limen-ai 1.0.0

package/dist/kernel/rbac/rbac_engine.js

@@ -0,0 +1,257 @@
+/**
+ * RBAC engine implementation.
+ * S ref: §34, I-13, §3.7
+ *
+ * Phase: 1 (Kernel) -- Build Order 6
+ * Required by all API-facing modules.
+ *
+ * §34: RBAC with five default roles (admin, developer, operator, viewer, auditor).
+ * I-13: Authorization completeness -- every operation enforces RBAC.
+ * §3.7: Single-user default mode where RBAC is dormant.
+ */
+import { randomUUID } from 'node:crypto';
+/**
+ * Default role definitions per §34.
+ * S ref: §34 (five default roles with predefined permission sets)
+ */
+const DEFAULT_ROLES = [
+    {
+        name: 'admin',
+        permissions: [
+            'create_agent', 'modify_agent', 'delete_agent',
+            'chat', 'infer', 'create_mission',
+            'view_telemetry', 'view_audit',
+            'manage_providers', 'manage_budgets', 'manage_roles',
+            'purge_data',
+            'approve_response', 'edit_response', 'takeover_session', 'review_batch',
+        ],
+    },
+    {
+        name: 'developer',
+        permissions: [
+            'create_agent', 'modify_agent',
+            'chat', 'infer', 'create_mission',
+            'view_telemetry',
+        ],
+    },
+    {
+        name: 'operator',
+        permissions: [
+            'chat',
+            'view_telemetry',
+            'manage_providers', 'manage_budgets',
+        ],
+    },
+    {
+        name: 'viewer',
+        permissions: [
+            'chat',
+            'view_telemetry',
+        ],
+    },
+    {
+        name: 'auditor',
+        permissions: [
+            'view_audit',
+            'view_telemetry',
+        ],
+    },
+];
+/**
+ * Create an RbacEngine implementation.
+ * CF-006: Accepts optional conn to restore RBAC active state from DB on restart.
+ * If custom roles exist (is_default=0), RBAC activates immediately.
+ * S ref: §34 (RBAC), I-13 (authorization completeness), §3.7 (dormant mode)
+ */
+export function createRbacEngine(conn) {
+    /** RBAC active state. Starts dormant (single-user default). S ref: §3.7. */
+    let rbacActive = false;
+    // CF-006: Restore active state from DB if custom roles exist.
+    // Without this, a restart after role creation leaves RBAC dormant,
+    // bypassing all permission checks until a new custom role is created.
+    if (conn) {
+        const customRoleCount = conn.get('SELECT COUNT(*) as cnt FROM core_roles WHERE is_default = 0');
+        if (customRoleCount && customRoleCount.cnt > 0) {
+            rbacActive = true;
+        }
+    }
+    return {
+        /**
+         * Check if context has required permission.
+         * In dormant mode (single-user), always returns true.
+         * S ref: §34 (permission check), I-13 (every operation enforces RBAC)
+         */
+        checkPermission(ctx, required) {
+            try {
+                // §3.7: In single-user mode, RBAC is dormant -- all operations allowed
+                if (!rbacActive) {
+                    return { ok: true, value: true };
+                }
+                // I-13: Check if context has the required permission
+                const hasPermission = ctx.permissions.has(required);
+                return { ok: true, value: hasPermission };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'RBAC_CHECK_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: 'I-13',
+                    },
+                };
+            }
+        },
+        /**
+         * Check if RBAC is currently active.
+         * S ref: §3.7 (single-user mode), §34 (multi-user activation)
+         */
+        isActive() {
+            return rbacActive;
+        },
+        /**
+         * Create a role with the specified permissions.
+         * Activates RBAC if not already active.
+         * S ref: §34 (role management)
+         */
+        createRole(conn, ctx, name, permissions) {
+            try {
+                const roleId = randomUUID();
+                const tenantId = ctx.tenantId;
+                conn.run(`INSERT INTO core_roles (id, tenant_id, name, permissions, is_default, version, created_at, updated_at)
+           VALUES (?, ?, ?, ?, 0, 1, strftime('%Y-%m-%dT%H:%M:%fZ','now'), strftime('%Y-%m-%dT%H:%M:%fZ','now'))`, [roleId, tenantId, name, JSON.stringify(permissions)]);
+                // Activate RBAC when first non-default role is created
+                rbacActive = true;
+                return { ok: true, value: roleId };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'ROLE_CREATE_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§34',
+                    },
+                };
+            }
+        },
+        /**
+         * Assign role to principal (user or agent).
