agentlock-shared 0.1.0 → 0.2.0

package/src/__tests__/messaging.test.ts

@@ -0,0 +1,83 @@
+import { describe, it, expect } from 'vitest';
+import { SendMessageSchema, AgentSendMessageSchema, ApproveRequestSchema } from '../schemas';
+
+describe('SendMessageSchema', () => {
+  it('accepts valid message with content only', () => {
+    const result = SendMessageSchema.safeParse({ content: 'Hello agent' });
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts message with thread_id and expires_at', () => {
+    const result = SendMessageSchema.safeParse({
+      content: 'Do this task',
+      thread_id: '550e8400-e29b-41d4-a716-446655440000',
+      expires_at: '2026-04-01T12:00:00Z',
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it('rejects empty content', () => {
+    const result = SendMessageSchema.safeParse({ content: '' });
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects content over 4096 chars', () => {
+    const result = SendMessageSchema.safeParse({ content: 'x'.repeat(4097) });
+    expect(result.success).toBe(false);
+  });
+
+  it('rejects invalid thread_id', () => {
+    const result = SendMessageSchema.safeParse({ content: 'hi', thread_id: 'not-a-uuid' });
+    expect(result.success).toBe(false);
+  });
+});
+
+describe('AgentSendMessageSchema', () => {
+  it('requires thread_id', () => {
+    const result = AgentSendMessageSchema.safeParse({ content: 'Reply' });
+    expect(result.success).toBe(false);
+  });
+
+  it('accepts valid reply', () => {
+    const result = AgentSendMessageSchema.safeParse({
+      content: 'I found 3 files',
+      thread_id: '550e8400-e29b-41d4-a716-446655440000',
+    });
+    expect(result.success).toBe(true);
+  });
+});
+
+describe('ApproveRequestSchema with reply_message', () => {
+  it('accepts approve without reply', () => {
+    const result = ApproveRequestSchema.safeParse({ action: 'approve' });
+    expect(result.success).toBe(true);
+  });
+
+  it('accepts approve with reply_message', () => {
+    const result = ApproveRequestSchema.safeParse({
+      action: 'approve',
+      reply_message: 'Only delete files older than 7 days',
+    });
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.reply_message).toBe('Only delete files older than 7 days');
+    }
+  });
+
+  it('accepts deny with reason and reply_message', () => {
+    const result = ApproveRequestSchema.safeParse({
+      action: 'deny',
+      reason: 'Too risky',
+      reply_message: 'Try a safer approach',
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it('rejects reply_message over 2000 chars', () => {
+    const result = ApproveRequestSchema.safeParse({
+      action: 'approve',
+      reply_message: 'x'.repeat(2001),
+    });
+    expect(result.success).toBe(false);
+  });
+});

package/src/__tests__/policy.test.ts

@@ -4,7 +4,8 @@ import type { AgentActionRequest } from '../types.js';
 
 describe('Policy Engine', () => {
   it('should ALLOW read actions by default', () => {
-    const action: AgentActionRequest = { action_type: 'read', tool: 'http', payload: {} };
+    // Use a non-http tool to test the default read policy (http without URL is now correctly blocked)
+    const action: AgentActionRequest = { action_type: 'read', tool: 'demo.list', payload: {} };
     expect(evaluatePolicy(action, DEFAULT_POLICY_RULES).decision).toBe('ALLOW');
   });
 
@@ -49,20 +50,40 @@ describe('Policy Engine', () => {
     expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
   });
 
-  it('should ALLOW admin actions when defaultMode is allow and no matching rule', () => {
+  it('should REQUIRE_APPROVAL for admin actions even when defaultMode is allow', () => {
     const action: AgentActionRequest = { action_type: 'admin', tool: 'system', payload: {} };
     const rules = { ...DEFAULT_POLICY_RULES, defaultMode: 'allow' as const, rules: [] };
     const result = evaluatePolicy(action, rules);
-    expect(result.decision).toBe('ALLOW');
-    expect(result.reason).toBe('Default policy');
+    expect(result.decision).toBe('REQUIRE_APPROVAL');
   });
 
