cipher-security 5.0.0

package/lib/config.js

@@ -0,0 +1,213 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * config.js — YAML config reader/writer for CIPHER CLI.
+ *
+ * Mirrors the Python gateway/config.py load_config() format and precedence:
+ *   1. Environment variables (LLM_BACKEND, ANTHROPIC_API_KEY)   — highest
+ *   2. Project-root config.yaml (where pyproject.toml lives)
+ *   3. ~/.config/cipher/config.yaml                             — lowest
+ *
+ * Produces YAML that Python's yaml.safe_load() can parse identically.
+ *
+ * @module config
+ */
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { join, dirname, resolve } from 'node:path';
+import { homedir } from 'node:os';
+import { parse, stringify } from 'yaml';
+
+// ---------------------------------------------------------------------------
+// Path resolution
+// ---------------------------------------------------------------------------
+
+/**
+ * Walk up from `startDir` looking for pyproject.toml — same logic as Python's
+ * _find_project_root(). Returns the directory containing pyproject.toml, or null.
+ *
+ * @param {string} [startDir=process.cwd()]
+ * @returns {string | null}
+ */
+function findProjectRoot(startDir = process.cwd()) {
+  let current = resolve(startDir);
+  for (let i = 0; i < 20; i++) {
+    if (existsSync(join(current, 'pyproject.toml'))) {
+      return current;
+    }
+    const parent = dirname(current);
+    if (parent === current) break; // filesystem root
+    current = parent;
+  }
+  return null;
+}
+
+/**
+ * Return the two config file paths CIPHER checks.
+ *
+ * @param {{ home?: string, cwd?: string }} [opts] — overrides for testing
+ * @returns {{ userConfig: string, projectConfig: string }}
+ */
+export function getConfigPaths(opts = {}) {
+  const home = opts.home || homedir();
+  const startDir = opts.cwd || process.cwd();
+  const userConfig = join(home, '.config', 'cipher', 'config.yaml');
+  const projectRoot = findProjectRoot(startDir);
+  const projectConfig = projectRoot
+    ? join(projectRoot, 'config.yaml')
+    : join(startDir, 'config.yaml');
+  return { userConfig, projectConfig };
+}
+
+/**
+ * Check whether any config file exists (user-home or project-root).
+ *
+ * @param {{ home?: string, cwd?: string }} [opts] — overrides for testing
+ * @returns {boolean}
+ */
+export function configExists(opts) {
+  const { userConfig, projectConfig } = getConfigPaths(opts);
+  return existsSync(userConfig) || existsSync(projectConfig);
+}
+
+// ---------------------------------------------------------------------------
+// YAML file I/O
+// ---------------------------------------------------------------------------
+
+/**
+ * Safely load a YAML file. Returns empty object if missing or empty.
+ * Wraps parse errors with the file path for diagnostics.
+ *
+ * @param {string} filePath
+ * @returns {Record<string, any>}
+ */
+function loadYamlFile(filePath) {
+  if (!existsSync(filePath)) return {};
+  try {
+    const raw = readFileSync(filePath, 'utf-8');
+    const data = parse(raw);
+    return data && typeof data === 'object' && !Array.isArray(data) ? data : {};
+  } catch (err) {
+    throw new Error(
+      `Failed to parse config at ${filePath}: ${err.message}`
+    );
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Deep merge helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Deep-merge `source` into `target`. Source values override target.
+ * Only merges plain objects — arrays and primitives are replaced wholesale.
+ *
+ * @param {Record<string, any>} target
+ * @param {Record<string, any>} source
+ * @returns {Record<string, any>}
+ */
+function deepMerge(target, source) {
+  const result = { ...target };
+  for (const key of Object.keys(source)) {
+    if (
+      source[key] &&
+      typeof source[key] === 'object' &&
+      !Array.isArray(source[key]) &&
+      target[key] &&
+      typeof target[key] === 'object' &&
+      !Array.isArray(target[key])
+    ) {
+      result[key] = deepMerge(target[key], source[key]);
+    } else {
+      result[key] = source[key];
+    }
+  }
+  return result;
+}
+
+// ---------------------------------------------------------------------------
+// Load config
+// ---------------------------------------------------------------------------
+
+/**
+ * Load configuration from YAML files and environment variable overrides.
