@vaharoni/devops 1.2.8 → 1.2.10

package/dist/app-support/crypto/aes.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Encrypts a plaintext string using AES-256-GCM with the given key.
+ * @param plaintext
+ * @param key - The key to use for encryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The encrypted ciphertext.
+ */
+export declare function encryptAes256Gcm(plaintext: string, key?: Buffer): string;
+/**
+ * Decrypts a ciphertext string using AES-256-GCM with the given key.
+ * @param ciphertext - The ciphertext to decrypt.
+ * @param key - The key to use for decryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The decrypted plaintext.
+ */
+export declare function decryptAes256Gcm(ciphertext: string, key?: Buffer): string;
+//# sourceMappingURL=aes.d.ts.map

package/dist/app-support/crypto/aes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aes.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/aes.ts"],"names":[],"mappings":"AAaA;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAqBxE;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAiBzE"}

package/dist/app-support/crypto/aes.js

@@ -0,0 +1,56 @@
+import crypto from "crypto";
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12; // GCM recommended IV length
+const AUTH_TAG_LENGTH = 16;
+function getKey() {
+    const keyStr = process.env.MONOREPO_BASE_SECRET;
+    if (!keyStr)
+        throw new Error("MONOREPO_BASE_SECRET not set");
+    // The secret is 32 random bytes stored as hex (64 chars) - decode it directly
+    return Buffer.from(keyStr, "hex");
+}
+/**
+ * Encrypts a plaintext string using AES-256-GCM with the given key.
+ * @param plaintext
+ * @param key - The key to use for encryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The encrypted ciphertext.
+ */
+export function encryptAes256Gcm(plaintext, key) {
+    key ??= getKey();
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+        authTagLength: AUTH_TAG_LENGTH,
+    });
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, "utf8"),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    // Format: iv:authTag:ciphertext (all base64)
+    return [
+        iv.toString("base64"),
+        authTag.toString("base64"),
+        encrypted.toString("base64"),
+    ].join(":");
+}
+/**
+ * Decrypts a ciphertext string using AES-256-GCM with the given key.
+ * @param ciphertext - The ciphertext to decrypt.
+ * @param key - The key to use for decryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The decrypted plaintext.
+ */
+export function decryptAes256Gcm(ciphertext, key) {
+    key ??= getKey();
+    const [ivB64, authTagB64, encryptedB64] = ciphertext.split(":");
+    const iv = Buffer.from(ivB64, "base64");
+    const authTag = Buffer.from(authTagB64, "base64");
+    const encrypted = Buffer.from(encryptedB64, "base64");
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+        authTagLength: AUTH_TAG_LENGTH,
+    });
+    decipher.setAuthTag(authTag);
+    return Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final(),
+    ]).toString("utf8");
+}

package/dist/app-support/crypto/aes.spec.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=aes.spec.d.ts.map

package/dist/app-support/crypto/aes.spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aes.spec.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/aes.spec.ts"],"names":[],"mappings":""}

package/dist/app-support/crypto/aes.spec.js

@@ -0,0 +1,58 @@
+import { beforeEach, describe, expect, it } from 'vitest';
+import { encryptAes256Gcm, decryptAes256Gcm } from './aes';
+describe('AES-256-GCM encrypt and decrypt', () => {
+    beforeEach(() => {
+        // AES-256 requires a 32-byte key (64 hex characters)
+        process.env.MONOREPO_BASE_SECRET = '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef';
+    });
+    it('should encrypt and decrypt a simple string', () => {
+        const plaintext = 'hello world';
+        const encrypted = encryptAes256Gcm(plaintext);
+        const decrypted = decryptAes256Gcm(encrypted);
+        expect(decrypted).toEqual(plaintext);
+    });
+    it('should encrypt and decrypt an empty string', () => {
+        const plaintext = '';
+        const encrypted = encryptAes256Gcm(plaintext);
+        const decrypted = decryptAes256Gcm(encrypted);
+        expect(decrypted).toEqual(plaintext);
+    });
+    it('should encrypt and decrypt unicode text', () => {
+        const plaintext = '你好世界 🌍 héllo';
+        const encrypted = encryptAes256Gcm(plaintext);
+        const decrypted = decryptAes256Gcm(encrypted);
+        expect(decrypted).toEqual(plaintext);
+    });
+    it('should produce different ciphertexts for the same plaintext (random IV)', () => {
+        const plaintext = 'same input';
+        const encrypted1 = encryptAes256Gcm(plaintext);
+        const encrypted2 = encryptAes256Gcm(plaintext);
+        expect(encrypted1).not.toEqual(encrypted2);
+        // But both should decrypt to the same value
+        expect(decryptAes256Gcm(encrypted1)).toEqual(plaintext);
+        expect(decryptAes256Gcm(encrypted2)).toEqual(plaintext);
+    });
+    it('should produce ciphertext in expected format (iv:authTag:ciphertext)', () => {
+        const encrypted = encryptAes256Gcm('test');
+        const parts = encrypted.split(':');
+        expect(parts).toHaveLength(3);
+        // All parts should be valid base64
+        parts.forEach((part) => {
+            expect(() => Buffer.from(part, 'base64')).not.toThrow();
+        });
+    });
+    it('should throw on tampered ciphertext', () => {
+        const encrypted = encryptAes256Gcm('sensitive data');
+        const [iv, authTag, ciphertext] = encrypted.split(':');
+        const tamperedCiphertext = `${iv}:${authTag}:${ciphertext.slice(0, -1)}x`;
+        expect(() => decryptAes256Gcm(tamperedCiphertext)).toThrow();
+    });
+    it('should throw on tampered auth tag', () => {
+        const encrypted = encryptAes256Gcm('sensitive data');
+        const [iv, _authTag, ciphertext] = encrypted.split(':');
+        // Use a completely different auth tag (all zeros)
+        const fakeAuthTag = Buffer.alloc(16, 0).toString('base64');
+        const tamperedTag = `${iv}:${fakeAuthTag}:${ciphertext}`;
+        expect(() => decryptAes256Gcm(tamperedTag)).toThrow();
+    });
+});

