@psavelis/enterprise-blockchain 0.1.0 → 1.1.0

package/dist/hsm/application/envelope-encryption-service.js

@@ -0,0 +1,59 @@
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+/**
+ * DEK/KEK envelope encryption — ephemeral DEK wrapped by a stored KEK.
+ *
+ * The resulting ciphertext is suitable for storage on a distributed ledger:
+ *  - encryptedRecord  = AES-256-GCM ciphertext of the payload
+ *  - wrappedDek       = GCM-wrapped DEK (only the HSM can unwrap it)
+ */
+export class EnvelopeEncryptionService {
+    symmetric;
+    audit;
+    constructor(symmetric, audit) {
+        this.symmetric = symmetric;
+        this.audit = audit;
+    }
+    encrypt(kekLabel, plaintext) {
+        const dek = randomBytes(32);
+        const payloadIv = randomBytes(12);
+        const payloadCipher = createCipheriv("aes-256-gcm", dek, payloadIv);
+        const ciphertextBuf = Buffer.concat([
+            payloadCipher.update(plaintext, "utf8"),
+            payloadCipher.final(),
+        ]);
+        const payloadAuthTag = payloadCipher.getAuthTag();
+        const encryptedRecord = {
+            ciphertext: ciphertextBuf.toString("hex"),
+            iv: payloadIv.toString("hex"),
+            authTag: payloadAuthTag.toString("hex"),
+            algorithm: "aes-256-gcm",
+        };
+        const wrappedDek = this.symmetric.wrapKey(dek, kekLabel);
+        dek.fill(0);
+        this.audit.record("encryptWithEnvelope", kekLabel, "success");
+        return { encryptedRecord, wrappedDek };
+    }
+    decrypt(wrappedDek, encryptedRecord) {
+        const dek = this.symmetric.unwrapKey(wrappedDek);
+        const iv = Buffer.from(encryptedRecord.iv, "hex");
+        const authTag = Buffer.from(encryptedRecord.authTag, "hex");
+        const ciphertext = Buffer.from(encryptedRecord.ciphertext, "hex");
+        try {
+            const decipher = createDecipheriv("aes-256-gcm", dek, iv);
+            decipher.setAuthTag(authTag);
+            const plaintext = Buffer.concat([
+                decipher.update(ciphertext),
+                decipher.final(),
+            ]).toString("utf8");
+            this.audit.record("decryptWithEnvelope", wrappedDek.kekLabel, "success");
+            return plaintext;
+        }
+        catch {
+            this.audit.record("decryptWithEnvelope", wrappedDek.kekLabel, "failed", "GCM authentication failed");
+            throw new Error("HSM decryptWithEnvelope: GCM authentication failed");
+        }
+        finally {
+            dek.fill(0);
+        }
+    }
+}

package/dist/hsm/application/symmetric-key-service.d.ts

@@ -0,0 +1,34 @@
+import type { SymmetricKeyEntry, WrappedKey } from "../domain/entities.js";
+import type { AuditLog, KeyStore } from "../domain/ports.js";
+/**
+ * AES-256-GCM symmetric operations — key generation, wrapping, unwrapping.
+ *
+ * The raw key is stored as Uint8Array in the domain entity to enable
+ * explicit zeroization. In a production HSM the key never leaves
+ * hardware-protected storage. Do not persist or log the key bytes.
+ *
+ * SECURITY: Intermediate key buffers are zeroized after use to minimize
+ * key material exposure in memory.
+ */
+export declare class SymmetricKeyService {
+    private readonly keyStore;
+    private readonly audit;
+    constructor(keyStore: KeyStore, audit: AuditLog);
+    generateSymmetricKey(keyLabel: string): void;
+    /**
+     * Wrap a DEK (data encryption key) using the KEK (key encryption key).
+     *
+     * SECURITY: The kekBuffer is zeroized after use.
+     */
+    wrapKey(plaintextDek: Buffer, kekLabel: string): WrappedKey;
+    /**
+     * Unwrap a DEK using the KEK.
+     *
+     * SECURITY: The kekBuffer is zeroized after use.
+     * CALLER RESPONSIBILITY: The returned DEK buffer MUST be zeroized
+     * after use via `dekBuffer.fill(0)`.
+     */
+    unwrapKey(wrapped: WrappedKey): Buffer;
+    requireSymmetric(kekLabel: string): SymmetricKeyEntry;
+}
+//# sourceMappingURL=symmetric-key-service.d.ts.map

