insforge 0.3.1

package/backend/src/core/logs/providers/localdb.provider.ts

@@ -0,0 +1,246 @@
+import { Pool } from 'pg';
+import { LogSource, AnalyticsLogRecord, LogSourceStats } from '@/types/logs.js';
+import logger from '@/utils/logger.js';
+import { BaseAnalyticsProvider } from './base.provider.js';
+
+export class LocalDBProvider extends BaseAnalyticsProvider {
+  private pool!: Pool;
+
+  async initialize(): Promise<void> {
+    this.pool = new Pool({
+      host: process.env.POSTGRES_HOST || 'localhost',
+      port: parseInt(process.env.POSTGRES_PORT || '5432'),
+      database: '_insforge',
+      user: process.env.POSTGRES_USER || 'postgres',
+      password: process.env.POSTGRES_PASSWORD || 'postgres',
+      max: 10,
+      idleTimeoutMillis: 30000,
+      connectionTimeoutMillis: 2000,
+    });
+
+    try {
+      const client = await this.pool.connect();
+      client.release();
+      logger.info('Analytics database connection established');
+    } catch (error) {
+      logger.error('Failed to connect to analytics database', {
+        error: error instanceof Error ? error.message : String(error),
+      });
+      throw error;
+    }
+  }
+
+  async getLogSources(): Promise<LogSource[]> {
+    const client = await this.pool.connect();
+    try {
+      const result = await client.query(`
+        SELECT id, name, token
+        FROM _analytics.sources
+        ORDER BY name
+      `);
+
+      const sourcesWithData: LogSource[] = [];
+      for (const source of result.rows) {
+        const tableName = `log_events_${source.token.replace(/-/g, '_')}`;
+        try {
+          const countResult = await client.query(`
+            SELECT COUNT(*) as count
+            FROM _analytics.${tableName}
+          `);
+          const count = parseInt(countResult.rows[0].count);
+          if (count > 0) {
+            sourcesWithData.push({
+              ...source,
+              name: this.getDisplayName(source.name),
+            });
+          }
+        } catch (error) {
+          logger.warn(`Source ${source.name} has no accessible data`, {
+            error: error instanceof Error ? error.message : String(error),
+          });
+        }
+      }
+      return sourcesWithData;
+    } finally {
+      client.release();
+    }
+  }
+
+  async getLogsBySource(
+    sourceName: string,
+    limit: number = 100,
+    beforeTimestamp?: string
+  ): Promise<{
+    logs: AnalyticsLogRecord[];
+    total: number;
+    tableName: string;
+  }> {
+    const client = await this.pool.connect();
+    try {
+      // Convert display name to internal name for query
+      const internalSourceName = this.getInternalName(sourceName);
+
+      // First, get the source token to determine the table name
+      const sourceResult = await client.query(
+        `SELECT token FROM _analytics.sources WHERE name = $1`,
+        [internalSourceName]
+      );
+
+      if (sourceResult.rows.length === 0) {
+        throw new Error(`Log source '${sourceName}' not found`);
+      }
+
+      const token = sourceResult.rows[0].token;
+      const tableName = `log_events_${token.replace(/-/g, '_')}`;
+
+      // Build the query with timestamp-based pagination
+      // If no beforeTimestamp provided, use current time
+      const beforeTs = beforeTimestamp || new Date().toISOString();
+
+      const query = `
+        SELECT id, event_message, timestamp, body
+        FROM _analytics.${tableName}
+        WHERE timestamp < $1
+        ORDER BY timestamp DESC
+        LIMIT $2
+      `;
+      const params = [beforeTs, limit];
+
+      const logsResult = await client.query(query, params);
+
+      // Get total count of all records (not filtered by timestamp)
+      const countQuery = `SELECT COUNT(*) as count FROM _analytics.${tableName}`;
+      const countResult = await client.query(countQuery);
+
+      return {
+        logs: logsResult.rows,
+        total: parseInt(countResult.rows[0].count),
+        tableName: `_analytics.${tableName}`,
+      };
+    } finally {
+      client.release();
+    }
+  }
+
+  async getLogSourceStats(): Promise<LogSourceStats[]> {
+    const client = await this.pool.connect();
+    try {
+      const sources = await this.getLogSources();
+      const stats: LogSourceStats[] = [];
