@complior/engine 0.9.0

package/src/services/passport-service.ts

@@ -0,0 +1,339 @@
+/**
+ * Passport Service — facade over CRUD, document generation, and audit sub-modules.
+ * CRUD operations live here; documents and audit are delegated to sub-modules.
+ */
+import { writeFile, readFile, readdir, mkdir, stat } from 'node:fs/promises';
+import { join, dirname } from 'node:path';
+import { randomUUID } from 'node:crypto';
+import { z } from 'zod';
+import type { ScanContext } from '../ports/scanner.port.js';
+import type { EventBusPort } from '../ports/events.port.js';
+import type { ScanResult } from '../types/common.types.js';
+import type { AgentPassport } from '../types/passport.types.js';
+import { parsePassport } from '../types/passport-schemas.js';
+import { createEvidence } from '../domain/scanner/evidence.js';
+import type { Scanner } from '../domain/scanner/create-scanner.js';
+import { parseDepsFromContext } from '../domain/shared/parse-dependencies.js';
+import { runLayer3 } from '../domain/scanner/layers/layer3-config.js';
+import { runLayer4 } from '../domain/scanner/layers/layer4-patterns.js';
+import { discoverAgents } from '../domain/passport/discovery/agent-discovery.js';
+import { analyzeAutonomy } from '../domain/passport/discovery/autonomy-analyzer.js';
+import type { AutonomyAnalysis } from '../domain/passport/discovery/autonomy-analyzer.js';
+import { scanPermissions } from '../domain/passport/discovery/permission-scanner.js';
+import { buildPassport } from '../domain/passport/builder/manifest-builder.js';
+import type { ProjectProfile } from '../domain/passport/builder/manifest-builder.js';
+import { deriveDocStatusFromFindings, buildScanSummary, buildDocQualitySummary } from '../domain/passport/scan-to-compliance.js';
+import { loadOrCreateKeyPair, signPassport, verifyPassport as verifyPassportCrypto } from '../domain/passport/crypto-signer.js';
+import { validatePassport, computeCompleteness } from '../domain/passport/passport-validator.js';
+import type { ValidationResult, CompletenessResult } from '../domain/passport/passport-validator.js';
+import type { EvidenceStore } from '../domain/scanner/evidence-store.js';
+import type { AuditStore } from '../domain/audit/audit-trail.js';
+import { updatePassportCompliance } from './passport-service-utils.js';
+import { createLogger } from '../infra/logger.js';
+
+const log = createLogger('passport-service');
+import { createPassportDocuments } from './passport-documents.js';
+import { createPassportAudit } from './passport-audit.js';
+
+// --- Types ---
+
+export interface PassportServiceDeps {
+  readonly collectFiles: (path: string) => Promise<ScanContext>;
+  readonly scanner: Scanner;
+  readonly events: EventBusPort;
+  readonly getProjectPath: () => string;
+  readonly getLastScanResult: () => ScanResult | null;
+  readonly loadTemplate?: (file: string) => Promise<string>;
+  readonly loadPolicyTemplate?: (file: string) => Promise<string>;
+  readonly evidenceStore?: EvidenceStore;
+  readonly auditStore?: AuditStore;
+}
+
+export interface InitPassportResult {
+  readonly manifests: readonly AgentPassport[];
+  readonly savedPaths: readonly string[];
+  readonly skipped: readonly string[];
+}
+
+// --- Helpers ---
+
+/** Read .complior/profile.json — non-fatal if missing. */
+const ProfileSchema = z.record(z.unknown());
+
+const loadProjectProfile = async (projectPath: string): Promise<ProjectProfile | undefined> => {
+  try {
+    const raw = await readFile(join(projectPath, '.complior', 'profile.json'), 'utf-8');
+    const parsed = ProfileSchema.safeParse(JSON.parse(raw));
+    if (!parsed.success) { log.warn('Invalid profile.json:', parsed.error.message); return undefined; }
+    const profile = parsed.data;
+    const business = profile.business as Record<string, unknown> | undefined;
+    const data = profile.data as Record<string, unknown> | undefined;
+    const aiSystem = profile.aiSystem as Record<string, unknown> | undefined;
