chainlesschain 0.37.12 → 0.40.1

package/src/lib/pqc-manager.js

@@ -0,0 +1,196 @@
+/**
+ * PQC Manager — post-quantum cryptography key management,
+ * algorithm migration, and hybrid encryption support.
+ */
+
+import crypto from "crypto";
+
+/* ── In-memory stores ──────────────────────────────────────── */
+const _keys = new Map();
+const _migrations = new Map();
+
+const PQC_ALGORITHMS = {
+  ML_KEM_768: "ML-KEM-768",
+  ML_KEM_1024: "ML-KEM-1024",
+  ML_DSA_65: "ML-DSA-65",
+  ML_DSA_87: "ML-DSA-87",
+  HYBRID_X25519_ML_KEM: "HYBRID-X25519-ML-KEM",
+  HYBRID_ED25519_ML_DSA: "HYBRID-ED25519-ML-DSA",
+};
+
+const KEY_PURPOSES = {
+  ENCRYPTION: "encryption",
+  SIGNING: "signing",
+  KEY_EXCHANGE: "key_exchange",
+};
+
+const MIGRATION_STATUS = {
+  PENDING: "pending",
+  IN_PROGRESS: "in_progress",
+  COMPLETED: "completed",
+  FAILED: "failed",
+};
+
+/* ── Schema ────────────────────────────────────────────────── */
+
+export function ensurePQCTables(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS pqc_keys (
+      id TEXT PRIMARY KEY,
+      algorithm TEXT NOT NULL,
+      purpose TEXT,
+      public_key TEXT,
+      key_size INTEGER,
+      hybrid_mode INTEGER DEFAULT 0,
+      classical_algorithm TEXT,
+      status TEXT DEFAULT 'active',
+      metadata TEXT,
+      created_at TEXT DEFAULT (datetime('now'))
+    )
+  `);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS pqc_migration_status (
+      id TEXT PRIMARY KEY,
+      plan_name TEXT,
+      source_algorithm TEXT,
+      target_algorithm TEXT,
+      total_keys INTEGER DEFAULT 0,
+      migrated_keys INTEGER DEFAULT 0,
+      status TEXT DEFAULT 'pending',
+      started_at TEXT,
+      completed_at TEXT,
+      error_message TEXT,
+      created_at TEXT DEFAULT (datetime('now'))
+    )
+  `);
+}
+
+/* ── Key Management ───────────────────────────────────────── */
+
+export function listKeys(filter = {}) {
+  let keys = [..._keys.values()];
+  if (filter.algorithm) {
+    keys = keys.filter((k) => k.algorithm === filter.algorithm);
+  }
+  if (filter.status) {
+    keys = keys.filter((k) => k.status === filter.status);
+  }
+  return keys;
+}
+
+export function generateKey(db, algorithm, purpose, opts = {}) {
+  if (!algorithm) throw new Error("Algorithm is required");
+
+  const validAlgorithms = Object.values(PQC_ALGORITHMS);
+  if (!validAlgorithms.includes(algorithm)) {
+    throw new Error(
+      `Invalid algorithm: ${algorithm}. Valid: ${validAlgorithms.join(", ")}`,
+    );
+  }
+
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  const keySize =
+    algorithm.includes("1024") || algorithm.includes("87") ? 1024 : 768;
+  const publicKey = crypto.randomBytes(keySize / 8).toString("hex");
+  const isHybrid = algorithm.startsWith("HYBRID");
+  const classicalAlgorithm = isHybrid
+    ? algorithm.includes("X25519")
+      ? "X25519"
+      : "Ed25519"
+    : null;
+
+  const key = {
+    id,
+    algorithm,
+    purpose: purpose || KEY_PURPOSES.ENCRYPTION,
+    publicKey,
+    keySize,
+    hybridMode: isHybrid,
+    classicalAlgorithm,
+    status: "active",
+    metadata: opts.metadata || {},
+    createdAt: now,
+  };
+
+  _keys.set(id, key);
+
+  db.prepare(
+    `INSERT INTO pqc_keys (id, algorithm, purpose, public_key, key_size, hybrid_mode, classical_algorithm, status, metadata, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+  ).run(
+    id,
+    algorithm,
+    key.purpose,
+    publicKey,
+    keySize,
+    isHybrid ? 1 : 0,
+    classicalAlgorithm,
+    "active",
+    JSON.stringify(key.metadata),
+    now,
+  );
+
+  return key;
+}
+
+/* ── Migration ────────────────────────────────────────────── */
+
+export function getMigrationStatus() {
+  return [..._migrations.values()];
+}
+
+export function migrate(db, planName, sourceAlgorithm, targetAlgorithm) {
+  if (!planName) throw new Error("Plan name is required");
+  if (!targetAlgorithm) throw new Error("Target algorithm is required");
+
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  // Find keys matching source algorithm
+  const sourceKeys = sourceAlgorithm
+    ? [..._keys.values()].filter((k) => k.algorithm === sourceAlgorithm)
+    : [..._keys.values()];
+
+  const plan = {
+    id,
+    planName,
+    sourceAlgorithm: sourceAlgorithm || "all",
+    targetAlgorithm,
+    totalKeys: sourceKeys.length,
+    migratedKeys: sourceKeys.length, // Simulate instant migration
+    status: MIGRATION_STATUS.COMPLETED,
+    startedAt: now,
+    completedAt: now,
+    errorMessage: null,
+  };
+
+  _migrations.set(id, plan);
+
+  db.prepare(
+    `INSERT INTO pqc_migration_status (id, plan_name, source_algorithm, target_algorithm, total_keys, migrated_keys, status, started_at, completed_at, error_message, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+  ).run(
+    id,
+    planName,
+    plan.sourceAlgorithm,
+    targetAlgorithm,
+    plan.totalKeys,
+    plan.migratedKeys,
+    plan.status,
+    now,
+    now,
+    null,
+    now,
+  );
+
+  return plan;
+}
+
+/* ── Reset (for testing) ───────────────────────────────────── */
+
+export function _resetState() {
+  _keys.clear();
+  _migrations.clear();
+}

