@onmars/lunar-core 0.1.0

package/src/lib/scheduler.ts

@@ -0,0 +1,422 @@
+/**
+ * Scheduler — Cron-based job system for proactive AI behavior.
+ *
+ * Spec (ARCHITECTURE.md §16):
+ *   - Polls SQLite jobs table every pollInterval (default 60s)
+ *   - Three schedule types: cron (5-field), at (one-shot ISO-8601), every (interval)
+ *   - Two payload types: query (agent), message (static)
+ *   - Dispatches via Router.dispatchScheduled()
+ *   - Jobs defined in config.yaml and/or created at runtime via slash commands
+ *   - Timezone-aware (Intl.DateTimeFormat)
+ *
+ * Lifecycle:
+ *   daemon.start() -> scheduler.start()
+ *   daemon.stop()  -> scheduler.stop()
+ */
+
+import { type CronFields, nextOccurrence, parseCron } from './cron-parser'
+import { log } from './logger'
+
+// ════════════════════════════════════════════════════════════
+// Types
+// ════════════════════════════════════════════════════════════
+
+export type Schedule =
+  | { kind: 'cron'; expr: string; tz?: string }
+  | { kind: 'at'; at: string }
+  | { kind: 'every'; intervalMs: number }
+
+export type JobPayload = { kind: 'query'; prompt: string } | { kind: 'message'; text: string }
+
+export interface Job {
+  id: string
+  name?: string
+  schedule: Schedule
+  payload: JobPayload
+  channel: string
+  moon?: string
+  enabled: boolean
+  oneShot: boolean
+  lastRun?: number
+  nextRun?: number
+  createdAt: number
+}
+
+export interface SchedulerConfig {
+  enabled: boolean
+  pollIntervalMs: number
+  timezone: string
+  jobs: Record<string, JobConfig>
+}
+
+export interface JobConfig {
+  schedule: Schedule
+  channel: string
+  payload: JobPayload
+  moon?: string
+  enabled?: boolean
+  oneShot?: boolean
+}
+
+/** Dispatch function signature — provided by the Router */
+export type DispatchFn = (
+  channel: string,
+  payload: JobPayload,
+  options?: { moon?: string; jobId?: string; jobName?: string },
+) => Promise<void>
+
+// ════════════════════════════════════════════════════════════
+// JobStore — SQLite persistence layer
+// ════════════════════════════════════════════════════════════
+
+/**
+ * JobStore wraps the SQLite database for job CRUD operations.
+ * Uses the `jobs` table already created by SessionStore.
+ */
+export class JobStore {
+  private db: import('bun:sqlite').Database
+
+  constructor(db: import('bun:sqlite').Database) {
+    this.db = db
+    this.ensureSchema()
+  }
+
+  private ensureSchema(): void {
+    // Add columns that may not exist in the v0.1 schema
+    // SQLite doesn't have IF NOT EXISTS for columns, so we check first
+    try {
+      this.db.exec(`
+        ALTER TABLE jobs ADD COLUMN channel TEXT NOT NULL DEFAULT '';
+      `)
+    } catch {
+      /* column already exists */
+    }
+
+    try {
+      this.db.exec(`
+        ALTER TABLE jobs ADD COLUMN moon TEXT;
+      `)
+    } catch {
+      /* column already exists */
+    }
+
+    try {
+      this.db.exec(`
+        ALTER TABLE jobs ADD COLUMN one_shot INTEGER NOT NULL DEFAULT 0;
+      `)
+    } catch {
+      /* column already exists */
+    }
+  }
+
+  /** Add a new job */
+  add(job: Job): void {
+    this.db
+      .query(`
+      INSERT OR REPLACE INTO jobs (id, name, schedule, payload, channel, moon, enabled, one_shot, last_run, next_run, created_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `)
+      .run(
+        job.id,
+        job.name ?? null,
+        JSON.stringify(job.schedule),
+        JSON.stringify(job.payload),
+        job.channel,
+        job.moon ?? null,
+        job.enabled ? 1 : 0,
+        job.oneShot ? 1 : 0,
+        job.lastRun ?? null,
+        job.nextRun ?? null,
+        job.createdAt,
+      )
+  }
+
+  /** Get a job by ID or name */
+  get(idOrName: string): Job | null {
+    const row = this.db
+      .query('SELECT * FROM jobs WHERE id = ? OR name = ?')
