lsh-framework 3.2.4 → 3.5.0

package/dist/lib/saas-secrets.js

@@ -1,408 +0,0 @@
-/**
- * LSH SaaS Secrets Management Service
- * Multi-tenant secrets with per-team encryption
- */
-import { getErrorMessage, } from './saas-types.js';
-import { getSupabaseClient } from './supabase-client.js';
-import { encryptionService } from './saas-encryption.js';
-import { auditLogger } from './saas-audit.js';
-import { organizationService } from './saas-organizations.js';
-import { TABLES } from '../constants/index.js';
-/**
- * Secrets Service
- */
-export class SecretsService {
-    supabase = getSupabaseClient();
-    /**
-     * Create a new secret
-     */
-    async createSecret(input) {
-        // Check tier limits
-        await this.checkSecretsLimit(input.teamId);
-        // Get or create encryption key for team
-        let encryptionKey = await encryptionService.getTeamKey(input.teamId);
-        if (!encryptionKey) {
-            // Auto-create encryption key for team
-            const team = await this.getTeamById(input.teamId);
-            if (!team) {
-                throw new Error('Team not found');
-            }
-            encryptionKey = await encryptionService.generateTeamKey(input.teamId, input.createdBy);
-        }
-        // Encrypt the secret value
-        const encryptedValue = await encryptionService.encryptForTeam(input.teamId, input.value);
-        // Store secret
-        const { data, error } = await this.supabase
-            .from('secrets')
-            .insert({
-            team_id: input.teamId,
-            environment: input.environment,
-            key: input.key,
-            encrypted_value: encryptedValue,
-            encryption_key_id: encryptionKey.id,
-            description: input.description || null,
-            tags: JSON.stringify(input.tags || []),
-            rotation_interval_days: input.rotationIntervalDays || null,
-            created_by: input.createdBy,
-        })
-            .select()
-            .single();
-        if (error) {
-            throw new Error(`Failed to create secret: ${error.message}`);
-        }
-        // Audit log
-        const team = await this.getTeamById(input.teamId);
-        if (team) {
-            await auditLogger.log({
-                organizationId: team.organization_id,
-                teamId: input.teamId,
-                userId: input.createdBy,
-                action: 'secret.create',
-                resourceType: 'secret',
-                resourceId: data.id,
-                newValue: {
-                    key: input.key,
-                    environment: input.environment,
-                },
-            });
-        }
-        return this.mapDbSecretToSecret(data);
-    }
-    /**
-     * Get secret by ID
-     */
-    async getSecretById(id, decrypt = false) {
-        const { data, error } = await this.supabase
-            .from('secrets')
-            .select('*')
-            .eq('id', id)
-            .is('deleted_at', null)
-            .single();
-        if (error || !data) {
-            return null;
-        }
-        const secret = this.mapDbSecretToSecret(data);
-        // Decrypt if requested
-        if (decrypt) {
-            const decryptedValue = await encryptionService.decryptForTeam(secret.teamId, secret.encryptedValue);
-            return { ...secret, encryptedValue: decryptedValue };
-        }
-        return secret;
-    }
-    /**
-     * Get secrets for team/environment
-     */
-    async getTeamSecrets(teamId, environment, decrypt = false) {
-        let query = this.supabase
-            .from('secrets')
-            .select('*')
-            .eq('team_id', teamId)
-            .is('deleted_at', null);
-        if (environment) {
-            query = query.eq('environment', environment);
-        }
-        query = query.order('key', { ascending: true });
-        const { data, error } = await query;
-        if (error) {
-            throw new Error(`Failed to get secrets: ${error.message}`);
-        }
-        const secrets = (data || []).map(this.mapDbSecretToSecret);
-        // Decrypt if requested
-        if (decrypt) {
-            return Promise.all(secrets.map(async (secret) => {
-                try {
-                    const decryptedValue = await encryptionService.decryptForTeam(teamId, secret.encryptedValue);
-                    return { ...secret, encryptedValue: decryptedValue };
-                }
-                catch (error) {
-                    console.error(`Failed to decrypt secret ${secret.id}:`, error);
-                    return secret;
-                }
-            }));
-        }
-        return secrets;
-    }
-    /**
-     * Update secret
-     */
-    async updateSecret(id, input) {
-        const secret = await this.getSecretById(id);
-        if (!secret) {
-            throw new Error('Secret not found');
-        }
-        const updateData = {
