mindforge-cc 3.0.0 → 5.0.0

package/bin/engine/sre-manager.js

@@ -0,0 +1,63 @@
+/**
+ * MindForge — SREManager (Pillar VI: Sovereign Reason Enclaves)
+ * Manages confidential reasoning sessions in simulated Trusted Execution Environments (TEE).
+ */
+'use strict';
+
+const crypto = require('crypto');
+
+class SREManager {
+  constructor() {
+    this.activeEnclaves = new Map();
+  }
+
+  /**
+   * Initializes a Sovereign Reason Enclave for a task.
+   * @param {Object} context - Task context (requires Tier 3 identity)
+   * @returns {string} - Enclave ID
+   */
+  initializeEnclave(context) {
+    if (context.tier < 3) {
+      throw new Error(`[SRE-DENY] Tier ${context.tier} principal is not authorized for Sovereign Reason Enclaves.`);
+    }
+
+    const enclaveId = crypto.randomBytes(12).toString('hex');
+    this.activeEnclaves.set(enclaveId, {
+      startedAt: new Date().toISOString(),
+      principal: context.did,
+      hasIP: true,
+      isolationLevel: 'Hardware-Enclave (Simulated)'
+    });
+
+    console.log(`[SRE-INIT] Initialized Sovereign Reason Enclave: ${enclaveId} for ${context.did}`);
+    return enclaveId;
+  }
+
+  /**
+   * Sanitizes a thought chain for global audit logging.
+   * Ensures that sensitive IP or "zero-visibility" thoughts are isolated.
+   * @param {string} thoughtChain - The raw agentic thought chain.
+   * @returns {string} - Sanitized/Isolated thought chain.
+   */
+  sanitizeThoughtChain(thoughtChain, enclaveId) {
+    if (!this.activeEnclaves.has(enclaveId)) return thoughtChain;
+
+    // Zero-Visibility Protocol: In SRE mode, the global audit log only receives a hash
+    // or a redacted summary. The full chain is kept in volatile enclave memory.
+    const digest = crypto.createHash('sha256').update(thoughtChain).digest('hex');
+    
+    return `[SRE-ISOLATED] Confidential reasoning executed in enclave ${enclaveId}. Verification Digest: ${digest}. Original trace is isolated from persistence.`;
+  }
+
+  /**
+   * Finalizes and purges the enclave.
+   */
+  terminateEnclave(enclaveId) {
+    if (this.activeEnclaves.has(enclaveId)) {
+      this.activeEnclaves.delete(enclaveId);
+      console.log(`[SRE-PURGE] Sovereign Reason Enclave ${enclaveId} has been securely purged.`);
+    }
+  }
+}
+
+module.exports = SREManager;

