globodai-mcp-payment-manager 1.0.1

package/src/lib/crypto.ts

@@ -0,0 +1,284 @@
+/**
+ * Encryption for sensitive data with KMS support
+ * 
+ * Supports multiple backends:
+ * 1. AWS KMS (recommended for production)
+ * 2. Local AES-256-GCM (for development)
+ * 
+ * Configuration via environment:
+ * - MCP_CRYPTO_BACKEND: "aws-kms" | "local" (default: "local")
+ * - AWS_KMS_KEY_ID: ARN or alias of the KMS key
+ * - AWS_REGION: AWS region for KMS
+ * - MCP_MASTER_KEY: Local master key (if using local backend)
+ * 
+ * Security model with KMS:
+ * - Even with root access to VPS, attacker needs AWS credentials
+ * - AWS credentials should use IAM role with minimal permissions
+ * - KMS provides audit logs of all decrypt operations
+ */
+
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+import { KMSClient, EncryptCommand, DecryptCommand, GenerateDataKeyCommand } from "@aws-sdk/client-kms";
+
+// ============================================================================
+// Configuration
+// ============================================================================
+
+const ALGORITHM = "aes-256-gcm";
+const KEY_LENGTH = 32;
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+
+const CONFIG_DIR = join(homedir(), ".mcp-ecosystem");
+const KEY_FILE = join(CONFIG_DIR, ".master-key");
+const DEK_CACHE_FILE = join(CONFIG_DIR, ".dek-cache");
+
+// Prefixes to identify encryption version/backend
+const PREFIX_LOCAL = "enc:local:";
+const PREFIX_KMS = "enc:kms:";
+
+type CryptoBackend = "local" | "aws-kms";
+
+function getBackend(): CryptoBackend {
+  const backend = process.env.MCP_CRYPTO_BACKEND?.toLowerCase();
+  if (backend === "aws-kms" || backend === "kms") return "aws-kms";
+  return "local";
+}
+
+// ============================================================================
+// AWS KMS Backend
+// ============================================================================
+
+let kmsClient: KMSClient | null = null;
+let cachedDataKey: Buffer | null = null;
+let cachedEncryptedDataKey: Buffer | null = null;
+
+function getKMSClient(): KMSClient {
+  if (!kmsClient) {
+    kmsClient = new KMSClient({
+      region: process.env.AWS_REGION || "us-east-1",
+    });
+  }
+  return kmsClient;
+}
+
+function getKMSKeyId(): string {
+  const keyId = process.env.AWS_KMS_KEY_ID;
+  if (!keyId) {
+    throw new Error("AWS_KMS_KEY_ID environment variable required for KMS backend");
+  }
+  return keyId;
+}
+
+/**
+ * Generate or retrieve Data Encryption Key (DEK) from KMS
+ * Uses envelope encryption pattern
+ */
+async function getDataKey(): Promise<{ plaintext: Buffer; encrypted: Buffer }> {
+  // Check memory cache first
+  if (cachedDataKey && cachedEncryptedDataKey) {
+    return { plaintext: cachedDataKey, encrypted: cachedEncryptedDataKey };
+  }
+
+  // Check disk cache (encrypted DEK)
+  if (existsSync(DEK_CACHE_FILE)) {
+    try {
+      const encryptedDek = readFileSync(DEK_CACHE_FILE);
+      const client = getKMSClient();
+      
+      const response = await client.send(new DecryptCommand({
+        CiphertextBlob: encryptedDek,
+        KeyId: getKMSKeyId(),
+      }));
+
+      if (response.Plaintext) {
+        cachedDataKey = Buffer.from(response.Plaintext);
+        cachedEncryptedDataKey = encryptedDek;
+        return { plaintext: cachedDataKey, encrypted: cachedEncryptedDataKey };
+      }
+    } catch (err) {
+      console.error("[crypto] Failed to decrypt cached DEK, generating new one");
+    }
+  }
+
+  // Generate new DEK
+  const client = getKMSClient();
+  const response = await client.send(new GenerateDataKeyCommand({
+    KeyId: getKMSKeyId(),
+    KeySpec: "AES_256",
+  }));
+
+  if (!response.Plaintext || !response.CiphertextBlob) {
+    throw new Error("KMS GenerateDataKey failed");
+  }
+
+  cachedDataKey = Buffer.from(response.Plaintext);
+  cachedEncryptedDataKey = Buffer.from(response.CiphertextBlob);
+
+  // Cache encrypted DEK to disk (safe - it's encrypted by KMS)
+  ensureConfigDir();
+  writeFileSync(DEK_CACHE_FILE, cachedEncryptedDataKey, { mode: 0o600 });
+
+  console.error("[crypto] Generated new Data Encryption Key via KMS");
+  return { plaintext: cachedDataKey, encrypted: cachedEncryptedDataKey };
+}
+
+async function encryptWithKMS(plaintext: string): Promise<string> {
+  const { plaintext: dek } = await getDataKey();
+  