+      .get(idOrName, idOrName) as JobRow | null
+    return row ? this.mapRow(row) : null
+  }
+
+  /** List all jobs (optionally only enabled) */
+  list(enabledOnly = false): Job[] {
+    const query = enabledOnly
+      ? 'SELECT * FROM jobs WHERE enabled = 1 ORDER BY next_run ASC'
+      : 'SELECT * FROM jobs ORDER BY created_at DESC'
+    const rows = this.db.query(query).all() as JobRow[]
+    return rows.map((r) => this.mapRow(r))
+  }
+
+  /** Get due jobs (next_run <= now and enabled) */
+  getDue(now: number): Job[] {
+    const rows = this.db
+      .query('SELECT * FROM jobs WHERE enabled = 1 AND next_run IS NOT NULL AND next_run <= ?')
+      .all(now) as JobRow[]
+    return rows.map((r) => this.mapRow(r))
+  }
+
+  /** Update last_run and next_run */
+  updateRun(id: string, lastRun: number, nextRun: number | null): void {
+    this.db
+      .query('UPDATE jobs SET last_run = ?, next_run = ? WHERE id = ?')
+      .run(lastRun, nextRun, id)
+  }
+
+  /** Disable a job */
+  disable(id: string): void {
+    this.db.query('UPDATE jobs SET enabled = 0 WHERE id = ?').run(id)
+  }
+
+  /** Enable a job */
+  enable(id: string): void {
+    this.db.query('UPDATE jobs SET enabled = 1 WHERE id = ?').run(id)
+  }
+
+  /** Remove a job */
+  remove(id: string): boolean {
+    const result = this.db.query('DELETE FROM jobs WHERE id = ? OR name = ?').run(id, id)
+    return result.changes > 0
+  }
+
+  /** Map a database row to a Job object */
+  private mapRow(row: JobRow): Job {
+    return {
+      id: row.id,
+      name: row.name ?? undefined,
+      schedule: JSON.parse(row.schedule) as Schedule,
+      payload: JSON.parse(row.payload) as JobPayload,
+      channel: row.channel,
+      moon: row.moon ?? undefined,
+      enabled: row.enabled === 1,
+      oneShot: row.one_shot === 1,
+      lastRun: row.last_run ?? undefined,
+      nextRun: row.next_run ?? undefined,
+      createdAt: row.created_at,
+    }
+  }
+}
+
+interface JobRow {
+  id: string
+  name: string | null
+  schedule: string
+  payload: string
+  channel: string
+  moon: string | null
+  enabled: number
+  one_shot: number
+  last_run: number | null
+  next_run: number | null
+  created_at: number
+}
+
+// ════════════════════════════════════════════════════════════
+// Scheduler — Poll loop + dispatch
+// ════════════════════════════════════════════════════════════
+
+export class Scheduler {
+  private store: JobStore
+  private dispatch: DispatchFn
+  private config: SchedulerConfig
+  private intervalHandle?: ReturnType<typeof setInterval>
+  private running = false
+  /** Cache parsed cron fields to avoid re-parsing every tick */
+  private cronCache = new Map<string, CronFields>()
+
+  constructor(store: JobStore, dispatch: DispatchFn, config: SchedulerConfig) {
+    this.store = store
+    this.dispatch = dispatch
+    this.config = config
+  }
+
+  /**
+   * Start the scheduler.
