icopilot 2.2.0

package/dist/security/proxy.js

@@ -0,0 +1,301 @@
+import fs from 'node:fs';
+import http from 'node:http';
+import https from 'node:https';
+import os from 'node:os';
+import path from 'node:path';
+import { ProxyAgent } from 'proxy-agent';
+import { config } from '../config.js';
+const PROXY_PATH_ENV = 'ICOPILOT_PROXY_PATH';
+export class ProxyManager {
+    static singleton = new ProxyManager();
+    currentConfig = null;
+    currentSource = null;
+    cachedAgent = null;
+    cachedAgentKey = null;
+    static shared() {
+        return ProxyManager.singleton;
+    }
+    static parseProxyUrl(raw) {
+        let parsed;
+        try {
+            parsed = new URL(raw);
+        }
+        catch {
+            throw new Error('proxy URL must be a valid absolute URL');
+        }
+        const type = protocolToType(parsed.protocol);
+        const host = parsed.hostname.trim();
+        if (!host)
+            throw new Error('proxy host is required');
+        const port = parsed.port ? Number(parsed.port) : defaultPortForType(type);
+        if (!Number.isInteger(port) || port < 1 || port > 65_535) {
+            throw new Error('proxy port must be between 1 and 65535');
+        }
+        const auth = parsed.username.length > 0
+            ? {
+                username: decodeURIComponent(parsed.username),
+                ...(parsed.password ? { password: decodeURIComponent(parsed.password) } : {}),
+            }
+            : undefined;
+        return { type, host, port, ...(auth ? { auth } : {}) };
+    }
+    loadConfig() {
+        const envConfig = readEnvProxyConfig();
+        const fileConfig = envConfig ? null : readProxyConfigFile(this.configPath());
+        const noProxy = readNoProxyEnv();
+        const active = cloneConfig(envConfig ?? fileConfig);
+        if (active && noProxy !== undefined) {
+            active.noProxy = noProxy;
+        }
+        this.currentConfig = active;
+        this.currentSource = envConfig ? 'env' : fileConfig ? 'file' : null;
+        return cloneConfig(active);
+    }
+    setProxy(config) {
+        const normalized = normalizeProxyConfig(config);
+        const file = this.configPath();
+        fs.mkdirSync(path.dirname(file), { recursive: true });
+        fs.writeFileSync(file, `${JSON.stringify(normalized, null, 2)}\n`, 'utf8');
+        this.currentConfig = cloneConfig(normalized);
+        this.currentSource = 'file';
+        this.resetAgentCache();
+        return cloneConfig(normalized);
+    }
+    clearProxy() {
+        const file = this.configPath();
+        fs.rmSync(file, { force: true });
+        this.currentConfig = null;
+        this.currentSource = null;
+        this.resetAgentCache();
+    }
+    getAgent(targetUrl) {
+        const active = this.loadConfig();
+        if (!active)
+            return undefined;
+        if (targetUrl && !this.isProxied(targetUrl, active))
+            return undefined;
+        const agentKey = JSON.stringify(active);
+        if (this.cachedAgent && this.cachedAgentKey === agentKey) {
+            return this.cachedAgent;
+        }
+        const proxyUrl = proxyConfigToUrl(active);
+        this.cachedAgent = new ProxyAgent({
+            getProxyForUrl: (url) => (this.isProxied(url, active) ? proxyUrl : ''),
+        });
+        this.cachedAgentKey = agentKey;
+        return this.cachedAgent;
+    }
+    isProxied(targetUrl, active = this.loadConfig()) {
+        if (!active)
+            return false;
+        let parsed;
+        try {
+            parsed = new URL(targetUrl);
+        }
+        catch {
+            return false;
+        }
+        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:')
+            return false;
+        return !matchesNoProxy(parsed, active.noProxy ?? []);
+    }
+    async testConnection(targetUrl = config.endpoint) {
+        const proxied = this.isProxied(targetUrl);
+        let parsed;
+        try {
+            parsed = new URL(targetUrl);
+        }
+        catch {
+            return { ok: false, proxied, url: targetUrl, error: 'invalid target URL' };
+        }
+        const agent = this.getAgent(targetUrl);
