lsh-framework 3.2.5 → 3.5.1

package/dist/lib/saas-email.js

@@ -1,403 +0,0 @@
-/**
- * LSH SaaS Email Service
- * Email sending using Resend API
- */
-import { ENV_VARS } from '../constants/index.js';
-/**
- * Email Service
- */
-export class EmailService {
-    config;
-    resendApiUrl = 'https://api.resend.com/emails';
-    constructor(config) {
-        this.config = {
-            apiKey: config?.apiKey || process.env[ENV_VARS.RESEND_API_KEY] || '',
-            fromEmail: config?.fromEmail || process.env[ENV_VARS.EMAIL_FROM] || 'noreply@lsh.dev',
-            fromName: config?.fromName || 'LSH Secrets Manager',
-            baseUrl: config?.baseUrl || process.env[ENV_VARS.BASE_URL] || 'https://app.lsh.dev',
-        };
-        if (!this.config.apiKey) {
-            console.warn('RESEND_API_KEY not set - emails will not be sent');
-        }
-    }
-    /**
-     * Send email using Resend API
-     */
-    async sendEmail(params) {
-        if (!this.config.apiKey) {
-            // Sanitize email parameters to prevent log injection
-            const sanitizedTo = params.to.replace(/[\r\n]/g, '');
-            const sanitizedSubject = params.subject.replace(/[\r\n]/g, '');
-            const sanitizedText = params.text.replace(/[\r\n]/g, ' ');
-            console.log('Email would be sent to:', sanitizedTo);
-            console.log('Subject:', sanitizedSubject);
-            console.log('Text:', sanitizedText);
-            return;
-        }
-        try {
-            const response = await fetch(this.resendApiUrl, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    Authorization: `Bearer ${this.config.apiKey}`,
-                },
-                body: JSON.stringify({
-                    from: `${this.config.fromName} <${this.config.fromEmail}>`,
-                    to: params.to,
-                    subject: params.subject,
-                    html: params.html,
-                    text: params.text,
-                }),
-            });
-            if (!response.ok) {
-                const error = await response.text();
-                throw new Error(`Failed to send email: ${error}`);
-            }
-        }
-        catch (error) {
-            console.error('Email send error:', error);
-            throw error;
-        }
-    }
-    /**
-     * Send email verification
-     */
-    async sendVerificationEmail(to, token, firstName) {
-        const verificationUrl = `${this.config.baseUrl}/verify-email?token=${token}`;
-        const name = firstName || 'there';
-        const template = this.getVerificationEmailTemplate(name, verificationUrl);
-        await this.sendEmail({
-            to,
-            subject: template.subject,
-            html: template.html,
-            text: template.text,
-        });
-    }
-    /**
-     * Send password reset email
-     */
-    async sendPasswordResetEmail(to, token, firstName) {
-        const resetUrl = `${this.config.baseUrl}/reset-password?token=${token}`;
-        const name = firstName || 'there';
-        const template = this.getPasswordResetTemplate(name, resetUrl);
-        await this.sendEmail({
-            to,
-            subject: template.subject,
-            html: template.html,
-            text: template.text,
-        });
-    }
-    /**
-     * Send organization invitation email
-     */
-    async sendOrganizationInvite(to, organizationName, inviterName, inviteUrl) {
-        const template = this.getOrganizationInviteTemplate(organizationName, inviterName, inviteUrl);
-        await this.sendEmail({
-            to,
-            subject: template.subject,
-            html: template.html,
-            text: template.text,
-        });
-    }
-    /**
-     * Send welcome email
-     */
-    async sendWelcomeEmail(to, firstName) {
-        const name = firstName || 'there';
-        const template = this.getWelcomeEmailTemplate(name);
-        await this.sendEmail({
-            to,
-            subject: template.subject,
-            html: template.html,
-            text: template.text,
-        });
-    }
-    /**
-     * Send subscription confirmation
-     */
-    async sendSubscriptionConfirmation(to, tier, firstName) {
-        const name = firstName || 'there';
-        const template = this.getSubscriptionConfirmationTemplate(name, tier);
-        await this.sendEmail({
-            to,
-            subject: template.subject,
-            html: template.html,
-            text: template.text,
-        });
-    }
-    /**
-     * Email verification template
-     */
-    getVerificationEmailTemplate(name, verificationUrl) {
-        return {
-            subject: 'Verify your email address',
-            html: `
-        <!DOCTYPE html>
-        <html>
-        <head>
-          <meta charset="utf-8">
-          <meta name="viewport" content="width=device-width, initial-scale=1.0">
-        </head>
-        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
-          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
