@build-astron-co/nimbus 0.2.0 → 0.4.0

package/dist/src/config/safety-policy.js

@@ -0,0 +1,251 @@
+/**
+ * Safety Policy Configuration
+ *
+ * Defines safety policies for infrastructure operations
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+/**
+ * Default safety policy
+ */
+export const defaultSafetyPolicy = {
+    alwaysRequireApproval: ['destroy', 'delete', 'terminate', 'update', 'apply', 'create'],
+    protectedEnvironments: ['production', 'prod', 'prd', 'live', 'main', 'master'],
+    costThreshold: 500,
+    skipSafetyFor: ['plan', 'validate', 'show', 'list', 'get', 'describe', 'logs', 'status'],
+    customRules: [],
+};
+/**
+ * Load safety policy from config file or use defaults
+ */
+export function loadSafetyPolicy(configPath) {
+    // Try to load from workspace config
+    const nimbusDir = path.join(process.cwd(), '.nimbus');
+    const configFile = configPath || path.join(nimbusDir, 'config.yaml');
+    if (fs.existsSync(configFile)) {
+        try {
+            const content = fs.readFileSync(configFile, 'utf-8');
+            const policy = parseSafetyConfig(content);
+            if (policy) {
+                return { ...defaultSafetyPolicy, ...policy };
+            }
+        }
+        catch {
+            // Use defaults
+        }
+    }
+    return defaultSafetyPolicy;
+}
+/**
+ * Parse safety config from YAML content
+ */
+function parseSafetyConfig(content) {
+    // Simple YAML parsing for safety section
+    const safetyMatch = content.match(/safety:\s*\n((?:[ \t]+.+\n?)*)/);
+    if (!safetyMatch) {
+        return null;
+    }
+    const safetySection = safetyMatch[1];
+    const policy = {};
+    // Parse requireApproval
+    const approvalMatch = safetySection.match(/requireApproval:\s*(true|false)/);
+    if (approvalMatch) {
+        if (approvalMatch[1] === 'false') {
+            policy.alwaysRequireApproval = [];
+        }
+    }
+    // Parse protectedEnvironments
+    const envMatch = safetySection.match(/protectedEnvironments:\s*\[([^\]]+)\]/);
+    if (envMatch) {
+        policy.protectedEnvironments = envMatch[1].split(',').map(s => s.trim().replace(/['"]/g, ''));
+    }
+    // Parse costThreshold
+    const costMatch = safetySection.match(/costThreshold:\s*(\d+)/);
+    if (costMatch) {
+        policy.costThreshold = parseInt(costMatch[1], 10);
+    }
+    return policy;
+}
+/**
+ * Check if an operation requires safety checks
+ */
+export function requiresSafetyCheck(operation, policy = defaultSafetyPolicy) {
+    const normalizedOp = operation.toLowerCase();
+    return !policy.skipSafetyFor.some(skip => normalizedOp.includes(skip.toLowerCase()));
+}
+/**
+ * Check if an operation requires approval
+ */
+export function requiresApproval(operation, context, policy = defaultSafetyPolicy) {
+    const normalizedOp = operation.toLowerCase();
+    // Check if operation is in always require list
+    if (policy.alwaysRequireApproval.some(op => normalizedOp.includes(op.toLowerCase()))) {
+        return true;
+    }
+    // Check if environment is protected
+    if (context.environment) {
+        const normalizedEnv = context.environment.toLowerCase();
+        if (policy.protectedEnvironments.some(env => normalizedEnv.includes(env.toLowerCase()))) {
+            return true;
+        }
+    }
+    // Check cost threshold
+    if (context.estimatedCost && context.estimatedCost > policy.costThreshold) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Evaluate safety for an operation
+ */
+export function evaluateSafety(context, policy = defaultSafetyPolicy) {
+    const risks = [];
+    const blockers = [];
+    let requiresApprovalFlag = false;
+    // Check for destroy/delete operations
+    if (['destroy', 'delete', 'terminate'].some(op => context.operation.toLowerCase().includes(op))) {
+        const risk = {
+            id: 'destructive-operation',
+            severity: 'critical',
+            message: `Destructive operation: ${context.operation}`,
+            canProceed: true,
+            requiresApproval: true,
+        };
+        risks.push(risk);
+        requiresApprovalFlag = true;
+    }
+    // Check for protected environment
+    if (context.environment) {
+        const normalizedEnv = context.environment.toLowerCase();
+        if (policy.protectedEnvironments.some(env => normalizedEnv.includes(env.toLowerCase()))) {
+            const risk = {
