aidp 0.33.0 → 0.34.0

data/lib/aidp/security/secrets_registry.rb

@@ -0,0 +1,227 @@
+# frozen_string_literal: true
+
+require "json"
+require "fileutils"
+require "securerandom"
+require "time"
+
+module Aidp
+  module Security
+    # Registry for user-declared secrets that should be proxied
+    # Secrets are registered by name, with the actual value stored securely
+    # and never exposed directly to agents.
+    #
+    # Storage: .aidp/security/secrets_registry.json
+    # Format: { "SECRET_NAME": { "env_var": "ACTUAL_ENV_VAR", "registered_at": timestamp } }
+    #
+    # The registry only stores metadata - actual secret values come from environment
+    # variables at runtime. This ensures secrets are never persisted to disk.
+    class SecretsRegistry
+      REGISTRY_FILENAME = "secrets_registry.json"
+
+      attr_reader :project_dir
+
+      def initialize(project_dir: Dir.pwd)
+        @project_dir = project_dir
+        @cache = nil
+        @cache_mtime = nil
+        @mutex = Mutex.new
+      end
+
+      # Register a secret by name
+      # @param name [String] The name to reference this secret by
+      # @param env_var [String] The environment variable containing the secret
+      # @param description [String] Optional description of what this secret is for
+      # @param scopes [Array<String>] Optional list of allowed operations for this secret
+      # @return [Hash] Registration details
+      def register(name:, env_var:, description: nil, scopes: [])
+        @mutex.synchronize do
+          registry = load_registry
+
+          # Validate the environment variable exists (but don't store the value)
+          unless ENV.key?(env_var)
+            Aidp.log_warn("security.registry", "env_var_not_found",
+              name: name,
+              env_var: env_var)
+          end
+
+          registration = {
+            env_var: env_var,
+            description: description,
+            scopes: scopes,
+            registered_at: Time.now.iso8601,
+            id: SecureRandom.hex(8)
+          }
+
+          registry[name] = registration
+          save_registry(registry)
+
+          Aidp.log_info("security.registry", "secret_registered",
+            name: name,
+            env_var: env_var,
+            scopes: scopes)
+
+          registration.merge(name: name)
+        end
+      end
+
+      # Unregister a secret
+      # @param name [String] The secret name to remove
+      # @return [Boolean] true if removed, false if not found
+      def unregister(name:)
+        @mutex.synchronize do
+          registry = load_registry
+
+          key = registry.key?(name.to_sym) ? name.to_sym : name.to_s
+          unless registry.key?(key)
+            Aidp.log_warn("security.registry", "secret_not_found_for_unregister",
+              name: name)
+            return false
+          end
+
+          registry.delete(key)
+          save_registry(registry)
+
+          Aidp.log_info("security.registry", "secret_unregistered", name: name)
+          true
+        end
+      end
+
+      # Check if a secret is registered
+      # @param name [String] The secret name
+      # @return [Boolean]
+      def registered?(name)
+        @mutex.synchronize do
+          registry = load_registry
+          registry.key?(name.to_sym) || registry.key?(name.to_s)
+        end
+      end
+
+      # Get registration details for a secret (without the actual value)
+      # @param name [String] The secret name
+      # @return [Hash, nil] Registration details or nil if not found
+      def get(name)
+        @mutex.synchronize do
+          registry = load_registry
+          entry = registry[name.to_sym] || registry[name.to_s]
+          return nil unless entry
+
+          entry.merge(name: name)
+        end
+      end
+
+      # Get the environment variable name for a secret
+      # @param name [String] The secret name
+      # @return [String, nil] The env var name or nil if not registered
+      def env_var_for(name)
+        entry = get(name)
+        entry&.dig(:env_var) || entry&.dig("env_var")
+      end
+
+      # List all registered secrets (names and metadata only, never values)
+      # @return [Array<Hash>] List of registered secrets with metadata
+      def list
+        @mutex.synchronize do
+          registry = load_registry
+          registry.map do |name, details|
+            {
+              name: name,
+              env_var: details[:env_var] || details["env_var"],
+              description: details[:description] || details["description"],
+              scopes: details[:scopes] || details["scopes"] || [],
+              registered_at: details[:registered_at] || details["registered_at"],
+              has_value: ENV.key?(details[:env_var] || details["env_var"])
+            }
+          end
+        end
+      end
+
+      # Get list of environment variables that should be stripped from agent environment
+      # @return [Array<String>] List of env var names to remove
+      def env_vars_to_strip
+        @mutex.synchronize do
+          registry = load_registry
+          registry.values.map { |entry| entry[:env_var] || entry["env_var"] }.compact.uniq
+        end
+      end
+
+      # Check if an environment variable is registered as a secret
+      # @param env_var [String] The environment variable name
+      # @return [Boolean]
+      def env_var_registered?(env_var)
+        @mutex.synchronize do
+          registry = load_registry
+          registry.values.any? { |entry| (entry[:env_var] || entry["env_var"]) == env_var }
+        end
+      end
+
+      # Get the secret name for an environment variable
+      # @param env_var [String] The environment variable name
+      # @return [String, nil] The secret name or nil if not found
+      def name_for_env_var(env_var)
+        @mutex.synchronize do
+          registry = load_registry
+          registry.find { |_name, entry| (entry[:env_var] || entry["env_var"]) == env_var }&.first
+        end
+      end
+
+      # Clear the in-memory cache (forces reload on next access)
+      def clear_cache!