package/dist/hsm/application/symmetric-key-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"symmetric-key-service.d.ts","sourceRoot":"","sources":["../../../src/hsm/application/symmetric-key-service.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAC3E,OAAO,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE7D;;;;;;;;;GASG;AACH,qBAAa,mBAAmB;IAE5B,OAAO,CAAC,QAAQ,CAAC,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK;gBADL,QAAQ,EAAE,QAAQ,EAClB,KAAK,EAAE,QAAQ;IAGlC,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAc5C;;;;OAIG;IACH,OAAO,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU;IA6B3D;;;;;;OAMG;IACH,SAAS,CAAC,OAAO,EAAE,UAAU,GAAG,MAAM;IA8BtC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,iBAAiB;CAYtD"}

package/dist/hsm/application/symmetric-key-service.js

@@ -0,0 +1,107 @@
+import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
+/**
+ * AES-256-GCM symmetric operations — key generation, wrapping, unwrapping.
+ *
+ * The raw key is stored as Uint8Array in the domain entity to enable
+ * explicit zeroization. In a production HSM the key never leaves
+ * hardware-protected storage. Do not persist or log the key bytes.
+ *
+ * SECURITY: Intermediate key buffers are zeroized after use to minimize
+ * key material exposure in memory.
+ */
+export class SymmetricKeyService {
+    keyStore;
+    audit;
+    constructor(keyStore, audit) {
+        this.keyStore = keyStore;
+        this.audit = audit;
+    }
+    generateSymmetricKey(keyLabel) {
+        if (this.keyStore.has(keyLabel)) {
+            throw new Error(`HSM key already exists: ${keyLabel}`);
+        }
+        this.keyStore.set(keyLabel, {
+            kind: "symmetric",
+            keyLabel,
+            // Buffer is a Uint8Array subclass; no copy needed
+            keyBytes: randomBytes(32),
+            createdAt: new Date().toISOString(),
+        });
+        this.audit.record("generateSymmetricKey", keyLabel, "success");
+    }
+    /**
+     * Wrap a DEK (data encryption key) using the KEK (key encryption key).
+     *
+     * SECURITY: The kekBuffer is zeroized after use.
+     */
+    wrapKey(plaintextDek, kekLabel) {
+        const kek = this.requireSymmetric(kekLabel);
+        const kekBuffer = Buffer.from(kek.keyBytes);
+        const iv = randomBytes(12);
+        try {
+            const cipher = createCipheriv("aes-256-gcm", kekBuffer, iv);
+            const wrappedDek = Buffer.concat([
+                cipher.update(plaintextDek),
+                cipher.final(),
+            ]);
+            const authTag = cipher.getAuthTag();
+            this.audit.record("wrapKey", kekLabel, "success");
+            return {
+                algorithm: "aes-256-gcm",
+                wrappedDek: wrappedDek.toString("hex"),
+                iv: iv.toString("hex"),
+                authTag: authTag.toString("hex"),
+                kekLabel,
+                wrappedAt: new Date().toISOString(),
+            };
+        }
+        finally {
+            // Zeroize intermediate key material
+            kekBuffer.fill(0);
+        }
+    }
+    /**
+     * Unwrap a DEK using the KEK.
+     *
+     * SECURITY: The kekBuffer is zeroized after use.
+     * CALLER RESPONSIBILITY: The returned DEK buffer MUST be zeroized
+     * after use via `dekBuffer.fill(0)`.
+     */
+    unwrapKey(wrapped) {
+        const kek = this.requireSymmetric(wrapped.kekLabel);
+        const kekBuffer = Buffer.from(kek.keyBytes);
+        const iv = Buffer.from(wrapped.iv, "hex");
+        const authTag = Buffer.from(wrapped.authTag, "hex");
+        const wrappedBuf = Buffer.from(wrapped.wrappedDek, "hex");
+        try {
+            const decipher = createDecipheriv("aes-256-gcm", kekBuffer, iv);
+            decipher.setAuthTag(authTag);
+            const plaintext = Buffer.concat([
+                decipher.update(wrappedBuf),
+                decipher.final(),
+            ]);
+            this.audit.record("unwrapKey", wrapped.kekLabel, "success");
+            return plaintext;
+        }
+        catch {
+            this.audit.record("unwrapKey", wrapped.kekLabel, "failed", "GCM authentication failed");
+            throw new Error("HSM unwrapKey: GCM authentication failed");
+        }
+        finally {
+            // Zeroize intermediate key material
+            kekBuffer.fill(0);
+        }
+    }
+    requireSymmetric(kekLabel) {
+        const entry = this.keyStore.get(kekLabel);
+        if (!entry) {
+            this.audit.record("keyLookup", kekLabel, "failed", "key not found");
+            throw new Error(`HSM key not found: ${kekLabel}`);
+        }
+        if (entry.kind !== "symmetric") {
+            this.audit.record("keyLookup", kekLabel, "failed", "unexpected key type");
+            throw new Error(`HSM key '${kekLabel}' is not a symmetric key`);
+        }
+        return entry;
+    }
+}

