@wopr-network/platform-core 0.1.0

package/dist/security/credential-vault/key-rotation.js

@@ -0,0 +1,52 @@
+import { createHmac } from "node:crypto";
+import { decrypt, encrypt } from "../encryption.js";
+import { getVaultEncryptionKey } from "./store.js";
+/** Derive a per-tenant encryption key (duplicated from tenant-keys route to avoid circular deps). */
+function deriveTenantKey(tenantId, platformSecret) {
+    return createHmac("sha256", platformSecret).update(`tenant:${tenantId}`).digest();
+}
+/**
+ * Re-encrypt all credentials from oldSecret to newSecret.
+ *
+ * MUST be run inside a transaction by the caller.
+ * Back up the database before running this.
+ */
+export async function reEncryptAllCredentials(credentialAccess, tenantKeyAccess, oldSecret, newSecret) {
+    const result = {
+        providerCredentials: { migrated: 0, errors: [] },
+        tenantKeys: { migrated: 0, errors: [] },
+    };
+    const oldVaultKey = getVaultEncryptionKey(oldSecret);
+    const newVaultKey = getVaultEncryptionKey(newSecret);
+    // --- provider_credentials ---
+    const provRows = await credentialAccess.listAllWithEncryptedValue();
+    for (const row of provRows) {
+        try {
+            const payload = JSON.parse(row.encryptedValue);
+            const plaintext = decrypt(payload, oldVaultKey);
+            const reEncrypted = encrypt(plaintext, newVaultKey);
+            await credentialAccess.updateEncryptedValueOnly(row.id, JSON.stringify(reEncrypted));
+            result.providerCredentials.migrated++;
+        }
+        catch (err) {
+            result.providerCredentials.errors.push(`Row ${row.id}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    // --- tenant_api_keys ---
+    const tenantRows = await tenantKeyAccess.listAll();
+    for (const row of tenantRows) {
+        try {
+            const payload = JSON.parse(row.encryptedKey);
+            const oldTenantKey = deriveTenantKey(row.tenantId, oldSecret);
+            const plaintext = decrypt(payload, oldTenantKey);
+            const newTenantKey = deriveTenantKey(row.tenantId, newSecret);
+            const reEncrypted = encrypt(plaintext, newTenantKey);
+            await tenantKeyAccess.updateEncryptedKey(row.id, JSON.stringify(reEncrypted));
+            result.tenantKeys.migrated++;
+        }
+        catch (err) {
+            result.tenantKeys.errors.push(`Row ${row.id}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    return result;
+}

package/dist/security/credential-vault/key-rotation.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/security/credential-vault/key-rotation.test.js

