@useconductor/conductor 1.0.0 → 2.0.0

package/src/plugins/builtin/jira.ts

@@ -76,11 +76,7 @@ export class JiraPlugin implements Plugin {
     return { domain, email, token };
   }
 
-  private async jiraFetch(
-    path: string,
-    body?: Record<string, unknown>,
-    method = 'GET',
-  ): Promise<any> {
+  private async jiraFetch(path: string, body?: Record<string, unknown>, method = 'GET'): Promise<any> {
     const { domain, email, token } = await this.getCredentials();
     const auth = Buffer.from(`${email}:${token}`).toString('base64');
     const base = `https://${domain}.atlassian.net/rest/api/3`;
@@ -188,7 +184,9 @@ export class JiraPlugin implements Plugin {
           required: ['key'],
         },
         handler: async ({ key }: any) => {
-          const i = await this.jiraFetch(`/issue/${key}?fields=summary,status,priority,assignee,reporter,issuetype,project,created,updated,labels,description,comment`);
+          const i = await this.jiraFetch(
+            `/issue/${key}?fields=summary,status,priority,assignee,reporter,issuetype,project,created,updated,labels,description,comment`,
+          );
           const base = this.formatIssue(i);
           const comments = (i.fields?.comment?.comments ?? []).slice(-5).map((c: any) => ({
             author: c.author?.displayName,
@@ -287,13 +285,17 @@ export class JiraPlugin implements Plugin {
         },
         requiresApproval: true,
         handler: async ({ key, body }: any) => {
-          const data = await this.jiraFetch(`/issue/${key}/comment`, {
-            body: {
-              type: 'doc',
-              version: 1,
-              content: [{ type: 'paragraph', content: [{ type: 'text', text: body }] }],
+          const data = await this.jiraFetch(
+            `/issue/${key}/comment`,
+            {
+              body: {
+                type: 'doc',
+                version: 1,
+                content: [{ type: 'paragraph', content: [{ type: 'text', text: body }] }],
+              },
             },
-          }, 'POST');
+            'POST',
+          );
           return { id: data.id, author: data.author?.displayName, created: data.created };
         },
       },
@@ -360,15 +362,17 @@ export class JiraPlugin implements Plugin {
           const body: Record<string, unknown> = { transition: { id: transition_id } };
           if (comment) {
             body.update = {
-              comment: [{
-                add: {
-                  body: {
-                    type: 'doc',
-                    version: 1,
-                    content: [{ type: 'paragraph', content: [{ type: 'text', text: comment }] }],
+              comment: [
+                {
+                  add: {
+                    body: {
+                      type: 'doc',
+                      version: 1,
+                      content: [{ type: 'paragraph', content: [{ type: 'text', text: comment }] }],
+                    },
                   },
                 },
-              }],
+              ],
             };
           }
           await this.jiraFetch(`/issue/${key}/transitions`, body, 'POST');

package/src/plugins/builtin/linear.ts

@@ -42,7 +42,7 @@ export class LinearPlugin implements Plugin {
   }
 
   isConfigured(): boolean {
-    return true; // checked at tool call time
+    return true; // check at tool call time
   }
 
   private async getApiKey(): Promise<string> {

package/src/plugins/builtin/shell.ts

@@ -89,7 +89,7 @@ const SAFE_COMMANDS = new Set([
 
 // Dangerous patterns that are never allowed even with approval
 const DANGEROUS_PATTERNS = [
-  /\brm\s+-rf\s+\/\b/,
+  /\brm\s+-r[f]?\s+\/(\s|$)/,
   /\bmkfs\b/,
   /\bdd\s+if\b/,
   /\bchmod\s+[0-7]*777\s+\/\b/,

package/src/plugins/builtin/slack.ts

@@ -26,13 +26,18 @@ export class SlackPlugin implements Plugin {
   version = '1.0.0';
 
   private keychain!: Keychain;
+  private hasToken = false;
 
