lean-claudient-daemon 0.1.0

package/README.md

@@ -0,0 +1,39 @@
+# @lean-claudient/daemon
+
+**Background daemon service** — Phase 5B for continuous monitoring and self-healing.
+
+## Features
+
+- Long-running background service
+- Token consumption monitoring
+- Self-healing automation
+- Persistent state management
+- Service lifecycle management
+
+## Installation
+
+```bash
+npm install @lean-claudient/daemon
+```
+
+## CLI
+
+```bash
+lean-claudient-daemon start
+lean-claudient-daemon stop
+lean-claudient-daemon status
+```
+
+## Development
+
+```bash
+npm run build      # Compile TypeScript
+npm run dev        # Watch mode
+npm run test       # Run tests
+npm run lint       # ESLint
+npm run type-check # TypeScript validation
+```
+
+## License
+
+MIT

package/dist/api.js

@@ -0,0 +1,54 @@
+import { Router } from 'express';
+export function createApiRouter(store) {
+    const router = Router();
+    router.get('/status', (req, res) => {
+        const uptime = process.uptime();
+        const memory = process.memoryUsage().heapUsed / 1024 / 1024;
+        res.json({
+            running: true,
+            uptime: Math.floor(uptime),
+            memory: parseFloat(memory.toFixed(2)),
+            pid: process.pid,
+        });
+    });
+    router.get('/metrics', async (req, res) => {
+        try {
+            const metrics = await store.getAggregateMetrics();
+            res.json(metrics);
+        }
+        catch (error) {
+            res.status(500).json({ error: 'Failed to retrieve metrics' });
+        }
+    });
+    router.get('/budget/:sessionId', async (req, res) => {
+        try {
+            const budget = await store.getBudgetStatus(req.params.sessionId);
+            if (!budget) {
+                return res.status(404).json({ error: 'Session not found' });
+            }
+            res.json(budget);
+        }
+        catch (error) {
+            res.status(500).json({ error: 'Failed to retrieve budget' });
+        }
+    });
+    router.get('/sessions', async (req, res) => {
+        try {
+            const sessions = await store.getAllSessions();
+            res.json(sessions);
+        }
+        catch (error) {
+            res.status(500).json({ error: 'Failed to retrieve sessions' });
+        }
+    });
+    router.post('/sessions/:id/checkpoint', async (req, res) => {
+        try {
+            await store.saveCheckpoint(req.params.id, req.body.checkpoint);
+            res.json({ saved: true });
+        }
+        catch (error) {
+            res.status(500).json({ error: 'Failed to save checkpoint' });
+        }
+    });
+    return router;
+}

package/dist/bin/daemon.js

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import { LeanClaudientDaemon } from '../service.js';
+const program = new Command();
+program
+    .name('lean-claudient-daemon')
+    .version('0.1.0')
+    .option('-p, --port <port>', 'Port to listen on', '9831')
+    .option('-l, --log <path>', 'Log file path')
+    .action(async (options) => {
+    const daemon = new LeanClaudientDaemon(parseInt(options.port), options.log);
+    await daemon.start();
+});
+program.parse();

package/dist/metrics.js

@@ -0,0 +1,31 @@
+export function aggregateMetrics(records) {
+    if (records.length === 0) {
+        return {
+            totalInputTokens: 0,
+            totalOutputTokens: 0,
+            totalTokens: 0,
+            totalCost: '$0.00',
+            totalSavedTokens: 0,
+            averageCompressionRatio: 0,
+            sessionCount: 0,
+            averageSubagentCount: 0,
+        };
+    }
+    const totalInputTokens = records.reduce((sum, r) => sum + r.inputTokens, 0);
+    const totalOutputTokens = records.reduce((sum, r) => sum + r.outputTokens, 0);
+    const totalTokens = totalInputTokens + totalOutputTokens;
+    const totalCost = totalInputTokens * 0.000003 + totalOutputTokens * 0.000015;
+    const totalSavedTokens = records.reduce((sum, r) => sum + r.savedTokens, 0);
+    const avgCompressionRatio = records.reduce((sum, r) => sum + r.compressionRatio, 0) / records.length;
+    const avgSubagentCount = records.reduce((sum, r) => sum + r.subagentCount, 0) / records.length;
+    return {
+        totalInputTokens,
+        totalOutputTokens,
+        totalTokens,
+        totalCost: `$${totalCost.toFixed(2)}`,
+        totalSavedTokens,
+        averageCompressionRatio: parseFloat(avgCompressionRatio.toFixed(2)),
+        sessionCount: records.length,
+        averageSubagentCount: Math.round(avgSubagentCount),
+    };
+}

