chainlesschain 0.51.0 → 0.81.0

package/src/commands/sandbox.js

@@ -18,6 +18,23 @@ import {
   getSandbox,
   setQuota,
   monitorBehavior,
+  // Phase 87 V2
+  SANDBOX_STATUS,
+  PERMISSION_TYPE,
+  RISK_LEVEL,
+  QUOTA_TYPE,
+  pauseSandboxV2,
+  resumeSandboxV2,
+  terminateSandboxV2,
+  setQuotaTyped,
+  enforcePermission,
+  checkQuotaV2,
+  getRiskLevel,
+  calculateRiskScore,
+  autoIsolate,
+  listIsolations,
+  filterAuditLog,
+  getSandboxStatsV2,
 } from "../lib/sandbox-v2.js";
 
 export function registerSandboxCommand(program) {
@@ -437,4 +454,388 @@ export function registerSandboxCommand(program) {
         process.exit(1);
       }
     });
+
+  // ═════════════════════════════════════════════════════════════════
+  // Phase 87 — Agent Security Sandbox 2.0 subcommands
+  // ═════════════════════════════════════════════════════════════════
+
+  // sandbox statuses
+  sandbox
+    .command("statuses")
+    .description("List sandbox lifecycle status enum values (Phase 87)")
+    .option("--json", "Output as JSON")
+    .action((options) => {
+      const values = Object.values(SANDBOX_STATUS);
+      if (options.json) console.log(JSON.stringify(values, null, 2));
+      else values.forEach((v) => logger.log(`  ${chalk.cyan(v)}`));
+    });
+
+  // sandbox permission-types
+  sandbox
+    .command("permission-types")
+    .description("List permission type enum values (Phase 87)")
+    .option("--json", "Output as JSON")
+    .action((options) => {
+      const values = Object.values(PERMISSION_TYPE);
+      if (options.json) console.log(JSON.stringify(values, null, 2));
+      else values.forEach((v) => logger.log(`  ${chalk.cyan(v)}`));
+    });
+
+  // sandbox risk-levels
+  sandbox
+    .command("risk-levels")
+    .description("List risk level enum values (Phase 87)")
+    .option("--json", "Output as JSON")
+    .action((options) => {
+      const values = Object.values(RISK_LEVEL);
+      if (options.json) console.log(JSON.stringify(values, null, 2));
+      else values.forEach((v) => logger.log(`  ${chalk.cyan(v)}`));
+    });
+
+  // sandbox quota-types
+  sandbox
+    .command("quota-types")
+    .description("List quota type enum values (Phase 87)")
+    .option("--json", "Output as JSON")
+    .action((options) => {
+      const values = Object.values(QUOTA_TYPE);
+      if (options.json) console.log(JSON.stringify(values, null, 2));
+      else values.forEach((v) => logger.log(`  ${chalk.cyan(v)}`));
+    });
+
+  // sandbox pause <id>
+  sandbox
+    .command("pause")
+    .description("Pause a running sandbox (Phase 87)")
+    .argument("<id>", "Sandbox ID")
+    .option("--json", "Output as JSON")
+    .action(async (id, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const r = pauseSandboxV2(db, id);
+        if (options.json) console.log(JSON.stringify(r, null, 2));
+        else
+          logger.log(
+            `${chalk.green("✓ Paused")} ${chalk.cyan(id)} (was ${chalk.yellow(r.previousStatus)})`,
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox resume <id>
+  sandbox
+    .command("resume")
+    .description("Resume a paused sandbox (Phase 87)")
+    .argument("<id>", "Sandbox ID")
+    .option("--json", "Output as JSON")
+    .action(async (id, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const r = resumeSandboxV2(db, id);
+        if (options.json) console.log(JSON.stringify(r, null, 2));
+        else logger.log(`${chalk.green("✓ Resumed")} ${chalk.cyan(id)}`);
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox terminate <id>
+  sandbox
+    .command("terminate")
+    .description(
+      "Terminate a sandbox (Phase 87 canonical; more explicit than destroy)",
+    )
+    .argument("<id>", "Sandbox ID")
+    .option("--reason <reason>", "Termination reason", "manual")
+    .option("--json", "Output as JSON")
+    .action(async (id, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const r = terminateSandboxV2(db, id, options.reason);
+        if (options.json) console.log(JSON.stringify(r, null, 2));
+        else
+          logger.log(
+            `${chalk.green("✓ Terminated")} ${chalk.cyan(id)} reason=${chalk.yellow(r.reason)}`,