@@ -0,0 +1,95 @@
+import { createHmac } from "node:crypto";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { decrypt, encrypt } from "../encryption.js";
+import { DrizzleCredentialRepository, DrizzleMigrationTenantKeyAccess } from "./credential-repository.js";
+import { reEncryptAllCredentials } from "./key-rotation.js";
+import { getVaultEncryptionKey } from "./store.js";
+const OLD_SECRET = "old-platform-secret-for-test";
+const NEW_SECRET = "new-platform-secret-for-test";
+const NOW_EPOCH = Math.floor(Date.now() / 1000);
+function deriveTenantKey(tenantId, secret) {
+    return createHmac("sha256", secret).update(`tenant:${tenantId}`).digest();
+}
+describe("reEncryptAllCredentials", () => {
+    let pool;
+    let db;
+    beforeAll(async () => {
+        ({ db, pool } = await createTestDb());
+    });
+    afterAll(async () => {
+        await pool.close();
+    });
+    beforeEach(async () => {
+        await truncateAllTables(pool);
+    });
+    it("re-encrypts provider credentials from old to new secret", async () => {
+        const oldKey = getVaultEncryptionKey(OLD_SECRET);
+        const encrypted = encrypt("sk-ant-real-key-12345", oldKey);
+        await pool.query("INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)", ["cred-1", "openrouter", "default", JSON.stringify(encrypted), "bearer", "test"]);
+        const credAccess = new DrizzleCredentialRepository(db);
+        const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+        const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+        expect(result.providerCredentials.migrated).toBe(1);
+        expect(result.providerCredentials.errors).toHaveLength(0);
+        const row = await pool.query("SELECT encrypted_value FROM provider_credentials WHERE id = $1", ["cred-1"]);
+        const newKey = getVaultEncryptionKey(NEW_SECRET);
+        const payload = JSON.parse(row.rows[0].encrypted_value);
+        const decrypted = decrypt(payload, newKey);
+        expect(decrypted).toBe("sk-ant-real-key-12345");
+        const oldKey2 = getVaultEncryptionKey(OLD_SECRET);
+        expect(() => decrypt(payload, oldKey2)).toThrow();
+    });
+    it("re-encrypts tenant BYOK keys from old to new secret", async () => {
+        const oldTenantKey = deriveTenantKey("t1", OLD_SECRET);
+        const encrypted = encrypt("sk-openai-tenant-key", oldTenantKey);
+        await pool.query("INSERT INTO tenant_api_keys (id, tenant_id, provider, encrypted_key, created_at, updated_at) VALUES ($1, $2, $3, $4, $5, $6)", ["tk-1", "t1", "openai", JSON.stringify(encrypted), NOW_EPOCH, NOW_EPOCH]);
+        const credAccess = new DrizzleCredentialRepository(db);
+        const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+        const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+        expect(result.tenantKeys.migrated).toBe(1);
+        expect(result.tenantKeys.errors).toHaveLength(0);
+        const row = await pool.query("SELECT encrypted_key FROM tenant_api_keys WHERE id = $1", [
+            "tk-1",
+        ]);
+        const newTenantKey = deriveTenantKey("t1", NEW_SECRET);
+        const payload = JSON.parse(row.rows[0].encrypted_key);
+        expect(decrypt(payload, newTenantKey)).toBe("sk-openai-tenant-key");
+    });
+    it("handles mixed valid and invalid rows gracefully", async () => {
+        const oldKey = getVaultEncryptionKey(OLD_SECRET);
+        const encrypted = encrypt("valid-key", oldKey);
+        await pool.query("INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)", ["cred-1", "openrouter", "default", JSON.stringify(encrypted), "bearer", "test"]);
+        await pool.query("INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)", ["cred-2", "openrouter", "default", "not-valid-json", "bearer", "test"]);
+        const credAccess = new DrizzleCredentialRepository(db);
+        const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+        const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+        expect(result.providerCredentials.migrated).toBe(1);
+        expect(result.providerCredentials.errors).toHaveLength(1);
+        expect(result.providerCredentials.errors[0]).toContain("cred-2");
+    });
+    it("returns zero counts when tables are empty", async () => {
+        const credAccess = new DrizzleCredentialRepository(db);
+        const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+        const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+        expect(result.providerCredentials.migrated).toBe(0);
+        expect(result.tenantKeys.migrated).toBe(0);
+    });
+    it("re-encrypts multiple provider credentials", async () => {
+        const oldKey = getVaultEncryptionKey(OLD_SECRET);
+        for (let i = 1; i <= 3; i++) {
+            const encrypted = encrypt(`sk-key-${i}`, oldKey);
+            await pool.query("INSERT INTO provider_credentials (id, provider, key_name, encrypted_value, auth_type, created_by) VALUES ($1, $2, $3, $4, $5, $6)", [`cred-${i}`, "openrouter", "default", JSON.stringify(encrypted), "bearer", "test"]);
+        }
+        const credAccess = new DrizzleCredentialRepository(db);
+        const tenantKeyAccess = new DrizzleMigrationTenantKeyAccess(db);
+        const result = await reEncryptAllCredentials(credAccess, tenantKeyAccess, OLD_SECRET, NEW_SECRET);
+        expect(result.providerCredentials.migrated).toBe(3);
+        const newKey = getVaultEncryptionKey(NEW_SECRET);
+        for (let i = 1; i <= 3; i++) {
+            const row = await pool.query("SELECT encrypted_value FROM provider_credentials WHERE id = $1", [`cred-${i}`]);
+            const payload = JSON.parse(row.rows[0].encrypted_value);
+            expect(decrypt(payload, newKey)).toBe(`sk-key-${i}`);
+        }
+    });
+});

