opc-agent 3.0.0 → 4.0.0

package/src/memory/user-profiler.ts

@@ -0,0 +1,215 @@
+import type { Message } from '../core/types';
+
+export interface UserProfile {
+  preferences: Record<string, string>;
+  communication_style: string;
+  expertise_areas: string[];
+  common_requests: string[];
+  last_updated: number;
+}
+
+const EMPTY_PROFILE: UserProfile = {
+  preferences: {},
+  communication_style: 'unknown',
+  expertise_areas: [],
+  common_requests: [],
+  last_updated: 0,
+};
+
+/**
+ * DeepBrain-powered user profiling from conversation signals.
+ */
+export class UserProfiler {
+  private observationCount = 0;
+  private signals = {
+    languages: new Map<string, number>(),
+    techKeywords: new Set<string>(),
+    styleSignals: { brief: 0, detailed: 0, formal: 0, casual: 0 },
+    requestTypes: new Map<string, number>(),
+  };
+
+  private readonly LEARN_INTERVAL = 20;
+
+  /**
+   * Detect language mix of a text.
+   */
+  private detectLanguage(text: string): string {
+    let cn = 0, en = 0;
+    for (const char of text) {
+      const code = char.codePointAt(0) ?? 0;
+      if (code >= 0x4e00 && code <= 0x9fff) cn++;
+      else if ((code >= 0x41 && code <= 0x5a) || (code >= 0x61 && code <= 0x7a)) en++;
+    }
+    if (cn > 0 && en > 0) return 'mixed';
+    if (cn > en) return 'chinese';
+    return 'english';
+  }
+
+  /**
+   * Detect technical level from content.
+   */
+  private detectTechLevel(text: string): string {
+    const expertTerms = /\b(kubernetes|k8s|microservice|architecture|distributed|consensus|raft|paxos|sharding|vector db|embedding|fine-?tun|transformer|CUDA|inference|quantiz|LoRA|RAG)\b/i;
+    const intermediateTerms = /\b(API|REST|GraphQL|Docker|CI\/CD|database|deploy|cloud|React|TypeScript|Python|async|cache|redis|nginx)\b/i;
+
+    if (expertTerms.test(text)) return 'expert';
+    if (intermediateTerms.test(text)) return 'intermediate';
+    return 'beginner';
+  }
+
+  /**
+   * Detect communication style.
+   */
+  private detectStyle(text: string): void {
+    if (text.length < 50) this.signals.styleSignals.brief++;
+    else if (text.length > 300) this.signals.styleSignals.detailed++;
+
+    if (/\b(please|kindly|would you|could you|请问|烦请|麻烦)\b/i.test(text)) {
+      this.signals.styleSignals.formal++;
+    }
+    if (/[!]{2,}|lol|haha|😂|🤣|哈哈|牛|666|👍/i.test(text)) {
+      this.signals.styleSignals.casual++;
+    }
+  }
+
+  /**
+   * Extract domain keywords.
+   */
+  private extractDomainKeywords(text: string): void {
+    const techWords = text.match(/\b[A-Z][a-zA-Z]{2,}(?:\.js|\.ts|\.py)?\b/g) ?? [];
+    techWords.forEach(w => this.signals.techKeywords.add(w));
+    // Chinese tech terms
+    const cnTerms = text.match(/(?:人工智能|机器学习|深度学习|大模型|微服务|架构|部署|运维|前端|后端|数据库|缓存|分布式)/g) ?? [];
+    cnTerms.forEach(w => this.signals.techKeywords.add(w));
+  }
+
+  /**
+   * Classify request type.
+   */
+  private classifyRequest(text: string): string {
+    if (/\b(how to|怎么|如何|how do)\b/i.test(text)) return 'how-to';
+    if (/\b(why|为什么|原因)\b/i.test(text)) return 'explanation';
+    if (/\b(fix|error|bug|报错|出错|failed)\b/i.test(text)) return 'debugging';
+    if (/\b(review|评审|看看|check)\b/i.test(text)) return 'review';
+    if (/\b(create|build|write|写|创建|生成)\b/i.test(text)) return 'creation';
+    return 'general';
+  }
+
+  /**
+   * Observe a user message and accumulate profile signals.
+   */
+  async observe(message: Message, brain?: any): Promise<void> {
+    if (message.role !== 'user') return;
+
+    const text = message.content;
+
+    // Language
+    const lang = this.detectLanguage(text);
