@tamyla/clodo-framework 2.0.20 → 3.0.3

package/bin/shared/security/secure-token-manager.js

@@ -0,0 +1,398 @@
+/**
+ * Secure Token Manager
+ * Implements secure token storage, rotation, and access control
+ */
+
+import { readFile, writeFile, access, mkdir } from 'fs/promises';
+import { join } from 'path';
+import { exec } from 'child_process';
+import { promisify } from 'util';
+import crypto from 'crypto';
+
+const execAsync = promisify(exec);
+
+export class SecureTokenManager {
+  constructor(options = {}) {
+    this.frameworkConfig = null; // Will be loaded in initialize()
+    this.config = {
+      tokenDir: options.tokenDir, // Will be set from framework config if not provided
+      encryptionKey: options.encryptionKey || this.generateEncryptionKey(),
+      tokenRotationInterval: options.tokenRotationInterval || 24 * 60 * 60 * 1000, // 24 hours
+      maxTokensPerService: options.maxTokensPerService || 3,
+      enableAudit: options.enableAudit !== false,
+      auditLogPath: options.auditLogPath, // Will be set from framework config if not provided
+      ...options
+    };
+
+    this.tokens = new Map(); // service -> token data
+    this.auditLog = [];
+  }
+
+  /**
+   * Initialize the token manager
+   */
+  async initialize() {
+    try {
+      // Load framework configuration
+      const { frameworkConfig } = await import('../../../src/utils/framework-config.js');
+      this.frameworkConfig = frameworkConfig;
+      
+      // Update paths with framework config
+      const configPaths = this.frameworkConfig.getPaths();
+      
+      this.config.tokenDir = this.config.tokenDir || configPaths.secureTokens;
+      this.config.auditLogPath = this.config.auditLogPath || join(configPaths.auditLogs, 'token-audit.log');
+      
+      console.log(`🔐 Token directory configured: ${this.config.tokenDir}`);
+      console.log(`📋 Token audit log: ${this.config.auditLogPath}`);
+      
+    } catch (error) {
+      console.warn(`⚠️  Could not load framework config: ${error.message}. Using default paths.`);
+      // Use fallback defaults
+      this.config.tokenDir = this.config.tokenDir || '.secure-tokens';
+      this.config.auditLogPath = this.config.auditLogPath || 'token-audit.log';
+    }
+
+    await this.ensureSecureDirectory();
+    await this.loadTokens();
+    await this.rotateExpiredTokens();
+
+    if (this.config.enableAudit) {
+      this.logAuditEvent('TOKEN_MANAGER_INITIALIZED', { timestamp: new Date() });
+    }
+  }
+
+  /**
+   * Store a token securely
+   */
+  async storeToken(service, token, metadata = {}) {
+    const tokenData = {
+      service,
+      token: this.encrypt(token),
+      created: new Date(),
+      expires: new Date(Date.now() + this.config.tokenRotationInterval),
+      metadata: {
+        ...metadata,
+        permissions: metadata.permissions || ['read'],
+        environment: metadata.environment || 'production'
+      },
+      fingerprint: this.generateFingerprint(token)
+    };
+
+    // Check token limits
+    const serviceTokens = this.getServiceTokens(service);
+    if (serviceTokens.length >= this.config.maxTokensPerService) {
+      // Remove oldest token
+      const oldestToken = serviceTokens.sort((a, b) => a.created - b.created)[0];
+      await this.revokeToken(service, oldestToken.fingerprint);
+    }
+
+    this.tokens.set(`${service}_${tokenData.fingerprint}`, tokenData);
+    await this.saveTokens();
+
+    if (this.config.enableAudit) {
+      this.logAuditEvent('TOKEN_STORED', {
+        service,
+        fingerprint: tokenData.fingerprint,
+        permissions: tokenData.metadata.permissions
+      });
+    }
+
+    return tokenData.fingerprint;
+  }
+
+  /**
+   * Retrieve a token securely
+   */
+  async retrieveToken(service, fingerprint, requiredPermissions = []) {
+    const tokenKey = `${service}_${fingerprint}`;
+    const tokenData = this.tokens.get(tokenKey);
+
+    if (!tokenData) {
+      throw new Error(`Token not found for service: ${service}`);
+    }
+
+    // Check expiration
+    if (new Date() > tokenData.expires) {
+      await this.revokeToken(service, fingerprint);
+      throw new Error(`Token expired for service: ${service}`);
+    }
+
+    // Check permissions
+    if (requiredPermissions.length > 0) {
+      const hasPermissions = requiredPermissions.every(perm =>
+        tokenData.metadata.permissions.includes(perm)