+        const transport = parsed.protocol === 'http:' ? http : https;
+        return new Promise((resolve) => {
+            const req = transport.request(parsed, {
+                method: 'GET',
+                agent,
+                headers: { 'user-agent': 'icopilot-proxy-test/1.0' },
+                timeout: 5_000,
+            }, (res) => {
+                res.resume();
+                resolve({
+                    ok: true,
+                    proxied,
+                    status: res.statusCode,
+                    url: targetUrl,
+                });
+            });
+            req.on('timeout', () => req.destroy(new Error('request timed out')));
+            req.on('error', (error) => {
+                resolve({
+                    ok: false,
+                    proxied,
+                    url: targetUrl,
+                    error: error.message,
+                });
+            });
+            req.end();
+        });
+    }
+    getSource() {
+        return this.currentSource;
+    }
+    getConfigPath() {
+        return this.configPath();
+    }
+    configPath() {
+        return process.env[PROXY_PATH_ENV] || path.join(os.homedir(), '.icopilot', 'proxy.json');
+    }
+    resetAgentCache() {
+        this.cachedAgent?.destroy();
+        this.cachedAgent = null;
+        this.cachedAgentKey = null;
+    }
+}
+function readEnvProxyConfig() {
+    const raw = process.env.HTTPS_PROXY ??
+        process.env.https_proxy ??
+        process.env.HTTP_PROXY ??
+        process.env.http_proxy;
+    if (!raw)
+        return null;
+    return normalizeProxyConfig(ProxyManager.parseProxyUrl(raw));
+}
+function readNoProxyEnv() {
+    const raw = process.env.NO_PROXY ?? process.env.no_proxy;
+    if (raw === undefined)
+        return undefined;
+    return parseNoProxy(raw);
+}
+function readProxyConfigFile(file) {
+    if (!fs.existsSync(file))
+        return null;
+    try {
+        const parsed = JSON.parse(fs.readFileSync(file, 'utf8'));
+        return normalizeProxyConfig(parsed);
+    }
+    catch {
+        return null;
+    }
+}
+function normalizeProxyConfig(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw new Error('proxy config must be an object');
+    }
+    const record = value;
+    const type = normalizeProxyType(record.type);
+    if (!type)
+        throw new Error('proxy type must be http, https, or socks5');
+    const host = typeof record.host === 'string' ? record.host.trim() : '';
+    if (!host)
+        throw new Error('proxy host is required');
+    const port = typeof record.port === 'number' ? record.port : Number(record.port);
+    if (!Number.isInteger(port) || port < 1 || port > 65_535) {
+        throw new Error('proxy port must be between 1 and 65535');
+    }
+    const auth = normalizeProxyAuth(record.auth);
+    const noProxy = normalizeNoProxy(record.noProxy);
+    return {
+        type,
+        host,
+        port,
+        ...(auth ? { auth } : {}),
+        ...(noProxy.length ? { noProxy } : {}),
+    };
+}
+function normalizeProxyType(value) {
+    if (value === 'http' || value === 'https' || value === 'socks5')
+        return value;
+    return null;
+}
+function normalizeProxyAuth(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value))
+        return undefined;
+    const auth = value;
+    const username = typeof auth.username === 'string' ? auth.username : '';
+    if (!username)
+        return undefined;
+    const password = typeof auth.password === 'string' ? auth.password : undefined;
+    return password ? { username, password } : { username };
+}
+function normalizeNoProxy(value) {
+    if (typeof value === 'string')
+        return parseNoProxy(value);
+    if (!Array.isArray(value))
+        return [];
+    return value
+        .filter((entry) => typeof entry === 'string')
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+}
+function parseNoProxy(raw) {
+    return raw
+        .split(',')
+        .map((entry) => entry.trim())
+        .filter(Boolean);
+}
+function protocolToType(protocol) {
+    switch (protocol.toLowerCase()) {
+        case 'http:':
+            return 'http';
+        case 'https:':
+            return 'https';
