@smilintux/skmemory 0.5.0 → 0.9.2

package/tests/test_fortress_hardening.py

@@ -0,0 +1,441 @@
+"""Tests for Memory Fortress hardening — Sprint 6 Layer 3.
+
+Covers:
+- VaultedSQLiteBackend: transparent AES-256-GCM at-rest encryption
+- FortifiedMemoryStore with vault_passphrase
+- seal_all / unseal_all / vault_status
+- Mixed (partially-encrypted) store migration
+- CLI fortress and vault commands
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import pytest
+
+try:
+    import cryptography.hazmat.primitives.ciphers.aead  # noqa: F401
+
+    CRYPTO_AVAILABLE = True
+except ImportError:
+    CRYPTO_AVAILABLE = False
+
+from skmemory.vault import VAULT_HEADER
+
+pytestmark = pytest.mark.skipif(
+    not CRYPTO_AVAILABLE,
+    reason="cryptography package not installed",
+)
+
+
+# ---------------------------------------------------------------------------
+# Fixtures
+# ---------------------------------------------------------------------------
+
+
+@pytest.fixture
+def vaulted_backend(tmp_path):
+    """A VaultedSQLiteBackend with a temp directory."""
+    from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+
+    return VaultedSQLiteBackend(
+        passphrase="pengu-nation-test-key", base_path=str(tmp_path / "memories")
+    )
+
+
+@pytest.fixture
+def plain_backend(tmp_path):
+    """A plain SQLiteBackend for comparison / migration tests."""
+    from skmemory.backends.sqlite_backend import SQLiteBackend
+
+    return SQLiteBackend(base_path=str(tmp_path / "memories"))
+
+
+@pytest.fixture
+def fortress_vaulted(tmp_path):
+    """A FortifiedMemoryStore backed by VaultedSQLiteBackend."""
+    from skmemory.fortress import FortifiedMemoryStore
+
+    return FortifiedMemoryStore(
+        vault_passphrase="pengu-test-passphrase",
+        audit_path=tmp_path / "audit.jsonl",
+        use_sqlite=False,
+        base_path=str(tmp_path / "memories"),
+    )
+
+
+# ---------------------------------------------------------------------------
+# VaultedSQLiteBackend tests
+# ---------------------------------------------------------------------------
+
+
+class TestVaultedSQLiteBackend:
+    def test_save_produces_encrypted_file(self, vaulted_backend, tmp_path):
+        """Saved memory files must start with the SKMV1 vault header."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Secret", content="Classified info")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        # Find the written file
+        files = list((tmp_path / "memories").rglob("*.json"))
+        assert len(files) == 1, "Expected exactly one memory file"
+        raw = files[0].read_bytes()
+        assert raw[: len(VAULT_HEADER)] == VAULT_HEADER, "File must be vault-encrypted"
+
+    def test_load_roundtrip(self, vaulted_backend):
+        """Save then load should return the original memory content."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Trip Memory", content="The roundtrip works perfectly")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        loaded = vaulted_backend.load(mem.id)
+        assert loaded is not None
+        assert loaded.title == "Trip Memory"
+        assert loaded.content == "The roundtrip works perfectly"
+
+    def test_list_memories_with_encryption(self, vaulted_backend):
+        """list_memories should decrypt transparently."""
+        from skmemory.models import Memory
+
+        for i in range(3):
+            mem = Memory(title=f"Memory {i}", content=f"Content {i}")
+            mem.seal()
+            vaulted_backend.save(mem)
+
+        results = vaulted_backend.list_memories(limit=10)
+        assert len(results) == 3
+        titles = {m.title for m in results}
+        assert titles == {"Memory 0", "Memory 1", "Memory 2"}
+
+    def test_reindex_with_encrypted_files(self, vaulted_backend):
+        """reindex() should correctly parse encrypted files."""
+        from skmemory.models import Memory
+
+        for i in range(4):
+            mem = Memory(title=f"Reindex {i}", content=f"Data {i}")
+            mem.seal()
+            vaulted_backend.save(mem)
+
+        count = vaulted_backend.reindex()
+        assert count == 4
+
+    def test_seal_all_encrypts_plaintext(self, tmp_path):
+        """seal_all() should encrypt any plaintext JSON files."""
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+        from skmemory.models import Memory
+
+        mem_path = tmp_path / "memories"
+
+        # First write plaintext via plain backend
