@wopr-network/platform-core 0.1.0

package/dist/security/credential-vault/store.js

@@ -0,0 +1,181 @@
+import { createHmac, randomUUID } from "node:crypto";
+import { decrypt, encrypt, generateInstanceKey } from "../encryption.js";
+/**
+ * Credential vault store — encrypted CRUD for platform-level provider API keys.
+ *
+ * SECURITY:
+ * - Keys are encrypted with AES-256-GCM before storage.
+ * - The encryption key is derived from a platform secret (env var).
+ * - Plaintext keys are never logged, persisted, or returned in list operations.
+ * - All mutations are audit-logged.
+ */
+export class CredentialVaultStore {
+    repo;
+    encryptionKey;
+    auditLog;
+    secretAuditRepo;
+    constructor(repo, encryptionKey, auditLog, secretAuditRepo) {
+        this.repo = repo;
+        this.encryptionKey = encryptionKey;
+        this.auditLog = auditLog ?? null;
+        this.secretAuditRepo = secretAuditRepo ?? null;
+    }
+    recordSecretAudit(credentialId, accessedBy, action, ip) {
+        if (!this.secretAuditRepo)
+            return;
+        const event = {
+            id: randomUUID(),
+            credentialId,
+            accessedAt: Date.now(),
+            accessedBy,
+            action,
+            ip: ip ?? null,
+        };
+        // Fire-and-forget — audit must never break primary operations
+        this.secretAuditRepo.insert(event).catch(() => { });
+    }
+    /** Create a new provider credential. Returns the record ID. */
+    async create(input) {
+        const id = randomUUID();
+        const encrypted = encrypt(input.plaintextKey, this.encryptionKey);
+        const serialized = JSON.stringify(encrypted);
+        await this.repo.insert({
+            id,
+            provider: input.provider,
+            keyName: input.keyName,
+            encryptedValue: serialized,
+            authType: input.authType,
+            authHeader: input.authHeader ?? null,
+            createdBy: input.createdBy,
+        });
+        this.audit(input.createdBy, "credential.create", {
+            credentialId: id,
+            provider: input.provider,
+            keyName: input.keyName,
+        });
+        this.recordSecretAudit(id, input.createdBy, "write");
+        return id;
+    }
+    /** List all credentials for a provider (or all providers). Never returns encrypted values. */
+    async list(provider) {
+        const rows = await this.repo.list(provider);
+        return rows.map((r) => ({ ...r, isActive: r.isActive }));
+    }
+    /** Get a single credential summary by ID. */
+    async getById(id) {
+        const row = await this.repo.getSummaryById(id);
+        if (!row)
+            return null;
+        return { ...row, isActive: row.isActive };
+    }
+    /**
+     * Decrypt and return a credential's key. For gateway use only.
+     *
+     * SECURITY: The returned plaintext key MUST be discarded after use.
+     */
+    async decrypt(id) {
+        const row = await this.repo.getFullById(id);
+        if (!row)
+            return null;
+        const payload = JSON.parse(row.encryptedValue);
+        const plaintextKey = decrypt(payload, this.encryptionKey);
+        return {
+            id: row.id,
+            provider: row.provider,
+            keyName: row.keyName,
+            plaintextKey,
+            authType: row.authType,
+            authHeader: row.authHeader,
+        };
+    }
+    /**
+     * Get the active credential(s) for a provider, decrypted.
+     * Returns all active keys for load distribution; caller picks one.
+     *
+     * SECURITY: Returned keys MUST be discarded after use.
