chainlesschain 0.66.0 → 0.132.0

package/src/commands/dlp.js

@@ -16,6 +16,20 @@ import {
   updatePolicy,
   deletePolicy,
   listDLPPolicies,
+  DLP_ACTION,
+  DLP_CHANNEL,
+  DLP_SEVERITY,
+  DLP_DEFAULT_MAX_CONTENT_SIZE,
+  createPolicyV2,
+  getPolicyV2,
+  listActivePoliciesForChannel,
+  scanContentV2,
+  listIncidentsV2,
+  getIncidentV2,
+  listBuiltinPolicyTemplates,
+  installBuiltinPolicies,
+  getDLPStatsV2,
+  getHighestUnresolvedSeverity,
 } from "../lib/dlp-engine.js";
 
 export function registerDlpCommand(program) {
@@ -269,6 +283,333 @@ export function registerDlpCommand(program) {
         deletePolicy(db, policyId);
         logger.success(`Policy ${chalk.cyan(policyId.slice(0, 8))} deleted`);
 
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // ═══════════════════════════════════════════════════════════════
+  // V2 Canonical Subcommands (Phase 50)
+  // ═══════════════════════════════════════════════════════════════
+
+  dlp
+    .command("actions")
+    .description("List DLP actions (V2)")
+    .action(() => {
+      console.log(JSON.stringify(Object.values(DLP_ACTION), null, 2));
+    });
+
+  dlp
+    .command("channels")
+    .description("List DLP channels (V2)")
+    .action(() => {
+      console.log(JSON.stringify(Object.values(DLP_CHANNEL), null, 2));
+    });
+
+  dlp
+    .command("severities")
+    .description("List DLP severity levels (V2)")
+    .action(() => {
+      console.log(JSON.stringify(Object.values(DLP_SEVERITY), null, 2));
+    });
+
+  dlp
+    .command("default-max-size")
+    .description("Show default DLP scan size limit in bytes (V2)")
+    .action(() => {
+      console.log(JSON.stringify({ bytes: DLP_DEFAULT_MAX_CONTENT_SIZE }));
+    });
+
+  // policy-v2 create — channel-aware + description
+  policy
+    .command("create-v2 <name>")
+    .description("Create a V2 policy with channel filter + description")
+    .option("-d, --description <text>", "Description", "")
+    .option(
+      "-c, --channels <list>",
+      "Comma-separated channels (empty = all)",
+      "",
+    )
+    .option("-p, --patterns <list>", "Comma-separated regex patterns", "")
+    .option("-k, --keywords <list>", "Comma-separated keywords", "")
+    .option("-a, --action <action>", "Action", "alert")
+    .option("-s, --severity <level>", "Severity", "medium")
+    .action(async (name, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        const result = createPolicyV2(db, {
+          name,
+          description: options.description,
+          channels: options.channels
+            ? options.channels
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean)
+            : [],
+          patterns: options.patterns
+            ? options.patterns
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean)
+            : [],
+          keywords: options.keywords
+            ? options.keywords
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean)
+            : [],
+          action: options.action,
+          severity: options.severity,
+        });
+        console.log(JSON.stringify(result, null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  policy
+    .command("show-v2 <policy-id>")
+    .description("Show V2 policy with description + channels")
+    .action(async (policyId) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        console.log(JSON.stringify(getPolicyV2(policyId), null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  policy
+    .command("active-for <channel>")
+    .description("List active V2 policies applicable to a channel")
+    .action(async (channel) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        console.log(
+          JSON.stringify(listActivePoliciesForChannel(channel), null, 2),
+        );
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // Built-in templates
+  const templates = dlp
+    .command("templates")
+    .description("Built-in policy templates");
+
+  templates
+    .command("list")
+    .description("List built-in policy templates")
+    .action(() => {
+      console.log(JSON.stringify(listBuiltinPolicyTemplates(), null, 2));
+    });
+
+  templates
+    .command("install [names...]")
+    .description("Install built-in policy templates (all if no names given)")
+    .action(async (names) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        const installed = installBuiltinPolicies(
+          db,
+          names && names.length > 0 ? names : undefined,
+        );
+        console.log(JSON.stringify(installed, null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // scan-v2 — channel filter + size gate + metadata
+  dlp
+    .command("scan-v2 <content>")
+    .description("Scan content with V2 channel filter + metadata")
+    .option("-c, --channel <channel>", "Channel")
+    .option("-u, --user <id>", "User ID")
+    .option("-m, --metadata <json>", "Metadata JSON", "{}")
+    .option("--max-size <bytes>", "Override max content size")
+    .action(async (content, options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        let metadata = {};
+        try {
+          metadata = JSON.parse(options.metadata);
+        } catch (_err) {
+          logger.error("Invalid --metadata JSON");
+          process.exit(1);
+        }
+        const result = scanContentV2(db, {
+          content,
+          channel: options.channel,
+          userId: options.user,
+          metadata,
+          maxContentSize: options.maxSize ? Number(options.maxSize) : undefined,
+        });
+        console.log(JSON.stringify(result, null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  // incidents-v2 — rich filter
+  dlp
+    .command("incidents-v2")
+    .description(
+      "List V2 incidents (channel/severity/resolved/user/policy/date)",
+    )
+    .option("-c, --channel <channel>", "Filter by channel")
+    .option("-s, --severity <level>", "Filter by severity")
+    .option("-r, --resolved <bool>", "Filter by resolved (true/false)")
+    .option("-u, --user <id>", "Filter by userId")
+    .option("-p, --policy <id>", "Filter by policyId")
+    .option("--from <iso>", "fromDate ISO string")
+    .option("--to <iso>", "toDate ISO string")
+    .option("-l, --limit <n>", "Limit", "50")
+    .action(async (options) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        const filter = {};
+        if (options.channel) filter.channel = options.channel;
+        if (options.severity) filter.severity = options.severity;
+        if (options.resolved === "true") filter.resolved = true;
+        else if (options.resolved === "false") filter.resolved = false;
+        if (options.user) filter.userId = options.user;
+        if (options.policy) filter.policyId = options.policy;
+        if (options.from) filter.fromDate = options.from;
+        if (options.to) filter.toDate = options.to;
+        filter.limit = Number(options.limit);
+        console.log(JSON.stringify(listIncidentsV2(filter), null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  dlp
+    .command("incident-v2 <incident-id>")
+    .description("Show V2 incident with metadata")
+    .action(async (incidentId) => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        console.log(JSON.stringify(getIncidentV2(incidentId), null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  dlp
+    .command("stats-v2")
+    .description(
+      "Show V2 DLP stats (byAction/bySeverity/byChannel/topPolicies)",
+    )
+    .action(async () => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        console.log(JSON.stringify(getDLPStatsV2(), null, 2));
+
+        await shutdown();
+      } catch (err) {
+        logger.error(`Failed: ${err.message}`);
+        process.exit(1);
+      }
+    });
+
+  dlp
+    .command("highest-severity")
+    .description("Show highest unresolved incident severity (V2)")
+    .action(async () => {
+      try {
+        const ctx = await bootstrap({ verbose: program.opts().verbose });
+        if (!ctx.db) {
+          logger.error("Database not available");
+          process.exit(1);
+        }
+        const db = ctx.db.getDatabase();
+        ensureDLPTables(db);
+
+        console.log(
+          JSON.stringify({ highestSeverity: getHighestUnresolvedSeverity() }),
+        );
+
         await shutdown();
       } catch (err) {
         logger.error(`Failed: ${err.message}`);