package/bin/engine/temporal-hindsight.js

@@ -0,0 +1,88 @@
+/**
+ * MindForge — TemporalHindsight (Pillar VI: Proactive Equilibrium)
+ * Performs automated RCA and generates repair plans for diverging waves.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+class TemporalHindsight {
+  constructor(config = {}) {
+    this.projectRoot = config.projectRoot || process.cwd();
+    this.historyLimit = config.historyLimit || 10; // Analyze last 10 failed tasks
+  }
+
+  /**
+   * Performs Root Cause Analysis (RCA) on a failed wave.
+   * @param {Object} waveReport - Current wave results (failed tasks, logs)
+   * @returns {Object} - Diagnosis and Repair Plan
+   */
+  async analyze(waveReport) {
+    const { failedTasks, divergence, phase } = waveReport;
+    const diagnosis = this.diagnoseFailures(failedTasks);
+    
+    return {
+      timestamp: new Date().toISOString(),
+      phase,
+      divergence,
+      diagnosis,
+      repairPlan: this.generateRepairPlan(diagnosis, phase),
+    };
+  }
+
+  /**
+   * Diagnoses common failure patterns in agentic workloads.
+   */
+  diagnoseFailures(tasks) {
+    const errorMessages = tasks.map(t => t.error || '').join(' ').toLowerCase();
+    
+    if (errorMessages.includes('permission denied') || errorMessages.includes('eacces')) {
+      return { type: 'ENVIRONMENTAL', cause: 'File system permission issues detected in multiple tasks.', severity: 'CRITICAL' };
+    }
+    
+    if (errorMessages.includes('timeout') || errorMessages.includes('deadline exceeded')) {
+      return { type: 'RESOURCE', cause: 'Wave execution timeout. Tasks are too large or the model response is slow.', severity: 'HIGH' };
+    }
+    
+    if (errorMessages.includes('lint') || errorMessages.includes('syntax error')) {
+      return { type: 'LOGIC', cause: 'Cumulative coding errors. The existing plan is producing invalid syntax consistently.', severity: 'STRICT' };
+    }
+
+    return { type: 'UNKNOWN', cause: 'Generic wave divergence. Multiple unrelated failures detected.', severity: 'MEDIUM' };
+  }
+
+  /**
+   * Generates a "Self-Healing" Plan.md entry.
+   */
+  generateRepairPlan(diagnosis, phase) {
+    const steps = [];
+    
+    switch (diagnosis.type) {
+      case 'ENVIRONMENTAL':
+        steps.push('PAUSE execution immediately.');
+        steps.push('Run `chmod -R u+w .` (simulated) on the affected directories.');
+        steps.push('Re-verify task 0.1 before resuming the wave.');
+        break;
+      case 'RESOURCE':
+        steps.push('PAUSE execution and increase `taskTimeoutMs` by 50%.');
+        steps.push('Request `EXECUTOR_MODEL` upgrade to `claude-3-opus` for complex tasks.');
+        steps.push('Serialise the next wave (concurrency = 1) to reduce resource contention.');
+        break;
+      case 'LOGIC':
+        steps.push('STOP active wave.');
+        steps.push('Rewrite Sub-tasks in PLAN.md for Phase ' + phase + ' with stricter TDD requirements.');
+        steps.push('Inject `Quality-Auditor` persona into the review loop.');
+        break;
+      default:
+        steps.push('PAUSE and request human review for divergence RCA.');
+    }
+    
+    return {
+      title: `AUTONOMOUS REPAIR PLAN: PHASE ${phase}`,
+      steps,
+      autoApplyStatus: 'PENDING_SIGNATURE',
+    };
+  }
+}
+
+module.exports = TemporalHindsight;

package/bin/governance/policies/default-policies.jsonl

@@ -0,0 +1,33 @@
+{
+  "id": "policy_enforce_tier_3_security",
+  "version": "1.0.0",
+  "effect": "DENY",
+  "description": "Agents with Tier < 3 cannot modify security or governance files.",
+  "conditions": {
+    "resource": "*/security/*,*/governance/*",
+    "min_tier": 3
+  }
+}
+<!-- slide -->
+{
+  "id": "policy_permit_developer_src",
+  "version": "1.0.0",
+  "effect": "PERMIT",
+  "description": "Developer agents can write to src and tests.",
+  "conditions": {
+    "action": "write_file",
+    "resource": "*/src/*,*/tests/*",
+    "min_tier": 2
+  }
+}
+<!-- slide -->
+{
+  "id": "policy_permit_global_sync_lead",
+  "version": "1.0.0",
+  "effect": "PERMIT",
+  "description": "Lead Architects can push to the Federated Intelligence Mesh.",
+  "conditions": {
+    "action": "federated_sync_push",
+    "min_tier": 3
+  }
+}