+                id: 'protected-environment',
+                severity: 'high',
+                message: `Operating on protected environment: ${context.environment}`,
+                canProceed: true,
+                requiresApproval: true,
+            };
+            risks.push(risk);
+            requiresApprovalFlag = true;
+        }
+    }
+    // Check cost threshold
+    if (context.estimatedCost && context.estimatedCost > policy.costThreshold) {
+        const risk = {
+            id: 'high-cost',
+            severity: 'high',
+            message: `Estimated cost $${context.estimatedCost} exceeds threshold $${policy.costThreshold}`,
+            details: {
+                estimatedCost: context.estimatedCost,
+                threshold: policy.costThreshold,
+            },
+            canProceed: true,
+            requiresApproval: true,
+        };
+        risks.push(risk);
+        requiresApprovalFlag = true;
+    }
+    // Check for mutations in apply
+    if (context.operation.toLowerCase().includes('apply')) {
+        const risk = {
+            id: 'mutation-operation',
+            severity: 'medium',
+            message: 'This operation will modify infrastructure',
+            canProceed: true,
+            requiresApproval: true,
+        };
+        risks.push(risk);
+        requiresApprovalFlag = true;
+    }
+    // Check custom rules
+    if (policy.customRules) {
+        for (const rule of policy.customRules) {
+            try {
+                if (rule.check(context)) {
+                    const risk = {
+                        id: rule.id,
+                        severity: rule.severity,
+                        message: rule.message,
+                        canProceed: rule.severity !== 'critical',
+                        requiresApproval: rule.severity === 'critical' || rule.severity === 'high',
+                    };
+                    if (!risk.canProceed) {
+                        blockers.push(risk);
+                    }
+                    else {
+                        risks.push(risk);
+                        if (risk.requiresApproval) {
+                            requiresApprovalFlag = true;
+                        }
+                    }
+                }
+            }
+            catch {
+                // Skip rule on error
+            }
+        }
+    }
+    // Analyze plan output for resource changes
+    if (context.planOutput) {
+        const changes = analyzePlanOutput(context.planOutput);
+        if (changes.destroy > 0) {
+            const risk = {
+                id: 'resource-destruction',
+                severity: 'high',
+                message: `${changes.destroy} resources will be destroyed`,
+                details: { count: changes.destroy },
+                canProceed: true,
+                requiresApproval: true,
+            };
+            risks.push(risk);
+            requiresApprovalFlag = true;
+        }
+    }
+    return {
+        passed: blockers.length === 0,
+        risks,
+        blockers,
+        requiresApproval: requiresApprovalFlag,
+        estimatedCost: context.estimatedCost,
+        affectedResources: context.resources,
+    };
+}
+/**
+ * Analyze Terraform plan output for changes
+ */
+function analyzePlanOutput(output) {
+    const addMatch = output.match(/(\d+) to add/);
+    const changeMatch = output.match(/(\d+) to change/);
+    const destroyMatch = output.match(/(\d+) to destroy/);
+    return {
+        add: addMatch ? parseInt(addMatch[1], 10) : 0,
+        change: changeMatch ? parseInt(changeMatch[1], 10) : 0,
+        destroy: destroyMatch ? parseInt(destroyMatch[1], 10) : 0,
+    };
+}
+/**
+ * Format risks for display
+ */
+export function formatRisks(risks) {
+    return risks.map(risk => {
+        const icon = getSeverityIcon(risk.severity);
+        return `${icon} [${risk.severity.toUpperCase()}] ${risk.message}`;
+    });
+}
+/**
+ * Get icon for severity level
+ */
+function getSeverityIcon(severity) {
+    switch (severity) {
+        case 'critical':
+            return '🔴';
+        case 'high':
+            return '🟠';
+        case 'medium':
+            return '🟡';
+        case 'low':
+            return '🔵';
+        default:
+            return '⚪';
+    }
+}

package/dist/src/config/schema.js

@@ -0,0 +1,107 @@
+/**
+ * Zod Config Schema
+ *
+ * Validates NimbusConfig at load time and on set() operations.