+      );
+      if (!hasPermissions) {
+        if (this.config.enableAudit) {
+          this.logAuditEvent('TOKEN_ACCESS_DENIED', {
+            service,
+            fingerprint,
+            requiredPermissions,
+            tokenPermissions: tokenData.metadata.permissions
+          });
+        }
+        throw new Error(`Insufficient permissions for token access`);
+      }
+    }
+
+    if (this.config.enableAudit) {
+      this.logAuditEvent('TOKEN_RETRIEVED', {
+        service,
+        fingerprint,
+        permissions: tokenData.metadata.permissions
+      });
+    }
+
+    return this.decrypt(tokenData.token);
+  }
+
+  /**
+   * Rotate a token
+   */
+  async rotateToken(service, fingerprint, newToken) {
+    const tokenKey = `${service}_${fingerprint}`;
+    const tokenData = this.tokens.get(tokenKey);
+
+    if (!tokenData) {
+      throw new Error(`Token not found for rotation: ${service}`);
+    }
+
+    const newFingerprint = this.generateFingerprint(newToken);
+    const rotatedTokenData = {
+      ...tokenData,
+      token: this.encrypt(newToken),
+      created: new Date(),
+      expires: new Date(Date.now() + this.config.tokenRotationInterval),
+      fingerprint: newFingerprint,
+      rotatedFrom: fingerprint
+    };
+
+    // Remove old token
+    this.tokens.delete(tokenKey);
+
+    // Store new token
+    this.tokens.set(`${service}_${newFingerprint}`, rotatedTokenData);
+    await this.saveTokens();
+
+    if (this.config.enableAudit) {
+      this.logAuditEvent('TOKEN_ROTATED', {
+        service,
+        oldFingerprint: fingerprint,
+        newFingerprint: newFingerprint
+      });
+    }
+
+    return newFingerprint;
+  }
+
+  /**
+   * Revoke a token
+   */
+  async revokeToken(service, fingerprint) {
+    const tokenKey = `${service}_${fingerprint}`;
+    const tokenData = this.tokens.get(tokenKey);
+
+    if (tokenData) {
+      this.tokens.delete(tokenKey);
+      await this.saveTokens();
+
+      if (this.config.enableAudit) {
+        this.logAuditEvent('TOKEN_REVOKED', {
+          service,
+          fingerprint,
+          reason: 'manual_revoke'
+        });
+      }
+    }
+  }
+
+  /**
+   * List tokens for a service
+   */
+  listTokens(service) {
+    const serviceTokens = [];
+    for (const [key, tokenData] of this.tokens) {
+      if (key.startsWith(`${service}_`)) {
+        serviceTokens.push({
+          fingerprint: tokenData.fingerprint,
+          created: tokenData.created,
+          expires: tokenData.expires,
+          permissions: tokenData.metadata.permissions,
+          environment: tokenData.metadata.environment
+        });
+      }
+    }
+    return serviceTokens;
+  }
+
+  /**
+   * Get service tokens
+   */
+  getServiceTokens(service) {
+    const serviceTokens = [];
+    for (const [key, tokenData] of this.tokens) {
+      if (key.startsWith(`${service}_`)) {
+        serviceTokens.push(tokenData);
+      }
+    }
+    return serviceTokens;
+  }
+
+  /**
+   * Rotate expired tokens
+   */
+  async rotateExpiredTokens() {
+    const now = new Date();
+    const expiredTokens = [];
+
+    for (const [key, tokenData] of this.tokens) {
+      if (now > tokenData.expires) {
+        expiredTokens.push({ key, tokenData });
+      }
+    }
+
+    for (const { key, tokenData } of expiredTokens) {
+      this.tokens.delete(key);
+      if (this.config.enableAudit) {
+        this.logAuditEvent('TOKEN_EXPIRED', {
+          service: tokenData.service,
+          fingerprint: tokenData.fingerprint
+        });
+      }
+    }
+
+    if (expiredTokens.length > 0) {
+      await this.saveTokens();
+    }
+  }
+
+  /**
+   * Encrypt token data
+   */
+  encrypt(data) {
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipher('aes-256-gcm', this.config.encryptionKey);
+    cipher.setIV(iv);
+
+    let encrypted = cipher.update(data, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+
+    const authTag = cipher.getAuthTag();
+
+    return {
+      encrypted,
+      iv: iv.toString('hex'),
+      authTag: authTag.toString('hex')
+    };
+  }
+
+  /**
+   * Decrypt token data
+   */
+  decrypt(encryptedData) {
+    const decipher = crypto.createDecipher('aes-256-gcm', this.config.encryptionKey);
+    decipher.setIV(Buffer.from(encryptedData.iv, 'hex'));
+    decipher.setAuthTag(Buffer.from(encryptedData.authTag, 'hex'));
+