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox set-quota-typed <id> <type> <limit>
+  sandbox
+    .command("set-quota-typed")
+    .description("Set a single quota by type (Phase 87)")
+    .argument("<id>", "Sandbox ID")
+    .argument(
+      "<type>",
+      "Quota type (cpu_percent|memory_mb|disk_mb|network_kbps|process_count)",
+    )
+    .argument("<limit>", "Numeric limit")
+    .option("--json", "Output as JSON")
+    .action(async (id, type, limit, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const r = setQuotaTyped(db, id, type, Number(limit));
+        if (options.json) console.log(JSON.stringify(r, null, 2));
+        else
+          logger.log(
+            `${chalk.green("✓ Quota set")} ${chalk.cyan(id)} ${type}=${chalk.yellow(limit)}`,
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox check-permission <id> <type> <target>
+  sandbox
+    .command("check-permission")
+    .description(
+      "Check whether a sandbox may perform a permission op (Phase 87)",
+    )
+    .argument("<id>", "Sandbox ID")
+    .argument(
+      "<type>",
+      "Permission type (filesystem|network|syscall|ipc|process)",
+    )
+    .argument("<target>", "Target (path / host / syscall name)")
+    .option("--mode <mode>", "File mode (read|write)", "read")
+    .option("--json", "Output as JSON")
+    .action(async (id, type, target, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const sandbox = getSandbox(db, id);
+        if (!sandbox) {
+          logger.error(`Sandbox not found: ${id}`);
+          await shutdown();
+          process.exit(1);
+          return;
+        }
+        const r = enforcePermission(sandbox, {
+          type,
+          target,
+          mode: options.mode,
+        });
+        if (options.json) console.log(JSON.stringify(r, null, 2));
+        else
+          logger.log(
+            `${r.allowed ? chalk.green("allowed") : chalk.red("denied")} ${type} ${options.mode} ${target}`,
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox check-quota <id> <type> [amount]
+  sandbox
+    .command("check-quota")
+    .description("Check quota availability for a type (Phase 87)")
+    .argument("<id>", "Sandbox ID")
+    .argument("<type>", "Quota type")
+    .argument("[amount]", "Amount to check", "0")
+    .option("--json", "Output as JSON")
+    .action(async (id, type, amount, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const sandbox = getSandbox(db, id);
+        if (!sandbox) {
+          logger.error(`Sandbox not found: ${id}`);
+          await shutdown();
+          process.exit(1);
+          return;
+        }
+        const r = checkQuotaV2(sandbox, type, Number(amount));
+        if (options.json) console.log(JSON.stringify(r, null, 2));
+        else
+          logger.log(
+            `${r.ok ? chalk.green("ok") : chalk.red("exceeded")} ${type}: ${r.current}/${r.limit ?? "∞"} (remaining ${r.remaining})`,
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox risk-score <id>
+  sandbox
+    .command("risk-score")
+    .description("Compute risk score + risk level for a sandbox (Phase 87)")
+    .argument("<id>", "Sandbox ID")
+    .option("--json", "Output as JSON")
+    .action(async (id, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const r = calculateRiskScore(db, id);
+        if (options.json) console.log(JSON.stringify(r, null, 2));
+        else {
+          const color =
+            r.riskLevel === RISK_LEVEL.CRITICAL
+              ? chalk.red
+              : r.riskLevel === RISK_LEVEL.HIGH
+                ? chalk.magenta
+                : r.riskLevel === RISK_LEVEL.MEDIUM
+                  ? chalk.yellow
+                  : chalk.green;
+          logger.log(
+            `risk=${color(r.riskLevel)}  score=${chalk.cyan(r.riskScore)}  patterns=${r.patterns.length}  events=${r.totalEvents}`,
+          );
+        }
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox risk-level <score>
+  sandbox
+    .command("risk-level")
+    .description("Map a risk score to a RISK_LEVEL bucket (Phase 87)")
+    .argument("<score>", "Numeric score 0-100")
+    .option("--json", "Output as JSON")
+    .action((score, options) => {
