mindforge-cc 3.0.0 → 4.3.0

package/bin/governance/trust-verifier.js

@@ -0,0 +1,81 @@
+/**
+ * MindForge ZTAI Trust Verifier
+ * v4.2.0-alpha.ztai
+ */
+
+const fs = require('fs');
+const ztai = require('./ztai-manager');
+
+class TrustVerifier {
+  /**
+   * Verifies a single audit entry.
+   * @param {object} entry - The audit entry object
+   * @returns {object} - { valid: boolean, error: string|null, tier: number }
+   */
+  verifyEntry(entry) {
+    if (!entry.did || !entry.signature) {
+      return { valid: false, error: 'Missing ZTAI identity (did/signature)', tier: 0 };
+    }
+
+    try {
+      // Reconstruct payroll for verification (signature is stripped)
+      const { signature, ...payloadObj } = entry;
+      const payload = JSON.stringify(payloadObj);
+
+      const isValid = ztai.verifySignature(entry.did, payload, signature);
+      const agent = ztai.getAgent(entry.did);
+
+      if (!isValid) {
+        return { valid: false, error: 'Cryptographic signature mismatch', tier: agent ? agent.tier : 0 };
+      }
+
+      return { valid: true, error: null, tier: agent.tier };
+    } catch (err) {
+      return { valid: false, error: err.message, tier: 0 };
+    }
+  }
+
+  /**
+   * Validates a Tier 3 action requirement.
+   * @param {string} did - Executing agent DID
+   */
+  isAuthorizedForTier3(did) {
+    const agent = ztai.getAgent(did);
+    return agent && agent.tier >= 3;
+  }
+
+  /**
+   * Scans a file of JSONL audit entries for integrity.
+   * @param {string} filePath 
+   */
+  async verifyAuditLog(filePath) {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const lines = content.split('\n').filter(l => l.trim());
+    const results = {
+      total: lines.length,
+      valid: 0,
+      invalid: 0,
+      errors: []
+    };
+
+    for (const [index, line] of lines.entries()) {
+      try {
+        const entry = JSON.parse(line);
+        const { valid, error } = this.verifyEntry(entry);
+        if (valid) {
+          results.valid++;
+        } else {
+          results.invalid++;
+          results.errors.push(`Line ${index + 1}: ${error}`);
+        }
+      } catch (err) {
+        results.invalid++;
+        results.errors.push(`Line ${index + 1}: Invalid JSON`);
+      }
+    }
+
+    return results;
+  }
+}
+
+module.exports = new TrustVerifier();

