Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions package.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "@socioprophet/hellgraph",
"version": "0.4.3",
"description": "HellGraph \u2014 TypeScript OpenCog-compatible AtomSpace metagraph engine (PLN, ECAN, pattern matcher, SPARQL/Gremlin, SHACL, Atomese, StorageNode federation). Polyglot sibling of the Rust hellgraph crate.",
"version": "0.4.5",
"description": "HellGraph TypeScript OpenCog-compatible AtomSpace metagraph engine (PLN, ECAN, pattern matcher, SPARQL/Gremlin, SHACL, Atomese, StorageNode federation). Polyglot sibling of the Rust hellgraph crate.",
"license": "UNLICENSED",
"type": "commonjs",
"main": "ts/dist/index.js",
Expand Down
Binary file modified ts/dist/index.js
Binary file not shown.
Binary file modified ts/dist/index.mjs
Binary file not shown.
10 changes: 8 additions & 2 deletions ts/src/masking.ts
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
* KeyProvider is injected; the default is a passphrase-derived static key for local/test use.
*/

import { createCipheriv, createDecipheriv, createHash, randomBytes } from 'node:crypto'
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto'
import type { HellGraphStore } from './store.js'

// ─── Key custody (injected; production model is an open decision) ────────────────────
Expand All @@ -23,7 +23,13 @@ export interface KeyProvider { getKey(keyId?: string): Buffer }
export class StaticKeyProvider implements KeyProvider {
private constructor(private readonly key: Buffer) {}
static fromPassphrase(passphrase: string): StaticKeyProvider {
return new StaticKeyProvider(createHash('sha256').update(passphrase, 'utf8').digest())
// Derive the AES-256 key with a memory-hard KDF (scrypt), not a bare SHA-256
// (js/insufficient-password-hash) — a weak passphrase is then far costlier to
// brute-force. Deterministic (fixed domain salt) so the same passphrase
// reproduces the key for reversible masking. NOTE: this changes the derived
// key vs the prior SHA-256 derivation — data masked under the old scheme must
// be re-masked.
return new StaticKeyProvider(scryptSync(passphrase, 'hellgraph.masking.kdf.v1', 32))
}
getKey(): Buffer { return this.key }
}
Expand Down
Loading
Loading