package/dist/metricsStore.js

@@ -0,0 +1,84 @@
+import sqlite3 from 'sqlite3';
+import { promisify } from 'util';
+import path from 'path';
+import fs from 'fs';
+import { aggregateMetrics } from './metrics.js';
+export class MetricsStore {
+    constructor(dbPath) {
+        this.dbPath = dbPath || path.join(process.env.HOME, '.lean-claudient', 'daemon.db');
+    }
+    async initialize() {
+        const dir = path.dirname(this.dbPath);
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        this.db = new sqlite3.Database(this.dbPath);
+        const run = promisify(this.db.run.bind(this.db));
+        await run(`
+      CREATE TABLE IF NOT EXISTS metrics (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        sessionId TEXT NOT NULL,
+        timestamp INTEGER NOT NULL,
+        inputTokens INTEGER,
+        outputTokens INTEGER,
+        cost REAL,
+        savedTokens INTEGER,
+        compressionRatio REAL,
+        subagentCount INTEGER,
+        UNIQUE(sessionId, timestamp)
+      )
+    `);
+        await run(`
+      CREATE TABLE IF NOT EXISTS checkpoints (
+        sessionId TEXT PRIMARY KEY,
+        checkpoint TEXT NOT NULL,
+        timestamp INTEGER NOT NULL
+      )
+    `);
+    }
+    async recordMetrics(metrics) {
+        const run = promisify(this.db.run.bind(this.db));
+        await run(`INSERT OR REPLACE INTO metrics (sessionId, timestamp, inputTokens, outputTokens, cost, savedTokens, compressionRatio, subagentCount)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`, [
+            metrics.sessionId,
+            metrics.timestamp,
+            metrics.inputTokens,
+            metrics.outputTokens,
+            metrics.cost,
+            metrics.savedTokens,
+            metrics.compressionRatio,
+            metrics.subagentCount,
+        ]);
+    }
+    async getAggregateMetrics() {
+        const all = promisify(this.db.all.bind(this.db));
+        const records = (await all('SELECT * FROM metrics WHERE timestamp > ? ORDER BY timestamp DESC LIMIT 1000', [Date.now() - 7 * 24 * 60 * 60 * 1000]));
+        return aggregateMetrics(records);
+    }
+    async getBudgetStatus(sessionId) {
+        const get = promisify(this.db.get.bind(this.db));
+        const record = (await get('SELECT * FROM metrics WHERE sessionId = ? ORDER BY timestamp DESC LIMIT 1', [sessionId]));
+        if (!record)
+            return null;
+        return {
+            sessionId,
+            spent: record.cost,
+            limit: 500,
+            remaining: 500 - record.cost,
+            alert: record.cost > 375 ? 'warning' : 'ok',
+        };
+    }
+    async getAllSessions() {
+        const all = promisify(this.db.all.bind(this.db));
+        return (await all('SELECT DISTINCT sessionId, MIN(timestamp) as startTime, COUNT(*) as recordCount FROM metrics GROUP BY sessionId'));
+    }
+    async saveCheckpoint(sessionId, checkpoint) {
+        const run = promisify(this.db.run.bind(this.db));
+        await run('INSERT OR REPLACE INTO checkpoints (sessionId, checkpoint, timestamp) VALUES (?, ?, ?)', [sessionId, checkpoint, Date.now()]);
+    }
+    async close() {
+        return new Promise((resolve, reject) => {
+            this.db.close((err) => (err ? reject(err) : resolve()));
+        });
+    }
+}