+    let decrypted = decipher.update(encryptedData.encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+
+    return decrypted;
+  }
+
+  /**
+   * Generate encryption key
+   */
+  generateEncryptionKey() {
+    return crypto.randomBytes(32).toString('hex');
+  }
+
+  /**
+   * Generate token fingerprint
+   */
+  generateFingerprint(token) {
+    return crypto.createHash('sha256').update(token).digest('hex').substring(0, 16);
+  }
+
+  /**
+   * Ensure secure directory exists
+   */
+  async ensureSecureDirectory() {
+    try {
+      await access(this.config.tokenDir);
+    } catch {
+      await mkdir(this.config.tokenDir, { mode: 0o700 }); // Secure permissions
+    }
+  }
+
+  /**
+   * Save tokens to disk
+   */
+  async saveTokens() {
+    const tokenFile = join(this.config.tokenDir, 'tokens.json');
+    const tokenData = {};
+
+    for (const [key, token] of this.tokens) {
+      tokenData[key] = token;
+    }
+
+    await writeFile(tokenFile, JSON.stringify(tokenData, null, 2));
+  }
+
+  /**
+   * Load tokens from disk
+   */
+  async loadTokens() {
+    try {
+      const tokenFile = join(this.config.tokenDir, 'tokens.json');
+      const data = await readFile(tokenFile, 'utf8');
+      const tokenData = JSON.parse(data);
+
+      for (const [key, token] of Object.entries(tokenData)) {
+        // Convert date strings back to Date objects
+        token.created = new Date(token.created);
+        token.expires = new Date(token.expires);
+        this.tokens.set(key, token);
+      }
+    } catch (error) {
+      // File doesn't exist or is corrupted, start fresh
+      this.tokens.clear();
+    }
+  }
+
+  /**
+   * Log audit event
+   */
+  logAuditEvent(event, details) {
+    const auditEntry = {
+      timestamp: new Date(),
+      event,
+      details
+    };
+
+    this.auditLog.push(auditEntry);
+
+    // Keep only last 1000 entries in memory
+    if (this.auditLog.length > 1000) {
+      this.auditLog.shift();
+    }
+
+    // In a real implementation, you'd write to a secure audit log
+    console.log(`[TOKEN_AUDIT] ${event}:`, details);
+  }
+
+  /**
+   * Get audit log
+   */
+  getAuditLog(limit = 100) {
+    return this.auditLog.slice(-limit);
+  }
+
+  /**
+   * Validate token permissions
+   */
+  validatePermissions(tokenPermissions, requiredPermissions) {
+    return requiredPermissions.every(perm => tokenPermissions.includes(perm));
+  }
+}

package/bin/shared/utils/error-recovery.js

@@ -0,0 +1,225 @@
+/**
+ * Error Recovery Module
+ * Implements circuit breakers, retries, and graceful degradation
+ */
+
+export class ErrorRecoveryManager {
+  constructor(options = {}) {
+    this.options = options;
+    this.config = null;
+    this.circuitStates = new Map(); // service -> { failures, lastFailure, state }
+    this.retryStates = new Map(); // operation -> retry count
+  }
+
+  /**
+   * Initialize with framework configuration
+   */
+  async initialize() {
+    // Import framework config for consistent timing and retry settings
+    const { frameworkConfig } = await import('../../../dist/utils/framework-config.js');
+    const timing = frameworkConfig.getTiming();
+    
+    this.config = {
+      maxRetries: this.options.maxRetries || timing.retryAttempts,
+      retryDelay: this.options.retryDelay || timing.retryDelay,
+      circuitBreakerThreshold: this.options.circuitBreakerThreshold || timing.circuitBreakerThreshold,
+      circuitBreakerTimeout: this.options.circuitBreakerTimeout || timing.circuitBreakerTimeout,
+      gracefulDegradation: this.options.gracefulDegradation !== false,
+      ...this.options
+    };
+  }
+
+  /**
+   * Execute operation with error recovery
+   */
+  async executeWithRecovery(operation, options = {}) {
+    const config = { ...this.config, ...options };
+    const operationId = this.getOperationId(operation);
+
+    // Check circuit breaker
+    if (this.isCircuitOpen(operationId)) {
+      if (config.gracefulDegradation) {
+        return this.executeGracefulFallback(operation, config);
+      }
+      throw new Error(`Circuit breaker open for operation: ${operationId}`);
+    }
+
+    let lastError;
+    for (let attempt = 0; attempt <= config.maxRetries; attempt++) {
+      try {
+        const result = await operation();
+        this.recordSuccess(operationId);
+        return result;
+      } catch (error) {
+        lastError = error;
+        this.recordFailure(operationId, error);
+
