@build-astron-co/nimbus 0.4.2 → 0.4.3

package/src/config/safety-policy.ts

@@ -1,358 +0,0 @@
-/**
- * Safety Policy Configuration
- *
- * Defines safety policies for infrastructure operations
- */
-
-import * as fs from 'fs';
-import * as path from 'path';
-
-/**
- * Risk severity levels
- */
-export type RiskSeverity = 'critical' | 'high' | 'medium' | 'low';
-
-/**
- * Risk definition
- */
-export interface Risk {
-  id: string;
-  severity: RiskSeverity;
-  message: string;
-  details?: Record<string, unknown>;
-  canProceed: boolean;
-  requiresApproval: boolean;
-}
-
-/**
- * Safety check result
- */
-export interface SafetyCheckResult {
-  passed: boolean;
-  risks: Risk[];
-  blockers: Risk[];
-  requiresApproval: boolean;
-  estimatedCost?: number;
-  affectedResources?: string[];
-}
-
-/**
- * Safety policy configuration
- */
-export interface SafetyPolicy {
-  /** Operations that always require approval */
-  alwaysRequireApproval: string[];
-  /** Protected environments that require extra caution */
-  protectedEnvironments: string[];
-  /** Cost threshold that triggers approval ($) */
-  costThreshold: number;
-  /** Operations to skip safety checks for */
-  skipSafetyFor: string[];
-  /** Custom rules */
-  customRules?: SafetyRule[];
-}
-
-/**
- * Custom safety rule
- */
-export interface SafetyRule {
-  id: string;
-  name: string;
-  description: string;
-  severity: RiskSeverity;
-  check: (context: SafetyContext) => boolean;
-  message: string;
-}
-
-/**
- * Context for safety checks
- */
-export interface SafetyContext {
-  operation: string;
-  type: 'terraform' | 'kubernetes' | 'helm' | 'aws' | 'gcp' | 'azure';
-  environment?: string;
-  resources?: string[];
-  estimatedCost?: number;
-  planOutput?: string;
-  metadata?: Record<string, unknown>;
-}
-
-/**
- * Default safety policy
- */
-export const defaultSafetyPolicy: SafetyPolicy = {
-  alwaysRequireApproval: ['destroy', 'delete', 'terminate', 'update', 'apply', 'create'],
-  protectedEnvironments: ['production', 'prod', 'prd', 'live', 'main', 'master'],
-  costThreshold: 500,
-  skipSafetyFor: ['plan', 'validate', 'show', 'list', 'get', 'describe', 'logs', 'status'],
-  customRules: [],
-};
-
-/**
- * Load safety policy from config file or use defaults
- */
-export function loadSafetyPolicy(configPath?: string): SafetyPolicy {
-  // Try to load from workspace config
-  const nimbusDir = path.join(process.cwd(), '.nimbus');
-  const configFile = configPath || path.join(nimbusDir, 'config.yaml');
-
-  if (fs.existsSync(configFile)) {
-    try {
-      const content = fs.readFileSync(configFile, 'utf-8');
-      const policy = parseSafetyConfig(content);
-      if (policy) {
-        return { ...defaultSafetyPolicy, ...policy };
-      }
-    } catch {
-      // Use defaults
-    }
-  }
-
-  return defaultSafetyPolicy;
-}
-
-/**
- * Parse safety config from YAML content
- */
-function parseSafetyConfig(content: string): Partial<SafetyPolicy> | null {
-  // Simple YAML parsing for safety section
-  const safetyMatch = content.match(/safety:\s*\n((?:[ \t]+.+\n?)*)/);
-  if (!safetyMatch) {
-    return null;
-  }
-
-  const safetySection = safetyMatch[1];
-  const policy: Partial<SafetyPolicy> = {};
-
-  // Parse requireApproval
-  const approvalMatch = safetySection.match(/requireApproval:\s*(true|false)/);
