npm - @simonsbs/keylore - Versions diffs - 1.0.0-rc4 - Mend

@simonsbs/keylore 1.0.0-rc4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (81) hide show

package/.env.example +64 -0
package/LICENSE +176 -0
package/NOTICE +5 -0
package/README.md +424 -0
package/bin/keylore-http.js +3 -0
package/bin/keylore-stdio.js +3 -0
package/data/auth-clients.json +54 -0
package/data/catalog.json +53 -0
package/data/policies.json +25 -0
package/dist/adapters/adapter-registry.js +143 -0
package/dist/adapters/aws-secrets-manager-adapter.js +99 -0
package/dist/adapters/command-runner.js +17 -0
package/dist/adapters/env-secret-adapter.js +42 -0
package/dist/adapters/gcp-secret-manager-adapter.js +129 -0
package/dist/adapters/local-secret-adapter.js +54 -0
package/dist/adapters/onepassword-secret-adapter.js +83 -0
package/dist/adapters/reference-utils.js +44 -0
package/dist/adapters/types.js +1 -0
package/dist/adapters/vault-secret-adapter.js +103 -0
package/dist/app.js +132 -0
package/dist/cli/args.js +51 -0
package/dist/cli/run.js +483 -0
package/dist/cli.js +18 -0
package/dist/config.js +295 -0
package/dist/domain/types.js +967 -0
package/dist/http/admin-ui.js +3010 -0
package/dist/http/server.js +1210 -0
package/dist/index.js +40 -0
package/dist/mcp/create-server.js +388 -0
package/dist/mcp/stdio.js +7 -0
package/dist/repositories/credential-repository.js +109 -0
package/dist/repositories/interfaces.js +1 -0
package/dist/repositories/json-file.js +20 -0
package/dist/repositories/pg-access-token-repository.js +118 -0
package/dist/repositories/pg-approval-repository.js +157 -0
package/dist/repositories/pg-audit-log.js +62 -0
package/dist/repositories/pg-auth-client-repository.js +98 -0
package/dist/repositories/pg-authorization-code-repository.js +95 -0
package/dist/repositories/pg-break-glass-repository.js +174 -0
package/dist/repositories/pg-credential-repository.js +163 -0
package/dist/repositories/pg-oauth-client-assertion-repository.js +25 -0
package/dist/repositories/pg-policy-repository.js +62 -0
package/dist/repositories/pg-refresh-token-repository.js +125 -0
package/dist/repositories/pg-rotation-run-repository.js +127 -0
package/dist/repositories/pg-tenant-repository.js +56 -0
package/dist/repositories/policy-repository.js +24 -0
package/dist/runtime/sandbox-runner.js +114 -0
package/dist/services/access-fingerprint.js +13 -0
package/dist/services/approval-service.js +148 -0
package/dist/services/audit-log.js +38 -0
package/dist/services/auth-context.js +43 -0
package/dist/services/auth-secrets.js +14 -0
package/dist/services/auth-service.js +784 -0
package/dist/services/backup-service.js +610 -0
package/dist/services/break-glass-service.js +207 -0
package/dist/services/broker-service.js +557 -0
package/dist/services/core-mode-service.js +154 -0
package/dist/services/egress-policy.js +119 -0
package/dist/services/local-secret-store.js +119 -0
package/dist/services/maintenance-service.js +99 -0
package/dist/services/notification-service.js +83 -0
package/dist/services/policy-engine.js +85 -0
package/dist/services/rate-limit-service.js +80 -0
package/dist/services/rotation-service.js +271 -0
package/dist/services/telemetry.js +149 -0
package/dist/services/tenant-service.js +127 -0
package/dist/services/trace-export-service.js +126 -0
package/dist/services/trace-service.js +87 -0
package/dist/storage/bootstrap.js +68 -0
package/dist/storage/database.js +39 -0
package/dist/storage/in-memory-database.js +40 -0
package/dist/storage/migrations.js +27 -0
package/migrations/001_init.sql +49 -0
package/migrations/002_phase2_auth.sql +53 -0
package/migrations/003_v05_operations.sql +9 -0
package/migrations/004_v07_security.sql +28 -0
package/migrations/005_v08_reviews.sql +11 -0
package/migrations/006_v09_auth_trace_rotation.sql +51 -0
package/migrations/007_v010_multi_tenant.sql +32 -0
package/migrations/008_v011_auth_tenant_ops.sql +95 -0
package/package.json +78 -0

