agentlock-shared 0.2.0 → 0.3.0

package/src/crypto.ts

@@ -1,235 +0,0 @@
-import nacl from 'tweetnacl';
-import { encodeBase64, decodeBase64 } from 'tweetnacl-util';
-
-/**
- * Envelope encryption prefix. Data encrypted with envelopeEncrypt() is
- * stored as a single string: "env1:<base64-wrappedDEK>:<base64-payload>".
- * The decrypt() function detects this prefix and automatically unwraps
- * using the DEK, maintaining backward compatibility with legacy data
- * encrypted directly with MASTER_KEY.
- */
-const ENVELOPE_PREFIX = 'env1:';
-
-export function generateKey(): Uint8Array {
-  return nacl.randomBytes(32);
-}
-
-/**
- * Low-level symmetric encryption using a provided key.
- * Callers that need envelope encryption (per-data DEK) should use
- * envelopeEncrypt() instead.
- */
-export function encrypt(data: string, key: Uint8Array): string {
-  const nonce = nacl.randomBytes(nacl.secretbox.nonceLength);
-  const message = new TextEncoder().encode(data);
-  const box = nacl.secretbox(message, nonce, key);
-
-  const combined = new Uint8Array(nonce.length + box.length);
-  combined.set(nonce);
-  combined.set(box, nonce.length);
-
-  return encodeBase64(combined);
-}
-
-/**
- * Low-level symmetric decryption. Handles both envelope-encrypted data
- * (prefixed with "env1:") and legacy direct-key encrypted data.
- *
- * For envelope data: unwraps the per-data DEK using the master key,
- * then decrypts the payload with the DEK.
- *
- * For legacy data: decrypts directly with the provided key, falling
- * back to MASTER_KEY_PREVIOUS for key rotation support.
- */
-export function decrypt(encryptedData: string, key: Uint8Array): string {
-  // Detect envelope-encrypted format and handle transparently
-  if (encryptedData.startsWith(ENVELOPE_PREFIX)) {
-    return envelopeDecryptInternal(encryptedData, key);
-  }
-
-  // Legacy format: data encrypted directly with MASTER_KEY
-  const combined = decodeBase64(encryptedData);
-  const nonce = combined.slice(0, nacl.secretbox.nonceLength);
-  const box = combined.slice(nacl.secretbox.nonceLength);
-
-  const message = nacl.secretbox.open(box, nonce, key);
-  if (message) {
-    return new TextDecoder().decode(message);
-  }
-
-  // Try previous master key for rotation support
-  const prevKey = getPreviousMasterKey();
-  if (prevKey) {
-    const message2 = nacl.secretbox.open(box, nonce, prevKey);
-    if (message2) {
-      return new TextDecoder().decode(message2);
-    }
-  }
-
-  throw new Error('Decryption failed: invalid key or corrupted data');
-}
-
-/**
- * Encrypt arbitrary data using a per-data DEK (envelope encryption).
- * Generates a fresh 256-bit DEK, encrypts the data with it, then wraps
- * the DEK with the provided master key. Returns a single string in the
- * format "env1:<wrappedDEK>:<encryptedPayload>" so it fits in a single
- * database column and is backward-compatible with decrypt().
- *
- * Use this instead of encrypt() for all data at rest. Each encrypted
- * value gets its own DEK, so compromising one ciphertext does not
- * expose other data -- the attacker still needs the master key to
- * unwrap any individual DEK.
- */
-export function envelopeEncrypt(data: string, masterKey: Uint8Array): string {
-  const dek = generateKey();
-  try {
-    const wrappedDEK = encrypt(encodeBase64(dek), masterKey);
-    const encryptedPayload = encrypt(data, dek);
-    return `${ENVELOPE_PREFIX}${wrappedDEK}:${encryptedPayload}`;
-  } finally {
-    // Zero DEK from memory after use (defense-in-depth against heap dumps)
-    dek.fill(0);
-  }
-}
-
-/**
- * Decrypt data produced by envelopeEncrypt(). Expects the "env1:" prefixed
- * format. For general use, call decrypt() which auto-detects the format.
