{"version":3,"sources":["../src/encryption.ts"],"sourcesContent":["import { createCipheriv, createDecipheriv, randomBytes, scrypt } from 'node:crypto';\nimport { promisify } from 'node:util';\n\nconst scryptAsync = promisify(scrypt);\n\nexport type EncryptionKey = {\n id: string;\n key: Buffer;\n createdAt: Date;\n expiresAt?: Date;\n isActive: boolean;\n};\n\nexport type EnvelopeEncryptionConfig = {\n masterKey: string;\n keyRotationDays: number;\n keySize: number;\n algorithm: string;\n};\n\nexport class AdvancedEncryptionManager {\n private readonly keys: Map = new Map();\n private currentKeyId: string;\n\n constructor(private readonly config: EnvelopeEncryptionConfig) {\n this.currentKeyId = this.generateKeyId();\n void this.initializeKeys();\n }\n\n private async initializeKeys(): Promise {\n // Create initial data encryption key\n const key = await this.deriveKey(this.config.masterKey, this.currentKeyId);\n this.keys.set(this.currentKeyId, {\n id: this.currentKeyId,\n key,\n createdAt: new Date(),\n isActive: true,\n });\n }\n\n private generateKeyId(): string {\n return `key_${Date.now()}_${randomBytes(4).toString('hex')}`;\n }\n\n private async deriveKey(masterKey: string, salt: string): Promise {\n const key = await scryptAsync(masterKey, salt, this.config.keySize);\n return key as Buffer;\n }\n\n encrypt(plaintext: string): Promise<{\n ciphertext: string;\n keyId: string;\n iv: string;\n }> {\n const currentKey = this.keys.get(this.currentKeyId);\n if (!currentKey) {\n throw new Error('No active encryption key available');\n }\n\n const iv = randomBytes(16);\n const cipher = createCipheriv(this.config.algorithm, currentKey.key, iv);\n\n let encrypted = cipher.update(plaintext, 'utf8', 'hex');\n encrypted += cipher.final('hex');\n\n return Promise.resolve({\n ciphertext: encrypted,\n keyId: this.currentKeyId,\n iv: iv.toString('hex'),\n });\n }\n\n decrypt(ciphertext: string, keyId: string, iv: string): Promise {\n const key = this.keys.get(keyId);\n if (!key) {\n return Promise.reject(new Error(`Encryption key ${keyId} not found`));\n }\n\n const decipher = createDecipheriv(this.config.algorithm, key.key, Buffer.from(iv, 'hex'));\n\n let decrypted = decipher.update(ciphertext, 'hex', 'utf8');\n decrypted += decipher.final('utf8');\n\n return Promise.resolve(decrypted);\n }\n\n async rotateKey(): Promise {\n // Create new key\n const newKeyId = this.generateKeyId();\n const newKey = await this.deriveKey(this.config.masterKey, newKeyId);\n\n this.keys.set(newKeyId, {\n id: newKeyId,\n key: newKey,\n createdAt: new Date(),\n isActive: true,\n });\n\n // Mark old key as inactive but keep for decryption\n