package/src/commands/encrypt.js

@@ -14,6 +14,35 @@ import {
   getDbEncryptionStatus,
   setDbEncryptionStatus,
   hashPassword,
+  KEY_MATURITY_V2 as CRYPTO_KEY_MATURITY_V2,
+  CRYPTO_JOB_LIFECYCLE_V2,
+  getMaxActiveKeysPerOwnerV2 as cryptoGetMaxActiveKeys,
+  setMaxActiveKeysPerOwnerV2 as cryptoSetMaxActiveKeys,
+  getMaxPendingJobsPerKeyV2 as cryptoGetMaxPendingJobs,
+  setMaxPendingJobsPerKeyV2 as cryptoSetMaxPendingJobs,
+  getKeyIdleMsV2 as cryptoGetKeyIdleMs,
+  setKeyIdleMsV2 as cryptoSetKeyIdleMs,
+  getJobStuckMsV2,
+  setJobStuckMsV2,
+  registerKeyV2 as cryptoRegisterKey,
+  getKeyV2 as cryptoGetKey,
+  listKeysV2 as cryptoListKeys,
+  activateKeyV2 as cryptoActivateKey,
+  rotateKeyV2,
+  retireKeyV2,
+  touchKeyV2 as cryptoTouchKey,
+  createJobV2,
+  getJobV2,
+  listJobsV2,
+  startJobV2,
+  completeJobV2,
+  failJobV2,
+  cancelJobV2,
+  getActiveKeyCountV2 as cryptoGetActiveKeyCount,
+  getPendingJobCountV2,
+  autoRotateIdleKeysV2,
+  autoFailStuckJobsV2,
+  getCryptoManagerStatsV2,
 } from "../lib/crypto-manager.js";
 