package/dist/runtime/sandbox-runner.js ADDED Viewed

@@ -0,0 +1,114 @@
+import { spawn } from "node:child_process";
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+function redact(text, secret) {
+    return text
+        .replaceAll(secret, "[REDACTED_SECRET]")
+        .replace(/gh[pousr]_[A-Za-z0-9_]+/g, "[REDACTED_GITHUB_TOKEN]")
+        .replace(/github_pat_[A-Za-z0-9_]+/g, "[REDACTED_GITHUB_TOKEN]")
+        .replace(/Bearer\s+[A-Za-z0-9._-]+/gi, "Bearer [REDACTED_TOKEN]");
+}
+function truncate(text, maxLength) {
+    if (text.length <= maxLength) {
+        return { value: text, truncated: false };
+    }
+    return {
+        value: `${text.slice(0, maxLength)}\n...[truncated]`,
+        truncated: true,
+    };
+}
+export class SandboxRunner {
+    config;
+    constructor(config) {
+        this.config = config;
+    }
+    sanitizeEnv(inputEnv, secretEnvName) {
+        if (!inputEnv) {
+            return {};
+        }
+        const reservedNames = new Set(["PATH", "HOME", secretEnvName]);
+        const sanitized = {};
+        for (const [name, value] of Object.entries(inputEnv)) {
+            if (reservedNames.has(name)) {
+                throw new Error(`Sandbox env variable is reserved and cannot be overridden: ${name}`);
+            }
+            if (!this.config.sandboxEnvAllowlist.includes(name)) {
+                throw new Error(`Sandbox env variable is not allowlisted: ${name}`);
+            }
+            sanitized[name] = value;
+        }
+        return sanitized;
+    }
+    async run(input, secret, secretEnvName) {
+        if (!this.config.sandboxInjectionEnabled) {
+            throw new Error("Sandbox injection mode is disabled.");
+        }
+        if (!this.config.sandboxCommandAllowlist.includes(input.command)) {
+            throw new Error(`Command is not allowlisted for sandbox execution: ${input.command}`);
+        }
+        const cwd = await fs.mkdtemp(path.join(os.tmpdir(), "keylore-sandbox-"));
+        const startedAt = Date.now();
+        const sanitizedEnv = this.sanitizeEnv(input.env, secretEnvName);
+        try {
+            const result = await new Promise((resolve, reject) => {
+                const child = spawn(input.command, input.args, {
+                    cwd,
+                    shell: false,
+                    stdio: ["ignore", "pipe", "pipe"],
+                    env: {
+                        PATH: process.env.PATH,
+                        HOME: process.env.HOME,
+                        ...sanitizedEnv,
+                        [secretEnvName]: secret,
+                    },
+                });
+                let stdout = "";
+                let stderr = "";
+                let timedOut = false;
+                const timeoutMs = input.timeoutMs ?? this.config.sandboxDefaultTimeoutMs;
+                const timer = setTimeout(() => {
+                    timedOut = true;
+                    child.kill("SIGKILL");
+                }, timeoutMs);
+                child.stdout.setEncoding("utf8");
+                child.stderr.setEncoding("utf8");
+                child.stdout.on("data", (chunk) => {
+                    stdout += chunk;
+                });
+                child.stderr.on("data", (chunk) => {
+                    stderr += chunk;
+                });
+                child.on("error", (error) => {
+                    clearTimeout(timer);
+                    reject(error);
+                });
+                child.on("close", (code) => {
+                    clearTimeout(timer);
+                    resolve({
+                        exitCode: code ?? (timedOut ? 137 : 1),
+                        timedOut,
+                        stdout,
+                        stderr,
+                    });
+                });
+            });
+            const stdout = truncate(redact(result.stdout, secret), this.config.sandboxMaxOutputBytes);
+            const stderr = truncate(redact(result.stderr, secret), this.config.sandboxMaxOutputBytes);
+            return {
+                mode: "sandbox_injection",
+                command: input.command,
+                args: input.args,
+                exitCode: result.exitCode,
+                timedOut: result.timedOut,
+                durationMs: Date.now() - startedAt,
+                stdoutPreview: stdout.value,
+                stderrPreview: stderr.value,
+                outputTruncated: stdout.truncated || stderr.truncated,
+            };
+        }
+        finally {
+            await fs.rm(cwd, { recursive: true, force: true });
+        }
+    }
+}

package/dist/services/access-fingerprint.js ADDED Viewed

@@ -0,0 +1,13 @@
+import { createHash } from "node:crypto";
+export function accessFingerprint(context, input) {
+    const serialized = JSON.stringify({
+        principal: context.principal,
+        tenantId: context.tenantId ?? null,
+        credentialId: input.credentialId,
+        operation: input.operation,
+        targetUrl: input.targetUrl,
+        headers: input.headers ?? {},
+        payload: input.payload ?? "",
+    });
+    return createHash("sha256").update(serialized).digest("hex");
+}