-  it('should ALLOW financial actions when defaultMode is allow and no matching rule', () => {
+  it('should REQUIRE_APPROVAL for financial actions even when defaultMode is allow', () => {
     const action: AgentActionRequest = { action_type: 'financial', tool: 'stripe', payload: {} };
     const rules = { ...DEFAULT_POLICY_RULES, defaultMode: 'allow' as const, rules: [] };
     const result = evaluatePolicy(action, rules);
-    expect(result.decision).toBe('ALLOW');
-    expect(result.reason).toBe('Default policy');
+    expect(result.decision).toBe('REQUIRE_APPROVAL');
+  });
+
+  it('should REQUIRE_APPROVAL for admin action even with explicit ALLOW rule', () => {
+    const action: AgentActionRequest = { action_type: 'admin', tool: 'admin.delete_user', payload: {} };
+    const rules = {
+      ...DEFAULT_POLICY_RULES,
+      defaultMode: 'allow' as const,
+      rules: [{ action_type: 'admin' as const, decision: 'ALLOW' as const }],
+    };
+    const result = evaluatePolicy(action, rules);
+    expect(result.decision).toBe('REQUIRE_APPROVAL');
+  });
+
+  it('should REQUIRE_APPROVAL for financial action even with explicit ALLOW rule', () => {
+    const action: AgentActionRequest = { action_type: 'financial', tool: 'stripe.charge', payload: {} };
+    const rules = {
+      ...DEFAULT_POLICY_RULES,
+      defaultMode: 'allow' as const,
+      rules: [{ action_type: 'financial' as const, decision: 'ALLOW' as const }],
+    };
+    const result = evaluatePolicy(action, rules);
+    expect(result.decision).toBe('REQUIRE_APPROVAL');
   });
 
   it('should still respect explicit rules for admin even with defaultMode allow', () => {
@@ -85,4 +106,117 @@ describe('Policy Engine', () => {
     const rules = { ...DEFAULT_POLICY_RULES, limits: { maxCostPerAction: 100 } };
     expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
   });
+
+  // --- Case-sensitivity bypass tests ---
+
+  it('should enforce HTTP domain allowlist even with mixed-case tool name', () => {
+    const action: AgentActionRequest = {
+      action_type: 'read',
+      tool: 'Http.get',
+      payload: { url: 'https://evil.com/data', method: 'GET' },
+    };
+    const rules = {
+      ...DEFAULT_POLICY_RULES,
+      http: { allowedDomains: ['trusted.com'], allowedMethods: ['GET'], blockList: [] },
+    };
+    expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
+  });
+
+  it('should match tool-specific rules case-insensitively', () => {
+    const action: AgentActionRequest = {
+      action_type: 'read',
+      tool: 'MCP.list_tools',
+      payload: {},
+    };
+    const result = evaluatePolicy(action, DEFAULT_POLICY_RULES);
+    expect(result.decision).toBe('ALLOW');
+  });
+
+  // --- URL edge cases ---
+
+  it('should not match subdomain of blocklisted domain (e.g., notevil.com vs evil.com)', () => {
+    const action: AgentActionRequest = {
+      action_type: 'read',
+      tool: 'http.get',
+      payload: { url: 'https://notevil.com/data', method: 'GET' },
+    };
+    const rules = {
+      ...DEFAULT_POLICY_RULES,
+      http: { allowedDomains: ['notevil.com', 'trusted.com'], allowedMethods: ['GET'], blockList: ['evil.com'] },
+    };
+    expect(evaluatePolicy(action, rules).decision).not.toBe('BLOCK');
+  });
+
+  it('should BLOCK HTTP tool with no URL in payload', () => {
+    const action: AgentActionRequest = {
+      action_type: 'read',
+      tool: 'http.get',
+      payload: {},
+    };
+    const rules = {
+      ...DEFAULT_POLICY_RULES,
+      http: { allowedDomains: ['trusted.com'], allowedMethods: ['GET'], blockList: [] },
+    };
+    expect(evaluatePolicy(action, rules).decision).toBe('BLOCK');
+  });
+
+  // --- Browser tool policy ---
+
+  it('should REQUIRE_APPROVAL for browser.open', () => {
+    const action: AgentActionRequest = {
+      action_type: 'write',
+      tool: 'browser.open',
+      payload: { url: 'https://example.com' },
+    };
+    const result = evaluatePolicy(action, DEFAULT_POLICY_RULES);
+    expect(result.decision).toBe('REQUIRE_APPROVAL');
+  });
+
+  it('should BLOCK browser.* actions without a session (reaching policy engine)', () => {
+    const action: AgentActionRequest = {
+      action_type: 'write',
+      tool: 'browser.click',
+      payload: {},
+    };
+    const result = evaluatePolicy(action, DEFAULT_POLICY_RULES);
+    expect(result.decision).toBe('BLOCK');
+  });
+
+  // --- Unknown action_type ---
+
+  it('should BLOCK unknown action types', () => {
+    const action = {
+      action_type: 'delete' as 'read',
+      tool: 'custom.tool',
+      payload: {},
+    };
+    const result = evaluatePolicy(action, DEFAULT_POLICY_RULES);
+    expect(result.decision).toBe('BLOCK');
+  });
+
+  // --- cost_estimate omission ---
+
+  it('should not enforce budget check when cost_estimate is omitted', () => {
+    const action: AgentActionRequest = {
+      action_type: 'write',
+      tool: 'demo',
+      payload: {},
+      // cost_estimate intentionally omitted
+    };
+    const rules = { ...DEFAULT_POLICY_RULES, limits: { maxCostPerAction: 100 } };
+    // Should match action_type 'write' rule, not be BLOCK-ed by cost limit
+    expect(evaluatePolicy(action, rules).decision).toBe('REQUIRE_APPROVAL');
+  });
+
+  // --- HTTP allowlist not configured ---
+
+  it('should REQUIRE_APPROVAL when HTTP allowlist is empty (safe default)', () => {
+    const action: AgentActionRequest = {
+      action_type: 'read',
+      tool: 'http.get',
+      payload: { url: 'https://any-site.com/data', method: 'GET' },
+    };
+    const result = evaluatePolicy(action, DEFAULT_POLICY_RULES);
+    expect(result.decision).toBe('REQUIRE_APPROVAL');
+  });
 });