-            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
-            <p style="color: rgba(255,255,255,0.9); margin: 10px 0 0 0; font-size: 16px;">Secrets Manager</p>
-          </div>
-
-          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
-            <h2 style="color: #333; margin-top: 0;">Hi ${name}! 👋</h2>
-
-            <p>Thanks for signing up for LSH Secrets Manager. Please verify your email address to get started.</p>
-
-            <div style="text-align: center; margin: 30px 0;">
-              <a href="${verificationUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
-                Verify Email Address
-              </a>
-            </div>
-
-            <p style="color: #666; font-size: 14px;">Or copy and paste this link into your browser:</p>
-            <p style="color: #667eea; font-size: 12px; word-break: break-all; background: #f5f5f5; padding: 10px; border-radius: 4px;">${verificationUrl}</p>
-
-            <p style="color: #666; font-size: 14px; margin-top: 30px;">This link will expire in 24 hours.</p>
-
-            <hr style="border: none; border-top: 1px solid #e0e0e0; margin: 30px 0;">
-
-            <p style="color: #999; font-size: 12px; margin: 0;">If you didn't create an account, you can safely ignore this email.</p>
-          </div>
-        </body>
-        </html>
-      `,
-            text: `
-Hi ${name}!
-
-Thanks for signing up for LSH Secrets Manager. Please verify your email address to get started.
-
-Verification link: ${verificationUrl}
-
-This link will expire in 24 hours.
-
-If you didn't create an account, you can safely ignore this email.
-
----
-LSH Secrets Manager
-      `.trim(),
-        };
-    }
-    /**
-     * Password reset template
-     */
-    getPasswordResetTemplate(name, resetUrl) {
-        return {
-            subject: 'Reset your password',
-            html: `
-        <!DOCTYPE html>
-        <html>
-        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
-          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
-            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
-            <p style="color: rgba(255,255,255,0.9); margin: 10px 0 0 0;">Secrets Manager</p>
-          </div>
-
-          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
-            <h2 style="color: #333; margin-top: 0;">Hi ${name},</h2>
-
-            <p>We received a request to reset your password. Click the button below to create a new password.</p>
-
-            <div style="text-align: center; margin: 30px 0;">
-              <a href="${resetUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
-                Reset Password
-              </a>
-            </div>
-
-            <p style="color: #666; font-size: 14px;">Or copy and paste this link:</p>
-            <p style="color: #667eea; font-size: 12px; word-break: break-all; background: #f5f5f5; padding: 10px; border-radius: 4px;">${resetUrl}</p>
-
-            <p style="color: #666; font-size: 14px; margin-top: 30px;">This link will expire in 1 hour.</p>
-
-            <hr style="border: none; border-top: 1px solid #e0e0e0; margin: 30px 0;">
-
-            <p style="color: #999; font-size: 12px;">If you didn't request a password reset, you can safely ignore this email.</p>
-          </div>
-        </body>
-        </html>
-      `,
-            text: `
-Hi ${name},
-
-We received a request to reset your password. Use the link below to create a new password:
-
-${resetUrl}
-
-This link will expire in 1 hour.
-
-If you didn't request a password reset, you can safely ignore this email.
-
----
-LSH Secrets Manager
-      `.trim(),
-        };
-    }
-    /**
-     * Organization invite template
-     */
-    getOrganizationInviteTemplate(organizationName, inviterName, inviteUrl) {
-        return {
-            subject: `You've been invited to join ${organizationName} on LSH`,
-            html: `
-        <!DOCTYPE html>
-        <html>
-        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
-          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
-            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
-          </div>
-
-          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
-            <h2 style="color: #333; margin-top: 0;">You've been invited! 🎉</h2>
-
-            <p><strong>${inviterName}</strong> has invited you to join <strong>${organizationName}</strong> on LSH Secrets Manager.</p>
-
-            <div style="text-align: center; margin: 30px 0;">
-              <a href="${inviteUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
-                Accept Invitation
-              </a>
-            </div>
-
-            <p style="color: #666; font-size: 14px;">Or copy and paste this link:</p>
-            <p style="color: #667eea; font-size: 12px; word-break: break-all; background: #f5f5f5; padding: 10px; border-radius: 4px;">${inviteUrl}</p>
-          </div>
-        </body>
-        </html>
-      `,
-            text: `
-You've been invited!