+ * Uses safeParse to gracefully handle invalid configs without crashing.
+ */
+import { z } from 'zod';
+export const WorkspaceConfigSchema = z.object({
+    defaultProvider: z.string().optional(),
+    outputDirectory: z.string().optional(),
+    name: z.string().optional(),
+});
+export const CostOptimizationConfigSchema = z.object({
+    enabled: z.boolean().optional(),
+    cheap_model: z.string().optional(),
+    expensive_model: z.string().optional(),
+    // A5/A6: task-category routing arrays
+    use_cheap_model_for: z.array(z.string()).optional(),
+    use_expensive_model_for: z.array(z.string()).optional(),
+});
+// A3/A4: per-provider configuration map entry
+export const ProviderConfigSchema = z.object({
+    api_key: z.string().optional(),
+    base_url: z.string().url().optional(),
+    models: z.array(z.string()).optional(),
+});
+// A7/A8: provider fallback configuration
+export const FallbackConfigSchema = z.object({
+    enabled: z.boolean().optional(),
+    providers: z.array(z.string()).optional(),
+});
+export const LLMConfigSchema = z.object({
+    defaultModel: z.string().optional(),
+    // A2: explicit default provider name
+    default_provider: z.string().optional(),
+    temperature: z.number().min(0).max(1).optional(),
+    maxTokens: z.number().positive().optional(),
+    cost_optimization: CostOptimizationConfigSchema.optional(),
+    // A3/A4: per-provider configuration keyed by provider name
+    providers: z.record(z.string(), ProviderConfigSchema).optional(),
+    // A7/A8: fallback provider chain
+    fallback: FallbackConfigSchema.optional(),
+});
+export const HistoryConfigSchema = z.object({
+    maxEntries: z.number().positive().optional(),
+    enabled: z.boolean().optional(),
+});
+export const AutoApproveConfigSchema = z.object({
+    read: z.boolean().optional(),
+    generate: z.boolean().optional(),
+    create: z.boolean().optional(),
+    update: z.boolean().optional(),
+    delete: z.boolean().optional(),
+});
+export const SafetyConfigSchema = z.object({
+    requireConfirmation: z.boolean().optional(),
+    dryRunByDefault: z.boolean().optional(),
+    auto_approve: AutoApproveConfigSchema.optional(),
+});
+export const UIConfigSchema = z.object({
+    theme: z.enum(['dark', 'light', 'auto']).optional(),
+    colors: z.boolean().optional(),
+    spinner: z.enum(['dots', 'line', 'simple']).optional(),
+});
+export const PersonaConfigSchema = z.object({
+    // A9: added 'custom' to the mode enum
+    mode: z
+        .enum(['professional', 'assistant', 'expert', 'standard', 'concise', 'detailed', 'custom'])
+        .optional(),
+    verbosity: z.enum(['minimal', 'normal', 'detailed', 'verbose']).optional(),
+    custom: z.string().optional(),
+});
+export const CloudProviderConfigSchema = z.object({
+    default_region: z.string().optional(),
+    default_profile: z.string().optional(),
+    default_project: z.string().optional(),
+    default_subscription: z.string().optional(),
+});
+export const CloudConfigSchema = z.object({
+    default_provider: z.enum(['aws', 'gcp', 'azure']).optional(),
+    aws: CloudProviderConfigSchema.optional(),
+    gcp: CloudProviderConfigSchema.optional(),
+    azure: CloudProviderConfigSchema.optional(),
+});
+export const TerraformDefaultsSchema = z.object({
+    default_backend: z.enum(['s3', 'gcs', 'azurerm', 'local']).optional(),
+    state_bucket: z.string().optional(),
+    lock_table: z.string().optional(),
+});
+export const KubernetesDefaultsSchema = z.object({
+    default_context: z.string().optional(),
+    default_namespace: z.string().optional(),
+});
+export const NimbusConfigSchema = z.object({
+    version: z.number().optional(),