+        case 'socks5:':
+        case 'socks:':
+            return 'socks5';
+        default:
+            throw new Error('proxy protocol must be http, https, or socks5');
+    }
+}
+function defaultPortForType(type) {
+    switch (type) {
+        case 'http':
+            return 80;
+        case 'https':
+            return 443;
+        case 'socks5':
+            return 1080;
+    }
+}
+function proxyConfigToUrl(proxy) {
+    const auth = proxy.auth?.username
+        ? `${encodeURIComponent(proxy.auth.username)}${proxy.auth.password ? `:${encodeURIComponent(proxy.auth.password)}` : ''}@`
+        : '';
+    return `${proxy.type}://${auth}${proxy.host}:${proxy.port}`;
+}
+function matchesNoProxy(target, rules) {
+    const hostname = target.hostname.toLowerCase();
+    const port = target.port || defaultPortForProtocol(target.protocol);
+    return rules.some((rule) => matchesNoProxyRule(hostname, port, rule));
+}
+function matchesNoProxyRule(hostname, port, rawRule) {
+    const rule = rawRule.trim().toLowerCase();
+    if (!rule)
+        return false;
+    if (rule === '*')
+        return true;
+    const separator = rule.lastIndexOf(':');
+    const hasPort = separator > -1 && /^\d+$/.test(rule.slice(separator + 1));
+    const ruleHost = hasPort ? rule.slice(0, separator) : rule;
+    const rulePort = hasPort ? rule.slice(separator + 1) : '';
+    if (rulePort && rulePort !== port)
+        return false;
+    const bareHost = ruleHost.replace(/^\*\./, '.');
+    if (bareHost.startsWith('.')) {
+        const suffix = bareHost.slice(1);
+        return hostname === suffix || hostname.endsWith(`.${suffix}`);
+    }
+    return hostname === bareHost || hostname.endsWith(`.${bareHost}`);
+}
+function defaultPortForProtocol(protocol) {
+    return protocol === 'http:' ? '80' : protocol === 'https:' ? '443' : '';
+}
+function cloneConfig(config) {
+    if (!config)
+        return null;
+    return {
+        ...config,
+        ...(config.auth ? { auth: { ...config.auth } } : {}),
+        ...(config.noProxy ? { noProxy: [...config.noProxy] } : {}),
+    };
+}

package/dist/security/retention.js

@@ -0,0 +1,281 @@
+import fs from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { parse, stringify } from 'yaml';
+import { config } from '../config.js';
+import { auditLogPath } from './audit.js';
+import { theme } from '../ui/theme.js';
+const CONCRETE_TARGETS = ['sessions', 'audit', 'memory'];
+export function retentionConfigPath() {
+    return path.join(os.homedir(), '.icopilot', 'retention.yaml');
+}
+export class RetentionManager {
+    configPath;
+    sessionDir;
+    auditPath;
+    memoryDir;
+    now;
+    constructor(options = {}) {
+        this.configPath = path.resolve(options.configPath ?? retentionConfigPath());
+        this.sessionDir = path.resolve(options.sessionDir ?? config.sessionDir);
+        this.auditPath = path.resolve(options.auditPath ?? auditLogPath());
+        this.memoryDir = path.resolve(options.memoryDir ?? path.join(os.homedir(), '.icopilot', 'memory'));
+        this.now = options.now ?? (() => new Date());
+    }
+    loadPolicies() {
+        try {
+            if (!fs.existsSync(this.configPath))
+                return [];
+            const raw = parse(fs.readFileSync(this.configPath, 'utf8'));
+            const source = Array.isArray(raw)
+                ? raw
+                : raw && typeof raw === 'object' && Array.isArray(raw.policies)
+                    ? raw.policies
+                    : [];
+            const normalized = source
+                .map(normalizePolicy)
+                .filter((policy) => policy !== null);
+            return dedupePolicies(normalized);
+        }
+        catch {
+            return [];
+        }
+    }
+    setPolicy(policy) {
+        const normalized = normalizePolicy(policy);
+        if (!normalized) {
+            throw new Error('Invalid retention policy.');
+        }
+        const next = dedupePolicies([
+            ...this.loadPolicies().filter((entry) => entry.target !== normalized.target),
+            normalized,
+        ]);
+        fs.mkdirSync(path.dirname(this.configPath), { recursive: true });
