meyi-vault-server 1.0.0

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "meyi-vault-server",
+  "version": "1.0.0",
+  "description": "Self-hosted encrypted password manager — server plugin for MeyiConnect",
+  "type": "module",
+  "main": "src/index.mjs",
+  "exports": {
+    ".": "./src/index.mjs",
+    "./database": "./src/database/schema.mjs",
+    "./plugin": "./src/plugin.mjs"
+  },
+  "scripts": {
+    "dev": "node --watch src/index.mjs",
+    "build": "esbuild src/index.mjs --bundle --platform=node --format=esm --outfile=dist/index.mjs",
+    "test": "node --test src/**/*.test.mjs"
+  },
+  "keywords": ["password-manager", "vault", "meyiconnect", "plugin", "encrypted"],
+  "author": "Meyi Technologies",
+  "license": "MIT",
+  "dependencies": {
+    "drizzle-orm": "^0.44.7",
+    "pg": "^8.18.0"
+  },
+  "devDependencies": {
+    "esbuild": "0.25.5"
+  },
+  "peerDependencies": {
+    "express": "^4.x"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  }
+}

package/src/database/migrate.mjs

@@ -0,0 +1,110 @@
+/**
+ * Creates all vault tables inside the host's PostgreSQL schema.
+ * Uses raw SQL (IF NOT EXISTS) so it is safe to run multiple times.
+ * Called by the plugin's install() lifecycle method.
+ */
+
+export async function runMigrations(pool, schemaName = 'meyiconnect') {
+  const client = await pool.connect()
+  try {
+    await client.query(`SET search_path TO "${schemaName}", public`)
+
+    await client.query(`
+      -- Vaults: top-level container, one AES key per vault
+      CREATE TABLE IF NOT EXISTS "${schemaName}".vault_vaults (
+        id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        name          TEXT NOT NULL,
+        owner_id      UUID NOT NULL,
+        key_material  TEXT NOT NULL DEFAULT '',
+        created_at    TIMESTAMPTZ DEFAULT NOW()
+      );
+
+      -- Groups: domain buckets inside a vault
+      CREATE TABLE IF NOT EXISTS "${schemaName}".vault_groups (
+        id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        vault_id    UUID NOT NULL
+                      REFERENCES "${schemaName}".vault_vaults(id)
+                      ON DELETE CASCADE,
+        domain      TEXT NOT NULL,
+        name        TEXT NOT NULL,
+        created_at  TIMESTAMPTZ DEFAULT NOW(),
+        UNIQUE(vault_id, domain)
+      );
+
+      -- Entries: AES-256-GCM encrypted credentials
+      CREATE TABLE IF NOT EXISTS "${schemaName}".vault_entries (
+        id             UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        group_id       UUID NOT NULL
+                         REFERENCES "${schemaName}".vault_groups(id)
+                         ON DELETE CASCADE,
+        title          TEXT NOT NULL,
+        username       TEXT NOT NULL,
+        encrypted_data TEXT NOT NULL,
+        iv             TEXT NOT NULL,
+        auth_tag       TEXT NOT NULL,
+        deleted_at     TIMESTAMPTZ,
+        created_at     TIMESTAMPTZ DEFAULT NOW(),
+        updated_at     TIMESTAMPTZ DEFAULT NOW()
+      );
+
+      -- Grants: time-limited shared access
+      CREATE TABLE IF NOT EXISTS "${schemaName}".vault_grants (
+        id             UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        scope          TEXT NOT NULL CHECK (scope IN ('vault','group','entry')),
+        scope_id       UUID NOT NULL,
+        grantee_id     UUID NOT NULL,
+        granted_by_id  UUID NOT NULL,
+        expires_at     TIMESTAMPTZ,
+        revoked_at     TIMESTAMPTZ,
+        created_at     TIMESTAMPTZ DEFAULT NOW(),
+        UNIQUE(scope, scope_id, grantee_id)
+      );
+
+      -- Index for fast grant lookups by grantee
+      CREATE INDEX IF NOT EXISTS idx_vault_grants_grantee
+        ON "${schemaName}".vault_grants (grantee_id)
+        WHERE revoked_at IS NULL;
+
+      -- Index for soft-delete queries on entries
+      CREATE INDEX IF NOT EXISTS idx_vault_entries_group_active
+        ON "${schemaName}".vault_entries (group_id)
+        WHERE deleted_at IS NULL;
+
+      -- Audit logs: immutable activity trail
+      CREATE TABLE IF NOT EXISTS "${schemaName}".vault_audit_logs (
+        id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+        actor_id     TEXT NOT NULL,
+        actor_name   TEXT NOT NULL DEFAULT '',
+        actor_email  TEXT NOT NULL DEFAULT '',
+        action       TEXT NOT NULL,
+        module       TEXT NOT NULL,
+        item_id      TEXT NOT NULL DEFAULT '',
+        item_label   TEXT NOT NULL DEFAULT '',
+        meta         TEXT,
+        created_at   TIMESTAMPTZ DEFAULT NOW()
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_vault_audit_created
+        ON "${schemaName}".vault_audit_logs (created_at DESC);
+    `)
+
+    console.log(`[vault-server] ✅ Migrations complete (schema: ${schemaName})`)
+  } finally {
+    client.release()
+  }
+}
+
+export async function dropTables(pool, schemaName = 'meyiconnect') {
+  const client = await pool.connect()
+  try {
+    await client.query(`
+      DROP TABLE IF EXISTS "${schemaName}".vault_grants;
+      DROP TABLE IF EXISTS "${schemaName}".vault_entries;
+      DROP TABLE IF EXISTS "${schemaName}".vault_groups;
+      DROP TABLE IF EXISTS "${schemaName}".vault_vaults;
+    `)
+    console.log(`[vault-server] Tables dropped (schema: ${schemaName})`)
+  } finally {
+    client.release()
+  }
+}

