securityclaw 0.0.1

package/src/config/live_config.ts

@@ -0,0 +1,144 @@
+import { existsSync, statSync } from "node:fs";
+
+import type { SecurityClawConfig } from "../types.ts";
+import { ConfigManager } from "./loader.ts";
+import { applyRuntimeOverride, type RuntimeOverride } from "./runtime_override.ts";
+import { StrategyStore } from "./strategy_store.ts";
+
+type LiveConfigLogger = {
+  info?: (message: string) => void;
+  warn?: (message: string) => void;
+};
+
+type LiveConfigOptions = {
+  configPath: string;
+  dbPath: string;
+  legacyOverridePath?: string;
+  logger?: LiveConfigLogger;
+  transform?: (config: SecurityClawConfig) => SecurityClawConfig;
+  onReload?: (snapshot: LiveConfigSnapshot) => void;
+};
+
+export type LiveConfigSnapshot = {
+  config: SecurityClawConfig;
+  override?: RuntimeOverride;
+  overrideLoaded: boolean;
+};
+
+function safeMtimeMs(filePath: string): number | undefined {
+  try {
+    if (!existsSync(filePath)) {
+      return undefined;
+    }
+    return statSync(filePath).mtimeMs;
+  } catch {
+    return undefined;
+  }
+}
+
+function overrideSignature(override: RuntimeOverride | undefined): string {
+  return override ? JSON.stringify(override) : "none";
+}
+
+export class LiveConfigResolver {
+  #configPath: string;
+  #configManager: ConfigManager;
+  #strategyStore: StrategyStore;
+  #logger: LiveConfigLogger | undefined;
+  #transform: ((config: SecurityClawConfig) => SecurityClawConfig) | undefined;
+  #onReload: ((snapshot: LiveConfigSnapshot) => void) | undefined;
+  #configMtimeMs: number | undefined;
+  #overrideSig = "uninitialized";
+  #snapshot: LiveConfigSnapshot;
+
+  constructor(options: LiveConfigOptions) {
+    this.#configPath = options.configPath;
+    this.#logger = options.logger;
+    this.#transform = options.transform;
+    this.#onReload = options.onReload;
+    this.#configManager = ConfigManager.fromFile(options.configPath);
+    const initialConfig = this.#configManager.getConfig();
+    this.#snapshot = {
+      config: this.#transform ? this.#transform(initialConfig) : initialConfig,
+      overrideLoaded: false
+    };
+    this.#strategyStore = new StrategyStore(options.dbPath, {
+      ...(options.legacyOverridePath !== undefined ? { legacyOverridePath: options.legacyOverridePath } : {}),
+      ...(options.logger !== undefined ? { logger: options.logger } : {})
+    });
+    this.#configMtimeMs = safeMtimeMs(this.#configPath);
+    this.#snapshot = this.#buildSnapshot(true);
+  }
+
+  getSnapshot(): LiveConfigSnapshot {
+    const nextMtimeMs = safeMtimeMs(this.#configPath);
+    const baseChanged = nextMtimeMs !== this.#configMtimeMs;
+    if (baseChanged) {
+      this.#configManager.reload();
+      this.#configMtimeMs = nextMtimeMs;
+    }
+
+    let override: RuntimeOverride | undefined;
+    try {
+      override = this.#strategyStore.readOverride();
+    } catch (error) {
+      this.#logger?.warn?.(`securityclaw: failed to read runtime strategy override (${String(error)})`);
+      return this.#snapshot;
+    }
+
+    const nextOverrideSig = overrideSignature(override);
+    if (!baseChanged && nextOverrideSig === this.#overrideSig) {
+      return this.#snapshot;
+    }
+
+    return this.#buildSnapshot(false, override, nextOverrideSig);
+  }
+
+  close(): void {
+    this.#strategyStore.close();
+  }
+
+  #buildSnapshot(
+    isInitialLoad: boolean,
+    override?: RuntimeOverride,
+    signature?: string,
+  ): LiveConfigSnapshot {
+    const base = this.#configManager.getConfig();
+    let effectiveOverride = override;
+
+    if (effectiveOverride === undefined) {
+      try {
+        effectiveOverride = this.#strategyStore.readOverride();
+      } catch (error) {
+        this.#logger?.warn?.(`securityclaw: failed to read runtime strategy override (${String(error)})`);
+        return this.#snapshot;
+      }
+    }
+    const effectiveSignature = signature ?? overrideSignature(effectiveOverride);
+
+    try {
+      const effective = effectiveOverride ? applyRuntimeOverride(base, effectiveOverride) : base;
+      const config = this.#transform ? this.#transform(effective) : effective;
+      this.#overrideSig = effectiveSignature;
+      const snapshot: LiveConfigSnapshot = {
+        config,
+        overrideLoaded: Boolean(effectiveOverride)
+      };
+      if (effectiveOverride !== undefined) {
+        snapshot.override = effectiveOverride;
+      }
+      this.#snapshot = snapshot;
+      const action = isInitialLoad ? "loaded" : "reloaded";
+      this.#logger?.info?.(
+        `securityclaw: ${action} policy_version=${config.policy_version} rules=${config.policies.length} strategy_loaded=${Boolean(effectiveOverride)}`,
+      );
+      if (!isInitialLoad) {
+        this.#onReload?.(this.#snapshot);
+      }
+      return this.#snapshot;
+    } catch (error) {
+      this.#logger?.warn?.(`securityclaw: failed to apply runtime strategy (${String(error)})`);
+      return this.#snapshot;
+    }
+  }
+}

