enya-agent 0.1.0

package/crates/enact-config/src/lib.rs

@@ -0,0 +1,298 @@
+//! Enact Configuration Management
+//!
+//! Unified configuration management for Enact with:
+//! - Environment variable support for secrets (checks `ENACT_*` env vars first)
+//! - OS keychain for secrets (API keys, tokens, credentials) with fallback support
+//! - Encrypted file storage for settings (feature flags, timeouts, preferences)
+//! - Cloud sync for authenticated users (respects air-gapped mode)
+//!
+//! # Example
+//!
+//! ```rust,no_run
+//! use enact_config::{ConfigManager, RuntimeMode, default_config_path};
+//!
+//! # async fn example() -> anyhow::Result<()> {
+//! let config_path = default_config_path()?;
+//! let manager = ConfigManager::new(config_path).await?;
+//!
+//! // Load configuration
+//! let config = manager.load().await?;
+//!
+//! // Set a secret (stored in keychain)
+//! manager.set_secret("providers.azure.apiKey", "your-api-key").await?;
+//!
+//! // Set a setting (stored in encrypted file)
+//! let mut config = manager.load().await?;
+//! config.runtime.mode = RuntimeMode::Local;
+//! manager.save(&config).await?;
+//!
+//! // Save configuration
+//! manager.save(&config).await?;
+//! # Ok(())
+//! # }
+//! ```
+
+pub mod config;
+pub mod encrypted_store;
+pub mod secrets;
+pub mod sync;
+
+pub use config::*;
+pub use encrypted_store::{default_config_path, EncryptedStore};
+pub use secrets::SecretManager;
+pub use sync::{SyncManager, SyncStatus};
+
+use anyhow::{Context, Result};
+use serde_json;
+use std::path::PathBuf;
+use tracing::{debug, info};
+
+/// Main configuration manager
+pub struct ConfigManager {
+    encrypted_store: EncryptedStore,
+    secrets: SecretManager,
+    sync_manager: Option<SyncManager>,
+}
+
+impl ConfigManager {
+    /// Create a new configuration manager
+    ///
+    /// # Arguments
+    /// * `config_path` - Path to the encrypted config file
+    pub async fn new(config_path: impl Into<PathBuf>) -> Result<Self> {
+        let config_path = config_path.into();
+
+        // In test mode, we might want mock store
+        if std::env::var("ENACT_USE_MOCK_SECRET_STORE").is_ok()
+            || std::env::var("CARGO_TARGET_TMPDIR").is_ok()
+        {
+            return Self::new_with_mock_secrets(config_path).await;
+        }
+
+        #[cfg(test)]
+        {
+            return Self::new_with_mock_secrets(config_path).await;
+        }
+
+        #[cfg(not(test))]
+        {
+            // Always use SecretManager which handles env vars and .env files
+            // No more OS keychain prompts!
+            let secrets = SecretManager::new();
+            // For EncryptedStore, we need to pass the secret manager if it uses it for encryption keys?
+            // EncryptedStore used to take KeychainManager to store the master key.
+            // Now that we don't have keychain, where does EncryptedStore get the master key?
+            // Usually it generates one and stores it in keychain.
+            // If keychain is gone, we must store the master key in .env? ENACT_MASTER_KEY?
+
+            // I need to check EncryptedStore implementation. It likely calls `keychain.get("enact.master.key")`.
+            // With SecretManager, it will look for ENACT_ENACT_MASTER_KEY in env.
+            // If not found, EncryptedStore usually generates it. But it can't save it back to env.
+            // So EncryptedStore setup might fail or generate a new key every time if not in .env.
+            // This effectively means configuration is ephemeral unless ENACT_MASTER_KEY is set.
+
+            // I'll proceed with updating ConfigManager, and then I MUST check EncryptedStore.