package/bin/governance/policy-engine.js

@@ -0,0 +1,106 @@
+/**
+ * MindForge v5 — Agentic Policy Orchestrator (APO) Engine
+ * Evaluates agent intents against organizational security policies.
+ */
+'use strict';
+
+const fs   = require('node:fs');
+const path = require('node:path');
+
+class PolicyEngine {
+  constructor(config = {}) {
+    this.policiesDir = config.policiesDir || path.join(__dirname, 'policies');
+    this.ensurePoliciesDir();
+  }
+
+  ensurePoliciesDir() {
+    if (!fs.existsSync(this.policiesDir)) {
+      fs.mkdirSync(this.policiesDir, { recursive: true });
+    }
+  }
+
+  /**
+   * Evaluates an agent's intent against all active policies.
+   * @param {Object} intent - The intent to evaluate.
+   * @param {string} intent.did - Source agent DID.
+   * @param {string} intent.action - Action type (e.g. 'write_file', 'delete_file').
+   * @param {string} intent.resource - Target resource (e.g. file path).
+   * @param {number} intent.tier - Agent trust tier.
+   * @returns {Object} - { verdict: 'PERMIT' | 'DENY', reason: string, requestId: string }
+   */
+  evaluate(intent) {
+    const requestId = `pol_${Date.now()}_${Math.random().toString(36).slice(2, 7)}`;
+    console.log(`[APO-EVAL] [${requestId}] Evaluating intent: ${intent.action} on ${intent.resource} by ${intent.did}`);
+
+    const policies = this.loadPolicies();
+    
+    // Default Deny if no policies found
+    if (policies.length === 0) {
+      return { verdict: 'DENY', reason: 'No organizational policies defined (Default Deny)', requestId };
+    }
+
+    // 1. Check for explicit DENY rules first
+    for (const policy of policies) {
+      if (policy.effect === 'DENY' && this.matches(policy, intent)) {
+        return { verdict: 'DENY', reason: `Violation: ${policy.description || policy.id}`, requestId };
+      }
+    }
+
+    // 2. Check for explicit PERMIT rules
+    for (const policy of policies) {
+      if (policy.effect === 'PERMIT' && this.matches(policy, intent)) {
+        return { verdict: 'PERMIT', reason: `Authorized by ${policy.id}`, requestId };
+      }
+    }
+
+    return { verdict: 'DENY', reason: 'No matching PERMIT policy found (Implicit Deny)', requestId };
+  }
+
+  loadPolicies() {
+    if (!fs.existsSync(this.policiesDir)) return [];
+    
+    return fs.readdirSync(this.policiesDir)
+      .filter(f => f.endsWith('.json'))
+      .map(f => {
+        try {
+          const content = fs.readFileSync(path.join(this.policiesDir, f), 'utf8');
+          return JSON.parse(content);
+        } catch (err) {
+          console.error(`[APO-ERROR] Failed to parse policy ${f}:`, err.message);
+          return null;
+        }
+      })
+      .filter(Boolean);
+  }
+
+  /**
+   * Simple rule matcher (simulated OPA/Rego logic).
+   */
+  matches(policy, intent) {
+    const { conditions } = policy;
+    if (!conditions) return true;
+
+    // Check DID match (supports wildcards)
+    if (conditions.did && !this.globMatch(conditions.did, intent.did)) return false;
+
+    // Check Action match
+    if (conditions.action && !this.globMatch(conditions.action, intent.action)) return false;
+
+    // Check Resource match
+    if (conditions.resource && !this.globMatch(conditions.resource, intent.resource)) return false;
+
+    // Check Tier match
+    if (conditions.min_tier && intent.tier < conditions.min_tier) return false;
+
+    return true;
+  }
+
+  globMatch(pattern, text) {
+    if (pattern === '*') return true;
+    if (pattern === text) return true;
+    const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
+    return regex.test(text);
+  }
+}
+
+module.exports = PolicyEngine;

