aios-core 4.2.13 → 4.2.14

package/pro/license/license-crypto.js

@@ -1,303 +0,0 @@
-/**
- * License Crypto Module
- *
- * Provides cryptographic utilities for license cache encryption:
- * - Machine ID generation (deterministic fingerprint)
- * - PBKDF2 key derivation
- * - AES-256-GCM encryption/decryption
- * - HMAC-SHA256 integrity verification
- *
- * @module pro/license/license-crypto
- * @see ADR-PRO-003 - Feature Gating & Licensing
- * @see Story PRO-6 - License Key & Feature Gating System
- */
-
-'use strict';
-
-const crypto = require('crypto');
-const os = require('os');
-
-/**
- * Configuration constants for cryptographic operations.
- * These values follow security best practices per ADR-PRO-003.
- */
-const CONFIG = {
-  // PBKDF2 settings
-  PBKDF2_ITERATIONS: 100000, // Minimum per ADR-PRO-003
-  PBKDF2_KEY_LENGTH: 32, // 256 bits for AES-256
-  PBKDF2_DIGEST: 'sha256',
-
-  // AES-256-GCM settings
-  AES_ALGORITHM: 'aes-256-gcm',
-  AES_IV_LENGTH: 12, // 96 bits recommended for GCM
-  AES_TAG_LENGTH: 16, // 128 bits auth tag
-
-  // HMAC settings
-  HMAC_ALGORITHM: 'sha256',
-
-  // Salt settings
-  SALT_LENGTH: 16, // 128 bits
-};
-
-/**
- * Generate a deterministic machine identifier.
- *
- * Combines hostname + CPU model + first MAC address to create
- * a unique but reproducible identifier for this machine.
- *
- * @returns {string} SHA-256 hash of machine fingerprint components
- */
-function generateMachineId() {
-  const components = [];
-
-  // Hostname
-  const hostname = os.hostname();
-  components.push(hostname);
-
-  // CPU model (first CPU)
-  const cpus = os.cpus();
-  if (cpus.length > 0) {
-    components.push(cpus[0].model);
-  }
-
-  // First non-internal MAC address
-  const networkInterfaces = os.networkInterfaces();
-  for (const [, interfaces] of Object.entries(networkInterfaces)) {
-    for (const iface of interfaces) {
-      if (!iface.internal && iface.mac && iface.mac !== '00:00:00:00:00:00') {
-        components.push(iface.mac);
-        break;
-      }
-    }
-    // Only use first valid MAC
-    if (components.length > 2) {
-      break;
-    }
-  }
-
-  // Create deterministic hash
-  const fingerprint = components.join('|');
-  return crypto.createHash('sha256').update(fingerprint).digest('hex');
-}
-
-/**
- * Generate a cryptographically secure random salt.
- *
- * @param {number} [length=16] - Salt length in bytes
- * @returns {Buffer} Random salt buffer
- */
-function generateSalt(length = CONFIG.SALT_LENGTH) {
-  return crypto.randomBytes(length);
-}
-
-/**
- * Derive an encryption key from machine ID using PBKDF2.
- *
- * Uses 100,000 iterations minimum per ADR-PRO-003 security requirements.
- *
- * @param {string} machineId - Machine identifier from generateMachineId()
- * @param {Buffer|string} salt - Random salt (Buffer or hex string)
- * @returns {Buffer} 256-bit derived key
- */
-function deriveCacheKey(machineId, salt) {
-  const saltBuffer = Buffer.isBuffer(salt) ? salt : Buffer.from(salt, 'hex');
-
-  return crypto.pbkdf2Sync(
-    machineId,
-    saltBuffer,
-    CONFIG.PBKDF2_ITERATIONS,
-    CONFIG.PBKDF2_KEY_LENGTH,
-    CONFIG.PBKDF2_DIGEST,
-  );
-}
-
-/**
- * Encrypt data using AES-256-GCM.
- *
- * Returns an object containing the encrypted ciphertext, initialization vector,
- * and authentication tag for integrity verification.