+
+            let encrypted_store =
+                EncryptedStore::new(&config_path).context("Failed to create encrypted store")?;
+
+            Ok(Self {
+                encrypted_store,
+                secrets,
+                sync_manager: None,
+            })
+        }
+    }
+
+    /// Create a new configuration manager with a mock secrets for testing
+    pub async fn new_with_mock_secrets(config_path: impl Into<PathBuf>) -> Result<Self> {
+        let config_path = config_path.into();
+        let mock_secrets = SecretManager::new_mock();
+        // EncryptedStore needs to be updated to take SecretManager
+        // For now, assume EncryptedStore still expects KeychainManager?
+        // I need to update EncryptedStore too!
+
+        // This tool call only updates lib.rs. I'll need to update encrypted_store.rs next.
+        // I will temporarily comment out EncryptedStore usage here or assume it's updated.
+        // But `EncryptedStore::with_keychain` signature will change.
+
+        // Let's assume I will rename `with_keychain` to `with_secrets`.
+        let encrypted_store = EncryptedStore::with_secrets(&config_path, mock_secrets.clone())
+            .context("Failed to create encrypted store")?;
+
+        Ok(Self {
+            encrypted_store,
+            secrets: mock_secrets,
+            sync_manager: None,
+        })
+    }
+
+    /// Create a configuration manager with cloud sync enabled
+    pub async fn with_sync(
+        config_path: impl Into<PathBuf>,
+        api_url: Option<String>,
+        tenant_id: Option<String>,
+        auto_sync: bool,
+        runtime_mode: RuntimeMode,
+    ) -> Result<Self> {
+        let mut manager = Self::new(config_path).await?;
+        manager.sync_manager = Some(SyncManager::new(
+            api_url,
+            tenant_id,
+            auto_sync,
+            runtime_mode,
+        ));
+
+        let mut config = manager.load().await?;
+        let mut changed = false;
+        if config.runtime.mode != runtime_mode {
+            config.runtime.mode = runtime_mode;
+            changed = true;
+        }
+
+        if matches!(runtime_mode, RuntimeMode::AirGapped) && config.runtime.allow_network {
+            config.runtime.allow_network = false;
+            changed = true;
+        }
+
+        if changed {
+            manager.save(&config).await?;
+        }
+
+        Ok(manager)
+    }
+
+    /// Load configuration from encrypted file
+    pub async fn load(&self) -> Result<Config> {
+        match self.encrypted_store.load()? {
+            Some(json) => {
+                let config: Config =
+                    serde_json::from_str(&json).context("Failed to parse configuration")?;
+                debug!("Loaded configuration from encrypted store");
+                Ok(config)
+            }
+            None => {
+                debug!("No configuration found, using defaults");
+                Ok(Config::default())
+            }
+        }
+    }
+
+    /// Save configuration to encrypted file
+    pub async fn save(&self, config: &Config) -> Result<()> {
+        let json =
+            serde_json::to_string_pretty(config).context("Failed to serialize configuration")?;
+
+        self.encrypted_store.save(&json)?;
+
+        // Auto-sync to cloud if enabled
+        if let Some(ref sync_manager) = self.sync_manager {
+            if sync_manager.is_enabled() {
+                info!("Auto-syncing configuration to cloud");
+                if let Err(e) = sync_manager.sync_to_cloud(config).await {
+                    tracing::warn!("Failed to sync configuration to cloud: {}", e);
+                }
+            }
+        }
+
+        Ok(())
+    }
+
+    /// Set a secret value
+    /// Note: With SecretManager, this might fail if not using mock store.
+    /// Users should set secrets in .env.
