@dollhousemcp/mcp-server
Version:
DollhouseMCP - A Model Context Protocol (MCP) server that enables dynamic AI persona management from markdown files, allowing Claude and other compatible AI assistants to activate and switch between different behavioral personas.
158 lines • 5.07 kB
TypeScript
/**
* Pattern Encryption Service for Memory Security
*
* Part of Issue #1321 Phase 2: Memory Security Architecture
*
* PURPOSE:
* Encrypts dangerous patterns extracted from FLAGGED memories using AES-256-GCM.
* Ensures patterns are never stored in plain text while remaining accessible
* for authorized security research outside LLM contexts.
*
* ARCHITECTURE:
* - Uses AES-256-GCM for authenticated encryption
* - Derives keys from DOLLHOUSE_ENCRYPTION_SECRET via PBKDF2
* - Generates unique IV for each encryption operation
* - Provides GCM authentication tags for integrity verification
*
* SECURITY:
* - Patterns encrypted at rest
* - Decryption only outside LLM context
* - All decryption attempts logged
* - Key rotation supported
*
* REFACTOR NOTE:
* Converted from static class to instance-based for DI architecture compatibility.
*
* @module PatternEncryptor
*/
/**
* Encrypted pattern structure
* Contains ciphertext, algorithm metadata, and authentication data
*/
export interface EncryptedPattern {
/** Base64-encoded encrypted data */
encryptedData: string;
/** Encryption algorithm (always 'aes-256-gcm') */
algorithm: 'aes-256-gcm';
/** Base64-encoded initialization vector */
iv: string;
/** Base64-encoded GCM authentication tag for integrity */
authTag: string;
}
/**
* Configuration for pattern encryption
*/
export interface EncryptionConfig {
/** Enable encryption (default: true in production) */
enabled: boolean;
/** Encryption secret (from environment) */
secret?: string;
/** PBKDF2 iterations (default: 100000) */
iterations: number;
/** Salt for key derivation (default: 'dollhouse-pattern-encryption-v1') */
salt: string;
}
/**
* PatternEncryptor service
*
* Handles encryption and decryption of dangerous patterns using AES-256-GCM.
* Provides authenticated encryption with integrity protection via GCM mode.
*
* DI-COMPATIBLE: Instance-based service for dependency injection.
*/
export declare class PatternEncryptor {
private readonly ALGORITHM;
private readonly KEY_LENGTH;
private readonly IV_LENGTH;
private readonly AUTH_TAG_LENGTH;
private config;
private encryptionKey?;
private isInitialized;
/**
* Create a new PatternEncryptor instance
*
* @param config - Optional configuration overrides
*/
constructor(config?: Partial<EncryptionConfig>);
/**
* Initialize encryption with configuration
*
* @param config - Optional configuration overrides
* @throws Error if encryption secret is not provided when enabled
*/
initialize(config?: Partial<EncryptionConfig>): Promise<void>;
/**
* Encrypt a pattern using AES-256-GCM
*
* @param pattern - Plain text pattern to encrypt
* @returns Encrypted pattern with metadata
* @throws Error if encryption not initialized or pattern is empty
*/
encrypt(pattern: string): EncryptedPattern;
/**
* Decrypt an encrypted pattern
*
* @param encrypted - Encrypted pattern structure
* @returns Decrypted plain text pattern
* @throws Error if decryption fails or authentication fails
*/
decrypt(encrypted: EncryptedPattern): string;
/**
* Derive encryption key from secret using PBKDF2
*
* @param secret - Master secret from environment
* @param salt - Salt for key derivation
* @param iterations - Number of PBKDF2 iterations
* @returns Derived encryption key
*/
private deriveKey;
/**
* Check if encryption is enabled
*
* @returns true if encryption is enabled and initialized
*/
isEnabled(): boolean;
/**
* Get encryption configuration status
*
* @returns Configuration status (without exposing secrets)
*/
getStatus(): {
enabled: boolean;
initialized: boolean;
algorithm: string;
keyLength: number;
iterations: number;
hasSecret: boolean;
};
/**
* Securely clear encryption key from memory
* SECURITY FIX: Overwrites key buffer with zeros before releasing
*
* This prevents key recovery from memory dumps or process inspection.
* Should be called when encryption is no longer needed.
*/
private secureKeyClear;
/**
* Reset the encryptor (useful for testing)
* SECURITY FIX: Now performs secure key clearing
* WARNING: This will securely clear the encryption key from memory
*/
reset(): void;
/**
* Securely reset the encryptor and clear all sensitive data
* SECURITY: Explicitly clears encryption keys from memory
*
* Use this when:
* - Shutting down the application
* - Rotating encryption keys
* - Responding to security incidents
*/
secureReset(): void;
/**
* Dispose of the encryptor and securely clear all data
* Implements cleanup for proper DI lifecycle management
*/
dispose(): Promise<void>;
}
//# sourceMappingURL=PatternEncryptor.d.ts.map