+         * S ref: §34 (role assignment), DL-3 (trust progression)
+         */
+        assignRole(conn, ctx, principalType, principalId, roleId) {
+            try {
+                // Verify role exists
+                const role = conn.get(`SELECT id FROM core_roles WHERE id = ?`, [roleId]);
+                if (!role) {
+                    return {
+                        ok: false,
+                        error: {
+                            code: 'ROLE_NOT_FOUND',
+                            message: `Role ${roleId} not found`,
+                            spec: '§34',
+                        },
+                    };
+                }
+                const id = randomUUID();
+                const tenantId = ctx.tenantId;
+                const grantedBy = ctx.userId ?? ctx.agentId ?? 'system';
+                conn.run(`INSERT INTO core_role_assignments (id, tenant_id, principal_type, principal_id, role_id, granted_by, granted_at)
+           VALUES (?, ?, ?, ?, ?, ?, strftime('%Y-%m-%dT%H:%M:%fZ','now'))
+           ON CONFLICT(tenant_id, principal_type, principal_id, role_id) DO NOTHING`, [id, tenantId, principalType, principalId, roleId, grantedBy]);
+                return { ok: true, value: undefined };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'ROLE_ASSIGN_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§34',
+                    },
+                };
+            }
+        },
+        /**
+         * Revoke role from principal.
+         * S ref: §34 (role revocation)
+         */
+        revokeRole(conn, ctx, principalType, principalId, roleId) {
+            try {
+                const tenantId = ctx.tenantId;
+                conn.run(`DELETE FROM core_role_assignments
+           WHERE principal_type = ? AND principal_id = ? AND role_id = ?
+           AND (tenant_id = ? OR (tenant_id IS NULL AND ? IS NULL))`, [principalType, principalId, roleId, tenantId, tenantId]);
+                return { ok: true, value: undefined };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'ROLE_REVOKE_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§34',
+                    },
+                };
+            }
+        },
+        /**
+         * Get permissions for a principal.
+         * Returns the union of all permissions from all assigned roles.
+         * S ref: §34 (permission resolution)
+         */
+        getPermissions(conn, principalType, principalId, tenantId) {
+            try {
+                const rows = conn.query(`SELECT r.permissions FROM core_roles r
+           INNER JOIN core_role_assignments ra ON ra.role_id = r.id
+           WHERE ra.principal_type = ? AND ra.principal_id = ?
+           AND (ra.tenant_id = ? OR (ra.tenant_id IS NULL AND ? IS NULL))
+           AND (ra.expires_at IS NULL OR ra.expires_at > strftime('%Y-%m-%dT%H:%M:%fZ','now'))`, [principalType, principalId, tenantId, tenantId]);
+                const permissionSet = new Set();
+                for (const row of rows) {
+                    const perms = JSON.parse(row.permissions);
+                    for (const p of perms) {
+                        permissionSet.add(p);
+                    }
+                }
+                return { ok: true, value: permissionSet };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'PERMISSIONS_FETCH_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§34',
+                    },
+                };
+            }
+        },
+        /**
+         * Seed default roles (admin, developer, operator, viewer, auditor).
