK('wrong-kek', wrapped),
149
+ (err: any) => err instanceof Error
150
+ )
151
+ })
152
+
153
+ test('envelopeEncrypt / envelopeDecrypt round-trip', async () => {
154
+ const original = {
155
+ apiKey: 'sk-secret-123',
156
+ endpoint: 'https://api.example.com',
157
+ }
158
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
159
+ const decrypted = await envelopeDecrypt(kek, ciphertext, wrappedDEK)
160
+ assert.deepStrictEqual(decrypted, original)
161
+ })
162
+
163
+ test('envelopeEncrypt produces unique ciphertexts and DEKs per call', async () => {
164
+ const value = { same: 'data' }
165
+ const r1 = await envelopeEncrypt(kek, value)
166
+ const r2 = await envelopeEncrypt(kek, value)
167
+ assert.notStrictEqual(r1.ciphertext, r2.ciphertext)
168
+ assert.notStrictEqual(r1.wrappedDEK, r2.wrappedDEK)
169
+ })
170
+
171
+ test('envelopeDecrypt fails with wrong KEK', async () => {
172
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, 'secret')
173
+ await assert.rejects(
174
+ () => envelopeDecrypt('wrong-kek', ciphertext, wrappedDEK),
175
+ (err: any) => err instanceof Error
176
+ )
177
+ })
178
+
179
+ test('envelopeRewrap allows decryption with new KEK', async () => {
180
+ const newKEK = 'my-new-kek'
181
+ const original = { token: 'abc-123' }
182
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
183
+
184
+ const rewrapped = await envelopeRewrap(kek, newKEK, wrappedDEK)
185
+
186
+ await assert.rejects(
187
+ () => envelopeDecrypt(kek, ciphertext, rewrapped),
188
+ (err: any) => err instanceof Error
189
+ )
190
+
191
+ const decrypted = await envelopeDecrypt(newKEK, ciphertext, rewrapped)
192
+ assert.deepStrictEqual(decrypted, original)
193
+ })
194
+
195
+ test('envelopeRewrap does not change the ciphertext', async () => {
196
+ const original = { data: 'important' }
197
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(kek, original)
198
+ const rewrapped = await envelopeRewrap(kek, 'new-kek', wrappedDEK)
199
+
200
+ assert.notStrictEqual(rewrapped, wrappedDEK)
201
+
202
+ const decrypted = await envelopeDecrypt('new-kek', ciphertext, rewrapped)
203
+ assert.deepStrictEqual(decrypted, original)
204
+ })
205
+
206
+ test('envelope handles string secrets', async () => {
207
+ const { ciphertext, wrappedDEK } = await envelopeEncrypt(
208
+ kek,
209
+ 'plain-string-secret'
210
+ )
211
+ const decrypted = await envelopeDecrypt<string>(kek, ciphertext, wrappedDEK)
212
+ assert.strictEqual(decrypted, 'plain-string-secret')
213
+ })
214
+ })
@@ -0,0 +1,213 @@
1
+ const encoder = new TextEncoder()
2
+ const decoder = new TextDecoder()
3
+
4
+ const getSubtle = () => {
5
+ const crypto = globalThis.crypto
6
+ if (!crypto?.subtle) {
7
+ throw new Error('WebCrypto not available')
8
+ }
9
+ return crypto.subtle
10
+ }
11
+
12
+ const base64Encode = (bytes: Uint8Array): string => {
13
+ if (typeof Buffer !== 'undefined') {
14
+ return Buffer.from(bytes).toString('base64')
15
+ }
16
+ let binary = ''
17
+ for (let i = 0; i < bytes.length; i++) {
18
+ binary += String.fromCharCode(bytes[i]!)
19
+ }
20
+ return btoa(binary)
21
+ }
22
+
23
+ const base64Decode = (input: string): Uint8Array => {
24
+ if (typeof Buffer !== 'undefined') {
25
+ return new Uint8Array(Buffer.from(input, 'base64'))
26
+ }
27
+ const binary = atob(input)
28
+ const bytes = new Uint8Array(binary.length)
29
+ for (let i = 0; i < binary.length; i++) {
30
+ bytes[i] = binary.charCodeAt(i)
31
+ }
32
+ return bytes
33
+ }
34
+
35
+ const toBase64Url = (bytes: Uint8Array): string => {
36
+ return base64Encode(bytes)
37
+ .replace(/\+/g, '-')
38
+ .replace(/\//g, '_')
39
+ .replace(/=+$/g, '')
40
+ }
41
+
42
+ const fromBase64Url = (input: string): Uint8Array => {
43
+ let base64 = input.replace(/-/g, '+').replace(/_/g, '/')
44
+ while (base64.length % 4 !== 0) base64 += '='
45
+ return base64Decode(base64)
46
+ }
47
+
48
+ const deriveKey = async (secret: string): Promise<CryptoKey> => {
49
+ const subtle = getSubtle()
50
+ const hash = await subtle.digest('SHA-256', encoder.encode(secret))
51
+ return subtle.importKey('raw', hash, { name: 'AES-GCM' }, false, [
52
+ 'encrypt',
53
+ 'decrypt',
54
+ ])
55
+ }
56
+
57
+ export const encryptJSON = async (
58
+ secret: string,
59
+ value: unknown
60
+ ): Promise<string> => {
61
+ const crypto = globalThis.crypto
62
+ if (!crypto?.getRandomValues) {
63
+ throw new Error('WebCrypto not available')
64
+ }
65
+ const subtle = getSubtle()
66
+ const iv = crypto.getRandomValues(new Uint8Array(12))
67
+ const key = await deriveKey(secret)
68
+ const plaintext = encoder.encode(JSON.stringify(value))
69
+ const encrypted = await subtle.encrypt(
70
+ { name: 'AES-GCM', iv },
71
+ key,
72
+ plaintext
73
+ )
74
+ const cipherBytes = new Uint8Array(encrypted)
75
+ const out = new Uint8Array(iv.length + cipherBytes.length)
76
+ out.set(iv, 0)
77
+ out.set(cipherBytes, iv.length)
78
+ return toBase64Url(out)
79
+ }
80
+
81
+ export const decryptJSON = async <T>(
82
+ secret: string,
83
+ token: string
84
+ ): Promise<T> => {
85
+ const subtle = getSubtle()
86
+ const data = fromBase64Url(token)
87
+ if (data.length < 13) {
88
+ throw new Error('Invalid encrypted payload')
89
+ }
90
+ const iv = data.slice(0, 12)
91
+ const ciphertext = data.slice(12)
92
+ const key = await deriveKey(secret)
93
+ const decrypted = await subtle.decrypt(
94
+ { name: 'AES-GCM', iv },
95
+ key,
96
+ ciphertext
97
+ )
98
+ return JSON.parse(decoder.decode(new Uint8Array(decrypted))) as T
99
+ }
100
+
101
+ /**
102
+ * Envelope encryption utilities.
