@arka-labs/nemesis 1.2.0

package/lib/core/project.js

@@ -0,0 +1,287 @@
+import { mkdirSync, writeFileSync, copyFileSync, existsSync, readdirSync, readFileSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { loadTemplate, mergeTemplate } from './templates.js';
+import { warn } from './logger.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const EMBEDDED_TEMPLATES = join(__dirname, '..', '..', 'templates');
+
+const HCM_SUBDIRS = [
+  'contracts',
+  'odm',
+  'cr',
+  'transactions',
+  'note',
+  'decisions',
+  'interventions',
+  'contributors',
+  'project',
+  'odm-cr-QA',
+];
+
+/**
+ * Init a new project — scaffold .nemesis/HCM/ structure.
+ */
+export function initProject(opts) {
+  const { projectId, projectName, description, root = process.cwd(), pmName, pmId } = opts;
+  const hcmDir = join(root, '.nemesis', 'HCM');
+  const templateDir = join(root, '.nemesis', 'template');
+  const onboardingDir = join(root, '.nemesis', 'onboarding');
+  const claudeDir = join(root, '.nemesis', 'claude');
+  const stateDir = join(root, '.nemesis', 'state');
+
+  // 1. Create HCM subdirectories
+  const created = [];
+  for (const sub of HCM_SUBDIRS) {
+    const dir = join(hcmDir, sub);
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+      created.push(sub);
+    }
+  }
+
+  // 2. Create auxiliary directories
+  for (const dir of [templateDir, onboardingDir, claudeDir, stateDir]) {
+    if (!existsSync(dir)) {
+      mkdirSync(dir, { recursive: true });
+    }
+  }
+
+  // 3. Copy embedded templates to .nemesis/template/ (if not present)
+  if (existsSync(EMBEDDED_TEMPLATES)) {
+    const templateFiles = readdirSync(EMBEDDED_TEMPLATES).filter(f => f.endsWith('.json'));
+    for (const file of templateFiles) {
+      const dest = join(templateDir, file);
+      if (!existsSync(dest)) {
+        copyFileSync(join(EMBEDDED_TEMPLATES, file), dest);
+      }
+    }
+  }
+
+  // 4. Generate CONTEXT_PROJECT
+  const contextData = {
+    project_meta: {
+      project_id: projectId,
+      name: projectName,
+      description: description || '',
+      status: 'ACTIVE',
+      created_at: new Date().toISOString(),
+      created_by: 'PM',
+    },
+  };
+  const contextFile = join(hcmDir, 'project', `CONTEXT_PROJECT_${projectId}.json`);
+  if (!existsSync(contextFile)) {
+    writeFileSync(contextFile, JSON.stringify(contextData, null, 2) + '\n', 'utf-8');
+  }
+
+  // 5. Generate REGISTRY with PM only
+  const registryTemplate = loadTemplate('registry', root);
+  const registry = mergeTemplate(registryTemplate, {
+    registry_meta: {
+      registry_id: `REGISTRY-${projectId}`,
+      project_id: projectId,
+      updated_at: new Date().toISOString(),
+      updated_by: 'nemesis init',
+    },
+    registry_payload: {
+      hierarchy: {
+        pm: {
+          id: pmId || 'pm',
+          name: pmName || 'PM',
+          kind: 'human',
+          role: 'Product Manager',
+          responsibilities: ['validation', 'arbitrage', 'decisions'],
+        },
+        lanes: [],
+      },
+    },
+  });
+  const registryFile = join(hcmDir, 'project', `REGISTRY-${projectId}.json`);
+  if (!existsSync(registryFile)) {
+    writeFileSync(registryFile, JSON.stringify(registry, null, 2) + '\n', 'utf-8');
+  }
+
+  // 6. Generate PROCESS.md
+  const processFile = join(hcmDir, 'PROCESS.md');
+  if (!existsSync(processFile)) {
+    const processContent = `# Process — ${projectName || projectId}
+
+> Projet : ${projectId}
+> Cree le : ${new Date().toISOString().split('T')[0]}
+
+## Workflow
+
+1. PM redige Mission Contract
+2. Architecte/QA redige les OdM
+3. PM valide les OdM
+4. Implementeur execute
+5. Architecte/QA review (CR)
+6. PM valide le CR
+
+## Conventions
+
+- File-first : toute donnee = fichier JSON dans .nemesis/HCM/
+- Les agents deposent dans .nemesis/HCM/, le hook sync vers HCM
+- Le PM utilise nemesis CLI pour piloter
+`;
+    writeFileSync(processFile, processContent, 'utf-8');
+  }
+
+  return { hcmDir, created, projectId };
+}
+
+/**
+ * Store HCM connectivity status in CONTEXT_PROJECT.
