@smilintux/skmemory 0.5.0 → 0.7.2

package/tests/test_vault.py

@@ -0,0 +1,186 @@
+"""Tests for the Memory Vault — at-rest encryption.
+
+Covers encrypt/decrypt roundtrip, tamper detection, file operations,
+wrong passphrase handling, and header validation.
+"""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+
+try:
+    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+    CRYPTO_AVAILABLE = True
+except ImportError:
+    CRYPTO_AVAILABLE = False
+
+from skmemory.vault import (
+    VAULT_HEADER,
+    MemoryVault,
+    _derive_key,
+    decrypt_memory_store,
+    encrypt_memory_store,
+)
+
+pytestmark = pytest.mark.skipif(
+    not CRYPTO_AVAILABLE,
+    reason="cryptography package not installed",
+)
+
+
+@pytest.fixture
+def vault() -> MemoryVault:
+    """Provide a vault with a test passphrase."""
+    return MemoryVault(passphrase="pengu-nation-sovereign")
+
+
+@pytest.fixture
+def sample_json() -> bytes:
+    """Sample memory JSON bytes."""
+    return b'{"title": "Test Memory", "content": "This is sovereign data."}'
+
+
+class TestKeyDerivation:
+    """Test PBKDF2 key derivation."""
+
+    def test_derive_key_deterministic(self):
+        """Same passphrase + salt = same key."""
+        salt = b"0" * 16
+        k1 = _derive_key("test", salt)
+        k2 = _derive_key("test", salt)
+        assert k1 == k2
+
+    def test_derive_key_different_salt(self):
+        """Different salt = different key."""
+        k1 = _derive_key("test", b"a" * 16)
+        k2 = _derive_key("test", b"b" * 16)
+        assert k1 != k2
+
+    def test_derive_key_length(self):
+        """Key is 32 bytes (256 bits)."""
+        key = _derive_key("passphrase", b"s" * 16)
+        assert len(key) == 32
+
+
+class TestEncryptDecrypt:
+    """Test core encrypt/decrypt operations."""
+
+    def test_roundtrip(self, vault: MemoryVault, sample_json: bytes):
+        """Encrypt then decrypt recovers original."""
+        encrypted = vault.encrypt(sample_json)
+        decrypted = vault.decrypt(encrypted)
+        assert decrypted == sample_json
+
+    def test_encrypted_has_header(self, vault: MemoryVault, sample_json: bytes):
+        """Encrypted data starts with SKMV1 header."""
+        encrypted = vault.encrypt(sample_json)
+        assert encrypted[:5] == VAULT_HEADER
+
+    def test_different_nonce_each_time(self, vault: MemoryVault, sample_json: bytes):
+        """Same plaintext produces different ciphertext."""
+        e1 = vault.encrypt(sample_json)
+        e2 = vault.encrypt(sample_json)
+        assert e1 != e2
+
+    def test_wrong_passphrase_fails(self, sample_json: bytes):
+        """Decryption with wrong passphrase raises."""
+        vault1 = MemoryVault(passphrase="correct")
+        vault2 = MemoryVault(passphrase="wrong")
+        encrypted = vault1.encrypt(sample_json)
+        with pytest.raises(Exception):
+            vault2.decrypt(encrypted)
+
+    def test_tampered_ciphertext_fails(self, vault: MemoryVault, sample_json: bytes):
+        """Altered ciphertext fails authenticated decryption."""
+        encrypted = bytearray(vault.encrypt(sample_json))
+        encrypted[-10] ^= 0xFF
+        with pytest.raises(Exception):
+            vault.decrypt(bytes(encrypted))
+
+    def test_bad_header_raises(self, vault: MemoryVault):
+        """Non-vault data raises ValueError."""
+        with pytest.raises(ValueError, match="bad header"):
+            vault.decrypt(b"NOT_A_VAULT_FILE_DATA")
+
+    def test_empty_plaintext(self, vault: MemoryVault):
+        """Empty bytes encrypt and decrypt correctly."""