+
+      for (const source of sources) {
+        const tableName = `log_events_${source.token.replace(/-/g, '_')}`;
+        try {
+          const result = await client.query(`
+            SELECT
+              COUNT(*) as count,
+              MAX(timestamp) as last_activity
+            FROM _analytics.${tableName}
+          `);
+          stats.push({
+            source: source.name,
+            count: parseInt(result.rows[0].count),
+            lastActivity: result.rows[0].last_activity || '',
+          });
+        } catch (error) {
+          logger.warn(`Failed to get stats for source ${source.name}`, {
+            error: error instanceof Error ? error.message : String(error),
+          });
+          stats.push({
+            source: source.name,
+            count: 0,
+            lastActivity: '',
+          });
+        }
+      }
+      return stats.sort((a, b) => b.count - a.count);
+    } finally {
+      client.release();
+    }
+  }
+
+  async searchLogs(
+    query: string,
+    sourceName?: string,
+    limit: number = 100,
+    offset: number = 0
+  ): Promise<{
+    logs: (AnalyticsLogRecord & { source: string })[];
+    total: number;
+  }> {
+    const client = await this.pool.connect();
+    try {
+      let sources: LogSource[];
+
+      if (sourceName) {
+        // Convert display name to internal name for query
+        const internalSourceName = this.getInternalName(sourceName);
+        const sourceResult = await client.query(
+          `SELECT id, name, token FROM _analytics.sources WHERE name = $1`,
+          [internalSourceName]
+        );
+        // Apply name mapping to the result
+        sources = sourceResult.rows.map((source) => ({
+          ...source,
+          name: this.getDisplayName(source.name),
+        }));
+      } else {
+        // getLogSources already returns mapped names
+        sources = await this.getLogSources();
+      }
+
+      const results: (AnalyticsLogRecord & { source: string })[] = [];
+      let totalCount = 0;
+
+      for (const source of sources) {
+        const tableName = `log_events_${source.token.replace(/-/g, '_')}`;
+
+        try {
+          // Search in event_message and body fields
+          const searchResult = await client.query(
+            `SELECT id, event_message, timestamp, body, $1 as source
+            FROM _analytics.${tableName}
+            WHERE event_message ILIKE $2
+               OR body::text ILIKE $2
+            ORDER BY timestamp DESC
+            LIMIT $3 OFFSET $4`,
+            [source.name, `%${query}%`, limit, offset]
+          );
+
+          results.push(...searchResult.rows);
+
+          // Get count for this source
+          const countResult = await client.query(
+            `SELECT COUNT(*) as count
+            FROM _analytics.${tableName}
+            WHERE event_message ILIKE $1
+               OR body::text ILIKE $1`,
+            [`%${query}%`]
+          );
+
+          totalCount += parseInt(countResult.rows[0].count);
+        } catch (error) {
+          logger.warn(`Failed to search in source ${source.name}`, {
+            error: error instanceof Error ? error.message : String(error),
+          });
+        }
+      }
+
+      // Sort combined results by timestamp
+      results.sort((a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime());
+
+      return {
+        logs: results.slice(0, limit),
+        total: totalCount,
+      };
+    } finally {
+      client.release();
+    }
+  }
+
+  async close(): Promise<void> {
+    if (this.pool) {
+      await this.pool.end();
+    }
+  }
+}

package/backend/src/core/secrets/encryption.ts

@@ -0,0 +1,58 @@
+import crypto from 'crypto';
+
+/**
+ * Encryption utilities for secrets management
+ */
+export class EncryptionUtils {
+  private static encryptionKey: Buffer | null = null;
+
+  private static getEncryptionKey(): Buffer {
+    if (!this.encryptionKey) {
+      const key = process.env.ENCRYPTION_KEY || process.env.JWT_SECRET;
+      if (!key) {
+        throw new Error('ENCRYPTION_KEY or JWT_SECRET must be set for secrets encryption');
+      }
+      this.encryptionKey = crypto.createHash('sha256').update(key).digest();
+    }
+    return this.encryptionKey;
+  }
+