package/src/config/loader.ts

@@ -0,0 +1,168 @@
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+import type { SecurityClawConfig } from "../types.ts";
+import { hydrateSensitivePathConfig } from "../domain/services/sensitive_path_registry.ts";
+import { deepClone, deepFreeze, parseScalar, stripInlineComment } from "../utils.ts";
+import { validateConfig } from "./validator.ts";
+
+type Frame = {
+  indent: number;
+  container: Record<string, unknown> | unknown[];
+  parent?: Record<string, unknown> | unknown[];
+  key?: string | number;
+};
+
+function isArrayFrame(frame: Frame): frame is Frame & { container: unknown[] } {
+  return Array.isArray(frame.container);
+}
+
+function attachChild(frame: Frame, child: Record<string, unknown> | unknown[]): void {
+  if (frame.parent === undefined || frame.key === undefined) {
+    return;
+  }
+  if (Array.isArray(frame.parent)) {
+    frame.parent[Number(frame.key)] = child;
+  } else {
+    frame.parent[String(frame.key)] = child;
+  }
+  frame.container = child;
+}
+
+function parseYaml(source: string): Record<string, unknown> {
+  const root: Record<string, unknown> = {};
+  const frames: Frame[] = [{ indent: -1, container: root }];
+
+  const lines = source.split(/\r?\n/);
+  for (const originalLine of lines) {
+    const withoutComment = stripInlineComment(originalLine);
+    if (!withoutComment.trim()) {
+      continue;
+    }
+    const indent = withoutComment.match(/^ */)?.[0].length ?? 0;
+    const text = withoutComment.trim();
+    while (frames.length > 1 && indent <= frames[frames.length - 1].indent) {
+      frames.pop();
+    }
+    const current = frames[frames.length - 1];
+
+    if (text.startsWith("- ")) {
+      if (!isArrayFrame(current)) {
+        const replacement: unknown[] = [];
+        attachChild(current, replacement);
+      }
+      const arrayFrame = frames[frames.length - 1] as Frame & { container: unknown[] };
+      const itemText = text.slice(2).trim();
+      if (itemText === "") {
+        const child: Record<string, unknown> = {};
+        arrayFrame.container.push(child);
+        frames.push({
+          indent,
+          container: child,
+          parent: arrayFrame.container,
+          key: arrayFrame.container.length - 1
+        });
+        continue;
+      }
+      if (itemText.includes(":")) {
+        const colonIndex = itemText.indexOf(":");
+        const key = itemText.slice(0, colonIndex).trim();
+        const valueText = itemText.slice(colonIndex + 1).trim();
+        const child: Record<string, unknown> = {};
+        child[key] = valueText === "" ? {} : parseScalar(valueText);
+        arrayFrame.container.push(child);
+        frames.push({
+          indent,
+          container: child,
+          parent: arrayFrame.container,
+          key: arrayFrame.container.length - 1
+        });
+        if (valueText === "") {
+          frames.push({
+            indent: indent + 1,
+            container: child[key] as Record<string, unknown>,
+            parent: child,
+            key
+          });
+        }
+        continue;
+      }
+      arrayFrame.container.push(parseScalar(itemText));
+      continue;
+    }
+
+    const colonIndex = text.indexOf(":");
+    if (colonIndex === -1) {
+      throw new Error(`Invalid YAML line: ${text}`);
+    }
+
+    const key = text.slice(0, colonIndex).trim();
+    const valueText = text.slice(colonIndex + 1).trim();
+    if (Array.isArray(current.container)) {
+      throw new Error(`Unexpected mapping under array without item context: ${text}`);
+    }
+
+    if (valueText === "") {
+      current.container[key] = {};
+      frames.push({
+        indent,
+        container: current.container[key] as Record<string, unknown>,
+        parent: current.container,
+        key
+      });
+      continue;
+    }
+    current.container[key] = parseScalar(valueText);
+  }
+
+  return root;
+}
+
+export class ConfigManager {
+  #config: SecurityClawConfig;
+  #lastKnownGood: SecurityClawConfig;
+  #path: string | undefined;
+
+  constructor(config: SecurityClawConfig, path?: string) {
+    const frozen = deepFreeze(deepClone(config));
+    this.#config = frozen;
+    this.#lastKnownGood = frozen;
+    this.#path = path;
+  }
+
+  static fromFile(path: string): ConfigManager {
+    const resolved = resolve(path);
+    const source = readFileSync(resolved, "utf8");
+    const raw = parseYaml(source);
+    const config = hydrateConfig(validateConfig(raw));
+    return new ConfigManager(config, resolved);
+  }
+
+  getConfig(): SecurityClawConfig {
+    return this.#config;
+  }
+
+  getLastKnownGood(): SecurityClawConfig {
+    return this.#lastKnownGood;
+  }
+
+  reload(nextSource?: string): SecurityClawConfig {
+    try {
+      const raw = nextSource ? parseYaml(nextSource) : parseYaml(readFileSync(this.#path!, "utf8"));
+      const validated = deepFreeze(deepClone(hydrateConfig(validateConfig(raw))));
+      this.#config = validated;
+      this.#lastKnownGood = validated;
+      return this.#config;
+    } catch {
+      this.#config = this.#lastKnownGood;
+      return this.#config;
+    }
+  }
+}
+
+function hydrateConfig(config: SecurityClawConfig): SecurityClawConfig {
+  return {
+    ...config,
+    sensitivity: hydrateSensitivePathConfig(config.sensitivity)
+  };
+}

