@simonsbs/keylore 1.0.0-rc4

package/dist/services/core-mode-service.js

@@ -0,0 +1,154 @@
+import { coreCredentialCreateInputSchema, } from "../domain/types.js";
+export class CoreModeService {
+    broker;
+    policies;
+    localSecrets;
+    defaultPrincipal;
+    coreRoles = ["admin", "operator"];
+    reconcileScopes = ["catalog:read", "catalog:write"];
+    constructor(broker, policies, localSecrets, defaultPrincipal) {
+        this.broker = broker;
+        this.policies = policies;
+        this.localSecrets = localSecrets;
+        this.defaultPrincipal = defaultPrincipal;
+    }
+    coreAllowRuleId(tenantId, credentialId) {
+        const safeTenant = tenantId.replace(/[^a-zA-Z0-9_-]+/g, "-");
+        const safeCredential = credentialId.replace(/[^a-zA-Z0-9_-]+/g, "-");
+        return `core-allow-${safeTenant}-${safeCredential}`;
+    }
+    buildCoreAllowRule(credential) {
+        return {
+            id: this.coreAllowRuleId(credential.tenantId, credential.id),
+            tenantId: credential.tenantId,
+            effect: "allow",
+            description: `Core mode auto-allow rule for ${credential.displayName}.`,
+            principals: ["*"],
+            principalRoles: this.coreRoles,
+            credentialIds: [credential.id],
+            services: [credential.service],
+            operations: credential.permittedOperations,
+            domainPatterns: credential.allowedDomains,
+            environments: ["development", "test"],
+        };
+    }
+    async syncCoreAllowRule(credential) {
+        const policies = await this.policies.read();
+        const ruleId = this.coreAllowRuleId(credential.tenantId, credential.id);
+        const nextRules = policies.rules.filter((rule) => rule.id !== ruleId);
+        nextRules.push(this.buildCoreAllowRule(credential));
+        await this.policies.replaceAll({
+            version: policies.version,
+            rules: nextRules,
+        });
+    }
+    async deleteCoreAllowRule(tenantId, credentialId) {
+        const policies = await this.policies.read();
+        const ruleId = this.coreAllowRuleId(tenantId, credentialId);
+        await this.policies.replaceAll({
+            version: policies.version,
+            rules: policies.rules.filter((rule) => rule.id !== ruleId),
+        });
+    }
+    async reconcileLocalCredentialPolicies() {
+        const credentials = await this.broker.listCredentials({
+            principal: this.defaultPrincipal,
+            clientId: this.defaultPrincipal,
+            tenantId: "default",
+            roles: this.coreRoles,
+            scopes: this.reconcileScopes,
+        });
+        const localCredentials = credentials.filter((credential) => credential.owner === "local");
+        for (const credential of localCredentials) {
+            await this.syncCoreAllowRule(credential);
+        }
+    }
+    async createCredential(context, input) {
+        const parsed = coreCredentialCreateInputSchema.parse(input);
+        const existing = await this.broker.getCredential(context, parsed.credentialId);
+        if (existing) {
+            throw new Error(`Credential ${parsed.credentialId} already exists.`);
+        }
+        const binding = parsed.secretSource.adapter === "local"
+            ? {
+                adapter: "local",
+                ref: `local:${parsed.tenantId}:${parsed.credentialId}`,
+                authType: parsed.authType,
+                headerName: parsed.headerName,
+                headerPrefix: parsed.headerPrefix,
+                injectionEnvName: parsed.injectionEnvName,
+            }
+            : {
+                adapter: "env",
+                ref: parsed.secretSource.ref,
+                authType: parsed.authType,
+                headerName: parsed.headerName,
+                headerPrefix: parsed.headerPrefix,
+                injectionEnvName: parsed.injectionEnvName,
+            };
+        const record = {
+            id: parsed.credentialId,
+            tenantId: parsed.tenantId,
+            displayName: parsed.displayName,
+            service: parsed.service,
+            owner: parsed.owner,
+            scopeTier: parsed.scopeTier,
+            sensitivity: parsed.sensitivity,
+            allowedDomains: parsed.allowedDomains,
+            permittedOperations: parsed.permittedOperations,
+            expiresAt: parsed.expiresAt,
+            rotationPolicy: parsed.rotationPolicy,
+            lastValidatedAt: null,
+            selectionNotes: parsed.selectionNotes,
+            binding,
+            tags: parsed.tags,
+            status: parsed.status,
+        };
+        if (parsed.secretSource.adapter === "local") {
+            await this.localSecrets.put(binding.ref, parsed.secretSource.secretValue);
+            try {
+                const created = await this.broker.createCredential(context, record);
+                try {
+                    await this.syncCoreAllowRule(created);
+                }
+                catch (error) {
+                    await this.broker.deleteCredential(context, created.id);
+                    await this.localSecrets.delete(binding.ref);
+                    throw error;
+                }
+                return created;
+            }
+            catch (error) {
+                await this.localSecrets.delete(binding.ref);
+                throw error;
+            }
+        }
+        const created = await this.broker.createCredential(context, record);
+        try {
+            await this.syncCoreAllowRule(created);
+        }
+        catch (error) {
+            await this.broker.deleteCredential(context, created.id);
+            throw error;
+        }
+        return created;
+    }
+    async updateCredentialContext(context, credentialId, patch) {
+        const updated = await this.broker.updateCredential(context, credentialId, patch);
+        await this.syncCoreAllowRule(updated);
+        return updated;
+    }
+    async deleteCredential(context, credentialId) {
+        const existing = await this.broker.getCredential(context, credentialId);
+        if (!existing) {
+            return false;
+        }
+        const deleted = await this.broker.deleteCredential(context, credentialId);
+        if (!deleted) {
+            return false;
+        }
+        await this.localSecrets.delete(`local:${existing.tenantId}:${existing.id}`);
+        await this.deleteCoreAllowRule(existing.tenantId, existing.id);
+        return true;
+    }
+}