+        plain = SQLiteBackend(base_path=str(mem_path))
+        for i in range(3):
+            mem = Memory(title=f"Plain {i}", content=f"Unencrypted {i}")
+            mem.seal()
+            plain.save(mem)
+        plain.close()
+
+        # Now create vaulted backend and seal_all
+        vaulted = VaultedSQLiteBackend(passphrase="seal-test", base_path=str(mem_path))
+        count = vaulted.seal_all()
+        assert count == 3
+
+        # All files should now have vault header
+        for json_file in mem_path.rglob("*.json"):
+            raw = json_file.read_bytes()
+            assert raw[: len(VAULT_HEADER)] == VAULT_HEADER, f"{json_file} not encrypted"
+
+    def test_seal_all_idempotent(self, vaulted_backend):
+        """seal_all() on an already-encrypted store should encrypt 0 files."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Already sealed", content="content")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        count = vaulted_backend.seal_all()
+        assert count == 0, "Re-sealing should skip already-encrypted files"
+
+    def test_unseal_all_decrypts(self, tmp_path):
+        """unseal_all() should decrypt all vault files back to plaintext JSON."""
+        from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+        from skmemory.models import Memory
+
+        mem_path = tmp_path / "memories"
+        vaulted = VaultedSQLiteBackend(passphrase="unseal-test", base_path=str(mem_path))
+
+        for i in range(2):
+            mem = Memory(title=f"Sealed {i}", content=f"Encrypted {i}")
+            mem.seal()
+            vaulted.save(mem)
+
+        count = vaulted.unseal_all()
+        assert count == 2
+
+        # Files should now be valid JSON (not encrypted)
+        for json_file in mem_path.rglob("*.json"):
+            raw = json_file.read_bytes()
+            assert raw[: len(VAULT_HEADER)] != VAULT_HEADER, f"{json_file} still encrypted"
+            parsed = json.loads(raw.decode("utf-8"))
+            assert "title" in parsed
+
+    def test_vault_status_all_encrypted(self, vaulted_backend):
+        """vault_status() should report 100% coverage when all files are encrypted."""
+        from skmemory.models import Memory
+
+        for i in range(3):
+            mem = Memory(title=f"Status {i}", content=f"Data {i}")
+            mem.seal()
+            vaulted_backend.save(mem)
+
+        status = vaulted_backend.vault_status()
+        assert status["total"] == 3
+        assert status["encrypted"] == 3
+        assert status["plaintext"] == 0
+        assert status["coverage_pct"] == 100.0
+
+    def test_vault_status_empty_store(self, vaulted_backend):
+        """vault_status() on an empty store should report 100% (trivially)."""
+        status = vaulted_backend.vault_status()
+        assert status["total"] == 0
+        assert status["coverage_pct"] == 100.0
+
+    def test_wrong_passphrase_fails_load(self, tmp_path):
+        """Loading with wrong passphrase should return None (graceful failure)."""
+        from skmemory.backends.vaulted_backend import VaultedSQLiteBackend
+        from skmemory.models import Memory
+
+        mem_path = tmp_path / "memories"
+        correct = VaultedSQLiteBackend(passphrase="correct-key", base_path=str(mem_path))
+        mem = Memory(title="Locked", content="Top secret")
+        mem.seal()
+        correct.save(mem)
+
+        wrong = VaultedSQLiteBackend(passphrase="wrong-key", base_path=str(mem_path))
+        result = wrong.load(mem.id)
+        assert result is None, "Wrong passphrase should return None, not raise"
+
+    def test_export_all_decrypts(self, vaulted_backend, tmp_path):
+        """export_all() should produce a plaintext JSON backup."""
+        from skmemory.models import Memory
+
+        mem = Memory(title="Export Test", content="Exportable content")
+        mem.seal()
+        vaulted_backend.save(mem)
+
+        backup_path = str(tmp_path / "backup.json")
+        out_path = vaulted_backend.export_all(output_path=backup_path)
+
+        backup = json.loads(Path(out_path).read_text())
+        assert backup["memory_count"] == 1
+        assert backup["memories"][0]["title"] == "Export Test"
+
+
+# ---------------------------------------------------------------------------
+# FortifiedMemoryStore + vault_passphrase integration
+# ---------------------------------------------------------------------------
+
+