- *
- * @param {string|object} data - Data to encrypt (objects are JSON stringified)
- * @param {Buffer|string} key - 256-bit encryption key (Buffer or hex string)
- * @returns {{ ciphertext: string, iv: string, tag: string }} Encrypted data components (hex encoded)
- * @throws {Error} If encryption fails
- */
-function encrypt(data, key) {
-  const keyBuffer = Buffer.isBuffer(key) ? key : Buffer.from(key, 'hex');
-
-  if (keyBuffer.length !== 32) {
-    throw new Error('Encryption key must be 256 bits (32 bytes)');
-  }
-
-  // Generate random IV
-  const iv = crypto.randomBytes(CONFIG.AES_IV_LENGTH);
-
-  // Stringify objects
-  const plaintext = typeof data === 'object' ? JSON.stringify(data) : String(data);
-
-  // Create cipher and encrypt
-  const cipher = crypto.createCipheriv(CONFIG.AES_ALGORITHM, keyBuffer, iv, {
-    authTagLength: CONFIG.AES_TAG_LENGTH,
-  });
-
-  let ciphertext = cipher.update(plaintext, 'utf8', 'hex');
-  ciphertext += cipher.final('hex');
-
-  // Get auth tag
-  const tag = cipher.getAuthTag();
-
-  return {
-    ciphertext,
-    iv: iv.toString('hex'),
-    tag: tag.toString('hex'),
-  };
-}
-
-/**
- * Decrypt data using AES-256-GCM.
- *
- * Verifies the authentication tag to ensure data integrity.
- *
- * @param {{ ciphertext: string, iv: string, tag: string }} encryptedData - Encrypted data object
- * @param {Buffer|string} key - 256-bit encryption key (Buffer or hex string)
- * @param {boolean} [parseJson=true] - Whether to parse result as JSON
- * @returns {string|object} Decrypted data
- * @throws {Error} If decryption fails or authentication fails
- */
-function decrypt(encryptedData, key, parseJson = true) {
-  const { ciphertext, iv, tag } = encryptedData;
-
-  const keyBuffer = Buffer.isBuffer(key) ? key : Buffer.from(key, 'hex');
-
-  if (keyBuffer.length !== 32) {
-    throw new Error('Decryption key must be 256 bits (32 bytes)');
-  }
-
-  const ivBuffer = Buffer.from(iv, 'hex');
-  const tagBuffer = Buffer.from(tag, 'hex');
-
-  // Create decipher
-  const decipher = crypto.createDecipheriv(CONFIG.AES_ALGORITHM, keyBuffer, ivBuffer, {
-    authTagLength: CONFIG.AES_TAG_LENGTH,
-  });
-
-  decipher.setAuthTag(tagBuffer);
-
-  let plaintext = decipher.update(ciphertext, 'hex', 'utf8');
-  plaintext += decipher.final('utf8');
-
-  // Optionally parse as JSON
-  if (parseJson) {
-    try {
-      return JSON.parse(plaintext);
-    } catch {
-      // Return as string if not valid JSON
-      return plaintext;
-    }
-  }
-
-  return plaintext;
-}
-
-/**
- * Compute HMAC-SHA256 for data integrity verification.
- *
- * @param {string|Buffer} data - Data to compute HMAC for
- * @param {Buffer|string} key - HMAC key (Buffer or hex string)
- * @returns {string} HMAC as hex string
- */
-function computeHMAC(data, key) {
-  const keyBuffer = Buffer.isBuffer(key) ? key : Buffer.from(key, 'hex');
-  const dataString = Buffer.isBuffer(data) ? data.toString('utf8') : String(data);
-
-  return crypto.createHmac(CONFIG.HMAC_ALGORITHM, keyBuffer).update(dataString).digest('hex');
-}
-
-/**
- * Verify HMAC matches expected value.
- *
- * Uses timing-safe comparison to prevent timing attacks.
- *
- * @param {string|Buffer} data - Data to verify
- * @param {Buffer|string} key - HMAC key
- * @param {string} expectedHmac - Expected HMAC value (hex string)
- * @returns {boolean} true if HMAC matches
- */
-function verifyHMAC(data, key, expectedHmac) {
-  const computedHmac = computeHMAC(data, key);
-
-  // Use timing-safe comparison
-  const computedBuffer = Buffer.from(computedHmac, 'hex');
-  const expectedBuffer = Buffer.from(expectedHmac, 'hex');
-
-  if (computedBuffer.length !== expectedBuffer.length) {
-    return false;
-  }
-
-  return crypto.timingSafeEqual(computedBuffer, expectedBuffer);
-}
-
-/**
- * Mask a license key for display.
