@smilintux/skcapstone 0.1.0 → 0.2.3

package/src/skcapstone/pillars/identity.py

@@ -8,6 +8,7 @@ No corporate SSO. No OAuth dance. Cryptographic proof of self.
 from __future__ import annotations
 
 import json
+import logging
 import subprocess
 from datetime import datetime, timezone
 from pathlib import Path
@@ -15,6 +16,8 @@ from typing import Optional
 
 from ..models import IdentityState, PillarStatus
 
+logger = logging.getLogger("skcapstone.identity")
+
 
 def generate_identity(
     home: Path,
@@ -44,20 +47,12 @@ def generate_identity(
         status=PillarStatus.DEGRADED,
     )
 
-    try:
-        from capauth.keys import generate_keypair  # type: ignore[import-untyped]
-
-        pub_key, fingerprint = generate_keypair(
-            name=name,
-            email=state.email,
-            output_dir=str(identity_dir),
-        )
-        state.fingerprint = fingerprint
-        state.key_path = identity_dir / "agent.pub"
+    capauth_state = _try_init_capauth(name, state.email, identity_dir)
+    if capauth_state is not None:
+        state.fingerprint = capauth_state.fingerprint
+        state.key_path = capauth_state.key_path
         state.status = PillarStatus.ACTIVE
-    except (ImportError, Exception):
-        # Reason: CapAuth not installed or key generation failed —
-        # record identity metadata anyway so agent has a name
+    else:
         state.fingerprint = _generate_placeholder_fingerprint(name)
         state.status = PillarStatus.DEGRADED
 
@@ -68,11 +63,86 @@ def generate_identity(
         "created_at": state.created_at.isoformat() if state.created_at else None,
         "capauth_managed": state.status == PillarStatus.ACTIVE,
     }
-    (identity_dir / "identity.json").write_text(json.dumps(identity_manifest, indent=2))
+    (identity_dir / "identity.json").write_text(json.dumps(identity_manifest, indent=2), encoding="utf-8")
 
     return state
 
 
+def _try_init_capauth(
+    name: str, email: str, identity_dir: Path
+) -> Optional[IdentityState]:
+    """Try to create or load a real CapAuth identity.
+
+    Attempts (in order):
+    1. Load an existing CapAuth profile from ~/.capauth/
+    2. Create a new profile via capauth.profile.init_profile()
+    3. Fall back to legacy capauth.keys.generate_keypair()
+
+    Args:
+        name: Agent display name.
+        email: Agent email.
+        identity_dir: Path to ~/.skcapstone/identity/.
+
+    Returns:
+        IdentityState with real PGP keys, or None if CapAuth unavailable.
+    """
+    # Try loading an existing CapAuth profile first
+    try:
+        from capauth.profile import load_profile  # type: ignore[import-untyped]
+
+        profile = load_profile()
+        return IdentityState(
+            fingerprint=profile.key_info.fingerprint,
+            key_path=Path(profile.key_info.public_key_path),
+            name=profile.entity.name,
+            email=profile.entity.email,
+            status=PillarStatus.ACTIVE,
+        )
+    except ImportError:
+        return None
+    except Exception as exc:
+        logger.debug("Could not load existing CapAuth profile: %s", exc)
+
+    # No existing profile — try creating one
+    try:
+        from capauth.profile import init_profile  # type: ignore[import-untyped]
+
+        profile = init_profile(
+            name=name,
+            email=email,
+            passphrase="",
+        )
+        return IdentityState(
+            fingerprint=profile.key_info.fingerprint,
+            key_path=Path(profile.key_info.public_key_path),
+            name=profile.entity.name,
+            email=profile.entity.email,
+            status=PillarStatus.ACTIVE,
+        )
+    except Exception as exc:
+        logger.debug("Could not create CapAuth profile: %s", exc)
+
+    # Legacy fallback: capauth.keys.generate_keypair
+    try:
+        from capauth.keys import generate_keypair  # type: ignore[import-untyped]
+
+        _pub_key, fingerprint = generate_keypair(
+            name=name,
+            email=email,
+            output_dir=str(identity_dir),
+        )
+        return IdentityState(
+            fingerprint=fingerprint,
+            key_path=identity_dir / "agent.pub",
+            name=name,
+            email=email,
+            status=PillarStatus.ACTIVE,
+        )
+    except Exception as exc:
+        logger.debug("CapAuth keypair generation failed: %s", exc)
+        return None
+
+
 def _generate_placeholder_fingerprint(name: str) -> str:
     """Generate a deterministic placeholder fingerprint from the agent name.
 

package/src/skcapstone/pillars/memory.py

@@ -31,7 +31,9 @@ def initialize_memory(home: Path, memory_home: Optional[Path] = None) -> MemoryS
     Returns:
         MemoryState after initialization.
     """
-    memory_dir = home / "memory"
+    # Use agent-specific memory directory
+    agent_name = os.environ.get("SKCAPSTONE_AGENT", "lumina")
+    memory_dir = home / "agents" / agent_name / "memory"
     memory_dir.mkdir(parents=True, exist_ok=True)
 
     for layer in MemoryLayer:

package/src/skcapstone/pillars/security.py

@@ -2,16 +2,42 @@
 Security pillar — SKSecurity integration.
 