+        @mutex.synchronize do
+          @cache = nil
+          @cache_mtime = nil
+        end
+      end
+
+      private
+
+      def registry_path
+        File.join(@project_dir, ".aidp", "security", REGISTRY_FILENAME)
+      end
+
+      def ensure_security_dir
+        dir = File.dirname(registry_path)
+        FileUtils.mkdir_p(dir) unless Dir.exist?(dir)
+      end
+
+      def load_registry
+        # Check if cache is still valid based on file mtime
+        return @cache if cache_valid?
+
+        if File.exist?(registry_path)
+          content = File.read(registry_path)
+          @cache = JSON.parse(content, symbolize_names: true)
+          @cache_mtime = File.mtime(registry_path)
+          Aidp.log_debug("security.registry", "cache_loaded", path: registry_path)
+        else
+          @cache = {}
+          @cache_mtime = nil
+        end
+
+        @cache
+      rescue JSON::ParserError => e
+        Aidp.log_error("security.registry", "failed_to_parse_registry",
+          error: e.message,
+          path: registry_path)
+        @cache = {}
+        @cache_mtime = nil
+        @cache
+      end
+
+      def cache_valid?
+        return false unless @cache
+        return true unless File.exist?(registry_path)
+
+        current_mtime = File.mtime(registry_path)
+        @cache_mtime && current_mtime == @cache_mtime
+      end
+
+      def save_registry(registry)
+        ensure_security_dir
+        File.write(registry_path, JSON.pretty_generate(registry))
+        @cache = registry
+        @cache_mtime = File.mtime(registry_path)
+      end
+    end
+  end
+end

data/lib/aidp/security/trifecta_state.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+
+module Aidp
+  module Security
+    # Tracks the three security flags that form the "lethal trifecta"
+    # Per Rule of Two: never enable all three simultaneously
+    #
+    # Flags:
+    # - untrusted_input: Processing content from untrusted sources (issues, PRs, external data)
+    # - private_data: Access to secrets, credentials, or sensitive data
+    # - egress: Ability to communicate externally (git push, API calls, network access)
+    #
+    # State is tracked per work unit and resets between units.
+    class TrifectaState
+      attr_reader :untrusted_input, :private_data, :egress, :work_unit_id
+
+      # Track sources for audit logging
+      attr_reader :untrusted_input_source, :private_data_source, :egress_source
+
+      def initialize(work_unit_id: nil)
+        @work_unit_id = work_unit_id || SecureRandom.hex(8)
+        @untrusted_input = false
+        @private_data = false
+        @egress = false
+        @untrusted_input_source = nil
+        @private_data_source = nil
+        @egress_source = nil
+        @frozen = false
+      end
+
+      # Check if enabling a flag would create the lethal trifecta
+      # @param flag [Symbol] :untrusted_input, :private_data, or :egress
+      # @return [Boolean] true if enabling would create lethal trifecta
+      def would_create_trifecta?(flag)
+        case flag
+        when :untrusted_input
+          private_data && egress
+        when :private_data
+          untrusted_input && egress
+        when :egress
+          untrusted_input && private_data
+        else
+          raise ArgumentError, "Unknown trifecta flag: #{flag}"
+        end
+      end
+
+      # Check if the lethal trifecta is currently active
+      # @return [Boolean] true if all three flags are enabled
+      def lethal_trifecta?