+class TestFortifiedMemoryStoreVault:
+    def test_vault_passphrase_activates_encryption(self, fortress_vaulted, tmp_path):
+        """FortifiedMemoryStore with vault_passphrase should encrypt files."""
+        fortress_vaulted.snapshot("Vaulted Title", "Encrypted content")
+
+        # Find the physical file
+        base = fortress_vaulted.primary.base_path
+        files = list(base.rglob("*.json"))
+        assert len(files) == 1
+        raw = files[0].read_bytes()
+        assert raw[: len(VAULT_HEADER)] == VAULT_HEADER, "File should be vault-encrypted"
+
+    def test_vault_active_property(self, fortress_vaulted):
+        """vault_active should be True when vault_passphrase is set."""
+        assert fortress_vaulted.vault_active is True
+
+    def test_vault_active_false_by_default(self, tmp_path):
+        """vault_active should be False without vault_passphrase."""
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.fortress import FortifiedMemoryStore
+
+        backend = SQLiteBackend(base_path=str(tmp_path / "memories"))
+        fortress = FortifiedMemoryStore(
+            primary=backend,
+            use_sqlite=False,
+            audit_path=tmp_path / "audit.jsonl",
+        )
+        assert fortress.vault_active is False
+
+    def test_recall_after_vault_store(self, fortress_vaulted):
+        """recall() should transparently decrypt and verify integrity."""
+        mem = fortress_vaulted.snapshot("Recall Test", "Content for recall")
+        recalled = fortress_vaulted.recall(mem.id)
+
+        assert recalled is not None
+        assert recalled.title == "Recall Test"
+        assert recalled.content == "Content for recall"
+        assert "integrity_warning" not in recalled.metadata
+
+    def test_tamper_alert_on_encrypted_store(self, fortress_vaulted, tmp_path):
+        """Tamper alert should fire even when vault is active."""
+        alerts = []
+        fortress_vaulted.register_alert_callback(alerts.append)
+
+        mem = fortress_vaulted.snapshot("Tamper Me", "Original")
+
+        # Directly corrupt the stored file (bypass encryption by writing junk)
+        raw = fortress_vaulted.primary.load(mem.id)
+        raw.content = "TAMPERED"
+        raw.integrity_hash = mem.integrity_hash  # old hash
+        fortress_vaulted.primary.save(raw)
+
+        recalled = fortress_vaulted.recall(mem.id)
+        assert recalled is not None
+        assert "integrity_warning" in recalled.metadata
+        assert len(alerts) == 1
+
+    def test_vault_status_method(self, fortress_vaulted):
+        """vault_status() on FortifiedMemoryStore should report coverage."""
+        fortress_vaulted.snapshot("Coverage Test", "data")
+        status = fortress_vaulted.vault_status()
+        assert status["total"] == 1
+        assert status["encrypted"] == 1
+        assert status["coverage_pct"] == 100.0
+
+    def test_vault_status_raises_without_vault(self, tmp_path):
+        """vault_status() raises when no vault is configured."""
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.fortress import FortifiedMemoryStore
+
+        backend = SQLiteBackend(base_path=str(tmp_path / "memories"))
+        fortress = FortifiedMemoryStore(
+            primary=backend,
+            use_sqlite=False,
+            audit_path=tmp_path / "audit.jsonl",
+        )
+        with pytest.raises(RuntimeError, match="vault_passphrase"):
+            fortress.vault_status()
+
+    def test_seal_vault_audited(self, fortress_vaulted):
+        """seal_vault() should append an audit record."""
+        fortress_vaulted.snapshot("Pre-existing", "data")
+        fortress_vaulted.seal_vault()
+
+        trail = fortress_vaulted.audit_trail(10)
+        ops = [r["op"] for r in trail]
+        assert "vault_seal" in ops
+
+    def test_unseal_vault(self, fortress_vaulted, tmp_path):
+        """unseal_vault() should decrypt all files and audit the action."""
+        fortress_vaulted.snapshot("Will unseal", "data")
+        count = fortress_vaulted.unseal_vault()
+        assert count >= 0  # Unseal ran without error
+
+        trail = fortress_vaulted.audit_trail(10)
+        ops = [r["op"] for r in trail]
+        assert "vault_unseal" in ops
+
+    def test_verify_all_with_vault(self, fortress_vaulted):
+        """verify_all() should work correctly on an encrypted store."""
+        for i in range(3):
+            fortress_vaulted.snapshot(f"Verify {i}", f"Content {i}")