package/src/config/runtime_override.ts

@@ -0,0 +1,66 @@
+import { existsSync, readFileSync } from "node:fs";
+
+import {
+  applySensitivePathStrategyOverride,
+  hydrateSensitivePathConfig,
+  normalizeSensitivePathStrategyOverride,
+} from "../domain/services/sensitive_path_registry.ts";
+import { normalizeFileRules } from "../domain/services/file_rule_registry.ts";
+import type {
+  AccountPolicyRecord,
+  DlpConfig,
+  FileRule,
+  PolicyRule,
+  SecurityClawConfig,
+  SensitivePathStrategyOverride,
+} from "../types.ts";
+import { validateConfig } from "./validator.ts";
+
+export type RuntimeOverride = {
+  updated_at?: string | undefined;
+  environment?: string | undefined;
+  policy_version?: string | undefined;
+  defaults?: Partial<SecurityClawConfig["defaults"]> | undefined;
+  policies?: PolicyRule[] | undefined;
+  account_policies?: AccountPolicyRecord[] | undefined;
+  sensitivity?: SensitivePathStrategyOverride | undefined;
+  file_rules?: FileRule[] | undefined;
+  dlp?: (Partial<Omit<DlpConfig, "patterns">> & { patterns?: DlpConfig["patterns"]; }) | undefined;
+};
+
+function isObject(value: unknown): value is Record<string, unknown> {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+export function readRuntimeOverride(overridePath: string): RuntimeOverride | undefined {
+  if (!existsSync(overridePath)) {
+    return undefined;
+  }
+  const raw = JSON.parse(readFileSync(overridePath, "utf8")) as unknown;
+  if (!isObject(raw)) {
+    throw new Error("runtime override must be an object");
+  }
+  return raw as RuntimeOverride;
+}
+
+export function applyRuntimeOverride(base: SecurityClawConfig, override: RuntimeOverride): SecurityClawConfig {
+  const baseSensitivity = hydrateSensitivePathConfig(base.sensitivity);
+  const merged: SecurityClawConfig = {
+    ...base,
+    environment: override.environment ?? base.environment,
+    policy_version: override.policy_version ?? base.policy_version,
+    defaults: {
+      ...base.defaults,
+      ...(override.defaults ?? {})
+    },
+    dlp: {
+      ...base.dlp,
+      ...(override.dlp ?? {}),
+      patterns: override.dlp?.patterns ?? base.dlp.patterns
+    },
+    policies: override.policies ?? base.policies,
+    sensitivity: applySensitivePathStrategyOverride(baseSensitivity, normalizeSensitivePathStrategyOverride(override.sensitivity)),
+    file_rules: override.file_rules !== undefined ? normalizeFileRules(override.file_rules) : base.file_rules,
+  };
+  return validateConfig(merged as unknown as Record<string, unknown>);
+}

