npm - lsh-framework - Versions diffs - 1.3.2 → 1.4.1 - Mend

lsh-framework 1.3.2 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/.env.example +43 -3
package/README.md +25 -4
package/dist/cli.js +6 -0
package/dist/commands/config.js +240 -0
package/dist/daemon/saas-api-routes.js +778 -0
package/dist/daemon/saas-api-server.js +225 -0
package/dist/lib/config-manager.js +321 -0
package/dist/lib/database-persistence.js +75 -3
package/dist/lib/env-validator.js +17 -0
package/dist/lib/local-storage-adapter.js +493 -0
package/dist/lib/saas-audit.js +213 -0
package/dist/lib/saas-auth.js +427 -0
package/dist/lib/saas-billing.js +402 -0
package/dist/lib/saas-email.js +402 -0
package/dist/lib/saas-encryption.js +220 -0
package/dist/lib/saas-organizations.js +592 -0
package/dist/lib/saas-secrets.js +378 -0
package/dist/lib/saas-types.js +108 -0
package/dist/lib/supabase-client.js +77 -11
package/package.json +13 -2

package/dist/lib/saas-secrets.js ADDED Viewed

@@ -0,0 +1,378 @@
+/**
+ * LSH SaaS Secrets Management Service
+ * Multi-tenant secrets with per-team encryption
+ */
+import { getSupabaseClient } from './supabase-client.js';
+import { encryptionService } from './saas-encryption.js';
+import { auditLogger } from './saas-audit.js';
+import { organizationService } from './saas-organizations.js';
+/**
+ * Secrets Service
+ */
+export class SecretsService {
+    supabase = getSupabaseClient();
+    /**
+     * Create a new secret
+     */
+    async createSecret(input) {
+        // Check tier limits
+        await this.checkSecretsLimit(input.teamId);
+        // Get or create encryption key for team
+        let encryptionKey = await encryptionService.getTeamKey(input.teamId);
+        if (!encryptionKey) {
+            // Auto-create encryption key for team
+            const team = await this.getTeamById(input.teamId);
+            if (!team) {
+                throw new Error('Team not found');
+            }
+            encryptionKey = await encryptionService.generateTeamKey(input.teamId, input.createdBy);
+        }
+        // Encrypt the secret value
+        const encryptedValue = await encryptionService.encryptForTeam(input.teamId, input.value);
+        // Store secret
+        const { data, error } = await this.supabase
+            .from('secrets')
+            .insert({
+            team_id: input.teamId,
+            environment: input.environment,
+            key: input.key,
+            encrypted_value: encryptedValue,
+            encryption_key_id: encryptionKey.id,
+            description: input.description || null,
+            tags: JSON.stringify(input.tags || []),
+            rotation_interval_days: input.rotationIntervalDays || null,
+            created_by: input.createdBy,
+        })
+            .select()
+            .single();
+        if (error) {
+            throw new Error(`Failed to create secret: ${error.message}`);
+        }
+        // Audit log
+        const team = await this.getTeamById(input.teamId);
+        if (team) {
+            await auditLogger.log({
+                organizationId: team.organization_id,
+                teamId: input.teamId,
+                userId: input.createdBy,
+                action: 'secret.create',
+                resourceType: 'secret',
+                resourceId: data.id,
+                newValue: {
+                    key: input.key,
+                    environment: input.environment,
+                },
+            });
+        }
+        return this.mapDbSecretToSecret(data);
+    }
+    /**
+     * Get secret by ID
+     */
+    async getSecretById(id, decrypt = false) {
+        const { data, error } = await this.supabase
+            .from('secrets')
+            .select('*')
+            .eq('id', id)
+            .is('deleted_at', null)
+            .single();
+        if (error || !data) {
+            return null;
+        }
+        const secret = this.mapDbSecretToSecret(data);
+        // Decrypt if requested
+        if (decrypt) {
+            const decryptedValue = await encryptionService.decryptForTeam(secret.teamId, secret.encryptedValue);
+            return { ...secret, encryptedValue: decryptedValue };
+        }
+        return secret;
+    }
+    /**
+     * Get secrets for team/environment
+     */
+    async getTeamSecrets(teamId, environment, decrypt = false) {
+        let query = this.supabase
+            .from('secrets')
+            .select('*')
+            .eq('team_id', teamId)
+            .is('deleted_at', null);
+        if (environment) {
+            query = query.eq('environment', environment);
+        }
+        query = query.order('key', { ascending: true });
+        const { data, error } = await query;
+        if (error) {