+     */
+    async getActiveForProvider(provider) {
+        const rows = await this.repo.listActiveForProvider(provider);
+        return rows.map((row) => {
+            const payload = JSON.parse(row.encryptedValue);
+            const plaintextKey = decrypt(payload, this.encryptionKey);
+            return {
+                id: row.id,
+                provider: row.provider,
+                keyName: row.keyName,
+                plaintextKey,
+                authType: row.authType,
+                authHeader: row.authHeader,
+            };
+        });
+    }
+    /** Rotate a credential's key. Encrypts the new key and records the rotation timestamp. */
+    async rotate(input) {
+        const existing = await this.repo.getSummaryById(input.id);
+        if (!existing)
+            return false;
+        const encrypted = encrypt(input.plaintextKey, this.encryptionKey);
+        const serialized = JSON.stringify(encrypted);
+        await this.repo.updateEncryptedValue(input.id, serialized);
+        this.audit(input.rotatedBy, "credential.rotate", {
+            credentialId: input.id,
+            provider: existing.provider,
+        });
+        this.recordSecretAudit(input.id, input.rotatedBy, "write");
+        return true;
+    }
+    /** Mark a credential as active or inactive. */
+    async setActive(id, isActive, changedBy) {
+        const existing = await this.repo.getSummaryById(id);
+        if (!existing)
+            return false;
+        await this.repo.setActive(id, isActive);
+        this.audit(changedBy, isActive ? "credential.activate" : "credential.deactivate", {
+            credentialId: id,
+            provider: existing.provider,
+        });
+        this.recordSecretAudit(id, changedBy, "write");
+        return true;
+    }
+    /** Record a successful validation timestamp. */
+    async markValidated(id) {
+        return this.repo.markValidated(id);
+    }
+    /** Permanently delete a credential. */
+    async delete(id, deletedBy) {
+        const existing = await this.repo.getSummaryById(id);
+        if (!existing)
+            return false;
+        await this.repo.deleteById(id);
+        this.audit(deletedBy, "credential.delete", {
+            credentialId: id,
+            provider: existing.provider,
+            keyName: existing.keyName,
+        });
+        this.recordSecretAudit(id, deletedBy, "delete");
+        return true;
+    }
+    // -----------------------------------------------------------------------
+    // Audit helper
+    // -----------------------------------------------------------------------
+    audit(adminUser, action, details) {
+        if (!this.auditLog)
+            return;
+        this.auditLog.log({
+            adminUser,
+            action,
+            category: "config",
+            details,
+        });
+    }
+}
+/**
+ * Derive the credential vault encryption key from a platform secret.
+ * If no secret is provided, generates a random key (suitable for tests only).
+ */
+export function getVaultEncryptionKey(platformSecret) {
+    if (platformSecret) {
+        return createHmac("sha256", platformSecret).update("credential-vault").digest();
+    }
+    return generateInstanceKey();
+}

package/dist/security/credential-vault/store.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/security/credential-vault/store.test.js

@@ -0,0 +1,482 @@
+import { eq } from "drizzle-orm";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { DrizzleAdminAuditLogRepository } from "../../admin/admin-audit-log-repository.js";
+import { AdminAuditLog } from "../../admin/audit-log.js";
+import { providerCredentials, tenantApiKeys } from "../../db/schema/index.js";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { encrypt, generateInstanceKey } from "../encryption.js";
+import { DrizzleCredentialRepository } from "./credential-repository.js";
+import { CredentialVaultStore, getVaultEncryptionKey } from "./store.js";
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function buildStore(db) {
+    const encryptionKey = generateInstanceKey();
+    const auditLog = new AdminAuditLog(new DrizzleAdminAuditLogRepository(db));
+    const repo = new DrizzleCredentialRepository(db);
+    const store = new CredentialVaultStore(repo, encryptionKey, auditLog);
+    return { store, encryptionKey, auditLog };
+}
+// ---------------------------------------------------------------------------
+// CredentialVaultStore
+// ---------------------------------------------------------------------------
+describe("CredentialVaultStore", () => {
+    let store;
+    let pool;
+    let db;