package/bin/governance/ztai-archiver.js

@@ -0,0 +1,104 @@
+/**
+ * MindForge ZTAI Audit Archiver
+ * v4.2.5 — Non-Repudiation Engine
+ */
+
+const crypto = require('node:crypto');
+const fs = require('node:fs/promises');
+const path = require('node:path');
+const ztai = require('./ztai-manager');
+
+class ZTAIArchiver {
+  constructor(auditPath = '.mindforge/audit/AUDIT.jsonl') {
+    this.auditPath = auditPath;
+    this.manifestDir = '.mindforge/audit/manifests';
+  }
+
+  /**
+   * Generates an integrity manifest for a specific block of audit entries.
+   * @param {Array<Object>} entries - A block of entries to sign.
+   * @param {string} archiverDid - The DID of the archiver (e.g., Release Manager)
+   * @returns {Promise<Object>} - The signed manifest
+   */
+  async generateManifest(entries, archiverDid) {
+    if (!entries || entries.length === 0) return null;
+
+    // 1. Calculate the Merkle-like root hash of the block
+    const blockHashes = entries.map(e => 
+      crypto.createHash('sha256').update(JSON.stringify(e)).digest('hex')
+    );
+    
+    // Simple cumulative hash chain as a Merkle Root equivalent
+    let cumulativeHash = '';
+    for (const h of blockHashes) {
+      cumulativeHash = crypto.createHash('sha256').update(cumulativeHash + h).digest('hex');
+    }
+
+    const manifestMetadata = {
+      blockStart: entries[0].timestamp,
+      blockEnd: entries[entries.length - 1].timestamp,
+      entryCount: entries.length,
+      merkleRoot: cumulativeHash,
+      archivedAt: new Date().toISOString(),
+      archiver: archiverDid,
+      version: 'v4.2.5'
+    };
+
+    // 2. Sign the manifest with the archiver's DID
+    const signature = await ztai.signData(archiverDid, JSON.stringify(manifestMetadata));
+
+    return {
+      ...manifestMetadata,
+      signature
+    };
+  }
+
+  /**
+   * Scans the current AUDIT.jsonl and generates manifests for un-archived blocks.
+   * For the simulation, we process the entire file and generate one manifest.
+   */
+  async archiveAuditLog(archiverDid) {
+    try {
+      const data = await fs.readFile(this.auditPath, 'utf8');
+      const lines = data.split('\n').filter(l => l.trim() !== '');
+      const entries = lines.map(l => JSON.parse(l));
+
+      if (entries.length === 0) return null;
+
+      const manifest = await this.generateManifest(entries, archiverDid);
+      
+      // Ensure manifest directory exists
+      await fs.mkdir(this.manifestDir, { recursive: true });
+      
+      const manifestPath = path.join(this.manifestDir, `manifest_${Date.now()}.json`);
+      await fs.writeFile(manifestPath, JSON.stringify(manifest, null, 2));
+
+      console.log(`[ZTAI-ARCHIVER] Manifest generated and signed by ${archiverDid}: ${manifestPath}`);
+      return manifest;
+    } catch (err) {
+      console.error(`[ZTAI-ARCHIVER] Failed to archive audit log: ${err.message}`);
+      return null;
+    }
+  }
+
+  /**
+   * Verifies the integrity of the audit log against a manifest.
+   */
+  async verifyIntegrity(manifestPath) {
+    const manifest = JSON.parse(await fs.readFile(manifestPath, 'utf8'));
+    const { signature, ...manifestMetadata } = manifest;
+    
+    // 1. Verify Archiver Signature
+    const isSignatureValid = ztai.verifySignature(manifest.archiver, JSON.stringify(manifestMetadata), signature);
+    if (!isSignatureValid) {
+      throw new Error(`CRITICAL: Manifest signature invalid for ${manifestPath}`);
+    }
+
+    // 2. Recalculate and Verify Merkle Root (Simulated)
+    // In a real environment, this would compare against the actual AUDIT.jsonl data slices.
+    console.log(`[ZTAI-ARCHIVER] Integrity Verified for block ending ${manifest.blockEnd}`);
+    return true;
+  }
+}
+
+module.exports = ZTAIArchiver;