package/dist/app-support/crypto/index.d.ts

@@ -1,3 +1,4 @@
+export { encryptAes256Gcm, decryptAes256Gcm } from "./aes";
 /**
  * A simple token generation/verification class that relies on the subject field of an internal JWT-like token. It can:
  * - generate a short-lived (60s) token with the given subject

package/dist/app-support/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/index.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,qBAAa,aAAa;IACL,OAAO,EAAE,MAAM;gBAAf,OAAO,EAAE,MAAM;IAElC,QAAQ;IAIR,aAAa,CAAC,KAAK,EAAE,MAAM;IAO3B,uBAAuB,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI;CAO5D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/app-support/crypto/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AAE3D;;;;;;GAMG;AACH,qBAAa,aAAa;IACL,OAAO,EAAE,MAAM;gBAAf,OAAO,EAAE,MAAM;IAElC,QAAQ;IAIR,aAAa,CAAC,KAAK,EAAE,MAAM;IAO3B,uBAAuB,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,IAAI;CAO5D"}

package/dist/app-support/crypto/index.js

@@ -1,4 +1,5 @@
 import { generateInternalAuthToken, parseInternalAuthTokenOrThrow } from "./internal-token";
+export { encryptAes256Gcm, decryptAes256Gcm } from "./aes";
 /**
  * A simple token generation/verification class that relies on the subject field of an internal JWT-like token. It can:
  * - generate a short-lived (60s) token with the given subject

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vaharoni/devops",
   "type": "module",
-  "version": "1.2.8",
+  "version": "1.2.10",
   "description": "Devops utility",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",