+            throw new Error(`Failed to get secrets: ${error.message}`);
+        }
+        const secrets = (data || []).map(this.mapDbSecretToSecret);
+        // Decrypt if requested
+        if (decrypt) {
+            return Promise.all(secrets.map(async (secret) => {
+                try {
+                    const decryptedValue = await encryptionService.decryptForTeam(teamId, secret.encryptedValue);
+                    return { ...secret, encryptedValue: decryptedValue };
+                }
+                catch (error) {
+                    console.error(`Failed to decrypt secret ${secret.id}:`, error);
+                    return secret;
+                }
+            }));
+        }
+        return secrets;
+    }
+    /**
+     * Update secret
+     */
+    async updateSecret(id, input) {
+        const secret = await this.getSecretById(id);
+        if (!secret) {
+            throw new Error('Secret not found');
+        }
+        const updateData = {
+            updated_by: input.updatedBy,
+            updated_at: new Date().toISOString(),
+        };
+        // Encrypt new value if provided
+        if (input.value) {
+            updateData.encrypted_value = await encryptionService.encryptForTeam(secret.teamId, input.value);
+        }
+        if (input.description !== undefined) {
+            updateData.description = input.description;
+        }
+        if (input.tags) {
+            updateData.tags = JSON.stringify(input.tags);
+        }
+        if (input.rotationIntervalDays !== undefined) {
+            updateData.rotation_interval_days = input.rotationIntervalDays;
+        }
+        const { data, error } = await this.supabase
+            .from('secrets')
+            .update(updateData)
+            .eq('id', id)
+            .select()
+            .single();
+        if (error) {
+            throw new Error(`Failed to update secret: ${error.message}`);
+        }
+        // Audit log
+        const team = await this.getTeamById(secret.teamId);
+        if (team) {
+            await auditLogger.log({
+                organizationId: team.organization_id,
+                teamId: secret.teamId,
+                userId: input.updatedBy,
+                action: 'secret.update',
+                resourceType: 'secret',
+                resourceId: id,
+                oldValue: { description: secret.description },
+                newValue: { description: input.description },
+            });
+        }
+        return this.mapDbSecretToSecret(data);
+    }
+    /**
+     * Delete secret (soft delete)
+     */
+    async deleteSecret(id, deletedBy) {
+        const secret = await this.getSecretById(id);
+        if (!secret) {
+            throw new Error('Secret not found');
+        }
+        const { error } = await this.supabase
+            .from('secrets')
+            .update({
+            deleted_at: new Date().toISOString(),
+            deleted_by: deletedBy,
+        })
+            .eq('id', id);
+        if (error) {
+            throw new Error(`Failed to delete secret: ${error.message}`);
+        }
+        // Audit log
+        const team = await this.getTeamById(secret.teamId);
+        if (team) {
+            await auditLogger.log({
+                organizationId: team.organization_id,
+                teamId: secret.teamId,
+                userId: deletedBy,
+                action: 'secret.delete',
+                resourceType: 'secret',
+                resourceId: id,
+                oldValue: {
+                    key: secret.key,
+                    environment: secret.environment,
+                },
+            });
+        }
+    }
+    /**
+     * Get secrets summary by team
+     */
+    async getSecretsSummary(teamId) {
+        const { data, error } = await this.supabase
+            .from('secrets_summary')
+            .select('*')
+            .eq('team_id', teamId);
+        if (error) {
+            throw new Error(`Failed to get secrets summary: ${error.message}`);
+        }
+        return (data || []).map((row) => ({
+            teamId: row.team_id,
+            teamName: row.team_name,
+            environment: row.environment,
+            secretsCount: row.secrets_count || 0,
+            lastUpdated: row.last_updated ? new Date(row.last_updated) : null,
+        }));
+    }
+    /**
+     * Export secrets to .env format
+     */
+    async exportToEnv(teamId, environment) {
+        const secrets = await this.getTeamSecrets(teamId, environment, true);
+        const envLines = secrets.map((secret) => {
+            // Escape special characters in values (backslashes first, then quotes)
+            const value = secret.encryptedValue.includes(' ')