+    // A1: opt-in/out of anonymous telemetry
+    telemetry: z.boolean().optional(),
+    workspace: WorkspaceConfigSchema.optional(),
+    llm: LLMConfigSchema.optional(),
+    history: HistoryConfigSchema.optional(),
+    safety: SafetyConfigSchema.optional(),
+    ui: UIConfigSchema.optional(),
+    persona: PersonaConfigSchema.optional(),
+    cloud: CloudConfigSchema.optional(),
+    terraform: TerraformDefaultsSchema.optional(),
+    kubernetes: KubernetesDefaultsSchema.optional(),
+});

package/dist/src/config/types.js

@@ -0,0 +1,311 @@
+/**
+ * Configuration Types
+ *
+ * Type definitions for Nimbus CLI configuration
+ */
+/**
+ * Registry of all config keys
+ */
+export const CONFIG_KEYS = [
+    {
+        key: 'workspace.defaultProvider',
+        description: 'Default cloud provider (aws, gcp, azure)',
+        type: 'string',
+        defaultValue: 'aws',
+    },
+    {
+        key: 'workspace.outputDirectory',
+        description: 'Output directory for generated code',
+        type: 'string',
+        defaultValue: './infrastructure',
+    },
+    {
+        key: 'workspace.name',
+        description: 'Project name',
+        type: 'string',
+    },
+    {
+        key: 'llm.defaultModel',
+        description: 'Default LLM model to use',
+        type: 'string',
+    },
+    {
+        key: 'llm.temperature',
+        description: 'Temperature for LLM generation (0-1)',
+        type: 'number',
+        defaultValue: 0.7,
+    },
+    {
+        key: 'llm.maxTokens',
+        description: 'Maximum tokens for LLM response',
+        type: 'number',
+        defaultValue: 4096,
+    },
+    {
+        key: 'history.maxEntries',
+        description: 'Maximum history entries to keep',
+        type: 'number',
+        defaultValue: 100,
+    },
+    {
+        key: 'history.enabled',
+        description: 'Enable command history',
+        type: 'boolean',
+        defaultValue: true,
+    },
+    {
+        key: 'safety.requireConfirmation',
+        description: 'Require confirmation for destructive operations',
+        type: 'boolean',
+        defaultValue: true,
+    },
+    {
+        key: 'safety.dryRunByDefault',
+        description: 'Enable dry-run mode by default',
+        type: 'boolean',
+        defaultValue: false,
+    },
+    {
+        key: 'safety.auto_approve.read',
+        description: 'Auto-approve read operations (list, get, describe)',
+        type: 'boolean',
+        defaultValue: true,
+    },
+    {
+        key: 'safety.auto_approve.generate',
+        description: 'Auto-approve generate operations (IaC generation)',
+        type: 'boolean',
+        defaultValue: true,
+    },
+    {
+        key: 'safety.auto_approve.create',
+        description: 'Auto-approve create operations (apply, install)',
+        type: 'boolean',
+        defaultValue: false,
+    },
+    {
+        key: 'safety.auto_approve.update',
+        description: 'Auto-approve update operations (upgrade, scale)',
+        type: 'boolean',
+        defaultValue: false,
+    },
+    {
+        key: 'safety.auto_approve.delete',
+        description: 'Auto-approve delete operations (delete, destroy, uninstall)',
+        type: 'boolean',
+        defaultValue: false,
+    },
+    {
+        key: 'ui.theme',
+        description: 'Color theme (dark, light, auto)',
+        type: 'string',
+        defaultValue: 'auto',
+    },
+    {
+        key: 'ui.colors',
+        description: 'Enable colors in output',
+        type: 'boolean',
+        defaultValue: true,
+    },
+    {
+        key: 'ui.spinner',
+        description: 'Spinner style (dots, line, simple)',
+        type: 'string',