package/dist/security/credential-vault/migrate-plaintext.d.ts

@@ -0,0 +1,15 @@
+import type { ICredentialMigrationAccess, IMigrationTenantKeyAccess } from "./credential-repository.js";
+export interface MigrationResult {
+    table: string;
+    migratedCount: number;
+    errors: string[];
+}
+/**
+ * Migrate any plaintext credentials to encrypted form.
+ *
+ * For provider_credentials: re-encrypts encrypted_value column using vaultKey.
+ * For tenant_api_keys: re-encrypts encrypted_key column using tenantKeyDeriver.
+ *
+ * IMPORTANT: This is destructive — run in a transaction and back up first.
+ */
+export declare function migratePlaintextCredentials(credentialRepo: ICredentialMigrationAccess, vaultKey: Buffer, tenantKeyDeriver: (tenantId: string) => Buffer, tenantKeyAccess?: IMigrationTenantKeyAccess | null): Promise<MigrationResult[]>;

package/dist/security/credential-vault/migrate-plaintext.js

@@ -0,0 +1,80 @@
+import { encrypt } from "../encryption.js";
+import { scanForKeyLeaks } from "../key-audit.js";
+/**
+ * Migrate any plaintext credentials to encrypted form.
+ *
+ * For provider_credentials: re-encrypts encrypted_value column using vaultKey.
+ * For tenant_api_keys: re-encrypts encrypted_key column using tenantKeyDeriver.
+ *
+ * IMPORTANT: This is destructive — run in a transaction and back up first.
+ */
+export async function migratePlaintextCredentials(credentialRepo, vaultKey, tenantKeyDeriver, tenantKeyAccess) {
+    const results = [];
+    // --- provider_credentials ---
+    const provResult = {
+        table: "provider_credentials",
+        migratedCount: 0,
+        errors: [],
+    };
+    const provRows = await credentialRepo.listAllWithEncryptedValue();
+    for (const row of provRows) {
+        try {
+            const parsed = JSON.parse(row.encryptedValue);
+            if (parsed.iv && parsed.authTag && parsed.ciphertext) {
+                continue; // Already encrypted
+            }
+        }
+        catch {
+            // Not JSON — treat as plaintext
+        }
+        // This row has plaintext data — encrypt it
+        const leaks = scanForKeyLeaks(row.encryptedValue);
+        if (leaks.length === 0 && row.encryptedValue.trim() === "") {
+            continue; // Empty value, skip
+        }
+        try {
+            const encrypted = encrypt(row.encryptedValue, vaultKey);
+            const serialized = JSON.stringify(encrypted);
+            await credentialRepo.updateEncryptedValueOnly(row.id, serialized);
+            provResult.migratedCount++;
+        }
+        catch (err) {
+            provResult.errors.push(`Row ${row.id}: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    results.push(provResult);
+    // --- tenant_api_keys ---
+    if (tenantKeyAccess) {
+        const tenantResult = {
+            table: "tenant_api_keys",
+            migratedCount: 0,
+            errors: [],
+        };
+        const tenantRows = await tenantKeyAccess.listAll();
+        for (const row of tenantRows) {
+            try {
+                const parsed = JSON.parse(row.encryptedKey);
+                if (parsed.iv && parsed.authTag && parsed.ciphertext) {
+                    continue; // Already encrypted
+                }
+            }
+            catch {
+                // Not JSON — treat as plaintext
+            }
+            if (row.encryptedKey.trim() === "")
+                continue;
+            try {
+                const tenantKey = tenantKeyDeriver(row.tenantId);
+                const encrypted = encrypt(row.encryptedKey, tenantKey);
+                const serialized = JSON.stringify(encrypted);
+                await tenantKeyAccess.updateEncryptedKey(row.id, serialized);
+                tenantResult.migratedCount++;
+            }
+            catch (err) {
+                tenantResult.errors.push(`Row ${row.id}: ${err instanceof Error ? err.message : String(err)}`);
+            }
+        }
+        results.push(tenantResult);
+    }
+    return results;
+}

package/dist/security/credential-vault/migrate-plaintext.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/security/credential-vault/migrate-plaintext.test.js

