opc-agent 2.0.0 → 2.0.2

package/src/schema/oad.ts

@@ -60,7 +60,7 @@ export const AuthSchema = z.object({
 });
 
 export const ChannelSchema = z.object({
-  type: z.enum(['web', 'websocket', 'telegram', 'cli', 'voice', 'webhook']),
+  type: z.enum(['web', 'websocket', 'telegram', 'cli', 'voice', 'webhook', 'wechat', 'feishu', 'email', 'slack', 'discord']),
   port: z.number().optional(),
   config: z.record(z.unknown()).optional(),
 });
@@ -68,7 +68,13 @@ export const ChannelSchema = z.object({
 export const LongTermMemorySchema = z.object({
   provider: z.enum(['in-memory', 'deepbrain']).default('in-memory'),
   collection: z.string().optional(),
-  config: z.record(z.unknown()).optional(),
+  config: z.object({
+    database: z.string().optional(),
+    embeddingProvider: z.string().optional(),
+    autoLearn: z.boolean().optional(),
+    autoRecall: z.boolean().optional(),
+    evolveInterval: z.number().optional(),
+  }).passthrough().optional(),
 });
 
 export const MemorySchema = z.object({
@@ -127,11 +133,40 @@ export const MCPServerSchema = z.object({
   env: z.record(z.string()).optional(),
 });
 
+export const MCPServeSchema = z.object({
+  enabled: z.boolean().default(false),
+  mode: z.enum(['stdio', 'http']).default('stdio'),
+  port: z.number().default(3002),
+  exposedTools: z.array(z.string()).optional(),
+});
+
 export const ToolsSchema = z.object({
   builtin: z.array(z.string()).optional(),
   mcp: z.array(MCPServerSchema).optional(),
 });
 
+export const TelemetrySchema = z.object({
+  enabled: z.boolean().default(false),
+  exporter: z.enum(['console', 'file', 'otlp']).default('console'),
+  endpoint: z.string().optional(),
+  filePath: z.string().optional(),
+  maxSpans: z.number().optional(),
+});
+
+export const AGUIProtocolSchema = z.object({
+  enabled: z.boolean().default(false),
+  path: z.string().default('/agui'),
+});
+
+export const ProtocolsSchema = z.object({
+  a2a: z.object({
+    enabled: z.boolean().default(false),
+    port: z.number().optional(),
+  }).optional(),
+  agui: AGUIProtocolSchema.optional(),
+  mcp: MCPServeSchema.optional(),
+});
+
 export const SpecSchema = z.object({
   provider: ProviderSchema.optional(),
   model: z.string().default('deepseek-chat'),
@@ -149,6 +184,8 @@ export const SpecSchema = z.object({
   webhook: WebhookSchema.optional(),
   hitl: HITLSchema.optional(),
   auth: AuthSchema.optional(),
+  telemetry: TelemetrySchema.optional(),
+  protocols: ProtocolsSchema.optional(),
   plugins: z.array(PluginRefSchema).optional(),
 });
 

