chainlesschain 0.37.12 → 0.40.1

package/src/commands/pqc.js

@@ -0,0 +1,162 @@
+/**
+ * PQC commands
+ * chainlesschain pqc keys|generate|migration-status|migrate
+ */
+
+import chalk from "chalk";
+import { logger } from "../lib/logger.js";
+import { bootstrap, shutdown } from "../runtime/bootstrap.js";
+import {
+  ensurePQCTables,
+  listKeys,
+  generateKey,
+  getMigrationStatus,
+  migrate,
+} from "../lib/pqc-manager.js";
+
+export function registerPqcCommand(program) {
+  const pqc = program
+    .command("pqc")
+    .description("Post-quantum cryptography — key management and migration");
+
+  // pqc keys
+  pqc
+    .command("keys")
+    .description("List PQC keys")
+    .option("-a, --algorithm <algo>", "Filter by algorithm")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensurePQCTables(db);
+
+        const keys = listKeys({ algorithm: options.algorithm });
+        if (options.json) {
+          console.log(JSON.stringify(keys, null, 2));
+        } else if (keys.length === 0) {
+          logger.info("No PQC keys. Use `pqc generate` to create one.");
+        } else {
+          for (const k of keys) {
+            logger.log(
+              `  ${chalk.cyan(k.id.slice(0, 8))} ${k.algorithm} [${k.purpose}] size=${k.keySize} hybrid=${k.hybridMode}`,
+            );
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // pqc generate
+  pqc
+    .command("generate <algorithm>")
+    .description("Generate a PQC key pair")
+    .option(
+      "-p, --purpose <purpose>",
+      "Key purpose: encryption, signing, key_exchange",
+      "encryption",
+    )
+    .action(async (algorithm, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensurePQCTables(db);
+
+        const key = generateKey(db, algorithm, options.purpose);
+        logger.success("PQC key generated");
+        logger.log(`  ${chalk.bold("ID:")}        ${chalk.cyan(key.id)}`);
+        logger.log(`  ${chalk.bold("Algorithm:")} ${key.algorithm}`);
+        logger.log(`  ${chalk.bold("Purpose:")}   ${key.purpose}`);
+        logger.log(`  ${chalk.bold("Key Size:")}  ${key.keySize}`);
+        logger.log(`  ${chalk.bold("Hybrid:")}    ${key.hybridMode}`);
+        if (key.classicalAlgorithm) {
+          logger.log(`  ${chalk.bold("Classical:")} ${key.classicalAlgorithm}`);
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // pqc migration-status
+  pqc
+    .command("migration-status")
+    .description("Show PQC migration status")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensurePQCTables(db);
+
+        const plans = getMigrationStatus();
+        if (options.json) {
+          console.log(JSON.stringify(plans, null, 2));
+        } else if (plans.length === 0) {
+          logger.info("No migration plans.");
+        } else {
+          for (const p of plans) {
+            logger.log(
+              `  ${chalk.cyan(p.id.slice(0, 8))} ${p.planName} ${p.sourceAlgorithm}→${p.targetAlgorithm} [${p.status}] ${p.migratedKeys}/${p.totalKeys}`,
+            );
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // pqc migrate
+  pqc
+    .command("migrate <plan-name> <target-algorithm>")
+    .description("Execute PQC key migration")
+    .option("-s, --source <algorithm>", "Source algorithm to migrate from")
+    .action(async (planName, targetAlgorithm, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensurePQCTables(db);
+
+        const plan = migrate(db, planName, options.source, targetAlgorithm);
+        logger.success("Migration completed");
+        logger.log(`  ${chalk.bold("ID:")}       ${chalk.cyan(plan.id)}`);
+        logger.log(`  ${chalk.bold("Plan:")}     ${plan.planName}`);
+        logger.log(`  ${chalk.bold("Source:")}   ${plan.sourceAlgorithm}`);
+        logger.log(`  ${chalk.bold("Target:")}   ${plan.targetAlgorithm}`);
+        logger.log(
+          `  ${chalk.bold("Migrated:")} ${plan.migratedKeys}/${plan.totalKeys}`,
+        );
+        logger.log(`  ${chalk.bold("Status:")}   ${plan.status}`);
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+}