+    this.signals.languages.set(lang, (this.signals.languages.get(lang) ?? 0) + 1);
+
+    // Style
+    this.detectStyle(text);
+
+    // Domain keywords
+    this.extractDomainKeywords(text);
+
+    // Request type
+    const reqType = this.classifyRequest(text);
+    this.signals.requestTypes.set(reqType, (this.signals.requestTypes.get(reqType) ?? 0) + 1);
+
+    this.observationCount++;
+
+    // Periodically persist to brain
+    if (brain?.learn && this.observationCount % this.LEARN_INTERVAL === 0) {
+      const profile = this.buildProfileFromSignals();
+      try {
+        await brain.learn(JSON.stringify(profile), { insight_type: 'user_profile' });
+      } catch { /* non-critical */ }
+    }
+  }
+
+  private buildProfileFromSignals(): UserProfile {
+    // Language preference
+    let topLang = 'english';
+    let maxCount = 0;
+    for (const [lang, count] of this.signals.languages) {
+      if (count > maxCount) { topLang = lang; maxCount = count; }
+    }
+
+    // Communication style
+    const ss = this.signals.styleSignals;
+    const styles = [
+      ['brief', ss.brief], ['detailed', ss.detailed],
+      ['formal', ss.formal], ['casual', ss.casual],
+    ] as const;
+    const topStyle = styles.reduce((a, b) => (b[1] > a[1] ? b : a))[0];
+
+    // Top request types
+    const topRequests = [...this.signals.requestTypes.entries()]
+      .sort((a, b) => b[1] - a[1])
+      .slice(0, 5)
+      .map(([t]) => t);
+
+    return {
+      preferences: { language: topLang },
+      communication_style: topStyle,
+      expertise_areas: [...this.signals.techKeywords].slice(0, 20),
+      common_requests: topRequests,
+      last_updated: Date.now(),
+    };
+  }
+
+  /**
+   * Get user profile, optionally from brain recall.
+   */
+  async getProfile(brain?: any): Promise<UserProfile> {
+    // First try local signals
+    if (this.observationCount > 0) {
+      return this.buildProfileFromSignals();
+    }
+
+    // Fallback to brain recall
+    if (brain?.recall) {
+      try {
+        const results = await brain.recall('user profile preferences style');
+        if (Array.isArray(results) && results.length > 0) {
+          const raw = typeof results[0] === 'string' ? results[0] : results[0].content;
+          return { ...EMPTY_PROFILE, ...JSON.parse(raw) };
+        }
+      } catch { /* ignore parse errors */ }
+    }
+
+    return { ...EMPTY_PROFILE };
+  }
+
+  /**
+   * Enhance a system prompt with user profile context.
+   */
+  enhance(systemPrompt: string, profile: UserProfile): string {
+    const hints: string[] = [];
+
+    if (profile.preferences.language) {
+      const langMap: Record<string, string> = {
+        chinese: 'User prefers Chinese responses.',
+        english: 'User prefers English responses.',
+        mixed: 'User uses mixed Chinese/English. Match their style.',
+      };
+      if (langMap[profile.preferences.language]) hints.push(langMap[profile.preferences.language]);
+    }
+
+    if (profile.communication_style && profile.communication_style !== 'unknown') {
+      hints.push(`User communication style: ${profile.communication_style}.`);
+    }
+
+    if (profile.expertise_areas.length > 0) {
+      hints.push(`User expertise: ${profile.expertise_areas.slice(0, 10).join(', ')}.`);
+    }
+
+    if (profile.common_requests.length > 0) {
+      hints.push(`Common request types: ${profile.common_requests.join(', ')}.`);
+    }
+
+    if (hints.length === 0) return systemPrompt;
+    return `${systemPrompt}\n\n[User Profile] ${hints.join(' ')}`;
+  }
+}