+   * 1. Sync config-defined jobs to the database
+   * 2. Compute next_run for all enabled jobs
+   * 3. Start the poll interval
+   */
+  async start(): Promise<void> {
+    if (this.running) return
+
+    // Sync config jobs -> database
+    this.syncConfigJobs()
+
+    // Compute initial next_run for all enabled jobs
+    this.computeAllNextRuns()
+
+    // Start poll loop
+    this.running = true
+    this.intervalHandle = setInterval(() => {
+      this.tick().catch((err) => {
+        log.error({ err }, 'Scheduler tick error')
+      })
+    }, this.config.pollIntervalMs)
+
+    const jobs = this.store.list(true)
+    log.info(
+      { pollMs: this.config.pollIntervalMs, tz: this.config.timezone, enabledJobs: jobs.length },
+      'Scheduler started',
+    )
+
+    // Log next runs
+    for (const job of jobs) {
+      if (job.nextRun) {
+        log.debug(
+          { name: job.name ?? job.id, nextRun: new Date(job.nextRun * 1000).toISOString() },
+          'Job scheduled',
+        )
+      }
+    }
+  }
+
+  /** Stop the scheduler */
+  async stop(): Promise<void> {
+    if (!this.running) return
+
+    this.running = false
+    if (this.intervalHandle) {
+      clearInterval(this.intervalHandle)
+      this.intervalHandle = undefined
+    }
+
+    log.info('Scheduler stopped')
+  }
+
+  /** Get the job store for external access (slash commands, etc.) */
+  getStore(): JobStore {
+    return this.store
+  }
+
+  // ────────────────────────────────────────────────────────
+
+  /** One poll cycle: find and execute due jobs */
+  async tick(): Promise<void> {
+    const nowSec = Math.floor(Date.now() / 1000)
+    const dueJobs = this.store.getDue(nowSec)
+
+    if (dueJobs.length === 0) return
+
+    log.debug({ count: dueJobs.length }, 'Scheduler: due jobs found')
+
+    for (const job of dueJobs) {
+      try {
+        log.info(
+          { id: job.id, name: job.name, channel: job.channel, kind: job.payload.kind },
+          'Executing scheduled job',
+        )
+
+        await this.dispatch(job.channel, job.payload, {
+          moon: job.moon,
+          jobId: job.id,
+          jobName: job.name,
+        })
+
+        // Update last_run and compute next_run
+        const nextRun = this.computeNextRun(job.schedule, nowSec)
+        this.store.updateRun(job.id, nowSec, nextRun)
+
+        // Auto-disable one-shot jobs
+        if (job.oneShot) {
+          this.store.disable(job.id)
+          log.info({ id: job.id, name: job.name }, 'One-shot job disabled after execution')
+        }
+      } catch (err) {
+        log.error({ err, id: job.id, name: job.name }, 'Failed to execute scheduled job')
+        // Don't re-throw — continue with other jobs
+        // Still update last_run to avoid retrying immediately
+        const nextRun = this.computeNextRun(job.schedule, nowSec)
+        this.store.updateRun(job.id, nowSec, nextRun)
+      }
+    }
+  }
+
+  // ────────────────────────────────────────────────────────
+
+  /**
+   * Sync config-defined jobs to the database.
+   * Config is the source of truth for static jobs.
+   * Runtime-created jobs (no matching config name) are preserved.
