@simonsbs/keylore 1.0.0-rc4

package/dist/repositories/pg-approval-repository.js

@@ -0,0 +1,157 @@
+import { randomUUID } from "node:crypto";
+import { approvalRequestSchema } from "../domain/types.js";
+function toIso(value) {
+    if (value === null) {
+        return undefined;
+    }
+    return value instanceof Date ? value.toISOString() : value;
+}
+function mapRow(row) {
+    return approvalRequestSchema.parse({
+        id: row.id,
+        tenantId: row.tenant_id,
+        createdAt: toIso(row.created_at),
+        expiresAt: toIso(row.expires_at),
+        status: row.status,
+        requestedBy: row.requested_by,
+        requestedRoles: row.requested_roles,
+        credentialId: row.credential_id,
+        operation: row.operation,
+        targetUrl: row.target_url,
+        targetHost: row.target_host,
+        reason: row.reason,
+        ruleId: row.rule_id ?? undefined,
+        correlationId: row.correlation_id,
+        fingerprint: row.fingerprint,
+        requiredApprovals: row.required_approvals,
+        approvalCount: row.approval_count,
+        denialCount: row.denial_count,
+        reviews: Array.isArray(row.reviews) ? row.reviews : [],
+        reviewedBy: row.reviewed_by ?? undefined,
+        reviewedAt: toIso(row.reviewed_at),
+        reviewNote: row.review_note ?? undefined,
+    });
+}
+export class PgApprovalRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async create(input) {
+        const parsed = approvalRequestSchema.parse(input);
+        await this.database.query(`INSERT INTO approval_requests (
+        id, tenant_id, created_at, expires_at, status, requested_by, requested_roles,
+        credential_id, operation, target_url, target_host, reason, rule_id,
+        correlation_id, fingerprint, required_approvals, approval_count, denial_count, reviews,
+        reviewed_by, reviewed_at, review_note
+      ) VALUES (
+        $1, $2, $3, $4, $5, $6, $7,
+        $8, $9, $10, $11, $12, $13,
+        $14, $15, $16, $17, $18, $19,
+        $20, $21, $22
+      )`, [
+            parsed.id,
+            parsed.tenantId,
+            parsed.createdAt,
+            parsed.expiresAt,
+            parsed.status,
+            parsed.requestedBy,
+            parsed.requestedRoles,
+            parsed.credentialId,
+            parsed.operation,
+            parsed.targetUrl,
+            parsed.targetHost,
+            parsed.reason,
+            parsed.ruleId ?? null,
+            parsed.correlationId,
+            parsed.fingerprint,
+            parsed.requiredApprovals,
+            parsed.approvalCount,
+            parsed.denialCount,
+            JSON.stringify(parsed.reviews),
+            parsed.reviewedBy ?? null,
+            parsed.reviewedAt ?? null,
+            parsed.reviewNote ?? null,
+        ]);
+        return parsed;
+    }
+    async expireStale() {
+        const result = await this.database.query(`WITH expired AS (
+         UPDATE approval_requests
+         SET status = 'expired'
+         WHERE status = 'pending' AND expires_at <= NOW()
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM expired`);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async getById(id) {
+        const result = await this.database.query("SELECT * FROM approval_requests WHERE id = $1", [id]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async list(status, tenantId) {
+        const clauses = [];
+        const params = [];
+        if (status) {
+            params.push(status);
+            clauses.push(`status = $${params.length}`);
+        }
+        if (tenantId) {
+            params.push(tenantId);
+            clauses.push(`tenant_id = $${params.length}`);
+        }
+        const where = clauses.length > 0 ? `WHERE ${clauses.join(" AND ")}` : "";
+        const result = await this.database.query(`SELECT * FROM approval_requests ${where} ORDER BY created_at DESC`, params);
+        return result.rows.map(mapRow);
+    }
+    async review(id, update) {
+        return this.database.withTransaction(async (client) => {
+            const currentResult = await client.query("SELECT * FROM approval_requests WHERE id = $1 FOR UPDATE", [id]);
+            const current = currentResult.rows[0];
+            if (!current) {
+                return undefined;
+            }
+            const parsed = mapRow(current);
+            if (parsed.status !== "pending") {
+                return undefined;
+            }
+            if (parsed.reviews.some((review) => review.reviewedBy === update.reviewedBy)) {
+                throw new Error("Reviewer has already reviewed this request.");
+            }
+            const review = {
+                reviewId: randomUUID(),
+                reviewedAt: new Date().toISOString(),
+                reviewedBy: update.reviewedBy,
+                decision: update.status,
+                note: update.reviewNote,
+            };
+            const reviews = [...parsed.reviews, review];
+            const approvalCount = parsed.approvalCount + (update.status === "approved" ? 1 : 0);
+            const denialCount = parsed.denialCount + (update.status === "denied" ? 1 : 0);
+            const nextStatus = denialCount > 0
+                ? "denied"
+                : approvalCount >= parsed.requiredApprovals
+                    ? "approved"
+                    : "pending";
+            const result = await client.query(`UPDATE approval_requests
+         SET status = $2,
+             approval_count = $3,
+             denial_count = $4,
+             reviews = $5::jsonb,
+             reviewed_by = $6,
+             reviewed_at = NOW(),
+             review_note = $7
+         WHERE id = $1
+         RETURNING *`, [
+                id,
+                nextStatus,
+                approvalCount,
+                denialCount,
+                JSON.stringify(reviews),
+                update.reviewedBy,
+                update.reviewNote ?? null,
+            ]);
+            return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+        });
+    }
+}