 async function promptPassword(message = "Password:") {
@@ -230,4 +259,316 @@ export function registerEncryptCommand(program) {
         process.exit(1);
       }
     });
+
+  // ===== V2 in-memory governance surface (no DB, no bootstrap) =====
+
+  enc
+    .command("key-maturities-v2")
+    .description("[V2] List crypto key maturity states")
+    .option("--json")
+    .action((o) => {
+      const s = Object.values(CRYPTO_KEY_MATURITY_V2);
+      if (o.json) console.log(JSON.stringify(s, null, 2));
+      else for (const v of s) logger.log(v);
+    });
+  enc
+    .command("job-lifecycles-v2")
+    .description("[V2] List crypto job lifecycle states")
+    .option("--json")
+    .action((o) => {
+      const s = Object.values(CRYPTO_JOB_LIFECYCLE_V2);
+      if (o.json) console.log(JSON.stringify(s, null, 2));
+      else for (const v of s) logger.log(v);
+    });
+  enc
+    .command("config-v2")
+    .description("[V2] Show governance config")
+    .option("--json")
+    .action((o) => {
+      const cfg = {
+        maxActiveKeysPerOwner: cryptoGetMaxActiveKeys(),
+        maxPendingJobsPerKey: cryptoGetMaxPendingJobs(),
+        keyIdleMs: cryptoGetKeyIdleMs(),
+        jobStuckMs: getJobStuckMsV2(),
+      };
+      if (o.json) console.log(JSON.stringify(cfg, null, 2));
+      else for (const [k, v] of Object.entries(cfg)) logger.log(`${k}: ${v}`);
+    });
+  enc
+    .command("set-max-active-keys-per-owner-v2 <n>")
+    .description("[V2] Set per-owner active key cap")
+    .action((n) => {
+      try {
+        cryptoSetMaxActiveKeys(Number(n));
+        logger.success(`= ${cryptoGetMaxActiveKeys()}`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("set-max-pending-jobs-per-key-v2 <n>")
+    .description("[V2] Set per-key pending job cap")
+    .action((n) => {
+      try {
+        cryptoSetMaxPendingJobs(Number(n));
+        logger.success(`= ${cryptoGetMaxPendingJobs()}`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("set-key-idle-ms-v2 <ms>")
+    .description("[V2] Set key idle threshold (ms)")
+    .action((m) => {
+      try {
+        cryptoSetKeyIdleMs(Number(m));
+        logger.success(`= ${cryptoGetKeyIdleMs()}`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("set-job-stuck-ms-v2 <ms>")
+    .description("[V2] Set job stuck threshold (ms)")
+    .action((m) => {
+      try {
+        setJobStuckMsV2(Number(m));
+        logger.success(`= ${getJobStuckMsV2()}`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+
+  enc
+    .command("register-key-v2 <id>")
+    .description("[V2] Register a crypto key profile (PENDING)")
+    .requiredOption("-o, --owner <id>")
+    .requiredOption("-a, --algorithm <algo>")
+    .option("-p, --purpose <p>", "Purpose", "encryption")
+    .action((id, o) => {
+      try {
+        const k = cryptoRegisterKey(id, {
+          ownerId: o.owner,
+          algorithm: o.algorithm,
+          purpose: o.purpose,
+        });
+        logger.success(`key ${k.id} registered (status=${k.status})`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("activate-key-v2 <id>")
+    .description("[V2] Activate key (pending|rotated -> active)")
+    .action((id) => {
+      try {
+        cryptoActivateKey(id);
+        logger.success(`key ${id} active`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("rotate-key-v2 <id>")
+    .description("[V2] Rotate key (active -> rotated)")
+    .action((id) => {
+      try {
+        rotateKeyV2(id);
+        logger.success(`key ${id} rotated`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("retire-key-v2 <id>")
+    .description("[V2] Retire key (terminal)")
+    .action((id) => {
+      try {
+        retireKeyV2(id);
+        logger.success(`key ${id} retired`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("touch-key-v2 <id>")
+    .description("[V2] Bump key lastSeenAt")
+    .action((id) => {
+      try {
+        cryptoTouchKey(id);
+        logger.success(`key ${id} touched`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("get-key-v2 <id>")
+    .description("[V2] Show crypto key profile")
+    .option("--json")
+    .action((id) => {
+      const k = cryptoGetKey(id);
+      if (!k) {
+        logger.info("key not found");
+        return;
+      }
+      console.log(JSON.stringify(k, null, 2));
