@johpaz/hive 1.1.0

package/packages/core/src/security/google-chat.ts

@@ -0,0 +1,269 @@
+import http, { type IncomingMessage, type ServerResponse, type Server } from "http";
+import { BaseChannel, type ChannelConfig, type IncomingMessage as HiveIncomingMessage, type OutboundMessage } from "../channels/base.ts";
+import { logger } from "../utils/logger.ts";
+import { pairingService } from "./pairing.ts";
+
+export interface GoogleChatConfig extends ChannelConfig {
+  projectId?: string;
+  serviceAccountKey?: string;
+  webhookPort?: number;
+  webhookPath?: string;
+}
+
+interface GoogleChatEvent {
+  type: string;
+  eventTime: string;
+  space: {
+    name: string;
+    displayName: string;
+    type: "ROOM" | "DM";
+  };
+  message?: {
+    name: string;
+    sender: {
+      name: string;
+      displayName: string;
+    };
+    createTime: string;
+    text: string;
+    thread?: {
+      name: string;
+    };
+  };
+  user?: {
+    name: string;
+    displayName: string;
+  };
+}
+
+export class GoogleChatChannel extends BaseChannel {
+  name = "google-chat";
+  accountId: string;
+  config: GoogleChatConfig;
+
+  private server?: Server;
+  private log = logger.child("google-chat");
+  private spaceCache: Map<string, { space: string; thread?: string }> = new Map();
+
+  constructor(accountId: string, config: GoogleChatConfig) {
+    super();
+    this.accountId = accountId;
+    this.config = {
+      ...config,
+      dmPolicy: config.dmPolicy ?? "pairing",
+      allowFrom: config.allowFrom ?? [],
+      enabled: config.enabled ?? true,
+      webhookPort: config.webhookPort ?? 8080,
+      webhookPath: config.webhookPath ?? "/webhook/google-chat",
+    };
+  }
+
+  async start(): Promise<void> {
+    this.server = http.createServer((req, res) => {
+      if (req.url === this.config.webhookPath && req.method === "POST") {
+        this.handleWebhook(req, res);
+      } else {
+        res.writeHead(404).end();
+      }
+    });
+
+    return new Promise((resolve, reject) => {
+      this.server!.listen(this.config.webhookPort, () => {
+        this.running = true;
+        this.log.info(
+          `Google Chat webhook listening on port ${this.config.webhookPort}${this.config.webhookPath}`
+        );
+        resolve();
+      });
+
+      this.server!.on("error", (error: Error) => {
+        this.log.error(`Server error: ${error.message}`);
+        reject(error);
+      });
+    });
+  }
+
+  private async handleWebhook(req: IncomingMessage, res: ServerResponse): Promise<void> {
+    let body = "";
+    req.on("data", (chunk) => (body += chunk));
+    req.on("end", async () => {
+      try {
+        const event: GoogleChatEvent = JSON.parse(body);
+
+        if (event.type === "ADDED_TO_SPACE") {
+          await this.handleAddedToSpace(event, res);
+          return;
+        }
+
+        if (event.type === "REMOVED_FROM_SPACE") {
+          this.log.info(`Removed from space: ${event.space.name}`);
+          res.writeHead(200).end();
+          return;
+        }
+
+        if (event.type === "MESSAGE" && event.message) {
+          await this.handleChatMessage(event, res);
+          return;
+        }
+
+        res.writeHead(200).end();
+      } catch (error) {
+        this.log.error(`Webhook error: ${(error as Error).message}`);
+        res.writeHead(500).end();
+      }
+    });
+  }
+
+  private async handleAddedToSpace(
+    event: GoogleChatEvent,
+    res: ServerResponse
+  ): Promise<void> {
+    const message =
+      event.space.type === "DM"
+        ? {
+          text: "¡Hola! Soy tu asistente AI. Envía un mensaje para comenzar.",
+        }
+        : {
+          text: "¡Gracias por añadirme al espacio! Mencióname con @bot para interactuar.",
+        };
+
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(message));
+  }
+
+  private async handleChatMessage(event: GoogleChatEvent, res: ServerResponse): Promise<void> {
+    if (!event.message) {
+      res.writeHead(200).end();
+      return;
+    }
+
+    const userId = event.message.sender.name.split("/").pop() ?? "unknown";
+    const spaceName = event.space.name;
+    const isDM = event.space.type === "DM";
+    const kind = isDM ? "direct" : "group";
+    const peerId = isDM ? userId : `${spaceName}:${userId}`;
+
+    if (event.message.text === "/myid") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          text: `🆔 Tu Google Chat ID es: ${userId}\n\nPara emparejar, solicita un código al administrador.`,
+        })
+      );
+      return;
+    }
+
+    if (event.message.text.startsWith("/pair ")) {
+      const code = event.message.text.split(" ")[1]?.trim();
+      const result = pairingService.approve(code ?? "");
+
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          text: result.success
+            ? "✅ ¡Emparejamiento exitoso!"