package/src/security/approvals.ts

@@ -0,0 +1,143 @@
+/**
+ * Approvals Module - v1.0.0
+ * Policy-based exec approval system with queue, expiry, history, and callbacks.
+ */
+
+import { randomUUID } from 'crypto';
+
+export type ExecApprovalPolicy = 'always' | 'elevated-only' | 'never' | 'allowlist';
+
+export interface ExecApprovalRequest {
+  id: string;
+  command: string;
+  elevated: boolean;
+  requestedAt: number;
+  expiresAt: number;
+  status: 'pending' | 'approved' | 'denied' | 'expired';
+  approvedBy?: string;
+  reason?: string;
+}
+
+export interface ExecApprovalHistory {
+  request: ExecApprovalRequest;
+  resolvedAt: number;
+}
+
+export type ApprovalRequestCallback = (request: ExecApprovalRequest) => void;
+
+export class ExecApprovalManager {
+  private policy: ExecApprovalPolicy;
+  private pending: Map<string, ExecApprovalRequest> = new Map();
+  private history: ExecApprovalHistory[] = [];
+  private allowedCommands: Set<string> = new Set();
+  private expiryMs: number;
+  private onRequestCallback?: ApprovalRequestCallback;
+  private expiryTimer?: ReturnType<typeof setInterval>;
+
+  constructor(options: {
+    policy?: ExecApprovalPolicy;
+    expiryMs?: number;
+    allowedCommands?: string[];
+    onRequest?: ApprovalRequestCallback;
+  } = {}) {
+    this.policy = options.policy ?? 'elevated-only';
+    this.expiryMs = options.expiryMs ?? 300_000; // 5 min default
+    this.onRequestCallback = options.onRequest;
+    if (options.allowedCommands) {
+      for (const cmd of options.allowedCommands) this.allowedCommands.add(cmd);
+    }
+    this.expiryTimer = setInterval(() => this.expirePending(), 10_000);
+    if (this.expiryTimer.unref) this.expiryTimer.unref();
+  }
+
+  getPolicy(): ExecApprovalPolicy { return this.policy; }
+  setPolicy(p: ExecApprovalPolicy): void { this.policy = p; }
+
+  addAllowedCommand(cmd: string): void { this.allowedCommands.add(cmd); }
+  removeAllowedCommand(cmd: string): void { this.allowedCommands.delete(cmd); }
+  getAllowedCommands(): string[] { return [...this.allowedCommands]; }
+
+  needsApproval(command: string, elevated: boolean): boolean {
+    switch (this.policy) {
+      case 'never': return false;
+      case 'always': return true;
+      case 'elevated-only': return elevated;
+      case 'allowlist': return !this.isAllowed(command);
+    }
+  }
+
+  private isAllowed(command: string): boolean {
+    for (const allowed of this.allowedCommands) {
+      if (command.startsWith(allowed) || command === allowed) return true;
+    }
+    return false;
+  }
+
+  request(command: string, elevated: boolean = false): ExecApprovalRequest {
+    const now = Date.now();
+    const req: ExecApprovalRequest = {
+      id: randomUUID(),
+      command,
+      elevated,
+      requestedAt: now,
+      expiresAt: now + this.expiryMs,
+      status: 'pending',
+    };
+    this.pending.set(req.id, req);
+    this.onRequestCallback?.(req);
+    return req;
+  }
+
+  approve(id: string, approver: string): ExecApprovalRequest {
+    const req = this.pending.get(id);
+    if (!req) throw new Error(`Request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
+    req.status = 'approved';
+    req.approvedBy = approver;
+    this.pending.delete(id);
+    this.history.push({ request: req, resolvedAt: Date.now() });
+    return req;
+  }
+
+  deny(id: string, approver: string, reason?: string): ExecApprovalRequest {
+    const req = this.pending.get(id);
+    if (!req) throw new Error(`Request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
+    req.status = 'denied';
+    req.approvedBy = approver;
+    req.reason = reason;
+    this.pending.delete(id);
+    this.history.push({ request: req, resolvedAt: Date.now() });
+    return req;
+  }
+
+  getPending(): ExecApprovalRequest[] {
+    return [...this.pending.values()];
+  }
+
+  getHistory(): ExecApprovalHistory[] {
+    return [...this.history];
+  }
+
+  getRequest(id: string): ExecApprovalRequest | undefined {
+    return this.pending.get(id) ?? this.history.find(h => h.request.id === id)?.request;
+  }
+
+  private expirePending(): void {
+    const now = Date.now();
+    for (const [id, req] of this.pending) {
+      if (now >= req.expiresAt) {
+        req.status = 'expired';
+        this.pending.delete(id);
+        this.history.push({ request: req, resolvedAt: now });
+      }
+    }
+  }
+
+  /** Force expire check (for testing) */
+  checkExpiry(): void { this.expirePending(); }
+
+  destroy(): void {
+    if (this.expiryTimer) clearInterval(this.expiryTimer);
+  }
+}