+    const computed = profile.computed as Record<string, unknown> | undefined;
+
+    const domain = (business?.domain as string) ?? 'general';
+    const dataTypes = Array.isArray(data?.types) ? (data.types as string[]) : [];
+    const systemType = (aiSystem?.type as string) ?? 'feature';
+    const riskLevel = (computed?.riskLevel as string) ?? 'limited';
+    const dataStorage = (data?.storage as string) ?? undefined;
+
+    return { domain, dataTypes, systemType, riskLevel, dataStorage };
+  } catch (err) {
+    log.debug('No project profile found:', err);
+    return undefined;
+  }
+};
+
+// --- Service factory ---
+
+export const createPassportService = (deps: PassportServiceDeps) => {
+  const { collectFiles, events, getProjectPath, getLastScanResult } = deps;
+
+  // --- CRUD ---
+
+  const initPassport = async (
+    projectPath?: string,
+    overrides?: Record<string, unknown>,
+    force?: boolean,
+  ): Promise<InitPassportResult> => {
+    const path = projectPath ?? getProjectPath();
+    const ctx = await collectFiles(path);
+    const parsedDeps = parseDepsFromContext(ctx);
+    const agents = discoverAgents(ctx, parsedDeps);
+
+    if (agents.length === 0) return { manifests: [], savedPaths: [], skipped: [] };
+
+    const l3Results = runLayer3(ctx);
+    const l4Results = runLayer4(ctx, l3Results);
+    const scanResult = getLastScanResult();
+
+    // Load project profile for risk classification (non-fatal if missing)
+    const projectProfile = await loadProjectProfile(path);
+
+    const manifests: AgentPassport[] = [];
+    const savedPaths: string[] = [];
+    const skipped: string[] = [];
+
+    for (const agent of agents) {
+      const autonomy = analyzeAutonomy(l4Results);
+      const permissions = scanPermissions(ctx);
+
+      // Check for existing passport to preserve dates on --force
+      const agentsDir = join(path, '.complior', 'agents');
+      const filePath = join(agentsDir, `${agent.name}-manifest.json`);
+      let existingPassport: { created: string; deployed_since: string } | undefined;
+
+      if (force) {
+        try {
+          const raw = await readFile(filePath, 'utf-8');
+          const existing = parsePassport(raw);
+          if (existing) {
+            existingPassport = {
+              created: existing.created,
+              deployed_since: existing.lifecycle.deployed_since,
+            };
+          }
+        } catch (err) { log.debug(`No existing passport for ${agent.name}:`, err); }
+      }
+
+      const unsignedManifest = buildPassport({
+        agent, autonomy, permissions,
+        scanResult: scanResult ?? undefined,
+        overrides,
+        projectProfile,
+        existingPassport,
+      });
+
+      const keyPair = await loadOrCreateKeyPair();
+      const signature = signPassport(unsignedManifest, keyPair.privateKey);
+      const signedManifest: AgentPassport = { ...unsignedManifest, signature };
+
+      await mkdir(dirname(filePath), { recursive: true });
+
+      if (!force) {
+        try {
+          const existing = await readFile(filePath, 'utf-8');
+          if (existing.trim().length > 0) { skipped.push(agent.name); continue; }
+          // Empty file — treat as non-existent, overwrite
+        } catch { /* file doesn't exist — create it */ }
+      }
+
+      await writeFile(filePath, JSON.stringify(signedManifest, null, 2));
+      manifests.push(signedManifest);
+      savedPaths.push(filePath);
+
+      if (deps.auditStore) {
+        await deps.auditStore.append('passport.created', { name: agent.name, path: filePath }, agent.name);
+      }
+      if (deps.evidenceStore) {
+        const evidence = createEvidence(agent.name, 'passport', 'passport', { file: filePath });
+        await deps.evidenceStore.append([evidence], randomUUID());
+      }
+      if (scanResult) {
+        events.emit('agent.scan.completed', { agentName: agent.name, result: scanResult });
+        events.emit('agent.score.updated', { agentName: agent.name, before: 0, after: scanResult.score?.totalScore ?? 0 });