+    beforeAll(async () => {
+        ({ db, pool } = await createTestDb());
+    });
+    afterAll(async () => {
+        await pool.close();
+    });
+    beforeEach(async () => {
+        await truncateAllTables(pool);
+        ({ store } = buildStore(db));
+    });
+    describe("create", () => {
+        it("returns a UUID for the new credential", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Production",
+                plaintextKey: "sk-ant-test-key-123",
+                authType: "header",
+                authHeader: "x-api-key",
+                createdBy: "admin-1",
+            });
+            expect(id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/);
+        });
+        it("encrypts the key before storing", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Production",
+                plaintextKey: "sk-ant-test-key-123",
+                authType: "header",
+                authHeader: "x-api-key",
+                createdBy: "admin-1",
+            });
+            // Verify by decrypting - if the stored value were plaintext, decrypt would fail
+            const decrypted = await store.decrypt(id);
+            expect(decrypted?.plaintextKey).toBe("sk-ant-test-key-123");
+        });
+        it("stores ciphertext that differs from plaintext in the DB", async () => {
+            const plaintext = "sk-ant-test-key-123";
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Production",
+                plaintextKey: plaintext,
+                authType: "header",
+                authHeader: "x-api-key",
+                createdBy: "admin-1",
+            });
+            const rows = await db
+                .select({ encryptedValue: providerCredentials.encryptedValue })
+                .from(providerCredentials)
+                .where(eq(providerCredentials.id, id));
+            expect(rows).toHaveLength(1);
+            // Raw DB value must NOT contain the plaintext
+            expect(rows[0].encryptedValue).not.toContain(plaintext);
+            // Must be valid encrypted JSON payload
+            const parsed = JSON.parse(rows[0].encryptedValue);
+            expect(parsed).toHaveProperty("iv");
+            expect(parsed).toHaveProperty("authTag");
+            expect(parsed).toHaveProperty("ciphertext");
+        });
+        it("logs an audit entry", async () => {
+            await store.create({
+                provider: "openai",
+                keyName: "Backup",
+                plaintextKey: "sk-test",
+                authType: "bearer",
+                createdBy: "admin-1",
+            });
+            // Verify via list (audit log is recorded - just verify store works)
+            const list = await store.list();
+            expect(list).toHaveLength(1);
+        });
+        it("allows multiple keys per provider", async () => {
+            await store.create({
+                provider: "anthropic",
+                keyName: "Production",
+                plaintextKey: "sk-ant-prod",
+                authType: "header",
+                authHeader: "x-api-key",
+                createdBy: "admin-1",
+            });
+            await store.create({
+                provider: "anthropic",
+                keyName: "Backup",
+                plaintextKey: "sk-ant-backup",
+                authType: "header",
+                authHeader: "x-api-key",
+                createdBy: "admin-1",
+            });
+            const list = await store.list("anthropic");
+            expect(list).toHaveLength(2);
+        });
+    });
+    describe("list", () => {
+        it("returns empty array when no credentials exist", async () => {
+            expect(await store.list()).toEqual([]);
+        });
+        it("returns summaries without encrypted values", async () => {
+            await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "sk-ant-secret",
+                authType: "header",
+                authHeader: "x-api-key",
+                createdBy: "admin-1",
+            });
+            const list = await store.list();
+            expect(list).toHaveLength(1);
+            expect(list[0].provider).toBe("anthropic");
+            expect(list[0].keyName).toBe("Prod");
+            expect(list[0].isActive).toBe(true);
+            // Ensure no encrypted value leaks
+            expect(list[0].encryptedValue).toBeUndefined();
+            expect(list[0].plaintextKey).toBeUndefined();
+        });
+        it("filters by provider", async () => {
+            await store.create({
+                provider: "anthropic",
+                keyName: "A",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            await store.create({