package/dist/repositories/pg-audit-log.js

@@ -0,0 +1,62 @@
+import { randomUUID } from "node:crypto";
+import { auditEventSchema } from "../domain/types.js";
+function mapRow(row) {
+    return auditEventSchema.parse({
+        eventId: row.event_id,
+        occurredAt: row.occurred_at instanceof Date
+            ? row.occurred_at.toISOString()
+            : row.occurred_at,
+        tenantId: row.tenant_id,
+        type: row.type,
+        action: row.action,
+        outcome: row.outcome,
+        principal: row.principal,
+        correlationId: row.correlation_id,
+        metadata: row.metadata,
+    });
+}
+export class PgAuditLogService {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async record(input) {
+        const event = auditEventSchema.parse({
+            eventId: randomUUID(),
+            occurredAt: new Date().toISOString(),
+            tenantId: input.tenantId ?? "default",
+            type: input.type,
+            action: input.action,
+            outcome: input.outcome,
+            principal: input.principal,
+            correlationId: input.correlationId ?? randomUUID(),
+            metadata: input.metadata ?? {},
+        });
+        await this.database.query(`INSERT INTO audit_events (
+        event_id, occurred_at, tenant_id, type, action, outcome, principal, correlation_id, metadata
+      ) VALUES (
+        $1, $2, $3, $4, $5, $6, $7, $8, $9::jsonb
+      )`, [
+            event.eventId,
+            event.occurredAt,
+            event.tenantId,
+            event.type,
+            event.action,
+            event.outcome,
+            event.principal,
+            event.correlationId,
+            JSON.stringify(event.metadata),
+        ]);
+        return event;
+    }
+    async listRecent(limit = 20, tenantId) {
+        const result = tenantId
+            ? await this.database.query(`SELECT * FROM audit_events WHERE tenant_id = $2 ORDER BY occurred_at DESC LIMIT $1`, [limit, tenantId])
+            : await this.database.query(`SELECT * FROM audit_events ORDER BY occurred_at DESC LIMIT $1`, [limit]);
+        return result.rows.map(mapRow);
+    }
+    async count() {
+        const result = await this.database.query("SELECT COUNT(*)::text AS count FROM audit_events");
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+}