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, dek, iv);
+
+  let encrypted = cipher.update(plaintext, "utf8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag();
+
+  // Format: enc:kms:<iv>:<authTag>:<ciphertext>
+  return `${PREFIX_KMS}${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+}
+
+async function decryptWithKMS(encrypted: string): Promise<string> {
+  const { plaintext: dek } = await getDataKey();
+  
+  const parts = encrypted.slice(PREFIX_KMS.length).split(":");
+  if (parts.length !== 3) {
+    throw new Error("Invalid KMS encrypted format");
+  }
+
+  const iv = Buffer.from(parts[0]!, "base64");
+  const authTag = Buffer.from(parts[1]!, "base64");
+  const ciphertext = parts[2]!;
+
+  const decipher = createDecipheriv(ALGORITHM, dek, iv);
+  decipher.setAuthTag(authTag);
+
+  let decrypted: string = decipher.update(ciphertext, "base64", "utf8");
+  decrypted += decipher.final("utf8");
+
+  return decrypted;
+}
+
+// ============================================================================
+// Local Backend (for development)
+// ============================================================================
+
+function ensureConfigDir(): void {
+  if (!existsSync(CONFIG_DIR)) {
+    mkdirSync(CONFIG_DIR, { recursive: true });
+  }
+}
+
+function getLocalMasterKey(): Buffer {
+  if (process.env.MCP_MASTER_KEY) {
+    return scryptSync(process.env.MCP_MASTER_KEY, "mcp-ecosystem-salt-v1", KEY_LENGTH);
+  }
+
+  if (existsSync(KEY_FILE)) {
+    const keyData = readFileSync(KEY_FILE, "utf-8").trim();
+    return scryptSync(keyData, "mcp-ecosystem-salt-v1", KEY_LENGTH);
+  }
+
+  console.error("[crypto] Generating new local master key...");
+  const newKey = randomBytes(32).toString("base64");
+  
+  ensureConfigDir();
+  writeFileSync(KEY_FILE, newKey, { mode: 0o600 });
+  chmodSync(KEY_FILE, 0o600);
+  
+  console.error(`[crypto] Master key saved to ${KEY_FILE}`);
+  return scryptSync(newKey, "mcp-ecosystem-salt-v1", KEY_LENGTH);
+}
+
+function encryptLocal(plaintext: string): string {
+  const key = getLocalMasterKey();
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+
+  let encrypted = cipher.update(plaintext, "utf8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag();
+
+  return `${PREFIX_LOCAL}${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+}
+
+function decryptLocal(encrypted: string): string {
+  const key = getLocalMasterKey();
+  const parts = encrypted.slice(PREFIX_LOCAL.length).split(":");
+  
+  if (parts.length !== 3) {
+    throw new Error("Invalid local encrypted format");
+  }
+
+  const iv = Buffer.from(parts[0]!, "base64");
+  const authTag = Buffer.from(parts[1]!, "base64");
+  const ciphertext = parts[2]!;
+
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(authTag);
+
+  let decrypted: string = decipher.update(ciphertext, "base64", "utf8");
+  decrypted += decipher.final("utf8");
+
+  return decrypted;
+}
+
+// ============================================================================
+// Public API
+// ============================================================================
+
+/**
+ * Check if a value is encrypted
+ */
+export function isEncrypted(value: string): boolean {
+  return value?.startsWith(PREFIX_LOCAL) || value?.startsWith(PREFIX_KMS) || false;
+}
+
+/**
+ * Encrypt sensitive data using configured backend
+ */
+export async function encrypt(plaintext: string): Promise<string> {
+  if (!plaintext || isEncrypted(plaintext)) {
+    return plaintext;
+  }
+
+  const backend = getBackend();
+  
+  if (backend === "aws-kms") {
+    return encryptWithKMS(plaintext);
+  }
+  
+  return encryptLocal(plaintext);
+}
+
+/**
+ * Decrypt sensitive data (auto-detects backend from prefix)
+ */
+export async function decrypt(encrypted: string): Promise<string> {
+  if (!encrypted || !isEncrypted(encrypted)) {
+    return encrypted;
+  }
+
+  if (encrypted.startsWith(PREFIX_KMS)) {
+    return decryptWithKMS(encrypted);
+  }
+  
+  if (encrypted.startsWith(PREFIX_LOCAL)) {
+    return decryptLocal(encrypted);
+  }
+
+  throw new Error("Unknown encryption format");
+}
+
+/**
+ * Get current crypto backend info
+ */
+export function getCryptoInfo(): { backend: CryptoBackend; kmsKeyId?: string } {
+  const backend = getBackend();
+  return {
+    backend,
+    kmsKeyId: backend === "aws-kms" ? process.env.AWS_KMS_KEY_ID : undefined,
+  };
+}

