@downcity/agent 1.1.6 → 1.1.8

package/src/shared/utils/store/StoreSecureSettings.ts

@@ -1,126 +0,0 @@
-/**
- * PlatformStore 加密配置仓储。
- *
- * 关键点（中文）
- * - 管理 `platform_secure_settings` 表。
- * - 平台级与 agent 级敏感配置都复用这套存储。
- */
-
-import { decryptText, decryptTextSync, encryptText, encryptTextSync } from "./crypto.js";
-import type { PlatformStoreContext } from "./StoreShared.js";
-import { normalizeNonEmptyText, nowIso } from "./StoreShared.js";
-
-/**
- * 同步读取加密 JSON 配置。
- */
-export function getSecureSettingJsonSync<T>(
-  context: PlatformStoreContext,
-  key: string,
-): T | null {
-  const settingKey = normalizeNonEmptyText(key, "setting key");
-  const row = context.sqlite
-    .prepare(
-      "SELECT value_encrypted FROM platform_secure_settings WHERE key = ? LIMIT 1;",
-    )
-    .get(settingKey) as { value_encrypted?: unknown } | undefined;
-  if (!row || typeof row.value_encrypted !== "string" || !row.value_encrypted) {
-    return null;
-  }
-  const raw = decryptTextSync(row.value_encrypted);
-  return JSON.parse(raw) as T;
-}
-
-/**
- * 同步写入加密 JSON 配置。
- */
-export function setSecureSettingJsonSync(
-  context: PlatformStoreContext,
-  key: string,
-  value: unknown,
-): void {
-  const settingKey = normalizeNonEmptyText(key, "setting key");
-  const raw = JSON.stringify(value ?? null);
-  const encrypted = encryptTextSync(raw);
-  const now = nowIso();
-  context.sqlite
-    .prepare(
-      `
-      INSERT INTO platform_secure_settings (key, value_encrypted, created_at, updated_at)
-      VALUES (?, ?, ?, ?)
-      ON CONFLICT(key) DO UPDATE SET
-        value_encrypted = excluded.value_encrypted,
-        updated_at = excluded.updated_at;
-      `,
-    )
-    .run(settingKey, encrypted, now, now);
-}
-
-/**
- * 删除加密配置。
- */
-export function removeSecureSetting(
-  context: PlatformStoreContext,
-  key: string,
-): void {
-  const settingKey = normalizeNonEmptyText(key, "setting key");
-  context.sqlite
-    .prepare("DELETE FROM platform_secure_settings WHERE key = ?;")
-    .run(settingKey);
-}
-
-/**
- * 异步读取加密 JSON 配置。
- */
-export async function getSecureSettingJson<T>(
-  context: PlatformStoreContext,
-  key: string,
-): Promise<T | null> {
-  const settingKey = normalizeNonEmptyText(key, "setting key");
-  const row = context.sqlite
-    .prepare(
-      "SELECT value_encrypted FROM platform_secure_settings WHERE key = ? LIMIT 1;",
-    )
-    .get(settingKey) as { value_encrypted?: unknown } | undefined;
-  if (!row || typeof row.value_encrypted !== "string" || !row.value_encrypted) {
-    return null;
-  }
-  const raw = await decryptText(row.value_encrypted);
-  return JSON.parse(raw) as T;
-}
-
-/**
- * 异步写入加密 JSON 配置。
- */
-export async function setSecureSettingJson(
-  context: PlatformStoreContext,
-  key: string,
-  value: unknown,
-): Promise<void> {
-  const settingKey = normalizeNonEmptyText(key, "setting key");
-  const raw = JSON.stringify(value ?? null);
-  const encrypted = await encryptText(raw);
-  const now = nowIso();
-  context.sqlite
-    .prepare(
-      `
-      INSERT INTO platform_secure_settings (key, value_encrypted, created_at, updated_at)
-      VALUES (?, ?, ?, ?)
-      ON CONFLICT(key) DO UPDATE SET
-        value_encrypted = excluded.value_encrypted,
-        updated_at = excluded.updated_at;
-      `,
-    )
-    .run(settingKey, encrypted, now, now);
-}
-
-/**
- * 构造 agent 级加密配置 key。
- */
-export function buildAgentSecureSettingKey(
-  agentIdInput: string,
-  keyInput: string,
-): string {
-  const agentId = normalizeNonEmptyText(agentIdInput, "agentId");
-  const key = normalizeNonEmptyText(keyInput, "agent secure setting key");
-  return `agent:${agentId}:${key}`;
-}