package/bin/governance/rbac-manager.js

@@ -0,0 +1,109 @@
+/**
+ * MindForge v5 — Agentic RBAC Manager
+ * Maps Agent DIDs to specific project roles and granular permissions.
+ */
+'use strict';
+
+const fs    = require('node:fs');
+const path  = require('node:path');
+const ztai  = require('./ztai-manager');
+
+class RBACManager {
+  constructor(config = {}) {
+    this.rolesPath = config.rolesPath || path.join(process.cwd(), '.planning/AGENT-ROLES.json');
+    this.defaultRoles = {
+      'did:mindforge:planner': ['lead-architect', 'resource-optimizer'],
+      'did:mindforge:executor': ['developer', 'test-automator'],
+      'did:mindforge:reviewer': ['security-auditor', 'compliance-checker'],
+      'did:mindforge:researcher': ['knowledge-detective'],
+      'did:mindforge:tool': ['system-operator']
+    };
+  }
+
+  /**
+   * Gets the roles assigned to a specific agent DID.
+   * @param {string} did 
+   */
+  getRoles(did) {
+    const roles = this.loadRoles();
+    // Return explicit roles OR default roles based on persona-matched DIDs
+    const explicit = roles[did];
+    if (explicit) return explicit;
+
+    // Default mapping (regex for persona-based DIDs)
+    for (const [pattern, defaultRoles] of Object.entries(this.defaultRoles)) {
+      if (did.includes(pattern)) return defaultRoles;
+    }
+
+    return ['guest-agent'];
+  }
+
+  /**
+   * [HARDEN] Dynamically binds roles based on ZTAI trust tiers if no explicit role exists.
+   * Ensures high-trust agents automatically get architect-level visibility.
+   */
+  async getRolesByTier(did) {
+    const manager = new ztai();
+    const identity = await manager.getIdentity();
+    const explicit = this.getRoles(did);
+
+    if (identity.tier >= 3) {
+      return [...new Set([...explicit, 'lead-architect'])];
+    }
+    if (identity.tier >= 2) {
+      return [...new Set([...explicit, 'developer'])];
+    }
+    return explicit;
+  }
+
+  loadRoles() {
+    if (!fs.existsSync(this.rolesPath)) return {};
+    try {
+      return JSON.parse(fs.readFileSync(this.rolesPath, 'utf8'));
+    } catch {
+      return {};
+    }
+  }
+
+  /**
+   * Assigns a role to an agent.
+   */
+  assignRole(did, roles) {
+    const current = this.loadRoles();
+    current[did] = Array.isArray(roles) ? roles : [roles];
+    fs.writeFileSync(this.rolesPath, JSON.stringify(current, null, 2));
+    console.log(`[RBAC] Assigned roles [${roles}] to agent ${did}`);
+  }
+
+  /**
+   * Revokes all roles for an agent.
+   */
+  revokeRoles(did) {
+    const current = this.loadRoles();
+    delete current[did];
+    fs.writeFileSync(this.rolesPath, JSON.stringify(current, null, 2));
+  }
+
+  /**
+   * Checks if an agent has a specific permission based on their roles.
+   * @param {string} did 
+   * @param {string} permission 
+   */
+  hasPermission(did, permission) {
+    const roles = this.getRoles(did);
+    const PERMISSION_MAP = {
+      'lead-architect': ['write_architecture', 'approve_adr', 'global_sync_push'],
+      'developer':      ['write_src', 'read_src', 'execute_tests'],
+      'security-auditor': ['read_security', 'write_audit_log', 'block_execution'],
+      'system-operator': ['write_bin', 'modify_infrastructure'],
+      'guest-agent':     ['read_src']
+    };
+
+    for (const role of roles) {
+      if (PERMISSION_MAP[role]?.includes(permission)) return true;
+    }
+    return false;
+  }
+}
+
+module.exports = RBACManager;

package/bin/governance/trust-verifier.js

@@ -0,0 +1,81 @@
+/**
+ * MindForge ZTAI Trust Verifier
+ * v4.2.0-alpha.ztai
+ */
+
+const fs = require('fs');
+const ztai = require('./ztai-manager');
+
+class TrustVerifier {
+  /**
+   * Verifies a single audit entry.
+   * @param {object} entry - The audit entry object
+   * @returns {object} - { valid: boolean, error: string|null, tier: number }
+   */
+  verifyEntry(entry) {
+    if (!entry.did || !entry.signature) {
+      return { valid: false, error: 'Missing ZTAI identity (did/signature)', tier: 0 };
+    }
+
+    try {
+      // Reconstruct payroll for verification (signature is stripped)
+      const { signature, ...payloadObj } = entry;
+      const payload = JSON.stringify(payloadObj);
+
+      const isValid = ztai.verifySignature(entry.did, payload, signature);
+      const agent = ztai.getAgent(entry.did);
+
+      if (!isValid) {
+        return { valid: false, error: 'Cryptographic signature mismatch', tier: agent ? agent.tier : 0 };
+      }
+
+      return { valid: true, error: null, tier: agent.tier };
+    } catch (err) {
+      return { valid: false, error: err.message, tier: 0 };
+    }
+  }
+
+  /**
+   * Validates a Tier 3 action requirement.
+   * @param {string} did - Executing agent DID
+   */
+  isAuthorizedForTier3(did) {
+    const agent = ztai.getAgent(did);
+    return agent && agent.tier >= 3;
+  }
+
+  /**
+   * Scans a file of JSONL audit entries for integrity.
+   * @param {string} filePath 
+   */
+  async verifyAuditLog(filePath) {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const lines = content.split('\n').filter(l => l.trim());
+    const results = {
+      total: lines.length,
+      valid: 0,
+      invalid: 0,
+      errors: []
+    };
+
+    for (const [index, line] of lines.entries()) {
+      try {
+        const entry = JSON.parse(line);
+        const { valid, error } = this.verifyEntry(entry);
+        if (valid) {
+          results.valid++;
+        } else {
+          results.invalid++;
+          results.errors.push(`Line ${index + 1}: ${error}`);
+        }
+      } catch (err) {
+        results.invalid++;
+        results.errors.push(`Line ${index + 1}: Invalid JSON`);
+      }
+    }
+
+    return results;
+  }
+}
+
+module.exports = new TrustVerifier();