+                provider: "openai",
+                keyName: "B",
+                plaintextKey: "k2",
+                authType: "bearer",
+                createdBy: "admin-1",
+            });
+            expect(await store.list("anthropic")).toHaveLength(1);
+            expect(await store.list("openai")).toHaveLength(1);
+            expect(await store.list("google")).toHaveLength(0);
+            expect(await store.list()).toHaveLength(2);
+        });
+    });
+    describe("getById", () => {
+        it("returns null for non-existent id", async () => {
+            expect(await store.getById("00000000-0000-0000-0000-000000000000")).toBeNull();
+        });
+        it("returns the credential summary", async () => {
+            const id = await store.create({
+                provider: "openai",
+                keyName: "Main",
+                plaintextKey: "sk-openai-key",
+                authType: "bearer",
+                createdBy: "admin-1",
+            });
+            const cred = await store.getById(id);
+            expect(cred).not.toBeNull();
+            expect(cred?.provider).toBe("openai");
+            expect(cred?.keyName).toBe("Main");
+            expect(cred?.authType).toBe("bearer");
+            expect(cred?.isActive).toBe(true);
+            expect(cred?.createdBy).toBe("admin-1");
+        });
+    });
+    describe("decrypt", () => {
+        it("returns null for non-existent id", async () => {
+            expect(await store.decrypt("00000000-0000-0000-0000-000000000000")).toBeNull();
+        });
+        it("decrypts the stored key correctly", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "sk-ant-my-real-key-12345",
+                authType: "header",
+                authHeader: "x-api-key",
+                createdBy: "admin-1",
+            });
+            const decrypted = await store.decrypt(id);
+            expect(decrypted).not.toBeNull();
+            expect(decrypted?.plaintextKey).toBe("sk-ant-my-real-key-12345");
+            expect(decrypted?.provider).toBe("anthropic");
+            expect(decrypted?.authType).toBe("header");
+            expect(decrypted?.authHeader).toBe("x-api-key");
+        });
+    });
+    describe("getActiveForProvider", () => {
+        it("returns empty array when no active keys exist", async () => {
+            expect(await store.getActiveForProvider("anthropic")).toEqual([]);
+        });
+        it("returns only active credentials", async () => {
+            await store.create({
+                provider: "anthropic",
+                keyName: "Active",
+                plaintextKey: "sk-ant-active",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            const id2 = await store.create({
+                provider: "anthropic",
+                keyName: "Inactive",
+                plaintextKey: "sk-ant-inactive",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            await store.setActive(id2, false, "admin-1");
+            const active = await store.getActiveForProvider("anthropic");
+            expect(active).toHaveLength(1);
+            expect(active[0].plaintextKey).toBe("sk-ant-active");
+        });
+        it("does not return credentials for other providers", async () => {
+            await store.create({
+                provider: "anthropic",
+                keyName: "A",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            await store.create({
+                provider: "openai",
+                keyName: "B",
+                plaintextKey: "k2",
+                authType: "bearer",
+                createdBy: "admin-1",
+            });
+            const anthropicKeys = await store.getActiveForProvider("anthropic");
+            expect(anthropicKeys).toHaveLength(1);
+            expect(anthropicKeys[0].provider).toBe("anthropic");
+        });
+    });
+    describe("rotate", () => {
+        it("returns false for non-existent credential", async () => {
+            expect(await store.rotate({
+                id: "00000000-0000-0000-0000-000000000000",
+                plaintextKey: "new-key",
+                rotatedBy: "admin-1",
+            })).toBe(false);
+        });
+        it("replaces the encrypted key value", async () => {
+            const id = await store.create({
+                provider: "openai",
+                keyName: "Prod",
+                plaintextKey: "sk-old-key",
+                authType: "bearer",
+                createdBy: "admin-1",
+            });
+            const ok = await store.rotate({
+                id,