+        defaultValue: 'dots',
+    },
+    {
+        key: 'persona.mode',
+        description: 'AI persona mode (standard, concise, detailed, expert)',
+        type: 'string',
+        defaultValue: 'standard',
+    },
+    {
+        key: 'persona.verbosity',
+        description: 'Response verbosity level (minimal, normal, verbose)',
+        type: 'string',
+        defaultValue: 'normal',
+    },
+    {
+        key: 'persona.custom',
+        description: 'Custom persona prompt override',
+        type: 'string',
+        defaultValue: '',
+    },
+    {
+        key: 'cloud.default_provider',
+        description: 'Default cloud provider (aws, gcp, azure)',
+        type: 'string',
+        defaultValue: 'aws',
+    },
+    {
+        key: 'cloud.aws.default_region',
+        description: 'Default AWS region',
+        type: 'string',
+        defaultValue: 'us-east-1',
+    },
+    {
+        key: 'cloud.aws.default_profile',
+        description: 'Default AWS CLI profile',
+        type: 'string',
+        defaultValue: 'default',
+    },
+    {
+        key: 'cloud.gcp.default_region',
+        description: 'Default GCP region',
+        type: 'string',
+        defaultValue: 'us-central1',
+    },
+    {
+        key: 'cloud.gcp.default_project',
+        description: 'Default GCP project ID',
+        type: 'string',
+    },
+    {
+        key: 'cloud.azure.default_region',
+        description: 'Default Azure region',
+        type: 'string',
+        defaultValue: 'eastus',
+    },
+    {
+        key: 'cloud.azure.default_subscription',
+        description: 'Default Azure subscription ID',
+        type: 'string',
+    },
+    {
+        key: 'terraform.default_backend',
+        description: 'Default Terraform backend (s3, gcs, azurerm, local)',
+        type: 'string',
+        defaultValue: 's3',
+    },
+    {
+        key: 'terraform.state_bucket',
+        description: 'Terraform state bucket name',
+        type: 'string',
+    },
+    {
+        key: 'terraform.lock_table',
+        description: 'Terraform DynamoDB lock table name',
+        type: 'string',
+    },
+    {
+        key: 'kubernetes.default_context',
+        description: 'Default kubectl context',
+        type: 'string',
+    },
+    {
+        key: 'kubernetes.default_namespace',
+        description: 'Default Kubernetes namespace',
+        type: 'string',
+        defaultValue: 'default',
+    },
+    {
+        key: 'llm.cost_optimization.enabled',
+        description: 'Enable LLM cost optimization routing',
+        type: 'boolean',
+        defaultValue: false,
+    },
+    {
+        key: 'llm.cost_optimization.cheap_model',
+        description: 'Model for simple tasks (summaries, classification)',
+        type: 'string',
+        defaultValue: 'claude-haiku-4-20250514',
+    },
+    {
+        key: 'llm.cost_optimization.expensive_model',
+        description: 'Model for complex tasks (code generation, reasoning)',
+        type: 'string',
+        defaultValue: 'claude-sonnet-4-20250514',
+    },
+    // A1: Telemetry
+    {
+        key: 'telemetry',
+        description: 'Enable anonymous usage statistics and error reporting',
+        type: 'boolean',
+        defaultValue: true,
+    },
+    // A2: LLM default provider
+    {
+        key: 'llm.default_provider',
+        description: 'Default LLM provider to use (e.g. anthropic, openai, google)',
+        type: 'string',
+    },
+    // A5: Cost optimization — cheap model task routing
+    {
+        key: 'llm.cost_optimization.use_cheap_model_for',
+        description: 'Task categories that should be routed to the cheap model (JSON array)',
+        type: 'string',