 Audit everything. Detect threats. Protect the sovereign.
+
+Audit log format is JSONL (one JSON object per line), making entries
+both machine-parseable and append-only safe. Each entry includes a
+timestamp, event type, detail, and the hostname that generated it.
 """
 
 from __future__ import annotations
 
 import json
+import socket
 from datetime import datetime, timezone
 from pathlib import Path
+from typing import Optional
+
+from pydantic import BaseModel, Field
 
 from ..models import PillarStatus, SecurityState
 
+AUDIT_LOG_NAME = "audit.log"
+
+
+class AuditEntry(BaseModel):
+    """A single structured audit log entry.
+
+    Each entry is serialised as one JSON line in the append-only log.
+    """
+
+    timestamp: str = Field(
+        default_factory=lambda: datetime.now(timezone.utc).isoformat()
+    )
+    event_type: str
+    detail: str
+    host: str = Field(default_factory=socket.gethostname)
+    agent: Optional[str] = None
+    metadata: Optional[dict] = None
+
 
 def initialize_security(home: Path) -> SecurityState:
     """Initialize security layer for the agent.
@@ -32,52 +58,119 @@ def initialize_security(home: Path) -> SecurityState:
     try:
         import sksecurity  # type: ignore[import-untyped]
 
-        state.status = PillarStatus.DEGRADED
+        sksecurity_version = getattr(sksecurity, "__version__", None)
     except ImportError:
         security_config = {
             "note": "Install sksecurity (pip install sksecurity) for full security",
             "audit_enabled": True,
         }
-        (security_dir / "security.json").write_text(json.dumps(security_config, indent=2))
+        (security_dir / "security.json").write_text(json.dumps(security_config, indent=2), encoding="utf-8")
         state.status = PillarStatus.DEGRADED
         _init_audit_log(security_dir)
         return state
 
     _init_audit_log(security_dir)
 
+    audit_log = security_dir / AUDIT_LOG_NAME
+    if sksecurity_version and audit_log.exists():
+        state.status = PillarStatus.ACTIVE
+    else:
+        state.status = PillarStatus.DEGRADED
+
     baseline = {
         "threats_detected": 0,
         "last_scan": None,
         "audit_enabled": True,
+        "sksecurity_version": sksecurity_version,
         "initialized_at": datetime.now(timezone.utc).isoformat(),
     }
-    (security_dir / "security.json").write_text(json.dumps(baseline, indent=2))
+    (security_dir / "security.json").write_text(json.dumps(baseline, indent=2), encoding="utf-8")
 
     return state
 
 
 def _init_audit_log(security_dir: Path) -> None:
-    """Create the audit log file with a header entry."""
-    audit_log = security_dir / "audit.log"
+    """Create the audit log file with a structured INIT entry."""
+    audit_log = security_dir / AUDIT_LOG_NAME
     if not audit_log.exists():
-        timestamp = datetime.now(timezone.utc).isoformat()
-        audit_log.write_text(f"[{timestamp}] INIT — SKCapstone security audit log created\n")
+        entry = AuditEntry(
+            event_type="INIT",
+            detail="SKCapstone security audit log created",
+        )
+        audit_log.write_text(entry.model_dump_json() + "\n", encoding="utf-8")
+
 
+def audit_event(
+    home: Path,
+    event_type: str,
+    detail: str,
+    agent: Optional[str] = None,
+    metadata: Optional[dict] = None,
+) -> AuditEntry:
+    """Append a structured event to the audit log.
 
-def audit_event(home: Path, event_type: str, detail: str) -> None:
-    """Append an event to the audit log.
+    Each event is written as a single JSON line (JSONL format),
+    keeping the log append-only and machine-parseable.
 