+        untrusted_input && private_data && egress
+      end
+
+      # Count of currently enabled flags
+      # @return [Integer] 0, 1, 2, or 3
+      def enabled_count
+        [untrusted_input, private_data, egress].count(true)
+      end
+
+      # Enable a flag with source tracking
+      # @param flag [Symbol] :untrusted_input, :private_data, or :egress
+      # @param source [String] Description of what caused this flag to be enabled
+      # @raise [PolicyViolation] if enabling would create lethal trifecta
+      # @return [TrifectaState] self for chaining
+      def enable(flag, source: nil)
+        raise FrozenStateError, "Cannot modify frozen trifecta state" if @frozen
+
+        if would_create_trifecta?(flag)
+          raise PolicyViolation.new(
+            flag: flag,
+            source: source,
+            current_state: to_h,
+            message: build_violation_message(flag, source)
+          )
+        end
+
+        case flag
+        when :untrusted_input
+          @untrusted_input = true
+          @untrusted_input_source = source
+        when :private_data
+          @private_data = true
+          @private_data_source = source
+        when :egress
+          @egress = true
+          @egress_source = source
+        else
+          raise ArgumentError, "Unknown trifecta flag: #{flag}"
+        end
+
+        log_flag_enabled(flag, source)
+        self
+      end
+
+      # Disable a flag
+      # @param flag [Symbol] :untrusted_input, :private_data, or :egress
+      # @return [TrifectaState] self for chaining
+      def disable(flag)
+        raise FrozenStateError, "Cannot modify frozen trifecta state" if @frozen
+
+        case flag
+        when :untrusted_input
+          @untrusted_input = false
+          @untrusted_input_source = nil
+        when :private_data
+          @private_data = false
+          @private_data_source = nil
+        when :egress
+          @egress = false
+          @egress_source = nil
+        else
+          raise ArgumentError, "Unknown trifecta flag: #{flag}"
+        end
+
+        log_flag_disabled(flag)
+        self
+      end
+
+      # Freeze state - no further modifications allowed
+      # Used when passing state to execution context
+      def freeze!
+        @frozen = true
+        self
+      end
+
+      # Check if state is frozen
+      def frozen?
+        @frozen
+      end
+
+      # Create a copy of this state (unfrozen)
+      def dup
+        new_state = TrifectaState.new(work_unit_id: "#{@work_unit_id}_dup")
+        new_state.instance_variable_set(:@untrusted_input, @untrusted_input)
+        new_state.instance_variable_set(:@private_data, @private_data)
+        new_state.instance_variable_set(:@egress, @egress)
+        new_state.instance_variable_set(:@untrusted_input_source, @untrusted_input_source)
+        new_state.instance_variable_set(:@private_data_source, @private_data_source)
+        new_state.instance_variable_set(:@egress_source, @egress_source)
+        new_state
+      end
+
+      # Export state as hash for logging/serialization
+      def to_h
+        {
+          work_unit_id: @work_unit_id,
+          untrusted_input: @untrusted_input,
+          untrusted_input_source: @untrusted_input_source,
+          private_data: @private_data,
+          private_data_source: @private_data_source,
+          egress: @egress,
+          egress_source: @egress_source,
+          enabled_count: enabled_count,
+          lethal_trifecta: lethal_trifecta?,
+          frozen: @frozen
+        }
+      end
+
+      # Human-readable status string
+      def status_string
+        flags = []
+        flags << "untrusted_input" if untrusted_input
+        flags << "private_data" if private_data
+        flags << "egress" if egress
+
+        if flags.empty?
+          "No flags enabled (safe)"
+        elsif lethal_trifecta?
+          "LETHAL TRIFECTA: #{flags.join(", ")}"
+        else
+          "Enabled: #{flags.join(", ")} (#{enabled_count}/3 - safe)"
+        end
+      end
+
+      private
+
+      def build_violation_message(flag, source)
+        existing_flags = []
+        existing_flags << "untrusted_input (#{@untrusted_input_source || "unknown source"})" if untrusted_input
+        existing_flags << "private_data (#{@private_data_source || "unknown source"})" if private_data
+        existing_flags << "egress (#{@egress_source || "unknown source"})" if egress
+
+        <<~MSG.strip
+          Rule of Two violation: Cannot enable '#{flag}' (#{source || "unknown source"})
+
+          Currently enabled flags:
+          #{existing_flags.map { |f| "  - #{f}" }.join("\n")}
+
+          Enabling '#{flag}' would create the lethal trifecta where an agent has:
+          1. Access to untrusted input (prompt injection vector)
+          2. Access to private data/secrets
+          3. Ability to exfiltrate via external communication
+
+          To proceed, you must either:
+          - Use the Secrets Proxy to isolate credential access
+          - Sanitize untrusted input before processing
+          - Disable external communication for this operation
+        MSG
+      end
+
+      def log_flag_enabled(flag, source)
+        Aidp.log_debug("security.trifecta", "flag_enabled",
+          work_unit_id: @work_unit_id,
+          flag: flag,
+          source: source,
+          enabled_count: enabled_count,
+          state: to_h)
+      end
+
+      def log_flag_disabled(flag)
+        Aidp.log_debug("security.trifecta", "flag_disabled",
+          work_unit_id: @work_unit_id,
+          flag: flag,
+          enabled_count: enabled_count)
+      end
+    end
+
+    # Error raised when attempting to modify frozen state
+    class FrozenStateError < StandardError; end
+  end
+end