package/src/shared/utils/store/StoreShared.ts

@@ -1,67 +0,0 @@
-/**
- * PlatformStore 共享内部工具。
- *
- * 关键点（中文）
- * - 这里只放 `PlatformStore` 内部多个子模块共用的类型与纯函数。
- * - 对外不暴露业务语义，只服务 `utils/store/*` 内部实现。
- */
-
-import Database from "better-sqlite3";
-import { drizzle } from "drizzle-orm/better-sqlite3";
-import type { StoredChannelAccountChannel } from "@/shared/types/Store.js";
-
-/**
- * Drizzle SQLite 实例类型。
- */
-export type PlatformDrizzleDb = ReturnType<typeof drizzle>;
-
-/**
- * PlatformStore 子模块上下文。
- */
-export interface PlatformStoreContext {
-  /**
-   * 原始 SQLite 连接。
-   */
-  sqlite: Database.Database;
-  /**
-   * Drizzle 查询实例。
-   */
-  db: PlatformDrizzleDb;
-}
-
-/**
- * 返回当前时间的 ISO 字符串。
- */
-export function nowIso(): string {
-  return new Date().toISOString();
-}
-
-/**
- * 归一化非空文本。
- */
-export function normalizeNonEmptyText(value: string, fieldName: string): string {
-  const normalized = String(value || "").trim();
-  if (!normalized) throw new Error(`${fieldName} cannot be empty`);
-  return normalized;
-}
-
-/**
- * 把字符串裁剪为可选文本。
- */
-export function optionalTrimmedText(value: string | undefined): string | undefined {
-  const normalized = String(value || "").trim();
-  return normalized || undefined;
-}
-
-/**
- * 规范化 channel account 的 channel 字段。
- */
-export function normalizeChannelAccountChannel(
-  input: string,
-): StoredChannelAccountChannel {
-  const channel = String(input || "").trim().toLowerCase();
-  if (channel === "telegram" || channel === "feishu" || channel === "qq") {
-    return channel;
-  }
-  throw new Error(`Unsupported channel account type: ${input}`);
-}

package/src/shared/utils/store/crypto.ts

@@ -1,112 +0,0 @@
-/**
- * 模型存储加密工具。
- *
- * 关键点（中文）
- * - 使用 AES-256-GCM 对敏感字段（apiKey）做加密落盘。
- * - 默认从 `~/.downcity/main/model-db.key` 加载或自动生成密钥。
- */
-import crypto from "node:crypto";
-import fs from "fs-extra";
-import path from "node:path";
-import { getPlatformStoreKeyPath } from "@/host/runtime/CityPaths.js";
-
-const MODEL_DB_KEY_PATH = "model-db.key";
-const ENCRYPTION_ALGO = "aes-256-gcm";
-
-let cachedKey: Buffer | null = null;
-
-/**
- * 重置缓存密钥。
- *
- * 关键点（中文）
- * - 仅在迁移阶段替换 key 文件后调用，确保后续解密重新从磁盘加载最新 key。
- */
-export function resetModelDbKeyCache(): void {
-  cachedKey = null;
-}
-
-function resolveKeyFilePathSync(): string {
-  const keyPath = getPlatformStoreKeyPath();
-  fs.ensureDirSync(path.dirname(keyPath));
-  return keyPath;
-}
-
-async function resolveKeyFilePath(): Promise<string> {
-  return resolveKeyFilePathSync();
-}
-
-function loadOrCreateKeySync(): Buffer {
-  if (cachedKey) return cachedKey;
-  const envKey = String(process.env.DC_MODEL_DB_KEY || "").trim();
-  if (envKey) {
-    cachedKey = crypto.createHash("sha256").update(envKey, "utf8").digest();
-    return cachedKey;
-  }
-
-  const keyPath = resolveKeyFilePathSync();
-  if (fs.existsSync(keyPath)) {
-    const raw = String(fs.readFileSync(keyPath, "utf8")).trim();
-    if (raw) {
-      const parsed = Buffer.from(raw, "base64");
-      if (parsed.length === 32) {
-        cachedKey = parsed;
-        return cachedKey;
-      }
-    }
-  }
-
-  const next = crypto.randomBytes(32);
-  fs.writeFileSync(keyPath, next.toString("base64"), { mode: 0o600 });
-  cachedKey = next;
-  return cachedKey;
-}
-
-async function loadOrCreateKey(): Promise<Buffer> {
-  return loadOrCreateKeySync();
-}
-
-/**
- * 同步加密字符串（用于同步配置读取链路）。
- */
-export function encryptTextSync(plainText: string): string {
-  const key = loadOrCreateKeySync();
-  const iv = crypto.randomBytes(12);
-  const cipher = crypto.createCipheriv(ENCRYPTION_ALGO, key, iv);
-  const encrypted = Buffer.concat([cipher.update(plainText, "utf8"), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return Buffer.concat([iv, tag, encrypted]).toString("base64");
-}
-
-/**
- * 同步解密字符串（用于同步配置读取链路）。
- */
-export function decryptTextSync(cipherText: string): string {
-  const key = loadOrCreateKeySync();
-  const packed = Buffer.from(cipherText, "base64");
-  if (packed.length < 28) {
-    throw new Error("Invalid encrypted payload");
-  }
-  const iv = packed.subarray(0, 12);
-  const tag = packed.subarray(12, 28);
-  const body = packed.subarray(28);
-  const decipher = crypto.createDecipheriv(ENCRYPTION_ALGO, key, iv);
-  decipher.setAuthTag(tag);
-  const plain = Buffer.concat([decipher.update(body), decipher.final()]);
-  return plain.toString("utf8");
-}
-
-/**
- * 加密字符串。
- */
-export async function encryptText(plainText: string): Promise<string> {
-  await loadOrCreateKey();
-  return encryptTextSync(plainText);
-}
-
-/**
- * 解密字符串。
- */
-export async function decryptText(cipherText: string): Promise<string> {
-  await loadOrCreateKey();
-  return decryptTextSync(cipherText);
-}