@revealui/core 0.3.0 → 0.5.0

package/dist/security/authorization.js

@@ -1,492 +0,0 @@
-/**
- * Authorization System
- *
- * Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC)
- */
-/**
- * Authorization system
- */
-export class AuthorizationSystem {
-    roles = new Map();
-    policies = new Map();
-    /**
-     * Register role
-     */
-    registerRole(role) {
-        this.roles.set(role.id, role);
-    }
-    /**
-     * Get role
-     */
-    getRole(roleId) {
-        return this.roles.get(roleId);
-    }
-    /**
-     * Register policy
-     */
-    registerPolicy(policy) {
-        this.policies.set(policy.id, policy);
-    }
-    /**
-     * Check if user has permission (RBAC)
-     */
-    hasPermission(userRoles, resource, action) {
-        // Get all permissions for user's roles
-        const permissions = this.getUserPermissions(userRoles);
-        // Check if any permission matches
-        return permissions.some((permission) => this.matchesResource(permission.resource, resource) &&
-            this.matchesAction(permission.action, action));
-    }
-    /**
-     * Check access with policies (ABAC)
-     */
-    checkAccess(context, resource, action) {
-        // Check RBAC first
-        if (this.hasPermission(context.user.roles, resource, action)) {
-            return { allowed: true };
-        }
-        // Check policies
-        const applicablePolicies = this.getApplicablePolicies(resource, action, context);
-        // Sort by priority (higher priority first)
-        applicablePolicies.sort((a, b) => (b.priority || 0) - (a.priority || 0));
-        // Apply first matching policy
-        for (const policy of applicablePolicies) {
-            if (this.evaluateConditions(policy.conditions || [], context)) {
-                return {
-                    allowed: policy.effect === 'allow',
-                    reason: policy.effect === 'deny' ? `Denied by policy: ${policy.name}` : undefined,
-                };
-            }
-        }
-        return { allowed: false, reason: 'No matching policy' };
-    }
-    /**
-     * Get all permissions for roles
-     */
-    getUserPermissions(roleIds) {
-        const permissions = [];
-        const visited = new Set();
-        const addRolePermissions = (roleId) => {
-            if (visited.has(roleId))
-                return;
-            visited.add(roleId);
-            const role = this.roles.get(roleId);
-            if (!role)
-                return;
-            // Add role permissions
-            permissions.push(...role.permissions);
-            // Add inherited permissions
-            if (role.inherits) {
-                role.inherits.forEach((inheritedRoleId) => {
-                    addRolePermissions(inheritedRoleId);
-                });
-            }
-        };
-        roleIds.forEach(addRolePermissions);
-        return permissions;
-    }
-    /**
-     * Get applicable policies
-     */
-    getApplicablePolicies(resource, action, _context) {
-        return Array.from(this.policies.values()).filter((policy) => {
-            // Check if resource matches
-            const resourceMatches = policy.resources.some((r) => this.matchesResource(r, resource));
-            // Check if action matches
-            const actionMatches = policy.actions.some((a) => this.matchesAction(a, action));
-            return resourceMatches && actionMatches;
-        });
-    }
-    /**
-     * Match resource pattern
-     */
-    matchesResource(pattern, resource) {
-        if (pattern === '*')
-            return true;
-        if (pattern === resource)
-            return true;
-        // Convert glob pattern to regex
-        const regex = new RegExp(`^${pattern.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/\?/g, '.')}$`);
-        return regex.test(resource);
-    }
-    /**
-     * Match action pattern
-     */
-    matchesAction(pattern, action) {
-        if (pattern === '*')
-            return true;
-        if (pattern === action)
-            return true;
-        // Support wildcards like "read:*"
-        const regex = new RegExp(`^${pattern.replace(/\./g, '\\.').replace(/\*/g, '.*').replace(/\?/g, '.')}$`);
-        return regex.test(action);
-    }
-    /**
-     * Evaluate policy conditions
-     */