-
-${inviterName} has invited you to join ${organizationName} on LSH Secrets Manager.
-
-Accept invitation: ${inviteUrl}
-
----
-LSH Secrets Manager
-      `.trim(),
-        };
-    }
-    /**
-     * Welcome email template
-     */
-    getWelcomeEmailTemplate(name) {
-        const dashboardUrl = `${this.config.baseUrl}/dashboard`;
-        const docsUrl = 'https://docs.lsh.dev';
-        return {
-            subject: 'Welcome to LSH Secrets Manager! 🚀',
-            html: `
-        <!DOCTYPE html>
-        <html>
-        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
-          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
-            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
-          </div>
-
-          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
-            <h2 style="color: #333; margin-top: 0;">Welcome, ${name}! 🎉</h2>
-
-            <p>Your account is now active. Here's how to get started:</p>
-
-            <ol style="color: #666;">
-              <li><strong>Create a team</strong> - Organize your secrets by project or environment</li>
-              <li><strong>Add secrets</strong> - Securely store API keys, tokens, and credentials</li>
-              <li><strong>Invite team members</strong> - Collaborate securely with your team</li>
-              <li><strong>Install the CLI</strong> - <code>npm install -g lsh</code></li>
-            </ol>
-
-            <div style="text-align: center; margin: 30px 0;">
-              <a href="${dashboardUrl}" style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 14px 32px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block; margin-right: 10px;">
-                Go to Dashboard
-              </a>
-              <a href="${docsUrl}" style="background: white; color: #667eea; border: 2px solid #667eea; padding: 12px 30px; text-decoration: none; border-radius: 6px; font-weight: 600; display: inline-block;">
-                View Docs
-              </a>
-            </div>
-
-            <p style="color: #666;">Need help? Reply to this email or check out our <a href="${docsUrl}" style="color: #667eea;">documentation</a>.</p>
-          </div>
-        </body>
-        </html>
-      `,
-            text: `
-Welcome to LSH Secrets Manager, ${name}!
-
-Your account is now active. Here's how to get started:
-
-1. Create a team - Organize your secrets by project or environment
-2. Add secrets - Securely store API keys, tokens, and credentials
-3. Invite team members - Collaborate securely with your team
-4. Install the CLI - npm install -g lsh
-
-Dashboard: ${dashboardUrl}
-Documentation: ${docsUrl}
-
-Need help? Reply to this email or check out our documentation.
-
----
-LSH Secrets Manager
-      `.trim(),
-        };
-    }
-    /**
-     * Subscription confirmation template
-     */
-    getSubscriptionConfirmationTemplate(name, tier) {
-        return {
-            subject: `Your ${tier} subscription is active! 🎉`,
-            html: `
-        <!DOCTYPE html>
-        <html>
-        <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; line-height: 1.6; color: #333; max-width: 600px; margin: 0 auto; padding: 20px;">
-          <div style="background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; text-align: center; border-radius: 8px 8px 0 0;">
-            <h1 style="color: white; margin: 0; font-size: 32px;">🔐 LSH</h1>
-          </div>
-
-          <div style="background: white; padding: 40px; border: 1px solid #e0e0e0; border-top: none; border-radius: 0 0 8px 8px;">
-            <h2 style="color: #333; margin-top: 0;">Thanks, ${name}! 🎉</h2>
-
-            <p>Your <strong>${tier}</strong> subscription is now active. You now have access to:</p>
-
-            <ul style="color: #666;">
-              ${tier === 'Pro'
-                ? `
-              <li>Unlimited team members</li>
-              <li>Unlimited secrets</li>
-              <li>Unlimited environments</li>
-              <li>1-year audit log retention</li>
-              <li>Priority support</li>
-              `
-                : `
-              <li>Multiple organizations</li>
-              <li>SSO/SAML integration</li>
-              <li>Unlimited audit log retention</li>
-              <li>SLA support</li>
-              <li>On-premise deployment option</li>
-              `}
-            </ul>
-
-            <p style="color: #666;">Manage your subscription anytime from your account settings.</p>
-          </div>
-        </body>
-        </html>
-      `,
-            text: `
-Thanks, ${name}!