+      const level = getRiskLevel(Number(score));
+      if (options.json)
+        console.log(JSON.stringify({ score: Number(score), level }, null, 2));
+      else logger.log(`score=${score} → ${chalk.cyan(level)}`);
+    });
+
+  // sandbox auto-isolate <id>
+  sandbox
+    .command("auto-isolate")
+    .description("Auto-isolate a sandbox: record + terminate (Phase 87)")
+    .argument("<id>", "Sandbox ID")
+    .option("--reason <reason>", "Isolation reason", "high-risk")
+    .option("--json", "Output as JSON")
+    .action(async (id, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const entry = autoIsolate(db, id, options.reason);
+        if (options.json) console.log(JSON.stringify(entry, null, 2));
+        else
+          logger.log(
+            `${chalk.red("⊘ Isolated")} ${chalk.cyan(id)} reason=${chalk.yellow(entry.reason)} at ${entry.isolatedAt}`,
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox isolations
+  sandbox
+    .command("isolations")
+    .description("List isolation records (Phase 87)")
+    .option("-s, --sandbox <id>", "Filter by sandbox ID")
+    .option("--reason <reason>", "Filter by reason")
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        await bootstrap({ verbose: program.opts().verbose });
+        const items = listIsolations({
+          sandboxId: options.sandbox,
+          reason: options.reason,
+        });
+        if (options.json) console.log(JSON.stringify(items, null, 2));
+        else if (items.length === 0) logger.info("No isolation records.");
+        else
+          items.forEach((i) =>
+            logger.log(
+              `  ${chalk.cyan(i.sandboxId)}  reason=${chalk.yellow(i.reason)}  at=${i.isolatedAt}`,
+            ),
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox audit-filter <id>
+  sandbox
+    .command("audit-filter")
+    .description("Filter audit log by event types / time range (Phase 87)")
+    .argument("[id]", "Sandbox ID (omit for all)")
+    .option("-e, --events <types>", "Comma-separated event types")
+    .option("--from <iso>", "ISO timestamp lower bound")
+    .option("--to <iso>", "ISO timestamp upper bound")
+    .option("-l, --limit <n>", "Max entries to return", parseInt)
+    .option("--json", "Output as JSON")
+    .action(async (id, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        const db = ctx.db.getDatabase();
+        const filter = {};
+        if (options.events)
+          filter.eventTypes = options.events.split(",").map((s) => s.trim());
+        if (options.from || options.to)
+          filter.timeRange = { from: options.from, to: options.to };
+        if (options.limit) filter.limit = options.limit;
+        const entries = filterAuditLog(db, id, filter);
+        if (options.json) console.log(JSON.stringify(entries, null, 2));
+        else if (entries.length === 0)
+          logger.info("No matching audit entries.");
+        else
+          entries.forEach((e) =>
+            logger.log(
+              `  ${chalk.gray(e.timestamp)}  ${chalk.cyan(e.sandboxId)}  ${chalk.yellow(e.action)}`,
+            ),
+          );
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // sandbox stats-v2
+  sandbox
+    .command("stats-v2")
+    .description(
+      "Extended V2 stats (byStatus / auditByAction / isolations) (Phase 87)",
+    )
+    .option("--json", "Output as JSON")
+    .action(async (options) => {
+      try {
+        await bootstrap({ verbose: program.opts().verbose });
+        const stats = getSandboxStatsV2();
+        if (options.json) console.log(JSON.stringify(stats, null, 2));
+        else {
+          logger.log(chalk.bold("Sandbox stats (Phase 87):"));
+          logger.log(`  total: ${chalk.cyan(stats.totalSandboxes)}`);
+          logger.log(`  by status:`);
+          for (const [k, v] of Object.entries(stats.byStatus))
+            logger.log(`    ${k}: ${chalk.cyan(v)}`);
+          logger.log(`  audit events: ${chalk.cyan(stats.auditEventCount)}`);
+          logger.log(
+            `  isolations: total=${chalk.cyan(stats.isolations.total)}`,
+          );
+        }
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
 }