-            updated_by: input.updatedBy,
-            updated_at: new Date().toISOString(),
-        };
-        // Encrypt new value if provided
-        if (input.value) {
-            updateData.encrypted_value = await encryptionService.encryptForTeam(secret.teamId, input.value);
-        }
-        if (input.description !== undefined) {
-            updateData.description = input.description;
-        }
-        if (input.tags) {
-            updateData.tags = JSON.stringify(input.tags);
-        }
-        if (input.rotationIntervalDays !== undefined) {
-            updateData.rotation_interval_days = input.rotationIntervalDays;
-        }
-        const { data, error } = await this.supabase
-            .from('secrets')
-            .update(updateData)
-            .eq('id', id)
-            .select()
-            .single();
-        if (error) {
-            throw new Error(`Failed to update secret: ${error.message}`);
-        }
-        // Audit log
-        const team = await this.getTeamById(secret.teamId);
-        if (team) {
-            await auditLogger.log({
-                organizationId: team.organization_id,
-                teamId: secret.teamId,
-                userId: input.updatedBy,
-                action: 'secret.update',
-                resourceType: 'secret',
-                resourceId: id,
-                oldValue: { description: secret.description },
-                newValue: { description: input.description },
-            });
-        }
-        return this.mapDbSecretToSecret(data);
-    }
-    /**
-     * Delete secret (soft delete)
-     */
-    async deleteSecret(id, deletedBy) {
-        const secret = await this.getSecretById(id);
-        if (!secret) {
-            throw new Error('Secret not found');
-        }
-        const { error } = await this.supabase
-            .from('secrets')
-            .update({
-            deleted_at: new Date().toISOString(),
-            deleted_by: deletedBy,
-        })
-            .eq('id', id);
-        if (error) {
-            throw new Error(`Failed to delete secret: ${error.message}`);
-        }
-        // Audit log
-        const team = await this.getTeamById(secret.teamId);
-        if (team) {
-            await auditLogger.log({
-                organizationId: team.organization_id,
-                teamId: secret.teamId,
-                userId: deletedBy,
-                action: 'secret.delete',
-                resourceType: 'secret',
-                resourceId: id,
-                oldValue: {
-                    key: secret.key,
-                    environment: secret.environment,
-                },
-            });
-        }
-    }
-    /**
-     * Get secrets summary by team
-     */
-    async getSecretsSummary(teamId) {
-        const { data, error } = await this.supabase
-            .from(TABLES.SECRETS_SUMMARY)
-            .select('*')
-            .eq('team_id', teamId);
-        if (error) {
-            throw new Error(`Failed to get secrets summary: ${error.message}`);
-        }
-        return (data || []).map((row) => ({
-            teamId: row.team_id,
-            teamName: row.team_name,
-            environment: row.environment,
-            secretsCount: row.secrets_count || 0,
-            lastUpdated: row.last_updated ? new Date(row.last_updated) : null,
-        }));
-    }
-    /**
-     * Export secrets to .env format
-     */
-    async exportToEnv(teamId, environment) {
-        const secrets = await this.getTeamSecrets(teamId, environment, true);
-        const envLines = secrets.map((secret) => {
-            // Escape special characters in values (backslashes first, then quotes)
-            const value = secret.encryptedValue.includes(' ')
-                ? `"${secret.encryptedValue.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`
-                : secret.encryptedValue;
-            const comment = secret.description ? `# ${secret.description}\n` : '';
-            return `${comment}${secret.key}=${value}`;
-        });
-        return envLines.join('\n');
-    }
-    /**
-     * Import secrets from .env format
-     */
-    async importFromEnv(teamId, environment, envContent, createdBy) {
-        const lines = envContent.split('\n');
-        const secrets = [];
-        let currentDescription = '';
-        // Parse .env file
-        for (const line of lines) {
-            const trimmed = line.trim();
-            // Skip empty lines
-            if (!trimmed) {
-                currentDescription = '';
-                continue;
-            }
-            // Comment line (description)
-            if (trimmed.startsWith('#')) {
-                currentDescription = trimmed.substring(1).trim();
-                continue;
-            }
-            // Key=value line
-            const match = trimmed.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/);
-            if (match) {
-                let value = match[2];