package/src/crypto.ts

@@ -1,10 +1,24 @@
 import nacl from 'tweetnacl';
 import { encodeBase64, decodeBase64 } from 'tweetnacl-util';
 
+/**
+ * Envelope encryption prefix. Data encrypted with envelopeEncrypt() is
+ * stored as a single string: "env1:<base64-wrappedDEK>:<base64-payload>".
+ * The decrypt() function detects this prefix and automatically unwraps
+ * using the DEK, maintaining backward compatibility with legacy data
+ * encrypted directly with MASTER_KEY.
+ */
+const ENVELOPE_PREFIX = 'env1:';
+
 export function generateKey(): Uint8Array {
   return nacl.randomBytes(32);
 }
 
+/**
+ * Low-level symmetric encryption using a provided key.
+ * Callers that need envelope encryption (per-data DEK) should use
+ * envelopeEncrypt() instead.
+ */
 export function encrypt(data: string, key: Uint8Array): string {
   const nonce = nacl.randomBytes(nacl.secretbox.nonceLength);
   const message = new TextEncoder().encode(data);
@@ -17,17 +31,125 @@ export function encrypt(data: string, key: Uint8Array): string {
   return encodeBase64(combined);
 }
 
+/**
+ * Low-level symmetric decryption. Handles both envelope-encrypted data
+ * (prefixed with "env1:") and legacy direct-key encrypted data.
+ *
+ * For envelope data: unwraps the per-data DEK using the master key,
+ * then decrypts the payload with the DEK.
+ *
+ * For legacy data: decrypts directly with the provided key, falling
+ * back to MASTER_KEY_PREVIOUS for key rotation support.
+ */
 export function decrypt(encryptedData: string, key: Uint8Array): string {
+  // Detect envelope-encrypted format and handle transparently
+  if (encryptedData.startsWith(ENVELOPE_PREFIX)) {
+    return envelopeDecryptInternal(encryptedData, key);
+  }
+
+  // Legacy format: data encrypted directly with MASTER_KEY
   const combined = decodeBase64(encryptedData);
   const nonce = combined.slice(0, nacl.secretbox.nonceLength);
   const box = combined.slice(nacl.secretbox.nonceLength);
 