+      }
+    }
+
+    events.emit('scan.started', { projectPath: path });
+    return { manifests, savedPaths, skipped };
+  };
+
+  const listPassports = async (projectPath?: string): Promise<readonly AgentPassport[]> => {
+    const path = projectPath ?? getProjectPath();
+    const agentsDir = join(path, '.complior', 'agents');
+    try {
+      const files = await readdir(agentsDir);
+      const manifests: AgentPassport[] = [];
+      for (const file of files) {
+        if (!file.endsWith('-manifest.json')) continue;
+        const content = await readFile(join(agentsDir, file), 'utf-8');
+        const passport = parsePassport(content);
+        if (passport) manifests.push(passport);
+      }
+      return manifests;
+    } catch (err) { log.debug('Failed to list passports:', err); return []; }
+  };
+
+  const showPassport = async (name: string, projectPath?: string): Promise<AgentPassport | null> => {
+    const path = projectPath ?? getProjectPath();
+    try {
+      const content = await readFile(join(path, '.complior', 'agents', `${name}-manifest.json`), 'utf-8');
+      return parsePassport(content);
+    } catch (err) { log.debug(`Failed to read passport ${name}:`, err); return null; }
+  };
+
+  const verifyPassport = async (name: string, projectPath?: string): Promise<boolean> => {
+    const manifest = await showPassport(name, projectPath);
+    if (manifest === null) return false;
+    return verifyPassportCrypto(manifest);
+  };
+
+  const analyzeProjectAutonomy = async (projectPath?: string): Promise<AutonomyAnalysis> => {
+    const path = projectPath ?? getProjectPath();
+    const ctx = await collectFiles(path);
+    return analyzeAutonomy(runLayer4(ctx, runLayer3(ctx)));
+  };
+
+  const validatePassportByName = async (name: string, projectPath?: string): Promise<ValidationResult | null> => {
+    const manifest = await showPassport(name, projectPath);
+    return manifest ? validatePassport(manifest) : null;
+  };
+
+  const getPassportCompleteness = async (name: string, projectPath?: string): Promise<CompletenessResult | null> => {
+    const manifest = await showPassport(name, projectPath);
+    return manifest ? computeCompleteness(manifest) : null;
+  };
+
+  const findAgentsForFile = async (changedPath: string): Promise<readonly { name: string; sourceFiles: readonly string[] }[]> => {
+    const { relative } = await import('node:path');
+    const projectPath = getProjectPath();
+    const relChanged = relative(projectPath, changedPath);
+    const passports = await listPassports(projectPath);
+    return passports
+      .filter((p) => (p.source_files ?? []).some((sf) => relChanged === sf || relChanged.startsWith(sf + '/')))
+      .map((p) => ({ name: p.name, sourceFiles: p.source_files ?? [] }));
+  };
+
+  /** Step 10: Auto-update passports after scan — refreshes score, doc status, and scan_summary per-agent. */
+  const updatePassportsAfterScan = async (scanResult: ScanResult, projectPath?: string): Promise<void> => {
+    const path = projectPath ?? getProjectPath();
+    const passports = await listPassports(path);
+
+    // Global findings (no agentId) apply to ALL agents — they represent project-wide checks
+    // (doc quality, config, dependencies, etc.) that affect every agent in the project.
+    const globalFindings = scanResult.findings.filter(f => !f.agentId);
+
+    for (const passport of passports) {
+      // Agent-specific + global findings = full compliance picture for this agent
+      const agentSpecificFindings = scanResult.findings.filter(f => f.agentId === passport.name);
+      const allAgentFindings = [...agentSpecificFindings, ...globalFindings];
+
+      const docStatus = deriveDocStatusFromFindings(allAgentFindings, scanResult.scannedAt);
+      const scanSummary = buildScanSummary(allAgentFindings, scanResult.scannedAt);
+
+      // complior_score: per-agent simple ratio (no category weights).
+      // Contrast with project_score (weighted 8-category score from score-calculator.ts).