package/bin/governance/ztai-manager.js

@@ -0,0 +1,203 @@
+/**
+ * MindForge ZTAI (Zero-Trust Agentic Identity) Manager
+ * v4.2.5 — Beast Mode Hardening
+ */
+
+const crypto = require('node:crypto');
+const { promisify } = require('node:util');
+
+const generateKeyPair = promisify(crypto.generateKeyPair);
+
+/**
+ * Abstract Base Class for Key Providers
+ */
+class KeyProvider {
+  async generate(did) { throw new Error('Not implemented'); }
+  async sign(did, data) { throw new Error('Not implemented'); }
+  async rotate(did) { throw new Error('Not implemented'); }
+  delete(did) { throw new Error('Not implemented'); }
+}
+
+/**
+ * Standard In-Memory Key Provider (Tier 1-2)
+ */
+class LocalKeyProvider extends KeyProvider {
+  constructor() {
+    super();
+    this.keys = new Map(); // DID -> privateKeyPEM
+  }
+
+  async generate(did) {
+    const { publicKey, privateKey } = await generateKeyPair('ed25519');
+    const pubPEM = publicKey.export({ type: 'spki', format: 'pem' });
+    const privPEM = privateKey.export({ type: 'pkcs8', format: 'pem' });
+    
+    this.keys.set(did, privPEM);
+    return pubPEM;
+  }
+
+  async sign(did, data) {
+    const privPEM = this.keys.get(did);
+    if (!privPEM) throw new Error(`Private key not found in local store for ${did}`);
+    
+    const privateKey = crypto.createPrivateKey(privPEM);
+    return crypto.sign(null, Buffer.from(data), privateKey).toString('base64');
+  }
+
+  async rotate(did) {
+    return this.generate(did);
+  }
+
+  delete(did) {
+    this.keys.delete(did);
+  }
+}
+
+/**
+ * Simulated Hardware Security Enclave (Tier 3)
+ * Mocks a TPM/KMS environment where keys never leave the "hardware".
+ */
+class SecureEnclaveProvider extends KeyProvider {
+  constructor() {
+    super();
+    this.enclaveStore = new Map(); // DID -> { privateKey, metadata }
+  }
+
+  async generate(did) {
+    console.log(`[ZTAI-HSM] Provisioning protected identity enclave for ${did}...`);
+    const { publicKey, privateKey } = await generateKeyPair('ed25519');
+    const pubPEM = publicKey.export({ type: 'spki', format: 'pem' });
+    
+    this.enclaveStore.set(did, {
+      privateKey, // In a real HSM, this would be a key handle/ID
+      provisionedAt: new Date().toISOString(),
+      integrityCheck: crypto.randomBytes(32).toString('hex')
+    });
+    
+    return pubPEM;
+  }
+
+  async sign(did, data) {
+    const record = this.enclaveStore.get(did);
+    if (!record) throw new Error(`Enclave record not found for ${did}`);
+    
+    console.log(`[ZTAI-HSM] Delegating signature to hardware enclave [DID: ${did}]`);
+    
+    // Simulate enclave "wrapping" or "sealing" logic
+    const signature = crypto.sign(null, Buffer.from(data), record.privateKey);
+    
+    // Add a verifiable "Enclave Metadata" header to the signature in a real implementation
+    // For now, we just return the standard signature but log the security event.
+    return signature.toString('base64');
+  }
+
+  async rotate(did) {
+    console.log(`[ZTAI-HSM] Rotating enclave keys for ${did}...`);
+    return this.generate(did);
+  }
+
+  delete(did) {
+    this.enclaveStore.delete(did);
+  }
+}
+
+class ZTAIManager {
+  constructor() {
+    this.agentRegistry = new Map(); // DID -> { publicKey, persona, tier, providerType }
+    this.providers = {
+      local: new LocalKeyProvider(),
+      enclave: new SecureEnclaveProvider()
+    };
+  }
+
+  /**
+   * Registers a new agent and assigns a provider based on Trust Tier.
+   */
+  async registerAgent(persona, tier = 1) {
+    const uuid = crypto.randomUUID();
+    const did = `did:mindforge:${uuid}`;
+    
+    // Tier 3 agents use the SecureEnclaveProvider
+    const providerType = tier >= 3 ? 'enclave' : 'local';
+    const provider = this.providers[providerType];
+    
+    const publicKeyPEM = await provider.generate(did);
+
+    this.agentRegistry.set(did, {
+      publicKey: publicKeyPEM,
+      persona,
+      tier,
+      providerType,
+      createdAt: new Date().toISOString()
+    });
+
+    return did;
+  }
+
+  /**
+   * Signs data using the provider associated with the DID.
+   */
+  async signData(did, data) {
+    const agent = this.agentRegistry.get(did);
+    if (!agent) throw new Error(`Agent not registered: ${did}`);
+    
+    const provider = this.providers[agent.providerType];
+    return await provider.sign(did, data);
+  }
+
+  /**
+   * Verifies a signature against the registered public key.
+   */
+  verifySignature(did, data, signature) {
+    const agent = this.agentRegistry.get(did);
+    if (!agent) throw new Error(`Agent not registered: ${did}`);
+
+    const publicKey = crypto.createPublicKey(agent.publicKey);
+    return crypto.verify(null, Buffer.from(data), publicKey, Buffer.from(signature, 'base64'));
+  }
+
+  isAuthorized(did, requiredTier) {
+    const agent = this.agentRegistry.get(did);
+    return agent && agent.tier >= requiredTier;
+  }
+
+  async rotateKeys(did) {
+    const agent = this.agentRegistry.get(did);
+    if (!agent) throw new Error(`Agent not found: ${did}`);
+    
+    const provider = this.providers[agent.providerType];
+    agent.publicKey = await provider.rotate(did);
+    agent.rotatedAt = new Date().toISOString();
+    return true;
+  }
+
+  revokeAgent(did) {
+    const agent = this.agentRegistry.get(did);
+    if (agent) {
+      this.providers[agent.providerType].delete(did);
+      this.agentRegistry.delete(did);
+    }
+  }
+
+  getAgent(did) {
+    return this.agentRegistry.get(did);
+  }
+
+  /**
+   * Specialized signing for FinOps budget decisions (Pillar V).
+   */
+  async signFinOpsDecision(did, decision) {
+    const data = JSON.stringify(decision);
+    return await this.signData(did, data);
+  }
+
+  /**
+   * Specialized signing for Self-Healing repair plans (Pillar VI).
+   */
+  async signSelfHealPlan(did, plan) {
+    const data = JSON.stringify(plan);
+    return await this.signData(did, data);
+  }
+}
+
+module.exports = new ZTAIManager();