-    evaluateConditions(conditions, context) {
-        return conditions.every((condition) => {
-            const value = this.getContextValue(condition.field, context);
-            return this.evaluateCondition(condition, value);
-        });
-    }
-    /**
-     * Get value from context
-     */
-    getContextValue(field, context) {
-        const parts = field.split('.');
-        let value = context;
-        for (const part of parts) {
-            if (value && typeof value === 'object' && part in value) {
-                value = value[part];
-            }
-            else {
-                return undefined;
-            }
-        }
-        return value;
-    }
-    /**
-     * Evaluate single condition
-     */
-    evaluateCondition(condition, value) {
-        switch (condition.operator) {
-            case 'eq':
-                return value === condition.value;
-            case 'ne':
-                return value !== condition.value;
-            case 'gt':
-                return typeof value === 'number' && value > condition.value;
-            case 'gte':
-                return typeof value === 'number' && value >= condition.value;
-            case 'lt':
-                return typeof value === 'number' && value < condition.value;
-            case 'lte':
-                return typeof value === 'number' && value <= condition.value;
-            case 'in':
-                return Array.isArray(condition.value) && condition.value.includes(value);
-            case 'contains':
-                return (typeof value === 'string' &&
-                    typeof condition.value === 'string' &&
-                    value.includes(condition.value));
-            default:
-                return false;
-        }
-    }
-    /**
-     * Check if user owns resource
-     */
-    ownsResource(userId, resource) {
-        return resource.owner === userId;
-    }
-    /**
-     * Clear all roles and policies
-     */
-    clear() {
-        this.roles.clear();
-        this.policies.clear();
-    }
-}
-/**
- * Global authorization instance
- */
-export const authorization = new AuthorizationSystem();
-/**
- * Common roles — aligned with DB schema (`users.role` column)
- * and `UserRoleSchema` in @revealui/contracts.
- *
- * Values: owner | admin | editor | viewer | agent | contributor
- */
-export const CommonRoles = {
-    owner: {
-        id: 'owner',
-        name: 'Owner',
-        description: 'Full control — inherits admin',
-        permissions: [{ resource: '*', action: '*' }],
-        inherits: ['admin'],
-    },
-    admin: {
-        id: 'admin',
-        name: 'Administrator',
-        description: 'Full system access',
-        permissions: [{ resource: '*', action: '*' }],
-    },
-    editor: {
-        id: 'editor',
-        name: 'Editor',
-        description: 'Can read and modify content',
-        permissions: [
-            { resource: 'content', action: 'read' },
-            { resource: 'content', action: 'create' },
-            { resource: 'content', action: 'update' },
-            { resource: 'profile', action: 'read' },
-            { resource: 'profile', action: 'update' },
-            { resource: 'sites', action: 'read' },
-            { resource: 'marketplace', action: 'read' },
-        ],
-    },
-    viewer: {
-        id: 'viewer',
-        name: 'Viewer',
-        description: 'Read-only access',
-        permissions: [
-            { resource: 'content', action: 'read' },
-            { resource: 'profile', action: 'read' },
-            { resource: 'sites', action: 'read' },
-            { resource: 'public', action: 'read' },
-        ],
-    },
-    agent: {
-        id: 'agent',
-        name: 'AI Agent',
-        description: 'Can execute tasks and read content',
-        permissions: [
-            { resource: 'tasks', action: 'create' },
-            { resource: 'tasks', action: 'read' },
-            { resource: 'content', action: 'read' },
-            { resource: 'rag', action: 'read' },
-            { resource: 'rag', action: 'create' },
-        ],
-    },
-    contributor: {
-        id: 'contributor',
-        name: 'Contributor',
-        description: 'Can suggest changes — create drafts but not publish or delete',
-        permissions: [