   const message = nacl.secretbox.open(box, nonce, key);
-  if (!message) {
-    throw new Error('Decryption failed: invalid key or corrupted data');
+  if (message) {
+    return new TextDecoder().decode(message);
+  }
+
+  // Try previous master key for rotation support
+  const prevKey = getPreviousMasterKey();
+  if (prevKey) {
+    const message2 = nacl.secretbox.open(box, nonce, prevKey);
+    if (message2) {
+      return new TextDecoder().decode(message2);
+    }
+  }
+
+  throw new Error('Decryption failed: invalid key or corrupted data');
+}
+
+/**
+ * Encrypt arbitrary data using a per-data DEK (envelope encryption).
+ * Generates a fresh 256-bit DEK, encrypts the data with it, then wraps
+ * the DEK with the provided master key. Returns a single string in the
+ * format "env1:<wrappedDEK>:<encryptedPayload>" so it fits in a single
+ * database column and is backward-compatible with decrypt().
+ *
+ * Use this instead of encrypt() for all data at rest. Each encrypted
+ * value gets its own DEK, so compromising one ciphertext does not
+ * expose other data -- the attacker still needs the master key to
+ * unwrap any individual DEK.
+ */
+export function envelopeEncrypt(data: string, masterKey: Uint8Array): string {
+  const dek = generateKey();
+  try {
+    const wrappedDEK = encrypt(encodeBase64(dek), masterKey);
+    const encryptedPayload = encrypt(data, dek);
+    return `${ENVELOPE_PREFIX}${wrappedDEK}:${encryptedPayload}`;
+  } finally {
+    // Zero DEK from memory after use (defense-in-depth against heap dumps)
+    dek.fill(0);
+  }
+}
+
+/**
+ * Decrypt data produced by envelopeEncrypt(). Expects the "env1:" prefixed
+ * format. For general use, call decrypt() which auto-detects the format.
+ */
+export function envelopeDecrypt(encryptedData: string, masterKey: Uint8Array): string {
+  if (!encryptedData.startsWith(ENVELOPE_PREFIX)) {
+    throw new Error('Not an envelope-encrypted value (missing env1: prefix)');
+  }
+  return envelopeDecryptInternal(encryptedData, masterKey);
+}
+
+/**
+ * Internal envelope decryption. Parses the "env1:wrappedDEK:payload" format,
+ * unwraps the DEK, and decrypts the payload.
+ */
+function envelopeDecryptInternal(encryptedData: string, masterKey: Uint8Array): string {
+  // Format: "env1:<base64-wrappedDEK>:<base64-encryptedPayload>"
+  // The wrapped DEK itself is a base64 string produced by encrypt(), which
+  // can contain '+', '/', '=' but never ':'. So we split on ':' after the prefix.
+  const withoutPrefix = encryptedData.slice(ENVELOPE_PREFIX.length);
+  const separatorIndex = withoutPrefix.lastIndexOf(':');
+  if (separatorIndex <= 0) {
+    throw new Error('Invalid envelope format: missing DEK/payload separator');
   }
+  const wrappedDEK = withoutPrefix.slice(0, separatorIndex);
+  const encryptedPayload = withoutPrefix.slice(separatorIndex + 1);
 
-  return new TextDecoder().decode(message);
+  if (!wrappedDEK || !encryptedPayload) {
+    throw new Error('Invalid envelope format: empty DEK or payload');
+  }
+
+  // Unwrap the DEK using the master key (with key-rotation fallback)
+  let dekBase64: string;
+  try {
+    dekBase64 = decrypt(wrappedDEK, masterKey);
+  } catch {
+    throw new Error('Envelope decryption failed: could not unwrap DEK');
+  }
+
+  const dek = decodeBase64(dekBase64);
+  try {
+    // Decrypt the payload using the per-data DEK
+    // Use low-level decryption here (not decrypt()) to avoid infinite
+    // recursion on the envelope prefix check -- the inner payload is
+    // always in legacy format.
+    const combined = decodeBase64(encryptedPayload);
+    const nonce = combined.slice(0, nacl.secretbox.nonceLength);
+    const box = combined.slice(nacl.secretbox.nonceLength);
+    const message = nacl.secretbox.open(box, nonce, dek);
+    if (!message) {
+      throw new Error('Envelope decryption failed: payload decryption failed');
+    }
+    return new TextDecoder().decode(message);
+  } finally {
+    // Zero DEK from memory after use
+    dek.fill(0);
+  }
 }
 