+        encrypted = vault.encrypt(b"")
+        assert vault.decrypt(encrypted) == b""
+
+    def test_large_plaintext(self, vault: MemoryVault):
+        """Large data (1MB) encrypts and decrypts correctly."""
+        big = b"A" * (1024 * 1024)
+        encrypted = vault.encrypt(big)
+        assert vault.decrypt(encrypted) == big
+
+
+class TestFileOperations:
+    """Test file-level encrypt/decrypt."""
+
+    def test_encrypt_file(self, vault: MemoryVault, tmp_path: Path):
+        """encrypt_file creates .vault file and removes original."""
+        original = tmp_path / "memory.json"
+        original.write_bytes(b'{"test": true}')
+
+        vault_path = vault.encrypt_file(original)
+        assert vault_path.exists()
+        assert vault_path.suffix == ".vault"
+        assert not original.exists()
+
+    def test_decrypt_file(self, vault: MemoryVault, tmp_path: Path):
+        """decrypt_file restores the original file."""
+        original = tmp_path / "memory.json"
+        original.write_bytes(b'{"test": true}')
+
+        vault_path = vault.encrypt_file(original)
+        restored = vault.decrypt_file(vault_path)
+
+        assert restored.exists()
+        assert restored.read_bytes() == b'{"test": true}'
+        assert not vault_path.exists()
+
+    def test_encrypt_memory_store(self, tmp_path: Path):
+        """encrypt_memory_store encrypts all JSON files."""
+        for layer in ("short-term", "long-term"):
+            d = tmp_path / layer
+            d.mkdir()
+            (d / "mem1.json").write_bytes(b'{"id": 1}')
+            (d / "mem2.json").write_bytes(b'{"id": 2}')
+
+        count = encrypt_memory_store(tmp_path, "test-pass")
+        assert count == 4
+        assert len(list(tmp_path.rglob("*.vault"))) == 4
+        assert len(list(tmp_path.rglob("*.json"))) == 0
+
+    def test_decrypt_memory_store(self, tmp_path: Path):
+        """decrypt_memory_store decrypts all vault files."""
+        d = tmp_path / "memories"
+        d.mkdir()
+        vault = MemoryVault("test-pass")
+        for i in range(3):
+            f = d / f"mem{i}.json"
+            f.write_bytes(f'{{"id": {i}}}'.encode())
+            vault.encrypt_file(f)
+
+        count = decrypt_memory_store(d, "test-pass")
+        assert count == 3
+        assert len(list(d.rglob("*.json"))) == 3
+
+
+class TestIsEncrypted:
+    """Test encrypted file detection."""
+
+    def test_encrypted_file_detected(self, vault: MemoryVault, tmp_path: Path):
+        """is_encrypted returns True for vault files."""
+        f = tmp_path / "test.json"
+        f.write_bytes(b'{"data": 1}')
+        vf = vault.encrypt_file(f)
+        assert vault.is_encrypted(vf) is True
+
+    def test_plain_file_not_detected(self, vault: MemoryVault, tmp_path: Path):
+        """is_encrypted returns False for plain JSON."""
+        f = tmp_path / "plain.json"
+        f.write_bytes(b'{"data": 1}')
+        assert vault.is_encrypted(f) is False

package/skmemory/backends/falkordb_backend.py

@@ -1,310 +0,0 @@
-"""
-FalkorDB graph backend (Level 2 — relationships).
-
-Enables graph-based memory traversal: "What memories are connected
-to this person?" or "Show me the seed lineage chain." Uses the
-Cypher query language over a Redis-compatible protocol.
-
-Requires:
-    pip install falkordb
-
-FalkorDB is the successor to RedisGraph. Run locally via Docker
-or point to an external instance.
-
-This backend is SUPPLEMENTARY — it indexes relationships alongside
-the primary backend (SQLite or file). It does not store full memory
-content, only the graph edges and key metadata for traversal.