package/dist/repositories/pg-auth-client-repository.js

@@ -0,0 +1,98 @@
+import { authClientRecordSchema, publicJwkSchema, } from "../domain/types.js";
+function normalizeJwks(value) {
+    if (Array.isArray(value)) {
+        return value;
+    }
+    if (value && typeof value === "object" && "kty" in value) {
+        return [value];
+    }
+    return [];
+}
+function mapRow(row) {
+    const base = authClientRecordSchema.parse({
+        clientId: row.client_id,
+        tenantId: row.tenant_id,
+        displayName: row.display_name,
+        roles: row.roles,
+        allowedScopes: row.allowed_scopes,
+        status: row.status,
+        tokenEndpointAuthMethod: row.token_endpoint_auth_method,
+        grantTypes: row.grant_types,
+        redirectUris: row.redirect_uris,
+        jwks: normalizeJwks(row.jwks).map((entry) => publicJwkSchema.parse(entry)),
+    });
+    return {
+        ...base,
+        secretHash: row.secret_hash ?? undefined,
+        secretSalt: row.secret_salt ?? undefined,
+    };
+}
+function stripSecrets(client) {
+    return authClientRecordSchema.parse({
+        clientId: client.clientId,
+        tenantId: client.tenantId,
+        displayName: client.displayName,
+        roles: client.roles,
+        allowedScopes: client.allowedScopes,
+        status: client.status,
+        tokenEndpointAuthMethod: client.tokenEndpointAuthMethod,
+        grantTypes: client.grantTypes,
+        redirectUris: client.redirectUris,
+        jwks: client.jwks,
+    });
+}
+export class PgAuthClientRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async ensureInitialized() {
+        await this.database.healthcheck();
+    }
+    async count() {
+        const result = await this.database.query("SELECT COUNT(*)::text AS count FROM oauth_clients");
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async list() {
+        const result = await this.database.query("SELECT * FROM oauth_clients ORDER BY client_id ASC");
+        return result.rows.map((row) => stripSecrets(mapRow(row)));
+    }
+    async getByClientId(clientId) {
+        const result = await this.database.query("SELECT * FROM oauth_clients WHERE client_id = $1", [clientId]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async upsert(client) {
+        await this.database.query(`INSERT INTO oauth_clients (
+        client_id, tenant_id, display_name, secret_hash, secret_salt, roles, allowed_scopes, status,
+        token_endpoint_auth_method, grant_types, redirect_uris, jwks
+      ) VALUES (
+        $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12
+      )
+      ON CONFLICT (client_id) DO UPDATE SET
+        tenant_id = EXCLUDED.tenant_id,
+        display_name = EXCLUDED.display_name,
+        secret_hash = EXCLUDED.secret_hash,
+        secret_salt = EXCLUDED.secret_salt,
+        roles = EXCLUDED.roles,
+        allowed_scopes = EXCLUDED.allowed_scopes,
+        status = EXCLUDED.status,
+        token_endpoint_auth_method = EXCLUDED.token_endpoint_auth_method,
+        grant_types = EXCLUDED.grant_types,
+        redirect_uris = EXCLUDED.redirect_uris,
+        jwks = EXCLUDED.jwks,
+        updated_at = NOW()`, [
+            client.clientId,
+            client.tenantId,
+            client.displayName,
+            client.secretHash ?? null,
+            client.secretSalt ?? null,
+            client.roles,
+            client.allowedScopes,
+            client.status,
+            client.tokenEndpointAuthMethod,
+            client.grantTypes,
+            client.redirectUris,
+            client.jwks,
+        ]);
+    }
+}