package/dist/hsm/domain/entities.d.ts

@@ -0,0 +1,104 @@
+/**
+ * HSM Domain Entities
+ *
+ * These types define the HSM domain model. They MUST NOT depend on
+ * infrastructure types (like node:crypto KeyObject) to maintain
+ * hexagonal architecture purity.
+ *
+ * @see docs/adr/ADR-0001-hexagonal-architecture.md
+ */
+export interface HsmSlotConfig {
+    slotId: string;
+    label: string;
+}
+export interface HsmKeyPair {
+    keyLabel: string;
+    keyType: "EC";
+    namedCurve: "P-256";
+    publicKeyPem: string;
+    privateKeyHandle: string;
+    createdAt: string;
+}
+export interface HsmSignatureResult {
+    keyLabel: string;
+    algorithm: "ecdsa-sha256";
+    signature: string;
+    publicKeyPem: string;
+    timestamp: string;
+    hsmAttestation: string;
+}
+export interface WrappedKey {
+    algorithm: "aes-256-gcm";
+    wrappedDek: string;
+    iv: string;
+    authTag: string;
+    kekLabel: string;
+    wrappedAt: string;
+}
+export interface EncryptedRecord {
+    ciphertext: string;
+    iv: string;
+    authTag: string;
+    algorithm: "aes-256-gcm";
+}
+export interface EnvelopeEncryptionResult {
+    encryptedRecord: EncryptedRecord;
+    wrappedDek: WrappedKey;
+}
+export interface HsmAuditEntry {
+    timestamp: string;
+    operation: string;
+    keyLabel: string;
+    result: "success" | "failed";
+    detail?: string;
+}
+/**
+ * Opaque handle for asymmetric keys.
+ *
+ * The domain should not know about the underlying key representation.
+ * The handle contains PEM-encoded keys which are portable and
+ * infrastructure-agnostic.
+ */
+export interface AsymmetricKeyHandle {
+    /** PEM-encoded private key (PKCS#8 format) */
+    privateKeyPem: string;
+    /** PEM-encoded public key (SPKI format) */
+    publicKeyPem: string;
+}
+/**
+ * Internal key store entry for asymmetric keys.
+ *
+ * Uses PEM strings instead of KeyObject to keep domain types
+ * infrastructure-agnostic. The infrastructure layer converts
+ * to/from KeyObject as needed.
+ */
+export interface AsymmetricKeyEntry {
+    kind: "asymmetric";
+    keyLabel: string;
+    /** PEM-encoded private key */
+    privateKeyPem: string;
+    /** PEM-encoded public key */
+    publicKeyPem: string;
+    namedCurve: "P-256";
+    createdAt: string;
+}
+export interface SymmetricKeyEntry {
+    kind: "symmetric";
+    keyLabel: string;
+    /**
+     * Raw key material as a byte array.
+     *
+     * Using Uint8Array instead of a base64 string enables explicit zeroization
+     * of in-memory key material. The infrastructure layer handles encoding/decoding
+     * at boundaries.
+     *
+     * SECURITY: This field represents the long-lived stored key material managed
+     * by the key store. Callers MUST NOT mutate or zeroize this buffer directly.
+     * Instead, create an ephemeral copy (e.g. `const key = Buffer.from(entry.keyBytes);`)
+     * for cryptographic operations, and securely zeroize that ephemeral copy after use.
+     */
+    keyBytes: Uint8Array;
+    createdAt: string;
+}
+export type KeyEntry = AsymmetricKeyEntry | SymmetricKeyEntry;
+//# sourceMappingURL=entities.d.ts.map