+         * S ref: §34 (five default roles with predefined permission sets)
+         */
+        seedDefaultRoles(conn) {
+            try {
+                for (const role of DEFAULT_ROLES) {
+                    const roleId = randomUUID();
+                    conn.run(`INSERT INTO core_roles (id, tenant_id, name, permissions, is_default, version, created_at, updated_at)
+             VALUES (?, NULL, ?, ?, 1, 1, strftime('%Y-%m-%dT%H:%M:%fZ','now'), strftime('%Y-%m-%dT%H:%M:%fZ','now'))
+             ON CONFLICT(tenant_id, name) DO NOTHING`, [roleId, role.name, JSON.stringify(role.permissions)]);
+                }
+                return { ok: true, value: undefined };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'SEED_ROLES_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§34',
+                    },
+                };
+            }
+        },
+    };
+}
+//# sourceMappingURL=rbac_engine.js.map

package/dist/kernel/rbac/rbac_engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac_engine.js","sourceRoot":"","sources":["../../../src/kernel/rbac/rbac_engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAMzC;;;GAGG;AACH,MAAM,aAAa,GAGd;IACH;QACE,IAAI,EAAE,OAAO;QACb,WAAW,EAAE;YACX,cAAc,EAAE,cAAc,EAAE,cAAc;YAC9C,MAAM,EAAE,OAAO,EAAE,gBAAgB;YACjC,gBAAgB,EAAE,YAAY;YAC9B,kBAAkB,EAAE,gBAAgB,EAAE,cAAc;YACpD,YAAY;YACZ,kBAAkB,EAAE,eAAe,EAAE,kBAAkB,EAAE,cAAc;SACxE;KACF;IACD;QACE,IAAI,EAAE,WAAW;QACjB,WAAW,EAAE;YACX,cAAc,EAAE,cAAc;YAC9B,MAAM,EAAE,OAAO,EAAE,gBAAgB;YACjC,gBAAgB;SACjB;KACF;IACD;QACE,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE;YACX,MAAM;YACN,gBAAgB;YAChB,kBAAkB,EAAE,gBAAgB;SACrC;KACF;IACD;QACE,IAAI,EAAE,QAAQ;QACd,WAAW,EAAE;YACX,MAAM;YACN,gBAAgB;SACjB;KACF;IACD;QACE,IAAI,EAAE,SAAS;QACf,WAAW,EAAE;YACX,YAAY;YACZ,gBAAgB;SACjB;KACF;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAyB;IACxD,4EAA4E;IAC5E,IAAI,UAAU,GAAG,KAAK,CAAC;IAEvB,8DAA8D;IAC9D,mEAAmE;IACnE,sEAAsE;IACtE,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAC9B,6DAA6D,CAC9D,CAAC;QACF,IAAI,eAAe,IAAI,eAAe,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;YAC/C,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO;QACL;;;;WAIG;QACH,eAAe,CAAC,GAAqB,EAAE,QAAoB;YACzD,IAAI,CAAC;gBACH,uEAAuE;gBACvE,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;gBACnC,CAAC;gBAED,qDAAqD;gBACrD,MAAM,aAAa,GAAG,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACpD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;YAC5C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,mBAAmB;wBACzB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,MAAM;qBACb;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;WAGG;QACH,QAAQ;YACN,OAAO,UAAU,CAAC;QACpB,CAAC;QAED;;;;WAIG;QACH,UAAU,CAAC,IAAwB,EAAE,GAAqB,EAAE,IAAY,EAAE,WAAyB;YACjG,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,UAAU,EAAY,CAAC;gBACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;gBAE9B,IAAI,CAAC,GAAG,CACN;iHACuG,EACvG,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CACtD,CAAC;gBAEF,uDAAuD;gBACvD,UAAU,GAAG,IAAI,CAAC;gBAElB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;YACrC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;WAGG;QACH,UAAU,CAAC,IAAwB,EAAE,GAAqB,EAAE,aAA+B,EAAE,WAAmB,EAAE,MAAc;YAC9H,IAAI,CAAC;gBACH,qBAAqB;gBACrB,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CACnB,wCAAwC,EACxC,CAAC,MAAM,CAAC,CACT,CAAC;gBAEF,IAAI,CAAC,IAAI,EAAE,CAAC;oBACV,OAAO;wBACL,EAAE,EAAE,KAAK;wBACT,KAAK,EAAE;4BACL,IAAI,EAAE,gBAAgB;4BACtB,OAAO,EAAE,QAAQ,MAAM,YAAY;4BACnC,IAAI,EAAE,KAAK;yBACZ;qBACF,CAAC;gBACJ,CAAC;gBAED,MAAM,EAAE,GAAG,UAAU,EAAE,CAAC;gBACxB,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;gBAC9B,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,OAAO,IAAI,QAAQ,CAAC;gBAExD,IAAI,CAAC,GAAG,CACN;;oFAE0E,EAC1E,CAAC,EAAE,EAAE,QAAQ,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,CAAC,CAC9D,CAAC;gBAEF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACxC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;WAGG;QACH,UAAU,CAAC,IAAwB,EAAE,GAAqB,EAAE,aAA+B,EAAE,WAAmB,EAAE,MAAc;YAC9H,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;gBAE9B,IAAI,CAAC,GAAG,CACN;;oEAE0D,EAC1D,CAAC,aAAa,EAAE,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CACzD,CAAC;gBAEF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACxC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;;WAIG;QACH,cAAc,CAAC,IAAwB,EAAE,aAA+B,EAAE,WAAmB,EAAE,QAAyB;YACtH,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CACrB;;;;+FAIqF,EACrF,CAAC,aAAa,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,CAAC,CACjD,CAAC;gBAEF,MAAM,aAAa,GAAG,IAAI,GAAG,EAAc,CAAC;gBAC5C,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAiB,CAAC;oBAC1D,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;wBACtB,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;oBACvB,CAAC;gBACH,CAAC;gBAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;YAC5C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,0BAA0B;wBAChC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;WAGG;QACH,gBAAgB,CAAC,IAAwB;YACvC,IAAI,CAAC;gBACH,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;oBACjC,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;oBAC5B,IAAI,CAAC,GAAG,CACN;;qDAEyC,EACzC,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CACtD,CAAC;gBACJ,CAAC;gBAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACxC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,mBAAmB;wBACzB,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/kernel/retention/retention_scheduler.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Data retention scheduler implementation.
+ * S ref: §35, I-06, I-02
+ *
+ * Phase: 1 (Kernel) -- Build Order 7
+ * Depends on database + audit + crypto.
+ *
+ * §35: Configurable per-type retention with automated archival/deletion.
+ * I-06: Audit entries archived to sealed file, never deleted.
+ * I-02: User data ownership -- retention supports purge operations.
+ *
+ * Default retention values (§35):
+ * - memories: 365 days (archive)
+ * - audit: 2555 days / 7 years (archive to sealed file per I-06)
+ * - sessions: 90 days (archive)
+ * - artifacts: mission-scoped + retention period (archive)
+ * - techniques: indefinite (soft_delete per I-10)
+ * - events: 90 days (delete)
+ */
+import type { RetentionScheduler, AuditTrail } from '../interfaces/index.js';
+import type { TimeProvider } from '../interfaces/time.js';
+/**
+ * Default retention policies per §35.
+ * S ref: §35 (default retention values)
+ */
+declare const DEFAULT_POLICIES: ReadonlyArray<{
+    dataType: string;
+    retentionDays: number;
+    action: 'archive' | 'delete' | 'soft_delete';
+}>;
+/**
+ * Create a RetentionScheduler implementation.
+ * S ref: §35 (retention policies), I-06 (audit archival), I-02 (data ownership)
+ */
+/**
+ * CF-018: Create a RetentionScheduler with optional audit trail for tombstoning.
+ * When auditTrail is provided, the 'audit' data type uses tombstone() instead of delete.
+ */
+export declare function createRetentionScheduler(auditTrail?: AuditTrail, time?: TimeProvider): RetentionScheduler;
+export { DEFAULT_POLICIES };
+//# sourceMappingURL=retention_scheduler.d.ts.map

package/dist/kernel/retention/retention_scheduler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention_scheduler.d.ts","sourceRoot":"","sources":["../../../src/kernel/retention/retention_scheduler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,KAAK,EAEV,kBAAkB,EAClB,UAAU,EACX,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE1D;;;GAGG;AACH,QAAA,MAAM,gBAAgB,EAAE,aAAa,CAAC;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,aAAa,CAAC;CAC9C,CAOA,CAAC;AAEF;;;GAGG;AACH;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,UAAU,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,YAAY,GAAG,kBAAkB,CAmOzG;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/kernel/retention/retention_scheduler.js

@@ -0,0 +1,218 @@
+/**
+ * Data retention scheduler implementation.
+ * S ref: §35, I-06, I-02
+ *
+ * Phase: 1 (Kernel) -- Build Order 7
+ * Depends on database + audit + crypto.
+ *
+ * §35: Configurable per-type retention with automated archival/deletion.
+ * I-06: Audit entries archived to sealed file, never deleted.