package/dist/middleware/rateLimiting.js

@@ -0,0 +1,193 @@
+/**
+ * Rate Limiting Middleware
+ * Prevents DOS attacks by limiting requests per IP and session
+ */
+/**
+ * Rate limit store - stores request counts by key
+ * Key format: "ip:address" or "session:sessionId"
+ */
+class RateLimitStore {
+    constructor() {
+        this.store = new Map();
+        // Clean up expired entries every minute
+        this.cleanupInterval = setInterval(() => {
+            const now = Date.now();
+            for (const [key, value] of this.store.entries()) {
+                if (value.resetTime < now) {
+                    this.store.delete(key);
+                }
+            }
+        }, 60000);
+    }
+    /**
+     * Record a request and return remaining quota
+     */
+    recordRequest(key, windowMs, limit) {
+        const now = Date.now();
+        const entry = this.store.get(key);
+        if (!entry || entry.resetTime < now) {
+            this.store.set(key, { count: 1, resetTime: now + windowMs });
+            return limit - 1;
+        }
+        entry.count++;
+        return Math.max(0, limit - entry.count);
+    }
+    /**
+     * Check if limit is exceeded
+     */
+    isLimited(key, windowMs, limit) {
+        const now = Date.now();
+        const entry = this.store.get(key);
+        if (!entry || entry.resetTime < now) {
+            return false;
+        }
+        return entry.count >= limit;
+    }
+    /**
+     * Get remaining time until reset
+     */
+    getResetTime(key) {
+        const entry = this.store.get(key);
+        if (!entry)
+            return 0;
+        return Math.max(0, entry.resetTime - Date.now());
+    }
+    /**
+     * Cleanup
+     */
+    destroy() {
+        clearInterval(this.cleanupInterval);
+        this.store.clear();
+    }
+}
+const globalStore = new RateLimitStore();
+/**
+ * Create rate limit middleware
+ */
+export function rateLimit(config) {
+    const { windowMs = 15 * 60 * 1000, // 15 minutes default
+    max = 100, keyGenerator = (req) => `ip:${req.ip}`, skip, onLimitReached, } = config;
+    return (req, res, next) => {
+        if (skip && skip(req)) {
+            return next();
+        }
+        const key = keyGenerator(req);
+        const remaining = globalStore.recordRequest(key, windowMs, max);
+        const isLimited = globalStore.isLimited(key, windowMs, max);
+        const resetTime = globalStore.getResetTime(key);
+        // Set rate limit headers
+        res.setHeader('X-RateLimit-Limit', max);
+        res.setHeader('X-RateLimit-Remaining', Math.max(0, remaining));
+        res.setHeader('X-RateLimit-Reset', Math.ceil((Date.now() + resetTime) / 1000));
+        if (isLimited) {
+            res.setHeader('Retry-After', Math.ceil(resetTime / 1000));
+            if (onLimitReached) {
+                onLimitReached(req, key);
+            }
+            return res.status(429).json({
+                error: 'Too Many Requests',
+                code: 'RATE_LIMIT_EXCEEDED',
+                details: {
+                    retryAfter: Math.ceil(resetTime / 1000),
+                    limit: max,
+                    windowMs,
+                },
+            });
+        }
+        next();
+    };
+}
+/**
+ * Generic rate limiter by key
+ */
+export function createRateLimiter(config) {
+    return rateLimit(config);
+}
+/**
+ * Rate limiter by IP address
+ */
+export function createIPRateLimiter(maxRequests, windowMinutes = 15) {
+    return rateLimit({
+        windowMs: windowMinutes * 60 * 1000,
+        max: maxRequests,
+        keyGenerator: (req) => `ip:${req.ip || 'unknown'}`,
+    });
+}
+/**
+ * Rate limiter by session ID
+ */
+export function createSessionRateLimiter(maxRequests, windowMinutes = 15) {
+    return rateLimit({
+        windowMs: windowMinutes * 60 * 1000,
+        max: maxRequests,
+        keyGenerator: (req) => {
+            const sessionId = req.params.sessionId || req.query.sessionId;
+            return `session:${sessionId || 'unknown'}`;
+        },
+    });
+}
+/**
+ * Rate limiter by user ID (from query or body)
+ */
+export function createUserRateLimiter(maxRequests, windowMinutes = 15) {
+    return rateLimit({
+        windowMs: windowMinutes * 60 * 1000,
+        max: maxRequests,
+        keyGenerator: (req) => {
+            const userId = req.query.userId || req.body?.userId;
+            return `user:${userId || 'anonymous'}`;
+        },
+    });
+}
+/**
+ * Tiered rate limiter configuration
+ * Different limits for different endpoints
+ */
+export const RATE_LIMITS = {
+    // High frequency - status checks
+    STATUS: { max: 100, windowMinutes: 1 },
+    // Medium frequency - metrics reads
+    METRICS: { max: 60, windowMinutes: 1 },
+    // Medium frequency - budget checks
+    BUDGET: { max: 60, windowMinutes: 1 },
+    // Low frequency - session creation
+    SESSIONS: { max: 30, windowMinutes: 1 },
+    // Very low frequency - checkpoints
+    CHECKPOINT: { max: 10, windowMinutes: 1 },
+    // Low frequency - admin operations
+    ADMIN: { max: 20, windowMinutes: 1 },
+};
+/**
+ * Create logging function for rate limit violations
+ */
+export function createRateLimitLogger(logFile) {
+    return (req, key) => {
+        const logEntry = {
+            timestamp: new Date().toISOString(),
+            key,
+            method: req.method,
+            path: req.path,
+            ip: req.ip,
+            userAgent: req.get('User-Agent'),
+        };
+        if (logFile) {
+            // Would log to file in production
+            console.warn('[RATE_LIMIT]', JSON.stringify(logEntry));
+        }
+        else {
+            console.warn('[RATE_LIMIT]', logEntry);
+        }
+    };
+}
+/**
+ * Cleanup rate limiter
+ */
+export function destroyRateLimiter() {
+    globalStore.destroy();
+}
+/**
+ * Reset rate limiter for testing
+ */
+export function resetRateLimiter() {
+    destroyRateLimiter();
+}

