chainlesschain 0.37.9 → 0.37.11

package/src/commands/sandbox.js

@@ -0,0 +1,366 @@
+/**
+ * Security Sandbox v2 commands
+ * chainlesschain sandbox create|exec|destroy|list|audit|quota|monitor
+ */
+
+import chalk from "chalk";
+import ora from "ora";
+import { logger } from "../lib/logger.js";
+import { bootstrap, shutdown } from "../runtime/bootstrap.js";
+import {
+  createSandbox,
+  executeSandbox,
+  destroySandbox,
+  listSandboxes,
+  getAuditLog,
+  getSandbox,
+  setQuota,
+  monitorBehavior,
+} from "../lib/sandbox-v2.js";
+
+export function registerSandboxCommand(program) {
+  const sandbox = program
+    .command("sandbox")
+    .description("Security sandbox v2 — isolated agent execution environments");
+
+  // sandbox create <agent-id>
+  sandbox
+    .command("create")
+    .description("Create a new sandbox for an agent")
+    .argument("<agent-id>", "Agent ID to sandbox")
+    .option("--allow-read <paths>", "Comma-separated allowed read paths")
+    .option("--allow-write <paths>", "Comma-separated allowed write paths")
+    .option("--allowed-hosts <hosts>", "Comma-separated allowed network hosts")
+    .option("--json", "Output as JSON")
+    .action(async (agentId, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        const spinner = ora("Creating sandbox...").start();
+
+        const perms = {};
+        if (options.allowRead || options.allowWrite) {
+          perms.fileSystem = {
+            read: options.allowRead
+              ? options.allowRead.split(",").map((p) => p.trim())
+              : ["/tmp"],
+            write: options.allowWrite
+              ? options.allowWrite.split(",").map((p) => p.trim())
+              : ["/tmp"],
+            denied: ["/etc", "/usr", "/sys"],
+          };
+        }
+        if (options.allowedHosts) {
+          perms.network = {
+            allowed: options.allowedHosts.split(",").map((h) => h.trim()),
+            denied: [],
+            maxConnections: 10,
+          };
+        }
+
+        const sandboxOpts =
+          Object.keys(perms).length > 0 ? { permissions: perms } : {};
+        const result = createSandbox(db, agentId, sandboxOpts);
+        spinner.succeed("Sandbox created");
+
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          logger.log(chalk.bold("Sandbox Created:"));
+          logger.log(`  ID:     ${chalk.cyan(result.id)}`);
+          logger.log(`  Status: ${chalk.green(result.status)}`);
+          logger.log(
+            `  Quota:  CPU=${result.quota.cpu}, Memory=${(result.quota.memory / 1024 / 1024).toFixed(0)}MB`,
+          );
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox exec <sandbox-id> <code>
+  sandbox
+    .command("exec")
+    .description("Execute code within a sandbox")
+    .argument("<sandbox-id>", "Sandbox ID")
+    .argument("<code>", "Code to execute")
+    .option("--json", "Output as JSON")
+    .action(async (sandboxId, code, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        const spinner = ora("Executing in sandbox...").start();
+
+        const result = executeSandbox(db, sandboxId, code);
+        spinner.succeed("Execution complete");
+
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          logger.log(chalk.bold("Execution Result:"));
+          logger.log(`  Output:    ${result.output}`);
+          logger.log(
+            `  Exit Code: ${result.exitCode === 0 ? chalk.green(0) : chalk.red(result.exitCode)}`,
+          );
+          logger.log(`  Duration:  ${result.duration}ms`);
+          logger.log(`  CPU Used:  ${result.resourceUsage.cpu}`);
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox destroy <sandbox-id>
+  sandbox
+    .command("destroy")
+    .description("Destroy a sandbox")
+    .argument("<sandbox-id>", "Sandbox ID to destroy")
+    .option("--json", "Output as JSON")
+    .action(async (sandboxId, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+
+        const result = destroySandbox(db, sandboxId);
+
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          logger.log(chalk.yellow(`Sandbox ${sandboxId} destroyed.`));
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox list
+  sandbox
+    .command("list")