package/dist/hsm/domain/entities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entities.d.ts","sourceRoot":"","sources":["../../../src/hsm/domain/entities.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,IAAI,CAAC;IACd,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,cAAc,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,aAAa,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,aAAa,CAAC;CAC1B;AAED,MAAM,WAAW,wBAAwB;IACvC,eAAe,EAAE,eAAe,CAAC;IACjC,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,SAAS,GAAG,QAAQ,CAAC;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,mBAAmB;IAClC,8CAA8C;IAC9C,aAAa,EAAE,MAAM,CAAC;IACtB,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,YAAY,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,8BAA8B;IAC9B,aAAa,EAAE,MAAM,CAAC;IACtB,6BAA6B;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,OAAO,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,WAAW,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;;;;;;;;OAWG;IACH,QAAQ,EAAE,UAAU,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,QAAQ,GAAG,kBAAkB,GAAG,iBAAiB,CAAC"}

package/dist/hsm/domain/entities.js

@@ -0,0 +1,10 @@
+/**
+ * HSM Domain Entities
+ *
+ * These types define the HSM domain model. They MUST NOT depend on
+ * infrastructure types (like node:crypto KeyObject) to maintain
+ * hexagonal architecture purity.
+ *
+ * @see docs/adr/ADR-0001-hexagonal-architecture.md
+ */
+export {};

package/dist/hsm/domain/ports.d.ts

@@ -0,0 +1,20 @@
+import type { HsmAuditEntry, KeyEntry } from "./entities.js";
+/**
+ * Port for the HSM key store — decouples domain services from storage.
+ */
+export interface KeyStore {
+    has(label: string): boolean;
+    get(label: string): KeyEntry | undefined;
+    set(label: string, entry: KeyEntry): void;
+}
+/**
+ * Port for the HSM audit log.
+ *
+ * Ref: NIST SP 800-57 Part 1, §8.1 — key management lifecycle auditing
+ * https://csrc.nist.gov/pubs/sp/800-57/pt1/r5/final
+ */
+export interface AuditLog {
+    record(operation: string, keyLabel: string, result: "success" | "failed", detail?: string): void;
+    entries(): readonly HsmAuditEntry[];
+}
+//# sourceMappingURL=ports.d.ts.map

package/dist/hsm/domain/ports.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ports.d.ts","sourceRoot":"","sources":["../../../src/hsm/domain/ports.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE7D;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAC5B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS,CAAC;IACzC,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,GAAG,IAAI,CAAC;CAC3C;AAED;;;;;GAKG;AACH,MAAM,WAAW,QAAQ;IACvB,MAAM,CACJ,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,SAAS,GAAG,QAAQ,EAC5B,MAAM,CAAC,EAAE,MAAM,GACd,IAAI,CAAC;IACR,OAAO,IAAI,SAAS,aAAa,EAAE,CAAC;CACrC"}

package/dist/hsm/domain/ports.js

@@ -0,0 +1 @@
+export {};