@@ -0,0 +1,111 @@
+import crypto from "node:crypto";
+import { describe, expect, it } from "vitest";
+import { decrypt, encrypt } from "../encryption.js";
+import { migratePlaintextCredentials } from "./migrate-plaintext.js";
+// ---------------------------------------------------------------------------
+// Mock helpers
+// ---------------------------------------------------------------------------
+function mockCredentialRepo(rows = []) {
+    const updates = [];
+    return {
+        updates,
+        listAllWithEncryptedValue: async () => [...rows],
+        updateEncryptedValueOnly: async (id, encryptedValue) => {
+            updates.push({ id, encryptedValue });
+            // Also update the source array so re-reads see the new value
+            const row = rows.find((r) => r.id === id);
+            if (row)
+                row.encryptedValue = encryptedValue;
+        },
+    };
+}
+function mockTenantKeyAccess(rows = []) {
+    const updates = [];
+    return {
+        updates,
+        listAll: async () => [...rows],
+        updateEncryptedKey: async (id, encryptedKey) => {
+            updates.push({ id, encryptedKey });
+        },
+    };
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe("migratePlaintextCredentials", () => {
+    const vaultKey = crypto.randomBytes(32);
+    const tenantKeyDeriver = (_tenantId) => crypto.randomBytes(32);
+    it("returns empty results when no rows exist", async () => {
+        const repo = mockCredentialRepo();
+        const tenantAccess = mockTenantKeyAccess();
+        const results = await migratePlaintextCredentials(repo, vaultKey, tenantKeyDeriver, tenantAccess);
+        expect(results).toHaveLength(2);
+        expect(results.find((r) => r.table === "provider_credentials")?.migratedCount).toBe(0);
+        expect(results.find((r) => r.table === "tenant_api_keys")?.migratedCount).toBe(0);
+    });
+    it("returns only provider results when no tenant access provided", async () => {
+        const repo = mockCredentialRepo();
+        const results = await migratePlaintextCredentials(repo, vaultKey, tenantKeyDeriver);
+        expect(results).toHaveLength(1);
+        expect(results[0].table).toBe("provider_credentials");
+    });
+    it("skips already-encrypted provider credentials", async () => {
+        const encrypted = encrypt("my-secret-key", vaultKey);
+        const repo = mockCredentialRepo([{ id: "cred-1", encryptedValue: JSON.stringify(encrypted) }]);
+        const results = await migratePlaintextCredentials(repo, vaultKey, tenantKeyDeriver);
+        expect(results.find((r) => r.table === "provider_credentials")?.migratedCount).toBe(0);
+        expect(repo.updates).toHaveLength(0);
+    });
+    it("encrypts plaintext provider credentials", async () => {
+        const repo = mockCredentialRepo([{ id: "cred-2", encryptedValue: "sk-plaintext-key-value" }]);
+        const results = await migratePlaintextCredentials(repo, vaultKey, tenantKeyDeriver);
+        const provResult = results.find((r) => r.table === "provider_credentials");
+        expect(provResult?.migratedCount).toBe(1);
+        expect(provResult?.errors).toHaveLength(0);
+        expect(repo.updates).toHaveLength(1);
+        const parsed = JSON.parse(repo.updates[0].encryptedValue);
+        expect(parsed).toHaveProperty("iv");
+        expect(parsed).toHaveProperty("authTag");
+        expect(parsed).toHaveProperty("ciphertext");
+        expect(decrypt(parsed, vaultKey)).toBe("sk-plaintext-key-value");
+    });
+    it("skips empty provider credential values", async () => {
+        const repo = mockCredentialRepo([{ id: "cred-3", encryptedValue: "   " }]);
+        const results = await migratePlaintextCredentials(repo, vaultKey, tenantKeyDeriver);
+        expect(results.find((r) => r.table === "provider_credentials")?.migratedCount).toBe(0);
+        expect(repo.updates).toHaveLength(0);
+    });
+    it("encrypts plaintext tenant API keys", async () => {
+        const stableKey = crypto.randomBytes(32);
+        const stableDeriver = (_tenantId) => stableKey;
+        const tenantAccess = mockTenantKeyAccess([{ id: "key-1", tenantId: "t-1", encryptedKey: "plaintext-tenant-key" }]);
+        const repo = mockCredentialRepo();
+        const results = await migratePlaintextCredentials(repo, vaultKey, stableDeriver, tenantAccess);
+        const tenantResult = results.find((r) => r.table === "tenant_api_keys");
+        expect(tenantResult?.migratedCount).toBe(1);
+        expect(tenantAccess.updates).toHaveLength(1);
+        const parsed = JSON.parse(tenantAccess.updates[0].encryptedKey);
+        expect(parsed).toHaveProperty("iv");
+        expect(decrypt(parsed, stableKey)).toBe("plaintext-tenant-key");
+    });
+    it("skips already-encrypted tenant API keys", async () => {
+        const stableKey = crypto.randomBytes(32);
+        const encrypted = encrypt("my-key", stableKey);
+        const tenantAccess = mockTenantKeyAccess([
+            { id: "key-2", tenantId: "t-1", encryptedKey: JSON.stringify(encrypted) },
+        ]);
+        const repo = mockCredentialRepo();
+        const results = await migratePlaintextCredentials(repo, vaultKey, () => stableKey, tenantAccess);
+        expect(results.find((r) => r.table === "tenant_api_keys")?.migratedCount).toBe(0);
+        expect(tenantAccess.updates).toHaveLength(0);
+    });
+    it("records errors without aborting migration for bad key length", async () => {
+        const badKey = crypto.randomBytes(16); // wrong length
+        const repo = mockCredentialRepo([{ id: "cred-err", encryptedValue: "plaintext-value" }]);
+        const results = await migratePlaintextCredentials(repo, badKey, tenantKeyDeriver);
+        const provResult = results.find((r) => r.table === "provider_credentials");
+        expect(provResult?.migratedCount).toBe(0);
+        expect(provResult?.errors).toHaveLength(1);
+        expect(provResult?.errors[0]).toContain("cred-err");
+    });
+});

