opc-agent 3.0.1 → 4.0.1

package/src/security/approvals.ts

@@ -0,0 +1,143 @@
+/**
+ * Approvals Module - v1.0.0
+ * Policy-based exec approval system with queue, expiry, history, and callbacks.
+ */
+
+import { randomUUID } from 'crypto';
+
+export type ExecApprovalPolicy = 'always' | 'elevated-only' | 'never' | 'allowlist';
+
+export interface ExecApprovalRequest {
+  id: string;
+  command: string;
+  elevated: boolean;
+  requestedAt: number;
+  expiresAt: number;
+  status: 'pending' | 'approved' | 'denied' | 'expired';
+  approvedBy?: string;
+  reason?: string;
+}
+
+export interface ExecApprovalHistory {
+  request: ExecApprovalRequest;
+  resolvedAt: number;
+}
+
+export type ApprovalRequestCallback = (request: ExecApprovalRequest) => void;
+
+export class ExecApprovalManager {
+  private policy: ExecApprovalPolicy;
+  private pending: Map<string, ExecApprovalRequest> = new Map();
+  private history: ExecApprovalHistory[] = [];
+  private allowedCommands: Set<string> = new Set();
+  private expiryMs: number;
+  private onRequestCallback?: ApprovalRequestCallback;
+  private expiryTimer?: ReturnType<typeof setInterval>;
+
+  constructor(options: {
+    policy?: ExecApprovalPolicy;
+    expiryMs?: number;
+    allowedCommands?: string[];
+    onRequest?: ApprovalRequestCallback;
+  } = {}) {
+    this.policy = options.policy ?? 'elevated-only';
+    this.expiryMs = options.expiryMs ?? 300_000; // 5 min default
+    this.onRequestCallback = options.onRequest;
+    if (options.allowedCommands) {
+      for (const cmd of options.allowedCommands) this.allowedCommands.add(cmd);
+    }
+    this.expiryTimer = setInterval(() => this.expirePending(), 10_000);
+    if (this.expiryTimer.unref) this.expiryTimer.unref();
+  }
+
+  getPolicy(): ExecApprovalPolicy { return this.policy; }
+  setPolicy(p: ExecApprovalPolicy): void { this.policy = p; }
+
+  addAllowedCommand(cmd: string): void { this.allowedCommands.add(cmd); }
+  removeAllowedCommand(cmd: string): void { this.allowedCommands.delete(cmd); }
+  getAllowedCommands(): string[] { return [...this.allowedCommands]; }
+
+  needsApproval(command: string, elevated: boolean): boolean {
+    switch (this.policy) {
+      case 'never': return false;
+      case 'always': return true;
+      case 'elevated-only': return elevated;
+      case 'allowlist': return !this.isAllowed(command);
+    }
+  }
+
+  private isAllowed(command: string): boolean {
+    for (const allowed of this.allowedCommands) {
+      if (command.startsWith(allowed) || command === allowed) return true;
+    }
+    return false;
+  }
+
+  request(command: string, elevated: boolean = false): ExecApprovalRequest {
+    const now = Date.now();
+    const req: ExecApprovalRequest = {
+      id: randomUUID(),
+      command,
+      elevated,
+      requestedAt: now,
+      expiresAt: now + this.expiryMs,
+      status: 'pending',
+    };
+    this.pending.set(req.id, req);
+    this.onRequestCallback?.(req);
+    return req;
+  }
+
+  approve(id: string, approver: string): ExecApprovalRequest {
+    const req = this.pending.get(id);
+    if (!req) throw new Error(`Request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
+    req.status = 'approved';
+    req.approvedBy = approver;
+    this.pending.delete(id);
+    this.history.push({ request: req, resolvedAt: Date.now() });
+    return req;
+  }
+
+  deny(id: string, approver: string, reason?: string): ExecApprovalRequest {
+    const req = this.pending.get(id);
+    if (!req) throw new Error(`Request ${id} not found`);
+    if (req.status !== 'pending') throw new Error(`Request ${id} already ${req.status}`);
+    req.status = 'denied';
+    req.approvedBy = approver;
+    req.reason = reason;
+    this.pending.delete(id);
+    this.history.push({ request: req, resolvedAt: Date.now() });
+    return req;
+  }
+
+  getPending(): ExecApprovalRequest[] {
+    return [...this.pending.values()];
+  }
+
+  getHistory(): ExecApprovalHistory[] {
+    return [...this.history];
+  }
+
+  getRequest(id: string): ExecApprovalRequest | undefined {
+    return this.pending.get(id) ?? this.history.find(h => h.request.id === id)?.request;
+  }
+
+  private expirePending(): void {
+    const now = Date.now();
+    for (const [id, req] of this.pending) {
+      if (now >= req.expiresAt) {
+        req.status = 'expired';
+        this.pending.delete(id);
+        this.history.push({ request: req, resolvedAt: now });
+      }
+    }
+  }
+
+  /** Force expire check (for testing) */
+  checkExpiry(): void { this.expirePending(); }
+
+  destroy(): void {
+    if (this.expiryTimer) clearInterval(this.expiryTimer);
+  }
+}