package/dist/repositories/pg-authorization-code-repository.js

@@ -0,0 +1,95 @@
+function toIso(value) {
+    if (value === null) {
+        return undefined;
+    }
+    return value instanceof Date ? value.toISOString() : value;
+}
+function mapRow(row) {
+    return {
+        codeId: row.code_id,
+        clientId: row.client_id,
+        tenantId: row.tenant_id,
+        subject: row.subject,
+        scopes: row.scopes,
+        roles: row.roles,
+        resource: row.resource ?? undefined,
+        redirectUri: row.redirect_uri,
+        codeChallenge: row.code_challenge,
+        codeChallengeMethod: row.code_challenge_method,
+        expiresAt: toIso(row.expires_at) ?? new Date(0).toISOString(),
+        status: row.status,
+        createdAt: toIso(row.created_at) ?? new Date(0).toISOString(),
+        consumedAt: toIso(row.consumed_at),
+    };
+}
+export class PgAuthorizationCodeRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async create(input) {
+        await this.database.query(`INSERT INTO oauth_authorization_codes (
+         code_id, code_hash, client_id, tenant_id, subject, scopes, roles, resource,
+         redirect_uri, code_challenge, code_challenge_method, expires_at, status
+       ) VALUES (
+         $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, 'active'
+       )`, [
+            input.codeId,
+            input.codeHash,
+            input.clientId,
+            input.tenantId,
+            input.subject,
+            input.scopes,
+            input.roles,
+            input.resource ?? null,
+            input.redirectUri,
+            input.codeChallenge,
+            input.codeChallengeMethod,
+            input.expiresAt,
+        ]);
+    }
+    async consumeByHash(codeHash) {
+        return this.database.withTransaction(async (client) => {
+            const result = await client.query("SELECT * FROM oauth_authorization_codes WHERE code_hash = $1 FOR UPDATE", [codeHash]);
+            const row = result.rows[0];
+            if (!row) {
+                return undefined;
+            }
+            const record = mapRow(row);
+            const expired = new Date(record.expiresAt).getTime() <= Date.now();
+            if (record.status !== "active" || expired) {
+                if (expired && record.status === "active") {
+                    await client.query("UPDATE oauth_authorization_codes SET status = 'revoked' WHERE code_hash = $1", [codeHash]);
+                }
+                return undefined;
+            }
+            await client.query(`UPDATE oauth_authorization_codes
+         SET status = 'consumed', consumed_at = NOW()
+         WHERE code_hash = $1`, [codeHash]);
+            return {
+                ...record,
+                status: "consumed",
+                consumedAt: new Date().toISOString(),
+            };
+        });
+    }
+    async cleanup() {
+        const result = await this.database.query(`WITH cleaned AS (
+         DELETE FROM oauth_authorization_codes
+         WHERE expires_at <= NOW() OR status <> 'active'
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM cleaned`);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async revokeByClientId(clientId) {
+        const result = await this.database.query(`WITH revoked AS (
+         UPDATE oauth_authorization_codes
+         SET status = 'revoked'
+         WHERE client_id = $1 AND status = 'active'
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM revoked`, [clientId]);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+}