+    pub async fn set_secret(&self, key: &str, value: &str) -> Result<()> {
+        self.secrets.set(key, value)?;
+        debug!("Set secret: {}", key);
+        Ok(())
+    }
+
+    /// Get a secret value
+    pub async fn get_secret(&self, key: &str) -> Result<Option<String>> {
+        self.secrets.get(key)
+    }
+
+    /// Delete a secret
+    pub async fn delete_secret(&self, key: &str) -> Result<()> {
+        self.secrets.delete(key)?;
+        debug!("Deleted secret: {}", key);
+        Ok(())
+    }
+
+    /// Sync configuration from cloud
+    pub async fn sync_from_cloud(&self) -> Result<Option<Config>> {
+        if let Some(ref sync_manager) = self.sync_manager {
+            sync_manager.sync_from_cloud().await
+        } else {
+            Ok(None)
+        }
+    }
+
+    /// Sync configuration to cloud
+    pub async fn sync_to_cloud(&self, config: &Config) -> Result<Option<sync::SyncResponse>> {
+        if let Some(ref sync_manager) = self.sync_manager {
+            sync_manager.sync_to_cloud(config).await
+        } else {
+            Ok(None)
+        }
+    }
+
+    /// Get sync status
+    pub fn sync_status(&self) -> SyncStatus {
+        self.sync_manager
+            .as_ref()
+            .map(|m| m.status())
+            .unwrap_or(SyncStatus::Disabled)
+    }
+
+    /// Get the config file path
+    pub fn config_path(&self) -> &std::path::Path {
+        self.encrypted_store.config_path()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use tempfile::TempDir;
+
+    #[tokio::test]
+    async fn test_config_manager() {
+        let temp_dir = TempDir::new().unwrap();
+        let config_path = temp_dir.path().join("test_config.encrypted");
+        let manager = ConfigManager::new_with_mock_secrets(&config_path)
+            .await
+            .unwrap();
+
+        // Test default config
+        let config = manager.load().await.unwrap();
+        assert_eq!(config.runtime.mode, RuntimeMode::Local);
+
+        // Test save and load
+        let mut config = Config::default();
+        config.runtime.mode = RuntimeMode::AirGapped;
+        manager.save(&config).await.unwrap();
+
+        let loaded = manager.load().await.unwrap();
+        assert_eq!(loaded.runtime.mode, RuntimeMode::AirGapped);
+    }
+
+    #[tokio::test]
+    async fn test_secret_management() {
+        let temp_dir = TempDir::new().unwrap();
+        let config_path = temp_dir.path().join("test_config.encrypted");
+        let manager = ConfigManager::new_with_mock_secrets(&config_path)
+            .await
+            .unwrap();
+
+        // Test set and get secret
+        manager.set_secret("test.key", "test_value").await.unwrap();
+        let value = manager.get_secret("test.key").await.unwrap();
+        assert_eq!(value, Some("test_value".to_string()));
+
+        // Test delete
+        manager.delete_secret("test.key").await.unwrap();
+        let value = manager.get_secret("test.key").await.unwrap();
+        assert_eq!(value, None);
+    }
+}

package/crates/enact-config/src/secrets.rs

@@ -0,0 +1,149 @@
+//! Secrets Management - Environment variable based storage for secrets
+//!
+//! Replaces OS keychain with .env file support as requested by user.
+//! Secrets are read from:
+//! 1. Environment variables directly
+//! 2. .env file loaded at startup
+//!
+//! Setting secrets via API is no longer supported (must be set in .env or environment).
