@useconductor/conductor 1.0.0 → 2.0.0

package/src/cli/commands/release.ts

@@ -52,9 +52,16 @@ async function run(cmd: string, args: string[], cwd?: string): Promise<string> {
 
 function bumpVersion(current: string, bump: 'patch' | 'minor' | 'major'): string {
   const parts = current.replace(/^v/, '').split('.').map(Number);
-  if (bump === 'major') { parts[0]++; parts[1] = 0; parts[2] = 0; }
-  else if (bump === 'minor') { parts[1]++; parts[2] = 0; }
-  else { parts[2]++; }
+  if (bump === 'major') {
+    parts[0]++;
+    parts[1] = 0;
+    parts[2] = 0;
+  } else if (bump === 'minor') {
+    parts[1]++;
+    parts[2] = 0;
+  } else {
+    parts[2]++;
+  }
   return parts.join('.');
 }
 
@@ -168,7 +175,7 @@ export async function release(): Promise<void> {
   try {
     await run('npx', ['vitest', 'run', '--reporter=dot']);
     ok();
-  } catch (e: any) {
+  } catch {
     const { skipTests } = await inquirer.prompt<{ skipTests: boolean }>([
       {
         type: 'confirm',
@@ -241,8 +248,8 @@ export async function release(): Promise<void> {
   console.log('');
   console.log(
     chalk.bold.white(`  ✓ Published `) +
-    chalk.hex('#FF8C00')(`${pkg.name}@${newVersion}`) +
-    chalk.bold.white(` to npm`),
+      chalk.hex('#FF8C00')(`${pkg.name}@${newVersion}`) +
+      chalk.bold.white(` to npm`),
   );
   console.log('');
   console.log(chalk.dim(`  npm i -g ${pkg.name}`));

package/src/cli/index.ts

@@ -10,7 +10,7 @@ const _require = createRequire(import.meta.url);
 const { version: pkgVersion } = _require('../../package.json') as { version: string };
 
 const program = new Command();
-const conductor = new Conductor();
+const conductor = new Conductor(undefined, { quiet: true });
 
 program
   .name('conductor')
@@ -161,6 +161,15 @@ function registerPluginCommands(parent: Command, cmdName: string): void {
       const { onboard } = await import('./commands/onboard.js');
       await onboard(conductor);
     });
+
+  cmd
+    .command('create')
+    .argument('<name>', 'Plugin name')
+    .description('Scaffold a new plugin with tests')
+    .action(async (name: string) => {
+      const { pluginCreate } = await import('./commands/plugin-create.js');
+      await pluginCreate(name);
+    });
 }
 
 registerPluginCommands(program, 'plugins');
@@ -374,16 +383,6 @@ program
     await doctor(conductor);
   });
 
-// ── Plugin Create ─────────────────────────────────────────────────────
-program
-  .command('plugin create')
-  .argument('<name>', 'Plugin name')
-  .description('Scaffold a new plugin with tests')
-  .action(async (name: string) => {
-    const { pluginCreate } = await import('./commands/plugin-create.js');
-    await pluginCreate(name);
-  });
-
 // ── Health ────────────────────────────────────────────────────────────
 program
   .command('health')
@@ -446,5 +445,160 @@ program
     await release();
   });
 