package/dist/hsm/index.d.ts

@@ -0,0 +1,48 @@
+export type { HsmSlotConfig, HsmKeyPair, HsmSignatureResult, WrappedKey, EncryptedRecord, EnvelopeEncryptionResult, HsmAuditEntry, } from "./domain/entities.js";
+export type { KeyStore, AuditLog } from "./domain/ports.js";
+export { AsymmetricKeyService } from "./application/asymmetric-key-service.js";
+export { SymmetricKeyService } from "./application/symmetric-key-service.js";
+export { EnvelopeEncryptionService } from "./application/envelope-encryption-service.js";
+export { InMemoryAuditLog } from "./infrastructure/audit-log.js";
+export { InMemoryKeyStore } from "./infrastructure/key-store.js";
+export { FileAuditLog } from "./infrastructure/file-audit-log.js";
+export type { ChainedAuditEntry } from "./infrastructure/file-audit-log.js";
+export { SyslogAuditLog, DEFAULT_SYSLOG_CONFIG, } from "./infrastructure/syslog-audit-log.js";
+export type { SyslogConfig, SyslogSeverity, SyslogFacility, } from "./infrastructure/syslog-audit-log.js";
+export { AuditLogFactory, AUDIT_LOG_ENV, } from "./infrastructure/audit-log-factory.js";
+export type { AuditLogType, AuditLogFactoryConfig, } from "./infrastructure/audit-log-factory.js";
+import type { HsmSlotConfig, HsmKeyPair, HsmSignatureResult, WrappedKey, EncryptedRecord, EnvelopeEncryptionResult, HsmAuditEntry } from "./domain/entities.js";
+/**
+ * Software simulation of a PKCS#11-style HSM.
+ *
+ * Private keys and raw symmetric material are stored inside the object and
+ * never returned to callers — only opaque handles or PEM public keys are
+ * surfaced externally.  All operations are appended to an immutable audit log.
+ *
+ * Ref: PKCS#11 v3.1 — https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.1/pkcs11-curr-v3.1.html
+ */
+export declare class HsmClient {
+    private initialized;
+    private slotId;
+    private readonly store;
+    private readonly audit;
+    private asymmetric;
+    private symmetric;
+    private envelope;
+    initialize(config: HsmSlotConfig): void;
+    generateKeyPair(keyLabel: string): HsmKeyPair;
+    sign(keyLabel: string, data: string): HsmSignatureResult;
+    verify(keyLabel: string, data: string, signature: string): boolean;
+    exportPublicKey(keyLabel: string): string;
+    generateSymmetricKey(keyLabel: string): void;
+    wrapKey(plaintextDek: Buffer, kekLabel: string): WrappedKey;
+    unwrapKey(wrapped: WrappedKey): Buffer;
+    encryptWithEnvelope(kekLabel: string, plaintext: string): EnvelopeEncryptionResult;
+    decryptWithEnvelope(wrappedDek: WrappedKey, encryptedRecord: EncryptedRecord): string;
+    getAuditLog(): readonly HsmAuditEntry[];
+    private requireAsymmetric;
+    private requireSymmetric;
+    private requireEnvelope;
+    private assertInitialized;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/hsm/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/hsm/index.ts"],"names":[],"mappings":"AACA,YAAY,EACV,aAAa,EACb,UAAU,EACV,kBAAkB,EAClB,UAAU,EACV,eAAe,EACf,wBAAwB,EACxB,aAAa,GACd,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAG5D,OAAO,EAAE,oBAAoB,EAAE,MAAM,yCAAyC,CAAC;AAC/E,OAAO,EAAE,mBAAmB,EAAE,MAAM,wCAAwC,CAAC;AAC7E,OAAO,EAAE,yBAAyB,EAAE,MAAM,8CAA8C,CAAC;AAGzF,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAClE,YAAY,EAAE,iBAAiB,EAAE,MAAM,oCAAoC,CAAC;AAC5E,OAAO,EACL,cAAc,EACd,qBAAqB,GACtB,MAAM,sCAAsC,CAAC;AAC9C,YAAY,EACV,YAAY,EACZ,cAAc,EACd,cAAc,GACf,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACL,eAAe,EACf,aAAa,GACd,MAAM,uCAAuC,CAAC;AAC/C,YAAY,EACV,YAAY,EACZ,qBAAqB,GACtB,MAAM,uCAAuC,CAAC;AAS/C,OAAO,KAAK,EACV,aAAa,EACb,UAAU,EACV,kBAAkB,EAClB,UAAU,EACV,eAAe,EACf,wBAAwB,EACxB,aAAa,EACd,MAAM,sBAAsB,CAAC;AAO9B;;;;;;;;GAQG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,MAAM,CAAM;IACpB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA0B;IAChD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAA0B;IAChD,OAAO,CAAC,UAAU,CAAqC;IACvD,OAAO,CAAC,SAAS,CAAoC;IACrD,OAAO,CAAC,QAAQ,CAA0C;IAE1D,UAAU,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;IAwBvC,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU;IAI7C,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,kBAAkB;IAIxD,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAIlE,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM;IAIzC,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAI5C,OAAO,CAAC,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,UAAU;IAI3D,SAAS,CAAC,OAAO,EAAE,UAAU,GAAG,MAAM;IAItC,mBAAmB,CACjB,QAAQ,EAAE,MAAM,EAChB,SAAS,EAAE,MAAM,GAChB,wBAAwB;IAI3B,mBAAmB,CACjB,UAAU,EAAE,UAAU,EACtB,eAAe,EAAE,eAAe,GAC/B,MAAM;IAIT,WAAW,IAAI,SAAS,aAAa,EAAE;IAIvC,OAAO,CAAC,iBAAiB;IAKzB,OAAO,CAAC,gBAAgB;IAKxB,OAAO,CAAC,eAAe;IAKvB,OAAO,CAAC,iBAAiB;CAK1B"}