-  if (approvalMatch) {
-    if (approvalMatch[1] === 'false') {
-      policy.alwaysRequireApproval = [];
-    }
-  }
-
-  // Parse protectedEnvironments
-  const envMatch = safetySection.match(/protectedEnvironments:\s*\[([^\]]+)\]/);
-  if (envMatch) {
-    policy.protectedEnvironments = envMatch[1].split(',').map(s => s.trim().replace(/['"]/g, ''));
-  }
-
-  // Parse costThreshold
-  const costMatch = safetySection.match(/costThreshold:\s*(\d+)/);
-  if (costMatch) {
-    policy.costThreshold = parseInt(costMatch[1], 10);
-  }
-
-  return policy;
-}
-
-/**
- * Check if an operation requires safety checks
- */
-export function requiresSafetyCheck(
-  operation: string,
-  policy: SafetyPolicy = defaultSafetyPolicy
-): boolean {
-  const normalizedOp = operation.toLowerCase();
-  return !policy.skipSafetyFor.some(skip => normalizedOp.includes(skip.toLowerCase()));
-}
-
-/**
- * Check if an operation requires approval
- */
-export function requiresApproval(
-  operation: string,
-  context: SafetyContext,
-  policy: SafetyPolicy = defaultSafetyPolicy
-): boolean {
-  const normalizedOp = operation.toLowerCase();
-
-  // Check if operation is in always require list
-  if (policy.alwaysRequireApproval.some(op => normalizedOp.includes(op.toLowerCase()))) {
-    return true;
-  }
-
-  // Check if environment is protected
-  if (context.environment) {
-    const normalizedEnv = context.environment.toLowerCase();
-    if (policy.protectedEnvironments.some(env => normalizedEnv.includes(env.toLowerCase()))) {
-      return true;
-    }
-  }
-
-  // Check cost threshold
-  if (context.estimatedCost && context.estimatedCost > policy.costThreshold) {
-    return true;
-  }
-
-  return false;
-}
-
-/**
- * Evaluate safety for an operation
- */
-export function evaluateSafety(
-  context: SafetyContext,
-  policy: SafetyPolicy = defaultSafetyPolicy
-): SafetyCheckResult {
-  const risks: Risk[] = [];
-  const blockers: Risk[] = [];
-  let requiresApprovalFlag = false;
-
-  // Check for destroy/delete operations
-  if (['destroy', 'delete', 'terminate'].some(op => context.operation.toLowerCase().includes(op))) {
-    const risk: Risk = {
-      id: 'destructive-operation',
-      severity: 'critical',
-      message: `Destructive operation: ${context.operation}`,
-      canProceed: true,
-      requiresApproval: true,
-    };
-    risks.push(risk);
-    requiresApprovalFlag = true;
-  }
-
-  // Check for protected environment
-  if (context.environment) {
-    const normalizedEnv = context.environment.toLowerCase();
-    if (policy.protectedEnvironments.some(env => normalizedEnv.includes(env.toLowerCase()))) {
-      const risk: Risk = {
-        id: 'protected-environment',
-        severity: 'high',
-        message: `Operating on protected environment: ${context.environment}`,
-        canProceed: true,
-        requiresApproval: true,
-      };
-      risks.push(risk);
-      requiresApprovalFlag = true;
-    }
-  }
-
-  // Check cost threshold
-  if (context.estimatedCost && context.estimatedCost > policy.costThreshold) {
-    const risk: Risk = {
-      id: 'high-cost',
-      severity: 'high',
-      message: `Estimated cost $${context.estimatedCost} exceeds threshold $${policy.costThreshold}`,
-      details: {
-        estimatedCost: context.estimatedCost,