package/src/database/schema.mjs

@@ -0,0 +1,89 @@
+/**
+ * vault-server/database
+ * ─────────────────────
+ * Exports all Drizzle table definitions so the host app (MeyiConnect)
+ * can import them for migrations, type inference, and query building.
+ *
+ * Usage in plugin:
+ *   import * as vaultSchema from 'vault-server/database'
+ */
+
+import { pgSchema, uuid, text, timestamp } from 'drizzle-orm/pg-core'
+
+// All vault tables live inside the host's PostgreSQL schema.
+// Schema name is injected at runtime via VAULT_DB_SCHEMA env var
+// (defaults to 'meyiconnect' to co-exist with MeyiConnect's tables).
+const schemaName = process.env.VAULT_DB_SCHEMA || 'meyiconnect'
+const vaultSchema = pgSchema(schemaName)
+
+// ── vault_vaults ──────────────────────────────────────────────────────────────
+export const vaultVaults = vaultSchema.table('vault_vaults', {
+  id:           uuid('id').defaultRandom().primaryKey(),
+  name:         text('name').notNull(),
+  owner_id:     uuid('owner_id').notNull(),
+  // AES-256 key stored as hex. In production, encrypt this column using
+  // PostgreSQL pgcrypto or an HSM. For self-hosted this provides
+  // encryption-at-rest via full-disk encryption on the DB server.
+  key_material: text('key_material').notNull(),
+  created_at:   timestamp('created_at').defaultNow(),
+})
+
+// ── vault_groups ──────────────────────────────────────────────────────────────
+// A "group" maps a domain to a set of credentials.
+// The browser extension uses the domain for auto-match on login pages.
+export const vaultGroups = vaultSchema.table('vault_groups', {
+  id:         uuid('id').defaultRandom().primaryKey(),
+  vault_id:   uuid('vault_id').notNull().references(() => vaultVaults.id, { onDelete: 'cascade' }),
+  domain:     text('domain').notNull(),   // e.g. "console.aws.amazon.com"
+  name:       text('name').notNull(),     // e.g. "AWS Console"
+  created_at: timestamp('created_at').defaultNow(),
+})
+
+// ── vault_entries ─────────────────────────────────────────────────────────────
+// One credential per entry. password+notes encrypted with AES-256-GCM.
+export const vaultEntries = vaultSchema.table('vault_entries', {
+  id:             uuid('id').defaultRandom().primaryKey(),
+  group_id:       uuid('group_id').notNull().references(() => vaultGroups.id, { onDelete: 'cascade' }),
+  title:          text('title').notNull(),
+  username:       text('username').notNull(),     // plaintext — not a secret
+  encrypted_data: text('encrypted_data').notNull(), // base64 AES-GCM ciphertext
+  iv:             text('iv').notNull(),             // base64 12-byte IV
+  auth_tag:       text('auth_tag').notNull(),       // base64 16-byte GCM auth tag
+  deleted_at:     timestamp('deleted_at'),          // soft delete — never hard delete
+  created_at:     timestamp('created_at').defaultNow(),
+  updated_at:     timestamp('updated_at').defaultNow(),
+})
+
+// ── vault_grants ──────────────────────────────────────────────────────────────
+// Time-limited access grants from one user to another for any scope.
+export const vaultGrants = vaultSchema.table('vault_grants', {
+  id:            uuid('id').defaultRandom().primaryKey(),
+  scope:         text('scope').notNull(),     // 'vault' | 'group' | 'entry'
+  scope_id:      uuid('scope_id').notNull(),  // ID of the scoped resource
+  grantee_id:    uuid('grantee_id').notNull(),
+  granted_by_id: uuid('granted_by_id').notNull(),
+  expires_at:    timestamp('expires_at'),     // null = no expiry
+  revoked_at:    timestamp('revoked_at'),     // null = still active
+  created_at:    timestamp('created_at').defaultNow(),
+})
+
+// ── vault_audit_logs ──────────────────────────────────────────────────────────
+// Immutable audit trail — never updated or deleted.
+// Every mutation in vaults/groups/entries/grants writes one row here.
+export const vaultAuditLogs = vaultSchema.table('vault_audit_logs', {
+  id:           uuid('id').defaultRandom().primaryKey(),
+  // Who performed the action
+  actor_id:     text('actor_id').notNull(),
+  actor_name:   text('actor_name').notNull().default(''),
+  actor_email:  text('actor_email').notNull().default(''),
+  // What happened: VAULT_CREATED | GROUP_CREATED | ENTRY_CREATED | GRANT_CREATED etc.
+  action:       text('action').notNull(),
+  // Which module: vault | group | entry | grant
+  module:       text('module').notNull(),
+  // The resource that was acted on
+  item_id:      text('item_id').notNull().default(''),
+  item_label:   text('item_label').notNull().default(''),
+  // Extra context (JSON)
+  meta:         text('meta'),
+  created_at:   timestamp('created_at').defaultNow(),
+})