package/dist/services/egress-policy.js

@@ -0,0 +1,119 @@
+import dns from "node:dns/promises";
+import net from "node:net";
+function matchPattern(value, pattern) {
+    const normalizedValue = value.toLowerCase();
+    const normalizedPattern = pattern.toLowerCase();
+    if (normalizedPattern === "*") {
+        return true;
+    }
+    if (normalizedPattern.startsWith("*.")) {
+        return (normalizedValue === normalizedPattern.slice(2) ||
+            normalizedValue.endsWith(normalizedPattern.slice(1)));
+    }
+    return normalizedValue === normalizedPattern;
+}
+function isLoopbackHostname(hostname) {
+    return hostname === "localhost";
+}
+function isLoopbackIp(ip) {
+    return ip === "::1" || ip === "127.0.0.1" || ip.startsWith("127.");
+}
+function isBlockedIpv4(ip) {
+    const octets = ip.split(".").map((value) => Number.parseInt(value, 10));
+    if (octets.length !== 4 || octets.some((value) => Number.isNaN(value) || value < 0 || value > 255)) {
+        return true;
+    }
+    const [a, b, c] = octets;
+    if (a === 0 || a === 10 || a === 127) {
+        return true;
+    }
+    if (a === 100 && b >= 64 && b <= 127) {
+        return true;
+    }
+    if (a === 169 && b === 254) {
+        return true;
+    }
+    if (a === 172 && b >= 16 && b <= 31) {
+        return true;
+    }
+    if (a === 192 && b === 0) {
+        return true;
+    }
+    if (a === 192 && b === 168) {
+        return true;
+    }
+    if (a === 192 && b === 0 && c === 2) {
+        return true;
+    }
+    if (a === 198 && (b === 18 || b === 19 || b === 51) && c === 100) {
+        return true;
+    }
+    if (a === 203 && b === 0 && c === 113) {
+        return true;
+    }
+    return a >= 224;
+}
+function isBlockedIpv6(ip) {
+    const normalized = ip.toLowerCase();
+    return (normalized === "::" ||
+        normalized === "::1" ||
+        normalized.startsWith("fc") ||
+        normalized.startsWith("fd") ||
+        normalized.startsWith("fe8") ||
+        normalized.startsWith("fe9") ||
+        normalized.startsWith("fea") ||
+        normalized.startsWith("feb") ||
+        normalized.startsWith("::ffff:127.") ||
+        normalized.startsWith("::ffff:10.") ||
+        normalized.startsWith("::ffff:192.168.") ||
+        normalized.startsWith("::ffff:172.16.") ||
+        normalized.startsWith("::ffff:172.17.") ||
+        normalized.startsWith("::ffff:172.18.") ||
+        normalized.startsWith("::ffff:172.19.") ||
+        normalized.startsWith("::ffff:172.2") ||
+        normalized.startsWith("::ffff:169.254."));
+}
+function isBlockedIp(ip) {
+    if (net.isIPv4(ip)) {
+        return isBlockedIpv4(ip);
+    }
+    if (net.isIPv6(ip)) {
+        return isBlockedIpv6(ip);
+    }
+    return true;
+}
+async function resolveAddresses(hostname) {
+    try {
+        const records = await dns.lookup(hostname, { all: true, verbatim: true });
+        return records.map((record) => record.address);
+    }
+    catch {
+        return [];
+    }
+}
+export async function validateEgressTarget(rawUrl, config) {
+    const targetUrl = new URL(rawUrl);
+    const hostname = targetUrl.hostname;
+    const hostAllowlisted = config.egressAllowedHosts.some((pattern) => matchPattern(hostname, pattern));
+    const isLoopbackHost = isLoopbackHostname(hostname);
+    const isLoopbackHttp = targetUrl.protocol === "http:" && isLoopbackHost;
+    if (targetUrl.protocol !== "https:" && !isLoopbackHttp) {
+        throw new Error("Only HTTPS targets are allowed, except localhost for local development.");
+    }
+    if (targetUrl.protocol === "https:" &&
+        targetUrl.port.length > 0 &&
+        !config.egressAllowedHttpsPorts.includes(Number.parseInt(targetUrl.port, 10)) &&
+        !hostAllowlisted) {
+        throw new Error("HTTPS target port is not allowlisted by egress policy.");
+    }
+    if (config.egressAllowPrivateIps || hostAllowlisted || isLoopbackHost) {
+        return targetUrl;
+    }
+    const addresses = net.isIP(hostname) > 0
+        ? [hostname]
+        : await resolveAddresses(hostname);
+    if (addresses.some((address) => isLoopbackIp(address) || isBlockedIp(address))) {
+        throw new Error("Target resolves to a blocked private, loopback, or link-local address.");
+    }
+    return targetUrl;
+}