+                plaintextKey: "sk-new-key",
+                rotatedBy: "admin-1",
+            });
+            expect(ok).toBe(true);
+            const decrypted = await store.decrypt(id);
+            expect(decrypted?.plaintextKey).toBe("sk-new-key");
+        });
+        it("sets the rotatedAt timestamp", async () => {
+            const id = await store.create({
+                provider: "openai",
+                keyName: "Prod",
+                plaintextKey: "sk-old",
+                authType: "bearer",
+                createdBy: "admin-1",
+            });
+            const before = await store.getById(id);
+            expect(before?.rotatedAt).toBeNull();
+            await store.rotate({ id, plaintextKey: "sk-new", rotatedBy: "admin-1" });
+            const after = await store.getById(id);
+            expect(after?.rotatedAt).not.toBeNull();
+        });
+        it("logs an audit entry", async () => {
+            const id = await store.create({
+                provider: "openai",
+                keyName: "Prod",
+                plaintextKey: "sk-old",
+                authType: "bearer",
+                createdBy: "admin-1",
+            });
+            await store.rotate({ id, plaintextKey: "sk-new", rotatedBy: "admin-2" });
+            // Verify by reading the key back - rotation was successful
+            const decrypted = await store.decrypt(id);
+            expect(decrypted?.plaintextKey).toBe("sk-new");
+        });
+    });
+    describe("setActive", () => {
+        it("returns false for non-existent credential", async () => {
+            expect(await store.setActive("00000000-0000-0000-0000-000000000000", false, "admin-1")).toBe(false);
+        });
+        it("deactivates a credential", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            expect(await store.setActive(id, false, "admin-1")).toBe(true);
+            expect((await store.getById(id))?.isActive).toBe(false);
+        });
+        it("reactivates a credential", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            await store.setActive(id, false, "admin-1");
+            await store.setActive(id, true, "admin-1");
+            expect((await store.getById(id))?.isActive).toBe(true);
+        });
+        it("logs audit entries for activate and deactivate", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            await store.setActive(id, false, "admin-1");
+            await store.setActive(id, true, "admin-1");
+            // Verify by checking the state - deactivate and reactivate both worked
+            const cred = await store.getById(id);
+            expect(cred?.isActive).toBe(true);
+        });
+    });
+    describe("markValidated", () => {
+        it("returns false for non-existent credential", async () => {
+            expect(await store.markValidated("00000000-0000-0000-0000-000000000000")).toBe(false);
+        });
+        it("sets the lastValidated timestamp", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            expect((await store.getById(id))?.lastValidated).toBeNull();
+            expect(await store.markValidated(id)).toBe(true);
+            expect((await store.getById(id))?.lastValidated).not.toBeNull();
+        });
+    });
+    describe("delete", () => {
+        it("returns false for non-existent credential", async () => {
+            expect(await store.delete("00000000-0000-0000-0000-000000000000", "admin-1")).toBe(false);
+        });
+        it("removes the credential", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            expect(await store.delete(id, "admin-1")).toBe(true);
+            expect(await store.getById(id)).toBeNull();
+            expect(await store.list()).toHaveLength(0);
+        });
+        it("logs an audit entry", async () => {
+            const id = await store.create({
+                provider: "anthropic",
+                keyName: "Prod",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            await store.delete(id, "admin-2");
+            // Verify credential is gone
+            expect(await store.getById(id)).toBeNull();
+        });
+    });
+    describe("without audit log", () => {
+        it("works without an audit log instance", async () => {
+            const encryptionKey = generateInstanceKey();
+            const repo2 = new DrizzleCredentialRepository(db);
+            const storeNoAudit = new CredentialVaultStore(repo2, encryptionKey);
+            const id = await storeNoAudit.create({
+                provider: "anthropic",
+                keyName: "Test",
+                plaintextKey: "k1",
+                authType: "header",