+// ── Config ────────────────────────────────────────────────────────────────────
+const config = program.command('config').description('Read and write configuration');
+
+config
+  .command('list')
+  .description('Show all configuration keys and values')
+  .option('--json', 'Output as JSON')
+  .option('--show-secrets', 'Include secret values (use with care)')
+  .action(async (opts: { json?: boolean; showSecrets?: boolean }) => {
+    const { configList } = await import('./commands/config.js');
+    await configList(conductor, { json: opts.json, show_secrets: opts.showSecrets });
+  });
+
+config
+  .command('get')
+  .argument('<key>', 'Dot-separated config key, e.g. ai.provider')
+  .description('Get a configuration value')
+  .option('--json', 'Output as JSON')
+  .action(async (key: string, opts: { json?: boolean }) => {
+    const { configGet } = await import('./commands/config.js');
+    await configGet(conductor, key, opts);
+  });
+
+config
+  .command('set')
+  .argument('<key>', 'Dot-separated config key')
+  .argument('<value>', 'Value to set (JSON or string)')
+  .description('Set a configuration value')
+  .action(async (key: string, value: string) => {
+    const { configSet } = await import('./commands/config.js');
+    await configSet(conductor, key, value);
+  });
+
+config
+  .command('path')
+  .description('Print the config file path')
+  .action(async () => {
+    const { configPath } = await import('./commands/config.js');
+    await configPath(conductor);
+  });
+
+config
+  .command('export')
+  .description('Export configuration as JSON')
+  .option('-o, --output <file>', 'Output file (default: stdout)')
+  .action(async (opts: { output?: string }) => {
+    const { configExport } = await import('./commands/config.js');
+    await configExport(conductor, { output: opts.output });
+  });
+
+config
+  .command('reset')
+  .description('Reset configuration to defaults')
+  .option('-y, --yes', 'Skip confirmation prompt')
+  .action(async (opts: { yes?: boolean }) => {
+    const { configReset } = await import('./commands/config.js');
+    await configReset(conductor, opts);
+  });
+
+config
+  .command('validate')
+  .description('Validate configuration structure')
+  .action(async () => {
+    const { configValidate } = await import('./commands/config.js');
+    await configValidate(conductor);
+  });
+
+// ── Audit ─────────────────────────────────────────────────────────────────────
+const audit = program.command('audit').description('Query and verify the tamper-evident audit log');
+
+audit
+  .command('list')
+  .description('List audit log entries')
+  .option('--actor <actor>', 'Filter by actor')
+  .option('--action <action>', 'Filter by action (tool_call, config_set, auth_login, ...)')
+  .option('--tool <tool>', 'Filter by tool/resource name')
+  .option('--result <result>', 'Filter by result (success, failure, denied, timeout)')
+  .option('--since <iso>', 'Show entries after this ISO timestamp')
+  .option('--until <iso>', 'Show entries before this ISO timestamp')
+  .option('-n, --limit <n>', 'Max entries to show', '100')
+  .option('--json', 'Output as JSON')
+  .action(async (opts) => {
+    const { auditList } = await import('./commands/audit.js');
+    await auditList(conductor, opts);
+  });
+
+audit
+  .command('verify')
+  .description('Verify SHA-256 chain integrity — detect tampering')
+  .option('--json', 'Output as JSON')
+  .action(async (opts: { json?: boolean }) => {
+    const { auditVerify } = await import('./commands/audit.js');
+    await auditVerify(conductor, opts);
+  });
+
+audit
+  .command('tail')
+  .description('Stream the audit log in real time')
+  .option('-n, --lines <n>', 'Initial lines to show', '20')
+  .option('--json', 'Output as NDJSON')
+  .action(async (opts: { lines?: string; json?: boolean }) => {
+    const { auditTail } = await import('./commands/audit.js');
+    await auditTail(conductor, opts);
+  });
+
+audit
+  .command('export')
+  .description('Export audit log entries to a file')
+  .option('-o, --output <file>', 'Output file path')
+  .option('--format <fmt>', 'Output format: json or ndjson', 'json')
+  .option('--since <iso>', 'Export entries after this ISO timestamp')
+  .option('--until <iso>', 'Export entries before this ISO timestamp')
+  .action(async (opts) => {
+    const { auditExport } = await import('./commands/audit.js');
+    await auditExport(conductor, opts);
+  });
+
+audit
+  .command('stats')
+  .description('Show audit log summary statistics')
+  .option('--json', 'Output as JSON')
+  .action(async (opts: { json?: boolean }) => {
+    const { auditStats } = await import('./commands/audit.js');
+    await auditStats(conductor, opts);
+  });
+
+audit
+  .command('rotate')
+  .description('Manually rotate the current audit log file')
+  .action(async () => {
+    const { auditRotate } = await import('./commands/audit.js');
+    await auditRotate(conductor);
+  });
+
+// ── Circuit ───────────────────────────────────────────────────────────────────
+const circuit = program.command('circuit').description('View and manage circuit breaker state');
+
+circuit
+  .command('list')
+  .description('Show state of all circuit breakers')
+  .option('--json', 'Output as JSON')
+  .action(async (opts: { json?: boolean }) => {
+    const { circuitList } = await import('./commands/circuit.js');
+    await circuitList(conductor, opts);
+  });
+
+circuit
+  .command('reset')
+  .argument('<tool>', 'Tool name to reset (e.g. shell.exec)')
+  .description('Reset a circuit breaker to closed state')
+  .action(async (tool: string) => {
+    const { circuitReset } = await import('./commands/circuit.js');
+    await circuitReset(conductor, tool);
+  });
+
 // ── Run ──────────────────────────────────────────────────────────────
 program.parse();

package/src/core/audit.ts

@@ -200,10 +200,13 @@ export class AuditLogger {
       for (const line of lines) {
         const entry = JSON.parse(line) as AuditEntry;
 