package/dist/services/local-secret-store.js

@@ -0,0 +1,119 @@
+import { createCipheriv, createDecipheriv, randomBytes, } from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+function encode(value) {
+    return value.toString("base64");
+}
+function decode(value) {
+    return Buffer.from(value, "base64");
+}
+const EMPTY_STORE = {
+    version: 1,
+    entries: {},
+};
+export class LocalSecretStore {
+    secretsFilePath;
+    keyFilePath;
+    constructor(secretsFilePath, keyFilePath) {
+        this.secretsFilePath = secretsFilePath;
+        this.keyFilePath = keyFilePath;
+    }
+    async ensureParentDirs() {
+        await fs.mkdir(path.dirname(this.secretsFilePath), { recursive: true });
+        await fs.mkdir(path.dirname(this.keyFilePath), { recursive: true });
+    }
+    async loadKey() {
+        await this.ensureParentDirs();
+        try {
+            const existing = await fs.readFile(this.keyFilePath, "utf8");
+            return decode(existing.trim());
+        }
+        catch (error) {
+            if (!(error instanceof Error) || !("code" in error) || error.code !== "ENOENT") {
+                throw error;
+            }
+        }
+        const key = randomBytes(32);
+        await fs.writeFile(this.keyFilePath, encode(key), { mode: 0o600 });
+        return key;
+    }
+    async loadStore() {
+        await this.ensureParentDirs();
+        try {
+            const raw = await fs.readFile(this.secretsFilePath, "utf8");
+            const parsed = JSON.parse(raw);
+            if (parsed.version !== 1 || typeof parsed.entries !== "object" || !parsed.entries) {
+                throw new Error("Local secret store file is invalid.");
+            }
+            return parsed;
+        }
+        catch (error) {
+            if (!(error instanceof Error) || !("code" in error) || error.code !== "ENOENT") {
+                throw error;
+            }
+            return { ...EMPTY_STORE, entries: {} };
+        }
+    }
+    async saveStore(store) {
+        await this.ensureParentDirs();
+        const tempPath = `${this.secretsFilePath}.tmp`;
+        await fs.writeFile(tempPath, `${JSON.stringify(store, null, 2)}\n`, { mode: 0o600 });
+        await fs.rename(tempPath, this.secretsFilePath);
+    }
+    async encrypt(secret) {
+        const key = await this.loadKey();
+        const iv = randomBytes(12);
+        const cipher = createCipheriv("aes-256-gcm", key, iv);
+        const ciphertext = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return {
+            iv: encode(iv),
+            tag: encode(tag),
+            ciphertext: encode(ciphertext),
+            updatedAt: new Date().toISOString(),
+        };
+    }
+    async decrypt(entry) {
+        const key = await this.loadKey();
+        const decipher = createDecipheriv("aes-256-gcm", key, decode(entry.iv));
+        decipher.setAuthTag(decode(entry.tag));
+        const secret = Buffer.concat([
+            decipher.update(decode(entry.ciphertext)),
+            decipher.final(),
+        ]);
+        return secret.toString("utf8");
+    }
+    async put(ref, secret) {
+        const store = await this.loadStore();
+        store.entries[ref] = await this.encrypt(secret);
+        await this.saveStore(store);
+    }
+    async get(ref) {
+        const store = await this.loadStore();
+        const entry = store.entries[ref];
+        if (!entry) {
+            return undefined;
+        }
+        return this.decrypt(entry);
+    }
+    async delete(ref) {
+        const store = await this.loadStore();
+        if (!store.entries[ref]) {
+            return;
+        }
+        delete store.entries[ref];
+        await this.saveStore(store);
+    }
+    async inspect(ref) {
+        const store = await this.loadStore();
+        const entry = store.entries[ref];
+        return {
+            resolved: Boolean(entry),
+            updatedAt: entry?.updatedAt,
+        };
+    }
+    async healthcheck() {
+        await this.loadKey();
+        await this.loadStore();
+    }
+}