package/dist/services/approval-service.js ADDED Viewed

@@ -0,0 +1,148 @@
+import { randomUUID } from "node:crypto";
+import { approvalRequestSchema } from "../domain/types.js";
+import { accessFingerprint } from "./access-fingerprint.js";
+export class ApprovalService {
+    approvals;
+    audit;
+    approvalTtlSeconds;
+    approvalReviewQuorum;
+    notifications;
+    traces;
+    constructor(approvals, audit, approvalTtlSeconds, approvalReviewQuorum, notifications, traces) {
+        this.approvals = approvals;
+        this.audit = audit;
+        this.approvalTtlSeconds = approvalTtlSeconds;
+        this.approvalReviewQuorum = approvalReviewQuorum;
+        this.notifications = notifications;
+        this.traces = traces;
+    }
+    async createPending(context, input, decision, tenantId) {
+        return this.traces.withSpan("approval.create_pending", { credentialId: input.credentialId }, async () => {
+            const request = approvalRequestSchema.parse({
+                id: randomUUID(),
+                tenantId,
+                createdAt: new Date().toISOString(),
+                expiresAt: new Date(Date.now() + this.approvalTtlSeconds * 1000).toISOString(),
+                status: "pending",
+                requestedBy: context.principal,
+                requestedRoles: context.roles,
+                credentialId: input.credentialId,
+                operation: input.operation,
+                targetUrl: input.targetUrl,
+                targetHost: new URL(input.targetUrl).hostname,
+                reason: decision.reason,
+                ruleId: decision.ruleId,
+                correlationId: decision.correlationId,
+                fingerprint: accessFingerprint(context, input),
+                requiredApprovals: this.approvalReviewQuorum,
+                approvalCount: 0,
+                denialCount: 0,
+                reviews: [],
+            });
+            const created = await this.approvals.create(request);
+            await this.audit.record({
+                type: "approval.request",
+                action: "approval.request",
+                outcome: "success",
+                tenantId,
+                principal: context.principal,
+                correlationId: decision.correlationId,
+                metadata: {
+                    approvalId: created.id,
+                    tenantId,
+                    credentialId: created.credentialId,
+                    operation: created.operation,
+                    targetHost: created.targetHost,
+                    ruleId: created.ruleId ?? null,
+                    requiredApprovals: created.requiredApprovals,
+                },
+            });
+            await this.notifications.send("approval.pending", {
+                approvalId: created.id,
+                credentialId: created.credentialId,
+                requestedBy: created.requestedBy,
+                requiredApprovals: created.requiredApprovals,
+                targetHost: created.targetHost,
+            });
+            return created;
+        });
+    }
+    async verifyApproval(context, input) {
+        await this.approvals.expireStale();
+        if (!input.approvalId) {
+            return undefined;
+        }
+        const approval = await this.approvals.getById(input.approvalId);
+        if (!approval || approval.status !== "approved") {
+            return undefined;
+        }
+        if (context.tenantId && approval.tenantId !== context.tenantId) {
+            return undefined;
+        }
+        if (new Date(approval.expiresAt).getTime() <= Date.now()) {
+            return undefined;
+        }
+        return approval.fingerprint === accessFingerprint(context, input) ? approval : undefined;
+    }
+    async list(context, status) {
+        await this.approvals.expireStale();
+        return this.approvals.list(status, context.tenantId);
+    }
+    async review(id, context, status, note) {
+        return this.traces.withSpan("approval.review", { approvalId: id, decision: status }, async () => {
+            await this.approvals.expireStale();
+            const existing = await this.approvals.getById(id);
+            if (existing && context.tenantId && existing.tenantId !== context.tenantId) {
+                throw new Error("Tenant access denied.");
+            }
+            const reviewed = await this.approvals.review(id, {
+                status,
+                reviewedBy: context.principal,
+                reviewNote: note,
+            });
+            if (reviewed) {
+                await this.audit.record({
+                    type: "approval.review",
+                    action: `approval.${status}`,
+                    outcome: status === "approved" ? "allowed" : "denied",
+                    tenantId: reviewed.tenantId,
+                    principal: context.principal,
+                    correlationId: reviewed.correlationId,
+                    metadata: {
+                        approvalId: reviewed.id,
+                        tenantId: reviewed.tenantId,
+                        credentialId: reviewed.credentialId,
+                        requestedBy: reviewed.requestedBy,
+                        reviewNote: reviewed.reviewNote ?? null,
+                        approvalCount: reviewed.approvalCount,
+                        denialCount: reviewed.denialCount,
+                        requiredApprovals: reviewed.requiredApprovals,
+                        currentStatus: reviewed.status,
+                    },
+                });
+                await this.notifications.send("approval.reviewed", {
+                    approvalId: reviewed.id,
+                    credentialId: reviewed.credentialId,
+                    requestedBy: reviewed.requestedBy,
+                    reviewer: context.principal,
+                    decision: status,
+                    currentStatus: reviewed.status,
+                    approvalCount: reviewed.approvalCount,
+                    denialCount: reviewed.denialCount,
+                    requiredApprovals: reviewed.requiredApprovals,
+                });
+                if (reviewed.status === "approved" || reviewed.status === "denied") {
+                    await this.notifications.send(`approval.${reviewed.status}`, {
+                        approvalId: reviewed.id,
+                        credentialId: reviewed.credentialId,
+                        requestedBy: reviewed.requestedBy,
+                        approvalCount: reviewed.approvalCount,
+                        denialCount: reviewed.denialCount,
+                        requiredApprovals: reviewed.requiredApprovals,
+                    });
+                }
+            }
+            return reviewed;
+        });
+    }
+}