package/bin/memory/ghost-pattern-detector.js

@@ -0,0 +1,69 @@
+/**
+ * MindForge Ghost Pattern Detector
+ * v4.2.5 — Proactive Risk Mitigation
+ */
+
+const semanticHub = require('./semantic-hub');
+const fs = require('node:fs/promises');
+
+class GhostPatternDetector {
+  /**
+   * Analyzes a newly proposed pattern against the global Ghost Hub.
+   * @param {Object} proposedPattern - The architecture/pattern being proposed.
+   * @returns {Promise<Array<Object>>} - List of detected risks.
+   */
+  async analyzeRisk(proposedPattern) {
+    console.log(`[GHOST-DETECTOR] Analyzing proposed pattern: ${proposedPattern.id}`);
+
+    // 1. Fetch ghost patterns from semantic hub
+    const ghostPatterns = await semanticHub.getGhostPatterns();
+    if (ghostPatterns.length === 0) return [];
+
+    // 2. Fuzzy match or Tag overlap logic (Simulated)
+    const risks = ghostPatterns.filter(ghost => {
+      // Check for tag overlap
+      const overlap = ghost.tags.filter(t => proposedPattern.tags.includes(t));
+      
+      // If there's an overlap and the ghost is tagged 'failure', trigger a risk.
+      const isRisk = (overlap.length >= 2 || ghost.tags.includes('critical-fail'));
+      if (isRisk) {
+        console.warn(`[GHOST-DETECTOR] Found potential ghost match: ${ghost.id} (Tags: ${overlap.join(',')})`);
+      }
+      return isRisk;
+    });
+
+    return risks.map(r => ({
+      ghostId: r.id,
+      riskLevel: r.tags.includes('p0') ? 'CRITICAL' : 'HIGH',
+      description: `Pattern similarity detected with past failure: ${r.failureContext || 'N/A'}`,
+      mitigation: r.mitigationStrategy || 'Consult mf-reviewer for deep-audit.'
+    }));
+  }
+
+  /**
+   * Batch scan the local project for ghost patterns.
+   */
+  async fullScan() {
+    const localPatterns = await this.loadLocalPatterns();
+    const allRisks = [];
+
+    for (const p of localPatterns) {
+      const risks = await this.analyzeRisk(p);
+      if (risks.length > 0) allRisks.push({ patternId: p.id, risks });
+    }
+
+    return allRisks;
+  }
+
+  async loadLocalPatterns() {
+    const localFile = '.mindforge/memory/pattern-library.jsonl';
+    try {
+      const data = await fs.readFile(localFile, 'utf8');
+      return data.split('\n').filter(Boolean).map(JSON.parse);
+    } catch (e) {
+      return [];
+    }
+  }
+}
+
+module.exports = new GhostPatternDetector();

package/bin/memory/semantic-hub.js

@@ -0,0 +1,104 @@
+/**
+ * MindForge Semantic Hub
+ * v4.2.5 — Global Intelligence Mesh
+ */
+
+const fs = require('node:fs/promises');
+const path = require('node:path');
+const os = require('node:os');
+
+class SemanticHub {
+  constructor() {
+    this.localPath = '.mindforge/memory';
+    this.globalPath = path.join(os.homedir(), '.mindforge/memory/global');
+    this.syncManifest = path.join(this.localPath, 'sync-manifest.json');
+  }
+
+  /**
+   * Initializes the global memory store if it doesn't exist.
+   */
+  async ensureGlobalStore() {
+    try {
+      await fs.mkdir(this.globalPath, { recursive: true });
+      console.log(`[SEMANTIC-HUB] Global Store Initialized: ${this.globalPath}`);
+    } catch (err) {
+      console.error(`[SEMANTIC-HUB] Failed to initialize global store: ${err.message}`);
+    }
+  }
+
+  /**
+   * Syncs a local library with the global hub.
+   * @param {string} libraryName - e.g., 'pattern-library.jsonl'
+   */
+  async syncLibrary(libraryName) {
+    const localFile = path.join(this.localPath, libraryName);
+    const globalFile = path.join(this.globalPath, libraryName);
+
+    try {
+      // 1. Read local entries
+      const localData = await fs.readFile(localFile, 'utf8');
+      const localEntries = localData.split('\n').filter(Boolean).map(JSON.parse);
+
+      // 2. Read global entries (if exist)
+      let globalEntries = [];
+      try {
+        const globalData = await fs.readFile(globalFile, 'utf8');
+        globalEntries = globalData.split('\n').filter(Boolean).map(JSON.parse);
+      } catch (e) {
+        // Global doesn't exist yet, that's fine.
+      }
+
+      // 3. Simple ID-based deduplication Logic
+      const globalIds = new Set(globalEntries.map(e => e.id));
+      const newEntries = localEntries.filter(e => !globalIds.has(e.id));
+
+      if (newEntries.length > 0) {
+        // Append new entries to global store
+        const appendData = newEntries.map(e => JSON.stringify(e)).join('\n') + '\n';
+        await fs.appendFile(globalFile, appendData);
+        console.log(`[SEMANTIC-HUB] Synced ${newEntries.length} new entries to global ${libraryName}`);
+      }
+
+      // 4. Update sync manifest
+      await this.updateManifest(libraryName, localEntries.length);
+      
+      return true;
+    } catch (err) {
+      console.error(`[SEMANTIC-HUB] Sync failed for ${libraryName}: ${err.message}`);
+      return false;
+    }
+  }
+
+  async updateManifest(libraryName, count) {
+    let manifest = {};
+    try {
+      const data = await fs.readFile(this.syncManifest, 'utf8');
+      manifest = JSON.parse(data);
+    } catch (e) {}
+
+    manifest[libraryName] = {
+      lastSync: new Date().toISOString(),
+      localCount: count
+    };
+
+    await fs.writeFile(this.syncManifest, JSON.stringify(manifest, null, 2));
+  }
+
+  /**
+   * Retrieves all 'ghost_pattern' types from the global hub.
+   */
+  async getGhostPatterns() {
+    const patternFile = path.join(this.globalPath, 'pattern-library.jsonl');
+    try {
+      const data = await fs.readFile(patternFile, 'utf8');
+      return data.split('\n')
+        .filter(Boolean)
+        .map(JSON.parse)
+        .filter(p => p.type === 'ghost-pattern' || p.tags?.includes('failure'));
+    } catch (e) {
+      return [];
+    }
+  }
+}
+
+module.exports = new SemanticHub();