package/src/security/elevated.ts

@@ -0,0 +1,105 @@
+/**
+ * Elevated Permissions Module - v1.0.0
+ * Elevation mode management with allowed commands, auto-revoke, and audit log.
+ */
+
+export type ElevationMode = 'off' | 'ask' | 'on';
+
+export interface ElevationAuditEntry {
+  timestamp: number;
+  action: 'elevate' | 'revoke' | 'execute' | 'deny';
+  command?: string;
+  reason?: string;
+}
+
+export class ElevatedManager {
+  private mode: ElevationMode;
+  private elevated: boolean = false;
+  private allowedCommands: RegExp[] = [];
+  private auditLog: ElevationAuditEntry[] = [];
+  private revokeTimer?: ReturnType<typeof setTimeout>;
+  private autoRevokeMs: number;
+
+  constructor(options: {
+    mode?: ElevationMode;
+    allowedCommands?: (string | RegExp)[];
+    autoRevokeMs?: number;
+  } = {}) {
+    this.mode = options.mode ?? 'ask';
+    this.autoRevokeMs = options.autoRevokeMs ?? 600_000; // 10 min
+    if (options.allowedCommands) {
+      for (const cmd of options.allowedCommands) {
+        this.allowedCommands.push(cmd instanceof RegExp ? cmd : new RegExp(`^${cmd.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}$`));
+      }
+    }
+  }
+
+  getMode(): ElevationMode { return this.mode; }
+  setMode(mode: ElevationMode): void { this.mode = mode; }
+  isElevated(): boolean { return this.elevated; }
+
+  addAllowedCommand(pattern: string | RegExp): void {
+    this.allowedCommands.push(pattern instanceof RegExp ? pattern : new RegExp(`^${pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}$`));
+  }
+
+  isCommandAllowed(command: string): boolean {
+    return this.allowedCommands.some(r => r.test(command));
+  }
+
+  elevate(reason?: string): boolean {
+    if (this.mode === 'off') return false;
+    this.elevated = true;
+    this.auditLog.push({ timestamp: Date.now(), action: 'elevate', reason });
+    this.startAutoRevoke();
+    return true;
+  }
+
+  revoke(reason?: string): void {
+    this.elevated = false;
+    this.clearAutoRevoke();
+    this.auditLog.push({ timestamp: Date.now(), action: 'revoke', reason });
+  }
+
+  canExecute(command: string): { allowed: boolean; needsElevation: boolean } {
+    if (this.isCommandAllowed(command)) return { allowed: true, needsElevation: false };
+    if (this.mode === 'off') return { allowed: true, needsElevation: false };
+    if (this.mode === 'on') {
+      if (!this.elevated) this.elevate('auto-on mode');
+      this.auditLog.push({ timestamp: Date.now(), action: 'execute', command });
+      return { allowed: true, needsElevation: false };
+    }
+    // ask mode
+    if (this.elevated) {
+      this.auditLog.push({ timestamp: Date.now(), action: 'execute', command });
+      return { allowed: true, needsElevation: false };
+    }
+    return { allowed: false, needsElevation: true };
+  }
+
+  getAuditLog(): ElevationAuditEntry[] {
+    return [...this.auditLog];
+  }
+
+  clearAuditLog(): void {
+    this.auditLog = [];
+  }
+
+  private startAutoRevoke(): void {
+    this.clearAutoRevoke();
+    this.revokeTimer = setTimeout(() => {
+      this.revoke('auto-revoke timer');
+    }, this.autoRevokeMs);
+    if (this.revokeTimer.unref) this.revokeTimer.unref();
+  }
+
+  private clearAutoRevoke(): void {
+    if (this.revokeTimer) {
+      clearTimeout(this.revokeTimer);
+      this.revokeTimer = undefined;
+    }
+  }
+
+  destroy(): void {
+    this.clearAutoRevoke();
+  }
+}