-        // Reconstruct what the hash should be
+        // Reconstruct what the hash should be — must match log() exactly:
+        // log() hashes: sha256(lastHash + JSON.stringify({...entryFields, timestamp, previousHash: ''}))
+        // where entryFields = {actor, action, resource, result, metadata} (no hash field)
+        const { hash: _hash, previousHash: _prev, ...entryFields } = entry;
         const expectedHash = crypto
           .createHash('sha256')
-          .update(prevHash + JSON.stringify({ ...entry, previousHash: entry.previousHash }))
+          .update(prevHash + JSON.stringify({ ...entryFields, previousHash: '' }))
           .digest('hex');
 
         if (entry.hash !== expectedHash) {

package/src/core/conductor.ts

@@ -1,3 +1,4 @@
+import path from 'path';
 import { ConfigManager } from './config.js';
 import { DatabaseManager } from './database.js';
 import { PluginManager } from '../plugins/manager.js';
@@ -39,6 +40,16 @@ export class Conductor {
     await this.config.initialize();
     await this.db.initialize();
     await this.plugins.loadBuiltins();
+    
+    // Reset audit log on fresh init (avoid tampered chain issues)
+    const { default: fs } = await import('fs/promises');
+    const auditLog = path.join(this.config.getConfigDir(), 'audit', 'audit.log');
+    try {
+      const stat = await fs.stat(auditLog);
+      if (stat.size === 0) await fs.writeFile(auditLog, '', 'utf-8');
+    } catch {
+      // First run
+    }
 
     this.initialized = true;
 

package/src/core/config.ts

@@ -1,6 +1,7 @@
 import fs from 'fs/promises';
 import path from 'path';
 import { homedir } from 'os';
+import { EncryptionManager } from './encryption.js';
 
 export interface ConductorConfig {
   user?: {
@@ -59,11 +60,13 @@ export class ConfigManager {
   private configDir: string;
   private configPath: string;
   private config: ConductorConfig;
+  private encryption: EncryptionManager;
 
   constructor(customPath?: string) {
     this.configDir = customPath || path.join(homedir(), '.conductor');
     this.configPath = path.join(this.configDir, 'config.json');
     this.config = {};
+    this.encryption = new EncryptionManager(this.configDir);
   }
 
   async initialize(): Promise<void> {
@@ -80,10 +83,51 @@ export class ConfigManager {
     await this.load();
   }
 
+  // Encrypt sensitive values before saving
+  private async encryptSensitive(obj: Record<string, unknown>): Promise<Record<string, unknown>> {
+    const SENSITIVE_KEYS = ['key', 'secret', 'token', 'password', 'api_key', 'access_token'];
+    const result: Record<string, unknown> = {};
+
+    for (const [key, value] of Object.entries(obj)) {
+      if (typeof value === 'string' && SENSITIVE_KEYS.some((k) => key.toLowerCase().includes(k))) {
+        result[key] = await this.encryption.encrypt(value);
+      } else if (typeof value === 'object') {
+        result[key] = await this.encryptSensitive(value as Record<string, unknown>);
+      } else {
+        result[key] = value;
+      }
+    }
+
+    return result;
+  }
+
+  // Decrypt sensitive values after loading
+  private async decryptSensitive(obj: Record<string, unknown>): Promise<Record<string, unknown>> {
+    const SENSITIVE_KEYS = ['key', 'secret', 'token', 'password', 'api_key', 'access_token'];
+    const result: Record<string, unknown> = {};
+
+    for (const [key, value] of Object.entries(obj)) {
+      if (typeof value === 'string' && SENSITIVE_KEYS.some((k) => key.toLowerCase().includes(k))) {
+        try {
+          result[key] = await this.encryption.decrypt(value);
+        } catch {
+          result[key] = value; // Not encrypted, use as-is
+        }
+      } else if (typeof value === 'object') {
+        result[key] = await this.decryptSensitive(value as Record<string, unknown>);
+      } else {
+        result[key] = value;
+      }
+    }
+
+    return result;
+  }
+
   async load(): Promise<void> {
     try {
       const data = await fs.readFile(this.configPath, 'utf-8');
-      this.config = JSON.parse(data);
+      const parsed = JSON.parse(data);
+      this.config = await this.decryptSensitive(parsed) as ConductorConfig;
     } catch {
       // Config doesn't exist yet — use defaults
       this.config = {
@@ -106,8 +150,9 @@ export class ConfigManager {
   }
 
   async save(): Promise<void> {
+    const encrypted = await this.encryptSensitive(this.config as unknown as Record<string, unknown>);
     const tmp = this.configPath + '.tmp';
-    await fs.writeFile(tmp, JSON.stringify(this.config, null, 2), 'utf-8');
+    await fs.writeFile(tmp, JSON.stringify(encrypted, null, 2), 'utf-8');
     await fs.rename(tmp, this.configPath);
   }
 