- */
-export function envelopeDecrypt(encryptedData: string, masterKey: Uint8Array): string {
-  if (!encryptedData.startsWith(ENVELOPE_PREFIX)) {
-    throw new Error('Not an envelope-encrypted value (missing env1: prefix)');
-  }
-  return envelopeDecryptInternal(encryptedData, masterKey);
-}
-
-/**
- * Internal envelope decryption. Parses the "env1:wrappedDEK:payload" format,
- * unwraps the DEK, and decrypts the payload.
- */
-function envelopeDecryptInternal(encryptedData: string, masterKey: Uint8Array): string {
-  // Format: "env1:<base64-wrappedDEK>:<base64-encryptedPayload>"
-  // The wrapped DEK itself is a base64 string produced by encrypt(), which
-  // can contain '+', '/', '=' but never ':'. So we split on ':' after the prefix.
-  const withoutPrefix = encryptedData.slice(ENVELOPE_PREFIX.length);
-  const separatorIndex = withoutPrefix.lastIndexOf(':');
-  if (separatorIndex <= 0) {
-    throw new Error('Invalid envelope format: missing DEK/payload separator');
-  }
-  const wrappedDEK = withoutPrefix.slice(0, separatorIndex);
-  const encryptedPayload = withoutPrefix.slice(separatorIndex + 1);
-
-  if (!wrappedDEK || !encryptedPayload) {
-    throw new Error('Invalid envelope format: empty DEK or payload');
-  }
-
-  // Unwrap the DEK using the master key (with key-rotation fallback)
-  let dekBase64: string;
-  try {
-    dekBase64 = decrypt(wrappedDEK, masterKey);
-  } catch {
-    throw new Error('Envelope decryption failed: could not unwrap DEK');
-  }
-
-  const dek = decodeBase64(dekBase64);
-  try {
-    // Decrypt the payload using the per-data DEK
-    // Use low-level decryption here (not decrypt()) to avoid infinite
-    // recursion on the envelope prefix check -- the inner payload is
-    // always in legacy format.
-    const combined = decodeBase64(encryptedPayload);
-    const nonce = combined.slice(0, nacl.secretbox.nonceLength);
-    const box = combined.slice(nacl.secretbox.nonceLength);
-    const message = nacl.secretbox.open(box, nonce, dek);
-    if (!message) {
-      throw new Error('Envelope decryption failed: payload decryption failed');
-    }
-    return new TextDecoder().decode(message);
-  } finally {
-    // Zero DEK from memory after use
-    dek.fill(0);
-  }
-}
-
-export function encryptDEK(dek: Uint8Array, masterKey: Uint8Array): string {
-  return encrypt(encodeBase64(dek), masterKey);
-}
-
-export function decryptDEK(encryptedDEK: string, masterKey: Uint8Array): Uint8Array {
-  const dekBase64 = decrypt(encryptedDEK, masterKey);
-  return decodeBase64(dekBase64);
-}
-
-// Cache the decoded master key to avoid creating multiple copies in memory.
-// A single copy is preferable to many short-lived copies scattered on the heap.