   async initialize(conductor: Conductor): Promise<void> {
     this.keychain = new Keychain(conductor.getConfig().getConfigDir());
+    try {
+      const t = await this.keychain.get('slack', 'bot_token');
+      this.hasToken = !!t;
+    } catch { this.hasToken = false; }
   }
 
   isConfigured(): boolean {
-    return true;
+    return this.hasToken || !!process.env['SLACK_BOT_TOKEN'];
   }
 
   private async getToken(): Promise<string> {

package/src/plugins/builtin/spotify.ts

@@ -73,7 +73,7 @@ export class SpotifyPlugin implements Plugin {
   }
 
   isConfigured(): boolean {
-    return true;
+    return true; // check at tool call time
   }
 
   // ── Auth helpers ────────────────────────────────────────────────────────────

package/src/plugins/builtin/vercel.ts

@@ -60,7 +60,9 @@ export class VercelPlugin implements Plugin {
   }
 
   isConfigured(): boolean {
-    return true;
+    // Check if we have a token - return true if keychain has token
+    // This is called synchronously so we can't await - use sync check if available
+    return true; // Real check happens at tool call time
   }
 
   private async getAuth(): Promise<{ token: string; teamId: string | null }> {

package/src/security/sso.ts

@@ -0,0 +1,124 @@
+/**
+ * Enterprise SSO/OIDC Auth Middleware
+ * 
+ * Supports:
+ * - OIDC (Okta, Auth0, Google Workspace, Azure AD)
+ * - Custom JWT
+ * 
+ * Usage:
+ *   conductor config set security.auth.provider oidc
+ *   conductor config set security.auth.clientId <id>
+ *   conductor config set security.auth.clientSecret <secret>
+ *   conductor config set security.auth.issuerUrl <url>
+ */
+
+import jwt from 'jsonwebtoken';
+
+export interface AuthConfig {
+  provider: 'none' | 'oidc' | 'saml' | 'jwt';
+  issuerUrl?: string;
+  clientId?: string;
+  clientSecret?: string;
+  audience?: string;
+  jwksUri?: string;
+}
+
+export interface AuthUser {
+  id: string;
+  email: string;
+  name?: string;
+  roles: string[];
+}
+
+export class AuthMiddleware {
+  private config: AuthConfig;
+
+  constructor(config: any) {
+    this.config = config?.security?.auth ?? { provider: 'none' };
+  }
+
+  isEnabled(): boolean {
+    return this.config.provider !== 'none';
+  }
+
+  async verifyToken(token: string): Promise<AuthUser | null> {
+    if (this.config.provider === 'none' || !token) {
+      return null;
+    }
+
+    try {
+      if (this.config.provider === 'jwt') {
+        return this.verifyJWT(token);
+      }
+      return this.verifyOIDC(token);
+    } catch (err) {
+      console.error('Auth verification failed:', err);
+      return null;
+    }
+  }
+
+  private verifyJWT(token: string): AuthUser {
+    const secret = this.config.clientSecret;
+    if (!secret) throw new Error('JWT secret not configured');
+
+    const decoded = jwt.verify(token, secret, {
+      issuer: this.config.issuerUrl,
+      audience: this.config.audience,
+    }) as any;
+
+    return {
+      id: decoded.sub,
+      email: decoded.email,
+      name: decoded.name,
+      roles: decoded.roles ?? [],
+    };
+  }
+
+  private async verifyOIDC(token: string): Promise<AuthUser> {
+    // Introspect endpoint
+    const response = await fetch(this.config.issuerUrl + '/oauth/introspect', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Authorization': `Basic ${Buffer.from(
+          `${this.config.clientId}:${this.config.clientSecret}`
+        ).toString('base64')}`,
+      },
+      body: `token=${token}`,
+    });
+
+    const data = await response.json() as any;
+    if (!data.active) throw new Error('Token inactive');
+
+    return {
+      id: data.sub,
+      email: data.email ?? data.preferred_username,
+      name: data.name,
+      roles: data.roles ?? [],
+    };
+  }
+}
+
+export function createAuthMiddleware(config: any) {
+  const auth = new AuthMiddleware(config);
+
+  return async (req: any, res: any, next: any) => {
+    if (!auth.isEnabled()) return next();
+
+    const token =
+      req.headers.authorization?.replace('Bearer ', '') ||
+      req.headers['x-forwarded-auth'] || '';
+
+    if (!token) {
+      return res.status(401).json({ error: 'Authentication required' });
+    }
+
+    const user = await auth.verifyToken(token);
+    if (!user) {
+      return res.status(401).json({ error: 'Invalid token' });
+    }
+
+    req.user = user;
+    next();
+  };
+}