+        if (attempt < config.maxRetries) {
+          const delay = this.calculateRetryDelay(attempt, config.retryDelay);
+          await this.delay(delay);
+        }
+      }
+    }
+
+    // All retries exhausted
+    if (config.gracefulDegradation) {
+      return this.executeGracefulFallback(operation, config);
+    }
+
+    throw lastError;
+  }
+
+  /**
+   * Check if circuit breaker is open
+   */
+  isCircuitOpen(operationId) {
+    const state = this.circuitStates.get(operationId);
+    if (!state) return false;
+
+    if (state.state === 'open') {
+      // Check if timeout has passed
+      if (Date.now() - state.lastFailure > this.config.circuitBreakerTimeout) {
+        state.state = 'half-open';
+        state.failures = 0;
+        return false;
+      }
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Record operation success
+   */
+  recordSuccess(operationId) {
+    const state = this.circuitStates.get(operationId);
+    if (state) {
+      if (state.state === 'half-open') {
+        state.state = 'closed';
+        state.failures = 0;
+      }
+    }
+  }
+
+  /**
+   * Record operation failure
+   */
+  recordFailure(operationId, error) {
+    let state = this.circuitStates.get(operationId);
+    if (!state) {
+      state = { failures: 0, lastFailure: 0, state: 'closed' };
+      this.circuitStates.set(operationId, state);
+    }
+
+    state.failures++;
+    state.lastFailure = Date.now();
+
+    if (state.failures >= this.config.circuitBreakerThreshold) {
+      state.state = 'open';
+    }
+  }
+
+  /**
+   * Calculate retry delay with exponential backoff
+   */
+  calculateRetryDelay(attempt, baseDelay) {
+    const exponentialDelay = baseDelay * Math.pow(2, attempt);
+    const jitter = Math.random() * 0.1 * exponentialDelay;
+    return Math.min(exponentialDelay + jitter, 30000); // Max 30 seconds
+  }
+
+  /**
+   * Execute graceful fallback
+   */
+  async executeGracefulFallback(operation, config) {
+    console.warn(`Executing graceful fallback for operation`);
+
+    // Try to execute with reduced functionality
+    try {
+      // For deployment operations, try a simplified version
+      if (operation.name && operation.name.includes('deploy')) {
+        return { success: false, degraded: true, message: 'Operation executed in degraded mode' };
+      }
+
+      // For data operations, return cached or default data
+      if (operation.name && operation.name.includes('fetch')) {
+        return { data: [], cached: true, degraded: true };
+      }
+
+      // Default fallback
+      return { success: false, degraded: true, fallback: true };
+
+    } catch (fallbackError) {
+      console.error('Graceful fallback also failed:', fallbackError);
+      throw fallbackError;
+    }
+  }
+
+  /**
+   * Get unique operation ID
+   */
+  getOperationId(operation) {
+    if (typeof operation === 'function' && operation.name) {
+      return operation.name;
+    }
+    return `operation_${Date.now()}_${Math.random()}`;
+  }
+
+  /**
+   * Utility delay function
+   */
+  delay(ms) {
+    return new Promise(resolve => setTimeout(resolve, ms));
+  }
+
+  /**
+   * Get circuit breaker status
+   */
+  getCircuitStatus(operationId) {
+    const state = this.circuitStates.get(operationId);
+    if (!state) {
+      return { state: 'closed', failures: 0 };
+    }
+    return {
+      state: state.state,
+      failures: state.failures,
+      lastFailure: state.lastFailure,
+      timeSinceLastFailure: Date.now() - state.lastFailure
+    };
+  }
+
+  /**
+   * Reset circuit breaker
+   */
+  resetCircuit(operationId) {
+    this.circuitStates.delete(operationId);
+  }
+
+  /**
+   * Get all circuit statuses
+   */
+  getAllCircuitStatuses() {
+    const statuses = {};
+    for (const [operationId, state] of this.circuitStates) {
+      statuses[operationId] = this.getCircuitStatus(operationId);
+    }
+    return statuses;
+  }
+}
+
+/**
+ * Retry wrapper for functions
+ */
+export function withRetry(fn, options = {}) {
+  const recovery = new ErrorRecoveryManager(options);
+  return (...args) => recovery.executeWithRecovery(() => fn(...args), options);
+}
+
+/**
+ * Circuit breaker wrapper for functions
+ */
+export function withCircuitBreaker(fn, options = {}) {
+  const recovery = new ErrorRecoveryManager(options);
+  return (...args) => recovery.executeWithRecovery(() => fn(...args), options);
+}