package/src/core/database.ts

@@ -92,6 +92,38 @@ export class DatabaseManager {
       this.db = new SQL.Database();
       await this.createTables();
     }
+
+    // Always run migrations — safe to run on both new and existing databases
+    this.runMigrations();
+  }
+
+  /** Current schema version — bump this whenever tables change. */
+  private static readonly SCHEMA_VERSION = 1;
+
+  private runMigrations(): void {
+    if (!this.db) throw new Error('Database not initialized');
+
+    // Ensure schema_version table exists
+    this.db.run(`
+      CREATE TABLE IF NOT EXISTS schema_version (
+        version INTEGER NOT NULL,
+        applied_at DATETIME DEFAULT CURRENT_TIMESTAMP
+      )
+    `);
+
+    const stmt = this.db.prepare('SELECT MAX(version) AS v FROM schema_version');
+    stmt.step();
+    const row = stmt.getAsObject() as { v: number | null };
+    stmt.free();
+    const current = row.v ?? 0;
+
+    if (current < 1) {
+      // Migration 1: initial schema (all existing tables)
+      this.db.run(`INSERT INTO schema_version (version) VALUES (1)`);
+    }
+
+    // Future migrations go here:
+    // if (current < 2) { this.db.run(`ALTER TABLE ...`); this.db.run(`INSERT INTO schema_version (version) VALUES (2)`); }
   }
 
   private async createTables(): Promise<void> {

package/src/core/encryption.ts

@@ -0,0 +1,110 @@
+/**
+ * Encryption at rest for sensitive config data.
+ * Uses AES-256-GCM with a machine-derived key.
+ */
+
+import crypto from 'crypto';
+import fs from 'fs/promises';
+import path from 'path';
+import os from 'os';
+
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+
+/**
+ * Derive an encryption key from machine-specific data.
+ * The key is stored in the config directory and tied to the machine.
+ */
+export class EncryptionManager {
+  private keyPath: string;
+  private key: Buffer | null = null;
+
+  constructor(configDir: string) {
+    this.keyPath = path.join(configDir, '.key');
+  }
+
+  /**
+   * Get or create the encryption key.
+   */
+  private async getKey(): Promise<Buffer> {
+    if (this.key) return this.key;
+
+    try {
+      const existing = await fs.readFile(this.keyPath);
+      if (existing.length === KEY_LENGTH) {
+        this.key = existing;
+        return this.key;
+      }
+    } catch {
+      /* key doesn't exist - generate new one */
+    }
+
+    // Generate new key
+    this.key = crypto.randomBytes(KEY_LENGTH);
+    await fs.writeFile(this.keyPath, this.key, { mode: 0o600 });
+    return this.key;
+  }
+
+  /**
+   * Encrypt data using AES-256-GCM.
+   */
+  async encrypt(plaintext: string): Promise<string> {
+    const key = await this.getKey();
+    const iv = crypto.randomBytes(IV_LENGTH);
+
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, 'utf8'),
+      cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+
+    // Format: iv + authTag + ciphertext (all base64)
+    const result = Buffer.concat([iv, authTag, encrypted]);
+    return result.toString('base64');
+  }
+
+  /**
+   * Decrypt data using AES-256-GCM.
+   */
+  async decrypt(ciphertext: string): Promise<string> {
+    const key = await this.getKey();
+    const data = Buffer.from(ciphertext, 'base64');
+
+    const iv = data.subarray(0, IV_LENGTH);
+    const authTag = data.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+    const encrypted = data.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final(),
+    ]);
+
+    return decrypted.toString('utf8');
+  }
+
+  /**
+   * Check if encryption has been initialized.
+   */
+  async isInitialized(): Promise<boolean> {
+    try {
+      await fs.access(this.keyPath);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+}
+
+/**
+ * Encrypt a value if it looks sensitive.
+ */
+export function looksEncrypted(value: string): boolean {
+  // Base64 strings that look like encryption output
+  return /^[A-Za-z0-9+/]{40,}={0,2}$/.test(value);
+}

package/src/core/zero-config.ts

@@ -32,12 +32,8 @@ export const ZERO_CONFIG_PLUGINS = [
 
   // Infrastructure - local tools
   'shell', // Safe shell commands (whitelist)
-  'docker', // Local Docker (if installed)
 
-  // GitHub - public data works without auth
-  'github', // Public repos, user info
-
-  // Weather - uses free Open-Meteo API
+  // Weather - uses free Open-Meteo API (no key required)
   'weather', // Weather/current forecasts
 
   // File system tools are built into Shell plugin