package/src/lib/scim-manager.js

@@ -0,0 +1,212 @@
+/**
+ * SCIM Manager — user/group provisioning via SCIM 2.0 protocol,
+ * connector management, and sync operations.
+ */
+
+import crypto from "crypto";
+
+/* ── In-memory stores ──────────────────────────────────────── */
+const _users = new Map();
+const _connectors = new Map();
+const _syncLog = [];
+
+const SCIM_SCHEMAS = {
+  USER: "urn:ietf:params:scim:schemas:core:2.0:User",
+  LIST_RESPONSE: "urn:ietf:params:scim:api:messages:2.0:ListResponse",
+};
+
+/* ── Schema ────────────────────────────────────────────────── */
+
+export function ensureSCIMTables(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS scim_resources (
+      id TEXT PRIMARY KEY,
+      resource_type TEXT DEFAULT 'User',
+      external_id TEXT,
+      display_name TEXT,
+      user_name TEXT,
+      email TEXT,
+      active INTEGER DEFAULT 1,
+      attributes TEXT,
+      source TEXT,
+      provider TEXT,
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now'))
+    )
+  `);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS scim_sync_log (
+      id TEXT PRIMARY KEY,
+      operation TEXT,
+      resource_type TEXT,
+      resource_id TEXT,
+      provider TEXT,
+      status TEXT,
+      details TEXT,
+      created_at TEXT DEFAULT (datetime('now'))
+    )
+  `);
+}
+
+/* ── User Management ──────────────────────────────────────── */
+
+export function listUsers(filter = {}) {
+  let users = [..._users.values()];
+  if (filter.active !== undefined) {
+    users = users.filter((u) => u.active === filter.active);
+  }
+  const limit = filter.limit || 100;
+  const startIndex = filter.startIndex || 0;
+  return {
+    totalResults: users.length,
+    startIndex,
+    itemsPerPage: limit,
+    resources: users.slice(startIndex, startIndex + limit),
+  };
+}
+
+export function createUser(db, userName, displayName, email) {
+  if (!userName) throw new Error("Username is required");
+
+  // Check for duplicate
+  for (const u of _users.values()) {
+    if (u.userName === userName)
+      throw new Error(`User already exists: ${userName}`);
+  }
+
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  const user = {
+    id,
+    userName,
+    displayName: displayName || userName,
+    email: email || null,
+    active: true,
+    createdAt: now,
+    updatedAt: now,
+  };
+
+  _users.set(id, user);
+
+  db.prepare(
+    `INSERT INTO scim_resources (id, resource_type, external_id, display_name, user_name, email, active, attributes, source, provider, created_at, updated_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+  ).run(
+    id,
+    "User",
+    null,
+    user.displayName,
+    userName,
+    email,
+    1,
+    "{}",
+    "cli",
+    null,
+    now,
+    now,
+  );
+
+  return user;
+}
+
+export function getUser(userId) {
+  const user = _users.get(userId);
+  if (!user) return null;
+  return user;
+}
+
+export function deleteUser(db, userId) {
+  const user = _users.get(userId);
+  if (!user) throw new Error(`User not found: ${userId}`);
+
+  _users.delete(userId);
+
+  db.prepare(`DELETE FROM scim_resources WHERE id = ?`).run(userId);
+
+  return { success: true, userId };
+}
+
+/* ── Connector Management ─────────────────────────────────── */
+
+export function listConnectors() {
+  return [..._connectors.values()];
+}
+