+  /**
+   * Encrypt a value using AES-256-GCM
+   */
+  static encrypt(value: string): string {
+    const encryptionKey = this.getEncryptionKey();
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv('aes-256-gcm', encryptionKey, iv);
+
+    let encrypted = cipher.update(value, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+
+    const authTag = cipher.getAuthTag();
+
+    return iv.toString('hex') + ':' + authTag.toString('hex') + ':' + encrypted;
+  }
+
+  /**
+   * Decrypt a value using AES-256-GCM
+   */
+  static decrypt(ciphertext: string): string {
+    const encryptionKey = this.getEncryptionKey();
+    const parts = ciphertext.split(':');
+    if (parts.length !== 3) {
+      throw new Error('Invalid ciphertext format');
+    }
+
+    const iv = Buffer.from(parts[0], 'hex');
+    const authTag = Buffer.from(parts[1], 'hex');
+    const encrypted = parts[2];
+
+    const decipher = crypto.createDecipheriv('aes-256-gcm', encryptionKey, iv);
+    decipher.setAuthTag(authTag);
+
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+
+    return decrypted;
+  }
+}

package/backend/src/core/secrets/secrets.ts

@@ -0,0 +1,410 @@
+import { Pool } from 'pg';
+import crypto from 'crypto';
+import { DatabaseManager } from '@/core/database/manager.js';
+import logger from '@/utils/logger.js';
+import { EncryptionUtils } from './encryption.js';
+
+export interface SecretSchema {
+  id: string;
+  key: string;
+  isActive: boolean;
+  isReserved: boolean;
+  lastUsedAt: Date | null;
+  expiresAt: Date | null;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
+export interface CreateSecretInput {
+  key: string;
+  value: string;
+  isReserved?: boolean;
+  expiresAt?: Date;
+}
+
+export interface UpdateSecretInput {
+  value?: string;
+  isActive?: boolean;
+  isReserved?: boolean;
+  expiresAt?: Date | null;
+}
+
+export class SecretsService {
+  private pool: Pool | null = null;
+
+  constructor() {
+    // Encryption is now handled by the shared EncryptionUtils
+  }
+
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
+  /**
+   * Create a new secret
+   */
+  async createSecret(input: CreateSecretInput): Promise<{ id: string }> {
+    const client = await this.getPool().connect();
+    try {
+      const encryptedValue = EncryptionUtils.encrypt(input.value);
+
+      const result = await client.query(
+        `INSERT INTO _secrets (key, value_ciphertext, is_reserved, expires_at)
+         VALUES ($1, $2, $3, $4)
+         RETURNING id`,
+        [input.key, encryptedValue, input.isReserved || false, input.expiresAt || null]
+      );
+
+      logger.info('Secret created', { id: result.rows[0].id, key: input.key });
+      return { id: result.rows[0].id };
+    } catch (error) {
+      logger.error('Failed to create secret', { error, key: input.key });
+      throw new Error('Failed to create secret');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Get a decrypted secret by ID
+   */
+  async getSecretById(id: string): Promise<string | null> {
+    const client = await this.getPool().connect();
+    try {
+      const result = await client.query(
+        `UPDATE _secrets
+         SET last_used_at = NOW()
+         WHERE id = $1 AND is_active = true
+         AND (expires_at IS NULL OR expires_at > NOW())
+         RETURNING value_ciphertext`,
+        [id]
+      );
+
+      if (result.rows.length === 0) {
+        return null;
+      }
+
+      const decryptedValue = EncryptionUtils.decrypt(result.rows[0].value_ciphertext);
+      logger.info('Secret retrieved', { id });
+      return decryptedValue;
+    } catch (error) {
+      logger.error('Failed to get secret', { error, id });
+      throw new Error('Failed to get secret');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Get a decrypted secret by key
+   */
+  async getSecretByKey(key: string): Promise<string | null> {
+    const client = await this.getPool().connect();
+    try {
+      const result = await client.query(
+        `UPDATE _secrets
+         SET last_used_at = NOW()
+         WHERE key = $1 AND is_active = true
+         AND (expires_at IS NULL OR expires_at > NOW())
+         RETURNING value_ciphertext`,
+        [key]
+      );
+
+      if (result.rows.length === 0) {
+        return null;