+ */
+export function storeHcmStatus(hcmDir, projectId, status) {
+  const contextFile = join(hcmDir, 'project', `CONTEXT_PROJECT_${projectId}.json`);
+  if (!existsSync(contextFile)) return;
+  try {
+    const data = JSON.parse(readFileSync(contextFile, 'utf-8'));
+    data.hcm_status = status;
+    writeFileSync(contextFile, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+  } catch (e) {
+    warn(`project:storeHcmStatus failed for ${projectId}: ${e.message}`);
+  }
+}
+
+/**
+ * Get project status from local files.
+ */
+export function getProjectStatus(hcmDir) {
+  const status = {
+    odms: [],
+    crs: [],
+    decisions: [],
+    contracts: [],
+    team: { pm: null, agents: [] },
+  };
+
+  // Read OdMs
+  const odmDir = join(hcmDir, 'odm');
+  if (existsSync(odmDir)) {
+    status.odms = readdirSync(odmDir)
+      .filter(f => f.endsWith('.json') && !f.startsWith('legacy_'))
+      .map(f => {
+        try {
+          const data = JSON.parse(readFileSync(join(odmDir, f), 'utf-8'));
+          return {
+            id: data.odm_meta?.odm_id || f,
+            title: data.odm_payload?.cadrage?.title || '',
+            status: data.odm_meta?.status || 'UNKNOWN',
+            assignee: data.odm_meta?.assigned_to?.actor_id || '',
+            priority: data.odm_meta?.priority || '',
+          };
+        } catch (e) {
+          warn(`project:malformed OdM ${f}: ${e.message}`);
+          return { id: f, title: '', status: 'ERROR', assignee: '', priority: '' };
+        }
+      });
+  }
+
+  // Read CRs
+  const crDir = join(hcmDir, 'cr');
+  if (existsSync(crDir)) {
+    status.crs = readdirSync(crDir)
+      .filter(f => f.endsWith('.json'))
+      .map(f => {
+        try {
+          const data = JSON.parse(readFileSync(join(crDir, f), 'utf-8'));
+          return {
+            id: data.metadata?.odm_id || f,
+            title: data.title || '',
+            status: data.metadata?.status || 'UNKNOWN',
+            date: data.metadata?.date_execution || '',
+          };
+        } catch (e) {
+          warn(`project:malformed CR ${f}: ${e.message}`);
+          return { id: f, title: '', status: 'ERROR', date: '' };
+        }
+      });
+  }
+
+  // Read decisions
+  const decDir = join(hcmDir, 'decisions');
+  if (existsSync(decDir)) {
+    status.decisions = readdirSync(decDir)
+      .filter(f => f.endsWith('.json'))
+      .map(f => {
+        try {
+          const data = JSON.parse(readFileSync(join(decDir, f), 'utf-8'));
+          return {
+            id: data.decision_meta?.decision_id || f,
+            title: data.decision_payload?.title || '',
+            status: data.decision_meta?.status || '',
+          };
+        } catch (e) {
+          warn(`project:malformed decision ${f}: ${e.message}`);
+          return { id: f, title: '', status: 'ERROR' };
+        }
+      });
+  }
+
+  // Read contracts
+  const contractDir = join(hcmDir, 'contracts');
+  if (existsSync(contractDir)) {
+    status.contracts = readdirSync(contractDir)
+      .filter(f => f.endsWith('.json'))
+      .map(f => {
+        try {
+          const data = JSON.parse(readFileSync(join(contractDir, f), 'utf-8'));
+          return {
+            id: data.contract_meta?.id || f,
+            title: data.contract_payload?.cadrage?.title || '',
+            status: data.contract_meta?.status || '',
+          };
+        } catch (e) {
+          warn(`project:malformed contract ${f}: ${e.message}`);
+          return { id: f, title: '', status: 'ERROR' };
+        }
+      });
+  }
+
+  return status;
+}
+
+/**
+ * Detect the current project from .nemesis/HCM/project/CONTEXT_PROJECT_*.json
+ * Backward-compatible: falls back to .owner/HCM/ if .nemesis/ doesn't exist.