package/dist/middleware/securityHeaders.js

@@ -0,0 +1,239 @@
+/**
+ * Security Headers Middleware
+ * Adds security-related HTTP headers to all responses
+ */
+/**
+ * Default security headers configuration
+ */
+const DEFAULT_CONFIG = {
+    hstsMaxAge: 31536000, // 1 year
+    hstsIncludeSubdomains: true,
+    hstsPreload: true,
+    noSniff: true,
+    frameOptions: 'DENY',
+    xssProtection: true,
+    referrerPolicy: 'strict-origin-when-cross-origin',
+    cspDirectives: {
+        'default-src': "'none'",
+        'script-src': "'self'",
+        'style-src': "'self'",
+        'img-src': "'self'",
+        'font-src': "'self'",
+        'connect-src': "'self'",
+        'frame-ancestors': "'none'",
+        'base-uri': "'self'",
+        'form-action': "'self'",
+    },
+};
+/**
+ * Create security headers middleware
+ */
+export function securityHeaders(config = {}) {
+    const finalConfig = { ...DEFAULT_CONFIG, ...config };
+    return (req, res, next) => {
+        // Strict-Transport-Security (HSTS)
+        if (finalConfig.hstsMaxAge !== undefined) {
+            let hstsValue = `max-age=${finalConfig.hstsMaxAge}`;
+            if (finalConfig.hstsIncludeSubdomains) {
+                hstsValue += '; includeSubDomains';
+            }
+            if (finalConfig.hstsPreload) {
+                hstsValue += '; preload';
+            }
+            res.setHeader('Strict-Transport-Security', hstsValue);
+        }
+        // X-Content-Type-Options
+        if (finalConfig.noSniff !== false) {
+            res.setHeader('X-Content-Type-Options', 'nosniff');
+        }
+        // X-Frame-Options
+        if (finalConfig.frameOptions) {
+            res.setHeader('X-Frame-Options', finalConfig.frameOptions);
+        }
+        // X-XSS-Protection
+        if (finalConfig.xssProtection !== false) {
+            res.setHeader('X-XSS-Protection', '1; mode=block');
+        }
+        // Referrer-Policy
+        if (finalConfig.referrerPolicy) {
+            res.setHeader('Referrer-Policy', finalConfig.referrerPolicy);
+        }
+        // Content-Security-Policy (CSP)
+        if (finalConfig.cspDirectives) {
+            const cspValue = Object.entries(finalConfig.cspDirectives)
+                .map(([key, value]) => `${key} ${value}`)
+                .join('; ');
+            res.setHeader('Content-Security-Policy', cspValue);
+        }
+        // Permissions-Policy
+        if (finalConfig.permissionsPolicy) {
+            const ppValue = Object.entries(finalConfig.permissionsPolicy)
+                .map(([key, value]) => `${key}=(${value})`)
+                .join(', ');
+            res.setHeader('Permissions-Policy', ppValue);
+        }
+        // Additional security headers
+        res.setHeader('X-Powered-By', 'Lean Claudient');
+        res.setHeader('Server', 'Lean Claudient Daemon');
+        next();
+    };
+}
+/**
+ * Middleware for API endpoints (stricter CSP)
+ */
+export function securityHeadersAPI(config = {}) {
+    const apiConfig = {
+        ...DEFAULT_CONFIG,
+        cspDirectives: {
+            'default-src': "'none'",
+            'script-src': "'none'",
+            'style-src': "'none'",
+            'img-src': "'none'",
+            'font-src': "'none'",
+            'connect-src': "'none'",
+            'frame-ancestors': "'none'",
+            'base-uri': "'self'",
+            'form-action': "'none'",
+        },
+        ...config,
+    };
+    return securityHeaders(apiConfig);
+}
+/**
+ * Remove potentially dangerous headers
+ */
+export function removeDangerousHeaders(req, res, next) {
+    // Remove headers that might leak information
+    const dangerous = ['X-Powered-By', 'Server', 'X-AspNet-Version', 'X-Runtime-Version'];
+    for (const header of dangerous) {
+        res.removeHeader(header);
+    }
+    // Disable caching for sensitive data