package/dist/hsm/index.js

@@ -0,0 +1,97 @@
+// Application
+export { AsymmetricKeyService } from "./application/asymmetric-key-service.js";
+export { SymmetricKeyService } from "./application/symmetric-key-service.js";
+export { EnvelopeEncryptionService } from "./application/envelope-encryption-service.js";
+// Infrastructure
+export { InMemoryAuditLog } from "./infrastructure/audit-log.js";
+export { InMemoryKeyStore } from "./infrastructure/key-store.js";
+export { FileAuditLog } from "./infrastructure/file-audit-log.js";
+export { SyslogAuditLog, DEFAULT_SYSLOG_CONFIG, } from "./infrastructure/syslog-audit-log.js";
+export { AuditLogFactory, AUDIT_LOG_ENV, } from "./infrastructure/audit-log-factory.js";
+import { AsymmetricKeyService } from "./application/asymmetric-key-service.js";
+import { SymmetricKeyService } from "./application/symmetric-key-service.js";
+import { EnvelopeEncryptionService } from "./application/envelope-encryption-service.js";
+import { InMemoryAuditLog } from "./infrastructure/audit-log.js";
+import { InMemoryKeyStore } from "./infrastructure/key-store.js";
+/**
+ * Software simulation of a PKCS#11-style HSM.
+ *
+ * Private keys and raw symmetric material are stored inside the object and
+ * never returned to callers — only opaque handles or PEM public keys are
+ * surfaced externally.  All operations are appended to an immutable audit log.
+ *
+ * Ref: PKCS#11 v3.1 — https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.1/pkcs11-curr-v3.1.html
+ */
+export class HsmClient {
+    initialized = false;
+    slotId = "";
+    store = new InMemoryKeyStore();
+    audit = new InMemoryAuditLog();
+    asymmetric = null;
+    symmetric = null;
+    envelope = null;
+    initialize(config) {
+        if (config.slotId.trim().length === 0) {
+            throw new Error("HSM initialize: slotId must not be empty");
+        }
+        if (config.label.trim().length === 0) {
+            throw new Error("HSM initialize: label must not be empty");
+        }
+        if (this.initialized) {
+            throw new Error(`HSM already initialized on slot '${this.slotId}' — create a new HsmClient instance for a different slot`);
+        }
+        this.slotId = config.slotId;
+        this.asymmetric = new AsymmetricKeyService(this.store, this.audit, this.slotId);
+        this.symmetric = new SymmetricKeyService(this.store, this.audit);
+        this.envelope = new EnvelopeEncryptionService(this.symmetric, this.audit);
+        this.initialized = true;
+        this.audit.record("initialize", config.slotId, "success", config.label);
+    }
+    generateKeyPair(keyLabel) {
+        return this.requireAsymmetric().generateKeyPair(keyLabel);
+    }
+    sign(keyLabel, data) {
+        return this.requireAsymmetric().sign(keyLabel, data);
+    }
+    verify(keyLabel, data, signature) {
+        return this.requireAsymmetric().verify(keyLabel, data, signature);
+    }
+    exportPublicKey(keyLabel) {
+        return this.requireAsymmetric().exportPublicKey(keyLabel);
+    }
+    generateSymmetricKey(keyLabel) {
+        this.requireSymmetric().generateSymmetricKey(keyLabel);
+    }
+    wrapKey(plaintextDek, kekLabel) {
+        return this.requireSymmetric().wrapKey(plaintextDek, kekLabel);
+    }
+    unwrapKey(wrapped) {
+        return this.requireSymmetric().unwrapKey(wrapped);
+    }
+    encryptWithEnvelope(kekLabel, plaintext) {
+        return this.requireEnvelope().encrypt(kekLabel, plaintext);
+    }
+    decryptWithEnvelope(wrappedDek, encryptedRecord) {
+        return this.requireEnvelope().decrypt(wrappedDek, encryptedRecord);
+    }
+    getAuditLog() {
+        return this.audit.entries();
+    }
+    requireAsymmetric() {
+        this.assertInitialized();
+        return this.asymmetric;
+    }
+    requireSymmetric() {
+        this.assertInitialized();
+        return this.symmetric;
+    }
+    requireEnvelope() {
+        this.assertInitialized();
+        return this.envelope;
+    }
+    assertInitialized() {
+        if (!this.initialized) {
+            throw new Error("HSM not initialized: call initialize() first");
+        }
+    }
+}