+ *
+ * Precedence (highest → lowest):
+ *   1. Environment variables
+ *   2. Project-root config.yaml
+ *   3. ~/.config/cipher/config.yaml
+ *
+ * @param {{ home?: string, cwd?: string }} [opts] — overrides for testing
+ * @returns {Record<string, any>} Plain config object matching the Python shape.
+ */
+export function loadConfig(opts) {
+  const { userConfig, projectConfig } = getConfigPaths(opts);
+
+  // Load both files — project-root overrides user-home via deep merge
+  const userData = loadYamlFile(userConfig);
+  const projectData = loadYamlFile(projectConfig);
+  const merged = deepMerge(userData, projectData);
+
+  // Apply env var overrides (highest precedence)
+  if (process.env.LLM_BACKEND) {
+    merged.llm_backend = process.env.LLM_BACKEND;
+  }
+  if (process.env.ANTHROPIC_API_KEY) {
+    if (!merged.claude || typeof merged.claude !== 'object') {
+      merged.claude = {};
+    }
+    merged.claude.api_key = process.env.ANTHROPIC_API_KEY;
+  }
+
+  return merged;
+}
+
+// ---------------------------------------------------------------------------
+// Write config
+// ---------------------------------------------------------------------------
+
+/**
+ * Write a config object as YAML. Creates parent directories if needed.
+ *
+ * @param {Record<string, any>} config — config object to write
+ * @param {string} [targetPath] — defaults to ~/.config/cipher/config.yaml
+ * @returns {string} The path that was written.
+ */
+export function writeConfig(config, targetPath) {
+  const dest = targetPath || join(homedir(), '.config', 'cipher', 'config.yaml');
+  const dir = dirname(dest);
+
+  try {
+    mkdirSync(dir, { recursive: true });
+  } catch (err) {
+    throw new Error(
+      `Failed to create config directory ${dir}: ${err.code || err.message}`
+    );
+  }
+
+  const yamlStr = stringify(config, {
+    lineWidth: 0,       // no line wrapping — matches Python's default_flow_style=False
+    nullStr: '""',      // empty strings stay as "" not null
+  });
+
+  // Add the standard header comment
+  const header = [
+    '# CIPHER Gateway Configuration',
+    `# Written by cipher setup — ${new Date().toISOString()}`,
+    '#',
+    '# Precedence: env vars > project-root config.yaml > ~/.config/cipher/config.yaml',
+    '',
+  ].join('\n');
+
+  try {
+    writeFileSync(dest, header + yamlStr, 'utf-8');
+  } catch (err) {
+    throw new Error(
+      `Failed to write config to ${dest}: ${err.code || err.message}`
+    );
+  }
+
+  return dest;
+}

package/lib/gateway/client.js

@@ -0,0 +1,309 @@
+// Copyright (c) 2026 defconxt. All rights reserved.
+// Licensed under AGPL-3.0 — see LICENSE file for details.
+// CIPHER is a trademark of defconxt.
+
+/**
+ * client.js — LLM client factory for CIPHER gateway.
+ *
+ * Ports Python gateway/client.py:
+ * - makeClient(config) → { client, model }
+ * - Claude: Anthropic SDK
+ * - Ollama: Anthropic SDK with baseURL
+ * - LiteLLM: OpenAI SDK with adapter presenting Anthropic-compatible interface
+ *
+ * All SDK imports are lazy (dynamic import()) to preserve cold start <200ms.
+ * API keys are treated as opaque strings — never logged.
+ *
+ * @module gateway/client
+ */
+
+const debug = process.env.CIPHER_DEBUG === '1'
+  ? (/** @type {string} */ msg) => process.stderr.write(`[bridge:node] ${msg}\n`)
+  : () => {};
+
+// ---------------------------------------------------------------------------
+// LiteLLM → Anthropic adapter
+// ---------------------------------------------------------------------------
+
+/**
+ * Converts Anthropic-style (system + messages) to OpenAI-style messages.