+    .description("List active sandboxes")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        const sandboxes = listSandboxes(db);
+
+        if (options.json) {
+          console.log(JSON.stringify(sandboxes, null, 2));
+        } else if (sandboxes.length === 0) {
+          logger.info("No active sandboxes.");
+        } else {
+          logger.log(chalk.bold(`Active Sandboxes (${sandboxes.length}):\n`));
+          for (const s of sandboxes) {
+            logger.log(`  ${chalk.cyan(s.id)}`);
+            logger.log(
+              `    Agent: ${s.agentId}  Status: ${chalk.green(s.status)}`,
+            );
+            logger.log(
+              `    CPU: ${s.resourceUsage.cpu}/${s.quota.cpu}  Memory: ${s.resourceUsage.memory}/${s.quota.memory}`,
+            );
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox audit [sandbox-id]
+  sandbox
+    .command("audit")
+    .description("Show audit log for sandboxes")
+    .argument("[sandbox-id]", "Optional sandbox ID to filter")
+    .option("--action <name>", "Filter by action type")
+    .option("--limit <n>", "Limit entries", parseInt)
+    .option("--json", "Output as JSON")
+    .action(async (sandboxId, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+
+        const entries = getAuditLog(db, sandboxId || null, {
+          action: options.action,
+          limit: options.limit,
+        });
+
+        if (options.json) {
+          console.log(JSON.stringify(entries, null, 2));
+        } else if (entries.length === 0) {
+          logger.info("No audit entries found.");
+        } else {
+          logger.log(chalk.bold(`Audit Log (${entries.length} entries):\n`));
+          for (const e of entries) {
+            const ts = chalk.gray(e.timestamp);
+            const action = chalk.yellow(e.action);
+            logger.log(`  ${ts}  ${action}  sandbox=${e.sandboxId}`);
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox quota <sandbox-id>
+  sandbox
+    .command("quota")
+    .description("Show or set sandbox quota")
+    .argument("<sandbox-id>", "Sandbox ID")
+    .option("--cpu <n>", "Set CPU quota", parseInt)
+    .option("--memory <n>", "Set memory quota in MB", parseInt)
+    .option("--json", "Output as JSON")
+    .action(async (sandboxId, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+
+        if (options.cpu || options.memory) {
+          const current = getSandbox(db, sandboxId);
+          if (!current) {
+            logger.error("Sandbox not found");
+            process.exit(1);
+          }
+          const newQuota = { ...current.quota };
+          if (options.cpu) newQuota.cpu = options.cpu;
+          if (options.memory) newQuota.memory = options.memory * 1024 * 1024;
+
+          const result = setQuota(db, sandboxId, newQuota);
+          if (options.json) {
+            console.log(JSON.stringify(result, null, 2));
+          } else {
+            logger.log(chalk.green("Quota updated."));
+            logger.log(
+              `  CPU: ${newQuota.cpu}  Memory: ${(newQuota.memory / 1024 / 1024).toFixed(0)}MB`,
+            );
+          }
+        } else {
+          const info = getSandbox(db, sandboxId);
+          if (!info) {
+            logger.error("Sandbox not found");
+            process.exit(1);
+          }
+          if (options.json) {
+            console.log(
+              JSON.stringify(
+                { quota: info.quota, resourceUsage: info.resourceUsage },
+                null,
+                2,
+              ),
+            );
+          } else {
+            logger.log(chalk.bold("Quota:"));
+            logger.log(
+              `  CPU:     ${info.resourceUsage.cpu} / ${info.quota.cpu}`,
+            );
+            logger.log(
+              `  Memory:  ${info.resourceUsage.memory} / ${info.quota.memory}`,
+            );
+            logger.log(
+              `  Storage: ${info.resourceUsage.storage} / ${info.quota.storage}`,
+            );
+            logger.log(
+              `  Network: ${info.resourceUsage.network} / ${info.quota.network}`,
+            );
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox monitor <sandbox-id>
+  sandbox
+    .command("monitor")
+    .description("Monitor sandbox behavior and detect suspicious patterns")