     Args:
         home: Agent home directory.
-        event_type: Event category (INIT, AUTH, MEMORY, TRUST, etc.).
+        event_type: Event category (INIT, AUTH, MEMORY, TRUST, SYNC,
+            TOKEN_ISSUE, TOKEN_REVOKE, SECURITY, etc.).
         detail: Human-readable event description.
+        agent: Optional agent name that triggered the event.
+        metadata: Optional dict of extra structured data.
+
+    Returns:
+        AuditEntry: The entry that was written.
     """
     security_dir = home / "security"
     security_dir.mkdir(parents=True, exist_ok=True)
-    audit_log = security_dir / "audit.log"
+    audit_log = security_dir / AUDIT_LOG_NAME
+
+    entry = AuditEntry(
+        event_type=event_type,
+        detail=detail,
+        agent=agent,
+        metadata=metadata,
+    )
+
+    with audit_log.open("a", encoding="utf-8") as f:
+        f.write(entry.model_dump_json() + "\n")
+
+    return entry
+
+
+def read_audit_log(home: Path, limit: int = 0) -> list[AuditEntry]:
+    """Read and parse the audit log.
 
-    timestamp = datetime.now(timezone.utc).isoformat()
-    entry = f"[{timestamp}] {event_type} — {detail}\n"
+    Handles both legacy plain-text entries and new JSONL entries
+    gracefully — old lines are wrapped in an AuditEntry with
+    event_type="LEGACY".
 
-    with audit_log.open("a") as f:
-        f.write(entry)
+    Args:
+        home: Agent home directory.
+        limit: Maximum entries to return (0 = all, newest first).
+
+    Returns:
+        list[AuditEntry]: Parsed audit entries.
+    """
+    audit_log = home / "security" / AUDIT_LOG_NAME
+    if not audit_log.exists():
+        return []
+
+    entries: list[AuditEntry] = []
+    for line in audit_log.read_text(encoding="utf-8").splitlines():
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            data = json.loads(line)
+            entries.append(AuditEntry.model_validate(data))
+        except (json.JSONDecodeError, Exception):
+            # Reason: gracefully handle legacy plain-text log lines
+            entries.append(AuditEntry(event_type="LEGACY", detail=line))
+
+    if limit > 0:
+        entries = entries[-limit:]
+
+    return entries

package/src/skcapstone/pillars/sync.py

@@ -21,6 +21,7 @@ from datetime import datetime, timezone
 from pathlib import Path
 from typing import Optional
 
+from .. import SHARED_ROOT
 from ..models import PillarStatus, SyncConfig, SyncState, SyncTransport
 
 logger = logging.getLogger("skcapstone.sync")
@@ -56,7 +57,7 @@ def initialize_sync(home: Path, config: Optional[SyncConfig] = None) -> SyncStat
         "auto_push": config.auto_push,
         "auto_pull": config.auto_pull,
     }
-    (sync_dir / "sync-manifest.json").write_text(json.dumps(manifest, indent=2))
+    (sync_dir / "sync-manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
 
     state = SyncState(
         transport=config.transport,
@@ -88,9 +89,7 @@ def collect_seed(home: Path, agent_name: str) -> Path:
     Returns:
         Path to the generated seed file in the outbox.
     """
-    sync_dir = (home / "sync").expanduser() if not (home / "sync").is_absolute() else home / "sync"
-    if not sync_dir.exists():
-        sync_dir = Path("~/.skcapstone/sync").expanduser()
+    sync_dir = _resolve_sync_dir(home)
     outbox = sync_dir / "outbox"
     outbox.mkdir(parents=True, exist_ok=True)
 
@@ -107,11 +106,11 @@ def collect_seed(home: Path, agent_name: str) -> Path:
 
     identity_file = home / "identity" / "identity.json"
     if identity_file.exists():
-        seed["identity"] = json.loads(identity_file.read_text())
+        seed["identity"] = json.loads(identity_file.read_text(encoding="utf-8"))
 
     trust_file = home / "trust" / "trust.json"
     if trust_file.exists():
-        seed["trust"] = json.loads(trust_file.read_text())
+        seed["trust"] = json.loads(trust_file.read_text(encoding="utf-8"))
         try:
             from .trust import export_febs_for_seed
 
@@ -134,11 +133,11 @@ def collect_seed(home: Path, agent_name: str) -> Path:
 
     manifest_file = home / "manifest.json"
     if manifest_file.exists():
-        seed["manifest"] = json.loads(manifest_file.read_text())
+        seed["manifest"] = json.loads(manifest_file.read_text(encoding="utf-8"))
 
     seed_name = f"{agent_name}-{hostname}-{timestamp.strftime('%Y%m%dT%H%M%SZ')}{SEED_EXTENSION}"
     seed_path = outbox / seed_name
-    seed_path.write_text(json.dumps(seed, indent=2, default=str))
+    seed_path.write_text(json.dumps(seed, indent=2, default=str), encoding="utf-8")
 
     logger.info("Seed collected: %s", seed_path.name)
     return seed_path
@@ -148,16 +147,20 @@ def gpg_encrypt(
     seed_path: Path,
     recipient: Optional[str] = None,
     home: Optional[Path] = None,
+    extra_recipients: Optional[list[str]] = None,
 ) -> Optional[Path]:
     """Encrypt a seed file with GPG.
 