+
+use anyhow::Result;
+use dotenv::dotenv;
+use std::collections::HashMap;
+use std::sync::{Arc, Mutex};
+use tracing::{debug, warn};
+
+/// Convert a key identifier to an environment variable name
+///
+/// Converts keys like `providers.azure.apiKey` to `ENACT_PROVIDERS_AZURE_APIKEY`
+fn key_to_env_var_name(key: &str) -> String {
+    let env_name = key.to_uppercase().replace('.', "_");
+    format!("ENACT_{}", env_name)
+}
+
+/// Get legacy environment variable names for a given config key
+fn get_legacy_env_vars(key: &str) -> Option<Vec<&'static str>> {
+    match key {
+        "providers.azure.apiKey" => Some(vec!["AZURE_OPENAI_API_KEY", "AZURE_API_KEY"]),
+        "providers.azure.endpoint" => {
+            Some(vec!["AZURE_OPENAI_ENDPOINT", "AZURE_OPENAI_API_ENDPOINT"])
+        }
+        "providers.azure.deploymentName" => Some(vec![
+            "AZURE_OPENAI_DEPLOYMENT",
+            "AZURE_OPENAI_DEPLOYMENT_NAME",
+        ]),
+        "providers.azure.apiVersion" => Some(vec!["AZURE_OPENAI_API_VERSION"]),
+        "providers.anthropic.apiKey" => Some(vec!["ANTHROPIC_API_KEY"]),
+        "providers.openai.apiKey" => Some(vec!["OPENAI_API_KEY"]),
+        "providers.google.apiKey" => Some(vec!["GOOGLE_AI_API_KEY", "GOOGLE_API_KEY"]),
+        "providers.ollama.baseUrl" => Some(vec!["OLLAMA_BASE_URL"]),
+        "storage.eventStore.dsn" => Some(vec!["DATABASE_URL"]),
+        "storage.cache.url" => Some(vec!["REDIS_URL"]),
+        _ => None,
+    }
+}
+
+/// Secret manager for retrieving secrets from environment
+#[derive(Clone)]
+pub struct SecretManager {
+    mock_store: Option<Arc<Mutex<HashMap<String, String>>>>,
+}
+
+impl SecretManager {
+    /// Create a new secret manager
+    pub fn new() -> Self {
+        // Load .env file if present
+        if let Err(e) = dotenv() {
+            debug!("No .env file found or error loading it: {}", e);
+        } else {
+            debug!("Loaded .env file");
+        }
+
+        Self { mock_store: None }
+    }
+
+    /// Create a new secret manager with in-memory mock storage for testing
+    pub fn new_mock() -> Self {
+        Self {
+            mock_store: Some(Arc::new(Mutex::new(HashMap::new()))),
+        }
+    }
+
+    /// Set a secret (only supported in mock mode)
+    ///
+    /// In production, secrets must be set via environment variables.
+    pub fn set(&self, key: &str, value: &str) -> Result<()> {
+        if let Some(ref store) = self.mock_store {
+            let mut map = store.lock().unwrap();
+            map.insert(key.to_string(), value.to_string());
+            debug!("Stored secret in mock store: {}", key);
+            return Ok(());
+        }
+
+        // We cannot write to environment variables persistently from here.
+        // Warn the user or return error?
+        // Returning error is safer to indicate this operation is not supported.
+        warn!("Setting secrets programmatically is not supported with .env auth. Please update your .env file or environment manually.");
+        Err(anyhow::anyhow!(
+            "Setting secrets is not supported in .env mode"
+        ))
+    }
+
+    /// Retrieve a secret
+    ///
+    /// Checks mock store first (if enabled), then environment variables.
+    pub fn get(&self, key: &str) -> Result<Option<String>> {
+        // Check mock store first if enabled
+        if let Some(ref store) = self.mock_store {
+            let map = store.lock().unwrap();
+            let value = map.get(key).cloned();
+            return Ok(value);
+        }
+
+        // Check for environment variable (standard enactment format)
+        let env_var_name = key_to_env_var_name(key);
+        if let Ok(value) = std::env::var(&env_var_name) {
+            debug!(
+                "Retrieved secret from environment variable {}: {}",
+                env_var_name, key
+            );
+            return Ok(Some(value));
+        }
+
+        // Check for legacy/alternative environment variables
+        // This allows standard .env files to work without renaming keys
+        if let Some(legacy_vars) = get_legacy_env_vars(key) {
+            for legacy_var in legacy_vars {
+                if let Ok(value) = std::env::var(legacy_var) {
+                    debug!(
+                        "Retrieved secret from legacy environment variable {}: {}",
+                        legacy_var, key
+                    );
+                    return Ok(Some(value));
+                }
+            }
+        }
+
+        // Not found
+        Ok(None)
+    }
+
+    /// Delete a secret (only supported in mock mode)
+    pub fn delete(&self, key: &str) -> Result<()> {
+        if let Some(ref store) = self.mock_store {
+            let mut map = store.lock().unwrap();
+            map.remove(key);
+            return Ok(());
+        }
+
+        Err(anyhow::anyhow!(
+            "Deleting secrets is not supported in .env mode"
+        ))
+    }
+}
+
+impl Default for SecretManager {
+    fn default() -> Self {
+        Self::new()
+    }
+}

package/crates/enact-config/src/sync.rs

@@ -0,0 +1,260 @@
+//! Cloud Sync - Automatic configuration synchronization
+//!