+export function addConnector(db, name, provider, config) {
+  if (!name) throw new Error("Connector name is required");
+
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  const connector = {
+    id,
+    name,
+    provider: provider || "generic",
+    config: config || {},
+    status: "active",
+    lastSync: null,
+    createdAt: now,
+  };
+
+  _connectors.set(id, connector);
+
+  return connector;
+}
+
+/* ── Sync Operations ──────────────────────────────────────── */
+
+export function syncProvision(db, connectorId) {
+  const connector = _connectors.get(connectorId);
+  if (!connector) throw new Error(`Connector not found: ${connectorId}`);
+
+  const now = new Date().toISOString();
+  connector.lastSync = now;
+
+  const logEntry = {
+    id: crypto.randomUUID(),
+    operation: "sync",
+    resourceType: "User",
+    resourceId: null,
+    provider: connector.provider,
+    status: "completed",
+    details: `Synced via ${connector.name}`,
+    createdAt: now,
+  };
+
+  _syncLog.push(logEntry);
+
+  db.prepare(
+    `INSERT INTO scim_sync_log (id, operation, resource_type, resource_id, provider, status, details, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+  ).run(
+    logEntry.id,
+    logEntry.operation,
+    logEntry.resourceType,
+    null,
+    logEntry.provider,
+    logEntry.status,
+    logEntry.details,
+    now,
+  );
+
+  return { success: true, connector: connector.name, syncedAt: now };
+}
+
+export function getStatus() {
+  return {
+    users: _users.size,
+    connectors: _connectors.size,
+    syncOperations: _syncLog.length,
+    lastSync:
+      _syncLog.length > 0 ? _syncLog[_syncLog.length - 1].createdAt : null,
+  };
+}
+
+/* ── Reset (for testing) ───────────────────────────────────── */
+
+export function _resetState() {
+  _users.clear();
+  _connectors.clear();
+  _syncLog.length = 0;
+}

package/src/lib/session-manager.js

@@ -155,6 +155,44 @@ export function deleteSession(db, sessionId) {
   return result.changes > 0;
 }
 
+/**
+ * Compress a session's messages using a context engineering compact function.
+ * Reduces stored message count while preserving important context.
+ *
+ * @param {object} db - Database instance
+ * @param {string} sessionId - Session to compress
+ * @param {function} compactFn - (messages, options) => compacted messages
+ * @param {object} [options] - Options passed to compactFn
+ * @returns {{ original: number, compressed: number }}
+ */
+export function compressSession(db, sessionId, compactFn, options = {}) {
+  ensureSessionsTable(db);
+
+  const session = db
+    .prepare("SELECT messages FROM llm_sessions WHERE id = ?")
+    .get(sessionId);
+
+  if (!session) throw new Error(`Session not found: ${sessionId}`);
+
+  const messages = JSON.parse(session.messages || "[]");
+  if (messages.length <= 5) {
+    return { original: messages.length, compressed: messages.length };
+  }
+
+  const compacted = compactFn(messages, options);
+
+  db.prepare(
+    `UPDATE llm_sessions SET messages = ?, message_count = ?, summary = ?, updated_at = datetime('now') WHERE id = ?`,
+  ).run(
+    JSON.stringify(compacted),
+    compacted.length,
+    `Compressed from ${messages.length} to ${compacted.length} messages`,
+    sessionId,
+  );
+
+  return { original: messages.length, compressed: compacted.length };
+}
+
 /**
  * Export session as markdown
  */