package/src/commands/scim.js

@@ -0,0 +1,218 @@
+/**
+ * SCIM commands
+ * chainlesschain scim users|connectors|sync|status
+ */
+
+import chalk from "chalk";
+import { logger } from "../lib/logger.js";
+import { bootstrap, shutdown } from "../runtime/bootstrap.js";
+import {
+  ensureSCIMTables,
+  listUsers,
+  createUser,
+  getUser,
+  deleteUser,
+  listConnectors,
+  addConnector,
+  syncProvision,
+  getStatus,
+} from "../lib/scim-manager.js";
+
+export function registerScimCommand(program) {
+  const scim = program
+    .command("scim")
+    .description("SCIM provisioning — user management, connectors, sync");
+
+  // scim users
+  const users = scim.command("users").description("SCIM user management");
+
+  users
+    .command("list")
+    .description("List SCIM users")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSCIMTables(db);
+
+        const result = listUsers();
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else if (result.resources.length === 0) {
+          logger.info("No SCIM users.");
+        } else {
+          for (const u of result.resources) {
+            logger.log(
+              `  ${chalk.cyan(u.id.slice(0, 8))} ${u.userName} (${u.displayName}) active=${u.active}`,
+            );
+          }
+          logger.log(`\n${result.totalResults} user(s) total.`);
+        }
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  users
+    .command("create <username>")
+    .description("Create a SCIM user")
+    .option("-n, --name <display-name>", "Display name")
+    .option("-e, --email <email>", "Email address")
+    .action(async (username, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSCIMTables(db);
+
+        const user = createUser(db, username, options.name, options.email);
+        logger.success("User created");
+        logger.log(`  ${chalk.bold("ID:")}       ${chalk.cyan(user.id)}`);
+        logger.log(`  ${chalk.bold("Username:")} ${user.userName}`);
+        logger.log(`  ${chalk.bold("Name:")}     ${user.displayName}`);
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  users
+    .command("get <user-id>")
+    .description("Get a SCIM user by ID")
+    .option("--json", "Output as JSON")
+    .action(async (userId, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSCIMTables(db);
+
+        const user = getUser(userId);
+        if (!user) {
+          logger.error(`User not found: ${userId}`);
+          process.exit(1);
+        }
+        if (options.json) {
+          console.log(JSON.stringify(user, null, 2));
+        } else {
+          logger.log(`  ${chalk.bold("ID:")}       ${chalk.cyan(user.id)}`);
+          logger.log(`  ${chalk.bold("Username:")} ${user.userName}`);
+          logger.log(`  ${chalk.bold("Name:")}     ${user.displayName}`);
+          logger.log(`  ${chalk.bold("Email:")}    ${user.email || "N/A"}`);
+          logger.log(`  ${chalk.bold("Active:")}   ${user.active}`);
+        }
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  users
+    .command("delete <user-id>")
+    .description("Delete a SCIM user")
+    .action(async (userId) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSCIMTables(db);
+
+        deleteUser(db, userId);
+        logger.success(`User ${chalk.cyan(userId.slice(0, 8))} deleted`);
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // scim connectors
+  scim
+    .command("connectors")
+    .description("List SCIM connectors")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const connectors = listConnectors();
+        if (options.json) {
+          console.log(JSON.stringify(connectors, null, 2));
+        } else if (connectors.length === 0) {
+          logger.info("No SCIM connectors configured.");
+        } else {
+          for (const c of connectors) {
+            logger.log(
+              `  ${chalk.cyan(c.id.slice(0, 8))} ${c.name} [${c.provider}] status=${c.status}`,
+            );
+          }
+        }
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // scim sync
+  scim
+    .command("sync <connector-id>")
+    .description("Trigger SCIM provisioning sync")
+    .action(async (connectorId) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSCIMTables(db);
+
+        const result = syncProvision(db, connectorId);
+        logger.success(`Sync completed via ${chalk.cyan(result.connector)}`);
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // scim status
+  scim
+    .command("status")
+    .description("Show SCIM provisioning status")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const status = getStatus();
+        if (options.json) {
+          console.log(JSON.stringify(status, null, 2));
+        } else {
+          logger.log(`  ${chalk.bold("Users:")}      ${status.users}`);
+          logger.log(`  ${chalk.bold("Connectors:")} ${status.connectors}`);
+          logger.log(`  ${chalk.bold("Sync Ops:")}   ${status.syncOperations}`);
+          logger.log(
+            `  ${chalk.bold("Last Sync:")}  ${status.lastSync || "never"}`,
+          );
+        }
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+}

