agentlock-shared 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.turbo/turbo-build.log +1 -1
- package/.turbo/turbo-test.log +57 -15
- package/dist/__tests__/crypto.test.js +137 -47
- package/dist/__tests__/crypto.test.js.map +1 -1
- package/dist/__tests__/messaging.test.d.ts +2 -0
- package/dist/__tests__/messaging.test.d.ts.map +1 -0
- package/dist/__tests__/messaging.test.js +75 -0
- package/dist/__tests__/messaging.test.js.map +1 -0
- package/dist/__tests__/policy.test.js +124 -7
- package/dist/__tests__/policy.test.js.map +1 -1
- package/dist/__tests__/signing.test (# Edit conflict 2026-04-01 z3etfmC #).js +51 -0
- package/dist/__tests__/signing.test.js (# Edit conflict 2026-04-01 4rndy9C #).map +1 -0
- package/dist/crypto.d.ts +36 -0
- package/dist/crypto.d.ts.map +1 -1
- package/dist/crypto.js +150 -5
- package/dist/crypto.js.map +1 -1
- package/dist/plans.d.ts +4 -0
- package/dist/plans.d.ts.map +1 -1
- package/dist/plans.js +16 -0
- package/dist/plans.js.map +1 -1
- package/dist/policy.d.ts.map +1 -1
- package/dist/policy.js +54 -29
- package/dist/policy.js.map +1 -1
- package/dist/redact.d.ts.map +1 -1
- package/dist/redact.js +21 -4
- package/dist/redact.js.map +1 -1
- package/dist/schemas.d.ts +72 -11
- package/dist/schemas.d.ts.map +1 -1
- package/dist/schemas.js +62 -10
- package/dist/schemas.js.map +1 -1
- package/dist/types.d.ts +1 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/__tests__/crypto.test.ts +169 -0
- package/src/__tests__/messaging.test.ts +83 -0
- package/src/__tests__/policy.test.ts +141 -7
- package/src/crypto.ts +153 -5
- package/src/plans.ts +20 -0
- package/src/policy.ts +58 -28
- package/src/redact.ts +20 -3
- package/src/schemas.ts +121 -53
- package/src/types.ts +1 -0
package/dist/redact.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":"AAsGA,wBAAgB,MAAM,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,SAAI,GAAG,OAAO,CAcvD;AAED,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAMrF;AAED,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC/B,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAEzB"}
|
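--- a/package/dist/redact.js
+++ b/package/dist/redact.js
@@ -56,7 +56,15 @@ const SECRET_SUBSTRINGS = [
 'connection_string',
 'database_url',
 'access_key',
-'
+'auth_token',
+'refresh_key',
+'session_secret',
+'webhook_secret',
+'jwt',
+'oauth',
+'ssn',
+'credit_card',
+'routing_number',
 ];
 const REDACTED = '[REDACTED]';
 // Value-based patterns to detect secrets regardless of field name
@@ -75,6 +83,13 @@ const SECRET_VALUE_PATTERNS = [
 /^sk-ant-[a-zA-Z0-9_-]{20,}$/, // Anthropic API keys
 /^SG\.[a-zA-Z0-9_-]{20,}$/, // SendGrid API keys
 /^SK[a-f0-9]{32}$/, // Twilio API keys
+/-----BEGIN\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/, // PEM private keys
+/^DefaultEndpointsProtocol=/, // Azure connection strings
+/^[A-Za-z0-9+\/]{43,}={0,2}$/, // Base64-encoded symmetric keys (32+ bytes)
+/^[A-Za-z0-9_-]{43,}={0,2}$/, // URL-safe base64 encoded keys
+/^whsec_[a-zA-Z0-9]{20,}$/, // Stripe webhook secrets
+/^npm_[a-zA-Z0-9]{20,}$/, // npm tokens
+/^vercel_[a-zA-Z0-9]{20,}$/, // Vercel tokens
 ];
 function isSecretField(key) {
 const lower = key.toLowerCase();
@@ -86,8 +101,10 @@ function isSecretValue(value) {
 return SECRET_VALUE_PATTERNS.some((pattern) => pattern.test(value));
 }
 function redact(obj, depth = 0) {
-
-
+// SECURITY: At max depth, redact entirely rather than passing data through.
+// Prevents secrets in deeply nested objects from bypassing redaction.
+if (depth > 20)
+return REDACTED;
 if (obj === null || obj === undefined)
 return obj;
 if (typeof obj === 'string')
@@ -105,7 +122,7 @@ function redact(obj, depth = 0) {
 function redactHeaders(headers) {
 const result = {};
 for (const [key, value] of Object.entries(headers)) {
-result[key] = isSecretField(key) ? REDACTED : value;
+result[key] = (isSecretField(key) || isSecretValue(value)) ? REDACTED : value;
 }
 return result;
 }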
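Review bot: The PEM pattern added in the second hunk, `/-----BEGIN\s+(RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/`, only admits the four listed label prefixes, so PKCS#8 `ENCRYPTED PRIVATE KEY` blocks and `PGP PRIVATE KEY BLOCK` armor pass through unredacted; a label-agnostic form such as `/-----BEGIN [A-Z ]*PRIVATE KEY( BLOCK)?-----/` closes that gap. In the same hunk the two bare base64 patterns (`{43,}` characters with no prefix) also match any long alphanumeric value, e.g. a hex SHA-256 digest or a long request id, and since the last hunk now runs isSecretValue over every header value, expect non-secret headers to come back as '[REDACTED]'; if that trade-off is intended it deserves a comment next to those two patterns. This file is compiled output, so the change belongs in src/redact.ts (listed in the diffstat) and this dist copy should be regenerated from it.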
package/dist/redact.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"redact.js","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"redact.js","sourceRoot":"","sources":["../src/redact.ts"],"names":[],"mappings":";;AAsGA,wBAcC;AAED,sCAMC;AAED,sDAIC;AAlID,sDAAsD;AACtD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,eAAe;IACf,SAAS;IACT,QAAQ;IACR,SAAS;IACT,OAAO;IACP,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,aAAa;IACb,YAAY;IACZ,cAAc;IACd,eAAe;IACf,eAAe;IACf,WAAW;IACX,cAAc;IACd,aAAa;IACb,QAAQ;IACR,eAAe;IACf,aAAa;IACb,QAAQ;IACR,YAAY;IACZ,uBAAuB;IACvB,mBAAmB;IACnB,cAAc;IACd,mBAAmB;IACnB,aAAa;IACb,YAAY;IACZ,gBAAgB;IAChB,aAAa;IACb,kBAAkB;IAClB,2BAA2B;CAC5B,CAAC,CAAC;AAEH,0EAA0E;AAC1E,MAAM,iBAAiB,GAAG;IACxB,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,OAAO;IACP,SAAS;IACT,QAAQ;IACR,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,eAAe;IACf,UAAU;IACV,YAAY;IACZ,gBAAgB;IAChB,aAAa;IACb,mBAAmB;IACnB,cAAc;IACd,YAAY;IACZ,YAAY;IACZ,aAAa;IACb,gBAAgB;IAChB,gBAAgB;IAChB,KAAK;IACL,OAAO;IACP,KAAK;IACL,aAAa;IACb,gBAAgB;CACjB,CAAC;AAEF,MAAM,QAAQ,GAAG,YAAY,CAAC;AAE9B,kEAAkE;AAClE,MAAM,qBAAqB,GAAG;IAC5B,2CAA2C,EAAG,cAAc;IAC5D,0BAA0B,EAAuB,yBAAyB;IAC1E,uBAAuB,EAA0B,cAAc;IAC/D,gCAAgC,EAAiB,2BAA2B;IAC5E,uBAAuB,EAA0B,sBAAsB;IACvE,oBAAoB,EAA6B,qBAAqB;IACtE,4CAA4C,EAAI,oBAAoB;IACpE,gCAAgC,EAAgB,eAAe;IAC/D,iCAAiC,EAAe,gBAAgB;IAChE,yBAAyB,EAAwB,kBAAkB;IACnE,uBAAuB,EAA0B,kBAAkB;IACnE,6BAA6B,EAAoB,qBAAqB;IACtE,0BAA0B,EAAuB,oBAAoB;IACrE,kBAAkB,EAA+B,kBAAkB;IACnE,wDAAwD,EAAG,mBAAmB;IAC9E,4BAA4B,EAAwB,2BAA2B;IAC/E,6BAA6B,EAAsB,4CAA4C;IAC/F,4BAA4B,EAAuB,+BAA+B;IAClF,0BAA0B,EAA0B,yBAAyB;IAC7E,wBAAwB,EAA4B,aAAa;IACjE,2BAA2B,EAAyB,gBAAgB;CACrE,CAAC;AAEF,SAAS,aAAa,CAAC,GAAW;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IAChC,IAAI,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,SAAgB,MAAM,CAAC,GAAY,EAAE,KAAK,GAAG,CAAC;IAC5C,4EAA4E;IAC5E,sEAAsE;IACtE,IAAI,KAAK,GAAG,EAAE;QAAE,OAAO,QAAQ,CAAC;IAChC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAA
S;QAAE,OAAO,GAAG,CAAC;IAClD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;IACxE,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACxC,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IAE1E,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAA8B,CAAC,EAAE,CAAC;QAC1E,MAAM,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,aAAa,CAAC,OAA+B;IAC3D,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;IAChF,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,qBAAqB,CACnC,OAAgC;IAEhC,OAAO,MAAM,CAAC,OAAO,CAA4B,CAAC;AACpD,CAAC"}
|
package/dist/schemas.d.ts
CHANGED
|
@@ -1,4 +1,10 @@
|
|
|
1
1
|
import { z } from 'zod';
|
|
2
|
+
/**
|
|
3
|
+
* Reusable Zod schema for webhook URLs.
|
|
4
|
+
* Enforces: max length 2048, valid URL syntax, HTTPS-only,
|
|
5
|
+
* and rejects private/internal hostnames at parse time.
|
|
6
|
+
*/
|
|
7
|
+
export declare const WebhookUrlSchema: z.ZodEffects<z.ZodEffects<z.ZodString, string, string>, string, string>;
|
|
2
8
|
export declare const AgentActionRequestSchema: z.ZodObject<{
|
|
3
9
|
action_type: z.ZodEnum<["read", "write", "financial", "admin"]>;
|
|
4
10
|
tool: z.ZodString;
|
|
@@ -6,14 +12,14 @@ export declare const AgentActionRequestSchema: z.ZodObject<{
|
|
|
6
12
|
idempotency_key: z.ZodOptional<z.ZodString>;
|
|
7
13
|
cost_estimate: z.ZodOptional<z.ZodNumber>;
|
|
8
14
|
}, "strip", z.ZodTypeAny, {
|
|
9
|
-
action_type: "admin" | "read" | "write" | "financial";
|
|
10
15
|
tool: string;
|
|
16
|
+
action_type: "admin" | "read" | "write" | "financial";
|
|
11
17
|
payload: Record<string, unknown>;
|
|
12
18
|
idempotency_key?: string | undefined;
|
|
13
19
|
cost_estimate?: number | undefined;
|
|
14
20
|
}, {
|
|
15
|
-
action_type: "admin" | "read" | "write" | "financial";
|
|
16
21
|
tool: string;
|
|
22
|
+
action_type: "admin" | "read" | "write" | "financial";
|
|
17
23
|
payload: Record<string, unknown>;
|
|
18
24
|
idempotency_key?: string | undefined;
|
|
19
25
|
cost_estimate?: number | undefined;
|
|
@@ -36,36 +42,53 @@ export declare const RegisterAgentSchema: z.ZodObject<{
|
|
|
36
42
|
}>;
|
|
37
43
|
export declare const PolicyRulesSchema: z.ZodObject<{
|
|
38
44
|
defaultMode: z.ZodEnum<["allow", "require_approval", "block"]>;
|
|
39
|
-
rules: z.ZodArray<z.ZodObject<{
|
|
45
|
+
rules: z.ZodArray<z.ZodEffects<z.ZodObject<{
|
|
40
46
|
action_type: z.ZodOptional<z.ZodEnum<["read", "write", "financial", "admin"]>>;
|
|
41
47
|
tool: z.ZodOptional<z.ZodString>;
|
|
42
48
|
domain: z.ZodOptional<z.ZodString>;
|
|
43
49
|
decision: z.ZodEnum<["ALLOW", "REQUIRE_APPROVAL", "BLOCK"]>;
|
|
44
50
|
require_two_approvals: z.ZodOptional<z.ZodBoolean>;
|
|
51
|
+
allowed_approvers: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
|
|
45
52
|
}, "strip", z.ZodTypeAny, {
|
|
46
53
|
decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
|
|
47
|
-
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
48
54
|
tool?: string | undefined;
|
|
55
|
+
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
49
56
|
domain?: string | undefined;
|
|
50
57
|
require_two_approvals?: boolean | undefined;
|
|
58
|
+
allowed_approvers?: string[] | undefined;
|
|
51
59
|
}, {
|
|
52
60
|
decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
|
|
61
|
+
tool?: string | undefined;
|
|
53
62
|
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
63
|
+
domain?: string | undefined;
|
|
64
|
+
require_two_approvals?: boolean | undefined;
|
|
65
|
+
allowed_approvers?: string[] | undefined;
|
|
66
|
+
}>, {
|
|
67
|
+
decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
|
|
54
68
|
tool?: string | undefined;
|
|
69
|
+
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
55
70
|
domain?: string | undefined;
|
|
56
71
|
require_two_approvals?: boolean | undefined;
|
|
72
|
+
allowed_approvers?: string[] | undefined;
|
|
73
|
+
}, {
|
|
74
|
+
decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
|
|
75
|
+
tool?: string | undefined;
|
|
76
|
+
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
77
|
+
domain?: string | undefined;
|
|
78
|
+
require_two_approvals?: boolean | undefined;
|
|
79
|
+
allowed_approvers?: string[] | undefined;
|
|
57
80
|
}>, "many">;
|
|
58
81
|
http: z.ZodOptional<z.ZodObject<{
|
|
59
82
|
allowedDomains: z.ZodArray<z.ZodString, "many">;
|
|
60
|
-
allowedMethods: z.ZodArray<z.
|
|
83
|
+
allowedMethods: z.ZodArray<z.ZodEnum<["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]>, "many">;
|
|
61
84
|
blockList: z.ZodArray<z.ZodString, "many">;
|
|
62
85
|
}, "strip", z.ZodTypeAny, {
|
|
63
86
|
allowedDomains: string[];
|
|
64
|
-
allowedMethods:
|
|
87
|
+
allowedMethods: ("GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "HEAD" | "OPTIONS")[];
|
|
65
88
|
blockList: string[];
|
|
66
89
|
}, {
|
|
67
90
|
allowedDomains: string[];
|
|
68
|
-
allowedMethods:
|
|
91
|
+
allowedMethods: ("GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "HEAD" | "OPTIONS")[];
|
|
69
92
|
blockList: string[];
|
|
70
93
|
}>>;
|
|
71
94
|
limits: z.ZodOptional<z.ZodObject<{
|
|
@@ -82,14 +105,15 @@ export declare const PolicyRulesSchema: z.ZodObject<{
|
|
|
82
105
|
defaultMode: "allow" | "require_approval" | "block";
|
|
83
106
|
rules: {
|
|
84
107
|
decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
|
|
85
|
-
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
86
108
|
tool?: string | undefined;
|
|
109
|
+
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
87
110
|
domain?: string | undefined;
|
|
88
111
|
require_two_approvals?: boolean | undefined;
|
|
112
|
+
allowed_approvers?: string[] | undefined;
|
|
89
113
|
}[];
|
|
90
114
|
http?: {
|
|
91
115
|
allowedDomains: string[];
|
|
92
|
-
allowedMethods:
|
|
116
|
+
allowedMethods: ("GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "HEAD" | "OPTIONS")[];
|
|
93
117
|
blockList: string[];
|
|
94
118
|
} | undefined;
|
|
95
119
|
limits?: {
|
|
@@ -100,14 +124,15 @@ export declare const PolicyRulesSchema: z.ZodObject<{
|
|
|
100
124
|
defaultMode: "allow" | "require_approval" | "block";
|
|
101
125
|
rules: {
|
|
102
126
|
decision: "ALLOW" | "REQUIRE_APPROVAL" | "BLOCK";
|
|
103
|
-
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
104
127
|
tool?: string | undefined;
|
|
128
|
+
action_type?: "admin" | "read" | "write" | "financial" | undefined;
|
|
105
129
|
domain?: string | undefined;
|
|
106
130
|
require_two_approvals?: boolean | undefined;
|
|
131
|
+
allowed_approvers?: string[] | undefined;
|
|
107
132
|
}[];
|
|
108
133
|
http?: {
|
|
109
134
|
allowedDomains: string[];
|
|
110
|
-
allowedMethods:
|
|
135
|
+
allowedMethods: ("GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "HEAD" | "OPTIONS")[];
|
|
111
136
|
blockList: string[];
|
|
112
137
|
} | undefined;
|
|
113
138
|
limits?: {
|
|
@@ -118,11 +143,47 @@ export declare const PolicyRulesSchema: z.ZodObject<{
|
|
|
118
143
|
export declare const ApproveRequestSchema: z.ZodObject<{
|
|
119
144
|
action: z.ZodEnum<["approve", "deny"]>;
|
|
120
145
|
reason: z.ZodOptional<z.ZodString>;
|
|
146
|
+
reply_message: z.ZodOptional<z.ZodString>;
|
|
147
|
+
/** Server-side biometric challenge token (mobile clients only) */
|
|
148
|
+
biometric_challenge: z.ZodOptional<z.ZodString>;
|
|
121
149
|
}, "strip", z.ZodTypeAny, {
|
|
122
150
|
action: "approve" | "deny";
|
|
123
151
|
reason?: string | undefined;
|
|
152
|
+
reply_message?: string | undefined;
|
|
153
|
+
biometric_challenge?: string | undefined;
|
|
124
154
|
}, {
|
|
125
155
|
action: "approve" | "deny";
|
|
126
156
|
reason?: string | undefined;
|
|
157
|
+
reply_message?: string | undefined;
|
|
158
|
+
biometric_challenge?: string | undefined;
|
|
159
|
+
}>;
|
|
160
|
+
export declare const SendMessageSchema: z.ZodObject<{
|
|
161
|
+
content: z.ZodString;
|
|
162
|
+
thread_id: z.ZodOptional<z.ZodString>;
|
|
163
|
+
expires_at: z.ZodOptional<z.ZodString>;
|
|
164
|
+
metadata: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
|
|
165
|
+
}, "strip", z.ZodTypeAny, {
|
|
166
|
+
content: string;
|
|
167
|
+
thread_id?: string | undefined;
|
|
168
|
+
expires_at?: string | undefined;
|
|
169
|
+
metadata?: Record<string, unknown> | undefined;
|
|
170
|
+
}, {
|
|
171
|
+
content: string;
|
|
172
|
+
thread_id?: string | undefined;
|
|
173
|
+
expires_at?: string | undefined;
|
|
174
|
+
metadata?: Record<string, unknown> | undefined;
|
|
175
|
+
}>;
|
|
176
|
+
export declare const AgentSendMessageSchema: z.ZodObject<{
|
|
177
|
+
content: z.ZodString;
|
|
178
|
+
thread_id: z.ZodString;
|
|
179
|
+
metadata: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
|
|
180
|
+
}, "strip", z.ZodTypeAny, {
|
|
181
|
+
content: string;
|
|
182
|
+
thread_id: string;
|
|
183
|
+
metadata?: Record<string, unknown> | undefined;
|
|
184
|
+
}, {
|
|
185
|
+
content: string;
|
|
186
|
+
thread_id: string;
|
|
187
|
+
metadata?: Record<string, unknown> | undefined;
|
|
127
188
|
}>;
|
|
128
189
|
//# sourceMappingURL=schemas.d.ts.map
|
package/dist/schemas.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;
|
|
1
|
+
{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAQxB;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,yEA8B1B,CAAC;AAEJ,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;EASnC,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;EAK9B,CAAC;AAIH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAyB5B,CAAC;AAEH,eAAO,MAAM,oBAAoB;;;;IAI/B,kEAAkE;;;;;;;;;;;;EAElE,CAAC;AAKH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;EAQ5B,CAAC;AAEH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;EAOjC,CAAC"}
|
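--- a/package/dist/schemas.js
+++ b/package/dist/schemas.js
@@ -1,15 +1,49 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ApproveRequestSchema = exports.PolicyRulesSchema = exports.RegisterAgentSchema = exports.AgentActionRequestSchema = void 0;
+exports.AgentSendMessageSchema = exports.SendMessageSchema = exports.ApproveRequestSchema = exports.PolicyRulesSchema = exports.RegisterAgentSchema = exports.AgentActionRequestSchema = exports.WebhookUrlSchema = void 0;
 const zod_1 = require("zod");
 /** Max payload size: 64KB when serialized */
 const MAX_PAYLOAD_SIZE = 65_536;
+/** Maximum length for webhook URLs (standard URL length limit) */
+const MAX_WEBHOOK_URL_LENGTH = 2048;
+/**
+* Reusable Zod schema for webhook URLs.
+* Enforces: max length 2048, valid URL syntax, HTTPS-only,
+* and rejects private/internal hostnames at parse time.
+*/
+exports.WebhookUrlSchema = zod_1.z
+.string()
+.max(MAX_WEBHOOK_URL_LENGTH, `Webhook URL exceeds maximum length (${MAX_WEBHOOK_URL_LENGTH} characters)`)
+.refine((val) => {
+try {
+const parsed = new URL(val);
+return parsed.protocol === 'https:';
+}
+catch {
+return false;
+}
+}, { message: 'Webhook URL must be a valid HTTPS URL' })
+.refine((val) => {
+try {
+const parsed = new URL(val);
+const hostname = parsed.hostname;
+const privatePatterns = [
+/^127\./, /^10\./, /^172\.(1[6-9]|2\d|3[01])\./,
+/^192\.168\./, /^169\.254\./, /^0\./,
+/^localhost$/i, /\.local$/i, /\.internal$/i,
+];
+return !privatePatterns.some((p) => p.test(hostname));
+}
+catch {
+return false;
+}
+}, { message: 'Webhook URL cannot target private or internal addresses' });
 exports.AgentActionRequestSchema = zod_1.z.object({
 action_type: zod_1.z.enum(['read', 'write', 'financial', 'admin']),
 tool: zod_1.z.string().min(1).max(100).regex(/^[a-zA-Z0-9._\-:]+$/, 'Tool name must be alphanumeric with dots, dashes, underscores, or colons'),
 payload: zod_1.z.record(zod_1.z.unknown()).refine((val) => JSON.stringify(val).length <= MAX_PAYLOAD_SIZE, { message: `Payload exceeds maximum size of ${MAX_PAYLOAD_SIZE} bytes` }),
 idempotency_key: zod_1.z.string().max(128).optional(),
-cost_estimate: zod_1.z.number().optional(),
+cost_estimate: zod_1.z.number().nonnegative().optional(),
 });
 exports.RegisterAgentSchema = zod_1.z.object({
 name: zod_1.z.string().min(1).max(100),
@@ -17,31 +51,49 @@ exports.RegisterAgentSchema = zod_1.z.object({
 public_key: zod_1.z.string().min(40),
 allowed_tools: zod_1.z.array(zod_1.z.string()).default([]),
 });
+const DOMAIN_RE = /^(\*\.)?([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)*[a-zA-Z]{2,}$/;
 exports.PolicyRulesSchema = zod_1.z.object({
 defaultMode: zod_1.z.enum(['allow', 'require_approval', 'block']),
 rules: zod_1.z.array(zod_1.z.object({
 action_type: zod_1.z.enum(['read', 'write', 'financial', 'admin']).optional(),
-tool: zod_1.z.string().optional(),
-domain: zod_1.z.string().optional(),
+tool: zod_1.z.string().max(100).regex(/^[a-zA-Z0-9._\-:]+$/, 'Tool name must be alphanumeric with dots, dashes, underscores, or colons').optional(),
+domain: zod_1.z.string().regex(DOMAIN_RE, 'Invalid domain format').optional(),
 decision: zod_1.z.enum(['ALLOW', 'REQUIRE_APPROVAL', 'BLOCK']),
 require_two_approvals: zod_1.z.boolean().optional(),
-
+allowed_approvers: zod_1.z.array(zod_1.z.string().uuid()).optional(),
+}).refine(r => r.action_type || r.tool, { message: 'Rule must specify action_type or tool' })).max(100),
 http: zod_1.z
 .object({
-allowedDomains: zod_1.z.array(zod_1.z.string()),
-allowedMethods: zod_1.z.array(zod_1.z.
-blockList: zod_1.z.array(zod_1.z.string()),
+allowedDomains: zod_1.z.array(zod_1.z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
+allowedMethods: zod_1.z.array(zod_1.z.enum(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'])),
+blockList: zod_1.z.array(zod_1.z.string().min(1).max(253).regex(DOMAIN_RE, 'Invalid domain format')),
 })
 .optional(),
 limits: zod_1.z
 .object({
-maxCostPerAction: zod_1.z.number().optional(),
-maxActionsPerHour: zod_1.z.number().optional(),
+maxCostPerAction: zod_1.z.number().nonnegative().optional(),
+maxActionsPerHour: zod_1.z.number().nonnegative().optional(),
 })
 .optional(),
 });
 exports.ApproveRequestSchema = zod_1.z.object({
 action: zod_1.z.enum(['approve', 'deny']),
 reason: zod_1.z.string().max(1000).optional(),
+reply_message: zod_1.z.string().max(2000).optional(),
+/** Server-side biometric challenge token (mobile clients only) */
+biometric_challenge: zod_1.z.string().uuid().optional(),
+});
+/** Max metadata size: 8KB when serialized (prevents storage exhaustion) */
+const MAX_METADATA_SIZE = 8_192;
+exports.SendMessageSchema = zod_1.z.object({
+content: zod_1.z.string().min(1).max(4096),
+thread_id: zod_1.z.string().uuid().optional(),
+expires_at: zod_1.z.string().datetime().optional(),
+metadata: zod_1.z.record(zod_1.z.unknown()).refine((val) => JSON.stringify(val).length <= MAX_METADATA_SIZE, { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }).optional(),
+});
+exports.AgentSendMessageSchema = zod_1.z.object({
+content: zod_1.z.string().min(1).max(4096),
+thread_id: zod_1.z.string().uuid(),
+metadata: zod_1.z.record(zod_1.z.unknown()).refine((val) => JSON.stringify(val).length <= MAX_METADATA_SIZE, { message: `Metadata exceeds maximum size of ${MAX_METADATA_SIZE} bytes` }).optional(),
 });
 //# sourceMappingURL=schemas.js.map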
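Review bot: The private-host refine in WebhookUrlSchema (first hunk) only string-matches the parsed hostname, so it does not cover IPv6 loopback or unique-local literals (`[::1]`, `[fd00::…]`), IPv4-mapped IPv6 forms, or the CGNAT range 100.64.0.0/10, and a public name that resolves to an internal address passes untouched; adding `/^\[/` (reject bracketed IPv6 literals outright) and `/^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./` to privatePatterns tightens the parse-time filter, but the component that actually delivers webhooks still has to re-check the resolved address at connect time and on every redirect, and the doc comment's "at parse time" wording should say so. The same hunk parses the URL once per refine; a single `superRefine` that parses once and emits both messages would read more clearly. In the second hunk `allowed_approvers`, `allowedDomains` and `blockList` are unbounded arrays while `rules` is capped with `.max(100)`, so a policy document can still carry arbitrarily large lists — a `.max()` on each would match the existing limit. As with the other dist files, the fix belongs in src/schemas.ts and this compiled copy should be regenerated from it.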
package/dist/schemas.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AAExB,6CAA6C;AAC7C,MAAM,gBAAgB,GAAG,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../src/schemas.ts"],"names":[],"mappings":";;;AAAA,6BAAwB;AAExB,6CAA6C;AAC7C,MAAM,gBAAgB,GAAG,MAAM,CAAC;AAEhC,kEAAkE;AAClE,MAAM,sBAAsB,GAAG,IAAI,CAAC;AAEpC;;;;GAIG;AACU,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,EAAE;KACR,GAAG,CAAC,sBAAsB,EAAE,uCAAuC,sBAAsB,cAAc,CAAC;KACxG,MAAM,CACL,CAAC,GAAG,EAAE,EAAE;IACN,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC,EACD,EAAE,OAAO,EAAE,uCAAuC,EAAE,CACrD;KACA,MAAM,CACL,CAAC,GAAG,EAAE,EAAE;IACN,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QACjC,MAAM,eAAe,GAAG;YACtB,QAAQ,EAAE,OAAO,EAAE,4BAA4B;YAC/C,aAAa,EAAE,aAAa,EAAE,MAAM;YACpC,cAAc,EAAE,WAAW,EAAE,cAAc;SAC5C,CAAC;QACF,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC,EACD,EAAE,OAAO,EAAE,yDAAyD,EAAE,CACvE,CAAC;AAES,QAAA,wBAAwB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC/C,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IAC5D,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,qBAAqB,EAAE,0EAA0E,CAAC;IACzI,OAAO,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CACnC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,gBAAgB,EACvD,EAAE,OAAO,EAAE,mCAAmC,gBAAgB,QAAQ,EAAE,CACzE;IACD,eAAe,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE;IAC/C,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;CACnD,CAAC,CAAC;AAEU,QAAA,mBAAmB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC1C,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC;IACnF,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;IAC9B,aAAa,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EA
AE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CAC/C,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,kEAAkE,CAAC;AAExE,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC;IAC3D,KAAK,EAAE,OAAC,CAAC,KAAK,CACZ,OAAC,CAAC,MAAM,CAAC;QACP,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;QACvE,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,qBAAqB,EAAE,0EAA0E,CAAC,CAAC,QAAQ,EAAE;QAC7I,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC,QAAQ,EAAE;QACvE,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,CAAC,CAAC;QACxD,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAC7C,iBAAiB,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE;KACzD,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC,CAC9F,CAAC,GAAG,CAAC,GAAG,CAAC;IACV,IAAI,EAAE,OAAC;SACJ,MAAM,CAAC;QACN,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC;QAC7F,cAAc,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;QAC7F,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC;KACzF,CAAC;SACD,QAAQ,EAAE;IACb,MAAM,EAAE,OAAC;SACN,MAAM,CAAC;QACN,gBAAgB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;QACrD,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,EAAE;KACvD,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC3C,MAAM,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;IACnC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE;IACvC,aAAa,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE;IAC9C,kEAAkE;IAClE,mBAAmB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;CAClD,CAAC,CAAC;A
AEH,2EAA2E;AAC3E,MAAM,iBAAiB,GAAG,KAAK,CAAC;AAEnB,QAAA,iBAAiB,GAAG,OAAC,CAAC,MAAM,CAAC;IACxC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACpC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;IAC5C,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CACpC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,iBAAiB,EACxD,EAAE,OAAO,EAAE,oCAAoC,iBAAiB,QAAQ,EAAE,CAC3E,CAAC,QAAQ,EAAE;CACb,CAAC,CAAC;AAEU,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACpC,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IAC5B,QAAQ,EAAE,OAAC,CAAC,MAAM,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CACpC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,iBAAiB,EACxD,EAAE,OAAO,EAAE,oCAAoC,iBAAiB,QAAQ,EAAE,CAC3E,CAAC,QAAQ,EAAE;CACb,CAAC,CAAC"}
|
package/dist/types.d.ts
CHANGED
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,CAAC;AACtE,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,CAAC;AAC7D,MAAM,MAAM,gBAAgB,GAAG,aAAa,GAAG,SAAS,GAAG,YAAY,CAAC;AACxE,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,uBAAuB,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,CAAC;AACnH,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,SAAS,GAAG,WAAW,GAAG,QAAQ,GAAG,QAAQ,CAAC;AACxF,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,WAAW,GAAG,OAAO,CAAC;AAClE,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,kBAAkB,GAAG,OAAO,CAAC;AACpE,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,aAAa,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,gBAAgB,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,EAAE,WAAW,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,EAAE,WAAW,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE,OAAO,GAAG,kBAAkB,GAAG,OAAO,CAAC;IACpD,KAAK,EAAE,UAAU,EAA
E,CAAC;IACpB,IAAI,CAAC,EAAE;QACL,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,SAAS,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF,MAAM,CAAC,EAAE;QACP,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,qBAAqB,CAAC,EAAE,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,CAAC;AACtE,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,CAAC;AAC7D,MAAM,MAAM,gBAAgB,GAAG,aAAa,GAAG,SAAS,GAAG,YAAY,CAAC;AACxE,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,uBAAuB,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,GAAG,WAAW,CAAC;AACnH,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,SAAS,GAAG,WAAW,GAAG,QAAQ,GAAG,QAAQ,CAAC;AACxF,MAAM,MAAM,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,WAAW,GAAG,OAAO,CAAC;AAClE,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,kBAAkB,GAAG,OAAO,CAAC;AACpE,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE/D,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,gBAAgB,EAAE,OAAO,CAAC;IAC1B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,cAAc,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,aAAa,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,gBAAgB,CAAC;IAC9B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,MAAM,EAAE,WAAW,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,EAAE,WAAW,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,WAAW,EAAE,OAAO,GAAG,kBAAkB,GAAG,OAAO,CAAC;IACpD,KAAK,EAAE,UAAU,EAA
E,CAAC;IACpB,IAAI,CAAC,EAAE;QACL,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,SAAS,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC;IACF,MAAM,CAAC,EAAE;QACP,gBAAgB,CAAC,EAAE,MAAM,CAAC;QAC1B,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,CAAC,EAAE,UAAU,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;IACzB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,cAAc,CAAC;IACzB,UAAU,EAAE,SAAS,CAAC;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,CAAC,EAAE,UAAU,CAAC;CAC3B;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,cAAc,CAAC;IACvB,WAAW,EAAE,UAAU,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,aAAa,CAAC;IACvB,UAAU,EAAE,SAAS,CAAC;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,sBAAsB,EAAE,OAAO,CAAC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,UAAU,CAAC;IACxB,MAAM,EAAE,eAAe,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC3C,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC7C,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EA
AE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,oBAAoB,GAAG,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEnE,MAAM,MAAM,WAAW,GACnB,cAAc,GACd,eAAe,GACf,cAAc,GACd,0BAA0B,GAC1B,kBAAkB,GAClB,kBAAkB,GAClB,oBAAoB,GACpB,mBAAmB,GACnB,gBAAgB,GAChB,gBAAgB,GAChB,eAAe,CAAC;AAEpB,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,oBAAoB,CAAC;IAC7B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,UAAU,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,cAAc,CAAC;IACzB,MAAM,EAAE,cAAc,GAAG,SAAS,GAAG,SAAS,CAAC;IAC/C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB"}
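--- a/package/src/__tests__/crypto.test.ts
+++ b/package/src/__tests__/crypto.test.ts
@@ -0,0 +1,169 @@
+import { describe, it, expect } from 'vitest';
+import nacl from 'tweetnacl';
+import { encodeBase64 } from 'tweetnacl-util';
+import {
+encrypt,
+decrypt,
+envelopeEncrypt,
+envelopeDecrypt,
+generateKey,
+encryptCredential,
+decryptCredential,
+} from '../crypto.js';
+
+// Deterministic test key (not from env -- tests must not depend on MASTER_KEY)
+const testMasterKey = nacl.randomBytes(32);
+
+describe('encrypt / decrypt (low-level)', () => {
+it('round-trips a string', () => {
+const data = 'hello world';
+const encrypted = encrypt(data, testMasterKey);
+expect(encrypted).not.toBe(data);
+expect(decrypt(encrypted, testMasterKey)).toBe(data);
+});
+
+it('produces different ciphertext each call (random nonce)', () => {
+const data = 'deterministic?';
+const a = encrypt(data, testMasterKey);
+const b = encrypt(data, testMasterKey);
+expect(a).not.toBe(b);
+});
+
+it('rejects wrong key', () => {
+const data = 'secret';
+const encrypted = encrypt(data, testMasterKey);
+const wrongKey = nacl.randomBytes(32);
+expect(() => decrypt(encrypted, wrongKey)).toThrow('Decryption failed');
+});
+
+it('handles empty string', () => {
+const encrypted = encrypt('', testMasterKey);
+expect(decrypt(encrypted, testMasterKey)).toBe('');
+});
+
+it('handles unicode', () => {
+const data = 'Hello unicode world';
+const encrypted = encrypt(data, testMasterKey);
+expect(decrypt(encrypted, testMasterKey)).toBe(data);
+});
+});
+
+describe('envelopeEncrypt / envelopeDecrypt', () => {
+it('round-trips a string', () => {
+const data = 'envelope test data';
+const encrypted = envelopeEncrypt(data, testMasterKey);
+expect(encrypted).toMatch(/^env1:/);
+expect(envelopeDecrypt(encrypted, testMasterKey)).toBe(data);
+});
+
+it('produces different ciphertext each call (fresh DEK + nonce)', () => {
+const data = 'same data';
+const a = envelopeEncrypt(data, testMasterKey);
+const b = envelopeEncrypt(data, testMasterKey);
+expect(a).not.toBe(b);
+});
+
+it('rejects wrong master key', () => {
+const data = 'secret';
+const encrypted = envelopeEncrypt(data, testMasterKey);
+const wrongKey = nacl.randomBytes(32);
+expect(() => envelopeDecrypt(encrypted, wrongKey)).toThrow();
+});
+
+it('handles empty string', () => {
+const encrypted = envelopeEncrypt('', testMasterKey);
+expect(envelopeDecrypt(encrypted, testMasterKey)).toBe('');
+});
+
+it('handles large data', () => {
+const data = 'x'.repeat(100_000);
+const encrypted = envelopeEncrypt(data, testMasterKey);
+expect(envelopeDecrypt(encrypted, testMasterKey)).toBe(data);
+});
+
+it('handles JSON data', () => {
+const obj = { tool: 'http', payload: { url: 'https://example.com' }, nested: [1, 2, 3] };
+const data = JSON.stringify(obj);
+const encrypted = envelopeEncrypt(data, testMasterKey);
+const decrypted = JSON.parse(envelopeDecrypt(encrypted, testMasterKey));
+expect(decrypted).toEqual(obj);
+});
+
+it('envelopeDecrypt rejects non-envelope data', () => {
+const legacy = encrypt('legacy data', testMasterKey);
+expect(() => envelopeDecrypt(legacy, testMasterKey)).toThrow('missing env1: prefix');
+});
+
+it('rejects malformed envelope (no separator)', () => {
+expect(() => envelopeDecrypt('env1:nodatahere', testMasterKey)).toThrow('missing DEK/payload separator');
+});
+
+it('rejects malformed envelope (empty parts)', () => {
+// env1:: has withoutPrefix=":" where lastIndexOf(':') returns 0,
+// caught by the separatorIndex <= 0 check
+expect(() => envelopeDecrypt('env1::', testMasterKey)).toThrow('missing DEK/payload separator');
+// env1:abc: has empty payload after separator
+expect(() => envelopeDecrypt('env1:abc:', testMasterKey)).toThrow('empty DEK or payload');
+});
+});
+
+describe('decrypt() backward compatibility', () => {
+it('transparently decrypts envelope-encrypted data', () => {
+const data = 'new envelope data';
+const encrypted = envelopeEncrypt(data, testMasterKey);
+// decrypt() should auto-detect the env1: prefix and handle it
+expect(decrypt(encrypted, testMasterKey)).toBe(data);
+});
+
+it('still decrypts legacy direct-encrypted data', () => {
+const data = 'legacy direct data';
+const encrypted = encrypt(data, testMasterKey);
+// Legacy data should still work with decrypt()
+expect(decrypt(encrypted, testMasterKey)).toBe(data);
+});
+
+it('handles mixed legacy and envelope data in sequence', () => {
+const legacyData = 'old format';
+const envelopeData = 'new format';
+
+const legacyEncrypted = encrypt(legacyData, testMasterKey);
+const envelopeEncrypted = envelopeEncrypt(envelopeData, testMasterKey);
+
+// Both should decrypt through the same decrypt() function
+expect(decrypt(legacyEncrypted, testMasterKey)).toBe(legacyData);
+expect(decrypt(envelopeEncrypted, testMasterKey)).toBe(envelopeData);
+});
+});
+
+describe('encryptCredential / decryptCredential (existing DEK pattern)', () => {
+it('still works correctly after envelope changes', () => {
+const payload = { api_key: 'sk-test-12345', name: 'test-cred' };
+const { encryptedDEK, encryptedPayload } = encryptCredential(payload, testMasterKey);
+const decrypted = decryptCredential(encryptedDEK, encryptedPayload, testMasterKey);
+expect(decrypted).toEqual(payload);
+});
+});
+
+describe('envelope format structure', () => {
+it('has exactly the env1:wrappedDEK:payload format', () => {
+const encrypted = envelopeEncrypt('test', testMasterKey);
+const parts = encrypted.split(':');
+// Should be: "env1", wrappedDEK (base64), payload (base64)
+expect(parts[0]).toBe('env1');
+expect(parts.length).toBe(3);
+// Both parts after prefix should be valid base64
+expect(parts[1].length).toBeGreaterThan(0);
+expect(parts[2].length).toBeGreaterThan(0);
+});
+
+it('base64 parts do not contain colons', () => {
+// Run multiple times to catch edge cases with different random nonces
+for (let i = 0; i < 20; i++) {
+const encrypted = envelopeEncrypt(`test data ${i}`, testMasterKey);
+const withoutPrefix = encrypted.slice(5); // remove "env1:"
+const colonCount = (withoutPrefix.match(/:/g) || []).length;
+// Exactly one colon separating wrappedDEK and payload
+expect(colonCount).toBe(1);
+}
+});
+});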
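Review bot: The comment on line 14 calls `testMasterKey` a "Deterministic test key", but line 15 derives it from `nacl.randomBytes(32)`, so every run uses a different key and a failing case cannot be reproduced; either fix the wording to `// Per-run random test key (not from env -- tests must not depend on MASTER_KEY)` or use a fixed 32-byte value such as `const testMasterKey = new Uint8Array(32).fill(7);`. The 'handles unicode' case (lines 44-48) encrypts the pure-ASCII string 'Hello unicode world', so it never exercises multi-byte UTF-8 encoding; a plaintext containing non-ASCII code points would make the test name true. The envelope 'rejects wrong master key' case (line 70) uses a bare `.toThrow()`, which also passes if the failure is a parse error rather than an authentication failure; asserting the specific message, as the low-level case on line 36 does, pins the intended behaviour. No case checks that a tampered or truncated ciphertext is rejected, which is the property that distinguishes authenticated encryption from a plain round-trip; a test that alters one character of the payload part and expects `envelopeDecrypt` to throw would cover it. `encodeBase64` (line 3) and `generateKey` (line 9) are imported but never used.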