+ *
+ * @param {string|null} system
+ * @param {Array<{role: string, content: string}>} messages
+ * @returns {Array<{role: string, content: string}>}
+ */
+function toOpenAIMessages(system, messages) {
+  const result = [];
+  if (system) result.push({ role: 'system', content: system });
+  for (const msg of messages) {
+    result.push({ role: msg.role, content: msg.content });
+  }
+  return result;
+}
+
+/**
+ * Convert Anthropic tool schema to OpenAI function-calling format.
+ *
+ * Anthropic: { name, description, input_schema: {...} }
+ * OpenAI:    { type: "function", function: { name, description, parameters: {...} } }
+ *
+ * @param {Array<{name: string, description: string, input_schema: Object}>} tools
+ * @returns {Array<{type: string, function: {name: string, description: string, parameters: Object}}>}
+ */
+function toOpenAITools(tools) {
+  return tools.map(t => ({
+    type: 'function',
+    function: {
+      name: t.name,
+      description: t.description || '',
+      parameters: t.input_schema || { type: 'object', properties: {} },
+    },
+  }));
+}
+
+/**
+ * Map OpenAI finish_reason to Anthropic stop_reason.
+ * @param {string} finishReason
+ * @returns {string}
+ */
+function mapStopReason(finishReason) {
+  if (finishReason === 'tool_calls') return 'tool_use';
+  if (finishReason === 'length') return 'max_tokens';
+  return 'end_turn';
+}
+
+/**
+ * Build a LiteLLM adapter that presents an Anthropic-SDK-compatible interface.
+ *
+ * client.messages.create() and client.messages.stream() work identically
+ * to the Anthropic SDK from the Gateway's perspective.
+ *
+ * @param {Object} openaiClient - OpenAI SDK instance
+ * @param {string} model
+ * @param {number} timeout
+ * @returns {Object}
+ */
+function buildLiteLLMAdapter(openaiClient, model, timeout) {
+  return {
+    messages: {
+      /**
+       * Non-streaming completion with optional tool-use support.
+       *
+       * When `tools` is provided, forwards them to the OpenAI API in
+       * function-calling format and maps any tool_calls in the response
+       * back to Anthropic-style content blocks.
+       *
+       * @param {Object} opts
+       * @param {string} opts.model
+       * @param {number} opts.max_tokens
+       * @param {string} [opts.system]
+       * @param {Array} opts.messages
+       * @param {Array} [opts.tools] - Anthropic-format tool schemas
+       * @returns {Promise<Object>} Anthropic-shaped response
+       */
+      async create({ model: m, max_tokens, system, messages, tools }) {
+        const reqParams = {
+          model: m,
+          messages: toOpenAIMessages(system || null, messages),
+          max_tokens,
+        };
+
+        // Forward tools when provided
+        if (tools && tools.length > 0) {
+          reqParams.tools = toOpenAITools(tools);
+        }
+
+        const response = await openaiClient.chat.completions.create(reqParams);
+
+        const choice = response.choices?.[0];
+        const message = choice?.message || {};
+        const finishReason = choice?.finish_reason || 'stop';
+
+        // Build Anthropic-style content blocks
+        const content = [];
+
+        // Text content
+        if (message.content) {
+          content.push({ text: message.content, type: 'text' });
+        }
+
+        // Tool calls → Anthropic tool_use blocks
+        if (message.tool_calls && message.tool_calls.length > 0) {
+          for (const tc of message.tool_calls) {
+            let input = {};
+            try {
+              input = typeof tc.function.arguments === 'string'
+                ? JSON.parse(tc.function.arguments)
+                : tc.function.arguments || {};
+            } catch {
+              input = {};
+            }
+            content.push({
+              type: 'tool_use',
+              id: tc.id,
+              name: tc.function.name,
+              input,
+            });
+          }
+        }
+
+        // If no content blocks at all, add empty text
+        if (content.length === 0) {
+          content.push({ text: '', type: 'text' });
+        }
+
+        return {
+          content,
+          model: m,
+          role: 'assistant',
+          stop_reason: mapStopReason(finishReason),
+          usage: {
+            input_tokens: response.usage?.prompt_tokens || 0,
+            output_tokens: response.usage?.completion_tokens || 0,
+          },
+        };
+      },
+
+      /**
+       * Streaming completion — returns object with .on('text', cb) pattern.
+       *
+       * The Anthropic Node.js SDK uses .on('text', cb) for streaming.