+   */
+  private syncConfigJobs(): void {
+    const existingJobs = this.store.list()
+    const existingByName = new Map(existingJobs.filter((j) => j.name).map((j) => [j.name!, j]))
+
+    for (const [name, config] of Object.entries(this.config.jobs)) {
+      const existing = existingByName.get(name)
+
+      const job: Job = {
+        id: existing?.id ?? crypto.randomUUID(),
+        name,
+        schedule: config.schedule,
+        payload: config.payload,
+        channel: config.channel,
+        moon: config.moon,
+        enabled: config.enabled !== false,
+        oneShot: config.oneShot === true,
+        lastRun: existing?.lastRun,
+        nextRun: existing?.nextRun,
+        createdAt: existing?.createdAt ?? Math.floor(Date.now() / 1000),
+      }
+
+      this.store.add(job)
+      log.debug({ name, id: job.id }, 'Config job synced')
+    }
+  }
+
+  /** Compute next_run for all enabled jobs that don't have one */
+  private computeAllNextRuns(): void {
+    const jobs = this.store.list(true)
+    const nowSec = Math.floor(Date.now() / 1000)
+
+    for (const job of jobs) {
+      if (!job.nextRun || job.nextRun <= nowSec) {
+        const nextRun = this.computeNextRun(job.schedule, nowSec)
+        if (nextRun !== null) {
+          this.store.updateRun(job.id, job.lastRun ?? 0, nextRun)
+        }
+      }
+    }
+  }
+
+  /**
+   * Compute the next run time for a schedule.
+   * @returns Unix timestamp (seconds) or null if no next run
+   */
+  computeNextRun(schedule: Schedule, afterSec: number): number | null {
+    const afterMs = afterSec * 1000
+
+    switch (schedule.kind) {
+      case 'cron': {
+        const tz = schedule.tz ?? this.config.timezone
+        // Use cached parsed fields
+        const cacheKey = `${schedule.expr}|${tz}`
+        let fields = this.cronCache.get(cacheKey)
+        if (!fields) {
+          fields = parseCron(schedule.expr)
+          this.cronCache.set(cacheKey, fields)
+        }
+        const next = nextOccurrence(fields, afterMs, tz)
+        return next ? Math.floor(next.getTime() / 1000) : null
+      }
+
+      case 'at': {
+        const atMs = new Date(schedule.at).getTime()
+        if (Number.isNaN(atMs)) {
+          log.warn({ at: schedule.at }, 'Invalid "at" timestamp')
+          return null
+        }
+        // Only fire if in the future
+        return atMs > afterMs ? Math.floor(atMs / 1000) : null
+      }
+
+      case 'every': {
+        return afterSec + Math.floor(schedule.intervalMs / 1000)
+      }
+
+      default:
+        log.warn({ schedule }, 'Unknown schedule kind')
+        return null
+    }
+  }
+}

package/src/lib/security.ts

@@ -0,0 +1,259 @@
+import type { InputSanitizationConfig, SecurityConfig } from './config-loader'
+import { log } from './logger'
+
+/**
+ * Default regex patterns that are ALWAYS active for output redaction.
+ * User patterns from config.yaml are added on top of these.
+ */
+const DEFAULT_REDACT_PATTERNS = [
+  /sk-[a-zA-Z0-9]{20,}/g, // OpenAI API keys
+  /ghp_[a-zA-Z0-9]{36}/g, // GitHub PATs
+  /github_pat_[a-zA-Z0-9_]{82}/g, // GitHub fine-grained PATs
+  /xox[bpas]-[a-zA-Z0-9-]+/g, // Slack tokens
+  /\b[A-Za-z0-9]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}/g, // Discord bot tokens
+  /ghu_[a-zA-Z0-9]{36}/g, // GitHub user tokens
+  /ghs_[a-zA-Z0-9]{36}/g, // GitHub server tokens
+  /AKIA[0-9A-Z]{16}/g, // AWS access keys
+  /AIza[0-9A-Za-z_-]{35}/g, // Google API keys
+  /sk_live_[a-zA-Z0-9]{24,}/g, // Stripe live keys
+]
+
+/**
+ * Build a safe environment for the agent subprocess.
+ *
+ * Strategy: ALLOWLIST (default deny).
+ * Only variables in envDefaults + envPassthrough are included.
+ * If envPassthroughAll is true, passes everything (dangerous).