+ */
+export function detectProject(root = process.cwd()) {
+  // Priority 1: .nemesis/HCM/project/
+  let baseDir = '.nemesis';
+  let projectDir = join(root, '.nemesis', 'HCM', 'project');
+
+  // Fallback: .owner/HCM/project/
+  if (!existsSync(projectDir)) {
+    const legacyDir = join(root, '.owner', 'HCM', 'project');
+    if (existsSync(legacyDir)) {
+      baseDir = '.owner';
+      projectDir = legacyDir;
+    } else {
+      return null;
+    }
+  }
+
+  const files = readdirSync(projectDir);
+  const ctxFile = files.find(f => f.startsWith('CONTEXT_PROJECT_') && f.endsWith('.json'));
+  if (!ctxFile) return null;
+
+  try {
+    const data = JSON.parse(readFileSync(join(projectDir, ctxFile), 'utf-8'));
+    return {
+      id: data.project_meta?.project_id || ctxFile.replace('CONTEXT_PROJECT_', '').replace('.json', ''),
+      name: data.project_meta?.name || null,
+      description: data.project_meta?.description || '',
+      status: data.project_meta?.status || 'UNKNOWN',
+      hcm_dir: join(root, baseDir, 'HCM'),
+      hcm_status: data.hcm_status || null,
+      root,
+      legacy: baseDir === '.owner',
+    };
+  } catch (e) {
+    warn(`project:corrupted project context ${ctxFile}: ${e.message}`);
+    return null;
+  }
+}

package/lib/core/registry.js

@@ -0,0 +1,129 @@
+import { readFileSync, writeFileSync, existsSync, readdirSync, renameSync } from 'node:fs';
+import { join } from 'node:path';
+
+/**
+ * Find the registry file for a project.
+ */
+export function findRegistryFile(hcmDir) {
+  const projectDir = join(hcmDir, 'project');
+  if (!existsSync(projectDir)) return null;
+
+  const files = readdirSync(projectDir);
+  const registryFile = files.find(f => f.startsWith('REGISTRY-') && f.endsWith('.json'));
+  return registryFile ? join(projectDir, registryFile) : null;
+}
+
+/**
+ * Read the registry.
+ */
+export function readRegistry(hcmDir) {
+  const filepath = findRegistryFile(hcmDir);
+  if (!filepath) return null;
+
+  return JSON.parse(readFileSync(filepath, 'utf-8'));
+}
+
+/**
+ * Write the registry back (atomic via tmp + rename).
+ */
+export function writeRegistry(hcmDir, data) {
+  const filepath = findRegistryFile(hcmDir);
+  if (!filepath) throw new Error('Registry introuvable');
+
+  const tmpPath = filepath + '.tmp';
+  writeFileSync(tmpPath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+  renameSync(tmpPath, filepath);
+}
+
+/**
+ * Atomic field-level patch on a lane — reads fresh, patches, writes atomically.
+ * Minimizes race-condition window vs separate read/updateLaneField/write.
+ * @param {string} hcmDir
+ * @param {string} agentId
+ * @param {Record<string, any>} fields — { pid: 123, session_id: 'abc', ... }
+ */
+export function patchLaneFields(hcmDir, agentId, fields) {
+  const filepath = findRegistryFile(hcmDir);
+  if (!filepath) return;
+
+  const data = JSON.parse(readFileSync(filepath, 'utf-8'));
+  const lane = data.registry_payload?.hierarchy?.lanes?.find(l => l.id === agentId);
+  if (!lane) return;
+
+  for (const [key, value] of Object.entries(fields)) {
+    lane[key] = value;
+  }
+  data.registry_meta.updated_at = new Date().toISOString();
+
+  const tmpPath = filepath + '.tmp';
+  writeFileSync(tmpPath, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+  renameSync(tmpPath, filepath);
+}
+
+/**
+ * Add a lane (agent) to the registry.
+ */
+export function addLane(registry, lane) {
+  if (!registry.registry_payload?.hierarchy?.lanes) {
+    throw new Error('Structure registry invalide');
+  }
+
+  const existing = registry.registry_payload.hierarchy.lanes.find(l => l.id === lane.id);
+  if (existing) {
+    throw new Error(`Agent ${lane.id} deja present dans le registre`);
+  }
+
+  registry.registry_payload.hierarchy.lanes.push(lane);
+  registry.registry_meta.updated_at = new Date().toISOString();
+  return registry;
+}
+
+/**
+ * Remove a lane from the registry.