+      const agentPassed = allAgentFindings.filter(f => f.type === 'pass').length;
+      const agentFailed = allAgentFindings.filter(f => f.type === 'fail').length;
+      const applicable = agentPassed + agentFailed;
+      const agentScore = applicable > 0 ? Math.round((agentPassed / applicable) * 100) : 0;
+
+      const docQualitySummary = buildDocQualitySummary(docStatus);
+
+      await updatePassportCompliance(deps, passport.name, {
+        complior_score: agentScore,
+        project_score: scanResult.score.totalScore,
+        last_scan: scanResult.scannedAt,
+        scan_summary: scanSummary,
+        doc_quality_summary: docQualitySummary,
+        ...docStatus,
+      }, path).catch((err) => { log.debug(`Failed to update passport ${passport.name}:`, err); });
+    }
+  };
+
+  // --- Delegate to sub-modules ---
+
+  const coreOps = { showPassport, listPassports };
+  const docs = createPassportDocuments(deps, coreOps);
+  const audit = createPassportAudit(deps, coreOps);
+
+  /** Rename a passport: update file name, internal name field, re-sign. */
+  const renamePassport = async (
+    oldName: string,
+    newName: string,
+    projectPath?: string,
+  ): Promise<{ oldPath: string; newPath: string }> => {
+    const path = projectPath ?? getProjectPath();
+    const agentsDir = join(path, '.complior', 'agents');
+    const oldPath = join(agentsDir, `${oldName}-manifest.json`);
+    const newPath = join(agentsDir, `${newName}-manifest.json`);
+
+    // Read existing passport
+    const raw = await readFile(oldPath, 'utf-8');
+    const passport = parsePassport(raw);
+    if (!passport) throw new Error(`Invalid passport: ${oldName}`);
+
+    // Check target doesn't already exist
+    try { await stat(newPath); throw new Error(`Passport '${newName}' already exists`); } catch (e) {
+      if ((e as NodeJS.ErrnoException).code !== 'ENOENT') throw e;
+    }
+
+    // Update name + re-sign
+    const updated: AgentPassport = { ...passport, name: newName, updated: new Date().toISOString() };
+    const keyPair = await loadOrCreateKeyPair();
+    const signature = signPassport(updated, keyPair.privateKey);
+    const signed: AgentPassport = { ...updated, signature };
+
+    // Write new file, remove old
+    await writeFile(newPath, JSON.stringify(signed, null, 2));
+    const { unlink } = await import('node:fs/promises');
+    await unlink(oldPath);
+
+    // Audit trail
+    if (deps.auditStore) {
+      await deps.auditStore.append('passport.updated' as Parameters<typeof deps.auditStore.append>[0], {
+        action: 'rename', oldName, newName, path: newPath,
+      }, newName);
+    }
+
+    return { oldPath, newPath };
+  };
+
+  return Object.freeze({
+    initPassport,
+    listPassports,
+    showPassport,
+    verifyPassport,
+    analyzeProjectAutonomy,
+    validatePassportByName,
+    getPassportCompleteness,
+    findAgentsForFile,
+    updatePassportsAfterScan,
+    renamePassport,
+    ...docs,
+    ...audit,
+  });
+};
+
+export type PassportService = ReturnType<typeof createPassportService>;

package/src/services/proxy-service.ts

@@ -0,0 +1,81 @@
+import type { ProxyConfig, ProxyStats, McpCallLog } from '../domain/proxy/proxy-types.js';
+import { ProxyConfigSchema } from '../domain/proxy/proxy-types.js';
+import { createInterceptor, type ProxyInterceptor, type InterceptorDeps } from '../domain/proxy/proxy-interceptor.js';
+import { createProxyBridge, type ProxyBridge } from '../domain/proxy/proxy-bridge.js';
+import { createPolicyEngine, type ProxyPolicy } from '../domain/proxy/policy-engine.js';
+
+export interface ProxyServiceDeps {
+  readonly logCall?: InterceptorDeps['logCall'];
+  readonly recordEvidence?: InterceptorDeps['recordEvidence'];
+  readonly loadPolicy?: (projectPath: string) => Promise<ProxyPolicy | null>;
+}
+
+export interface ProxyService {
+  readonly start: (config: ProxyConfig, projectPath?: string) => Promise<{ success: boolean; error?: string }>;
+  readonly stop: () => { success: boolean };
+  readonly health: () => ProxyStats | { isRunning: false };
+  readonly getCallLog: () => readonly McpCallLog[];
+}
+
+export const createProxyService = (deps: ProxyServiceDeps): ProxyService => {
+  let bridge: ProxyBridge | null = null;
+  let interceptor: ProxyInterceptor | null = null;
+
+  const start = async (rawConfig: ProxyConfig, projectPath?: string): Promise<{ success: boolean; error?: string }> => {
+    if (bridge?.isRunning()) {