package/dist/hsm/infrastructure/audit-log-factory.d.ts

@@ -0,0 +1,59 @@
+import type { AuditLog } from "../domain/ports.js";
+import { type SyslogConfig } from "./syslog-audit-log.js";
+/**
+ * Audit log adapter types supported by the factory.
+ */
+export type AuditLogType = "memory" | "file" | "syslog";
+/**
+ * Configuration for creating audit log instances.
+ */
+export interface AuditLogFactoryConfig {
+    /** Type of audit log adapter. Default: "memory" */
+    type: AuditLogType;
+    /** File path for FileAuditLog (required when type is "file") */
+    filePath?: string;
+    /** Syslog configuration for SyslogAuditLog (optional when type is "syslog") */
+    syslogConfig?: Partial<SyslogConfig>;
+}
+/**
+ * Environment variable names for audit log configuration.
+ */
+export declare const AUDIT_LOG_ENV: {
+    readonly TYPE: "HSM_AUDIT_LOG_TYPE";
+    readonly FILE_PATH: "HSM_AUDIT_LOG_PATH";
+    readonly SYSLOG_HOST: "HSM_SYSLOG_HOST";
+    readonly SYSLOG_PORT: "HSM_SYSLOG_PORT";
+    readonly SYSLOG_FACILITY: "HSM_SYSLOG_FACILITY";
+    readonly SYSLOG_APP_NAME: "HSM_SYSLOG_APP_NAME";
+};
+/**
+ * Factory for creating audit log instances based on configuration.
+ *
+ * Supports three adapter types:
+ * - "memory": In-memory (default, for development/testing)
+ * - "file": Append-only file with cryptographic chaining
+ * - "syslog": RFC 5424 syslog for enterprise SIEM integration
+ *
+ * Configuration can be provided via:
+ * - Direct config object
+ * - Environment variables (for production)
+ */
+export declare class AuditLogFactory {
+    /**
+     * Create an audit log instance from explicit configuration.
+     */
+    static create(config: AuditLogFactoryConfig): AuditLog;
+    /**
+     * Create an audit log instance from environment variables.
+     *
+     * Environment variables:
+     * - HSM_AUDIT_LOG_TYPE: "memory" | "file" | "syslog" (default: "memory")
+     * - HSM_AUDIT_LOG_PATH: file path for FileAuditLog
+     * - HSM_SYSLOG_HOST: syslog server hostname
+     * - HSM_SYSLOG_PORT: syslog server port
+     * - HSM_SYSLOG_FACILITY: syslog facility name
+     * - HSM_SYSLOG_APP_NAME: application name for syslog
+     */
+    static createFromEnv(env?: NodeJS.ProcessEnv): AuditLog;
+}
+//# sourceMappingURL=audit-log-factory.d.ts.map

package/dist/hsm/infrastructure/audit-log-factory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log-factory.d.ts","sourceRoot":"","sources":["../../../src/hsm/infrastructure/audit-log-factory.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAGnD,OAAO,EAAkB,KAAK,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1E;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;AAExD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,mDAAmD;IACnD,IAAI,EAAE,YAAY,CAAC;IACnB,gEAAgE;IAChE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,YAAY,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;CACtC;AAED;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;;CAOhB,CAAC;AAEX;;;;;;;;;;;GAWG;AACH,qBAAa,eAAe;IAC1B;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,qBAAqB,GAAG,QAAQ;IAuBtD;;;;;;;;;;OAUG;IACH,MAAM,CAAC,aAAa,CAAC,GAAG,GAAE,MAAM,CAAC,UAAwB,GAAG,QAAQ;CA8CrE"}