+ */
+export function buildSafeEnv(
+  processEnv: Record<string, string | undefined>,
+  security: SecurityConfig,
+  extraEnv?: Record<string, string>,
+): Record<string, string> {
+  // Dangerous mode: pass everything
+  if (security.envPassthroughAll) {
+    log.warn('envPassthroughAll is enabled — ALL env vars will be passed to agent subprocess')
+    const env: Record<string, string> = {}
+    for (const [key, value] of Object.entries(processEnv)) {
+      if (value !== undefined) env[key] = value
+    }
+    if (extraEnv) Object.assign(env, extraEnv)
+    return env
+  }
+
+  // Build allowlist from defaults + user passthrough
+  const allowed = new Set([...security.envDefaults, ...security.envPassthrough])
+
+  const env: Record<string, string> = {}
+  for (const key of allowed) {
+    const value = processEnv[key]
+    if (value !== undefined) {
+      env[key] = value
+    }
+  }
+
+  // Apply programmatic overrides (these always take priority)
+  if (extraEnv) {
+    Object.assign(env, extraEnv)
+  }
+
+  log.debug(
+    {
+      allowed: allowed.size,
+      resolved: Object.keys(env).length,
+      keys: Object.keys(env).sort(),
+    },
+    'Agent env built (allowlist)',
+  )
+
+  return env
+}
+
+/**
+ * Create a reusable redaction function from security config.
+ * Combines default patterns with user-configured patterns.
+ */
+export function createRedactor(security: SecurityConfig): (text: string) => string {
+  // Compile user patterns
+  const userPatterns: RegExp[] = []
+  for (const pattern of security.outputRedactPatterns) {
+    try {
+      userPatterns.push(new RegExp(pattern, 'g'))
+    } catch (error) {
+      log.warn({ pattern, err: error }, 'Invalid redaction regex pattern, skipping')
+    }
+  }
+
+  const allPatterns = [...DEFAULT_REDACT_PATTERNS, ...userPatterns]
+
+  log.debug(
+    { defaultPatterns: DEFAULT_REDACT_PATTERNS.length, userPatterns: userPatterns.length },
+    'Output redactor initialized',
+  )
+
+  return (text: string): string => {
+    let redacted = text
+    for (const pattern of allPatterns) {
+      // Reset lastIndex for global regexes
+      pattern.lastIndex = 0
+      redacted = redacted.replace(pattern, '[REDACTED]')
+    }
+    return redacted
+  }
+}
+
+// ════════════════════════════════════════════════════════════
+// Input Sanitization — Defense against prompt injection
+// ════════════════════════════════════════════════════════════
+
+/**
+ * Tier 1 — Markers to STRIP silently from input.
+ * These are system-prompt-like markers that should never appear in user messages.
+ */
+const STRIP_PATTERNS: RegExp[] = [
+  // XML-style system markers
+  /<\/?system>/gi,
+  /<\/?instructions>/gi,
+  /<\/?prompt>/gi,
+  /<\/?assistant>/gi,
+  /<\/?human>/gi,
+
+  // Bracket-style markers
+  /\[SYSTEM\]/gi,
+  /\[INST\]/gi,
+  /\[\/INST\]/gi,
+  /\[INSTRUCTIONS?\]/gi,
+
+  // Separator-style injection attempts
+  /^-{3,}\s*system\s*-{3,}$/gim,
+  /^={3,}\s*system\s*={3,}$/gim,
+
+  // "Ignore previous" family — the most common prompt injection
+  /ignore (?:all )?(?:previous|above|prior) (?:instructions?|prompts?|rules?)/gi,
+  /disregard (?:all )?(?:previous|above|prior) (?:instructions?|prompts?|rules?)/gi,
+  /forget (?:all )?(?:previous|above) (?:instructions?|context)/gi,
+]
+
+/**
+ * Tier 2 — Patterns to DETECT and LOG (not stripped).
+ * These could be malicious or could be legitimate use.
+ * We log them for review but don't alter the message.