-let _cachedMasterKey: Uint8Array | null = null;
-
-export function getMasterKey(): Uint8Array {
-  if (_cachedMasterKey) return _cachedMasterKey.slice();
-  const key = process.env.MASTER_KEY;
-  if (!key) throw new Error('MASTER_KEY environment variable not set');
-  _cachedMasterKey = decodeBase64(key);
-  return _cachedMasterKey.slice();
-}
-
-// Support MASTER_KEY rotation: try previous key when current key fails
-let _cachedPrevKey: Uint8Array | null = null;
-let _prevKeyChecked = false;
-
-export function getPreviousMasterKey(): Uint8Array | null {
-  if (_prevKeyChecked) return _cachedPrevKey ? _cachedPrevKey.slice() : null;
-  _prevKeyChecked = true;
-  const key = process.env.MASTER_KEY_PREVIOUS;
-  if (!key) return null;
-  _cachedPrevKey = decodeBase64(key);
-  return _cachedPrevKey.slice();
-}
-
-/** Zero and release cached master keys. Call on graceful shutdown. */
-export function clearCachedKeys(): void {
-  if (_cachedMasterKey) {
-    _cachedMasterKey.fill(0);
-    _cachedMasterKey = null;
-  }
-  if (_cachedPrevKey) {
-    _cachedPrevKey.fill(0);
-    _cachedPrevKey = null;
-  }
-  _prevKeyChecked = false;
-}
-
-export function generateMasterKey(): string {
-  return encodeBase64(generateKey());
-}
-
-export function encryptCredential(
-  payload: Record<string, unknown>,
-  masterKey: Uint8Array
-): { encryptedDEK: string; encryptedPayload: string } {
-  const dek = generateKey();
-  try {
-    const encryptedDEK = encryptDEK(dek, masterKey);
-    const encryptedPayload = encrypt(JSON.stringify(payload), dek);
-    return { encryptedDEK, encryptedPayload };
-  } finally {
-    // Zero DEK from memory after use (defense-in-depth against heap dumps)
-    dek.fill(0);
-  }
-}
-
-export function decryptCredential(
-  encryptedDEK: string,
-  encryptedPayload: string,
-  masterKey: Uint8Array
-): Record<string, unknown> {
-  const dek = decryptDEK(encryptedDEK, masterKey);
-  try {
-    const json = decrypt(encryptedPayload, dek);
-    return JSON.parse(json);
-  } finally {
-    // Best-effort: zero DEK from memory to minimize exposure window.
-    // Not guaranteed by JS runtime, but reduces risk of heap-dump leaks.
-    dek.fill(0);
-  }
-}

package/src/index.ts

@@ -1,8 +0,0 @@
-export * from './types.js';
-export * from './crypto.js';
-export * from './signing.js';
-export * from './policy.js';
-export * from './redact.js';
-export * from './schemas.js';
-export * from './plans.js';
-export * from './mcp-catalog.js';

package/src/mcp-catalog.ts

@@ -1,181 +0,0 @@
-export interface McpServerTemplate {
-  id: string;
-  name: string;
-  description: string;
-  serverUrl: string;
-  authType: 'bearer' | 'none';
-  authLabel?: string;
-  authPlaceholder?: string;
-  authHelpUrl?: string;
-  category: string;
-}
-
-export const MCP_CATALOG: McpServerTemplate[] = [
-  // --- Developer Tools ---
-  {
-    id: 'github',
-    name: 'GitHub',
-    description: 'Manage repos, issues, PRs, and code search',
-
-    serverUrl: 'https://api.githubcopilot.com/mcp/',
-    authType: 'bearer',
-    authLabel: 'Personal Access Token',
-    authPlaceholder: 'ghp_...',
-    authHelpUrl: 'https://github.com/settings/tokens',
-    category: 'Developer Tools',
-  },
-  {
-    id: 'gitlab',
-    name: 'GitLab',
-    description: 'Projects, merge requests, pipelines, and issues',
-
-    serverUrl: 'https://gitlab.com/-/mcp',
-    authType: 'bearer',
-    authLabel: 'Personal Access Token',
-    authPlaceholder: 'glpat-...',
-    authHelpUrl: 'https://gitlab.com/-/user_settings/personal_access_tokens',
-    category: 'Developer Tools',
-  },
-  {
-    id: 'linear',
-    name: 'Linear',