- *
- * Shows only first and last 4 characters: PRO-XXXX-****-****-XXXX
- * CRITICAL: Always use this function when logging or displaying keys.
- *
- * @param {string} key - Full license key
- * @returns {string} Masked key for display
- */
-function maskKey(key) {
-  if (!key || typeof key !== 'string') {
-    return '****-****-****-****';
-  }
-
-  // Handle PRO-XXXX-XXXX-XXXX-XXXX format
-  const parts = key.split('-');
-  if (parts.length !== 5 || parts[0] !== 'PRO') {
-    // Non-standard format, mask all but first/last 4
-    if (key.length <= 8) {
-      return '****';
-    }
-    return `${key.slice(0, 4)}-****-****-${key.slice(-4)}`;
-  }
-
-  // Standard format: PRO-XXXX-XXXX-XXXX-XXXX
-  return `${parts[0]}-${parts[1]}-****-****-${parts[4]}`;
-}
-
-/**
- * Validate license key format.
- *
- * Expected format: PRO-XXXX-XXXX-XXXX-XXXX
- * Where X is alphanumeric (A-Z0-9)
- *
- * @param {string} key - License key to validate
- * @returns {boolean} true if format is valid
- */
-function validateKeyFormat(key) {
-  if (!key || typeof key !== 'string') {
-    return false;
-  }
-
-  // Format: PRO-XXXX-XXXX-XXXX-XXXX (uppercase alphanumeric)
-  const pattern = /^PRO-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$/;
-  return pattern.test(key);
-}
-
-module.exports = {
-  // Core functions per ADR-PRO-003
-  generateMachineId,
-  deriveCacheKey,
-  encrypt,
-  decrypt,
-  computeHMAC,
-
-  // Additional utilities
-  generateSalt,
-  verifyHMAC,
-  maskKey,
-  validateKeyFormat,
-
-  // Exported for testing
-  _CONFIG: CONFIG,
-};

package/scripts/glue/README.md

@@ -1,355 +0,0 @@
-# Glue Script: Compose Agent Prompt
-
-Deterministic prompt composition for autonomous AIOS agents.
-
-## Overview
-
-The glue script (`compose-agent-prompt.cjs`) composes complete prompts for autonomous agents by combining:
-
-1. **Agent Persona** - From `.aios-core/development/agents/{id}.md`
-2. **Task Workflow** - From Mission Router → `.aios-core/development/tasks/{file}.md`
-3. **Extra Resources** - Checklists, templates specified in Mission Router
-4. **Context** - Story files, accumulated context, etc.
-5. **Execution Directive** - Mission-specific instructions
-
-## Architecture
-
-```
-Skill (orchestrator)     → Calls glue script
-       ↓
-Glue Script              → Deterministic composition (~240 lines)
-       ↓ outputs 1500-2000 lines
-Task(general-purpose)    → Agent receives COMPLETE prompt
-       ↓
-Autonomous Execution     → No additional Reads needed
-```
-
-**Benefits:**
-- Lead doesn't burn context with Reads per spawn
-- Agent receives everything upfront (fresh context)
-- Deterministic: same inputs → same output
-- Validatable and testable
-
-## Installation
-
-```bash
-# Already included in project
-# No additional dependencies needed
-```
-
-## Usage
-
-### Basic Usage
-
-```bash
-# Develop a story
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent dev \
-  --mission develop-story \
-  --context path/to/story.md
-
-# Validate a story
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent po \
-  --mission validate-story \
-  --context path/to/expanded.md
-
-# Review implementation
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent qa \
-  --mission gate \
-  --context path/to/story.md \
-  --context path/to/impl-log.md
-```
-
-### Options
-
-| Option | Description | Example |
-|--------|-------------|---------|
-| `--agent <id>` | Agent ID (dev, qa, po, db-sage, etc.) | `--agent dev` |
-| `--mission <keyword>` | Mission from Agent's Router | `--mission develop-story` |
-| `--context <path>` | Context file (repeatable) | `--context story.md` |
-| `--squad <name>` | Explicit squad name for agent resolution | `--squad design` |
-| `--extra-instruction` | Additional instruction | `--extra-instruction "Focus on tests"` |
-| `--verbose` | Show debug info to stderr | `--verbose` |
-| `--list-missions` | List available missions | `--list-missions` |
-
-### Multiple Contexts
-
-```bash
-# Story + accumulated context
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent po \