+//! Syncs configuration between local and cloud for authenticated users.
+//! Respects air-gapped mode (no sync when runtime.mode === "airgapped").
+
+use anyhow::{Context, Result};
+use serde::{Deserialize, Serialize};
+use tracing::{debug, warn};
+
+use crate::config::{Config, RuntimeMode};
+
+/// Sync status
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SyncStatus {
+    /// Sync is enabled and active
+    Enabled,
+    /// Sync is disabled (air-gapped mode or not authenticated)
+    Disabled,
+    /// Sync is in progress
+    Syncing,
+    /// Sync failed
+    Failed,
+}
+
+/// Cloud sync manager
+pub struct SyncManager {
+    api_url: Option<String>,
+    tenant_id: Option<String>,
+    auto_sync: bool,
+    runtime_mode: RuntimeMode,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct SyncRequest {
+    tenant_id: String,
+    config: Config,
+    timestamp: i64,
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+pub struct SyncResponse {
+    pub config: Config,
+    pub timestamp: i64,
+    pub conflicts: Vec<String>,
+}
+
+impl SyncManager {
+    /// Create a new sync manager
+    pub fn new(
+        api_url: Option<String>,
+        tenant_id: Option<String>,
+        auto_sync: bool,
+        runtime_mode: RuntimeMode,
+    ) -> Self {
+        Self {
+            api_url,
+            tenant_id,
+            auto_sync,
+            runtime_mode,
+        }
+    }
+
+    /// Check if sync is enabled
+    ///
+    /// Sync is enabled only if:
+    /// - auto_sync is true
+    /// - runtime_mode is not "airgapped"
+    /// - api_url and tenant_id are set
+    pub fn is_enabled(&self) -> bool {
+        if !self.auto_sync {
+            return false;
+        }
+
+        if matches!(self.runtime_mode, RuntimeMode::AirGapped) {
+            debug!("Sync disabled: air-gapped mode");
+            return false;
+        }
+
+        if self.api_url.is_none() || self.tenant_id.is_none() {
+            debug!("Sync disabled: missing API URL or tenant ID");
+            return false;
+        }
+
+        true
+    }
+
+    /// Get sync status
+    pub fn status(&self) -> SyncStatus {
+        if self.is_enabled() {
+            SyncStatus::Enabled
+        } else {
+            SyncStatus::Disabled
+        }
+    }
+
+    /// Sync configuration to cloud
+    ///
+    /// # Arguments
+    /// * `config` - The configuration to sync
+    ///
+    /// # Returns
+    /// * `Ok(Some(response))` if sync was successful
+    /// * `Ok(None)` if sync is disabled
+    /// * `Err` if there was an error syncing
+    pub async fn sync_to_cloud(&self, config: &Config) -> Result<Option<SyncResponse>> {
+        if !self.is_enabled() {
+            return Ok(None);
+        }
+
+        let api_url = self.api_url.as_ref().unwrap();
+        let tenant_id = self.tenant_id.as_ref().unwrap();
+
+        let sync_request = SyncRequest {
+            tenant_id: tenant_id.clone(),
+            config: config.clone(),
+            timestamp: chrono::Utc::now().timestamp(),
+        };
+
+        let client = reqwest::Client::new();
+        let url = format!("{}/api/v1/config/sync", api_url);
+
+        debug!("Syncing configuration to cloud: {}", url);
+
+        let response = client
+            .post(&url)
+            .json(&sync_request)
+            .send()
+            .await
+            .context("Failed to send sync request")?;
+
+        if !response.status().is_success() {
+            let status = response.status();
+            let error_text = response.text().await.unwrap_or_default();
+            return Err(anyhow::anyhow!(
+                "Sync failed with status {}: {}",
+                status,