+      return { success: false, error: 'Proxy is already running' };
+    }
+
+    const parsed = ProxyConfigSchema.safeParse(rawConfig);
+    if (!parsed.success) {
+      return { success: false, error: `Invalid config: ${parsed.error.message}` };
+    }
+    const config = parsed.data;
+
+    // Load policy from project path if available
+    let policyEngine: ReturnType<typeof createPolicyEngine> | undefined;
+    if (deps.loadPolicy && projectPath) {
+      try {
+        const policy = await deps.loadPolicy(projectPath);
+        if (policy) {
+          policyEngine = createPolicyEngine(policy);
+        }
+      } catch {
+        // Policy loading failed — continue without policy (allow-all)
+      }
+    }
+
+    const startedAt = new Date().toISOString();
+    interceptor = createInterceptor(
+      { logCall: deps.logCall, recordEvidence: deps.recordEvidence, policyEngine },
+      startedAt,
+    );
+    bridge = createProxyBridge(config, interceptor);
+
+    try {
+      await bridge.start();
+      return { success: true };
+    } catch (err) {
+      return { success: false, error: `Failed to start proxy: ${err instanceof Error ? err.message : String(err)}` };
+    }
+  };
+
+  const stop = (): { success: boolean } => {
+    if (!bridge?.isRunning()) {
+      return { success: false };
+    }
+    bridge.stop();
+    return { success: true };
+  };
+
+  const health = (): ProxyStats | { isRunning: false } => {
+    if (!interceptor || !bridge?.isRunning()) {
+      return { isRunning: false };
+    }
+    return interceptor.getStats();
+  };
+
+  const getCallLog = () => interceptor?.getCallLog() ?? [];
+
+  return Object.freeze({ start, stop, health, getCallLog });
+};

package/src/services/report-service.ts

@@ -0,0 +1,72 @@
+import { resolve } from 'node:path';
+import type { ScanResult } from '../types/common.types.js';
+import type { EventBusPort } from '../ports/events.port.js';
+import { buildAuditReportData } from '../domain/reporter/audit-report.js';
+import { renderPdfReport } from '../domain/reporter/pdf-renderer.js';
+import { generateComplianceMd } from '../domain/reporter/compliance-md.js';
+
+export interface ReportServiceDeps {
+  readonly events: EventBusPort;
+  readonly getProjectPath: () => string;
+  readonly getLastScanResult: () => ScanResult | null;
+  readonly getVersion: () => string;
+}
+
+export const createReportService = (deps: ReportServiceDeps) => {
+  const { events, getProjectPath, getLastScanResult, getVersion } = deps;
+
+  const generatePdf = async (options?: {
+    readonly organization?: string;
+    readonly jurisdiction?: string;
+    readonly outputPath?: string;
+    readonly isFree?: boolean;
+  }): Promise<{ path: string; pages: number }> => {
+    const scanResult = getLastScanResult();
+    if (!scanResult) {
+      throw new Error('No scan result available. Run a scan first.');
+    }
+
+    const data = buildAuditReportData(scanResult, {
+      organization: options?.organization,
+      jurisdiction: options?.jurisdiction,
+      version: getVersion(),
+    });
+
+    const outputPath = options?.outputPath ?? resolve(
+      getProjectPath(), '.complior', 'reports', `audit-report-${Date.now()}.pdf`,
+    );
+
+    await renderPdfReport(data, outputPath, { isFree: options?.isFree });
+
+    events.emit('report.generated', { path: outputPath, format: 'pdf' });
+
+    // Approximate page count from findings
+    const pages = Math.max(4, Math.ceil(data.findings.length / 8) + 3);
+    return { path: outputPath, pages };
+  };
+
+  const generateMarkdown = async (options?: {
+    readonly outputPath?: string;
+  }): Promise<{ path: string; content: string }> => {
+    const scanResult = getLastScanResult();
+    if (!scanResult) {
+      throw new Error('No scan result available. Run a scan first.');
+    }
+
+    const content = generateComplianceMd(scanResult, getVersion());
+    const outputPath = options?.outputPath ?? resolve(getProjectPath(), 'COMPLIANCE.md');
+
+    const { writeFile, mkdir } = await import('node:fs/promises');
+    const { dirname } = await import('node:path');
+    await mkdir(dirname(outputPath), { recursive: true });
+    await writeFile(outputPath, content);
+
+    events.emit('report.generated', { path: outputPath, format: 'markdown' });
+
+    return { path: outputPath, content };
+  };
+
+  return Object.freeze({ generatePdf, generateMarkdown });
+};
+
+export type ReportService = ReturnType<typeof createReportService>;