+            : `❌ ${result.error}`,
+        })
+      );
+      return;
+    }
+
+    if (this.config.dmPolicy === "pairing" && !pairingService.isAllowed("google-chat", userId)) {
+      this.log.debug(`Message from unpaired user: ${userId}`);
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          text:
+            "⛔ No estás emparejado.\n\n" +
+            "Tu ID: " +
+            userId +
+            "\n\n" +
+            "Solicita un código de emparejamiento al administrador.",
+        })
+      );
+      return;
+    }
+
+    if (!isDM && !this.isUserAllowed(peerId)) {
+      this.log.debug(`Message from unauthorized user: ${peerId}`);
+      res.writeHead(200).end();
+      return;
+    }
+
+    const sessionId = this.formatSessionId(peerId, kind);
+    this.spaceCache.set(sessionId, {
+      space: spaceName,
+      thread: event.message.thread?.name,
+    });
+
+    const incomingMessage: HiveIncomingMessage = {
+      sessionId,
+      channel: "google-chat",
+      accountId: this.accountId,
+      peerId,
+      peerKind: kind,
+      content: event.message.text,
+      metadata: {
+        googleChat: {
+          spaceName,
+          userId,
+          displayName: event.message.sender.displayName,
+          threadName: event.message.thread?.name,
+        },
+      },
+    };
+
+    res.writeHead(200).end();
+
+    await this.handleMessage(incomingMessage);
+  }
+
+  async stop(): Promise<void> {
+    if (this.server) {
+      return new Promise((resolve) => {
+        this.server!.close(() => {
+          this.running = false;
+          this.log.info("Google Chat channel stopped");
+          resolve();
+        });
+      });
+    }
+  }
+
+  async send(sessionId: string, message: OutboundMessage): Promise<void> {
+    const content = message.content ?? "";
+
+    if (!content || content.trim().length === 0) {
+      this.log.warn("Empty response, skipping send");
+      return;
+    }
+
+    const cached = this.spaceCache.get(sessionId);
+
+    if (!cached) {
+      this.log.warn(`No cached space for session: ${sessionId}`);
+      return;
+    }
+
+    if (message.type === "stream" && message.chunk) {
+      this.log.info(`[Google Chat] Stream chunk to ${cached.space}: ${message.chunk.slice(0, 50)}...`);
+      return;
+    }
+
+    this.log.info(`[Google Chat] Would send to ${cached.space}: ${content.slice(0, 100)}...`);
+  }
+
+  async sendMessage(space: string, content: string, thread?: string): Promise<void> {
+    this.log.info(`[Google Chat] Sending to ${space}: ${content.slice(0, 100)}...`);
+    if (thread) {
+      this.log.info(`  Thread: ${thread}`);
+    }
+  }
+}
+
+export function createGoogleChatChannel(
+  accountId: string,
+  config: GoogleChatConfig
+): GoogleChatChannel {
+  return new GoogleChatChannel(accountId, config);
+}

package/packages/core/src/security/index.ts

@@ -0,0 +1,192 @@
+import type { Config } from "../config/loader.ts";
+import { logger } from "../utils/logger.ts";
+
+export * from "./pairing.ts";
+export * from "./rate-limit.ts";
+export * from "./signal.ts";
+export * from "./google-chat.ts";
+
+export interface RateLimitConfig {
+  windowMs: number;
+  maxRequests: number;
+}
+
+export interface RateLimitEntry {
+  count: number;
+  resetAt: number;
+}
+
+export class RateLimiter {
+  private limits: Map<string, RateLimitEntry> = new Map();
+  private config: RateLimitConfig;
+  private log = logger.child("rate-limiter");
+
+  constructor(config: RateLimitConfig) {
+    this.config = config;
+    this.startCleanup();
+  }
+
+  check(key: string): { allowed: boolean; remaining: number; resetAt: number } {
+    const now = Date.now();