-"""
-
-from __future__ import annotations
-
-import json
-import logging
-from typing import Optional
-
-from ..models import Memory, MemoryLayer
-from .base import BaseBackend
-
-logger = logging.getLogger(__name__)
-
-
-class FalkorDBBackend:
-    """FalkorDB graph backend for memory relationship traversal.
-
-    Not a full BaseBackend — this is a supplementary index for
-    graph queries. The primary backend handles CRUD.
-
-    Args:
-        url: FalkorDB/Redis URL (default: localhost:6379).
-        graph_name: Name of the graph (default: 'skmemory').
-    """
-
-    def __init__(
-        self,
-        url: str = "redis://localhost:6379",
-        graph_name: str = "skmemory",
-    ) -> None:
-        self.url = url
-        self.graph_name = graph_name
-        self._db = None
-        self._graph = None
-        self._initialized = False
-
-    def _ensure_initialized(self) -> bool:
-        """Lazy-initialize the FalkorDB connection.
-
-        Returns:
-            bool: True if connection succeeded.
-        """
-        if self._initialized:
-            return True
-
-        try:
-            from falkordb import FalkorDB
-        except ImportError:
-            logger.warning("falkordb not installed: pip install falkordb")
-            return False
-
-        try:
-            self._db = FalkorDB.from_url(self.url)
-            self._graph = self._db.select_graph(self.graph_name)
-            self._initialized = True
-            return True
-        except Exception as e:
-            logger.warning("FalkorDB connection failed: %s", e)
-            return False
-
-    def index_memory(self, memory: Memory) -> bool:
-        """Add a memory node and its relationships to the graph.
-
-        Args:
-            memory: The memory to index.
-
-        Returns:
-            bool: True if indexed successfully.
-        """
-        if not self._ensure_initialized():
-            return False
-
-        try:
-            self._graph.query(
-                """
-                MERGE (m:Memory {id: $id})
-                SET m.title = $title,
-                    m.layer = $layer,
-                    m.source = $source,
-                    m.intensity = $intensity,
-                    m.created_at = $created_at
-                """,
-                {
-                    "id": memory.id,
-                    "title": memory.title,
-                    "layer": memory.layer.value,
-                    "source": memory.source,
-                    "intensity": memory.emotional.intensity,
-                    "created_at": memory.created_at,
-                },
-            )
-
-            if memory.parent_id:
-                self._graph.query(
-                    """
-                    MATCH (child:Memory {id: $child_id})
-                    MERGE (parent:Memory {id: $parent_id})
-                    MERGE (child)-[:PROMOTED_FROM]->(parent)
-                    """,
-                    {"child_id": memory.id, "parent_id": memory.parent_id},
-                )
-
-            for related_id in memory.related_ids:
-                self._graph.query(
-                    """
-                    MATCH (a:Memory {id: $a_id})
-                    MERGE (b:Memory {id: $b_id})
-                    MERGE (a)-[:RELATED_TO]->(b)
-                    """,
-                    {"a_id": memory.id, "b_id": related_id},
-                )
-
-            for tag in memory.tags:
-                self._graph.query(
-                    """
-                    MATCH (m:Memory {id: $mem_id})
-                    MERGE (t:Tag {name: $tag})
-                    MERGE (m)-[:TAGGED]->(t)
-                    """,
-                    {"mem_id": memory.id, "tag": tag},
-                )
-
-            if memory.source == "seed":
-                creator = next(
-                    (t.split(":", 1)[1] for t in memory.tags if t.startswith("creator:")),
-                    None,
-                )
-                if creator:
-                    self._graph.query(
-                        """
-                        MATCH (m:Memory {id: $mem_id})
-                        MERGE (a:AI {name: $creator})
-                        MERGE (a)-[:PLANTED]->(m)
-                        """,
-                        {"mem_id": memory.id, "creator": creator},
-                    )
-
-            return True
-        except Exception as e:
-            logger.warning("FalkorDB index failed: %s", e)
-            return False
-
-    def get_related(self, memory_id: str, depth: int = 2) -> list[dict]:
-        """Traverse the graph to find related memories.
-
-        Args:
-            memory_id: Starting memory ID.