package/src/commands/serve.js

@@ -0,0 +1,109 @@
+/**
+ * serve command — start a WebSocket server for remote CLI access
+ * chainlesschain serve [--port] [--host] [--token] [--max-connections] [--timeout] [--allow-remote]
+ */
+
+import chalk from "chalk";
+import { logger } from "../lib/logger.js";
+import { ChainlessChainWSServer } from "../lib/ws-server.js";
+
+export function registerServeCommand(program) {
+  program
+    .command("serve")
+    .description("Start WebSocket server for remote CLI access")
+    .option("-p, --port <port>", "Port number", "18800")
+    .option("-H, --host <host>", "Bind host", "127.0.0.1")
+    .option(
+      "--token <token>",
+      "Authentication token (required for remote access)",
+    )
+    .option("--max-connections <n>", "Maximum concurrent connections", "10")
+    .option(
+      "--timeout <ms>",
+      "Command execution timeout in milliseconds",
+      "30000",
+    )
+    .option(
+      "--allow-remote",
+      "Allow non-localhost connections (requires --token)",
+    )
+    .action(async (opts) => {
+      const port = parseInt(opts.port, 10);
+      const maxConnections = parseInt(opts.maxConnections, 10);
+      const timeout = parseInt(opts.timeout, 10);
+      let host = opts.host;
+
+      // Validation
+      if (isNaN(port) || port < 1 || port > 65535) {
+        logger.error("Invalid port number. Must be between 1 and 65535.");
+        process.exit(1);
+      }
+
+      if (opts.allowRemote) {
+        if (!opts.token) {
+          logger.error("--allow-remote requires --token for security.");
+          process.exit(1);
+        }
+        host = "0.0.0.0";
+      }
+
+      const server = new ChainlessChainWSServer({
+        port,
+        host,
+        token: opts.token || null,
+        maxConnections,
+        timeout,
+      });
+
+      // Event logging
+      server.on("connection", ({ clientId, ip }) => {
+        logger.log(chalk.green(`  + Client connected: ${clientId} (${ip})`));
+      });
+
+      server.on("disconnection", ({ clientId, reason }) => {
+        const extra = reason ? ` (${reason})` : "";
+        logger.log(
+          chalk.yellow(`  - Client disconnected: ${clientId}${extra}`),
+        );
+      });
+
+      server.on("command:start", ({ id, command }) => {
+        logger.log(chalk.cyan(`  > [${id}] ${command}`));
+      });
+
+      server.on("command:end", ({ id, exitCode }) => {
+        const color = exitCode === 0 ? chalk.green : chalk.red;
+        logger.log(color(`  < [${id}] exit ${exitCode}`));
+      });
+
+      // Graceful shutdown
+      const shutdown = async () => {
+        logger.log("\n" + chalk.yellow("Shutting down WebSocket server..."));
+        await server.stop();
+        process.exit(0);
+      };
+
+      process.on("SIGINT", shutdown);
+      process.on("SIGTERM", shutdown);
+
+      try {
+        await server.start();
+
+        logger.log("");
+        logger.log(chalk.bold("  ChainlessChain WebSocket Server"));
+        logger.log("");
+        logger.log(`  Address:  ${chalk.cyan(`ws://${host}:${port}`)}`);
+        logger.log(
+          `  Auth:     ${opts.token ? chalk.green("enabled") : chalk.yellow("disabled")}`,
+        );
+        logger.log(`  Max conn: ${maxConnections}`);
+        logger.log(`  Timeout:  ${timeout}ms`);
+        logger.log("");
+        logger.log(chalk.dim("  Press Ctrl+C to stop"));
+        logger.log("");
+      } catch (err) {
+        logger.error(`Failed to start server: ${err.message}`);
+        process.exit(1);
+      }
+    });
+}