package/dist/services/audit-log.js ADDED Viewed

@@ -0,0 +1,38 @@
+import { randomUUID } from "node:crypto";
+import { auditEventSchema } from "../domain/types.js";
+import { ensureParentDirectory, readTextFile, writeTextFile } from "../repositories/json-file.js";
+export class AuditLogService {
+    filePath;
+    constructor(filePath) {
+        this.filePath = filePath;
+    }
+    async record(input) {
+        const event = auditEventSchema.parse({
+            eventId: randomUUID(),
+            occurredAt: new Date().toISOString(),
+            type: input.type,
+            action: input.action,
+            outcome: input.outcome,
+            principal: input.principal,
+            correlationId: input.correlationId ?? randomUUID(),
+            metadata: input.metadata ?? {},
+        });
+        await ensureParentDirectory(this.filePath);
+        const existing = (await readTextFile(this.filePath)) ?? "";
+        await writeTextFile(this.filePath, `${existing}${JSON.stringify(event)}\n`);
+        return event;
+    }
+    async listRecent(limit = 20) {
+        const text = await readTextFile(this.filePath);
+        if (!text) {
+            return [];
+        }
+        return text
+            .trim()
+            .split("\n")
+            .filter(Boolean)
+            .map((line) => auditEventSchema.parse(JSON.parse(line)))
+            .slice(-limit)
+            .reverse();
+    }
+}

package/dist/services/auth-context.js ADDED Viewed

@@ -0,0 +1,43 @@
+import { authContextSchema } from "../domain/types.js";
+const allScopes = [
+    "catalog:read",
+    "catalog:write",
+    "admin:read",
+    "admin:write",
+    "auth:read",
+    "auth:write",
+    "broker:use",
+    "sandbox:run",
+    "audit:read",
+    "approval:read",
+    "approval:review",
+    "system:read",
+    "system:write",
+    "backup:read",
+    "backup:write",
+    "breakglass:request",
+    "breakglass:read",
+    "breakglass:review",
+    "mcp:use",
+];
+const localRoles = [
+    "admin",
+    "auth_admin",
+    "operator",
+    "maintenance_operator",
+    "backup_operator",
+    "breakglass_operator",
+    "auditor",
+    "approver",
+];
+export function localOperatorContext(principal) {
+    return authContextSchema.parse({
+        principal,
+        clientId: "local-cli",
+        roles: localRoles,
+        scopes: allScopes,
+    });
+}
+export function authContextFromToken(auth) {
+    return authContextSchema.parse(auth);
+}

package/dist/services/auth-secrets.js ADDED Viewed

@@ -0,0 +1,14 @@
+import { randomBytes, scryptSync, timingSafeEqual, createHash } from "node:crypto";
+export function hashSecret(secret) {
+    const salt = randomBytes(16).toString("hex");
+    const hash = scryptSync(secret, salt, 64).toString("hex");
+    return { salt, hash };
+}
+export function verifySecret(secret, salt, expectedHash) {
+    const derived = scryptSync(secret, salt, 64);
+    const expected = Buffer.from(expectedHash, "hex");
+    return derived.length === expected.length && timingSafeEqual(derived, expected);
+}
+export function hashOpaqueToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}