+                ? `"${secret.encryptedValue.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`
+                : secret.encryptedValue;
+            const comment = secret.description ? `# ${secret.description}\n` : '';
+            return `${comment}${secret.key}=${value}`;
+        });
+        return envLines.join('\n');
+    }
+    /**
+     * Import secrets from .env format
+     */
+    async importFromEnv(teamId, environment, envContent, createdBy) {
+        const lines = envContent.split('\n');
+        const secrets = [];
+        let currentDescription = '';
+        // Parse .env file
+        for (const line of lines) {
+            const trimmed = line.trim();
+            // Skip empty lines
+            if (!trimmed) {
+                currentDescription = '';
+                continue;
+            }
+            // Comment line (description)
+            if (trimmed.startsWith('#')) {
+                currentDescription = trimmed.substring(1).trim();
+                continue;
+            }
+            // Key=value line
+            const match = trimmed.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/);
+            if (match) {
+                let value = match[2];
+                // Remove quotes if present
+                if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+                    value = value.slice(1, -1);
+                }
+                secrets.push({
+                    key: match[1],
+                    value,
+                    description: currentDescription || undefined,
+                });
+                currentDescription = '';
+            }
+        }
+        // Import secrets
+        let created = 0;
+        let updated = 0;
+        const errors = [];
+        for (const secret of secrets) {
+            try {
+                // Check if secret already exists
+                const { data: existing } = await this.supabase
+                    .from('secrets')
+                    .select('id')
+                    .eq('team_id', teamId)
+                    .eq('environment', environment)
+                    .eq('key', secret.key)
+                    .is('deleted_at', null)
+                    .single();
+                if (existing) {
+                    // Update existing
+                    await this.updateSecret(existing.id, {
+                        value: secret.value,
+                        description: secret.description,
+                        updatedBy: createdBy,
+                    });
+                    updated++;
+                }
+                else {
+                    // Create new
+                    await this.createSecret({
+                        teamId,
+                        environment,
+                        key: secret.key,
+                        value: secret.value,
+                        description: secret.description,
+                        createdBy,
+                    });
+                    created++;
+                }
+            }
+            catch (error) {
+                errors.push(`${secret.key}: ${error.message}`);
+            }
+        }
+        return { created, updated, errors };
+    }
+    /**
+     * Check secrets limit for tier
+     */
+    async checkSecretsLimit(teamId) {
+        const team = await this.getTeamById(teamId);
+        if (!team) {
+            throw new Error('Team not found');
+        }
+        const org = await organizationService.getOrganizationById(team.organization_id);
+        if (!org) {
+            throw new Error('Organization not found');
+        }
+        const usage = await organizationService.getUsageSummary(team.organization_id);
+        const { TIER_LIMITS } = await import('./saas-types.js');
+        const limits = TIER_LIMITS[org.subscriptionTier];
+        if (usage.secretCount >= limits.secrets) {
+            throw new Error('TIER_LIMIT_EXCEEDED: Secret limit reached. Please upgrade your plan.');
+        }
+    }
+    /**
+     * Helper to get team
+     */
+    async getTeamById(teamId) {
+        const { data } = await this.supabase
+            .from('teams')
+            .select('*')
+            .eq('id', teamId)
+            .single();
+        return data;
+    }
+    /**
+     * Map database secret to Secret type
+     */
+    mapDbSecretToSecret(dbSecret) {
+        return {
+            id: dbSecret.id,
+            teamId: dbSecret.team_id,
+            environment: dbSecret.environment,
+            key: dbSecret.key,
+            encryptedValue: dbSecret.encrypted_value,
+            encryptionKeyId: dbSecret.encryption_key_id,
+            description: dbSecret.description,
+            tags: typeof dbSecret.tags === 'string' ? JSON.parse(dbSecret.tags) : (dbSecret.tags || []),