package/src/index.mjs

@@ -0,0 +1,139 @@
+/**
+ * vault-server — MeyiConnect plugin entry point
+ * ─────────────────────────────────────────────
+ * Implements the MeyiConnect plugin contract:
+ *
+ *   install()           → create DB tables (idempotent)
+ *   start(app, cfg, db) → mount Express routes at /api/v1/vault
+ *   stop()              → teardown (optional cleanup)
+ *
+ * The host (MeyiConnect) calls these from pluginService.mjs.
+ * Auth is handled by the host's verifyToken middleware — this
+ * package does NOT ship its own auth.
+ *
+ * Environment variables:
+ *   DATABASE_URL      — PostgreSQL connection string (from host)
+ *   VAULT_DB_SCHEMA   — override schema name (default: 'meyiconnect')
+ *   VAULT_MOUNT_PATH  — override mount path   (default: '/api/v1/vault')
+ */
+
+import { Router } from 'express'
+import { Pool } from 'pg'
+import { drizzle } from 'drizzle-orm/node-postgres'
+import { runMigrations } from './database/migrate.mjs'
+import { createVaultsRouter } from './routes/vaults.mjs'
+import { createGroupsRouter } from './routes/groups.mjs'
+import { createEntriesRouter } from './routes/entries.mjs'
+import { createGrantsRouter } from './routes/grants.mjs'
+import { createStatsRouter } from './routes/stats.mjs'
+import { createAuditRouter } from './routes/audit.mjs'
+import * as schema from './database/schema.mjs'
+
+const SCHEMA = process.env.VAULT_DB_SCHEMA || 'meyiconnect'
+const MOUNT  = process.env.VAULT_MOUNT_PATH || '/api/v1/vault'
+
+// Module-level singletons — pool lives for the process lifetime
+let _pool = null
+let _db   = null
+let _mounted = false
+
+function getPool() {
+  if (!_pool) {
+    if (!process.env.DATABASE_URL) {
+      throw new Error('[vault-server] DATABASE_URL is not set')
+    }
+    _pool = new Pool({
+      connectionString: process.env.DATABASE_URL,
+      max: 10,
+      idleTimeoutMillis: 30_000,
+    })
+    _pool.on('error', (err) => {
+      console.error('[vault-server] Pool error:', err.message)
+    })
+  }
+  return _pool
+}
+
+function getDb() {
+  if (!_db) {
+    _db = drizzle(getPool(), { schema })
+  }
+  return _db
+}
+
+// ── Plugin lifecycle ──────────────────────────────────────────────────────────
+
+/**
+ * install() — idempotent table creation.
+ * Safe to run on every app start; uses CREATE TABLE IF NOT EXISTS.
+ */
+export async function install() {
+  console.log('[vault-server] install() — running migrations...')
+  await runMigrations(getPool(), SCHEMA)
+}
+
+/**
+ * start(app, config, hostDb) — mount all vault routes.
+ *
+ * @param {import('express').Application} app       — Express app from host
+ * @param {object}  config   — plugin config row from DB (unused, reserved)
+ * @param {object}  hostDb   — host's Drizzle instance (not used; we use own pool)
+ * @param {Function} verifyToken — host's auth middleware (injected by host)
+ */
+export async function start(app, config = {}, hostDb = null, verifyToken) {
+  if (_mounted) {
+    console.log('[vault-server] Already mounted, skipping')
+    return
+  }
+
+  const db = getDb()
+  const router = Router()
+
+  // Vault CRUD
+  router.use('/vaults', createVaultsRouter(db))
+
+  // Group CRUD (nested under vault param)
+  router.use('/vaults/:vaultId/groups', createGroupsRouter(db))
+
+  // Entry CRUD (nested under group param)