package/src/lib/cvv-crypto.ts

@@ -0,0 +1,81 @@
+/**
+ * CVV-specific encryption using PIN-derived key
+ * 
+ * CVV is encrypted with a key derived from the master PIN.
+ * This means:
+ * - CVV is stored encrypted
+ * - Without the PIN, CVV cannot be decrypted
+ * - Even with system access, attacker needs the PIN
+ */
+
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+import { getCvvEncryptionKey } from "./pin-manager";
+
+const ALGORITHM = "aes-256-gcm";
+const IV_LENGTH = 16;
+
+const CVV_PREFIX = "cvv:";
+
+/**
+ * Check if value is CVV-encrypted
+ */
+export function isCvvEncrypted(value: string): boolean {
+  return value?.startsWith(CVV_PREFIX) || false;
+}
+
+/**
+ * Encrypt CVV with PIN-derived key
+ * Requires cards to be unlocked
+ */
+export function encryptCvv(cvv: string): string | null {
+  const key = getCvvEncryptionKey();
+  if (!key) {
+    return null; // Not unlocked
+  }
+  
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  
+  let encrypted = cipher.update(cvv, "utf8", "base64");
+  encrypted += cipher.final("base64");
+  const authTag = cipher.getAuthTag();
+  
+  // Format: cvv:<iv>:<authTag>:<ciphertext>
+  return `${CVV_PREFIX}${iv.toString("base64")}:${authTag.toString("base64")}:${encrypted}`;
+}
+
+/**
+ * Decrypt CVV with PIN-derived key
+ * Requires cards to be unlocked
+ */
+export function decryptCvv(encrypted: string): string | null {
+  if (!isCvvEncrypted(encrypted)) {
+    return encrypted; // Not encrypted, return as-is
+  }
+  
+  const key = getCvvEncryptionKey();
+  if (!key) {
+    return null; // Not unlocked
+  }
+  
+  const parts = encrypted.slice(CVV_PREFIX.length).split(":");
+  if (parts.length !== 3) {
+    return null; // Invalid format
+  }
+  
+  try {
+    const iv = Buffer.from(parts[0]!, "base64");
+    const authTag = Buffer.from(parts[1]!, "base64");
+    const ciphertext = parts[2]!;
+    
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    
+    let decrypted = decipher.update(ciphertext, "base64", "utf8");
+    decrypted += decipher.final("utf8");
+    
+    return decrypted;
+  } catch {
+    return null; // Decryption failed (wrong PIN or corrupted)
+  }
+}

package/src/lib/mcp-core.ts

@@ -0,0 +1,127 @@
+/**
+ * MCP Core - Shared utilities for all MCP servers
+ */
+
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema,
+  type Tool,
+} from "@modelcontextprotocol/sdk/types.js";
+
+export interface MCPServerConfig {
+  name: string;
+  version: string;
+  description?: string;
+}
+
+export interface ToolDefinition {
+  name: string;
+  description: string;
+  inputSchema: Record<string, unknown>;
+  handler: (args: Record<string, unknown>) => Promise<ToolResult>;
+}
+
+export interface ToolResult {
+  content: Array<{ type: "text"; text: string }>;
+  isError?: boolean;
+  [key: string]: unknown;
+}
+
+/**
+ * Create and configure an MCP server with tools
+ */
+export function createMCPServer(
+  config: MCPServerConfig,
+  tools: ToolDefinition[]
+): Server {
+  const server = new Server(
+    {
+      name: config.name,
+      version: config.version,
+    },
+    {
+      capabilities: {
+        tools: {},
+      },
+    }
+  );
+
+  // Register tool list handler
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: tools.map((t) => ({
+      name: t.name,
+      description: t.description,
+      inputSchema: t.inputSchema,
+    })),
+  }));
+
+  // Register tool call handler
+  server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const toolName = request.params.name;
+    const tool = tools.find((t) => t.name === toolName);
+
+    if (!tool) {
+      return {
+        content: [{ type: "text" as const, text: `Unknown tool: ${toolName}` }],
+        isError: true,
+      };
+    }
+
+    try {
+      const args = request.params.arguments ?? {};
+      return await tool.handler(args as Record<string, unknown>);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return {
+        content: [{ type: "text" as const, text: `Error: ${message}` }],
+        isError: true,
+      };
+    }
+  });
+
+  return server;
+}
+
+/**
+ * Start MCP server with stdio transport
+ */
+export async function startMCPServer(server: Server): Promise<void> {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error(`[MCP] Server started`);
+}
+
+/**
+ * Helper to create a successful tool result
+ */
+export function success(text: string): ToolResult {
+  return {
+    content: [{ type: "text", text }],
+  };
+}
+
+/**
+ * Helper to create a JSON tool result
+ */
+export function json(data: unknown): ToolResult {
+  return {
+    content: [{ type: "text", text: JSON.stringify(data, null, 2) }],
+  };
+}
+
+/**
+ * Helper to create an error tool result
+ */
+export function error(message: string): ToolResult {
+  return {
+    content: [{ type: "text", text: message }],
+    isError: true,
+  };
+}
+
+export { Server, StdioServerTransport };
+
+// CLI execution utilities
+export { execCommand, execGit, execHeroku, parseJsonOutput, type ExecResult, type ExecOptions } from "./cli-runner";