+ * I-02: User data ownership -- retention supports purge operations.
+ *
+ * Default retention values (§35):
+ * - memories: 365 days (archive)
+ * - audit: 2555 days / 7 years (archive to sealed file per I-06)
+ * - sessions: 90 days (archive)
+ * - artifacts: mission-scoped + retention period (archive)
+ * - techniques: indefinite (soft_delete per I-10)
+ * - events: 90 days (delete)
+ */
+import { randomUUID } from 'node:crypto';
+/**
+ * Default retention policies per §35.
+ * S ref: §35 (default retention values)
+ */
+const DEFAULT_POLICIES = [
+    { dataType: 'memories', retentionDays: 365, action: 'archive' },
+    { dataType: 'audit', retentionDays: 2555, action: 'archive' }, // 7 years per I-06
+    { dataType: 'sessions', retentionDays: 90, action: 'archive' },
+    { dataType: 'artifacts', retentionDays: 365, action: 'archive' },
+    { dataType: 'techniques', retentionDays: 0, action: 'soft_delete' }, // 0 = indefinite (I-10)
+    { dataType: 'events', retentionDays: 90, action: 'delete' },
+];
+/**
+ * Create a RetentionScheduler implementation.
+ * S ref: §35 (retention policies), I-06 (audit archival), I-02 (data ownership)
+ */
+/**
+ * CF-018: Create a RetentionScheduler with optional audit trail for tombstoning.
+ * When auditTrail is provided, the 'audit' data type uses tombstone() instead of delete.
+ */
+export function createRetentionScheduler(auditTrail, time) {
+    const clock = time ?? { nowISO: () => new Date().toISOString(), nowMs: () => Date.now() };
+    return {
+        /**
+         * Execute retention pass: archive/delete records past retention period.
+         * S ref: §35 (automated retention execution)
+         */
+        executeRetention(conn, _ctx) {
+            try {
+                const runId = randomUUID();
+                let recordsArchived = 0;
+                let recordsDeleted = 0;
+                const policiesApplied = [];
+                // Get active policies
+                const policies = conn.query(`SELECT id, data_type, retention_days, action, enabled
+           FROM core_retention_policies WHERE enabled = 1`);
+                // Record the run start
+                conn.run(`INSERT INTO core_retention_runs (id, started_at, policies_applied, status)
+           VALUES (?, strftime('%Y-%m-%dT%H:%M:%fZ','now'), ?, 'running')`, [runId, JSON.stringify(policies.map(p => p.id))]);
+                for (const policy of policies) {
+                    if (policy.retention_days === 0)
+                        continue; // 0 = indefinite
+                    const cutoffMs = clock.nowMs() - (policy.retention_days * 24 * 60 * 60 * 1000);
+                    const cutoff = new Date(cutoffMs).toISOString();
+                    // CF-018: Execute retention per data type
+                    switch (policy.data_type) {
+                        case 'events': {
+                            if (policy.action === 'delete') {
+                                const result = conn.run(`DELETE FROM obs_events WHERE created_at < ? AND delivered = 1`, [cutoff]);
+                                recordsDeleted += result.changes;
+                            }
+                            break;
+                        }
+                        case 'sessions': {
+                            // Delete conversation turns for old conversations, then conversations, then sessions
+                            const oldConvs = conn.query(`SELECT id FROM core_conversations WHERE created_at < ?`, [cutoff]);
+                            for (const conv of oldConvs) {
+                                recordsDeleted += conn.run(`DELETE FROM core_conversation_turns WHERE conversation_id = ?`, [conv.id]).changes;
+                            }
+                            recordsDeleted += conn.run(`DELETE FROM core_conversations WHERE created_at < ?`, [cutoff]).changes;
+                            break;
+                        }
+                        case 'artifacts': {
+                            // Delete artifact dependencies first, then artifacts
+                            const oldArtifacts = conn.query(`SELECT id FROM core_artifacts WHERE created_at < ?`, [cutoff]);
+                            for (const art of oldArtifacts) {
+                                recordsDeleted += conn.run(`DELETE FROM core_artifact_dependencies WHERE artifact_id = ?`, [art.id]).changes;
+                            }
+                            recordsDeleted += conn.run(`DELETE FROM core_artifacts WHERE created_at < ?`, [cutoff]).changes;
+                            break;
+                        }
+                        case 'audit': {
+                            // I-06: Audit entries are NEVER deleted. Use tombstone (CF-035) or archive.