package/dist/services/maintenance-service.js

@@ -0,0 +1,99 @@
+export class MaintenanceService {
+    enabled;
+    intervalMs;
+    approvals;
+    breakGlass;
+    tokens;
+    refreshTokens;
+    rateLimits;
+    authorizationCodes;
+    assertions;
+    telemetry;
+    timer;
+    running = false;
+    statusSnapshot;
+    constructor(enabled, intervalMs, approvals, breakGlass, tokens, refreshTokens, rateLimits, authorizationCodes, assertions, telemetry) {
+        this.enabled = enabled;
+        this.intervalMs = intervalMs;
+        this.approvals = approvals;
+        this.breakGlass = breakGlass;
+        this.tokens = tokens;
+        this.refreshTokens = refreshTokens;
+        this.rateLimits = rateLimits;
+        this.authorizationCodes = authorizationCodes;
+        this.assertions = assertions;
+        this.telemetry = telemetry;
+        this.statusSnapshot = {
+            enabled,
+            intervalMs,
+            running: false,
+            consecutiveFailures: 0,
+        };
+    }
+    start() {
+        if (!this.enabled || this.timer) {
+            return;
+        }
+        this.timer = setInterval(() => {
+            void this.runOnce("scheduled");
+        }, this.intervalMs);
+        this.timer.unref();
+    }
+    async stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = undefined;
+        }
+    }
+    status() {
+        return { ...this.statusSnapshot };
+    }
+    async runOnce(task = "manual") {
+        if (this.running) {
+            throw new Error("Maintenance is already running.");
+        }
+        this.running = true;
+        this.statusSnapshot.running = true;
+        this.statusSnapshot.lastRunAt = new Date().toISOString();
+        const startedAt = Date.now();
+        try {
+            const result = {
+                approvalsExpired: await this.approvals.expireStale(),
+                breakGlassExpired: await this.breakGlass.expireStale(),
+                accessTokensExpired: await this.tokens.expireStale(),
+                refreshTokensExpired: await this.refreshTokens.expireStale(),
+                rateLimitBucketsDeleted: await this.rateLimits.cleanup(),
+                authorizationCodesExpired: await this.authorizationCodes.cleanup(),
+                oauthClientAssertionsExpired: await this.assertions.cleanup(),
+            };
+            const durationMs = Date.now() - startedAt;
+            this.statusSnapshot = {
+                ...this.statusSnapshot,
+                running: false,
+                lastSuccessAt: new Date().toISOString(),
+                lastDurationMs: durationMs,
+                consecutiveFailures: 0,
+                lastError: undefined,
+                lastResult: result,
+            };
+            this.telemetry.recordMaintenanceRun(task, "success", durationMs);
+            return result;
+        }
+        catch (error) {
+            const durationMs = Date.now() - startedAt;
+            this.statusSnapshot = {
+                ...this.statusSnapshot,
+                running: false,
+                lastDurationMs: durationMs,
+                consecutiveFailures: this.statusSnapshot.consecutiveFailures + 1,
+                lastError: error instanceof Error ? error.message : "Maintenance failed.",
+            };
+            this.telemetry.recordMaintenanceRun(task, "error", durationMs);
+            throw error;
+        }
+        finally {