package/src/lib/siem-exporter.js

@@ -0,0 +1,137 @@
+/**
+ * SIEM Exporter — log export to external SIEM targets
+ * (Splunk HEC, Elasticsearch, Azure Sentinel) in JSON/CEF/LEEF formats.
+ */
+
+import crypto from "crypto";
+
+/* ── In-memory stores ──────────────────────────────────────── */
+const _targets = new Map();
+const _exports = [];
+
+const SIEM_FORMATS = { JSON: "json", CEF: "cef", LEEF: "leef" };
+const SIEM_TARGETS = {
+  SPLUNK_HEC: "splunk_hec",
+  ELASTICSEARCH: "elasticsearch",
+  AZURE_SENTINEL: "azure_sentinel",
+};
+
+/* ── Schema ────────────────────────────────────────────────── */
+
+export function ensureSIEMTables(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS siem_exports (
+      id TEXT PRIMARY KEY,
+      target_type TEXT,
+      target_url TEXT,
+      format TEXT DEFAULT 'json',
+      last_exported_log_id TEXT,
+      exported_count INTEGER DEFAULT 0,
+      last_export_at TEXT,
+      status TEXT DEFAULT 'active',
+      config TEXT,
+      created_at TEXT DEFAULT (datetime('now'))
+    )
+  `);
+}
+
+/* ── Target Management ────────────────────────────────────── */
+
+export function listTargets() {
+  return [..._targets.values()];
+}
+
+export function addTarget(db, type, url, format, config) {
+  if (!type) throw new Error("Target type is required");
+  if (!url) throw new Error("Target URL is required");
+
+  const validTypes = Object.values(SIEM_TARGETS);
+  if (!validTypes.includes(type)) {
+    throw new Error(
+      `Invalid target type: ${type}. Valid: ${validTypes.join(", ")}`,
+    );
+  }
+
+  const id = crypto.randomUUID();
+  const now = new Date().toISOString();
+
+  const target = {
+    id,
+    type,
+    url,
+    format: format || SIEM_FORMATS.JSON,
+    exportedCount: 0,
+    lastExportAt: null,
+    lastExportedLogId: null,
+    status: "active",
+    config: config || {},
+    createdAt: now,
+  };
+
+  _targets.set(id, target);
+
+  db.prepare(
+    `INSERT INTO siem_exports (id, target_type, target_url, format, last_exported_log_id, exported_count, last_export_at, status, config, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+  ).run(
+    id,
+    type,
+    url,
+    target.format,
+    null,
+    0,
+    null,
+    "active",
+    JSON.stringify(target.config),
+    now,
+  );
+
+  return target;
+}
+
+/* ── Log Export ────────────────────────────────────────────── */
+
+export function exportLogs(db, targetId, logs) {
+  const target = _targets.get(targetId);
+  if (!target) throw new Error(`Target not found: ${targetId}`);
+
+  const items = logs || [];
+  const now = new Date().toISOString();
+  const exported = items.length;
+
+  target.exportedCount += exported;
+  target.lastExportAt = now;
+  if (items.length > 0) {
+    target.lastExportedLogId =
+      items[items.length - 1].id || `log-${Date.now()}`;
+  }
+
+  _exports.push({ targetId, exported, timestamp: now });
+
+  db.prepare(
+    `UPDATE siem_exports SET exported_count = ?, last_export_at = ?, last_exported_log_id = ? WHERE id = ?`,
+  ).run(target.exportedCount, now, target.lastExportedLogId, targetId);
+
+  return { exported, lastId: target.lastExportedLogId };
+}
+
+/* ── Stats ─────────────────────────────────────────────────── */
+
+export function getSIEMStats() {
+  return [..._targets.values()].map((t) => ({
+    id: t.id,
+    type: t.type,
+    url: t.url,
+    format: t.format,
+    exportedCount: t.exportedCount,
+    lastExportAt: t.lastExportAt,
+    status: t.status,
+  }));
+}
+
+/* ── Reset (for testing) ───────────────────────────────────── */
+
+export function _resetState() {
+  _targets.clear();
+  _exports.length = 0;
+}