+                            if (auditTrail && policy.action === 'archive') {
+                                // Tombstone audit entries per tenant for entries older than cutoff
+                                // Find distinct tenants with old entries
+                                const tenants = conn.query(`SELECT DISTINCT tenant_id FROM core_audit_log WHERE timestamp < ? AND tenant_id IS NOT NULL`, [cutoff]);
+                                for (const t of tenants) {
+                                    const result = auditTrail.tombstone(conn, t.tenant_id);
+                                    if (result.ok) {
+                                        recordsArchived += result.value.tombstonedEntries;
+                                    }
+                                }
+                            }
+                            break;
+                        }
+                        case 'memories':
+                        case 'techniques': {
+                            // CF-002 dependency: core_memories and core_techniques tables don't exist yet.
+                            // These will be handled when the learning system (SS29) is implemented.
+                            break;
+                        }
+                    }
+                    policiesApplied.push(policy.id);
+                }
+                // Update run status
+                conn.run(`UPDATE core_retention_runs SET
+           completed_at = strftime('%Y-%m-%dT%H:%M:%fZ','now'),
+           policies_applied = ?, records_archived = ?, records_deleted = ?,
+           status = 'completed'
+           WHERE id = ?`, [JSON.stringify(policiesApplied), recordsArchived, recordsDeleted, runId]);
+                return {
+                    ok: true,
+                    value: {
+                        runId,
+                        recordsArchived,
+                        recordsDeleted,
+                        policiesApplied,
+                    },
+                };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'RETENTION_EXECUTE_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§35',
+                    },
+                };
+            }
+        },
+        /**
+         * Get current retention policies.
+         * S ref: §35 (policy inspection)
+         */
+        getPolicies(conn, _ctx) {
+            try {
+                const rows = conn.query(`SELECT id, data_type, retention_days, action, enabled
+           FROM core_retention_policies ORDER BY data_type`);
+                const policies = rows.map(row => ({
+                    id: row.id,
+                    dataType: row.data_type,
+                    retentionDays: row.retention_days,
+                    action: row.action,
+                    enabled: row.enabled === 1,
+                }));
+                return { ok: true, value: policies };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'RETENTION_GET_POLICIES_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§35',
+                    },
+                };
+            }
+        },
+        /**
+         * Update retention policy for a data type.
+         * S ref: §35 (configurable retention periods)
+         */
+        updatePolicy(conn, _ctx, dataType, retentionDays, action) {
+            try {
+                // I-06: Audit entries must always use 'archive' action, never 'delete'
+                if (dataType === 'audit' && action === 'delete') {
+                    return {
+                        ok: false,
+                        error: {
+                            code: 'AUDIT_RETENTION_VIOLATION',
+                            message: 'Audit entries must be archived, not deleted (I-06)',
+                            spec: 'I-06',
+                        },
+                    };
+                }
+                const result = conn.run(`UPDATE core_retention_policies SET
+           retention_days = ?, action = ?,