package/dist/repositories/pg-break-glass-repository.js

@@ -0,0 +1,174 @@
+import { randomUUID } from "node:crypto";
+import { breakGlassRequestSchema } from "../domain/types.js";
+function toIso(value) {
+    if (value === null) {
+        return undefined;
+    }
+    return value instanceof Date ? value.toISOString() : value;
+}
+function mapRow(row) {
+    return breakGlassRequestSchema.parse({
+        id: row.id,
+        tenantId: row.tenant_id,
+        createdAt: toIso(row.created_at),
+        expiresAt: toIso(row.expires_at),
+        status: row.status,
+        requestedBy: row.requested_by,
+        requestedRoles: row.requested_roles,
+        credentialId: row.credential_id,
+        operation: row.operation,
+        targetUrl: row.target_url,
+        targetHost: row.target_host,
+        justification: row.justification,
+        requestedDurationSeconds: row.requested_duration_seconds,
+        correlationId: row.correlation_id,
+        fingerprint: row.fingerprint,
+        requiredApprovals: row.required_approvals,
+        approvalCount: row.approval_count,
+        denialCount: row.denial_count,
+        reviews: Array.isArray(row.reviews) ? row.reviews : [],
+        reviewedBy: row.reviewed_by ?? undefined,
+        reviewedAt: toIso(row.reviewed_at),
+        reviewNote: row.review_note ?? undefined,
+        revokedBy: row.revoked_by ?? undefined,
+        revokedAt: toIso(row.revoked_at),
+        revokeNote: row.revoke_note ?? undefined,
+    });
+}
+export class PgBreakGlassRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async create(input) {
+        const parsed = breakGlassRequestSchema.parse(input);
+        await this.database.query(`INSERT INTO break_glass_requests (
+         id, tenant_id, created_at, expires_at, status, requested_by, requested_roles,
+         credential_id, operation, target_url, target_host, justification, requested_duration_seconds,
+         correlation_id, fingerprint, required_approvals, approval_count, denial_count, reviews, reviewed_by, reviewed_at, review_note,
+         revoked_by, revoked_at, revoke_note
+       ) VALUES (
+         $1, $2, $3, $4, $5, $6, $7,
+         $8, $9, $10, $11, $12, $13,
+         $14, $15, $16, $17, $18, $19, $20, $21, $22,
+         $23, $24, $25
+       )`, [
+            parsed.id,
+            parsed.tenantId,
+            parsed.createdAt,
+            parsed.expiresAt,
+            parsed.status,
+            parsed.requestedBy,
+            parsed.requestedRoles,
+            parsed.credentialId,
+            parsed.operation,
+            parsed.targetUrl,
+            parsed.targetHost,
+            parsed.justification,
+            parsed.requestedDurationSeconds,
+            parsed.correlationId,
+            parsed.fingerprint,
+            parsed.requiredApprovals,
+            parsed.approvalCount,
+            parsed.denialCount,
+            JSON.stringify(parsed.reviews),
+            parsed.reviewedBy ?? null,
+            parsed.reviewedAt ?? null,
+            parsed.reviewNote ?? null,
+            parsed.revokedBy ?? null,
+            parsed.revokedAt ?? null,
+            parsed.revokeNote ?? null,
+        ]);
+        return parsed;
+    }
+    async expireStale() {
+        const result = await this.database.query(`WITH expired AS (
+         UPDATE break_glass_requests
+         SET status = 'expired'
+         WHERE status IN ('pending', 'active') AND expires_at <= NOW()
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM expired`);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async getById(id) {
+        const result = await this.database.query("SELECT * FROM break_glass_requests WHERE id = $1", [id]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async list(filter) {
+        const clauses = [];
+        const params = [];
+        if (filter?.status) {
+            params.push(filter.status);
+            clauses.push(`status = $${params.length}`);
+        }
+        if (filter?.requestedBy) {
+            params.push(filter.requestedBy);
+            clauses.push(`requested_by = $${params.length}`);
+        }
+        if (filter?.tenantId) {
+            params.push(filter.tenantId);
+            clauses.push(`tenant_id = $${params.length}`);
+        }
+        const where = clauses.length > 0 ? `WHERE ${clauses.join(" AND ")}` : "";
+        const result = await this.database.query(`SELECT * FROM break_glass_requests ${where} ORDER BY created_at DESC`, params);
+        return result.rows.map(mapRow);
+    }
+    async review(id, update) {
+        return this.database.withTransaction(async (client) => {
+            const currentResult = await client.query("SELECT * FROM break_glass_requests WHERE id = $1 FOR UPDATE", [id]);
+            const current = currentResult.rows[0];
+            if (!current) {
+                return undefined;
+            }
+            const parsed = mapRow(current);
+            if (parsed.status !== "pending") {
+                return undefined;
+            }
+            if (parsed.reviews.some((review) => review.reviewedBy === update.reviewedBy)) {
+                throw new Error("Reviewer has already reviewed this request.");
+            }
+            const review = {
+                reviewId: randomUUID(),
+                reviewedAt: new Date().toISOString(),
+                reviewedBy: update.reviewedBy,
+                decision: update.status === "active" ? "approved" : "denied",
+                note: update.reviewNote,
+            };
+            const reviews = [...parsed.reviews, review];
+            const approvalCount = parsed.approvalCount + (update.status === "active" ? 1 : 0);
+            const denialCount = parsed.denialCount + (update.status === "denied" ? 1 : 0);
+            const nextStatus = denialCount > 0
+                ? "denied"
+                : approvalCount >= parsed.requiredApprovals
+                    ? "active"
+                    : "pending";
+            const result = await client.query(`UPDATE break_glass_requests
+         SET status = $2,
+             approval_count = $3,
+             denial_count = $4,
+             reviews = $5::jsonb,
+             reviewed_by = $6,
+             reviewed_at = NOW(),
+             review_note = $7
+         WHERE id = $1
+         RETURNING *`, [
+                id,
+                nextStatus,
+                approvalCount,
+                denialCount,
+                JSON.stringify(reviews),
+                update.reviewedBy,
+                update.reviewNote ?? null,
+            ]);
+            return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+        });
+    }
+    async revoke(id, update) {
+        const result = await this.database.query(`UPDATE break_glass_requests
+       SET status = 'revoked', revoked_by = $2, revoked_at = NOW(), revoke_note = $3
+       WHERE id = $1 AND status = 'active'
+       RETURNING *`, [id, update.revokedBy, update.revokeNote ?? null]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+}