+    .argument("<sandbox-id>", "Sandbox ID to monitor")
+    .option("--json", "Output as JSON")
+    .action(async (sandboxId, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        const spinner = ora("Analyzing behavior...").start();
+
+        const result = monitorBehavior(db, sandboxId);
+        spinner.succeed("Analysis complete");
+
+        if (options.json) {
+          console.log(JSON.stringify(result, null, 2));
+        } else {
+          logger.log(chalk.bold("Behavior Analysis:"));
+          logger.log(`  Total Events: ${result.totalEvents}`);
+          const riskColor =
+            result.riskScore > 50
+              ? chalk.red
+              : result.riskScore > 20
+                ? chalk.yellow
+                : chalk.green;
+          logger.log(`  Risk Score:   ${riskColor(result.riskScore)}/100`);
+
+          if (result.patterns.length > 0) {
+            logger.log(chalk.bold("\n  Detected Patterns:"));
+            for (const p of result.patterns) {
+              const sev =
+                p.severity === "high"
+                  ? chalk.red(p.severity)
+                  : chalk.yellow(p.severity);
+              logger.log(
+                `    - ${p.type} (count: ${p.count}, severity: ${sev})`,
+              );
+            }
+          } else {
+            logger.log(chalk.green("\n  No suspicious patterns detected."));
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+}

package/src/commands/search.js

@@ -0,0 +1,237 @@
+/**
+ * RAG / hybrid search commands
+ * chainlesschain search <query> [--mode vector|bm25|hybrid] [--top-k <n>]
+ */
+
+import chalk from "chalk";
+import ora from "ora";
+import { logger } from "../lib/logger.js";
+import { bootstrap, shutdown } from "../runtime/bootstrap.js";
+import { BM25Search } from "../lib/bm25-search.js";
+
+/**
+ * Ensure the notes table exists (same as note.js)
+ */
+function ensureNotesTable(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS notes (
+      id TEXT PRIMARY KEY,
+      title TEXT NOT NULL,
+      content TEXT DEFAULT '',
+      tags TEXT DEFAULT '[]',
+      category TEXT DEFAULT 'general',
+      created_at TEXT DEFAULT (datetime('now')),
+      updated_at TEXT DEFAULT (datetime('now')),
+      deleted_at TEXT DEFAULT NULL
+    )
+  `);
+}
+
+/**
+ * Load all notes from DB for indexing
+ */
+function loadNotes(db) {
+  ensureNotesTable(db);
+  return db
+    .prepare(
+      "SELECT id, title, content, tags, category, created_at FROM notes WHERE deleted_at IS NULL",
+    )
+    .all();
+}
+
+/**
+ * Simple vector embedding using character/word frequency (fallback when no LLM)
+ * Produces a 128-dim feature vector
+ */
+function simpleEmbed(text) {
+  if (!text) return new Array(128).fill(0);
+
+  const normalized = text.toLowerCase();
+  const vec = new Array(128).fill(0);
+
+  // Character frequency features (first 64 dims)
+  for (let i = 0; i < normalized.length; i++) {
+    const code = normalized.charCodeAt(i);
+    vec[code % 64] += 1;
+  }
+
+  // Word-level features (next 64 dims)
+  const words = normalized.split(/\s+/);
+  for (const word of words) {
+    let hash = 0;
+    for (let i = 0; i < word.length; i++) {
+      hash = (hash * 31 + word.charCodeAt(i)) & 0x7fffffff;
+    }
+    vec[64 + (hash % 64)] += 1;
+  }
+
+  // Normalize
+  const mag = Math.sqrt(vec.reduce((s, v) => s + v * v, 0)) || 1;
+  return vec.map((v) => v / mag);
+}
+
+function cosineSimilarity(a, b) {
+  let dot = 0;
+  let magA = 0;
+  let magB = 0;
+  for (let i = 0; i < a.length; i++) {
+    dot += a[i] * b[i];
+    magA += a[i] * a[i];
+    magB += b[i] * b[i];
+  }
+  return dot / (Math.sqrt(magA) * Math.sqrt(magB) || 1);
+}
+
+/**
+ * Vector search using simple embeddings
+ */
+function vectorSearch(query, notes, topK) {
+  const queryVec = simpleEmbed(query);
+  const scored = notes.map((note) => {
+    const text = [note.title || "", note.content || ""].join(" ");
+    const noteVec = simpleEmbed(text);
+    return {
+      id: note.id,
+      score: cosineSimilarity(queryVec, noteVec),
+      doc: note,
+    };
+  });
+  scored.sort((a, b) => b.score - a.score);
+  return scored.slice(0, topK);
+}
+
+/**
+ * Reciprocal Rank Fusion to combine results from multiple methods
+ */