+            lastRotatedAt: dbSecret.last_rotated_at ? new Date(dbSecret.last_rotated_at) : null,
+            rotationIntervalDays: dbSecret.rotation_interval_days,
+            createdAt: new Date(dbSecret.created_at),
+            createdBy: dbSecret.created_by,
+            updatedAt: new Date(dbSecret.updated_at),
+            updatedBy: dbSecret.updated_by,
+            deletedAt: dbSecret.deleted_at ? new Date(dbSecret.deleted_at) : null,
+            deletedBy: dbSecret.deleted_by,
+        };
+    }
+}
+/**
+ * Singleton instance
+ */
+export const secretsService = new SecretsService();

package/dist/lib/saas-types.js ADDED Viewed

@@ -0,0 +1,108 @@
+/**
+ * LSH SaaS Platform TypeScript Type Definitions
+ * Mirrors the database schema for multi-tenant support
+ */
+export const TIER_LIMITS = {
+    free: {
+        organizations: 1,
+        teamMembers: 3,
+        secrets: 10,
+        environments: 3,
+        auditLogRetentionDays: 30,
+        apiCallsPerMonth: 1000,
+        ssoEnabled: false,
+        prioritySupport: false,
+    },
+    pro: {
+        organizations: 1,
+        teamMembers: Infinity,
+        secrets: Infinity,
+        environments: Infinity,
+        auditLogRetentionDays: 365,
+        apiCallsPerMonth: 100000,
+        ssoEnabled: false,
+        prioritySupport: true,
+    },
+    enterprise: {
+        organizations: Infinity,
+        teamMembers: Infinity,
+        secrets: Infinity,
+        environments: Infinity,
+        auditLogRetentionDays: Infinity,
+        apiCallsPerMonth: Infinity,
+        ssoEnabled: true,
+        prioritySupport: true,
+    },
+};
+export const ROLE_PERMISSIONS = {
+    owner: {
+        canManageBilling: true,
+        canInviteMembers: true,
+        canRemoveMembers: true,
+        canCreateTeams: true,
+        canDeleteTeams: true,
+        canManageSecrets: true,
+        canViewSecrets: true,
+        canViewAuditLogs: true,
+        canManageApiKeys: true,
+    },
+    admin: {
+        canManageBilling: false,
+        canInviteMembers: true,
+        canRemoveMembers: true,
+        canCreateTeams: true,
+        canDeleteTeams: true,
+        canManageSecrets: true,
+        canViewSecrets: true,
+        canViewAuditLogs: true,
+        canManageApiKeys: true,
+    },
+    member: {
+        canManageBilling: false,
+        canInviteMembers: false,
+        canRemoveMembers: false,
+        canCreateTeams: false,
+        canDeleteTeams: false,
+        canManageSecrets: true,
+        canViewSecrets: true,
+        canViewAuditLogs: false,
+        canManageApiKeys: true,
+    },
+    viewer: {
+        canManageBilling: false,
+        canInviteMembers: false,
+        canRemoveMembers: false,
+        canCreateTeams: false,
+        canDeleteTeams: false,
+        canManageSecrets: false,
+        canViewSecrets: true,
+        canViewAuditLogs: false,
+        canManageApiKeys: false,
+    },
+};
+// ============================================================================
+// ERROR CODES
+// ============================================================================
+export var ErrorCode;
+(function (ErrorCode) {
+    // Auth
+    ErrorCode["UNAUTHORIZED"] = "UNAUTHORIZED";
+    ErrorCode["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
+    ErrorCode["EMAIL_NOT_VERIFIED"] = "EMAIL_NOT_VERIFIED";
+    ErrorCode["EMAIL_ALREADY_EXISTS"] = "EMAIL_ALREADY_EXISTS";
+    ErrorCode["INVALID_TOKEN"] = "INVALID_TOKEN";
+    // Permissions
+    ErrorCode["FORBIDDEN"] = "FORBIDDEN";
+    ErrorCode["INSUFFICIENT_PERMISSIONS"] = "INSUFFICIENT_PERMISSIONS";
+    // Resources
+    ErrorCode["NOT_FOUND"] = "NOT_FOUND";
+    ErrorCode["ALREADY_EXISTS"] = "ALREADY_EXISTS";
+    ErrorCode["INVALID_INPUT"] = "INVALID_INPUT";
+    // Billing
+    ErrorCode["TIER_LIMIT_EXCEEDED"] = "TIER_LIMIT_EXCEEDED";
+    ErrorCode["SUBSCRIPTION_REQUIRED"] = "SUBSCRIPTION_REQUIRED";
+    ErrorCode["PAYMENT_REQUIRED"] = "PAYMENT_REQUIRED";
+    // General
+    ErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
+    ErrorCode["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
+})(ErrorCode || (ErrorCode = {}));

package/dist/lib/supabase-client.js CHANGED Viewed

@@ -3,21 +3,21 @@
  * Provides database connectivity for LSH features
  */
 import { createClient } from '@supabase/supabase-js';
-// Supabase configuration
-const SUPABASE_URL = 'https://uljsqvwkomdrlnofmlad.supabase.co';
-const SUPABASE_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InVsanNxdndrb21kcmxub2ZtbGFkIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NTY4MDIyNDQsImV4cCI6MjA3MjM3ODI0NH0.QCpfcEpxGX_5Wn8ljf_J2KWjJLGdF8zRsV_7OatxmHI';
-// Database connection string (for direct PostgreSQL access if needed)