+    const entry = this.limits.get(key);
+
+    if (!entry || now > entry.resetAt) {
+      const resetAt = now + this.config.windowMs;
+      this.limits.set(key, { count: 1, resetAt });
+      return { allowed: true, remaining: this.config.maxRequests - 1, resetAt };
+    }
+
+    if (entry.count >= this.config.maxRequests) {
+      this.log.warn(`Rate limit exceeded for ${key}`);
+      return { allowed: false, remaining: 0, resetAt: entry.resetAt };
+    }
+
+    entry.count++;
+    return { 
+      allowed: true, 
+      remaining: this.config.maxRequests - entry.count, 
+      resetAt: entry.resetAt 
+    };
+  }
+
+  reset(key: string): void {
+    this.limits.delete(key);
+  }
+
+  private startCleanup(): void {
+    setInterval(() => {
+      const now = Date.now();
+      for (const [key, entry] of this.limits) {
+        if (now > entry.resetAt) {
+          this.limits.delete(key);
+        }
+      }
+    }, this.config.windowMs);
+  }
+}
+
+export class InputValidator {
+  private maxMessageLength: number;
+  private maxCommandArgs: number;
+  private log = logger.child("validator");
+
+  constructor(options: { maxMessageLength?: number; maxCommandArgs?: number } = {}) {
+    this.maxMessageLength = options.maxMessageLength ?? 100000;
+    this.maxCommandArgs = options.maxCommandArgs ?? 50;
+  }
+
+  validateMessage(content: string): { valid: boolean; error?: string } {
+    if (typeof content !== "string") {
+      return { valid: false, error: "Message must be a string" };
+    }
+
+    if (content.length === 0) {
+      return { valid: false, error: "Message cannot be empty" };
+    }
+
+    if (content.length > this.maxMessageLength) {
+      this.log.warn(`Message too long: ${content.length} > ${this.maxMessageLength}`);
+      return { 
+        valid: false, 
+        error: `Message too long (max ${this.maxMessageLength} characters)` 
+      };
+    }
+
+    return { valid: true };
+  }
+
+  validateCommand(name: string, args: string[]): { valid: boolean; error?: string } {
+    if (!name || typeof name !== "string") {
+      return { valid: false, error: "Command name is required" };
+    }
+
+    if (!/^[a-z0-9_-]+$/.test(name)) {
+      return { valid: false, error: "Invalid command name format" };
+    }
+
+    if (args.length > this.maxCommandArgs) {
+      return { valid: false, error: `Too many arguments (max ${this.maxCommandArgs})` };
+    }
+
+    return { valid: true };
+  }
+
+  validateSessionId(sessionId: string): { valid: boolean; error?: string } {
+    if (!sessionId || typeof sessionId !== "string") {
+      return { valid: false, error: "Session ID is required" };
+    }
+
+    const pattern = /^agent:[a-z0-9_-]+:[a-z0-9_-]+:(main|dm|group)(?::[a-z0-9_-]+)?$/;
+    if (!pattern.test(sessionId)) {
+      return { valid: false, error: "Invalid session ID format" };
+    }
+
+    return { valid: true };
+  }
+
+  sanitizeInput(input: string): string {
+    return input
+      .replace(/\x00/g, "")
+      .replace(/[\x1F\x7F]/g, "")
+      .trim();
+  }
+}
+
+export class AuthManager {
+  private config: Config;
+  private allowedUsers: Set<string>;
+  private log = logger.child("auth");
+
+  constructor(config: Config) {
+    this.config = config;
+    this.allowedUsers = new Set(config.security?.allowedUsers ?? []);
+  }
+
+  isAllowed(peerId: string, channel: string): boolean {
+    if (this.allowedUsers.size === 0) {
+      return true;
+    }
+
+    const channelConfig = this.config.channels?.[channel as keyof typeof this.config.channels];
+    if (channelConfig && typeof channelConfig === "object" && "allowFrom" in channelConfig) {
+      const allowFrom = (channelConfig as { allowFrom?: string[] }).allowFrom;