+    });
+  enc
+    .command("list-keys-v2")
+    .description("[V2] List crypto key profiles")
+    .option("-o, --owner <id>")
+    .option("-s, --status <s>")
+    .option("-a, --algorithm <algo>")
+    .option("--json")
+    .action((o) => {
+      const list = cryptoListKeys({
+        ownerId: o.owner,
+        status: o.status,
+        algorithm: o.algorithm,
+      });
+      if (o.json) console.log(JSON.stringify(list, null, 2));
+      else
+        for (const k of list)
+          logger.log(`${k.id}\t${k.ownerId}\t${k.status}\t${k.algorithm}`);
+    });
+
+  enc
+    .command("create-job-v2 <id>")
+    .description("[V2] Create a queued V2 crypto job")
+    .requiredOption("-k, --key <keyId>")
+    .option("-K, --kind <kind>", "Job kind", "encrypt")
+    .action((id, o) => {
+      try {
+        const j = createJobV2(id, { keyId: o.key, kind: o.kind });
+        logger.success(`job ${j.id} queued (key=${j.keyId} kind=${j.kind})`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("start-job-v2 <id>")
+    .description("[V2] Start crypto job (queued -> running)")
+    .action((id) => {
+      try {
+        startJobV2(id);
+        logger.success(`job ${id} running`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("complete-job-v2 <id>")
+    .description("[V2] Complete crypto job (running -> completed)")
+    .action((id) => {
+      try {
+        completeJobV2(id);
+        logger.success(`job ${id} completed`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("fail-job-v2 <id>")
+    .description("[V2] Fail crypto job (running -> failed)")
+    .action((id) => {
+      try {
+        failJobV2(id);
+        logger.success(`job ${id} failed`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("cancel-job-v2 <id>")
+    .description("[V2] Cancel crypto job (queued|running -> cancelled)")
+    .action((id) => {
+      try {
+        cancelJobV2(id);
+        logger.success(`job ${id} cancelled`);
+      } catch (e) {
+        logger.error(e.message);
+        process.exit(1);
+      }
+    });
+  enc
+    .command("get-job-v2 <id>")
+    .description("[V2] Show crypto job")
+    .option("--json")
+    .action((id) => {
+      const j = getJobV2(id);
+      if (!j) {
+        logger.info("job not found");
+        return;
+      }
+      console.log(JSON.stringify(j, null, 2));
+    });
+  enc
+    .command("list-jobs-v2")
+    .description("[V2] List V2 crypto jobs")
+    .option("-k, --key <keyId>")
+    .option("-s, --status <s>")
+    .option("-K, --kind <kind>")
+    .option("--json")
+    .action((o) => {
+      const list = listJobsV2({ keyId: o.key, status: o.status, kind: o.kind });
+      if (o.json) console.log(JSON.stringify(list, null, 2));
+      else
+        for (const j of list)
+          logger.log(`${j.id}\t${j.keyId}\t${j.status}\t${j.kind}`);
+    });
+
+  enc
+    .command("active-key-count-v2")
+    .description("[V2] Count active crypto keys (optional --owner)")
+    .option("-o, --owner <id>")
+    .action((o) => logger.log(String(cryptoGetActiveKeyCount(o.owner))));
+  enc
+    .command("pending-job-count-v2")
+    .description("[V2] Count pending crypto jobs (queued+running)")
+    .option("-k, --key <keyId>")
+    .action((o) => logger.log(String(getPendingJobCountV2(o.key))));
+  enc
+    .command("auto-rotate-idle-keys-v2")
+    .description("[V2] Rotate idle active keys")
+    .option("--now <ms>")
+    .option("--json")
+    .action((o) => {
+      const list = autoRotateIdleKeysV2(
+        o.now ? { now: Number(o.now) } : undefined,
+      );
+      if (o.json) console.log(JSON.stringify(list, null, 2));
+      else logger.success(`rotated ${list.length}`);
+    });
+  enc
+    .command("auto-fail-stuck-jobs-v2")
+    .description("[V2] Fail stuck running crypto jobs")
+    .option("--now <ms>")
+    .option("--json")
+    .action((o) => {
+      const list = autoFailStuckJobsV2(
+        o.now ? { now: Number(o.now) } : undefined,
+      );
+      if (o.json) console.log(JSON.stringify(list, null, 2));
+      else logger.success(`failed ${list.length}`);
+    });
+  enc
+    .command("stats-v2")
+    .description("[V2] Show governance stats")
+    .option("--json")
+    .action(() =>
+      console.log(JSON.stringify(getCryptoManagerStatsV2(), null, 2)),
+    );
 }