+    },
+    // A6: Cost optimization — expensive model task routing
+    {
+        key: 'llm.cost_optimization.use_expensive_model_for',
+        description: 'Task categories that should be routed to the expensive model (JSON array)',
+        type: 'string',
+    },
+    // A7: Fallback enabled
+    {
+        key: 'llm.fallback.enabled',
+        description: 'Enable automatic fallback to alternative LLM providers on failure',
+        type: 'boolean',
+        defaultValue: false,
+    },
+    // A8: Fallback provider list
+    {
+        key: 'llm.fallback.providers',
+        description: 'Ordered list of fallback LLM providers to try on failure (JSON array)',
+        type: 'string',
+    },
+    // M4: Primary cloud providers
+    {
+        key: 'primaryClouds',
+        description: 'Primary cloud providers (comma-separated: aws,gcp,azure)',
+        type: 'string',
+    },
+    // M4: Model override (validated against known model IDs)
+    {
+        key: 'model',
+        description: 'Default model ID (e.g. claude-opus-4-6, claude-sonnet-4-6, claude-haiku-4-5-20251001)',
+        type: 'string',
+    },
+    // G16: Default cost budget per session
+    {
+        key: 'defaultCostBudget',
+        description: 'Default cost budget in USD per session (e.g. 1.00). 0 means unlimited.',
+        type: 'number',
+        defaultValue: 0,
+    },
+    // G21: Configurable agent turn silence timeout
+    {
+        key: 'agentTurnTimeoutSeconds',
+        description: 'Seconds to wait for LLM response before aborting (default: 60)',
+        type: 'number',
+        defaultValue: 60,
+    },
+];
+/**
+ * Load per-project configuration from:
+ *   1. <cwd>/nimbus.yaml  (JSON-parsed, no YAML dep)
+ *   2. <cwd>/.nimbus/config.json
+ *
+ * Returns null if neither file exists or both fail to parse.
+ */
+export function loadProjectConfig(cwd) {
+    const { existsSync, readFileSync } = require('node:fs');
+    const { join } = require('node:path');
+    const candidates = [
+        join(cwd, 'nimbus.yaml'),
+        join(cwd, '.nimbus', 'config.json'),
+    ];
+    for (const file of candidates) {
+        try {
+            if (!existsSync(file))
+                continue;
+            const raw = readFileSync(file, 'utf-8');
+            const parsed = JSON.parse(raw);
+            return parsed;
+        }
+        catch {
+            // Try next candidate
+        }
+    }
+    return null;
+}

package/dist/src/config/workspace-state.js

@@ -0,0 +1,38 @@
+/**
+ * Workspace state persistence — saves terraform workspace + kubectl context
+ * per working directory to ~/.nimbus/workspace-state.json
+ */
+import { readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+const STATE_PATH = join(homedir(), '.nimbus', 'workspace-state.json');
+function loadStateFile() {
+    try {
+        return JSON.parse(readFileSync(STATE_PATH, 'utf-8'));
+    }
+    catch {
+        return {};
+    }
+}
+function saveStateFile(state) {
+    try {
+        mkdirSync(join(homedir(), '.nimbus'), { recursive: true });
+        writeFileSync(STATE_PATH, JSON.stringify(state, null, 2), 'utf-8');
+    }
+    catch { /* non-critical */ }
+}
+export function loadWorkspaceState(cwd) {
+    const all = loadStateFile();
+    return all[cwd] ?? {};
+}
+export function saveWorkspaceState(cwd, state) {
+    const all = loadStateFile();
+    all[cwd] = { ...all[cwd], ...state, lastSeen: new Date().toISOString() };
+    saveStateFile(all);
+}
+export function mergeWorkspaceState(cwd, infra) {
+    const existing = loadWorkspaceState(cwd);
+    const merged = { ...existing, ...infra };
+    saveWorkspaceState(cwd, merged);
+    return merged;
+}