-            { resource: 'content', action: 'read' },
-            { resource: 'content', action: 'create' },
-            { resource: 'profile', action: 'read' },
-            { resource: 'profile', action: 'update' },
-        ],
-    },
-};
-/**
- * Permission builder
- */
-export class PermissionBuilder {
-    permission = {};
-    resource(resource) {
-        this.permission.resource = resource;
-        return this;
-    }
-    action(action) {
-        this.permission.action = action;
-        return this;
-    }
-    conditions(conditions) {
-        this.permission.conditions = conditions;
-        return this;
-    }
-    build() {
-        if (!(this.permission.resource && this.permission.action)) {
-            throw new Error('Resource and action are required');
-        }
-        return this.permission;
-    }
-}
-/**
- * Policy builder
- */
-export class PolicyBuilder {
-    policy = {
-        effect: 'allow',
-        resources: [],
-        actions: [],
-        conditions: [],
-    };
-    id(id) {
-        this.policy.id = id;
-        return this;
-    }
-    name(name) {
-        this.policy.name = name;
-        return this;
-    }
-    allow() {
-        this.policy.effect = 'allow';
-        return this;
-    }
-    deny() {
-        this.policy.effect = 'deny';
-        return this;
-    }
-    resources(...resources) {
-        this.policy.resources = resources;
-        return this;
-    }
-    actions(...actions) {
-        this.policy.actions = actions;
-        return this;
-    }
-    condition(field, operator, value) {
-        if (!this.policy.conditions) {
-            this.policy.conditions = [];
-        }
-        this.policy.conditions.push({ field, operator, value });
-        return this;
-    }
-    priority(priority) {
-        this.policy.priority = priority;
-        return this;
-    }
-    build() {
-        if (!(this.policy.id && this.policy.name)) {
-            throw new Error('ID and name are required');
-        }
-        return this.policy;
-    }
-}
-/**
- * Authorization decorators
- */
-export function RequirePermission(resource, action) {
-    return (_target, _propertyKey, descriptor) => {
-        const originalMethod = descriptor.value;
-        descriptor.value = function (...args) {
-            const userRoles = this.user?.roles || [];
-            if (!authorization.hasPermission(userRoles, resource, action)) {
-                throw new Error(`Permission denied: ${resource}:${action}`);
-            }
-            return originalMethod.apply(this, args);
-        };
-        return descriptor;
-    };
-}
-export function RequireRole(requiredRole) {
-    return (_target, _propertyKey, descriptor) => {
-        const originalMethod = descriptor.value;
-        descriptor.value = function (...args) {
-            const userRoles = this.user?.roles || [];
-            if (!userRoles.includes(requiredRole)) {
-                throw new Error(`Role required: ${requiredRole}`);
-            }
-            return originalMethod.apply(this, args);
-        };
-        return descriptor;
-    };
-}
-/**
- * Authorization middleware
- */
-export function createAuthorizationMiddleware(getUser, resource, action) {
-    return (request, next) => {
-        const user = getUser(request);
-        if (!authorization.hasPermission(user.roles, resource, action)) {
-            throw new Error(`Permission denied: ${resource}:${action}`);
-        }
-        return next();
-    };
-}
-/**
- * Resource ownership check
- */
-export function canAccessResource(userId, userRoles, resource, action) {
-    // Check if user has permission
-    if (authorization.hasPermission(userRoles, resource.type, action)) {
-        return true;
-    }
-    // Check if user owns the resource
-    if (authorization.ownsResource(userId, resource)) {
-        return true;
-    }
-    return false;
-}
-/**
- * Attribute-based access control helper
- */
-export function checkAttributeAccess(context, resource, action, requiredAttributes) {
-    // Check basic permission
-    const { allowed } = authorization.checkAccess(context, resource, action);
-    if (!allowed) {
-        return false;
-    }
-    // Check required attributes
-    if (requiredAttributes) {
-        const userAttributes = context.user.attributes || {};