+ */
+export function removeLane(registry, agentId) {
+  if (!registry.registry_payload?.hierarchy?.lanes) {
+    throw new Error('Structure registry invalide');
+  }
+
+  const idx = registry.registry_payload.hierarchy.lanes.findIndex(l => l.id === agentId);
+  if (idx === -1) {
+    throw new Error(`Agent ${agentId} non trouve dans le registre`);
+  }
+
+  registry.registry_payload.hierarchy.lanes.splice(idx, 1);
+  registry.registry_meta.updated_at = new Date().toISOString();
+  return registry;
+}
+
+/**
+ * Update a single field on an existing lane.
+ */
+export function updateLaneField(registry, agentId, field, value) {
+  if (!registry.registry_payload?.hierarchy?.lanes) {
+    throw new Error('Structure registry invalide');
+  }
+
+  const lane = registry.registry_payload.hierarchy.lanes.find(l => l.id === agentId);
+  if (!lane) {
+    throw new Error(`Agent ${agentId} non trouve dans le registre`);
+  }
+
+  lane[field] = value;
+  registry.registry_meta.updated_at = new Date().toISOString();
+  return registry;
+}
+
+/**
+ * Get all lanes from the registry.
+ */
+export function getLanes(registry) {
+  return registry?.registry_payload?.hierarchy?.lanes || [];
+}
+
+/**
+ * Get PM info from the registry.
+ */
+export function getPM(registry) {
+  return registry?.registry_payload?.hierarchy?.pm || null;
+}

package/lib/core/secrets.js

@@ -0,0 +1,137 @@
+import { createCipheriv, createDecipheriv, randomBytes, createHash, pbkdf2Sync } from 'node:crypto';
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir, hostname } from 'node:os';
+
+const ALGO = 'aes-256-gcm';
+const SECRETS_FILE = join(homedir(), '.nemesis', 'secrets.json');
+const PBKDF2_ITERATIONS = 100_000;
+const PBKDF2_KEYLEN = 32;
+const PBKDF2_DIGEST = 'sha512';
+const MIN_API_KEY_LENGTH = 8;
+
+/**
+ * Derive a 32-byte encryption key using PBKDF2.
+ * @param {Buffer} salt — random salt
+ * @returns {Buffer} 32-byte key
+ */
+export function deriveKey(salt) {
+  const passphrase = `${hostname()}:${homedir()}`;
+  return pbkdf2Sync(passphrase, salt, PBKDF2_ITERATIONS, PBKDF2_KEYLEN, PBKDF2_DIGEST);
+}
+
+/**
+ * Legacy key derivation — SHA-256 + hardcoded salt.
+ * Used only for migration from old schema.
+ */
+function deriveKeyLegacy() {
+  return createHash('sha256')
+    .update(`${hostname()}:${homedir()}:nemesis-arka-labs-2026`)
+    .digest();
+}
+
+export function encrypt(plaintext, key) {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv(ALGO, key, iv);
+  let encrypted = cipher.update(plaintext, 'utf-8', 'hex');
+  encrypted += cipher.final('hex');
+  const tag = cipher.getAuthTag().toString('hex');
+  return { iv: iv.toString('hex'), tag, data: encrypted };
+}
+
+export function decrypt(encrypted, key) {
+  const decipher = createDecipheriv(ALGO, key, Buffer.from(encrypted.iv, 'hex'));
+  decipher.setAuthTag(Buffer.from(encrypted.tag, 'hex'));
+  let decrypted = decipher.update(encrypted.data, 'hex', 'utf-8');
+  decrypted += decipher.final('utf-8');
+  return decrypted;
+}
+
+export function validateApiKey(value) {
+  if (!value || typeof value !== 'string') return false;
+  return value.trim().length >= MIN_API_KEY_LENGTH;
+}
+
+export function readSecrets() {
+  if (!existsSync(SECRETS_FILE)) return {};
+  try { return JSON.parse(readFileSync(SECRETS_FILE, 'utf-8')); }
+  catch (_e) { /* fallback: corrupted secrets file */ return {}; }
+}
+
+export function writeSecrets(secrets) {
+  const dir = join(homedir(), '.nemesis');
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  writeFileSync(SECRETS_FILE, JSON.stringify(secrets, null, 2) + '\n', { encoding: 'utf-8', mode: 0o600 });
+}
+
+/**
+ * Migrate secrets from old schema (SHA-256 + hardcoded salt) to new (PBKDF2 + random salt).