+        fs.writeFileSync(this.configPath, stringify({ policies: next }), 'utf8');
+        return next;
+    }
+    preview() {
+        const expired = this.getExpired('all');
+        return {
+            policies: this.loadPolicies(),
+            expired,
+            totals: this.buildTotals(expired),
+        };
+    }
+    enforce() {
+        const preview = this.preview();
+        const deleted = [];
+        const errors = [];
+        for (const candidate of preview.expired) {
+            try {
+                if (fs.existsSync(candidate.path)) {
+                    fs.rmSync(candidate.path, { force: true, recursive: false });
+                }
+                deleted.push(candidate);
+            }
+            catch (error) {
+                errors.push({
+                    path: candidate.path,
+                    message: error instanceof Error ? error.message : String(error),
+                });
+            }
+        }
+        return {
+            ...preview,
+            deleted,
+            errors,
+        };
+    }
+    getExpired(target) {
+        if (target === 'all') {
+            return CONCRETE_TARGETS.flatMap((entry) => this.getExpired(entry));
+        }
+        const policy = this.policyForTarget(target);
+        if (!policy || !policy.enabled)
+            return [];
+        const items = this.itemsForTarget(target).sort((left, right) => right.modifiedAt.getTime() - left.modifiedAt.getTime());
+        const cutoff = this.now().getTime() - policy.maxAgeDays * 24 * 60 * 60 * 1000;
+        return items.flatMap((item, index) => {
+            const reasons = [];
+            if (item.modifiedAt.getTime() <= cutoff)
+                reasons.push('age');
+            if (typeof policy.maxCount === 'number' && index >= policy.maxCount)
+                reasons.push('count');
+            if (reasons.length === 0)
+                return [];
+            return [
+                {
+                    target: item.target,
+                    path: item.path,
+                    modifiedAt: item.modifiedAt.toISOString(),
+                    ageDays: ageDaysBetween(item.modifiedAt, this.now()),
+                    reasons,
+                },
+            ];
+        });
+    }
+    buildTotals(expired) {
+        return {
+            sessions: {
+                scanned: this.itemsForTarget('sessions').length,
+                expired: expired.filter((entry) => entry.target === 'sessions').length,
+            },
+            audit: {
+                scanned: this.itemsForTarget('audit').length,
+                expired: expired.filter((entry) => entry.target === 'audit').length,
+            },
+            memory: {
+                scanned: this.itemsForTarget('memory').length,
+                expired: expired.filter((entry) => entry.target === 'memory').length,
+            },
+        };
+    }
+    policyForTarget(target) {
+        const policies = this.loadPolicies();
+        return (policies.find((policy) => policy.target === target) ??
+            policies.find((policy) => policy.target === 'all') ??
+            null);
+    }
+    itemsForTarget(target) {
+        switch (target) {
+            case 'sessions':
+                return listFiles(this.sessionDir, target);
+            case 'audit':
+                return listSingleFile(this.auditPath, target);
+            case 'memory':
+                return listFiles(this.memoryDir, target);
+        }
+    }
+}
+export function formatPolicies(manager) {
+    const policies = manager.loadPolicies();
+    if (policies.length === 0) {
+        return `${theme.brand('Retention policies')} ${theme.dim(manager.configPath)}\n  ${theme.dim('No retention policies configured.')}\n`;
+    }
+    const lines = policies.map((policy) => {
+        const bits = [
+            `age=${theme.hl(String(policy.maxAgeDays))}d`,
+            typeof policy.maxCount === 'number' ? `count=${theme.hl(String(policy.maxCount))}` : null,
+            policy.enabled ? theme.ok('enabled') : theme.warn('disabled'),
+        ].filter(Boolean);
+        return `  ${theme.hl(policy.target)}  ${bits.join('  ')}`;
+    });