-        return Object.entries(requiredAttributes).every(([key, value]) => userAttributes[key] === value);
-    }
-    return true;
-}
-/**
- * Permission cache for performance
- */
-export class PermissionCache {
-    cache = new Map();
-    ttl;
-    maxEntries;
-    constructor(ttl = 300000, maxEntries = 10_000) {
-        // 5 minutes default, 10k max entries
-        this.ttl = ttl;
-        this.maxEntries = maxEntries;
-    }
-    /**
-     * Get cached permission
-     */
-    get(userId, resource, action) {
-        const key = this.getCacheKey(userId, resource, action);
-        const cached = this.cache.get(key);
-        if (!cached) {
-            return undefined;
-        }
-        // Check expiration
-        if (Date.now() > cached.expiresAt) {
-            this.cache.delete(key);
-            return undefined;
-        }
-        return cached.allowed;
-    }
-    /**
-     * Set cached permission
-     */
-    set(userId, resource, action, allowed) {
-        const key = this.getCacheKey(userId, resource, action);
-        // Evict expired entries when approaching max size
-        if (this.cache.size >= this.maxEntries) {
-            const now = Date.now();
-            for (const [k, v] of this.cache) {
-                if (now > v.expiresAt)
-                    this.cache.delete(k);
-            }
-            // If still over limit after purge, drop oldest entries (FIFO via Map insertion order)
-            if (this.cache.size >= this.maxEntries) {
-                const excess = this.cache.size - this.maxEntries + 1;
-                const keys = this.cache.keys();
-                for (let i = 0; i < excess; i++) {
-                    const next = keys.next();
-                    if (!next.done)
-                        this.cache.delete(next.value);
-                }
-            }
-        }
-        this.cache.set(key, {
-            allowed,
-            expiresAt: Date.now() + this.ttl,
-        });
-    }
-    /**
-     * Clear cache for user
-     */
-    clearUser(userId) {
-        for (const key of this.cache.keys()) {
-            if (key.startsWith(`${userId}:`)) {
-                this.cache.delete(key);
-            }
-        }
-    }
-    /**
-     * Clear all cache
-     */
-    clear() {
-        this.cache.clear();
-    }
-    /**
-     * Get cache key
-     */
-    getCacheKey(userId, resource, action) {
-        return `${userId}:${resource}:${action}`;
-    }
-}
-/**
- * Global permission cache
- */
-export const permissionCache = new PermissionCache();

package/dist/security/encryption.d.ts

@@ -1,226 +0,0 @@
-/**
- * Encryption Utilities
- *
- * Data encryption for at-rest and in-transit protection
- */
-export interface EncryptionConfig {
-    algorithm: 'AES-GCM' | 'AES-CTR';
-    keySize: 128 | 192 | 256;
-    ivSize?: number;
-}
-export interface EncryptedData {
-    data: string;
-    iv: string;
-    tag?: string;
-    algorithm: string;
-}
-/**
- * Encryption system
- */
-export declare class EncryptionSystem {
-    private config;
-    private keys;
-    constructor(config?: Partial<EncryptionConfig>);
-    /**
-     * Generate encryption key
-     */
-    generateKey(keyId?: string): Promise<CryptoKey>;
-    /**
-     * Import key from raw data
-     */
-    importKey(keyData: ArrayBuffer, keyId?: string): Promise<CryptoKey>;
-    /**
-     * Export key to raw data
-     */
-    exportKey(key: CryptoKey): Promise<ArrayBuffer>;
-    /**
-     * Encrypt data
-     */
-    encrypt(data: string, keyOrId: CryptoKey | string): Promise<EncryptedData>;
-    /**
-     * Decrypt data
-     */
-    decrypt(encryptedData: EncryptedData, keyOrId: CryptoKey | string): Promise<string>;
-    /**
-     * Encrypt object
-     */
-    encryptObject<T extends Record<string, unknown>>(obj: T, keyOrId: CryptoKey | string): Promise<EncryptedData>;
-    /**
-     * Decrypt object
-     */
-    decryptObject<T extends Record<string, unknown>>(encryptedData: EncryptedData, keyOrId: CryptoKey | string): Promise<T>;
-    /**
-     * Hash data
-     */
-    hash(data: string, algorithm?: 'SHA-256' | 'SHA-384' | 'SHA-512'): Promise<string>;
-    /**
-     * Generate random bytes
-     */
-    randomBytes(length: number): Uint8Array;
-    /**
-     * Generate random string
-     */