 export function encryptDEK(dek: Uint8Array, masterKey: Uint8Array): string {
@@ -44,11 +166,37 @@ export function decryptDEK(encryptedDEK: string, masterKey: Uint8Array): Uint8Ar
 let _cachedMasterKey: Uint8Array | null = null;
 
 export function getMasterKey(): Uint8Array {
-  if (_cachedMasterKey) return _cachedMasterKey;
+  if (_cachedMasterKey) return _cachedMasterKey.slice();
   const key = process.env.MASTER_KEY;
   if (!key) throw new Error('MASTER_KEY environment variable not set');
   _cachedMasterKey = decodeBase64(key);
-  return _cachedMasterKey;
+  return _cachedMasterKey.slice();
+}
+
+// Support MASTER_KEY rotation: try previous key when current key fails
+let _cachedPrevKey: Uint8Array | null = null;
+let _prevKeyChecked = false;
+
+export function getPreviousMasterKey(): Uint8Array | null {
+  if (_prevKeyChecked) return _cachedPrevKey ? _cachedPrevKey.slice() : null;
+  _prevKeyChecked = true;
+  const key = process.env.MASTER_KEY_PREVIOUS;
+  if (!key) return null;
+  _cachedPrevKey = decodeBase64(key);
+  return _cachedPrevKey.slice();
+}
+
+/** Zero and release cached master keys. Call on graceful shutdown. */
+export function clearCachedKeys(): void {
+  if (_cachedMasterKey) {
+    _cachedMasterKey.fill(0);
+    _cachedMasterKey = null;
+  }
+  if (_cachedPrevKey) {
+    _cachedPrevKey.fill(0);
+    _cachedPrevKey = null;
+  }
+  _prevKeyChecked = false;
 }
 
 export function generateMasterKey(): string {

package/src/plans.ts

@@ -5,9 +5,13 @@ export interface PlanLimits {
   agents: number;
   credentials: number;
   members: number;
+  policies: number;
   timelineHistoryDays: number;
   undoEnabled: boolean;
   browserSessions: number;
+  messagesPerMonth: number;
+  messageHistoryDays: number;
+  threadsPerAgent: number;
 }
 
 export interface PlanDefinition extends PlanLimits {
@@ -31,9 +35,13 @@ export const PLANS: Record<PlanId, PlanDefinition> = {
     agents: 3,
     credentials: 2,
     members: 1,
+    policies: 3,
     timelineHistoryDays: 14,
     undoEnabled: false,
     browserSessions: 0,
+    messagesPerMonth: 100,
+    messageHistoryDays: 7,
+    threadsPerAgent: 5,
   },
   pro: {
     id: 'pro',
@@ -46,9 +54,13 @@ export const PLANS: Record<PlanId, PlanDefinition> = {
     agents: 10,
     credentials: 25,
     members: 5,
+    policies: 10,
     timelineHistoryDays: 90,
     undoEnabled: true,
     browserSessions: 2,
+    messagesPerMonth: 5000,
+    messageHistoryDays: 30,
+    threadsPerAgent: 50,
   },
   team: {
     id: 'team',
@@ -61,9 +73,13 @@ export const PLANS: Record<PlanId, PlanDefinition> = {
     agents: 50,
     credentials: Infinity,
     members: 25,
+    policies: 50,
     timelineHistoryDays: 365,
     undoEnabled: true,
     browserSessions: 5,
+    messagesPerMonth: Infinity,
+    messageHistoryDays: 90,
+    threadsPerAgent: Infinity,
   },
 } as const;
 
@@ -75,9 +91,13 @@ export function getPlanLimits(plan: string): PlanLimits {
     agents: def.agents,
     credentials: def.credentials,
     members: def.members,
+    policies: def.policies,
     timelineHistoryDays: def.timelineHistoryDays,
     undoEnabled: def.undoEnabled,
     browserSessions: def.browserSessions,
+    messagesPerMonth: def.messagesPerMonth,
+    messageHistoryDays: def.messageHistoryDays,
+    threadsPerAgent: def.threadsPerAgent,
   };
 }