package/src/config/strategy_store.ts

@@ -0,0 +1,121 @@
+import { mkdirSync } from "node:fs";
+import path from "node:path";
+import { DatabaseSync } from "node:sqlite";
+
+import type { SecurityClawConfig } from "../types.ts";
+import { applyRuntimeOverride, readRuntimeOverride, type RuntimeOverride } from "./runtime_override.ts";
+
+type StrategyStoreOptions = {
+  legacyOverridePath?: string;
+  logger?: {
+    warn?: (message: string) => void;
+  };
+};
+
+type OverrideRow = {
+  payload_json: string;
+};
+
+const STRATEGY_SCHEMA_SQL = `
+CREATE TABLE IF NOT EXISTS strategy_override (
+  id INTEGER PRIMARY KEY CHECK (id = 1),
+  payload_json TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+`;
+
+function isObject(value: unknown): value is Record<string, unknown> {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+
+export class StrategyStore {
+  #dbPath: string;
+  #db: DatabaseSync;
+  #legacyOverridePath: string | undefined;
+  #logger: StrategyStoreOptions["logger"] | undefined;
+
+  constructor(dbPath: string, options: StrategyStoreOptions = {}) {
+    this.#dbPath = dbPath;
+    this.#legacyOverridePath = options.legacyOverridePath;
+    this.#logger = options.logger;
+    mkdirSync(path.dirname(dbPath), { recursive: true });
+    this.#db = new DatabaseSync(dbPath);
+    this.#db.exec("PRAGMA journal_mode=WAL;");
+    this.#db.exec("PRAGMA synchronous=NORMAL;");
+    this.#db.exec(STRATEGY_SCHEMA_SQL);
+    this.#bootstrapFromLegacyFile();
+  }
+
+  get dbPath(): string {
+    return this.#dbPath;
+  }
+
+  readOverride(): RuntimeOverride | undefined {
+    const row = this.#db
+      .prepare("SELECT payload_json FROM strategy_override WHERE id = 1")
+      .get() as OverrideRow | undefined;
+    if (!row) {
+      return undefined;
+    }
+    const raw = JSON.parse(row.payload_json) as unknown;
+    if (!isObject(raw)) {
+      throw new Error("runtime override in database must be an object");
+    }
+    return raw as RuntimeOverride;
+  }
+
+  writeOverride(override: RuntimeOverride): void {
+    const now = new Date().toISOString();
+    const payload: RuntimeOverride = {
+      ...override,
+      updated_at: override.updated_at ?? now
+    };
+    this.#db
+      .prepare(
+        `
+        INSERT INTO strategy_override (id, payload_json, updated_at)
+        VALUES (1, ?, ?)
+        ON CONFLICT(id) DO UPDATE SET
+          payload_json = excluded.payload_json,
+          updated_at = excluded.updated_at
+      `,
+      )
+      .run(JSON.stringify(payload), payload.updated_at ?? now);
+  }
+
+  readEffective(base: SecurityClawConfig): {
+    effective: SecurityClawConfig;
+    override?: RuntimeOverride;
+  } {
+    const override = this.readOverride();
+    if (!override) {
+      return { effective: base };
+    }
+    return {
+      effective: applyRuntimeOverride(base, override),
+      override
+    };
+  }
+
+  close(): void {
+    this.#db.close();
+  }
+
+  #bootstrapFromLegacyFile(): void {
+    if (!this.#legacyOverridePath || this.readOverride()) {
+      return;
+    }
+    try {
+      const legacy = readRuntimeOverride(this.#legacyOverridePath);
+      if (!legacy) {
+        return;
+      }
+      this.writeOverride(legacy);
+      this.#logger?.warn?.(
+        `migrated strategy override from legacy file (${this.#legacyOverridePath}) into sqlite (${this.#dbPath})`,
+      );
+    } catch (error) {
+      this.#logger?.warn?.(`failed to migrate legacy override file (${String(error)})`);
+    }
+  }
+}