+      }
+
+      const decryptedValue = EncryptionUtils.decrypt(result.rows[0].value_ciphertext);
+      logger.info('Secret retrieved by key', { key });
+      return decryptedValue;
+    } catch (error) {
+      logger.error('Failed to get secret by key', { error, key });
+      throw new Error('Failed to get secret');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * List all secrets (without decrypting values)
+   */
+  async listSecrets(): Promise<SecretSchema[]> {
+    const client = await this.getPool().connect();
+    try {
+      const result = await client.query(
+        `SELECT
+          id,
+          key,
+          is_active as "isActive",
+          is_reserved as "isReserved",
+          last_used_at as "lastUsedAt",
+          expires_at as "expiresAt",
+          created_at as "createdAt",
+          updated_at as "updatedAt"
+         FROM _secrets
+         ORDER BY created_at DESC`
+      );
+
+      return result.rows;
+    } catch (error) {
+      logger.error('Failed to list secrets', { error });
+      throw new Error('Failed to list secrets');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Update a secret
+   */
+  async updateSecret(id: string, input: UpdateSecretInput): Promise<boolean> {
+    const client = await this.getPool().connect();
+    try {
+      const updates: string[] = [];
+      const values: (string | boolean | Date | null)[] = [];
+      let paramCount = 1;
+
+      if (input.value !== undefined) {
+        const encryptedValue = EncryptionUtils.encrypt(input.value);
+        updates.push(`value_ciphertext = $${paramCount++}`);
+        values.push(encryptedValue);
+      }
+
+      if (input.isActive !== undefined) {
+        updates.push(`is_active = $${paramCount++}`);
+        values.push(input.isActive);
+      }
+
+      if (input.isReserved !== undefined) {
+        updates.push(`is_reserved = $${paramCount++}`);
+        values.push(input.isReserved);
+      }
+
+      if (input.expiresAt !== undefined) {
+        updates.push(`expires_at = $${paramCount++}`);
+        values.push(input.expiresAt);
+      }
+
+      values.push(id);
+
+      const result = await client.query(
+        `UPDATE _secrets
+         SET ${updates.join(', ')}
+         WHERE id = $${paramCount}`,
+        values
+      );
+
+      const success = (result.rowCount ?? 0) > 0;
+      if (success) {
+        logger.info('Secret updated', { id });
+      }
+      return success;
+    } catch (error) {
+      logger.error('Failed to update secret', { error, id });
+      throw new Error('Failed to update secret');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Check if a secret value matches the stored value
+   */
+  async checkSecretByKey(key: string, value: string): Promise<boolean> {
+    const client = await this.getPool().connect();
+    try {
+      const result = await client.query(
+        `SELECT value_ciphertext FROM _secrets
+         WHERE key = $1
+         AND is_active = true
+         AND (expires_at IS NULL OR expires_at > NOW())
+         LIMIT 1`,
+        [key]
+      );
+
+      if (result.rows.length === 0) {
+        logger.warn('Secret not found for verification', { key });
+        return false;
+      }
+
+      const decryptedValue = EncryptionUtils.decrypt(result.rows[0].value_ciphertext);
+      const matches = decryptedValue === value;
+
+      // Update last_used_at if the check was successful
+      if (matches) {
+        await client.query(
+          `UPDATE _secrets
+           SET last_used_at = NOW()
+           WHERE key = $1
+           AND is_active = true`,
+          [key]
+        );
+        logger.info('Secret check successful', { key });
+      } else {
+        logger.warn('Secret check failed - value mismatch', { key });
+      }
+
+      return matches;
+    } catch (error) {
+      logger.error('Failed to check secret', { error, key });
+      return false;
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Delete a secret
+   */
+  async deleteSecret(id: string): Promise<boolean> {
+    const client = await this.getPool().connect();
+    try {
+      // Check if secret is reserved first
+      const checkResult = await client.query('SELECT is_reserved FROM _secrets WHERE id = $1', [