package/src/security/index.ts

@@ -1,3 +1,9 @@
 export { ApprovalManager } from './approval';
 export type { ApprovalPolicy, ApprovalRequest } from './approval';
 export { KeyManager } from './keys';
+export { ExecApprovalManager } from './approvals';
+export type { ExecApprovalPolicy, ExecApprovalRequest, ExecApprovalHistory, ApprovalRequestCallback } from './approvals';
+export { ElevatedManager } from './elevated';
+export type { ElevationMode, ElevationAuditEntry } from './elevated';
+export { SecretsManager } from './secrets';
+export type { SecretsStore } from './secrets';

package/src/security/secrets.ts

@@ -0,0 +1,129 @@
+/**
+ * Secrets Manager - v1.0.0
+ * AES-256-GCM encrypted secrets storage with rotation, export/import.
+ */
+
+import { randomBytes, createCipheriv, createDecipheriv, scryptSync } from 'crypto';
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { dirname, join } from 'path';
+import { homedir } from 'os';
+
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LEN = 32;
+const IV_LEN = 12;
+const SALT_LEN = 16;
+const TAG_LEN = 16;
+
+export interface SecretsStore {
+  version: number;
+  secrets: Record<string, string>;
+}
+
+export class SecretsManager {
+  private masterKey: Buffer;
+  private filePath: string;
+  private store: SecretsStore;
+
+  constructor(options: { password: string; filePath?: string }) {
+    this.filePath = options.filePath ?? join(homedir(), '.opc', 'secrets.enc');
+    // Derive a stable key from password (we store salt in the file)
+    this.masterKey = Buffer.alloc(KEY_LEN); // placeholder, set on load/init
+    this.store = { version: 1, secrets: {} };
+    this.init(options.password);
+  }
+
+  private init(password: string): void {
+    if (existsSync(this.filePath)) {
+      this.load(password);
+    } else {
+      const salt = randomBytes(SALT_LEN);
+      this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
+      this.store = { version: 1, secrets: {} };
+      this.save(salt);
+    }
+  }
+
+  private load(password: string): void {
+    const data = readFileSync(this.filePath);
+    const salt = data.subarray(0, SALT_LEN);
+    const iv = data.subarray(SALT_LEN, SALT_LEN + IV_LEN);
+    const tag = data.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
+    const encrypted = data.subarray(SALT_LEN + IV_LEN + TAG_LEN);
+
+    this.masterKey = scryptSync(password, salt, KEY_LEN) as Buffer;
+    const decipher = createDecipheriv(ALGORITHM, this.masterKey, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    this.store = JSON.parse(decrypted.toString('utf8'));
+  }
+
+  private save(salt?: Buffer): void {
+    const dir = dirname(this.filePath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+    if (!salt && existsSync(this.filePath)) {
+      salt = readFileSync(this.filePath).subarray(0, SALT_LEN);
+    }
+    if (!salt) salt = randomBytes(SALT_LEN);
+
+    const iv = randomBytes(IV_LEN);
+    const cipher = createCipheriv(ALGORITHM, this.masterKey, iv);
+    const encrypted = Buffer.concat([cipher.update(JSON.stringify(this.store), 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+
+    writeFileSync(this.filePath, Buffer.concat([salt, iv, tag, encrypted]));
+  }
+
+  set(key: string, value: string): void {
+    this.store.secrets[key] = value;
+    this.save();
+  }
+
+  get(key: string): string | undefined {
+    return this.store.secrets[key];
+  }
+
+  delete(key: string): boolean {
+    if (!(key in this.store.secrets)) return false;
+    delete this.store.secrets[key];
+    this.save();
+    return true;
+  }
+
+  list(): string[] {
+    return Object.keys(this.store.secrets);
+  }
+
+  has(key: string): boolean {
+    return key in this.store.secrets;
+  }
+
+  /** Inject secrets into env-like object */
+  inject(env: Record<string, string | undefined>, keys?: string[]): Record<string, string | undefined> {
+    const toInject = keys ?? this.list();
+    for (const k of toInject) {
+      if (this.has(k)) env[k] = this.store.secrets[k];
+    }
+    return env;
+  }
+
+  /** Rotate: re-encrypt with new password */
+  rotate(newPassword: string): void {
+    const salt = randomBytes(SALT_LEN);
+    this.masterKey = scryptSync(newPassword, salt, KEY_LEN) as Buffer;
+    this.save(salt);
+  }
+
+  /** Export as encrypted buffer */
+  exportEncrypted(): Buffer {
+    return readFileSync(this.filePath);
+  }
+
+  /** Import from encrypted buffer (must know password) */
+  static importEncrypted(data: Buffer, password: string, filePath: string): SecretsManager {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    writeFileSync(filePath, data);
+    return new SecretsManager({ password, filePath });
+  }
+}