+            this.running = false;
+            this.statusSnapshot.running = false;
+        }
+    }
+}

package/dist/services/notification-service.js

@@ -0,0 +1,83 @@
+import { createHmac, randomUUID } from "node:crypto";
+export class NotificationService {
+    webhookUrl;
+    signingSecret;
+    timeoutMs;
+    audit;
+    telemetry;
+    traces;
+    constructor(webhookUrl, signingSecret, timeoutMs, audit, telemetry, traces) {
+        this.webhookUrl = webhookUrl;
+        this.signingSecret = signingSecret;
+        this.timeoutMs = timeoutMs;
+        this.audit = audit;
+        this.telemetry = telemetry;
+        this.traces = traces;
+    }
+    async send(type, payload) {
+        if (!this.webhookUrl) {
+            this.telemetry.recordNotificationDelivery(type, "disabled");
+            return;
+        }
+        const webhookUrl = this.webhookUrl;
+        const envelope = {
+            id: randomUUID(),
+            type,
+            occurredAt: new Date().toISOString(),
+            traceId: this.traces.currentTraceId(),
+            payload,
+        };
+        const body = JSON.stringify(envelope);
+        const headers = {
+            "content-type": "application/json",
+            "x-keylore-event-type": type,
+            "x-keylore-event-id": envelope.id,
+        };
+        if (this.signingSecret) {
+            headers["x-keylore-signature"] = createHmac("sha256", this.signingSecret).update(body).digest("hex");
+        }
+        await this.traces.withSpan("notification.delivery", { eventType: type }, async () => {
+            const tenantId = typeof payload.tenantId === "string" && payload.tenantId.length > 0 ? payload.tenantId : undefined;
+            try {
+                const response = await fetch(webhookUrl, {
+                    method: "POST",
+                    headers,
+                    body,
+                    signal: AbortSignal.timeout(this.timeoutMs),
+                });
+                if (!response.ok) {
+                    throw new Error(`Notification webhook responded with ${response.status}.`);
+                }
+                this.telemetry.recordNotificationDelivery(type, "success");
+                await this.audit.record({
+                    type: "notification.delivery",
+                    action: `notification.${type}`,
+                    outcome: "success",
+                    tenantId,
+                    principal: "keylore-system",
+                    metadata: {
+                        tenantId: tenantId ?? null,
+                        eventType: type,
+                        webhookUrl,
+                    },
+                });
+            }
+            catch (error) {
+                this.telemetry.recordNotificationDelivery(type, "error");
+                await this.audit.record({
+                    type: "notification.delivery",
+                    action: `notification.${type}`,
+                    outcome: "error",
+                    tenantId,
+                    principal: "keylore-system",
+                    metadata: {
+                        tenantId: tenantId ?? null,
+                        eventType: type,
+                        webhookUrl,
+                        error: error instanceof Error ? error.message : "Notification delivery failed.",
+                    },
+                });
+            }
+        });
+    }
+}