-                // Remove quotes if present
-                if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
-                    value = value.slice(1, -1);
-                }
-                secrets.push({
-                    key: match[1],
-                    value,
-                    description: currentDescription || undefined,
-                });
-                currentDescription = '';
-            }
-        }
-        // Import secrets
-        let created = 0;
-        let updated = 0;
-        const errors = [];
-        for (const secret of secrets) {
-            try {
-                // Check if secret already exists
-                const { data: existing } = await this.supabase
-                    .from('secrets')
-                    .select('id')
-                    .eq('team_id', teamId)
-                    .eq('environment', environment)
-                    .eq('key', secret.key)
-                    .is('deleted_at', null)
-                    .single();
-                if (existing) {
-                    // Update existing
-                    await this.updateSecret(existing.id, {
-                        value: secret.value,
-                        description: secret.description,
-                        updatedBy: createdBy,
-                    });
-                    updated++;
-                }
-                else {
-                    // Create new
-                    await this.createSecret({
-                        teamId,
-                        environment,
-                        key: secret.key,
-                        value: secret.value,
-                        description: secret.description,
-                        createdBy,
-                    });
-                    created++;
-                }
-            }
-            catch (error) {
-                errors.push(`${secret.key}: ${getErrorMessage(error)}`);
-            }
-        }
-        return { created, updated, errors };
-    }
-    /**
-     * Check secrets limit for tier
-     */
-    async checkSecretsLimit(teamId) {
-        const team = await this.getTeamById(teamId);
-        if (!team) {
-            throw new Error('Team not found');
-        }
-        const org = await organizationService.getOrganizationById(team.organization_id);
-        if (!org) {
-            throw new Error('Organization not found');
-        }
-        const usage = await organizationService.getUsageSummary(team.organization_id);
-        const { TIER_LIMITS } = await import('./saas-types.js');
-        const limits = TIER_LIMITS[org.subscriptionTier];
-        if (usage.secretCount >= limits.secrets) {
-            throw new Error('TIER_LIMIT_EXCEEDED: Secret limit reached. Please upgrade your plan.');
-        }
-    }
-    /**
-     * Helper to get team record from database.
-     *
-     * Fetches raw team record from 'teams' table. Used internally to get
-     * organization_id for audit logging and tier limit checks.
-     *
-     * @param teamId - UUID of team to fetch
-     * @returns Raw Supabase team record or null if not found
-     * @see DbTeamRecord in database-types.ts for return shape
-     */
-    async getTeamById(teamId) {
-        const { data } = await this.supabase
-            .from('teams')
-            .select('*')
-            .eq('id', teamId)
-            .single();
-        return data;
-    }
-    /**
-     * Transform Supabase secret record to domain model.
-     *
-     * Maps database snake_case columns to TypeScript camelCase properties:
-     * - `team_id` → `teamId`
-     * - `encrypted_value` → `encryptedValue` (AES-256 encrypted)
-     * - `encryption_key_id` → `encryptionKeyId` (FK to team's encryption key)
-     * - `last_rotated_at` → `lastRotatedAt` (nullable Date)
-     * - `rotation_interval_days` → `rotationIntervalDays` (nullable number)
-     * - `created_by` → `createdBy` (FK to users.id)
-     * - `updated_by` → `updatedBy` (FK to users.id)
-     * - `deleted_by` → `deletedBy` (FK to users.id, for soft delete audit)
-     *
-     * Special handling:
-     * - `tags`: Parses JSON string to string[] if stored as string, passes through if already array
-     *
-     * Note: The `encryptedValue` field contains the encrypted secret. Use
-     * `encryptionService.decryptForTeam()` to decrypt it when needed.
-     *
-     * @param dbSecret - Supabase record from 'secrets' table
-     * @returns Domain Secret object with parsed tags
-     * @see DbSecretRecord in database-types.ts for input shape
-     * @see Secret in saas-types.ts for output shape
-     */
-    mapDbSecretToSecret(dbSecret) {
-        return {
-            id: dbSecret.id,
-            teamId: dbSecret.team_id,
-            environment: dbSecret.environment,
-            key: dbSecret.key,
-            encryptedValue: dbSecret.encrypted_value,
-            encryptionKeyId: dbSecret.encryption_key_id,