-    description: 'Issue tracking, projects, and team workflows',
-
-    serverUrl: 'https://mcp.linear.app/sse',
-    authType: 'bearer',
-    authLabel: 'API Key',
-    authPlaceholder: 'lin_api_...',
-    authHelpUrl: 'https://linear.app/settings/api',
-    category: 'Developer Tools',
-  },
-  {
-    id: 'sentry',
-    name: 'Sentry',
-    description: 'Error tracking, performance monitoring, and alerts',
-
-    serverUrl: 'https://mcp.sentry.dev/sse',
-    authType: 'bearer',
-    authLabel: 'Auth Token',
-    authPlaceholder: 'sntrys_...',
-    authHelpUrl: 'https://sentry.io/settings/account/api/auth-tokens/',
-    category: 'Developer Tools',
-  },
-
-  // --- Cloud & Infrastructure ---
-  {
-    id: 'cloudflare',
-    name: 'Cloudflare',
-    description: 'Workers, KV, D1, R2, and DNS management',
-    serverUrl: 'https://workers-mcp.cloudflare.com/mcp',
-    authType: 'bearer',
-    authLabel: 'API Token',
-    authPlaceholder: '',
-    authHelpUrl: 'https://dash.cloudflare.com/profile/api-tokens',
-    category: 'Cloud & Infrastructure',
-  },
-
-  // --- Communication ---
-  {
-    id: 'slack',
-    name: 'Slack',
-    description: 'Send messages, manage channels, and search conversations',
-    serverUrl: 'https://slack.com/api/mcp',
-    authType: 'bearer',
-    authLabel: 'Bot Token',
-    authPlaceholder: 'xoxb-...',
-    authHelpUrl: 'https://api.slack.com/apps',
-    category: 'Communication',
-  },
-
-  // --- Search & Data ---
-  {
-    id: 'brave-search',
-    name: 'Brave Search',
-    description: 'Web search, news, and local results',
-    serverUrl: 'https://mcp.brave.com/sse',
-    authType: 'bearer',
-    authLabel: 'API Key',
-    authPlaceholder: 'BSA...',
-    authHelpUrl: 'https://brave.com/search/api/',
-    category: 'Search & Data',
-  },
-
-  // --- Productivity ---
-  {
-    id: 'notion',
-    name: 'Notion',
-    description: 'Pages, databases, and workspace content',
-    serverUrl: 'https://mcp.notion.so/sse',
-    authType: 'bearer',
-    authLabel: 'Integration Token',
-    authPlaceholder: 'ntn_...',
-    authHelpUrl: 'https://www.notion.so/my-integrations',
-    category: 'Productivity',
-  },
-
-  // --- AI & LLMs ---
-  {
-    id: 'context7',
-    name: 'Context7',
-    description: 'Up-to-date documentation and code examples for any library',
-    serverUrl: 'https://mcp.context7.com/sse',
-    authType: 'none',
-    category: 'AI & LLMs',
-  },
-
-  // --- Databases ---
-  {
-    id: 'supabase',
-    name: 'Supabase',
-    description: 'Database queries, auth, storage, and edge functions',
-    serverUrl: 'https://mcp.supabase.com/sse',
-    authType: 'bearer',
-    authLabel: 'Access Token',
-    authPlaceholder: 'sbp_...',
-    authHelpUrl: 'https://supabase.com/dashboard/account/tokens',
-    category: 'Databases',
-  },
-  {
-    id: 'neon',
-    name: 'Neon',
-    description: 'Serverless Postgres — branches, queries, and management',
-    serverUrl: 'https://mcp.neon.tech/sse',
-    authType: 'bearer',
-    authLabel: 'API Key',
-    authPlaceholder: '',
-    authHelpUrl: 'https://console.neon.tech/app/settings/api-keys',
-    category: 'Databases',
-  },
-
-  // --- Payments ---
-  {
-    id: 'stripe',
-    name: 'Stripe',
-    description: 'Payments, subscriptions, customers, and invoices',
-    serverUrl: 'https://mcp.stripe.com/sse',
-    authType: 'bearer',
-    authLabel: 'Secret Key',
-    authPlaceholder: 'sk_...',
-    authHelpUrl: 'https://dashboard.stripe.com/apikeys',
-    category: 'Payments',
-  },
-
-  // --- Monitoring ---
-  {
-    id: 'grafana',
-    name: 'Grafana',