+ */
+const SUSPICIOUS_PATTERNS: Array<{ pattern: RegExp; label: string }> = [
+  // Role override attempts
+  { pattern: /you are now (?:a |an |the )/gi, label: 'role-override' },
+  { pattern: /from now on,? (?:you |your )/gi, label: 'behavior-override' },
+  { pattern: /new instructions?:/gi, label: 'instruction-inject' },
+
+  // System prompt extraction
+  {
+    pattern:
+      /(?:reveal|show|tell me|print|output|display|repeat) (?:your |the )?(?:system ?prompt|instructions|rules|secrets|initial prompt)/gi,
+    label: 'extraction-attempt',
+  },
+  {
+    pattern: /what (?:are|is|were) your (?:system ?prompt|instructions|rules|original prompt)/gi,
+    label: 'extraction-attempt',
+  },
+
+  // Encoding evasion
+  {
+    pattern:
+      /(?:encode|decode|convert) (?:this |it )?(?:in |to |as )?(?:base64|rot13|hex|binary)/gi,
+    label: 'encoding-evasion',
+  },
+
+  // Zero-width characters (can hide instructions)
+  { pattern: /\u200b|\u200c|\u200d|\ufeff/g, label: 'zero-width-chars' },
+]
+
+/**
+ * Result of input sanitization.
+ */
+export interface SanitizationResult {
+  /** Cleaned text */
+  text: string
+  /** Number of strip operations performed */
+  stripped: number
+  /** Labels of suspicious patterns detected */
+  suspicious: string[]
+  /** Whether any sanitization was applied */
+  wasSanitized: boolean
+}
+
+/**
+ * Sanitize user input against prompt injection attempts.
+ *
+ * Two tiers:
+ * 1. STRIP — remove known system-prompt markers silently
+ * 2. DETECT — log suspicious patterns without modifying text
+ *
+ * This is defense-in-depth, not a complete solution.
+ * Real protection comes from env isolation (L1 security).
+ *
+ * @param text - Raw user input
+ * @param config - Sanitization config from security section
+ * @returns SanitizationResult with cleaned text and detection info
+ */
+export function sanitizeInput(text: string, config: InputSanitizationConfig): SanitizationResult {
+  if (!config.enabled) {
+    return { text, stripped: 0, suspicious: [], wasSanitized: false }
+  }
+
+  let cleaned = text
+  let stripped = 0
+
+  // Tier 1: Strip markers
+  if (config.stripMarkers) {
+    for (const pattern of STRIP_PATTERNS) {
+      pattern.lastIndex = 0
+      const before = cleaned
+      cleaned = cleaned.replace(pattern, '')
+      if (cleaned !== before) stripped++
+    }
+
+    // User-defined custom patterns
+    for (const patternStr of config.customPatterns) {
+      try {
+        const regex = new RegExp(patternStr, 'gi')
+        const before = cleaned
+        cleaned = cleaned.replace(regex, '')
+        if (cleaned !== before) stripped++
+      } catch {
+        // Invalid regex — skip silently (already warned at config load)
+      }
+    }
+
+    // Clean up leftover whitespace from stripping
+    if (stripped > 0) {
+      cleaned = cleaned.replace(/\n{3,}/g, '\n\n').trim()
+    }
+  }
+
+  // Tier 2: Detect suspicious patterns (on original text, not cleaned)
+  const suspicious: string[] = []
+  if (config.logSuspicious) {
+    for (const { pattern, label } of SUSPICIOUS_PATTERNS) {
+      pattern.lastIndex = 0
+      if (pattern.test(text)) {
+        if (!suspicious.includes(label)) {
+          suspicious.push(label)
+        }
+      }
+    }
+  }
+
+  const wasSanitized = stripped > 0 || suspicious.length > 0
+
+  return { text: cleaned, stripped, suspicious, wasSanitized }
+}
+
+/**
+ * Create a reusable sanitizer function from config.
+ * Analogous to createRedactor() for output — this is for input.
+ */
+export function createSanitizer(
+  config: InputSanitizationConfig,
+): (text: string) => SanitizationResult {
+  return (text: string) => sanitizeInput(text, config)
+}