+      if (allowFrom && allowFrom.length > 0) {
+        return allowFrom.includes(peerId);
+      }
+    }
+
+    return this.allowedUsers.has(peerId);
+  }
+
+  addAllowedUser(peerId: string): void {
+    this.allowedUsers.add(peerId);
+    this.log.info(`Added allowed user: ${peerId}`);
+  }
+
+  removeAllowedUser(peerId: string): boolean {
+    const removed = this.allowedUsers.delete(peerId);
+    if (removed) {
+      this.log.info(`Removed allowed user: ${peerId}`);
+    }
+    return removed;
+  }
+
+  listAllowedUsers(): string[] {
+    return Array.from(this.allowedUsers);
+  }
+}
+
+export function createRateLimiter(config: RateLimitConfig): RateLimiter {
+  return new RateLimiter(config);
+}
+
+export function createInputValidator(options?: {
+  maxMessageLength?: number;
+  maxCommandArgs?: number;
+}): InputValidator {
+  return new InputValidator(options);
+}
+
+export function createAuthManager(config: Config): AuthManager {
+  return new AuthManager(config);
+}

package/packages/core/src/security/pairing.ts

@@ -0,0 +1,250 @@
+import crypto from "crypto";
+import { eventBus } from "../events/event-bus.ts";
+import { logger } from "../utils/logger.ts";
+
+export interface PairingCode {
+  code: string;
+  channel: string;
+  userId: string;
+  createdAt: number;
+  expiresAt: number;
+  attempts: number;
+}
+
+export interface PairingConfig {
+  codeLength?: number;
+  expirationMs?: number;
+  maxAttempts?: number;
+}
+
+export interface PairingStats {
+  pendingCodes: number;
+  totalAllowlist: number;
+  byChannel: Record<string, { pending: number; allowed: number }>;
+}
+
+export class PairingService {
+  private codes: Map<string, PairingCode> = new Map();
+  private allowlist: Map<string, Set<string>> = new Map();
+  private config: Required<PairingConfig>;
+  private log = logger.child("pairing");
+
+  constructor(config: PairingConfig = {}) {
+    this.config = {
+      codeLength: config.codeLength ?? 8,
+      expirationMs: config.expirationMs ?? 10 * 60 * 1000,
+      maxAttempts: config.maxAttempts ?? 3,
+    };
+
+    this.startCleanup();
+  }
+
+  generateCode(channel: string, userId: string): string {
+    this.cleanup();
+
+    const code = this.generateSecureCode();
+    const now = Date.now();
+
+    const record: PairingCode = {
+      code,
+      channel,
+      userId,
+      createdAt: now,
+      expiresAt: now + this.config.expirationMs,
+      attempts: 0,
+    };
+
+    this.codes.set(code, record);
+
+    this.log.info(`Generated pairing code for ${channel}:${userId}`);
+
+    eventBus.emit("pairing:requested", {
+      channel,
+      userId,
+      code,
+      expiresAt: record.expiresAt,
+    });
+
+    return code;
+  }
+
+  validateCode(code: string): PairingCode | null {
+    const record = this.codes.get(code);
+    if (!record) return null;
+
+    if (Date.now() > record.expiresAt) {
+      this.codes.delete(code);
+      eventBus.emit("pairing:expired", {
+        code,
+        channel: record.channel,
+        userId: record.userId,
+      });
+      return null;
+    }
+
+    return record;
+  }
+
+  approve(code: string): { success: boolean; error?: string } {
+    const record = this.validateCode(code);
+    if (!record) {
+      return { success: false, error: "Invalid or expired code" };
+    }
+
+    if (!this.allowlist.has(record.channel)) {
+      this.allowlist.set(record.channel, new Set());
+    }
+    this.allowlist.get(record.channel)!.add(record.userId);
+
+    this.codes.delete(code);
+
+    this.log.info(`Approved pairing for ${record.channel}:${record.userId}`);
+
+    eventBus.emit("pairing:approved", {