-    randomString(length: number, charset?: string): string;
-    /**
-     * Convert ArrayBuffer to base64
-     */
-    private arrayBufferToBase64;
-    /**
-     * Convert base64 to ArrayBuffer
-     */
-    private base64ToArrayBuffer;
-    /**
-     * Store key
-     */
-    storeKey(keyId: string, key: CryptoKey): void;
-    /**
-     * Get key
-     */
-    getKey(keyId: string): CryptoKey | undefined;
-    /**
-     * Remove key
-     */
-    removeKey(keyId: string): void;
-    /**
-     * Clear all keys
-     */
-    clearKeys(): void;
-}
-/**
- * Global encryption instance
- */
-export declare const encryption: EncryptionSystem;
-/**
- * Field-level encryption
- */
-export declare class FieldEncryption {
-    private encryption;
-    private key;
-    constructor(encryption: EncryptionSystem);
-    /**
-     * Initialize with key
-     */
-    initialize(key: CryptoKey): Promise<void>;
-    /**
-     * Encrypt field
-     */
-    encryptField(value: unknown): Promise<EncryptedData>;
-    /**
-     * Decrypt field
-     */
-    decryptField(encryptedData: EncryptedData): Promise<unknown>;
-    /**
-     * Encrypt object fields
-     */
-    encryptFields<T extends Record<string, unknown>>(obj: T, fields: (keyof T)[]): Promise<T>;
-    /**
-     * Decrypt object fields
-     */
-    decryptFields<T extends Record<string, unknown>>(obj: T, fields: (keyof T)[]): Promise<T>;
-}
-/**
- * Key rotation
- */
-export declare class KeyRotationManager {
-    private encryption;
-    private currentKeyId;
-    private oldKeys;
-    private keyCreationDates;
-    constructor(encryption: EncryptionSystem, initialKeyId: string);
-    /**
-     * Rotate to new key
-     */
-    rotate(newKeyId: string, newKey: CryptoKey): Promise<void>;
-    /**
-     * Re-encrypt data with new key
-     */
-    reencrypt(encryptedData: EncryptedData, oldKeyId: string): Promise<EncryptedData>;
-    /**
-     * Get current key ID
-     */
-    getCurrentKeyId(): string;
-    /**
-     * Clean up old keys created before the specified date.
-     * Never removes the current active key.
-     */
-    cleanupOldKeys(olderThan: Date): void;
-}
-/**
- * Envelope encryption for large data
- */
-export declare class EnvelopeEncryption {
-    private encryption;
-    private masterKey;
-    constructor(encryption: EncryptionSystem, masterKey: CryptoKey);
-    /**
-     * Encrypt with envelope encryption
-     */
-    encrypt(data: string): Promise<{
-        encryptedData: EncryptedData;
-        encryptedKey: EncryptedData;
-    }>;
-    /**
-     * Decrypt with envelope encryption
-     */
-    decrypt(encryptedData: EncryptedData, encryptedKey: EncryptedData): Promise<string>;
-    private arrayBufferToBase64;
-    private base64ToArrayBuffer;
-}
-/**
- * Data masking utilities
- */
-/**
- * Mask email
- */
-declare function maskEmail(email: string): string;
-/**
- * Mask phone number
- */
-declare function maskPhone(phone: string): string;
-/**
- * Mask credit card
- */
-declare function maskCreditCard(card: string): string;
-/**
- * Mask SSN
- */
-declare function maskSSN(ssn: string): string;
-/**
- * Mask string (keep first and last character)
- */
-declare function maskString(str: string, keepChars?: number): string;
-export declare const DataMasking: {
-    readonly maskEmail: typeof maskEmail;
-    readonly maskPhone: typeof maskPhone;
-    readonly maskCreditCard: typeof maskCreditCard;
-    readonly maskSSN: typeof maskSSN;
-    readonly maskString: typeof maskString;
-};
-/**
- * Secure random token generator
- */
-/**
- * Generate secure token. `length` is the number of random bytes;
- * the returned string is hex-encoded, so it will be `length * 2` characters.
- */
-declare function generateToken(length?: number): string;
-/**
- * Generate UUID v4
- */
-declare function generateUUID(): string;
-/**
- * Generate API key
- */
-declare function generateAPIKey(prefix?: string): string;
-/**
- * Generate session ID
- */
-declare function generateSessionID(): string;
-export declare const TokenGenerator: {
-    readonly generate: typeof generateToken;
-    readonly generateUUID: typeof generateUUID;
-    readonly generateAPIKey: typeof generateAPIKey;
-    readonly generateSessionID: typeof generateSessionID;
-};
-export {};
-//# sourceMappingURL=encryption.d.ts.map