+           updated_at = strftime('%Y-%m-%dT%H:%M:%fZ','now')
+           WHERE data_type = ?`, [retentionDays, action, dataType]);
+                if (result.changes === 0) {
+                    return {
+                        ok: false,
+                        error: {
+                            code: 'RETENTION_POLICY_NOT_FOUND',
+                            message: `No retention policy found for data type "${dataType}"`,
+                            spec: '§35',
+                        },
+                    };
+                }
+                return { ok: true, value: undefined };
+            }
+            catch (err) {
+                return {
+                    ok: false,
+                    error: {
+                        code: 'RETENTION_UPDATE_FAILED',
+                        message: err instanceof Error ? err.message : String(err),
+                        spec: '§35',
+                    },
+                };
+            }
+        },
+    };
+}
+export { DEFAULT_POLICIES };
+//# sourceMappingURL=retention_scheduler.js.map

package/dist/kernel/retention/retention_scheduler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"retention_scheduler.js","sourceRoot":"","sources":["../../../src/kernel/retention/retention_scheduler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAQzC;;;GAGG;AACH,MAAM,gBAAgB,GAIjB;IACH,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE;IAC/D,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,EAAO,mBAAmB;IACvF,EAAE,QAAQ,EAAE,UAAU,EAAE,aAAa,EAAE,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE;IAC9D,EAAE,QAAQ,EAAE,WAAW,EAAE,aAAa,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE;IAChE,EAAE,QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC,EAAE,MAAM,EAAE,aAAa,EAAE,EAAE,wBAAwB;IAC7F,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,EAAE,EAAE,MAAM,EAAE,QAAQ,EAAE;CAC5D,CAAC;AAEF;;;GAGG;AACH;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,UAAuB,EAAE,IAAmB;IACnF,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC1F,OAAO;QACL;;;WAGG;QACH,gBAAgB,CAAC,IAAwB,EAAE,IAAsB;YAC/D,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;gBAC3B,IAAI,eAAe,GAAG,CAAC,CAAC;gBACxB,IAAI,cAAc,GAAG,CAAC,CAAC;gBACvB,MAAM,eAAe,GAAa,EAAE,CAAC;gBAErC,sBAAsB;gBACtB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAIzB;0DACgD,CACjD,CAAC;gBAEF,uBAAuB;gBACvB,IAAI,CAAC,GAAG,CACN;0EACgE,EAChE,CAAC,KAAK,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CACjD,CAAC;gBAEF,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;oBAC9B,IAAI,MAAM,CAAC,cAAc,KAAK,CAAC;wBAAE,SAAS,CAAC,iBAAiB;oBAE5D,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;oBAC/E,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;oBAEhD,0CAA0C;oBAC1C,QAAQ,MAAM,CAAC,SAAS,EAAE,CAAC;wBACzB,KAAK,QAAQ,CAAC,CAAC,CAAC;4BACd,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;gCAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CACrB,+DAA+D,EAC/D,CAAC,MAAM,CAAC,CACT,CAAC;gCACF,cAAc,IAAI,MAAM,CAAC,OAAO,CAAC;4BACnC,CAAC;4BACD,MAAM;wBACR,CAAC;wBAED,KAAK,UAAU,CAAC,CAAC,CAAC;4BAChB,qFAAqF;4BACrF,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CACzB,wDAAwD,EAAE,CAAC,MAAM,CAAC,CACnE,CAAC;4BACF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;gCAC5B,cAAc,IAAI,IAAI,CAAC,GAAG,CACxB,+DAA+D,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAC3E,CAAC,OAAO,CAAC;4BACZ,CAAC;4BACD,cAAc,IAAI,IAAI,CAAC,GAAG,CACxB,qDAAqD,EAAE,CAAC,MAAM,CAAC,CAChE,CAAC,OAAO,CAAC;4BACV,MAAM;wBACR,CAAC;wBAED,KAAK,WAAW,CAAC,CAAC,CAAC;4BACjB,qDAAqD;4BACrD,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAC7B,oDAAoD,EAAE,CAAC,MAAM,CAAC,CAC/D,CAAC;4BACF,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;gCAC/B,cAAc,IAAI,IAAI,CAAC,GAAG,CACxB,8DAA8D,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CACzE,CAAC,OAAO,CAAC;4BACZ,CAAC;4BACD,cAAc,IAAI,IAAI,CAAC,GAAG,CACxB,iDAAiD,EAAE,CAAC,MAAM,CAAC,CAC5D,CAAC,OAAO,CAAC;4BACV,MAAM;wBACR,CAAC;wBAED,KAAK,OAAO,CAAC,CAAC,