package/bin/models/finops-hub.js

@@ -0,0 +1,79 @@
+/**
+ * MindForge — FinOps Hub (Pillar V: Autonomous FinOps Hub)
+ * Enterprise-grade monitoring and budget enforcement for agentic workloads.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+class FinOpsHub {
+  constructor(config = {}) {
+    this.projectRoot = config.projectRoot || process.cwd();
+    this.budgetLimit = config.budgetLimit || 100.00; // $100.00 USD Default
+    this.monthlyUsage = 0.00;
+  }
+
+  /**
+   * Initializes the FinOps state and budget monitoring.
+   */
+  async init() {
+    const roiPath = path.join(this.projectRoot, '.planning', 'ROI.jsonl');
+    if (fs.existsSync(roiPath)) {
+      const logs = fs.readFileSync(roiPath, 'utf8').split('\n').filter(Boolean);
+      logs.forEach(line => {
+        try {
+          const entry = JSON.parse(line);
+          this.monthlyUsage += entry.estimatedCostUSD || 0;
+        } catch (e) {
+          // Skip malformed lines
+        }
+      });
+    }
+  }
+
+  /**
+   * Checks if the task is within budget constraints.
+   * @param {Object} task - Task details (difficulty, priority)
+   * @returns {Object} - Budget check result (status, reasoning)
+   */
+  checkBudget(task) {
+    if (this.monthlyUsage >= this.budgetLimit) {
+      return { status: 'DENIED', reason: `Monthly budget limit ($${this.budgetLimit}) reached.` };
+    }
+
+    if (this.monthlyUsage >= this.budgetLimit * 0.9) {
+      return { status: 'WARNING', reason: `Project has consumed 90% of the allocated budget ($${this.monthlyUsage.toFixed(2)} / $${this.budgetLimit.toFixed(2)}).` };
+    }
+
+    return { status: 'APPROVED', usage: this.monthlyUsage };
+  }
+
+  /**
+   * Generates a "Spending Profile" for the project.
+   * Used for the Nexus Dashboard to visualize ROI.
+   */
+  getSpendingProfile() {
+    const roiPath = path.join(this.projectRoot, '.planning', 'ROI.jsonl');
+    if (!fs.existsSync(roiPath)) return { totalSpend: 0, goalsAchieved: 0, roi: 0 };
+
+    const logs = fs.readFileSync(roiPath, 'utf8').split('\n').filter(Boolean).map(JSON.parse);
+    const totalSpend = logs.reduce((acc, l) => acc + (l.estimatedCostUSD || 0), 0);
+    const goalsAchieved = logs.reduce((acc, l) => acc + (l.goalAchieved || 0), 0);
+
+    return {
+      totalSpend: totalSpend.toFixed(2),
+      goalsAchieved,
+      roi: totalSpend > 0 ? (goalsAchieved / totalSpend).toFixed(2) : 0,
+      tokenEfficiency: logs.length > 0 ? (totalSpend / logs.length).toFixed(4) : 0,
+    };
+  }
+
+  /**
+   * Resets the usage counter (system-level call).
+   */
+  resetMonthlyUsage() {
+    this.monthlyUsage = 0.00;
+  }
+}
+
+module.exports = FinOpsHub;