-    description: 'Dashboards, alerts, and observability data',
-    serverUrl: 'https://mcp.grafana.com/sse',
-    authType: 'bearer',
-    authLabel: 'Service Account Token',
-    authPlaceholder: 'glsa_...',
-    authHelpUrl: 'https://grafana.com/docs/grafana/latest/administration/service-accounts/',
-    category: 'Monitoring',
-  },
-];
-
-export const MCP_CATEGORIES = [...new Set(MCP_CATALOG.map((s) => s.category))];
-
-export function getMcpTemplate(id: string): McpServerTemplate | undefined {
-  return MCP_CATALOG.find((s) => s.id === id);
-}

package/src/plans.ts

@@ -1,116 +0,0 @@
-export type PlanId = 'free' | 'pro' | 'team';
-
-export interface PlanLimits {
-  actionsPerMonth: number;
-  agents: number;
-  credentials: number;
-  members: number;
-  policies: number;
-  timelineHistoryDays: number;
-  undoEnabled: boolean;
-  browserSessions: number;
-  messagesPerMonth: number;
-  messageHistoryDays: number;
-  threadsPerAgent: number;
-}
-
-export interface PlanDefinition extends PlanLimits {
-  id: PlanId;
-  name: string;
-  monthlyPrice: number; // USD cents
-  yearlyPrice: number; // USD cents (total per year)
-  stripePriceMonthly: string;
-  stripePriceYearly: string;
-}
-
-export const PLANS: Record<PlanId, PlanDefinition> = {
-  free: {
-    id: 'free',
-    name: 'Free',
-    monthlyPrice: 0,
-    yearlyPrice: 0,
-    stripePriceMonthly: '',
-    stripePriceYearly: '',
-    actionsPerMonth: 1000,
-    agents: 3,
-    credentials: 2,
-    members: 1,
-    policies: 3,
-    timelineHistoryDays: 14,
-    undoEnabled: false,
-    browserSessions: 0,
-    messagesPerMonth: 100,
-    messageHistoryDays: 7,
-    threadsPerAgent: 5,
-  },
-  pro: {
-    id: 'pro',
-    name: 'Pro',
-    monthlyPrice: 900,
-    yearlyPrice: 7900,
-    stripePriceMonthly: 'price_1T6b3m2NRlIkxMrBZ9bmEDYE',
-    stripePriceYearly: 'price_1T6b3m2NRlIkxMrBo2yx01sJ',
-    actionsPerMonth: Infinity,
-    agents: 10,
-    credentials: 25,
-    members: 5,
-    policies: 10,
-    timelineHistoryDays: 90,
-    undoEnabled: true,
-    browserSessions: 2,
-    messagesPerMonth: 5000,
-    messageHistoryDays: 30,
-    threadsPerAgent: 50,
-  },
-  team: {
-    id: 'team',
-    name: 'Team',
-    monthlyPrice: 4900,
-    yearlyPrice: 41000,
-    stripePriceMonthly: 'price_1T6b3n2NRlIkxMrBstkfVECC',
-    stripePriceYearly: 'price_1T6b3o2NRlIkxMrBzHoQKPjz',
-    actionsPerMonth: Infinity,
-    agents: 50,
-    credentials: Infinity,
-    members: 25,
-    policies: 50,
-    timelineHistoryDays: 365,
-    undoEnabled: true,
-    browserSessions: 5,
-    messagesPerMonth: Infinity,
-    messageHistoryDays: 90,
-    threadsPerAgent: Infinity,
-  },
-} as const;
-
-export function getPlanLimits(plan: string): PlanLimits {
-  const def = PLANS[plan as PlanId];
-  if (!def) return PLANS.free;
-  return {
-    actionsPerMonth: def.actionsPerMonth,
-    agents: def.agents,
-    credentials: def.credentials,
-    members: def.members,
-    policies: def.policies,
-    timelineHistoryDays: def.timelineHistoryDays,
-    undoEnabled: def.undoEnabled,
-    browserSessions: def.browserSessions,
-    messagesPerMonth: def.messagesPerMonth,
-    messageHistoryDays: def.messageHistoryDays,
-    threadsPerAgent: def.threadsPerAgent,
-  };
-}
-
-export function canUndo(plan: string): boolean {
-  return getPlanLimits(plan).undoEnabled;
-}
-
-/** Map a Stripe price ID back to a plan ID */
-export function planFromPriceId(priceId: string): PlanId | null {
-  for (const plan of Object.values(PLANS)) {
-    if (plan.stripePriceMonthly === priceId || plan.stripePriceYearly === priceId) {
-      return plan.id;
-    }
-  }
-  return null;
-}