+    if (req.path.includes('/api/')) {
+        res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
+        res.setHeader('Pragma', 'no-cache');
+        res.setHeader('Expires', '0');
+    }
+    next();
+}
+/**
+ * Validate request headers
+ */
+export function validateRequestHeaders(req, res, next) {
+    const dangerousPatterns = [
+        /javascript:/i,
+        /on\w+=/i, // onclick, onload, etc
+        /eval\(/i,
+    ];
+    // Check headers for suspicious content
+    for (const [key, value] of Object.entries(req.headers)) {
+        if (typeof value !== 'string')
+            continue;
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(value)) {
+                return res.status(400).json({
+                    error: 'Invalid request header',
+                    code: 'INVALID_HEADER',
+                    details: {
+                        header: key,
+                        message: 'Header contains suspicious content',
+                    },
+                });
+            }
+        }
+    }
+    next();
+}
+/**
+ * Enforce HTTPS redirect for non-local environments
+ */
+export function enforceHTTPS(req, res, next) {
+    // Skip for localhost and internal IPs
+    if (req.hostname === 'localhost' ||
+        req.hostname === '127.0.0.1' ||
+        req.ip === '::1' ||
+        req.ip?.startsWith('127.') ||
+        req.ip?.startsWith('192.168.') ||
+        req.ip?.startsWith('10.')) {
+        return next();
+    }
+    // Check if connection is secure
+    const isSecure = req.secure || req.get('X-Forwarded-Proto') === 'https';
+    if (!isSecure) {
+        return res.redirect(301, `https://${req.get('Host')}${req.url}`);
+    }
+    next();
+}
+/**
+ * Add Content Security Policy meta tag (for responses with HTML)
+ */
+export function cspMetaTag(config = {}) {
+    const finalConfig = { ...DEFAULT_CONFIG, ...config };
+    return (req, res, next) => {
+        // Store CSP config on response for template use
+        if (finalConfig.cspDirectives) {
+            const cspValue = Object.entries(finalConfig.cspDirectives)
+                .map(([key, value]) => `${key} ${value}`)
+                .join('; ');
+            res.locals = { cspMetaTag: cspValue };
+        }
+        next();
+    };
+}
+/**
+ * Prevent information disclosure
+ */
+export function preventInformationDisclosure(req, res, next) {
+    const originalJson = res.json;
+    res.json = function (body) {
+        // Remove stack traces from error responses in production
+        if (process.env.NODE_ENV === 'production') {
+            if (body && typeof body === 'object') {
+                delete body.stack;
+                delete body.stackTrace;
+                delete body.internal;
+            }
+        }
+        return originalJson.call(this, body);
+    };
+    next();
+}
+/**
+ * Create all security headers middleware stack
+ */
+export function createSecurityStack(config = {}) {
+    return [
+        validateRequestHeaders,
+        removeDangerousHeaders,
+        preventInformationDisclosure,
+        securityHeaders(config),
+    ];
+}
+/**
+ * Strict security headers for admin endpoints
+ */
+export const strictSecurityHeaders = securityHeaders({
+    hstsMaxAge: 31536000,
+    frameOptions: 'DENY',
+    cspDirectives: {
+        'default-src': "'none'",
+        'script-src': "'self'",
+        'style-src': "'self'",
+        'img-src': "'self'",
+        'font-src': "'self'",
+        'connect-src': "'self'",
+        'frame-ancestors': "'none'",
+        'base-uri': "'self'",
+        'form-action': "'self'",
+    },
+});
+/**
+ * Relaxed security headers for public APIs (JSON only)
+ */
+export const apiSecurityHeaders = securityHeaders({
+    cspDirectives: {
+        'default-src': "'none'",
+        'frame-ancestors': "'none'",
+        'base-uri': "'self'",
+    },
+});