package/dist/security/credential-vault/migration-check.d.ts

@@ -0,0 +1,15 @@
+import type { PlatformDb } from "../../db/index.js";
+/**
+ * Scan all credential columns in the database for plaintext API key patterns.
+ * Returns an array of findings. Empty array = all clear.
+ *
+ * This is a safety net, not a migration — the platform was designed encrypted-first.
+ * Run as part of deployment validation or as a periodic security check.
+ */
+export interface PlaintextFinding {
+    table: string;
+    column: string;
+    rowId: string;
+    provider: string;
+}
+export declare function auditCredentialEncryption(db: PlatformDb): Promise<PlaintextFinding[]>;

package/dist/security/credential-vault/migration-check.js

@@ -0,0 +1,71 @@
+import { providerCredentials, tenantApiKeys } from "../../db/schema/index.js";
+import { scanForKeyLeaks } from "../key-audit.js";
+export async function auditCredentialEncryption(db) {
+    const findings = [];
+    // Check provider_credentials.encrypted_value
+    const providerRows = await db
+        .select({ id: providerCredentials.id, encryptedValue: providerCredentials.encryptedValue })
+        .from(providerCredentials);
+    for (const row of providerRows) {
+        // A properly encrypted value should be a JSON object with iv/authTag/ciphertext
+        try {
+            const parsed = JSON.parse(row.encryptedValue);
+            if (!parsed.iv || !parsed.authTag || !parsed.ciphertext) {
+                findings.push({
+                    table: "provider_credentials",
+                    column: "encrypted_value",
+                    rowId: row.id,
+                    provider: "unknown",
+                });
+            }
+        }
+        catch {
+            // Not valid JSON = likely plaintext
+            const leaks = scanForKeyLeaks(row.encryptedValue);
+            if (leaks.length > 0 || row.encryptedValue.trim().length > 0) {
+                findings.push({
+                    table: "provider_credentials",
+                    column: "encrypted_value",
+                    rowId: row.id,
+                    provider: leaks[0]?.provider ?? "unknown",
+                });
+            }
+        }
+    }
+    // Check tenant_api_keys.encrypted_key (if table exists)
+    try {
+        const tenantRows = await db
+            .select({ id: tenantApiKeys.id, encryptedKey: tenantApiKeys.encryptedKey })
+            .from(tenantApiKeys);
+        for (const row of tenantRows) {
+            try {
+                const parsed = JSON.parse(row.encryptedKey);
+                if (!parsed.iv || !parsed.authTag || !parsed.ciphertext) {
+                    findings.push({
+                        table: "tenant_api_keys",
+                        column: "encrypted_key",
+                        rowId: row.id,
+                        provider: "unknown",
+                    });
+                }
+            }
+            catch {
+                const leaks = scanForKeyLeaks(row.encryptedKey);
+                if (leaks.length > 0 || row.encryptedKey.trim().length > 0) {
+                    findings.push({
+                        table: "tenant_api_keys",
+                        column: "encrypted_key",
+                        rowId: row.id,
+                        provider: leaks[0]?.provider ?? "unknown",
+                    });
+                }
+            }
+        }
+    }
+    catch (err) {
+        if (!(err instanceof Error && err.message.includes("no such table")))
+            throw err;
+        // Table doesn't exist yet — that's fine
+    }
+    return findings;
+}

package/dist/security/credential-vault/migration-check.test.d.ts

@@ -0,0 +1 @@
+export {};