-        threshold: policy.costThreshold,
-      },
-      canProceed: true,
-      requiresApproval: true,
-    };
-    risks.push(risk);
-    requiresApprovalFlag = true;
-  }
-
-  // Check for mutations in apply
-  if (context.operation.toLowerCase().includes('apply')) {
-    const risk: Risk = {
-      id: 'mutation-operation',
-      severity: 'medium',
-      message: 'This operation will modify infrastructure',
-      canProceed: true,
-      requiresApproval: true,
-    };
-    risks.push(risk);
-    requiresApprovalFlag = true;
-  }
-
-  // Check custom rules
-  if (policy.customRules) {
-    for (const rule of policy.customRules) {
-      try {
-        if (rule.check(context)) {
-          const risk: Risk = {
-            id: rule.id,
-            severity: rule.severity,
-            message: rule.message,
-            canProceed: rule.severity !== 'critical',
-            requiresApproval: rule.severity === 'critical' || rule.severity === 'high',
-          };
-
-          if (!risk.canProceed) {
-            blockers.push(risk);
-          } else {
-            risks.push(risk);
-            if (risk.requiresApproval) {
-              requiresApprovalFlag = true;
-            }
-          }
-        }
-      } catch {
-        // Skip rule on error
-      }
-    }
-  }
-
-  // Analyze plan output for resource changes
-  if (context.planOutput) {
-    const changes = analyzePlanOutput(context.planOutput);
-    if (changes.destroy > 0) {
-      const risk: Risk = {
-        id: 'resource-destruction',
-        severity: 'high',
-        message: `${changes.destroy} resources will be destroyed`,
-        details: { count: changes.destroy },
-        canProceed: true,
-        requiresApproval: true,
-      };
-      risks.push(risk);
-      requiresApprovalFlag = true;
-    }
-  }
-
-  return {
-    passed: blockers.length === 0,
-    risks,
-    blockers,
-    requiresApproval: requiresApprovalFlag,
-    estimatedCost: context.estimatedCost,
-    affectedResources: context.resources,
-  };
-}
-
-/**
- * Analyze Terraform plan output for changes
- */
-function analyzePlanOutput(output: string): { add: number; change: number; destroy: number } {
-  const addMatch = output.match(/(\d+) to add/);
-  const changeMatch = output.match(/(\d+) to change/);
-  const destroyMatch = output.match(/(\d+) to destroy/);
-
-  return {
-    add: addMatch ? parseInt(addMatch[1], 10) : 0,
-    change: changeMatch ? parseInt(changeMatch[1], 10) : 0,
-    destroy: destroyMatch ? parseInt(destroyMatch[1], 10) : 0,
-  };
-}
-
-/**
- * Format risks for display
- */
-export function formatRisks(risks: Risk[]): string[] {
-  return risks.map(risk => {
-    const icon = getSeverityIcon(risk.severity);
-    return `${icon} [${risk.severity.toUpperCase()}] ${risk.message}`;
-  });
-}
-
-/**
- * Get icon for severity level
- */
-function getSeverityIcon(severity: RiskSeverity): string {
-  switch (severity) {
-    case 'critical':
-      return '🔴';
-    case 'high':
-      return '🟠';
-    case 'medium':
-      return '🟡';
-    case 'low':
-      return '🔵';
-    default:
-      return '⚪';
-  }
-}

package/src/config/schema.ts

@@ -1,125 +0,0 @@
-/**
- * Zod Config Schema
- *
- * Validates NimbusConfig at load time and on set() operations.
- * Uses safeParse to gracefully handle invalid configs without crashing.