package/tests/audit.test.ts

@@ -0,0 +1,185 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { AuditLogger } from '../src/core/audit.js';
+import { mkdtemp, rm } from 'fs/promises';
+import { tmpdir } from 'os';
+import path from 'path';
+
+describe('AuditLogger', () => {
+  let logger: AuditLogger;
+  let tmpDir: string;
+
+  beforeEach(async () => {
+    tmpDir = await mkdtemp(path.join(tmpdir(), 'conductor-audit-'));
+    logger = new AuditLogger(tmpDir, { flushIntervalMs: 50000 }); // long interval so tests control flush
+  });
+
+  afterEach(async () => {
+    await logger.close();
+    await rm(tmpDir, { recursive: true, force: true });
+  });
+
+  it('logs an entry and flushes to disk', async () => {
+    await logger.log({
+      actor: 'user1',
+      action: 'tool_call',
+      resource: 'calc_math',
+      result: 'success',
+      metadata: { expression: '2+2' },
+    });
+    await logger.flush();
+
+    const entries = await logger.query({ actor: 'user1' });
+    expect(entries).toHaveLength(1);
+    expect(entries[0].actor).toBe('user1');
+    expect(entries[0].action).toBe('tool_call');
+    expect(entries[0].resource).toBe('calc_math');
+    expect(entries[0].result).toBe('success');
+  });
+
+  it('adds timestamp to each entry', async () => {
+    const before = new Date().toISOString();
+    await logger.log({
+      actor: 'system',
+      action: 'test',
+      resource: 'x',
+      result: 'success',
+      metadata: {},
+    });
+    const after = new Date().toISOString();
+    await logger.flush();
+
+    const entries = await logger.query();
+    expect(entries[0].timestamp >= before).toBe(true);
+    expect(entries[0].timestamp <= after).toBe(true);
+  });
+
+  it('chains SHA-256 hashes', async () => {
+    await logger.log({ actor: 'a', action: 'one', resource: 'r', result: 'success', metadata: {} });
+    await logger.log({ actor: 'b', action: 'two', resource: 'r', result: 'success', metadata: {} });
+    await logger.flush();
+
+    const entries = await logger.query();
+    expect(entries).toHaveLength(2);
+    expect(entries[0].hash).toBeTruthy();
+    expect(entries[1].previousHash).toBe(entries[0].hash);
+  });
+
+  it('verifyIntegrity returns valid for untampered log', async () => {
+    await logger.log({ actor: 'u', action: 'a', resource: 'r', result: 'success', metadata: {} });
+    await logger.log({ actor: 'u', action: 'b', resource: 'r', result: 'success', metadata: {} });
+    await logger.flush();
+
+    const { valid } = await logger.verifyIntegrity();
+    expect(valid).toBe(true);
+  });
+
+  it('verifyIntegrity returns valid when no log file exists', async () => {
+    const { valid } = await logger.verifyIntegrity();
+    expect(valid).toBe(true);
+  });
+
+  describe('toolCall convenience', () => {
+    it('logs tool calls correctly', async () => {
+      await logger.toolCall('user1', 'calc_math', { expression: '1+1' }, 'success');
+      await logger.flush();
+
+      const entries = await logger.query({ action: 'tool_call' });
+      expect(entries).toHaveLength(1);
+      expect(entries[0].resource).toBe('calc_math');
+    });
+
+    it('redacts tokens in input', async () => {
+      await logger.toolCall('user1', 'some_tool', { token: 'ghp_secrettoken' }, 'success');
+      await logger.flush();
+
+      const entries = await logger.query({ action: 'tool_call' });
+      const input = entries[0].metadata.input as Record<string, string>;