+                createdBy: "admin-1",
+            });
+            expect(id).toMatch(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/);
+            expect(await storeNoAudit.getById(id)).not.toBeNull();
+        });
+    });
+});
+// ---------------------------------------------------------------------------
+// Tenant isolation (tenant_api_keys)
+// ---------------------------------------------------------------------------
+describe("Tenant isolation (tenant_api_keys)", () => {
+    let tenantPool;
+    let tenantDb;
+    beforeAll(async () => {
+        ({ db: tenantDb, pool: tenantPool } = await createTestDb());
+    });
+    afterAll(async () => {
+        await tenantPool.close();
+    });
+    beforeEach(async () => {
+        await truncateAllTables(tenantPool);
+    });
+    it("tenant A credential is not retrievable when querying tenant B", async () => {
+        const key = generateInstanceKey();
+        // Store a credential for tenant-a
+        const encryptedA = JSON.stringify(encrypt("sk-secret-for-tenant-a", key));
+        await tenantDb.insert(tenantApiKeys).values({
+            id: "tk-a",
+            tenantId: "tenant-a",
+            provider: "anthropic",
+            label: "A key",
+            encryptedKey: encryptedA,
+            createdAt: Date.now(),
+            updatedAt: Date.now(),
+        });
+        // Store a credential for tenant-b
+        const encryptedB = JSON.stringify(encrypt("sk-secret-for-tenant-b", key));
+        await tenantDb.insert(tenantApiKeys).values({
+            id: "tk-b",
+            tenantId: "tenant-b",
+            provider: "anthropic",
+            label: "B key",
+            encryptedKey: encryptedB,
+            createdAt: Date.now(),
+            updatedAt: Date.now(),
+        });
+        // Query for tenant-a only
+        const rowsA = await tenantDb.select().from(tenantApiKeys).where(eq(tenantApiKeys.tenantId, "tenant-a"));
+        expect(rowsA).toHaveLength(1);
+        expect(rowsA[0].id).toBe("tk-a");
+        // Verify tenant-b's key is NOT in tenant-a's results
+        const tenantAIds = rowsA.map((r) => r.id);
+        expect(tenantAIds).not.toContain("tk-b");
+        // Query for tenant-b only
+        const rowsB = await tenantDb.select().from(tenantApiKeys).where(eq(tenantApiKeys.tenantId, "tenant-b"));
+        expect(rowsB).toHaveLength(1);
+        expect(rowsB[0].id).toBe("tk-b");
+    });
+});
+// ---------------------------------------------------------------------------
+// getVaultEncryptionKey
+// ---------------------------------------------------------------------------
+describe("getVaultEncryptionKey", () => {
+    it("derives a 32-byte key from a platform secret", () => {
+        const key = getVaultEncryptionKey("my-platform-secret");
+        expect(key).toBeInstanceOf(Buffer);
+        expect(key.length).toBe(32);
+    });
+    it("is deterministic for the same secret", () => {
+        const a = getVaultEncryptionKey("same-secret");
+        const b = getVaultEncryptionKey("same-secret");
+        expect(a.equals(b)).toBe(true);
+    });
+    it("differs for different secrets", () => {
+        const a = getVaultEncryptionKey("secret-a");
+        const b = getVaultEncryptionKey("secret-b");
+        expect(a.equals(b)).toBe(false);
+    });
+    it("generates a random key when no secret provided", () => {
+        const a = getVaultEncryptionKey();
+        const b = getVaultEncryptionKey();
+        expect(a.length).toBe(32);
+        expect(a.equals(b)).toBe(false);
+    });
+});

package/dist/security/encryption.d.ts

@@ -0,0 +1,22 @@
+import type { EncryptedPayload } from "./types.js";
+/**
+ * Derive a per-instance encryption key from the instance ID and a platform secret.
+ * Uses HMAC-SHA256 so the platform never stores the raw key — it's deterministic
+ * from (instanceId + platformSecret) but the secret lives only in Docker secrets.
+ */
+export declare function deriveInstanceKey(instanceId: string, platformSecret: string): Buffer;
+/**
+ * Generate a random 32-byte encryption key.
+ * Used when creating a new instance to produce a Docker secret.
+ */
+export declare function generateInstanceKey(): Buffer;
+/**
+ * Encrypt a plaintext string with AES-256-GCM.
+ * Returns a structured payload with iv, authTag, and ciphertext (all hex-encoded).
+ */
+export declare function encrypt(plaintext: string, key: Buffer): EncryptedPayload;
+/**
+ * Decrypt an AES-256-GCM encrypted payload back to plaintext.
+ * Throws on tampered data or wrong key.
+ */
+export declare function decrypt(payload: EncryptedPayload, key: Buffer): string;