package/src/commands/siem.js

@@ -0,0 +1,156 @@
+/**
+ * SIEM commands
+ * chainlesschain siem targets|add-target|export|stats
+ */
+
+import chalk from "chalk";
+import { logger } from "../lib/logger.js";
+import { bootstrap, shutdown } from "../runtime/bootstrap.js";
+import {
+  ensureSIEMTables,
+  listTargets,
+  addTarget,
+  exportLogs,
+  getSIEMStats,
+} from "../lib/siem-exporter.js";
+
+export function registerSiemCommand(program) {
+  const siem = program
+    .command("siem")
+    .description("SIEM integration — log export to external targets");
+
+  // siem targets
+  siem
+    .command("targets")
+    .description("List SIEM export targets")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        const targets = listTargets();
+        if (options.json) {
+          console.log(JSON.stringify(targets, null, 2));
+        } else if (targets.length === 0) {
+          logger.info("No SIEM targets configured.");
+        } else {
+          for (const t of targets) {
+            logger.log(
+              `  ${chalk.cyan(t.id.slice(0, 8))} ${t.type} → ${t.url} [${t.format}] exported=${t.exportedCount}`,
+            );
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // siem add-target
+  siem
+    .command("add-target <type> <url>")
+    .description(
+      "Add a SIEM target (splunk_hec, elasticsearch, azure_sentinel)",
+    )
+    .option("-f, --format <fmt>", "Export format: json, cef, leef", "json")
+    .action(async (type, url, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        const target = addTarget(db, type, url, options.format);
+        logger.success("SIEM target added");
+        logger.log(`  ${chalk.bold("ID:")}     ${chalk.cyan(target.id)}`);
+        logger.log(`  ${chalk.bold("Type:")}   ${target.type}`);
+        logger.log(`  ${chalk.bold("URL:")}    ${target.url}`);
+        logger.log(`  ${chalk.bold("Format:")} ${target.format}`);
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // siem export
+  siem
+    .command("export <target-id>")
+    .description("Export logs to a SIEM target")
+    .action(async (targetId) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        // Export with simulated log batch
+        const result = exportLogs(db, targetId, [
+          {
+            id: `log-${Date.now()}`,
+            level: "info",
+            message: "CLI export test",
+          },
+        ]);
+        logger.success(`Exported ${result.exported} log(s)`);
+        logger.log(
+          `  ${chalk.bold("Last ID:")} ${chalk.cyan(result.lastId || "N/A")}`,
+        );
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // siem stats
+  siem
+    .command("stats")
+    .description("Show SIEM export statistics")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        const stats = getSIEMStats();
+        if (options.json) {
+          console.log(JSON.stringify(stats, null, 2));
+        } else if (stats.length === 0) {
+          logger.info("No SIEM targets configured.");
+        } else {
+          for (const s of stats) {
+            logger.log(
+              `  ${chalk.cyan(s.id.slice(0, 8))} ${s.type} [${s.format}] exported=${s.exportedCount} status=${s.status}`,
+            );
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+}