+       * This adapter internally iterates the OpenAI stream and calls the cb.
+       *
+       * @param {Object} opts
+       * @param {string} opts.model
+       * @param {number} opts.max_tokens
+       * @param {string} [opts.system]
+       * @param {Array<{role: string, content: string}>} opts.messages
+       * @returns {Object} Stream-like object with .on() and async iteration
+       */
+      stream({ model: m, max_tokens, system, messages }) {
+        /** @type {Array<{event: string, cb: Function}>} */
+        const listeners = [];
+        let finalMessageCb = null;
+        let streamPromise = null;
+
+        const streamObj = {
+          /**
+           * Register event listener. Supported events: 'text', 'finalMessage'.
+           */
+          on(event, cb) {
+            if (event === 'finalMessage') {
+              finalMessageCb = cb;
+            } else {
+              listeners.push({ event, cb });
+            }
+            return streamObj;
+          },
+
+          /**
+           * Consume the stream — awaiting this drives the iteration.
+           */
+          async finalMessage() {
+            if (!streamPromise) {
+              streamPromise = _consumeStream();
+            }
+            return streamPromise;
+          },
+
+          /**
+           * Async iterator for text chunks.
+           */
+          async *[Symbol.asyncIterator]() {
+            const response = await openaiClient.chat.completions.create({
+              model: m,
+              messages: toOpenAIMessages(system || null, messages),
+              max_tokens,
+              stream: true,
+            });
+
+            for await (const chunk of response) {
+              const delta = chunk.choices?.[0]?.delta?.content;
+              if (delta) yield delta;
+            }
+          },
+        };
+
+        async function _consumeStream() {
+          const fullText = [];
+          const response = await openaiClient.chat.completions.create({
+            model: m,
+            messages: toOpenAIMessages(system || null, messages),
+            max_tokens,
+            stream: true,
+          });
+
+          for await (const chunk of response) {
+            const delta = chunk.choices?.[0]?.delta?.content;
+            if (delta) {
+              fullText.push(delta);
+              for (const { event, cb } of listeners) {
+                if (event === 'text') cb(delta);
+              }
+            }
+          }
+
+          const msg = {
+            content: [{ text: fullText.join(''), type: 'text' }],
+            model: m,
+            role: 'assistant',
+          };
+
+          if (finalMessageCb) finalMessageCb(msg);
+          return msg;
+        }
+
+        return streamObj;
+      },
+    },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Public factory
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a client for the configured backend.
+ *
+ * All SDK imports are lazy — called only when this function runs.
+ *
+ * @param {import('./config-validate.js').GatewayConfig} config
+ * @returns {Promise<{client: Object, model: string}>}
+ */
+export async function makeClient(config) {
+  if (config.backend === 'ollama') {
+    const { default: Anthropic } = await import('@anthropic-ai/sdk');
+    const client = new Anthropic({
+      baseURL: config.ollama_base_url,
+      apiKey: 'ollama', // Ollama ignores the key; SDK constructor requires it
+      timeout: config.ollama_timeout * 1000, // SDK expects milliseconds
+    });
+    debug(`client: ollama at ${config.ollama_base_url}, model=${config.ollama_model}`);
+    return { client, model: config.ollama_model };
+  }
+
+  if (config.backend === 'litellm') {
+    const { default: OpenAI } = await import('openai');
+    const openaiClient = new OpenAI({
+      apiKey: config.litellm_api_key || 'unused',
+      baseURL: config.litellm_api_base || undefined,
+      timeout: config.litellm_timeout * 1000,
+    });
+    const client = buildLiteLLMAdapter(openaiClient, config.litellm_model, config.litellm_timeout);
+    debug(`client: litellm, model=${config.litellm_model}`);
+    return { client, model: config.litellm_model };
+  }
+
+  // backend === 'claude'
+  const { default: Anthropic } = await import('@anthropic-ai/sdk');
+  const client = new Anthropic({
+    apiKey: config.claude_api_key,
+    timeout: config.claude_timeout * 1000,
+  });
+  debug(`client: claude, model=${config.claude_model}`);
+  return { client, model: config.claude_model };
+}
+
+// Exported for testing only
+export { buildLiteLLMAdapter as _buildLiteLLMAdapter };