+function rrfFusion(resultSets, k = 60) {
+  const scores = new Map();
+
+  for (const results of resultSets) {
+    for (let rank = 0; rank < results.length; rank++) {
+      const id = results[rank].id;
+      const rrfScore = 1 / (k + rank + 1);
+      scores.set(id, (scores.get(id) || 0) + rrfScore);
+    }
+  }
+
+  // Get original docs
+  const allDocs = new Map();
+  for (const results of resultSets) {
+    for (const r of results) {
+      if (!allDocs.has(r.id)) {
+        allDocs.set(r.id, r.doc);
+      }
+    }
+  }
+
+  const fused = Array.from(scores.entries()).map(([id, score]) => ({
+    id,
+    score,
+    doc: allDocs.get(id),
+  }));
+
+  fused.sort((a, b) => b.score - a.score);
+  return fused;
+}
+
+export function registerSearchCommand(program) {
+  program
+    .command("search")
+    .description("Search knowledge base (BM25 + vector hybrid)")
+    .argument("<query>", "Search query")
+    .option("--mode <mode>", "Search mode: bm25, vector, hybrid", "hybrid")
+    .option("--top-k <n>", "Number of results", "10")
+    .option("--threshold <n>", "Minimum score threshold", "0")
+    .option("--json", "Output as JSON")
+    .action(async (query, options) => {
+      const spinner = ora("Searching...").start();
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          spinner.fail("Database not available");
+          process.exit(1);
+        }
+
+        const db = ctx.db.getDatabase();
+        const notes = loadNotes(db);
+
+        if (notes.length === 0) {
+          spinner.info("No notes in knowledge base. Use 'note add' first.");
+          await shutdown();
+          return;
+        }
+
+        const topK = Math.max(1, parseInt(options.topK) || 10);
+        const threshold = parseFloat(options.threshold) || 0;
+        const mode = options.mode;
+        let results = [];
+
+        if (mode === "bm25") {
+          const bm25 = new BM25Search();
+          bm25.indexDocuments(notes);
+          results = bm25.search(query, { topK, threshold });
+        } else if (mode === "vector") {
+          results = vectorSearch(query, notes, topK);
+          if (threshold > 0) {
+            results = results.filter((r) => r.score >= threshold);
+          }
+        } else {
+          // Hybrid: BM25 + vector → RRF fusion
+          const bm25 = new BM25Search();
+          bm25.indexDocuments(notes);
+          const bm25Results = bm25.search(query, { topK: topK * 2 });
+          const vecResults = vectorSearch(query, notes, topK * 2);
+          results = rrfFusion([bm25Results, vecResults]).slice(0, topK);
+          if (threshold > 0) {
+            results = results.filter((r) => r.score >= threshold);
+          }
+        }
+
+        spinner.stop();
+
+        if (options.json) {
+          console.log(
+            JSON.stringify(
+              results.map((r) => ({
+                id: r.id,
+                score: r.score,
+                title: r.doc.title,
+                category: r.doc.category,
+                created_at: r.doc.created_at,
+                snippet: (r.doc.content || "").substring(0, 200),
+              })),
+              null,
+              2,
+            ),
+          );
+        } else if (results.length === 0) {
+          logger.info(`No results for "${query}"`);
+        } else {
+          logger.log(
+            chalk.bold(
+              `Search results for "${query}" (${results.length}, mode: ${mode}):\n`,
+            ),
+          );
+          for (const r of results) {
+            const tags = JSON.parse(r.doc.tags || "[]");
+            const tagStr =
+              tags.length > 0 ? chalk.gray(` [${tags.join(", ")}]`) : "";
+            const snippet = (r.doc.content || "")
+              .substring(0, 120)
+              .replace(/\n/g, " ");
+            logger.log(
+              `  ${chalk.yellow(r.score.toFixed(4))}  ${chalk.gray(r.id.slice(0, 8))}  ${chalk.white(r.doc.title)}${tagStr}`,
+            );
+            if (snippet) {
+              logger.log(`         ${chalk.gray(snippet)}`);
+            }
+          }
+        }
+
+        await shutdown();
+      } catch (err) {
+        spinner.fail(`Search failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+}