-const DATABASE_URL = 'postgresql://postgres:[YOUR-PASSWORD]@db.uljsqvwkomdrlnofmlad.supabase.co:5432/postgres';
 export class SupabaseClient {
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     client;
     config;
     constructor(config) {
+        const url = config?.url || process.env.SUPABASE_URL;
+        const anonKey = config?.anonKey || process.env.SUPABASE_ANON_KEY;
+        const databaseUrl = config?.databaseUrl || process.env.DATABASE_URL;
+        if (!url || !anonKey) {
+            throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
+        }
         this.config = {
-            url: SUPABASE_URL,
-            anonKey: SUPABASE_ANON_KEY,
-            databaseUrl: DATABASE_URL,
-            ...config,
+            url,
+            anonKey,
+            databaseUrl,
         };
         this.client = createClient(this.config.url, this.config.anonKey);
     }
@@ -54,6 +54,72 @@ export class SupabaseClient {
         };
     }
 }
-// Default client instance
-export const supabaseClient = new SupabaseClient();
+// Default client instance - lazily initialized to avoid errors at module load
+let _supabaseClient = null;
+let _clientInitializationFailed = false;
+function getDefaultClient() {
+    if (_clientInitializationFailed) {
+        return null;
+    }
+    if (!_supabaseClient) {
+        try {
+            _supabaseClient = new SupabaseClient();
+        }
+        catch (_error) {
+            // Supabase not configured - will fall back to local storage
+            _clientInitializationFailed = true;
+            return null;
+        }
+    }
+    return _supabaseClient;
+}
+/**
+ * Check if Supabase is configured and available
+ */
+export function isSupabaseConfigured() {
+    return !!(process.env.SUPABASE_URL && process.env.SUPABASE_ANON_KEY);
+}
+export const supabaseClient = {
+    getClient() {
+        const client = getDefaultClient();
+        if (!client) {
+            throw new Error('Supabase client not initialized. Using local storage fallback.');
+        }
+        return client.getClient();
+    },
+    async testConnection() {
+        const client = getDefaultClient();
+        if (!client) {
+            return false;
+        }
+        return client.testConnection();
+    },
+    getConnectionInfo() {
+        const client = getDefaultClient();
+        if (!client) {
+            return {
+                url: undefined,
+                databaseUrl: undefined,
+                isConnected: false,
+            };
+        }
+        return client.getConnectionInfo();
+    },
+    isAvailable() {
+        return getDefaultClient() !== null;
+    }
+};
+/**
+ * Get Supabase client for SaaS platform
+ * Uses environment variables for configuration
+ * @throws {Error} If SUPABASE_URL or SUPABASE_ANON_KEY are not set
+ */
+export function getSupabaseClient() {
+    const url = process.env.SUPABASE_URL;
+    const key = process.env.SUPABASE_ANON_KEY;
+    if (!url || !key) {
+        throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
+    }
+    return createClient(url, key);
+}
 export default SupabaseClient;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "lsh-framework",
-  "version": "1.3.2",
+  "version": "1.4.1",
   "description": "Simple, cross-platform encrypted secrets manager with automatic sync and multi-environment support. Just run lsh sync and start managing your secrets.",
   "main": "dist/app.js",
   "bin": {
@@ -22,7 +22,9 @@
     "clean": "rm -rf ./build; rm -rf ./bin; rm -rf ./dist",
     "lint": "eslint src --ext .js,.ts,.tsx",
     "lint:fix": "eslint src --ext .js,.ts,.tsx --fix",
-    "typecheck": "tsc --noEmit"
+    "typecheck": "tsc --noEmit",
+    "saas:api": "node dist/daemon/saas-api-server.js",
+    "saas:dev": "tsc && node dist/daemon/saas-api-server.js"
   },
   "keywords": [
     "secrets-manager",
@@ -58,13 +60,18 @@
   ],
   "dependencies": {
     "@supabase/supabase-js": "^2.57.4",
+    "bcrypt": "^5.1.1",
     "chalk": "^5.3.0",
     "chokidar": "^3.6.0",
     "commander": "^10.0.1",
+    "cors": "^2.8.5",
     "dotenv": "^16.4.5",
+    "express": "^4.18.2",
+    "express-rate-limit": "^7.5.1",
     "glob": "^10.3.12",
     "inquirer": "^9.2.12",
     "js-yaml": "^4.1.0",
+    "jsonwebtoken": "^9.0.2",
     "node-cron": "^3.0.3",
     "ora": "^8.0.1",
     "pg": "^8.16.3",
@@ -72,8 +79,12 @@
     "uuid": "^10.0.0"
   },
   "devDependencies": {
+    "@types/bcrypt": "^5.0.2",
+    "@types/cors": "^2.8.17",
+    "@types/express": "^4.17.21",
     "@types/jest": "^30.0.0",
     "@types/js-yaml": "^4.0.9",
+    "@types/jsonwebtoken": "^9.0.5",
     "@types/node": "^20.12.7",
     "@typescript-eslint/eslint-plugin": "^8.44.1",
     "@typescript-eslint/parser": "^8.44.1",