package/bin/governance/ztai-archiver.js

@@ -0,0 +1,104 @@
+/**
+ * MindForge ZTAI Audit Archiver
+ * v4.2.5 — Non-Repudiation Engine
+ */
+
+const crypto = require('node:crypto');
+const fs = require('node:fs/promises');
+const path = require('node:path');
+const ztai = require('./ztai-manager');
+
+class ZTAIArchiver {
+  constructor(auditPath = '.mindforge/audit/AUDIT.jsonl') {
+    this.auditPath = auditPath;
+    this.manifestDir = '.mindforge/audit/manifests';
+  }
+
+  /**
+   * Generates an integrity manifest for a specific block of audit entries.
+   * @param {Array<Object>} entries - A block of entries to sign.
+   * @param {string} archiverDid - The DID of the archiver (e.g., Release Manager)
+   * @returns {Promise<Object>} - The signed manifest
+   */
+  async generateManifest(entries, archiverDid) {
+    if (!entries || entries.length === 0) return null;
+
+    // 1. Calculate the Merkle-like root hash of the block
+    const blockHashes = entries.map(e => 
+      crypto.createHash('sha256').update(JSON.stringify(e)).digest('hex')
+    );
+    
+    // Simple cumulative hash chain as a Merkle Root equivalent
+    let cumulativeHash = '';
+    for (const h of blockHashes) {
+      cumulativeHash = crypto.createHash('sha256').update(cumulativeHash + h).digest('hex');
+    }
+
+    const manifestMetadata = {
+      blockStart: entries[0].timestamp,
+      blockEnd: entries[entries.length - 1].timestamp,
+      entryCount: entries.length,
+      merkleRoot: cumulativeHash,
+      archivedAt: new Date().toISOString(),
+      archiver: archiverDid,
+      version: 'v4.2.5'
+    };
+
+    // 2. Sign the manifest with the archiver's DID
+    const signature = await ztai.signData(archiverDid, JSON.stringify(manifestMetadata));
+
+    return {
+      ...manifestMetadata,
+      signature
+    };
+  }
+
+  /**
+   * Scans the current AUDIT.jsonl and generates manifests for un-archived blocks.
+   * For the simulation, we process the entire file and generate one manifest.
+   */
+  async archiveAuditLog(archiverDid) {
+    try {
+      const data = await fs.readFile(this.auditPath, 'utf8');
+      const lines = data.split('\n').filter(l => l.trim() !== '');
+      const entries = lines.map(l => JSON.parse(l));
+
+      if (entries.length === 0) return null;
+
+      const manifest = await this.generateManifest(entries, archiverDid);
+      
+      // Ensure manifest directory exists
+      await fs.mkdir(this.manifestDir, { recursive: true });
+      
+      const manifestPath = path.join(this.manifestDir, `manifest_${Date.now()}.json`);
+      await fs.writeFile(manifestPath, JSON.stringify(manifest, null, 2));
+
+      console.log(`[ZTAI-ARCHIVER] Manifest generated and signed by ${archiverDid}: ${manifestPath}`);
+      return manifest;
+    } catch (err) {
+      console.error(`[ZTAI-ARCHIVER] Failed to archive audit log: ${err.message}`);
+      return null;
+    }
+  }
+
+  /**
+   * Verifies the integrity of the audit log against a manifest.
+   */
+  async verifyIntegrity(manifestPath) {
+    const manifest = JSON.parse(await fs.readFile(manifestPath, 'utf8'));
+    const { signature, ...manifestMetadata } = manifest;
+    
+    // 1. Verify Archiver Signature
+    const isSignatureValid = ztai.verifySignature(manifest.archiver, JSON.stringify(manifestMetadata), signature);
+    if (!isSignatureValid) {
+      throw new Error(`CRITICAL: Manifest signature invalid for ${manifestPath}`);
+    }
+
+    // 2. Recalculate and Verify Merkle Root (Simulated)
+    // In a real environment, this would compare against the actual AUDIT.jsonl data slices.
+    console.log(`[ZTAI-ARCHIVER] Integrity Verified for block ending ${manifest.blockEnd}`);
+    return true;
+  }
+}
+
+module.exports = ZTAIArchiver;