package/src/security/elevated.ts

@@ -0,0 +1,105 @@
+/**
+ * Elevated Permissions Module - v1.0.0
+ * Elevation mode management with allowed commands, auto-revoke, and audit log.
+ */
+
+export type ElevationMode = 'off' | 'ask' | 'on';
+
+export interface ElevationAuditEntry {
+  timestamp: number;
+  action: 'elevate' | 'revoke' | 'execute' | 'deny';
+  command?: string;
+  reason?: string;
+}
+
+export class ElevatedManager {
+  private mode: ElevationMode;
+  private elevated: boolean = false;
+  private allowedCommands: RegExp[] = [];
+  private auditLog: ElevationAuditEntry[] = [];
+  private revokeTimer?: ReturnType<typeof setTimeout>;
+  private autoRevokeMs: number;
+
+  constructor(options: {
+    mode?: ElevationMode;
+    allowedCommands?: (string | RegExp)[];
+    autoRevokeMs?: number;
+  } = {}) {
+    this.mode = options.mode ?? 'ask';
+    this.autoRevokeMs = options.autoRevokeMs ?? 600_000; // 10 min
+    if (options.allowedCommands) {
+      for (const cmd of options.allowedCommands) {
+        this.allowedCommands.push(cmd instanceof RegExp ? cmd : new RegExp(`^${cmd.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}$`));
+      }
+    }
+  }
+
+  getMode(): ElevationMode { return this.mode; }
+  setMode(mode: ElevationMode): void { this.mode = mode; }
+  isElevated(): boolean { return this.elevated; }
+
+  addAllowedCommand(pattern: string | RegExp): void {
+    this.allowedCommands.push(pattern instanceof RegExp ? pattern : new RegExp(`^${pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}$`));
+  }
+
+  isCommandAllowed(command: string): boolean {
+    return this.allowedCommands.some(r => r.test(command));
+  }
+
+  elevate(reason?: string): boolean {
+    if (this.mode === 'off') return false;
+    this.elevated = true;
+    this.auditLog.push({ timestamp: Date.now(), action: 'elevate', reason });
+    this.startAutoRevoke();
+    return true;
+  }
+
+  revoke(reason?: string): void {
+    this.elevated = false;
+    this.clearAutoRevoke();
+    this.auditLog.push({ timestamp: Date.now(), action: 'revoke', reason });
+  }
+
+  canExecute(command: string): { allowed: boolean; needsElevation: boolean } {
+    if (this.isCommandAllowed(command)) return { allowed: true, needsElevation: false };
+    if (this.mode === 'off') return { allowed: true, needsElevation: false };
+    if (this.mode === 'on') {
+      if (!this.elevated) this.elevate('auto-on mode');
+      this.auditLog.push({ timestamp: Date.now(), action: 'execute', command });
+      return { allowed: true, needsElevation: false };
+    }
+    // ask mode
+    if (this.elevated) {
+      this.auditLog.push({ timestamp: Date.now(), action: 'execute', command });
+      return { allowed: true, needsElevation: false };
+    }
+    return { allowed: false, needsElevation: true };
+  }
+
+  getAuditLog(): ElevationAuditEntry[] {
+    return [...this.auditLog];
+  }
+
+  clearAuditLog(): void {
+    this.auditLog = [];
+  }
+
+  private startAutoRevoke(): void {
+    this.clearAutoRevoke();
+    this.revokeTimer = setTimeout(() => {
+      this.revoke('auto-revoke timer');
+    }, this.autoRevokeMs);
+    if (this.revokeTimer.unref) this.revokeTimer.unref();
+  }
+
+  private clearAutoRevoke(): void {
+    if (this.revokeTimer) {
+      clearTimeout(this.revokeTimer);
+      this.revokeTimer = undefined;
+    }
+  }
+
+  destroy(): void {
+    this.clearAutoRevoke();
+  }
+}

package/src/security/index.ts

@@ -1,3 +1,9 @@
 export { ApprovalManager } from './approval';
 export type { ApprovalPolicy, ApprovalRequest } from './approval';
 export { KeyManager } from './keys';
+export { ExecApprovalManager } from './approvals';
+export type { ExecApprovalPolicy, ExecApprovalRequest, ExecApprovalHistory, ApprovalRequestCallback } from './approvals';
+export { ElevatedManager } from './elevated';
+export type { ElevationMode, ElevationAuditEntry } from './elevated';
+export { SecretsManager } from './secrets';
+export type { SecretsStore } from './secrets';