CAAC;4BACb,4EAA4E;4BAC5E,IAAI,UAAU,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gCAC9C,mEAAmE;gCACnE,yCAAyC;gCACzC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,6FAA6F,EAC7F,CAAC,MAAM,CAAC,CACT,CAAC;gCACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;oCACxB,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,SAAqB,CAAC,CAAC;oCACnE,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;wCACd,eAAe,IAAI,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC;oCACpD,CAAC;gCACH,CAAC;4BACH,CAAC;4BACD,MAAM;wBACR,CAAC;wBAED,KAAK,UAAU,CAAC;wBAChB,KAAK,YAAY,CAAC,CAAC,CAAC;4BAClB,+EAA+E;4BAC/E,wEAAwE;4BACxE,MAAM;wBACR,CAAC;oBACH,CAAC;oBAED,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;gBAClC,CAAC;gBAED,oBAAoB;gBACpB,IAAI,CAAC,GAAG,CACN;;;;wBAIc,EACd,CAAC,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,eAAe,EAAE,cAAc,EAAE,KAAK,CAAC,CAC1E,CAAC;gBAEF,OAAO;oBACL,EAAE,EAAE,IAAI;oBACR,KAAK,EAAE;wBACL,KAAK;wBACL,eAAe;wBACf,cAAc;wBACd,eAAe;qBAChB;iBACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,0BAA0B;wBAChC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;WAGG;QACH,WAAW,CAAC,IAAwB,EAAE,IAAsB;YAC1D,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAIrB;2DACiD,CAClD,CAAC;gBAEF,MAAM,QAAQ,GAAsB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;oBACnD,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,QAAQ,EAAE,GAAG,CAAC,SAAS;oBACvB,aAAa,EAAE,GAAG,CAAC,cAAc;oBACjC,MAAM,EAAE,GAAG,CAAC,MAA8C;oBAC1D,OAAO,EAAE,GAAG,CAAC,OAAO,KAAK,CAAC;iBAC3B,CAAC,CAAC,CAAC;gBAEJ,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;YACvC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,+BAA+B;wBACrC,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED;;;WAGG;QACH,YAAY,CAAC,IAAwB,EAAE,IAAsB,EAAE,QAAgB,EAAE,aAAqB,EAAE,MAA4C;YAClJ,IAAI,CAAC;gBACH,uEAAuE;gBACvE,IAAI,QAAQ,KAAK,OAAO,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;oBAChD,OAAO;wBACL,EAAE,EAAE,KAAK;wBACT,KAAK,EAAE;4BACL,IAAI,EAAE,2BAA2B;4BACjC,OAAO,EAAE,oDAAoD;4BAC7D,IAAI,EAAE,MAAM;yBACb;qBACF,CAAC;gBACJ,CAAC;gBAED,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CACrB;;;+BAGqB,EACrB,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC,CAClC,CAAC;gBAEF,IAAI,MAAM,CAAC,OAAO,KAAK,CAAC,EAAE,CAAC;oBACzB,OAAO;wBACL,EAAE,EAAE,KAAK;wBACT,KAAK,EAAE;4BACL,IAAI,EAAE,4BAA4B;4BAClC,OAAO,EAAE,4CAA4C,QAAQ,GAAG;4BAChE,IAAI,EAAE,KAAK;yBACZ;qBACF,CAAC;gBACJ,CAAC;gBAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;YACxC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,KAAK,EAAE;wBACL,IAAI,EAAE,yBAAyB;wBAC/B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;wBACzD,IAAI,EAAE,KAAK;qBACZ;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/kernel/tenant/tenant_context.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Tenant context implementation.
+ * S ref: RDD-3, FM-10
+ *
+ * Phase: 1 (Kernel) -- Build Order 7
+ * Transparent tenant isolation.
+ *
+ * RDD-3: Consumer never knows which tenancy mode is active.
+ * FM-10: Tenant data leakage prevention via automatic tenant_id injection.
+ *
+ * Three modes:
+ * - single: No tenant_id column population. All queries return rows where tenant_id IS NULL.
+ * - row-level: Automatic WHERE tenant_id = ? injection.
+ * - database: Each tenant gets its own database file.
+ */
+import type { TenantContext, DatabaseConnection } from '../interfaces/index.js';
+/**
+ * Create a TenantContext implementation.
+ * S ref: RDD-3 (transparent tenancy), FM-10 (tenant isolation)
+ */
+export declare function createTenantContext(primaryConn: DatabaseConnection): TenantContext;
+//# sourceMappingURL=tenant_context.d.ts.map

package/dist/kernel/tenant/tenant_context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant_context.d.ts","sourceRoot":"","sources":["../../../src/kernel/tenant/tenant_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAEV,aAAa,EAAE,kBAAkB,EAClC,MAAM,wBAAwB,CAAC;AAEhC;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,kBAAkB,GAAG,aAAa,CAwFlF"}