package/src/commands/siem.js

@@ -12,6 +12,19 @@ import {
   addTarget,
   exportLogs,
   getSIEMStats,
+  SIEM_FORMAT,
+  SIEM_TARGET_TYPE,
+  SIEM_SEVERITY,
+  SIEM_TARGET_STATUS,
+  SIEM_DEFAULT_BATCH_SIZE,
+  severityToCEF,
+  formatLog,
+  addTargetV2,
+  removeTarget,
+  setTargetStatus,
+  exportLogsV2,
+  getSIEMStatsV2,
+  listTargetsByStatus,
 } from "../lib/siem-exporter.js";
 
 export function registerSiemCommand(program) {
@@ -147,6 +160,239 @@ export function registerSiemCommand(program) {
           }
         }
 
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // ═══════════════════════════════════════════════════════════════
+  // V2 Canonical Subcommands (Phase 51)
+  // ═══════════════════════════════════════════════════════════════
+
+  siem
+    .command("formats")
+    .description("List SIEM export formats (V2)")
+    .action(() => {
+      console.log(JSON.stringify(Object.values(SIEM_FORMAT), null, 2));
+    });
+
+  siem
+    .command("target-types")
+    .description("List SIEM target types (V2)")
+    .action(() => {
+      console.log(JSON.stringify(Object.values(SIEM_TARGET_TYPE), null, 2));
+    });
+
+  siem
+    .command("severities")
+    .description("List SIEM severity levels (V2)")
+    .action(() => {
+      console.log(JSON.stringify(Object.values(SIEM_SEVERITY), null, 2));
+    });
+
+  siem
+    .command("statuses")
+    .description("List SIEM target statuses (V2)")
+    .action(() => {
+      console.log(JSON.stringify(Object.values(SIEM_TARGET_STATUS), null, 2));
+    });
+
+  siem
+    .command("default-batch-size")
+    .description("Show default SIEM batch size (V2)")
+    .action(() => {
+      console.log(JSON.stringify({ batchSize: SIEM_DEFAULT_BATCH_SIZE }));
+    });
+
+  siem
+    .command("severity-cef <severity>")
+    .description("Map a SIEM severity to its CEF integer (0-10)")
+    .action((severity) => {
+      try {
+        console.log(JSON.stringify({ severity, cef: severityToCEF(severity) }));
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  siem
+    .command("format-log <format>")
+    .description("Format a JSON log payload as cef|leef|json")
+    .option("-l, --log <json>", "Log object as JSON", "{}")
+    .action((format, options) => {
+      try {
+        const log = JSON.parse(options.log);
+        const result = formatLog(format, log);
+        console.log(
+          typeof result === "string" ? result : JSON.stringify(result, null, 2),
+        );
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  siem
+    .command("add-target-v2")
+    .description("Add a SIEM target via canonical options (V2)")
+    .option("-t, --type <type>", "Target type")
+    .option("-u, --url <url>", "Target URL")
+    .option("-f, --format <fmt>", "Export format", "json")
+    .option("-c, --config <json>", "Config JSON", "{}")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        let config = {};
+        try {
+          config = JSON.parse(options.config);
+        } catch (_err) {
+          logger.error("Invalid --config JSON");
+          process.exit(1);
+        }
+        const target = addTargetV2(db, {
+          type: options.type,
+          url: options.url,
+          format: options.format,
+          config,
+        });
+        console.log(JSON.stringify(target, null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  siem
+    .command("remove-target <target-id>")
+    .description("Remove a SIEM target (V2)")
+    .action(async (targetId) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        console.log(JSON.stringify(removeTarget(db, targetId), null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  siem
+    .command("set-status <target-id> <status>")
+    .description("Transition a SIEM target's status (V2)")
+    .action(async (targetId, status) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        console.log(
+          JSON.stringify(setTargetStatus(db, targetId, status), null, 2),
+        );
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  siem
+    .command("export-v2 <target-id>")
+    .description("Batch-export logs to a target (V2)")
+    .option("-l, --logs <json>", "Logs as JSON array", "[]")
+    .option("-b, --batch-size <n>", "Batch size override")
+    .action(async (targetId, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        let logs = [];
+        try {
+          logs = JSON.parse(options.logs);
+        } catch (_err) {
+          logger.error("Invalid --logs JSON");
+          process.exit(1);
+        }
+        const r = exportLogsV2(db, {
+          targetId,
+          logs,
+          batchSize: options.batchSize ? Number(options.batchSize) : undefined,
+        });
+        console.log(JSON.stringify(r, null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  siem
+    .command("stats-v2")
+    .description("Show extended SIEM stats (byFormat/byType/byStatus, V2)")
+    .action(async () => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        console.log(JSON.stringify(getSIEMStatsV2(), null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  siem
+    .command("by-status <status>")
+    .description("List SIEM targets filtered by status (V2)")
+    .action(async (status) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureSIEMTables(db);
+
+        console.log(JSON.stringify(listTargetsByStatus(status), null, 2));
+
         await shutdown();
       } catch (err) {
         logger.error(`Failed: ${err.message}`);