+        id,
+      ]);
+
+      if (checkResult.rows.length > 0 && checkResult.rows[0].is_reserved) {
+        throw new Error('Cannot delete reserved secret');
+      }
+
+      const result = await client.query('DELETE FROM _secrets WHERE id = $1', [id]);
+
+      const success = (result.rowCount ?? 0) > 0;
+      if (success) {
+        logger.info('Secret deleted', { id });
+      }
+      return success;
+    } catch (error) {
+      logger.error('Failed to delete secret', { error, id });
+      throw new Error('Failed to delete secret');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Rotate a secret (create new value, keep old for grace period)
+   */
+  async rotateSecret(id: string, newValue: string): Promise<{ newId: string }> {
+    const client = await this.getPool().connect();
+    try {
+      await client.query('BEGIN');
+
+      const oldSecretResult = await client.query(`SELECT key FROM _secrets WHERE id = $1`, [id]);
+
+      if (oldSecretResult.rows.length === 0) {
+        throw new Error('Secret not found');
+      }
+
+      const secretKey = oldSecretResult.rows[0].key;
+
+      await client.query(
+        `UPDATE _secrets
+         SET is_active = false,
+             expires_at = NOW() + INTERVAL '24 hours'
+         WHERE id = $1`,
+        [id]
+      );
+
+      const encryptedValue = EncryptionUtils.encrypt(newValue);
+      const newSecretResult = await client.query(
+        `INSERT INTO _secrets (key, value_ciphertext)
+         VALUES ($1, $2)
+         RETURNING id`,
+        [secretKey, encryptedValue]
+      );
+
+      await client.query('COMMIT');
+
+      logger.info('Secret rotated', {
+        oldId: id,
+        newId: newSecretResult.rows[0].id,
+        key: secretKey,
+      });
+
+      return { newId: newSecretResult.rows[0].id };
+    } catch (error) {
+      await client.query('ROLLBACK');
+      logger.error('Failed to rotate secret', { error, id });
+      throw new Error('Failed to rotate secret');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Clean up expired secrets
+   */
+  async cleanupExpiredSecrets(): Promise<number> {
+    const client = await this.getPool().connect();
+    try {
+      const result = await client.query(
+        `DELETE FROM _secrets
+         WHERE expires_at IS NOT NULL
+         AND expires_at < NOW()
+         RETURNING id`
+      );
+
+      const deletedCount = result.rowCount ?? 0;
+      if (deletedCount > 0) {
+        logger.info('Expired secrets cleaned up', { count: deletedCount });
+      }
+      return deletedCount;
+    } catch (error) {
+      logger.error('Failed to cleanup expired secrets', { error });
+      throw new Error('Failed to cleanup expired secrets');
+    } finally {
+      client.release();
+    }
+  }
+
+  /**
+   * Generate a new API key with 'ik_' prefix (Insforge Key)
+   */
+  generateApiKey(): string {
+    return 'ik_' + crypto.randomBytes(32).toString('hex');
+  }
+
+  /**
+   * Verify API key against database
+   */
+  async verifyApiKey(apiKey: string): Promise<boolean> {
+    if (!apiKey) {
+      return false;
+    }
+    return this.checkSecretByKey('API_KEY', apiKey);
+  }
+
+  /**
+   * Initialize API key on startup
+   * Seeds from environment variable if database is empty
+   */
+  async initializeApiKey(): Promise<string> {
+    let apiKey = await this.getSecretByKey('API_KEY');
+
+    if (!apiKey) {
+      // Check if ACCESS_API_KEY is provided via environment
+      const envApiKey = process.env.ACCESS_API_KEY;
+
+      if (envApiKey && envApiKey.trim() !== '') {
+        // Use the provided API key from environment, ensure it has 'ik_' prefix
+        apiKey = envApiKey.startsWith('ik_') ? envApiKey : 'ik_' + envApiKey;
+        await this.createSecret({ key: 'API_KEY', value: apiKey, isReserved: true });
+        logger.info('✅ API key initialized from ACCESS_API_KEY environment variable');
+      } else {
+        // Generate a new API key if none provided
+        apiKey = this.generateApiKey();
+        await this.createSecret({ key: 'API_KEY', value: apiKey, isReserved: true });
+        logger.info('✅ API key generated and stored');
+      }
+    } else {
+      logger.info('✅ API key exists in database');
+    }
+
+    return apiKey;
+  }
+}