package/src/security/approval.ts

@@ -0,0 +1,131 @@
+import { randomUUID } from 'crypto';
+
+export type ApprovalPolicy = 'always' | 'dangerous' | 'never';
+
+export interface ApprovalRequest {
+  id: string;
+  type: 'shell' | 'file_write' | 'file_delete' | 'network' | 'plugin';
+  command: string;
+  description: string;
+  requestedAt: Date;
+  status: 'pending' | 'approved' | 'denied';
+  approvedBy?: string;
+}
+
+export class ApprovalManager {
+  private policy: ApprovalPolicy;
+  private pendingApprovals: Map<string, ApprovalRequest> = new Map();
+  private allowlist: Set<string> = new Set();
+  private blocklist: Set<string> = new Set();
+
+  private static readonly DANGEROUS_PATTERNS = [
+    /rm\s+-rf/i, /del\s+\/s/i, /format\s+/i,
+    /DROP\s+TABLE/i, /DELETE\s+FROM/i,
+    /curl.*\|.*sh/i, /wget.*\|.*sh/i,
+    /chmod\s+777/i, /sudo\s+/i,
+    /npm\s+publish/i,
+  ];
+
+  constructor(policy: ApprovalPolicy = 'dangerous') {
+    this.policy = policy;
+  }
+
+  getPolicy(): ApprovalPolicy {
+    return this.policy;
+  }
+
+  setPolicy(policy: ApprovalPolicy): void {
+    this.policy = policy;
+  }
+
+  needsApproval(type: string, command: string): boolean {
+    // Blocklist always needs approval (effectively blocked)
+    if (this.isBlocked(command)) return true;
+    // Allowlist never needs approval
+    if (this.isAllowed(command)) return false;
+
+    if (this.policy === 'never') return false;
+    if (this.policy === 'always') return true;
+    // 'dangerous'
+    return this.isDangerous(type, command);
+  }
+
+  private isDangerous(_type: string, command: string): boolean {
+    return ApprovalManager.DANGEROUS_PATTERNS.some(p => p.test(command));
+  }
+
+  private isAllowed(command: string): boolean {
+    for (const pattern of this.allowlist) {
+      if (command.includes(pattern)) return true;
+    }
+    return false;
+  }
+
+  private isBlocked(command: string): boolean {
+    for (const pattern of this.blocklist) {
+      if (command.includes(pattern)) return true;
+    }
+    return false;
+  }
+
+  requestApproval(type: ApprovalRequest['type'], command: string, description: string): ApprovalRequest {
+    const request: ApprovalRequest = {
+      id: randomUUID(),
+      type,
+      command,
+      description,
+      requestedAt: new Date(),
+      status: 'pending',
+    };
+    this.pendingApprovals.set(request.id, request);
+    return request;
+  }
+
+  approve(id: string, approver: string): void {
+    const req = this.pendingApprovals.get(id);
+    if (!req) throw new Error(`Approval request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} is already ${req.status}`);
+    req.status = 'approved';
+    req.approvedBy = approver;
+  }
+
+  deny(id: string, approver: string): void {
+    const req = this.pendingApprovals.get(id);
+    if (!req) throw new Error(`Approval request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} is already ${req.status}`);
+    req.status = 'denied';
+    req.approvedBy = approver;
+  }
+
+  getRequest(id: string): ApprovalRequest | undefined {
+    return this.pendingApprovals.get(id);
+  }
+
+  addToAllowlist(pattern: string): void {
+    this.allowlist.add(pattern);
+  }
+
+  removeFromAllowlist(pattern: string): void {
+    this.allowlist.delete(pattern);
+  }
+
+  addToBlocklist(pattern: string): void {
+    this.blocklist.add(pattern);
+  }
+
+  removeFromBlocklist(pattern: string): void {
+    this.blocklist.delete(pattern);
+  }
+
+  getPending(): ApprovalRequest[] {
+    return Array.from(this.pendingApprovals.values()).filter(r => r.status === 'pending');
+  }
+
+  getAllowlist(): string[] {
+    return Array.from(this.allowlist);
+  }
+
+  getBlocklist(): string[] {
+    return Array.from(this.blocklist);
+  }
+}

package/src/security/index.ts

@@ -0,0 +1,3 @@
+export { ApprovalManager } from './approval';
+export type { ApprovalPolicy, ApprovalRequest } from './approval';
+export { KeyManager } from './keys';

package/src/security/keys.ts

@@ -0,0 +1,87 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as crypto from 'crypto';
+import * as os from 'os';
+
+export class KeyManager {
+  private keys: Map<string, string> = new Map();
+  private keyFile: string;
+  private secret: Buffer;
+
+  constructor(keyFile: string = '.opc/keys.json') {
+    this.keyFile = path.resolve(keyFile);
+    this.secret = this.deriveSecret();
+    this.load();
+  }
+
+  private deriveSecret(): Buffer {
+    // Derive a key from machine-specific info (hostname + homedir)
+    const machineId = `${os.hostname()}:${os.homedir()}:opc-agent-keys`;
+    return crypto.createHash('sha256').update(machineId).digest();
+  }
+
+  set(name: string, value: string): void {
+    this.keys.set(name, value);
+    this.save();
+  }
+
+  get(name: string): string | undefined {
+    return this.keys.get(name);
+  }
+
+  delete(name: string): boolean {
+    const result = this.keys.delete(name);
+    if (result) this.save();
+    return result;
+  }
+
+  list(): string[] {
+    return Array.from(this.keys.keys());
+  }
+
+  private load(): void {
+    try {
+      if (fs.existsSync(this.keyFile)) {
+        const data = JSON.parse(fs.readFileSync(this.keyFile, 'utf-8'));
+        for (const [name, encoded] of Object.entries(data)) {
+          try {
+            this.keys.set(name, this.decode(encoded as string));
+          } catch {
+            // Skip corrupted entries
+          }
+        }
+      }
+    } catch {
+      // File doesn't exist or is corrupted — start fresh
+    }
+  }
+
+  private save(): void {
+    const dir = path.dirname(this.keyFile);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    const data: Record<string, string> = {};
+    for (const [name, value] of this.keys) {
+      data[name] = this.encode(value);
+    }
+    fs.writeFileSync(this.keyFile, JSON.stringify(data, null, 2), 'utf-8');
+  }
+
+  private encode(value: string): string {
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv('aes-256-cbc', this.secret, iv);
+    let encrypted = cipher.update(value, 'utf-8', 'hex');
+    encrypted += cipher.final('hex');
+    return iv.toString('hex') + ':' + encrypted;
+  }
+
+  private decode(encoded: string): string {
+    const [ivHex, encrypted] = encoded.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const decipher = crypto.createDecipheriv('aes-256-cbc', this.secret, iv);
+    let decrypted = decipher.update(encrypted, 'hex', 'utf-8');
+    decrypted += decipher.final('utf-8');
+    return decrypted;
+  }
+}