+                error_text
+            ));
+        }
+
+        let sync_response: SyncResponse = response
+            .json()
+            .await
+            .context("Failed to parse sync response")?;
+
+        if !sync_response.conflicts.is_empty() {
+            warn!(
+                "Configuration conflicts detected: {:?}",
+                sync_response.conflicts
+            );
+        }
+
+        debug!("Configuration synced successfully");
+        Ok(Some(sync_response))
+    }
+
+    /// Sync configuration from cloud
+    ///
+    /// # Returns
+    /// * `Ok(Some(config))` if sync was successful
+    /// * `Ok(None)` if sync is disabled
+    /// * `Err` if there was an error syncing
+    pub async fn sync_from_cloud(&self) -> Result<Option<Config>> {
+        if !self.is_enabled() {
+            return Ok(None);
+        }
+
+        let api_url = self.api_url.as_ref().unwrap();
+        let tenant_id = self.tenant_id.as_ref().unwrap();
+
+        let client = reqwest::Client::new();
+        let url = format!("{}/api/v1/config/sync?tenant_id={}", api_url, tenant_id);
+
+        debug!("Syncing configuration from cloud: {}", url);
+
+        let response = client
+            .get(&url)
+            .send()
+            .await
+            .context("Failed to send sync request")?;
+
+        if !response.status().is_success() {
+            let status = response.status();
+            let error_text = response.text().await.unwrap_or_default();
+            return Err(anyhow::anyhow!(
+                "Sync failed with status {}: {}",
+                status,
+                error_text
+            ));
+        }
+
+        let sync_response: SyncResponse = response
+            .json()
+            .await
+            .context("Failed to parse sync response")?;
+
+        debug!("Configuration synced from cloud successfully");
+        Ok(Some(sync_response.config))
+    }
+
+    /// Resolve conflicts using last-write-wins strategy
+    ///
+    /// # Arguments
+    /// * `local_config` - Local configuration
+    /// * `cloud_config` - Cloud configuration
+    /// * `conflicts` - List of conflicting keys
+    ///
+    /// # Returns
+    /// * Merged configuration with conflicts resolved
+    pub fn resolve_conflicts(
+        &self,
+        _local_config: &Config,
+        cloud_config: &Config,
+        conflicts: &[String],
+    ) -> Config {
+        // For now, use last-write-wins (cloud wins)
+        // In the future, this could be more sophisticated
+        warn!(
+            "Resolving {} conflicts using last-write-wins (cloud wins)",
+            conflicts.len()
+        );
+        cloud_config.clone()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_sync_enabled() {
+        let manager = SyncManager::new(
+            Some("https://api.example.com".to_string()),
+            Some("tenant-123".to_string()),
+            true,
+            RuntimeMode::Local,
+        );
+        assert!(manager.is_enabled());
+        assert_eq!(manager.status(), SyncStatus::Enabled);
+    }
+
+    #[test]
+    fn test_sync_disabled_airgapped() {
+        let manager = SyncManager::new(
+            Some("https://api.example.com".to_string()),
+            Some("tenant-123".to_string()),
+            true,
+            RuntimeMode::AirGapped,
+        );
+        assert!(!manager.is_enabled());
+        assert_eq!(manager.status(), SyncStatus::Disabled);
+    }
+
+    #[test]
+    fn test_sync_disabled_no_auth() {
+        let manager = SyncManager::new(None, None, true, RuntimeMode::Local);
+        assert!(!manager.is_enabled());
+        assert_eq!(manager.status(), SyncStatus::Disabled);
+    }
+}