package/src/security/secrets.ts

@@ -0,0 +1,129 @@
+/**
+ * Secrets Manager - v1.0.0
+ * AES-256-GCM encrypted secrets storage with rotation, export/import.
+ */
+
+import { randomBytes, createCipheriv, createDecipheriv, scryptSync } from 'crypto';
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { dirname, join } from 'path';
+import { homedir } from 'os';
+
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LEN = 32;
+const IV_LEN = 12;
+const SALT_LEN = 16;
+const TAG_LEN = 16;
+
+export interface SecretsStore {
+  version: number;
+  secrets: Record<string, string>;
+}
+
+export class SecretsManager {
+  private masterKey: Buffer;
+  private filePath: string;
+  private store: SecretsStore;
+
+  constructor(options: { password: string; filePath?: string }) {
+    this.filePath = options.filePath ?? join(homedir(), '.opc', 'secrets.enc');
+    // Derive a stable key from password (we store salt in the file)
+    this.masterKey = Buffer.alloc(KEY_LEN); // placeholder, set on load/init
+    this.store = { version: 1, secrets: {} };
+    this.init(options.password);
+  }
+
+  private init(password: string): void {
+    if (existsSync(this.filePath)) {
+      this.load(password);
+    } else {
+      const salt = randomBytes(SALT_LEN);
+      this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
+      this.store = { version: 1, secrets: {} };
+      this.save(salt);
+    }
+  }
+
+  private load(password: string): void {
+    const data = readFileSync(this.filePath);
+    const salt = data.subarray(0, SALT_LEN);
+    const iv = data.subarray(SALT_LEN, SALT_LEN + IV_LEN);
+    const tag = data.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
+    const encrypted = data.subarray(SALT_LEN + IV_LEN + TAG_LEN);
+
+    this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
+    const decipher = createDecipheriv(ALGORITHM, this.masterKey, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    this.store = JSON.parse(decrypted.toString('utf8'));
+  }
+
+  private save(salt?: Buffer): void {
+    const dir = dirname(this.filePath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+    if (!salt && existsSync(this.filePath)) {
+      salt = readFileSync(this.filePath).subarray(0, SALT_LEN);
+    }
+    if (!salt) salt = randomBytes(SALT_LEN);
+
+    const iv = randomBytes(IV_LEN);
+    const cipher = createCipheriv(ALGORITHM, this.masterKey, iv);
+    const encrypted = Buffer.concat([cipher.update(JSON.stringify(this.store), 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+
+    writeFileSync(this.filePath, Buffer.concat([salt, iv, tag, encrypted]));
+  }
+
+  set(key: string, value: string): void {
+    this.store.secrets[key] = value;
+    this.save();
+  }
+
+  get(key: string): string | undefined {
+    return this.store.secrets[key];
+  }
+
+  delete(key: string): boolean {
+    if (!(key in this.store.secrets)) return false;
+    delete this.store.secrets[key];
+    this.save();
+    return true;
+  }
+
+  list(): string[] {
+    return Object.keys(this.store.secrets);
+  }
+
+  has(key: string): boolean {
+    return key in this.store.secrets;
+  }
+
+  /** Inject secrets into env-like object */
+  inject(env: Record<string, string | undefined>, keys?: string[]): Record<string, string | undefined> {
+    const toInject = keys ?? this.list();
+    for (const k of toInject) {
+      if (this.has(k)) env[k] = this.store.secrets[k];
+    }
+    return env;
+  }
+
+  /** Rotate: re-encrypt with new password */
+  rotate(newPassword: string): void {
+    const salt = randomBytes(SALT_LEN);
+    this.masterKey = scryptSync(newPassword, salt, KEY_LEN) as Buffer;
+    this.save(salt);
+  }
+
+  /** Export as encrypted buffer */
+  exportEncrypted(): Buffer {
+    return readFileSync(this.filePath);
+  }
+
+  /** Import from encrypted buffer (must know password) */
+  static importEncrypted(data: Buffer, password: string, filePath: string): SecretsManager {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    writeFileSync(filePath, data);
+    return new SecretsManager({ password, filePath });
+  }
+}