-            description: dbSecret.description,
-            tags: typeof dbSecret.tags === 'string' ? JSON.parse(dbSecret.tags) : (dbSecret.tags || []),
-            lastRotatedAt: dbSecret.last_rotated_at ? new Date(dbSecret.last_rotated_at) : null,
-            rotationIntervalDays: dbSecret.rotation_interval_days,
-            createdAt: new Date(dbSecret.created_at),
-            createdBy: dbSecret.created_by,
-            updatedAt: new Date(dbSecret.updated_at),
-            updatedBy: dbSecret.updated_by,
-            deletedAt: dbSecret.deleted_at ? new Date(dbSecret.deleted_at) : null,
-            deletedBy: dbSecret.deleted_by,
-        };
-    }
-}
-/**
- * Singleton instance
- */
-export const secretsService = new SecretsService();

package/dist/lib/saas-types.js

@@ -1,165 +0,0 @@
-/**
- * LSH SaaS Platform TypeScript Type Definitions
- * Mirrors the database schema for multi-tenant support
- */
-export const TIER_LIMITS = {
-    free: {
-        organizations: 1,
-        teamMembers: 3,
-        secrets: 10,
-        environments: 3,
-        auditLogRetentionDays: 30,
-        apiCallsPerMonth: 1000,
-        ssoEnabled: false,
-        prioritySupport: false,
-    },
-    pro: {
-        organizations: 1,
-        teamMembers: Infinity,
-        secrets: Infinity,
-        environments: Infinity,
-        auditLogRetentionDays: 365,
-        apiCallsPerMonth: 100000,
-        ssoEnabled: false,
-        prioritySupport: true,
-    },
-    enterprise: {
-        organizations: Infinity,
-        teamMembers: Infinity,
-        secrets: Infinity,
-        environments: Infinity,
-        auditLogRetentionDays: Infinity,
-        apiCallsPerMonth: Infinity,
-        ssoEnabled: true,
-        prioritySupport: true,
-    },
-};
-export const ROLE_PERMISSIONS = {
-    owner: {
-        canManageBilling: true,
-        canInviteMembers: true,
-        canRemoveMembers: true,
-        canCreateTeams: true,
-        canDeleteTeams: true,
-        canManageSecrets: true,
-        canViewSecrets: true,
-        canViewAuditLogs: true,
-        canManageApiKeys: true,
-    },
-    admin: {
-        canManageBilling: false,
-        canInviteMembers: true,
-        canRemoveMembers: true,
-        canCreateTeams: true,
-        canDeleteTeams: true,
-        canManageSecrets: true,
-        canViewSecrets: true,
-        canViewAuditLogs: true,
-        canManageApiKeys: true,
-    },
-    member: {
-        canManageBilling: false,
-        canInviteMembers: false,
-        canRemoveMembers: false,
-        canCreateTeams: false,
-        canDeleteTeams: false,
-        canManageSecrets: true,
-        canViewSecrets: true,
-        canViewAuditLogs: false,
-        canManageApiKeys: true,
-    },
-    viewer: {
-        canManageBilling: false,
-        canInviteMembers: false,
-        canRemoveMembers: false,
-        canCreateTeams: false,
-        canDeleteTeams: false,
-        canManageSecrets: false,
-        canViewSecrets: true,
-        canViewAuditLogs: false,
-        canManageApiKeys: false,
-    },
-};
-// ============================================================================
-// ERROR CODES
-// ============================================================================
-export var ErrorCode;
-(function (ErrorCode) {
-    // Auth
-    ErrorCode["UNAUTHORIZED"] = "UNAUTHORIZED";
-    ErrorCode["INVALID_CREDENTIALS"] = "INVALID_CREDENTIALS";
-    ErrorCode["EMAIL_NOT_VERIFIED"] = "EMAIL_NOT_VERIFIED";
-    ErrorCode["EMAIL_ALREADY_EXISTS"] = "EMAIL_ALREADY_EXISTS";
-    ErrorCode["INVALID_TOKEN"] = "INVALID_TOKEN";
-    // Permissions
-    ErrorCode["FORBIDDEN"] = "FORBIDDEN";
-    ErrorCode["INSUFFICIENT_PERMISSIONS"] = "INSUFFICIENT_PERMISSIONS";
-    // Resources
-    ErrorCode["NOT_FOUND"] = "NOT_FOUND";
-    ErrorCode["ALREADY_EXISTS"] = "ALREADY_EXISTS";
-    ErrorCode["INVALID_INPUT"] = "INVALID_INPUT";
-    // Billing
-    ErrorCode["TIER_LIMIT_EXCEEDED"] = "TIER_LIMIT_EXCEEDED";
-    ErrorCode["SUBSCRIPTION_REQUIRED"] = "SUBSCRIPTION_REQUIRED";
-    ErrorCode["PAYMENT_REQUIRED"] = "PAYMENT_REQUIRED";
-    // General
-    ErrorCode["INTERNAL_ERROR"] = "INTERNAL_ERROR";
-    ErrorCode["SERVICE_UNAVAILABLE"] = "SERVICE_UNAVAILABLE";
-})(ErrorCode || (ErrorCode = {}));
-/**
- * Helper to safely extract error message
- */
-export function getErrorMessage(error) {
-    if (error instanceof Error) {
-        return error.message;
-    }
-    if (typeof error === 'string') {
-        return error;
-    }
-    return 'Unknown error occurred';
-}
-/**
- * Helper to safely extract error for logging
- */
-export function getErrorDetails(error) {
-    if (error instanceof Error) {
-        return {
-            message: error.message,
-            stack: error.stack,
-            code: error.code,
-        };
-    }
-    return { message: String(error) };
-}
-/**
- * Helper to get authenticated user from request.