package/dist/services/policy-engine.js

@@ -0,0 +1,85 @@
+function matchPattern(value, pattern) {
+    if (pattern === "*") {
+        return true;
+    }
+    const normalizedValue = value.toLowerCase();
+    const normalizedPattern = pattern.toLowerCase();
+    if (normalizedPattern.startsWith("*.")) {
+        return (normalizedValue === normalizedPattern.slice(2) ||
+            normalizedValue.endsWith(normalizedPattern.slice(1)));
+    }
+    return normalizedValue === normalizedPattern;
+}
+function ruleMatches(rule, principal, roles, credential, operation, host, environment) {
+    const principalMatch = rule.principals.some((candidate) => matchPattern(principal, candidate));
+    const roleMatch = !rule.principalRoles ||
+        rule.principalRoles.some((requiredRole) => roles.includes(requiredRole));
+    const credentialMatch = !rule.credentialIds || rule.credentialIds.some((candidate) => candidate === credential.id);
+    const serviceMatch = !rule.services || rule.services.some((candidate) => matchPattern(credential.service, candidate));
+    const operationMatch = rule.operations.some((candidate) => matchPattern(operation, candidate));
+    const domainMatch = rule.domainPatterns.some((candidate) => matchPattern(host, candidate));
+    const environmentMatch = !rule.environments ||
+        rule.environments.some((candidate) => matchPattern(environment, candidate));
+    return (principalMatch &&
+        roleMatch &&
+        credentialMatch &&
+        serviceMatch &&
+        operationMatch &&
+        domainMatch &&
+        environmentMatch);
+}
+export class PolicyEngine {
+    evaluate(policies, principal, roles, credential, operation, host, environment) {
+        if (credential.status !== "active") {
+            return { decision: "deny", reason: "Credential is not active.", ruleId: undefined };
+        }
+        if (credential.expiresAt &&
+            new Date(credential.expiresAt).getTime() <= Date.now()) {
+            return { decision: "deny", reason: "Credential has expired.", ruleId: undefined };
+        }
+        if (!credential.permittedOperations.includes(operation)) {
+            return {
+                decision: "deny",
+                reason: "Operation is not permitted for this credential.",
+                ruleId: undefined,
+            };
+        }
+        if (!credential.allowedDomains.some((domain) => matchPattern(host, domain))) {
+            return {
+                decision: "deny",
+                reason: "Target domain is not allowlisted for this credential.",
+                ruleId: undefined,
+            };
+        }
+        const matchingRules = policies.rules.filter((rule) => ruleMatches(rule, principal, roles, credential, operation, host, environment));
+        const denyRule = matchingRules.find((rule) => rule.effect === "deny");
+        if (denyRule) {
+            return {
+                decision: "deny",
+                reason: denyRule.description,
+                ruleId: denyRule.id,
+            };
+        }
+        const approvalRule = matchingRules.find((rule) => rule.effect === "approval");
+        if (approvalRule) {
+            return {
+                decision: "approval",
+                reason: approvalRule.description,
+                ruleId: approvalRule.id,
+            };
+        }
+        const allowRule = matchingRules.find((rule) => rule.effect === "allow");
+        if (allowRule) {
+            return {
+                decision: "allow",
+                reason: allowRule.description,
+                ruleId: allowRule.id,
+            };
+        }
+        return {
+            decision: "deny",
+            reason: "No matching allow rule was found. KeyLore is default-deny.",
+            ruleId: undefined,
+        };
+    }
+}