-  --mission validate \
-  --context story.md \
-  --context accumulated-context.md
-
-# Story + implementation log
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent qa \
-  --mission gate \
-  --context expanded.md \
-  --context impl-log.md
-```
-
-### Mission Aliases
-
-Common shortcuts for mission keywords:
-
-| Alias | Resolves To |
-|-------|-------------|
-| `review` | `gate` |
-| `validate` | `validate-story` |
-| `expand` | `create-story` |
-| `develop` | `develop-story` |
-| `implement` | `develop-story` |
-| `backlog` | `backlog-review` |
-| `draft` | `create-story` |
-
-### List Available Missions
-
-```bash
-# List missions for QA agent
-node scripts/glue/compose-agent-prompt.cjs --agent qa --list-missions
-
-# List missions for PO agent
-node scripts/glue/compose-agent-prompt.cjs --agent po --list-missions
-```
-
-## Integration with Task Tool
-
-```javascript
-// 1. Compose the prompt
-const prompt = await Bash(
-  `node scripts/glue/compose-agent-prompt.cjs \
-    --agent dev \
-    --mission develop-story \
-    --context ${storyPath}`
-);
-
-// 2. Spawn agent with complete prompt
-Task({
-  subagent_type: "general-purpose",
-  model: "opus",  // or "sonnet" for mechanical tasks
-  mode: "bypassPermissions",
-  prompt: prompt.stdout
-});
-```
-
-## Execute-Epic Pipeline
-
-The glue script supports the full execute-epic pipeline:
-
-### Phase 1: Backlog Review (PO)
-```bash
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent po \
-  --mission backlog-review \
-  --context path/to/epic.md
-```
-
-### Phase 2: Development Cycle
-
-**2.1 Expand Story (SM)**
-```bash
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent sm \
-  --mission expand \
-  --context path/to/epic.md \
-  --extra-instruction "Extract story X"
-```
-
-**2.2 Validate Story (PO)**
-```bash
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent po \
-  --mission validate \
-  --context path/to/expanded.md
-```
-
-**2.3 Implement (Dev)**
-```bash
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent dev \
-  --mission develop \
-  --context path/to/expanded.md \
-  --context path/to/accumulated-context.md
-```
-
-**2.4 Review (QA)**
-```bash
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent qa \
-  --mission review \
-  --context path/to/expanded.md \
-  --context path/to/impl-log.md
-```
-
-### Phase 3: Retrospective (PO)
-```bash
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent po \
-  --mission retrospective \
-  --context path/to/accumulated-context.md
-```
-
-## Agent Reference
-
-### Agent Resolution Priority
-
-The glue script resolves agents in this order:
-
-1. `.claude/agents/aios-{id}.md` (AIOS core agents)
-2. `.claude/agents/{id}.md` (standalone agents like db-sage)
-3. `squads/{squad}/agents/{id}.md` (squad-specific agents)
-
-### AIOS Core Agents
-
-| Agent ID | Role | Common Missions |
-|----------|------|-----------------|
-| `dev` | Developer | `develop-story`, `apply-qa-fixes` |
-| `qa` | Quality Assurance | `gate`, `review-story`, `security-scan` |
-| `po` | Product Owner | `validate-story`, `backlog-review` |
-| `sm` | Scrum Master | `create-story`, `expand` |
-| `architect` | Architect | `analyze-impact`, `create-fullstack-arch` |
-| `devops` | DevOps | `commit`, `pre-push`, `create-pr` |
-| `analyst` | Analyst | `market-research`, `competitor-analysis` |
-| `data-engineer` | Data Engineer | `develop-story`, `migration`, `schema-audit` |
-| `ux` | UX Designer | `wireframe`, `audit`, `develop-story` |
-| `pm` | Product Manager | `create-prd`, `create-epic` |
-
-### Specialized Squad Agents
-
-| Agent ID | Squad | Replaces | Common Missions |
-|----------|-------|----------|-----------------|
-| `db-sage` | db-sage | data-engineer (for DB) | `kiss`, `kiss-schema-check`, `setup` |
-| `brad-frost` | design | — | Uses internal `*command` system |
-| `design-chief` | design | — | Squad orchestration |
-| `cyber-chief` | cybersecurity | — | Security audits |
-
-**Note:** Squad agents may use different mission systems. Use `--list-missions` to check available missions for each agent.