package/src/app-support/crypto/aes.spec.ts

@@ -0,0 +1,66 @@
+import { beforeEach, describe, expect, it } from 'vitest';
+import { encryptAes256Gcm, decryptAes256Gcm } from './aes';
+
+describe('AES-256-GCM encrypt and decrypt', () => {
+  beforeEach(() => {
+    // AES-256 requires a 32-byte key (64 hex characters)
+    process.env.MONOREPO_BASE_SECRET = '1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef';
+  });
+
+  it('should encrypt and decrypt a simple string', () => {
+    const plaintext = 'hello world';
+    const encrypted = encryptAes256Gcm(plaintext);
+    const decrypted = decryptAes256Gcm(encrypted);
+    expect(decrypted).toEqual(plaintext);
+  });
+
+  it('should encrypt and decrypt an empty string', () => {
+    const plaintext = '';
+    const encrypted = encryptAes256Gcm(plaintext);
+    const decrypted = decryptAes256Gcm(encrypted);
+    expect(decrypted).toEqual(plaintext);
+  });
+
+  it('should encrypt and decrypt unicode text', () => {
+    const plaintext = '你好世界 🌍 héllo';
+    const encrypted = encryptAes256Gcm(plaintext);
+    const decrypted = decryptAes256Gcm(encrypted);
+    expect(decrypted).toEqual(plaintext);
+  });
+
+  it('should produce different ciphertexts for the same plaintext (random IV)', () => {
+    const plaintext = 'same input';
+    const encrypted1 = encryptAes256Gcm(plaintext);
+    const encrypted2 = encryptAes256Gcm(plaintext);
+    expect(encrypted1).not.toEqual(encrypted2);
+    // But both should decrypt to the same value
+    expect(decryptAes256Gcm(encrypted1)).toEqual(plaintext);
+    expect(decryptAes256Gcm(encrypted2)).toEqual(plaintext);
+  });
+
+  it('should produce ciphertext in expected format (iv:authTag:ciphertext)', () => {
+    const encrypted = encryptAes256Gcm('test');
+    const parts = encrypted.split(':');
+    expect(parts).toHaveLength(3);
+    // All parts should be valid base64
+    parts.forEach((part) => {
+      expect(() => Buffer.from(part, 'base64')).not.toThrow();
+    });
+  });
+
+  it('should throw on tampered ciphertext', () => {
+    const encrypted = encryptAes256Gcm('sensitive data');
+    const [iv, authTag, ciphertext] = encrypted.split(':');
+    const tamperedCiphertext = `${iv}:${authTag}:${ciphertext.slice(0, -1)}x`;
+    expect(() => decryptAes256Gcm(tamperedCiphertext)).toThrow();
+  });
+
+  it('should throw on tampered auth tag', () => {
+    const encrypted = encryptAes256Gcm('sensitive data');
+    const [iv, _authTag, ciphertext] = encrypted.split(':');
+    // Use a completely different auth tag (all zeros)
+    const fakeAuthTag = Buffer.alloc(16, 0).toString('base64');
+    const tamperedTag = `${iv}:${fakeAuthTag}:${ciphertext}`;
+    expect(() => decryptAes256Gcm(tamperedTag)).toThrow();
+  });
+});

package/src/app-support/crypto/aes.ts

@@ -0,0 +1,66 @@
+import crypto from "crypto";
+
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 12; // GCM recommended IV length
+const AUTH_TAG_LENGTH = 16;
+
+function getKey(): Buffer {
+  const keyStr = process.env.MONOREPO_BASE_SECRET;
+  if (!keyStr) throw new Error("MONOREPO_BASE_SECRET not set");
+  // The secret is 32 random bytes stored as hex (64 chars) - decode it directly
+  return Buffer.from(keyStr, "hex");
+}
+
+/**
+ * Encrypts a plaintext string using AES-256-GCM with the given key.
+ * @param plaintext 
+ * @param key - The key to use for encryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The encrypted ciphertext.
+ */
+export function encryptAes256Gcm(plaintext: string, key?: Buffer): string {
+  key ??= getKey();
+  const iv = crypto.randomBytes(IV_LENGTH);
+
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  const encrypted = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final(),
+  ]);
+
+  const authTag = cipher.getAuthTag();
+
+  // Format: iv:authTag:ciphertext (all base64)
+  return [
+    iv.toString("base64"),
+    authTag.toString("base64"),
+    encrypted.toString("base64"),
+  ].join(":");
+}
+
+/**
+ * Decrypts a ciphertext string using AES-256-GCM with the given key.
+ * @param ciphertext - The ciphertext to decrypt.
+ * @param key - The key to use for decryption. If not provided, the key will be derived from the MONOREPO_BASE_SECRET environment variable.
+ * @returns The decrypted plaintext.
+ */
+export function decryptAes256Gcm(ciphertext: string, key?: Buffer): string {
+  key ??= getKey();
+  const [ivB64, authTagB64, encryptedB64] = ciphertext.split(":");
+
+  const iv = Buffer.from(ivB64, "base64");
+  const authTag = Buffer.from(authTagB64, "base64");
+  const encrypted = Buffer.from(encryptedB64, "base64");
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(authTag);
+
+  return Buffer.concat([
+    decipher.update(encrypted),
+    decipher.final(),
+  ]).toString("utf8");
+}

package/src/app-support/crypto/index.ts

@@ -1,4 +1,5 @@
 import { generateInternalAuthToken, parseInternalAuthTokenOrThrow } from "./internal-token";
+export { encryptAes256Gcm, decryptAes256Gcm } from "./aes";
 
 /** 
  * A simple token generation/verification class that relies on the subject field of an internal JWT-like token. It can:

package/dist/test.d.ts

@@ -1,2 +0,0 @@
-export {};
-//# sourceMappingURL=test.d.ts.map

package/dist/test.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"test.d.ts","sourceRoot":"","sources":["../src/test.ts"],"names":[],"mappings":""}

package/dist/test.js

@@ -1 +0,0 @@
-export {};