-
-Your ${tier} subscription is now active.
-
-Manage your subscription anytime from your account settings.
-
----
-LSH Secrets Manager
-      `.trim(),
-        };
-    }
-}
-/**
- * Singleton instance
- */
-export const emailService = new EmailService();

package/dist/lib/saas-encryption.js

@@ -1,221 +0,0 @@
-/**
- * LSH SaaS Per-Team Encryption Service
- * Manages encryption keys for each team
- */
-import { randomBytes, createCipheriv, createDecipheriv, createHash, pbkdf2Sync } from 'crypto';
-import { getSupabaseClient } from './supabase-client.js';
-import { ENV_VARS } from '../constants/index.js';
-const ALGORITHM = 'aes-256-cbc';
-const KEY_LENGTH = 32; // 256 bits
-const IV_LENGTH = 16; // 128 bits
-const _SALT_LENGTH = 32; // Reserved for future use
-const PBKDF2_ITERATIONS = 100000;
-/**
- * Get master encryption key from environment
- * This key is used to encrypt/decrypt team encryption keys
- */
-function getMasterKey() {
-    const masterKeyHex = process.env[ENV_VARS.LSH_MASTER_KEY] || process.env[ENV_VARS.LSH_SECRETS_KEY];
-    if (!masterKeyHex) {
-        throw new Error('LSH_MASTER_KEY or LSH_SECRETS_KEY environment variable must be set for encryption');
-    }
-    // If it's a hex string, convert it
-    if (/^[0-9a-fA-F]+$/.test(masterKeyHex)) {
-        return Buffer.from(masterKeyHex, 'hex');
-    }
-    // Otherwise, derive a key from it using PBKDF2
-    const salt = createHash('sha256').update('lsh-saas-master-key-salt').digest();
-    return pbkdf2Sync(masterKeyHex, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha256');
-}
-/**
- * Encryption Service
- */
-export class EncryptionService {
-    supabase = getSupabaseClient();
-    masterKey;
-    constructor() {
-        this.masterKey = getMasterKey();
-    }
-    /**
-     * Generate a new encryption key for a team
-     */
-    async generateTeamKey(teamId, createdBy) {
-        // Generate random key
-        const teamKey = randomBytes(KEY_LENGTH);
-        // Encrypt the team key with the master key
-        const encryptedKey = this.encryptWithMasterKey(teamKey);
-        // Store in database
-        const { data, error } = await this.supabase
-            .from('encryption_keys')
-            .insert({
-            team_id: teamId,
-            encrypted_key: encryptedKey,
-            key_version: 1,
-            algorithm: ALGORITHM,
-            is_active: true,
-            created_by: createdBy,
-        })
-            .select()
-            .single();
-        if (error) {
-            throw new Error(`Failed to create encryption key: ${error.message}`);
-        }
-        // Update team to use this key
-        await this.supabase
-            .from('teams')
-            .update({ encryption_key_id: data.id })
-            .eq('id', teamId);
-        return this.mapDbKeyToKey(data);
-    }
-    /**
-     * Rotate team encryption key
-     */
-    async rotateTeamKey(teamId, rotatedBy) {
-        // Get current key version
-        const { data: currentKeys } = await this.supabase
-            .from('encryption_keys')
-            .select('key_version')
-            .eq('team_id', teamId)
-            .order('key_version', { ascending: false })
-            .limit(1);
-        const newVersion = currentKeys && currentKeys.length > 0 ? currentKeys[0].key_version + 1 : 1;
-        // Mark old keys as inactive
-        await this.supabase
-            .from('encryption_keys')
-            .update({
-            is_active: false,
-            rotated_at: new Date().toISOString(),
-        })
-            .eq('team_id', teamId)
-            .eq('is_active', true);
-        // Generate new key
-        const teamKey = randomBytes(KEY_LENGTH);
-        const encryptedKey = this.encryptWithMasterKey(teamKey);
-        // Store new key
-        const { data, error } = await this.supabase
-            .from('encryption_keys')
-            .insert({
-            team_id: teamId,
-            encrypted_key: encryptedKey,
-            key_version: newVersion,
-            algorithm: ALGORITHM,
-            is_active: true,
-            created_by: rotatedBy,