-
-### Squad Agent Usage
-
-```bash
-# db-sage uses Mission Router
-node scripts/glue/compose-agent-prompt.cjs --agent db-sage --mission kiss
-
-# brad-frost uses internal command system (load persona only)
-node scripts/glue/compose-agent-prompt.cjs --agent brad-frost --mission audit \
-  --extra-instruction "Execute *audit command from your configuration"
-
-# Explicit squad specification
-node scripts/glue/compose-agent-prompt.cjs --agent my-agent --squad my-squad --mission task
-```
-
-## Prompt Structure
-
-The output prompt has the following structure:
-
-```markdown
-## Agent Persona
-
-[Full agent definition from .aios-core/development/agents/{id}.md]
-
----
-
-## Task Workflow: {mission}
-
-[Task workflow from .aios-core/development/tasks/{file}.md]
-
----
-
-## Checklist: {resource}.md
-
-[Checklists specified in Mission Router]
-
----
-
-## Context
-
-### Context 1: {filename}
-
-[File content]
-
-### Context 2: {filename}
-
-[File content]
-
----
-
-## Execution Directive
-
-Execute the mission "{mission}" following the task workflow above.
-- Follow ALL steps in the task workflow exactly
-- Use Self-Critique checkpoints if defined in the workflow
-- Output artifacts as specified in the workflow
-- Mark success/failure clearly at the end
-
-**Additional Instruction:** {extra-instruction if provided}
-```
-
-## Verbose Mode
-
-Use `--verbose` to see debug information:
-
-```bash
-node scripts/glue/compose-agent-prompt.cjs \
-  --agent dev \
-  --mission develop \
-  --context story.md \
-  --verbose
-```
-
-Output (to stderr):
-```
-[glue] Agent: dev, Mission: develop, Resolved: develop-story
-[glue] Task file: dev-develop-story.md
-[glue] Extra resources: story-dod-checklist.md, self-critique-checklist.md
-[glue] Loading context: story.md
-
-[glue] Prompt stats: 1773 lines, 60117 chars
-[glue] Sections: 6 (persona, task, 2 checklists, 1 contexts, directive)
-```
-
-## Troubleshooting
-
-### Agent file not found
-```
-Error: Agent file not found: .claude/agents/aios-foo.md
-```
-Check that the agent ID is valid. Use one of: dev, qa, po, sm, architect, devops, analyst, data-engineer, ux, pm.
-
-### Mission not found
-```
-## Mission: foo
-No router entry found. Execute mission based on agent expertise.
-```
-Use `--list-missions` to see available missions for the agent.
-
-### Context file not found
-```
-### Context 1
-File not found: /path/to/missing.md
-```
-Verify the context file path is correct.
-
-## Test Results
-
-Pipeline tested with MMOS epic stories:
-
-| Story | Phase | Agent | Duration | Result |
-|-------|-------|-------|----------|--------|
-| MMOS-001 | Develop | dev | 227s | ✅ COMPLETED (verified existing impl) |
-| MMOS-002 | Validate | po | 60s | ✅ APPROVED (impl exists) |
-| MMOS-002 | Review | qa | 345s | ✅ APPROVED (38/38 tests pass) |
-
-**Key Metrics:**
-- Prompt size: 1500-1850 lines per agent
-- Agent autonomy: 100% (no manual intervention)
-- Test pass rate: 100%
-
----
-
-*Created: 2026-02-06*
-*Version: 1.0.0*