+  router.use('/groups/:groupId/entries', createEntriesRouter(db))
+
+  // Access grants
+  router.use('/grants', createGrantsRouter(db))
+
+  // Dashboard stats widget
+  router.use('/stats', createStatsRouter(db))
+
+  // Audit logs
+  router.use('/audit', createAuditRouter(db))
+
+  // Mount on Express app
+  // verifyToken is injected by the host so we don't couple to its internals
+  if (verifyToken) {
+    app.use(MOUNT, verifyToken, router)
+  } else {
+    // Fallback: mount without auth (host should protect at a higher level)
+    console.warn('[vault-server] ⚠️  No verifyToken provided — routes are unprotected!')
+    app.use(MOUNT, router)
+  }
+
+  _mounted = true
+  console.log(`[vault-server] ✅ Mounted at ${MOUNT}`)
+}
+
+/**
+ * stop() — graceful teardown on plugin disable / app shutdown.
+ */
+export async function stop() {
+  if (_pool) {
+    await _pool.end()
+    _pool = null
+    _db   = null
+  }
+  _mounted = false
+  console.log('[vault-server] stopped')
+}
+
+// Named export for direct use outside MeyiConnect
+export { schema as vaultSchema }
+export { encrypt, decrypt, generateVaultKey } from './utils/crypto.mjs'

package/src/routes/audit.mjs

@@ -0,0 +1,75 @@
+import { Router } from 'express'
+import { eq, and, ilike, or, desc, sql, count } from 'drizzle-orm'
+import { vaultAuditLogs } from '../database/schema.mjs'
+
+export function createAuditRouter(db) {
+  const router = Router()
+
+  /**
+   * GET /audit
+   */
+  router.get('/', async (req, res) => {
+    try {
+      const page   = Math.max(1, parseInt(req.query.page)  || 1)
+      const limit  = Math.min(100, parseInt(req.query.limit) || 25)
+      const offset = (page - 1) * limit
+
+      const conditions = []
+
+      if (req.query.module) {
+        conditions.push(eq(vaultAuditLogs.module, req.query.module))
+      }
+      if (req.query.action) {
+        conditions.push(eq(vaultAuditLogs.action, req.query.action))
+      }
+      if (req.query.actor_id) {
+        conditions.push(eq(vaultAuditLogs.actor_id, req.query.actor_id))
+      }
+      if (req.query.search) {
+        const pattern = `%${req.query.search}%`
+        conditions.push(
+          or(
+            ilike(vaultAuditLogs.actor_name, pattern),
+            ilike(vaultAuditLogs.actor_email, pattern),
+            ilike(vaultAuditLogs.item_label, pattern)
+          )
+        )
+      }
+
+      const where = conditions.length > 0 ? and(...conditions) : undefined
+
+      // Get total count
+      const [countRes] = await db
+        .select({ total: count() })
+        .from(vaultAuditLogs)
+        .where(where)
+      
+      const total = countRes.total
+
+      // Get logs
+      const logs = await db
+        .select()
+        .from(vaultAuditLogs)
+        .where(where)
+        .orderBy(desc(vaultAuditLogs.created_at))
+        .limit(limit)
+        .offset(offset)
+
+      res.json({
+        logs: logs.map(l => ({
+          ...l,
+          meta: l.meta ? JSON.parse(l.meta) : null
+        })),
+        total,
+        page,
+        limit,
+        total_pages: Math.max(1, Math.ceil(total / limit))
+      })
+    } catch (err) {
+      console.error('[vault] GET /audit ERROR:', err)
+      res.status(500).json({ error: 'Failed to fetch audit logs', details: err.message })
+    }
+  })
+
+  return router
+}