const oldKey = this.keys.get(this.currentKeyId);\n if (oldKey) {\n oldKey.isActive = false;\n }\n\n this.currentKeyId = newKeyId;\n return newKeyId;\n }\n\n shouldRotateKey(): Promise {\n const currentKey = this.keys.get(this.currentKeyId);\n if (!currentKey) {\n return Promise.resolve(true);\n }\n\n const ageInDays = (Date.now() - currentKey.createdAt.getTime()) / (1000 * 60 * 60 * 24);\n return Promise.resolve(ageInDays >= this.config.keyRotationDays);\n }\n\n getActiveKeyId(): string {\n return this.currentKeyId;\n }\n\n getKeyInfo(keyId: string): EncryptionKey | undefined {\n return this.keys.get(keyId);\n }\n\n listKeys(): EncryptionKey[] {\n return Array.from(this.keys.values());\n }\n\n cleanupExpiredKeys(): Promise {\n const now = Date.now();\n for (const [keyId, key] of this.keys) {\n if (key.expiresAt && key.expiresAt.getTime() < now && !key.isActive) {\n this.keys.delete(keyId);\n }\n }\n return Promise.resolve();\n }\n}\n\nexport class BackupManager {\n constructor(\n _storagePath: string,\n private readonly retentionDays = 30\n ) {}\n\n createBackup(data: unknown): Promise {\n const timestamp = new Date().toISOString().replace(/[:.]/g, '-');\n const backupId = `backup_${timestamp}`;\n\n // In a real implementation, this would:\n // 1. Serialize the data\n // 2. Encrypt it\n // 3. Store it in the configured storage backend\n // 4. Create metadata about the backup\n\n console.info(`Creating backup ${backupId} with ${JSON.stringify(data).length} bytes of data`);\n return Promise.resolve(backupId);\n }\n\n restoreFromBackup(backupId: string): Promise {\n // In a real implementation, this would:\n // 1. Locate the backup\n // 2. Decrypt it\n // 3. Deserialize and return the data\n\n console.info(`Restoring from backup ${backupId}`);\n return Promise.reject(new Error('Backup restoration not yet implemented'));\n }\n\n listBackups(): Promise {\n // Return list of available backup IDs\n return Promise.resolve([]);\n }\n\n cleanupOldBackups(): Promise {\n const cutoffDate = new Date();\n cutoffDate.setDate(cutoffDate.getDate() - this.retentionDays);\n\n console.info(`Cleaning up backups older than ${cutoffDate.toISOString()}`);\n // In a real implementation, this would delete old backups\n return Promise.resolve();\n }\n}\n"],"mappings":";;;;;AAAA,SAAS,gBAAgB,kBAAkB,aAAa,cAAc;AACtE,SAAS,iBAAiB;AAE1B,IAAM,cAAc,UAAU,MAAM;AAiB7B,IAAM,4BAAN,MAAgC;AAAA,EAIrC,YAA6B,QAAkC;AAAlC;AAH7B,wBAAiB,QAAmC,oBAAI,IAAI;AAC5D,wBAAQ;AAGN,SAAK,eAAe,KAAK,cAAc;AACvC,SAAK,KAAK,eAAe;AAAA,EAC3B;AAAA,EAEA,MAAc,iBAAgC;AAE5C,UAAM,MAAM,MAAM,KAAK,UAAU,KAAK,OAAO,WAAW,KAAK,YAAY;AACzE,SAAK,KAAK,IAAI,KAAK,cAAc;AAAA,MAC/B,IAAI,KAAK;AAAA,MACT;AAAA,MACA,WAAW,oBAAI,KAAK;AAAA,MACpB,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAAA,EAEQ,gBAAwB;AAC9B,WAAO,OAAO,KAAK,IAAI,CAAC,IAAI,YAAY,CAAC,EAAE,SAAS,KAAK,CAAC;AAAA,EAC5D;AAAA,EAEA,MAAc,UAAU,WAAmB,MAA+B;AACxE,UAAM,MAAM,MAAM,YAAY,WAAW,MAAM,KAAK,OAAO,OAAO;AAClE,WAAO;AAAA,EACT;AAAA,EAEA,QAAQ,WAIL;AACD,UAAM,aAAa,KAAK,KAAK,IAAI,KAAK,YAAY;AAClD,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,MAAM,oCAAoC;AAAA,IACtD;AAEA,UAAM,KAAK,YAAY,EAAE;AACzB,UAAM,SAAS,eAAe,KAAK,OAAO,WAAW,WAAW,KAAK,EAAE;AAEvE,QAAI,YAAY,OAAO,OAAO,WAAW,QAAQ,KAAK;AACtD,iBAAa,OAAO,MAAM,KAAK;AAE/B,WAAO,QAAQ,QAAQ;AAAA,MACrB,YAAY;AAAA,MACZ,OAAO,KAAK;AAAA,MACZ,IAAI,GAAG,SAAS,KAAK;AAAA,IACvB,CAAC;AAAA,EACH;AAAA,EAEA,QAAQ,YAAoB,OAAe,IAA6B;AACtE,UAAM,MAAM,KAAK,KAAK,IAAI,KAAK;AAC/B,QAAI,CAAC,KAAK;AACR,aAAO,QAAQ,OAAO,IAAI,MAAM,kBAAkB,KAAK,YAAY,CAAC;AAAA,IACtE;AAEA,UAAM,WAAW,iBAAiB,KAAK,OAAO,WAAW,IAAI,KAAK,OAAO,KAAK,IAAI,KAAK,CAAC;AAExF,QAAI,YAAY,SAAS,OAAO,YAAY,OAAO,MAAM;AACzD,iBAAa,SAAS,MAAM,MAAM;AAElC,WAAO,QAAQ,QAAQ,SAAS;AAAA,EAClC;AAAA,EAEA,MAAM,YAA6B;AAEjC,UAAM,WAAW,KAAK,cAAc;AACpC,UAAM,SAAS,MAAM,KAAK,UAAU,KAAK,OAAO,WAAW,QAAQ;AAEnE,SAAK,KAAK,IAAI,UAAU;AAAA,MACtB,IAAI;AAAA,MACJ,KAAK;AAAA,MACL,WAAW,oBAAI,KAAK;AAAA,MACpB,UAAU;AAAA,IACZ,CAAC;AAGD,UAAM,SAAS,KAAK,KAAK,IAAI,KAAK,YAAY;AAC9C,QAAI,QAAQ;AACV,aAAO,WAAW;AAAA,IACpB;AAEA,SAAK,eAAe;AACpB,WAAO;AAAA,EACT;AAAA,EAEA,kBAAoC;AAClC,UAAM,aAAa,KAAK,KAAK,IAAI,KAAK,YAAY;AAClD,QAAI,CAAC,YAAY;AACf,aAAO,QAAQ,QAAQ,IAAI;AAAA,IAC7B;AAEA,UAAM,aAAa,KAAK,IAAI,IAAI,WAAW,UAAU,QAAQ,MAAM,MAAO,KAAK,KAAK;AACpF,WAAO,QAAQ,QAAQ,aAAa,KAAK,OAAO,eAAe;AAAA,EACjE;AAAA,EAEA,iBAAyB;AACvB,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,WAAW,OAA0C;AACnD,WAAO,KAAK,KAAK,IAAI,KAAK;AAAA,EAC5B;AAAA,EAEA,WAA4B;AAC1B,WAAO,MAAM,KAAK,KAAK,KAAK,OAAO,CAAC;AAAA,EACtC;AAAA,EAEA,qBAAoC;AAClC,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,OAAO,GAAG,KAAK,KAAK,MAAM;AACpC,UAAI,IAAI,aAAa,IAAI,UAAU,QAAQ,IAAI,OAAO,CAAC,IAAI,UAAU;AACnE,aAAK,KAAK,OAAO,KAAK;AAAA,MACxB;AAAA,IACF;AACA,WAAO,QAAQ,QAAQ;AAAA,EACzB;AACF;AAEO,IAAM,gBAAN,MAAoB;AAAA,EACzB,YACE,cACiB,gBAAgB,IACjC;AADiB;AAAA,EAChB;AAAA,EAEH,aAAa,MAAgC;AAC3C,UAAM,aAAY,oBAAI,KAAK,GAAE,YAAY,EAAE,QAAQ,SAAS,GAAG;AAC/D,UAAM,WAAW,UAAU,SAAS;AAQpC,YAAQ,KAAK,mBAAmB,QAAQ,SAAS,KAAK,UAAU,IAAI,EAAE,MAAM,gBAAgB;AAC5F,WAAO,QAAQ,QAAQ,QAAQ;AAAA,EACjC;AAAA,EAEA,kBAAkB,UAAoC;AAMpD,YAAQ,KAAK,yBAAyB,QAAQ,EAAE;AAChD,WAAO,QAAQ,OAAO,IAAI,MAAM,wCAAwC,CAAC;AAAA,EAC3E;AAAA,EAEA,cAAiC;AAE/B,WAAO,QAAQ,QAAQ,CAAC,CAAC;AAAA,EAC3B;AAAA,EAEA,oBAAmC;AACjC,UAAM,aAAa,oBAAI,KAAK;AAC5B,eAAW,QAAQ,WAAW,QAAQ,IAAI,KAAK,aAAa;AAE5D,YAAQ,KAAK,kCAAkC,WAAW,YAAY,CAAC,EAAE;AAEzE,WAAO,QAAQ,QAAQ;AAAA,EACzB;AACF;","names":[]}