-    Uses the agent's CapAuth key (or specified recipient) for encryption.
-    Armor output for git-friendliness.
+    Encrypts to the agent's own key AND all known peer fingerprints so
+    that every peer in the mesh can independently decrypt the seed they
+    receive via Syncthing. Without peer fingerprints, only the sender
+    can decrypt — which defeats the purpose of sync.
 
     Args:
         seed_path: Path to the plaintext seed file.
-        recipient: GPG recipient (fingerprint/email). Auto-detects if None.
+        recipient: Primary GPG recipient (fingerprint/email). Auto-detects if None.
         home: Agent home directory for key detection.
+        extra_recipients: Additional peer fingerprints to encrypt to.
 
     Returns:
         Path to the encrypted file, or None if encryption failed.
@@ -166,21 +169,32 @@ def gpg_encrypt(
         logger.error("gpg not found in PATH — cannot encrypt")
         return None
 
+    agent_home = home or Path(SHARED_ROOT).expanduser()
+
     if recipient is None:
-        agent_home = home or Path("~/.skcapstone").expanduser()
         recipient = _detect_gpg_key(agent_home)
 
     if recipient is None:
         logger.error("No GPG key found for encryption")
         return None
 
+    # Build recipient list: own key + all known peers
+    all_recipients = [recipient]
+    if extra_recipients:
+        all_recipients.extend(r for r in extra_recipients if r and r != recipient)
+
     encrypted_path = seed_path.parent / (seed_path.name + ".gpg")
 
+    recipient_args: list[str] = []
+    for r in all_recipients:
+        recipient_args += ["--recipient", r]
+
     try:
         subprocess.run(
             [
                 "gpg", "--batch", "--yes", "--trust-model", "always",
-                "--armor", "--encrypt", "--recipient", recipient,
+                "--armor", "--encrypt",
+                *recipient_args,
                 "--output", str(encrypted_path), str(seed_path),
             ],
             capture_output=True,
@@ -188,7 +202,10 @@ def gpg_encrypt(
             check=True,
             timeout=30,
         )
-        logger.info("Encrypted: %s -> %s", seed_path.name, encrypted_path.name)
+        logger.info(
+            "Encrypted: %s -> %s (recipients: %d)",
+            seed_path.name, encrypted_path.name, len(all_recipients),
+        )
         return encrypted_path
     except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as exc:
         logger.error("GPG encryption failed: %s", exc)
@@ -235,6 +252,9 @@ def push_seed(home: Path, agent_name: str, encrypt: bool = True) -> Optional[Pat
     This is the high-level 'push' operation. After this, Syncthing
     (or git) handles propagation to all peers automatically.
 
+    Reads peer_fingerprints from the sync config so seeds are encrypted
+    to all known peers, not just the sender's own key.
+
     Args:
         home: Agent home directory.
         agent_name: Agent display name.
@@ -246,7 +266,8 @@ def push_seed(home: Path, agent_name: str, encrypt: bool = True) -> Optional[Pat
     seed_path = collect_seed(home, agent_name)
 
     if encrypt:
-        encrypted = gpg_encrypt(seed_path, home=home)
+        peer_fingerprints = _load_peer_fingerprints(home)
+        encrypted = gpg_encrypt(seed_path, home=home, extra_recipients=peer_fingerprints)
         if encrypted:
             seed_path.unlink()
             return encrypted
@@ -255,6 +276,29 @@ def push_seed(home: Path, agent_name: str, encrypt: bool = True) -> Optional[Pat
     return seed_path
 
 
+def _load_peer_fingerprints(home: Path) -> list[str]:
+    """Load known peer GPG fingerprints from sync config.
+
+    Args:
+        home: Agent home directory.
+
+    Returns:
+        List of peer fingerprint strings (may be empty).
+    """
+    config_file = home / "config" / "config.yaml"
+    if not config_file.exists():
+        return []
+    try:
+        import yaml as _yaml
+        data = _yaml.safe_load(config_file.read_text(encoding="utf-8")) or {}
+        sync_data = data.get("sync", {})
+        peers = sync_data.get("peer_fingerprints", [])
+        return [str(p) for p in peers if p]
+    except Exception as exc:
+        logger.debug("Could not load peer fingerprints: %s", exc)
+        return []
+
+
 def pull_seeds(home: Path, decrypt: bool = True) -> list[dict]:
     """Pull and process seed files from the inbox.
 