+    return `${theme.brand('Retention policies')} ${theme.dim(manager.configPath)}\n${lines.join('\n')}\n`;
+}
+export function formatPreview(preview, manager) {
+    const lines = [
+        `${theme.brand('Retention preview')} ${theme.dim(manager.configPath)}`,
+        ...formatTotals(preview.totals),
+    ];
+    if (preview.expired.length === 0) {
+        lines.push('', theme.ok('No expired retention items.'));
+        return `${lines.join('\n')}\n`;
+    }
+    lines.push('', theme.brand('Expired items'));
+    for (const candidate of preview.expired) {
+        lines.push(`  ${theme.hl(candidate.target)}  ${candidate.path} ${theme.dim(`(${candidate.ageDays.toFixed(1)}d, ${candidate.reasons.join('+')})`)}`);
+    }
+    return `${lines.join('\n')}\n`;
+}
+export function formatResult(result, manager) {
+    const lines = [
+        `${theme.brand('Retention enforce')} ${theme.dim(manager.configPath)}`,
+        ...formatTotals(result.totals),
+        '',
+        `${theme.ok(`Deleted ${result.deleted.length} item${result.deleted.length === 1 ? '' : 's'}.`)}`,
+    ];
+    if (result.errors.length > 0) {
+        lines.push(theme.warn(`Errors: ${result.errors.length}`));
+        for (const error of result.errors) {
+            lines.push(`  ${error.path} ${theme.dim(`(${error.message})`)}`);
+        }
+    }
+    return `${lines.join('\n')}\n`;
+}
+function formatTotals(totals) {
+    return CONCRETE_TARGETS.map((target) => {
+        const summary = totals[target];
+        return `  ${theme.hl(target)}  scanned=${summary.scanned}  expired=${summary.expired}`;
+    });
+}
+function normalizePolicy(value) {
+    if (!value || typeof value !== 'object')
+        return null;
+    const candidate = value;
+    if (candidate.target !== 'sessions' &&
+        candidate.target !== 'audit' &&
+        candidate.target !== 'memory' &&
+        candidate.target !== 'all') {
+        return null;
+    }
+    const maxAgeDays = normalizeCount(candidate.maxAgeDays);
+    if (maxAgeDays === null)
+        return null;
+    const maxCount = candidate.maxCount === undefined ? undefined : normalizeCount(candidate.maxCount);
+    if (candidate.maxCount !== undefined && maxCount === null)
+        return null;
+    const normalizedMaxCount = maxCount ?? undefined;
+    if (typeof candidate.enabled !== 'boolean')
+        return null;
+    return {
+        target: candidate.target,
+        maxAgeDays,
+        maxCount: normalizedMaxCount,
+        enabled: candidate.enabled,
+    };
+}
+function normalizeCount(value) {
+    if (typeof value !== 'number' || !Number.isFinite(value))
+        return null;
+    const normalized = Math.trunc(value);
+    return normalized >= 0 ? normalized : null;
+}
+function dedupePolicies(policies) {
+    const seen = new Set();
+    const ordered = [];
+    for (const target of ['sessions', 'audit', 'memory', 'all']) {
+        const policy = policies.find((entry) => entry.target === target);
+        if (!policy || seen.has(policy.target))
+            continue;
+        seen.add(policy.target);
+        ordered.push(policy);
+    }
+    return ordered;
+}
+function listFiles(dirPath, target) {
+    try {
+        if (!fs.existsSync(dirPath) || !fs.statSync(dirPath).isDirectory())
+            return [];
+        return fs.readdirSync(dirPath).flatMap((name) => {
+            const filePath = path.join(dirPath, name);
+            try {
+                const stat = fs.statSync(filePath);
+                if (!stat.isFile())
+                    return [];
+                return [{ target, path: filePath, modifiedAt: stat.mtime }];
+            }
+            catch {
+                return [];
+            }
+        });
+    }
+    catch {
+        return [];
+    }
+}
+function listSingleFile(filePath, target) {
+    try {
+        if (!fs.existsSync(filePath))
+            return [];
+        const stat = fs.statSync(filePath);
+        if (!stat.isFile())
+            return [];
+        return [{ target, path: filePath, modifiedAt: stat.mtime }];
+    }
+    catch {
+        return [];
+    }
+}
+function ageDaysBetween(from, to) {
+    return Math.max(0, (to.getTime() - from.getTime()) / (24 * 60 * 60 * 1000));
+}