+      channel: record.channel,
+      userId: record.userId,
+    });
+
+    return { success: true };
+  }
+
+  reject(code: string, reason: string): boolean {
+    const record = this.codes.get(code);
+    if (!record) return false;
+
+    this.codes.delete(code);
+
+    this.log.info(`Rejected pairing for ${record.channel}:${record.userId}: ${reason}`);
+
+    eventBus.emit("pairing:rejected", {
+      channel: record.channel,
+      userId: record.userId,
+      reason,
+    });
+
+    return true;
+  }
+
+  attempt(code: string): boolean {
+    const record = this.codes.get(code);
+    if (!record) return false;
+
+    record.attempts++;
+
+    if (record.attempts >= this.config.maxAttempts) {
+      this.codes.delete(code);
+      this.log.warn(`Code ${code} exhausted attempts`);
+      return false;
+    }
+
+    return true;
+  }
+
+  isAllowed(channel: string, userId: string): boolean {
+    const channelAllowlist = this.allowlist.get(channel);
+    return channelAllowlist?.has(userId) ?? false;
+  }
+
+  removeFromAllowlist(channel: string, userId: string): boolean {
+    const channelAllowlist = this.allowlist.get(channel);
+    if (!channelAllowlist) return false;
+
+    const removed = channelAllowlist.delete(userId);
+
+    if (channelAllowlist.size === 0) {
+      this.allowlist.delete(channel);
+    }
+
+    if (removed) {
+      this.log.info(`Removed ${userId} from allowlist for ${channel}`);
+    }
+
+    return removed;
+  }
+
+  listAllowed(channel?: string): { channel: string; userId: string }[] {
+    const result: { channel: string; userId: string }[] = [];
+
+    if (channel) {
+      const channelAllowlist = this.allowlist.get(channel);
+      if (channelAllowlist) {
+        for (const userId of channelAllowlist) {
+          result.push({ channel, userId });
+        }
+      }
+    } else {
+      for (const [ch, users] of this.allowlist) {
+        for (const userId of users) {
+          result.push({ channel: ch, userId });
+        }
+      }
+    }
+
+    return result;
+  }
+
+  listPending(): PairingCode[] {
+    this.cleanup();
+    return Array.from(this.codes.values());
+  }
+
+  getStats(): PairingStats {
+    const byChannel: Record<string, { pending: number; allowed: number }> = {};
+
+    for (const [channel, users] of this.allowlist) {
+      byChannel[channel] = {
+        pending: 0,
+        allowed: users.size,
+      };
+    }
+
+    for (const record of this.codes.values()) {
+      if (!byChannel[record.channel]) {
+        byChannel[record.channel] = { pending: 0, allowed: 0 };
+      }
+      byChannel[record.channel]!.pending++;
+    }
+
+    return {
+      pendingCodes: this.codes.size,
+      totalAllowlist: Array.from(this.allowlist.values()).reduce(
+        (sum, set) => sum + set.size,
+        0
+      ),
+      byChannel,
+    };
+  }
+
+  clear(): void {
+    this.codes.clear();
+    this.allowlist.clear();
+    this.log.info("All pairing data cleared");
+  }
+
+  private generateSecureCode(): string {
+    const bytes = crypto.randomBytes(Math.ceil(this.config.codeLength / 2));
+    return bytes.toString("hex").toUpperCase().slice(0, this.config.codeLength);
+  }
+
+  private cleanup(): void {
+    const now = Date.now();
+    for (const [code, record] of this.codes) {
+      if (now > record.expiresAt) {
+        this.codes.delete(code);
+        eventBus.emit("pairing:expired", {
+          code,
+          channel: record.channel,
+          userId: record.userId,
+        });
+      }
+    }
+  }
+
+  private startCleanup(): void {
+    setInterval(() => {
+      this.cleanup();
+    }, 60 * 1000);
+  }
+}
+
+export const pairingService = new PairingService();