- */
-
-import { z } from 'zod';
-
-export const WorkspaceConfigSchema = z.object({
-  defaultProvider: z.string().optional(),
-  outputDirectory: z.string().optional(),
-  name: z.string().optional(),
-});
-
-export const CostOptimizationConfigSchema = z.object({
-  enabled: z.boolean().optional(),
-  cheap_model: z.string().optional(),
-  expensive_model: z.string().optional(),
-  // A5/A6: task-category routing arrays
-  use_cheap_model_for: z.array(z.string()).optional(),
-  use_expensive_model_for: z.array(z.string()).optional(),
-});
-
-// A3/A4: per-provider configuration map entry
-export const ProviderConfigSchema = z.object({
-  api_key: z.string().optional(),
-  base_url: z.string().url().optional(),
-  models: z.array(z.string()).optional(),
-});
-
-// A7/A8: provider fallback configuration
-export const FallbackConfigSchema = z.object({
-  enabled: z.boolean().optional(),
-  providers: z.array(z.string()).optional(),
-});
-
-export const LLMConfigSchema = z.object({
-  defaultModel: z.string().optional(),
-  // A2: explicit default provider name
-  default_provider: z.string().optional(),
-  temperature: z.number().min(0).max(1).optional(),
-  maxTokens: z.number().positive().optional(),
-  cost_optimization: CostOptimizationConfigSchema.optional(),
-  // A3/A4: per-provider configuration keyed by provider name
-  providers: z.record(z.string(), ProviderConfigSchema).optional(),
-  // A7/A8: fallback provider chain
-  fallback: FallbackConfigSchema.optional(),
-});
-
-export const HistoryConfigSchema = z.object({
-  maxEntries: z.number().positive().optional(),
-  enabled: z.boolean().optional(),
-});
-
-export const AutoApproveConfigSchema = z.object({
-  read: z.boolean().optional(),
-  generate: z.boolean().optional(),
-  create: z.boolean().optional(),
-  update: z.boolean().optional(),
-  delete: z.boolean().optional(),
-});
-
-export const SafetyConfigSchema = z.object({
-  requireConfirmation: z.boolean().optional(),
-  dryRunByDefault: z.boolean().optional(),
-  auto_approve: AutoApproveConfigSchema.optional(),
-});
-
-export const UIConfigSchema = z.object({
-  theme: z.enum(['dark', 'light', 'auto']).optional(),
-  colors: z.boolean().optional(),
-  spinner: z.enum(['dots', 'line', 'simple']).optional(),
-});
-
-export const PersonaConfigSchema = z.object({
-  // A9: added 'custom' to the mode enum
-  mode: z
-    .enum(['professional', 'assistant', 'expert', 'standard', 'concise', 'detailed', 'custom'])
-    .optional(),
-  verbosity: z.enum(['minimal', 'normal', 'detailed', 'verbose']).optional(),
-  custom: z.string().optional(),
-});
-
-export const CloudProviderConfigSchema = z.object({
-  default_region: z.string().optional(),
-  default_profile: z.string().optional(),
-  default_project: z.string().optional(),
-  default_subscription: z.string().optional(),
-});
-
-export const CloudConfigSchema = z.object({
-  default_provider: z.enum(['aws', 'gcp', 'azure']).optional(),
-  aws: CloudProviderConfigSchema.optional(),
-  gcp: CloudProviderConfigSchema.optional(),
-  azure: CloudProviderConfigSchema.optional(),
-});
-
-export const TerraformDefaultsSchema = z.object({
-  default_backend: z.enum(['s3', 'gcs', 'azurerm', 'local']).optional(),
-  state_bucket: z.string().optional(),
-  lock_table: z.string().optional(),
-});
-
-export const KubernetesDefaultsSchema = z.object({
-  default_context: z.string().optional(),
-  default_namespace: z.string().optional(),
-});
-
-export const NimbusConfigSchema = z.object({
-  version: z.number().optional(),
-  // A1: opt-in/out of anonymous telemetry
-  telemetry: z.boolean().optional(),
-  workspace: WorkspaceConfigSchema.optional(),
-  llm: LLMConfigSchema.optional(),
-  history: HistoryConfigSchema.optional(),
-  safety: SafetyConfigSchema.optional(),
-  ui: UIConfigSchema.optional(),
-  persona: PersonaConfigSchema.optional(),
-  cloud: CloudConfigSchema.optional(),
-  terraform: TerraformDefaultsSchema.optional(),
-  kubernetes: KubernetesDefaultsSchema.optional(),
-});
-
-export type ValidatedNimbusConfig = z.infer<typeof NimbusConfigSchema>;