-        })
-            .select()
-            .single();
-        if (error) {
-            throw new Error(`Failed to rotate encryption key: ${error.message}`);
-        }
-        // Update team
-        await this.supabase
-            .from('teams')
-            .update({ encryption_key_id: data.id })
-            .eq('id', teamId);
-        return this.mapDbKeyToKey(data);
-    }
-    /**
-     * Get active encryption key for a team
-     */
-    async getTeamKey(teamId) {
-        const { data, error } = await this.supabase
-            .from('encryption_keys')
-            .select('*')
-            .eq('team_id', teamId)
-            .eq('is_active', true)
-            .single();
-        if (error || !data) {
-            return null;
-        }
-        return this.mapDbKeyToKey(data);
-    }
-    /**
-     * Get decrypted team key (for encryption/decryption operations)
-     */
-    async getDecryptedTeamKey(teamId) {
-        const key = await this.getTeamKey(teamId);
-        if (!key) {
-            throw new Error('No active encryption key found for team');
-        }
-        return this.decryptWithMasterKey(key.encryptedKey);
-    }
-    /**
-     * Encrypt data with team's key
-     */
-    async encryptForTeam(teamId, data) {
-        const teamKey = await this.getDecryptedTeamKey(teamId);
-        // Generate random IV
-        const iv = randomBytes(IV_LENGTH);
-        // Encrypt
-        const cipher = createCipheriv(ALGORITHM, teamKey, iv);
-        let encrypted = cipher.update(data, 'utf8', 'hex');
-        encrypted += cipher.final('hex');
-        // Return IV + encrypted data
-        return iv.toString('hex') + ':' + encrypted;
-    }
-    /**
-     * Decrypt data with team's key
-     */
-    async decryptForTeam(teamId, encryptedData) {
-        const teamKey = await this.getDecryptedTeamKey(teamId);
-        // Split IV and encrypted data
-        const parts = encryptedData.split(':');
-        if (parts.length !== 2) {
-            throw new Error('Invalid encrypted data format');
-        }
-        const iv = Buffer.from(parts[0], 'hex');
-        const encrypted = parts[1];
-        // Decrypt
-        const decipher = createDecipheriv(ALGORITHM, teamKey, iv);
-        let decrypted = decipher.update(encrypted, 'hex', 'utf8');
-        decrypted += decipher.final('utf8');
-        return decrypted;
-    }
-    /**
-     * Encrypt team key with master key
-     */
-    encryptWithMasterKey(teamKey) {
-        const iv = randomBytes(IV_LENGTH);
-        const cipher = createCipheriv(ALGORITHM, this.masterKey, iv);
-        let encrypted = cipher.update(teamKey);
-        encrypted = Buffer.concat([encrypted, cipher.final()]);
-        // Return IV + encrypted key
-        return iv.toString('hex') + ':' + encrypted.toString('hex');
-    }
-    /**
-     * Decrypt team key with master key
-     */
-    decryptWithMasterKey(encryptedKey) {
-        const parts = encryptedKey.split(':');
-        if (parts.length !== 2) {
-            throw new Error('Invalid encrypted key format');
-        }
-        const iv = Buffer.from(parts[0], 'hex');
-        const encrypted = Buffer.from(parts[1], 'hex');
-        const decipher = createDecipheriv(ALGORITHM, this.masterKey, iv);
-        let decrypted = decipher.update(encrypted);
-        decrypted = Buffer.concat([decrypted, decipher.final()]);
-        return decrypted;
-    }
-    /**
-     * Map database key to EncryptionKey type
-     */
-    mapDbKeyToKey(dbKey) {
-        return {
-            id: dbKey.id,
-            teamId: dbKey.team_id,
-            encryptedKey: dbKey.encrypted_key,
-            keyVersion: dbKey.key_version,
-            algorithm: dbKey.algorithm,
-            isActive: dbKey.is_active,
-            rotatedAt: dbKey.rotated_at ? new Date(dbKey.rotated_at) : null,
-            expiresAt: dbKey.expires_at ? new Date(dbKey.expires_at) : null,
-            createdAt: new Date(dbKey.created_at),
-            createdBy: dbKey.created_by,
-        };
-    }
-}
-/**
- * Singleton instance
- */
-export const encryptionService = new EncryptionService();