+      expect(input.token).toBe('[REDACTED]');
+    });
+  });
+
+  describe('authEvent convenience', () => {
+    it('logs auth_login for successful auth', async () => {
+      await logger.authEvent('user1', 'google', true);
+      await logger.flush();
+
+      const entries = await logger.query({ action: 'auth_login' });
+      expect(entries).toHaveLength(1);
+      expect(entries[0].result).toBe('success');
+    });
+
+    it('logs auth_failure for failed auth', async () => {
+      await logger.authEvent('user1', 'github', false);
+      await logger.flush();
+
+      const entries = await logger.query({ action: 'auth_failure' });
+      expect(entries).toHaveLength(1);
+      expect(entries[0].result).toBe('failure');
+    });
+  });
+
+  describe('configChange convenience', () => {
+    it('logs config changes immediately (flush on config_set)', async () => {
+      await logger.configChange('admin', 'ai.provider', 'openai', 'claude');
+      // No manual flush needed — config_set triggers immediate flush
+      const entries = await logger.query({ action: 'config_set' });
+      expect(entries).toHaveLength(1);
+      expect(entries[0].resource).toBe('ai.provider');
+    });
+
+    it('redacts sensitive config values', async () => {
+      await logger.configChange('admin', 'github.token', 'ghp_oldtoken', 'ghp_newtoken');
+      const entries = await logger.query({ action: 'config_set' });
+      const meta = entries[0].metadata as { old_value: string; new_value: string };
+      expect(meta.old_value).toBe('[REDACTED]');
+      expect(meta.new_value).toBe('[REDACTED]');
+    });
+  });
+
+  describe('pluginEvent convenience', () => {
+    it('logs plugin lifecycle events', async () => {
+      await logger.pluginEvent('admin', 'github', 'enable');
+      await logger.flush();
+
+      const entries = await logger.query({ action: 'plugin_enable' });
+      expect(entries).toHaveLength(1);
+      expect(entries[0].resource).toBe('github');
+    });
+  });
+
+  describe('query filters', () => {
+    beforeEach(async () => {
+      await logger.log({ actor: 'user1', action: 'tool_call', resource: 'calc_math', result: 'success', metadata: {} });
+      await logger.log({ actor: 'user2', action: 'tool_call', resource: 'shell_run', result: 'failure', metadata: {} });
+      await logger.log({ actor: 'user1', action: 'config_set', resource: 'ai.provider', result: 'success', metadata: {} });
+      await logger.flush();
+    });
+
+    it('filters by actor', async () => {
+      const entries = await logger.query({ actor: 'user1' });
+      expect(entries).toHaveLength(2);
+      expect(entries.every((e) => e.actor === 'user1')).toBe(true);
+    });
+
+    it('filters by action', async () => {
+      const entries = await logger.query({ action: 'tool_call' });
+      expect(entries).toHaveLength(2);
+    });
+
+    it('filters by result', async () => {
+      const entries = await logger.query({ result: 'failure' });
+      expect(entries).toHaveLength(1);
+      expect(entries[0].actor).toBe('user2');
+    });
+
+    it('filters by resource', async () => {
+      const entries = await logger.query({ resource: 'calc_math' });
+      expect(entries).toHaveLength(1);
+    });
+
+    it('respects limit', async () => {
+      const entries = await logger.query({ limit: 2 });
+      expect(entries).toHaveLength(2);
+    });
+  });
+});