-            depth: How many hops to traverse (1-5).
-
-        Returns:
-            list[dict]: Related memory nodes with relationship info.
-        """
-        if not self._ensure_initialized():
-            return []
-
-        try:
-            result = self._graph.query(
-                f"""
-                MATCH (start:Memory {{id: $id}})
-                MATCH path = (start)-[*1..{min(depth, 5)}]-(related:Memory)
-                WHERE related.id <> $id
-                RETURN DISTINCT related.id AS id,
-                       related.title AS title,
-                       related.layer AS layer,
-                       related.intensity AS intensity,
-                       length(path) AS distance
-                ORDER BY distance ASC, related.intensity DESC
-                LIMIT 20
-                """,
-                {"id": memory_id},
-            )
-            return [
-                {
-                    "id": row[0],
-                    "title": row[1],
-                    "layer": row[2],
-                    "intensity": row[3],
-                    "distance": row[4],
-                }
-                for row in result.result_set
-            ]
-        except Exception as e:
-            logger.warning("FalkorDB query failed: %s", e)
-            return []
-
-    def get_lineage(self, memory_id: str) -> list[dict]:
-        """Get the promotion/seed lineage chain for a memory.
-
-        Args:
-            memory_id: Starting memory ID.
-
-        Returns:
-            list[dict]: Chain of ancestor memories.
-        """
-        if not self._ensure_initialized():
-            return []
-
-        try:
-            result = self._graph.query(
-                """
-                MATCH (start:Memory {id: $id})
-                MATCH path = (start)-[:PROMOTED_FROM*1..10]->(ancestor:Memory)
-                RETURN ancestor.id AS id,
-                       ancestor.title AS title,
-                       ancestor.layer AS layer,
-                       length(path) AS depth
-                ORDER BY depth ASC
-                """,
-                {"id": memory_id},
-            )
-            return [
-                {
-                    "id": row[0],
-                    "title": row[1],
-                    "layer": row[2],
-                    "depth": row[3],
-                }
-                for row in result.result_set
-            ]
-        except Exception as e:
-            logger.warning("FalkorDB lineage query failed: %s", e)
-            return []
-
-    def get_memory_clusters(self, min_connections: int = 2) -> list[dict]:
-        """Find clusters of highly connected memories.
-
-        Args:
-            min_connections: Minimum edges to be considered a cluster center.
-
-        Returns:
-            list[dict]: Cluster centers with connection counts.
-        """
-        if not self._ensure_initialized():
-            return []
-
-        try:
-            result = self._graph.query(
-                """
-                MATCH (m:Memory)-[r]-(connected:Memory)
-                WITH m, count(DISTINCT connected) AS connections
-                WHERE connections >= $min
-                RETURN m.id AS id,
-                       m.title AS title,
-                       m.layer AS layer,
-                       connections
-                ORDER BY connections DESC
-                LIMIT 20
-                """,
-                {"min": min_connections},
-            )
-            return [
-                {
-                    "id": row[0],
-                    "title": row[1],
-                    "layer": row[2],
-                    "connections": row[3],
-                }
-                for row in result.result_set
-            ]
-        except Exception as e:
-            logger.warning("FalkorDB cluster query failed: %s", e)
-            return []
-
-    def health_check(self) -> dict:
-        """Check FalkorDB backend health.
-
-        Returns:
-            dict: Status with connection and graph info.
-        """
-        if not self._ensure_initialized():
-            return {
-                "ok": False,
-                "backend": "FalkorDBBackend",
-                "error": "Not initialized",
-            }
-
-        try:
-            result = self._graph.query(
-                "MATCH (n) RETURN count(n) AS nodes"
-            )
-            node_count = result.result_set[0][0] if result.result_set else 0
-            return {
-                "ok": True,
-                "backend": "FalkorDBBackend",
-                "url": self.url,
-                "graph": self.graph_name,
-                "node_count": node_count,
-            }
-        except Exception as e:
-            return {
-                "ok": False,
-                "backend": "FalkorDBBackend",
-                "error": str(e),
-            }