103
+ *
104
+ * Each secret gets its own random DEK (data encryption key).
105
+ * The DEK is wrapped (encrypted) by a KEK (key encryption key) — typically an env var.
106
+ * The actual secret is encrypted with the DEK.
107
+ *
108
+ * KEK rotation only re-wraps the DEK, never touches the ciphertext.
109
+ */
110
+
111
+ const importRawKey = async (rawBytes: Uint8Array): Promise<CryptoKey> => {
112
+ const subtle = getSubtle()
113
+ return subtle.importKey(
114
+ 'raw',
115
+ rawBytes.buffer as ArrayBuffer,
116
+ { name: 'AES-GCM' },
117
+ true,
118
+ ['encrypt', 'decrypt']
119
+ )
120
+ }
121
+
122
+ export const generateDEK = async (): Promise<string> => {
123
+ const raw = globalThis.crypto.getRandomValues(new Uint8Array(32))
124
+ return toBase64Url(raw)
125
+ }
126
+
127
+ export const wrapDEK = async (
128
+ kek: string,
129
+ plaintextDEK: string
130
+ ): Promise<string> => {
131
+ return encryptJSON(kek, plaintextDEK)
132
+ }
133
+
134
+ export const unwrapDEK = async (
135
+ kek: string,
136
+ wrappedDEK: string
137
+ ): Promise<string> => {
138
+ return decryptJSON<string>(kek, wrappedDEK)
139
+ }
140
+
141
+ const encryptWithDEK = async (
142
+ dekBase64: string,
143
+ value: unknown
144
+ ): Promise<string> => {
145
+ const crypto = globalThis.crypto
146
+ const subtle = getSubtle()
147
+ const iv = crypto.getRandomValues(new Uint8Array(12))
148
+ const key = await importRawKey(fromBase64Url(dekBase64))
149
+ const plaintext = encoder.encode(JSON.stringify(value))
150
+ const encrypted = await subtle.encrypt(
151
+ { name: 'AES-GCM', iv },
152
+ key,
153
+ plaintext
154
+ )
155
+ const cipherBytes = new Uint8Array(encrypted)
156
+ const out = new Uint8Array(iv.length + cipherBytes.length)
157
+ out.set(iv, 0)
158
+ out.set(cipherBytes, iv.length)
159
+ return toBase64Url(out)
160
+ }
161
+
162
+ const decryptWithDEK = async <T>(
163
+ dekBase64: string,
164
+ token: string
165
+ ): Promise<T> => {
166
+ const subtle = getSubtle()
167
+ const data = fromBase64Url(token)
168
+ if (data.length < 13) {
169
+ throw new Error('Invalid encrypted payload')
170
+ }
171
+ const iv = data.slice(0, 12)
172
+ const ciphertext = data.slice(12)
173
+ const key = await importRawKey(fromBase64Url(dekBase64))
174
+ const decrypted = await subtle.decrypt(
175
+ { name: 'AES-GCM', iv },
176
+ key,
177
+ ciphertext
178
+ )
179
+ return JSON.parse(decoder.decode(new Uint8Array(decrypted))) as T
180
+ }
181
+
182
+ export interface EnvelopeEncryptResult {
183
+ ciphertext: string
184
+ wrappedDEK: string
185
+ }
186
+
187
+ export const envelopeEncrypt = async (
188
+ kek: string,
189
+ value: unknown
190
+ ): Promise<EnvelopeEncryptResult> => {
191
+ const dek = await generateDEK()
192
+ const ciphertext = await encryptWithDEK(dek, value)
193
+ const wrappedDEK = await wrapDEK(kek, dek)
194
+ return { ciphertext, wrappedDEK }
195
+ }
196
+
197
+ export const envelopeDecrypt = async <T>(
198
+ kek: string,
199
+ ciphertext: string,
200
+ wrappedDEK: string
201
+ ): Promise<T> => {
202
+ const dek = await unwrapDEK(kek, wrappedDEK)
203
+ return decryptWithDEK<T>(dek, ciphertext)
204
+ }
205
+
206
+ export const envelopeRewrap = async (
207
+ oldKEK: string,
208
+ newKEK: string,
209
+ wrappedDEK: string
210
+ ): Promise<string> => {
211
+ const dek = await unwrapDEK(oldKEK, wrappedDEK)
212
+ return wrapDEK(newKEK, dek)
213
+ }