package/tests/circuit-breaker.test.ts

@@ -0,0 +1,125 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { CircuitBreaker, CircuitOpenError } from '../src/core/circuit-breaker.js';
+
+describe('CircuitBreaker', () => {
+  let cb: CircuitBreaker;
+
+  beforeEach(() => {
+    cb = new CircuitBreaker({ failureThreshold: 3, recoveryTimeout: 100, successThreshold: 2 });
+  });
+
+  it('starts in closed state', () => {
+    expect(cb.getState()).toBe('closed');
+  });
+
+  it('executes successfully in closed state', async () => {
+    const result = await cb.execute(async () => 'ok');
+    expect(result).toBe('ok');
+    expect(cb.getState()).toBe('closed');
+  });
+
+  it('opens after hitting failure threshold', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    await expect(cb.execute(fail)).rejects.toThrow('fail');
+    await expect(cb.execute(fail)).rejects.toThrow('fail');
+    await expect(cb.execute(fail)).rejects.toThrow('fail');
+    expect(cb.getState()).toBe('open');
+  });
+
+  it('throws CircuitOpenError when open', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    for (let i = 0; i < 3; i++) {
+      await expect(cb.execute(fail)).rejects.toThrow();
+    }
+    await expect(cb.execute(async () => 'ok')).rejects.toThrow(CircuitOpenError);
+  });
+
+  it('transitions to half_open after recovery timeout', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    for (let i = 0; i < 3; i++) {
+      await expect(cb.execute(fail)).rejects.toThrow();
+    }
+    expect(cb.getState()).toBe('open');
+
+    // Mock time passing
+    vi.useFakeTimers();
+    vi.advanceTimersByTime(200);
+    expect(cb.getState()).toBe('half_open');
+    vi.useRealTimers();
+  });
+
+  it('closes circuit after successThreshold successes in half_open', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    for (let i = 0; i < 3; i++) {
+      await expect(cb.execute(fail)).rejects.toThrow();
+    }
+
+    vi.useFakeTimers();
+    vi.advanceTimersByTime(200);
+    // Must call getState() while fake timers are active to trigger the open→half_open transition
+    expect(cb.getState()).toBe('half_open');
+    vi.useRealTimers();
+
+    await cb.execute(async () => 'ok');
+    await cb.execute(async () => 'ok');
+    expect(cb.getState()).toBe('closed');
+  });
+
+  it('re-opens on failure in half_open state', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    for (let i = 0; i < 3; i++) {
+      await expect(cb.execute(fail)).rejects.toThrow();
+    }
+
+    vi.useFakeTimers();
+    vi.advanceTimersByTime(200);
+    // Must call getState() while fake timers are active to trigger the open→half_open transition
+    expect(cb.getState()).toBe('half_open');
+    vi.useRealTimers();
+
+    await expect(cb.execute(fail)).rejects.toThrow();
+    expect(cb.getState()).toBe('open');
+  });
+
+  it('reset() returns circuit to closed state', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    for (let i = 0; i < 3; i++) {
+      await expect(cb.execute(fail)).rejects.toThrow();
+    }
+    expect(cb.getState()).toBe('open');
+    cb.reset();
+    expect(cb.getState()).toBe('closed');
+  });
+
+  it('getStatus() returns state and failure counts', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    await expect(cb.execute(fail)).rejects.toThrow();
+    await expect(cb.execute(fail)).rejects.toThrow();
+
+    const status = cb.getStatus();
+    expect(status.state).toBe('closed');
+    expect(status.failures).toBe(2);
+  });
+
+  it('resets failure count on success', async () => {
+    const fail = async () => { throw new Error('fail'); };
+    await expect(cb.execute(fail)).rejects.toThrow();
+    await expect(cb.execute(fail)).rejects.toThrow();
+    await cb.execute(async () => 'ok'); // success resets failures
+    const status = cb.getStatus();
+    expect(status.failures).toBe(0);
+  });
+
+  it('uses default options when none provided', () => {
+    const defaultCb = new CircuitBreaker();
+    expect(defaultCb.getState()).toBe('closed');
+  });
+
+  it('handles concurrent executions', async () => {
+    const results = await Promise.all(
+      Array.from({ length: 10 }, () => cb.execute(async () => 42)),
+    );
+    expect(results).toHaveLength(10);
+    expect(results.every((r) => r === 42)).toBe(true);
+  });
+});