package/src/routes/domains.mjs

@@ -0,0 +1,80 @@
+import { Router } from 'express'
+import { eq, and, isNull, sql } from 'drizzle-orm'
+import { vaultDomains, vaultEntries } from '../database/schema.mjs'
+
+export function createDomainsRouter(db) {
+  const router = Router({ mergeParams: true })
+
+  // GET /vaults/:vaultId/domains
+  router.get('/', async (req, res) => {
+    try {
+      const domains = await db.select().from(vaultDomains)
+        .where(eq(vaultDomains.vault_id, req.params.vaultId))
+
+      // Entry counts per domain
+      const withCounts = await Promise.all(domains.map(async (d) => {
+        const [{ count }] = await db
+          .select({ count: sql`count(*)::int` })
+          .from(vaultEntries)
+          .where(and(eq(vaultEntries.domain_id, d.id), isNull(vaultEntries.deleted_at)))
+        return { ...d, entry_count: count ?? 0 }
+      }))
+
+      res.json({ domains: withCounts })
+    } catch (err) {
+      res.status(500).json({ error: 'Failed to fetch domains' })
+    }
+  })
+
+  // POST /vaults/:vaultId/domains
+  router.post('/', async (req, res) => {
+    try {
+      const { name, domain } = req.body
+      if (!name || !domain) return res.status(400).json({ error: 'name and domain required' })
+      const [domainRecord] = await db.insert(vaultDomains).values({
+        vault_id: req.params.vaultId,
+        name: name.trim(),
+        domain: domain.trim().toLowerCase(),
+      }).returning()
+      res.status(201).json({ domain: { ...domainRecord, entry_count: 0 } })
+    } catch (err) {
+      if (err.code === '23505') {
+        return res.status(409).json({ error: 'This domain already exists in the vault' })
+      }
+      res.status(500).json({ error: 'Failed to create domain group' })
+    }
+  })
+
+  // PUT /vaults/:vaultId/domains/:id
+  router.put('/:id', async (req, res) => {
+    try {
+      const updates = {}
+      if (req.body.name) updates.name = req.body.name.trim()
+      if (req.body.domain) updates.domain = req.body.domain.trim().toLowerCase()
+      if (!Object.keys(updates).length) return res.status(400).json({ error: 'Nothing to update' })
+
+      const [domainRecord] = await db.update(vaultDomains).set(updates)
+        .where(and(eq(vaultDomains.id, req.params.id), eq(vaultDomains.vault_id, req.params.vaultId)))
+        .returning()
+
+      if (!domainRecord) return res.status(404).json({ error: 'Domain not found' })
+      res.json({ domain: domainRecord })
+    } catch (err) {
+      res.status(500).json({ error: 'Failed to update domain' })
+    }
+  })
+
+  // DELETE /vaults/:vaultId/domains/:id
+  router.delete('/:id', async (req, res) => {
+    try {
+      await db.delete(vaultDomains).where(
+        and(eq(vaultDomains.id, req.params.id), eq(vaultDomains.vault_id, req.params.vaultId))
+      )
+      res.json({ ok: true })
+    } catch (err) {
+      res.status(500).json({ error: 'Failed to delete domain' })
+    }
+  })
+
+  return router
+}