+ * Pure function — no I/O. Caller must persist the result.
+ */
+export function migrateSecrets(secrets) {
+  if (secrets._salt) return secrets;
+  const entries = Object.entries(secrets).filter(([id]) => !id.startsWith('_'));
+  if (entries.length === 0) return secrets;
+
+  const legacyKey = deriveKeyLegacy();
+  const salt = randomBytes(32);
+  const newKey = deriveKey(salt);
+  const migrated = { _salt: salt.toString('base64') };
+
+  for (const [id, encryptedValue] of entries) {
+    try {
+      const plaintext = decrypt(encryptedValue, legacyKey);
+      migrated[id] = encrypt(plaintext, newKey);
+    } catch (_e) {
+      /* fallback: cannot decrypt with legacy key — preserve entry as-is */
+      migrated[id] = encryptedValue;
+    }
+  }
+
+  return migrated;
+}
+
+/**
+ * Get the encryption key and secrets object.
+ * Handles migration from old schema transparently.
+ */
+function getKeyAndSecrets() {
+  let secrets = readSecrets();
+
+  if (!secrets._salt) {
+    if (Object.keys(secrets).length > 0) {
+      secrets = migrateSecrets(secrets);
+      writeSecrets(secrets);
+    } else {
+      const salt = randomBytes(32);
+      secrets._salt = salt.toString('base64');
+      writeSecrets(secrets);
+    }
+  }
+
+  const salt = Buffer.from(secrets._salt, 'base64');
+  const key = deriveKey(salt);
+  return { key, secrets };
+}
+
+export function storeSecret(connexionId, plaintext) {
+  if (!validateApiKey(plaintext)) {
+    throw new Error(`Invalid key: must be at least ${MIN_API_KEY_LENGTH} characters`);
+  }
+  const { key, secrets } = getKeyAndSecrets();
+  secrets[connexionId] = encrypt(plaintext, key);
+  writeSecrets(secrets);
+}
+
+export function getSecret(connexionId) {
+  const { key, secrets } = getKeyAndSecrets();
+  if (!secrets[connexionId]) return null;
+  try { return decrypt(secrets[connexionId], key); }
+  catch (_e) { /* fallback: decryption failed */ return null; }
+}
+
+export function removeSecret(connexionId) {
+  const { secrets } = getKeyAndSecrets();
+  delete secrets[connexionId];
+  writeSecrets(secrets);
+}

package/lib/core/services.js

@@ -0,0 +1,45 @@
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+
+export const SERVICE_IDS = ['notes', 'kairos'];
+
+export const SERVICE_LABELS = {
+  notes: 'NOTES / CR \u2014 Extraction post-hook',
+  kairos: 'KAIROS ROUTER \u2014 Routeur situationnel',
+};
+
+export const SERVICE_DEFAULTS = {
+  notes:  { timeout: 8, fallback_timeout: 5 },
+  kairos: { timeout: 5, fallback_timeout: 3 },
+};
+
+export function readServices(root) {
+  const file = join(root, '.nemesis', 'services.json');
+  if (!existsSync(file)) return { services: {} };
+  try { return JSON.parse(readFileSync(file, 'utf-8')); }
+  catch (_e) { /* fallback: corrupted services file */ return { services: {} }; }
+}
+
+export function writeServices(root, data) {
+  const file = join(root, '.nemesis', 'services.json');
+  writeFileSync(file, JSON.stringify(data, null, 2) + '\n', 'utf-8');
+}
+
+export function assignService(root, serviceId, opts) {
+  const { connexionId, modelOverride, fallback, timeout } = opts;
+  const data = readServices(root);
+  const defaults = SERVICE_DEFAULTS[serviceId] || { timeout: 5 };
+  data.services[serviceId] = {
+    connexion_id: connexionId,
+    model_override: modelOverride || null,
+    fallback: fallback || [],
+    timeout: timeout || defaults.timeout,
+  };
+  writeServices(root, data);
+  return data.services[serviceId];
+}
+
+export function getServiceConfig(root, serviceId) {
+  const data = readServices(root);
+  return data.services[serviceId] || null;
+}