- * Use after authenticateUser middleware - throws if user not present.
- */
-export function getAuthenticatedUser(req) {
-    if (!req.user) {
-        throw new Error('User not authenticated');
-    }
-    return req.user;
-}
-/**
- * Create a standardized API error response
- */
-export function createErrorResponse(code, message, details) {
-    return {
-        success: false,
-        error: {
-            code,
-            message,
-            details,
-        },
-    };
-}
-/**
- * Create a standardized API success response
- */
-export function createSuccessResponse(data) {
-    return {
-        success: true,
-        data,
-    };
-}

package/dist/lib/supabase-client.js

@@ -1,125 +0,0 @@
-/**
- * Supabase Client Configuration
- * Provides database connectivity for LSH features
- */
-import { createClient } from '@supabase/supabase-js';
-import { ENV_VARS } from '../constants/index.js';
-export class SupabaseClient {
-    client;
-    config;
-    constructor(config) {
-        const url = config?.url || process.env[ENV_VARS.SUPABASE_URL];
-        const anonKey = config?.anonKey || process.env[ENV_VARS.SUPABASE_ANON_KEY];
-        const databaseUrl = config?.databaseUrl || process.env[ENV_VARS.DATABASE_URL];
-        if (!url || !anonKey) {
-            throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
-        }
-        this.config = {
-            url,
-            anonKey,
-            databaseUrl,
-        };
-        this.client = createClient(this.config.url, this.config.anonKey);
-    }
-    /**
-     * Get the Supabase client instance
-     */
-    getClient() {
-        return this.client;
-    }
-    /**
-     * Test database connectivity
-     */
-    async testConnection() {
-        try {
-            const { error } = await this.client
-                .from('shell_history')
-                .select('count')
-                .limit(1);
-            return !error;
-        }
-        catch (error) {
-            console.error('Supabase connection test failed:', error);
-            return false;
-        }
-    }
-    /**
-     * Get database connection info
-     */
-    getConnectionInfo() {
-        return {
-            url: this.config.url,
-            databaseUrl: this.config.databaseUrl,
-            isConnected: !!this.client,
-        };
-    }
-}
-// Default client instance - lazily initialized to avoid errors at module load
-let _supabaseClient = null;
-let _clientInitializationFailed = false;
-function getDefaultClient() {
-    if (_clientInitializationFailed) {
-        return null;
-    }
-    if (!_supabaseClient) {
-        try {
-            _supabaseClient = new SupabaseClient();
-        }
-        catch (_error) {
-            // Supabase not configured - will fall back to local storage
-            _clientInitializationFailed = true;
-            return null;
-        }
-    }
-    return _supabaseClient;
-}
-/**
- * Check if Supabase is configured and available
- */
-export function isSupabaseConfigured() {
-    return !!(process.env[ENV_VARS.SUPABASE_URL] && process.env[ENV_VARS.SUPABASE_ANON_KEY]);
-}
-export const supabaseClient = {
-    getClient() {
-        const client = getDefaultClient();
-        if (!client) {
-            throw new Error('Supabase client not initialized. Using local storage fallback.');
-        }
-        return client.getClient();
-    },
-    async testConnection() {
-        const client = getDefaultClient();
-        if (!client) {
-            return false;
-        }
-        return client.testConnection();
-    },
-    getConnectionInfo() {
-        const client = getDefaultClient();
-        if (!client) {
-            return {
-                url: undefined,
-                databaseUrl: undefined,
-                isConnected: false,
-            };
-        }
-        return client.getConnectionInfo();
-    },
-    isAvailable() {
-        return getDefaultClient() !== null;
-    }
-};
-/**
- * Get Supabase client for SaaS platform
- * Uses environment variables for configuration
- * @throws {Error} If SUPABASE_URL or SUPABASE_ANON_KEY are not set
- */
-export function getSupabaseClient() {
-    const url = process.env[ENV_VARS.SUPABASE_URL];
-    const key = process.env[ENV_VARS.SUPABASE_ANON_KEY];
-    if (!url || !key) {
-        throw new Error('Supabase configuration missing. Please set SUPABASE_URL and SUPABASE_ANON_KEY environment variables.');
-    }
-    return createClient(url, key);
-}
-export default SupabaseClient;