package/dist/hsm/infrastructure/audit-log-factory.js

@@ -0,0 +1,95 @@
+import { InMemoryAuditLog } from "./audit-log.js";
+import { FileAuditLog } from "./file-audit-log.js";
+import { SyslogAuditLog } from "./syslog-audit-log.js";
+/**
+ * Environment variable names for audit log configuration.
+ */
+export const AUDIT_LOG_ENV = {
+    TYPE: "HSM_AUDIT_LOG_TYPE",
+    FILE_PATH: "HSM_AUDIT_LOG_PATH",
+    SYSLOG_HOST: "HSM_SYSLOG_HOST",
+    SYSLOG_PORT: "HSM_SYSLOG_PORT",
+    SYSLOG_FACILITY: "HSM_SYSLOG_FACILITY",
+    SYSLOG_APP_NAME: "HSM_SYSLOG_APP_NAME",
+};
+/**
+ * Factory for creating audit log instances based on configuration.
+ *
+ * Supports three adapter types:
+ * - "memory": In-memory (default, for development/testing)
+ * - "file": Append-only file with cryptographic chaining
+ * - "syslog": RFC 5424 syslog for enterprise SIEM integration
+ *
+ * Configuration can be provided via:
+ * - Direct config object
+ * - Environment variables (for production)
+ */
+export class AuditLogFactory {
+    /**
+     * Create an audit log instance from explicit configuration.
+     */
+    static create(config) {
+        switch (config.type) {
+            case "memory":
+                return new InMemoryAuditLog();
+            case "file":
+                if (!config.filePath) {
+                    throw new Error("AuditLogFactory: filePath is required when type is 'file'");
+                }
+                return new FileAuditLog(config.filePath);
+            case "syslog":
+                return new SyslogAuditLog(config.syslogConfig);
+            default:
+                throw new Error(`AuditLogFactory: unknown audit log type '${config.type}'`);
+        }
+    }
+    /**
+     * Create an audit log instance from environment variables.
+     *
+     * Environment variables:
+     * - HSM_AUDIT_LOG_TYPE: "memory" | "file" | "syslog" (default: "memory")
+     * - HSM_AUDIT_LOG_PATH: file path for FileAuditLog
+     * - HSM_SYSLOG_HOST: syslog server hostname
+     * - HSM_SYSLOG_PORT: syslog server port
+     * - HSM_SYSLOG_FACILITY: syslog facility name
+     * - HSM_SYSLOG_APP_NAME: application name for syslog
+     */
+    static createFromEnv(env = process.env) {
+        const type = env[AUDIT_LOG_ENV.TYPE] || "memory";
+        const config = { type };
+        if (type === "file") {
+            const filePath = env[AUDIT_LOG_ENV.FILE_PATH];
+            if (filePath) {
+                config.filePath = filePath;
+            }
+        }
+        if (type === "syslog") {
+            const syslogConfig = {};
+            const host = env[AUDIT_LOG_ENV.SYSLOG_HOST];
+            if (host) {
+                syslogConfig.host = host;
+            }
+            const port = env[AUDIT_LOG_ENV.SYSLOG_PORT];
+            if (port) {
+                const parsedPort = parseInt(port, 10);
+                if (!Number.isFinite(parsedPort) ||
+                    !Number.isInteger(parsedPort) ||
+                    parsedPort < 1 ||
+                    parsedPort > 65535) {
+                    throw new Error(`AuditLogFactory: invalid ${AUDIT_LOG_ENV.SYSLOG_PORT} value '${port}'. Expected an integer between 1 and 65535`);
+                }
+                syslogConfig.port = parsedPort;
+            }
+            const facility = env[AUDIT_LOG_ENV.SYSLOG_FACILITY];
+            if (facility) {
+                syslogConfig.facility = facility;
+            }
+            const appName = env[AUDIT_LOG_ENV.SYSLOG_APP_NAME];
+            if (appName) {
+                syslogConfig.appName = appName;
+            }
+            config.syslogConfig = syslogConfig;
+        }
+        return this.create(config);
+    }
+}