@@ -293,7 +337,7 @@ def pull_seeds(home: Path, decrypt: bool = True) -> list[dict]:
 
         if seed_path.suffix == ".json" or seed_path.name.endswith(SEED_EXTENSION):
             try:
-                data = json.loads(seed_path.read_text())
+                data = json.loads(seed_path.read_text(encoding="utf-8"))
                 seeds.append(data)
 
                 if "memory_entries" in data:
@@ -304,7 +348,7 @@ def pull_seeds(home: Path, decrypt: bool = True) -> list[dict]:
                         if imported:
                             logger.info("Imported %d memories from seed %s", imported, seed_path.name)
                     except Exception as exc:
-                        logger.debug("Could not import seed memories: %s", exc)
+                        logger.warning("Could not import memories from seed %s: %s", seed_path.name, exc)
 
                 if "febs" in data:
                     try:
@@ -314,7 +358,7 @@ def pull_seeds(home: Path, decrypt: bool = True) -> list[dict]:
                         if feb_imported:
                             logger.info("Imported %d FEB(s) from seed %s", feb_imported, seed_path.name)
                     except Exception as exc:
-                        logger.debug("Could not import seed FEBs: %s", exc)
+                        logger.warning("Could not import FEBs from seed %s: %s", seed_path.name, exc)
 
                 archive.mkdir(exist_ok=True)
                 seed_path.rename(archive / seed_path.name)
@@ -343,7 +387,7 @@ def discover_sync(home: Path) -> SyncState:
         return SyncState(sync_path=sync_dir, status=PillarStatus.DEGRADED)
 
     try:
-        data = json.loads(manifest_file.read_text())
+        data = json.loads(manifest_file.read_text(encoding="utf-8"))
     except (json.JSONDecodeError, OSError):
         return SyncState(sync_path=sync_dir, status=PillarStatus.DEGRADED)
 
@@ -370,11 +414,19 @@ def discover_sync(home: Path) -> SyncState:
 
 
 def _resolve_sync_dir(home: Path) -> Path:
-    """Resolve the sync directory path."""
+    """Resolve the sync directory path.
+
+    Prefers the explicitly-passed home/sync (used by tests and
+    single-agent mode), then falls back to SHARED_ROOT/sync for
+    multi-agent mode.
+    """
     sync_dir = home / "sync"
     if sync_dir.exists():
         return sync_dir
-    return Path("~/.skcapstone/sync").expanduser()
+    shared_sync = Path(SHARED_ROOT).expanduser() / "sync"
+    if shared_sync.exists():
+        return shared_sync
+    return sync_dir
 
 
 def _detect_gpg_key(home: Path) -> Optional[str]:
@@ -382,7 +434,7 @@ def _detect_gpg_key(home: Path) -> Optional[str]:
     identity_file = home / "identity" / "identity.json"
     if identity_file.exists():
         try:
-            data = json.loads(identity_file.read_text())
+            data = json.loads(identity_file.read_text(encoding="utf-8"))
             fp = data.get("fingerprint")
             if fp and data.get("capauth_managed"):
                 return fp
@@ -460,14 +512,14 @@ def _load_sync_timestamps(sync_dir: Path, state: SyncState) -> None:
     state_file = sync_dir / "sync-state.json"
     if state_file.exists():
         try:
-            data = json.loads(state_file.read_text())
+            data = json.loads(state_file.read_text(encoding="utf-8"))
             if data.get("last_push"):
                 state.last_push = datetime.fromisoformat(data["last_push"])
             if data.get("last_pull"):
                 state.last_pull = datetime.fromisoformat(data["last_pull"])
             state.peers_known = data.get("peers_known", 0)
-        except (json.JSONDecodeError, OSError, ValueError):
-            pass
+        except (json.JSONDecodeError, OSError, ValueError) as exc:
+            logger.debug("Could not load sync timestamps: %s", exc)
 
 
 def save_sync_state(sync_dir: Path, state: SyncState) -> None:
@@ -483,4 +535,4 @@ def save_sync_state(sync_dir: Path, state: SyncState) -> None:
         "peers_known": state.peers_known,
         "seed_count": state.seed_count,
     }
-    (sync_dir / "sync-state.json").write_text(json.dumps(data, indent=2))
+    (sync_dir / "sync-state.json").write_text(json.dumps(data, indent=2), encoding="utf-8")