+
+        result = fortress_vaulted.verify_all()
+        assert result["total"] == 3
+        assert result["passed"] == 3
+        assert result["tampered"] == []
+
+
+# ---------------------------------------------------------------------------
+# CLI integration tests
+# ---------------------------------------------------------------------------
+
+
+class TestFortressCLI:
+    def test_fortress_verify_clean(self, tmp_path):
+        """skmemory fortress verify should exit 0 for a clean store."""
+        from click.testing import CliRunner
+
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.cli import cli
+        from skmemory.store import MemoryStore
+
+        runner = CliRunner()
+
+        result = runner.invoke(
+            cli,
+            ["fortress", "verify"],
+            obj={
+                "store": MemoryStore(primary=SQLiteBackend(base_path=str(tmp_path / "memories"))),
+                "ai": None,
+            },
+        )
+        assert result.exit_code == 0, result.output
+        assert "Total memories" in result.output
+
+    def test_vault_status_cli(self, tmp_path):
+        """skmemory vault status should show encryption coverage."""
+        from click.testing import CliRunner
+
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.cli import cli
+        from skmemory.store import MemoryStore
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            ["vault", "status"],
+            obj={
+                "store": MemoryStore(primary=SQLiteBackend(base_path=str(tmp_path / "memories"))),
+                "ai": None,
+            },
+        )
+        assert result.exit_code == 0, result.output
+        assert "Total files" in result.output
+
+    def test_fortress_audit_cli(self, tmp_path):
+        """skmemory fortress audit should show audit entries."""
+        from click.testing import CliRunner
+
+        from skmemory.cli import cli
+        from skmemory.fortress import AuditLog
+
+        # Seed an audit entry
+        audit = AuditLog(path=tmp_path / "audit.jsonl")
+        audit.append("store", "test-id", ok=True)
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            ["fortress", "audit"],
+            obj={"store": None, "ai": None},
+            env={"SKMEMORY_HOME": str(tmp_path)},
+        )
+        # May fail if SKMEMORY_HOME is not picked up in test, but should not crash
+        assert result.exit_code in (0, 1)
+
+    def test_vault_seal_cli_requires_passphrase(self, tmp_path):
+        """vault seal without passphrase should prompt or fail."""
+        from click.testing import CliRunner
+
+        from skmemory.backends.sqlite_backend import SQLiteBackend
+        from skmemory.cli import cli
+        from skmemory.store import MemoryStore
+
+        runner = CliRunner()
+        result = runner.invoke(
+            cli,
+            ["vault", "seal", "--yes"],
+            input="badpass\nbadpass\n",
+            obj={
+                "store": MemoryStore(primary=SQLiteBackend(base_path=str(tmp_path / "memories"))),
+                "ai": None,
+            },
+        )
+        # Should succeed (0 files to seal in empty store) or error out cleanly
+        assert result.exit_code in (0, 1, 2)

package/tests/test_openclaw.py

@@ -1,6 +1,5 @@
 """Tests for the OpenClaw integration module."""
 
-import json
 from pathlib import Path
 
 import pytest
@@ -91,13 +90,16 @@ class TestPluginContext:
     """Token-efficient context loading."""
 
     def test_load_context_returns_dict(self, plugin):
-        """Context loading returns a structured dict."""
+        """Context loading returns a structured dict with tiered keys."""
         plugin.snapshot("Context test", intensity=8.0)
         ctx = plugin.load_context(max_tokens=1000)
 
         assert isinstance(ctx, dict)
-        assert "memories" in ctx
+        assert "today" in ctx
+        assert "yesterday" in ctx
+        assert "older_summary" in ctx
         assert "token_estimate" in ctx
+        assert "token_budget" in ctx
 
 
 class TestPluginExport:
@@ -115,8 +117,6 @@ class TestPluginExport:
         backup = str(tmp_path / "backup.json")
         plugin.export(backup)
 
-        fresh = SKMemoryPlugin(
-            base_path=str(tmp_path / "fresh_memories")
-        )
+        fresh = SKMemoryPlugin(base_path=str(tmp_path / "fresh_memories"))
         count = fresh.import_backup(backup)
         assert count == 1